Sage Journals: Discover world-class research

Abstract

Smart home environment comprises high-capacity and low-capacity sensors. These sensor nodes interact with daily activities of users and they communicate with each other to perform particular tasks. A set of instructions in insecure network during communication can result in a deadlock due to attack of adversary. Such deadlocks can be a severe risk for the security of user’s activities in smart home environment. Recent critical security attacks in smart home environment exposed that how communication channels turned low-capacity sensors into harmful attack for illegal activities which later lead to damage security and privacy. Therefore, a suitable framework is needed to overcome security pitfalls and to protect user’s activities by establishing secure key session between sensor nodes. This study has proposed new secure distributed framework which is based on secure cryptic setup and efficient key-session authentication process to strengthen resource-limited devices. Secure distributed framework shares attributes of seamless key session among low-capacity nodes after sensing daily activities of user based on activity model to establish cryptic link by keeping identity of devices faceless. Distributed activity key-session model of secure distributed framework stores the user’s activities via sensor nodes and these nodes forward the data to nearby gateway in smart home environment. This scheme regularly updates token authentication process and enables stringency of nodes against severe attacks during communication. Secure distributed framework originates from distributed trajectories’ connection among sensors in network by avoiding deadlock and suspicious activities. Moreover, secure distributed framework works more efficiently on resources-restraint nodes as compared to previous schemes from literature while security is significantly enhanced. This article has focused on new encrypted key-session attributes of encrypted daily living activities to fortify low computational devices and enables wireless nodes for secure trajectory association. Preliminary simulation is performed in well-popular security tool automated validation of Internet security protocol applications to check the feasibility of proposed secure distributed framework and the required results are achieved.

Keywords

Smart home environment security authentication key session daily activity

Introduction

The popularity of smart home environment (SHE) has been increased in the last couple of years. SHE is basically a combination of low-power, low-cost, and sensor nodes which are installed over the specific region. The infrastructure of SHE could be heterogeneous which consists of different competences.¹ Our previous work in lab,² activity pattern knowledge mined from trajectories, described that automation is very important and possible when all the things are connected to each other virtually in SHE. Such types of SHE are combinations of appliance control system, smart energy system, multimedia system, light and flame control system, security and surveillance system, climate handling system, and home care system and these appliances take instructions from daily living activities (DLAs).³ In several countries, many research projects have started to make the ideal SHE, for example, GENIO (next-generation home),^4,5 SM4ALL (smart home for all),⁶ and HOPE (a smart home for the old living people)^7–9. Basically, smart homes combine with a large number of heterogeneous smart nodes and devices, such as smart light, actuator, smart surveillance digital camera, smart window shutter, thermostat, and many other types of devices which can be integrated, as shown in Figure 1. Design model of SHE is divided into four types of entities: (1) gateway, (2) nodes, (3) server, and (4) users. The sensor nodes are responsible to sense the users’ activities and forward these data to nearby local gateway. Then, local gateway is responsible to forward these data to server securely as shown in Figure 1. During our recent research in lab, we came to know that many security challenges (e.g. denial-of-service (DoS) threat, replay attack, masquerade attack, message forgery attack, and device-compromised attack) are existing in SHE due to the improper security level.^10,11

Figure 1.

Smart home environment.

Research contribution and motivation

In this article, we have assumed that SHE is a network of heterogeneous sensor nodes and these nodes sense the data from users’ activities and forward instructions to nearby devices like smart home local gateway (SHLG) so that users can access data and fulfill their objectives. SHLG works as a link between user and nodes. After sensing users’ activities, sensor nodes transmitted a message through insecure networks and adversary can insert, intercept, change, re-route, and delete the original communication message. Therefore, a number of security features such as message integrity, authentication, and protecting data of users’ activities are primary concerns of such type of network in SHE.

A secure seamless key session between the nodes involved is necessary to provide secure communication trajectory over insecure channel where authentication and anonymity are highly important. Many methods^12,13 experienced to achieve authenticity of smart home nodes (SHNs) but oversaw other properties of security. Petroulakis et al.¹⁴ and Burrough and Gill¹⁵ discussed how poor security of networking protocol can be mistreated to handle the SMNs, so that it breaches the security of SHE. Most of the previous research works^16,17 focused on authentication and none of them considered how to hide identity of SHNs. SHNs interact with daily activity pattern of users and then perform the tasks accordingly. If any device (e.g. surveillance camera and temperature control device) compromises with adversary, then it damages the security as well as privacy of users’ daily activity in SHE. Therefore, we preliminarily designed a secure distributed framework (SDF) suitable for SHE, basing upon on token authentication and seamless key session, for sensing the real-time data of sensor nodes and forward to nearby gateway and server after encryption, which resists the above-mentioned security attacks. Furthermore, the proposed scheme is better than the existing protocols as its uses distributed framework in order to keep the system secure and functional in case of any attack and by avoiding deadlock condition. Moreover, the proposed scheme uses activity recognition model to detect any kind of abnormal activity in SHE.

SDF proposed in this article meets the following facts:

Establishing secure trajectories. Data are transferred from high-capacity sensor (HCS) to low-capacity sensor (LCS) devices in SHE. It establishes secure trajectories (communication paths) for communication between LCS and HCS nodes.

Protecting DLA. To protect the users’ daily activities in SHE, encrypted attributes of key session are shared over the network between sensor nodes. Distributed activity key-session model stores the user’s activities via sensor nodes and secures the trajectories among nodes by detecting abnormality based on activity variation.

Fortify the SHNs. The SHNs against severe attacks are fortified (e.g. message forgery attack and device-compromised attacks).

Avoiding deadlock condition. To avoid deadlock, if any device compromised with adversary, this SDF upheld the alternative secure trajectory link among nodes for secure communication in SHE.

Faceless and cryptic link. It secures the information of SHNs and their functionality (e.g. collection of data, sensor information) from unauthorized tracing. Mischievous nodes will not be able to identify SHNs and their communication features. Moreover, configured nodes/devices remain faceless. (Proofs are in the “Security verification and performance analysis of SDF” section).

Authenticity and confidentiality. When communication starts in smart home, it makes sure that the information of working protocol cannot be stolen or altered by any unauthorized activity. (Proofs are in the “Security verification and performance analysis of SDF” section).

Low computational and communicational costs. The SHN has serious resource constraints to communicate and process the message in smart home. SDF will efficiently work in same resource constraints as it is seamless and due to its lightweight. (Proofs are in the “Security verification and performance analysis of SDF” section).

The rest of the article is prepared as follows. In section “Review of related work,” we discuss the most recent research studies that are related to this research. Section “Design model, security properties, and threat assumptions” presents the structure of system design model and properties of security model. Section “Proposed SDF” presents the proposed SDF and all its notations. Section “Security verification and performance analysis of SDF” discusses experiments and results and verifies effective performance analysis of proposed SDF. In section “Conclusion,” we discuss the conclusions.

Review of related work

A few research studies have been published on security issues of SHE. These studies proposed schemes to protect communication from unknown attacks and threats. Previous research did not consider security issue regarding daily behavior activities’ recognition of users in smart home. Every scheme has its advantages and disadvantages. However, in this article, most recent research works are conferred.

Kumar et al.¹⁷ claimed that the scheme is lightweight and established secure connection based on key-session process. During offline, secure key session is established after sharing a short authentication token to verify and legitimate smart nodes. However, schemes did not consider the anonymity to secure the identity of nodes and also did not provide activity recognition approach to distinguish abnormal activity. Kim et al.³ suggested a process of seamless integration for heterogeneous nodes of smart home and access control. The proposed scheme described the open-service gateway initiative (OSGI) and also suggested a smart home for heterogeneous protocol in home area network (HAN). They described that access control model manages different user’s request along with authentication and authorization. In their architecture, the restful web services provided the remote access in SHE. However, this method did not provide solution for authentication of nodes during deployment time in smart home. Vaidya et al.¹⁸ described a mechanism of smart energy for authenticity of devices in HAN. This scheme used the elliptic curve cryptography (ECC). For communication between two devices, a key session is established and then message is propagated over the channel. They claimed that their scheme is more effective and efficient. However, analysis of the security level of the scheme is not provided in detail. There is also not enough detail that how their scheme is more efficient than others.

Hoang and Pishva¹⁹ described a new communication pattern to secure the appliances of smart home which is totally Tor based and the scheme uses public key approach for cryptography which is not suitable for resource-constraint devices.¹⁹ Tor is used as an Internet browser by various users. This anonymous browser is operated only where surfing actions are performed. Moreover, authentication is not performed. Ayday and Rajagopal²⁰ observed that the existing technologies (e.g. ZigBee, Insteon, and Z-Wave) of HAN are suitable for security in smart home only up to a certain level. They proposed a new mechanism which is based on three different secure authentication mechanisms: (1) there should be authentication mechanism between gateway and smart meter, (2) there should be authentication between the HAN and smart appliances of smart grid, and (3) HAN and the transient devices should also have performed authentication. However, to perform the authentication process between two nodes, the scheme depends on the Internet service provider. The proposed scheme totally depends on the third part. In the work by Chen and Luo,¹³ a secure smart household framework is proposed for appliances as a secure mechanism. The main focus of authors in this scheme called S2A is about usability, operation protection, and controlling the electricity prices of devices. S2A does not consider the fundamental properties of the security (i.e. confidentiality, authentication, and integrity of data). Moreover, the framework of S2A may not withstand the Dolev–Yao model which is a model of collaborative adversary.²¹

Kumar et al.²² proposed an anonymous secure framework (ASF). This scheme focused on anonymity, unlinkability, authentication, and integrity of devices in smart home. A key agreement and mutual authentication are required in this scheme which fulfills the cost of computation complexity. However, this scheme did not discuss about security in terms of DLA recognition pattern and how to make sure devices are faceless for security attacks at initial time to secure the DLAs. Another drawback of this scheme is that it stores on static devices. Li²³ proposed a scheme for smart home energy management system based on ECC. A key establishment protocol was designed and this scheme is based on two units: (1) a node and (2) security manager. A public and private key is distributed between entities through a trusted authority. However, operations of public key are not cheap for sensors because of time complexity. Moreover, security analysis is very limited.

Design model, security properties, and threat assumptions

Design model

SHNs play various key roles of security surveillance such as smoke detection alarm, temperature sensor, light control, flame detection, and home gateway²⁴, as shown in Figure 2. In the work by Liang et al.,²⁵ wireless channel has used HAN protocol (e.g. ZigBee) for communication of SHNs to SHLG. This type of communication pattern is named as SD-To-HG.²⁶ Basically, design model of SHE is a combination five major units which are shown in Figure 2.

Figure 2.

Simple design model of SHE.

SHLG

SHNs are connected to SHLG and users collect information from SHLG. SHLG works as a router among users, SHNs, and server SSP (security service provider). Basically, SHLG communicates among different devices in smart home. It has the following functions: (1) it provides short-range wireless platform (e.g. 802.15.4) which facilitates connection within the internal SHNs and (2) works as a platform of communication to connect the outer world through Internet IPv4/IPv6.²⁷

SHNs

SHNs comprise N number of various smart devices which are assimilated with sensor network functionality. Basically, SHNs contain both devices (e.g. LCS and HCS).²⁸ These SHNs send home data to the SHLG which receive and respond to the queries for SHNs.

Security service provider/control system

The security service provider/control system (SSP/CS) provides various services to the SHNs and SHLG. It is a trusted server and it manages to assign the authentication services to SHLG. It also provides the secret key material to both SHNs and SHLG.

Internet (IPv4/IPv6)

It enables the smart home gateway to provide and operate the internal nodes with outer world through the connectivity of Internet (IPv4/IPv6).

Users

The end users can monitor and operate the internal functionality through the SHLG and its services. Users can also remotely or directly interact with appliances through internal short-range wireless channel.

Security properties

Internal design model of SHE consists of various heterogeneous nodes (LCS and HCS) and it requires various basic security properties. Security properties have been identified in recent research works^24,25 that should be noticed in the internal networking of SHE. Our proposed SDF will cover these properties which are discussed as follows:

Reciprocated authorization. In SHE, an adversary may make up another legal entity to obtain data regarding daily activity of users and sensitive information of SHE services. Therefore, reciprocal authentication of each sensor nodes in SHE is necessary in order to legitimate involved nodes and to prohibit unauthorized access from adversaries.

Session established. After reciprocal authorization and confirmation process, a secure encrypted session (e.g. key session) should be established between legal nodes and entities of smart home to communicate with each other.

Message integrity. Illegal users, entities, and devices are not permissible. Data can be altered or forged. Reliability of key data is a standard method to protect from antagonists.²⁶

Availability. Setting and safety strategy of devices which redirect a variety of device features must be considered. Device management system should provide availability to grasp of physical status.²³

Message freshness. Message confidentiality and authentication process are not enough but it should also make sure freshness of each received message by adequate security of protocol as mentioned in the work by Tschofenig and Arkko.²⁷

Message confidentiality. Mantas et al.²⁹ described that unauthorized entities may monitor the wireless channels by eavesdropping. Thus, the information can be leaked by this type of attack. Message confidentiality is a standard approach to protect the information of SHNs.

Defend to attacks: The scheme must defend the SHNs and transmission of the smart home from outer attacks (e.g. device compromise).²²

Energy efficient. Clearly, SHNs are resource-hungry entities in SHE. Therefore, secure scheme must have lightweight session establishment and authentication process. It should also be energy efficient for limited computational SHNs (LCS).²²

Assumptions

In this section, we describe some widely accepted important assumptions:

Secure service provider server (SSP) develops a safe environment with SHLG which senses activities of users and shares secret information to SHLG. Both SSP and SHLG have better memory in comparison with other devices in smart home, for instance, biometric detector sensor. Consider that both are temper proof and have good limitations of resources. SSPs have capacity to consider and store static and dynamic nodes, with attributes of key session.

SHLG and SSP are connected to each other through secure channel. Both have symmetric cryptographic method which is composed of encryption, decryption, and lightweight hash function. Asymmetric cryptographic method is not supported by low-capacity nodes in smart environment.³⁰ Therefore, low-capacity sensors are at higher risk of being attacked in SHE in comparison with HCS.

The scheme of Li et al.³⁰ is utilized to synchronize the clocks of all the nodes of smart home (i.e. SHNs and SHLG).

An adversary may eavesdrop between nodes which are involved over the insecure channel. It is also supposed that an adversary cannot interrupt the transmitted message in secure channel.

Threat model

We present threats and their widely accepted assumptions concerning threat and attack model as follows:

We follow the Dolev–Yao attack model,²¹ where adversary is able to insert new message and spoof other identities or change message. Moreover, adversary might be able to get illegitimate data access to perform denial of service or service degradation. A complete protection against such types of attacks is integrally very challenging. However, the least requirement is the detection and protection mechanism which must be incorporated.

An adversary can delete, modify, re-route, and resend the eavesdropped data.

An adversary may legitimate device or vice versa.

Attacker can manipulate user’s activity pattern and can create abnormal activities resulting in damaging security of SHE.

Proposed SDF

This research is an extension and continuity of our previous research work.^10,11 In this section, an SDF is proposed to protect the transmission in smart home architecture (SHA). SDF is based on key distributed session and mutual authentication phase to establish a secure trajectory. Proposed SDF is described in this section.

Notations, pre-deployment, and registration phase

In this section, all the notations, used in the SDF, are described in Table 1. Furthermore, in pre-deployment and registration setup of proposed SDF, network administrator is executed and run offline using setup server. Each regular sensor node, at the time of deployment, is pre-defined and labeled as $S N_{i}$ which is shared with nearby SHLG, where $m_{j}$ represents the number of nodes and it is stored in the memory of the node. Then, SHLG stores identity for sensor nodes $S N_{i} | (1 ⩽ i ⩽ m)$ . After this, registration setup is executed which is named as secure cryptic setup (SCS) and is presented in the following section.

Table 1.

Notations and their description.

S. no.	Notations	Descriptions
1	SHLG	Smart home local gateway
2	SSP	Secure service provider (server)
3	id_HG	Identity of smart home local gateway (SHLG)
4	Id_X	Identity of smart home node X
5	id_SX	Identity of silicon serial number
6	α_XId	Unique authentication token for smart nodes
7	[M]EK	Encryption for message, using secret key (K)
8	[M]DK	Decryption for message, using secret key (K)
9	\|\|	XOR and concatenation operation
10	H()	One-way hash function
11	P	Used to compute requests
12	Q_Xid	Used to compute and store values on SSP/three metrics
13	SK	For session key
14	ΔT	Use to describe transmission delay
15	s_x	Value of living activity
16	m_t	Value of trajectory
17	X	Smart home node/device
18	MAC	Message authentication code
19	HG	Home gateway
20	K_x	Secret key
21	HMAC	Hash message authentication code
22	R_n	Random nonce
23	E_kx	Encryption of corresponding key
24	SSK	Session secret key
25	SHNs	Smart home nodes (low and high capacity)
26	SHE	Smart home environment

SCS

All SHNs should be configured and listed in SSP by a system administrator (SA) while staying offline. All devices acquired secret credentials from SSP and it computes the following key edifices as shown in Figure 3. In addition, SSP also stores the SHLG identity id_HG to node X and id_SX is the silicon serial number of node X which is presented in the work by Mantas et al.²⁹

Figure 3.

Key-session steps of SDF for cryptic link setup: (a) scheme setup and (b) session key establishment for secure communication.

After this, SSP stores id_X identity of X node with unique secret key K_x and assembles Q_X along with its key identifier K_Xid to the SHLG. This SCS will help to recognize legitimate node X and distinguish normal and suspicious activity after establishing key agreement. Record of deployed nodes (both static and dynamic) of smart home is stored and maintained in database of SSP:

Key-session authentication process (KAP). KAP starts to send request for establishing secure communication between node X and SHLG through SSP. To build secure and cryptic link, four steps are included as shown in Figure 3.

Key-attributes’ exchange request (KER). SHLG generates the random number R_x and computes P = M [Q_Xid, id_HG|| Id_X|| R_x|| s_x|| m_t|| T1] and forwards the request of {P, id_HG, R_x, s_x, m_t, T1} message to the node X to describe the time frame; here, T1 is the assigned timestamp of SHLG.

Authentication and verification (AV). After receiving message from SHLG, the node X will check the time stamp (T1 T2) ≤ ΔT, if not then the system will abort or it will move to the next step and it will compute Q_X’_id = HG (α_Xid|| id_HG|| id_sx) and P₁ = M [Q_X’_id, Id_X|| id_HG|| R_x|| s_x|| m_t|| T1]. Then, it verifies P = P₁, if yes then node X generates a random session secret key SSK and computes P_X = E_kx [Id_X, T2, R, SSK] and sends message {K_Xid, P_X, T2, tab} in response to SHLG. Here, tab = HGM [Q_X’_id, Id_X|| id_HG|| R_x|| T2|| s_x|| m_t|| SSK], tab used for pointer value, and T2 is the time stamp of node X.

Decryption. Smart home gateway receives and checks (T2 T3) ≤ ΔT (transmission delay) because T3 is the time step for next authentication and it recovers the key K_x of K_Xid from database and starts to decrypt P_X to get SSK, R_x, T2, Id_X. It starts to verify T2 = T2, Id_X = Id_X, and R_x = R_x, if not the same, then it terminates the system. If it appears same, it then generates the session key SK = HG (Id_X,|| id_HG|| T3|| T2|| SSK|| s_x|| m_t|| Q_X’_id) and computes P_HG = E_kx [SK, SSK, s_x, m_t, T3]. Furthermore, it sends message {P_HG, T3} to node X. T3 is the time stamp of the current SHLG.

Cryptic link establishment (CE). After receiving message from SHLG, node X checks the time stamp T3 T4 ≤ ΔT (time frame showed in Figure 4), if not then it aborts the system or it starts to decrypt P_HG with the help of K_x and get SK (session key), S_k (secret key), and time stamp T3. If time stamp T3 and secret key S are same, then session key SK = HG (Id_X,|| id_HG|| T3|| T2|| SSK|| s_x|| m_t|| Q_X’_id), the key between two legal nodes, is established and authenticated. Here, current time stamp of node X is T4. In the light of above-mentioned procedure, the new SDF (secure key-session scheme) upheld secured cryptic link including security attributes (e.g. authenticity, integrity, and reliability). When session key (SK) is shared between node X and SHLG, then cryptic link is established for secure communication and is achieved to keep node’s identity faceless.

Figure 4.

Time stamp frame of incorporated activities.

Terminologies and approaches which are used in our proposed SDF are discussed in the following sections.

Distributed approach

Distributed approach is used to keep trajectory functional during attacks in SHE by avoiding stalemate condition.

Definition

“Using distributed approach, each sensor performs encrypted process on their own end by utilizing key-session attributes of proposed scheme which is shared on trajectory by the service provider server unit to avoid deadlock condition as shown in Figure 5(c).” Actually, sensors of SHAs coordinate and detect the daily living behavior activities of individuals to perform various tasks. For example, if a person goes to kitchen for cooking breakfast, then the sensors of the kitchens become active to stimulate and send behavior activity to the main server. Each sensor device has its own capacity for computation process of appliances, which is basically support to distributed scheme, and interacts with each other to recognize a common task. To detect this kind of blockage which is created by abnormal activity/command, by keeping rest network functional, it is necessary to launch an SDF, which is based on seamless key-session process as mentioned above, and is demonstrated in Figure 3.

Figure 5.

(a) Sensor devices and trajectories layout for encryption, (b) person’s behavior pattern layout of the new environment interaction with smart home’s nodes (LCS and HCS), and (c) distributed trajectories mode avoiding deadlock.

User’s activity recognition model

Activity recognition in SHE routinely detects person’s activities from the data captured by sensors. This is relevant and very near to most common applications such as human body motion–detecting sensors, surveillances, DLAs, healthcare, and temperature control. The time stamp frame of activities incorporated in smart architecture is shown in Figure 3. Here, we distinguish some definitions of DLAs of individuals:

User’s simple activity. This is commonly most basic atomic activities, for example, pour water and drink water.

User’s composite activity. This comprises many sub-activities or fine-grained shape of multi-activities, for example, the activity “cooking rice in the kitchen” is modeled as sub-activities, measuring water, quantity of rice, pouring contents into the pot, other ingredients, and cooking.

Activity of daily life (ADL). It is distinguished into two parts: (1) basic daily life related to self-caring (eating, dressing, watching, toilet hygiene, bathing, showering, and sleeping, etc.); (2) instrumental’s ADL,^7,8 which is basically not very necessary for daily life of smart architecture but it may let a person to live an independent life in the community, for instance, shopping, taking medicine, and meeting with colleagues. The time stamp frame of activities incorporated in smart architecture is shown in Figure 4.

Distributed activity key-session model and activity variation

In this section, we present activity model and activity variation concept which is used in our proposed SDF.

Activity key-session model

We describe the terminology which is used during work; set of sensor nodes is defined as $N = {S N_{1}, S N_{2}, S N_{3}, \dots, S N_{n}}$ which is deployed over the network of SHE. Node location $S N_{p}$ is used to represent the position of the user and when the user moves, his or her movement activity is detected by $S N_{p}$ . A set of activity $A_{n}$ comprises sequence of basic activities and is represented as $A_{n} = {A_{b 1}, A_{b 2}, A_{b 3}, \dots, A_{bn}}$ . As demonstrated in Figure 5(a)–(c), activity recognition phase is divided into two subparts: (1) obtaining and transferring activity and (2) recognizing and detecting new activity. There are two patterns to encrypt old and new activities

\begin{matrix} Set of activity s_{x} = (s_{1}, s_{2}, \dots, s_{n}) \\ Set of trajectory m_{t} = (m_{1}, m_{2}, \dots, m_{n}) \end{matrix}

Definition of second pattern

“Sensors are assigned by unique keys $S N_{i}$ by main server unit and authentication token value is shared among the devices. Key’s attributes of activity recognition support to extract the trajectory then transfer the recognized encrypted activities.” Each key has complete value set of the necessary attributes (as illustrated in Figure 3) of all connected nodes/devices of the entire network for smooth transformation of the communication.

Activity variation

It is well known that same pattern of activities cannot be repeated at same real time. Therefore, small dissimilarities between these same activities are known as activity variation in our proposed SDF. Difference between trajectory variation $T_{va 1}$ is presented as $T_{va} = S N_{20} \to S N_{21} \to S N_{23}$ but $T_{va 2} = S N_{20} \to S N_{18} \to S N_{16} \to S N_{16} \to S N_{21}$ by considering example of activity $A_{n}$ and $A_{m}$ , as shown in Figure 5. This tiny difference between two trajectory activities is calculated by $deviation_C$ , as follows

\begin{matrix} deviation_C (T_{van}, T_{vam}) \\ = MI N_{s} (| T_{van} - T_{vam} | | T_{vam} - T_{van} |) + | | T_{van} | - | T_{vam} | | \\ + order (T_{van}, T_{vam}) \\ = deviation_C \end{matrix}

(1)

Security verification and performance analysis of SDF

In this section, we have described experimental setup in real SHE using widely recognized security analyzer tool–automated validation of Internet security protocols applications (AVISPA).³¹ Then, we have discussed formal authentication of SDF in BAN (Burrows–Abadi–Needham) logic, informal, and performance analysis of SDF with other schemes. We have divided all these steps into four subsections which are discussed in the following sections.

Experimental setup using AVISPA tool

In this subsection, we implemented design model in real environment to make it easily understandable and performed same experiments in real environment to check the suitability of SDF as shown in Figure 6. Our real environment structure based on five basic parts is shown in Figure 2. This section comprises two parts: (1) brief detail about AVISPA and (2) simulation result.

Figure 6.

Real smart home environment and physical setup in lab.

Brief detail about AVISPA

Automatic verification of Internet security protocol and application tool (AVISPA) is an automated application which validates and analyzes the security by Internet sensitive protocol whether it is safe or unsafe. AVISPA comprises four backends which are autonomously verified, namely, OFMC (i.e. on-the-fly model-checker), CL-AtSe (i.e. constraint-logic-based attack searcher), SATMC (i.e. sat-based model checker), and TA4SP (i.e. tree automata–based security protocol). The AVISPA tool utilizes high-level protocol language (HLPSL) and uses script of HLPSL as an input and translated it into intermediate format (IF) by utilizing the translator named HLPSL2IF. HLPSL contains important features (e.g. control flow pattern, data structure, cryptographic primitives, complex security properties, and alternative intruder models) which make HLPSL a well-appropriate industrial-scale protocol, as shown in Figure 7(a).

Figure 7.

Authentication and confidentiality result: (a) steps of AVISPA analyzer tool structure, (b) SDF execution in AVISPA, and (c) authentication and confidentiality.

For additional details, we refer to the work by Vigano.³² The attacker can play a role of a legitimate user in top-level global constants (i.e. environment role) with composition of one or more sessions. In AVISPA,³¹ the attacker uses Dolev–Yao intruder model which is modeled through the channel.²¹ Our proposed SDF has four basic steps and two basic roles. A configuration phase of nodes and key installation is similar to session role and environment role using Dolev-Yao model attack. Therefore, to perform the testing and authentication, we used the translator HLPSL2IF to transform the script of HLPSL into IF. In addition, four backends, CL-AtSe, OFMC, TA4SP, and SATMC, are integrated with scripts of AVISPA tool. These four backends translate the code of IF. Figure 7(c) reveals the results of confidentiality and authentication.

Simulation results

In this section, we describe simulation results of the proposed SDF. The results revealed that the proposed SDF clearly remained safe under Dolev–Yao attack model. In other words, it can be said that communication remained safe from Dolev–Yao model attack and the result is shown in Figure 8. This shows that all parameters remain secure enough between SHLG and node X. Moreover, the proposed SDF meets identified result successfully and used protocol also remain secure in OFMC backend. Therefore, attacks of Dolev–Yao model do not remain destructive for the proposed SDF. Moreover, it is noted that simulation of proposed scheme can be executed using web-based interface of AVISPA tool. In both results, number of sensor nodes are different which indicates that the suitability and feasibility of SDF remained safe among maximum involved nodes in SHE. In the first case, 216 sensor nodes are calculated, and in the second case, 1296 sensor nodes are calculated. All these nodes remained secure during attacks.

Figure 8.

Simulation result in AVISPA and safe-from-attack model of Dolev–Yao.

Formal verification proof based on BAN logic

This section discusses the formal analysis of the proposed SDF (e.g. established key session, authentication, and freshness) using Burrows–Abadi–Needham logic,³³ generally known as BAN logic.

BAN logic rules and notations. Some BAN statements from the work by Burrows et al.,³³ which are used to verify the formal authentication of SDF, are as follows:

$N | \equiv A :$ N believes A, in particular, N can take A as true.

$N ◃ A :$ Only “N sees A,” that is, N received some messages A and it can read and repeat it (seeing rule).

$N | ~ A :$ N once said A. N sometimes sent message including A.

$N | \Rightarrow A :$ The principal “N has control over A,” the principal N is an authority on A and should be trusted in this case.

$N \Leftrightarrow^{M} A :$ N and A have message (M) that contains the secret parameters.

$# (A) :$ Fresh (A), which means that Fresh (A) protects from reply attack and A has not been sent recently in a message during the protocol execution.

$N \overset{K}{\leftrightarrow} A :$ N and A used secret key for secure communication.

{M}_K: The formula M is encrypted under the key K.

$〈 M 〉_{N} :$ That is, message M is combined with secret N and N is parameter.

Some basic postulates of the BAN logic are given as follows:

The message meaning rule: $(N | \equiv A \overset{K}{\leftrightarrow} N, N ◃ {M} K / N | \equiv A | ~ M)$

The freshness rule: $N | \equiv # (M) / N | \equiv # (M, N)$ .

In case, if principal sees a formula, therefore, it also sees its parameter: $(N ◃ MN / N ◃ M), (N ◃ (M, N) / N ◃ M)$ . If one part of the formula is fresh, then whole formula must also be fresh.³³

To verify an authenticity of protocol regarding its security, we followed the following steps:

The proposed SDF in the language of formal logic will be idealized.

The assumptions regarding the preliminary state of the proposed scheme will be identified.

The production and rules of the logic will be used to infer new predicates.

Logic will be used to determine the beliefs of entities about the proposed scheme.

In order to verify the proposed protocols secure, we perform the following logic verifications using BAN logic: $Goal 1 : SHLG | \equiv X \overset{K}{\leftrightarrow} SHLG, K is secret key$ ; $Goal 2 : X | \equiv SHLG | \equiv X \overset{SK}{\leftrightarrow} SHLG, SK is session key$ ; $Goal 3 : SHLG | \equiv X | \equiv SHLG \overset{SK}{\leftrightarrow} X$ ; $Goal 4 : X | \equiv # (R_{SHLG}, T 1)$ ; $Goal 5 : SHLG | \equiv # (R_{x}, T 2)$ .

Now, $Goal 1 : SHLG | \equiv X \overset{K}{\leftrightarrow} SHLG$ : Proof, $X \overset{K_{xid}, P_{x}, T_{2}, tab}{\leftrightarrow} SHLG$ ; device X starts session. According to M1, $SHLG ◃ K_{xid}, SHLG ◃ P_{x}, SHLG ◃ T_{2}, SHLG ◃ tab$ , and applying rule 4, we obtained $SHLG ◃ {K_{xid}}, 〈 P_{x} 〉_{P 1}, 〈 tab, P_{x} 〉_{# A}$ . Note that P₁ contains M [Q_X’_id, Id_X|| id_HG|| R_x|| T1|| s_x|| m_t]. If device X once sends message $K_{xid}, P_{x}, T_{2}, tab$ and SHLG believes that $I d_{X} = = {Id}_{X}^{*}$ , then the device is the legitimate in the system. Therefore, $SHLG | \equiv X \overset{K}{\leftrightarrow} SHLG$ . $Goal 2 : X | \equiv SHLG | \equiv X \overset{SK}{\leftrightarrow} SHLG : Proof, X | \equiv SHLG \overset{SK}{\leftrightarrow} X$ SK contains the value HG (id_X,|| id_HG|| T3|| T2|| SSK|| s_x|| m_t|| Q_X’_id. Device X believes that SHLG and message containing secret parameters are used to derive session key SK. According to M2, $X ◃ SK$ , it turns out that X receives HG (id_X,|| id_HG|| T3|| T2|| SSK|| s_x|| m_t|| Q_X’_id). Due to ${Id}_{HG}^{*} = I d_{HG}$ , we obtain that $X | \equiv SHLG | ~ S K_{# RHG}, I d_{x}, i d_{HG}$ . By applying rules 6 and 7, $X | \equiv SHLG | \equiv X \overset{HG (I d_{x}, | | i d_{HG} | | T 3 | | T 2 | | SSK | | s_{x} | | m_{t} | | Q_{X' id}}{\leftrightarrow} SHLG$ . Finally, we proved Goal 2 , that is, $X | \equiv SHLG | \equiv X \overset{SK}{\leftrightarrow} SHLG$ . Moreover, similarly Goal 3 can be proved. $Goal 4 : X | \equiv # (R_{SHLG}, T 1)$ , according to $M 1 : X ◃ D$ , in which D contains the value E_kx [id_HG|| id_X|| P_X|| s_x|| m_t|| T1]. Now applying fresh rule and rule A6, we obtained that $SHLG | \equiv # R_{X}$ . After this, according to $M 1 : SHLG ◃ T 1$ ; here, T1 represents time stamp of X. By applying rules 4 and A8, we get $SHLG | \equiv # (T 1)$ ; therefore, $Goal 4 : X | \equiv # (R_{SHLG}, T 1)$ has been achieved. Similarly, $Goal 4 : SHLG | \equiv # (R_{x}, T 2)$ can be achieved.

Informal analysis of security (properties)

This section focuses on the resilience compared to feasible attacks (e.g. device-compromised attack, denial of services, message forgery (including man-in-the-middle (MITM) attack), masquerade attack, known-key attack, and message replay) and recognition of abnormal DLAs. Dolev–Yao model is used to analyze the proposed SDF where an attacker can snoop message between node X and SHLG and modify packets as mentioned by Dolev and Yao.²¹ Moreover, the properties of security (faceless and cryptic link, confidentiality, integrity, key installation session, and freshness of message) are also examined. The SDF scheme resilient against numerous attacks (e.g. device compromise, message forgery, masquerades, denial of services, and message replay) is shown in Figure 8.

Analysis of encrypted activity transfer and establishing secure trajectory against attacks. As illustrated in Figure 10(a)–(c), the proposed SDF achieved required abnormal activity and normal activity recognition under different attacks.

Definition

Encrypted activity transfer is helpful in terms of transformation of activities from one another. To recognize the encrypted activity transfer process, the trajectory activity attributes consider to verify and also match the token authentication (α_Xid), which is shown in Table 1. Activity transfer process needs the activity trajectory set and the time duration ΔT:

Trajectory set (m_t = (m1, m2, …, mn))|| ΔT;

Key-pol’s attributes set (id_X, Q_Xid, ΔT, s_x, m_t).

Encrypted keys hold the attributes of the activity transfer process and trajectory process. Old and new encrypted activities’ key sessions have some similarities due to their abnormal functionality and condition. In order to explain the specific activity transfer, we have to take the daily activity routine of individual through sensors encrypted through key-session process of SDF. Therefore, through this process, communication upheld the secure trajectory among the devices of the SHA and shortly deployment is secured against attacks. Activity’s key updating and sharing process is shown in Figure 9, and results of activity recognition under various condition are shown in Figure 10.

Figure 9.

Distributed trajectories updating and sharing mode for encrypted activities of key-session attributes: (a) time stamp synchronization, (b) sending encrypted key-pol attributes (id_X, Q_Xid, ΔT, s_x, m_t), and (c) updating encrypted trajectory and encrypted activity key-pol attributes (m_t = (m1, m2, …, mn)|| ΔT), $(S_{x} = (S 1, S 2, \dots, Sn)$ .

Figure 10.

Result analysis of the proposed framework: (a) activity recognition under certain attacks, (b) activity recognition average, and (c) recognition of different types of DLAs.

Comparison analysis of activity recognition based on trajectory transfer and mining

To calculate more accurately, we evaluate the activity recognition result based on trajectory transfer and on activity recognition mining using various encrypted key-pol attributes shared between various sensors of bedrooms, kitchen, aisle, bathroom, and living room, as illustrated in Figure 5. To evaluate the activity recognition under uncertain attack, experiment is executed four times and results showed value of attacks 1 to 8, whereas encrypted activity recognition remained secured and performed the normal activity, as shown in Figure 10(a). We also calculated the encrypted activity recognition during 1 to 8 attacks based on mining. Results revealed that security of encrypted activity recognition remains high and also categorized into maximum activity recognition, minimum activity recognition, and average DLA recognition as shown in Figure 10(b).

Case: device-compromised attack and deadlock avoidance. Proof

This type of attack mostly happens during communication between devices in the smart home resulting in deadlock. When an unauthorized person (e.g. adversary (Tom)) attempts to access control on device (e.g. surveillance camera or door lock sensor) and any of the devices compromise with the attacker Tom, usually schemes terminate the system in case of such attacks resulting in deadlock. However, our proposed scheme will detect the cause of such attack and will prevent the deadlock condition by keeping the rest of the network functional using distributed framework. SDF secured the device from such attacks due to its unique value α_XId of authentication token. Authentication token value α_XId comprises α_Xid (id_HG|| id_SX). Tom may seizure one legal message and he intentionally forged the few parameters to disrupt message integrity but Tom will be easily detected at device X because time stamp value ΔT of captured device will not match with the actual value of time stamp. In other case, if adversary successfully manages the time mechanism, then unique encrypted identity of the sensor (device) will be checked out, and if found mismatched by the actual identity assigned during offline, then proposed distributed approach will pause the specific device and remaining system will keep working avoiding any kind of deadlock. Results also revealed that such suspicious devices are treated specially to recognize their abnormal behavior activity. Therefore, chances of fake communication to hold between two nodes are finished by avoiding deadlock condition. SDF establishes new trajectory by sharing activity key-pol attributes ((m_t = (m1, m2 …mn))|| ΔT), $S_{x} = (S 1, S 2, \dots, Sn)$ . Furthermore, hard device exists inside smart home and SHLG checks it on regular basis. Das et al.³⁴ clearly mentioned that physical/real attacks could not be stopped without tamper-proof device. Proposed SDF secures nodes from device-compromised attack by authentication token which comprises α_Xid (id_HG|| id_SX). Therefore, node X will not verify the message of Tom and it will terminate session by declaring that it is a fake message.

Case: SDF secured against masquerades attack, denial of services, and message replay attack during adversary attempt. Proof

1. Secured against masquerade attack. When adversary (Tom) sends fake message for masquerade attack to join network as legal entity, then Tom will face problems against his message verification. Node X will not verify the identity of Tom’s message (id_HG_tom) because the information (id_HG) of SHLG is hidden in P = M [Q_Xid, id_HG|| id_X|| R_x|| s_x|| m_t|| T1] which will mismatch and the session will terminate. Therefore, adversary will not compute and cannot masquerade as a legal entity and secure required activity results are achieved as shown in Figures 8 and 10(c).

2. Protection against denial of services and message replay attack. This SDF (secure distributed key-session framework) has also provided security against DoS threat and replay attack. Furthermore, authentication of SHNs is being enhanced by its Silicon-ID in the work by Seshadri et al.,³⁵ which is assigned in this article as a character id_SX, that is, irreversible identity. In SHE, DoS attack is also repudiated by SDF using the time stamps. Tom can throw DoS threat using the function of replay of old message. However, proposed SDF protects the message by exploiting the advantages of T1, T2, T3, and T4 time stamps of the node X and SHLG. The proposed pattern can repel such DoS threats and replay attack.

Case: SDF secured against message MITM attack. Proof

In this case, simulation results clearly ensure that proposed SDF secures against active and passive attacks including MITM attack. Here, we assume that adversary (e.g. Tom) may try MITM attack by modifying {P, id_HG, R_x, s_x, m_t, T1} to {P, id_HG, R_xM, s_x, m_tM, T1} based on assumption mentioned in the “Assumptions” section. The SHLG will identify the attempt when the parameters of X are decrypted by K = HG (id_X,|| id_HG|| T3|| T2|| SSK|| s_x|| m_t|| Q_X’_id) and verify id_X. If this does not hold the same, the SHLG will terminate the system. Moreover, as M does not know the key K, the adversary cannot compute the real id_X = E_kx [id_HG|| id_X|| P_X|| s_x|| m_t|| T1]. Therefore, our assumption has been approved and the proposed SDF is secured against MITM attack.

Case: SDF secured reciprocated authorization when adversary try illegal access. Proof

1. Reciprocated authentication. To disallow illegal access in smart home, there should be a mutual authentication between SHLG and SHNs for trustworthy communication. Receiving first message {P, id_HG, R_x, s_x, m_t, T1}, node X computes P₁ and verifies P = P₁. If it does not match, then node X will abort the system. Suppose that Tom produces a message and passes it to node X but this message cannot pass because message is computed Q_Xid and SHLG verifies id_X = id_X for authentication of node. Therefore, proposed SDF achieved mutual trust and maintained mutual authentication between SHLG and node X.

Case: SDF secured key-session establishment and message confidentiality during attack. Proof

1. Key-session establishment and confidentiality of data. SDF established the session key agreement after performing authentication. Our assumption concerning eavesdrop between nodes is analyzed in this proof. Token authentication α_Xid is shared between node X and SHLG with secret key K_x which is encrypted. There is a session key SK = HG (id_X,|| id_HG|| T3|| T2|| SSK|| s_x|| m_t|| Q_X’id) agreed between SHLG and node X. A secure session is upheld after establishing session key (SK). Token authentication α_Xid having parameters each time and SHLG exploits the value of time [SK, S, T3, s_x, m_t, T2]. To maintain confidentiality of message, the SDF provides adequate level of security with session secret key SSK along with its key identifier which protects and secures message from eavesdropping attack, as expected.

2. Message Integrity and freshness. The SHLG computed P₁ = M [Q_X’_id, id_X|| id_HG|| R_x|| T1] which have Q_X’id and assigned by the SSP to the legal SHLG. SHLG generates the MAC for each response message by its origin. If this message is tempered by Tom (e.g. P_1Tom = M_Tom [Q_X’_idTom, id_X|| id_HG|| R_XTom|| T1]), node X cannot recognize the endorsement key which can compute valid mac address of the message; therefore, temper message of Tom will not be responded and simply ignored. In addition, SHLG will verify the integrity of message by computing tab = HGM [Q_X’_id, id_X|| id_HG|| R_x|| T2|| SSK] of node X. Then, freshness of the message is an important property, therefore, this proposed SDF will check whether message is recent or not replayed. Key installation process shows that proposed SDF has clock frame of involved legal entities which ensured that each message is fresh. Hence, our assumption is approved. The procedure involves requesting freshness of message as (id_HG, R_x, T2, SSK) which is responded as (K_Xid, P_X, T2, tab), and then legal devices match the information as (P_HG, T3) in this way approving freshness of message.

Case: SDF secured node identity faceless and upheld cryptic link when adversary tries to send fake identity. Proof

1. Faceless and cryptic link. Suppose that adversary (Tom) interrupts the transmission between node X and legal SHLG by eavesdropping. When node X communicates with legal SHLG, message is forwarded with identity id_X in encrypted form and assigned to P (as in section “Proposed SDF”). The node X computes the authenticated values {P, id_HG, R_x, s_x, m_t, T1} in each session. Therefore, adversaries failed to recognize the identity of node. Each message is different and randomized with number R_x and with true time stamp T1. The legitimate SHLG comprehends the real identity of node X by decrypting the message D = E_kx [id_HG|| id_X|| P_X|| s_x|| m_t|| T1]. Therefore, attackers could not find the link and proposed SDF achieved required result by keeping identity of device faceless and upheld cryptic link between node X and SHLG.

Security properties comparison

In Figure 11, we have compared security feature of proposed protocol with some related existing schemes in terms of different security attacks. It is noticeable in Figure 11 that none of the protocols are completely safe from security flaws. The well-popular BAN logic authenticates the proposed SDF and verifies that SDF securely achieves session key agreement and mutual authentication. Furthermore, using AVISPA security tool, simulation results of SDF show that the protocol achieves the security properties and is secure against passive and active attacks including MITM attack.

Figure 11.

Security properties and features’ comparison of SDF with other related protocols.

Computational and communication cost analysis of SDF with other schemes

This section focus on performance analysis of proposed SDF and measured efficiency in the light of computation and communication costs in comparison with other schemes.^17,18,22 This section comprises two subsections: (1) computation cost comparison and (2) communication cost comparison.

Computational cost comparison

We choose TelosB mote for experimental setup to implement the SDF as in the work by Kumar and colleagues.^17,22 TinyOS version 2.x is used by TelosB mote to run and operate system; for more details, see TinyOS tutorials³⁶ and TelosB datasheet.³⁷ Advance Encryption Standard (AES) has considered current encryption standard which uses symmetric key algorithm and integrated in CC2420 radios.³⁸ We use cipher block chaining (e.g. CBC-MAC) to verify the authentication and integrity of message. A beacon frame is used by SHLG for synchronization of information and clock time which provide help to synchronize the SHNs and SHLG.²² Clock synchronization is beyond the scope of this article; for more detailed experiment, we refer to previous works.^17,19,39 The purposed SDF requires reasonable memory size to execute experiment in TelosB mote. SHNs are resource-hungry devices and we used computational and communication costs only for such devices. Figure 12(a) clearly displays the required size of memory (ROM and RAM) and time execution for TelosB mote. Hash, CBC-MAC, and AES required 39, 8, and 3.4 ms, respectively, for computation operation at node X. SDF is more efficient in case of time consumption in comparison with other schemes which require high time consumption for their operations. The following conclusions are achieved by analyzing SDF with other schemes in AVISPA, TelosB, and real smart environment. Table 2 shows comparison of computational cost with other schemes. The scheme proposed by Vaidya et al.¹⁸ take 2t + 1H + 1Sig which is expensive due to public key cryptography for low-cost nodes of smart home (e.g. TelosB). The schemes by Kumar and colleagues^17,22 require almost same computational costs. Kumar et al.,¹⁷ for investigation of communicational cost, proposed size for message in smart home as follows: node X_ID as 1 byte, time stamp as 4 bytes, random number as 4 bytes, 16 bytes for hash functions, and 16 bytes as key size. The SDF required 1H + 1E + 1D for operations which means that SDF pointedly has low computational cost against other schemes in terms of time execution for resource-constraint nodes as shown in Table 2.

Figure 12.

Communication and memory size comparison of SDF with other schemes during execution: (a) communication cost comparison of SDF with other schemes and (b) computational cost comparison of SDF.

Table 2.

Comparison of computational cost with other schemes.

	Kumar et al.¹⁷	Vaidya et al.¹⁸	Kumar et al.²²	SDF
Point multiplication	–	2t	–	–
Hash operation	2H	1H	2H	1H
MAC	1MAC	–	–	–
HMAC	1HMAC	–	–	–
Cryptosystem	1E + 1D	–	1E + 1D	1E + 1D

t: the time execution point multiplication; H: the time for execution one-way hash function; E: the time for performing encryption; D: the time for performing decryption; MAC: the time for performing MAC operation; HMAC: the time for performing HMAC operation.¹⁷

Communicational cost comparison

In order to calculate the communicational overhead of SDF, we consider total number of bits received and transmitted by device X to initiate boot strapping. The communication cost is defined as a packet size consumed energy during transmission/receiving by a node. Communication cost of SDF with other schemes by Kumar and colleagues and Vaidya et al.^17,18,22 is as follows. Schemes by Kumar et al. and Vaidya et al.^17,18 take three rounds of message exchange during execution of whole protocol process as shown in Figure 12(b). In the work by Kumar et al.,²² two rounds of message exchange are calculated. SDF sends 212 bits and receives 72 bits messages but scheme by Kumar et al.²² sends 232 bits and receives 72 bits messages. We summarized the communicational, storage overhead in Table 3. It shows that computational and communicational costs of SDF are suitable as compared to other schemes. However, note that protocols projected in the work by Kumar et al.²² focused on anonymity of devices and did not consider the DLA recognition approach to secure network, but the new SDF comprises new methodology based on daily activity recognition and provides faceless and cryptic link comprising authentication. SDF achieves secure DLA recognition in smart home devices after conducting experiments both in real smart environment setup and AVISPA tool.

Table 3.

Communication, storage overhead.

	Kumar et al.¹⁷	Vaidya et al.¹⁸	Kumar et al.²²	Turkanovic et al.⁴⁰	SDF
Send in bits	(IS) 296	256	232	768	212
Receive in bits	(108 + 160) 268	384	72	1024	72
Total in bits	564	640	304	1792	284

SDF: secure distributed framework.

Conclusion

SHE consists of heterogeneous devices and provides several services to the personages. These smart homes have various functions, for example, climate detection and control system, healthcare system, security system, and electricity control system. Individuals can enjoy these facilities in such smart environment through network-based smart devices and sensors. Faceless identity of devices during communication regarding security measurements is a critical challenge in smart home, where adversary and unauthorized individuals can recognize home devices to damage the DLA of users.

The SDF, proposed in this article, comprehends freshness of message actively via timestamp and uses user’s activity pattern to recognize the abnormal activity to secure the entire communication from attack. Furthermore, it covers the integrity and authentication of data by keeping identity of nodes faceless and establishes trustworthy session via cryptic link. SDF comprehends freshness of message actively via timestamp. In addition, analysis of SDF (in both AVISPA tool and real smart environment) demonstrated that proposed pattern is suitable to enhance the security level of SHE.

Footnotes

Acknowledgements

The authors are immensely grateful to Director, Mr Mazhar Waseem, for the language editing that greatly improved the manuscript.

Handling Editor: Weizhi Meng

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work is supported by the National Natural Science Foundation of China under grant no. 61672115 and Chongqing Social Undertakings and Livelihood Security Science and Technology Innovation Project Special Program (nos cstc2015jcyjBX0124 and cstc2017shmsA30003).

ORCID iD

Muhammad Mehran Arshad Khan

References

Desai

Upadhyay

Security and privacy consideration for Internet of Things in smart home environments. Int J Eng Res Dev 2014; 10(11): 73–83.

Wang

Peng

et al . DPHK real-time distributed predicted data collecting based on activity pattern knowledge mined from trajectories in smart environment. Front Comput Sci 2016; 10(6): 1000–1011.

Kim

Boulos

Yackovich

et al . Seamless integration of heterogeneous devices and access control in smart homes. In: Proceedings of 8th international conference on intelligent environments, Guanajuato, Mexico, 26–29 June 2012, pp.206–213. New York: IEEE.

Gomez

Paradells

Wireless home automation networks: a survey of architecture and technologies. IEEE Commun Mag 2010; 48(6): 92–101.

Kailas

Cecchi

Mukherjee

A survey of communication and networking technologies for energy management in building and home automation. J Comput Netw Commun 2012; 2012: 932181.

GENIO—next generation home, https://webcache.googleusercontent.com/search?q=cache:hrKZN1OlekcJ: https://www.eurescom.eu/news-and-events/eurescommessage/eurescom-message-archive/eurescom-messge-2-2012/celtic-project-genio.html+&cd=1&hl=en&ct=clnk&gl=us (accessed 15 July 2015).

SM4ALL—smart home for all, http://www.sm4all-project.eu/ (accessed 16 July 2015).

HOPE—smart home for elderly people, http://www.hope-project.eu/ (accessed 15 July 2015).

Roshan

Ray

AK.

Challenges and risk to implement IOT in smart homes: an Indian perspective. Int J Comput Appl 2016; 153: 16–19.

10.

Wang

Zhang

Time-window and Voronoi-partition based aggregation scheduling in multi-sink wireless sensor networks. Ad Hoc Sens Wirel Ne 2016; 32: 221–238.

11.

Khan

MMA

Wang

Minhui

et al . Lightweight and seamless distributed scheme. Int J Info Commun Eng 2018; 12(6). waset.org/Publication/10009056

12.

Kim

Jung

Lee

et al . Home appliances control framework based on smart TV set-top box. IEEE T Consum Electr 2016; 62(1): 39–44.

13.

Chen

Luo

S2A: secure smart household appliances. In: Proceedings of the second ACM conference on data and application security and privacy, San Antonio, TX, 7–9 February 2012, pp.217–228. New York: ACM.

14.

Petroulakis

Askoxylakis

Tryfonas

Life-logging in smart home environments: challenges and security threats. In: IEEE international conference on communication (ICC), Ottawa, ON, Canada, 10–15 June 2012, pp.5680–5684. New York: IEEE.

15.

Burrough

Gill

Smart thermostat security: turning up the heat, http://www.burrough.org/Documents/Thermostat-final-paper.pdf (accessed 10 April 2015).

16.

Han

Kim

Shon

et al . A novel secure key paring protocol for RF4CE ubiquitous smart home system. Pers Ubiquit Comput 2013; 17(5): 945–949.

17.

Kumar

Gurtov

Iinatti

et al . Lightweight and secure session-key establishment scheme in smart home environments. IEEE Sens J 2016; 16(1): 254–264.

18.

Vaidya

Makrakis

Mouftah

. Device authentication mechanism for smart energy home area network. In: IEEE international conference on consumer electronics (ICCE), Las Vegas, NV, 9–12 January 2013, pp.88–93. New York: IEEE.

19.

Hoang

Pishva

A TOR-based anonymous communication approach to secure smart home appliances. In: 17th international conferences on advanced communication technology (ICACT), Seoul, South Korea, 1–3 July 2015, pp.517–525. New York: IEEE.

20.

Ayday

Rajagopal

Secure device authentication mechanisms for the smart grid-enabled home area networks. Technical report, 2013, https://infoscience.epfl.ch/record/188373/files/smart_grid_tech_report.pdf

21.

Dolev

Yao

. On the security of public key protocols. In: Proceedings of the 22nd annual symposium on foundations of computer science, 28–30 October 1981, Nashville, TN, pp.350–357. New York: IEEE.

22.

Kumar

Braeken

Gurtov

et al . Anonymous secure framework in connected smart home environments. IEEE T Inf Foren Sec 2017; 12(4): 968–979.

23.

. Design of a key establishment protocol for smart home energy management system. In: Fifth international conference on computational intelligence, communication systems and networks, Madrid, 5–7 June 2013, pp.88–93. New York: IEEE.

24.

Xia

et al . Design and implementation of a wireless sensor network for smart homes. In: 7th international conference on ubiquitous intelligence & computing and 7th international conference on automatic & trusted computing (UIC/ATC), Xian, China, 26–29 October 2010, pp.239–243. New York: IEEE.

25.

Liang

Huang

Jiang

et al . Design and implementation of wireless smart-home sensor network based on Zigbee protocol. In: International conference on communications, circuits and systems (ICCCAS), Fujian, China, 25–27 May 2008, pp.434–438. New York: IEEE.

26.

Tschofenig

Arkko

McPherson

Architecture considerations in smart object networking. Technical report. IAB RFC 7452, July 2014. Fremont, CA: Internet Engineering Task Force.

27.

Tschofenig

Arkko

. Report from the smart object workshop. Report, April 2012. Fremont, CA: Internet Engineering Task Force, https://tools.ietf.org/html/rfc6574

28.

Kumar

Ylianttilla

Gurtov

et al . An efficient and simple key distribution scheme for smart environments. In: IEEE international conference on consumer electronics (ICCE), Las Vegas, NV, 10–13 January 2014, pp.468–469. New York: IEEE.

29.

Mantas

Lymberopoulos

Komninos

Security in smart home environment. In: Lazakidou

Siassiakos

Ioannou

(eds) Wireless technologies for ambient assisted living and healthcare: systems and applications. Hershey, PA: IGI Global, 2006, pp.170–191.

30.

Huang

Sun

. A time synchronization mechanism for heterogeneous wireless sensor networks. In: International conference on automatic control and artificial intelligence (ACAI), Xiamen, China, 3–5 March 2012, pp.317–320. New York: IEEE.

31.

AVISPA: automated validation of Internet security protocols applications, http://www.avispa-project.org/web-interface/basic.php

32.

Vigano

Automated security protocol analysis with the AVISPA tool. Electr Not Theor Comput Sci 2006; 155: 61–86.

33.

Burrows

Abadi

Needham

A logic of authentication. ACM T Comput Syst 1990; 8(1): 18–36.

34.

Das

ML.

Two-factor user authentication in wireless sensor networks. IEEE T Wirel Commun 2009; 8(3): 1086–1090.

35.

Seshadri

Luk

Perrig

SAKE: software attestation for key establishment in sensor networks. Ad Hoc Netw 2011; 9(6): 1059–1067.

36.

TinyOS tutorials, http://tinyos.stanford.edu/tinyos-wiki/index.php/TinyOS_Tutorials

37.

TelosB datasheet, http://www.willow.co.uk/TelosBDatasheet.pdf

38.

Lee

Kapitanova

Son

SH.

The price of security in wireless sensor networks. Comput Netw 2010; 54(17): 2967–2978.

39.

Perrig

Szewczyk

Wen

et al . SPINS: security protocols for sensor networks. In: Perrig

Szewczyk

Tygar

et al . (eds) Wireless networks. Berlin: Springer, 2001, pp.189–199.

40.

Turkanovic

Brumen

Hölbl

A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet of Things notion. Ad Hoc Netw 2014; 20: 96–112.

41.

Drozda

Schaust

Szczerbicka

. AIS for misbehavior detection in wireless sensor networks: performance and design principles. In: IEEE congress on evolution computation (CEC), Singapore, 25–28 September 2007, pp.3719–3726. New York: IEEE.

42.

Xue

Hong

et al . A temporal-credential-based mu-tual authentication and key agreement scheme for wireless sensor networks. J Netw Comput Appl 2013; 36(1): 316–323.

43.

Ling

Daiyuan

et al . An enhanced privacy-aware authentication scheme for distributed mobile cloud computing services. KSII T Int Inform Syst 2017; 11(12): 6169–6187.

Secure distributed framework based on seamless key session for smart home environment

Abstract

Keywords

Introduction

Research contribution and motivation

Review of related work

Design model, security properties, and threat assumptions

Design model

SHLG

SHNs

Security service provider/control system

Internet (IPv4/IPv6)

Users

Security properties

Assumptions

Threat model

Proposed SDF

Notations, pre-deployment, and registration phase

SCS

Distributed approach

Definition

User’s activity recognition model

Distributed activity key-session model and activity variation

Activity key-session model

Definition of second pattern

Activity variation

Security verification and performance analysis of SDF

Experimental setup using AVISPA tool

Brief detail about AVISPA

Simulation results

Formal verification proof based on BAN logic

Informal analysis of security (properties)

Definition

Comparison analysis of activity recognition based on trajectory transfer and mining

Case: device-compromised attack and deadlock avoidance. Proof

Case: SDF secured against masquerades attack, denial of services, and message replay attack during adversary attempt. Proof

Case: SDF secured against message MITM attack. Proof

Case: SDF secured reciprocated authorization when adversary try illegal access. Proof

Case: SDF secured key-session establishment and message confidentiality during attack. Proof

Case: SDF secured node identity faceless and upheld cryptic link when adversary tries to send fake identity. Proof

Security properties comparison

Computational and communication cost analysis of SDF with other schemes

Computational cost comparison

Communicational cost comparison

Conclusion

Footnotes

Acknowledgements

Declaration of conflicting interests

Funding

ORCID iD

References