SECURE LIGHTWEIGHT AUTHENTICATION FOR INTERNET OF THINGS

Abstract

The proliferation of Internet of Things (IoT) devices across various domains has in- troduced new challenges in ensuring secure and efficient communication over inherently insecure networks. Authentication protocols in such environments must balance robust- ness, lightweight execution, and resilience against evolving attack vectors. Given the limitations of conventional schemes in resource-constrained and high-risk settings, this thesis report presents two novel contributions designed to enhance authentication security in IoT ecosystems through cryptographic and architectural innovations. As part of this effort, the first contribution targets security enhancement in Internet- of-Medical-Things (IoMT) scenarios. Robust schemes are particularly critical in such settings due to the transmitted data’s sensitivity and resource-constrained device limi- tations. While Masud et al. proposed a protocol for securing data in IoMT networks, their approach remains vulnerable to offline password-guessing and privileged insider at- tacks, posing serious privacy and patient safety risks. To address these issues, this report proposes a novel protocol, P-MASFEP (security-enhanced PUF (Physically Unclonable Functions)-based Mutual Authentication & Session key establishment using Fuzzy Ex- tractor & PKI (Public Key Infrastructure)). P-MASFEP integrates PUFs with fuzzy extractors to actively derive stable cryptographic keys from biometric input, mitigating password-guessing risks. It also employs PKI to distribute session keys securely and ensures protection against insider threats through mutual authentication. The second contribution focuses on overcoming the inherent limitations of a traditional authentication framework, Kerberos. Its traditional design faces challenges in resource- constrained IoT environments, including computational inefficiencies, lack of clock syn- chronization, and limited scalability. In addition to these limitations, Kerberos remains vulnerable to several modern attacks such as password-guessing, Kerberoasting, Golden Ticket, and Silver Ticket attacks. Prapty et al.’s KESIC, adapts Kerberos for IoT by introducing optimizations. However, it relies on symmetric cryptography for authentica- tion and key exchange. Additionally, it remains susceptible to password-based attacks, necessitating a more secure approach. This work proposes two novel protocols to address these issues: (1) Kerberos with FIDO (Fast Identity Online) Integration (KFI), which integrates FIDO’s passwordless authentication to eliminate password-derived vulnerabil- ities; and (2) Kerberos with FIDO and Lightweight extension for IoT (KFLIT), which extends KFI by incorporating lightweight HMAC and XOR operations to reduce compu- tational overhead, counter-based synchronization to eliminate dependency on real-time clocks, and an attestation mechanism to verify IoT device integrity before granting access. Together, the proposed solutions address critical gaps in current authentication mech- anisms for constrained environments. By tackling domain-specific (IoMT) and general- purpose (IoT) challenges, this report contributes to building a secure and scalable au- thentication foundation for next-generation connected systems.