Citation: Lee, J.; Oh, J.; Kwon, D.; Kim, M.; Yu, S.; Jho, N.-S.; Park, Y. PUFTAP-IoT: PUF-Based Three-Factor Authentication Protocol in IoT Environment Focused on Sensing Devices. Sensors 2022, 22, 7075. https://doi.org/10.3390/s22187075
Academic Editors: Matteo Anedda and Daniele Giusto
Received: 16 August 2022
Accepted: 16 September 2022
Published: 19 September 2022
Copyright: © 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Article
PUFTAP-IoT: PUF-Based Three-Factor Authentication Protocol in IoT Environment Focused on Sensing Devices
JoonYoung Lee 1, JiHyeon Oh 1, DeokKyu Kwon 1, MyeongHyun Kim 1, SungJin Yu 1,2, Nam-Su Jho 2 and Youngho Park 1,3,*
1 School of Electronic and Electrical Engineering, Kyungpook National University, Daegu 41566, Korea
2 Electronics and Telecommunications Research Institute, Daejeon 34129, Korea
3 School of Electronics Engineering, Kyungpook National University, Daegu 41566, Korea
* Correspondence: parkyh@knu.ac.kr; Tel.: +82-53-950-7842
Abstract: In IoT-based environments, smart services can be provided to users under various environments, such as smart homes, smart factories, smart cities, smart transportation, and healthcare, by utilizing sensing devices. Nevertheless, a series of security problems may arise because of the nature of the wireless channel in the Wireless Sensor Network (WSN) for utilizing IoT services. Authentication and key agreements are essential elements for providing secure services in WSNs. Accordingly, two-factor and three-factor-based authentication protocol research is being actively conducted. However, IoT service users can be vulnerable to ID/password pair guessing attacks by setting easy-to-remember identities and passwords. In addition, sensors and sensing devices deployed in IoT environments are vulnerable to capture attacks. To address this issue, in this paper, we analyze the protocols of Chunka et al., Amintoosi et al., and Hajian et al. and describe their security vulnerabilities. Moreover, this paper introduces PUF and honey list techniques with three-factor authentication to design protocols resistant to ID/password pair guessing, brute-force, and capture attacks. Accordingly, we introduce PUFTAP-IoT, which can provide secure services in the IoT environment. To prove the security of PUFTAP-IoT, we perform formal analyses through Burrows Abadi Needham (BAN) logic, Real-Or-Random (ROR) model, and scyther simulation tools. In addition, we demonstrate the efficiency of the protocol compared with other authentication protocols in terms of security, computational cost, and communication cost, showing that it can provide secure services in IoT environments.
Keywords: IoT; WSN; PUF; biometrics; honey list; authentication; BAN logic; ROR model; scyther
1. Introduction
The rapid development of wireless networks and the Internet of Things (IoT) has created opportunities to communicate with things over the Internet. Wireless sensor networks (WSN), a combination of wireless networks and IoT sensors, are garnering increasing attention worldwide as an exciting new paradigm of IoT in various fields, such as smart home, smart city, smart transportation, and smart agriculture [1–3]. In this IoT-based environment, data are collected through various sensors and sensing devices, and users can access them through a gateway node. Through WSN, users can use convenient services in real time via IoT devices in an IoT-based environment. For example, with their IoT devices, users can remotely operate the lights in their house or sprinklers in their garden.
However, because this convenient service is provided through a wireless network, it is vulnerable to illegal access by malicious attackers [4,5]. This can harm the convenience of IoT, for example through invasions of user privacy and eavesdropping. Malicious attackers can also be insiders or outsiders seeking to breach network security and falsify data integrity. Moreover, problems of node and link failures (i.e., cascading failures) can occur due to the