A lightweight certificate-based authentication scheme for 6LoWPAN-based internet of things

As the 6LoWPAN devices in Internet of Things (IoT) applications communicate sensitive information over unattended and insecure channels, it is essential to design suitable authentication methods for such devices. Due to their high computation and communication overheads, traditional certificate-based authentication schemes are predominantly considered impractical for the resource-constrained 6LoWPAN devices used in IoT applications. However, a certificate with some lightweight features makes authentication feasible on those resource-constrained 6LoWPAN devices. This paper proposes a lightweight certificate-based authentication scheme based on a cryptographic hash operation and the elliptic curve digital signature algorithm. It can mitigate several security threats, including replay, man-in-the-middle, impersonation, malicious device deployment, and spoofing attacks. The Automated Validation of Internet Security Protocols and Applications (AVISPA) tool is used to formally verify the security of the proposed scheme against several known attacks. In addition, the correctness of the authentication scheme is verified using the widely accepted BAN logic. Moreover, a comparative analysis of the proposed scheme and other well-established relevant schemes is carried out to work out the trade-off, considering not only the functionality attributes and security but also the computation and communication costs involved.


Introduction
The Internet of Things (IoT) is considered the internetworking of several physical and virtual objects (things). It allows intelligent objects such as sensors, smart meters, smartphones, smart vehicles, radio-frequency identification (RFID) tags, personal digital assistants (PDAs), and other items to communicate and exchange information [1,2]. The increasing use of such IoT devices generates massive amounts of data, requiring high storage capacity and communication bandwidth [3]. IoT devices are resource-constrained, with low computation and communication capabilities, as they are primarily battery-operated. Hence, any security protocol developed for such resource-constrained devices should be lightweight.
IPv6 over IEEE 802.15.4 (6LoWPAN) has gained popularity in IoT due to its capability to bring the Internet protocol to low-power IoT devices [4]. The risk of attack increases with the unattended nature of 6LoWPAN devices. The primary security features required in a 6LoWPAN network are authentication of data and devices, data confidentiality, data integrity, and protection against device tampering attacks [5,6]. The fragmented information obtained from the decentralized and distributed architecture of the IoT network makes authentication more critical and increases the security challenges. Resource-constrained IoT devices must be identified and verified before they access the network and communicate with each other. Therefore, providing the authenticity security service for such resource-constrained devices becomes challenging.
Public key cryptography [7,8] offers a satisfactory solution for such decentralized and distributed IoT networks. Together with certificates [9,10] and digital signatures [11,12], it can provide a feasible solution for authentication of data and devices. Certificate-based authentication identifies a device with a certificate digitally signed by a server known as the certificate authority (CA). A digital signature is data encrypted with the device's secret key [13,14]. The underlying advantages of using certificates are that no pre-configured pair-wise agreement between authenticating devices is needed and that the meta-information in the certificate itself authenticates the devices. Also, compromised devices can be excluded directly through the pre-configured revocation list of the CA.
For large-scale device authentication, the certificate is an established method, making it highly scalable. The CA need not maintain the user's or the device's secret information, which gives it an advantage over symmetric-key-based schemes. However, certificate-based solutions need to process a long certificate chain on a resource-constrained device, which leads to memory overhead for transmitting, generating and verifying the certificate and for checking the certificate revocation list. Therefore, designing a certificate-based authentication scheme is challenging given the lightweight nature of resource-constrained 6LoWPAN devices.

Motivation
Low-power wireless personal area networks (LoWPANs) [15,16] consist of IEEE 802.15.4 devices with constraints on computation power and memory consumption. When the low-power 6LoWPAN devices communicate among themselves over the open Internet, their security becomes vital. The communicating devices must ensure that the information obtained or shared among them is genuine and comes from an authorized person or device. Therefore, authentication of the devices becomes one of the essential features of 6LoWPAN security. Symmetric-key-based authentication schemes using XOR and hash operations have provided the critical security solutions for LoWPAN networks [17]. However, certificates can provide better security solutions where symmetric key cryptography falls short. The certificate scheme eliminates the key-distribution problem of symmetric-key-based approaches, and the signature used in the certificate is non-repudiable, which makes the authentication process more accessible. Considering the advantages of using a certificate, in this article we propose a lightweight certificate-based authentication scheme for the 6LoWPAN-based Internet of Things and evaluate its performance on such resource-constrained devices. Our scheme carries out the following two tasks:
- Device Authentication: A new sensor device must perform entity authentication, authenticating itself to its neighbor device based on the certificate issued by the Gateway Node (GWN), to prove that the sensor device is legitimate and has the right to access information from other communicating devices.
- Key Establishment: After successful entity authentication in the previous task, the key establishment ensures that "a secret shared session key is to be established between two smart devices to assure secure communication during the transmission of sensing information."

Contribution
The contributions of this paper are as follows:
- We propose a lightweight certificate-based authentication scheme for the resource-constrained 6LoWPAN-based IoT. The one-way cryptographic hash operation and elliptic curve cryptography (ECC) make our scheme lightweight.
- We have tested the security of the proposed scheme using the widely accepted AVISPA tool. Moreover, the correctness of the logic of the proposed scheme is proved by BAN logic.
- Lastly, a comprehensive study is carried out to evaluate the performance of the proposed and some relevant schemes and compare them. This study shows that a better trade-off exists among the performance parameters, "security and functionality features, and also computation and communication overhead", compared with other relevant established schemes.

Organization of the paper
The important certificate-based solutions for resource-constrained devices are discussed in Sect. 2. Section 3 provides a detailed description of the proposed scheme, including its various phases. The security analysis of the proposed scheme, with its verification and proof of correctness, is presented in Sect. 4. A comparative analysis of the proposed scheme with the existing conventional methods is done in Sect. 5. Finally, we conclude the paper in Sect. 6.

Fig. 1 Architecture description of a 6LoWPAN network

Architecture of 6LoWPAN network
The architecture considered in the proposed scheme is shown in Fig. 1. A 6LoWPAN network consists of the 6LoWPAN routers or gateway (GWN) and the local hosts, connected via the Internet. Every local host device must register itself with its router, and the two must authenticate each other before communicating and exchanging messages.

Threat model
We use the standard adversary model, the "Dolev-Yao (DY) model" [18,19], to analyze the capabilities of an attacker against the proposed scheme. Due to the unattended nature of the 6LoWPAN network, the risk of attack on the principals (entities, users, or devices) increases. A principal may be a computer, a device, an organization of devices, a user, etc. The attacker can not only eavesdrop but also alter, modify, forge, duplicate, re-route, delete or inject data, disrupting the network. The attacker can do the following:
- Obtain and eavesdrop on messages passing through the network.
- Duplicate a legitimate device to communicate with other devices in the network.
- Inject, forge, manipulate, and impersonate a legitimate device.
- Encrypt or decrypt messages if it has obtained the secret key.

Diffie-Hellman key exchange protocol
This protocol is used to establish a secret session key between two parties, say A and B, over an open network without a trusted third party between them. A step-wise description of the "Diffie-Hellman key exchange" is given below:
- Step 1 Let p, q be two large prime numbers, with a generator fixed over $Z_p^*$.
- Step 2 When device A wants to communicate with device B using the "Diffie-Hellman protocol", device A selects its private key $X_A$, where $X_A < p$.
- Step 3 It calculates its public key $Y_A$ as the generator raised to the power $X_A$ modulo q, and the key $K = Y_B^{X_A} \bmod q$.
- Step 4 Device B selects its private key $X_B$, where $X_B < p$, calculates $Y_B$ as the generator raised to the power $X_B$ modulo q, and also computes the key $K = Y_A^{X_B} \bmod q$.
- Step 5 Now the keys computed by devices A and B are compared. If the value of the key K is the same for both devices, the authentication is successful; else the authentication request is rejected.

Elliptic curve digital signature algorithm
A digital signature is a very important cryptographic primitive which can be used to provide the non-repudiation, authentication, and integrity security services. The most widely used digital signature schemes are "RSA (Rivest-Shamir-Adleman)" [21], "DSA (Digital Signature Algorithm)" [22], and "ECDSA (Elliptic Curve Digital Signature Algorithm)" [23]. RSA (RSA-1024) and DSA (DSA-1024) provide security with a 1024-bit key, whereas "Elliptic Curve Cryptography" (ECC-160) provides the same security level of 80 bits. Therefore, ECDSA provides a short signature size of 320 bits.
In a digital signature algorithm, a signer publishes its public key while keeping the private key secret. The signer then uses its private key to create a digital signature on the message or data, and the signer's public key is used to verify the signature. The ECDSA [20] is described as follows:
- Given the elliptic curve E defined over the finite field $F_q$ and a base point $G \in E(F_p)$, where p, q are the field size and either $p = q$, an odd number, or $q = 2^m$.
- Let elements $a, b \in F_p$ define the equation of E over $F_q$, i.e., $y^2 = x^3 + ax + b$ with $4a^3 + 27b^2 \not\equiv 0 \pmod p$.
- Let E over $F_q$ have order N, where $N = nh$, $n \neq q$ and n is prime.
ECDSA key generation: both entities A and B undergo the following key pair generation steps:

Related work
A simple certificate-based authentication scheme for wireless sensor networks is discussed in [24]. In this public-key-based approach every user has its own private-public key pair, and every sink is equipped with every user's private-public key pair. The user signs the message with the generated key pair using the digital signature algorithm. The sink, or the "Certificate Authority" (CA), stores and evaluates the user's private-public key pair. This approach solves the message transmission delay problem of the symmetric key approach. The author analyzed the energy consumption of the scheme. Transmitting a long certificate along with the message at every hop becomes a high per-message overhead, and signature generation and verification also add overhead. Porambage et al. [25] discussed a two-phase certificate-based authentication for IoT scenarios with secure initial connection and mutual authentication. The protocol supports sensor node scarcity, scalability, and heterogeneity of the distributed IoT network. It consists of a registration phase, which obtains the node's credentials, such as certificates and cipher suites, from a trusted third party, i.e., the "certificate authority" (CA), between the user and the edge device. In the second phase, the authentication phase, the edge device and the end-user mutually authenticate using the obtained security credentials. Their certificate scheme uses the "elliptic curve Qu-Vanstone" (ECQV) and ECDH key exchange mechanisms. The security analysis covers denial-of-service attacks and node modification issues; however, analysis of vulnerabilities like node capture, replay, and man-in-the-middle attacks is yet to be done.
A certificate-based signature scheme [26] creates a compact signature using an aggregate of messages or signatures. It is a pairing-free approach, where every sensing device acts as a user/signer. Device credentials like the ID and system parameters are pre-loaded in the device before deployment. In the deployment phase, the device runs keyExtract(.) and sends its (ID, public key) to the Trusted Authority (TA), which generates a certificate. The aggregator node or device has the capability to verify and compress the signature, and the generated aggregate certificate is confirmed at the receiving end device. The particular certificate has been used several times before the complications and changes in the purpose of the certificate.
Zhou et al. [27] proposed a "certificate-based access control mechanism" with ECC along with a "bootstrapping time", applicable to sensor networks. In addition, Huang et al. [28] proposed another access control scheme based on the conventional Schnorr signature scheme [29] and the device expiration time. Chatterjee et al. [30] highlighted the drawbacks of Huang's scheme and proposed an efficient access control mechanism using a "one-way cryptographic hash" and ECC. Huang et al. [31] developed a "certificate-less access control approach" with "hash-chain based" and "hash-chainless" variants. Subsequently, Kim et al. [32] proposed an enhanced "access control scheme" with "hash renewal" features. The author identified that Huang et al. [33] lacks a security analysis, leaving it prone to replay and active attacks.
Recently, Malani et al. [10] proposed a device access control mechanism using a lightweight certificate for IoT networks. The scheme treats the gateway node as the "Certificate Authority" (CA), which generates certificates for the communicating devices and pre-loads the certificate before the deployment phase. The mechanism uses lightweight authentication and key management for device access control, and also establishes a shared secret key, which helps secure communication while transmitting sensitive data. The scheme provides a better trade-off among security features and attacks, communication cost, and computation cost.
A PUF-based authentication scheme using ECC for an IoT environment was proposed by Siddhartha et al. [34]. It consists of three phases: implicit certificate generation, key establishment, and mutual authentication. Certificate generation and verification incur a large execution overhead, and the encryption-decryption operation increases the computational overhead further. No attack analysis was carried out for that scheme, and its security was not verified with well-established security verification tools like ProVerif and AVISPA.
An energy-saving secure end-to-end (E2E) communication scheme based on header compression of the 6LoWPAN HIP DEX packet is discussed by Bettoum et al. [35]. HIP DEX is an adaptation-layer IP-based protocol over 6LoWPAN, which resists Denial of Service (DoS) and man-in-the-middle attacks thanks to its puzzle mechanism. Using HIP, IPsec, and ECC ensures secure traffic at the transport layer. The method uses ECDH for key generation. The paper does not provide any formal security verification; the article only focuses on the energy cost and transmission delay of the authentication protocol.
A trust aggregation-based authentication scheme for edge-enabled IoT devices, called TACAS-IoT, is proposed by Wazid et al. [36]. The article discusses various trust levels: local trust for device-to-device communication, semi-global trust for edge-to-IoT device communication, and global trust for server-to-edge device communication. Successful verification of the certificate and signature builds the ultimate trust between the communicating devices. The scheme has high communication and computation overhead.
Siddiqui et al. [37] proposed a robust authentication scheme with a PUF-based digital signature, certificates and Public Key Infrastructure (PKI) for an IoT cloud system. The article uses lightweight two-phase authentication with physically unclonable functions (PUFs). PUF authentication is secure due to the unclonable functionality that withstands security attacks and its ability to support biometric features for authentication. The article discusses the shortcomings of [38] and enhances it with improvements to the PUF key generation mechanism and a PUF-PKI-based digital signature. Table 1 compares the existing certificate-based authentication schemes for an IoT network.

Proposed scheme
In this section, we present a novel certificate-based authentication scheme for the 6LoWPAN-based IoT. The scheme uses a "one-way cryptographic hash function" and ECC, which make it simple and lightweight. The proposed scheme has three phases: Setup, Device Registration, and Authentication. The notation used in the proposed scheme for its analysis and evaluation is given in Table 2. The current timestamps are denoted by $T_1$, $T_2$, $T_3$, and all clocks in the communication are assumed to be synchronized [10,39].
A detailed elaboration of these three phases is as follows.

Setup phase
In the proposed scheme, the GWN acts as the public key infrastructure (PKI), which makes authentication straightforward. Before any sensor device is deployed in the network, the gateway GWN sets the system parameters by executing this setup phase with the following operations:
- Step 1 The gateway uses the lightweight "one-way cryptographic hash function" defined as $H: \{0,1\}^* \to \{0,1\}^l$, whose input is of arbitrary length and whose output (message digest) is of fixed length l (in bits).
where $(a, b) \in F_p$ satisfy the condition $4a^3 + 27b^2 \neq 0$.
- Step 4 The GWN then generates its public-private key pair by selecting its private key $K_{gwn}$ at random and calculating its public key $PK_{gwn} = K_{gwn} \cdot G$.
- Step 5 Finally, the GWN publishes the public parameters $(H(\cdot), G, PK_{gwn}, E_p(a, b))$ and keeps $K_{gwn}$ secret.

Registration phase/device enrollment phase
In the proposed scheme, each 6LoWPAN sensing device $SD_i$ must register itself with the gateway before deployment. The local host registers itself with the router using its unique ID and its public key. This phase consists of the following steps:
- Step 1 For each $SD_i$, the GWN checks whether the device ID has already been registered. If not, the GWN generates a unique ID $ID_{dev_i}$ and a random secret key $K_{dev_i}$ over $Z_p^*$, and calculates the public key of the device as $PK_{dev_i} = K_{dev_i} \cdot G$.
- Step 2 The GWN generates a certificate $CERT_{dev_i}$ for every local host device, computed from $K_{gwn}$, $H(ID_{gwn} \| K_{dev_i} \| PK_{gwn})$ and $K_{dev_i}$ (its form is expanded in the certificate correctness check of Step 2.1 of the authentication phase). Note that nobody except the GWN can create the certificate, as it requires the secret key $K_{gwn}$. The GWN then pre-loads the credentials of the sensor $SD_i$ as:

Authentication phase
The communicating devices $SD_i$ and $SD_j$ must undergo successful authentication before establishing a secure session key between them. An outline of the proposed scheme is given in Fig. 2. The authentication phase of the proposed scheme is executed as follows:
- Step 1 The device $SD_i$ generates the current timestamp $T_1$ and a random number $r_{dev_i} \in Z_p^*$ and calculates the key $R_{dev_i} = r_{dev_i} \cdot G$. $SD_i$ then calculates the signature $SIG_{dev_i}$ with two components $S1_{dev_i}$ and $S2_{dev_i}$, where $S1_{dev_i} = H(r_{dev_i} \cdot G)$ and $S2_{dev_i}$ is formed from $r_{dev_i}$, its private key $K_{dev_i}$ and $S1_{dev_i}$ in the same way as $S2_{dev_j}$ in Step 3 below. It is worth noting that the ECDLP [20] is relied upon for signing. The local host $SD_i$ sends the message $M_1 = \langle CERT_{dev_i}, SIG_{dev_i}: \langle S1_{dev_i}, S2_{dev_i} \rangle, PK_{dev_i}, T_1, R_{dev_i} \rangle$ to $SD_j$.
- Step 2 On receiving $M_1$ from $SD_i$, $SD_j$ performs the following sequence of steps.
  - Step 2.1 $SD_j$ checks whether the received timestamp is within the threshold, $(T_2 - T_1) \leq \Delta T$; if so, the computations below are carried out, else the device is rejected and block-listed. Once the condition is satisfied, $SD_j$ checks whether the received certificate is valid. Correctness is verified as:
    $CERT_{dev_i} \cdot G = (K_{gwn} \cdot H(ID_{gwn} \| K_{dev_i} \| PK_{gwn}) + K_{dev_i}) \cdot G = (K_{gwn} \cdot G) \cdot H(ID_{gwn} \| K_{dev_i} \| PK_{gwn}) + (K_{dev_i} \cdot G) = PK_{gwn} \cdot H(ID_{gwn} \| K_{dev_i} \| PK_{gwn}) + PK_{dev_i}$
  - Step 2.2 Once certificate verification is over, $SD_j$ verifies the signature of the sending device $SD_i$ by checking the condition $\ldots \cdot S1_{dev_i} \cdot PK_{dev_i} = S1_{dev_i}$.
- Step 3 Once the signature is verified, $SD_j$ generates a random number $r_{dev_j} \in Z_p^*$, takes its current timestamp $T_2$ and calculates its key $R_{dev_j} = r_{dev_j} \cdot G$. $SD_j$ calculates the signature $SIG_{dev_j}$ with two components $S1_{dev_j}$ and $S2_{dev_j}$, where $S1_{dev_j} = H(r_{dev_j} \cdot G)$ and $S2_{dev_j} = [H(K_{dev_j} \| ID_{dev_j} \| PK_{dev_j} \| R_{dev_j}) + K_{dev_j} \cdot S1_{dev_j}] \cdot r_{dev_j}^{-1} \bmod p$. The secret session key $SK_{ij}$ is calculated as $SK_{ij} = R_{dev_i} \cdot r_{dev_j}$, and the verifier of the session key $VSK_{ij}$ is generated as $VSK_{ij} = H(SK_{ij} \| T_2)$.
- Step 4 $SD_j$ sends the message $M_2 = \langle CERT_{dev_j}, SIG_{dev_j}: \langle S1_{dev_j}, S2_{dev_j} \rangle, PK_{dev_j}, T_2, VSK_{ij} \rangle$ to $SD_i$.
- Step 5 On receiving $M_2$ from $SD_j$, $SD_i$ checks whether the timestamp is fresh with the condition $(T_3 - T_2) \leq \Delta T$. If not, the authentication request is rejected. Else, the following computations are carried out:
  - Step 5.1 The received certificate is verified as: $CERT_{dev_j} \cdot G = (K_{gwn} \cdot H(ID_{gwn} \| K_{dev_j} \| PK_{gwn}) + K_{dev_j}) \cdot G = (K_{gwn} \cdot G) \cdot H(ID_{gwn} \| K_{dev_j} \| PK_{gwn}) + (K_{dev_j} \cdot G) = PK_{gwn} \cdot H(ID_{gwn} \| K_{dev_j} \| PK_{gwn}) + PK_{dev_j}$
  - Step 5.2 Once the certificate is verified, $SD_i$ checks the validity of the received signature $SIG_{dev_j}$ of the sensing device $SD_j$ by the condition $\ldots \cdot S1_{dev_j} \cdot PK_{dev_j} = S1_{dev_j}$.
- Step 6 If the certificate or the signature is not valid, the authentication request of the device $SD_j$ is rejected and $SD_j$ is blocked. If both are valid, $SD_i$ evaluates the session key $SK'_{ij} = R_{dev_j} \cdot r_{dev_i}$. $SK'_{ij}$ is nothing but $SK_{ij}$, since $SK'_{ij} = R_{dev_j} \cdot r_{dev_i} = (r_{dev_j} \cdot G) \cdot r_{dev_i} = (r_{dev_i} \cdot G) \cdot r_{dev_j} = R_{dev_i} \cdot r_{dev_j} = SK_{ij}$.
- Step 7 The validity of the secret session key is checked with $VSK_{ij} = H(SK'_{ij} \| T_2)$. If this condition holds, both devices $SD_i$ and $SD_j$ use the secret session key $SK_{ij}$, which equals $SK'_{ij}$. The session key $SK_{ij}$ then secures the connection between $SD_i$ and $SD_j$.
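As an added example (not code from the paper), the registration and authentication steps above are modelled in Python on secp256k1, with SHA-256 reduced mod n standing in for the unspecified curve $E_p(a, b)$ and hash $H(\cdot)$. Two further assumptions: the signature verification equation is derived from the $S2$ definition, since the page does not give its own condition in full, and because the hash inputs $H(ID_{gwn} \| K_{dev} \| PK_{gwn})$ and $H(K_{dev} \| ID_{dev} \| PK_{dev} \| R_{dev})$ contain the device's private key, the key owner hands those digests to the verifier alongside the certificate and signature; timestamp window checks are omitted.

```python
"""Added toy model of the proposed scheme's certificate, signature and session key steps."""
import hashlib
import secrets

# secp256k1 domain parameters (assumption: the page leaves E_p(a, b) unspecified).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point):
    """Double-and-add scalar multiplication k.point (T_em in the paper's cost model)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def H(*parts):
    """One-way hash H(.): SHA-256 over the '||'-concatenation, reduced mod N (assumption)."""
    data = b"||".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def rand_scalar():
    """Random element of Z_p^*, used for private keys and the nonces r_dev."""
    return secrets.randbelow(N - 1) + 1

def register(id_gwn, k_gwn, pk_gwn, id_dev):
    """Registration phase: PK_dev = K_dev.G, CERT_dev = K_gwn.H(ID_gwn||K_dev||PK_gwn) + K_dev mod N.
    The digest h_cert travels with the device, since only K_dev's owner can recompute it."""
    k_dev = rand_scalar()
    pk_dev = ec_mul(k_dev, G)
    h_cert = H(id_gwn, k_dev, pk_gwn)
    cert = (k_gwn * h_cert + k_dev) % N
    return {"id": id_dev, "k": k_dev, "pk": pk_dev, "cert": cert, "h_cert": h_cert}

def verify_certificate(cert, h_cert, pk_gwn, pk_dev):
    """Step 2.1 / 5.1: CERT.G must equal PK_gwn.H(ID_gwn||K_dev||PK_gwn) + PK_dev."""
    return ec_mul(cert, G) == ec_add(ec_mul(h_cert, pk_gwn), pk_dev)

def sign(dev):
    """Step 1 / 3: R = r.G, S1 = H(r.G), S2 = [H(K||ID||PK||R) + K.S1].r^-1 mod N."""
    r = rand_scalar()
    R = ec_mul(r, G)
    s1 = H(R)
    h_sig = H(dev["k"], dev["id"], dev["pk"], R)
    s2 = (h_sig + dev["k"] * s1) * pow(r, -1, N) % N
    return (s1, s2), R, r, h_sig

def verify_signature(sig, h_sig, pk_dev):
    """Check derived from the S2 definition (assumption): S2^-1.h.G + S2^-1.S1.PK_dev
    equals r.G, so hashing that point must reproduce S1."""
    s1, s2 = sig
    w = pow(s2, -1, N)
    point = ec_add(ec_mul(w * h_sig % N, G), ec_mul(w * s1 % N, pk_dev))
    return H(point) == s1

def authenticate(pk_gwn, dev_i, dev_j, t2=1700000000):
    """Authentication phase (timestamp window checks omitted; t2 is a constructed T_2).
    Returns True only if both certificates, both signatures and VSK_ij verify."""
    sig_i, R_i, r_i, h_i = sign(dev_i)                 # Step 1: SD_i forms M1
    if not (verify_certificate(dev_i["cert"], dev_i["h_cert"], pk_gwn, dev_i["pk"])
            and verify_signature(sig_i, h_i, dev_i["pk"])):
        return False                                   # Step 2: SD_j rejects SD_i
    sig_j, R_j, r_j, h_j = sign(dev_j)                 # Step 3: SD_j signs
    sk_ij = ec_mul(r_j, R_i)                           # SK_ij = R_dev_i . r_dev_j
    vsk_ij = H(sk_ij, t2)                              # VSK_ij = H(SK_ij || T_2), sent in M2
    if not (verify_certificate(dev_j["cert"], dev_j["h_cert"], pk_gwn, dev_j["pk"])
            and verify_signature(sig_j, h_j, dev_j["pk"])):
        return False                                   # Step 5: SD_i rejects SD_j
    sk_prime = ec_mul(r_i, R_j)                        # Step 6: SK'_ij = R_dev_j . r_dev_i
    return H(sk_prime, t2) == vsk_ij                   # Step 7: verifier of the session key

def demo():
    """Setup + registration of two devices; returns (honest run, run with a tampered CERT)."""
    k_gwn = rand_scalar()
    pk_gwn = ec_mul(k_gwn, G)
    sd_i = register("GWN-1", k_gwn, pk_gwn, "SD-i")   # constructed identifiers
    sd_j = register("GWN-1", k_gwn, pk_gwn, "SD-j")
    forged = dict(sd_j, cert=(sd_j["cert"] + 1) % N)
    return authenticate(pk_gwn, sd_i, sd_j), authenticate(pk_gwn, sd_i, forged)
```

Running `demo()` returns `(True, False)`: the honest exchange ends with both sides holding the same session key, while a certificate altered by one unit fails the $CERT \cdot G$ check in Step 5.1 and the request is rejected.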

Security analysis
In this section, we analyze the security of the proposed lightweight certificate-based authentication scheme as given in the following subsections.

Informal security analysis
1. Replay Attack: An adversary seizes the transmitted data and replays the captured data to the other party, claiming the data is legitimate and fresh, thereby disrupting the network. In the proposed scheme, if an adversary captures a previously transmitted message, i.e., $\langle CERT_{dev_i}, SIG_{dev_i}: \langle S1_{dev_i}, S2_{dev_i} \rangle, PK_{dev_i}, T_1, R_{dev_i} \rangle$, and tries to re-transmit it, the timestamp $T_1$ checked at every end device ensures that the repeated entry is not accepted. The attacker cannot get the data accepted because the maximum allowable transmission delay would not be met, i.e., $(T_2 - T_1) \neq \Delta T$.
2. Device Impersonation Attack: If the attacker captures the message transmitted over the open channel, it is unlikely that the attacker can compute $CERT_{dev_i}$, because it has no access to $K_{dev_i}$ and $K_{gwn}$, the secret private keys of the device $SD_i$ and of the Gateway Node, respectively. The adversary cannot succeed by guessing these secret keys at random, as the key space is very large.
3. Man-in-the-Middle Attack: This attack is not possible, as forging a signature generated by our proposed scheme is equivalent to forging an Elliptic Curve Digital Signature Algorithm signature. To create a valid signature for the device $SD_i$, the attacker needs to know the private key $K_{dev_i}$ of $SD_i$ in order to generate the signature $SIG_{dev_i}$ consisting of the two components $S1_{dev_i} = H(r_{dev_i} \cdot G)$ and $S2_{dev_i}$, which is a computationally hard problem.
4. Device Compromise Attack: The generated session key $SK_{ij} = R_{dev_j} \cdot r_{dev_i}$ remains protected even if an attacker has captured and modified a device, as $SK_{ij}$ is constructed on the intractability of the Elliptic Curve Diffie-Hellman problem, which is a hard problem.
5. Spoofing Attack: To convince the local host $SD_i$ that it is the legitimate node $SD_j$, the attacker must compute the message $M_2 = \langle CERT_{dev_j}, SIG_{dev_j}, PK_{dev_j}, T_2, R_{dev_j} \rangle$. The adversary may have $PK_{dev_j}$, but has no access to the secret keys of the communicating devices: the secret key $K_{dev_j}$ of $SD_j$ and the random number $r_{dev_j}$ cannot be obtained. Hence the adversary cannot spoof the sensing device node.
6. Perfect Forward Secrecy: The proposed scheme assures perfect forward secrecy. Suppose an adversary learns the secret keys $K_{dev_i}$, $K_{dev_j}$ of the communicating local hosts. The attacker still cannot compute the session key $SK_{ij} = R_{dev_i} \cdot r_{dev_j}$, and so cannot access previously communicated messages, because the randomly generated numbers $r_{dev_i}$, $r_{dev_j}$ and the timestamps $T_1$, $T_2$, $T_3$ are fresh in every session.

Formal security verification using AVISPA tool
The widely accepted "AVISPA verification tool" [40,41] is used to formally verify the proposed scheme. AVISPA provides a formal language for specifying protocols and their security properties and integrates various back-ends implementing existing automatic analysis techniques. The protocol is specified in the "High-Level Protocol Specification Language (HLPSL)" [42], a role-based, modular, and expressive formal language. The AVISPA analysis runs on four back-ends and yields an Output Format (OF) result stating whether the proposed scheme is SAFE or UNSAFE. The scheme has three primary roles: the sensor SRI, as shown in Fig. 3, the relay SRJ, as in Fig. 4, and the router GWN, as shown in Fig. 5. The proposed authentication scheme is found SAFE by the AVISPA OFMC and CL-AtSe back-ends, as shown in Figs. 6 and 7, respectively.

BAN logic correctness proof
After the formal verification of the proposed authentication scheme, BAN logic is used to establish its correctness. BAN logic [43,44] is a simple logical calculus over an agreed set of deduction rules which describes the beliefs of the trustworthy communicating parties in an authentication protocol. BAN logic provides correctness, efficiency, and applicability of the authentication scheme [43]. Table 3 describes the BAN logic postulates used in the proposed authentication scheme.
The goal of the station-to-station protocol is to exchange a shared secret key between the two communicating parties $SD_i$ and $SD_j$ with explicit two-way authentication: the key k between the entities $SD_i$ and $SD_j$ is agreed upon, and both entities believe in k. By the BAN logic analytical procedure, our proposed scheme satisfies the goals given in the list below. We write the session key $SK_{ij}$ as SK for convenience of notation. The communicated messages are first idealized for a given 6LoWPAN network; the idealization procedure simplifies the analysis between the sensing devices. The goals are divided into subgoals in order to reach them. In the proposed scheme, a part of the message is signed with the sender's private key, and on retrieving the message the public key of the signer is used to verify it. We assume all communicating parties have the key material; if an entity does not have a public key, it requests it from the GWN. The initial state assumptions and goals for our proposed scheme are listed below:
- $A_1: SD_i \mid\equiv \#(r_{dev_i}, r_{dev_j})$ ($SD_i$ believes all the random nonces are fresh)
- $A_2: SD_j \mid\equiv \#(r_{dev_i}, r_{dev_j})$ ($SD_j$ believes the nonces used are fresh)
- $C_1: SD_j \mid\equiv SD_i \overset{R_{dev_i}}{\longleftrightarrow} SD_j$ ($SD_j$ believes that the key $R_{dev_i}$ is from $SD_i$, and therefore believes in the key)
- $C_2: SD_i \mid\equiv SD_j \overset{R_{dev_j}}{\longleftrightarrow} SD_i$ ($SD_i$ believes that the key $R_{dev_j}$ is from $SD_j$, and therefore believes in the key)
- $C_3: SD_i \mid\equiv SD_j \mid\equiv SD_i \overset{R_{dev_i}}{\longleftrightarrow} SD_j$ ($SD_i$ believes that $SD_j$ believes that the key $R_{dev_i}$ is from $SD_i$, and therefore believes in the key)
- $C_4: SD_j \mid\equiv SD_i \mid\equiv SD_j \overset{R_{dev_j}}{\longleftrightarrow} SD_i$ ($SD_j$ believes that $SD_i$ believes that the key $R_{dev_j}$ is from $SD_j$, and therefore believes in the key)
- $C_5: SD_i \mid\equiv SD_i \overset{SK}{\longleftrightarrow} SD_j$ ($SD_i$ believes that $SD_i$ and $SD_j$ share the session key SK)
- $C_6: SD_j \mid\equiv SD_j \overset{SK}{\longleftrightarrow} SD_i$ ($SD_j$ believes the session key SK is shared with $SD_i$)
- $C_7: SD_i \mid\equiv SD_j \mid\equiv SD_i \overset{SK}{\longleftrightarrow} SD_j$ ($SD_i$ believes that $SD_j$ believes the session key SK is shared between $SD_j$ and $SD_i$)
- $C_8: SD_j \mid\equiv SD_i \mid\equiv SD_j \overset{SK}{\longleftrightarrow} SD_i$ ($SD_j$ believes that $SD_i$ believes the session key SK is shared between $SD_i$ and $SD_j$)
- $B_1: SD_i \mid\equiv SD_j \Rightarrow r_{dev_j}$ (random nonce assumptions)
- $B_2: SD_j \mid\equiv SD_i \Rightarrow r_{dev_i}$ (random nonce assumptions)
- $\to SD_j$ (private key assumptions)
The BAN logic rules are applied to the proposed scheme as follows. The shared secret $SK_{ij}$ ensures that the communication is secure by achieving the derived goals: SK is the shared secret key, $SD_i$ and $SD_j$ believe in SK, $SD_i$ and $SD_j$ agree on SK, and each believes that the other entity also believes in SK. The BAN logic verification process undergoes the following steps:
- is the necessary parameter of the proposed scheme.
- Step 4 Taking the assumption $A_2: SD_j \mid\equiv \# r_{dev_j}$ and applying the MMR with $SD_j \mid\equiv SD_i \overset{SK}{\longleftrightarrow} SD_j$, $P \triangleleft r_{dev_j}$, we get $SD_j \mid\equiv SD_i \mid\sim r_{dev_j}$.
- Step 5 According to $B_1$, $SD_i \mid\equiv SD_j \Rightarrow r_{dev_j}$, and the jurisdiction rule with $SD_j \mid\equiv SD_i \Rightarrow r_{dev_j}$, $SD_i \mid\equiv SD_j \mid\sim r_{dev_j}$, we get $SD_j \mid\equiv SD_i \mid\equiv r_{dev_j}$.
- Step 6 Taking assumption $A_2$ and the session key rule
- Step 7 Taking the assumption $A_2$ as $A_2: SD_j \mid\equiv \#(r_{dev_j})$ and Step 4, we
- Step 10 $SD_i \triangleleft \langle SD_j, \{ID_{gwn}, K_{dev_i}, PK_{gwn}\}_{K_{gwn}^{-1}}, r_{dev_j} \rangle$; $r_{dev_j}$ is the necessary parameter of the proposed scheme.
- Step 11 Taking the assumption $A_1: SD_i \mid\equiv \# r_{dev_i}$ and applying the MMR with $SD_i \mid\equiv SD_j \overset{SK}{\longleftrightarrow} SD_i$, $P \triangleleft r_{dev_i}$, we get $SD_i \mid\equiv SD_j \mid\sim r_{dev_i}$.
- Step 12 According to $B_2$, $SD_j \mid\equiv SD_i \Rightarrow r_{dev_i}$, and the jurisdiction rule with $SD_i \mid\equiv SD_j \Rightarrow r_{dev_i}$, $SD_i \mid\equiv SD_j \mid\sim r_{dev_i}$, we get $SD_i \mid\equiv SD_j \mid\equiv r_{dev_i}$.
- Step 13 Taking assumption $A_1$ and the session key rule
- Step 14 Taking the assumption $A_2$ as $A_2: SD_j \mid\equiv \#(r_{dev_j})$ and Step 4, we obtain $SD_j \mid\equiv SD_i \mid\equiv SD_i \overset{SK}{\longrightarrow} SD_j$ (GOAL 2).
Therefore, all goals are achieved using BAN logic, which proves the correctness of the proposed scheme.

Security and functionality analysis
Several security requirements and threats related to authentication methods are reported in the literature. Table 4 shows a comprehensive comparative study of various security requirements and threats for our proposed authentication scheme and relevant well-established schemes. The scheme of Porambage et al. [25] suffers from replay, man-in-the-middle, and device impersonation attacks. Ren et al. [24] cannot withstand the device impersonation attack and the spoofing attack, and lacks the functionality attribute $F_3$. Zhou et al. [27] fail against device impersonation and spoofing attacks, while Huang et al. [33] fail against replay, device impersonation, and spoofing attacks. We observe that the proposed scheme withstands all the security and functionality attributes.

Computation overhead
The computation overhead of the proposed scheme is calculated from the time taken to compute the hash and encryption-decryption operations. The overhead of the concatenation operation is negligible compared with hashing and encryption-decryption, so it is omitted here. The notation used for computing the computation overhead is: the time to compute an elliptic curve point multiplication ($T_{em}$), the time for an elliptic curve point addition ($T_{ea}$), the time to execute an ECC encryption ($T_{ee}$), the time required to compute an ECC encryption-decryption ($T_{E/D}$), the time to execute an ECC decryption ($T_{ed}$), and the time to execute a modular inverse operation ($T_m$). $T_{E/D}$ is calculated as $T_{E/D} = 2T_{em} + T_{ea}$. The proposed scheme computes five hash operations. The authentication and key exchange phase costs $5T_H + 5T_{em} + 2T_{ea}$ at $SD_i$ and $6T_H + 5T_{em} + 2T_{ea} + 2T_m$ at $SD_j$, respectively, so the average computation cost of the scheme is $5.5T_H + 5T_{em} + 2T_{ea} + 2T_m$. We calculate the approximate computation time (in milliseconds) following [45,46]. The computation cost of Kim et al. [32] is lower, but that scheme fails to provide several security and functionality attributes.

Communicational overhead
The messages exchanged among the communicating parties define the communication overhead. Here, the message sizes (in bits) are calculated for a security level of 80 bits. The proposed scheme exchanges two messages; the second is $M_2 = \langle CERT_{dev_j}, SIG_{dev_j}, PK_{lh_j}, T_2, VSK_{ij}\rangle$ = (320 + 320 + 160 + 32 + 160) bits. For Ren et al. [24], the total message size was computed from an 86-byte $CERT_{UID}$, a 160-bit $M$, and a 16-bit $tt$, resulting in a message size of 148 bytes or 1184 bits. The communication overhead of the conventional schemes is 2144 bits for Malani et al. [10], 3488 bits for Ren et al. [24], 4608 bits for Zhou et al. [27], 1920 bits for Huang et al. [33], 1920 bits for Kim et al. [32], and 2940 bits for Porambage et al. [25]. The communication overhead of the proposed scheme is $M_1 + M_2 = 1984$ bits, as shown in Table 6. The communication cost of Huang et al. [33] is lower, but that scheme fails to secure against replay and active adversary attacks, and Kim et al. [32] does not withstand node impersonation and spoofing attacks, as shown in Table 4.

Conclusion
In this article, we presented a novel lightweight certificate-based authentication scheme to prevent malicious smart devices from participating in the 6LoWPAN-based IoT environment. The proposed scheme provides a bi-directional authentication process that allows authorized devices to exchange sensed information with other sensor devices only after establishing a secret session key. The use of a one-way cryptographic hash operation, ECC-based digital signatures, and an ECC-based Diffie-Hellman key exchange mechanism makes the proposed scheme lightweight. To keep the system straightforward, the gateway device preloads the certificates into the resource-constrained tiny devices before their deployment in the network. The broadly accepted automated security verification tool AVISPA shows that the proposed scheme is secure against several known attacks, and BAN logic verifies its correctness. Moreover, we provided a comprehensive comparative study of the proposed scheme with other similar well-established schemes to show the trade-off among security and functionality attributes, communication cost, and computation cost. At the same security level, the proposed scheme has lower communication overhead than the other relevant schemes. Hence, the proposed scheme is suitable for resource-constrained 6LoWPAN-based IoT smart devices with power, bandwidth, and computational limitations.