A Study on a JWT-Based User Authentication and API Assessment Scheme Using IMEI in a Smart Home Environment

sustainability

Article A Study on a JWT-Based User Authentication and API Assessment Scheme Using IMEI in a Smart Home Environment

Namsu Hong, Mansik Kim, Moon-Seog Jun and Jungho Kang *

Department of Computer Science & Engineering, Soongsil University, Seoul 07027, Korea; [email protected] (N.H.); [email protected] (M.K.); [email protected] (M.-S.J.) * Correspondence: [email protected]; Tel.: +82-2-826-6526

Received: 28 March 2017; Accepted: 20 June 2017; Published: 23 June 2017

Abstract: The development of information and communication technology (ICT) has opened the era of the Internet of Things (IoT), in which many devices can connect to the Internet to communicate. Recently, various technologies, such as smart grids, connected cars, and smart farms, have emerged based on IoT, and there is also the smart home, which is the fastest growing market. The smart home is where devices installed for various purposes connect to each other through the Internet so that users can use the service anytime and anywhere. However, while the smart home provides convenience to users, recently the smart home has been exposed to various security threats, such as vulnerability of session/cookies and the use of vulnerable OAuth. In addition, attacks on smart homes by hackers using these vulnerabilities are also increasing. Therefore, in this paper, we propose a user authentication method using the JSON Web Token (JWT) and International Mobile Equipment Identity (IMEI) in the smart home, and solved the problem of unauthorized smart home device registration of hackers by the application of IMEI and JWT technology.

Keywords: IoT; smart home; user authentication; smart home device; security

1. Introduction The development of the Internet has developed communication between people and things, and recently, the Internet of Things (IoT), which provides convenience to people by enabling communication between various devices, has emerged. Recently, the IoT has been developed due to the development of various smart devices, among which the smart home market is rapidly becoming active. The smart home product market is expected to grow to $130 billion by 2020, and the market value of smart home manufacturing and application makers will account for about $60 billion, according to a statistical research agency, Strategy Analytics. Statista estimates that the US smart home market will increase by 21.05% annually from 2016 to 2020, 5.82% of the US population is using smart home products, and by 2020 approximately 18% of Americans are expected to use smart home products. Recently, users often use smart home products not only in the home, but also outside. Icontrol networks, a company that develops and sells smart home items, conducted a survey of 3000 US and Canadian consumers in 2014 and 2015, and in response to the question, “Why purchase smart home technology?” 90% of smart device buyers cited home security as a reason to avoid accidents that could happen in the home due to theft or carelessness, and 70% said it was for cost saving, including remote control of heating and commissioning of gas valves during commuting. In addition, a survey of consumer preferences for smart devices reported statistics that smart home access from remote locations frequently occurs due to home security and savings, such as 72% for automatic thermostats, 71% for remote front door locks, 65% for indoor surveillance cameras, 65% for outdoor remote control, and 65% for outdoor lighting automatic remote control. In a smart home environment, there are

Sustainability 2017, 9, 1099; doi:10.3390/su9071099 www.mdpi.com/journal/sustainability Sustainability 2017, 9, 1099 2 of 16 various smart home devices, such as smart devices and sensors, and each provides a service for the convenience of the user [1]. The user goes through the process of registering the smart home device before using the smart home service. Since registered users can access the smart home via a remote device both inside and outside the smart home, in order to use smart home services securely, user authentication processes, such as session/cookie techniques or OAuth, is performed. However, these techniques are increasingly vulnerable to session hijacking attacks, and the exploitation of user information due to the detection of application programming interface (API) vulnerabilities is increasing [2–4]. Additionally, when registering a new device in a smart home, anyone can easily register it, so a smart home device not authorized by the user can be registered in the smart home by a hacker. Therefore, in this paper, we propose a scheme to authenticate users by using the JWT and IMEI of remote devices, and a scheme where only authorized users can register new smart home devices in a smart home. For the composition of this paper, Section2 discusses user authentication techniques used in smart homes, smart home security requirements, and existing research; Section3 describes a user authentication protocol using JWT and IMEI, a new smart home device registration protocol, and an API request and response protocol between the user and smart home device using JWT; in Chapter 4, we implement the proposed protocol; Chapter 5 explains the security and performance evaluation of the proposed protocol; Chapter 6 discusses the important points of this paper; and ﬁnally, Chapter 7 provides a conclusion.

2. Related Works

2.1. Smart Home According to the Korea Association Smart Home (KASH), a smart home is a human-centered smart living environment that enables the convenience of the people, promotion of welfare, and safe living by converging IT into the residential environment. Users can purchase and use their own smart home devices and conveniently control the home. As shown in Figure1, in the smart home, there are smart home devices composed of various smart devices and sensors, a remote device accessing a smart home, and an access point (AP) connecting smart home devices and a remote device. Smart home devices have different communication and power specifications. A smart home device capable of communicating can communicate directly with the AP, while a device that cannot communicate by itself communicates through another smart home device. In general, smart home devices have the hierarchy structure as shown in Figure1. The application layer provides the messaging protocol appropriate for communications in the smart home environment, and the user can establish its interface himself. The transport layer provides communication session management and defines the status of the connection with the service layer. The network layer provides the mechanism that enables proper communication among data within the smart home environment. The link layer defines the standards that make physical communication of the device possible. The user can install the dedicated application to the remote device to communicate through the above layers with the smart home device connected to the AP. However, smart home devices have different standards depending on the platform and, therefore, whenever a new smart home device is added, the user has to install a separate application for the new device. Additionally, recently, cases of security threats, such as takeovers of smart home devices and leakage of personal information by hackers threatening users’ smart homes, are increasing [5]. Therefore, there is a need to define security requirements for a secure smart home environment. Sustainability 2017, 9, 1099 3 of 16

Sustainability 2017, 9, 1099 3 of 16

Figure 1. Smart home structure. Figure 1. Smart home structure. 2.2. Security Requirements for a Smart Home 2.2. Security RequirementsIn the smart home for aenvironment Smart Home for the user’s convenience, numerous amounts and types of data are transmitted among a variety of smart devices, IoT gateways, and the users. Then, the data should In thebe smart applied home with security environment measures for to theprevent user’s extern convenience,al exposure, be numerous it simply-sensed amounts information, and types or of data are transmittedthe voice, among image, a and variety the personal of smart information devices, relat IoTedgateways, to the users, anddirectly the or users. indirectly; Then, hence, the the data should be appliedsecurity with measures security should measures meet th toe following prevent security external requirements. exposure, be it simply-sensed information, or the voice,2.2.1. image, Privacy and the personal information related to the users, directly or indirectly; hence, the security measures should meet the following security requirements. There are various types of smart home devices in the smart home environment, and each of them has different types of in- and output. Although simple data, such as manifold logs, documents, 2.2.1. Privacy images, animations, and so on, which occur in the smart home devices may not have significant Theremeaning, are various they may types hold the of smartsensitive home personal devices credit or inprivacy the smartinformation home that environment, should be protected and each of if malicious users analyze their correlation by big data analysis technique [6–8]. Therefore, proper them has differentsecurity communication types of in- should and output. be established Although for the simpleuser’s personal data, suchinformation as manifold not to be exposed logs, documents, images, animations,in the smart home. and so on, which occur in the smart home devices may not have significant meaning, they may hold the sensitive personal credit or privacy information that should be protected if malicious2.2.2. users Registration analyze of Certified their correlation Smart Home by Device big data analysis technique [6–8]. Therefore, proper security communicationThe users utilize should a variety be established of smart home for devices the user’s in the smart personal home information upon their registrations. not to be If exposed in the registration process of the device into the smart home is vulnerable, a smart home device that the the smart home. user does not permit can be registered in the smart home [9]. Even though the registration process of the smart home device is secure, malicious users can access the smart home considering the potential 2.2.2. Registrationto register ofthe Certified smart home Smart device Home randomly Device by the unauthorized users. Consequently, only the The usersauthorized utilize users a should variety be able of smart to register home their devices smart home in devices the smart in the homesmart home upon via their a secured registrations. process. If the registration process of the device into the smart home is vulnerable, a smart home device that the user2.2.3. does User notAuthentication permit can in Smart be registered Home in the smart home [9]. Even though the registration process of theThe smart users home can access device the issmart secure, home malicious devices physically users canwhen access they are the in smart the smart home home, considering the potentialhowever, to register physical the access smart is difficult home when device they randomly are out. Hence, by the users unauthorized access the smart users. home Consequently, via only the authorizedremote devices users [10–12]. should Since bethe ablepersonal toregister information their of the smart usershome in the smart devices home in can the besmart exposed home via a if the unauthorized user approaches the smart home remotely, they should follow the authentication secured process.process to block unauthorized users from the smart home. There are login systems using session/cookie; authentication systems using OAuth, in general; three-party password-based 2.2.3. Userauthenticated Authentication key exchange in Smart (3PAKE); Home biometrics; and so on. However, new authentication methods are required due to the vulnerability against security threats, such as session capture, vulnerable The usersAPIs, and can so accesson [13–15]. the smart home devices physically when they are in the smart home, however, physical access is difficult when they are out. Hence, the users access the smart home via remote devices [10–12]. Since the personal information of the users in the smart home can be exposed if the unauthorized user approaches the smart home remotely, they should follow the authentication process to block unauthorized users from the smart home. There are login systems using session/cookie; authentication systems using OAuth, in general; three-party password-based authenticated key exchange (3PAKE); biometrics; and so on. However, new authentication methods are required due to the vulnerability against security threats, such as session capture, vulnerable APIs, and so on [13–15]. Sustainability 2017, 9, 1099 4 of 16

2.2.4. Security Threats When the users use the smart home, multiple security threats can occur. Most of the data transmitted in the smart home are delivered mainly by wireless network. If the malicious user counterfeits or modiﬁes the data through the wireless network, which is vulnerable in the smart home, the data synchronization may not be properly performed between the user and the smart home device, and integrity may be affected, such as the occurrence of incorrect responses to the user’s request [16,17]. Thus, it should be secure against the attacks of counterfeit data and modiﬁcation by unauthorized users in the smart home environment [18]. In addition, because the users can utilize all of the services in their smart home by remote devices out of the home, it should be careful not to be infected by malicious code, with respect to malicious users capturing or hacking the remote devices. Furthermore, malicious users should not be able to easily access the smart home system even if the remote devices are stolen, too [19].

2.2.5. Heterogeneous Communication There can be various types of smart home devices in the smart home. Since each smart home device can use different types of communication, the communication among the smart home devices may not be easy, or even impossible [20]. Hence, the system that supports different types of smart home devices and provides the services should be established to support the users with consistent smart home services.

2.2.6. Low Resources Various smart home devices in the smart home environment continue to collect information or are on standby to communicate with users. Generally speaking, the smart home devices require miniaturization wherever they are positioned and low enough power to last longer with charging [21–24]. If the smart home device with a relatively low-powered battery performs a calculation with a high degree of complexity, it should be provided with proper security using low power in the smart home environment since the battery in the smart home device would be consumed quickly [25].

2.3. Previous Research on Smart Home In this chapter, previous studies are reviewed on the user authentications and security in the smart home. Lee [13] proposed the protocol which could exchange the secure session keys between the user and the smart home device by using the pre-shared password for authentication and 3PAKE technique agreed the session key to be used in the communication afterwards. The proposed scheme in [13] were 3PAKE, based on XOR calculation, and based on the Diffie-Hellman method. In the case of the XOR calculation method, it has the potential risk of key exposure during the exchange of keys between the user and the smart home device. The 3PAKE technique based of the Diffie-Hellman method, a heavy calculation method, is not efficient in the smart home environment where weight reduction is required and has the problem of continuous session information exposure once the key is exposed. In [14], the user access system was proposed using OAuth and realizing middleware to connect the users with the smart home devices for access to various smart home devices in an IoT environment. OAuth has the advantages to enable access to the other smart home devices with a one-time login process, and to resolve problems during the session/cookie usage since it is the access method using a token. Nevertheless, [14] generates a large amount of overhead without consideration of the middleware resource cost in the smart home environment where low power and low amounts of calculation are required. Since some vulnerable points were found in OAuth used in [14], such as token captures, re-transmission, and so on, by multiple analyses and studies, and new points which could not be satisfied with all of the considerations recommended in the OAuth protocol standards were detected, its security is lowered during usage. Sustainability 2017, 9, 1099 5 of 16

The authentication technique by fingerprint recognition in the remote device was proposed in [15] for the users to access the smart home externally. It has middleware for the authentication between the user and the smart home device and the user transmits his or her own fingerprint information to the middleware. The middleware checks the user’s authorization and approves the access to the smart home device. Prakash [15] has the advantage of convenience that the users do not have to remember their ID and password separately, while it has the potential of fingerprint information capture by malicious users because theSustainability fingerprint 2017, 9, 1099 information of the users is not processed with the additional coding5 of 16 process, but transmitted he middleware. Additionally, the fingerprint is bio-information that is never changed, hence, seriousbetween security the user issues and the might smart occur home due device to theand impossibilitythe user transmits of changinghis or her own once fingerprint it is captured. information to the middleware. The middleware checks the user’s authorization and approves the Kang [26] established an infrastructure based on trusted third party (TTP) and a physically-unclonable access to the smart home device. Prakash [15] has the advantage of convenience that the users do not functionshave (PUFs)-based to remember smart their homeID and environment.password separate Thely, developedwhile it has techniquethe potential of of the fingerprint security channel proposed,information in [26], to registercapture by the malicious service users provider, because the the device fingerprint of the information smart home of the sensor, usersand is not the gateway into TTP andprocessed to authorize with the additional them mutually. coding process, The home but transmitted gateway washe middleware. used to resolve Additionally, the heterogenicity the fingerprint is bio-information that is never changed, hence, serious security issues might occur due among the smart home devices. All of the smart home devices have PUFs which cannot be copied and to the impossibility of changing once it is captured. these are controlledKang [26] by established the PUF an DB infrastructure in TTP. However, based on Kangtrusted [third26] hasparty the (TTP) problem and a physically- that unauthorized smart homeunclonable devices functions can be registered(PUFs)-based in smart the smarthome home.environment. The developed technique of the security channel proposed, in [26], to register the service provider, the device of the smart home 3. Proposedsensor, Method and the gateway into TTP and to authorize them mutually. The home gateway was used to resolve the heterogenicity among the smart home devices. All of the smart home devices have PUFs 3.1. Proposedwhich Smarthome cannot be copied Infrastructure and these are controlled by the PUF DB in TTP. However, Kang [26] has the problem that unauthorized smart home devices can be registered in the smart home. The proposed smart home environment is shown in Figure2. The smart home devices in the 3. Proposed Method smart home are connected to the home gateway which integrally manages the smart home devices, and the user3.1. accessesProposed Smarthome the smart Infrastructure home device through the AP. At this time, the user does not access the smart home deviceThe proposed directly, smart but home uses environment the smart home is shown service in Figure by accessing2. The smart it home through devices the in authentication the system ofsmart the home home are gateway. connected In to the the proposedhome gateway environment, which integrally to manages provide the comprehensive smart home devices, smart home services toand the the user, user a accesses middleware the smart layer home has device been throug addedh the between AP. At this the time, application the user does layer not and access the transport layer in thethe home smart gatewayhome device and directly, the smart but uses home the device.smart home In doing service so, by moreaccessing ﬂexibility it through is offeredthe to the authentication system of the home gateway. In the proposed environment, to provide comprehensive communicationsmart home between services different to the user, devices a middleware and remote layer has device been andadded intellectual between the servicesapplication can layer be provided. In addition,and the the usertransport can layer access in the all home smart gateway home and devices the smart through home device. a single In doing comprehensive so, more flexibility application. In the proposedis offered scheme, to the communication the user establishes between different a Transport devices and Layer remote Security device and (TLS) intellectual session services with the home gateway, logscan be in withprovided. the accountIn addition, registered the user incan the access home all gateway smart home in advance, devices through and receives a single a JWT to be comprehensive application. In the proposed scheme, the user establishes a Transport Layer Security used in the(TLS) smart session home with from the home the homegateway, gateway. logs in with When the account the user registered accesses in the the home home gateway gateway, in the user can authenticateadvance, himself/herselfand receives a JWT and to be access used in the the smart home home from by the communicating home gateway. When with the the user JWT and the IMEI issuedaccesses by thethe home user. gateway, Then, thethe us authorizeder can authenticate user canhimself/hersel registerf theand newaccess smartthe smart home home device by in the home gatewaycommunicating through with the the proposed JWT and the technique. IMEI issued by the user. Then, the authorized user can register the new smart home device in the home gateway through the proposed technique.

Figure 2. Proposed smart home environment. Figure 2. Proposed smart home environment. Sustainability 2017, 9, 1099 6 of 16

3.2. Proposed Scheme

3.2.1. JSON Web Token JWTSustainability is a token 2017,authentication 9, 1099 system that encodes data in JSON format to base646 of 16 with the technique3.2. speciﬁed Proposed Scheme in RFC 7519 of IETF [27]. As shown in Figure3, JWT consists of three sections: header, payload, and signature, and each section is separated by a (dot) operator. The header section speciﬁes the3.2.1. type JSON of Web token Token and the hash algorithm to use for the JWT signature. The payload section is where the actualJWT informationis a token authentication for the token system to that be encodes used is data stored. in JSON The format information to base64 iswith a pairthe of names and values,technique and can specified store in arbitrary RFC 7519 of data, IETF such[27]. As as shown the token in Figure issuer, 3, JWT token consists expiration of three sections: time, and user header, payload, and signature, and each section is separated by a (dot) operator. The header section information.specifies The the signature type of token section and the allowshash algorithm the token to use issuerfor the JWT to signsignature. the The token payload using section a hash-based message authenticationis where the actual code information (HMAC), for the RSA, token etc., to be to used maintain is stored. the The integrity information of the is a token.pair of names When applying the HMAC,and the values, header and can and store payload arbitrary section data, such values as the are token encoded issuer, intoken base64, expiration and time, signatures and user are applied using hashinformation. HMACusing The signature the secret section key allows created the intoken advance. issuer to When sign the RSA token is applied,using a hash-based the header section message authentication code (HMAC), RSA, etc., to maintain the integrity of the token. When and payloadapplying section the HMAC, values the can header be encrypted and payload and sectio signedn values using are encoded the RSA in private base64, and key signatures of the token issuer. One suchare value applied consisting using hash of theHMAC three using sections the secret is usedkey created as a token in advance. and itWhen is called RSA is JWT. applied, The the server issues a JWT to theheader user section and and the payload user receives section values the service can be encrypted after proving and signed himself/herself using the RSA private using key the of issued JWT. At this time,the iftoken the issuer. JWT isOne delivered such value over cons anisting unsecured of the three network, sections is a used hacker as acan token seize and theit is base64-encodedcalled JWT. The server issues a JWT to the user and the user receives the service after proving himself/herself JWT andusing attempt the issued to modify JWT. At the this payload time, if the section JWT is delivered to the desired over an unsecured value. However, network, a hacker because can the hacker does not knowseize the the base64-encoded secret key to JWT be ableand attempt to hash to themodify header the payload and payload section to sections, the desired the value. integrity of the token canHowever, be maintained. because the JWT hacker has does the not advantage know the secret that key it can to be be able used to hash not the only header for and user payload authentication, but also forsections, maintaining the integrity data of the integrity. token can be maintained. JWT has the advantage that it can be used not only for user authentication, but also for maintaining data integrity.

Figure 3. JWT structure. Figure 3. JWT structure. 3.2.2. Proposed Scheme 3.2.2. ProposedThe Scheme proposed protocol is divided into a protocol in which a user authenticates itself where a JWT is issued from a home gateway, a protocol in which a new smart home device is registered only The proposedby an authorized protocol user, isand divided a protocol into in awhich protocol a home in gateway which ais user accessed authenticates using JWT and itself IMEI. where a JWT is issued fromTable 1 a shows home the gateway, parameter a values protocol used in in whichthe proposed a new protocol. smart home device is registered only by an authorized user, and a protocol in which a home gateway is accessed using JWT and IMEI. Table1 Table 1. Proposed protocol parameters. shows the parameter values used in the proposed protocol. Notation Meaning Client Table 1. Proposed protocolClient parameters. Home gateway Home gateway Smart home device Smart home device NotationSession keyUG Session key between client Meaning and home gateway Gpub Home gateway’s public key ClientGpri Home gateway’s Client private key Home gatewayH(x) Hash Home function gateway Smart home device Smart home device Session keyUG Session key between client and home gateway Gpub Home gateway’s public key Gpri Home gateway’s private key H(x) Hash function Sustainability 2017, 9, 1099 7 of 16

Table 1. Cont. Sustainability 2017, 9, 1099 7 of 16 Notation Meaning IDx x’s ID PWIDxx x’sx’s ID password Sustainability 2017, 9, 1099 7 of 16 PW⊕ x x’sExclusive password or operator ⊕ Exclusive or operator IMEIIDx x x’s x’sID IMEI value IMEIx x’s IMEI value SecretPW keyx x x’s passwordx’s secret key Secret⊕ key x Exclusivex’s secretor operator key JWTx x’s JWT JWTIMEIxx x’s IMEIx’s value JWT Base64 Base64 encoding/decoding SecretBase64 keyx Base64x’s encoding/decoding secret key JWTx SecureSecurex’s communication JWT communication Base64Rx GeneratedBase64Generated encoding/decoding random random number number for x for x A Generated random key between client and smart home device Ad-cd-c Generated randomSecure key communication between client and smart home device API API requested from client APIRx Generated API random requested number from for x client Resultd-c Result processed by smart home device ResultA Generated random Result key between processed client by and smart smart home home devicedevice SaltAPIR Random API numberrequested to from cover client user’s IMEI SaltResultR Result Random processed number by smart tohome cover device user’s IMEI SaltR Random number to cover user’s IMEI ProposedProposed User User Authentication Authentication Phase Phase Proposed User Authentication Phase The clientThe client must must authenticate authenticate to the to homethe home gateway gateway to access to access the smartthe smart home. home. In the In proposedthe proposed The client must authenticate to the home gateway to access the smart home. In the proposed authenticationauthentication protocol, protocol, as shown as shown in Figure in Figure4, after 4, establishingafter establishing a TLS a connectionTLS connection between between the client the client and theauthentication home gateway, protocol, if the as client shown transfers in Figure the4, af ID,ter establishing password, a andTLS conne IMEIction value between to the the home client gateway, andand the the home home gateway, gateway, if if the the client client transfers transfers the ID, the password, ID, password, and IMEI and value IMEI to the value home to gateway, the home gateway, the home gateway authenticates the client and issues the JWT and Ruser to the client. thethe home home gateway gateway authenticates the the client client and andissues issues the JWT the and JWT Ruser and to the Ruser client. to the client.

Figure 4. Proposed user authentication protocol. Figure 4. Proposed user authentication protocol. Step 1. Client and home gateway establishs TLS session through TLS handshake. Step 2. Client obtains Iuser by concatenating and hashing randomly generated SaltR with IMEIuser, Step 1. Client and home gateway establishs TLS session through TLS handshake. which is the device’s original value, and subsequently, generates Euser through the XOR with Step 2. Client obtainsthe password’sIuser by hash concatenatingFigure value, 4.H(PW Proposeduser and), and user hashing transmits authen randomly IDticationuser and protocol.Euser generated to the homeSalt gateway.R with IMEIuser, Stepwhich 3. isThe the home device’s gateway original obtains value, the Iuser and by subsequently,XORing the H(PW generatesuser) of theE previously-registereduser through the XOR with user Step the1. password’sClientclient and hash the home E value, receivedgatewayH(PW from establishsuser the), andclient. TLS transmits sessionID throughuser and ETLSuser handshake.to the home gateway. Step 2. Client obtains Iuser by concatenating and hashing randomly generated SaltR with IMEIuser, which is the device’s original value, and subsequently, generates Euser through the XOR with the password’s hash value, H(PWuser), and transmits IDuser and Euser to the home gateway. Step 3. The home gateway obtains the Iuser by XORing the H(PWuser) of the previously-registered client and the Euser received from the client. Sustainability 2017, 9, 1099 8 of 16

Step 3. The home gateway obtains the Iuser by XORing the H(PWuser) of the previously-registered client and the Euser received from the client. Step 4. The home gateway authenticates the client via IDuser and H (PWuser), and registers the IMEIuser as the IMEI of the client. Sustainability 2017, 9, 1099 8 of 16 Step 5. The home gateway randomly generates a JWT secret key to be issued to the client, and then Stepgenerates 4. The the home header gateway field authenticates and a payload the fieldclient of via the ID JWT.user and At H this (PW time,user), theand headerregisters field the is used to determineIMEIuser whether as the IMEI to useof the JWT client. and the signature technique to be used in the signature field. Step 5. The home gateway randomly generates a JWT secret key to be issued to the client, and In the payload field, the issuer, the expiration period of the token, the user identification ID, then generates the header field and a payload field of the JWT. At this time, the header the userfield name, is used and to the determine access rightwhether of theto use user JWT are and inputted. the signature technique to be used in Step 6. The homethe gatewaysignature field. signs In the the JWTpayload with field, the the secret issuer, key the usingexpiration the period HMAC of the method, token, the randomly generatesuser a identification random number ID, theR useruser, name, and sends and theJWT accessuser rightand ofR userthe userto the are client. inputted. Step 6. The home gateway signs the JWT with the secret key using the HMAC method, randomly Step 7. The client stores JWTuser and Ruser, which are delivered from the home gateway. generates a random number Ruser, and sends JWTuser and Ruser to the client. Step 7. The client stores JWTuser and Ruser, which are delivered from the home gateway. Proposed Register New Smart Home Device Phase WhenProposed a new Register smart New home Smart device Home is Device registered Phase in a smart home, it must be possible to register it only by an authorizedWhen a new smart user. home The proposeddevice is registered scheme in assumes a smart home, that whenit must abe client possible that to hasregister been it issued a JWT registersonly by an a authorized new smart user. home The deviceproposed in scheme a smart assumes home, that the when smart a client home that device has been can issued be registered a only throughJWT registers the authorization a new smart home of an device authorized in a smart client home, in the the smart same home network device can as thebe registered home gateway. only through the authorization of an authorized client in the same network as the home gateway. As As shownshown in Figure in Figure5, when5, when a newa new smart smart homehome device device is is connected, connected, it can it canbe registered be registered after receiving after receiving confirmationconfirmation of connection of connection to the to the client. client.

Figure 5. Proposed register new smart home device protocol. Figure 5. Proposed register new smart home device protocol.

Step 1. The smart home device generates a random number Rdevice and sends it to the home gateway through a secure channel. Step 1. The smart home device generates a random number Rdevice and sends it to the home gateway Stepthrough 2. The a secure home gateway channel. concatenates the timestamp and the Rdevice to prevent a replay attack, then the home gateway creates a Cdevice that XORs the Ruser shared with the client in the user Step 2. The homeauthentication gateway concatenatesphase and delivers the it timestampto the client. and the Rdevice to prevent a replay attack, Stepthen 3. theThe home client gateway XORs the creates received a Cdevice andthat Ruser XORs to obtain the theRuser Rdeviceshared and generates with the the client random in the user authenticationnumber A phased-c. Client and XORs delivers Ad-c and it toRdevice the to client. create Auser, then XORs Auser and Ruser to deliver Emessage to the home gateway. Sustainability 2017, 9, 1099 9 of 16

Step 3. The client XORs the received Cdevice and Ruser to obtain the Rdevice and generates the random number Ad-c. Client XORs Ad-c and Rdevice to create Auser, then XORs Auser and Ruser to deliver Emessage to the home gateway. Step 4. The home gateway XORs Emessage and Ruser to obtain the Auser and delivers the Auser to the smart home device. Sustainability 2017, 9, 1099 9 of 16 Step 5. The smart home device XORs Auser and Rdevice to obtain Ad-c, XORs H (Ad-c), which is a hash Step 4. The home gateway XORs Emessage and Ruser to obtain the Auser and delivers the Auser to the of Ad-c and Rdevice, generates Sdevice, and delivers Sdevice to the home gateway. smart home device. Step 6. The client also XORs the Ad-c hash H(Ad-c), and Ruser to obtain Sclient and deliver Sclient to the Step 5. The smart home device XORs Auser and Rdevice to obtain Ad-c, XORs H (Ad-c), which is a hash home gateway. of Ad-c and Rdevice, generates Sdevice, and delivers Sdevice to the home gateway. Step 7. StepThe 6. homeThe gatewayclient also compares XORs the A thed-c hash acquired H(Ad-c),H(A andd-c Ruser) obtained to obtain S byclient XORing and deliver the SSclientclient to theand Sdevice receivedhome from gateway. the client and smart home device with Ruser and Rdevice, respectively, and if Stepthe 7. smart The home home devicegateway has compares the same the acquired value, the H(A smartd-c) obtained home by device XORing is the registered Sclient and inSdevice the home gateway,received and refused from the if client different. and smart home device with Ruser and Rdevice, respectively, and if the smart home device has the same value, the smart home device is registered in the home gateway, and refused if different. Proposed Access API Phase TheProposed user must Access authenticate API Phase himself to the home gateway to access the smart home device. As shown inThe Figure user must6, a clientauthenticate sends himself its own to the JWT home and gateway IMEI issued to access when the smart requesting home device. the API As to the home gatewayshown in andFigure authenticates, 6, a client sends and its own the JWT home and gateway IMEI issued then when requests requesting the the client’s API to API the home to the smart home devicegateway and and delivers authenticates, the response and the home to the gateway client. then requests the client’s API to the smart home device and delivers the response to the client.

Figure 6. Proposed API access protocol. Figure 6. Proposed API access protocol.

Step 1. The client generates Iuser by concatenating and hashing IMEIuser and SaltR and, subsequently, delivers Kuser to the home gateway, which is generated through the XOR of Ruser with this Step 1. The client generates Iuser by concatenating and hashing IMEIuser and SaltR and, subsequently, value. delivers Kuser to the home gateway, which is generated through the XOR of Ruser with Step 2. The home gateway identifies the authorized client by obtaining Iuser through the XOR of Kuser this value.and Ruser and, subsequently, compares the existing registered client’s Iuser. At this time, the Step 2. The homehome gateway gateway judges identiﬁes that it the is abnormal authorized if it receives client different by obtaining IMEI valuesIuser throughfrom one client the XOR of to another JWT within a short time. Kuser and Ruser and, subsequently, compares the existing registered client’s Iuser. At this time,

Stepthe home3. For gatewaythe JWT received judges from that the it isclient, abnormal the home if gateway it receives verifies different the validity IMEI of values the token from one through the HMAC using the secret key that only it knows. Stepclient 4. toThe another home gateway JWT within concatenates a short the time. client’s API with the timestamp, XORs this value with Step 3. For thethe JWT Rdevice received, creates S from1, and delivers the client, it to the smart home home gateway device.veriﬁes the validity of the token Stepthrough 5. The the smart HMAC home using device the XORs secret S1 and key Rdevice that to onlyobtain it the knows. client’s API, and then generates the result after processing the client’s request. Then, the S2 created by XORing result and Rdevice Sustainability 2017, 9, 1099 10 of 16

Step 4. The home gateway concatenates the client’s API with the timestamp, XORs this value with the Rdevice, creates S1, and delivers it to the smart home device. Step 5. The smart home device XORs S1 and Rdevice to obtain the client’s API, and then generates the result after processing the client’s request. Then, the S2 created by XORing result and Rdevice is sent to the home gateway. Sustainability 2017, 9, 1099 10 of 16 Step 6. The home gateway obtains the result by XORing S2 and Rdevice. The home gateway concatenatesis sent to the the IMEIhome gateway. value and the timestamp of the registered client, XORs the result, Step 6. The home gateway obtains the result by XORing S2 and Rdevice. The home gateway and sends the Mresult value to the client by XORing the value with the Ruser value again. concatenates the IMEI value and the timestamp of the registered client, XORs the result, Step 7. The client XORs the M and Ruser values and XORs the IMEI with the timestamp to obtain and sends the Mresultresult value to the client by XORing the value with the Ruser value again. Stepthe result.7. The client XORs the Mresult and Ruser values and XORs the IMEI with the timestamp to obtain the result. 4. Implementation of the Proposed Protocol 4. Implementation of the Proposed Protocol The home gateway in the smart home environment proposed in this paper realized as a Raspberry pi3, RaspbianThe OS, home Apache, gateway MySQL, in the andsmart PHP; home and environm the smartent homeproposed device in this realized paper asrealized each smartas a home Raspberry pi3, Raspbian OS, Apache, MySQL, and PHP; and the smart home device realized as each device using an Ardunino uno, temperature sensor, power supply system, camera sensor, and so on, smart home device using an Ardunino uno, temperature sensor, power supply system, camera as shownsensor, in Figure and so7 andon, as Table shown2. in The Figure client 7 and used Table a Samsung 2. The client Galaxy used a Note5Samsung Android Galaxy Note5 6.0.1. Android For security of the home6.0.1. gateway, For security an SSL/TLS of the home authentication gateway, an SSL/T letterLS was authentication issued and letter applied was in issued StartSSL. and applied The realizations in were performedStartSSL. The as therealizations step that were the performed client logs as into the step the homethat the gateway client logs with into the his home or her gateway own preregistered with accounthis and or issuedher own JWT; preregistered the step account to register and theissued new JWT; smart the homestep to deviceregister bythe thenew authorized smart homeclient; device and the step forby the the client authorized to access client; to the and smart the step home for device the client and to communicate access to the withsmart it. home device and communicate with it.

Figure 7. Devices used in the proposed scheme. Figure 7. Devices used in the proposed scheme. Table 2. Specifications of devices.

Client Table Home 2. Speciﬁcations Gateway of devices. Smart Home Device Samsung Raspberry Name Galaxy Apache2 MySQL PHP ESP8266 LED DHT11 Clientpi3 Home Gateway Smart Home Device Note5 Samsung 15.1 Distrib PHP Temperature- Android RaspberryRaspbian Apache/2.4.1 WiFi Yellow NameFeature Galaxy Apache210.0.25- MySQL5.6.22- PHP ESP8266 LEDhumidity DHT11 6.0.1 OSpi3 JESSIE 0 (Raspbian) module LED Note5 MariaDB 0+deb8u1 sensor 15.1 Distrib Temperature- Android Raspbian Apache/2.4.10 PHP 5.6.22- WiFi Yellow Feature 10.0.25- humidity 4.1. Login6.0.1 Function OS JESSIE (Raspbian) 0+deb8u1 module LED MariaDB sensor The client performs the login process in the home gateway through the preregistered account in the home gateway, or the login process generating a new account as shown in Figure 8. Then, the 4.1. Loginconnection Function with the home gateway uses HttpsURLConnection for SSL communication. Providing Theinput client of an performs incorrect the account, login the process login process in the homewill begateway failed. Additionally, through the the preregisteredauthority of the account Android permission READ_PHONE_STATE was added in the client device to obtain the IMEI value in the home gateway, or the login process generating a new account as shown in Figure8. Then, of the client during the login process. In case of a login process with an authorized client, the IMEI the connectionvalue of the with client the is home registered gateway in the useshome HttpsURLConnection gateway and the JWT is issued for SSL from communication. the home gateway. Providing input of an incorrect account, the login process will be failed. Additionally, the authority of the Android Sustainability 2017, 9, 1099 11 of 16 permission READ_PHONE_STATE was added in the client device to obtain the IMEI value of the client during the login process. In case of a login process with an authorized client, the IMEI value of the clientSustainability is registered 2017, 9, 1099 in the home gateway and the JWT is issued from the home gateway.11 of 16

Sustainability 2017, 9, 1099 11 of 16

Figure 8. Login page for client access to a smart home. Figure 8. Login page for client access to a smart home.

4.2. Identification and RegistraFiguretion 8. of Login Smart page Home for Devices client access to a smart home. 4.2. Identiﬁcation and Registration of Smart Home Devices The client who completes the login process can check the list of the smart home devices 4.2. Identification and Registration of Smart Home Devices Theconnected client to who the completeshome gateway, the login as shown process in Figure can check 9 (left, the right). list If of ‘add the new smart device’ home button devices is clicked, connected to theas home inThe Figure gateway,client 9(center), who as completesany shown smart in homethe Figure login device9 process(left, to try right). tocan connect check If ‘ theaddthe home newlist of device’gateway the smartbutton would home be is clicked,informed devices as in Figureconnectedto9 the(center), client. to any Ifthe the home smart client gateway, home permits device asit, shownthe tosmart try in toFigureho connectme device 9 (left, the wouldright). home beIf gateway‘ addregistered new device’ would in the button behome informed is gateway. clicked, to the client.asAfter Ifin theFigure finish client 9(center),it, the permits user any can it, smart utilize the smart home the required homedevice deviceto se tryrvices to would connect depend be the on registered homethe accessibility gateway in the would of home the be smart gateway. informed home After to the client. If the client permits it, the smart home device would be registered in the home gateway. ﬁnishdevice it, the registered user can utilizein the home the required gateway. services depend on the accessibility of the smart home device After finish it, the user can utilize the required services depend on the accessibility of the smart home registered in the home gateway. device registered in the home gateway.

Figure 9. Connected smart home devices in a smart home.

4.3. JWT Validation and SmartFigure Home 9. Connected Device Access smart home devices in a smart home. Figure 9. Connected smart home devices in a smart home. The client can check his or her token issued from the home gateway upon pushing the check my 4.3. JWT Validation and Smart Home Device Access JWT button, as shown in Figure 10. The decoded data of the header and payload fields in the JWT 4.3. JWTcan be ValidationThe checked client can andin Figurecheck Smart his10. Home orHowever, her Device token the Accessissued signature from ofthe the home client gateway that does upon not pushing know the the secret check keymy JWTThecannot clientbutton, be verified can as shown check since hisin the Figure or signature her 10. token The field decoded issued is deve from dataloped theof with the home headerthe gatewayHMAC and payloadofupon the secret pushingfields key in thatthe the JWTonlycheck my can be checked in Figure 10. However, the signature of the client that does not know the secret key JWT button,knows the as home shown gateway. in Figure 10. The decoded data of the header and payload fields in the JWT can cannot be verified since the signature field is developed with the HMAC of the secret key that only be checked in Figure 10. However, the signature of the client that does not know the secret key cannot knows the home gateway. be verified since the signature field is developed with the HMAC of the secret key that only knows the home gateway. Sustainability 2017, 9, 1099 12 of 16 Sustainability 2017, 9, 1099 12 of 16

Figure 10. Checking the JWT and control of smart home devices. Figure 10. Checking the JWT and control of smart home devices. 5. Security and Performance Analysis 5. Security and Performance Analysis 5.1. Secuity Requirement Analysis 5.1. Secuity Requirement Analysis The proposed protocol enables remote devices and various smart home devices to communicate The proposed protocol enables remote devices and various smart home devices to communicate through home gateways. Additionally, the registration of the unauthorized smart home devices can through home gateways. Additionally, the registration of the unauthorized smart home devices can be blocked since only the authorized user can register the new smart home device in the smart home. be blocked since only the authorized user can register the new smart home device in the smart home. Since the user, the home gateway, and the smart home device communicate using the shared secret Since the user, the home gateway, and the smart home device communicate using the shared secret code, the leakage of the personal information can be protected. In addition, the home gateway can code, the leakage of the personal information can be protected. In addition, the home gateway can detect the changes of the client by the verification of the IMEI value even if the malicious user captures detect the changes of the client by the veriﬁcation of the IMEI value even if the malicious user captures the JWT. Therefore, this paper compared and analyzed security requirements with existing papers as the JWT. Therefore, this paper compared and analyzed security requirements with existing papers as Table 3. Table3. Table 3. Comparative security requirement analysis between smart homes. Table 3. Comparative security requirement analysis between smart homes. Dae-Hwi Lee Fremantle Prakash Kang, Jungho Proposed

Dae-Hwiet al. [13] Lee Fremantleet al. [14] etPrakash al. [15] Kang,et al. [26] Jungho SchemeProposed Privacy et al.O [13 ] et al.O [14 ] et al.O [15] et al.O [26] SchemeO SecurePrivacy Smart home O O O O O O X X X O Securedevice SmartRegistration home User authentication in OXXXO device Registration O O O O O smart home User authentication in OOOOO Securitysmart home threats O Δ Δ O O Heterogeneous Security threats OX ∆X ∆X OOO O communication Heterogeneous Low resource XXXOO X X O O O communication O: Support; Δ: not fully support; X: Not support. Low resource X X O O O 5.1.1. Privacy O: Support; ∆: not fully support; X: Not support. In the smart home environment, data should be accessed only by the authorized clients, and those5.1.1. Privacywithin the smart home should not be exposed to the unauthorized clients. In the proposed protocolIn the the smart client home can deliver environment, his or her data own should IMEI be value accessed and only Ruser by value the authorizedthat only the clients, client and and those the homewithin gateway the smart know home upon should XOR not to bethe exposed home gateway to the unauthorized securely so as clients. to obtain In the the proposed response protocolto what he or she requests. Since the home gateway sends and receives the pre-shared Rdevice value and the the client can deliver his or her own IMEI value and Ruser value that only the client and the home datagateway to the know smart upon home XOR device to the upon home XOR, gateway the user’s securely sensitive so as to data obtain shall the not response be exposed. to what Even he orif the she malicious user captures the JWT and requests to the home gateway after amendment, the signature requests. Since the home gateway sends and receives the pre-shared Rdevice value and the data to the ofsmart the homeJWT cannot device be upon counterfeited XOR, the user’sbecause sensitive it does data not shallknow not the be secret exposed. key. EvenMoreover, if the the malicious home gatewayuser captures can detect the JWT what and the requests maliciou tos theuser home requests gateway with afterthe user’s amendment, JWT since the the signature user’s IMEI of the value JWT iscannot checked be counterfeitedwhenever the becauseuser requests. it does not know the secret key. Moreover, the home gateway can detect what the malicious user requests with the user’s JWT since the user’s IMEI value is checked 5.1.2. Registration of a Certified Smart Home Device whenever the user requests. A variety of smart home devices in the smart home respond the user’s requests by the home gateway. Then, the registration to the home gateway should be possible only for the authorized smart Sustainability 2017, 9, 1099 13 of 16

5.1.2. Registration of a Certiﬁed Smart Home Device A variety of smart home devices in the smart home respond the user’s requests by the home gateway. Then, the registration to the home gateway should be possible only for the authorized smart home devices by the user. Fremantle, Prakash and Kang [14,15,26] can register a new smart home device in the smart home, but there is a disadvantage that anyone can register a new smart home device in the smart home because there is no process of identifying the registrant. Therefore, in this paper, the user veriﬁes himself or herself by a login process prior to the registration of the smart home device. After that, if the new smart home device tries to access the home gateway, the home gateway shall make the user acknowledge this and the user shall decide whether he or she adds the smart home device. Later, the user and the smart home device obtain the same Ad-c value by the home gateway and hashes Ad-c. Then, the user delivers the hashed Ad-c and Ruser upon XOR to the home gateway, and the smart home device delivers the hashed Ad-c and Rdevice upon XOR to the home gateway. In the case of two identical values, the home gateway registers the new smart home device and adds it to the user’s list of the smart home devices.

5.1.3. User Authentication in the Smart Home The user authentication process is used to access the smart home externally. In the proposed protocol, the user registers his or her IMEI value after verification of ID and password in the home gateway during the first login process, and obtains the JWT. Even if an improper user captures the user’s ID and password, the verification will fail since it has a different IMEI value in the case of an unauthorized device. Therefore, only the authorized users can access to the smart home.

5.1.4. Security Threats The information used in the smart home should be able to be inquired and amended only by the authorized user. The Diffie-Hellman scheme proposed in [13] has a high computational complexity, and there is a problem that when the session key between a user and a smart home device is exposed, all subsequent session information is exposed. Additionally, the technique proposed in [15] is a method of storing fingerprint information in a DB and comparing them. The method is proposed in [15] and is likely to be easily exposed because the fingerprint of the user is transmitted to the middleware without a separate process. Since biometric information is a unique value that cannot be changed, serious security damage can occur if exposed once. Hence, in this paper, the sending and receiving of information in the smart home is coded so only authorized users can make them able to inquire and amend. The transmitted data between the user and the home gateway are performed with encryption and decryption of Ruser that only the user and the home gateway know upon XOR, and the transmitted data between the home gateway and the smart home device performed with encryption and decryption of Rdevice upon XOR. The attacker who does not know Ruser and Rdevice cannot detect the data transmitted in the smart home.

5.1.5. Heterogeneous Communication The integrated management system is required to recognize each device since various smart home devices in the smart home have different platforms. Lee, Fremantle and Prakash [13–15] did not consider a comprehensive environment for devices using different platforms. In [20], the devices with individually different logic were integrated using XLM, and Intel also enabled communication with the devices with each different logic through their technology. As such, this paper added a middleware layer between the application layer and the transport layer in the home gateway and the smart home device to offer ﬂexibility in communication between different devices, and the user is able to use the comprehensive smart home services through a single application. Sustainability 2017, 9, 1099 14 of 16

5.1.6. Computing Resource Analysis The smart home device should be considered with low power and weight reduction in the smart home environment. In this paper, secure data transmission was realized between the smart home device and the user with a relatively low level of calculation and resource consumption, taking into account the specifications of the smart home device. Figure 11(left) demonstrates the amount of Sustainability 2017, 9, 1099 14 of 16 resource consumption that occurred during the user’s authentication process whenever the new smart homesmart deviceshome devices are registered. are registered. In [8]’s proposedIn [8]’s proposed scheme scheme using the using Diffie-Hellman the Diffie-Hellman Key exchange Key exchange method, themethod, amount the of amount data is increasedof data is asincreased the number as the of thenumber smart of home the smart devices home is increased. devices is The increased. user should The beuser verified should with be theverified effectiveness with the of theeffectiveness issued token of throughthe issued an externaltoken through resource an authorization external resource serve, wheneverauthorization new smartserve, homewhenever devices new are addedsmart inhome the smartdevices home; are inadded [9]’s proposedin the smart scheme home; since in it uses[9]’s OAuth.proposed Therefore, scheme thesince large it uses amount OAuth. of resources Therefore, is consumedthe large amount as the number of resources of smart is consumed home devices as the is increased.number of The smart proposed home devices protocol is in increased. this paper The is to proposed consume protocol relatively in lower this resourcespaper is to even consume if the numberrelatively of thelower smart resources home devices even if is the increased, number applying of the smart minimal home XOR devices and hash is calculationsincreased, applying to lower theminimal burden XOR of the and smart hash homecalculations devices. to lower the burden of the smart home devices.

(Left) (Right)

Figure 11. Computing resource analysis (Left), speeds of encryption and decryption of proposed Figure 11. Computing resource analysis (Left), speeds of encryption and decryption of proposed scheme (Right). scheme (Right). In the smart home environment, encryption and decryption processes are frequently used due to processingIn the smart large home amounts environment, of information. encryption In the and case decryption of complicated processes encryption are frequently and decryption used due tocalculation, processing each large smart amounts home ofdevice information. cannot proce In thess casethe data of complicated quickly and encryptiontimely communication and decryption may calculation,be difficult. eachFigure smart 11(right) home shows device that cannot it can process perform the datawith quickly relatively and faster timely speed communication when compared may bewith difficult. the proposed Figure 11scheme(right) of shows encryption that it and can decry performption with calculation relatively performed faster speed by each when smart compared home withdevice, the RSA, proposed and AES. scheme of encryption and decryption calculation performed by each smart home device, RSA, and AES. 6. Discussion 6. Discussion In this paper, we propose three protocols, which include a user authentication protocol allowing In this paper, we propose three protocols, which include a user authentication protocol allowing only an authorized user to access the smart home, a protocol allowing only an authorized user to only an authorized user to access the smart home, a protocol allowing only an authorized user to register a new smart home device in a smart home, and a protocol in which an authorized user register a new smart home device in a smart home, and a protocol in which an authorized user requests requests an API to a smart home device securely through a home gateway. When the user logs in to an API to a smart home device securely through a home gateway. When the user logs in to the smart the smart home through the remote device he/she has, he/she inputs the ID and password and the home through the remote device he/she has, he/she inputs the ID and password and the IMEI of the IMEI of the remote device is delivered to the home gateway in conjunction. There is a general remote device is delivered to the home gateway in conjunction. There is a general characteristic when characteristic when using the IMEI to authenticate the user’s device; it cannot be easily changed once using the IMEI to authenticate the user’s device; it cannot be easily changed once exposed. In this exposed. In this paper, when the user first registers an IMEI value, it concatenates the value of the paper, when the user first registers an IMEI value, it concatenates the value of the IMEI with the value IMEI with the value of the SaltR and hashes for delivery to the server. Through this, the user does of the SaltR and hashes for delivery to the server. Through this, the user does not need to directly not need to directly expose the IMEI. Even if the user’s IMEI is exposed, the user can add a new IMEI expose the IMEI. Even if the user’s IMEI is exposed, the user can add a new IMEI value to the home value to the home gateway whenever the user wants because the IMEI value is a salted and hashed gateway whenever the user wants because the IMEI value is a salted and hashed IMEI value, not the IMEI value, not the original IMEI value. Additionally, since the IMEI value of the remote device and the Euser, which is XORed with H (PWuser), is transmitted to the home gateway, there is little possibility of exposing the IMEI of the remote device on the network. Furthermore, if a malicious client attacks through IMEI brute force, it will ask for APIs multiple times. Therefore, if the home gateway detects a different IMEI for one JWT within a short time, it is considered to be a hacker. Since the user’s IMEI and password are not exposed on the network, attacks from hackers are difficult. Even if a hacker wishes to perform a complete hijack, it is very unlikely because he must know the user’s ID, password, and IMEI values before they can attack. In addition, JWT tampering is also impossible because the secret key to sign the JWT is unknown, even if a hacker attempts to access Sustainability 2017, 9, 1099 15 of 16 original IMEI value. Additionally, since the IMEI value of the remote device and the Euser, which is XORed with H (PWuser), is transmitted to the home gateway, there is little possibility of exposing the IMEI of the remote device on the network. Furthermore, if a malicious client attacks through IMEI brute force, it will ask for APIs multiple times. Therefore, if the home gateway detects a different IMEI for one JWT within a short time, it is considered to be a hacker. Since the user’s IMEI and password are not exposed on the network, attacks from hackers are difficult. Even if a hacker wishes to perform a complete hijack, it is very unlikely because he must know the user’s ID, password, and IMEI values before they can attack. In addition, JWT tampering is also impossible because the secret key to sign the JWT is unknown, even if a hacker attempts to access unauthorized information through JWT tampering. However, in an environment where the remote device’s IMEI can be easily leaked, it is recommended that one uses an identification value that can be changed when exposure occurs.

7. Conclusions In the IoT era where things communicate, the smart home, which combines with the environment in which people live, provides users with various convenient services. However, recently, smart home security threats, such as the vulnerability of sessions threatening the smart home and OAuth vulnerabilities, have appeared, and attacks, such as smart home intrusion, personal information leakage, and privacy exposure are increasing. Therefore, in order to establish a secure smart home, authentication and device registration techniques that can cope with these various security threats should be applied. If a correct security system is not built, the user’s personal information may be exposed to a hacker or a serious security problem, such as an unauthorized service being executed, may occur. Session/cookie and OAuth, which were used in existing smart home environments, are vulnerable because hackers can steal user information or disguise themselves as an authorized user. Therefore, in this paper, we proposed a user authentication scheme using JWT and IMEI, and proposed a scheme where only a user authorized to the home gateway can add a new smart home device. The proposed scheme minimizes the computation of data transmission and reception between the user and the smart home device, thereby providing low-power computing of the smart home device and the remote device. Additionally, even if a hacker seizes the JWT through JWT and IMEI, it has proved secure against various attack scenarios by preventing hackers from changing tokens by signing using a secret key.

Author Contributions: Mansik Kim researched relation work; Namsu Hong designed the protocol; Moon-Seog Jun and Jungho Kang performed and analyzed the data; and Namsu Hong and Jungho Kang wrote the paper. Conﬂicts of Interest: The authors declare no conﬂicts of interest.

References

1. Lin, H.; Bergmann, N.W. IoT Privacy and Security Challenges for Smart Home Environments. Information 2016, 7, 44. [CrossRef] 2. Marianthi, T.; Tsalis, N.; Gritzalis, D. Smart Home Solutions: Privacy Issues. In Handbook of Smart Homes, Health Care and Well-Being; Springer International Publishing: Cham, Switzerland, 2017; pp. 67–81. 3. Kumar, P.; Gurtov, A.; Iinatti, J.; Ylianttila, M.; Sain, M. Lightweight and secure session-key establishment scheme in smart home environments. IEEE Sens. J. 2016, 16, 254–264. [CrossRef] 4. Andreas, J.; Boldt, M.; Carlsson, B. A risk analysis of a smart home automation system. Future Gener. Comput. Syst. 2016, 56, 719–733. 5. Choi, B.-M. A Study on Setting up the Concept of Smart City through Analysis on the Term ‘Smart’. J. Korea Contents Assoc. 2011, 11, 943–949. [CrossRef] 6. Lee, M.; Park, J. Analysis and Study on Invasion Threat and Security Measures for Smart Home Services in IoT Environment. J. Inst. Int. Broadcast. Commun. 2016, 16, 27–32. [CrossRef] Sustainability 2017, 9, 1099 16 of 16

7. Verhoef, P.C.; Kannan, P.K.; Luo, X.; Zhang, Y. Consumer Connectivity in a Complex, Technology-Enabled, and Mobile-Oriented World with Smart Products. Northeastern U. D’Amore-McKim School of Business Research Paper, No. 2912321. Available online: https://ssrn.com/abstract=2912321 (accessed on 23 June 2017). 8. Suryadevara, N.K. Wireless Sensor Sequence Data Model for Smart Home and IoT Data Analytics. In Proceedings of the First International Conference on Computational Intelligence and Informatics; Springer: Singapore, 2017. 9. Bandara, A.M.K.C. Secure Smart Home System. Master of Science in Information Security. 2016. Available online: documents.ucsc.lk/jspui/handle/123456789/3711 (accessed on 23 June 2017). 10. Tan, J.Y.; Ker, P.J.; Abdullah, A. Smart Home Design with XBee Wi-Fi and Android-Based Graphical User Interface. In Proceedings of the 2016 IEEE Student Conference on Research and Development (SCOReD), Kuala Lumpur, Malaysia, 13–14 December 2016. 11. Wang, G.; Song, D. Smart Home Services Using the Internet of Things. In Internet of Things and Data Analytics Handbook; Wiley: Hoboken, NJ, USA, 2017; pp. 613–630. 12. Sharma, P.K.; Moon, S.Y.; Park, J.H. Block-VN: A Distributed Blockchain Based Vehicular Network Architecture in Smart City. J. Inf. Proc. Syst. 2017, 13, 184–195. [CrossRef] 13. Lee, D.-H.; Lee, I.-Y. A Study on Enhanced 3PAKE Scheme against Password Guessing Attack in Smart Home Environment. J. Korea Inst. Inf. Secur. Cryptol. 2016, 26, 1471–1481. [CrossRef] 14. Fremantle, P. Privacy-enhancing Federated Middleware for the Internet of Things. In Proceedings of the Doctoral Symposium of the 17th International Middleware Conference, New York, NY, USA, 12–16 December 2016. 15. Prakash, N.S.; Venkatram, N. Establishing efficient security scheme in home IOT devices through biometric finger print technique. Indian J. Sci. Technol. 2016, 9.[CrossRef] 16. Fernandes, E.; Jung, J.; Prakash, A. Security Analysis of Emerging Smart Home Applications. In Proceedings of the 2016 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 22–26 May 2016. 17. Min, K.W.; Moon, S.Y.; Park, J.H. An enhanced security framework for home appliances in smart home. Hum.-Centric Comput. Inf. Sci. 2017, 7, 6. 18. Kim, M.-S.; Lee, J.-K.; Park, J.H.; Kang, J.-H. Security Challenges in Recent Internet Threats and Enhanced Security Service Model for Future IT Environments. J. Int. Technol. 2016, 17, 947–955. 19. Zhu, W.; Lee, C. A Security Protection Framework for Cloud Computing. J. Inf. Proc. Syst. 2016, 12, 538–547. [CrossRef] 20. Moazzami, M.-M.; Xing, G.; Mashima, D.; Chen, W.-P.; Herberg, U. SPOT: A Smartphone-Based Platform to Tackle Heterogeneity in Smart-Home IoT Systems. In Proceedings of the 2016 IEEE 3rd World Forum on Internet of Things (WF-IoT), Reston, VA, USA, 12–14 December 2016. 21. Jungho, K.; Park, G.; Park, J.H. Design of secure authentication scheme between devices based on zero-knowledge proofs in home automation service environments. J. Supercomput. 2016, 72, 4319–4336. 22. Kwon, T.; Lee, J.; Choi, H.; Yi, O.; Ju, S. Efficiency of LEA compared with AES. J. Converg. 2015, 6, 16–25. 23. Deschambault, O.; Gherbi, A.; Légaré, C. Efficient Implementation of the MQTT Protocol for Embedded Systems. J. Inf. Proc. Syst. 2017, 13, 26–39. [CrossRef] 24. Lee, S.-W.; Yu, J.-H.; Sim, K.-B. Real-time Streaming and Remote Control for the Smart Door-Lock System based on Internet of Things. J. Korean Inst. Intell. Syst. 2015, 25, 565–570. [CrossRef] 25. Wu, X.; Hu, X.; Moura, S.; Yin, X.; Pickert, V. Stochastic control of smart home energy management with plug-in electric vehicle battery energy storage and photovoltaic array. J. Power Sources 2016, 333, 203–212. [CrossRef] 26. Kang, J.; Kim, M.; Park, J.H. A reliable TTP-based infrastructure with low sensor resource consumption for the smart home multi-platform. Sensors 2016, 16, 1036. [CrossRef][PubMed] 27. Jones, M.; Bradley, J.; Sakimura, N. JSON Web Token (JWT), RFC 7519, 2015. Available online: http: //www.rfc-editor.org/info/rfc7519 (accessed on 23 June 2017).

© 2017 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).