Secure Mutual Authentication and Key-Exchange Protocol Between PUF-Embedded IoT Endpoints

Device authentication and key exchange protocol are essential front line of access controls in IoT security, and physical unclonable function (PUF) is a key enabler to lightweight, low-power and secure authentication of internet enabled endpoint devices in IoT. Current PUF-enabled authentication protocol requires the verifier to store a sufficiently large number of challenge-response pairs (CRPs) of each of its interlocutors, which makes the protocol impractical in application scenarios where the verifier is a resource-constrained device, especially when the verifier needs to communicate with multiple PUF- embedded endpoints. To solve this problem, a new lightweight PUF-based mutual authentication and key-exchange protocol is proposed in this paper to allow two resource-constrained PUF embedded endpoint devices to authenticate each other without the need to store the CRPs locally, and simultaneously establish the session key for secure data exchange without resorting to public-key algorithm. The PUF response reliability is mitigated by the use of reverse fuzzy extractor to offload the compute- intensive error decoding to the server during the initialization phase of the protocol. The proposed protocol is evaluated using ProVerif to corroborate its secrecy, mutual authenticity as well as resistance against replay and man-in-the-middle attacks.