International Journal of Distributed Sensor Networks
Volume 2012 (2012), Article ID 382810, 11 pages
http://dx.doi.org/10.1155/2012/382810
Research Article

A Security-Performance-Balanced User Authentication Scheme for Wireless Sensor Networks

Department of Computer Science and Engineering, Sogang University, Seoul 121-742, Republic of Korea

Received 3 November 2011; Revised 20 January 2012; Accepted 12 February 2012

Academic Editor: Wensheng Zhang

Copyright © 2012 Sang Guun Yoo et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

The uses of wireless sensor networks have increased to be applicable in many different areas, such as military applications, ecology, and health applications. These applications often include the management of confidential information, making the issue of security one of the most important aspects to consider. In this aspect, a user authentication mechanism that allows only legitimate users to access the network data becomes critical for maintaining the confidentiality and integrity of the network information. In this paper, we describe and cryptanalyze previous works in user authentication to illustrate their vulnerabilities and security flaws. We then propose a robust user authentication scheme that solves the identified limitations. Additionally, we describe how the proposed protocol is more suitable for a secure sensor network implementation by analysis in terms of security and performance.

1. Introduction

Wireless sensor networks (WSNs) are being applied in different fields such as habitat monitoring [1], indoor sensor networks [2], military applications [3], and health monitoring [4]. Many of these applications manage confidential information, making the issue of security one of the most important points to consider. One of the fields of research in wireless sensor network security is the user authentication scheme that allows only authentic users to access the data collected by the sensor nodes.

In 2006, Wong et al. [5] proposed a dynamic user authentication scheme and discussed the implementation issues with the recommendation of using the security features of the IEEE 802.15.4 MAC sublayer. Later, in 2009, Das [6] presented his research work where he identified vulnerabilities in Wong et al.’s protocol and proposed his own authentication scheme based on the two-factor user authentication concept. After publication of Das’ proposal, several works have pointed out that such a protocol was vulnerable to other attacks. Nyang and Lee [7] identified that Das’ protocol was vulnerable to offline password guessing and sensor node compromising attacks. Huang et al. [8] also identified some limitations of Das’ scheme, such as vulnerability to an impersonation attack. Additionally, [9] pointed out the absence of a mutual authentication feature in Das’ protocol, while Khan and Alghathbar [10] pointed out more security flaws of Das’ proposal, noting that it was vulnerable to privileged-insider and gateway-node bypassing attacks. References [7–10] also proposed enhanced versions of Das’ protocol to eliminate detected vulnerabilities. However, those proposals still include several vulnerabilities and limitations that an adversary could take advantage of.

In this paper, we provide two specific contributions to the WSN user authentication research area: (1) first, we cryptanalyze the aforementioned works and show how reference [7] is still vulnerable to parallel session and privileged-insider attacks and how it does not offer a password change mechanism. We also illustrate how [8] is vulnerable to parallel session and privileged-insider attacks and how it does not provide mutual authentication and password change features. Additionally, we explain how [9] is defenseless against parallel session, privileged-insider, and gateway-node bypassing attacks, does not offer a password change mechanism, and has a serious vulnerability in its mutual authentication mechanism. Furthermore, we explain how [10] is vulnerable to parallel session attacks, only offers a partial protection against gateway-node bypassing attacks, and does not provide mutual authentication between the user and the gateway-node. (2) Later, after identifying the limitations of previously mentioned works, we propose a robust user authentication for wireless sensor networks which fixes the aforementioned weaknesses.

The rest of the paper is organized as follows. Section 2 briefly reviews the existing works and details the weaknesses and security pitfalls of such schemes. Section 3 then presents the proposed protocol which solves the vulnerabilities and limitations mentioned in Section 2. Next, Section 4 analyzes the proposed protocol in terms of security and performance. Finally, Section 5 concludes this paper.

2. Previous Works and Their Cryptanalysis

In this section, we briefly explain the proposal of Das [6]. We then describe further works [7–10] that aim to solve the limitations of Das’ scheme and show how those enhanced proposals are still not secure and have several security vulnerabilities.

2.1. Review of the Das Scheme

The scheme proposed by Das [6] is composed of registration and authentication phases.

Registration Phase
A user submits his/her identity and password to the gateway node using a secure channel. then computes , where is a symmetric key only known by , is a hash function, and “” is a concatenation operator. Once is calculated, personalizes a smart card with the parameters , , , , and , where is a secret parameter generated securely by and stored in the sensor nodes before deployment. Finally, delivers the smart card to in a secure manner.

Authentication Phase
This phase is executed when needs to access data of a sensor node of the network. The phase is composed of the Login and verification phases.

(1) Login Phase. inserts the smart card in his/her terminal, and inputs and . The smart card verifies the validity of those values by comparing and with the data stored in it. If those values are correct, the smart card computes and , where is the current timestamp of ’s system and sends to .

(2) Verification Phase. Upon receiving the login request at time validates . If , then aborts the authentication process, where denotes the maximum allowed communication delay. Otherwise, computes and . If is different to , then rejects the login request; otherwise, sends a message to some nearest sensor node to respond to the query with the data that is looking for, where and is the current timestamp of the ’s system. first validates , then computes , and checks whether it is equal to . If those values match, then responds to query.

2.2. Chen-Shih’s Scheme

In [9], the authors indicate that Das’ scheme fails in mutual authentication and it is vulnerable to parallel session attack, and propose “A robust mutual authentication protocol for wireless sensor networks” which still has vulnerabilities and limitations.

2.2.1. Review of Chen-Shih’s Scheme

The protocol proposed in [9] is composed of registration, login, verification, and mutual authentication phases.

Registration Phase
The user submits his/her identity and password to the gateway node using a secure channel. then computes , where is a symmetric key only known by , is a hash function, and “” is a concatenation operator. Once is calculated, personalizes a smart card with the parameters , , , , and , where is a secret parameter generated by and stored in the sensor nodes before deployment. Finally, delivers the smart card to in a secure manner.

Login Phase
When enters his/her and , the smart card verifies the validity of and . If they are not correct, it terminates the request; otherwise, ’s smart card generates a random nonce at and computes and , where is the current timestamp of ’s system. then sends the message to .

Verification Phase
Once the message is received at time , verifies if , where denotes the maximum allowed delay. If the required condition is fulfilled, aborts the authentication process; otherwise, computes and . If is different to , rejects the login request; otherwise, accepts the request and generates a random nonce and sends a message to some sensor node , where and is the current timestamp of ’s system. Additionally, also sends the message to where . Finally, , after validating , computes and checks whether it is equal to . If those values match, then responds to the query from .

Mutual Authentication Phase
After receiving the message , only coworks with if is equal to .

2.2.2. Cryptanalysis of Chen-Shih’s Scheme

Here, we show how the proposal of Chen and Shih still has some critical security pitfalls and limitations.

Parallel Session Attack
In Chen-Shih’s scheme, the authors include the random nonce inside and to neutralize this attack. However, their protocol remains vulnerable. Assume that a legal user Tom eavesdrops on the message between and at timestamp to obtain and , where is the value at and denotes the random nonce at . Tom can then forge the message at timestamp by generating and , and computing , where is any random number selected by Tom, and and are Tom’s ID and password, respectively. Once ’s is obtained, Tom can send a new session message at for a new login request.

Gateway Node Bypassing Attack
The Chen-Shih scheme uses the value to allow to verify that the message originates from the authentic . If we assume that the adversary can extract the value of stored inside of a valid smart card by using some techniques [11–13], the adversary can execute the gateway node bypassing attack. First, the attacker computes a forged by using the extracted , where is a forged , is a randomly chosen forged password, is the timestamp of an adversary’s terminal, and is an arbitrary random nonce. The attacker then computes . Once and are calculated, the adversary sends the message to over the public channel. Finally, authenticates the adversary’s message because cannot recognize its invalidity because the value computed by is equal to the value received from the adversary.

Privileged-Insider Attack
The system administrator or privileged-insider of may try to impersonate by authenticating himself/herself to other servers where could be a registered user. This is possible because receives the password of in plaintext, that is, , in the registration phase, and because many users use the same password to access different applications of servers.

Vulnerable Mutual Authentication between and
Chen-Shih’s scheme proposes a mutual authentication phase. However, it has a vulnerability which allows an adversary to execute the spoofing attack. If we assume that the adversary can extract the value of from a valid smart card or sensor node by using some techniques [11–13] as assumed in [8, 10], the adversary can then pretend to be a valid . First, the fake gateway node listens to the network and sniffs the message. Once the message is received, can respond with the message , where , where is the identification of the adversary’s sensor node and where is a random nonce selected by the adversary. Finally, authenticates the adversary’s message because cannot recognize its invalidity because the received is equal to computed by . After authentication, the fake sensor node can send false data to .

Lack of Mutual Authentication between and the Sensor Node
The Chen-Shih scheme does not provide a mutual authentication mechanism between and the sensor nodes. Therefore, it is vulnerable to a sensor node spoofing attack. The adversary can place a false sensor node to respond to the message with false data. cannot recognize the invalidity of the false data because it does not perform any verification.

Lack of a Password Change Phase
The Chen-Shih scheme does not provide a password change phase for , which is a requirement for a secure system.

2.3. Khan-Alghathbar’s Scheme

In [10], the authors indicate that Das’ scheme is vulnerable to gateway node bypassing and privileged-insider attacks. They also point out that Das’ scheme does not provide mutual authentication or a password change mechanism. As a response to such limitations, they propose improvements of Das’ scheme which still has vulnerabilities and limitations.

2.3.1. Review of Khan-Alghathbar’s Scheme

The protocol proposed in [10] is composed of registration and authentication phases.

Registration Phase
A user submits his/her identity and password to his/her terminal. The terminal then calculates and sends and to the gateway node using a secure channel, where is a hash function. then computes , where is a symmetric key only known by and “” is a concatenation operator. Once is calculated, personalizes a smart card with the parameters , , , , and , where is a secret parameter generated securely by . On the other hand, generates another secret parameter and stores it in each sensor node before its deployment in the field.

Authentication Phase
This phase is executed when needs to access the data of a sensor node of the network. The phase is composed of login and verification phases.

(1) Login Phase. inserts the smart card in his/her terminal, and inputs and . The smart card verifies the validity of those values by comparing the data stored in it. If those values are correct, the smart card computes and  , where is the current timestamp of ’s system and sends   to  . Otherwise, the login request is rejected.

(2) Verification Phase. Upon receiving the login request at time , validates . If , aborts the authentication process, where denotes the maximum allowed communication delay. Otherwise, computes and . If is different to , rejects the login request. Otherwise, sends a message to some nearest sensor node , where and is the current timestamp of ’s system. first validates , then computes , and checks whether it is equal to . If those values match, computes , where is the current timestamp of sensor node’s system and sends to . After receiving the mutual authentication message , first checks the validity of timestamp and then computes and checks whether it is equal to . If those values match, establishes trust with the sensor node; otherwise, alerts about the possibility of a malicious sensor node in the network and sends a process-termination message.

Password Change Phase
When a user wants to change his/her password to a new password , inserts his/her smart card into the terminal and enters , , and . The smart card validates and . Only if those values are correct, then the smart card computes and replaces and with and , respectively.

2.3.2. Cryptanalysis of Khan-Alghathbar Scheme

The proposal of Khan and Alghathbar still has some critical security pitfalls and limitations as shown below.

Parallel Session Attack
Assume that a legal user Tom eavesdrops on the message between and at timestamp to obtain the at . Tom then can forge the at timestamp by generating and , then computing , where and are Tom’s and password, respectively. Once is obtained, Tom can then send a new session message at for a new login request.

Gateway Node Bypassing Attack
The secret value stored and shared by sensor nodes can be extracted using similar techniques of extracting from a smart card [11, 13]. If is extracted, the adversary can execute the gateway node bypassing attack using and , where is a forged , is a randomly chosen forged password, and is the timestamp of adversary’s terminal.

Lack of Mutual Authentication between and
First of all, the aforementioned work proposes a mutual authentication between and . However, they omit the mutual authentication between and . Newer sensor networks offer remote administration/query features in gateway nodes [14, 15], allowing users to access the network’s data from a remote terminal. In this kind of environment, it is really important to authenticate the validity of from the ’s side to avoid adversaries collecting valuable data using fake gateway nodes.

2.4. Nyang-Lee’s Scheme

In [7], the authors point out that Das’ scheme is vulnerable to password guessing attacks and gateway node impersonation attacks and has the limitation of a lack of protection relating to query-response. As a response to such security pitfalls, the authors propose a security-enhanced protocol.

2.4.1. Review of Nyang-Lee’s Scheme

In [7], the authors propose a security-enhanced protocol composed of the registration and authentication phases.

Registration Phase
The registration phase is the same as that of Das’ protocol except that is computed as .

Authentication Phase
It starts with the submission of and by . Once inputs those values, then ’s smart card authenticates and by comparing those values with the values stored in it. The smart card then computes and to send to . Upon receiving the request from , validates and authenticates by comparing it with . After validation, computes an encryption key and a MAC key between and the sensor node . To provide a secure channel for and between and itself, computes the encryption key and the MAC key , respectively, where is a predistributed symmetric key between and , and is the current time. then encrypts and using the key computed in the previous step and produces . It also computes a MAC using the key , and transmits to . When receives those values, it first verifies and computes using and then checks if is equal to . After verification, decrypts with and recovers and . Data sensed by nodes is encrypted with as and the MAC is computed with as , where is the current time. Once and are calculated, the message is sent to . then verifies and checks by comparing it with , where . If this verification is successful, the sensed data is recovered by decrypting using .

2.4.2. Cryptanalysis of Nyang-Lee’s Scheme

Nyang-Lee’s proposal still has some critical security pitfalls and limitations as shown below.

Parallel Session Attack
The Nyang-Lee scheme is vulnerable to a parallel session attack in the same way that happens in [9, 10]. A legal user Tom can obtain the message between and at timestamp to obtain the value at . Tom then can forge the value at by generating and , and computing . Once ’s is obtained, Tom can send a new session message at for a new login request.

Privileged-Insider Attack
The system administrator or privileged-insider of may try to impersonate by authenticating himself/herself to other servers where could be a registered user. This is possible because receives the password of in plaintext, that is, , in the registration phase and because many users use the same password to access different applications of servers.

Lack of Password Change Phase
This scheme does not provide a password change phase for , which is a requirement for a secure system.

2.5. Huang et al.’s Scheme

In [8], the authors point out that the security features of Das’ scheme are based on the value and its leakage can compromise the entire network. After explaining the limitations of Das’ scheme, the authors propose an improved scheme which still has vulnerabilities and limitations.

2.5.1. Review of Huang et al.’s Scheme

In this scheme, computes and stores in the designated sensor node before deployment. Note that each is responsible for exchanging data with users. The improved scheme consists of four phases: the registration phase, login phase, verification phase, and password change phase.

Registration Phase
The user submits his/her identity and password to using a secure channel. then computes and issues a smart card containing , , , , and to through a secure channel.

Login Phase
inserts his/her smart card into the terminal and inputs and . The smart card then verifies and with the data stored in it. Once those values are verified, the smart card computes and , where is the current timestamp, and sends to .

Verification Phase
Once has been received at time , verifies and authenticates by comparing it with , where . If is different to , rejects the login request. Otherwise, accepts the request and sends a message to some nearest sensor node , where and is the current timestamp of ’s system. Finally, , after validating , computes , and checks whether it is equal to . If those values match, then responds to the query from ; otherwise, the query is rejected.

Password Change Phase
When wants to update his/her password, he/she inserts the smart card into a card reader and enters the original password and the new password . The smart card computes and replaces the stored and with and , respectively.

2.5.2. Cryptanalysis of Huang et al.’s Scheme

Parallel Session Attack
Huang et al.’s scheme is vulnerable to parallel session attacks in the same way that can happen in [7, 9, 10]. A legal user Tom can obtain the message between and at timestamp to obtain the value at . Tom then can forge the value at by generating and , and computing . Once ’s is obtained, Tom can send a new session message at for a new login request.

Privileged-Insider Attack
The system administrator or privileged-insider of may try to impersonate by authenticating himself/herself to other servers where could be a registered user. This is possible because receives the password of in plaintext, that is, , in the registration phase, and because many users use the same password to access different applications of servers.

Lack of Mutual Authentication
Huang et al.’s scheme does not provide a mutual authentication mechanism. Therefore, it is vulnerable to and sensor node spoofing attacks. does not have any mechanism to verify the validity of messages sent by . Therefore, the adversary can respond to the message with false data. In the same way, the adversary can place a false sensor node to respond to the message with false data.

3. Proposed Protocol

This section describes a proposed enhanced protocol which fixes the weaknesses of previous works. The proposed protocol is composed of three phases: registration, authentication, and password change phases, executed among three independent entities: users, gateway node, and sensor nodes.

3.1. Registration Phase

A user chooses his/her identity and password and inputs them to the terminal. The terminal then generates a random number and computes , where is a hash function and is an XOR operator. Once has been calculated, and are sent to the Gateway node using a secure channel. then computes , , and , where is a symmetric key only known by , and where is a secret parameter generated securely by , and “” is a concatenation operator. Once , , and have been calculated, personalizes a smart card with the parameters , , , and . Finally, delivers the smart card to in a secure manner and stores into the smart card.

Meanwhile, a unique secret key is stored in each sensor node responsible for exchanging data with , where is the unique identification of the sensor node.

3.2. Authentication Phase

This phase is performed when requests access to the data of a sensor node, and it is composed of login and verification phases.

Login Phase
inserts the smart card and inputs his/her and . The smart card then computes and and compares with to authenticate . If those values do not match, the authentication request is rejected. Otherwise, the smart card computes and transmits to , where is the current timestamp of ’s system and is a random nonce generated by .

Verification Phase
Upon receiving the login request at time , validates . If , aborts the authentication process, where denotes the maximum allowed communication delay. Otherwise, computes , , and . Once computed , generates a random nonce and transmits the message to . then computes and checks whether it is equal to . If is different to , finishes the authentication process; otherwise, computes , and sends the message to . then computes and checks whether it is equal to . authenticates only if those values match. After a valid authentication, generates a random nonce and transmits the message to some nearest sensor node to respond to the query with the data that is looking for, where is the timestamp of ’s system when sending the message. first validates using similar method of verification, then computes and sends the message , where is a random nonce generated by . then computes and and checks whether is equal to . Only if those values match, responds to ’s message by sending the message , where . Finally, checks the validity of by comparing with the received . If those values match, then is allowed to access ’s data.

Session Key Establishment
A session key between and and a session key between and could be used if an encryption channel were required after authentication. Additionally, if a direct communication channel between and were required, a bilateral session key could be established through . In this case, would generate a random and send encrypted with to and encrypted with to .

3.3. Password Change Phase

inputs his/her , , and new password to the terminal. The smart card then calculates and , and verifies the validity of and by comparing with . If those values do not match, the password change request is rejected. Otherwise, the smart card computes , , and , where . Finally, the smart card replaces and with and , respectively.

4. Analysis of the Protocol

In this section, we analyze the proposed protocol in terms of security and performance.

4.1. Security Analysis

In this part, we analyze the security of the proposed protocol in terms of formal verification and analysis of aforementioned attacks. The registration and password change phases of the proposed mechanism were excluded from this analysis because they are executed in a secure environment. In the analysis of the authentication phase, the widely used Dolev-Yao [16] threat model was applied, which assumes that two communicating parties communicate over an insecure channel.

4.1.1. Formal Proof Based on BAN Logic

In this subsection, we demonstrate the security of the proposed mechanism by a well-known formal model called BAN logic [17]. BAN logic has been widely used in different works such as [18–20] to reason about their security validation.

The logical notations of BAN logic used in this paper are described as follows.

The principal believes that holds. In other words, it means that is entitled to act as though is true.
# The formula is fresh. That is, has not been sent before in any run of the protocol.
The principal has jurisdiction over the statement . That is, is an authority on and can be trusted on .
The principal sees the statement . That is, someone has sent a message to containing , and can read and repeat .
The principal once said the statement . That is, sent a message containing sometime.
The formula or is one part of the formula .
The formula is encrypted under the key
The formula is hashed with the key , and may be used to prove the origin of .
Principals and may use the shared key to communicate. The key will never be discovered by any principal except and .

Moreover, we describe some main logical postulates to be used in proofs.

Message-Meaning Rule
If the principal believes that the secret key is shared with the principal and sees that the statement is encrypted under , then the principal believes that the principal once said the statement

Freshness-Conjuncatenation Rule
Provided that the principal believes freshness of the statement , the principal believes freshness of the

Nonce-Verification Rule
Provided that the principal believes that the statement has never been uttered before and the principal once said  , the principal believes that believes

Jurisdiction Rule
Provided that the principal believes that the principal has jurisdiction over the statement , the principal believes in the validity of

Belief Rules
A necessary property of the belief operator is that believes a set of statements if and only if believes each statement separately. This justifies the following rules:

In the following, we will demonstrate the security of the proposed scheme using the BAN logic. The proposed scheme will satisfy the following goals:

, (G.1)
, (G.2)
, (G.3)
, (G.4)
, (G.5)
, (G.6)
, (G.7)
, (G.8)
, (G.9)
, (G.10)
, (G.11)
. (G.12)

First, we transform the messages of the proposed protocol to the idealized form as follows:

:, (M.1)
:(M.2)
:(M.3)
:(M.4)
:(M.5)
:(M.6)
:(M.7)
:.(M.8)

Second, we make the following assumptions about the initial state of the scheme to analyze the proposed scheme:

, (A.1)
, (A.2)
, (A.3)
, (A.4)
, (A.5)
, (A.6)
, (A.7)
, (A.8)
, (A.9)
, (A.10)
, (A.11)
. (A.12)

Finally, we perform the proof steps to the idealized form of the proposed scheme based on the BAN logic rules and the assumptions (see Table 1).

Table 1

The proposed goals were reached by (S.17)–(S.24), (S.29), (S.34), and (S.35). In summary, we have demonstrated how the proposed scheme provides mutual authentication as well as establishes fresh session keys among , , and .

4.1.2. Security Verification from Possible Attacks

This subsection analyzes the security of the proposed solution against possible attacks. We assume that common communication channels are insecure and that there exists an attacker who can intercept all messages communicated among , , and . In addition, we assume that the attacker can obtain or steal legal user ’s smart card. Based on these assumptions, the attacker might execute certain attacks to interfere with the proposed scheme.

Parallel Session Attack
Even though another legal user of the system, say Tom, eavesdrops on ’s message , he cannot obtain the as happens in previous protocols because the in our protocol is calculated as   which is based on ’s unique values. The equation contains which is random and individual for each , and is unique for each . Therefore, the resultant value of will be , a totally different value from .

Privileged-Insider Attack
In the proposed solution, transmits his/her pseudopassword instead of . Therefore, will never know the value. This means that only will know his/her secret password, thus protecting in this way from a privileged-insider attack. Additionally, a random value is incorporated inside to make the discovery of harder.

Gateway Node Bypassing Attack
The reason for the possibility of a bypassing attack in [6, 9] is due to the sharing of secret parameter with the sensor node and user . If the value of is compromised, then the whole sensor network will become vulnerable to the gateway node bypassing attack. On the other hand, the reason for the possibility of the gateway node bypassing attack in [10] is due to the secret value which is stored in the sensor nodes and can be extracted using a method similar to that of extracting from a smart card [11–13]; if is extracted, the adversary can execute the bypassing attack using and .

In the proposed protocol, ’s smart card and the sensor node do not store either or , but instead store other individual secret values and which are unique per smart card and sensor node. Therefore, even if the or value were extracted from a smart card or node, the rest of the users of the nodes will still maintain their security.

Mutual Authentication
The proposed protocol provides both mutual authentication between and , and between and .

(1) Mutual authentication between and verifies the authenticity of by comparing sent by with the value calculated by itself. can only be computed by the authentic because it is based on secret values such as and which are personal to each . On the other hand, verifies the authenticity of by comparing sent by with the value computed by . can only be computed by the authentic because it is based on the secret values and only known by .

(2) Mutual authentication between and verifies the authenticity of by comparing sent by with the value calculated by itself. can only be computed by the authentic because it is based on the secret value . On the other hand, verifies the authenticity of by comparing sent by with the value computed by . can only be computed by the authentic because it is based on the secret value only known by the specific .

Masquerade Attack
An adversary who wants to impersonate a valid user to log into the network must calculate a valid and . Since and are calculated by a one-way hash function, the adversary cannot decipher such values. Additionally, and cannot be created arbitrarily because they are based on secret values such as and . Furthermore, the adversary cannot forge the because he/she does not know the and values.

Replay Attack
Timestamps and random nonces are used to avoid replay attacks. At the beginning of each authentication request, a timestamp mechanism is used to guarantee the freshness of the authentication request. Later, a stronger mechanism, a challenge-response of codified nonces, is used to respond to the authentication requests. An adversary cannot replay a valid ’s verification message to to succeed in verification because the value required for computation is regenerated in each request. In the same way, the adversary cannot replay a valid ’s verification message to succeed in verification because the value used in is regenerated in each request. In addition, the authentication messages between and are protected using the same method of messages between and .
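The two-stage defence described above, as an added example that is not the paper's protocol: a timestamp window filters stale requests, and a nonce regenerated per request defeats a replay that still falls inside the window. The class and function names, the message layout, the 5-second window and the use of SHA-256 are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

MAX_SKEW = 5  # seconds a request timestamp may differ from the verifier clock (assumed)

def h(*parts: bytes) -> bytes:
    """One-way hash over length-prefixed parts (SHA-256 chosen for this example)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()

class Verifier:
    """Hypothetical verifying party that shares one secret with one user."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}  # user id -> nonce issued for the currently open request

    def request(self, uid: bytes, ts: int, tag: bytes, now: int):
        """Stage 1: accept only fresh, correctly hashed requests; return a new nonce."""
        if abs(now - ts) > MAX_SKEW:
            return None
        if not hmac.compare_digest(tag, h(self.secret, uid, ts.to_bytes(8, "big"))):
            return None
        self.pending[uid] = os.urandom(16)  # regenerated for every request
        return self.pending[uid]

    def respond(self, uid: bytes, answer: bytes) -> bool:
        """Stage 2: the answer must cover the nonce of this request (single use)."""
        nonce = self.pending.pop(uid, None)
        return nonce is not None and hmac.compare_digest(answer, h(self.secret, nonce))

def demo():
    secret, uid, ts = b"constructed-secret", b"user-1", 1000  # constructed values
    gw = Verifier(secret)
    tag = h(secret, uid, ts.to_bytes(8, "big"))
    n1 = gw.request(uid, ts, tag, now=1001)
    answer1 = h(secret, n1)
    legit = gw.respond(uid, answer1)
    # An eavesdropper now holds (uid, ts, tag, answer1) and resends them.
    stale = gw.request(uid, ts, tag, now=1100)   # outside the window: rejected
    n2 = gw.request(uid, ts, tag, now=1002)      # inside the window: new nonce
    replayed = gw.respond(uid, answer1)          # old answer does not match n2
    return legit, stale is None, n2 != n1, replayed
```

The replay inside the window passes the timestamp check but fails at the second stage, which is why the timestamp alone is not relied on.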

Stolen-Verifier Attack
One of the features of the proposed protocol is the absence of a password/verifier table, which protects our solution from stolen-verifier attacks.

Guessing Attack
In the proposed scheme, secret values are never sent in plaintext, but encrypted inside a one-way hash function. Therefore, even if the adversary got , , , , or , he or she could not guess any secret values (, , , or ) because of the one-way property of the hash function.

Many Logged-In Users with the Same Login ID
By using two-factor based authentication, the proposed scheme offers higher protection than only-password-based schemes against this attack. Assuming that the ’s smart card is not cloned, the proposed protocol successfully prevents this threat because the authentication process requires computation executed inside the valid smart card.

Brute-Force Attack
An attacker can try two kinds of brute-force attacks. (1) First, the attacker can attempt to authenticate by sending random or sequential messages ( or combinations) to or . However, as explained in the replay attack, this attack becomes infeasible because each authentication process uses a different nonce. (2) On the other hand, an insider with a valid smart card can try to discover the secret values or by performing brute-force attacks. However, the determination of those values is infeasible because they are stored using a secure one-way hash function. If a higher level of protection for was required, additional random numbers and could be added for the generation of and , respectively, which would be stored in secret in the . By using these additional random numbers, the number of possible combinations to decipher and is increased by times, where is the size in bits of and .

Password Change Phase
Our proposal offers a light-weight password change phase that does not require communication with , making it secure and efficient.

Session Key Establishment
Our proposal offers a simple and practical method for session key establishment among , , and .

Table 2 shows the comparison of security features among different works. This demonstrates how our scheme is stronger in terms of security. Our approach provides protection against different kinds of attacks (privileged insider’s attack, gateway node bypassing attack), provides a secure password change phase and session key establishment, and achieves complete mutual authentication (mutual authentication between and , and between and ), features that previous works do not offer or offer with limitations.

Table 2: List of enhanced security features of the proposed protocol.
4.2. Performance Analysis

Table 3 indicates the number of hash operations required in each phase for each entity. It shows that our protocol requires a few more operations in the verification phase than some previous works. However, the majority of additional operations are executed by or infrastructure which has no energy or computation power limitations. Therefore, we believe that the additional operations are not an impediment for real implementation. Additionally, we believe that the additional operations are justifiable considering that our protocol includes security features that previous works do not offer, which is indispensable for implementing a reliable and trustworthy network. It is important to remember that a failure at the component level will often compromise the security of the entire system [21].

Table 3: Performance analysis/number of operations (h: hash, se: symmetric encryption, sd: symmetric decryption).

According to [22], the energy consumed by the MIPS R4000 and MC68328 “DragonBall” processors for performing the SHA-1 hashing function is 0.0000072 mJ/bit and 0.0000410 mJ/bit, respectively. Based on the previously mentioned data, we can calculate the energy consumed by sensor nodes executing the operations of the proposed scheme. Assuming that the size of , , random nonces, and timestamps are 160 bits long, the total energy consumed by sensor nodes in each authentication would be 0.008064 mJ and 0.04592 mJ for MIPS R4000 and MC68328 “DragonBall” processors, respectively. We believe that the energy consumption of sensor nodes to perform the security operations is acceptable considering the benefits of the proposed solution.

5. Conclusion

In this paper, we have analyzed previous user authentication mechanisms for wireless sensor networks and identified their vulnerabilities and limitations. We also have proposed a robust user authentication for wireless sensor networks that eliminates the identified security flaws. The proposed solution takes advantage of the two-factor authentication concept to provide a secure authentication system offering balanced features in terms of security and performance.

References

  1. A. Mainwaring, J. Polastre, R. Szewczyk, D. Culler, and J. Anderson, “Wireless sensor networks for habitat monitoring,” in Proceedings of the 1st ACM International Workshop on Wireless Sensor Networks and Applications, pp. 88–97, September 2002.
  2. J. Carlson, R. Han, S. Lao, C. Narayan, and S. Ghani, “Rapid prototyping of mobile input devices using wireless sensor nodes,” in Proceedings of the 5th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA ’03), pp. 21–29, October 2003.
  3. U.A.F., ARGUS Advanced Remote Ground Unattended Sensor Systems. Department of Defense, 2009, http://www.globalsecurity.org/intell/systems/arguss.htm.
  4. C. Otto, A. Milenkovic, C. Sanders, and E. Jovanov, “System architecture of a wireless body area sensor network for ubiquitous health monitoring,” Journal of Mobile Multimedia, vol. 1, no. 4, pp. 307–326, 2006.
  5. K. H. M. Wong, Z. Yuan, C. Jiannong, and W. Shengwei, “A dynamic user authentication scheme for wireless sensor networks,” in Proceedings of the IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing, pp. 244–251, IEEE Computer Society, June 2006.
  6. M. L. Das, “Two-factor user authentication in wireless sensor networks,” IEEE Transactions on Wireless Communications, vol. 8, no. 3, Article ID 4801450, pp. 1086–1090, 2009.
  7. D. Nyang and M. Lee, “Improvement of Das’s two-factor authentication protocol in wireless sensor networks,” Cryptology ePrint Archive 2009/631, http://eprint.iacr.org/2009/631.pdf.
  8. H. F. Huang, Y. F. Chang, and C. H. Liu, “Enhancement of two-factor user authentication in wireless sensor networks,” in Proceedings of the 6th International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIHMSP '10), pp. 27–30, October 2010.
  9. T. H. Chen and W. K. Shih, “A robust mutual authentication protocol for wireless sensor networks,” ETRI Journal, vol. 32, no. 5, pp. 704–712, 2010.
  10. M. K. Khan and K. Alghathbar, “Cryptanalysis and security improvements of “two-factor user authentication in wireless sensor networks”,” Sensors, vol. 10, no. 3, pp. 2450–2459, 2010.
  11. P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Proceedings of the 19th International Advances in Cryptology Conference (CRYPTO '99), pp. 388–397, 1999.
  12. T. S. Messerges, E. A. Dabbish, and R. H. Sloan, “Examining smart-card security under the threat of power analysis attacks,” IEEE Transactions on Computers, vol. 51, no. 5, pp. 541–552, 2002.
  13. B. Jack, “Exploiting embedded systems,” Black Hat, Las Vegas, Nev, USA, 2006, http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Jack.pdf.
  14. M. Raluca, M. Razvan, and A. Terzis, “Gateway design for data gathering sensor networks,” in Proceedings of the 5th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON '08), pp. 296–304, June 2008.
  15. National Instruments, WSN Ethernet Gateway, http://sine.ni.com/nips/cds/view/p/lang/en/nid/206919/.
  16. D. Dolev and A. C. Yao, “On the security of public-key protocols,” IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198–208, 1983.
  17. M. Burrows, M. Abadi, and R. Needham, “Logic of authentication,” ACM Transactions on Computer Systems, vol. 8, no. 1, pp. 18–36, 1990.
  18. W. Tsaur, J. Li, and W. Lee, “An efficient and secure multi-server authentication scheme with key agreement,” Journal of Systems and Software, vol. 85, no. 4, pp. 876–882, 2012.
  19. S. Wang, Q. Ma, Y. Zhang, and Y. Li, “An authentication protocol for RFID tag and its simulation,” Journal of Networks, vol. 6, no. 3, pp. 446–453, 2011.
  20. J. Tsai, T. Wu, and K. Tsai, “New dynamic ID authentication scheme using smart cards,” International Journal of Communication Systems, vol. 23, pp. 1449–1462, 2010.
  21. R. Ying, “Building systems using software components,” Journal of Software Technology, vol. 9, no. 1, 2006.
  22. D. Carman, P. Kruus, and B. Matt, “Constraints and approaches for distributed sensor network security (Final),” NAI Labs Technical Report #00-010, 2000.