Research Article | Open Access
A Lightweight Privacy Protection User Authentication and Key Agreement Scheme Tailored for the Internet of Things Environment: LightPriAuth
Different data are collected by diverse sensors under an Internet of things scenario, such as health data, environmental data, and traffic flow data. People can access data remotely via the Internet easily. Considering the importance and confidentiality of these data, it is necessary to ensure the data security. In this study, we propose an authentication and key establishment scheme for an Internet of things scenario based on low-capability devices. This scheme achieves many security features: user anonymity, sensor anonymity, forward secrecy, resistance to the loss of synchronization problem, and so on. We verified these security features using AVISPA and ProVerif; both results show that the scheme is safe enough to achieve the security requirements. Besides, the experiment results show that this scheme gains an advantage in computation and communication costs. This is because it uses only XOR operations and hash functions, together with a minimal number of asymmetric encryptions to fulfil forward secrecy.
As sensors are applied to different aspects of our daily life, a great deal of personal information is collected by different kinds of sensors; this personal information includes but is not limited to health information, home temperature, and home humidity. The information is so personal that we do not want it to be leaked when we access it remotely via the network. Many lightweight authentication schemes have been proposed to guarantee the safety of remote data access. Figure 1 depicts the structure of these schemes. There are three kinds of entities: the user, who wants to read the data of sensors; the sensors, which are placed in the environment to collect data; and the gateway, which is introduced to authenticate users and sensors and helps the two to build a shared key. After negotiation of the shared key, the user and sensor can communicate with each other without the help of the gateway.
In this paper, we proposed an authentication and key establishment scheme with user anonymity; this scheme is an improved version of the previous scheme of ours  and the LifeWear project , which is also based on the ECC. To achieve user anonymity, the identity of the user is encrypted using XOR operation; the key for this encryption is generated by the gateway. When a user registers at the gateway, the gateway generates a random number for the user and a unique key based on this number and the gateway’s own secret key. This number could be seen as an indicator of the key; the key and this number are sent to the user. The user could encrypt his identity with this key.
However, this is not enough to ensure perfect anonymity, because adversaries can track the user based on this unique number, even though the adversary does not know the real identity of this user. To prevent adversaries from tracking the users, in our scheme, once a user has been authenticated by the gateway, the gateway will assign a new number and a new key for this user. Thus, the adversary is unable to track the user based on the number, because the number has been updated to a new one. Many other schemes adopted this way of protecting the identity privacy of the users [3–10].
Some schemes use an asymmetric encryption method to ensure the anonymity of the authentication scheme. The gateway has a public key that is known by all the members in the scheme; users can use this public key to encrypt their identities; thus, the scheme ensures user anonymity. Our scheme has an advantage compared to the asymmetric encryption method. This is because the asymmetric encryption method requires more computation time compared to our scheme. In our scheme, we encrypt the identity of the user by using the XOR method; the execution time of the XOR operation is minimal compared to an elliptic curve point multiplication . This makes our scheme more suitable for the Internet of things scenario than the asymmetric encryption method.
In the proposed scheme, to enable forward security, the shared key between the user and sensor is generated on an elliptic curve. However, elliptic curve computation needs more computation time compared to the symmetric method; to minimize the computation cost, the proposed scheme only uses four elliptic multiplication operations; as far as we know, this is the least amount needed to build a shared key with perfect forward security. The contribution of this paper is threefold:
(1) The proposed scheme uses the XOR operations, hash operations, and only four elliptic multiplications; the computation cost of the scheme is relatively low, and communication cost decreases at the same time.
(2) The proposed scheme gains various security features: user anonymity, sensor anonymity, users being untraceable, sensors being untraceable, perfect forward secrecy, excellent resistance to the loss of synchronization problem, and so on. Most importantly, the password change phase has been modified to prevent an offline password-guessing attack.
(3) We implement the scheme in the HLPSL language and test the security features; we analyze the scheme in the ProVerif model, too.
2. Related Works
Turkanović et al. discussed the user authentication and key agreement problem for a wireless sensor network . They analyzed the identity protection problem in this scenario; they used a fixed fake identity instead of the real identity to protect the identity of the user. Amin and Biswas proposed an improved scheme , which improved several security weaknesses of the protocol of Turkanović et al. They protected the identity privacy by encrypting the identity using a symmetric key that is shared by all the users.
Wu et al. proposed a privacy-preserving and provable user authentication scheme for wireless sensor networks . Every time a user asks for access to a sensor’s data, the gateway atomically generates a new identity for the user. The identity privacy of the user has been well protected in the scheme, but this scheme faces a loss of synchronization problem. Imagine that the gateway generates a new identity for the user and sends this identity to the user via the Internet but the user does not receive this identity, because either this identity is lost due to poor network conditions or this identity is blocked by an adversary. Thus, when the user logs in the next time using the old identity, he will not be treated as a legal user. Another potential defect of this scheme is that the users in this scheme may be tracked. Even though the adversary does not know the real identity of the user, the adversary can still track the user by the fixed information that the user uses.
Different from [9, 10], Li et al. proposed a three-factor authentication scheme  with identity updating based on biometric information. Their scheme can successfully avoid the loss of synchronization problem. They did not update the identity of the users directly. Instead, in their scheme, every time the user logs in, the gateway generates a new key for the user and the user uses this new key to encrypt his identity. The adversary is unable to find out the real identity of the user. Li et al. proposed a similar scheme for wearable sensors in wireless body area networks . In the scheme of Jiang et al., the keys to encrypt the identities of users are the same . Schemes in [5–9] are similar; the key to encrypt the identity is updated when a user logs in. Das proposed a secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks . In this scheme, a temporary identity is generated for the user; every time the user asks for access, the temporary identity will be updated to a new one. However, in this case, the gateway has to store a table of the relationships between this temporary identity and the real identity of the user. This costs extra storage load on the server side.
Asymmetric encryption is used in some authentication schemes to protect the identity privacy of the users. The gateway has a public key that is known by all the users in the system; when a user logs in, he can use the gateway’s public key to encrypt his identity. There are asymmetric encryption methods based on the Elliptic Curve Cryptography (ECC) , pairing-based cryptography  by Tsai and Lo, and the scheme in  by Odelu et al. Liu et al. used ECC  to protect the identity privacy of the users. All the real identities are encrypted by the public key of the server; only the server knows the real identities of the users. In the scheme of Wang et al. , they used the ECC public key encryption method to protect the identity privacy. Pairing-based cryptography is another popular asymmetric encryption method. The scheme of Li et al. , the scheme of Tsai and Lo , and the scheme of Shim  are all based on bilinear pairing-based cryptography.
3. The Proposed Scheme
The symbols used in the scheme are listed in Table 1. At the beginning of the scheme, generates the parameters for ECC encryption (p, a, b, G, n, and h) and publishes them to the whole system. generates its secret key and keeps it as a secret.
3.1. Registration Phase of the User
User chooses a random number and computes . then sends the registration request message to via a private and secure channel.
When receives the user registration message , it computes and . Then, will choose a random number and computes ; these random numbers and are used to encrypt the identity information at the login and authentication phase. Finally, sends to in a private and secure channel.
User inserts the random nonce into the smart card and stores . Table 2 provides a depiction of the registration phase of the user.
3.2. Registration Phase of the Sensor
The registration messages of the sensors in the registration phase are sent via a private and secure channel. Sensor sends to . After receives the registration message from , it computes and sends to sensor . Sensor keeps this private key in its memory.
3.3. Login and Authentication Phase
When wants to access a sensor’s data via network remotely, has to log in first. A user inserts his smart card () into a card reader and inputs his identity and password . computes a temporary version using the user inputs and and the stored value . Then computes the information for login.
(1) computes and using .
(2) chooses a random number ∈[1, n − 1] and gets .
(3) gets the hash value .
(4) encrypts , , and with to get .
(5) retrieves the stored , timestamp , and sends to gateway via a public channel.
When the gateway receives from a user , first checks the freshness of the message by the timestamp, then checks if this message is from a legal user or not. will abandon this message if it is not from a legal user; otherwise, will forward this request to the sensor . The process is depicted in the following:
(1) checks the freshness of ; if is not fresh, abandons this message; otherwise, it goes to the next step.
(2) computes using the received and its private key .
(3) decrypts using and gets .
(4) computes by .
(5) computes by
(6) uses , , , , and to check if . If they are equal, it goes to next step; otherwise, the protocol terminates here.
(7) gets timestamp and computes .
(8) sends to sensor .
After sensor receives , first checks the legitimacy of this message; if it is from the gateway, then replies to the message in the following way.
(1) checks the freshness of the ; if is not fresh, abandons this message; otherwise, it goes to the next step.
(2) checks if ; if they are equal, learns that this information is from the gateway, and it goes to the next step; otherwise, the protocol terminates here.
(3) chooses a random number and gets .
(4) calculates the shared key between and :.
(5) calculates the hash value and .
(6) sends to .
After receives , first, authenticates the source of the message, then generates the new random number and the new key for the user; afterwards, will send this encrypted information to the user.
(1) checks if ; if they are equal, it goes to the next step; otherwise, it terminates here.
(2) chooses a random number and computes .
(3) calculates .
(4) computes .
(5) sends to .
After receives , it authenticates if the message is from the gateway; if the message is from the gateway, then updates the information received from the . The whole process is depicted in Table 3.
(1) gets .
(2) computes the shared key between and : .
(3) gets the hashed value and checks if . If they are equal, accepts as the shared key.
(4) updates the identity information .
3.4. Password Change Phase
To change a user’s password, the user first sends a password change request to the . After the verifies this user, the user can change his password.
In order to prevent the offline password guess attack, in our scheme, the user is only allowed to change his password times in a time period . We use a variable to record the times a user inputs a wrong password. means the first time a user inputs a wrong password. When a user inputs a wrong password more than times in a time period , he will not be allowed to input a password anymore in this time period. The whole process is depicted in Figure 2:
(1) User inserts his into a card reader and inputs his identity and password: , .
(2) checks if the ; if , go to step 3. If , go to step 4.
(3) continues to check if ; if , user is not allowed to change the password; otherwise, if set , go to step 4.
(4) computes using and and the stored . compares with stored in the smart card; if they are equal, acknowledges the legitimacy of . If they are not equal, go to step 11.
(5) Check if ? If , set .
(6) computes using the stored and the user password.
(7) computes using the stored and the user password.
(8) User inputs the new password .
(9) updates to be .
(10) uses this new to update the stored version of and to get and . Now user has finished the password change phase.
(11) Set ; if , is set to be , go to the first step.
4. Formal Security Analysis Using ProVerif
ProVerif  is an automatic cryptographic protocol verifier, in the formal model (so-called Dolev-Yao model) . It can handle many different cryptographic primitives; it also can handle an infinite number of sessions. We use this tool to prove the secrecy of the shared key and the secrecy of the identity; furthermore, we prove the authentication between the user and the gateway and between the sensor and the gateway. We use ProVerif version 1.98pl1; the simulation was conducted on Ubuntu 14.04 LTS (32-bit) with 1 GB of memory. We show part of the code implemented in ProVerif in Appendix A. For more detailed code, please refer to .
4.1. Test on the Identity Privacy
To prove that the identity of the user is not known to the attacker, we test the query “Query not attacker (idi).” The query result is “true,” which means the identity of the user is not derivable by the attacker. This proof shows that our scheme can protect the identity privacy of the user. For the protection of the sensor identity, the result is the same. The simulation results are in Box 1.
4.2. Test of the Authentication of the Scheme
In ProVerif, “Injective correspondence” is used to capture the authentication in case of a one-to-one relationship. The event “event acceptUser (bitstring)” is used by the user to record the belief that the user has accepted to run the protocol with the gateway and with the supplied symmetric key. The event “event termUser(bitstring)” means that the user believes he has terminated a protocol run using the data type “bitstring.” The other events have similar meanings. These queries ensure the authentication between the users and the gateway and between the sensors and the gateway (see Box 2).
What is more, we prove the secrecy of the shared key by the queries “Query not attacker (skijs)” and “Query not attacker(skiju).” The result is “true” as shown in the following. The user calculates the shared key between the user and sensor as “skijs;” the sensor calculates the shared key as “skiju” (see Box 3).
5. AVISPA Verification
AVISPA (Automated Validation of Internet Security Protocols and Applications) is “a push-button tool for the automated validation of Internet security-sensitive protocols and applications” . The AVISPA project aims at developing a push-button, industrial-strength technology for the analysis of large-scale Internet security-sensitive protocols and applications. We write the scheme in HLPSL, which is a role-based language designed explicitly for AVISPA. The code is in Appendix B; we have uploaded the code to .
In the HLPSL, the confidentiality goals of the protocol are set to be “sc_sensor_id” and “sc_user_id,” which can ensure the confidentiality of the user identity and the sensor identity. The message authentication goal is set to be “shared_key,” which can enable the authentication of the shared key. This goal ensures that the users and sensors build a shared key with the help of the gateway.
The running result of the protocol is shown in Table 4. We run the security check based on the CL-based Model-Checker  and the On-the-Fly Model-Checker OFMC [28, 29]. The CL-based Model-Checker (CL-AtSe) translates a protocol written as a transition relation in the IF into a set of constraints which can be used efficiently to find attacks on protocols. OFMC, in contrast, can be employed not only for efficient falsification of protocols but also for verification, without bounding the messages an intruder can generate. Both back-end verification tools show that our scheme is safe.
6.1. Computation Performance
The typical way to compute the execution time of the protocol is to calculate the protocol’s computational costs of different operations; the operations’ execution time is measured by simulation. In this study, the execution time of the XOR operation is minimal compared to an elliptic curve point multiplication or hash operation, and we neglect it when computing the time approximately . In this section, we first compare different schemes using a benchmark from one previously published paper. Then, we simulate the computation time of these schemes in C++; the result is shown in Figure 3.
The benchmark of MIRACL C/C++ Library used in this study can be found at ; we list the results in Table 5. Based on this benchmark, the computation costs of different schemes are calculated; the result is in Table 6. At the user side, our scheme only needs 2 ECC multiplications and 5 hash operations. At the sensor side, our scheme costs 2 ECC multiplications and 5 hash operations, and at the gateway side, our scheme costs 8 hash operations. Our scheme costs the least time at the user side and gateway side. And at the sensor side, our scheme costs the second least time. In all, our scheme costs the least computation time.
In this table, the boldface ones are the ones with the least computation time.
In the scheme , extra AES encryption/decryption is needed. User, sensor, and gateway need 1, 1, and 2 AES encryptions/decryptions, respectively. Their proposed scheme needs 6, 3, and 9 more hash operations than our scheme at the user side, gateway side, and in total, respectively.
The scheme  needs 2, 1, 1, and 4 more hash operations than our scheme at the user side, sensor side, gateway side, and in total, respectively. In PriAuth, the asymmetric encryption method is needed to encrypt the identity of the user. The user and gateway in this scheme both need one more ECC multiplication; in total, PriAuth needs two more ECC multiplications than our scheme. The scheme of Wu et al.  is the most similar one to the proposed scheme; however, their proposed scheme needs 8, 6, and 14 more hash operations than our scheme at the user side, gateway side, and in total, respectively.
We implement these four different schemes in C++; the running codes are stored at a public repository in http://github.com . We use the MIRACL C/C++ Library . The experiment is conducted in Visual Studio C++ 2017 on a 64-bit Windows 7 operating system, 3.5 GHz processor, 8 GB memory. The hash function is SHA-256, the symmetric encryption/decryption function is AES in MR_PCFB1 form, and the 256-bit-long key for symmetric encryption/decryption function is generated by SHA-256 hash operation. We use the Curve P-192 provided by NIST Digital Signature Standard . The parameters are listed in Appendix C.
The code is compiled in x86 form, and the simulation does not take account of the transmission of the data. We run the login and authentication phase of different schemes 100, 250, 500, 750, and 1000 times. The result is shown in Figure 3. In this figure, the horizontal axis indicates the number of times the experiment is run and the vertical axis indicates the milliseconds needed to accomplish the experiment. Our scheme is the second-best one, and the computation time of PriAuth is the longest.
We run the user registration phase of different schemes. The number of users in the registration phase is set to be 100, 250, 500, 750, and 1000. The result is shown in Figure 4. In this figure, the horizontal axis indicates the number of users and the vertical axis indicates the milliseconds needed to accomplish the experiment. Under all experimental conditions, the running time of PriAuth is the shortest. Our scheme is the second-best scheme, with a running time about 1.5 times that of PriAuth. However, this ratio becomes much smaller when the user number increases. Why did this happen? The computation time is mainly composed of two parts: the hash operation time and the checking time. The numbers of hash operations are listed in Table 7. The checking is performed by the gateway to determine if the user has registered before. The gateway keeps a list of registered users’ identities; when the gateway receives a registration request, it has to search the list to check if this user has registered or not. The hash operation time and the checking time are close when the number of users is small. However, the time difference becomes huge as the number of users increases.
The running time of the other two schemes is about 2.5 times that of PriAuth. The ratio of hash operations between them is roughly the same as that of the running time. In Table 7, the ratio is computed using the formula , where means the number of hash operations needed by PriAuth. means the number of hash operations needed by the other schemes.
We run the sensor registration phase of different schemes. The number of sensors in the registration phase is set to be 100, 250, 500, 750, and 1000. The result is shown in Figure 5. In this figure, the horizontal axis indicates the number of sensors and the vertical axis indicates the milliseconds needed to accomplish the experiment. The running time of our scheme is close to the running time of Wu et al. [9, 14] and Chang and Le ; this is mainly because these three schemes need only 1 hash operation in the sensor registration phase. As PriAuth costs 7 hash operations in the sensor registration phase, the running time is close to 7 times that of the other three schemes. The computation time of the PriAuth is the longest. The running time of Wu et al.  is a little more than our scheme (Wu et al.  and Chang and Le ). This is because at the sensor registration phase, the input of the hash operation of our scheme, of Wu et al.’s scheme , and of Chang and Le’s scheme  is the sensor’s identity and the gateway’s private key, while the input of the hash operation of Wu et al.  is the sensor’s identity, gateway’s private key, and gateway’s identity; the hash operation’s input is longer.
6.2. Communication Performance
In this section, the communication performance is compared. The identity is set to 8 bytes long . The size of the timestamp is set to 4 bytes . Moreover, the length of a random number is set to be 20 bytes . The result of SHA-256 is 256 bits, which is 32 bytes. The size of a point on a 192-bit elliptic curve is 384 bits, which is 48 bytes . The sum of each type of variable length in bytes is calculated for comparison of the communication cost.
Table 8 shows the number of different types of data used in the scheme. It is not hard to find that the communication cost of our scheme is the least. The cost of our scheme, LightPriAuth, is 396 bytes; the costs of Wu et al.’s [9, 14], Chang and Le’s  and Chen et al.’s  schemes are 564, 624, 412, and 492 bytes, respectively; they are 168, 228, 16, and 96 bytes higher, respectively, than the proposed scheme. The main reason is that LightPriAuth transmits only 5 hash result data, while the other schemes of Wu et al. [9, 14], Chang and Le , and Chen et al.  have to transmit 10, 13, 9, and 9 hash result data, respectively. They are 5, 8, 4, and 4 more, respectively, than the proposed scheme.
Hash: means a general result data; ECC: means a random point on the elliptic curve, Id: means the identity of a sensor or a user; T: means a timestamp; R: means a general random number; Com: comparison between our scheme and the other schemes.
7. Other Security Feature Analyses
In this section, we analyze the security features of different schemes. At the end of this section, we conclude the results into a table.
7.1. User Anonymity/Sensor Anonymity
Regarding user anonymity, we find that all the schemes could enable user anonymity, as the identities of the users are encrypted. For sensor anonymity, the identity of the sensor is transmitted transparently in the scheme [11, 14]; adversaries could get the identity easily.
7.2. User Anonymity to Sensor
In the scheme of , the identity of the user is sent to the sensors directly; once a user accesses a sensor’s data, this user’s identity is known by the sensor. Apparently, this is not good for the identity privacy of the user. In the proposed scheme, LightPriAuth, the identity of the user need not be sent to the sensor; thus, this could avoid the potential identity leaking problem. We describe this as “user anonymity to sensor.”
7.3. Loss of Synchronization Problem
Similar to the scheme , when a user logs in, the gateway will generate a new identity for the user and the old identity will not be used anymore. However, if adversaries block this identity from being sent to the user, the user cannot receive this identity; when he logs in the next time using the old identity, he will not be treated as a legal user anymore. The scheme in  has this problem.
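The following Python sketch is an added example, not the authors' code. It contrasts the key-indicator mechanism outlined in the introduction (a random number plus a key the gateway derives from that number and its own secret) with a table-based rotating identity, and shows what happens when the gateway's reply is blocked. The derivation `k = H(r, secret)`, the verification tag and the masking of the reply are assumptions made for illustration, since the paper's formulas are not reproduced on this page; the 8-byte identity, 20-byte random number and SHA-256 are the sizes and hash the paper states.

```python
import hashlib
import hmac
import secrets

ID_LEN = 8       # identity size used in the paper's communication analysis
NONCE_LEN = 20   # random-number size used in the same analysis

def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so concatenation is unambiguous."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(2, "big") + p)
    return d.digest()

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def update_pad(k: bytes) -> bytes:
    """64 bytes of keystream from the current key, used to mask the next pair."""
    return h(k, b"update-1") + h(k, b"update-2")

class DerivedKeyGateway:
    """Re-derives each user's key from the indicator it receives; no per-session table."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)
        self.users = set()                        # registered identities

    def _issue(self):
        r = secrets.token_bytes(NONCE_LEN)
        return r, h(r, self.secret)               # assumed derivation: k = H(r, secret)

    def register(self, identity: bytes):
        self.users.add(identity)
        return self._issue()                      # sent over the secure registration channel

    def login(self, r: bytes, masked_id: bytes, tag: bytes):
        k = h(r, self.secret)                     # recomputed, never looked up
        identity = xor(masked_id, k[:ID_LEN])
        if identity not in self.users or not hmac.compare_digest(tag, h(identity, k, r)):
            return None
        new_r, new_k = self._issue()
        return xor(new_r + new_k, update_pad(k))  # next pair, masked under the current key

class User:
    def __init__(self, identity: bytes, cred):
        self.identity = identity
        self.r, self.k = cred

    def request(self):
        """Login message: indicator, XOR-masked identity, verification tag (assumed)."""
        return self.r, xor(self.identity, self.k[:ID_LEN]), h(self.identity, self.k, self.r)

    def update(self, reply: bytes):
        plain = xor(reply, update_pad(self.k))
        self.r, self.k = plain[:NONCE_LEN], plain[NONCE_LEN:]

class TableGateway:
    """Contrast case: rotating temporary identity held in a lookup table."""
    def __init__(self):
        self.table = {}

    def register(self, identity: bytes) -> bytes:
        tid = secrets.token_bytes(NONCE_LEN)
        self.table[tid] = identity
        return tid

    def login(self, tid: bytes):
        identity = self.table.pop(tid, None)      # the old temporary identity is retired
        if identity is None:
            return None
        new_tid = secrets.token_bytes(NONCE_LEN)
        self.table[new_tid] = identity
        return new_tid

def demo():
    """Two sessions with a delivered reply, then a retry after a blocked reply."""
    gw = DerivedKeyGateway()
    alice = User(b"alice-01", gw.register(b"alice-01"))   # constructed 8-byte identity
    first = alice.request()
    alice.update(gw.login(*first))                # reply delivered: pair rotates
    second = alice.request()
    gw.login(*second)                             # reply blocked on the way back
    derived_retry_ok = gw.login(*alice.request()) is not None

    tgw = TableGateway()
    tid = tgw.register(b"alice-01")
    tgw.login(tid)                                # reply blocked on the way back
    table_retry_ok = tgw.login(tid) is not None
    return {
        "unlinkable": first[0] != second[0] and first[1] != second[1],
        "derived_retry_ok": derived_retry_ok,
        "table_retry_ok": table_retry_ok,
    }
```

The timestamp freshness check from the login phase is left out of this example; while a reply is being blocked, the retried request reuses the same indicator and is therefore linkable to the previous attempt.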
7.4. Offline Dictionary Attack
For most of the schemes, an adversary is unable to launch an offline dictionary attack in the login and authentication phase. However, an adversary is able to launch an offline dictionary attack in the password-changing phase.
In the password change phase of , if the adversary types in a random identity and a random password , he will get a reply from the . Based on the replied message, the adversary can judge if the identity and password are correct or not. If the adversary guesses a correct key pair by accident, then he could set a new password. Thus, the adversary is able to launch an offline dictionary attack.
In the proposed scheme, we set a limitation on the user: if the user inputs a wrong identity and password pair more than times in a time period , he is not allowed to log in during this period of time. Thus, our scheme can avoid the offline dictionary attack in the password change phase.
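The attempt limit described above and in the password change phase (Section 3.4) can be illustrated with the following added Python example, which is not the authors' code. The limit of 3 wrong inputs, the 3600-second period and the SHA-256 verifier over identity, password and stored random value are assumptions, because the paper's symbols and values are not reproduced on this page; the example also assumes the counter lives in card memory that the card holder cannot reset.

```python
import hashlib
import hmac

class SmartCard:
    """Card-side check for the password change phase with a windowed attempt limit."""

    def __init__(self, identity: bytes, password: bytes, nonce: bytes,
                 max_wrong: int = 3, window_s: float = 3600.0):
        self.nonce = nonce                  # random value stored at registration
        self.max_wrong = max_wrong          # wrong inputs allowed per period (assumed value)
        self.window_s = window_s            # length of the period in seconds (assumed value)
        self.wrong = 0                      # wrong-input counter
        self.first_wrong_at = None          # time of the first wrong input in this period
        self.verifier = self._digest(identity, password)

    def _digest(self, identity: bytes, password: bytes) -> bytes:
        # Assumed verifier: SHA-256 over length-prefixed identity, password and nonce.
        d = hashlib.sha256()
        for part in (identity, password, self.nonce):
            d.update(len(part).to_bytes(2, "big") + part)
        return d.digest()

    def change_password(self, identity: bytes, old_pw: bytes, new_pw: bytes, now: float) -> str:
        # Steps 2-3: when the period has elapsed, clear the counter; otherwise
        # refuse any further input once the limit has been reached.
        if self.first_wrong_at is not None and now - self.first_wrong_at >= self.window_s:
            self.wrong, self.first_wrong_at = 0, None
        if self.wrong >= self.max_wrong:
            return "locked"
        # Step 4: recompute the verifier from the inputs and compare in constant time.
        if not hmac.compare_digest(self._digest(identity, old_pw), self.verifier):
            # Step 11: count the failure; the first failure starts the period.
            self.wrong += 1
            if self.wrong == 1:
                self.first_wrong_at = now
            return "rejected"
        # Steps 5 and 8-10: clear the counter and store the verifier for the new
        # password (the other stored values the card re-masks are not modelled here).
        self.wrong, self.first_wrong_at = 0, None
        self.verifier = self._digest(identity, new_pw)
        return "changed"

def demo():
    """Constructed attempt sequence: (time in seconds, old password typed, new password)."""
    card = SmartCard(b"alice-01", b"old-pass", nonce=b"\x07" * 20)
    attempts = [
        (0, b"guess-1", b"evil"),
        (1, b"guess-2", b"evil"),
        (2, b"guess-3", b"evil"),
        (3, b"old-pass", b"new-pass"),      # correct, but the card is locked
        (3600, b"old-pass", b"new-pass"),   # period elapsed, counter cleared
        (3601, b"old-pass", b"other"),      # old password no longer verifies
    ]
    return [card.change_password(b"alice-01", old, new, now) for now, old, new in attempts]
```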
7.5. Security Feature Comparison
Finally, Table 9 gives the comparison of security features; compared to other schemes, the proposed scheme has more security features. Besides, the computation cost and the communication cost of the proposed scheme are lower.
With different sensors collecting different data around us, it is vital not only to ensure the safety of these data but also to protect the privacy of the data. In this paper, we propose an authentication and key establishment scheme between users and sensors. We analyzed the security features using ProVerif and AVISPA; the formal verifications show that the proposed scheme has achieved all the desired security features. Through comparison, we find that the proposed scheme is comparable to the related works regarding the computation cost and more efficient in communication cost. Our work is part of the LifeWear project, in which we focus on the safety of data transmission and identity privacy problem.
Algorithm 1 describes the role of the user.
Algorithm 2 describes the role of the sensor.
Algorithm 3 describes the role of the gateway.
Note that we write our scheme in HLPSL from the authentication phase; supposing that the users and sensors have registered at the gateway secretly, and successfully get the registered information, the role of the user is described in Algorithm 4.
The role of the sensor is described in Algorithm 5.
The role of the gateway is described in Algorithm 6.
The role of the session is described in Algorithm 7.
The role of the environment is described in Algorithm 8.
The role of the goal is divided into two parts. The first part is the “secrecy_of sc_sensor_id” and “sc_user_id”; this means we want to keep the identity of the user and sensor confidential between them and the gateway. The second part “authentication_on user_sensor_sk” means the authentication of the shared key between a user and a sensor (Algorithm 9).
The parameters of the Curve P-192 by NIST are described in Algorithm 10.
The experimental data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
The work presented in this paper has been supported by the LifeWear project (funded by the Spanish Ministry of Industry, Energy and Tourism with Reference TSI-010400-2010-100). The work has also been supported by the Chinese Scholarship Council (CSC) with File no. 201507040027.
Copyright © 2018 Yuwen Chen et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.