A Lightweight Secure User Authentication and Key Agreement Protocol for Wireless Sensor Networks

Mo, Jiaqing; Chen, Hang

doi:https://doi.org/10.1155/2019/2136506

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2019 | Article ID 2136506 | https://doi.org/10.1155/2019/2136506

A Lightweight Secure User Authentication and Key Agreement Protocol for Wireless Sensor Networks

Jiaqing Mo¹and Hang Chen¹

Academic Editor: Bela Genge

Received22 Jul 2019

Revised31 Oct 2019

Accepted21 Nov 2019

Published16 Dec 2019

Abstract

Wireless sensor networks (WSNs) have great potential for numerous domains of application because of their ability to sense and understand unattended environments. However, a WSN is subject to various attacks due to the openness of the public wireless channel. Therefore, a secure authentication mechanism is vital to enable secure communication within WSNs, and many studies on authentication techniques have been presented to build robust WSNs. Recently, Lu et al. analyzed the security defects of the previous ones and proposed an anonymous three-factor authenticated key agreement protocol for WSNs. However, we found that their protocol is vulnerable to some security weaknesses, such as the offline password guessing attack, known session-specific temporary information attack, and no session key backward secrecy. We propose a lightweight security-improved three-factor authentication scheme for WSNs to overcome the previously stated weaknesses. In addition, the improved scheme is proven to be secure under the random oracle model, and a formal verification is conducted by ProVerif to reveal that the proposal achieves the required security features. Moreover, the theoretical analysis indicates that the proposal can resist known attacks. A comparison with related works demonstrates that the proposed scheme is superior due to its reasonable performance and additional security features.

1. Introduction

A wireless sensor network (WSN) is an intelligent network that can achieve data collection, data fusion, and data transmission independently. It combines the logical information world and the real physical world together closely to realize the “ubiquitous computing” mode [1–3]. A WSN comprises many tiny sensor nodes, which have limited battery power and computation capability, and they can be deployed in untended target fields, such as habitats [4], health care [5], agriculture [6], battlefields [7], and environmental monitoring [8]. These nodes sense the environment, collect data from the surrounding areas, and transmit them to the closest gateway node (GWN) via wireless channels for further transferring to external users. Thus, WSNs have wide application scenarios, such as city management, emergency medical care, temperature and humidity monitoring in agriculture, wildlife monitoring, antiterrorism, military defense, and so on. However, the messages transmitted in the wireless channel are easily eavesdropped, injected, rerouted, and altered by an adversary because of the broadcast nature and insecurity of wireless communication. Although the WSN has adequate security progress in its lower layers, such as link layer and network layer [9, 10], it is still necessary to design mutual authentication schemes with key agreement in the application layer to prevent unauthorized access to the sensor node. As shown in Figure 1, authentication mechanisms should be provided to protect the secure communication between related parties in a WSN.

In addition, traditional security service architectures, such as IPsec [11] and IKE [12], are not suitable for WSNs because the sensors in a WSN have limited battery power and computation capability. Consequently, the authentication with key establishment between sensors and the user outside the WSN should have lightweight computation and should be robust enough to withstand well-known attacks from adversaries. In other words, it is vital that the user should be authenticated before he is permitted to access the remote sensor to acquire data, and the sensor to be accessed should be an authorized one. In particular, a shared session key should be generated between the sensor and the user to protect the data transmission. Moreover, users likely prefer to keep their identity and other privacy undisclosed to avoid being tracked by adversaries when they communicate with the sensors in a WSN. Thus, the user’s anonymity and untraceability are desirable security properties in the authentication scheme in WSNs.

1.1. Related Works

In the last several years, many authentication schemes have been presented to prevent unauthorized access to transmitted data within WSN from malicious users or adversaries. Li-Xiong [13], Chen et al. [14], and Ramachandran-Shanmugam [15] proposed mutual authentication schemes on bilinear pairing for WSN and generated a session key among the related parties. However, employing bilinear pairing makes the computation burden very heavy, and thus, these schemes are not practical for WSNs.

In 2006, Wong et al. [16] proposed a user authentication scheme with hash function and exclusive-or (XOR) operation for WSNs. In their scheme, the user submits his identity and password to a system interface and directly accesses the sensor within the expiration time. However, Tseng found that Wong’s scheme was vulnerable to the replay attack, stolen verifier attack, and impersonation attack and then put forward a modified version while adding a new password change phase to solve the problem of the static password [17]. Generally, the security of the type of scheme [16, 17] only depending on the single factor of password easily leads to password guessing attack.

To address the above security issues, Das [18] first put forward the concept of two-factor authentication, that is, using a smart card along with a password. There is no doubt that Das’s scheme [18] introduced the authentication concept of two-factor, removing the need to maintain a database on the gateway and store user-specific information on the sensor, thus paving a new way of application layer authentication for WSNs. The author claimed that his scheme has the security merits of only using hash function, requiring less communication overhead and resisting various attacks. However, several researchers [19–21] analyzed Das’s scheme [18] and found that it had various loopholes. Nyang and Lee [19] found that Das’s protocol [18] was vulnerable to the offline password guessing attack, and sensor node capture attack, and presented an improved version to overcome these weaknesses. In the same year, Huang et al. [20] examined Das’s scheme [18] for weaknesses such as the inability to provide user anonymity and withstand sensor impersonation attack. Huang et al. [20] also proposed an enhanced scheme to repair the pitfalls in Das’s scheme [18]. Later, He et al. [21] pointed out that Das’s scheme [18] suffered from insider attack along with impersonation attack. As a countermeasure to these drawbacks, He et al. [21] presented an enhanced protocol to thwart these threats. However, Kumar and Lee [22] observed that He et al.’s protocol [21] failed to provide mutual authentication and could not generate a shared session key between the sensor and the user. Moreover, there have been many schemes [23–29] settling the security weaknesses in the two-factor authentication protocols for WSNs. In these schemes, the authors cryptanalyzed the previous schemes, found some vulnerabilities in them, and presented a new improved two-factor scheme as a remedy. Unfortunately, Wang et al. [30, 31] criticized that most of these solutions and the similar two-factor authentication schemes were found to be vulnerable to various practical attacks that could lead to unintended consequences.

To overcome the security weakness in two-factor authentication schemes for WSNs and further improve their security strength, plenty of three-factor-based authenticated key agreement schemes have been proposed in the past few years [32–38]. In the three-factor schemes, a user is identified as a legal one only if his smart card, password, and biometric information are valid. Compared with the traditional authentication methods, biometrics has the following advantages [39]: (1) biometrics cannot be lost, forgotten, or forged; and (2) a biometric key is difficult to guess or breach.

In this section, we briefly describe the schemes closest to our work. In 2014, Das [33] came across the privileged insider attack, improper authentication, and inefficiency in Jiang et al.’s scheme [40] and proposed a three-factor user authentication protocol for WSNs with symmetric cryptographic primitives. In the next year, Das also presented another two three-factor schemes for WSNs [34, 35]. However, Wu et al. [41] pointed out that these three schemes are vulnerable to offline password guessing attack, user impersonation attack, and destitution of strong forward security and proposed an enhanced one. Unfortunately, we found that if the user enters an incorrect password during the login phase in Wu et al.’s scheme [41], the smart card will not check whether the password is correct, and the protocol will proceed until GWN finds that the user's login request was invalid, thereby unnecessarily wasting precious computation resource of the user and the GWN.

In 2016, Amin et al. [38] reviewed Farash et al.’s authenticated key agreement scheme [42] for heterogeneous WSN and found that Farash et al.’s scheme [42] cannot withstand offline password guessing attack, known session-specific temporary information (KSSTI) attack, and user impersonation attack. To overcome these pitfalls, Amin et al. [38] proposed a secure improved three-factor scheme and claimed that their new scheme was secure enough to resist the known threats. However, Jiang et al. [36] proved that Amin et al.’s scheme [38] was insecure to smart-card-loss attack defined by [43], KSSTI attack, and tracking attack. As a remedy, Jiang et al. [36] built an improved three-factor user authentication scheme on the Rabin cryptosystem for WSN. We observe that Jiang et al.’s scheme [36] is skeptical to privileged insider attack because GWN also generates the session key which means GWN can decrypt all of the session messages between the user and the sensor. In 2017, Wang et al. [44] identified weaknesses (offline dictionary attack, impersonation attack, etc.) in previous ones, and proposed an enhanced anonymous three-factor user authentication protocol employing an elliptic curve cryptosystem (ECC) for WSN. Owing to the fuzzy verifier, their scheme can withstand the offline identity and password guessing attack. Unfortunately, their scheme is vulnerable to insider attack because the random number chosen by GWN for the user is stored in GWN’s database, and the insider can access and modify it, resulting in user login failure. Moreover, their scheme is subject to KSSTI attack, which is similar to the analysis in Section 4.4. In 2018, Li et al. [45] introduced a three-factor authenticated scheme for WSNs in Internet of Things environments with adoption of fuzzy commitment to handle the user’s biometric information. However, we discovered that their scheme fails to provide three-factor security if the lost/stolen smart card is obtained by the attacker and the biometric information is also collected by the attacker without the awareness of the owner, so their scheme is not as secure as they claimed. With a similar reason, schemes of [46–48] fail to provide true three-factor security. Although Li et al. employed fuzzy verifier technique and claimed that their protocol [49] for wireless medical sensor networks satisfies many security features, we found that it cannot resist replay attack.

In 2015, Das [35] proposed an efficient biometric-based authentication scheme for WSNs using smart card and demonstrated that the scheme can resist various attacks. However, Lu et al. [50] criticized that Das’s scheme [35] has security weaknesses including lack of three-factor security along with user anonymity and user impersonation attack. To eliminate the security drawbacks, Lu et al. [50] proposed a new three-factor solution on ECC and claimed that their scheme was secure against the known attacks. Furthermore, their scheme has been equipped with a formal security proof in random oracle model, and thus they have full confidence in the security of their scheme.

In this paper, we examine the scheme of Lu et al. [50] and show that it cannot provide three-factor security along with a lack of strong session key security, suffers from KSSTI attack, and is unsuitable to the WSN environment. To overcome the security pitfalls found in Lu et al.’s scheme, we present an improved scheme and prove its security under random oracle model and heuristic security analysis. Moreover, we use the formal verification tool ProVerif to demonstrate that the improved scheme fulfills session key secrecy and mutual authentication. A comparison with other related schemes shows that our scheme is superior to theirs.

1.2. Our Contribution

Motivated by the thought of overcoming the security vulnerabilities in Lu et al.’s scheme [50], we present a new secure three-factor authentication scheme exploiting ECC in the WSN context. In short, our main contributions are summarized as follows:(i)First, we cryptanalyze Lu et al.’s protocol [50] and show its security weaknesses.(ii)Second, we propose a new lightweight anonymous three-factor authentication and key agreement protocol on ECC for WSN. The proposal not only overcomes the security weaknesses in Lu et al.’s protocol, but also achieves more security features than the related competitive works.(iii)Third, we use the random oracle model to demonstrate the validity of the proposed scheme, and we conduct a formal verification by using ProVerif. Additionally, a performance comparison is made between our scheme and the related three-factor authentication schemes to show that it provides a better tradeoff between performance and security requirements, thereby making it more suitable for practical application in WSN environments.

1.3. Security Requirements

To design a robust and efficient three-factor authenticated scheme for WSNs, the following security requirements should be fulfilled.

(1) Provide three-factor security: the scheme should still be secure even if any two of the three factors are compromised. (2) Attack resistance: the scheme should be secure against various attacks, such as user impersonation attack, gateway node impersonation attack, sensor impersonation attack, KSSTI attack, replay attack, privileged insider attack. (3) Forward and backward secrecy: if the long-term secret key is compromised, the attacker cannot compute the previous session and the future ones. (4) Resistance to sensor capture attack: if a single sensor is captured by the attacker, it is difficult for he/she to pretend to be any noncompromised sensors. (5) User anonymity: any attackers are incapable of revealing the identity of the user, and it is also an important privacy protection requirement for users. (6) Mutual authentication and key agreement: the user and the sensor should authenticate each other and generate a shared session key.

1.4. Organization of the Paper

The remainder of the paper is organized as follows. In Section 2, we discuss the preliminaries of the fuzzy extractor and related mathematical assumptions. We review and cryptanalyze Lu et al.’s scheme in Section 3 and Section 4, respectively. Section 5 presents our new three-factor authenticated key agreement protocol for WSNs. Next, the validity of our scheme and the security analysis are demonstrated in Section 6, and the formal security verification via ProVerif is given in Section 7. Section 8 shows the performance comparison with the related studies. Finally, conclusions are drawn in Section 9.

2. Preliminaries

2.1. Fuzzy Extractor

The fuzzy extractor was introduced by Dodis et al. [51] in 2004, it is mainly used to address the issue of biometric templates authentication, and many protocols use this technology [32, 52–54] to improve their security.

The fuzzy extractor can produce a biological key δ_i and a public parameter τ_i from the user’s biometric template Bio by utilizing certain error-correcting code technology. To recover δ_i, the reproduction algorithm is applied to τ_i and the other newly captured biometric template , which is similar to Bio. By comparing the similarity of the stored biometric template and the captured biometric template, the protocol can achieve biometric authentication with error tolerance. According to [51], the fuzzy extractor is given by two effective algorithms (Gen, Rep) which are defined as follows: Gen (Bio) = (δ_i, τ_i): Gen is a probabilistic generation algorithm. When the biometric template Bio is input, Gen will output a random string δ_i with an auxiliary random string τ_i. Rep (, τ_i) = δ_i: Rep is a deterministic reproduction algorithm. Upon receiving a biometric template within an error-tolerant range and the auxiliary random string τ_i, Rep will recover δ_i.

2.2. Mathematical Assumption

Let E_p (a, b) be a set of elliptic curve points over the prime field F_p, which is defined by the equation style of y² mod p = (x³ + ax + b) mod p, with a, b ∈ F_p, 4a³ + 27b² mod p ≠ 0. An elliptic curve group G is defined on E/F_p with generator P. For simplicity, mod p is omitted in the following section. In this section, we briefly describe two important mathematical assumptions [55] that rely on the elliptic curve and are closely related to our scheme.

Elliptic curve discrete logarithm (ECDL) problem: given Q, P ∈ G, it is infeasible to find the integer a ∈ [1, p − 1] such that Q = aP.

Computational Diffie-Hellman (CDH) problem: given (P, aP, bP) for any a, b ∈ [1, p − 1], it is infeasible to calculate abP ∈ G.

3. Review of Lu et al.’s Scheme

Lu et al.’s three-factor authenticated scheme [50] consists of seven phases, i.e., predeployment, user registration, sensor node registration, login, authentication and key agreement, password change, and dynamic sensor node addition. The last two phases are omitted since they are not relevant. For convenience, the notations used in this paper are listed in Table 1.

3.1. Predeployment

(1)GWN computes K_j = h (SID_j, X_GWN) shared with each S_j(2)GWN stores K_j into S_j’s memory and then deletes X_GWN

3.2. User Registration

(1)U_i inputs his ID_i and password PW_i, imprints his biometrics Bio, and then computes Gen (Bio) = (δ_i, τ_i).(2)U_i sends {ID_i, h (PW_i, δ_i)} to GWN via a secure channel.(3)GWN computes RPW_i = h (ID_i) h (ID_i, h (K)) and stores it in a smart card, where K is a nonce. Then, GWN sends the smart card to U_i via a secure channel.(4)U_i computes f_i = h (ID_i, h (PW_i, δ_i)) and stores (f_i, τ_i, Gen (), Rep (), h ()) on the smart card.

3.3. Sensor Node Registration

(1)S_j sends {SID_j} to GWN(2)GWN computes h (SID_j, K_j) and sends it to S_j via a secure channel(3)S_j stores h (SID_j, K_j) in its memory

3.4. Login

(1)U_i inserts his smart card into a card reader, enters (ID_i, PW_i) and imprints biometrics .(2)The smart card computes Rep (, τ_i) and checks whether h (ID_i, h (PW_i, δ_i)) = f_i holds. If it is true, the smart card selects a nonce a_i; computes A_i = a_iP, B_i = ID_i ⊕ a_iX_pub, V_i = h (ID_i, h (ID_i, h (K)), a_iP, T₁); and then sends M₁ = {A_i, RPW_i, B_i, V_i, T₁} to GWN. Otherwise, the smart card rejects the login request.

3.5. Authentication and Key Agreement

(1)On receiving M₁ from U_i, GWN computes ID_i = ⊕ B_i, and checks whether V_i = h (ID_i, h (ID_i, h (K)), a_iP, T₁) holds. If it is successful, GWN selects a new nonce , computes = h (ID_i, h (ID_i, h ()) and , and then sends M₂ = {, V_j, T₂} to S_j.(2)S_j decrypts V_j and checks the validity of the timestamp T₂. If T₂ is valid, S_j computes h (ID_i, h ()) = h (ID_i)⁻¹, selects a nonce b_j, and computes sk = h (a_ib_jP) and . Finally, S_j sends M₃ = {C_i, , T₃} to U_i.(3)U_i computes h (ID_i, h ()) = h (ID_i)⁻¹, replaces RPW_i with on the smart card, computes , sk′ = h (a_ib_jP), and verifies whether sk′ = sk holds. If it holds, U_i believes that he has shared a session key sk with S_j. Otherwise, U_i aborts this session.

4. Cryptanalysis of Lu et al.’s Scheme

In this section, we discuss the security weaknesses of Lu et al.’s scheme [50], which include failure to provide three-factor security, no backward secrecy, and vulnerability to KSSTI attack. Before cryptanalyzing Lu et al.’s scheme [50], we summarize the adversarial model used in this paper based on [38] as follows:(1)The attacker has full control of the communication channel between the related participants. In other words, the attacker might eavesdrop, intercept, insert, delete, and modify messages transmitted over the public channel.(2)When the smart card is lost, stolen, or somehow obtained by an attacker, he/she could extract all of the secret data stored on the smart card by launching a differential power attack [56] or side-channel attacks [57, 58]. Furthermore, the attacker might compromise two of the three factors (i.e., password and smart card, password and biometrics, or smart card and biometrics), but he is incapable of compromising all of the three factors.(3)The attacker can learn the user’s identity as far as the attacks (e.g., impersonation attack) and security properties (e.g., mutual authentication and session key agreement) are concerned.(4)The attacker can guess the user’s identity and password offline by choosing a pair (ID, PW) from the Cartesian product D_ID × D_PW in polynomial time, where D_ID denotes identity space and D_PW denotes the password space [31, 59].(5)The random nonce and the secret key selected by communication parties are adequately large to prevent the attacker from successfully guessing these data in polynomial time.

4.1. Failure to Provide Three-Factor Security

Generally, an authentication protocol providing three-factor security means that an attacker can launch impersonation attacks only if he learns all of the three factors (password, biometrics, and smart card). Lu et al. claimed that their protocol can provide three-factor security and withstands various attacks. Unfortunately, we found that if the lost/stolen smart card is obtained by the attacker and the biometrics of the user are also obtained by the attacker without the awareness of the owner, the attacker could perform the identity and password offline guessing attack resulting in failure to provide the privacy preservation and security properties as they claimed. The attacker carries out the attack as follows.(1)The attacker extracts the secret data {RPW_i, f_i, τ_i, Gen(), Rep(), h ()} from the smart card by performing side-channel analysis attack [57, 58](2)With the user’s biometric template and τ_i as input, the attacker recovers δ_i by computing Rep (, τ_i)(3)The attacker selects a pair (, ) from D_ID × D_PW randomly and verifies whether f_i = h (ID_i, h (PW_i, δ_i)) holds, where f_i is recovered from the smart card(4)If it is false, the attacker repeats step 3∼4 until the correct pair (, ) is found

The running time of the above attack is O (|D_ID || D_PW |2T_h), where |D_ID| and |D_PW| denote the number of items in D_ID and D_PW, respectively, and in reality, |D_ID| ≤ |D_PW| ≈ 10⁶ [60, 61]; T_h denotes the computing time of a hash function. Furthermore, because T_h is almost negligible, the required time of this attack is linear to |D_ID || D_PW|. In practice, the attacker can offline guess the correct pair (, ) from × within polynomial time [43].

With the disclosure of the user’s identity and password, Lu et al.’s scheme [50] cannot preserve user privacy and other security features as they claimed.

Therefore, Lu et al.’s protocol fails to provide three-factor security.

4.2. Lack of Backward Secrecy

Backward secrecy is essential since the authentication should immunize the subsequent session key from compromise by the attacker. In Lu et al.’s protocol [50], if an attacker has disclosed the identity ID_i through the offline guessing attack mentioned above and captures the message {C_i, , T₃} from the public channel, he can derive h (ID_i, h ()) by computing h (ID_i)⁻¹, then he decrypts C_i using symmetrical key h (ID_i, h ()) and obtains (ID_i, b_jP, sk, T₃), where the session key sk generated by sensor S_j is identical to the one generated by the user. Thus, the attacker is able to learn all the subsequent session keys between the user and the sensor once he obtains U_i’s identity.

The root cause of this weakness is that the message verifier is only dependent on U_i’s identity. Naturally, the attacker will make use of it to obtain the subsequent session keys of the U_i.

4.3. KSSTI Attack

For the authentication protocol, if the session key is generated with ephemeral secret information, such as random numbers provided by each party, and it is secure even though this transient information is compromised, we can say that this protocol is secure against KSSTI attack. In Lu et al.’s protocol, the session key sk = h (a_ib_jP), where a_i and b_j are random numbers chosen by the user and the sensor, respectively. Once the ephemeral information a_i and b_j are disclosed by the attacker, he can compute the session key easily. Therefore, Lu et al.’s protocol [50] cannot withstand KSSTI attack.

4.4. Inapplicability to the WSN Environment

A WSN consists of many sensors that are deployed in unattended fields to continuously monitor the surroundings. As we pointed out earlier, the sensor node is small in size with limited battery power and computation capability as well as a short communication range. According to the communication experiments of the sensor reported in [62], the power consumption increases proportionally with the increase in the distance between the sensor and the communication participant. Therefore, reducing power consumption is an important problem for sensor nodes in communication to prolong their life cycle, and it is a reasonable solution that the messages exchanged between U_i and S_j should use GWN as a bridge. However, from the concrete authentication procedures described in Lu et al.’s scheme [50], we can see that the S_j delivers messages to U_i directly. Obviously, the distance from the user is far beyond the communication range of the sensor. Therefore, Lu et al.’s scheme [50] is inapplicable to the WSN environment.

5. The Proposed Protocol

In this section, we develop an improved three-factor authentication scheme with key agreement to overcome the security weaknesses existing in Lu et al.’s scheme. Meanwhile, our protocol employs ECC without bilinear pairing to reduce the computation cost while maintaining security strength in WSN environment. Our scheme consists of four phases, i.e., predeployment, user registration, login and authentication, and password update.

First, the GWN chooses a large prime number p and generates an elliptic curve E/F_p and an additive cyclic group G over E/F_p with a generator P. After that, GWN selects a private key and a secure one-way hash function h (). Finally, GWN selects an integer t ∈ [2⁴, 2⁸] as the parameter of the fuzzy verifier. A detailed description of the proposed scheme is as follows.

5.1. Predeployment

(1)GWN chooses a unique identity SID_j for each sensor and calculates K_j = h (SID_j || X_GWN)(2)GWN sends {SID_j, K_j, P} to S_j via a secure channel(3)S_j stores {SID_j, K_j, P} in its memory

5.2. User Registration

(1)U_i inputs his ID_i, PW_i, imprints his biometric Bio, and computes Gen (Bio) = (δ_i, τ_i). After that, U_i selects a random number r_i and computers PID_i = h (ID_i || δ_i || r_i), f_i = h (h (PW_i || r_i || δ_i) mod t), and then he sends {ID_i, PID_i} to GWN through a secure channel.(2)GWN computes C_i = h (PID_i || ), and a smart card storing {h (),C_i, E_k(), D_k(), Gen(), Rep(), P} is sent to U_i via a secure channel.(3)U_i computes A_i = C_i ⊕ f_i and B_i = h (ID_i || δ_i || PW_i) ⊕ r_i and then stores {A_i, B_i, τ_i, f_i} into the smart card.

5.3. Login and Authentication

The following steps are performed if U_i intends to access the WSN:(1)U_i inputs ID_i and PW_i, inserts the smart card and imprints his biometrics . The card computes = Rep (Bio, τ_i), = B_i ⊕ h (ID_i || || PW_i), and = h (h (PW_i || r_i || ) mod t) and checks whether = f_i holds. If it is false, the smart card rejects U_i’s login request. Otherwise, the card chooses two random number and e_i, chooses a login-sensor node SID_j, and computes = h (ID_i || || ), m₁ = A_i ⊕ f_i ⊕ e_i.(2)U_i selects a random number a_i, and the timestamp T₁, computes m₂ = a_iP, m₃ = ⊕ h (e_i), m₄ = (ID_i || SID_j) ⊕ h (PID_i || e_i), and m₅ = h (ID_i || PID_i || || m₂ || SID_j || T₁), and sends M₁ = {m₁, m₂, m₃, m₄, m₅, PID_i, T₁} to GWN.(3)On receiving M₁, GWN checks the validity of T₁. If it is false, GWN aborts the session; otherwise, GWN computes e_i = m₁ ⊕ h (PID_i || ), = m₃ ⊕ h (e_i), ( || ) = m₄ ⊕ h (PID_i || e_i), and = h ( || PID_i || || m₂ || || T₁). GWN will terminate this session if ≠ m₅. Otherwise, it selects a timestamp T₂, and computes K_j = h( || X_GWN), e_k = h ( || K_j), , and m₇ = h (K_j || || || m₂ || T₂). Finally, GWN forwards M₂ = {m₂, m₆, m₇, T₂} to S_j.(4)After receiving M₂ from GWN, S_j will reject the session if T₂ is invalid; otherwise, S_j computes e_k′ = h (SID_j || K_j), and decrypts m₆ to obtain (e_i, ). Next, S_j computes = h (K_j || || SID_j || m₂ || T₂) and checks whether m₇′ = m₇ holds. If it is incorrect, S_j stops the session; otherwise, S_j chooses a random number b_j and computes m₈ = b_jP, SK_S-U = h (b_jm₂ || || SID_j || e_i) and m₉ = h (SK_S-U || || SID_j || m₈ || T₃), and m₁₀ = h (K_j || || m₈ || T₃), where T₃ is S_j’s current timestamp. Finally, S_j sends M₃ = {m₈, m₉, m₁₀, T₃} to GWN.(5)Upon reception of M₃, GWN checks the validity of T₃, and GWN will reject the session if it is invalid. Otherwise, GWN computes m₁₀’ = h (K_j || || m₈ || T₃) and checks the condition = m₁₀. If the condition holds, GWN selects the current timestamp T₄, computes m₁₁ = h ( || ) and m₁₂ = h ( || e_i || m₈ || T₄), and then forwards M₄ = {m₈, m₉, m₁₁, m₁₂, T₃, T₄} to U_i.(6)After the reception of M₄, U_i first checks the validity of T₄. If it is true, U_i further computes = h ( || e_i || m₈ || T₄) and checks whether = m₁₂ holds. If it holds, U_i computes SK_U-S = h (a_im₈ || || SID_j || e_i) and = h (SK_U-S || || SID_j || m₈ || T₃) and checks the condition = m₉. If it is false, U_i aborts the session; otherwise, U_i accepts SK_U-S as the session key shared with S_j. Finally, the smart card computes = h (h (PW_i || || ) mod t), = m₁₁ ⊕ , and = h (ID_i || δ_i || PW_i) ⊕ and replaces (A_i, B_i, f_i) with (, , ).

The login and authentication phase is shown in Table 2.

5.4. Password Update

Similar to Lu et al.’s protocol, our improved scheme allows the authorized user to update his password with GWN if he likes.

U_i keys ID_i and the old password PW_i, imprints biometrics , and inserts the smart card into a reader. Then, the smart card computes Gen () = (, ), = B_i ⊕ h (ID_i || || PW_i), and = h (h (ID_i || || PW_i) mod t) and checks whether = f_i holds. The session is aborted if the condition is false.(1)U_i inputs a new password , calculates = h (h ( || || ) mod t), = C_i ⊕ and = h (ID_i || || ) ⊕ , and replaces (A_i, B_i, f_i) with (, , ).

6. Security Analysis

In this section, we first conduct a formal security analysis under the random oracle model [63] and then provide an informal security analysis to demonstrate that our improved scheme can withstand various attacks and meet the security requirement in WSNs.

6.1. Formal Security Analysis

This section justifies our security analysis of our lightweight user authentication and key agreement protocol for WSNs. For the sake of simplicity, we follow the security model in [63] to conduct our formal security proof.

Theorem 1. Assume that denotes the advantage of the attacker A in cracking the security of the improved protocol P and that denotes the advantage of the attacker A in solving the CDH problem in polynomial time t, and the attacker asks at most q_sSend queries, q_eExecute queries, q_h Hash queries. Then, we havewhere l_s represents the security parameter, which also represents the length of the random number and hash value; n, D_PW, |D_PW|, l_b, ε, and T_m represent the order of the elliptic curve group G over E/F_p, a password dictionary with a frequency distribution following Zipf’s law [64], the size of password dictionary D_PW, the length of BIO_i, the probability of a “false positive” event, and the execution time of a point multiplication in G, respectively.

Proof. A series of games Gm_i (0 ≤ i ≤ 5) are defined to demonstrate that our improved scheme is provably secure. In each game Gm_i, S_i (0 ≤ i ≤ 5) denotes the event that the attacker guesses a correct bit in the Test query, and Pr[S_i] denotes the corresponding probability. Gm₀: this game is considered to perform in a real attack scenario under random oracle model. Thus, we have Gm₁: in this game, we simulate Hash oracle h (), Send query, Test query, Execute query, and Corrupt query with respect to our improved scheme, and L_h, L_A, and L_T are used to store the query result of various oracle. Thus, we have Gm₂: in this game, collisions of random oracle queries are considered. The simulation will be aborted if collision occurs on the hash oracle and transcripts M₁, M₂, M₃, M₄, and we let the attacker win. According to the birthday paradox, the collision probability on the hash oracle is at most, the collision probability of random nonces a_i and b_j is , and the collision probability of e_i and is at most. Thus, we have Gm₃: in this game, we consider the collision probability of the attacker impersonating transcript messages M₁∼M₄ from the remaining oracle queries.

Case 1. For Send (U_i^μ, GWN^λ, M₁): the simulator reveals h (ID_i || || PW_i) of , h (ID_i || || ) of , h (PID_i || e_i) of m₄ to the attacker and checks whether M₁∈L_P holds. Thus, the total collision probability is .

Case 2. For Send (GWN^λ, S_j^ν, M₂): the simulator reveals h (PID_i || ) of e_i, h ( || PID_i || || m₂ || || T₁) of m₅, and h (K_j || || || m₂ || T₂) of m₇ to the attacker and checks whether M₂∈L_P holds. Thus, the collision probability is at most.

Case 3. For Send (S_j^ν, GWN^λ, M₃): the simulator reveals h (K_j || || || m₂ || T₂) of m₇, h (SK_S-U || || SID_j || m₈ || T₃) of m₉, and h (K_j || || m₈ || T₃) of m₁₀ to the attacker and checks whether M₃∈L_P holds. Thus, the collision probability is at most.

Case 4. For Send (GWN^λ, U_i^μ, M₄): the simulator reveals h (K_j || || m₈ || T₃) of m₁₀ and h ( || e_i || m₈ || T₄) of m₁₂, to the attacker, and checks whether M₄∈L_P holds. Thus, the collision probability is at most.
As a whole, we have Gm₄: in this game, the attacker encounters the CDH problem. If it is possible for the attacker to use Corrupt query to get the session key, it means that the attacker can find a solution for the CDH problem and (b_ja_iP || || SID_j || e_i) ∈ L_A holds. It is necessary for the attacker to obtain the smartcard to breach the session key because the simulation will terminate if the attacker gets only PW_i and BIO_i. Thus, the game can be demonstrated as having three cases:

Case 1. The attacker asks Corrupt (U_i^μ, 2) to guess PW_i within password space D_PW with at most q_sSend queries. The possibility is .

Case 2. The attacker asks Corrupt (U_i^μ, 0) and chooses one of the following approaches to obtain BIO_i:(a)The attacker guesses BIO_i with at most q_s Send queries. The possibility is , where l_b is the length of BIO_i.(b)The attacker asks Send queries with his own biometrics to try the probability of a “false positive”. The possibility of this event is ε.It is noted that the attacker can ask at most two Corrupt (U_i^μ, ω) ω ∈ {0,1,2}, and the above two cases cannot occur concurrently. Thus, the possibility of the above three cases is .

Case 3. To compromise the session key SK = h (b_ja_iP || || SID_j || e_i), the attacker has to compute b_ja_iP using m₂, m₈, and P, where m₂ = a_iP and m₈ = b_jP. Then the attacker asks either Corrupt (U_i^μ, 0) or Corrupt (U_i^μ, 2) queries, as well as Execute query, and he will win the game with at least q_hHash queries. Therefore, we have Gm₅: in this game, the strong forward security is considered. The attacker asks Corrupt (U_i^μ\GWN^λ\S_j^ν) after simulating a Test query, the two indexes of which are chosen from {1, 2, …, q_s + q_e}. If the Test query cannot return the session key with the ith instance of U_i and the jth instance of S_j, the game will terminate. Thus, we haveTaking all of the games into account, the attacker has no advantage in guessing the correct bit b, and thus we haveCombining equations (2)–(8) together, the theorem is proved.

6.2. Analysis of Security

We show that our enhanced scheme not only overcomes the vulnerability in Lu et al.’s scheme [50] but also withstands various attacks in this section.

6.2.1. Three-Factor Security

Three-factor security means that the user can access the sensor data only when he has learned the password, smart card, and biometrics. That is, if the attacker has any two factors, he is incapable of mounting an impersonation attack. We will discuss that the enhanced scheme satisfies this security feature in three aspects.

Case 1. Suppose the attacker has the user’s smart card and password.
Assume that the attacker extracts the secret data {A_i, B_i, f_i, τ_i, h (), Gen (), Rep ()} stored in the smart card, where f_i = h (h (PW_i || r_i || δ_i) mod t), A_i = C_i ⊕ f_i, and B_i = h(ID || δ_i || PW_i) ⊕ r_i. To masquerade as the user to log into GWN, the attacker calculates = B_i ⊕ h (ID_i || δ_i || PW_i) and = h (h (PW_i || || δ_i) mod t). However, the attacker fails to verify the correctness of ID_i and cannot recover δ_i due to the lack of the user’s biometrics. Thus, the attacker cannot construct a correct to log into GWN.

Case 2. Suppose that the attacker has the user’s smart card and biometrics.
The attacker could also reveal the secret data {A_i, B_i, f_i, τ_i, h (), Gen (), Rep ()} from the smart card and recovers δ_i by calculating Rep (Bio, τ_i). Afterwards, the attacker tries to guess ID_i and PW_i, calculates = B_i ⊕ h (ID_i || δ_i || PW_i), and then checks whether = h (h (PW_i || || ) mod t) holds. However, he will not succeed because there are |D_ID ||D_PW|/t 2³² candidates of (ID_i, PW_i) (where |D_PW| = |D_ID| = 10⁶ and t = 2⁸) [59, 65]. Then, if the attacker directly enters a pair of (ID_i, PW_i) and sends a login request to GWN to test the correctness of (ID_i, PW_i), the smart card will reject his/her request if the number of login requests exceeds the threshold and his/her dream will not come true.

Case 3. Suppose that the attacker has the user’s biometrics and password.
Undoubtedly, the attacker could not derive δ_i by computing Rep (Bio, τ_i), where the auxiliary string τ_i is stored on the smart card. The attacker can also intercept the message M₁ = {m₁, m₂, m₃, m₄, m₅, PID_i, T₁} where m₁ = A_i ⊕ f_i ⊕ e_i = h (PID_i || ) ⊕ e_i, m₂ = aP, m₃ = ⊕ h (e_i), W_i = ID_i ⊕ h (PID_i || e_i), and m₄ = h (ID_i || PID_i || || m₂ || SID_j). If the attacker attempts to find some clues about τ_i in M₁, his wish will not come true because none of the elements in M₁ have a direct relationship with τ_i. Therefore, it is infeasible for the attacker to impersonate a legitimate user to log into GWN.

6.2.2. Resistance to GWN Impersonation Attack

In the proposed scheme, the attacker is unable to masquerade as GWN to communicate with U_i or S_j. If the attacker intends to masquerade as GWN to S_j, he first intercepts the message M₂ = {m₂, m₆, m₇, T₂} in the public channel. However, it is impossible for him to forge m₆ because m₆ is encrypted with the symmetric key h (SID_j || K_j), where K_j is the secret key to S_j and the attacker has no knowledge of it. On the other hand, to impersonate as GWN to U_i, it is necessary for the attacker to generate a valid message M₄ = {m₈, m₉, m₁₁, m₁₂, T₃, T₄} and send it to U_i, where m₉ = h (SK_S-U || || SID_j || m₈ || T₃), m₁₁ = h ( || ), and m₁₂ = h ( || e_i || m₈ || T₄), which requires verification of m₁₀ and m₁₂. However, it is infeasible because the attacker has no knowledge of , e_i and K_j. Therefore, our improved scheme can resist the GWN impersonation attack.

6.2.3. Resistance to Sensor Impersonation Attack

If the attacker intends to impersonate a sensor S_j to communicate with GWN, he/she has to forge a valid message M₃ = {m₈, m₉, m₁₀, T₃}, which is embedded with b_j, K_j, e_i, and to cheat GWN. However, the attacker is unable to obtain these secret parameters since they are protected carefully by the communication parties. Therefore, our improved scheme can resist the sensor impersonation attack.

6.2.4. Resistance to KSSTI Attack

In Lu et al.’s protocol, the security of the session key h (a_ib_jP) depends on the ephemeral random numbers a_i and b_j, which are generated by U_i and S_j, respectively. Naturally, the transient leakage of a_i and b_j will bring about the compromise of their session key. In the improved scheme, the session key SK = h (b_jm₂ || || SID_j || e_i), where m₂ = a_iP. It is worth noting that SK relies not only on a_i and b_j, but also on K_j, e_i, and . Further, to obtain , the attacker needs to learn (ID_i, Bio, , e_i), where (, e_i) will be different in every authentication session. Hence, it is difficult for the attacker to disclose these secret ephemeral random numbers to calculate the session key. Therefore, the proposed protocol can thwart KSSTI attack.

6.2.5. Provision of Perfect Forward and Backward Secrecy

As shown in the login and authentication phase, the session key SK_S-U = h (b_jm₂ || || SID_j || e_i) is calculated by S_j and SK_U-S = h (a_im₈ || || SID_j || e_i) is calculated by U_i. As analyzed above, the session key is related to (a_i, b_j, , SID_j, e_i), where (a_i, b_j, , e_i) is generated randomly and unpredictably. Even if GWN’s long-term secret key is compromised by the attacker and he/she obtains m₂ and m₈, it is infeasible for the attacker to calculate the session key because he/she heads to resolve the ECDL problem and CDH problem to obtain a_ib_jP from m₂ (= a_iP) and m₈(= b_jP). Thus, the proposed protocol can provide perfect forward and backward secrecy.

6.2.6. Resistance to Replay Attack

It is generally true that timestamp mechanism is employed to overcome replay attack. However, addressing time synchronization is quite difficult in a large-scale network. It is noteworthy that time synchronization issue should not take place in a WSN since a WSN could be deployed in specific areas. The proposed protocol exploits the timestamp technique to prevent replay attack. When an attacker intercepts the login message M₁ = {m₁, m₂, m₃, m₄, m₅, PID_i, T₁} and replays it to the receiver, he will fail because the receiver will check the freshness of timestamp and verify the hash value, which is calculated with a secret value e_i shared between the sender and the receiver. Furthermore, if the attacker constructs a forgery message with a new timestamp, e. g, = {m₁, m₂, m₃, m₄, m₅, PID_i, } under a new timestamp , it is easily detected by verifying the hash value m₅ because T₁ is a parameter of m₅. Therefore, the proposed protocol is secure against replay attack.

6.2.7. Resistance to Privileged Insider Attack

The insider attack implies that the system insider can directly access user’s password that is stored in GWN and impersonates the user to log into other systems and enjoy their services. In the proposed protocol, the user only submits {ID_i, PID_i} to GWN in the registration phase. Thus, the insider cannot get the user’s password information. Therefore, our scheme can overcome privileged insider attack.

6.2.8. Resistance to Sensor Capture Attack

Suppose that if a sensor node S_j has been captured physically by the attacker, he/she can compromise the identity SID_j and secret number K_j from the memory of the sensor. However, it is infeasible for the attacker to guess GWN’s secret key X_GWN successfully in relation K_j = h (SID_j || X_GWN) in light of item 5 in the adversarial model described in Section 4. That is, if a single sensor is captured by the attacker, it is impossible for him/her to break the confidentiality during sessions between the user U_i and other noncaptured sensors. Therefore, the proposed scheme can withstand sensor capture attack.

6.2.9. Resistance to Many Logged-In Users with the Same Login-ID Attack

In the proposed protocol, to log into GWN, U_i has to input his (ID_i, PW_i), imprint his biometric Bio, and insert his smart card into the card reader. Assume that users U_i and U_j have the same identity and password. Note that = h (h (PW_i || || ) mod t) for U_i and = h (h (PW_i || || ) mod t) for U_j are distinct since and are generated by a fuzzy extractor with different biometrics. As a result, the proposed scheme can resist many logged-in users with the same login-ID attack.

6.2.10. Resistance to Man-in-the-Middle Attack

In our protocol, GWN verifies m₅ to authenticate U_i, S_j verifies m₇ to authenticate GWN, GWN verifies m₁₀ to authenticate S_j, and U_i verifies m₁₂ to authenticate GWN and verifies m₉ to authenticate S_j, respectively.

Therefore, our scheme can provide mutual authentication and withstand the man-in-the-middle attack.

6.2.11. User Anonymity and Untraceability

Assume that the attacker intercepts all of the exchanged messages between the related parties during the execution of the protocol and attempts to reveal U_i’s identity. In our protocol, U_i’s identity is included in m₄ = (ID_i || SID_j) ⊕ h(PID_i || e_i) where PID_i is transmitted in the public channel. If the attacker wants to get the user’s ID_i, he/she has to compute e_i = m₁ ⊕ h (PID_i || ). It is infeasible because GWN’s secret key is protected carefully by GWN and cannot be guessed successfully according to Item 5 in the adversarial model described in Section 4. Another way to obtain U_i’s identity is to guess ID_i from PID_i = h (ID_i || δ_i || r_i), which is also impossible because the attacker knows little about the user’s biometric and random nonce r_i. Therefore, our scheme can withstand tracking attack and achieves untraceability property.

7. Formal Security Verification via ProVerif

This section presents the formal security verification of the proposed protocol by using the Pi calculus-based simulation tool ProVerif [66]. The researchers used this tool to test an authentication protocol and see whether the adversary is capable of compromising the session key, since ProVerif makes use of the Dolev-Yao model and implements many cryptographic primitives, such as symmetric encryption and asymmetric encryption, signature, hash function, etc. So far, many protocols have been verified by ProVerif to demonstrate their correctness and robustness properties [66]. In this section, we use ProVerif to rectify the secrecy and authentication properties of our protocol.

First, we define the following channels. Channels sch1 and sch2 are used for secure communication between U_i and GWN and between S_j and GWN, respectively. Meanwhile, channels ch1 and ch2 are used for public insecure communication between U_i and GWN and between S_j and GWN, respectively. (--------Channels-------) free sch1:channel [private]. (the secure channel between U_i and GWN) free sch2:channel [private]. ( the secure channel between S_j and GWN) free ch1:channel [private]. (the public channel between U_i and GWN) free ch2:channel [private]. ( the public channel between S_j and GWN)

The variables and constants are defined as follows: const P: bitstring. const Bio:bitstring. const Bio′:bitstring. const t:bitstring. const X_GWN: bitstring [private]. (GWN’s password key) const x_g: bitstring [private]. (GWN’s private key) free ID_i: bitstring [private]. (the identity of user) free SID_j: bitstring. (the identity of sensor)

The related function are modeled as follows: (--------Concat operation--------) fun con (bitstring, bitstring):bitstring. fun con3 (bitstring, bitstring, bitstring):bitstring. fun con4 (bitstring, bitstring, bitstring, bitstring):bitstring. fun con5 (bitstring, bitstring, bitstring, bitstring, bitstring):bitstring. fun mult (bitstring, bitstring):bitstring. (Multiplication operation) fun syme (bitstring, bitstring):bitstring. (Symmetric encryption operation) reduc forall m:bitstring, key:bitstring; symd (syme (m, key), key) = m. (Symmetric decryption operation) fun mod (bitstring, bitstring):bitstring. (Mod operation) fun xor (bitstring, bitstring):bitstring. (XOR operation) fun h (bitstring):bitstring. (Hash operation) fun Gen (bitstring):bitstring. (Gen operation) fun Rep (bitstring, bitstring):bitstring. (Rep operation)

In particular, we define four events to test the mutual authentication between U_i and S_j as follows: event beginSj (bitstring). event endSj (bitstring). event beginUi (bitstring). event endUi (bitstring).

According to the proposed protocol execution, we define the process of U_i as follows: let process U_i = new PWi:bitstring; let (delta_i:bitstring, tau_i:bitstring) = Gen (Bio) in new ri: bitstring; let PID_i = h (con3 (IDi, delta_i, ri)) in out (sch1, (IDi, PID_i)); let fi = h (mod (h (con3 (PWi, ri, delta_i)),t)) in in (sch1, xCi:bitstring); let Ai = xor (xCi, fi) in let Bi = xor (h (con (con (IDi, delta_i),PWi)), ri) in ! ( event beginUi (IDi); let delta_i′ = Rep (Bio′,tau_i) in let ri′ = xor (Bi, h (con3 (IDi, delta_i, PWi))) in let fi′ = h (mod (h (con3(PWi, ri′,delta_i′)),t)) in if fi′ = fi then new ri_new:bitstring; new ei:bitstring; let PIDi_new = h (con3 (IDi, delta_i′,ri_new)) in let m₁ = xor (xor (Ai, fi),ei) in new ai:bitstring; new T₁:bitstring; let m₂ = mult (ai, P) in let m₃ = xor (PIDi_new, h (ei)) in let m₄ = xor (con (IDi, SIDj), h (con (PIDi, ei))) in let m₅ = h (con (con5 (IDi, PIDi, PIDi_new, m₂, SIDj),T₁)) in out (ch1, (m₁, m₂, m₃, m₄, m₅, PIDi, T₁)); in (ch1, (m₈s:bitstring, m₉s:bitstring, m₁₁g:bitstring, m₁₂g:bitstring, T₃s:bitstring, T₄g:bitstring)); let m₁₂′ = h (con4 (PIDi_new, ei, m₈s, T₄g)) in if m₁₂′ = m₁₂g then let SKu_s = h (con4 (mult (ai, m₈s),PIDi_new, SIDj, ei)) in let m₉′ = h (con5 (SKu_s, PIDi_new, SIDj, m₈s, T₃s)) in if m₉′ = m₉s then event endSj (SIDj); let fi_new = h (mod (con3 (PWi, ri_new, delta_i′),t)) in let Ai_new = xor (m₁₁g, fi_new) in let Bi_new = xor (h (con3 (IDi, delta_i′,PWi)),ri_new) in 0 ).

The process of S_j is modeled as follows: let processSensor = in (sch2, (xSIDj: bitstring, xKj:bitstring)); ! ( event beginSj (SIDj); in (ch2, (m₂s:bitstring, m₆s:bitstring, m₇s:bitstring, xT₂:bitstring)); let ek′ = h (con (xSIDj, xKj)) in let (ei_s:bitstring, PIDi_new_s:bitstring) = symd (m₆s, ek′) in let m₇′ = h (con5 (xKj, PIDi_new_s, SIDj, m₂s, xT₂)) in if m₇′ = m₇s then event endUi (PIDi_new_s); new bj:bitstring; new T₃:bitstring; let m₈ = mult (bj, P) in let SKs_u = h (con4 (mult (bj, m₂s),PIDi_new_s, SIDj, ei_s)) in let m₉ = h (con5 (SKs_u, PIDi_new_s, SIDj, m₈, T₃)) in let m₁₀ = h (con4 (xKj, PIDi_new_s, m₈, T₃)) in out (ch2, (m₈, m₉, m₁₀, T₃)); 0 ).

The process of GWN is modeled as follows: let processGWN = in (sch1, (xIDi:bitstring, xPIDi:bitstring)); let Ci = h (con (xPIDi, x_g)) in let Kj = h (con (SIDj, X_GWN)) in out (sch2, (SIDj, Kj)); out (ch1, Ci); ! ( in (ch1, (m₁′:bitstring, m₂′:bitstring, m₃′:bitstring, m₄′:bitstring, m₅′:bitstring, PIDi′:bitstring, T₁′:bitstring)); let ei′ = xor (m₁′,h (con (PIDi′,x_g))) in let PID_i_new′ = xor (m₃′, h (ei′)) in let (IDi′:bitstring, SIDj′:bitstring) = xor (m₄′, h (con (PIDi′,ei′))) in let m₅g = h (con (con5 (IDi′,PIDi′,PIDi_new′, m₂′, SIDj′),)) in if m₅′ = m₅g then new T₂:bitstring; let ek = h (con (SIDj, Kj)) in let m₆ = syme (con (ei′,PIDi_new′),ek) in let m₇ = h (con5 (Kj, PIDi_new′,SIDj, m₂′, T₂)) in out (ch2, (m₂′, m₆, m₇, T₂)); in (ch2, (m₈s:bitstring, m₉s:bitstring, m₁₀s:bitstring, T₃s:bitstring)); let m₁₀' = h (con4 (Kj, PIDi_new′, m₈s, T₃s)) in if m₁₀′ = m₁₀s then new T₄:bitstring; let m₁₁ = h (con (PIDi_new′,x_g)) in let m₁₂ = h (con5 (PIDi_new′, ei′, m₈s, T₃s, T₄)) in out (ch1, (m₈s, m₉s, m₁₁, m₁₂, T₄)); 0 ).

The queries are defined as follows: query attacker (SKu_s). query attacker (SKs_u). query id:bitstring; inj-event (endSj (id)) = =>inj-event (beginSj (id)). query id:bitstring; inj-event (endUi (id)) = =>inj-event (beginUi (id)).

The whole protocol is simulated as executing in parallel as follows: process !processUi | !processGWN | !processSensor

The outputs of the ProVerif verification are as follows:(1)RESULT not attacker (SKu_s[]) is true.(2)RESULT not attacker (SKs_u[]) is true.(3)RESULT inj-event (endSj (id)) = => inj-event (beginSj (id)) is true.(4)RESULT inj-event (endUi (id_18)) = => inj-event (beginUi (id_18)) is true.

Results (1) and (2) indicate the secrecy of the proposed scheme because of the failing query attack on session key SK_S-U and SK_U-S. Moreover, results (3) and (4) confirm the successfully mutual authentication between U_i and S_j. In other words, the proposed scheme not only provides the secrecy of the session key, but also achieves the authentication property by verifying the correspondence assertions in the Dolev–Yao model.

8. Performance and Security Comparisons

To evaluate the proposed scheme, we compare the performance and security with related schemes [26, 29, 41, 44, 45, 49, 50] in the login and authentication phase.

To compare computation cost fairly, we use the time cost of cryptographic calculations in [41] as the benchmark, which is shown in Table 3. The execution time of XOR and the concatenation operation is ignored because their computation cost is very trivial. In addition, we assume that the length of an identity, a hash value, a random nonce, and a timestamp are 32 bits, 160 bits, 128 bits, and 32 bits, respectively, and the prime p in E_p (a, b) is 160 bits (the 160 bit ECC has a security strength equivalent to that of a 1024 bit RSA [67]). In AES symmetric encryption/decryption, the block size of plaintext/ciphertext is 128 bits [68]. The performance comparison of our scheme and the related ones [26, 29, 41, 44, 45, 49, 50] is summarized in Table 4. It is worth noting that although scheme in [50] is not suitable for WSN environment, we still compare it as a related scheme to determine whether our scheme can maintain better performance while overcoming its security defects.

In Table 4, we can see that (1) the computation time of our scheme is slightly higher than that of protocols [26, 29, 41, 45] and much lower than that of protocols [44, 49, 50] and (2) the communication overhead of our scheme is slightly lower than that of protocol [29] and higher than that of the others. Meanwhile, from Table 5, it is evident that our scheme fulfills all of the security features, while other protocols suffer from some security weaknesses more or less. Specifically, our protocol overcomes the security pitfalls of Lu et al.’s protocol [50]. Compared with Li et al.’s protocol [45], our scheme makes use of the ECDL and CDH problem on ECC to enhance security, and thus, our protocol consumes more computation cost and needs more communication overhead. It is worth noting that security is the most important factor to be considered in cryptography protocols. Thus, it is worthwhile to gain a higher security level at the cost of a slightly increased computation cost or communication overhead. Although our protocol is not the most efficient one in performance compared with schemes [26, 29, 41, 44, 45, 49, 50], the security analysis in Section 6 has demonstrated that the proposed scheme thwarts security threats in [26, 29, 41, 44, 45, 49, 50]. In a word, the proposal provides a better tradeoff between performance and security requirements and is more suitable for practical application in WSN environments.

9. Conclusion

Although many three-factor mutual authentication schemes have been presented for the WSN environment, most of them have been found to be unprotected from various attacks or lacking in functionality properties. In this paper, we have analyzed Lu et al.’s scheme and show its security defects of their scheme. To overcome these defects, we have proposed a lightweight secure three-factor authentication scheme for WSNs. Furthermore, we propose a security analysis, and show that the proposed protocol is secure against known security attacks, and address the vulnerability in Lu et al.’s scheme. The formal security proof of the proposal is proved under the random oracle model. Security verification is confirmed by the formal proof through ProVerif. A performance comparison between our scheme and the related recent ones in terms of computation cost and communication overhead demonstrates that our scheme offers a better tradeoff between security and efficiency. Based on these advantages, we believe that our scheme provides a reasonable lightweight solution for authentication in the WSN environment.

Data Availability

The data used to support the findings of this study have been cited within the text as references [26, 29, 41, 44, 45, 49, 50].

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Natural Science Foundation of China (Project no. 61672007) and Science and Technology Innovation Guidance Project 2017 (Project no. 201704030605).

References

D. Jinwala, “Ubiquitous computing: wireless sensor network deployment, models, security, threats and challenges,” in Proceedings of the National Conference NCIIRP-2006, SRMIST, pp. 1–8, Bardoli, India, January 2006.
View at: Google Scholar
S. A. Munir, B. Ren, W. Jiao, B. Wang, D. Xie, and J. Ma, “Mobile wireless sensor network: architecture and enabling technologies for ubiquitous computing,” in Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops, AINAW’07, pp. 113–120, Niagara Falls, Canada, May 2007.
View at: Google Scholar
D. Puccinelli and M. Haenggi, “Wireless sensor networks: applications and challenges of ubiquitous sensing,” IEEE Circuits and Systems Magazine, vol. 5, no. 3, pp. 19–31, 2005.
View at: Publisher Site | Google Scholar
A. Mainwaring, D. Culler, J. Polastre, R. Szewczyk, and J. Anderson, “Wireless sensor networks for habitat monitoring,” in Proceedings of the 1st ACM International Workshop on Wireless Sensor Networks and Applications, pp. 88–97, ACM, Atlanta, GA, USA, September 2002.
View at: Google Scholar
T. Hayajneh, B. Mohd, M. Imran, G. Almashaqbeh, and A. Vasilakos, “Secure authentication for remote patient monitoring with wireless medical sensor networks,” Sensors, vol. 16, no. 4, p. 424, 2016.
View at: Publisher Site | Google Scholar
F. J. Pierce and T. V. Elliott, “Regional and on-farm wireless sensor networks for agricultural systems in Eastern Washington,” Computers and Electronics in Agriculture, vol. 61, no. 1, pp. 32–43, 2008.
View at: Publisher Site | Google Scholar
M. P. Đurišić, Z. Tafa, G. Dimić, and V. Milutinović, “A survey of military applications of wireless sensor networks,” in Proceedings of the2012 Mediterranean Conference on Embedded Computing (MECO), pp. 196–199, IEEE, Bar, Montenegro, 2012.
View at: Google Scholar
L. M. Oliveira and J. J. Rodrigues, “Wireless sensor networks: a survey on environmental monitoring,” Journal of Clinical Microbiology, vol. 6, no. 2, pp. 143–151, 2011.
View at: Publisher Site | Google Scholar
R. Roman, C. Alcaraz, J. Lopez, and N. Sklavos, “Key management systems for sensor networks in the context of the Internet of Things,” Computers & Electrical Engineering, vol. 37, no. 2, pp. 147–159, 2011.
View at: Publisher Site | Google Scholar
A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, “SPINS: security protocols for sensor networks,” Wireless Networks, vol. 8, no. 5, pp. 521–534, 2002.
View at: Publisher Site | Google Scholar
S. Raza, S. Duquennoy, T. Chung, D. Yazar, T. Voigt, and U. Roedig, “Securing communication in 6LoWPAN with compressed IPsec,” in Proceedings of the 2011 International Conference on Distributed Computing in Sensor Systems and Workshops (DCOSS), pp. 1–8, IEEE, Barcelona, Spain, Spain 2011.
View at: Google Scholar
S. Ray and G. Biswas, “Establishment of ECC-based initial secrecy usable for IKE implementation,” in Proceedings of the World Congress on Expert Systems (WCE), London, UK, 2012.
View at: Google Scholar
F. Li and P. Xiong, “Practical secure communication for integrating wireless sensor networks into the internet of things,” IEEE Sensors Journal, vol. 13, no. 10, pp. 3677–3684, 2013.
View at: Publisher Site | Google Scholar
C.-L. Chen, T.-F. Shih, Y.-T. Tsai, and D.-K. Li, “A bilinear pairing-based dynamic key management and authentication for wireless sensor networks,” Journal of Sensors, 2015.
View at: Google Scholar
S. Ramachandran and V. Shanmugam, “A two way authentication using bilinear mapping function for wireless sensor networks,” Computers & Electrical Engineering, vol. 59, pp. 242–249, 2017.
View at: Publisher Site | Google Scholar
K. H. M. Wong, Y. Zheng, J. Cao, and S. Wang, “A dynamic user authentication scheme for wireless sensor networks,” in Proceedings of the IEEE International Conference on Sensor Networks, Taichung, Taiwan, 2006.
View at: Google Scholar
H. R. Tseng, R. H. Jan, and W. Yang, “An improved dynamic user authentication scheme for wireless sensor networks,” in Proceedings of the IEEE Globecom- IEEE Global Telecommunications Conference, Washington, DC, USA, 2007.
View at: Google Scholar
M. L. Das, “Two-factor user authentication in wireless sensor networks,” IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1086–1090, 2009.
View at: Publisher Site | Google Scholar
D. Nyang and M.-K. Lee, “Improvement of Das’s two-factor Authentication protocol in wireless sensor networks,” IACR Cryptology ePrint Archive, vol. 2009, p. 631, 2009.
View at: Google Scholar
H. F. Huang, Y. F. Chang, and C. H. Liu, “Enhancement of two-factor user authentication in wireless sensor networks,” in Proceedings of the Sixth International Conference on Intelligent Information Hiding and Multimedia Signal Processing, Kaohsiung, Taiwan, November 2010.
View at: Google Scholar
D. He, Y. Gao, S. Chan, C. Chen, and J. Bu, “An enhanced two-factor user authentication scheme in wireless sensor networks,” Ad Hoc & Sensor Wireless Networks, vol. 10, no. 4, pp. 361–371, 2010.
View at: Google Scholar
P. Kumar and H. J. Lee, “Cryptanalysis on two user authentication protocols using smart card for wireless sensor networks,” in Proceedings of the Wireless Advanced, pp. 241–245, London, UK, 2011.
View at: Google Scholar
K. Xue, C. Ma, P. Hong, and R. Ding, “A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks,” Journal of Network and Computer Applications, vol. 36, no. 1, pp. 316–323, 2013.
View at: Publisher Site | Google Scholar
S. G. Yoo, K. Y. Park, and J. Kim, “A security-performance-balanced user authentication scheme for wireless sensor networks,” International Journal of Distributed Sensor Networks, vol. 8, no. 3, p. 382810, 2012.
View at: Publisher Site | Google Scholar
B. Vaidya, D. Makrakis, and H. Mouftah, “Two-factor mutual authentication with key agreement in wireless sensor networks,” Security and Communication Networks, vol. 9, no. 2, pp. 171–183, 2016.
View at: Publisher Site | Google Scholar
F. Wu, L. Xu, S. Kumari, and X. Li, “A new and secure authentication scheme for wireless sensor networks with formal proof,” Peer-to-Peer Networking and Applications, vol. 10, no. 1, pp. 16–30, 2017.
View at: Publisher Site | Google Scholar
A. Singh, A. K. Awasthi, and K. Singh, “Cryptanalysis and improvement in user authentication and key agreement scheme for wireless sensor network,” Wireless Personal Communications, vol. 94, no. 3, pp. 1881–1898, 2017.
View at: Publisher Site | Google Scholar
P. Chandrakar, “A secure remote user authentication protocol for healthcare monitoring using wireless medical sensor networks,” International Journal of Ambient Computing and Intelligence, vol. 10, no. 1, pp. 96–116, 2019.
View at: Publisher Site | Google Scholar
F. Wu, L. Xu, S. Kumari, and X. Li, “A privacy-preserving and provable user authentication scheme for wireless sensor networks based on Internet of Things security,” Journal of Ambient Intelligence and Humanized Computing, vol. 8, no. 1, pp. 101–116, 2017.
View at: Publisher Site | Google Scholar
D. Wang and P. Wang, “Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks,” Ad Hoc Networks, vol. 20, pp. 1–15, 2014.
View at: Publisher Site | Google Scholar
D. Wang, W. Li, and P. Wang, “Measuring two-factor authentication schemes for real-time data access in industrial wireless sensor networks,” IEEE Transactions on Industrial Informatics, vol. 14, no. 9, pp. 4081–4092, 2018.
View at: Publisher Site | Google Scholar
D. He and D. Wang, “Robust biometrics-based authentication scheme for multiserver environment,” IEEE Systems Journal, vol. 9, no. 3, pp. 816–823, 2015.
View at: Publisher Site | Google Scholar
A. K. Das, “A secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks,” Peer-to-Peer Networking and Applications, no. 1, pp. 1–22, 2014.
View at: Google Scholar
A. K. Das, “A secure and efficient user anonymity-preserving three-factor authentication protocol for large-scale distributed wireless sensor networks,” Wireless Personal Communications, vol. 82, no. 3, pp. 1377–1404, 2015.
View at: Publisher Site | Google Scholar
A. K. Das, “A secure and effective biometric-based user authentication scheme for wireless sensor networks using smart card and fuzzy extractor,” International Journal of Communication Systems, vol. 30, no. 1, Article ID e2933, 2015.
View at: Publisher Site | Google Scholar
Q. Jiang, S. Zeadally, J. Ma, and D. He, “Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks,” IEEE Access, vol. 5, pp. 3376–3392, 2017.
View at: Publisher Site | Google Scholar
Q. Xie, Z. Tang, and K. Chen, “Cryptanalysis and improvement on anonymous three-factor authentication scheme for mobile networks,” Computers & Electrical Engineering, vol. 59, pp. 218–230, 2017.
View at: Publisher Site | Google Scholar
R. Amin, S. H. Islam, G. P. Biswas, M. K. Khan, L. Leng, and N. Kumar, “Design of an anonymity-preserving three-factor authenticated key exchange protocol for wireless sensor networks,” Computer Networks, vol. 101, pp. 42–62, 2016.
View at: Publisher Site | Google Scholar
C.-T. Li and M.-S. Hwang, “An efficient biometrics-based remote user authentication scheme using smart cards,” Journal of Network and Computer Applications, vol. 33, no. 1, pp. 1–5, 2010.
View at: Publisher Site | Google Scholar
Q. Jiang, J. Ma, X. Lu, and Y. Tian, “An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks,” Peer-to-Peer Networking and Applications, vol. 8, no. 6, pp. 1070–1081, 2015.
View at: Publisher Site | Google Scholar
F. Wu, L. Xu, S. Kumari, and X. Li, “An improved and provably secure three-factor user authentication scheme for wireless sensor networks,” Peer-to-Peer Networking and Applications, vol. 11, no. 1, pp. 1–20, 2018.
View at: Publisher Site | Google Scholar
M. S. Farash, M. Turkanović, S. Kumari, and M. Hölbl, “An efficient user authentication and key agreement scheme for heterogeneous wireless sensor network tailored for the Internet of Things environment,” Ad Hoc Networks, vol. 36, pp. 152–176, 2016.
View at: Publisher Site | Google Scholar
D. Wang, Q. Gu, H. Cheng, and P. Wang, “The request for better measurement: a comparative evaluation of two-factor authentication schemes,” in Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 475–486, ACM, Xi’an, China, May 2016.
View at: Google Scholar
C. Wang, G. Xu, and J. Sun, “An enhanced three-factor user authentication scheme using elliptic curve cryptosystem for wireless sensor networks,” Sensors, vol. 17, no. 12, p. 2946, 2017.
View at: Publisher Site | Google Scholar
X. Li, J. Niu, S. Kumari, F. Wu, A. K. Sangaiah, and K.-K. R. Choo, “A three-factor anonymous authentication scheme for wireless sensor networks in internet of things environments,” Journal of Network and Computer Applications, vol. 103, pp. 194–204, 2018.
View at: Publisher Site | Google Scholar
R. Ali, A. K. Pal, S. Kumari, A. K. Sangaiah, X. Li, and F. Wu, “An enhanced three factor based authentication protocol using wireless medical sensor networks for healthcare monitoring,” Journal of Ambient Intelligence and Humanized Computing, pp. 1–22, 2018.
View at: Google Scholar
H. Luo, G. Wen, and J. Su, “Lightweight three factor scheme for real-time data access in wireless sensor networks,” Wireless Networks, pp. 1–16, 2018.
View at: Publisher Site | Google Scholar
J. Srinivas, D. Mishra, S. Mukhopadhyay, and S. Kumari, “Provably secure biometric based authentication and key agreement protocol for wireless sensor networks,” Journal of Ambient Intelligence and Humanized Computing, vol. 9, no. 4, pp. 875–895, 2018.
View at: Publisher Site | Google Scholar
X. Li, J. Peng, M. S. Obaidat, F. Wu, M. K. Khan, and C. Chen, “A secure three-factor user authentication protocol with forward secrecy for wireless medical sensor network systems,” IEEE Systems Journal, 2019.
View at: Google Scholar
Y. Lu, G. Xu, L. Li, and Y. Yang, “Anonymous three-factor authenticated key agreement for wireless sensor networks,” Wireless Networks, vol. 25, no. 4, pp. 1461–1475, 2019.
View at: Publisher Site | Google Scholar
Y. Dodis, L. Reyzin, and A. Smith, “Fuzzy extractors: how to generate strong keys from biometrics and other noisy data,” in Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, pp. 523–540, Interlaken, Switzerland, May 2004.
View at: Google Scholar
A. K. Das, “A secure user anonymity-preserving three-factor remote user authentication scheme for the telecare medicine information systems,” Journal of Medical Systems, vol. 39, no. 3, p. 30, 2015.
View at: Publisher Site | Google Scholar
X. Li, K. Wang, J. Shen, S. Kumari, F. Wu, and Y. Hu, “An enhanced biometrics-based user authentication scheme for multi-server environments in critical systems,” Journal of Ambient Intelligence and Humanized Computing, vol. 7, no. 3, pp. 427–443, 2016.
View at: Publisher Site | Google Scholar
J. Srinivas, D. Mishra, S. Mukhopadhyay, and S. Kumari, “Provably secure biometric based authentication and key agreement protocol for wireless sensor networks,” Journal of Ambient Intelligence and Humanized Computing, pp. 1–21, 2017.
View at: Google Scholar
N. Koblitz, A. Menezes, and S. Vanstone, “The state of elliptic curve cryptography,” Designs, Codes and Cryptography, vol. 19, no. 2-3, pp. 173–193, 2000.
View at: Publisher Site | Google Scholar
S. Mangard, E. Oswald, and T. Popp, Power Analysis Attacks: Revealing the Secrets of Smart Cards, vol. 31, Springer Science & Business Media, Berlin, Germany, 2008.
T. H. Kim, C. Kim, and I. Park, “Side channel analysis attacks using AM demodulation on commercial smart cards with SEED,” Journal of Systems and Software, vol. 85, no. 12, pp. 2899–2908, 2012.
View at: Publisher Site | Google Scholar
N. Veyrat-Charvillon, “Standaert F-X Generic side-channel distinguishers: improvements and limitations,” in Proceedings of the Annual Cryptology Conference, pp. 354–372, Santa Barbara, CA, USA, August 2011.
View at: Google Scholar
D. Wang and P. Wang, “Two birds with one stone: two-factor Authentication with security beyond conventional bound,” IEEE Transactions on Dependable and Secure Computing, no. 4, pp. 708–722, 2018.
View at: Google Scholar
J. Bonneau, “The science of guessing: analyzing an anonymized corpus of 70 million passwords,” in Proceedings of the 2012 IEEE Symposium on Security and Privacy (SP), pp. 538–552, IEEE, Oakland, CA, USA, 2012.
View at: Google Scholar
M. Dell’Amico, P. Michiardi, and Y. Roudier, “Password strength: an empirical analysis,” in Proceedings of the 2010 IEEE INFOCOM, pp. 1–9, IEEE, Shanghai, China, 2010.
View at: Google Scholar
W. B. Heinzelman, A. P. Chandrakasan, and H. Balakrishnan, “An application-specific protocol architecture for wireless microsensor networks,” IEEE Transactions on Wireless Communications, vol. 1, no. 4, pp. 660–670, 2002.
View at: Publisher Site | Google Scholar
M. Bellare and P. Rogaway, “Random oracles are practical: a paradigm for designing efficient protocols,” in Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73, ACM, Fairfax, VA, USA, November 1993.
View at: Google Scholar
D. Wang, H. Cheng, P. Wang, X. Huang, and G. Jian, “Zipf’s law in passwords,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, pp. 2776–2791, 2017.
View at: Publisher Site | Google Scholar
W. Ding, D. He, W. Ping, and C. H. Chu, “Anonymous two-factor Authentication in distributed systems: certain goals are beyond attainment,” Dependable & Secure Computing, vol. 12, no. 4, pp. 428–442, 2015.
View at: Google Scholar
B. Blanchet, “An efficient cryptographic protocol verifier based on prolog rules,” in Proceedings of the IEEE Computer Security Foundations Workshop, Mordano, Italy, 2001.
View at: Google Scholar
R. L. Rivest, M. E. Hellman, J. C. Anderson, and J. W. Lyons, “Responses to NIST’s proposal,” Communications of the ACM, vol. 35, no. 7, pp. 41–54, 1992.
View at: Publisher Site | Google Scholar
J. H. Burrows, Secure Hash Standard, Department of Commerce, Washington, DC, USA, 1995.

Copyright

Copyright © 2019 Jiaqing Mo and Hang Chen. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

2329

Downloads

1582

Citations