Abstract

The Internet of Things (IoT) has built an information bridge between people and the objective world, wherein wireless sensor networks (WSNs) are an important driving force. For WSN-based applications such as environment monitoring and smart healthcare, user legitimacy authentication and data security are always worth exploring. In recent years, many multifactor user authentication schemes for WSNs have been proposed using smart cards, passwords, and biometric features. Unfortunately, these schemes have been shown to suffer from various vulnerabilities (e.g., password guessing attack, impersonation attack, and replay attack) because of nonuniform security evaluation criteria. Wang et al. put forward 12 widely accepted evaluation criteria after investigating a large body of relevant literature. In this paper, we first propose a lightweight multifactor authentication protocol for multigateway WSNs using hash functions and XOR operations. Further, BAN logic and the BPR model are employed to formally prove the correctness and security of the proposed scheme, and the informal analysis against Wang et al.’s criteria also indicates that it can resist well-known attacks. Finally, a performance analysis of the compared schemes is given, and the evaluation results show that only the proposed scheme satisfies all 12 evaluation criteria while remaining efficient among these schemes.

1. Introduction

As the third revolution of the information technology industry, the Internet of Things (IoT) has been developing for over 20 years. During this period, more and more physical objects embedded with sensors and terminal devices have been connected to the IoT to exchange information. For instance, in wireless sensor networks (WSNs), tens of thousands of different sensors are deployed everywhere (e.g., architectures, bridges, and intelligent terminals). These devices collect real-time data from the surrounding environment or target objects and, at fixed periods, forward the collected data directly to nearby gateway nodes for further analysis. Then, application systems access the data through the network to provide various personalized services. In heterogeneous WSNs, because of the flexible access mode, any insecure terminal node may threaten the security of the whole network, and potential vulnerabilities continually emerge due to the complexity of heterogeneous networks [1]. Thus, it is necessary to design an authentication protocol to ensure that only legitimate users have access to the network [2]. Generally, because sensor nodes are resource-constrained (low energy, insufficient computing capability, and limited memory space), many expensive cryptographic primitives are not suitable. On the whole, a proposal designed for WSNs should balance security and efficiency well.

In 1981, Lamport [3] proposed the password-based authentication scheme, and in 1991, Chang and Wu [4] pioneered the smart card-based authentication scheme. Since then, single-factor identity authentication protocols for WSNs have emerged in an endless stream. In 2009, combining the smart card with a password, Das [5] put forward a pioneering work on multifactor authentication protocols for WSNs. However, it was found to have many weaknesses, i.e., lack of mutual authentication and vulnerabilities to password guessing attack, sensor node capture attack, and denial-of-service (DoS) attack [6–8]. Later, many multifactor authentication schemes that asserted high security and efficiency were proposed, yet they were prone to various attacks [9, 10]. Xue et al. [11] presented a temporal-credential-based mutual authentication and key agreement scheme for WSNs. Soon afterwards, loopholes were pointed out in their scheme, i.e., vulnerabilities to offline password guessing attack, user tracing, impersonation attack, and stolen-verifier attack, as well as the lack of user anonymity [12–14]. In recent years, biological information of the human body, such as fingerprint and iris, has been exploited for authentication. With its unforgeability, uniqueness, and stability, biometric authentication technology is inherently convenient, reliable, and promising [15]. Yuan [16] took the human fingerprint as a third factor to achieve lightweight user authentication for WSNs. Nevertheless, it was pointed out that this scheme did not withstand offline password guessing attack, privileged insider attack, and gateway impersonation attack. Then, Li et al. [17] introduced a three-factor authentication scheme for WSNs using biometric features. Subsequently, their scheme was shown to be unable to resist stolen smart card attack or support forward secrecy [18].
Additionally, in practical applications of WSNs, multiple gateways are usually deployed to jointly manage multiple areas. As such, the user can access any sensor node for real-time data in any area. Multigateway-based authentication protocols therefore also deserve discussion. Amin et al. [19] proposed a two-factor multigateway authentication protocol using hash functions. Later, Wu et al. [20] argued that this scheme neither realized mutual authentication nor resisted impersonation attack; then, they put forward a new scheme. Srinivas et al. [21] also found many flaws in [19], i.e., stolen smart card attack and sensor node spoofing attack, and then presented a three-factor authentication scheme using hash functions. However, their scheme was also shown to be vulnerable to sensor node capture attack and not to support user anonymity. In 2019, Guo et al. [22] found that the scheme designed by Wu et al. [20] could not resist stolen smart card attack and session key reveal attack. To address these drawbacks, Guo et al. [22] presented a new scheme based on biometric features. Recently, Vinoth et al. [23] proposed a secure multifactor authentication key agreement scheme for industrial IoT, which was not as secure as they claimed. It actually could not deal with attacks such as sensor node capture attack, DoS attack, and replay attack.

As mentioned above, these schemes are constantly exposed to various vulnerabilities and are in fact trapped in a “break-propose-break” cycle. The security properties of a scheme are determined by an evaluation standard system, so researchers always find new flaws under different systems. In 2018, on the basis of previous research, Wang and Wang [24] summarized and put forward security criteria for two-factor authentication protocols, which are recognized by the industry at present. These criteria contain 12 independent and fundamental rules that multifactor authentication protocols shall satisfy. For the specific content of the criteria, refer to [24]; we call them the “12-Criteria” here for convenience.

In terms of the 12-Criteria, most existing multifactor authentication protocols cannot satisfy all of them. This paper puts forward a new lightweight three-factor authentication and key agreement scheme for multigateway WSNs, and the main contributions are summed up as below:

(1) We first reanalyse Guo et al.’s protocol [22]. In accordance with the 12-Criteria, we further point out some vulnerabilities and drawbacks that still exist in their scheme, including no repairability, improper treatment of biological factors, offline password guessing attack, and lack of forward secrecy.

(2) In the light of the 12-Criteria, we put forward a new lightweight three-factor authentication and key agreement scheme for the multigateway environment. In our scheme, biometric features, as an important factor, are extracted and validated by a fuzzy extractor [25], and honey_list [24] is introduced to assist the effective smart card logout.

(3) Formal and informal security analyses are given to prove the correctness and security of the proposed scheme, and comparisons with similar research studies show that this new scheme achieves a superior balance between security and efficiency.

The remainder of this paper is organized as follows. The relevant background is introduced in Section 2. In Section 3, some security flaws in Guo et al.’s work [22] are discussed. The proposed protocol and the corresponding security analysis are presented in Sections 4 and 5, respectively. The performance of the proposed protocol is evaluated in Section 6, and finally, the whole paper is concluded in Section 7.

2. Preliminaries

This section briefly introduces the necessary notations, system model, and adversary model, as well as background on the formal proofs.

2.1. Notations

The related notations used in this paper are described in Table 1.

2.2. System Model

A multigateway system model is illustrated in Figure 1, wherein three roles, i.e., users, gateway nodes (GWNs), and sensor nodes, are included. Considering the distance measure, the relatively close node is referred to as the home gateway node (HGWN), while the opposite is the foreign gateway node (FGWN). The communication processes are summarized as follows.

When a legitimate user attempts to communicate with the sensor node, he first needs to log in successfully and send a message to inform HGWN. After the reception of the message, HGWN first checks its database with the key information of the target sensor node as an index. Here, two cases are taken into account. Case 1 is presented in steps ➀–④: if the target sensor node exists in the database, HGWN authenticates the user and sends a message to the sensor node. Then, the sensor node authenticates HGWN and returns a message. After the complete verification of the returned message, HGWN returns a message to the user. Similarly, once the message is verified correctly by the user, the three parties can derive a common session key for further communication. Case 2 is shown in steps 1–8: if the target sensor node does not exist in the database, HGWN broadcasts the request message to other nodes. When FGWN receives it and finds that the wanted sensor node exists in its database, it sends a message to HGWN. Then, HGWN returns a message to the user. After a complete authentication process, the user, FGWN, and the sensor node can negotiate the session key.

2.3. Notations and Formulas of BAN Logic

The Burrows-Abadi-Needham logic [26], BAN logic for short, plays a positive and effective role when proving that one scheme can support authentication and key agreement among communicating participants. Formally, it needs three steps including idealization of interaction messages in the protocol, initial assumptions according to specific situations, and achievements of expected goals by inference rules. We first present the basic notations of BAN logic in Table 2.

The basic formulas of BAN logic are described as follows.

(i) (R1) Message-meaning rule: if P concludes that the secret K or Y is shared with Q and sees or , then P believes Q once said X:

(ii) (R2) Freshness rule: if P believes X is fresh, then P believes (X, Y) is also fresh:

(iii) (R3) Belief rule: if P believes X and Y, then P believes the combination of X and Y:

(iv) (R4) Nonce-verification rule: if P believes that X is fresh and Q once said X, then P believes that Q believes X:

(v) (R5) Jurisdiction rule: if P believes Q has jurisdiction over X and Q believes X, then P believes X:

(vi) (R6) Seeing rule: if P once received a formula and knew the associated key, then P once saw the components of the formula:

(vii) (R7) Session key rule: if P believes X is fresh and Q believes X, then P believes he shares the key K with Q:

2.4. Adversary Model

Combining with the 12-Criteria, we list widely accepted assumptions describing the capabilities of an adversary , which are then used to analyse the security of authentication and key agreement protocols.

(i) When entities in WSN communicate with each other over an insecure wireless channel, can eavesdrop and intercept all messages transmitted over a public channel and is capable of tampering with and deleting the intercepted messages. In addition, can participate in running the protocol as a legitimate entity.

(ii) In reality, users’ devices and sensors are usually equipped with hardware to prevent illegal reading of and tampering with data [27], but to adhere to the extreme-adversary principle [28], it is reasonable to assume that when the user’s device or the sensor is captured by , has the ability to obtain the data stored in the memory of the captured sensors through side channel attack [24].

(iii) is capable of enumerating the Cartesian products of the user’s identity and password. Besides, in the n-factor authentication protocol, can obtain factors at most.

(iv) Only when evaluating the forward secrecy of the protocol, can obtain the long-term private key of a gateway node or a sensor node.

2.5. Security Model

To formalize our proposed scheme later, the BPR model [29] is introduced in this section, i.e., depictions of the random oracle model and the definition of authentication and key-exchange (AKE) security.

Participants. The authentication protocol involves three communication participants, i.e., the user, HGWN/FGWN, and sensor node. Each participant has many diverse instances which are called oracles. For a specific session, the three entities are instanced into , , and , respectively. Here, let denote any instance.

Queries. can only interact with honest participants through oracle queries and attempt to collect the returned messages to break the protocol. Thus, the following queries simulate ’s abilities in practice.

(i): it simulates the passive attack, through which can obtain all messages among the three communicators during a normal interaction.

(ii): it represents the active attack, which allows to intercept and forge the message, further send it to , and obtain the corresponding response.

(iii): it models abuse of the session key. Once accepts the current session and generates a session key SK, it will return SK to ; otherwise, return .

(iv): it simulates that can corrupt any two of the three factors of a legal user , but not at the same time. (1) If , can obtain and all parameters stored in SC; (2) if , can receive and all parameters stored in SC; (3) if , can get and .

(v): it represents the semantic security of the session key. Flip a coin b at random; if , it returns the session key of ; if , returns a random number equal in length to the session key to . If the session key of does not exist, it returns . It is noted that it can only be invoked once at any time for fresh sessions.

Partners. Let sid denote the session identifier; pid is the session identifier of partners. and are partners if and only if (1) they are both authenticated successfully; (2) they both have the same sid; (3) pid of is , while pid of is .

Freshness. A fresh satisfies that (1) is accepted and owns its session key; (2) does not query to or its partner; (3) since runs, queries to or its partner once at most.

Definition 1. (AKE security) Given denotes an event, that is, makes queries to several new accepted instances and can guess the right satisfying . Then, the advantage of breaking the AKE security of can be defined as . For any adversary capable of breaking in probabilistic polynomial time (PPT), is negligible; then, we say achieves AKE security.

3. Cryptanalysis of Guo et al.’s Scheme

The scheme designed by Guo et al. [22] is composed of five parts, including system setup, registration, login, authentication, and password change. We omit the review of their scheme due to space constraints; readers can refer to [22]. On the basis of the aforementioned assumptions, security flaws in their scheme are analysed in this section.

No Sound Repairability. Discarded smart cards are usually not in the safe keeping of users. In the unfortunate case that a user’s smart card is captured by an attacker , possibly launches the offline password guessing attack. Therefore, it is essential to provide a method to cancel the smart card of the user in multifactor authentication protocols.

Improper Treatment of Biometric Factors. As described in this protocol, after the user enters his biometric factor , SC calculates which is a key parameter to verify the true identity of the user. In practice, however, some bit errors always occur when reading devices extract biometric features (e.g., fingerprint and iris), that is, the biometric features extracted each time are not always identical. Therefore, calculated by SC may not equal that obtained during the user’s registration phase, which may result in failed authentication even if the user has input the right password.

Offline Password Guessing Attack. In the login phase, is assumed to have the ability to obtain two of the three authentication factors. Given that has accessed the user’s identity and biometric factor , then he can launch offline password guessing attack as follows. guesses a possible password , calculates , , and , and checks whether the equation holds. can repeat these operations until the calculated equals . Finally, can succeed in obtaining the user’s correct .

Lack of Forward Secrecy. Given that the long-term secret key of the GWN is revealed, can grab the private key of the sensor and further restore previous session keys.

(i) Case 1:

(1) obtains of HGWN and eavesdrops the message to gain the identity of the user-pointed communication object . Then, computes .

(2) eavesdrops messages and and then calculates , , , and . In this way, the session key can be derived by as .

(ii) Case 2:

(1) obtains of FGWN and computes after eavesdropping the message .

(2) eavesdrops messages and and then calculates , , , and . Thus, can figure out with ease.
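The failure described under Improper Treatment of Biometric Factors, next to the fuzzy-extractor remedy [25] that the proposed scheme adopts, as an added example that is not code from the paper. It assumes a toy code-offset construction with a 5-fold repetition code and SHA-256; the names gen, rep and naive_verifier and the constructed 80-bit template are illustrative.

```python
import hashlib
import secrets

REP = 5        # assumed: each key bit is repeated 5 times (corrects 2 flips per block)
KEY_BITS = 16  # assumed toy size, so a template is KEY_BITS * REP = 80 bits


def digest(bits):
    """Hash a list of 0/1 values with SHA-256."""
    return hashlib.sha256(bytes(bits)).hexdigest()


def naive_verifier(bio_bits):
    """What a card does when it hashes the raw reading: h(Bio)."""
    return digest(bio_bits)


def gen(bio_bits):
    """Gen(Bio) -> (R, P): secret string R and public helper data P."""
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    codeword = [bit for bit in key for _ in range(REP)]    # repetition encoding
    helper = [b ^ c for b, c in zip(bio_bits, codeword)]   # P = Bio XOR codeword
    return digest(key), helper


def rep(noisy_bits, helper):
    """Rep(Bio', P) -> R when Bio' is close enough to the enrolled Bio."""
    shifted = [b ^ p for b, p in zip(noisy_bits, helper)]  # codeword XOR error pattern
    key = [int(sum(shifted[i:i + REP]) > REP // 2)         # majority vote per block
           for i in range(0, len(shifted), REP)]
    return digest(key)


def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (simulated read errors)."""
    out = list(bits)
    for i in positions:
        out[i] ^= 1
    return out


def demo():
    enrolled = [secrets.randbits(1) for _ in range(KEY_BITS * REP)]  # constructed template
    r_enrolled, helper = gen(enrolled)
    same_finger = flip(enrolled, [3, 41, 77])   # three read errors in different blocks
    other_finger = flip(enrolled, range(40))    # half of the template differs
    return {
        "hash_of_raw_reading_matches": naive_verifier(same_finger) == naive_verifier(enrolled),
        "extractor_accepts_same_finger": rep(same_finger, helper) == r_enrolled,
        "extractor_accepts_other_finger": rep(other_finger, helper) == r_enrolled,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A production fuzzy extractor uses a stronger error-correcting code and a randomness extractor; the repetition code here only keeps the Gen/Rep mechanics visible.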

4. The Proposed Scheme

In this section, we present a lightweight three-factor authentication and key agreement scheme for multigateway WSNs in IoT, which involves users, sensor nodes, HGWNs, and FGWNs. Our scheme includes 6 phases: system initialization, registration, login, authentication and key agreement, password update, and smart card logout.

4.1. System Initialization

SA assigns the identity and private key to HGWN, similarly, and to FGWN, and to the sensor . Then, SA sets up a shared key for the communication between HGWN and FGWN. Beyond that, HGWN and FGWN need to select three random numbers , , and , respectively.

4.2. Registration

As shown in Figure 2, this phase involves two parts, sensor registration and user registration. Both sensor nodes and users need to register their essential information with the closest gateway, namely, HGWN.

4.2.1. Sensor Registration

Step 1: . sends its identity to HGWN over a private channel, and HGWN stores to its database for checking whether or not is registered.

Step 2: . HGWN calculates and sends to via a private channel. After the reception of , saves it secretly.

4.2.2. User Registration

Step 1: . inputs his username , the password , and his biometric information . Next, he chooses a number at random and then computes and .

Step 2: . HGWN selects a pseudoidentity for and calculates , , and . Then, HGWN stores into its database and to SC, where records the number of the user logon failures.

Step 3: computes and , where . Next, stores into his SC.

4.3. Login

Step 1: first inputs , , and ; then, SC computes , , and and checks whether holds. If so, turn to the next step; otherwise, return a logon failure message and terminate this session.

Step 2: . SC chooses a timestamp and a random number and then calculates , , , , , and .

4.4. Authentication and Key Agreement

After the reception of ’s request to communicate with , HGWN first confirms whether the specified sensor is located within its communication range. Specifically, if HGWN can query its local database for , then the authentication can be conducted as described in Case 1 (see Figure 3); otherwise, run as shown in Case 2 (see Figure 4).

(i) Case 1:

Step 1: after receiving , HGWN records the current timestamp . If is true, then is valid; otherwise, this session would be closed up. Next, HGWN computes , , , , and and verifies whether the equation is true; if so, it turns into the next step; otherwise, it sets and returns a logon failure message to . Note that once , ’s account would be frozen, and the session is also terminated.

Step 2: . HGWN selects randomly and then computes , , , and .

Step 3: After the reception of , records the timestamp and checks the freshness of . Next, calculates and and checks whether the equation ; if so, it turns to the next step; otherwise, it terminates the current session.

Step 4: . chooses a random number and computes , , and .

Step 5: when receiving from , HGWN records the present timestamp and verifies the freshness of . Next, HGWN calculates and and checks whether holds; if so, it turns to the next step; otherwise, it aborts this session.

Step 6: . HGWN chooses a new pseudonym for and continues to compute , , , , , and .

Step 7: after the reception of , takes down the current timestamp and checks the validity of . Next, computes , , , , and and verifies whether the equation matches; if so, then it turns to the next step; otherwise, it discontinues the session.

Step 8: SC calculates and substitutes for .

(ii) Case 2:

Step 1: similarly, after the reception of , HGWN takes down the current timestamp . If , then is valid; otherwise, the session is discontinued. Next, HGWN computes , , , , and and verifies . If the equation holds, HGWN runs the next step; otherwise, it sets , returns a logon failure message to , and aborts the session.

Step 2: HGWN broadcasts to other gateway nodes.

Step 3: . FGWN finds in its database, then records the present timestamp , and computes and .

Step 4: . When receiving from FGWN, HGWN takes down the timestamp and verifies the freshness of . HGWN selects a new pseudonym and calculates , , , , , and .

Step 5: after receiving , records the time stamp and checks the validity of . Then, computes , , and and checks . If the equation holds, continues the next step; otherwise, it terminates the session.

Step 6: . selects a random number and computes .

Step 7: after the reception of , FGWN records and verifies the freshness of . Next, FGWN computes and further checks whether matches. If so, FGWN continues the next step; otherwise, it discontinues the session.

Step 8: . FGWN selects at random and computes , , , and .

Step 9: after the reception of , takes down the timestamp and verifies the freshness of . Next, calculates and and checks the equation . If the equation holds, turns to the next step; otherwise, it terminates the session.

Step 10: . selects at random and computes , , and .

Step 11: once receiving , FGWN takes down and verifies the freshness of . Further, FGWN computes and and checks whether the equation is true; if so, it continues the next step; otherwise, it terminates the session.

Step 12: . FGWN computes , , and .

Step 13: after receiving , thereupon records the timestamp and checks the validity of . Further, computes , , and and checks whether the equation holds; if so, it continues the next step; otherwise, it discontinues the session.

Step 14: SC computes and replaces with .

4.5. Password Update

Step 1: first inputs his , , and . SC computes , , and and checks the equation . If the equation holds, the next step can be run; otherwise, a logon failure message would be returned and the login request also would be terminated.

Step 2: inputs a new password , and SC computes , , , , and and then replaces with .

4.6. Smart Card Logout

Step 1: inserts his smart card SC and inputs , as well as . Further, SC computes , , and and checks whether matches; if so, it turns to Step 2; otherwise, it returns a logon failure message and terminates this session.

Step 2: . selects the current timestamp , thereupon computes , , and .

Step 3: after the reception of , HGWN records the timestamp . If is true, then is fresh. Then, HGWN computes and and continues to check whether . If the equation holds, it runs the next step; otherwise, it aborts the session.

Step 4: HGWN deletes all local records of .
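The freshness check used in the login, authentication and logout steps, together with the replay argument of Section 5.1, as an added example rather than the paper's own code. The window DELTA_T, the field names PID/T/M and the SHA-256 tag are assumptions, and the example goes one step beyond the text by also remembering tags already accepted inside the window.

```python
import hashlib
import hmac

DELTA_T = 5  # assumed maximum transmission delay, in seconds


def h(*parts):
    """SHA-256 over length-prefixed fields, so field boundaries are unambiguous."""
    sha = hashlib.sha256()
    for part in parts:
        data = str(part).encode()
        sha.update(len(data).to_bytes(4, "big") + data)
    return sha.hexdigest()


def build_login(secret, pseudonym, t_send):
    """User side: the timestamp travels in clear and is also bound into the hash M."""
    return {"PID": pseudonym, "T": t_send, "M": h(secret, pseudonym, t_send)}


class Gateway:
    """Hypothetical gateway holding one shared secret per registered pseudonym."""

    def __init__(self, secrets_by_pid):
        self.secrets = secrets_by_pid
        self.seen = {}  # tag M -> timestamp, kept only while still inside the window

    def receive(self, msg, t_now):
        # 1. Freshness: reject anything older than the allowed delay.
        if abs(t_now - msg["T"]) > DELTA_T:
            return "rejected: stale timestamp"
        secret = self.secrets.get(msg["PID"])
        if secret is None:
            return "rejected: unknown pseudonym"
        # 2. Integrity: recompute the hash with the timestamp the message claims.
        expected = h(secret, msg["PID"], msg["T"])
        if not hmac.compare_digest(expected, msg["M"]):
            return "rejected: hash mismatch"
        # 3. Addition of this example: refuse a tag already accepted inside the window.
        self.seen = {m: t for m, t in self.seen.items() if abs(t_now - t) <= DELTA_T}
        if msg["M"] in self.seen:
            return "rejected: duplicate inside window"
        self.seen[msg["M"]] = msg["T"]
        return "accepted"


def run_scenarios():
    secret, pid = "constructed-shared-secret", "PID-constructed-01"
    gateway = Gateway({pid: secret})
    original = build_login(secret, pid, 1000)  # constructed message sent at t = 1000
    results = {"legitimate": gateway.receive(original, 1001)}
    # Verbatim copy resent much later: the clear timestamp is too old.
    results["replayed_later"] = gateway.receive(original, 1600)
    # Same copy with the clear timestamp rewritten: M still binds the old timestamp.
    results["timestamp_rewritten"] = gateway.receive(dict(original, T=1600), 1600)
    # Verbatim copy resent while the timestamp is still fresh.
    results["replayed_inside_window"] = gateway.receive(original, 1003)
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {outcome}")
```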

5. Security Analysis

This section provides a rigorous security analysis of the proposed authentication scheme. On the basis of the 12-Criteria, the informal analysis first discusses how the proposed scheme resists some well-known attacks. Second, the widely used BAN logic is utilized to validate the correctness of the proposed scheme as well as its feasibility for authentication and key negotiation. Finally, the BPR model-based formal security proof demonstrates the security of the proposed scheme.

5.1. Informal Analysis

Resistance to Insider Attack. In multifactor authentication schemes, the user’s password, as a second factor, is vital for the server/gateway to authenticate the user. The server/gateway is trusted in the usual sense, yet there is a real possibility that insiders may disclose users’ sensitive information. At the registration phase, ’s password is masked by to transmit to HGWN. Though has the ability to obtain , he cannot guess the correct . That is because is a random number, only known to , and and derived information from ’s biometric factors are also secret. Additionally, the two parameters never appear in any communication channel, and does not possess the ability to crack hash functions. As a consequence, the proposed scheme can resist insider attack.

Resistance to Password Guessing Attack. Assuming that has generated the Cartesian products of and maliciously obtained the biometric factors and SC through the reading device, then can calculate , , and and further check whether the equation holds to find out a correct password. It is noted that there are [24] passwords satisfying the equation, the attempts of which are enormous, thus the offline password guessing attack is bound to fail. Furthermore, records the number of user logon failures when HGWN verifies the identity of , which makes it extremely unlikely that can guess the right password through online password guessing within finite attempts. Clearly, the proposed scheme can resist diverse password guessing attacks.

Resistance to Replay Attack. It is known that has the ability to eavesdrop and intercept messages over the public channel. So, may retransmit the eavesdropped or intercepted messages in a new round of the protocol implementation, to make the other party believe that “he” is legitimate to communicate with him. In the proposed protocol, however, the timestamp is employed to demonstrate the freshness of each message, so as to filter out old messages intercepted by . For instance, has intercepted , where , and at time , he attempts to resend to HGWN for login. However, can only change the timestamp in the message but not that in , thus the launched replay attack is bound to fail. This instance illustrates that the proposed scheme can withstand replay attack.

User Anonymity. In terms of user anonymity, it is required that cannot find out the true identities of users or trace their communication trajectories. In this scheme, each user is assigned a pseudonym , and after a round of key negotiation, his pseudonym will be updated with a new pseudonym . Moreover, the calculation of depends on ’s private key and identity , neither of which is exposed to the open channel. Therefore, cannot trace the communication trajectory of the user via the pseudonym. As analysed above, user anonymity is effective.

Forward Secrecy. According to the proposed protocol, ’s and ’s private keys are both calculated from a random number and the gateway node’s long-term key. As a result, even if the long-term key of the gateway node is leaked for some reason, cannot figure out ’s or ’s private key because he does not know the random number. As the session key depends on , , as well as , three of which are severally masked by private keys of three parties, cannot compute the right SK at all. Consequently, the presented scheme supports forward secrecy.

Effective Smart Card Logout. For smart cards that are no longer used, improper handling may pose a huge safety hazard. On the basis of the smart card logout method described in this protocol, must enter his right , , and simultaneously while cancelling his SC, so as to prevent from launching malicious cancellation after the smart card is lost. In addition, cannot achieve password guessing attack and obtain three authentication factors at the same time, so there is no way for to masquerade as a legitimate user to cancel the smart card. Hence, the smart card logout method presented in this protocol is effective and secure.
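Why the password-guessing argument above holds, as an added example that is not the paper's code: it assumes the fuzzy-verifier idea of [24], in which the card stores a hash reduced modulo a small integer (N0 here), combined with a gateway-side failure counter in the role of honey_list. N0, MAX_FAILS, the constructed dictionary and the Gateway class are all assumptions of the example.

```python
import hashlib

N0 = 256       # assumed modulus of the fuzzy verifier stored on the card
MAX_FAILS = 3  # assumed number of logon failures before the account is frozen


def h(*parts):
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()


def exact_verifier(identity, password, salt):
    """Card stores the full hash: exactly one dictionary entry matches it."""
    return h(identity, password, salt)


def fuzzy_verifier(identity, password, salt):
    """Card stores the hash mod N0: roughly 1/N0 of all candidates match it."""
    return int(h(identity, password, salt), 16) % N0


def consistent_candidates(verifier, stored, identity, salt, dictionary):
    """Dictionary entries that an offline check against the card cannot rule out."""
    return [pw for pw in dictionary if verifier(identity, pw, salt) == stored]


class Gateway:
    """Stand-in for HGWN's check of the login request (hypothetical class)."""

    def __init__(self, identity, password):
        # Placeholder for the hash HGWN verifies in the real login message.
        self._expected = h(identity, password, "gateway-side-secret-constructed")
        self.honey_list = 0  # logon failures recorded for this user

    def login(self, identity, password):
        if self.honey_list >= MAX_FAILS:
            return "frozen"
        if h(identity, password, "gateway-side-secret-constructed") == self._expected:
            return "ok"
        self.honey_list += 1
        return "frozen" if self.honey_list >= MAX_FAILS else "fail"


def demo():
    identity, real_pw, salt = "user-constructed", "pw013370", "card-salt-constructed"
    dictionary = [f"pw{i:06d}" for i in range(20000)]  # constructed password space
    exact = consistent_candidates(
        exact_verifier, exact_verifier(identity, real_pw, salt), identity, salt, dictionary)
    fuzzy = consistent_candidates(
        fuzzy_verifier, fuzzy_verifier(identity, real_pw, salt), identity, salt, dictionary)
    # The card cannot separate the real password from the decoys, so the remaining
    # candidates can only be tested online, where every miss is counted.
    gateway = Gateway(identity, real_pw)
    decoys = [pw for pw in fuzzy if pw != real_pw]
    online = [gateway.login(identity, pw) for pw in decoys[:MAX_FAILS]]
    return {
        "exact": exact,
        "fuzzy": fuzzy,
        "online": online,
        "after_freeze": gateway.login(identity, real_pw),
    }


if __name__ == "__main__":
    out = demo()
    print("candidates left by exact verifier:", len(out["exact"]))
    print("candidates left by fuzzy verifier:", len(out["fuzzy"]))
    print("online attempts with decoys:", out["online"], "then:", out["after_freeze"])
```

With the full hash on the card a single candidate survives and no online attempt is needed; with the reduced hash the card still rejects most typos locally (criterion C9) while leaving too many candidates to test within the failure limit.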

5.2. Formal Analysis Based on BAN Logic

In the light of BAN logic, a detailed analysis in this section will illustrate that the interacting parties (, , and ) can achieve mutual authentication and negotiate a common session key properly and securely. The analytic procedures for two cases in the proposed scheme are described as follows.

5.2.1. Security Analysis for Case 1

(i)Goals:(ii)Idealized forms:(iii)Assumptions:(iv)Main proofs:From and R6, we can know .From S1, , and R1, we can get .From S2, , R2, and R4, we can get .From S3, , and R5, we can get .From , R2, and , we can get .From S3, S5, and R7, we can get .Here, we have achieved G3.From S6, , and R4, we can get .Then, G4 has been also achieved.From and R6, we can know .From S8, , and R1, we can gain .From S9, , R2, and R4, we can gain .From S10 and R3, we can gain .From S11, , and R5, we can gain .From , R2, and , we can gain .From S11, S13, and R7, we can gain . Here, G7 has been proved.From S14, , and R4, we can gain .So, G8 has been also gained.Fromand R6, we can get .From S16, , and R1, we can get .From S17, , R2, and R4, we can get .From S18 and R3, we can get .Here, we have achieved G6.From S19, , and R5, we can get .So, G5 has been also gained.From and R6, we can gain .From S21, , and R1, we can obtain .From S22, , R2, and R4, we can obtain .From S23 and R3, we can obtain .So, we have achieved G2.From S24, , and R5, we can obtain .Finally, we have gained G1.

5.2.2. Security Analysis for Case 2

(i)Goals:(ii)Idealized forms:(iii)Assumptions:(iv)Main proofs:From and R6, we obtain .From S26, , and R1, we obtain .From S27, , R2, and R4, we obtain .From S28, , and R5, we obtain .From , R2, and , we obtain .From S28, S30, and R7, we obtain .So, G3 has been achieved.From S31, , and R4, we obtain .Here, G4 has been also obtained.From and R6, we get.From S33, , and R1, we get .From S34, , R2, and R4, we get .From S35 and R3, we get .From S36, , and R5, we get .From , R2, and , we get .From S36, S38, and R7, we get . Here, we have proved G7.From S39, , and R4, we get .Here, we have achieved G8.From and R6, we gain.From S41, , and R1, we gain .From S42 and R3, we gain .From , R2, and , we gain .From S43, S44, R2, and R4, we gain .Here, we have achieved G6.From , S45, and R5, we gain .So, we have also achieved G5.From and R6, we know .From S47, , and R1, we get .From S48 and R3, we get .From , R2, and , we get .From S49, S50, R2, and R4, we get .So, G2 has been gained.From S51, , and R5, we get . So, G1 has been also obtained.

Consequently, all security goals are amply demonstrated, both in Case 1 and in Case 2. This also confirms that the communication participants (, HGWN/FGWN, and ) can authenticate mutually and negotiate a common key successfully.

5.3. Formal Analysis Based on BPR Model

Theorem 1. For the protocol , assuming that, in a polynomial time t, makes up to queries, queries, and oracle queries. Let represent the password space subject to Zipf distribution, wherein and are Zipf parameters; let l denote the output length of hash functions. Now, we can get

Proof. Five games are considered to demonstrate Theorem 1, and the simulation process of each game is analysed below, wherein indicates an event that outputs the right random bit b in , where .

: it simulates a true attack under the random oracle model. has the ability to access all oracles; so according to Definition 1, we have

: it maintains two lists, and , respectively, recording oracle queries and communications during the execution of . Besides, all other queries are run as the actual protocol. In , launches the passive attack to intercept all messages through query and then guesses the output result of query. Due to the impossibility of figuring out , the advantage of a successful attack does not increase for , so we can get

: here, can make queries and queries to convince the true communicator of forged messages. Only when happens to find some collisions and succeeds in constructing credible messages, the simulation terminates. In , two kinds of collisions may be contained: output collisions of hash functions and collisions of random numbers selected in . According to Birthday Paradox [30], the probabilities of their occurrence are and , respectively. Therefore, we obtain

: this game differs from the above games in the case that when can guess the correct authentication factors , , , and without queries, the simulation terminates. It is indistinguishable from the previous games except that some instance refuses the right authentication. Thus, we have

: in this game, has abilities to reach more information through query.

(i) queries , which means he has got the user’s password and parameters stored in SC. Then, in queries, succeeds in guessing with the length , the possibility of which is .

(ii) queries , that is, has accessed the user’s biometric factors and parameters stored in SC. Then, in queries, succeeds in guessing the victim’s password, the possibility of which is .

(iii) queries ; similarly, has the user’s password and biometric factors. Then, the possibility of guessing the right is .

and are indistinguishable unless the above attack is successful. So, we have

When has no efficient input to make queries to , there is no advantage to distinguish the real SK from a random number with the same size through . Therefore,

From (2)–(7), we can draw conclusion (1) or (8); this is
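The proof leans on two quantities: a birthday-paradox collision term and the success rate of online guessing against Zipf-distributed passwords. The following is an added example, not code from the paper, that checks both numerically. The bound q²/2^(l+1), the 16-bit toy hash, the Zipf exponent 0.9 and the dictionary size are assumptions chosen for illustration.

```python
import hashlib
import random

def birthday_bound(q: int, bits: int) -> float:
    """Assumed bound q^2 / 2^(bits+1) on any collision among q random values."""
    return min(1.0, q * q / 2 ** (bits + 1))

def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 cut down to `bits` bits so collisions become observable."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def collision_rate(q: int, bits: int, trials: int, seed: int = 1) -> float:
    """Fraction of trials in which q hash queries produce a repeated output."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        seen = set()
        for _ in range(q):
            h = truncated_hash(rng.getrandbits(64).to_bytes(8, "big"), bits)
            if h in seen:
                hits += 1
                break
            seen.add(h)
    return hits / trials

def zipf_pmf(n: int, s: float) -> list:
    """Probability of the rank-r password, proportional to r^(-s)."""
    weights = [r ** -s for r in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]

def online_guess_success(pmf: list, q: int) -> float:
    """Chance that q guesses, most popular first, hit the victim's password."""
    return sum(pmf[:q])

if __name__ == "__main__":
    # Constructed parameters: 16-bit toy hash, 64 queries, 100,000 passwords.
    print("toy hash: measured", collision_rate(64, 16, 2000),
          "bound", birthday_bound(64, 16))
    # Sizes from Section 6.3: 160-bit hash output, 128-bit random numbers.
    print("160-bit hash, 2^40 queries:", birthday_bound(2 ** 40, 160))
    print("128-bit nonce, 2^40 queries:", birthday_bound(2 ** 40, 128))
    pmf = zipf_pmf(100_000, 0.9)
    print("Zipf, 100 guesses:", online_guess_success(pmf, 100),
          "uniform:", 100 / 100_000)
```

With these constructed parameters, 100 guesses against the Zipf-distributed dictionary succeed far more often than the 0.1% a uniform password model would predict, which is why the guessing term in such a bound is stated in terms of the Zipf parameters rather than the dictionary size alone.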

6. Performance Comparison

In this section, the proposed protocol is compared with several existing multifactor authentication protocols in terms of performance, involving security features, computation overhead, and storage costs. Specific comparison results and analysis are described as follows.

6.1. Security Features

On the basis of the 12 security criteria, Table 3 presents the comparison results of these diverse authentication protocols, i.e., Guo et al. [22], Wu et al. [20], Srinivas et al. [21], Amin [19], and our proposed protocol. The proposed protocol satisfies all 12 evaluation criteria, whereas the others meet at most 8. In particular, the new protocol in this paper exclusively provides repairability and forward security, as well as resistance against stolen smart card attack. The protocol presented by Guo et al. [22] has weaknesses in no repairability, improper treatment of biometric features, and offline password guessing attack; the protocol of Wu et al. [20] cannot resist insider attack, stolen smart card attack, and offline password guessing attack; the protocol proposed by Srinivas et al. [21] does not protect against insider attack and offline password guessing attack, nor does it ensure that the user cannot be traced; Amin’s protocol [19] provides neither resistance to insider attack nor a guarantee of user untraceability. Furthermore, none of these protocols, except the proposed one, implements forward secrecy.

The 12 security evaluation criteria were proposed by Wang and Wang [24]: C1 for no password verifier-table; C2 for password-friendly; C3 for no password exposure; C4 for no smart card loss attack; C5 for resistance to known attacks; C6 for sound repairability; C7 for provision of key agreement; C8 for no clock synchronization; C9 for timely typo detection; C10 for mutual authentication; C11 for user anonymity; C12 for forward secrecy.

6.2. Computation Overhead

In this section, we compare the computation overhead among the above relevant schemes. In reality, login and authentication are much more frequent than registration; thus, the performance of authentication and key-agreement protocols depends primarily on the computational costs of the login and authentication phases. As depicted in Table 4, the proposed scheme is more computationally expensive than other schemes at the user side. This is unsurprising because a fuzzy extractor is employed in this paper to extract and verify the biometric features, which is more applicable for high security systems. As for the gateways and resource-constrained sensor nodes, the computational costs are nearly the same. At any side, the schemes proposed by Wu et al. [20] and Amin [19] have the least computational overhead, as they trade low safety features for high efficiency. In summary, although other schemes have lower computational complexity, the proposed scheme can protect against all security threats faced by other schemes, which is more feasible in the real world.

6.3. Storage Costs

This section compares the storage costs of the proposed scheme and other relevant schemes; see Table 5 and Figure 5. The recommended sizes are 32 bits for the (pseudo-) identity, 160 bits for the hash output, 128 bits for the fuzzy extractor public data, 128 bits for a random number, and 32 bits for a timestamp, and these parameters are denoted separately as , , , , and . As shown in Figure 5, storage overhead on the user and sensor node sides is nearly the same, but that on the gateway nodes is higher, because in the proposed scheme smart card logout is achieved with the assistance of a honey_list saved in the gateway nodes’ memories. However, in terms of storage capacity, gateway nodes are much better than smart cards and sensor nodes; thus, the overhead is acceptable.

7. Conclusion

WSNs are becoming increasingly vital in IoT applications. Inevitably, multifactor and multigateway authentication protocols have become a focus. In this paper, through analysing weaknesses in the existing schemes, we introduced the widely accepted criteria for evaluating security protocols. In line with the criteria, we revisited Guo et al.’s scheme and found some security flaws, i.e., no repairability, improper treatment of biometric factors, offline password guessing, and no forward secrecy. Then, we proposed a new three-factor authentication protocol for multiple gateways using a fuzzy extractor and the honey_list technique. Following that, we proved the correctness and security of the proposed scheme by BAN logic and the BPR model. Overall, our proposed scheme outperformed other relevant schemes by remaining efficient in performance while satisfying the security criteria.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Authors’ Contributions

L. Xue and Q. Huang contributed equally to this work.

Acknowledgments

This work was supported in part by the National Key Research and Development Program (2019YFB2101704 and 2018YFB0803403), National Natural Science Foundation of China (61872194 and 62072252), and Key Project on Anhui Provincial Natural Science Study by Colleges and Universities (KJ2019A0579, KJ2020A0513 and KJ2020A0497).