Abstract

Because sensor nodes are deployed in public areas, they are easy for adversaries to capture. Once a sensor is stolen, the sensitive information stored in it is likely to be exposed. Accordingly, the design of a secure authentication protocol should take this issue into account. Sadri et al. recently proposed a two-factor authentication protocol with anonymity for wireless sensor networks. Unfortunately, we found that their protocol has a design flaw in the user and sensor authentication phase. Besides, their protocol cannot resist stolen smart card attacks, sensor capture attacks, and user impersonation attacks. In addition, it does not provide perfect forward security. This paper proposes a provably secure authentication protocol to overcome these weaknesses and flaws. By comparing the security and performance of the proposed protocol with other related protocols, we find that our work has reasonable computation overhead and better security.

1. Introduction

The Internet of things (IoT) [1, 2] is defined as a network formed by sharing data between devices, and the term is commonly used for any device connected to the Internet. IoT devices can collect data from the environment, connect to the Internet, and send the data to the cloud, where it can be further analyzed by artificial intelligence or machine learning. Some devices connect to gateways or other devices to share the data they collect, and some can even communicate with related devices and take actions based on the data they obtain from each other. IoT provides many advantages, including a higher degree of automation, which improves the efficiency of time and resources, and more intelligent decisions based on the collected data. IoT is now widely deployed in numerous applications and environments such as industry [3, 4], transportation [5, 6], smart cities [7], medical care [8], etc. There are many kinds of IoT devices, and sensors are the most common.

A wireless sensor network (WSN) [9, 10] is a network of a vast number of sensors arbitrarily deployed in a particular environment. After being deployed, these sensors sense the environment and collect environmental data, such as temperature, humidity, light, pressure, chemical composition, etc. The sensors then transmit the sensing data back to a gateway or a server over a wireless network. Security is essential when submitting sensing data in a WSN. Security is considered the most demanding task in a WSN, as it is challenging to keep monitoring sensor nodes at all times, but the network must be secured to prevent an intruder from eavesdropping on data transmission.

Many authentication protocols for WSN have been presented [11, 12]. These protocols provide two essential security requirements: authentication of each role in the WSN and confidentiality of the transmitted data. Very recently, Sadri and Asaar [13] described a two-factor authentication protocol with anonymity. This protocol allows users to modify their passwords locally. They claimed that their protocol is secure against various kinds of attacks, including user impersonation attacks and stolen smart card attacks, and that it provides perfect forward secrecy. However, in this paper, we show that Sadri et al.’s protocol still has the following security issues. First, the protocol is still vulnerable to user impersonation attacks, stolen smart card attacks, and sensor capture attacks. Second, it does not provide perfect forward secrecy. Third, it cannot complete the sensor node authentication process because of a design flaw. We further analyze why Sadri et al.’s protocol [13] has these security issues. The reasons fall into three categories. First, once an adversary captures a sensor and obtains the sensitive information stored in it, he can compute the session key. Second, their protocol uses symmetric encryption algorithms to encrypt the data, and the keys used for encryption/decryption are stored in users’ smart cards; if an adversary steals a user’s smart card and obtains the parameters stored in it, he can compute the session key. Third, a sensor cannot learn the identity of the user communicating with it, so the sensor and gateway cannot complete the sensor node authentication process correctly.

In this paper, to solve the drawbacks and flaws of the Sadri and Asaar protocol [13], we offer a provably secure two-factor authentication protocol for IoT. Unlike their protocol [13], we use asymmetric key encryption algorithms in our design, which prevents sensor capture attacks. In our design, an adversary cannot compute a session key or impersonate a legitimate user even if he has compromised a sensor or stolen a smart card. To demonstrate that the proposed protocol is provably secure, we use the Random Oracle (ROR) model for a formal security analysis. Besides, we employ BAN logic to examine the security and logic of our design. Furthermore, we evaluate the performance of the proposed protocol in terms of computation and communication costs. The experimental results show that our method has significant advantages in both security and performance.

The remainder of this paper is arranged as follows. Section 2 introduces the related works and Section 3 presents the system model. In Section 4, we briefly review the Sadri and Asaar protocol [13] and then cryptanalyze it. The proposed protocol is presented in Section 6. Sections 7 and 8 deliver security and performance analyses and comparisons. Finally, Section 9 concludes the paper.

2. Related Works

Because of the increasing number of IoT devices and cyberattacks, there is a large body of existing research on security issues for different applications and environments [14]. Chaudhry et al. [15] offered an anonymous device-to-device access control mechanism for the Internet of Medical Things. Huang et al. [1] designed a revocable storage attribute-based encryption algorithm for cloud-assisted IoT. Xue and Chen [16] utilized a compact evolutionary search scheme to match sensor ontologies. Chu et al. [17] presented an algorithm to identify correct data in WSN. Reddy et al. [18] described a security approach for home surveillance systems using IoT. Li et al. [19] described a secure paradigm of message protection for RFID-based IoT. Hussain et al. [7] designed a secure mechanism for smart cities.

As for research on authentication protocols in IoT, Turkanovic et al. [20] provided an authentication protocol that enhances user privacy in 2014, but Amin and Biswas [21] discovered that their protocol [20] is vulnerable to stolen smart card attacks and offline password guessing attacks. Then, Xu et al. [22] proposed a new authentication protocol and claimed that it could resist various known attacks and provide user anonymity. However, Alzahrani et al. [23] found that Xu et al.’s protocol [22] loses user anonymity under offline identity guessing attacks. Besides, in 2020, Shin and Kwon [24] discovered that Adavoudi-Jolfae et al.’s protocol [25] cannot resist desynchronization attacks and user collusion attacks and then proposed a new privacy-preserving authentication protocol. In addition, Tewari and Gupta [26] proposed a novel protocol using bitwise operations to reduce communication costs. After that, Jiang et al. [27] proposed another authentication protocol to provide confidentiality and integrity of transmitted messages. In 2020, Wu et al. [28] proposed a three-factor authentication protocol for WSN. Still, Sadri and Asaar [13] proved that it is vulnerable to sensor capture attacks, user tracking attacks, and desynchronization attacks, and they proposed a new protocol.

3. System Model

Here we define the network model and the adversary model used in this paper.

3.1. Network Model

The architecture of the protocol is illustrated in Figure 1. All communications in this architecture are through a public channel. Three entities are involved.
(1) Sensor nodes: Various sensor nodes are deployed everywhere to sense the environment and gather data. After receiving the request from a user, a sensor node transmits data to the user through a gateway.
(2) Users: If a user desires to acquire the data from a specific sensor node, he transmits a request to a gateway. This gateway confirms whether the request is valid and then forwards it to that specific sensor node.
(3) Gateway: A gateway acts as a virtual bridge connecting users and sensor nodes wirelessly. More specifically, a gateway establishes an effective session process between users and sensors.

3.2. Adversary Model

To analyze the security of an authentication protocol, we need to define an adversary model first. Two well-known adversary models, the Dolev-Yao (DY) adversary model [29] and the Canetti-Krawczyk (CK) adversary model [30], are widely used. The DY model assumes that an adversary can control messages transmitted through public channels and decrypt them with a known key. On the other hand, the CK model can verify whether the protocol has certain necessary security attributes. In this paper, we combine the characteristics of the DY model and the CK model and define an adversary model suitable for this paper. We assume that the adversary has the following capabilities.
(1) can extract messages stored in the smart card with power analysis after stealing it [31, 32].
(2) can intercept, modify, and replay the messages transmitted through public channels.
(3) can compromise a gateway and then obtain information stored in it [33, 34] and get the long-term key of the gateway [35, 36].
(4) can capture a sensor node and then obtain the sensitive information stored in it [37].

4. Revisit of Sadri et al.’s Protocol

The specific steps of Sadri et al.’s protocol [13] are as follows. Table 1 details the symbols used.

4.1. User Registration Phase
(1) first enters his own identity and selects a random number , calculates the pseudo-identity , and then transmits to through a secure channel.
(2) generates a temporary identity , calculates , and then stores in the smart card and in its own memory. Finally, transmits the information to .
(3) enters his password , calculates , , , and finally stores in the smart card.
4.2. Sensor Registration Phase

First, selects an identity for , calculates  =  using private key, stores in memory, and transmits to via a secure channel. stores in memory.

4.3. Login and Mutual Authentication Phase
(1) enters his own and and then calculates , , , . Next, compares the calculated with the stored in the smart card. If they are equal, further generates a random number and computes , , and then transmits to through a public channel.
(2) first calculates and then calculates through and and then queries in the database according to the calculated . Next, calculates and verifies whether the value of is equal to . If it is equal, the verification passes, and, thereafter, generates a random number and calculates , , , and then transmits to .
(3) first calculates , then calculates and checks whether it is equal to the transmitted . Next, generates a random number and then computes the session key , , , and then transmits to .
(4) calculates , obtains the session key , , and compares the calculated with the transmitted . Next, generates a new gateway pseudo-identity and updates , , , and then transmits to .
(5) calculates , and then verifies whether the calculated is equal to . If it is equal, replaces with where .

5. Cryptanalysis of Sadri et al.’s Protocol

Here we discovered that Sadri et al.’s protocol [13] has the following security issues. First, this protocol cannot complete a sensor node authentication process. Second, this protocol is still insecure against user impersonation attacks, stolen smart card attacks, and sensor capture attacks. Third, this protocol does not provide perfect forward secrecy.

5.1. Failure Sensor Node Authentication

In the login and authentication phase, sends to in Step 2. After that, computes . However, cannot know the value of , which is a pseudo-identity of . For this reason, the procedure terminates at this point.

5.2. Sensor Capture Attack

Assuming that captures and obtains the data stored in , also eavesdrops on and transmitted over a public channel, and then can calculate through the following steps.
(1) Obtain , by calculating .
(2) Obtain by calculating .
(3) After having , , , and , can calculate where .

5.3. Stolen Smart Card Attack

Assuming that steals the smart card of in some manner and then obtains stored in this smart card, also eavesdrops on and transmitted over a public channel. Now can calculate through the following steps.
(1) Obtain and by calculating .
(2) Obtain and by calculating  = .
(3) can now calculate .

5.4. User Impersonation Attack

Suppose obtains the private key of ; then derives some parameters from the obtained key in order to pretend to be a legitimate user and successfully authenticate with . The specific steps are as follows:

calculates with the obtained and then by decrypting with . With , , , and , can now act as a legitimate user to authenticate to . verifies that is equal to , and thus and are successfully mutually authenticated. Next, sends a message to , and verifies that is equal to . Because and are stored in ’s memory, , , and can be obtained by , and hence and are successfully authenticated. Similarly, in the process of sending information from to and the message from to , and can be successfully authenticated according to the above operations, and thus can complete the full mutual authentication after obtaining the key of .

5.5. Perfect Forward Security

Assuming that obtains in and eavesdrops on , , and through a public channel, then can obtain through the following steps:
(1) Obtain by calculating .
(2) Obtain , , and by calculating .
(3) Obtain and by calculating  = .
(4) Now can compute where .

6. Proposed Protocol

The protocol consists of four phases. The first phase is the predeployment phase, through which parameters required in the communication process can be deployed in advance. The second is the user registration phase, through which can become a legal user through some operations to communicate with . The third is the sensor registration phase, through which can set the parameters required for communication with in advance and then store them in memory. The fourth phase is the login and authentication phase, which can complete the key establishment process of and . The specific protocol steps are as follows.

6.1. Predeployment Phase

In this phase, each user needs to negotiate a key with . Assume that a user wants to join this system and has negotiated a key with . In our design, we assume that this key cannot be obtained by adversaries.

6.2. User Registration Phase

Assume that a user wishes to register to . Figure 2 displays the user registration phase. Messages transmitted in this phase are via a secure channel.
(1) selects an identity for himself, generates a random number , calculates the user’s pseudo-identity , and then sends to .
(2) first checks whether has been registered before and then generates a temporary identity for and calculates . After that, stores in a smart card and stores ’s pseudo-identity in its own memory. Finally, transmits this smart card to .
(3) enters his password , and then protects his password from being obtained by by calculating . Next, calculates , , , and finally stores in the smart card.

6.3. Sensor Registration Phase

Assume that a sensor node wishes to register with ; performs the following steps. Figure 3 illustrates the sensor registration phase. Note that all messages transmitted in this phase are via a secure channel.

first selects an identity for and then uses the ’s private key to protect the identity of to obtain the pseudo-identity of , which is . Finally, transmits to . After receiving these messages, stores the information in its own memory.

6.4. Login and Authentication Phase

Here we describe this phase between and with . The following steps are performed. Note that all transmissions in this phase are through a public channel. Figure 4 illustrates the architecture of this phase.
(1) first enters his and to log in and calculates , and then calculates ’s pseudo-identity from the calculated and then verifies whether is equal to the stored in the smart card. If they are equal, it proves that the legitimate user has successfully logged in. Next, generates a random number , calculates , , and then transmits to .
(2) first calculates and then obtains through a symmetric decryption operation. searches the database according to the obtained pseudo-identity of and then verifies whether is the same as the received . After that, generates and computes , , and . Finally, transmits to .
(3) first calculates to obtain , , and and then checks the legitimacy of by verifying whether is equal to . After that, generates and then computes . generates another random number and calculates and then calculates , . Now transmits to .
(4) first calculates and computes the random number . Then calculates the session key and verifies whether is equal to . If they are equal, starts to update ’s temporary identity. generates a new temporary identity , calculates , , , and transmits to .
(5) first decrypts with to obtain and then generates the session key . then verifies whether is equal to . Finally, updates to obtain and replaces with .

7. Security Analysis

Here we utilize the ROR model and BAN logic to demonstrate that our protocol is provably secure. We also show that our work is secure against various attacks.

7.1. ROR Security Analysis
7.1.1. ROR Model

Random Oracle (ROR) model [38] is widely utilized to achieve a formal security analysis of an authentication protocol. Theorem 1 proves the security of the session key in our protocol.

In our design, we define three entities: , , and . In the proof process, we assume that , , and are the -th user, -th gateway, and -th sensor node, and . Because can completely control a public channel, can intercept, modify, and delete messages transmitted through a public channel. In addition, can execute the following queries:
: can destroy messages shared between various entities.
: can transmit information to .
: By doing this, after entering a series of strings, can obtain a fixed value.
: By executing this query, can easily steal ’s smart card and extract the parameters stored in it.
: By executing this query, all the information stored in is exposed to .
: This operation is performed to verify the security of the shared secret key between and . A coin is tossed before the experiment. If the result is 1, the correct session key is returned; if the result is 0, a random number is returned.

7.1.2. Security Proof

Theorem 1. Suppose is an attacker running in polynomial time against the protocol we proposed under the ROR model. Here, is a uniform dictionary and is the number of bits of the key in the biometric information of . The advantage of in breaking our new protocol is as follows:
, , , and represent the query, query, the spatial range of the hash function, and the size of the unified dictionary, respectively.

To prove the security of the session key, we define four games ( = 0, 1, 2, 3); represents ’s victory in game . We start from and proceed to . The detailed procedure is as follows:
: In the initial game, does not need to perform any query operations and only needs to select bits; hence we obtain
: In this game, we simulate an eavesdropping attack. executes the query and then verifies whether is a random number or the real key by executing a query. The session key in the protocol; we assume that intercepts the messages , , , , and sent by and , but computing from the intercepted information alone is impossible; hence we obtain
: The third game adds the query and the operation to the second game. In this game, can use queries and operations to obtain some parameter information, and can fabricate some entity messages. To create authentic and credible messages , , , , and , must know the secret parameters , , , and , but these secret parameters are hidden in the hash function to prevent from stealing them. Based on the birthday paradox, we can draw the following conclusion:
: On the basis of the previous game, the and operations are added. can extract the information in the smart card and guess the password of based on the uniform dictionary. Without knowing the password of , it is extremely difficult for to obtain ; hence we arrive at

Because the session key is generated for mutual authentication between and , we obtain

After we sort the above equations, we obtain

So we can draw the final conclusion:

Based on the conclusions drawn above, it can be proved that our protocol can be secure against stolen smart card attacks and sensor capture attacks. Moreover, it has perfect forward security.

7.2. BAN Security Analysis

Burrows-Abadi-Needham (BAN) logic [39] is a method suitable for analyzing an authentication protocol. It mainly studies the security of the protocol and the logic of the structure. BAN logic has been applied to the security analysis of many protocols and achieved good results.

7.2.1. Rules for BAN Logic
Message-meaning rule (R1) .
Nonce-verification rule (R2) .
Jurisdiction rule (R3) .
Freshness rule (R4) .
Belief rule (R5) .
Session key rule (R6) .
7.2.2. Goals
G1 .
G2 .
G3 .
G4 .
G5 .
G6 .
G7 .
G8 .
7.2.3. Idealizing Communication
Mess1 : .
Mess2 : .
Mess3 : .
Mess4 : .
7.2.4. Initial State Assumptions
A1 .
A2 .
A3 .
A4 .
A5 .
A6 .
A7 .
A8 .
A9 .
A10 .
A11 .
A12 .
A13 .
7.2.5. Detailed Steps

By considering the message Mess1, we get

S1: .

Using S1, R1, and A1, we get

S2: .

Under the assumption of A2, using S2, R2 can be used to obtain

S3: .

With conclusion S3, using A3 and R3, the following can be obtained:

S4: .

Because , , we can get

S5: .

And because is generated by ,

S6: .

Because , using S4, S5, and S9, we obtain

S7: (G2).

With A3, A4, S7, and R4, we can get

S8: (G4).

By considering the message Mess4, we obtain

S9: .

By using S9, A5, and R1 we obtain

S10: .

With S10, using A6 and applying R2, we get

S11: .

Applying A8, S11, and R3, we have

S12: .

Because , using S11 and S13, we obtain

S13: (G1).

With conclusion S13, using A6, A7, and R4, we can obtain

S14: (G3).

By considering the message Mess2, we obtain

S15: .

By using S15, A9, and R1, we obtain

S16: .

With S16, using A11 and applying R2, we have

S17: .

Applying A12, S17, and R3, we obtain

S18: .

Because , and and are generated by S, we can get

S19: .

Using S18 and S19, we obtain

S20: (G5).

With S19, using A11 and R4 we can get

S21: (G7).

By considering the message Mess3, we obtain

S22: .

By using S22, A10, and R1 we obtain

S23: .

With S23, using A4 and applying R2 we have

S24: .

Applying A13, S24, and R3 we obtain

S25: .

Because , using S25, S4, and S6, we obtain

S26: (G6).

With conclusion S26, using A2, A4, and R4 we can obtain

S27: (G8).
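The BAN derivation above applies a fixed set of inference rules until the goals appear. As an added example (not the paper's own code), the following Python program implements the six rules named in Section 7.2.1 as a forward-chaining fixpoint and runs them over a constructed scenario with the same shape as steps S1 to S4 (a message is seen, then R1, R2 and R3 fire); the principal, key and nonce names are placeholders, not the paper's symbols.

```python
"""Forward-chaining BAN-logic checker (added example; not the paper's code)."""

# Formula constructors (nested tuples; plain strings are atomic terms).
def believes(p, x): return ("believes", p, x)    # P |≡ X
def sees(p, x): return ("sees", p, x)            # P ◁ X
def said(p, x): return ("said", p, x)            # P |~ X
def fresh(x): return ("fresh", x)                # #(X)
def controls(p, x): return ("controls", p, x)    # P ⇒ X
def shared(p, k, q): return ("shared", p, k, q)  # P <-K-> Q
def enc(k, x): return ("enc", k, x)              # {X}_K
def pair(*xs): return ("pair",) + xs             # (X, Y, ...)

def subterms(f):
    """Yield every tuple nested inside formula f, including f itself."""
    yield f
    for part in f[1:]:
        if isinstance(part, tuple):
            yield from subterms(part)

def step(kb):
    """Apply each rule once to knowledge base kb; return the new formulas."""
    new = set()
    bel = [(f[1], f[2]) for f in kb if f[0] == "believes"]
    # R4 lifts freshness only onto pairs already present, so the fixpoint is finite.
    pairs = {t for f in kb for t in subterms(f) if t[0] == "pair"}
    for f in kb:
        if f[0] != "sees":
            continue
        p, x = f[1], f[2]
        if x[0] == "enc":                         # R1 message-meaning (shared key)
            k, body = x[1], x[2]
            for (p2, b) in bel:
                if p2 == p and b[0] == "shared" and b[2] == k and p in (b[1], b[3]):
                    q = b[3] if b[1] == p else b[1]
                    new.add(believes(p, said(q, body)))
    for (p, x) in bel:
        if x[0] == "said":
            q, body = x[1], x[2]
            if body[0] == "pair":                 # Q said (X,Y) -> Q said X, Q said Y
                new.update(believes(p, said(q, c)) for c in body[1:])
            if believes(p, fresh(body)) in kb:    # R2 nonce-verification
                new.add(believes(p, believes(q, body)))
        elif x[0] == "believes":
            q, body = x[1], x[2]
            if body[0] == "pair":                 # Q believes (X,Y) -> Q believes X
                new.update(believes(p, believes(q, c)) for c in body[1:])
            if believes(p, controls(q, body)) in kb:   # R3 jurisdiction
                new.add(believes(p, body))
            # R6 session-key rule (restricted form): fresh K plus Q believing P<-K->Q.
            if body[0] == "shared" and believes(p, fresh(body[2])) in kb:
                new.add(believes(p, body))
        elif x[0] == "fresh":                     # R4 freshness: #(X) -> #((X,Y))
            new.update(believes(p, fresh(t)) for t in pairs if x[1] in t[1:])
        elif x[0] == "pair":                      # R5 belief rule: (X,Y) -> X, Y
            new.update(believes(p, c) for c in x[1:])
    return new - kb

def derive(kb, max_rounds=50):
    """Saturate kb under the rules (fixpoint) and return every formula."""
    kb = set(kb)
    for _ in range(max_rounds):
        new = step(kb)
        if not new:
            break
        kb |= new
    return kb

# CONSTRUCTED scenario shaped like S1 -> S4: GW sees a message from U under a key
# it believes it shares with U (A1), believes U's nonce is fresh (A2), and trusts
# U on the pseudo-identity it sends (A3). All names are placeholders.
U, GW, K, NONCE, PID = "U", "GW", "K_ugw", "r_u", "PID_u"
SCENARIO = frozenset({
    sees(GW, enc(K, pair(NONCE, PID))),      # S1: message seen
    believes(GW, shared(GW, K, U)),          # A1
    believes(GW, fresh(NONCE)),              # A2
    believes(GW, controls(U, PID)),          # A3
})

def ban_goals(kb=SCENARIO):
    """Report whether the S2..S4-style conclusions are derivable from kb."""
    facts, msg = derive(kb), pair(NONCE, PID)
    return {"S2_said": believes(GW, said(U, msg)) in facts,          # R1
            "S3_believes": believes(GW, believes(U, msg)) in facts,  # R4 + R2
            "S4_jurisdiction": believes(GW, PID) in facts}           # R5 + R3
```

Removing the freshness assumption A2 from SCENARIO still yields S2 but blocks S3 and S4, which is exactly the dependence on nonce freshness that the paper's steps S3 and S11 rely on.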

7.3. Potential Attacks
7.3.1. Withstands Stolen Smart Card Attack

We assume that obtains ’s smart card and the parameters in the smart card through power analysis. Although obtains these parameters, cannot obtain because calculating also requires . Therefore, cannot further decrypt and to obtain , , , and . It means that cannot calculate . Now we can say that our protocol can resist stolen smart card attacks.

7.3.2. Withstands Sensor Capture Attack

Assuming that captures the sensor and extracts the message stored in , now can obtain and with and the messages extracted from the sensor. However, cannot further obtain and because does not have . For this reason, cannot calculate through sensor capture attacks.

7.3.3. Withstands User Impersonation Attack

Suppose obtains key , but the shared key between and cannot be obtained; therefore, parameter cannot be obtained. Without , cannot obtain . Also, without , cannot decrypt to get and . It is obvious that our design can resist user impersonation attacks.

7.3.4. Perfect Forward Security

Assuming that obtains the long-term key of , still cannot obtain . Consequently, cannot obtain or further calculate . Now we can say that the proposed protocol provides perfect forward security.

7.3.5. Withstands Offline Password Guessing Attack

In the login and authentication phase, we assume that tries to guess . uses the guessed password to log in. Since does not know and , cannot verify whether is correct. Thus, our protocol effectively resists offline password guessing attacks.

7.4. Security Comparisons

Table 2 shows the security comparison between the proposed protocol and other related protocols. The outcomes reveal that other related protocols [13, 28, 40, 41] have various flaws in security, but our protocol can withstand different kinds of attacks.

8. Performance Comparisons

8.1. Experimental Setting

To investigate the performance of our work, we use a mobile phone (Honor 30S, CPU: HUAWEI Kirin 820, 8 GB), a notebook computer (MSI-GP63, CPU: Intel Core i7 8750H, 8 GB), and a desktop computer (Lenovo-M715E, CPU: Intel Pentium Dual-Core E5500, 2 GB) to simulate a user, a gateway, and a sensor, respectively. We use these devices to measure the execution time of hash functions, symmetric encryption, and point addition. Each operation was executed 10 times, and the average running time was calculated. Table 3 lists our experimental results. Here, we do not evaluate the XOR operation, since its running time is negligible compared with the other functions.

8.2. Performance Comparisons

First, the computation cost of our work was compared with related protocols [13, 28, 40, 41]. We emphasize the login and authentication phase since this phase is frequently performed. Table 4 shows the running times of these five protocols. , , , and denote the running times of hash functions, symmetric encryption, symmetric decryption, and point addition function individually.

As depicted in Table 4, in our protocol, the running time for a user is 17.2522 ms, which is higher than in Amin et al.’s protocol [40] and Wu et al.’s protocol [28]. Likewise, the running time for a gateway in our design is 16.213 ms, which is slightly higher than in Wu et al.’s protocol [28] and Chen et al.’s protocol [41]. However, the running time for a sensor in our design is 0.022 ms, which is clearly lower than in Wu et al.’s protocol [28] and Chen et al.’s protocol [41]. Overall, the total time consumed by the proposed protocol is 33.4872 ms, which is lower than Chen et al.’s protocol [41] and Sadri et al.’s protocol [13]. The running time of the proposed protocol is slightly higher than that of Amin et al.’s protocol [40] and Wu et al.’s protocol [28].

Furthermore, we consider the communication overhead. Assume that the output of a hash function is 256 bits, a random number is 160 bits, the identity is 160 bits, the symmetric encryption parameter is 128 bits, and a timestamp is 64 bits. As shown in Table 4, the communication cost of the proposed protocol is 6400 bits, which is higher than Chen et al.’s protocol [41] and Sadri et al.’s protocol [13].

We can observe that the proposed protocol does not have the best performance, but our design delivers better security than other protocols. We can say that our work has more practical significance for developing the IoT in the future. Figure 5 and Figure 6 show a comparison more intuitively.

9. Conclusions

IoT technology is constantly improving and updating. Protecting the security and privacy of data in IoT is an essential task. This paper demonstrated that Sadri et al.’s protocol has several security issues. To solve these issues, we proposed a new protocol and proved that it is provably secure using BAN logic and the ROR model, which better ensures data security during transmission. The performance evaluation indicates that the proposed protocol has reasonable computation and communication overhead and thus has more practical significance for developing the IoT in the future.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

The work was supported by Guangxi Key Laboratory of Trusted Software (no. KX202033).