Nowadays wireless sensor networks (WSNs) have drawn great attention from both industrial world and academic community. To facilitate real-time data access for external users from the sensor nodes directly, password-based authentication has become the prevalent authentication mechanism in the past decades. In this work, we investigate three foremost protocols in the area of password-based user authentication scheme for WSNs. Firstly, we analyze an efficient and anonymous protocol and demonstrate that though this protocol is equipped with a formal proof, it actually has several security loopholes been overlooked, such that it cannot resist against smart card loss attack and violate forward secrecy. Secondly, we scrutinize a lightweight protocol and point out that it cannot achieve the claimed security goal of forward secrecy, as well as suffering from user anonymity violation attack and offline password guessing attack. Thirdly, we find that an anonymous scheme fails to preserve two critical properties of forward secrecy and user friendliness. In addition, by adopting the “perfect forward secrecy (PFS)” principle, we provide several effective countermeasures to remedy the identified weaknesses. To test the necessity and effectiveness of our suggestions, we conduct a comparison of 10 representative schemes in terms of the underlying cryptographic primitives used for realizing forward secrecy.

1. Introduction

Currently, wireless sensor networks (WSNs) have become one of the most standard services employed in commercial and industrial applications and proved to be a leading area of research [13]. Like many advanced technologies, the original appliance of WSNs can be found in military and heavy industrial applications. In the 1950s, the first modern WSN—the Sound Surveillance System (SOSUS)—is developed by the United States Military and used for detecting Soviet submarines [4]. Nowadays, WSNs thrive in industrial and consumer applications, including machine health monitoring, environmental sensing, natural disaster prevention, and health care monitoring [57].

A wireless sensor network generally includes a central gateway node (GWN, so-called base station), a large number of circulating, self-directed and low powered devices named sensor nodes, and a set of end users. The GWN acts as a bridge between WSNs and the other networks and also a powerful data managing and processing center. Sensor nodes are multifunctional, energy efficient devices and are spatially distributed over the networks for caringly collecting, processing, and transferring data.

In many critical applications, remote users are usually keen on real-time accessing with sensor nodes [8, 9], yet if data queries are carried out by the gateway node, efficiency and accuracy might not be guaranteed over the long transmission path between GWN and the sensors. Accordingly, password-based user authentication proves to be a proper solution for this issue as its security, simplicity, and portability [1012]. That is, users are first authenticated by remote sensor nodes before being permitted to access data.

In 2006, Wong et al. [13] proposed the first password-based authentication scheme for wireless sensor networks that allows legitimate users to query sensitive information at every sensor of the network. However, shortly after this protocol was presented, Tseng et al. [14] and Das et al. [15] pointed out that Wong et al.’s scheme [13] is vulnerable to replay attack, forgery attack, and node capture attack separately, then an enhanced one based on smart card was firstly proposed by Das et al. [15]. Unfortunately, Khan and Alghathbar [16], Chen et al. [17], and Yeh et al. [18] pointed out some weaknesses in Das et al.’s scheme, such as suffering from impersonation attack, insider attack, and the violation of user anonymity and key agreement. Then some improvements are made in these works.

However, in 2013, Shi and Gong [19] found that Yeh et al.’s scheme [18] cannot achieve mutual authentication and user anonymity, then they proposed an efficient ECC-based authentication scheme for WSNs. At the same time, Khan and Alghathbar’s protocol [16] was also proven insecure against insider attack, smart card loss attack and forgery attack by Vaidya et al. [20] and Chen et al.’s scheme [17] was shown as vulnerable to impersonation attack, replay attack and GWN by passing attack in [21]. Later, Choi et al. [22] demonstrated that Shi and Gong’s scheme [19] is vulnerable to smart card loss attack and an enhanced scheme was given in [22]. Meanwhile, Xue et al. [23] presented a temporal credential-based two-factor (i.e., smart card and password) authentication scheme for WSNs. Although their scheme retains many admirable properties, there are some weaknesses being found by researchers [8, 11, 24], such as offline password guessing, insider, impersonation, and tracking attacks.

Quite recently, Li et al. [25] analyzed the security of Jiang et al.’s scheme [11] (an improvement based on [23]) and showed that their scheme suffers from user friendliness issue, desynchronization problem, and is inapplicable for WSN environments. Then a new scheme was proposed in [25]; however, in this paper, we reveal that Li et al.’s scheme [25] still fails to eliminate the security pitfalls of smart card loss attack and the violation of forward secrecy. At the same time, we find that the newly proposed schemes by Amin et al. [8] and Wu et al. [9] are prone to the same security defects with Li et al.’s scheme [25].

From the above analysis, it can be seen that many of the previous protocols are not much satisfactory. On the one hand, this is because the lack of necessary principles. Some principles that have been proven are still ignored in the design of the protocol, such as user anonymity principle [7] and perfect forward secrecy principle [26]. On the other hand, the protocol designers usually do not follow unified evaluation criteria, and they tend to emphasize the advantages of their new designed protocol, but ignore its inadequacies. Besides reporting the security flaws in [8, 9, 25], we also provide effective countermeasures and refinements to overcome these pitfalls, accordingly, examine the necessary of our suggestions.

Contributions. In this work, we mainly review and analyze three state-of-the-art authentication protocols proposed by Li et al. [25], Amin et al. [8], and Wu et al. [9]. And reveal that all these three schemes suffer from smart card loss issue and cannot achieve forward secrecy. Then we suggest several possible countermeasures to overcome these pitfalls. We also provide a comparison of 10 representative schemes for wireless sensor networks which emphatically considered how and with what technology did they realize forward secrecy. This illustrates the necessity and effectiveness of our suggestions and provides a better understanding of the exiting schemes.

Organization. The remainder of this paper is organized as follows. Section 2 reviews and demonstrates the pitfalls of Li et al.’s scheme. Section 3 cryptanalyzes Amin et al.’s protocol with proper countermeasures over discovered flaws. Section 4 describes the weaknesses of Wu et al.’s protocol and compares 10 representative schemes. The conclusion is made in Section 5.

2. Cryptanalysis of Li et al.’s Scheme

Earlier in 2018, Li et al. [25] presented a three-factor anonymous and efficient authentication scheme for wireless sensor networks. Although their scheme has many attractive properties, such as the provision of user anonymity and local password change, it still fails to attain many of the claimed goals. In this section, we will demonstrate that though Li et al. try to settle the user friendliness issue of Jiang et al.’s scheme [11], their solution leads to offline dictionary attack. And we also observe that Li et al.’s scheme cannot preserve forward secrecy, which is the most crucial goal for WSNs.

2.1. Review of Li et al.’s Scheme

In this subsection, we briefly revisit Li et al.’s scheme [25]. For ease of description, some intuitive notations and abbreviates are listed in Table 1 and will appear throughout this paper. Their scheme includes three main phases: registration, login and authentication, and password change. We will follow their presentations as close as possible.

2.1.1. Registration Phase

Before the registration phase of Li et al.’s [25] scheme, the gateway node defines a finite cyclic group = <> of order a large prime number . This group could be an elliptic curve group, or it could be a prime order subgroup of . Then GWN chooses two random numbers , as its master secret key and computes as its public key. Ultimately, GWN publishes and stores , securely.

Sensor Registration Phase. GWN chooses an identity and computes the secret key for each sensor node. Then, GWN embeds in the memory of and deploys it in the particular area.

User Registration Phase. When a user aims to acquire the sensitive information of remote sensor nodes, the following procedure is carried out by firstly.

(1) chooses an identity , a password , and a nonce and calculates . Then imprints his/her biometric on a specific device.

(2) GWN: .

(3) Once obtaining ’s registration request, GWN generates a random codeword and computes , where and . GWN further computes and and keeps , into a new smart card . At the same time, GWN stores in its database.

(4) GWN .

(5) When receiving the smart card, stores into it.

2.1.2. Login and Authentication Phase

In this phase, the following steps are performed by , , and GWN as well as negotiating a session key.

(1) inserts into a card reader and inputs on a specific device. Then computes and checks whether . If not, terminates the session. Otherwise, asks to input and and computes . Then checks whether . If it does not hold, rejects the session. Otherwise, chooses two random numbers and and then calculates , , , , , , and .

(2) GWN: .

(3) Upon receiving the login request, GWN computes and and verifies if is in the database. If not, the request is aborted. Otherwise, GWN computes , , , and and checks whether . If it does not hold, GWN terminates the session. Otherwise, GWN selects a random number and computes , , , , and

(4) GWN .

(5) When receiving the message, computes , , , and and checks whether . If not, the session is rejected. Otherwise, selects a random number and computes , , and .

(6) GWN: .

(7) After getting the response message, GWN computes , , and and checks whether . If not, GWN aborts the session. Otherwise, GWN calculates , , and .

(8) GWN .

(9) When receiving the response message, computes , , , and and checks whether . If it does not hold, terminates the connection. Otherwise, and establish a connection with a session key.

2.2. Cryptanalysis of Li et al.’s Scheme

A concrete and concise adversarial model is essential for a good design of user authentication scheme in wireless sensor networks. Though lacking of specification in Li et al.’s scheme [25], the following assumptions about the adversary’s capabilities are implicitly made in [25]:

(1) Two communication channels exist: one is a secure, or a private channel which is mainly used for registration; another is a public channel which acts on login and authentication phases. As in the conventional authentication protocols, the adversary is modeled to have full control of the public channel; i.e., can eavesdrop, intercept, and modify and redirect any transmitted messages between the communication parties [3, 6].

(2) The user-memorable identities and passwords are of low entropy and can be offline enumerated by at the same time within polynomial time.

(3) When considering truly multifactor authentication (i.e., the scheme is secure even if one or more factors are cracked [10]), it is rational to assume that may (i) learn a victim’s password such as phishing or shoulder surfing attacks, (ii) extract the secret parameters in the lost smart card by side-channel attack, or (iii) obtain a victim’s biometric information via malicious device, but cannot achieve all. Otherwise, it is a trivial case.

(4) To delineate the critical feature of forward secrecy, is allowed to corrupt any valid entities to obtain its longterm secret key(s). In addition, previous session key(s) may be revealed by as a possible reason of improper erasure [10, 27].

It is worth noting that the above adversarial model, following the existing works in [3, 6, 7, 10, 28], is one of the few ones that apply to multifactor authentication in WSNs. For the sake of user friendliness, many protocols allow their users to select his/her identity and password . However, the user usually chooses easy-to-remember identity (e.g., email, phone number) and password, which are of low entropy ( [29, 30]) and can be offline enumerated by within polynomial time. Besides, assumption (3) specifies truly three-factor security and assumption (4) is used to capture the crucial notion of forward secrecy when GWN or any sensor node is corrupted. In the following sections, our analysis will take account of these four assumptions.

2.2.1. Smart Card Loss Attack

In [25], Li et al. pointed out that Jiang et al.’s scheme [11] lacks timely detection mechanism, which means once a user inputs wrong identity or password unintentionally, the system will remain executing the following login and authentication phases. Undoubtedly, this interaction process will bring extra cost. In reality, it is a common accident as users usually involve in countless applications and manage various pairs of identity and password [7]. To solve this problem, Li et al.’s scheme [25] inserts a verification item in the smart card for the purpose of providing timely detection and performing password change without any interaction with the GWN. However, their modification goes back to the “security-usability” balance problem proposed by Huang et al. [12]; that is, it realizes local password change but brings offline dictionary attack. We illustrate this attack as below.

Step 1. chooses a pair () from , where represents the identity space and represents the password space.

Step 2. computes , where is extracted from the victim’s smart card and can be obtained by computing with the help of malicious device.

Step 3. verifies the correctness of () pair by checking whether the computed equals the extracted .

Step 4. repeats the above Steps ~ until the right values are found.

Besides the previous reasonable assumption (3), it should be pointed out that, in the registration phase of Li et al.’s scheme [25], imprints his/her biometric information on a specific device and simply submits the plain-text to GWN. Then, GWN employs the fuzzy commitment technology [31] and the generated to compute . In such situation, if a privileged insider, e.g., the administrator, has learned the user’s biometric information, she is able to complete the above offline guessing attack. Of course, she is able to impersonate the victim to login other applications as biometric characteristics cannot be easily changed.

For another, in order to realize user friendliness, most password-based authentication schemes (e.g., [8, 9, 11]) allow users to choose his/her own and , and Li et al.’s scheme is no exception. However, users usually tend to choose easy-to-remember and thus of low entropy identities and passwords, so that it is reasonable to make the assumption (2) that can offline enumerate all the () pairs within polynomial time. The running time of the above attack procedure is , where denotes the number of identities, denotes the number of passwords, and is the running time for Hash operation. Since and are very limited in practice (e.g., [29, 30]), our above attack is meaningful and poses a real challenge to user authentication protocols for wireless sensor networks.

2.2.2. The Violation of Forward Secrecy

WSNs are generally deployed in security-critical applications, such as battlefield surveillance and health care monitoring [7, 27, 32, 33]. The sensor nodes at risk had been driven: on one hand, due to the unattended environments and low-cost considerations, it is easier for an adversary to focus on sensors access to breakthrough success; on the other hand, sensors often perform extremely sensitive tasks and thus, they preserve sensitive information and exhibit greater attack surface. Consequently, sensor nodes are more vulnerable to serious attacks, so that an admired authentication scheme for WSNs ought to be guaranteed against node capture attack.

Unfortunately, Li et al.’s scheme [25] cannot resist against this severe node capture attack. Let us consider the following scenarios. In case a sensor node has been compromised by an adversary and the stored secret key can be extracted. This assumption is sound as made in assumption (4) and it is also implicitly described in Li et al.’s scheme [25]. With the extracted , can successfully obtain the previous session key between and any user , as follows.

Step 1. Eavesdrop and intercept the message sending from GWN to .

Step 2. Compute , , and .

Step 3. Intercept the message sending from to GWN.

Step 4. Compute .

Step 5. Intercept the login message sending from to GWN.

Step 6. Compute .

Step 7. Compute the previous session key as .

There are some points to be noted regarding the aforementioned attack. Firstly, the reason why we add Steps 5 and 6 is that these two steps are conducive to check the parameters though has already known . Then, it is not hard to see that only needs to eavesdrop over the public channel with simple computations to complete the aforementioned attack procedure. Consequently, the desirable security goal of perfect forward secrecy (PFS) cannot be attained by Li et al.’s scheme.

Despite considerable attention has been paid to forward secrecy issue, many prior works still explicitly or implicitly use an incorrect computation for the session key(s) (e.g., [8, 9, 21, 34]). This is mainly due to the violation of the “PFS principle” suggested in [26]: (i) public-key techniques are indispensable; (ii) at least two exponentiation operations are conducted on server side. Though Ma et al. [26] emphasize this principle on client-server architecture, after careful analysis, we find this “PFS principle” is suitable for WSN environments (i.e., three-party environment). In this cases, we will take GWN and sensors as server side, while keeping users as client.

Accordingly, elliptic curves cryptosystem (ECC) is a reasonable choice for overcoming this pitfall, whereas in their original scheme [25] Li et al. employ this mechanism to greatly attain user anonymity. To make a precisely modification, we assume to be and to be , where point is a generator mentioned before and , are two random numbers chosen by and separately. Note that GWN has no need to be involved in negotiating the session key. Then in this way, the session key can be recalculated as . As it is generated by session-variant random numbers and and computationally infeasible to guess from transmitted message due to discrete logarithm problem, Li et al.’s scheme [25] will be secure against node capture attack and provide forward secrecy perfectly after slight modifications.

2.2.3. Mistakes in the Proof

The emergence of BAN logic opens up a new chapter in the proof of user authentication protocol [35, 36]; it can not only be used to prove whether the protocol achieves some desired goals, but also be employed to find some defects in the protocol. However, there still are some problems in the application of BAN logic. On the one hand, BAN logic cannot prove whether the protocol achieves all security goals and desirable properties. For example, it cannot prove that the protocol resists against parallel session attack, denial-of-service attack, node capture attack, etc. On the other hand, the analysis of BAN logic depends on some basic assumptions and the initial hypotheses. If the initial hypotheses was not sound, the formal analysis will lead to erroneous conclusions.

In the formal proof of Li et al.’s scheme [25] with BAN logic, there are several minor problems. Firstly, Li et al. add a new logic rule, session keys rule:

However, it is better to explain the calculation method of and the key role of in . Otherwise, we cannot derive that believes and share from the upper part of the equation.

Secondly, we suggest that the initiative premises p13 and p14, i.e., GWN and GWN, respectively, should be derived from the translation messages, but not in the premises. Finally, they may ignore some details in the formal proof, such as in the D5, it is better to add GWN, which we cannot find in the assumption or derive from the front. It also can be seen that the correctness of the protocol cannot be guaranteed only by using the formal proof.

3. Cryptanalysis of Amin et al.’s Scheme

Recently, Amin et al. [8] proposed a lightweight protocol for IoT-enabled devices for cloud computing environments. The private information is usually stored in distributed cloud servers (e.g., sensors), so that distributed nodes are confronted with the same security threats of sensors in wireless sensor networks. After careful analysis, we find that though equipped with a formal proof and exhibiting great application prospects, Amin et al.’s scheme still cannot resist against smart card loss attack and also fail to provide user anonymity and forward secrecy.

3.1. Review of Amin et al.’s Scheme

Here we briefly review the scheme proposed by Amin et al. [8], an enhancement over Xue et al.’s scheme [37] and Chuang et al.’s scheme [38].

3.1.1. Registration Phase

The registration phase of Amin et al.’s scheme can be divided into cloud server registration and user registration.

Cloud Server Registration Phase. In this phase, any cloud server sends a self-chosen identity and random number pair to control server (CS). Then CS chooses a random number , computes , , and responds to securely. Finally, stores in the memory.

User Registration Phase. Firstly, a user chooses his/her identity , password , and two random numbers . Then computes , , and and sends to CS via secure channel. Upon receiving the registration request, the CS computes , , and with its secret key. Finally, CS replies a smart card with . After getting the smart card , computes and records , into it.

3.1.2. Login and Authentication Phase

In order to access remote server resources, a legal user inserts his/her smart card into a card reader and inputs , . Then the following steps are performed:

(1) SC computes , , , , and and verifies whether . If so, SC selects a random number and computes , , , and , where is ’s identity chosen by and is the current timestamp. Otherwise, SC terminates the session.

(2) .

(3) Upon receiving the login request, checks whether holds, where is ’s current timestamp and is the expected valid time interval. If it does not hold, rejects the connection. Otherwise, produces a random number and computes , .

(4) .

(5) Once receiving the message from , CS first checks the validity of time interval . If the verification holds, CS continues to compute , , , and and checks whether . If either of the above verification fails, CS terminates the procedure. Otherwise, CS keeps on calculating , , and and verifies whether the computed equals the received one. If not, CS aborts the session. Otherwise, CS chooses a random number and computes , , , , and .

(6) .

(7) While receiving the message from CS, computes , , , and and checks the condition holds or not. If it does not hold, terminates the connection. Otherwise, sends to via public channel.

(8) After receiving the response message from , computes , , , and and verifies whether . If so, successfully authenticates and and establish a session key .

3.2. Cryptanalysis of Amin et al.’s Scheme

The four assumptions made in Section 2.2 are also explicitly employed in Amin et al.’s work [8] when they analyze the security of Xue et al.’s scheme [37] and Chuang et al.’s scheme [38] and proof the safety of their scheme. Consequently, our following discussions will base on these four assumptions.

3.2.1. No Provision of User Anonymity

Nowadays, privacy concerns are attracting more and more attention among governments, organizations, and individuals, and anonymous privacy-preserving authentication protocols are of particular interest. This is because the violation of user anonymity, say the leakage of some user-specific (static) information, may facilitate a malicious adversary to track the victim’s current activities and login history [7, 39]. Generally, there are two kinds of user anonymity attributes, basic and advanced [7]: (i) user protection, which means cannot obtain the real of the user; (ii) user untraceability, which means is unable to tell who the user is and distinguish whether two communications are coming from the same user. In wireless sensor networks, the latter notion has been widely adopted (e.g., [4042]), so does Amin et al.’s scheme.

In 2014, Das et al. [43] firstly introduced a “dynamic ID technique” to achieve user anonymity: a user’s real is concealed in the session-variant pseudonym identities. Subsequently, many schemes (e.g., [25, 44, 45]) follow this technique, which are so-called “dynamic ID” schemes, and Amin et al.’s scheme [8] falls into this category. However, after careful analysis, we find that Amin et al.’s scheme cannot achieve user anonymity in practice. To be specific, in the login phase of their scheme, Amin et al. try to compute a pseudonym identity as a dynamic identity. On one hand, is specific to the legitimate user ; on the other hand, is kept static and transmitted in plain of all the ’s login messages .

Accordingly, this specific value can be seen as ’s “identification”, and thus can exploit it to identify and track in the whole system. To conduct the aforementioned attack, an adversary only needs to eavesdrop the transmission channel without other contact operations and computations. This well serves to show the violation of user anonymity on Amin et al.’s scheme [8], thereby contradicting their claim.

3.2.2. Smart Card Loss Attack

Amin et al. [8] showed that, in Xue et al.’s protocol [37], users’ passwords can be offline guessed once has somehow obtained (lost or stolen) the victim’s smart card and extracted the stored secret information. Then Amin et al. attempt to overcome this pitfall in their new proposed scheme. However, precisely the same deficiency still exits in Amin et al.’s enhanced version. Let us consider the following scenario, suppose that has obtained the secret parameters stored in ’s smart card (e.g., by side-channel attack [4648] and reverse engineering technique [49]), which is reasonable under assumption (3). Then can conduct the following procedure to guess ’s password.

Step 1. Choose a pair of () from the identity space and password space .

Step 2. Compute , , , , and .

Step 3. Verify whether the computed equals the extracted .

Step 4. Repeat Steps 1, 2, and 3 until finding the correct values.

Let and denote the size of and , and the time complexity of the aforementioned attack is , which is linearly associated with the running time of Hash operation and can be finished in a few days as the limited size of [29, 30].

Further, according to assumption (1), is capable of eavesdropping and intercepting the normal (previous successful) login message between and over the public channel. It is fair to assume that has already obtained the correct value of , then Step 2 might be changed to compute , , , and and compared the computed with the intercepted in Step 3. In this way, the time complexity of the above procedure reduces to , where the exclusive and concatenation operations are too small to overlook.

Note that both of the above two attacks are carried out offline without any interaction with the control server. Hence, there is no way for CS to find abnormality and the adversary can impersonate at anytime until CS revokes the victim’s smart card. All in all, our analysis demonstrates the feasibility of smart card loss attack on Amin et al.’s scheme [8].

3.2.3. The Violation of Forward Secrecy

As mentioned in Section 2.2.2, Amin et al.’s scheme [8] also subjects to node capture attack. In such cases, the captured nodes may enable an adversary to compromise communications between other noncaptured nodes or obtain previous session keys. We will show this pitfall in this subsection. Assume that a malicious adversary has compromised a cloud server and extracted the secret parameters stored in its memory, can recover the previous session key as follows.

Step 1. Intercept the message sending from to .

Step 2. Compute , where is extracted from the compromised node .

Step 3. Intercept the message sending from to .

Step 4. Compute .

Step 5. Compute the session key .

In light of and which are all correct values, manages to find the previous session key. Hence, the desirable property of forward secrecy can not be attained by Amin et al.’s scheme [8]. Similar to Li et al.’s scheme [25], this also due to the violation of “PFS principle”. Except the ECC technique mentioned before, we suggest this issue to be well addressed by introducing another high-efficiency technique, i.e., Chebyshev polynomials semigroup property (so-called chaotic maps).

For this property, given , , and , it is intractable to find , where is a variable and denote the integer degree [45]. Assume the control server chooses and writes a variable value in each user’s smart card in the registration phase. Then we slightly modify the random numbers to be and to be , and thus the session key can be calculated as . For higher security, it is better to involve other secret parameters such as , . In this way, the improvement of Amin et al.’s scheme [8] can achieve perfect forward secrecy based on computational Diffie-Hellman problem.

3.2.4. Mistakes in the Proof

Similarly, the security proof in Amin et al.’s scheme [8] does not capture realistic security threat. There are three main reasons: (1) The error of initial hypothesis. In the formal proof of Amin et al.’s scheme [8], they make an assumption A11: , which is the same as Goal 3. This demonstrates that the proof of Goal 3 is not necessary. (2) The wrong usage of logic rules. We take Step S2 as an example. This step is based on the message meaning rule and derives that believes said from A11 and S1. However, according to the message meaning rule, we cannot obtain this conclusion from A11. Hence, A11 should be changed to . (3) Using undefined new rules. Amin et al. [8] also employ a new session keys rule, but they did not give a definition of the new rule.

4. Cryptanalysis of Wu et al.’s Scheme

In this section, we will review and analyze Wu et al.’s scheme [9], which is a lightweight and relatively robust two-factor authentication scheme for wireless medical sensor networks. In [9], Wu et al. have found some security pitfalls in historical schemes and attempted to overcome all these flaws in the new proposed one. Besides, Wu et al. [9] use NS-3, a simulation tool to prove the security of their proposed protocol. Note that, the simulation process can only prove the validity of their protocol, including the viable communication between the sensor node and the user, the probable communication time, system size, etc. However, it can not prove whether their protocol resists against various known attacks. In the following section, we find Wu et al.’s improved scheme still fails to attain the most important goal of forward secrecy and is prone to user friendliness issue.

4.1. Review of Wu et al.’s Scheme

This subsection briefly reviews Wu et al.’s [9] scheme, which involves four critical phases: registration, login, authentication and password change, and a previous initialization. We simplify initialization phase in the registration phase.

4.1.1. Registration Phase

Initially, GWN is equipped with an identity and its own secret key . The registration phase is further divided into sensor node registration and user registration.

Sensor Node Registration Phase. Each sensor node chooses an identity and sends to GWN via a secure channel. Then GWN decides to deploy it in a sensor set numbered and computes the secret key . Finally, is injected to the memory of and is stored in the database of GWN.

User Registration Phase. In this phase, first selects an identity , a password , and a nonce , and then

(1) computes ;

(2) GWN: ;

(3) GWN checks if has already existed in the database. If so, it denies the registration request. Otherwise, GWN chooses a pseudoidentity and computes and and then stores in database;

(4) GWN : a smart card contains sensitive parameters ;

(5) after receiving the message, computes and inserts it into .

4.1.2. Login and Authentication Phase

conducts the following procedures to access sensitive information of the target sensor :

(1) inputs and to the smart card. Then computes and . chooses a random number and the required sensor node and further computes , , , and .

(2) GWN: .

(3) When receiving the message from , GWN first checks if is correct. If so, GWN computes , , and and verifies whether is in the database and . If either of the two verifications does not hold, GWN will terminate the session. Otherwise, GWN searches from the database, generates a random number , and computes , , , and .

(4) GWN .

(5) Once receiving the message, the corresponding node checks if is correct and computes and . Then verifies whether . If either is incorrect, rejects the session. Otherwise, generates and computes , , and .

(6) GWN: .

(7) Once received the response message, GWN computes , and checks whether . If so, GWN chooses a new pseudoidentity and calculates , , , , and .

(8) GWN .

(9) When receiving the response message, computes , , , and and verifies whether . If it is equal, computes and replaces with .

4.2. Cryptanalysis of Wu et al.’s Scheme

Due to its simplicity and admirable provision of user anonymity, Wu et al.’s scheme [9] exhibits great application prospects, and yet there are still some security pitfalls being overlooked by Wu et al. In the following, we will demonstrate that Wu et al.’s scheme [9] has some user friendliness issue and fails to achieve the critical property of forward security.

4.2.1. No Provision of User Friendliness

According to the collected data from Dashlane [56], “we are online hoarders” that the average user maintains over 107 accounts registered to one email address and this figure will rise to 207 by 2020. This statistical shows that users are creating and virtually stashing more online account information than ever, which leads to an insanely high number of accounts to manage. In that case, freely password change is a recommended practice, for users have to reset a forgotten password (an average of 37 accounts [56]) and the fixed password is definitely vulnerable. Moreover, users may make a slip in writing passwords or identities; the rapid response and decisive action are quite necessary for a user friendly authentication protocol.

Early in 1968, Robert Miller [57] published a classic paper about response time in man-computer conversational transactions, which pointed out that “response times exceed 10 seconds will completely lose the user’s attention”. In this way, locally secure password change, i.e., providing an explicit and secure process to verify the correctness of user-keyed password in smart card, is essential. That is, the smart card has no need to interact with remote server in user input and password changing phases. However, as stated above, both Li et al.’s scheme [25] and Amin et al.’s scheme [8] provide local password change, but their strategies introduce new vulnerabilities-offline dictionary attack.

Back to Wu et al.’s scheme [9], there is no verifier in the smart card, which means their scheme even cannot provide timely detection mechanism and reasonable password change. Fortunately, Wang et al. [10] introduced a “fuzzy verifier” technique to effectively solve this security-usability issue. In the following, we will take Wu et al.’s scheme [9] as an example to show this strategy. Firstly, submits to GWN in the registration phase. Then GWN computes mod and stores it in ’s smart card, where denotes the size of pool and . Assume and [29, 30], we can be assured that there have the possibilities of identity and password pairs to thwart the adversary from guessing out the correct password.

The same considerations can also be applied to Li et al.’s scheme [25] and Amin et al.’s scheme [8]. The large-scale candidates will effectively frustrate from random guessing the password by a brute force method as well as providing a timely detection of the mistyped identity or password.

4.2.2. The Violation of Forward Secrecy

Forward secrecy is an important property, for the unattended environment and security-critical applications in wireless sensor networks [7, 11]. In [9], Wu et al. explicitly stated that “the sensor nodes may be captured by the intruder”, which accords with assumption (4) made in Section 2.2. Under this statement, we find that Wu et al.’s scheme cannot achieve the forward secrecy. Once a sensor node has been compromised, the stored information might be obtained by and the following attacks can be launched.

Step 1. Intercept the message sending from to GWN and the message sending from GWN to .

Step 2. Compute , , where is extracted from the compromised node .

Step 3. Intercept the message sending from GWN to .

Step 4. Compute .

Step 5. Compute the session key .

The above attack demonstrates that once a sensor node has been captured, the previous sessions might be decoded. This is the same failure with Li et al.’s scheme [25] and Amin et al.’s scheme [8]. Besides the above two techniques (ECC cryptosystem and chaotic maps), we also suggest employing some other public-key cryptography techniques, such as Pairing [58] and RSA cryptosystem. Note that when using RSA cryptosystem to achieve forward secrecy, a new temporary RSA key must be generated by user side for each session [59].

To demonstrate the necessity and effectiveness of our suggestions, we provide a comparison of 10 recently proposed schemes by assessing whether they achieve forward secrecy and what main technology do they use. The result are shown in Table 2. One can see that only Das et al.’s scheme [52] successfully provides forward secrecy. This failure is mainly due to the fact that half of them (i.e., [8, 9, 51, 54]) only use Hash operation that are virtually impossible to provide forward secrecy (“PFS principle” [26]), yet the other 4 schemes (i.e., [25, 45, 50, 55]) that make use of public-key techniques (e.g., ECC, Chaotic maps, RSA) violate the principle that the random numbers must be generated by and separately and cannot be transmitted over the public channel.

5. Conclusion

In this paper, we first analyze three state-of-the-art authentication schemes presented by Li et al., Amin et al., and Wu et al., which are mainly applied to realize real-time data access for security-critical wireless sensor networks. We demonstrate that although their schemes are equipped with formal proof, they still suffer from smart card loss attack and fail to achieve some important properties of forward secrecy, user anonymity, and user friendliness. Our cryptanalysis results discourage the practical application of these three schemes and reveal some challenges in designing a robust scheme for WSNs. We then suggest several possible countermeasures on account of their weaknesses and provide a comparison of 10 representative schemes in terms of forward secrecy and key technology to demonstrate the necessity of our suggestions. For the future work, a natural direction is to employ our recommended technologies and countermeasures to design robust and efficient schemes for WSNs.

Data Availability

Data sharing is not applicable to this article as no new data were created or analyzed in this study.

Conflicts of Interest

The authors have declared that no conflicts of interest exist.


This research was partially supported by the National Natural Science Foundation of China (NSFC) under Grants no. 61472016 and no. 61772548, the National Key R&D Program of China under Grants no. 2016YFB0800603 and no. 2017YFB1200700, and the Foundation of Science and Technology on Information Assurance Laboratory No. KJ-17-001.