Abstract
The wireless sensor network is a network composed of sensor nodes that self-organize using wireless communication technology. Applications of wireless sensor networks (WSNs) require high security, but the transmission of sensitive data may be exposed to an adversary. Therefore, to guarantee the security of information transmission, researchers have proposed numerous security authentication protocols. Recently, Wu et al. proposed a new three-factor authentication protocol for WSNs. However, we find that their protocol cannot resist key compromise impersonation attacks and known session-specific temporary information attacks. Meanwhile, it also violates perfect forward secrecy and anonymity. To overcome the proposed attacks, this paper proposes an enhanced protocol whose security is verified by formal analysis and informal analysis, Burrows-Abadi-Needham (BAN) logic, and the ProVerif tool. The comparison of security and performance shows that our protocol has higher security and lower computational overhead.
1. Introduction
With the development of artificial intelligence technologies [1–3], the application of sensors has become more common, and the demand for high-end sensors is also increasing day by day. Sensors have developed from wired sensors to today's wireless sensors, and wireless sensors are the most common category in daily applications. The wireless sensor network [4, 5] is a self-organizing network formed by multiple functional nodes through wireless communication. These functional nodes include a large number of sensor nodes and gateway nodes. Sensor nodes perceive, collect, process, and transmit information about the perceived object within the area covered by the wireless sensor network.
Wireless body area networks [6] usually place sensors on clothes or attach them to the human body; sensors can also be implanted under the skin to monitor the user's physical activities and the state of body functions. The physical health data monitored by the sensors are sent to the cloud server for storage and analysis through the Internet of Things (IoT). Users can view these data through the Internet and understand their physical condition, which enables early treatment of illnesses and reduces the number of deaths due to diseases. Wireless sensors are used in crop cultivation to monitor environmental factors such as humidity, temperature, and light that affect crop growth. The data monitored by the sensors are sent to the gateway node, which can forward the data to the user, who can then understand the growth status of the crops, improve the harvest, and increase the income of farmers. The data collected by wireless sensor networks, whether used in military, medical, or other environments, are sensitive and private [7–13], so it is important to establish a secure authentication mechanism. Figure 1 shows a typical architecture of a wireless sensor network.

In most authentication mechanisms of wireless sensor networks, there are three components: user, sensor node, and gateway node. This paper adopts such a structure: after the user logs in to the network, the data in the sensor are obtained through the gateway, and message authentication and key exchange are completed in this process. Since a WSN is an open network, using only the password as a factor for encryption and authentication leads to a large number of vulnerabilities. In 2009, Das [14] proposed a protocol for encryption and authentication in wireless sensor network environments with a password and smart card. In 2010, Khan and Alghathbar [15] observed that in the protocol [14], users could not update their passwords and would be subject to internal privilege attacks. To solve these security vulnerabilities, they improved the protocol based on [14]. Chen and Shih [16] believed that [14] had security flaws in mutual authentication. To solve these flaws, they proposed a mutual authentication protocol that could be robust in wireless sensor networks. Vaidya et al. [17] found that Das's protocol [14] could be attacked by stolen smart card attacks, password guessing attacks, and other attacks, so Vaidya et al. improved a two-factor authentication protocol in the WSN environment. In 2016, Vaidya et al. [18] believed that [14–16] would be subject to stolen smart card attacks and sensor impersonation attacks and proposed two-factor authentication based on key agreement in WSNs. Kim et al. [19] pointed out that [18] cannot resist gateway node bypass attacks and user impersonation attacks and eliminated these security flaws by improving the scheme. With the rapid development of WSNs, more and more two-factor schemes have been proposed for wireless sensor network environments [20–23].
To solve the security vulnerabilities in two-factor authentication (such as stolen smart card attacks and password guessing attacks), biometric data is added as the third factor to the authentication scheme of the wireless sensor network. In 2010, Yuan et al. [24] found that Wong et al.’s dynamic authentication scheme [25] was vulnerable to the threat of the same ID and the stolen-verifier attack. They proposed a scheme based on biometric user authentication in the wireless sensor network environment. In 2011, Yoon and Yoo [26] found that Yuan et al.’s scheme [24] would be subject to an insider attack and impersonation attack and also had message integrity problems. Then, they proposed a wireless sensor network authentication scheme based on the smart card and biometric without the password. In 2013, Althobaiti et al. [27] pointed out that Yoon et al.’s scheme [26] would be subject to denial of service attacks and proposed an efficient authentication protocol based on biometric for WSNs. In 2015, Das [28] proposed a three-factor user authentication scheme for distributed WSNs. In 2017, Das [29] also proposed a new user authentication scheme based on biometrics. In the same year, Maurya and Sastry [30] considered that [29] would be attacked by a stolen smart card and proposed efficient user authentication protocols for WSNs and the IoTs. In 2018, Wu et al. [31] believed that both [28, 29] had security vulnerabilities such as offline password guessing attacks, user impersonation attacks, and violation of perfect forward security and then proposed an improved three-factor scheme. In the same year, Das et al. [32] proposed an authentication scheme based on biometrics to protect user privacy in the cloud environment. Then, Ryu et al. [33] pointed out that [31] could not provide user anonymity and was also subject to user impersonation attacks. 
In 2019, Hussain and Chaudhry [34] found that [32] would be subject to the smart card stolen attacks and traceability attacks and could not provide perfect forward security. In the same year, Chen et al. [35] proposed an improved three-factor authentication scheme under the medical wireless sensor network.
Recently, Wu et al. [36] showed that [32, 35] were vulnerable to off-line password guessing attacks. Therefore, they proposed a new three-factor authentication protocol for wireless sensor networks in the Internet of Things setting and claimed that the protocol has higher security. However, we found that their protocol cannot resist key compromise impersonation attacks, violates perfect forward secrecy, cannot provide anonymity, and cannot resist known session-specific temporary information attacks. This paper presents an improved three-factor authentication protocol with provable security. Through formal analysis in the Real-Or-Random (ROR) model and informal analysis, the security of the protocol is proved. Further, we also prove the security through BAN logic and the ProVerif tool. The comparison of security and performance shows that the improved protocol has higher security and lower computational overhead.
The rest of this paper is organized as follows. Sections 2 and 3 give a brief review and cryptanalysis of the protocol proposed by Wu et al. Section 4 describes the improved protocol in detail. Section 5 gives the security proof of the improved protocol. Section 6 compares performance and security. Section 7 concludes the paper.
2. Review of Wu et al.’s Protocol
Wu et al.’s protocol [36] mainly includes two phases: registration and authentication and key exchange. The symbols and descriptions used in this paper are shown in Table 1.
2.1. Registration
Sensor Node Registration. Sensor selects its own identity and sends to gateway node . Then, selects as the master key and computes . Finally, sends to .
User Registration. User selects his own and sends it to the system administrator . Then, checks whether exists in its database. If it exists, the request is rejected. Otherwise, selects and computes , . The values are stored in a smart card SC and is stored in SA's database. Finally, sends SC to . Upon receiving the smart card, enters his , , selects , and computes , , , , and . Then, stores in SC and deletes from SC. Note that all communications in this phase take place over a secure channel.
2.2. Authentication and Key Exchange
inserts SC and enters , , and . Then, the smart card selects , and computes , , , , , , , , , . Finally, sends to .
first checks whether is valid. If it times out, the request is terminated. Otherwise, calculates , , and then searches for in its database. If it is not found, terminates. Otherwise, computes , , , and verifies . If the verification holds, selects and calculates , , and . Finally, sends to .
first checks whether is valid. If it times out, the communication is terminated. Otherwise, calculates and verifies . If the verification holds, selects , and computes , , and . Finally, sends to .
first checks whether is valid. If it times out, the communication is terminated. Otherwise, calculates , and verifies . If the verification holds, selects , and computes , , , and . Finally, sends to .
first checks whether is valid. If it times out, the communication is terminated. Otherwise, calculates , , , , and verifies . If the verification holds, computes and stores to the smart card and deletes the old .
After finishing the above steps, , , and can establish a session to communicate. Note that and are used in the next section.
3. Cryptanalysis of Wu et al.’s Protocol
In this section, we show that Wu et al.'s protocol [36] is subject to key compromise impersonation attacks and known session-specific temporary information attacks. Meanwhile, their protocol violates perfect forward secrecy and anonymity.
Here, we define the capabilities of adversary according to the literature [29, 35, 37].
(1) Messages transmitted over public channels can be eavesdropped, intercepted, modified, and replayed by
(2) may try to guess the user's password and identity in polynomial time
(3) may successfully steal the user's SC such that some important parameters can be obtained by
(4) may obtain the long-term key of each entity
Note that stealing the smart card and obtaining the long-term key are not performed at the same time in the attacks proposed below.
3.1. Key Compromise Impersonation Attacks
Key compromise impersonation attacks [38] mean that adversary knows the long-term key of one entity and tries to impersonate the other entity. Here, we assume that obtains the long-term private key of . After intercepting , can recover , , , , , , and .
In the following, we show that can impersonate to establish a session key with using the above values.
(1) intercepts and selects a random number and timestamp . Then, computes , , and sends to
(2) checks whether is valid. If it times out, the communication is terminated. Otherwise, calculates , , and verifies . The following steps are similar to the authentication phase in Subsection 2.2 except . Then, sends to
(3) checks whether is valid. If it times out, the communication is terminated. Otherwise, calculates = , , , , and verifies . It is easy to see that the verification holds
Thus, believes that he can establish a session key with (impersonated by ).
3.2. Violating Perfect Forward Secrecy and Anonymity
By an attack approach similar to that in Subsection 3.1, suppose that gets and intercepts , . Then, can recover and , where , , . In other words, Wu et al.'s protocol violates perfect forward secrecy and anonymity.
3.3. Known Session-Specific Temporary Information Attacks
Here, assume that the adversary gets the temporary value and intercepts . Then, can recover the current session key , where . Furthermore, can compute update values and by intercepting , , and , where .
In the next session, may intercept messages , , and to recover , . The session key can be computed by . Meanwhile, the newest updated values , can be computed. Thus, under a known session-specific temporary information attack, we can conclude that Wu et al.'s protocol not only violates "perfect forward secrecy" but also does not provide "backward secrecy."
4. Improved Protocol
In order to fix the security flaws we identified in Wu et al.'s protocol [36], an enhanced protocol is presented.
4.1. Registration
Sensor Node Registration. selects , and sends to via a secure channel. Then, calculates , , and stores in its database. Finally, sends to . After receiving , computes and stores in its memory.
User Registration. selects , and inputs his to compute and , where . Then, sends to via a secure channel. After receiving , checks whether exists in its database. If so, the relevant records in the database are deleted and must re-register. Otherwise, selects and computes , , and . Then, stores in and sends to via a secure channel. Meanwhile, is stored in 's database. After receiving , stores in .
The sensor node registration phase and the user registration phase are shown in Figure 2.

4.2. Authentication and Key Exchange
inserts and enters , , and . Then, can compute , , , to check whether is equal to . If the verification holds, generates , , and computes , , , , . Finally, sends to .
Upon receiving , first checks whether is valid. If it times out, the communication is terminated. Otherwise, finds the corresponding in its database according to and computes , . Then, checks whether equals . If not, the session is terminated. Otherwise, computes , and verifies . If the verification holds, generates , and computes , , , . Finally, sends to .
Upon receiving , first checks whether is valid. If it times out, the communication is terminated. Otherwise, computes , and verifies . If the verification holds, generates , and computes , , . Finally, sends to .
Upon receiving , first checks whether is valid. If times out, the communication is terminated. Otherwise, computes , and verifies . If the verification holds, generates and computes , . Finally, sends to .
Upon receiving , first checks whether is valid. If times out, the communication is terminated. Otherwise, computes , , and verifies . If the verification holds, is set as a session key used to communicate between , , and .
The authentication and key exchange phase is shown in Figure 3.

5. Proof of Security
5.1. Correctness by BAN Logic
In this subsection, we use BAN logic to show the correctness of our improved protocol. For the proposed protocol, we need to prove through rigorous logical analysis that , , and share a session key . The symbols and rules used in BAN logic follow [39–41].
5.1.1. Rules
(i) (Message meaning (M-M) rule): (ii) (Nonce verification (N-V) rule): (iii) (Jurisdiction rule): (iv) (Session key (S-K) rule):
5.1.2. Goals
(i): (ii): (iii): (iv): (v):(vi):(vii):
5.1.3. Idealize the Communication Messages
(i).(ii).(iii).(iv).(v)
5.1.4. Initial Assumptions
(i)(ii)(iii)(iv)(v)(vi)(vii)(viii)(ix)(x)(xi)(xii)(xiii)(xiv)(xv)(xvi)(xvii)(xviii)(xix)(xx)(xxi)(xxii)(xxiii)(xxiv)(xxv)(xxvi)
5.1.5. The Proof of our Proposed Protocol via BAN Logic
By , we have and further Based on , , and (Jurisdiction rule), we can obtain According to , it implies . By , , and (M-M rule), it implies . By , , and (N-V rule), we can obtain According to , , and (Jurisdiction rule), it implies According to , we have . By , , and (M-M rule), it implies . By , , and (N-V rule), we can obtain According to , , and (Jurisdiction rule), it implies
By , we have and further Based on , , and (Jurisdiction rule), we can obtain By , , and (S-K rule), it implies According to , we have . Based on , , and (M-M rule), it implies . By , and (N-V rule), we can obtain According to , , and (Jurisdiction rule), it implies Based on , , and (S-K rule), we have According to , we have . By , , and (M-M rule), it implies By , , and (N-V rule), we can obtain Based on , , and (Jurisdiction rule), it implies Since , is obtained. According to , , and (S-K rule), we can obtain .
By , we have and further . Based on , , and (M-M rule), we can obtain . By , and (N-V rule), it implies . Based on , and (Jurisdiction rule), we can obtain . According to , , and , it implies . Based on , , and (S-K rule), we can obtain . According to , , and (S-K rule), it implies .
By , we have Based on , , and (S-K rule), we can obtain According to , we have Based on , , and (M-M rule), it implies . By , , and (N-V rule), we can obtain . According to , , and (Jurisdiction rule), it implies .
By , we have Based on , , and (M-M rule), it implies . By , , and (N-V rule), we can obtain . Based on , , and (Jurisdiction rule), it implies . According to and , we can obtain . According to and , we can obtain .
5.2. Formal Security Analysis
In this section, we perform a formal security analysis of the improved protocol in the ROR model [42–48]. The proposed protocol involves three entities, , , and . We use , and to represent the th instance of , the th instance of , and the th instance of , respectively. Here, we define that adversary has the ability to issue the following queries. Note that .
(i) Execute(): if executes this query, it can obtain an entire communication record on the public channel
(ii) Send(, M): if executes this query, it can send to and receive the response from
(iii) : if executes this query, it can input to get its hash value
(iv) : if executes this query, it can get secret values of one party, such as some parameter stored in the smart card, the long-term secret key, or temporary information
(v) : if executes this query, it flips a coin . If , then gets the correct session key; if , gets a random string of the same length as the session key
Theorem 1. In the ROR model, assume that can make , , , , and queries. Then, the advantage of in breaking the proposed protocol in polynomial time is , where is the number of queries, is the number of queries, and are two constants [49], and is the number of bits of biometric information.
Proof. We prove this theorem through the sequence of games to . is defined as the probability that succeeds in , which is the probability that . The detailed simulations of the queries in real attacks are shown in Tables 2 and 3. The details are as follows.
Flip to start the game. is a game played without any queries. Therefore, we can get the probability of successfully breaking as
The difference between and is that adds the query. In , just gets messages , , , and . After is over, queries the session key through , but , and are all confidential to . Therefore, the probability of and is equal, that is,
The difference between and is that adds the query. According to Zipf’s law [49], we can get
The difference between and is that adds the query and deletes the query. According to the birthday paradox, we can get
In this game, we discuss the security of the session key in two cases. The first is to obtain the long-term private key of to verify perfect forward secrecy; the second is to get temporary information to verify whether known session-specific temporary information attacks can be resisted.
(1) Perfect forward secrecy. uses to try to get the private key of or uses or to try to get a secret value from the registration phase
(2) Known session-specific temporary information attacks. uses either or or to try to obtain the temporary information of the corresponding party
In both cases, can only compute the session key through Send and Hash queries. For the first case, if only knows the private key of , or a secret value of or from the registration phase, it cannot get the temporary information , and in . For the second case, we assume that gets , but and are kept secret. Similarly, if or is leaked, the session key cannot be calculated. Therefore, we have
In this game, uses to get the parameters stored in the and attempts to launch stolen smart card attacks and offline password guessing attacks. Suppose gets according to , and computes , , until . However, , , and are all confidential to . The probability that can guess the biometric information of bits is [50]. In Zipf's law [49], the probability of guessing the password is more than 0.5 when . Therefore, we get where and are constants depending on the size of the password space.
The purpose of this game is to verify whether the protocol can resist impersonation attacks. The difference between and is that when initiates a query to guess the session key, the game is terminated. Therefore, we have
Since the probability of success and failure is equal, the probability of successfully guessing the session key is
According to formulas (1) to (8), we can get
Thus, we have .
5.3. Informal Security Analysis
5.3.1. Replay Attacks
A replay attack resends a message that has already been sent, in order to launch other attacks that interfere with normal communication. First, if is replayed, the session key cannot be successfully established between the user and the sensor, because the message cannot be validated by , and further, because and are refreshed in each round. So, what happens when are replayed? If is replayed, the sensor passes the verification and establishes the same session key as in the previous round, but the user will not accept this message because or is updated every round. If or is replayed, the user will not pass the verification, and the session will be terminated for the same reason as for . Therefore, our improved protocol is resistant to replay attacks.
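The two gateway-side checks this subsection relies on, timestamp freshness and per-round refresh of the user's pseudonym, are illustrated below with a deliberately simplified model. This is added example code, not the paper's protocol: the message layout, the hash-based authentication value, the freshness window and the pseudonym update rule are all assumptions chosen for illustration.

```python
import hashlib
import hmac

# Assumed freshness window (seconds) for the timestamp check.
WINDOW = 5.0


def h(*parts: bytes) -> bytes:
    """Stand-in for the protocol's one-way hash function."""
    return hashlib.sha256(b"".join(parts)).digest()


def build_m1(secret: bytes, pid: bytes, t1: float):
    """Hypothetical user message M1 = (PID, T1, V) with V = h(secret || PID || T1)."""
    return pid, t1, h(secret, pid, repr(t1).encode())


class Gateway:
    """Gateway holding (pseudonym -> user long-term secret) records."""

    def __init__(self):
        self.db = {}

    def register(self, pid: bytes, secret: bytes) -> None:
        self.db[pid] = secret

    def verify_m1(self, pid: bytes, t1: float, v: bytes, now: float) -> str:
        # 1. Timestamp check: a stale message is rejected before any lookup.
        if abs(now - t1) > WINDOW:
            return "rejected: timestamp not fresh"
        # 2. Lookup of the pseudonym; a replayed M1 carries the previous
        #    round's pseudonym, which no longer exists in the database.
        secret = self.db.get(pid)
        if secret is None:
            return "rejected: pseudonym not found"
        # 3. Constant-time comparison of the authentication value.
        if not hmac.compare_digest(h(secret, pid, repr(t1).encode()), v):
            return "rejected: authentication value mismatch"
        # 4. Round accepted: refresh the pseudonym (assumed update rule).
        del self.db[pid]
        self.db[next_pid(pid, secret, t1)] = secret
        return "accepted"


def next_pid(pid: bytes, secret: bytes, t1: float) -> bytes:
    """Assumed pseudonym update computed identically by user and gateway."""
    return h(pid, secret, repr(t1).encode())


def demo():
    """Constructed scenario: a fresh M1, its replay, and a stale M1."""
    gw = Gateway()
    secret, pid = b"constructed-user-secret", b"pid-round-0"
    gw.register(pid, secret)
    m1 = build_m1(secret, pid, 1000.0)
    first = gw.verify_m1(*m1, now=1001.0)       # fresh, valid
    replay = gw.verify_m1(*m1, now=1002.0)      # same M1 resent
    pid2 = next_pid(pid, secret, 1000.0)        # user derives the new pseudonym
    stale = gw.verify_m1(*build_m1(secret, pid2, 1000.0), now=2000.0)
    fresh = gw.verify_m1(*build_m1(secret, pid2, 2000.0), now=2001.0)
    return first, replay, stale, fresh
```

Running `demo()` shows the replayed M1 failing on the pseudonym lookup and the stale M1 failing on the timestamp check, while the next genuine round is accepted.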
5.3.2. Privileged-Insider Attacks
In this paper, we specify that privileged insiders only have access to the content stored in the gateway database. In other words, privileged insiders can get , but to calculate sensitive information such as and , they also need to obtain private information such as and the gateway key , while . Therefore, our improved protocol is resistant to privileged-insider attacks.
5.3.3. Three-Factor Secrecy
The three factors are the password, the smart card, and biometric information. According to the previous analysis, and are the key parameters for launching an attack to compute the session key. Now, let obtain any two of the three factors.
(1) Password and smart card. Even if knows the password and can extract the parameters from , he cannot calculate and for any attack
(2) Password and biometrics. If gets the password and biometrics and wants to compute , he needs to know and . However,