A Provably Secure Anonymous Authenticated Key Exchange Protocol Based on ECC for Wireless Sensor Networks

Zhang, Ke; Xu, Kai; Wei, Fushan

doi:https://doi.org/10.1155/2018/2484268

Wireless Communications and Mobile Computing

On this page

Abstract Introduction Conclusions Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Rethinking Authentication on Smart Mobile Devices

View this Special Issue

Research Article | Open Access

Volume 2018 | Article ID 2484268 | https://doi.org/10.1155/2018/2484268

A Provably Secure Anonymous Authenticated Key Exchange Protocol Based on ECC for Wireless Sensor Networks

Ke Zhang,^1,2Kai Xu,³and Fushan Wei²

Academic Editor: Ding Wang

Received22 Jan 2018

Revised07 Apr 2018

Accepted19 Apr 2018

Published16 Jul 2018

Abstract

In wireless sensor networks, users sometimes need to retrieve real-time data directly from the sensor nodes. Many authentication protocols are proposed to address the security and privacy aspects of this scenario. However, these protocols still have security loopholes and fail to provide strong user anonymity. In order to overcome these shortcomings, we propose an anonymous authenticated key exchange protocol based on Elliptic Curves Cryptography (ECC). The novel protocol provides strong user anonymity such that even the gateway node and the sensor nodes do not know the real identity of the user. The security of the proposed protocol is conducted in a well-defined security model under the CDH assumption. Compared with other related protocols, our protocol is efficient in terms of communication and enjoys stronger security. The only disadvantage is that our protocol consumes more computation resources due to the usage of asymmetric cryptography mechanisms to realize strong anonymity. Consequently, our protocol is suitable for applications which require strong anonymity and high security in wireless sensor networks.

1. Introduction

1.1. Background

As an important part of Internet of things, wireless sensor networks (WSNs) draw more and more attentions from the industrial and the researchers. Typically, a WSN is composed of numerous tiny sensor nodes. These sensor nodes can be deployed in unattended or hostile environments to collect valuable data of interest. For example, a large amount of visual data such as images and videos can be collected by visual sensor nodes [1]. These nodes have the characteristics of easy deployment, low cost, and high mobility [2]. Due to these merits, WSNs are very useful in many application scenarios, such as natural disaster prevention, machine health monitoring, air temperature monitoring, health care monitoring, and battlefield surveillance.

Usually, the data collected by the sensor nodes will be transmitted to and aggregated by a gateway node periodically. Whenever a user wants to get access to the aggregated data from the gateway node, he will authenticate himself to the gateway node. However, in some application scenarios such as health care monitoring and battlefield surveillance, users have great needs to access the data directly from the sensor nodes. Under such circumstances, the user first sends a request to the gateway node for accessing the real-time data. The gateway will authenticate whether the user is valid or not. If the user is valid, a common session key will be established between the user and the sensor node with the help of the gateway node. The session key can later be used to protect confidentiality and integrity of the data [3].

1.2. Related Work

In order to address the security aspects under the above-mentioned application scenario, many authentication protocols are proposed [4–7]. In 2009, Das [8] proposed a two-factor user authentication protocol, which is claimed to have strong authentication and session key establishment and achieves efficiency. Unfortunately, Khan et al. [9] soon found that Das’s protocol is vulnerable to the gateway node bypassing attack and the privileged-insider attack. Besides, Das’s protocol also fails to provide password update and mutual authentication. Khan et al. also presented an improved protocol to fix the susceptibilities of the original protocol. In 2011, Yeh et al. [10] pointed out several weaknesses of Das’s protocol. They also design an ECC-Based authentication protocol to meet the needs of applications with higher security requirements. In 2013, Xue et al. [11] proposed a temporal-credential-based mutual authentication scheme among the user, the gateway node, and the sensor node. A credential is issued by the gateway node to each user for authentication. Their protocol only involves lightweight operations such as XOR and hash and is suitable for resource-constrained WSNs. Nevertheless, He et al. [12] soon pointed out that Xue et al.’s protocol is vulnerable to the offline password guessing attack, the user impersonation attack, the sensor node impersonation attack, and the modification attack. They also proposed an improved temporal-credential-based protocol to remedy the weaknesses. Yuan et al. [13] proposed an authentication scheme for WSNs based on pubic key mechanism and biometric characteristics of the user to realize strong authentication. In 2014, Wang et al. [14] analyzed two authentication schemes for WSNs and demonstrated several loopholes. They also investigate the underlying rationale of the security failures and put forward three basic principles for designing secure authentication protocols in WSNs. In 2016, Shen et al. [15] proposed an efficient multilayer authentication protocol and a secure session key generation method for WSNs. They also designed a one-to-many group authentication protocol and a certificate-less authentication protocol, which is of independent interest.

Recently, researchers begin to focus on user’s privacy protection in WSNs. Wu et al. [16] proposed an anonymous authentication scheme based on ECC for WSNs with formal security proof. Jiang et al. [17] designed an anonymous lightweight three-factor authentication scheme for WSNs. The security of their protocol is conducted using ProVerif. Wang et al. [20] put forward a new authentication which can resist all known attacks for WSNs. Moreover, they explore the design principle of authentication schemes. They also designed a biometric-based authentication scheme and proved its security using the Burrows-Abadi-Needham (BAN) logic [18]. Li et al. [19] proposed a three-factor anonymous authentication scheme for WSNs. They use fuzzy commitment to deal with the user’s biometric template.

1.3. Motivation and Contribution

Until now, there are many authentication protocols designed for protection of security and privacy when accessing real-time data in WSNs. However, there are still some problems which are not solved. Firstly, most of these protocols only have informal heuristic security arguments. It is quite common such that a protocol which is claimed to be secure is soon found to be vulnerable to several attacks. What is worse, the improved protocol still has many vulnerabilities. Secondly, the existing protocol pays little attention to user’s privacy. Only few protocols provide user anonymity and these protocols only achieve weak anonymity; i.e., the real identity is hidden to an adversary but is known to the gateway node and sometimes even the sensor node knows the real identity of the user. Last but not least, the existing protocols rely on efficient XOR, symmetric encryption, and hash operations to provide better efficiency. Although these protocols can meet the characteristics of constrained storage, computation, and communication capabilities of sensor nodes, they fail to provide strong security guarantee. For security-critical applications such as battlefield surveillance, security and privacy are more important than the computation and communication efficiency.

In this paper, we investigate the design of anonymous and strongly secure authenticated key exchange protocol in WSNs. We propose an efficient authenticated key exchange protocol for the scenario in which the user wants to access the real-time data directly from the sensor node. The novel protocol has the following advantages. First of all, our protocol enjoys formal security proof in a well-defined security model. The security is conducted in the random oracle model under the CDH assumption. Second, our protocol provides the strongest anonymity in the sense the real identity of the user is only known to himself. Neither the gateway node nor the sensor node can obtain any information of the user’s identity, not to mention the adversary. Thirdly, our protocol achieves more security attributes than other related protocols. Consequently, it is more secure than other related protocol and is particularly suitable for security-critical applications in WSNs. The only disadvantage is that it needs more computation resources. However, security and privacy are more important than the computation efficiency in security-critic application. So our protocol is suitable for security-critical applications in WSNs.

The rest of the paper is organized as follows. In Section 2, we present the security model and some preliminaries. We describe the details of the proposed protocol in Section 3. The security proof is given in the random oracle model in Section 4. The performance comparison with other related protocols is summarized in Section 5. We conclude this paper in Section 6.

2. Security Model

In this section, we briefly recall the security model presented in [21, 22]. The security of our protocol will be conducted in this formal security model.

Protocol Participants. The participants of an authentication and key exchange protocol for real-time data retrieval in WSNs involves users , a gateway node , and a sensor node . Each user registers with the gateway node and each sensor node shares a common secret key with the gateway node.

Protocol Execution. All the participants are modeled as a PPT Turing machine. The i-th instance of a participant is denoted by . All the communication channels are managed by a probabilistic polynomial time adversary . The adversary can intercept, delay, modify, and even forge a message at will. The capabilities of the adversary are captured through oracle queries. The adversary can make the following oracle queries:(i): the execution query captures the passive eavesdrop ability of . In reply to this oracle query, will get all the transcripts of the authentication instance executed among a user instance , a gateway node instance , and a sensor node instance .(ii): the send query captures the active attack ability of . Through the query, sends a modified or forged message to instance in the name of another participant instance. will get the message generated by the participant instance upon receiving the message according to the description of the protocol. The participant can be a user, a gateway node, or a sensor node.(iii): this query captures the compromise of the user’s password. The adversary only gets the password of the victim user; it can neither control nor compromise the credential of the user.(iv): this query captures the compromise of the user’s terminal. The adversary can extract the credential issued by the gateway node and control the victim user’s terminal. However, the password of the user is still unknown to .(v): this query captures the compromise of a sensor node . The adversary will get the secret key and control the sensor node through this query.(vi): this query can only be asked to a user instance or a sensor node instance. If the instance accepts the session and generates a session key, will get the session key. Otherwise, will get the symbol which means the instance does not hold a session key.(vii): this query does not capture any real attack ability of but is used to measure the security of the session key held by instance . Upon receiving this query, the simulator will flip a coin . If the result is 1, then it returns the real session key to . If the result is 0, the simulator will send a random session key of the same length with the real session key to . has to distinguish if the key is real or random. In other words, has to guess the coin flip result.

The session identification (sid) is defined as the transcripts shared between a user instance and a sensor node instance. The partner identification (pid) of an instance is defined to be the participant with whom the instance wants to establish a common session key. We say a user instance and a sensor node instance are partners if the following conditions are satisfied: these two instances both accept and generate the same session key; these two instances share the same sid; the pid of is and the pid of is ; and no other instances accept the same sid with and .

If the adversary asks both and , the user is said to be fully corrupted. When defining the AKE security of the session key, we do not consider the corruption of the gateway node. This is because once the gateway node is corrupted; there is nothing we can do to guarantee the security of the protocol. A user instance or a sensor node instance is said to be fresh if does not send queries to the instance or its partner; and the user or the sensor node is not fully corrupted by .

AKE Security. The security of the session keys is captured by the AKE security. The adversary is restricted to ask queries to fresh instances only; otherwise the adversary can trivially win the attack game. The adversary is given access to all the oracle queries; the only restriction is that only can ask one query to a fresh instance. The adversary needs to guess the hidden bit used by the simulator when answering the query. If correctly guesses the random bit, then we say wins the AKE security game. We denote this event by . With respect to the distribution of the passwords, we use the Zipf’s law put forward by Wang et al. [21] instead of assuming a uniform distribution. The adversary ’s advantage in attacking the AKE security of a protocol , when passwords are chosen according to the Zipf’s law of a dictionary , is defined as follows:

An authentication and key exchange protocol is said to be AKE secure if for all PPT adversary , the advantage is only negligible larger than , where and are Zipf parameters and is the number of active attack sessions. Moreover, and are constants depending on the password data set and can be calculated by linear regression.

3. Description of the Protocol

In this section, we describe the proposed anonymous authenticated key exchange protocol based on ECC for WSNs. The most important benefit of ECC is that it provides the same level of security with a smaller key size compared to other cryptography mechanisms such as RSA. So it suits the needs of the resource-constrained nature of the WSN. Our protocol has three phases: the setup phase, the registration phase, the authentication, and key exchange phase. The detailed steps of each phase are described in the following. The symbols used in this paper are summarized in Table 1.

3.1. The Setup Phase

Let be a large prime and be a finite field of prime order . Let be an elliptic curve cryptosystem satisfying the equation such that and . The set of rational points in over finite field is denoted by . More precisely, , where is the point at infinity. Let be a cyclic group generated by , where has a large prime order . These parameters are the system parameters and can be chosen by a trusted third party or the gateway node. The gateway node () chooses a random number as his private key and computes the corresponding public key . The public key is published in the whole network. Define six hash functions such that , , , where is the security parameter. All these parameters are available to all the entities in the WSN.

3.2. The Registration Phase

If a user wants to access the data collected by the sensor nodes in the WSN, has to register himself to the gateway node. For a pictorial illustration of the user registration, please refer to Figure 1. The detailed steps are described in the following.

Step 1. The user randomly chooses his identity and his password from the password dictionary. sends his identity to the gateway node through a secure channel.

Step 2. When the gateway node receives the registration request from the user, verifies the validity of the identity . If it is valid and there is no other user in its database registers using the same identity, first computes the credential . Then chooses a random number and computes and , where , . At last, sends the registration message to the user through a secure channel.

Step 3. When the user receives the registration message from , will verify the validity of the message. computes , , and . verifies whether is equal to or not. If the verification is successful, will accept as a valid credential. Finally, computes and then stores his password-protected credential in his terminal.

The registration of the sensor node is rather simple compared with the user registration. The sensor node sends the registration request to the gateway node through a secure channel. Upon receiving the request, the gateway node will compute a symmetric key and send the symmetric key to through a secure channel.

3.3. The Authentication and Key Exchange Phase

Suppose a user wants to get the real-time data from the sensor node , has to execute the authentication and key exchange phase with the gateway node and the sensor node . During this phase, the user , the gateway node , and the sensor node will authenticate each other. At the end of this phase, a session key will be established between and to protect the upcoming data transmission. The detailed steps of the authentication and key exchange phase are described as follows. For a pictorial illustration, please refer to Figure 2.

Step 1. The user types his password to his terminal. The terminal will compute and recovers the credential from the stored . then chooses a random number and computes . defines the label of this session as . chooses three random numbers and computes , , , , and . Finally, sends the message to the gateway node .

Step 2. Upon receiving the message from the user, needs to authenticate the user . computes , , and . checks whether is equal to or not. If the verification is successful, authenticates the user and believes the user is a valid user. then computes the shared key with the sensor node and the authenticator , where is the current timestamp of . Finally, send the message to the sensor node .

Step 3. Upon receiving the message from at time , the sensor node first checks whether , where is the expected time interval for the transmission delay. If this is true, then verifies the validity of the authenticator using its private key . If the authenticator is valid, chooses a random number and computes . then computes the authenticator , where is the current timestamp of . computes the Diffie-Hellman key and the session key . Finally, sends the message to the gateway node .

Step 4. Upon receiving the message from at time , first checks whether , where is the expected time interval for the transmission delay. If this is true, then computes the shared key with the sensor node and verifies the validity of the authenticator . If the verification is successful, computes and signs the random number using his private key ; the signature is denoted by . Finally, sends the message to the user .

Step 5. Upon receiving the message from , first verifies the validity of the signature . computes the random number and checks if is a valid signature for singed by . If the verification is successful, computes the Diffie-Hellman key and the session key . will accept the session and wait for the upcoming communication.

4. Security Proof

In this section, we present the security proof of our protocol. The security proof is conducted in the security model presented in Section 2.

Theorem 1. Suppose is the anonymous authentication and key exchange protocol for WSN described in the previous section and is a PPT time adversary against the AKE security of who runs in time and makes at most queries of Send oracle to different instances. If the signature scheme used in our protocol is existential unforgeable against adaptive chosen message attacks, the hash functions are all modeled as random oracles; then under the CDH assumption, the advantage of the adversary in violating the AKE security of the protocol is at most

Proof. We use the hybrid experiments technique to prove Theorem 1. These hybrid experiments start with the real attack scenario. We gradually change the simulation rules in each experiment. In the last experiment, the advantage of the adversary in distinguishing the session key is negligible. We also estimate the advantage difference of the adversary between two hybrid experiments and the advantage of the adversary in breaking the AKE security can be calculated. We denote the adversary’s advantage in hybrid using .

Experiment . This is the real attack scenario defined in the security model. In this experiment, the adversary has access to all the oracles. According to the definition of ’s advantage, we have the following result:

Experiment . In this experiment, we simulate all the hash function by maintaining hash lists using the following rules:(i)On a query , if a record exists in , then return . Otherwise, the output is chosen according to the following rule: . if , choose a random element from . Then add the record to . if , choose a random element from . Then add the record to . if , choose a random element from . Then add record to .

In addition to these lists, we also simulate six private hash oracles by maintaining hash lists . We will use these private hash functions in the following hybrid experiments. It is well known that a hash function can be simulated perfectly in PPT time using the above rules; thus, we have

Experiment . In this experiment, we cancel the sessions if some unlikely collisions occur in these sessions. To be more specific, if some collisions occur in the simulation of the hash functions or on the transcripts of , we will terminate the session and let the adversary win. Based on the birthday paradox, we have the following result:

Experiment . In this experiment, we modify the simulation rules of sessions by queries. Whenever we need to compute the session key in a passive session, we use the private hash oracle instead of . Moreover, the Diffie-Hellman key is not used as an input. In other words, the session key of a passive session is computed as . The adversary can distinguish the experiment and the previous experiment if and only if the adversary sends a hash query to the hash oracle in which is generated in a passive session and . However, if the adversary can issue such a query, we can use the ability of the adversary to solve the CDH problem.

Given a CDH instance , we can embed the instance to all the passive session using the self-reducibility of the CDH problem. In order to do so, we choose four random numbers for each passive session. In simulation the transcripts, we simply set and . All other transcripts are simulated as usual until the computation of the session key. The session key is computed as . If an adversary can distinguish between this experiment and the previous one, then a query must be issued to the hash oracle . We can compute the Diffie-Hellman value of by selecting a random record in and computing .

Under the intractability assumption of the CDH problem, we have

Experiment . In this experiment, we begin to deal with the active sessions. For a query, if the signature is a valid signature for this active session, we simply terminate the simulation and let the adversary win. Since the user is honest in this session, the message is generated by the user . Besides, we cancel the experiment in which the collision occurs in the output of the hash functions and the transcripts in , so the signature is valid if it is a signature for the random number . The adversary wins the game in this experiment if and only if a new signature is forged. The signature scheme used in our protocol is existential unforgeable against the chosen message attacks, so the advantage of the adversary in forging a signature for a new random number is negligible. It is obvious that

Experiment . In this experiment, we continue to deal with the active sessions. For a query, if the sensor node is uncorrupted, the timestamp is within the transmission delay and is a valid authenticator; then we simply terminate the simulation and let the adversary win the attack game. Since the sensor node is uncorrupted, the symmetric key is unknown to the adversary. Moreover, the timestamp makes the replay attack impossible. The adversary can only produce a valid authenticator by issuing a query to the hash oracle or the adversary correctly guesses the output of the hash function without asking the corresponding message. and are two random values chosen from ; the success probability of the adversary is negligible. Consequently we have the following equation:

Experiment . In this experiment, we deal with the active sessions once again. For a query, if the timestamp is within the transmission delay and is a valid authenticator, then we simply terminate the simulation and let the adversary win the attack game. Since the gateway node is not allowed to be corrupted, the symmetric key is unknown to the adversary and the timestamp ensures the adversary cannot replay an old authenticator. The adversary can only produce a valid authenticator by issuing a query to the hash oracle or the adversary correctly guesses the output of the hash function without asking the corresponding message. and are two random values chosen from ; the success probability of the adversary is negligible. Similarly with the previous experiment, we have

Experiment . In this experiment, we change the simulation rule of queries for the last time. For a query, the gateway node will first check the validity of the credential proof. If the credential proof is valid and the message is forged by the adversary, we then terminate the simulation and the adversary is claimed successful. However, the success probability of the adversary in producing a fake proof is bounded by the presentation of an algebraic MAC. With a similar analysis with [23], we get the following result:

In the last experiment, we can see that all the session keys of passive sessions are chosen randomly from the domain and all the active sessions are terminated without accepting. The only way for the adversary to succeed is to steal the terminal of the user and recover the credential by guessing the password. The adversary has to verify the correctness of the recovered credential by executing the protocol. Consequently, we have

5. Performance Analysis

In this section, we evaluate the computation and communication costs and the security attributes of our protocol with other related protocols with user anonymity [16–19]. In terms of computation, let “” denote the time of one modular exponentiation computation, “” denote the time cost of one point multiplication computation on elliptic curve, ‘” denote the time of one hash function computation, and “” denote the time of one symmetric encryption/decryption operation. According to [24], , , , and . Moreover, we only evaluate the computation cost of the authentication and key exchange phase because the registration phase is a one-time job. In terms of communication cost, we assume the length of the identity is 32 bits, the secure parameter is 160 bits, the length of the timestamp is 64 bits, an element of cyclic group of ECC can be represented with 320 bits, and an element of cyclic group of RSA can be presented with 1024 bits. We also instantiate the signature scheme using the famous ECDSA signature scheme [25]. The performance of communication and computation is summarized in Table 2. We can see from Table 2 that our protocol is inefficient in terms of computation. However, the communication performance of the compared protocols is more or less the same. The computation cost of our protocols mainly arises from the strong user anonymity; i.e., no one except the user knows his real identity in our protocol, while the gateway node knows the user’s real identity in other protocols.

Table 3 summarizes security properties of the proposed protocol with related protocols. It can be seen from Table 3 that our protocol provides all the security features. Moreover, our protocol is the only one which provides strong user anonymity and formal security proof. Considering the computation cost, communication cost, and security attributes as a whole, our protocol outperforms to other protocols. Consequently, the proposed protocol is more suitable for security and privacy critic applications scenarios in WSNs.

6. Conclusions

In this paper, we propose an anonymous authentication and key exchange protocol for WSNs. The most attractive property of our protocol is its strong user anonymity such that no one except the user knows the real identity of himself. Besides this, our protocol also enjoys formal security proof in the random oracle model and efficient communication complexity. The only disadvantage is that it consumes more computation resources. In wireless communication networks, establishing a channel usually consumes more energy than computation does. As a result, the heavy computation cost is not a serious problem. Due to its high security and strong anonymity, our protocol is very suitable for security and privacy critic application scenarios in WSNs.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the Funding of Science and Technology on Information Assurance Laboratory (no. KJ-17-001) and Key Scientific and Technological Project of Henan Province (no. 122102210126).

References

Y. Liu, W. Guo, C. Fan, L. Chang, and C. Cheng, “A practical privacy-preserving data aggregation (3PDA) scheme for smart grid,” IEEE Transactions on Industrial Informatics, pp. 1–1, 2018.
View at: Publisher Site | Google Scholar
D. He, N. Kumar, H. Wang, L. Wang, K. R. Choo, and A. Vinel, “A Provably-Secure Cross-Domain Handshake Scheme with Symptoms-Matching for Mobile Healthcare Social Network,” IEEE Transactions on Dependable and Secure Computing, pp. 1–1, 2016.
View at: Publisher Site | Google Scholar
J. Shen, T. Zhou, D. He, Y. Zhang, X. Sun, and Y. Xiang, “Block design-based key agreement for group data sharing in cloud computing,” IEEE Transactions on Dependable and Secure Computing, vol. PP, no. 99, 2017.
View at: Publisher Site | Google Scholar
J. Shen, J. Shen, X. Chen, X. Huang, and W. Susilo, “An efficient public auditing protocol with novel dynamic structure for cloud data,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 10, pp. 2402–2415, 2017.
View at: Publisher Site | Google Scholar
D. He, S. Zeadally, and L. Wu, “Certificateless public auditing scheme for cloud-assisted wireless body area networks,” IEEE Systems Journal, vol. 12, no. 1, pp. 64–73, 2018.
View at: Publisher Site | Google Scholar
Q. Jiang, Z. Chen, B. Li et al., “Security analysis and improvement of bio-hashing based three-factor authentication scheme for telecare medical information systems,” Journal of Ambient Intelligence and Humanized Computing, 2017.
View at: Google Scholar
Q. Jiang, J. Ma, C. Yang, X. Ma, J. Shen, and S. A. Chaudhry, “Efficient end-to-end authentication protocol for wearable health monitoring systems,” Computers and Electrical Engineering, 2017.
View at: Publisher Site | Google Scholar
M. L. Das, “Two-factor user authentication in wireless sensor networks,” IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1086–1090, 2009.
View at: Publisher Site | Google Scholar
M. K. Khan and K. Alghathbar, “Cryptanalysis and security improvements of ‘two-factor user authentication in wireless sensor networks’,” Sensors, vol. 10, no. 3, pp. 2450–2459, 2010.
View at: Publisher Site | Google Scholar
H.-L. Yeh, T.-H. Chen, P.-C. Liu, T.-H. Kim, and H.-W. Wei, “A secured authentication protocol for wireless sensor networks using Elliptic Curves Cryptography,” Sensors, vol. 11, no. 5, pp. 4767–4779, 2011.
View at: Publisher Site | Google Scholar
K. Xue, C. Ma, P. Hong, and R. Ding, “A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks,” Journal of Network and Computer Applications, vol. 36, no. 1, pp. 316–323, 2013.
View at: Publisher Site | Google Scholar
D. He, N. Kumar, H. Shen, and J.-H. Lee, “One-to-many authentication for access control in mobile pay-TV systems,” Science China Information Sciences, vol. 59, no. 5, pp. 1–14, 2016.
View at: Publisher Site | Google Scholar | MathSciNet
J.-J. Yuan, “An enhanced two-factor user authentication in wireless sensor networks,” Telecommunication Systems, vol. 55, no. 1, pp. 105–113, 2014.
View at: Publisher Site | Google Scholar
D. Wang and P. Wang, “Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks,” Ad Hoc Networks, vol. 20, pp. 1–15, 2014.
View at: Publisher Site | Google Scholar
J. Shen, S. Chang, J. Shen, Q. Liu, and X. Sun, “A lightweight multi-layer authentication protocol for wireless body area networks,” Future Generation Computer Systems, vol. 78, no. 3, pp. 956–963, 2018.
View at: Publisher Site | Google Scholar
F. Wu, L. Xu, S. Kumari, and X. Li, “A new and secure authentication scheme for wireless sensor networks with formal proof,” Peer-to-Peer Networking and Applications, vol. 10, no. 1, pp. 16–30, 2017.
View at: Publisher Site | Google Scholar
Q. Jiang, S. Zeadally, J. Ma, and D. He, “Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks,” IEEE Access, vol. 5, pp. 3376–3392, 2017.
View at: Publisher Site | Google Scholar
C. Wang, G. Xu, and J. Sun, “An enhanced three-factor user authentication scheme using elliptic curve cryptosystem for wireless sensor networks,” Sensors, vol. 17, no. 12, article no. 2946, 2017.
View at: Publisher Site | Google Scholar
X. Li, J. Niu, S. Kumari, F. Wu, A. K. Sangaiah, and K. R. Choo, “A three-factor anonymous authentication scheme for wireless sensor networks in internet of things environments,” Journal of Network and Computer Applications, vol. 103, pp. 194–204, 2018.
View at: Publisher Site | Google Scholar
C. Wang, D. Wang, G. Xu, and Y. Guo, “A lightweight password-based authentication protocol using smart card,” International Journal of Communication Systems, vol. 30, no. 16, pp. 1–11, 2017.
View at: Publisher Site | Google Scholar
D. Wang, H. Cheng, P. Wang et al., “Zipfs law in passwords,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, pp. 2776–2791, 2017.
View at: Google Scholar
F. Wei, P. Vijayakumar, J. Shen, R. Zhang, and L. Li, “A provably secure password-based anonymous authentication scheme for wireless body area networks,” Computers and Electrical Engineering, 2017.
View at: Google Scholar
Z. Zhang, K. Yang, X. Hu, and Y. Wang, “Practical anonymous password authentication and TLS with anonymous client authentication,” in Proceedings of the 23rd ACM Conference on Computer and Communications Security, CCS 2016, pp. 1179–1191, October 2016.
View at: Google Scholar
D. Wang and P. Wang, “Two birds with one stone: two-factor authentication with security beyond conventional bound,” IEEE Transactions on Dependable and Secure Computing, 2016.
View at: Publisher Site | Google Scholar
C. Schnorr, “Efficient signature generation by smart cards,” Journal of cryptology, vol. 4, no. 3, pp. 161–174, 1991.
View at: Google Scholar

Copyright

Copyright © 2018 Ke Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1460

Downloads

1029

Citations