Efficient and Security Enhanced Anonymous Authentication with Key Agreement Scheme in Wireless Sensor Networks

Abstract

At present, users can utilize an authenticated key agreement protocol in a Wireless Sensor Network (WSN) to securely obtain desired information, and numerous studies have investigated authentication techniques to construct efficient, robust WSNs. Chang et al. recently presented an authenticated key agreement mechanism for WSNs and claimed that their authentication mechanism can both prevent various types of attacks, as well as preserve security properties. However, we have discovered that Chang et al’s method possesses some security weaknesses. First, their mechanism cannot guarantee protection against a password guessing attack, user impersonation attack or session key compromise. Second, the mechanism results in a high load on the gateway node because the gateway node should always maintain the verifier tables. Third, there is no session key verification process in the authentication phase. To this end, we describe how the previously-stated weaknesses occur and propose a security-enhanced version for WSNs. We present a detailed analysis of the security and performance of our authenticated key agreement mechanism, which not only enhances security compared to that of related schemes, but also takes efficiency into consideration.

1. Introduction

Wireless Sensor Networks (WSNs) are distributed networks composed of tiny autonomous sensors capable of collecting information related to the environment or physical conditions of a target region [1]. WSNs can be implemented in various use cases—including military battlefields, healthcare services and smart grid networks—to provide convenience to users [2]. Figure 1 illustrates the WSN system architecture. As shown in Figure 1, WSN systems are comprised of three parties, including the user, the gateway nodes and the sensor nodes [1,2]. WSN is made of sensor nodes that are wirelessly connected to a gateway that is then connected to a user. On the other hand, in some WSNs, the sensor nodes can also be connected to each other in order to facilitate multi-hop wireless mesh networks.

Although users enjoy the simplicity and efficiency in WSNs, security has emerged as a major issue in both academia and industry [3]. Specifically, confidential information including the user’s identity and password should not be exposed even if an unauthorized user eavesdrops on data packets transmitted in the WSN [4]. To guarantee reliability among the communicating parties, an authentication mechanism can afford confidentiality and integrity when users access WSNs [3,4]. At this point, in order to design a secure authentication mechanism for WSNs, the following security requirements should be commonly considered [5,6,7,8,9,10,11,12,13].

• User anonymity: Even if an attacker extracts some information stored in the user’s smart card or if it eavesdrops on the messages transmitted in the communication group, the user’s identity should be protected.
• Mutual authentication: An authentication mechanism should execute several steps to achieve mutual authentication, which is to test all transmitted messages to judging the legitimacies.
• Session key agreement: After the mutual authentication process has completed, the session key should be securely assigned to communication parties on the network.
• Password verification process: If a user mistakenly enters an incorrect password in the login phase, the password should be promptly detected before performing the authentication phase.
• User friendliness: An authentication mechanism provides a password change procedure with which a user can freely update their password without communicating with the gateway node.
• Robustness: User authenticated key agreement schemes should withstand different types of attacks, such as off-line password guessing attacks, replay attacks, insider attacks and impersonation attacks.

Furthermore, the efficiency aspect should be considered when applying the authentication mechanism to the WSN environment because the sensor nodes are limited in terms of their computing resources and power [5]. In other words, when constructing an authentication mechanism for WSNs, a hash function-based method is recommended for use since it requires less computation overhead than public-key cryptosystems, such as RSA, elliptic curves cryptography (ECC) and El-gamal, all of which have a high computational overhead [6,7]. Therefore, the authentication protocol implemented for WSNs should be simple and efficient while also conforming to the required security.

1.1. Related Studies

In 2006, Wong et al. [8] first presented a lightweight user authentication protocol for WSNs. Their protocol improved the efficiency by only employing a one-way hash function and exclusive-OR operation. However, Das [9] pointed out that Wong et al.’s scheme [8] could not withstand many logged-in users with the same login identity attacks and stolen-verifier attacks. Das [9] then suggested an improved version that solved the flaws present in Wong et al.’s method. Unfortunately, Khan and Alghathbar [10] demonstrated in 2010 that Das’s scheme [9] could not withstand a privileged-insider attack and gateway node bypass attack and proposed an enhanced new strategy. In the same year, Chen and Shih [11] also demonstrated that Das’s scheme [9] overlooks parallel session attacks and cannot support a mutual authentication property. Chen and Shih [11] then proposed an enhanced version. In 2012, Vaidya et al. [12] pointed out that Das’s scheme [9], Khan and Alghathbar’s scheme [10] and Chen and Shih’s scheme [11] contained the same vulnerabilities against a lost smart card attack and sensor node impersonation attack. To compensate for these defects, Vaidya et al. [12] suggested their own authentication scheme, arguing that it can withstand various attack types. However, Kim et al. [13] proved in 2014 that Vaidya et al.’s scheme [12] has some weaknesses, such as to user impersonation attacks and gateway node bypass attacks, and thus proposed an upgraded scheme. In 2015, Chang et al. [14] demonstrated that Kim et al.’s scheme [13] could not prevent an impersonation attack, lost smart card attack or man-in-the-middle attack, and it did not provide session key security. Chang et al. [14] then proposed an improved scheme. However, Park and Park [15] pointed out recently that Chang et al’s scheme [14] still had some weaknesses, such as off-line password guessing attack, perfect forward secrecy problem and incorrectness of password change, and proposed an enhanced new version.

In particular, various cryptography techniques were employed in their protocols in order to improve the security for WSNs. Lee [16] and Kumari et al. [17] apply a chaotic map technique in their authentication mechanism. In 2015, Cheng et al. [18] presented an RSA-based authentication method for WSNs. In addition, Yeh et al. [19] proposed an authentication protocol based on elliptic curves cryptography (ECC) for WSNs. However, Han [20] pointed out that Yeh et al.’s scheme [19] could not achieve perfect forward secrecy and fails to provide mutual authentication. To address these weaknesses, Shi and Gong [21] presented a new authentication mechanism for WSNs using an ECC technique. However, Choi et al. [22] demonstrated that Shi and Gong’s mechanism [21] could not satisfy security requirements because their scheme is unsafe against lost smart card attacks and does not provide session key security.

1.2. Motivations and Contributions

In 2015, Chang et al. [14] presented a two-factor user authenticated key agreement scheme for WSNs. They claimed that their scheme could resist an off-line password guessing attack and an impersonation attack, as well as provide session key security. However, we have discovered that Chang et al.’s scheme [14] comprises critical security weaknesses. Their scheme (i) still cannot guarantee protection against an off-line password guessing attack or user impersonation attack, (ii) fails to provide session key security, (iii) is faced with a scalability problem because the gateway nodes in their scheme always maintain verifier tables (iv) and cannot provide session key verification processes.

Our main contribution in this study is as follows. First, we concretely explain the weaknesses in Chang et al.’s scheme. Second, we propose a more developed authentication protocol for WSNs. Third, we show that the proposed mechanism satisfies various security requirements. Finally, we demonstrate that the proposed protocol has better performance than other related studies in terms of the computation cost and time consumption.

1.3. Preliminaries

In this subsection, we first introduce the biohash function [23], which is used in our proposed scheme. Then, we list the notations of Chang et al.’s scheme [14] and our proposed scheme in

Table 1. Notations.

Value	Description
$U_i$	Remote user
$S_j$	Sensor node
$GWN$	Gateway node
$I{D}_i$, $P{W}_i$	Identity and password of $U_i$
$Bi{o}_i$	Biometric information of $U_i$
$P{W}_i^{new}$	New password of $U_i$
u	Random number of $U_i$
$I{D}_s$	Identity of smart card
$TI{D}_i$	Temporary identity for $U_i$’s next login
$SI{D}_j$	Identity of $S_j$
K	Secret key generated by the $GWN$
$R{N}_r,R{N}_G,R$	Random numbers
$h(·)$	One-way hash function
$H(·)$	Biohash function
$f(x,k)$	Pseudo-random function of variable s with key k
$X||Y$	Concatenate operation
⊕	XOR operation
$T_1$, $T_2$, $T_3$, $T_4$	Current time stamp values
$K_S$	Session key
$\Delta T$	The maximum of the transmission delay time

.

1.3.1. Biohash Function

The user’s biometric information is very sensitive data. Thus, when user identification is carried out using biometric data, a secure and sophisticated matching technique is required. In order to handle this concern, in 2004, Jin et al. [23] presented a fingerprint-based function to identify the user’s legitimacy. The biohash technique employs the particular tokenized pseudo-random numbers to each of the users measuring biometric feature arbitrarily onto two-fold strands. Figure 2 describes the user recognition mechanism employing the user’s biometric information and biohashing technique. When a device recognizes user’s biometric template T, it transforms T into the form of feature vector and then transmits to transform function $H(·)$. Transform function $H(·)$ creates transformed template $H(T,K)$ by inputting the transmitted template T and random key K. Furthermore, the device creates biohash code, $H(Q,K)$ from the random key K and the stored value, which is a biometric query, in order to judge whether the user is registered or not, comparing to the new value, $H(T,K)$. The biohashing technique is also applied in our scheme, illustrated in Section 5. We use an input value $Bio$ as a combination of the user’s biometric information and a random key for convenience, like other authentication schemes [24,25,26,27] using the biohashing technique.

The biohash function $H(·)$ is a one-way function with a feature that can reduce the probability of the denial of service. That is to say, the identical biometric information creates the identical value of $H(Bio)$, and it is impossible to calculate an input value $Bio$ from the result value of $H(Bio)$. Until now, many authentication studies have been conducted [24,25,26,27] based on the biohashing technique. Our proposed scheme also adopts the user’s biometric information applying a biohashing, and the details are given below in Section 5.

1.3.2. Scalability and Practicability in Terms of Authentication Using Biometric Information

The three-factor authentication protocol has been frequently employed in recent days, which complements the two-factor authentication protocol using the identity and password by adding biometric information. Basically, an authentication mechanism using biometric information requires a smart card terminal capable of recognizing a smart card and a device capable of recognizing the user’s biometric (fingerprint) information. To reduce this inconvenience, Baratelli [28] and Kozlay [29] devised a new smart card-based fingerprint identification technology by adding a fingerprint recognition device in the smart card, and Clancy [30] proposed a self-fingerprint authentication technique using a smart card. In other words, a new device that combines a smart card terminal and a fingerprint reader has already been developed. In fact, authentication research does not really mean the inconvenience of fingerprint terminal devices and assumes that devices that can recognize both smart cards and fingerprints are used. In addition, a number of research works with respect to three-factor authentication protocol already [24,25,26,27] have applied user’s biometric information.

First of all, the most important reason for using biometric information in the authentication mechanism is to increase the security of the protocol by preventing identity/password guessing attack. For this reason, our proposed scheme also uses the biometric information of the user, and it is confirmed that the proposed scheme is very safe. A detailed description of the protocol can be found in Section 4, and a security analysis can be found in Section 5.

1.3.3. Notations

The notations used in this paper are listed in Table 1.

1.4. Organization of the Paper

The remainder of this paper is structured as follows. In Section 2, we briefly explain Chang et al.’s authentication scheme. Section 3 demonstrates the vulnerabilities in Chang et al.’s scheme. A detailed explanation of our proposed scheme is provided in Section 4. In Section 5, we evaluate whether our proposed scheme can withstand various attacks. Further, we conduct a formal security proof using the random oracle model in Section 6. In Section 7, we analyze the performance of the proposed scheme, and in Section 8, we provide the conclusion to the paper.

2. Review of Chang et al.’s Scheme

In this section, we briefly review Chang et al.’s authenticated key agreement scheme [14] to then cryptanalyze their scheme. It is composed of four phases: registration, login, authentication and password change. In Chang et al.’s scheme [14], there are three communication parties, including a user $U_i$, a gateway node $GWN$ and a sensor node $S_j$. We describe each phase in detail, and Table 1 shows the notations used in Chang et al.’s scheme.

2.1. Registration Phase

(1)

$U_i$ selects $I{D}_i$ and $P{W}_i$, and $U_i$ then generates a random number $R{N}_r$. $U_i$ computes $HP{W}_i=h(P{W}_i||R{N}_r)$ and sends a registration request $〈I{D}_i,HP{W}_i〉$ to $GWN$ through a secure channel.

(2)

$GWN$ computes $HI{D}_i=h(I{D}_i||K)$, $X_{S_i}=h(HI{D}_i||K)$, $A_i=h(HP{W}_i||X_{S_i})\oplus HI{D}_i$, $B_i=h(HP{W}_i\oplus X_{S_i})$ and $C_i=X_{S_i}\oplus h(I{D}_s||HP{W}_i)$ and maintains $(TI{D}_i,TI{D}_i^{\circ },HI{D}_i)$ in its database for $U_i$, where $TI{D}_i=R{N}_G$ and $TI{D}_i^{\circ }{=}^{\prime \prime \prime \prime }$. $GWN$ chooses a smart card and writes $\{I{D}_s,A_i,B_i,C_i,TI{D}_i,h(·)\}$ into the smart card’s memory. Then, $GWN$ sends the smart card to $U_i$ through a secure channel.

(3)

$U_i$ computes $XP{W}_i=h(P{W}_i)\oplus R{N}_r$ and stores $XP{W}_i$ in the smart card’s memory. Finally, the smart card contains the information $\{I{D}_s,A_i,B_i,C_i,TI{D}_i,h(·),XP{W}_i\}$.

2.2. Login Phase

(1)

$U_i$ inserts $U_i$’s smart card into a terminal and inputs the $I{D}_i$ and $P{W}_i$. The smart card computes $R{N}_r^{*}=h(P{W}_i)\oplus XP{W}_i$, $HP{W}_i^{*}=h(P{W}_i||R{N}_r^{*})$, $X_{S_i}^{*}=C_i\oplus h(I{D}_s||HP{W}_i^{*})$, $B_i^{*}=h(HP{W}_i^{*}\oplus X_{S_i}^{*})$ and compares $B_i^{*}$ with the stored value $B_i$. If this condition is satisfied, the smart card acknowledges the legitimacy of $U_i$ and proceeds with the next step. Otherwise, it terminates this phase.

(2)

The smart card computes $k_i=h(X_{S_i}^{*}||T_1)$, $DI{D}_i=h(HP{W}_i^{*}||X_{S_i}^{*})\oplus k_i$ and $M_{U_i,G}=h(A_i||X_{S_i}^{*}||T_1)$.

(3)

Finally, $U_i$ sends a login request $〈DI{D}_i,M_{U_i,G},T_1,TI{D}_i〉$ to $GWN$ through a public channel.

2.3. Authentication Phase

(1)

$GWN$ first checks the validity of the time stamp $|T_1^{\prime }-T_1|<\Delta T$ and retrieves $HI{D}_i$ from $TI{D}_i$ corresponding to $TI{D}_i$ in its database. If $GWN$ cannot search the $TI{D}_i$, $GWN$ retrieves $HI{D}_i$ from $TI{D}_i^{\circ }$. $GWN$, then computes $X_{S_i}=h(HI{D}_i||K)$, $k_i=h(X_{S_i}||T_1)$, $X^{*}=DI{D}_i\oplus k_i$, $M_{U_i,G}^{*}=h(X^{*}\oplus HI{D}_i||X_{S_i}||T_i)$ and compares $M_{U_i,G}^{*}$ with the received value $M_{U_i,G}$. If this condition is satisfied, $GWN$ acknowledges the legitimacy of the $U_i$ and proceeds with the next step. Otherwise, it terminates this phase.

(2)

$GWN$ computes $X_{S_j}=h(SI{D}_j||K)$, $M_{G,S_j}=h(DI{D}_i||SI{D}_j||X_{S_j}||T_2)$, then sends the message $\langle DI{D}_i,M_{G,S_j},T_2\rangle$ to $S_j$ through a public channel.

(3)

$S_j$ checks whether $|T_2^{\prime }-T_2|<\Delta T$. $S_j$ then computes $M_{G,S_j}^{*}=h(DI{D}_i||SI{D}_j||X_{S_j}^{*}||T_2)$ and compares $M_{G,S_j}^{*}$ with the received value $M_{G,S_j}$. If this condition is satisfied, $S_j$ believes that the $GWN$ is authentic. Otherwise, it terminates this phase.

(4)

$S_j$ computes $k_j=h(X_{S_j}^{*}||T_3)$, $z_i=M_{G,S_j}^{*}\oplus k_j$, $K_S=f(DI{D}_i,k_j)$, $M_{S_j,G}=h(z_i||X_{S_j}^{*}||T_3)$ and then sends the message $\langle M_{S_j,G},T_3\rangle$ to $GWN$ through a public channel.

(5)

$GWN$ checks whether $|T_3^{\prime }-T_3|<\Delta T$. $GWN$ then computes $k_j=h(X_{S_j}||T_3)$, $z_i^{*}=M_{G,S_j}\oplus k_j$, $M_{S_j,G}^{*}=h(z_i^{*}||X_{S_j}||T_3)$ and compares $M_{S_j,G}^{*}$ with the received value $M_{S_j,G}$. If true, $GWN$ believes that the $S_j$ is authentic. Otherwise, $GWN$ terminates this phase.

(6)

$GWN$ computes $M_{G,U_i}=h(DI{D}_i||M_{U_i,G}^{*}||k_j||X_{S_i}||T_4)$, $y_i=k_j\oplus h(k_i)$, $TI{D}_{i\_new}=h(HI{D}_i||T_1)$ and updates $(TI{D}_i,TI{D}_i^{\circ })$ as $(TI{D}_{i\_new},TI{D}_i)$ in its database. $GWN$ then sends the message $〈y_i,M_{G,U_i},T_4〉$ to $U_i$ through a public channel.

(7)

$U_i$ checks whether $|T_4^{\prime }-T_4|\le \Delta T$. $U_i$ then computes $k_j^{*}=y_i\oplus h(k_i)$, $M_{G,U_i}^{*}=h(DI{D}_i||M_{U_i,G}||k_j^{*}||X_{S_i}||T_4)$ and compares $M_{G,U_i}^{*}$ with the received value $M_{G,U_i}$. If the verification does not hold, this phase is terminated. Otherwise, $U_i$ believes that the $GWN$ is authentic and computes the shared session key $K_S=f(DI{D}_i,k_j^{*})$.

(8)

$U_i$ computes $HI{D}_i=A_i\oplus h(HP{W}_i^{*}||X_{S_i}^{*})$ and $h(HI{D}_i||T_1)$. Lastly, $U_i$ updates $TI{D}_i$ as $h(HI{D}_i||T_1)$ and successfully ends the authentication phase.

2.4. Password Change Phase

(1)

$U_i$ inserts $U_i$’s smart card into a card reader and inputs $I{D}_i$, the old password $P{W}_i$ and new password $P{W}_i^{new}$. The smart card computes $R{N}_r^{*}=h(P{W}_i)\oplus XP{W}_i$, $HP{W}_i^{*}=h(P{W}_i||R{N}_r^{*})$, $X_{S_i}^{*}=C_i\oplus h(I{D}_s||HP{W}_i^{*})$, $B_i^{*}=h(HP{W}_i^{*}\oplus X_{S_i}^{*})$ and compares $B_i^{*}$ with the stored value $B_i$. If this condition is not satisfied, it terminates this phase. Otherwise, the smart card proceeds with the next step.

(2)

The smart card computes $HP{W}_i^{new}=h(P{W}_i^{new}||R{N}_r^{*})$, $A_i^{new}=h(HP{W}_i^{new}||X_{S_i})\oplus HI{D}_i$, $B_i^{new}=h(HP{W}_i^{new}\oplus X_{S_i})$$C_i^{new}=X_{S_i}\oplus h(I{D}_s||HP{W}_i^{new})$ and $XP{W}_i^{new}=h(P{W}_i^{new})\oplus R{N}_r$.

(3)

The smart card replaces the existing value $(A_i,B_i,C_i,XP{W}_i)$ with the new values $(A_i^{new},B_i^{new},C_i^{new},XP{W}_i^{new})$.

3. Security Weaknesses of Chang et al.’s Scheme

In this section, we show that Chang et al.’s scheme [14] possesses a number of security vulnerabilities. The following vulnerabilities are based on the two assumptions that

• An attacker can extract all parameters stored in the smart card by physically monitoring its power consumption [31].
• An attacker can eavesdrop or reform any messages in the public channel [32,33].

Under these two assumptions, the following problems have been found, and their detailed descriptions are given below.

3.1. Off-Line Password Guessing Attack

This attack attempts to input a password until the correct password is discovered because many users have a tendency to employ simple, brief passwords for the sake of convenience. For this reason, the authentication mechanism for all passwords should be invented to guarantee protection against a guessing attack. However, Chang et al.’s scheme [14] has a weakness in this situation, and we therefore propose a scenario for an off-line password-guessing attack. The following is a detailed description:

Step 1.

An attacker extracts $\{I{D}_s,A_i,B_i,C_i,TI{D}_i,h(·),XP{W}_i\}$ from $U_i$’s stolen smart card by physically monitoring its power consumption [31].

Step 2.

The attacker collects a valid login request $〈DI{D}_i,M_{U_i,G},T_1,TI{D}_i〉$ from the previous session [32,33].

Step 3.

The attacker selects a password candidate $P{W}_i^{*}$.

Step 4.

The attacker computes $HP{W}_i^{*}=h(P{W}_i^{*}||h(P{W}_i^{*})\oplus XP{W}_i)$ using the password candidate $P{W}_i^{*}$.

Step 5.

The attacker then computes:

$$\begin{array}{ccc}\hfill X_{S_i}^{*}& =& C_i\oplus h(I{D}_s||HP{W}_i^{*})\hfill \\ & =& C_i\oplus h(I{D}_s||h(P{W}_i^{*}||h(P{W}_i^{*})\oplus XP{W}_i))\hfill \\ \hfill B_i^{*}& =& h(HP{W}_i^{*}\oplus X_{S_i}^{*})\hfill \\ & =& h(h(P{W}_i^{*}||h(P{W}_i^{*})\oplus XP{W}_i)\oplus C_i\oplus h(I{D}_s||h(P{W}_i^{*}||h(P{W}_i^{*})\oplus XP{W}_i)))\hfill \end{array}$$

Step 6.

The attacker repeats the steps above from 3–5 until the computed result $B_i^{*}$ equals the breached secret $B_i$.

Step 7.

If they correspond with each other, $P{W}_i^{*}$ would be an accurate password. If not, the attacker repeats the above steps until the correct password is found.

Therefore, we can realize that Chang et al.’s scheme [14] is vulnerable to the off-line password guessing attack.

3.2. User Impersonation Attack

The security of the password-based authentication mechanism relies on the complexity of the password. Thus, if an attacker obtains a password, the attacker can pretend to be a legal user. Unfortunately, Chang et al.’s scheme [14] allows an attacker to impersonate a legal user if the attacker obtains the user’s password $P{W}_i$ through a guessing attack. The following is a detailed description of this scenario:

Step 1.

An attacker extracts $\{I{D}_s,A_i,B_i,C_i,TI{D}_i,h(·),XP{W}_i\}$ from $U_i$’s stolen smart card [31].

Step 2.

The attacker collects a valid login request $〈DI{D}_i,M_{U_i,G},T_1,TI{D}_i〉$ from the previous session.

Step 3.

The attacker obtains the user’s $P{W}_i$ through an off-line password guessing attack.

Step 4.

The smart card computes:

$$\begin{array}{ccc}\hfill DI{D}_i^{*}& =& h(HP{W}_i||X_{S_i})\oplus k_i\hfill \\ & =& h(HP{W}_i||X_{S_i})\oplus h(X_{S_i}||T_1),\mathrm{where}{X}_{S_i}=C_i\oplus h(I{D}_s||h(P{W}_i||h(P{W}_i)\oplus XP{W}_i))\hfill \\ \hfill M_{U_i,G}^{*}& =& h(A_i||X_{S_i}||T_1)\hfill \\ & =& h(A_i||C_i\oplus h(I{D}_s||h(P{W}_i||h(P{W}_i)\oplus XP{W}_i))||T_1)\hfill \end{array}$$

Step 5.

The attacker then sends a counterfeited login request $\langle DI{D}_i^{*},M_{U_i,G}^{*},T_1,TI{D}_i\rangle$ to $GWN$ through a public channel.

Step 6.

After receiving the $\langle DI{D}_i^{*},M_{U_i,G}^{*},T_1,TI{D}_i\rangle$, $GWN$ computes $X_{S_i}=h(HI{D}_i||K)$, $k_i=h(X_{S_i}||T_i)$, $X=DI{D}_i^{*}\oplus k_i$ and $M_{U_i,G}=h(X\oplus HI{D}_i||X_{S_i}||T_i)$.

Step 7.

$GWN$ compares the computed value $M_{U_i,G}$ with the received value $M_{U_i,G}^{*}$. Finally, $GWN$ successfully finishes the verification process because $M_{U_i,G}^{*}$, which is computed by the attacker, is correctly equal to $M_{U_i,G}$, which is computed by the $GWN$.

Through the aforementioned descriptions, the attacker can successfully pass the checking process and be disguised as a legal user under Chang et al.’s scheme [14].

3.3. Session Key Compromise

In Chang et al.’s scheme [14], if an attacker knows $U_i$’s password $P{W}_i$, the attacker can establish the session key $K_S=f(DI{D}_i,k_j)$ shared between $U_i$ and $S_j$. First, the attacker can extract $\{I{D}_s,A_i,B_i,C_i,TI{D}_i,h(·),XP{W}_i\}$ from $U_i$’s stolen smart card. Second, the attacker can obtain $DI{D}_i$ and $y_i$ after eavesdropping on the messages $〈DI{D}_i,M_{U_i,G},T_1,TI{D}_i〉$ and $〈y_i,M_{G,U_i},T_4〉$. Then, the attacker can try to compute $k_j=y_i\oplus h(k_i)=y_i\oplus h(h(C_i\oplus h(I{D}_s||h(P{W}_i||h(P{W}_i)\oplus XP{W}_i))||T_1))$ using the acquired $P{W}_i$, which has been previously compromised as in Section 3.1. With the combined $\{y_i,C_i,I{D}_s,P{W}_i,XP{W}_i,T_1\}$ values, the attacker can successfully construct the $K_S=f(DI{D}_i,k_j)$.

3.4. Scalability Problem

In order to provide convenience, Chang et al. [14] suggested that the $GWN$ maintains a verifier table in the database to save the information, such as the user’s temporary identities $(TI{D}_i,TI{D}_i^{\circ })$ and $HI{D}_i=h(I{D}_i||K)$ value. Accordingly, the $GWN$ should always need to retain each user’s verifier table. However, the increased amount of user information that needs to be retained places greater burden on the $GWN$ since the number of verifier tables will increase as the number of users’ increases. Moreover, the use of the verifier table is inefficient in terms of the computation time since the changed values at each phase need to be updated in the verifier table.

3.5. Absence of a Session Key Verification Process

According to [34,35], the authenticated key agreement mechanism recommends a verification procedure to verify the coherence of the generated session keys between the communicating parties. In the authentication phase in Chang et al.’s scheme [14], $U_i$ generates his/her own session key $K_S$ after verifying the message $〈y_i,M_{G,U_i},T_4〉$ through $M_{G,U_i}^{*}\stackrel{?}{=}{M}_{G,U_i}$. However, in this case, because of the $M_{S_j,G}=h(z_i||X_{S_j}^{*}||T_3)$ has no information about the session key generated by $S_j$, and the $U_i$ can hardly be sure whether a new generated session key $K_S$ is precisely the same as the $S_j$’s session key or not. Therefore, the following procedures [34] are required to ensure an accurate session key distribution between a $U_i$ and a $S_j$: (1) after generating a session key, $S_j$ sends a message, including information regarding the generated session key; (2) the $U_i$ should guarantee the accuracy of the session key from the $S_j$, verifying the received message.

4. The Proposed Scheme

In this section, we suggest an improved version of the authenticated key agreement mechanism for the WSN in order to provide improved security by resolving Chang et al.’s [14] weaknesses. In the proposed scheme, to guarantee protection from the off-line password guessing attack, we employ biometrics information with the biohashing technique $H(·)$ [23], as mentioned in Section 1.3. By preventing an off-line password guessing attack, our scheme can guarantee protection against an impersonation attack and against session key compromise. In addition, we remove the verifier table stored in $GWN$ to increase efficiency. Our proposed scheme also consists of four phases: registration, login, authentication and password change. We describe each phase in detail, and Figure 3, Figure 4 and Figure 5 describe our scheme. The notation used in the proposed scheme is displayed in Table 1.

4.1. Registration Phase

The registration phase begins when the $U_i$ sends a request message for registration to $GWN$ through a secure channel. The $GWN$ then issues a smart card, including some information, and sends it to $U_i$. Meanwhile, $S_j$ stores pre-defined values $SI{D}_j$ and $X_{S_j}^{*}$ in its memory, where $X_{S_j}^{*}=h(SI{D}_j||K)$. The following describes this process in detail, and Figure 2 illustrates the registration phase for our proposed scheme.

(1)

$U_i$ selects $I{D}_i$ and $P{W}_i$, and $U_i$ then imprints his/her biometrics $Bi{o}_i$. $U_i$ computes $HP{W}_i=h(P{W}_i||H(Bi{o}_i))$, generates a random number u and computes $TI{D}_i=h(I{D}_i||u)$. $U_i$ sends a registration request $〈TI{D}_i,HP{W}_i〉$ to $GWN$ through a secure channel.

(2)

$GWN$ computes $HI{D}_i=h(TI{D}_i||K)\oplus HP{W}_i$, $A_i=h(HP{W}_i||TI{D}_i)\oplus HI{D}_i$, $B_i=h(HP{W}_i||HI{D}_i)$ and $C_i=HI{D}_i\oplus K$. $GWN$ chooses a smart card and writes $\{A_i,B_i,C_i,h(·),H(·)\}$ into the smart card’s memory. Then, $GWN$ sends the smart card to $U_i$ through a secure channel.

(3)

Upon receiving the smart card, $U_i$ computes $D_i=u\oplus H(Bi{o}_i)$ and stores it in the smart card. Finally, the smart card contains the information $\{A_i,B_i,C_i,D_i,h(·),H(·)\}$.

4.2. Login Phase

The login phase is executed whenever the $U_i$ wants to gain access to WSN using his/her $I{D}_i$, $P{W}_i$ and smart card. In this phase, $U_i$ sends the login request to $GWN$. Figure 3 illustrates the login and authentication phase for our proposed scheme. The following describes this process in detail.

(1)

$U_i$ inserts $U_i$’s smart card into a terminal and inputs the $I{D}_i$, $P{W}_i$ and imprints biometric $Bi{o}_i$. The smart card computes $HP{W}_i^{*}=h(P{W}_i||H(Bi{o}_i))$, $u=D_i\oplus H(Bi{o}_i)$, $TI{D}_i=h(I{D}_i||u)$, $HI{D}_i^{*}=A_i\oplus h(HP{W}_i^{*}||TI{D}_i)$, $B_i^{*}=h(HP{W}_i^{*}||HI{D}_i^{*})$ and compares $B_i^{*}$ with the stored value $B_i$. If this condition is satisfied, the smart card acknowledges the legitimacy of the $U_i$ and proceeds to the next step. Otherwise, it terminates this phase.

(2)

The smart card computes $DI{D}_i=TI{D}_i\oplus HI{D}_i^{*}$ and $M_{U_i,G}=h(TI{D}_i||HP{W}_i^{*}||HI{D}_i^{*}||T_1)$.

(3)

Finally, $U_i$ sends a login request $〈DI{D}_i,M_{U_i,G},C_i,T_1〉$ to $GWN$ through a public channel.

4.3. Authentication Phase

The authentication phase begins when $GWN$ receives the login request from the $U_i$. This phase performs several steps to achieve mutual authentication, as well as a session key agreement between $U_i$, $GWN$ and $S_j$ involved within the WSN. The following describes this process in detail.

(1)

$GWN$ first checks the validity of the time stamp $|T_1^{\prime }-T_1|<\Delta T$ and computes $TI{D}_i^{*}=DI{D}_i\oplus C_i\oplus K$, $HI{D}_i=C_i\oplus K$ and $HP{W}_i^{*}=HI{D}_i\oplus h(TI{D}_i^{*}||K)$. $GWN$ further computes $M_{U_i,G}^{*}=h(TI{D}_i^{*}||HP{W}_i^{*}||HI{D}_i||T_1)$ and compares it with the received value $M_{U_i,G}$. If this condition is satisfied, $GWN$ acknowledges the legitimacy of the $U_i$ and proceeds with the next step. Otherwise, it terminates this phase.

(2)

$GWN$ generates a random number R and computes $X_{S_j}=h(SI{D}_j||K)$, $M_j=R\oplus X_{S_j}$, $K_S=f(DI{D}_i,R)$ and $M_{G,S_j}=h(DI{D}_i||SI{D}_j||X_{S_j}||K_S||T_2)$. $GWN$ then sends the message $\langle DI{D}_i,M_{G,S_j},M_j,T_2\rangle$ to $S_j$ through a public channel.

(3)

$S_j$ checks whether $|T_2^{\prime }-T_2|<\Delta T$ and computes $R^{*}=M_j\oplus X_{S_j}^{*}$ and $K_S^{*}=f(DI{D}_i,R^{*})$. $S_j$ further computes $M_{G,S_j}^{*}=h(DI{D}_i||SI{D}_j||X_{S_j}^{*}||K_S^{*}||T_2)$ and compares it with the received value $M_{G,S_j}$. If this condition is satisfied, $S_j$ believes that the $GWN$ is authentic. Otherwise, it terminates this phase.

(4)

$S_j$ computes $k_j=h(X_{S_j}^{*}||T_3)$ and $M_{S_j,G}=h(k_j||X_{S_j}^{*}||K_S^{*}||T_3)$. $S_j$ then sends the message $\langle M_{S_j,G},T_3\rangle$ to $GWN$ through a public channel.

(5)

$GWN$ checks whether $|T_3^{\prime }-T_3|<\Delta T$. $GWN$ computes $k_j=h(X_{S_j}||T_3)$, $M_{S_j,G}^{*}=h(k_j||X_{S_j}||K_S||T_3)$ and compares $M_{S_j,G}^{*}$ with the received value $M_{S_j,G}$. If true, $GWN$ believes that the $S_j$ is authentic. Otherwise, $GWN$ terminates this phase.

(6)

$GWN$ computes $k_i=R\oplus h(TI{D}_i^{*}||K)$ and $M_{G,U_i}=h(K_S||k_i||T_4)$. $GWN$ then sends the message $〈k_i,M_{G,U_i},T_4〉$ to $U_i$ through a public channel.

(7)

$U_i$ checks whether $|T_4^{\prime }-T_4|\le \Delta T$ and computes $R^{*}=k_i\oplus HP{W}_i\oplus HI{D}_i^{*}$ and $K_S^{*}=f(DI{D}_i,R^{*})$. $U_i$ further computes $M_{G,U_i}^{*}=h(K_S^{*}||k_i||T_4)$ and compares it with the received value $M_{G,U_i}$. If this condition is not satisfied, this phase is terminated. Otherwise, $U_i$ believes that the $GWN$ is authentic and successfully ends the authentication phase

4.4. Password Change Phase

The password change phase begins when the $U_i$ intends to change the original password $P{W}_i$ to a new password $P{W}_i^{new}$. Figure 4 illustrates the password change phase for our proposed scheme. The following describes this process in detail.

(1)

$U_i$ inserts $U_i$’s smart card into a terminal, inputs $I{D}_i$, $P{W}_i$, $P{W}_i^{new}$ and then imprints biometric $Bi{o}_i$. The smart card computes $HP{W}_i^{*}=h(P{W}_i||H(Bi{o}_i))$, $u=D_i\oplus H(Bi{o}_i)$, $TI{D}_i=h(I{D}_i||u)$, $HI{D}_i^{*}=A_i\oplus h(HP{W}_i^{*}||TI{D}_i)$, $B_i^{*}=h(HP{W}_i^{*}||HI{D}_i^{*})$ and compares $B_i^{*}$ with the stored value $B_i$. If this condition is not satisfied, it terminates this phase. Otherwise, the smart card proceeds with the next step.

(2)

The smart card computes $HP{W}_i^{new}=h(P{W}_i^{new}||H(Bi{o}_i))$, $A_i^{new}=h(HP{W}_i^{new}||TI{D}_i)\oplus HI{D}_i$ and $B_i^{new}=h(HP{W}_i^{new}||HI{D}_i)$.

(3)

The smart card replaces the existing values $A_i$ and $B_i$ with the new values $A_i^{new}$ and $B_i^{new}$, respectively. Finally, the smart card contains the information $\{A_i^{new},B_i^{new},C_i,D_i,h(·),H(·)\}$.

5. Security Analysis and Proof of the Proposed Scheme

In this section, we first describe whether the proposed scheme can withstand various attacks and also satisfy the basic requirements. Moreover, we adopt Burrows–Abadi–Needham (BAN) logic [36] to prove that a session key can be correctly generated between $U_i$ and $S_j$. The results are described as follows.

5.1. Informal Security Analysis of the Proposed Scheme

In this subsection, our proposed scheme is examined against various attacks and is evaluated according to the suitability of the basic requirements [5,6,7,8,9,10,11,12,13]. We also conduct a comparative analysis [10,12,13,14,15], which is illustrated in

Table 2. Security comparison of our proposed scheme and other related schemes.

Features	Khan et al. [10]	Vaidya et al. [12]	Kim et al. [13]	Chang et al. [14]	Park et al. [15]	Our Scheme
User anonymity	×	×	√	√	√	√
Mutual authentication	×	√	√	√	√	√
Stolen smart card attack	×	×	×	×	√	√
Replay attack	√	√	√	√	√	√
Off-line PW guessing attack	×	√	√	×	√	√
$U_i$ impersonation attack	×	×	√	×	√	√
$S_j$ impersonation attack	×	√	×	√	√	√
Password verification	√	√	√	√	√	√
Session key verification	×	×	×	×	×	√
Privileged-insider attack	√	√	√	√	√	√
Session key security	×	×	×	×	√	√
Efficient password change	√	√	√	√	√	√
$GWN$ bypass attack	×	×	√	√	√	√
Off-line ID guessing attack	×	×	√	√	√	√
No verifier table	√	√	√	×	×	√
Formal proof	×	√	×	√	√	√

.

• The proposed scheme preserves user anonymity:

User anonymity is a valuable property for the user authentication protocol because the exposure of a user’s identity can allow an unauthorized party to track the user’s login pattern. Suppose that the attacker has intercepted $U_i$’s login request $〈DI{D}_i,M_{U_i,G},C_i,T_1〉$ and extracted information $\{A_i,B_i,C_i,D_i,h(·),H(·)\}$ in a stolen smart card [31]. The attacker may then try to compute $I{D}_i$ through $h(I{D}_i||u)=DI{D}_i\oplus HI{D}_i$. However, it is impossible to know $HI{D}_i$ since $HI{D}_i$ consists of $(C_i\oplus K)$ and the secret key K is only known to $GWN$. In addition, u includes $H(Bi{o}_i)$ information that is only known to $U_i$. Therefore, the attacker cannot acquire the user’s $I{D}_i$.

• The proposed scheme achieves mutual authentication:

In the authentication phase of our scheme, $U_i$, $GWN$ and $S_j$ authenticate each other through some checking processes. In detail, $GWN$ first verifies the login request $〈DI{D}_i,M_{U_i,G},C_i,T_1〉$ by checking whether $M_{U_i,G}^{*}$ = $M_{U_i,G}$. $S_j$ also verifies the message $\langle DI{D}_i,M_{G,S_j},M_j,T_2\rangle$ by checking whether $M_{G,S_j}^{*}$ = $M_{G,S_j}$. In addition, $GWN$ and $U_i$ verify the messages $\langle M_{S_j,G},T_3\rangle$ and $〈k_i,M_{G,U_i},T_4〉$ by checking $M_{S_j,G}^{*}\stackrel{?}{=}{M}_{S_j,G}$ and $M_{G,U_i}^{*}\stackrel{?}{=}{M}_{G,U_i}$, respectively. Thus, all transmitted messages in our scheme are successfully verified, and our scheme can achieve mutual authentication.

• The proposed scheme withstands stolen smart card attacks:

In our scheme, even if an attacker extracts secret values $\{A_i,B_i,C_i,D_i,h(·),H(·)\}$ stored in a stolen smart card through the power consumption technique [31], the attack cannot lead to other malicious attacks. In order to obtain the $I{D}_i$, the attack has to know the secret key K and $H(Bi{o}_i)$. However, it is impossible to know the K and $H(Bi{o}_i)$. Therefore, if the attacker does not know the user’s $I{D}_i$, the attacker cannot impersonate a legitimate user. Thus, our proposed scheme can withstand a stolen smart card attack.

• The proposed scheme withstands replay attacks:

In our scheme, all transmitted messages include current time stamp values, such as $T_1,T_2,T_3$ or $T_4$. Therefore, even if an attacker intercepts the login request message and tries to login $GWN$, the attacker cannot pass the time stamp checking process during the authentication phase. Thus, our proposed scheme can withstand a replay attack.

• The proposed scheme withstands off-line password guessing attacks:

An off-line password guessing attack occurs when an attacker attempts to guess a password and eventually finds the exact user’s password in an off-line environment. This comes from the tendency that many users create simple and brief passwords for their personal convenience, which makes the attacker easily acquire the users’ password by guessing the off-line password without a time limit [37]. For these reasons, the authentication schemes for all password-based users should be designed to prevent a guessing attack.

In our scheme, the attacker can obtain $\{A_i,B_i,C_i,D_i,h(·),H(·)\}$ from the stolen smart card [31] and can intercept the login request $〈DI{D}_i,M_{U_i,G},C_i,T_1〉$. Using these values, the attacker may try to guess the correct identity $I{D}_i^{\prime }$ and password $P{W}_i^{\prime }$ through $B_i^{\prime }=h(h(P{W}_i^{\prime }||H(Bi{o}_i))||A_i\oplus h(h(P{W}_i^{\prime }||H(Bi{o}_i)||TI{D}_i^{\prime }))$ or $DI{D}_i\oplus A_i=TI{D}_i^{\prime }\oplus h(h(P{W}_i^{\prime }||H(Bi{o}_i)||TI{D}_i^{\prime })$. However, without knowing $Bi{o}_i$, the attacker cannot guess $P{W}_i^{\prime }$. In addition, $H(Bi{o}_i)$ is hashed biometric information, which is only known by $U_i$. Therefore, our proposed scheme is secure against off-line password guessing attacks.

• The proposed scheme withstands user impersonation attacks:

In order to impersonate a legitimate $U_i$, the attacker should modify the login request $〈DI{D}_i,M_{U_i,G},C_i,T_1〉$ after obtaining the value of $I{D}_i$. However, as we mentioned above, it is impossible for an attacker to obtain the value of $I{D}_i$. Thus, the attacker fails to compute $DI{D}_i=TI{D}_i\oplus HI{D}_i$ and cannot generate a sufficient login request to cheat $GWN$. Therefore, our proposed scheme can withstand a user impersonation attack.

• The proposed scheme withstands sensor node impersonation attacks with node capture:

Suppose that the attacker captures the sensor node $S_j$ and extracts information $(SI{D}_j,X_{S_j}^{*})$ [13]. The attacker then tries to modify the message $\langle M_{S_j,G},T_3\rangle$ to impersonate a legitimate $S_j$. However, the attacker cannot generate a valid message because $X_{S_j}^{*}$ consists of $h(SI{D}_j||K)$, and it is not feasible to obtain the K. Therefore, the attacker cannot impersonate a valid sensor node.

• The proposed scheme provides password verification process:

There is a possibility that a user inputs an incorrect password by mistake. However, for the password verification procedure, the incorrect password will be detected after performing the authentication phase. Our scheme considers this kind of inefficiency situation, verifying the correctness of password $P{W}_i$ by checking the value $B_i$ at the beginning of the login phase.

• The proposed scheme provides the session key verification process:

In our scheme, after generating a session key $K_S^{*}=f(DI{D}_i,R^{*})$, $S_j$ computes $M_{S_j,G}=h(k_j||X_{S_j}^{*}||K_S^{*}||T_3)$ and sends the message $\langle M_{S_j,G},T_3\rangle$ to $GWN$. $GWN$ then computes $k_i=R\oplus h(TI{D}_i^{*}||K)$ and $M_{G,U_i}=h(K_S||k_i||T_4)$, and sends the message $〈k_i,M_{G,U_i},T_4〉$ to $U_i$. After receiving the message, $U_i$ computes $R^{*}=k_i\oplus HP{W}_i\oplus HI{D}_i^{*}$, $K_S^{*}=f(DI{D}_i,R^{*})$ and $M_{G,U_i}^{*}=h(K_S^{*}||k_i||T_4)$ and then compares $M_{G,U_i}^{*}$ with the received value $M_{G,U_i}$. Since $M_{G,U_i}$ includes the information of the session key $K_S$, $U_i$ may be sure that the $K_S$ generated by $S_j$ and $GWN$ is accurate if the comparison result $M_{G,U_i}^{*}=M_{G,U_i}$ is correct. Therefore, our scheme provides a session key verification process.

• The proposed scheme withstands privileged-insider attacks:

An insider attack means that an insider can directly obtain the user’s password from the server and can then access the user’s account in another server by using the same password. During the registration phase of our scheme, $P{W}_i$ is transmitted not as a revealed condition, but as a form of $HP{W}_i=h(P{W}_i||H(Bi{o}_i))$ when $U_i$ sends a registration request $〈TI{D}_i,HP{W}_i〉$ to $GWN$. Accordingly, the insider attacker in $GWN$ cannot identify the $U_i$’s $P{W}_i$. Thus, our scheme can withstand an insider attack.

• The proposed scheme provides session key security:

In our scheme, in order to compromise the session key $K_S=f(DI{D}_i,R)$, the attacker should know the random number R. Therefore, the attacker may try to obtain R through $R=M_j\oplus h(SI{D}_j||K)$. However, it is impossible for an attacker to compute R because the attacker cannot obtain K, which is only known to $GWN$. Thus, our authentication scheme ensures session key security.

• The proposed scheme provides an efficient password change phase:

In general, when a password change occurs, it is encouraged for the verification process to be carried out without any assistance from the $GWN$ to ensure user friendliness and efficiency [24]. Our proposed scheme performs existing password checks in the self-verification process within the smart card. After checking the process through $B_i^{*}=B_i$, the computed values $(A_i^{new},B_i^{new})$ from the new password $P{W}_i^{new}$ will be switched with the existed values $(A_i,B_i)$ in a convenient and efficient way.

• The proposed scheme withstands gateway node bypass attacks:

During the authentication phase of our scheme, the attacker may try to construct the message $\langle DI{D}_i,M_{G,S_j},M_j,T_2\rangle$ using the parameters $\{A_i,B_i,C_i,D_i,h(·),H(·)\}$ stored in the stolen smart card [31] in order to impersonate a legitimate $GWN$. However, the attacker cannot compute $X_{S_j}=h(SI{D}_j||K)$ because K is not public information. Thus, the attacker cannot construct a sufficient message to cheat $S_j$. Eventually, the attacker cannot impersonate a valid $GWN$.

• The proposed scheme withstands off-line identity guessing attacks:

Suppose that the attacker extracts all of the secret information $\{A_i,B_i,C_i,D_i,h(·),H(·)\}$ from the smart card and intercepts $U_i$’s login request $〈DI{D}_i,M_{U_i,G},C_i,T_1〉$. Using these values, the attacker may try to guess the correct identity $I{D}_i^{\prime }$ through $TI{D}_i^{\prime }=h(I{D}_i^{\prime }||u)$, $HI{D}_i^{\prime }=DI{D}_i\oplus TI{D}_i^{\prime }$, $K^{\prime }=C_i\oplus HI{D}^{\prime }$, $HP{W}_i^{\prime }=HI{D}_i^{\prime }\oplus h(TI{D}_i^{\prime }||K^{\prime })$ and $B_i^{\prime }=h(DI{D}_i\oplus TI{D}_i^{\prime }\oplus h(TI{D}_i^{\prime }||K^{\prime })||DI{D}_i\oplus TI{D}_i^{\prime })$. However, in order to successfully guess the $I{D}_i^{\prime }$, the attacker should know the random number u. Even though the attacker knows the $D_i$, the attacker fails to compute $u=D_i\oplus H(Bi{o}_i)$ because $H(Bi{o}_i)$ is not public information. Therefore, our proposed scheme can withstand an off-line identity guessing attack.

5.2. Authentication Proof Using BAN Logic

In this subsection, we use BAN logic to verify the legitimacy of the session keys distributed to participants who communicate in the proposed scheme. BAN logic [36] is applied as a well-known formal logic to analyze the security of cryptographic protocols. The basic notation for BAN logic is as follows.

• $U◃C$: U sees condition C.
• $U\mid \equiv C$: Condition C is believed by U
• $♯(C)$: It makes a fresh C.
• $U\mid \sim C$: U expresses the condition C.
• $U\stackrel{K}{⟷}S$: U and S share a secret key K.
• $U\Rightarrow C$: Condition C is handled by U.
• ${(C)}_K$: Perform the hash operation on C using K.

BAN logic also offers five logic rules as follows.

• Rule 1. Message-meaning rule: $\frac{U\mid \equiv U\stackrel{K}{\leftrightarrow }S,U◃<C{>}_K}{U\mid \equiv S\mid \sim C}$: if U trusts that the key K is shared with S, U sees the C combined with K, then U trusts S once said C.
• Rule 2. Nonce-verification rule: $\frac{U\mid \equiv \#(C),U\mid \equiv S\mid \sim C}{U\mid \equiv S\mid \equiv C}$: if U trusts that C’s freshness and U trusts S once said C, then U trusts that S trusts C.
• Rule 3. Believe rule: $\frac{U\mid \equiv C,U\mid \equiv M}{A\mid \equiv (C,M)}$: if U trusts C and M, $(C,M)$ are also trusted by U.
• Rule 4. Freshness-conjuncatenation rule: $\frac{U\mid \equiv \#(C)}{A\mid \equiv \#(C,M)}$: if freshness of C is trusted by U, then U can trust the freshness of full condition.
• Rule 5. Jurisdiction rule: $\frac{U\mid \equiv S\mid \Rightarrow C,U\mid \equiv S\mid \equiv C}{U\mid \equiv C}$: if U trusts that S has jurisdiction over C, and U trusts that S trusts a condition C, then U also trusts C.

Through our analysis, we will intend to satisfy the following four goals.

• Goal 1: $U_i\mid \equiv (U_i\stackrel{K_S}{⟷}{S}_j)$
• Goal 2: $S_j\mid \equiv (U_i\stackrel{K_S}{⟷}{S}_j)$
• Goal 3: $U_i\mid \equiv S_j\mid \equiv (U_i\stackrel{K_S}{⟷}{S}_j)$
• Goal 4: $S_j\mid \equiv U_i\mid \equiv (U_i\stackrel{K_S}{⟷}{S}_j)$

Next, all transmitted messages can be transmuted into an idealized form as follows.

• Message 1: $U_i\to GWN$ : ${(I{D}_i,HP{W}_i,K,T_1)}_{HI{D}_i}$
• Message 2: $GWN\to S_j$ : ${(I{D}_i,SI{D}_j,R,T_2)}_{X_{S_j}}$
• Message 3: $S_j\to GWN$ : ${(I{D}_i,R,T_3)}_{X_{S_j}}$
• Message 4: $GWN\to U_i$ : ${(I{D}_i,K,R,T_4)}_{HI{D}_i}$

In order to analyze our authentication mechanism, we define some assumptions as follows.

• A1: $GWN\mid \equiv ♯(T_1)$
• A2: $S_j\mid \equiv ♯(T_2)$
• A3: $GWN\mid \equiv ♯(T_3)$
• A4: $U_i\mid \equiv ♯(T_4)$
• A5: $GWN\mid \equiv (GWN\stackrel{X_{S_j}}{⟷}{S}_j)$
• A6: $S_j\mid \equiv (GWN\stackrel{X_{S_j}}{⟷}{S}_j)$
• A7: $U_i\mid \equiv (U_i\stackrel{HI{D}_i}{⟷}GWN)$
• A8: $GWN\mid \equiv (U_i\stackrel{HI{D}_i}{⟷}GWN)$
• A9: $U_i\mid \equiv S_j\Rightarrow (U_i\stackrel{K_S}{⟷}{S}_j)$
• A10: $S_j\mid \equiv U_i\Rightarrow (U_i\stackrel{K_S}{⟷}{S}_j)$

Now, we describe our main proof as follows. In order to describe our proof, we use predefined information, including five logic rules, four messages and ten assumptions.

• According to the Message 1, we could derive the following:
  V1: $GWN◃{(I{D}_i,HP{W}_i,K,T_1)}_{HI{D}_i}$
• Based on Assumption A8 and Rule 1, we derive:
  V2: $GWN\mid \equiv U_i\mid \sim {(I{D}_i,HP{W}_i,K,T_1)}_{HI{D}_i}$
• Based on Assumption A1 and Rule 4, we derive:
  V3: $GWN\mid \equiv ♯{(I{D}_i,HP{W}_i,K,T_1)}_{HI{D}_i}$
• Based on V2, V3 and Rule 2, we derive:
  V4: $GWN\mid \equiv U_i\mid \equiv {(I{D}_i,HP{W}_i,K,T_1)}_{HI{D}_i}$
• According to Message 2, we derive:
  V5: $S_j◃{(I{D}_i,SI{D}_j,R,T_2)}_{X_{S_j}}$
• Based on Assumption A6 and Rule 1, we derive:
  V6: $S_j\mid \equiv GWN\mid \sim {(I{D}_i,SI{D}_j,R,T_2)}_{X_{S_j}}$
• Based on Assumption A2 and Rule 4, we derive:
  V7: $S_j\mid \equiv ♯{(I{D}_i,SI{D}_j,R,T_2)}_{X_{S_j}}$
• Based on V6, V7 and Rule 2, we derive:
  V8: $S_j\mid \equiv GWN\mid \equiv {(I{D}_i,SI{D}_j,R,T_2)}_{X_{S_j}}$
• According to Message 3, we derive:
  V9: $GWN◃{(I{D}_i,R,T_3)}_{X_{S_j}}$
• Based on Assumption A5 and Rule 1, we derive:
  V10: $GWN\mid \equiv S_j\mid \sim {(I{D}_i,R,T_3)}_{X_{S_j}}$
• Based on Assumption A3 and Rule 4, we derive:
  V11: $GWN\mid \equiv ♯{(I{D}_i,R,T_3)}_{X_{S_j}}$
• Based on V10, S11 and Rule 2, we derive:
  V12: $GWN\mid \equiv S_j\mid \equiv {(I{D}_i,R,T_3)}_{X_{S_j}}$
• According to Message 4, we derive:
  V13: $U_i◃{(I{D}_i,K,R,T_4)}_{HI{D}_i}$
• Based on Assumption A7 and Rule 1, we derive:
  V14: $U_i\mid \equiv GWN\mid \sim {(I{D}_i,K,R,T_4)}_{HI{D}_i}$
• Based on Assumption A4 and Rule 4, we derive:
  V15: $U_i\mid \equiv ♯{(I{D}_i,K,R,T_4)}_{HI{D}_i}$
• Based on V14, V15 and Rule 2, we derive:
  V16: $U_i\mid \equiv GWN\mid \equiv {(I{D}_i,K,R,T_4)}_{HI{D}_i}$
• Based on V12, V16 and the session key $K_S=f(DI{D}_i,R)$, we derive:
  V17: $U_i\mid \equiv S_j\mid \equiv (U_i\stackrel{K_S}{⟷}{S}_j)$ (Goal 3)
• Based on V4, V8 and the session key $K_S=f(DI{D}_i,k_i\oplus HP{W}_i\oplus HI{D}_i)$, we derive:
  V18: $S_j\mid \equiv U_i\mid \equiv (U_i\stackrel{K_S}{⟷}{S}_j)$ (Goal 4)
• Based on Assumption A9, V17 and Rule 5, we derive:
  V19: $U_i\mid \equiv (U_i\stackrel{K_S}{⟷}{S}_j)$ (Goal 1)
• Based on assumption A10, V18 and Rule 5, we derive:
  V20: $S_j\mid \equiv (U_i\stackrel{K_S}{⟷}{S}_j)$ (Goal 2)

The above description clearly shows that $U_i$, $GWN$ and $S_j$ achieve the mutual authentication property. In addition, based on Goal 1, Goal 2, Goal 3 and Goal 4, we can assure that the session key $K_S$ is securely shared between them.

6. Formal Security Proof of the Proposed Scheme

In this section, we have demonstrated that the proposed scheme is secure through a formal proof using the random oracle model. First, we specify a cryptographic one-way hash function as follows.

Definition 1.

A hash function $f:{\{0,1\}}^{*}\to {\{0,1\}}^n$ is a one-direction function [38,39] that takes the input $x\in {\{0,1\}}^{*}$ of arbitrary length and outputs a bit string with a fixed-length $f(x)\in {\{0,1\}}^n$, which is referred to as the “message digest” or “hash value”. When using cryptographic hash functions, the following three common levels of security must be considered:

• It is impossible to acquire the input x under the conditions of the hash value $y=h(x)$ and the given hash function $h(·)$.
• It is impossible to acquire another input $x^{\prime }$, when given the input x and $f(x^{\prime })=f(x)$.
• It is impossible to acquire the inputs $(x,x^{\prime })$, where $x\ne x^{\prime }$, when given $f(x)=f(x^{\prime })$.

Reveal: Given the hash result $y=h(x)$, this random oracle will unconditionally output the input x.

Theorem 1.

A one-way hash function $h(·)$ is assumed to operate like an oracle. Under this assumption, our proposed mechanism is provably secure against an attacker $\mathcal{A}$ to protect $U_i$’s personal information, such as identity $I{D}_i$, password $P{W}_i$, biometrics $Bi{o}_i$ and the $GWN$’s secret key K.

Proof. 

A similar method as that used in [26] is applied in our authentication mechanism to formally verify the security. For the proof, we assume that an attacker $\mathcal{A}$ is able to derive $U_i$’s identity $I{D}_i$, password $P{W}_i$, biometrics $Bi{o}_i$ and the $GWN$’s secret key K. For this, $\mathcal{A}$ runs the experimental algorithm that is shown in Algorithm 1, $EXP{1}_{HASH,A}^{AUAKAS}$ for our anonymous user authentication with key agreement scheme (AUAKAS). We define the success probability for $EXP{1}_{HASH,A}^{AUAKAS}$ as $Success{1}_{HASH,A}^{ABUAKAS}=|Pr[EXP{1}_{HASH,A}^{ABUAKAS}=1]-1|$, where $Pr(·)$ means the probability of $EXP{1}_{HASH,A}^{AUAKAS}$. The advantage function for this experiment becomes $Ad{v}_{HASH,A}^{ABUAKAS}(t,q_R)=ma{x}_A\{Success{1}_{HASH,A}^{ABUAKAS}\}$ in which the maximum is determined by three factors: all of $\mathcal{A}$, the execution time t and the number of queries $q_R$ derived from the Reveal oracle. If attacker $\mathcal{A}$ is assumed to be able to resolve the hash function problem, $\mathcal{A}$ could directly obtain $U_i$’s identity $I{D}_i$, password $P{W}_i$, biometrics $Bi{o}_i$ and the $GWN$’s secret key K. Refer to the attack experiment described in Algorithm 1. In this case, $\mathcal{A}$ will discover the complete connections between $U_i$ and $GWN$. However, it is computationally infeasible to invert a one-way hash function $h(·)$, i.e., $Ad{v}_{HASH,A}^{AUAKAS}(t)\le ϵ$, $\forall ϵ>0$. Then, we have $Ad{v}_{HASH,A}^{AUAKAS}(t,q_R)\le ϵ$, since $Ad{v}_{HASH,A}^{AUAKAS}(t,q_R)$ depends on $Ad{v}_{HASH,A}^{AUAKAS}(t)$. Therefore, our proposed scheme is provably secure against the attacker $\mathcal{A}$ for deriving $I{D}_i,P{W}_i,Bi{o}_i$ and K. ☐

Algorithm 1: Algorithm $EXP{1}_{HASH,A}^{AUAKAS}$.

1. Eavesdrop login request message $〈DI{D}_i,M_{U_i,G},C_i,T_1〉$ during the login phase.  2. Call the Reveal oracle. Let $(TI{D}_i^{\prime },HP{W}_i^{\prime },HI{D}_i^{\prime },T_1^{\prime })\leftarrow Reveal(M_{U_i,G})$  3. Call the Reveal oracle. Let $(I{D}_i^{\prime },u^{\prime })\leftarrow Reveal(TI{D}_i^{\prime })$  4. Computes $DI{D}_i^{\prime }=h(I{D}_i^{\prime }||u^{\prime })\oplus HI{D}_i^{\prime }$  5. if $(DI{D}_i^{\prime }=DI{D}_i)$ then  6.    Accepts $I{D}_i^{\prime }$ as the correct $I{D}_i$ of user $U_i$  7.    Call the Reveal oracle. Let $(P{W}_i^{\prime },Bi{o}_i^{\prime })\leftarrow Reveal(HP{W}_i^{\prime })$  8.    Computes $M_{U_i,G}^{\prime }=h(TI{D}_i^{\prime }||h(P{W}_i^{\prime }||Bi{o}_i^{\prime })||HI{D}_i^{\prime }||T_1^{\prime })$  9.    if $(M_{U_i,G}^{\prime }=M_{U_i,G})$ then  10.       Accepts $Bi{o}_i^{\prime }$ and $P{W}_i^{\prime }$ as the correct $Bi{o}_i$ and $P{W}_i$ of user $U_i$  11.       Call the Reveal oracle. Let $(HI{D}_i^{\prime \prime },K^{\prime })\leftarrow Reveal(C_i)$  12.       if $(HI{D}_i^{\prime \prime }=HI{D}_i^{\prime })$ then  13.          Accept $K^{\prime }$ as the correct secret key K of gateway node $GWN$  14.          return 1 (Success)  15.       else  16.          return 0  17.       end if  18.    else  19.       return 0  20.    end if  21. else  22.    return 0  23. end if

Theorem 2.

The one-way hash function $h(·)$ is assumed to perform as an oracle, and the smart card for $U_i$ is stolen by an adversary $\mathcal{A}$. Under these assumptions, our proposed mechanism is secure against an adversary $\mathcal{A}$ to derive the password $P{W}_i$ of a user $U_i$.

Proof. 

We assume that an attacker $\mathcal{A}$ is able to derive the $U_i$’s password $P{W}_i$ after extracting the parameters $\{A_i,B_i,C_i,h(·),H(·)\}$ stored in the smart card by physically monitoring its power consumption [31]. $\mathcal{A}$ then runs the experimental algorithm $EXP{2}_{HASH,A}^{AUAKAS}$ that is shown in Algorithm 2. We define the success probability for $EXP{2}_{HASH,A}^{AUAKAS}$ as $Success{2}_{HASH,A}^{ABUAKAS}=|Pr[EXP{2}_{HASH,A}^{ABUAKAS}=1]-1|$, where $Pr(·)$ means the probability of $EXP{2}_{HASH,A}^{AUAKAS}$. The advantage function for this experiment becomes $Adv{2}_{HASH,A}^{ABUAKAS}(t_2,q_R)=ma{x}_A\{Success{2}_{HASH,A}^{ABUAKAS}\}$ in which the maximum is determined by three factors: all of $\mathcal{A}$, the execution time $t_2$ and the number of queries $q_R$ derived from the Reveal oracle. If $Adv{2}_{HASH,A}^{AUAKAS}(t_2)\le ϵ$, $\forall ϵ>0$, our scheme is provably secure against the attacker $\mathcal{A}$ to derive $P{W}_i$. According to the attack experiment described in Algorithm 2, $\mathcal{A}$ could obtain $U_i$’s password $P{W}_i$ if $\mathcal{A}$ is able to resolve the hash function problem. However, as shown in Definition 1, it is computationally infeasible to invert a one-way hash function $h(·)$. Then, we have $Adv{2}_{HASH,A}^{AUAKAS}(t_2,q_R)\le ϵ$, since $Adv{2}_{HASH,A}^{AUAKAS}(t_2,q_R)$ depends on $Adv{2}_{HASH,A}^{AUAKAS}(t_2)$. As a result, the proposed scheme is provably secure against attacker $\mathcal{A}$ to derive $P{W}_i$ even if the smart card is stolen by $\mathcal{A}$. ☐

Algorithm 2: Algorithm $EXP{2}_{HASH,A}^{AUAKAS}$.

1. Extract the information $\{A_i,B_i,C_i,D_i,h(·),H(·)\}$ stored in the smart card       through physically monitoring its power consumption [31].  2. Call the Reveal oracle. Let $(HP{W}_i^{\prime },TI{D}_i^{\prime },HI{D}_i^{\prime })\leftarrow Reveal(A_i)$  3. Call the Reveal oracle. Let $(P{W}_i^{\prime },Bi{o}_i^{\prime })\leftarrow Reveal(HP{W}_i^{\prime })$  4. Computes $HI{D}_i^{\prime }=A_i\oplus h(h(P{W}_i^{\prime }||Bi{o}_i^{\prime })||TI{D}_i^{\prime })$  5. Computes $B_i^{\prime }=h(HP{W}_i^{\prime }||HI{D}_i^{\prime })=h(h(P{W}_i^{\prime }||Bi{o}_i^{\prime })||A_i\oplus h(h(P{W}_i^{\prime }||Bi{o}_i^{\prime })||TI{D}_i^{\prime }))$  6. if $(B_i^{\prime }=B_i)$ then  7.    Accepts $P{W}_i^{\prime }$ as the correct $P{W}_i$ of user $U_i$  8.    return 1 (Success)  9. else  10.    return 0  11. end if

7. Performance Analysis of the Proposed Scheme

In this section, we performed a comparison of the computational costs and execution time for the proposed scheme relative to other, related schemes [10,12,13,14,15]. In general, the computational cost is examined based on the respective operations in the authentication protocol. Accordingly, this analysis of the computational cost concentrates on the operations that are conducted by the participant, such as $U_i$, $GWN$ and $S_j$. To evaluate the computational costs, we define the following computational parameters.

• $T_H$: the time to execute a one-way hash/pseudo-random function/biohash function.
• $T_X$: the time to execute a XOR operation.
• $T_E$: the time to execute a ECC multiplication.
• $T_F$: the time to execute a fuzzy extractor.

Table 3. Comparison of the computational cost between our scheme and other hash-based schemes.

Phases		Khan et al. [10]	Vaidya et al. [12]	Kim et al. [13]	Chang et al. [14]	Park et al. [15]	Proposed Scheme
Registration	$U_i$	$1T_H$	$1T_H$	$2T_H+1T_X$	$2T_H+1T_X$	$1T_H+1T_F$	$3T_H$
	$GWN$	$2T_H+1T_X$	$4T_H+2T_X$	$6T_H+3T_X$	$5T_H+3T_X$	$5T_H+3T_X$	$3T_H+3T_X$
	$S_j$	−	−	−	−	−	−
Login	$U_i$	$3T_H+1T_X$	$6T_H+4T_X$	$7T_H+5T_X$	$7T_H+4T_X$	$6T_H+3T_X+1T_F+1T_E$	$6T_H+2T_X$
	$GWN$	−	−	−	−	−	−
	$S_j$	−	−	−	−	−	−
Authen tication	$U_i$	−	$2T_H+3T_X$	$2T_H+4T_X$	$4T_H+2T_X$	$4T_H+2T_X+1T_E$	$2T_H+2T_X$
	$GWN$	$5T_H+2T_X$	$6T_H+6T_X$	$8T_H+8T_X$	$6T_H+4T_X$	$11T_H+4T_X$	$8T_H+5T_X$
	$S_j$	$2T_H$	$3T_H+2T_X$	$3T_H+2T_X$	$4T_H+1T_X$	$4T_H+1T_X+2T_E$	$4T_H+1T_X$
Password change	$U_i$	$3T_H+2T_X$	$8T_H+6T_X$	$9T_H+7T_X$	$9T_H+6T_X$	$8T_H+6T_X+1T_F$	$8T_H+2T_X$
	$GWN$	−	−	−	−	−	−
	$S_j$	−	−	−	−	−	−
Total cost		$16T_H+6T_X$	$30T_H+24T_X$	$37T_H+30T_X$	$37T_H+21T_X$	$39T_H+19T_X+3T_F+4T_E$	$34T_H+15T_X$
Execution time		≈0.008 s	≈0.015 s	≈0.0185 s	≈0.0185 s	≈0.4605 s	≈0.017 s

provides a summary of the comparison of the computational overhead of the related schemes [10,12,13,14,15]. The results show that Khan and Alghathbar’s scheme [10], Vaidya et al.’s scheme [12], Kim et al.’s scheme [13], Change et al.’s scheme [14], Park and Park’s scheme [15] and the proposed scheme require total computational overheads of $16T_H+6T_X$, $30T_H+24T_X$, $37T_H+30T_X$, $37T_H+21T_X$, $39T_H+19T_X+3T_F+4T_E$ and $34T_H+15T_X$, respectively.

Based on the total cost results in Table 3, we have performed an experiment on the execution time to obtain an objective comparison between our scheme and other related schemes [10,12,13,14,15]. The following methods are generally used to measure the execution time for the authentication protocol: (i) determine computational overhead; (ii) measure the execution time of the cryptographic operations used in the protocol; and (iii) substitute the measured time obtained by (ii) into (i). We have measured the execution times using these measurement methods, and the results are shown in the execution time field of Table 3.

The results of the simulation in Li et al.’s and Wazid et al.’s research [40,41] show that the actual execution time for the cryptographic one-way hash function $T_H$ and ECC multiplication $T_E$ is 0.0005 s and 0.063 s, respectively. In addition, according to [41], the execution time of the fuzzy extractor operation $T_F$ is almost the same as the ECC multiplication operation $T_E$. Thus, we assumed that the time consumption of these two operations is the same. On the other hand, XOR operation $T_X$ is not considered in our measurement because the execution time of the XOR operation $T_X$ is extremely short. Based on the $T_H\approx 0.0005$, $T_E\approx 0.063$, $T_F\approx 0.063$ and the total computation cost, we finally analyze the execution time. As shown in Table 3, we observed that the execution time of our proposed scheme is of only 0.017 s ($34T_H$ ≈ 34 × 0.0005 s), so it can be considered as a negligible significance. In contrast, the execution times of Kim et al.’s scheme [13], Chang et al.’s scheme [14] and Park and Park’s scheme [15] are 0.0185 s ($37T_H$ ≈ 37 × 0.0005 s), 0.0185 s ($37T_H$ ≈ 37 × 0.0005 s) and 0.4605 s ($39T_H+3T_F+4T_E$ ≈ 39 × 0.0005 s + 7 × 0.063 s), respectively. Therefore, our scheme turned out to have a slightly better efficiency than these schemes [13,14,15]. Even if our scheme requires slightly more computation time than Khan and Alghathbar’s scheme [10] and Vaidya et al.’s scheme [12], this is acceptable because our scheme has more effective security features and a higher security level, as shown in Table 2.

8. Conclusions

In this paper, we have demonstrated that Chang et al.’s scheme has a number of critical weaknesses, and we propose an authentication mechanism with enhanced security to overcome these weaknesses. Our proposed scheme has been thoroughly verified in terms of its variety of security features, and the proof result demonstrates that our scheme can guarantee protection against various types of attacks, even if the smart card is stolen by an attacker. In addition, a performance comparison for the proposed scheme in relation to the schemes proposed in other studies was carried out, and we consider that our proposed scheme has sufficient efficiency for WSNs.