Provably Secure Dynamic Anonymous Authentication Protocol for Wireless Sensor Networks in Internet of Things

Abstract

Wireless sensor networks are a promising application of the Internet of Things in the sustainable development of smart cities, and have been afforded significant attention since first being proposed. Authentication protocols aim to protect the security and confidentiality of legitimate users when accessing and transmitting data. However, existing protocols may suffer from one or more security flaws. Recently, Butt et al. proposed an energy-efficient three-factor authentication protocol for wireless sensor networks. However, their protocol is vulnerable to several attacks, and lacks certain security properties. In this paper, the causes of these design flaws are analyzed. Furthermore, we propose a novel three-factor authentication protocol (password, smart card, and biometric information) for wireless sensor networks in Internet of Things contexts. A dynamic anonymous strategy is designed to prevent privacy disclosure and to resist sensor node capture attacks, tracking attacks, and desynchronization attacks. The Find–Guess model and random oracle model are combined to prove the security of the proposed protocol. A comparative analysis with related schemes shows that the proposed protocol has higher security and is able to maintain a low computational overhead.

1. Introduction

A wireless sensor network is a network formed by multi-sensor cooperative detection of the complex physical environment through wireless communication technology. The lightweight nature of the Internet of Things makes wireless sensor network more practical. Nodes in traditional sensor networks realize point-to-point transmission through a wired channel. The function and application scenario of traditional sensor networks are relatively simple and limited. Until the end of the last century, circuit bus technology and wireless technology were applied to sensor networks, and the current Internet of Things-based wireless sensor network architecture was gradually formed. Compared with traditional sensor networks, the cost of sensors in Internet of Things contexts is greatly reduced, while the reliability and scalability of the system are significantly improved. In addition, as the most recent sensor networks, Internet of Things-based wireless sensor networks have the advantages of self-organizing dynamic topology [1], the development and application of which have a far-reaching impact on all fields. However, communication based on wireless channels makes wireless sensor networks in Internet of Things contexts vulnerable to passive eavesdropping, active intrusion, message replay, and other attacks [2]. Therefore, the security issues involving Internet of Things-based wireless sensor networks are urgent and need to be solved.

In the past few decades, authentication protocols for wireless sensor networks for the Internet of Things have made great progress. In 2006, Wong et al. [3] proposed a dynamic password-based authentication scheme for wireless sensor network, in which the users request sensors via the gateway node. However, their scheme is vulnerable to multiple attacks, including replay attacks, impersonation attacks, and stolen-verifier attacks. Das [4] pointed out these defects in Wong et al.’s scheme and proposed a security-enhanced scheme based on a smart card and password, allowing it to resist the attacks above. Although the scheme proposed by Das is more secure than that of Wong et al., it is not satisfactory in that the secret parameters are stored as plaintext in the sensor node and smart card, which makes it vulnerable to node-capture attacks or smart card loss attacks. In 2010, the research of Khan and Alghathbar [5] indicated that the scheme proposed by Das fails to realize mutual authentication and suffers from vulnerability to privileged-insider attacks. They proposed an authentication scheme that resists privileged-insider attacks. In addition, multiple password-based authentication schemes have been proposed [6,7,8,9]. Nevertheless, most password-based schemes are generally vulnerable to off-line password guessing attacks.

To overcome the shortcomings of password-based schemes, biometrics can be adopted in identity verification. In 2010, Yuan et al. [10] proposed an authentication protocol based on biometrics, passwords, and smart cards. However, their protocol lacks message confidentiality and integrity verification. Moreover, their scheme suffers from sensor node capture attacks and impersonation attacks. In the following year, Yoon et al. [11] improved on Yuan et al.’s scheme without using passwords. Legitimacy verification in the scheme proposed by Yoon et al. is based on secret parameters. However, there are security flaws in this scheme, such as confidentiality issues and vulnerability to denial of service attacks. He et al. [12] proposed a protocol in 2012 that fixes these flaws. Chen et al. [13] proposed an authentication scheme suitable for wireless sensor networks in Internet of Things environments; however, Hu [14] pointed out that their scheme is vulnerable to off-line password guessing attacks and impersonation attacks, and fails to achieve perfect forward secrecy, user anonymity, and unlinkability. They instead proposed a novel security-enhanced scheme for wireless sensor networks in Internet of Things contexts.

Compared with password-based two-factor authentication schemes, three-factor schemes with the participation of biometrics have higher security. Generally speaking, three-factor schemes can resist password-guessing attacks and user impersonation attacks. In 2021, Shuai et al. [15] proposed a three-factor authentication scheme for wireless sensor networks in Internet of Things environments. However, Xie et al. pointed out that this scheme is vulnerable to stolen-verifier attacks and desynchronization attacks, and has no perfect forward secrecy. Instead, they proposed a security-enhanced anonymous three-factor authentication scheme [16] based on elliptic curve cryptography [17]. Unfortunately, if an adversary captures a sensor node, it can be used to recover the user’s identity in the schemes of both Xie et al. [16] and Shuai et al. [15]. Generally speaking, if the designed protocols does not use Diffie-Hellman key exchange algorithm [18] to generate the session key, such schemes cannot achieve perfect forward secrecy [19,20,21,22,23]. Recently, Butt et al. [24] proposed a three-factor authentication scheme based on elliptic curve cryptography for wireless sensor network. However, their scheme is vulnerable to replay attacks, sensor node capture attacks, and off-line password guessing attacks, and fails to preserve session key secrecy, perfect forward secrecy, anonymity, and unlinkability. In 2021, Xie et al. [25] proposed a wireless sensor network authentication protocol for a smart city that addressed a number of open issues, such as the inability to resist offline password guessing attacks and impersonation attacks as well as the lack of session key secrecy, identity unlinkability, and perfect forward secrecy. In 2022, Ouni and Saleem [26] proposed a framework for wireless sensor networks for the Internet of Things that detects environmental data through sensors connected to the cloud and feeds these data back to users.

Wireless sensor networks for the Internet of Things are considered to be one of the most crucial technologies affecting the future development of mankind. They can provide a new way to obtain and process information. However, wireless sensor networks face two major challenges that traditional sensor networks do not have. First, in terms of security, information transmitted via open channels is subject to eavesdropping, tampering, and other attacks [27]. Second, in terms of computing power, the limited resources of sensors demand the design of lightweight authentication protocols for wireless sensor networks. Previous researchers have often focused on only one of these issues, not both, resulting in proposed solutions with either insufficient security or high computational cost.

Most protocols are likely to suffer from one or more attacks. In particular, sensor node captured attacks can easily lead to user privacy disclosure and vulnerability to forgery attacks. Therefore, we take Butt et al.’s scheme as an example. We analyze their scheme for security flaws and investigate their causes. In addition, we propose a protocol using the Diffie-Hellman algorithm and symmetric encryption algorithm. The contributions of this paper are listed as follows:

• The security flaws of Butt et al.’s protocol are typical, which implies that the design strategies used in our proposed protocol can be applied to similar schemes in general.
• The proposed strategies can avoid existing design deficiencies. Symmetric encryption and elliptic curve cryptography are combined to design a secure protocol for wireless sensor networks. A dynamic pseudonym strategy is developed to resist desynchronization attacks and sensor node capture attacks, while symmetric encryption is used to protect the privacy of transmitted messages.
• The proposed protocol is formally proved by combining a Find–Guess model and a random oracle model.

The remainder of this paper is organized as follows. In the next Section, the scheme of Butt et al. is reviewed and analyzed. Section 3 introduces the system model, the adversary model, and the proposed protocol. A security analysis and proof of the proposed protocol are presented in Section 4. Section 5 provides comparisons of performance and security properties with related works. Finally, the paper is concluded in Section 6.

2. Security Analysis of Butt et al. Scheme

In this section, the scheme of Butt et al. is reviewed and the flaws in their scheme are pointed out. In addition, the causes of these design flaws are analyzed, implying design strategies that can be used to overcome them.

2.1. Review of Butt et al. Scheme

2.1.1. Registration Phase

In this phase, the user registers with the gateway and the sensor nodes. The gateway generates a secret number $x_0$, which is shared with users and sensor nodes. The steps are as follows.

Step RP1: The user first enters his/her identity $I{D}_i$, password $P{W}_i$, and biometric $B_i$ into the device with a biometric reader. The device calculates $I{D}_i^{*}=I{D}_i\oplus x_0$, $\left({\sigma }_i,{\tau }_i\right)=Gen\left(B_i\right)$, $A_i=h\left({\sigma }_i\right)$, and $HPW=h\left(P{W}_i\right)$, where the secret parameter $x_0$ is known to all nodes. Then, $M_1=\left\{I{D}_i^{*},A_i,HPW\right\}$ is transmitted to the gateway.

Step RP2: Upon receiving $M_1=\left\{I{D}_i^{*},A_i,HPW\right\}$, the gateway computes $I{D}_i=I{D}_i^{*}\oplus x_0$, $N_i=HPW\oplus x_0$, $S_i=I{D}_i\oplus x_0$, and $M_i=S_i\oplus h\left(A_i\oplus HPW\right)$. Then, the gateway sends $M_2=\left\{N_i,S_i,M_i\right\}$ to the user and sensor nodes.

2.1.2. Login and Authentication Phase

The user follows the steps below to log in and authenticate.

Step LA1: The user first inputs the identity $I{D}_i$, the password $P{W}_i^{*}$, and the biometric $B_i^{*}$ into the device. Then, the device calculates ${\sigma }_i^{*}=Rep\left(B_i^{*},{\tau }_i\right)$, $A_i^{*}=h\left({\sigma }_i^{*}\right)$, $HP{W}^{*}=h\left(P{W}_i^{*}\right)$, $X_i=\left(r_u·P_{ec}\right)\oplus x_0$, $Y_i=I{D}_i\oplus N_i$, and $I{D}_i^{*}=Y_i\oplus HP{W}^{*}$, where $P_{ec}$ is the generator point on an elliptic curve, $r_u$ is a random number generated by the device. After that, the user sends $M_3=\left\{I{D}_i^{*},A_i^{*},X_i,HP{W}^{*},RI,N_a\right\}$ to the gateway, where $RI$ is the request information and $N_a$ is a nonce generated by the user.

Step LA2: On receiving the message $M_3=\left\{I{D}_i^{*},A_i^{*},X_i,HP{W}^{*},RI,N_a\right\}$, the gateway calculates and verifies $I{D}_i=I{D}_i^{*}\oplus x_0$. If the verification is passed, the gateway compares $A_i^{*}$ and $HP{W}^{*}$ with $A_i$ and $HPW$ to check their equality, then generates a random number $r_s$ and computes $S_i^{*}=I{D}_i^{*}\oplus x_0$, $M_i^{*}=S_i^{*}\oplus h\left(A_i^{*}\oplus HP{W}^{*}\right)$, $X_i^{*}=X_i\oplus x_0$, $D_i=r_s·P_{ec}$, and $C_i=r_s·X_i^{*}$. Then, the gateway transmits the message $M_4=\left\{I{D}_i^{*},X_i,A_i^{*},C_i,D_i,HP{W}^{*},RI,M_i^{*},N_a\right\}$ to the sensor node.

Step LA3: After receiving the message $M_4$, the sensor node first verifies whether $M_i^{*}=M_i$. If the verification is passed, the sensor node calculates $X_i^{*}=X_i\oplus x_0$, $S{K}_s=h\left(C_i\parallel I{D}_i^{*}\parallel N_a\parallel x_0\right)$, $E_{S{K}_s}\left(RI\right)=e$, and $E_{S{K}_s}\left(N_a\right)=J_i$. Then, the message $M_5=\left\{D_i,e,N_s,J_i\right\}$ is sent to the user, where $N_s$ is a nonce generated by the sensor node.

Step LA4: Upon receiving the message $M_5$, the user calculates $C_i=r_u·D_i$, $S{K}_u=h\left(C_i\parallel I{D}_i^{*}\parallel N_a\parallel x_0\right)$, and $RI=D_{S{K}_u}\left(e\right)$.

Step LA5: The user sends $\left(N_s\oplus x_0\right)S{K}_u$ to the sensor node as an acknowledgment.

2.2. Security Analysis of Butt et al. Scheme

The scheme proposed by Butt et al. cannot resist replay attacks, sensor node capture attacks, or off-line password guessing attacks, and fails to preserve session key secrecy, perfect forward secrecy, anonymity, or unlinkability. These weaknesses are described in the following subsections, and the causes of these issues are presented.

2.2.1. Replay Attack/User Impersonation Attack

By replaying $\left\{I{D}_i^{*},A_i^{*},HP{W}^{*},RI\right\}$ and generating $\left\{X_i,N_a\right\}$ to forge the message $M_3$, an adversary can impersonate a user to complete the authentication process and negotiate the session key, where $X_i=\left(r_u·P_{ec}\right)\oplus x_0$, $P_{ec}$ is the generator point, $r_u$ is a random number, $N_a$ is a nonce, and $x_0$ is shared among all nodes and users, and can be obtained by registering or capturing nodes.

The cause of vulnerability to replay attacks is that the proposed scheme does not use timestamps and makes improper use of random numbers. The cause of vulnerability to user impersonation attacks is that the secret key $x_0$ is shared among the users, sensor nodes, and gateway.

2.2.2. Sensor Node Capture Attacks

In Butt et al.’s scheme, the secret parameter $x_0$ and user’s information $\left\{N_i,S_i,M_i\right\}$ are known to all nodes, where $N_i=HPW\oplus x_0$, $S_i=I{D}_i\oplus x_0$, and $M_i=S_i\oplus h\left(A_i\oplus HPW\right)$. An adversary can obtain them by capturing a sensor node. Therefore, the adversary can obtain the session key by calculating $S{K}_s=h\left(C_i\parallel I{D}_i^{*}\parallel N_a\parallel x_0\right)$, where $C_i$, $I{D}_i^{*}$, and $N_a$ are transmitted in public. In addition, the adversary can corrupt a user’s privacy and impersonate the user.

The reason for the above defect is that sensors store a generic secret value $x_0$ and users’ private information $\left\{N_i,S_i,M_i\right\}$.

2.2.3. No Perfect Forward Secrecy

If the long-term key $x_0$ is known by an adversary, he/she can acquire the previous session keys and the later session keys by calculating $S{K}_s=h\left(C_i\parallel I{D}_i^{*}\parallel N_a\parallel x_0\right)$, where $C_i$, $I{D}_i^{*}$, and $N_a$ are transmitted in public. Therefore, the scheme lacks perfect forward secrecy.

The reason for the lack of perfect forward security is the absence of a Diffie–Hellman key agreement algorithm.

2.2.4. No Anonymity and Unlinkability

In Step LA2 of Butt et al.’s scheme, the gateway transmits $M_4=\left\{I{D}_i^{*},X_i,A_i^{*},C_i,D_i,HP{W}^{*},RI,M_i^{*},N_a\right\}$ to the sensor node in public. The adversary can recover $S_i^{*}$ by calculating $M_i^{*}\oplus h\left(A_i^{*}\oplus HP{W}^{*}\right)=S_i^{*}$, where $A_i^{*}$ and $HP{W}^{*}$ are available from $M_3=\left\{I{D}_i^{*},A_i^{*},X_i,HP{W}^{*},RI,N_a\right\}$. By computing $S_i^{*}\oplus I{D}_i^{*}=x_0$ and $x_0\oplus I{D}_i^{*}=I{D}_i$, the identity $I{D}_i$ of the user is known to the adversary. Therefore, the scheme fails to provide anonymity.

$I{D}_i^{*}$, $A_i^{*}$, and $HP{W}^{*}$ are fixed in each session, and the adversary can trace the user by eavesdropping. Consequently, the scheme fails to achieve unlinkability.

The reason for the lack of anonymity and unlinkability is that the identity $I{D}_i$ can be easily recovered and the parameter $S_i^{*}=I{D}_i^{*}\oplus x_0$ is fixed.

2.2.5. Off-Line Password Guessing Attacks

In Step LA1 of the login and authentication phase, the user sends $M_3=\left\{I{D}_i^{*},A_i^{*},X_i,HP{W}^{*},RI,N_a\right\}$ to the gateway via the open channel, where $HP{W}^{*}=h\left(P{W}_i^{*}\right)$, $P{W}_i^{*}$ is the user’s password. An adversary can verify the correctness of the guessed password $P{W}_A$ by comparing $HP{W}^{*}$ with $h\left(P{W}_A\right)$.

The reason for this flaw is that the adversary can use the public parameter $HP{W}^{*}$ to verify the correctness of the guessed password. Making the verification of guessed passwords infeasible can ensure password security.

2.2.6. No Session Key Secrecy

As per the steps shown in Section 2.2.4, the secret parameter $x_0$ can be obtained by calculating $M_i^{*}\oplus h\left(A_i^{*}\oplus HP{W}^{*}\right)\oplus I{D}_i^{*}=x_0$. Therefore, an adversary can compute the session key $S{K}_s=h\left(C_i\parallel I{D}_i^{*}\parallel N_a\parallel x_0\right)$, where $C_i$, $I{D}_i^{*}$, and $N_a$ are transmitted via the open channel, implying that the scheme has no session key secrecy.

This deficiency exists because all negotiation parameters of the session key are accessible to third parties over the public channel. In order to fulfill session key secrecy, it must be ensured that the key composition parameters cannot be easily calculated and obtained by attackers.

3. The Proposed Scheme

In this section, a lightweight dynamic anonymous authentication scheme for wireless sensor networks in Internet of Things environments is proposed. It consists of a system setup phase, registration phase, and login and authentication phase. The system model and the adversary model are shown as follows. The notation mentioned in the scheme is listed in

Table 1. Notation.

Notation	Description
$U_i$	$i^{th}$ User
$I{D}_i$	The identity of $U_i$
$S{N}_j$	$j^{th}$ Sensor node
$SI{D}_j$	The identity of $S{N}_j$
$GWN$	The gateway node
$P{W}_i$	The password of $U_i$
$S{K}_{ }$	The session key
$B_i$	The biometric of $U_i$
$N_a$, $N_s$	Nonces
$T_1$, $T_2$	Timestamps
$x_0$	Secret parameter shared with trusted nodes
${\tau }_i$, ${\sigma }_i$	Reproduction parameter and biometric key of fuzzy extractor
$Rep()$, $Gen()$	Reproduction and generation function of fuzzy extractor
$\parallel$	Concatenation
$\oplus$	XOR operation
$h\left(.\right)$	Hash function
$\mathsf{\Delta }T$	Transmission delay time
$K_{GWN}$	The secret key of the gateway
$r_i$, $u_i$, $c_j$	Random numbers
$DI{D}_i$	The temporary identity of the user

.

3.1. System Model and Adversary Model

3.1.1. System Model

There are three types of participants involved in wireless sensor network systems: the user, the gateway, and the sensor. Users and sensors are registered in the gateway via the secure channel. After registration, mutual authentication and communication between users and sensors are established through the public channel. The system model is shown in Figure 1.

User: The registered user has a smart card to store the registration information. The smart card can be obtained and analyzed by the adversary. While the adversary may guess the user’s password, the user’s biometric information cannot be obtained by the adversary.

Gateway: The gateway is assumed to be trustful, and its key cannot be obtained by an adversary. The gateway never conspires with other participants.

Sensor node: The storage and computing capabilities of sensor nodes are limited, and adversaries can capture sensors and analyze their stored information.

3.1.2. Adversary Model

According to Dolev and Yao’s attack model [28] as well as to a previous survey [29], the adversary model of the proposed protocol is presented as follows:

• All messages transmitted publicly can be captured by the adversary, and he/she can replay, modify, and reroute the messages.
• Off-line password guessing attacks can be launched, and the identity of users can be obtained.
• Sensor nodes and smart cards can be captured, and all information stored in captured nodes and stolen cards can be obtained.
• Adversaries may be privileged insider users.
• The only trusted entity is the gateway.
• The master key of the gateway and the biological keys of the users cannot be obtained.

3.2. The Proposed Protocol

3.2.1. System Initialization Phase

The gateway chooses an elliptic curve $E\left(G{F}_q\right)$ based on a finite field $GF\left(q\right)$, where $q$ is a large prime number and $P$ is a generator point. The gateway then publishes $P$, the generation function $Gen\left(.\right)$ and reproduction function $Rep\left(.\right)$ of the fuzzy extractor, and the hash function $h\left(.\right)$.

3.2.2. Registration Phase

User registration phase:

Step UR1: The user first inputs their identity $I{D}_i$, biometrics $B_i$, and password $P{W}_i$ into the device. The device computes $\left({\sigma }_i, {\tau }_i\right)=Gen\left(B_i\right)$ and $HP{W}_i=h\left(I{D}_i\parallel P{W}_i\parallel {\sigma }_i\right)$, and sends $\left\{I{D}_i\right\}$ to the gateway via secure channel.

Step UR2: The gateway verifies the uniqueness of $I{D}_i$; if it cannot, it requests a new identity from the user. Otherwise, the gateway generates a random number $r_i$ and calculates $S_i=h\left(I{D}_i\parallel h\left(K_{GWN}\right)\right)$ and $DI{D}_i=E_{K_{GWN}}\left(I{D}_i,r_i\right)$, where $K_{GWN}$ is the gateway’s secret key. Then, $\left\{S_i,DI{D}_i\right\}$ is sent to the user via secure channel and $h\left(I{D}_i\right)$ is stored for uniqueness verification.

Step UR3: The user’s device computes $A_i=S_i\oplus h\left(I{D}_i\parallel {\sigma }_i\parallel P{W}_i\right)$ and $HI{D}_i=DI{D}_i\oplus h\left(S_i\parallel P{W}_i\parallel {\sigma }_i\right)$, and stores $\left\{HP{W}_i,{\tau }_i,A_i,HI{D}_i\right\}$ on the smart card.

The process of the user registration phase is shown in Figure 2.

Sensor node registration phase:

Step SR1: The gateway first chooses a unique identity $SI{D}_j$ of the sensor node and computes $b_j=h\left(SI{D}_j\parallel h\left(K_{GWN}\right)\right)$. Then, $\left\{b_j, SI{D}_j\right\}$ is securely transmitted to the sensor node.

Step SR2: The sensor node stores $\left\{b_j, SI{D}_j\right\}$.

Figure 3 shows the registration phase of the sensor node.

3.2.3. Authentication and Session Key Agreement Phase

Step AP1: The user first inserts the smart card and inputs their identity $I{D}_i^{*}$, password $P{W}_i^{*}$, and biometrics $B_i^{*}$ into the device. The device calculates ${\sigma }_i^{*}=Rep\left(B_i^{*},{\tau }_i\right)$ and $HP{W}_i^{*}=h\left(I{D}_i^{*}\parallel P{W}_i^{*}\parallel {\sigma }_i^{*}\right)$. If $HP{W}_i^{*}\ne HP{W}_i$, the user login fails; otherwise, the device computes $S_i^{*}=A_i\oplus h\left(I{D}_i^{*}\parallel {\sigma }_i^{*}\parallel P{W}_i^{*}\right)$, $DI{D}_i^{*}=HI{D}_i\oplus h\left(S_i^{*}\parallel P{W}_i^{*}\parallel {\sigma }_i^{*}\right)$, $M_1=u_i·P$, and $M_2=E_{S_i^{*}}\left(I{D}_i^{*},SI{D}_j,M_1,T_1\right)$, where $u_i$ is a random number and $T_1$ is a timestamp. After that, the device sends the message $ME{S}_1=\left\{DI{D}_i^{*},M_2\right\}$ to the gateway via the public channel.

Step AP2: On receiving $\left\{DI{D}_i^{*},M_2\right\}$, the gateway recovers the identity of the user by calculating $\left(I{D}_i^{\prime },r_i^{\prime }\right)=D_{K_{GWN}}\left(DI{D}_i^{*}\right)$, then computes $S_i^{\prime }=h\left(I{D}_i^{\prime }\parallel h\left(K_{GWN}\right)\right)$ and $\left(I{D}_i^{*},SI{D}_j,M_1,T_1\right)=D_{S_i^{\prime }}\left(M_2\right)$. The gateway generates the current timestamp $T_1^{*}$ and verifies whether $\left|T_1^{*}-T_1\right|\le \mathsf{\Delta }T$ and $I{D}_i^{*}=I{D}_i^{\prime }$. If not, the gateway aborts this session. Otherwise, the gateway generates the timestamp $T_2$ and computes $b_j=h\left(SI{D}_j\parallel h\left(K_{GWN}\right)\right)$ and $M_3=E_{b_j}\left(DI{D}_i^{*},SI{D}_j,M_1,T_2\right)$. Then, the message $ME{S}_2=\left\{M_3\right\}$ is transmitted to the sensor node.

Step AP3: After $ME{S}_2$ is received, the sensor node calculates $\left(DI{D}_i^{*},SI{D}_j^{*},M_1,T_2\right)=D_{b_j}\left(M_3\right)$ and verifies whether $\left|T_2^{*}-T_2\right|\le \mathsf{\Delta }T$ and $SI{D}_j^{*}=SI{D}_j$. If not, the sensor node terminates this session. Otherwise, the sensor node generates a random number $c_j$ and timestamp $T_3$, then computes $M_4=c_j·M_1$, $M_5=c_j·P$, $SK=h\left(DI{D}_i^{*}\parallel SI{D}_j\parallel M_4\parallel T_3\right)$, $V_1=h\left(SK\parallel SI{D}_j\parallel T_3\right)$, and $M_6=E_{b_j}\left(M_1,V_1,M_5,T_3\right)$. Then, the sensor node transmits the message $ME{S}_3=\left\{M_6\right\}$ to the gateway.

Step AP4: On receiving the message $ME{S}_3$, the gateway calculates $\left(M_1^{\prime },V_1,M_5,T_3\right)=D_{b_j}\left(M_6\right)$ and checks whether $\left|T_3^{*}-T_3\right|\le \mathsf{\Delta }T$ and $M_1^{\prime }=M_1$. If not, the gateway aborts the session. Otherwise, the gateway generates a random number $r_i^{″}$ and a timestamp $T_4$. Then, the gateway updates the temporary identity of the user by computing $DI{D}_i^{new}=E_{K_{GWN}}\left(I{D}_i^{*},r_i^{″}\right)$. Finally, $M_7$ is transmitted to the user as the message $ME{S}_4$, where $M_7=E_{S_i^{\prime }}\left(DI{D}_i^{new},M_1^{\prime },M_5,V_1,T_3,T_4\right)$ is computed by the gateway.

Step AP5: After receiving $M_7$, the user’s device calculates $\left(DI{D}_i^{new},M_1^{\prime },M_5,V_1,T_3,T_4\right)=D_{S_i^{*}}\left(M_7\right)$ and verifies whether $\left|T_4^{*}-T_4\right|\le \mathsf{\Delta }T$ and $M_1^{\prime }=M_1$. If not, the session is terminated. Otherwise, the device calculates $M_8=u_i·M_5$, $S{K}^{\prime }=h\left(DI{D}_i^{*}\parallel SI{D}_j\parallel M_8\parallel T_3\right)$, and $V_1^{\prime }=h\left(S{K}^{\prime }\parallel SI{D}_j\parallel T_3\right)$. If $V_1^{\prime }\ne V_1$, the device aborts the session. Otherwise, the smart card updates the $HI{D}_i$ with $HI{D}_i^{new}$, where $HI{D}_i^{new}=h\left(S_i^{*}\parallel P{W}_i^{*}\parallel {\sigma }_i^{*}\right)\oplus DI{D}_i^{new}$.

Figure 4 shows the authentication and session key agreement phases.

4. Security Analysis

In this section, the security of the proposed protocol is analyzed and proven. Methods used for security proof and validation include the random oracle model, BAN logic, ProVerif, AVISPA, etc. The proposed protocol is based on computational the Diffie–Hellman problem and symmetric encryption; hence, the Find–Guess Model is adopted to prove the security of symmetric encryption, and is combined with the random oracle model to formally prove the security of the proposed protocol.

4.1. Security Model and Proof

4.1.1. Security Model

Definition 1 (Participants):

There are three participants ($P$) in the proposed scheme (denoted as $\Pi$): the user, the gateway, and the sensor node, denoted as $U$, $GWN$, and $SN$, respectively. For the $i$-th instance, they can be recorded as $I_U^i$, $I_{GWN}^i$, and $I_{SN}^i$, which are collectively known as $I_P^i$.

Definition 2 (Oracle states):

In the proposed scheme, the oracle has only three states: $accept$, $reject,$and $\perp$. $accept$ represents that an oracle receives a correct request. If the request is illegal, the oracle is in $reject$. If the above conditions have not occurred, the state of the oracle is $\perp$. We identify that if the state of the oracle $I_U^i$ (or $I_{SN}^i$) is $accept$ and the session key denoted as $S{K}_U^i$ ($S{K}_{SN}^i$) is negotiated already, $I_U^i$ (or $I_{SN}^i$) obtains a session identity $Si{d}_U^i$ (or $Si{d}_{SN}^i$) and corresponding partner identity $Pi{d}_{SN}^i$($Pi{d}_U^i$).

Definition 3 (Partnering):

If the states of $I_U^i$ and $I_{SN}^i$ are $accept$ and the session key has been negotiated between the user and the sensor node, $I_U^i$ and $I_{SN}^i$ are considered partners. Meanwhile, they meet the following conditions:

(1)

$I_U^i=Pi{d}_{SN}^i$ and $I_{SN}^i=Pi{d}_U^i$,

(2)

$Si{d}_U^i=Si{d}_{SN}^i\ne NULL$,

(3)

$S{K}_U^i=S{K}_{SN}^i$.

Definition 4 (Queries):

Queries are listed as follows to simulate various attacks.

• Send ($I_P^i$, $ME{S}_i$): This query simulates an adversary $A$ sending a message to an oracle $I_P^i$. If the message is correct, the oracle responds with $A$ based on $\Pi$. Otherwise, $I_P^i$ ignores the message.
• Execute ($I_P^i$): An execute query represents a passive attack; if the query is executed, $A$ receives all the messages transmitted openly.
• Reveal ($I_P^i$): If $I_U^i$ and $I_{SN}^i$ have negotiated the session key, and all are in the $accept$ state while $A$ has not launched a Test query, the Reveal query reveals the session key $S{K}^i$; otherwise, it reveals $null$.
• Corrupt ($I_U^i$): This query offers the credentials of the user. In the proposed scheme, $A$ executes the Corrupt query to obtain the information $\left\{HP{W}_i,{\tau }_i,A_i,HI{D}_i\right\}$ stored in a smart card.
• Test ($I_P^i$): This query can only be executed once by $A$. If the session key has not been generated, $A$ obtains $null$. Otherwise, the Test query creates a random bit $r$. If $r=1$, the correct session key is sent to $A$; otherwise, $A$ obtains a random number.
• Hash (string): This query outputs the hash value of the input string.
• SymmetricEncryption (string1, string2): The output of this query is the symmetric encryption value, where string1 is the symmetric key and string2 is the input.

Definition 5 (Freshness):

If an instance $I_P^i$ satisfies the following conditions, it can be regarded as freshness.

(1) The Corrupt query can only be executed once at most. (2) The Reveal query has not been executed yet. (3) The states of $I_U^i$ and $I_{SN}^i$ are $accept$.

Definition 6 (Semantic Security):

In the random oracle model, $A$ is allowed to execute a Test query once at most, and can use multiple Execute, Send, and Reveal queries. According to the definition of the Test query, the random bit $r$ determines the correctness of the returned session key. Meanwhile, $A$ generates a random bit $r^{\prime }$, and if $r^{\prime }=r$, then $A$ knows the correctness of the output. In this case, the semantic security of $\Pi$ is broken. The possibility of breaking the semantic security is portrayed as $Ad{v}_{\Pi }^A=\left|2\mathrm{Pr}\left[r=r^{\prime }\right]-1\right|=\left|2\mathrm{Pr}\left[succ\left(A\right)\right]-1\right|$. $\Pi$ is not secure unless $Ad{v}_{\Pi }^A<\eta$, where $\eta$ is sufficiently small.

Definition 7 (CDHP&ECDLP):

CDHP refers to the given generator point $P$ of an elliptic curve $aP$ and $bP$, where $a, b\in Z_p$. Computing $abP$ is computationally infeasible for $A$ in probabilistic polynomial time (PPT). The advantage of solving CDHP in PPT can be described as $Ad{v}_A^{CDHP}=Pr\left[A\left(P,aP,bP\right)=abP:P\in E\left(F_p\right);a,b\in Z_p\right]$, $Ad{v}_A^{CDHP}<\eta$.

Given $P$ and $aP$, it is computationally infeasible to calculate $a$. This is called the Elliptic Curve Discrete Logarithm Problem (ECDLP). The probability of solving ECDLP in PPT is expressed as $Ad{v}_A^{\mathrm{ECDLP}}=\mathrm{Pr}\left[A\left(P,aP\right)=a:P\in E\left(F_p\right);a\in Z_p\right]$. $Ad{v}_A^{\mathrm{ECDLP}}<\eta$.

Definition 8 (Symmetric Encryption & Find-Guess Model):

Suppose a symmetric encryption scheme denoted as $\Gamma =\left(E,D,KSP,MSP\right)$, where $E$ is the encryption algorithm, $D$ is the decryption algorithm, $KSP\left(k\right)$ and $MSP\left(k\right)$ are finite sets, and $KSP\left(k\right), MSP\left(k\right)\subseteq {\{0,1\}}^l$, $k\in \mathbb{N}$. For any $k\in \mathbb{N}$, given $a\in KSP\left(k\right)$, $x\in MSP\left(k\right)$, the result of encryption $y=E_a\left(x\right)$, and $x=D_a\left(y\right)$.

The Find–Guess model is a security notion for symmetric encryption [30]. In the Find stage, an adversary $A$ adaptively produces distinct messages $x_0$, $x_1$, and information $i$. In the Guess stage, the encryption oracle selects $a\in {}_R{}^{ }KSP\left(k\right)$ as the symmetric key, $b\in {}_R{}^{ }\{0,1\}$, and calculates $y=E_a\left(x_b\right)$. $A$ does not know $a$. The advantage of $A$ guessing $b$ from $y$ is defined as follows:

$$\begin{gathered} Ad{v}_{A,\mathsf{\Gamma }}^{\mathrm{FG}}\left(k\right)=2\mathrm{Pr}[a\leftarrow {}_R{}^{ }KSP\left(k\right);\left(x_0,x_1,i\right)\leftarrow A\left(Find\right);b\leftarrow {}_R{}^{ }\{0,1\};y= \\ {E}_a\left(x_b\right):A\left(Guess,i,y\right)=b]-1<\eta . \end{gathered}$$

It should be noted that $x_0\ne x_1$ and $x_0,x_1\in MSP\left(k\right)$. Here, we defined the adversary $A\left(PPT,\eta \right)$ breaking through $\mathsf{\Gamma }$ in the sense of the Find–Guess model if $A$ runs it in Probabilistic Polynomial Time (PPT) and $Ad{v}_{A,\mathsf{\Gamma }}^{\mathrm{FG}}\left(k\right)\ge \eta$, where $\eta$ is sufficiently small. Otherwise, $\mathsf{\Gamma }$ is $\left(PPT,\eta \right)$-secure.

Furthermore, in the proposed scheme, the inputs of the encryption algorithm are mixed with random numbers and timestamps; the adversary $A$ does not know the inputs or the symmetric keys. Therefore, given $a\in {}_R{}^{ }KSP\left(k\right)$, $m\in {}_R{}^{ }MSP\left(k\right)$, and $x_m=E_a\left(m\right)$, the advantage of calculating $m$ from $x_m$ by $A$ is described as follows:

$$Ad{v}_A^{\mathrm{SE}}\left(k\right)=\mathrm{Pr}\left[A\left(x_m\right)=m:a\leftarrow {}_R{}^{ }KSP\left(k\right);m\leftarrow {}_R{}^{ }MSP\left(k\right);x_m=E_a\left(m\right)\right]$$

Therefore, $Ad{v}_A^{\mathrm{SE}}\left(k\right)<Ad{v}_{A,\mathsf{\Gamma }}^{\mathrm{FG}}\left(k\right)<\eta$.

4.1.2. Security Proof

Theorem 1:

We define an adversary $A$ to attack the proposed scheme $\Pi$; $q_{hash}$, $q_{SE}$, $q_{send}$, and $q_{exe}$ are the executed times of the hash operation, symmetric encryption, and the Send and Execute queries, respectively, while $l_{out}$, $l_{in}$, and $l_k$ are the bit lengths of the output, input, and symmetric key of the symmetric encryption, respectively, the biometric key of the user is $l_{bio}$ bits, and $C^{\prime }$ and $s^{\prime }$ are the regression constants of the distributed password dictionary. The advantage of breaking $\Pi$ by $A$ in PPT is

$$Ad{v}_A^{\Pi }\le 2q_{hash}·Ad{v}_A^{SE}\left(k\right)·Ad{v}_A^{CDHP}+\frac{q_{SE}^2}{2^{l_k+l_{in}}}+\frac{{(q_{send}+q_{exe})}^2}{2^{l_{out}}}+2C^{\prime }·q_{send}^{s^{\prime }}·\frac{q_{send}}{2^{l_{bio}}}$$

Proof :

The goal of the adversary $\mathrm{A}$ is to break the security of $\mathsf{\Pi }$ in PPT. To simulate the attacks executed by $A$, we can define various games, which are donated as $Gam{e}_i$ $\left(0\le i\le 4\right)$. The events $Ev{e}_i$ $\left(0\le i\le 4\right)$ signify that a random bit $r$ of the query Text is obtained by $A$ in $Gam{e}_i$. The games are described as follows.

$Gam{e}_0$: This game simulates a real attack on $\Pi$ implemented by $A$. In the beginning, $A$ has to guess the random bit $r$. Therefore, we have

$$Ad{v}_A^{\mathsf{\Pi }}=\left|2\mathrm{Pr}\left[Ev{e}_0\right]-1\right|$$

(1)

$Gam{e}_1$: In this game, an eavesdropping attack is simulated following the Execute query. Meanwhile, $A$ is permitted to execute the Test query once at most. After obtaining the output of the Test query and the transmitted messages, $A$ must determine whether the output is the session key. In the proposed scheme, $M_6$ and $M_7$ are related to the session key, where $M_6=E_{b_j}\left(I{D}_i^{*},M_1,V_1,M_5,T_3\right)$, $M_7=E_{S_i^{\prime }}\left(DI{D}_i^{new},M_1^{\prime },M_5,V_1,T_3,T_4\right)$, and $SK=h\left(I{D}_i^{*}\parallel SI{D}_j\parallel c_j·u_i·P_{ec}\parallel T_3\right)$. First, $A$ cannot decrypt $M_6$ and $M_7$ without the symmetric key. Even if $A$ knows the encrypted information in $M_6$ and $M_7$, he/she cannot compute $c_j·u_i·P_{ec}$ in PPT because of the CDHP and hash function. Therefore, $A$ cannot determine whether the output is the session key, and we have

$$\mathrm{Pr}\left[Ev{e}_0\right]=\mathrm{Pr}\left[Ev{e}_1\right]$$

(2)

$Gam{e}_2$: In the proposed scheme, all the transmitted messages are encrypted using symmetric encryption. This game simulates $A$ executing Execute queries in an attempt to break the symmetric encryption and calculate the session key. The advantage of breaking the symmetric encryption by $A$ is $Ad{v}_A^{\mathrm{SE}}\left(k\right)$. The session key $SK=h\left(I{D}_i^{*}\parallel SI{D}_j\parallel c_j·u_i·P_{ec}\parallel T_3\right)$, that is, even if $A$ knows all the encrypted information $\left\{I{D}_i^{ },r_i^{\prime },SI{D}_j,M_1,T_1,T_2,V_1,M_5,T_3,DI{D}_i^{new},T_4\right\}$ after breaking the symmetric encryption, he/she cannot calculate the session key using $M_5=c_j·P_{ec}$ and $M_1=u_i·P_{ec}$ because of CDHP. Therefore, we have

$$\mathrm{Pr}\left[Ev{e}_2\right]-\mathrm{Pr}\left[Ev{e}_1\right]\le q_{hash}·Ad{v}_A^{\mathrm{SE}}\left(k\right)·Ad{v}_A^{\mathrm{CDHP}}$$

(3)

This shows that symmetric encryption greatly reduces the probability of the adversary winning $Gam{e}_2$.

$Gam{e}_3$: The Execute, Send, and SymmetricEncryption queries are executed to simulate an active game committed to implementing collision attacks in the transmitted messages. The length of the output of the encryption algorithm is based on the input length, and the relationship between them is $l_{out}=128·\frac{l_{in}}{64}·$ bits, where $l_{in}$ is the bit-length of the input and $l_{out}$ is the bit-length of the output. According to the birthday paradox, the collision probability of the result of symmetric encryption is at most $\frac{q_{SE}^2}{2^{l_k+l_{in}+1}}$, where $l_k$ is the bit-length of the symmetric key and $q_{SE}$ is the execute number of the symmetric encryption. The probability of collisions in the transcripts is at most $\frac{{(q_{send}+q_{exe})}^2}{2^{l_{out}+1}}$. Therefore, we have

$$\mathrm{Pr}\left[Ev{e}_3\right]-\mathrm{Pr}\left[Ev{e}_2\right]\le \frac{q_{SE}^2}{2^{l_k+l_{in}+1}}+\frac{{(q_{send}+q_{exe})}^2}{2^{l_{out}+1}}$$

(4)

where $q_{send}$ and $q_{exe}$ are the execution times of the Send and Execute queries, respectively.

$Gam{e}_4$: The Corrupt query is executed in this game to simulate a smart card being obtained and analyzed by $A$, In this case, $A$ knows the card’s stored information $\left\{HP{W}_i,{\tau }_i,A_i,HI{D}_i\right\}$, where $HP{W}_i=h\left(I{D}_i\parallel P{W}_i\parallel {\sigma }_i\right)$, $A_i=S_i\oplus h\left(I{D}_i\parallel {\sigma }_i\parallel P{W}_i\right)$, $HI{D}_i=DI{D}_i\oplus h\left(S_i\parallel P{W}_i\parallel {\sigma }_i\right)$, and ${\tau }_i$ is the reproduction parameter of the fuzzy extractor. Then, $A$ tries to forge $ME{S}_1=\left\{DI{D}_i^{*},M_2\right\}$ and execute the Send query to impersonate the user, where $DI{D}_i^{*}=HI{D}_i\oplus h\left(S_i^{*}\parallel P{W}_i^{*}\parallel {\sigma }_i^{*}\right)$ and $M_2=E_{S_i^{*}}\left(I{D}_i^{*},SI{D}_j,M_1,T_1\right)$. Therefore, $A$ has to guess the user’s biometric key ${\sigma }_i^{*}$ and password $P{W}_i^{*}$. According to Zipf’s law [31], we have

$$\mathrm{Pr}\left[Even{t}_4\right]-\mathrm{Pr}\left[Even{t}_3\right]\le C^{\prime }·q_{send}^{s^{\prime }}·\frac{q_{send}}{2^{l_{bio}}}$$

(5)

where $C^{\prime }$ and $s^{\prime }$ are the constants [31] corresponding to the dictionary space of the passwords and $l_{bio}$ is the bit-length of the biometric key.

The probability that the returned session key from the Test query is correct is equal to the probability of guessing the right answer of the random bit $r$. Consequently, we have

$$\mathrm{Pr}\left[Ev{e}_4\right]=\frac{1}{2}$$

(6)

Taking the formulas from (2) into (1), we obtain

$$Ad{v}_A^{\mathsf{\Pi }}=\left|2\mathrm{Pr}\left[Ev{e}_1\right]-1\right|$$

(7)

That is,

$$\frac{1}{2}Ad{v}_A^{\mathsf{\Pi }}=\left|\mathrm{Pr}\left[Ev{e}_1\right]-\frac{1}{2}\right|$$

(8)

Taking (6) into (8), we have

$$\frac{1}{2}Ad{v}_A^{\mathsf{\Pi }}=\left|\mathrm{Pr}\left[Ev{e}_1\right]-\mathrm{Pr}\left[Ev{e}_4\right]\right|$$

(9)

Moreover, because $\left|\mathrm{Pr}\left[Ev{e}_1\right]-\mathrm{Pr}\left[Ev{e}_4\right]\right|\le |\mathrm{Pr}\left[Ev{e}_3\right]-\mathrm{Pr}\left[Ev{e}_4\right]|+\left|\mathrm{Pr}\left[Ev{e}_2\right]-\mathrm{Pr}\left[Ev{e}_3\right]\right|+\left|\mathrm{Pr}\left[Ev{e}_1\right]-\mathrm{Pr}\left[Ev{e}_2\right]\right|$, we have

$$\frac{1}{2}Ad{v}_A^{\mathsf{\Pi }}\le q_{hash}·Ad{v}_A^{\mathrm{SE}}\left(k\right)·Ad{v}_A^{\mathrm{CDHP}}+\frac{q_{SE}^2}{2^{l_k+l_{in}+1}}+\frac{{(q_{send}+q_{exe})}^2}{2^{l_{out}+1}}+C^{\prime }·q_{send}^{s^{\prime }}·\frac{q_{send}}{2^{l_{bio}}}$$

(10)

Now, we can rewrite (10) as

$$Ad{v}_A^{\mathsf{\Pi }}\le 2q_{hash}·Ad{v}_A^{\mathrm{SE}}\left(k\right)·Ad{v}_A^{\mathrm{CDHP}}+\frac{q_{SE}^2}{2^{l_k+l_{in}}}+\frac{{(q_{send}+q_{exe})}^2}{2^{l_{out}}}+2C^{\prime }·q_{send}^{s^{\prime }}·\frac{q_{send}}{2^{l_{bio}}}$$

(11)

□

4.2. Security Analysis

4.2.1. Stolen Verifier Attacks

In the proposed scheme, the gateway does not store any valuable information or verification tables related to the user. Therefore, the proposed scheme can resist stolen verifier attacks.

4.2.2. Off-Line Password Guessing Attacks

Even assuming that an adversary knows the information $\left\{HP{W}_i,{\tau }_i,A_i,HI{D}_i\right\}$ stored in a smart card, where $HP{W}_i=h\left(I{D}_i\parallel P{W}_i\parallel {\sigma }_i\right)$, he/she cannot verify the correctness of the guessed password $P{W}_i$ without knowing the biometric key ${\sigma }_i$.

4.2.3. Replay Attacks

As timestamps are varied between any two different sessions, the proposed scheme can resist replay attacks.

4.2.4. Man-In-The-Middle and Impersonation Attacks

Supposing that an adversary tries to impersonate a user, he/she has to forge or replay $M_2$, $\mathrm{where} M_2=E_{S_i^{*}}\left(I{D}_i^{*},SI{D}_j,M_1,T_1\right)$ and $S_i^{*}=A_i\oplus h\left(I{D}_i^{*}\parallel {\sigma }_i^{*}\parallel P{W}_i^{*}\right)=h\left(I{D}_i^{*}\parallel h\left(K_{GWN}\right)\right)$. However, such forgery is impossible without knowing $S_i^{*}$. Similarly, the adversary cannot forge $M_7$ to impersonate the gateway, where $M_7=E_{S_i^{\prime }}\left(DI{D}_i^{new},M_1^{\prime },M_5,V_1,T_3,T_4\right)$.

If the adversary tries to forge $ME{S}_2=\left\{M_3\right\}$ to impersonate the gateway, where $M_3=E_{b_j}\left(DI{D}_i^{*},SI{D}_j,M_1,T_2\right)$ and $b_j=h\left(SI{D}_j\parallel h\left(K_{GWN}\right)\right)$, this is infeasible because he/she does not know the symmetric key $b_j$. Therefore, the proposed scheme is robust against impersonation and man-in-the-middle attacks.

4.2.5. Smart Card Loss Attacks

Supposing that an adversary obtains a smart card and the information $\left\{HP{W}_i,{\tau }_i,A_i,HI{D}_i\right\}$ stored in the smart card, where $HP{W}_i=h\left(I{D}_i\parallel P{W}_i\parallel {\sigma }_i\right)$, $A_i=S_i\oplus h\left(I{D}_i\parallel {\sigma }_i\parallel P{W}_i\right)$, $HI{D}_i=DI{D}_i\oplus h\left(S_i\parallel P{W}_i\parallel {\sigma }_i\right)$, and ${\tau }_i$ is the reproduction parameter of the fuzzy extractor, the adversary cannot recover any information from the encrypted data without the biometric key ${\sigma }_i$. Consequently, the proposed scheme resists smart card loss attacks.

4.2.6. Sensor Node Capture Attacks

The sensor node stores $\left\{b_j, SI{D}_j\right\}$, where $b_j=h\left(SI{D}_j\parallel h\left(K_{GWN}\right)\right)$, $SI{D}_j$ is the identity of the sensor node, $b_j$ is the secret parameter shared between the sensor node and the gateway, and $SI{D}_j$ is public. Supposing that an adversary captures a sensor node and obtains the information $\left\{b_j, SI{D}_j\right\}$, he/she can decrypt $M_3$ by calculating $\left(DI{D}_i^{*},SI{D}_j^{*},M_1,T_2\right)=D_{b_j}\left(M_3\right)$, where $DI{D}_i^{*}$ is the user’s temporary pseudo-identity, $M_1=u_i·P$, and $T_2$ is the timestamp. As the adversary cannot obtain any information from $M_3$, robustness against node capture attacks is guaranteed.

4.2.7. Known Session Key Secrecy

The negotiation of session keys in the proposed scheme is based on ECDLP, which is hard to solve because of the intractability of CDHP. The random numbers used for session key agreement in each session are different and unlinkable, meaning that the session keys are as well. Even if the adversary obtains the current session key, this does not provide any information about previous or future session keys.

4.2.8. Perfect Forward Secrecy

In the proposed scheme, the session key is $SK=h\left(I{D}_i^{*}\parallel SI{D}_j\parallel c_j·u_i·P\parallel T_3\right)$, where $c_j$ and $u_i$ are random numbers generated by the user and the sensor node, respectively. Even if the adversary knows all the long-term keys, including the password $P{W}_i$, the biometric key ${\sigma }_i$, and the shared secret parameters $S_i$ and $b_j$, he/she cannot calculate the current session key or previous session keys due to the intractability of ECDLP. Therefore, the proposed protocol provides perfect forward secrecy.

4.2.9. Desynchronization Attacks

In the proposed scheme, the new temporary identity $DI{D}_i^{new}$ of the user is updated by the gateway. However, the gateway does not store $DI{D}_i^{new}$. The real identity $I{D}_i^{\prime }$ of the user can only be revealed by the gateway through computing $\left(I{D}_i^{\prime }\parallel r_i^{\prime }\right)=DI{D}_i^{*}\oplus h\left(K_{GWN}\right)$. Even if the adversary intercepts or modifies $ME{S}_4$ that contains $DI{D}_i^{new}$ to prevent the user from updating her/his temporary identity, the user can use their previous temporary identity to pass the authentication. Hence, the proposed scheme can resist desynchronization attacks.

4.2.10. Anonymity and Unlinkability

In the proposed protocol, the user sends a temporary identity $DI{D}_i=E_{K_{GWN}}\left(I{D}_i,r_i\right)$ to the gateway instead of their real identity. The user updates their temporary identity at the end of each session, which is unlinkable because of the random number $r_i$. Meanwhile, through combination with fresh timestamps and random numbers generated in each session, the messages transmitted are different as well. Therefore, the proposed protocol preserves anonymity and unlinkability.

5. Performance Comparisons

In this section, the proposed scheme is compared with several related schemes (Shuai et al. [15], Xie et al. [16], Masud et al. [22], Kou et al. [23], Butt et al. [24], and Xie et al. [25]) in terms of computational costs and security properties, which are shown in

Table 2. Comparison of the computational costs.

Scheme	User	Gateway (Server)	Sensor	Total	Time (ms)
Shuai [15]	$7T_H+2T_{SE}$	$4T_H$	$10T_H+2T_{SE}$	$21T_H+4T_{SE}$	$3.688 \mathrm{ms}$
Xie [16]	$6T_H+3T_{ECC}$	$7T_H+T_{ECC}$	$4T_H+2T_{ECC}$	$17T_H+6T_{ECC}$	$16.162 \mathrm{ms}$
Masud [22]	$3T_H$	$3T_H$	$2T_H$	$8T_H$	$0.544 \mathrm{ms}$
Kou [23]	$7T_H+2T_{SE}$	$12T_H+2T_{SE}$	$6T_H$	$25T_H+4T_{SE}$	$3.94 \mathrm{ms}$
Butt [24]	$3T_H+T_{SE}+2T_{ECC}$	$12T_H+2T_{ECC}$	$T_H+2T_{SE}$	$5T_H+3T_{SE}+4T_{ECC}$	$12.024 \mathrm{ms}$
Xie [25]	$8T_H+T_{SE}+3T_{ECC}$	$7T_H+2T_{SE}+T_{ECC}$	$5T_H+T_{SE}+2T_{ECC}$	$20T_H+4T_{SE}+6T_{ECC}$	$18.606 \mathrm{ms}$
Ours	$6T_H+2T_{SE}+2T_{ECC}$	$4T_H+6T_{SE}$	$2T_H+2T_{SE}+2T_{ECC}$	$12T_H+10T_{SE}+4T_{ECC}$	$16.42 \mathrm{ms}$

and

Table 3. Comparison of security and properties.

Attacks/Properties	Shuai [15]	Xie [16]	Masud [22]	Kou [23]	Butt [24]	Xie [25]	Ours
Privileged-Insider Attack	✓	✓	✗	✗	✗	✓	✓
Off-line Password Guessing Attack	✓	✓	✗	✓	✗	✓	✓
Impersonation Attack	✓	✓	✗	✓	✗	✓	✓
Replay Attack	✓	✓	✓	✓	✗	✓	✓
Man-in-Middle Attack	✓	✓	✓	✓	✓	✓	✓
Smart Card (Device) Loss Attack	✓	✓	✗	✗	✗	✓	✓
Sensor (Edge) Node Captured Attack	✗	✗	✓	✓	✗	✗	✓
Stolen-Verifier Attack	✗	✓	✗	✓	✓	✓	✓
Update asynchronous Attack	✗	✓	✗	✓	✓	✓	✓
Identity Anonymity	✓	✓	✗	✗	✗	✓	✓
Mutual Authentication	✓	✓	✓	✓	✓	✓	✓
Session key secrecy	✓	✓	✗	✓	✗	✓	✓
Know session key attack	✓	✓	✗	✓	✓	✓	✓
Perfect forward secrecy	✗	✓	✗	✗	✗	✓	✓
Unlinkability	✓	✓	✗	✗	✗	✓	✓

✓:Resist (Attacks)/Possess (Properties). ✗:Suffer (Attacks)/No (Properties)

, respectively.

The time costs of the hash operation, symmetric encryption/decryption, and elliptic curve scalar multiplication are recorded as $T_H$, $T_{SE}$, and $T_{ECC}$, respectively. A Raspberry Pi 4B environment was used to simulate the computational cost of operation on Internet of Things devices in practical applications. According to the test, $T_H=0.068 \mathrm{ms}$ (millisecond), $T_{SE}=0.56 \mathrm{ms}$, and $T_{ECC}=2.501 \mathrm{ms}$.

Compared with Butt et al.’s scheme, the computational cost of the proposed protocol is slightly higher, as more hash operations and symmetric encryptions are used to ensure security. Table 3 and Section 3 indicate that the scheme of Butt et al. is vulnerable to multiple attacks and fails to maintain perfect forward secrecy, unlinkability, anonymity, and session key secrecy. The proposed scheme not only resists various attacks, it provides the properties above.

The proposed protocol requires sensors, gateways, and user devices to support point multiplication on elliptic curves and symmetric encryption/decryption. The sensor nodes need to be capable of performing point multiplication on elliptic curves and symmetric encryption and decryption. According to the survey in [29], more and more sensors support symmetric encryption and point multiplication on elliptic curves; thus, this issue around limited computing capacity is expected to be solved in the near future.

6. Conclusions

In this paper, we demonstrate that the protocol of Butt et al. is unable to resist replay attacks, sensor node capture attacks, or off-line password guessing attacks, and that it fails to provide session key secrecy, perfect forward secrecy, anonymity, or unlinkability. The causes of these security issues are presented, and we describe how the same analysis can be adopted more generally as a reference in the design of other related schemes. On this basis, we propose an elliptic curve cryptography-based three-factor authentication protocol for wireless sensor networks in Internet of Things environments. The proposed protocol uses a dynamic anonymous strategy and symmetrical encryption technology, and its security is proven by combining the Find–Guess and random oracle models. Comparisons between the proposed protocol and several related protocols show that the proposed protocol achieves higher security with acceptable computational cost; thus, it is suitable for wireless sensor network applications in Internet of Things environments.