Article
Peer-Review Record

Provably Secure Dynamic Anonymous Authentication Protocol for Wireless Sensor Networks in Internet of Things

Sustainability 2023, 15(7), 5734; https://doi.org/10.3390/su15075734
by Zixuan Ding and Qi Xie *
Reviewer 1:
Reviewer 2: Anonymous
Reviewer 3: Anonymous
Reviewer 4:
Submission received: 7 February 2023 / Revised: 21 March 2023 / Accepted: 22 March 2023 / Published: 24 March 2023

Round 1

Reviewer 1 Report

In this manuscript, the authors first pointed out that most previous protocols for WSN in IoT are insecure, then took Butt et al.’s scheme as an example to analyze its security, and showed several security flaws. After that, the authors propose a dynamic anonymous three-factor authentication protocol for WSN in IoT. The security analysis of Butt et al.’s scheme is correct. The authors design a dynamic anonymity strategy to guarantee the user's privacy and resist the desynchronization attack and sensor node captured attacks, and use the Find-Guess model and the random oracle model to prove the security of the proposed protocol, which is an innovative work. However, the following weaknesses need to be overcome.

 

1. For the security analysis of the Butt et al.’s scheme, I suggest that authors modify the Privileges-inside attachment/Sensor node captured attacks in Section 4.2 to Sensor node captured attacks, because Butt et al. assumed that the sensor node is trusted. But it cannot resist sensor node captured attacks.

2. I suggest that authors delete “of a smart home” in “Figure 1. The system model of a smart home”.

3. Because the security proofs of most papers use only the random oracle model, it is better to explain, in the first paragraph of Section 6, why the Find-Guess model is used to prove the security of the proposed protocol besides the random oracle model.

4. In informal security analysis, I noticed that the authors use both attacker and adversary.  I suggest using the adversary uniformly.

5. The initial letters of the secondary title should be consistent in size. It is recommended to refer to the template.

6. There are still some spelling and grammatical errors in the manuscript, for example:

(1) “mixed” in the first sentence of the second paragraph of Section 4.4 should be “fixed”.

(2) In the first sentence of Section 9, “IOT” should be “IoT”.

(3) The first sentence of Definition 2 in Section 6: “Only three states of the oracle in the proposed scheme”,

(4) In the first paragraph of Section 8: “As shown in Table 2, the comparison result includes the costs of login, mutual authentication, and the session key negotiation.”

Authors should proofread the manuscript and correct them.

 

Author Response

Revision Statement

Dear Editor,

Thank you for your letter and for the reviewers’ comments concerning our manuscript entitled “Provably Secure Dynamic Anonymous Authentication Protocol for Wireless Sensor Networks in IoT” (sustainability-2237034). Those comments are valuable and very helpful for improving our paper. We have studied the comments carefully and have made corrections as follows.

 

Reviewer 1

In this manuscript, the authors first pointed out that most previous protocols for WSN in IoT are insecure, then took Butt et al.’s scheme as an example to analyze its security, and showed several security flaws. After that, the authors propose a dynamic anonymous three-factor authentication protocol for WSN in IoT. The security analysis of Butt et al.’s scheme is correct. The authors design a dynamic anonymity strategy to guarantee the user's privacy and resist the desynchronization attack and sensor node captured attacks, and use the Find-Guess model and the random oracle model to prove the security of the proposed protocol, which is an innovative work. However, the following weaknesses need to be overcome.

 

  1. For the security analysis of the Butt et al.’s scheme, I suggest that authors modify the Privileges-inside attachment/Sensor node captured attacks in Section 4.2 to Sensor node captured attacks, because Butt et al. assumed that the sensor node is trusted. But it cannot resist sensor node captured attacks.

Response: Thank you for your valuable comment. We have changed “Privileges-inside attachment/Sensor node captured attacks” to “Sensor node captured attacks” and modified the description of this attack accordingly.

 

  2. I suggest that authors delete “of a smart home” in “Figure 1. The system model of a smart home”.

Response: Thank you for your valuable comment. We have changed the description of Figure 1 to “The system model”.

 

  3. Because the security proofs of most papers use only the random oracle model, it is better to explain, in the first paragraph of Section 6, why the Find-Guess model is used to prove the security of the proposed protocol besides the random oracle model.

Response: Thank you for your valuable comment. It is well known that using the Find-Guess model can prove the security of symmetric encryption, while the random oracle model can prove the semantic security of the protocol. Because the messages transmitted in our proposed protocol are encrypted symmetrically, we use the combination of the Find-Guess model and the random oracle model to prove the security of the proposed protocol, making the proof more rigorous.

We added the relevant explanation in the first paragraph in Section 4 (Security Analysis).

 

  4. In informal security analysis, I noticed that the authors use both attacker and adversary. I suggest using the adversary uniformly.

Response: Thank you for your valuable suggestion. We have replaced all “attacker” with “adversary”.

 

  5. The initial letters of the secondary title should be consistent in size. It is recommended to refer to the template.

Response: Thank you for your valuable comment. We have unified the format of the secondary titles by referring to the template.

 

  6. There are still some spelling and grammatical errors in the manuscript, for example:

(1) “mixed” in the first sentence of the second paragraph of Section 4.4 should be “fixed”.

(2) In the first sentence of Section 9, “IOT” should be “IoT”.

(3) The first sentence of Definition 2 in Section 6: “Only three states of the oracle in the proposed scheme”,

(4) In the first paragraph of Section 8: “As shown in Table 2, the comparison result includes the costs of login, mutual authentication, and the session key negotiation.”

Authors should proofread the manuscript and correct them.

Response: Thank you for your valuable comments. We have proofread and corrected the manuscript according to your comments.

 

 

Reviewer 2

The article showed that Butt et al.’s protocol is vulnerable to replay attacks, privileged-insider attack, off-line password guessing attack, and has no session key secrecy, perfect forward secrecy, anonymity, and unlinkability, and proposed a “Dynamic Anonymous Authentication Protocol for Wireless Sensor Networks in IoT”. The formal security proof shows that the proposed protocol is secure, so the contributions of the article are valuable. After reading the article carefully, I still find some problems as follows.

(1) The first letters of keywords are either lowercase or uppercase. Don't mix them.

Response: Thank you for your valuable comment. We have unified the format of the keywords according to the template.

 

(2) The keyword “Provably Security” may be “provably secure”.

Response: Thank you for your valuable comment. We have corrected it.

(3) The Butt et al.’s protocol cannot resist the sensor node captured attacks. Why didn't the authors express it clearly in the abstract and conclusion?

Response: Thank you for your valuable comments. We have corrected the relevant descriptions in the manuscript.

 

(4) In Shuai et al.’s scheme [15], because the secret number K2 is stored in the sensor node, if an adversary can capture the sensor node, then s/he can get K2 and obtain the user’s identity, so their scheme cannot resist sensor node captured attacks. Please correct the comparison table.

Response: Thank you for your valuable suggestion. We have added the description of this attack on Shuai et al.’s scheme [15] and Xie et al.’s scheme [16] in “Section 1 Introduction”, and also corrected Table 3.

 

(5) Since article [16] is an improvement on article [15], I suggest that article [16] be compared with the proposed scheme.

Response: Thank you for your valuable suggestion. We have added article [16] to Section 5 (Performance Comparisons) for comparative analysis. Please refer to Section 5.

(6) There are several syntax errors, and some descriptions should be revised, such as “while maintaining overwhelming security.” in contributions. I don't suggest the authors use “overwhelming”.

Response: Thank you for your valuable suggestion. We have proofread the manuscript and corrected syntax errors, and also modified “while maintaining overwhelming security.” to “our protocol has higher security”.

 

 

Reviewer 3

The article proposes a three-factor authentication protocol for WSN in IoT, which could improve security in IoT contexts. The topic is relevant but the document requires several adjustments, so that it can be considered for publication.

  1. In the abstract it is important to express what the "three-factor authentication protocol for WSN in IoT" consists of. What are the 3 factors considered?

Response: Thank you for your valuable suggestions. Three-factor authentication combines what you know (password), what you have (smart card), and what you are (biometric information) to verify the user's identity, which can provide higher security than two-factor authentication. We have made corresponding modifications in Abstract.

  2. The article contains too many chapters (nine in total), I consider that it is appropriate to organize it in a better way, reducing the chapters to a maximum of 5 or 6.

Response: Thank you for your valuable suggestion. We reduce the Sections to 6. The details are as follows:

Section 1. Introduction; Section 2. Security Analysis of Butt et al.’s Scheme (2.1. Review of Butt et al.’s Scheme, 2.2. Security analysis of Butt et al.’s Scheme); Section 3. The Proposed Scheme (3.1. System Model and Adversary Model, 3.2. The Proposed Protocol); Section 4. Security Analysis (4.1. Formal Security Proof, 4.2. Informal Security Analysis); Section 5. Performance Comparisons; Section 6. Conclusions.

  3. In the introduction the motivation and contributions subtitle is not appropriate to include.

Response: Thank you for your valuable suggestion. We have deleted the motivation and contributions subtitle in Section 1 (Introduction).

  4. The contributions presented are not actually contributions, they are points that describe the content of the article. It is important to clarify in the introduction, what is the objective of the research, what is intended to be performed. In this way it will be easier to establish the real contributions.

Response: Thank you for your valuable comments. According to your suggestions, we reorganized our contributions as follows:

(1) Since the model of Butt et al.’s protocol is universal and the security flaws in Butt et al.'s protocol are also typical design flaws often encountered by other designers, we point out the reasons why these design flaws occur, which imply the design strategies to overcome them.

(2) Based on our strategy to avoid design deficiencies, we combine symmetric encryption and ECC to design a security protocol for WSN. A dynamic pseudonym strategy is designed to resist desynchronization attacks and sensor node captured attacks, and symmetric encryption is used to improve the security of the transmitted messages.

(3) We first use the Find-Guess model to prove the security of symmetric encryption, and then combine the Find-Guess model and the random oracle model to prove the semantic security of our protocol, making our formal security proof more rigorous.

  5. Figure 1 describes a smart home system, but the related text does not explain why that particular context is used. It is very important to justify it properly.

Response: Thank you for your valuable comment. As the first reviewer pointed out that it was our mistake to write “The system model.” as “The system model of a smart home.”, we have corrected it. We feel sorry for our carelessness. Thank you so much for your careful check.

  6. I think the attack model described in section 2.2 should be improved considerably.

Response: Thank you for your valuable suggestion. We referred to the D-Y model and relevant literature to improve the adversary model in Section 3.1.2, which is as follows:

According to Dolev and Yao’s attack model of the protocols [28] and a survey [29], we present the following adversary model of our protocol.

  • All the messages transmitted publicly can be captured by the adversary, and he/she can replay, modify, and reroute the messages.
  • The adversary can list all elements in the user password space and identity space offline at the same time. In particular, the adversary can obtain the identity of the user when evaluating the anti-attack strength of the protocol.
  • An adversary can capture sensor nodes and steal smart cards, and obtain all information stored in the captured nodes and stolen cards.
  • The adversary may be a privileged insider user.
  • Only the gateway node is trusted.
  • The adversary cannot obtain the master key of the gateway and the user’s biological key.

 

  7. In section 3 the authors explain the Butt et al.' scheme, but there is no clear justification for why the scheme was used. Why not other models? Why is the selected scheme relevant? They must make it explicit in the document.

Response: Thank you for your valuable comment. We analyze the existing protocols for WSN in IoT, and find that the model of Butt et al.’s protocol is universal, and the security flaws in Butt et al.'s protocol are also typical design flaws often encountered by other designers, such as the inability to resist replay attack, sensor node captured attack, and off-line password guessing attack, and the lack of session key secrecy, perfect forward secrecy, anonymity, and unlinkability. Because this protocol has not been analyzed by other researchers, we take this protocol as a typical example to point out the reasons why these design flaws occur and propose design strategies to overcome these flaws, and then propose a new secure protocol under the same scenario, providing reference for readers to design secure protocols.

We have added the corresponding explanation in the first paragraph of Section 2 (Security Analysis of Butt et al.’s Scheme).

  8. What is the basis for proposing the scheme of section 5? It is important to justify the components the authors propose.

Response: Thank you for your valuable comment. Yes, in view of the common security flaws in the design of the protocol by Butt et al. and others, we have purposely designed a solution strategy and proposed a new protocol. The formal security proof proves the security of our protocol, overcomes the loopholes of traditional design, and can provide a reference for readers to design secure protocols in the future.

  9. For system tests use "Find-Guess model" and "random oracle model". The authors must justify why they use these particular models and not others. Do these models guarantee an adequate comparison with other proposals?

Response: Thank you for your valuable comment. The methods for proving and verifying the security of protocols generally include the random oracle model, BAN logic, ProVerif, AVISPA, etc. Generally speaking, researchers only select one of them to prove the security of a protocol. It is well known that using the Find-Guess model can prove the security of symmetric encryption, while the random oracle model can prove the semantic security of the protocol. Because the messages transmitted in our proposed protocol are encrypted symmetrically, we combine the Find-Guess model and the random oracle model to prove the security of the proposed protocol, making the proof more rigorous.

In the first paragraph of Section 4 (Security Analysis), we have added the explanation of using "Find-Guess model" and "random oracle model".

 

  10. There are some kind of restrictions or limitations in the proposed system. It is very important that they mention them.

Response: Thank you for your valuable comment. Our protocol needs sensors, gateways, and user equipment to support ECC point multiplication and symmetric encryption/decryption. The computing power of sensors may be a limitation in the protocol.  

At the end of Section 5, we discuss this limitation as: “Our protocol needs sensors, gateways, and user equipment to support ECC point multiplication and symmetric encryption/decryption. The sensor node needs to be capable of ECC point multiplication and symmetric encryption and decryption, which may be the application limitation of our protocol. However, according to the survey [29], in the past five years, the growth of sensor computing capability and security requirements have become a trend. More and more sensors support symmetric encryption and ECC point multiplication, so the problem of sensor computing capacity limitation will be gradually solved in the future.”

  11. The conclusions section cannot be similar to the abstract, where the document is summarized. They should adequately write the conclusions of the work carried out.

Response: Thank you for your valuable suggestion. We have revised the conclusions, which are as follows:

In this paper, we pointed out that Butt et al.'s protocol cannot resist replay attack, sensor node captured attack, off-line password guessing attack, and has no session key secrecy, perfect forward secrecy, anonymity, and unlinkability, and further presented the reasons why these design flaws occur, which are also typical design flaws often encountered by other designers. Then, we proposed an ECC based three-factor authentication protocol for WSN in IoT by using dynamic anonymous strategy and symmetrical encryption technology, and proved the security of the proposed protocol by combining Find-Guess model and random oracle model. The comparisons between ours with some related protocols show that the proposed protocol has higher security, although its computation cost is slightly higher than that of other protocols. Therefore, the proposed protocol can still be applied to WSN in IoT.

 

  12. It is important that you review the use of English very well, there are several serious errors in managing verb tenses and others.

Response: Thank you for your valuable comment. We have checked and corrected the grammatical errors in the revised version.

 

 

Reviewer 4

Detailed comments to the authors are as follows:
1. Abstract: line 12-14, it is not appropriate to mention any specific existing work in the abstract. This is better mentioned in the Introduction section.

Response: Thank you for your valuable comment. According to your revision, we have simplified Line 12-14 to “However, we find that their protocol is vulnerable to several attacks, and lacks of some security properties.”.


  2. Introduction: line 23, for abbreviations (such as WSN), please spell out the full term at its first mention in the main body of the manuscript (abstract doesn’t count).

Response: Thank you for your valuable comment. We have revised them.


  3. The reviewer noticed that two of the authors’ previous publications (ref 16 and 25) are cited in the introduction section. Please comment on the main difference between the current manuscript and the published work. Focus on the novelty and improvement.

Response: Thank you for your valuable comment. In References [16] and [25], because sensor nodes are often deployed in unattended scenarios, and the sensor nodes can recover the user’s real identity, which may reveal the user’s privacy. Therefore, once an adversary captures a sensor node, he or she can obtain user’s identity. That is to say, the protocols of [16] and [25] cannot resist the sensor node captured attack.

The novelty and improvements of our current manuscript are: we use dynamic pseudonym strategy to resist the sensor node captured attack, use symmetric encryption to improve the security of the transmitted messages, combine Find-Guess model and random oracle model to prove the security of our protocol.


  4. Section 3, please explain the reasons why this specific work was picked up for review. Also please mention if other researchers have analyzed this work before or not; and if so, what is the novelty of your review/analysis.

Response: Thank you for your valuable comment. We analyze the existing protocols for WSN in IoT, and find that the model of Butt et al.’s protocol is universal, and the security flaws in Butt et al.'s protocol are also typical design flaws often encountered by other designers, such as the inability to resist replay attack, sensor node captured attack, and off-line password guessing attack, and the lack of session key secrecy, perfect forward secrecy, anonymity, and unlinkability. Because this protocol has not been analyzed by other researchers, we take this protocol as a typical example to point out the reasons why these design flaws occur and propose design strategies to overcome these flaws, and then propose a new secure protocol under the same scenario, providing reference for readers to design secure protocols.


  5. From Table 3, admittedly, the proposed protocol presents higher security resistance. Meanwhile from the comparison in Table 2, the higher computational cost does imply that the proposed protocol has higher requirement for hardware (sensors). Please comment on the challenges or limitations that the proposed protocol may face in the field applications.

Response: Thank you for your valuable comment. Our protocol needs sensors, gateways, and user equipment to support ECC point multiplication and symmetric encryption/decryption. The sensor node needs to be capable of ECC point multiplication and symmetric encryption and decryption, which may be the application limitation of our protocol.

At the end of Section 5, we discuss this limitation as: “Our protocol needs sensors, gateways, and user equipment to support ECC point multiplication and symmetric encryption/decryption. The sensor node needs to be capable of ECC point multiplication and symmetric encryption and decryption, which may be the application limitation of our protocol. However, according to the survey [29], in the past five years, the growth of sensor computing capability and security requirements have become a trend. More and more sensors support symmetric encryption and ECC point multiplication, so the problem of sensor computing capacity limitation will be gradually solved in the future.”

 

 

Thanks again for your good comments and suggestions. We hope the Editors and Reviewers will be satisfied with the revisions for the original manuscript.

 

Yours sincerely,

 

Qi XIE


Reviewer 2 Report

The article showed that Butt et al.’s protocol is vulnerable to replay attacks, privileged-insider attack, off-line password guessing attack, and has no session key secrecy, perfect forward secrecy, anonymity, and unlinkability, and proposed a “Dynamic Anonymous Authentication Protocol for Wireless Sensor Networks in IoT”. The formal security proof shows that the proposed protocol is secure, so the contributions of the article are valuable. After reading the article carefully, I still find some problems as follows.

(1) The first letters of keywords are either lowercase or uppercase. Don't mix them.

(2) The keyword “Provably Security” may be “provably secure”.

(3) The Butt et al.’s protocol cannot resist the sensor node captured attacks. Why didn't the authors express it clearly in the abstract and conclusion?

(4) In Shuai et al.’s scheme [15], because the secret number K2 is stored in the sensor node, if an adversary can capture the sensor node, then s/he can get K2 and obtain the user’s identity, so their scheme cannot resist sensor node captured attacks. Please correct the comparison table.

(5) Since article [16] is an improvement on article [15], I suggest that article [16] be compared with the proposed scheme.

(6) There are several syntax errors, and some descriptions should be revised, such as “while maintaining overwhelming security.” in contributions. I don't suggest the authors use “overwhelming”.

Author Response

Revision Statement

Dear Editor,

Thank you for your letter and for the reviewers’ comments concerning our manuscript entitled “Provably Secure Dynamic Anonymous Authentication Protocol for Wireless Sensor Networks in IoT”(sustainability-2237034). Those comments are valuable and very helpful for improving our paper. We have studied comments carefully and have made corrections as follows.

 

Reviewer 1

In this manuscript, authors first pointed out that most previous protocol for WSN in IOT are insecure, and then take Butt et al.’s scheme as an example to analyze their security, and showed several security flaws. After that, authors propose a dynamic anonymous three-factor authentication protocol for WSN in IoT. The security analysis on Butt et al.’s scheme is correct. Authors design dynamic anonymity strategy to guarantee the user's privacy and resist the desynchronization attack and sensor node captured attacks, and use Find-Guess model and random oracle model to prove the security of the proposed protocol, which is an innovative work. However, the following weaknesses need to be overcome.

 

  1. For the security analysis of the Butt et al.’s scheme, I suggest that authors modify the Privileges-inside attachment/Sensor node captured attacks in Section 4.2 to Sensor node captured attacks, because Butt et al. assumed that the sensor node is trusted. But it cannot resist sensor node captured attacks.

Response: Thank you for your valuable comment. We have changed “Privileges-inside attachment/Sensor node captured attacks” to “Sensor node captured attacks” and modified the description of this attack accordingly.

 

  1. I suggest that authors delete “of a smart home” in “Figure 1. The system model of a smart home”.

Response: Thank you for your valuable comment. We have changed the description of Figure 1 to “The system model”.

 

  1. Because the security proof of most papers only uses random oracle model, so in the first paragraph of section 6, it is better to explain why the Find-Guess model is used to prove the security of the proposed protocol beside random oracle model.

Response: Thank you for your valuable comment. It is well known that using the Find Guess model can prove the security of symmetric encryption, while the random oracle model can prove the semantic security of the protocol. Because the messages transmitted in our proposed protocol are encrypted symmetrically, so we use the combination of Find Guest model and random oracle model to prove the security of the proposed protocol, making the proof more rigorous.

We added the relevant explanation in the first paragraph in Section 4 (Security Analysis).

 

  1. In informal security analysis, I noticed that the authors use both attacker and adversary.  I suggest using the adversary uniformly.

Response: Thank you for your valuable suggestion. We have replaced all “attacker” with “adversary”.

 

  1. The initial letters of the secondary title should be consistent in size. It is recommended to refer to the template.

Response: Thank you for your valuable comment. We have unified the format of the secondary titles by referring to the template.

 

  1. There are still some spelling and grammatical errors in the manuscript, for example:

(1)“mixed” in the first sentence of the second paragraph of Section 4.4 should be “fixed”.

(2)In the first sentence of Section 9, “IOT” should be “IoT”.

(3)The first sentence of Definition 2 in Section 6 :“Only three states of the oracle in the proposed scheme”,

(4)In the first paragraph of section 8: “As shown in Table 2, the comparison result includes the costs of login, mutual authentication, and the session key negotiation.”

Authors should proofread the manuscript and correct them.

Response: Thank you for your valuable comments. We have proofread and corrected the manuscript according to your comments.

 

 

Reviewer 2

The article showed that Butt et al.’s protocol is vulnerable to replay attacks, privileged-insider attack, off-line password guessing attack, and has no session key secrecy, perfect forward secrecy, anonymity, and unlinkability, and proposed a “Dynamic Anonymous Authentication Protocol for Wireless Sensor Networks in IoT”. The formal security proof shows that the proposed protocol is secure, so the contributions of the article are valuable. After reading the article carefully, I still find some problems as follows.

(1)The first letters of keywords are either lowercase or uppercase. Don't mix them.

Response: Thank you for your valuable comment. We have unified the format of the keywords according to the template.

 

(2)The keyword “Provably Security” maybe “provably secure”.

Response: Thank you for your valuable comment. We have corrected it.

(3)The Butt et al.‘s protocol cannot resist the sensor node captured attacks. Why didn't the authors express it clearly in the abstract and conclusion?

Response: Thank you for your valuable comments. We have corrected the relevant descriptions in the manuscript.

 

(4)In Shuai et al.’s scheme [15], because the secret number K2 stored in sensor node, if an adversary can capture the sensor node, then s/he can get K2 and obtain user’s identity, so their scheme cannot resist sensor node captured attacks. Please correct the comparison table.

Response: Thank you for your valuable suggestion. We have added the description of this attack on Shuai et al.’s scheme [15] and Xie et al.’s scheme [16] in “Section 1 Introduction”, and also corrected Table 3.

 

(5)Since article [16] is an improvement on article [15], I suggest that article [16] be compared with the proposed scheme.

Response: Thank you for your valuable suggestion. We have added article [16] to Section 5 (Performance Comparisons) for comparative analysis. Please refer to Section 5.

(6)There are several syntax errors, and some descriptions should be revised, such as “while maintaining overwhelming security.” in contributions. I don't suggest the authors use “overwhelming”.

Response: Thank you for your valuable suggestion. We have proofread the manuscript and corrected syntax errors, and also modified “while maintaining overwhelming security.” to “our protocol has higher security”.

 

 

Reviewer 3

The article proposes a three-factor authentication protocol for WSN in IoT, which could improve security in IoT contexts. The topic is relevant but the document requires several adjustments, so that it can be considered for publication.

  1. In the abstract it is important to express what the "three-factor authentication protocol for WSN in IoT" consists of. What are the 3 factors considered?

Response: Thank you for your valuable suggestions. Three-factor authentication combines what you know (password), what you have (smart card), and what you are (biometric information) to verify the user's identity, which can provide higher security than two-factor authentication. We have made corresponding modifications in Abstract.

  1. The article contains too many chapters (nine in total), I consider that it is appropriate to organize it in a better way, reducing the chapters to a maximum of 5 or 6.

Response: Thank you for your valuable suggestion. We reduce the Sections to 6. The details are as follows:

Section 1. Introduction; Section 2. Security Analysis of Butt et al.’s Scheme (2.1. Review of Butt et al.’s Scheme, 2.2. Security analysis of Butt et al.’s Scheme); Section 3. The Proposed Scheme (3.1. System Model and Adversary Model, 3.2. The Proposed Protocol); Section 4. Security Analysis (4.1. Formal Security Proof, 4.2. Informal Security Analysis); Section 5. Performance Comparisons; Section 6. Conclusions.

  3. In the introduction the motivation and contributions subtitle is not appropriate to include.

Response: Thank you for your valuable suggestion. We have deleted the motivation and contributions subtitle in Section 1 (Introduction).

  4. The contributions presented are not actually contributions, they are points that describe the content of the article. It is important to clarify in the introduction, what is the objective of the research, what is intended to be performed. In this way it will be easier to establish the real contributions.

Response: Thank you for your valuable comments. According to your suggestions, we reorganized our contributions as follows:

(1) Since the model of Butt et al.’s protocol is universal and the security flaws in Butt et al.'s protocol are also typical design flaws often encountered by other designers, we point out the reasons why these design flaws occur, which imply the design strategies to overcome them.

(2) Based on our strategy to avoid design deficiencies, we combine symmetric encryption and ECC to design a security protocol for WSN. A dynamic pseudonym strategy is designed to resist desynchronization attacks and sensor node captured attacks, and symmetric encryption is used to improve the security of the transmitted messages.

(3) We first use Find-Guess model to prove the security of symmetric encryption, and then combine Find-Guess model and random oracle model to prove the semantic security of our protocol, making our formal security proof more rigorous.

  5. Figure 1 describes a smart home system, but the related text does not explain why that particular context is used. It is very important to justify it properly.

Response: Thank you for your valuable comment. As the first reviewer pointed out that it was our mistake to write “The system model.” as “The system model of a smart home.”, we have corrected it. We feel sorry for our carelessness. Thank you so much for your careful check.

  6. I think the attack model described in section 2.2 should be improved considerably.

Response: Thank you for your valuable suggestion. We refer to D-Y model and relevant literature to improve the adversary model in Section 3.1.2, which are as follows:  

According to Dolev and Yao’s attack model of the protocols [28] and a survey [29], we present the following adversary model of our protocol.

  • All the messages transmitted publicly can be captured by the adversary, and he/she can replay, modify, and reroute the messages.
  • The adversary can list all elements in the user password space and identity space offline at the same time. In particular, the adversary can obtain the identity of the user when evaluating the anti-attack strength of the protocol.
  • An adversary can capture sensor nodes and steal smart cards, and obtain all information stored in the captured nodes and stolen cards.
  • The adversary may be a privileged insider user.
  • Only the gateway node is trusted.
  • The adversary cannot obtain the master key of the gateway and user’s biological key.

 

  7. In section 3 the authors explain the Butt et al.’s scheme, but there is no clear justification for why the scheme was used. Why not other models? Why is the selected scheme relevant? They must make it explicit in the document.

Response: Thank you for your valuable comment. We analyze the existing protocols for WSN in IoT, and find that the model of Butt et al.’s protocol is universal, and the security flaws in Butt et al.'s protocol are also typical design flaws often encountered by other designers, such as inability to resist replay attack, sensor node captured attack, off-line password guessing attack, and has no session key secrecy, perfect forward secrecy, anonymity, and unlinkability. Because this protocol has not been analyzed by other researchers, we take this protocol as a typical example to point out the reasons why these design flaws occur and propose design strategies to overcome these flaws, and then propose a new secure protocol under the same scenario, providing reference for readers to design secure protocols.

We have added the corresponding explanation in the first paragraph of Section 2 (Security Analysis of Butt et al.’s Scheme).

  8. What is the basis for proposing the scheme of section 5? It is important to justify the components the authors propose.

Response: Thank you for your valuable comment. Yes, in view of the common security flaws in the design of the protocol by Butt et al. and others, we have purposely designed a solution strategy and proposed a new protocol. The formal security proof proves the security of our protocol, overcomes the loopholes of traditional design, and can provide a reference for readers to design secure protocols in the future.

  9. For system tests use "Find-Guess model" and "random oracle model". The authors must justify why they use these particular models and not others. Do these models guarantee an adequate comparison with other proposals?

Response: Thank you for your valuable comment. The methods for proving and verifying the security of protocols generally include the random oracle model, BAN logic, ProVerif, AVISPA, etc. Generally speaking, researchers only select one of them to prove the security of protocol. It is well known that using the Find-Guess model can prove the security of symmetric encryption, while the random oracle model can prove the semantic security of the protocol. Because the messages transmitted in our proposed protocol are encrypted symmetrically, we combine Find-Guess model and random oracle model to prove the security of the proposed protocol, making the proof more rigorous.

In the first paragraph of Section 4 (Security Analysis), we have added the explanation of using "Find-Guess model" and "random oracle model".

 

  10. There are some kind of restrictions or limitations in the proposed system. It is very important that they mention them.

Response: Thank you for your valuable comment. Our protocol needs sensors, gateways, and user equipment to support ECC point multiplication and symmetric encryption/decryption. The computing power of sensors may be a limitation in the protocol.  

At the end of Section 5, we discuss this limitation as: “Our protocol needs sensors, gateways, and user equipment to support ECC point multiplication and symmetric encryption/decryption. The sensor node needs to be capable of ECC point multiplication and symmetric encryption and decryption, which may be the application limitation of our protocol. However, according to the survey [29], in the past five years, the growth of sensor computing capability and security requirements have become a trend. More and more sensors support symmetric encryption and ECC point multiplication, so the problem of sensor computing capacity limitation will be gradually solved in the future.”

  11. The conclusions section cannot be similar to the abstract, where the document is summarized. They should adequately write the conclusions of the work carried out.

Response: Thank you for your valuable suggestion. We have revised the conclusions, which are as follows:

In this paper, we pointed out that Butt et al.'s protocol cannot resist replay attack, sensor node captured attack, off-line password guessing attack, and has no session key secrecy, perfect forward secrecy, anonymity, and unlinkability, and further presented the reasons why these design flaws occur, which are also typical design flaws often encountered by other designers. Then, we proposed an ECC based three-factor authentication protocol for WSN in IoT by using dynamic anonymous strategy and symmetrical encryption technology, and proved the security of the proposed protocol by combining Find-Guess model and random oracle model. The comparisons between ours with some related protocols show that the proposed protocol has higher security, although its computation cost is slightly higher than that of other protocols. Therefore, the proposed protocol can still be applied to WSN in IoT.

 

  12. It is important that you review the use of English very well, there are several serious errors in managing verb tenses and others.

Response: Thank you for your valuable comment. We have checked and corrected the grammatical errors in the revised version.

 

 

Reviewer 4

Detailed comments to the authors are as follows:
1. Abstract: line 12-14, it is not appropriate to mention any specific existing work in the abstract. This is better mentioned in the Introduction section.

Response: Thank you for your valuable comment. According to your revision, we have simplified Line 12-14 to “However, we find that their protocol is vulnerable to several attacks, and lacks of some security properties.”.


2. Introduction: line 23, for abbreviations (such as WSN), please spell out the full term at its first mention in the main body of the manuscript (abstract doesn’t count).

Response: Thank you for your valuable comment. We have revised them.


3. The reviewer noticed that two of the authors’ previous publications (ref 16 and 25) are cited in the introduction section. Please comment on the main difference between the current manuscript and the published work. Focus on the novelty and improvement.

Response: Thank you for your valuable comment. In References [16] and [25], because sensor nodes are often deployed in unattended scenarios, and the sensor nodes can recover the user’s real identity, which may reveal the user’s privacy. Therefore, once an adversary captures a sensor node, he or she can obtain user’s identity. That is to say, the protocols of [16] and [25] cannot resist the sensor node captured attack.

The novelty and improvements of our current manuscript are: we use dynamic pseudonym strategy to resist the sensor node captured attack, use symmetric encryption to improve the security of the transmitted messages, combine Find-Guess model and random oracle model to prove the security of our protocol.


4. Section 3, please explain the reasons why this specific work was picked up for review. Also please mention if other researchers have analyzed this work before or not; and if so, what is the novelty of your review/analysis.

Response: Thank you for your valuable comment. We analyze the existing protocols for WSN in IoT, and find that the model of Butt et al.’s protocol is universal, and the security flaws in Butt et al.'s protocol are also typical design flaws often encountered by other designers, such as inability to resist replay attack, sensor node captured attack, off-line password guessing attack, and has no session key secrecy, perfect forward secrecy, anonymity, and unlinkability. Because this protocol has not been analyzed by other researchers, we take this protocol as a typical example to point out the reasons why these design flaws occur and propose design strategies to overcome these flaws, and then propose a new secure protocol under the same scenario, providing reference for readers to design secure protocols.


5. From Table 3, admittedly, the proposed protocol presents higher security resistance. Meanwhile from the comparison in Table 2, the higher computational cost does imply that the proposed protocol has higher requirement for hardware (sensors). Please comment on the challenges or limitations that the proposed protocol may face in the field applications.

Response: Thank you for your valuable comment. Our protocol needs sensors, gateways, and user equipment to support ECC point multiplication and symmetric encryption/decryption. The sensor node needs to be capable of ECC point multiplication and symmetric encryption and decryption, which may be the application limitation of our protocol.

At the end of Section 5, we discuss this limitation as: “Our protocol needs sensors, gateways, and user equipment to support ECC point multiplication and symmetric encryption/decryption. The sensor node needs to be capable of ECC point multiplication and symmetric encryption and decryption, which may be the application limitation of our protocol. However, according to the survey [29], in the past five years, the growth of sensor computing capability and security requirements have become a trend. More and more sensors support symmetric encryption and ECC point multiplication, so the problem of sensor computing capacity limitation will be gradually solved in the future.”

 

 

Thanks again for your good comments and suggestions. We hope the Editors and Reviewers will be satisfied with the revisions for the original manuscript.

 

Yours sincerely,

 

Qi XIE

Author Response File: Author Response.pdf
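The sensor-node-capture argument in the response above (a node holding a secret such as K2 that can recover the user's identity exposes that identity once captured, while a per-session pseudonym resolved only at the gateway does not), as an added toy model. This is not code from the paper or from the schemes it cites: the HMAC-based masking, the message layout, and every class and function name are assumptions made for illustration; only the name K2 comes from the review.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (stand-in for a scheme's hash)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


def xor_mask(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data (at most 32 bytes) with a PRF pad; applying it twice unmasks."""
    if len(data) > 32:
        raise ValueError("toy mask covers at most 32 bytes")
    pad = prf(key, b"id-mask", nonce)
    return bytes(a ^ b for a, b in zip(data, pad))


class StaticKeyNode:
    """Design A (constructed): the node stores K2, which unmasks the identity."""

    def __init__(self, k2: bytes):
        self.memory = {"K2": k2}

    def handle(self, nonce: bytes, masked_id: bytes) -> bytes:
        return xor_mask(self.memory["K2"], nonce, masked_id)


def identities_from_captured_node(node_memory: dict, recorded: list) -> list:
    """What node capture yields in design A: K2 unmasks every recorded login."""
    return [xor_mask(node_memory["K2"], n, m) for n, m in recorded]


class Gateway:
    """Design B (constructed): only the gateway maps pseudonyms to identities."""

    def __init__(self):
        self.master = secrets.token_bytes(32)
        self.by_pid = {}   # pseudonym -> identity (previous and current only)
        self.pids = {}     # identity -> (previous pseudonym, current pseudonym)

    def register(self, identity: bytes) -> bytes:
        pid = secrets.token_bytes(16)
        self.pids[identity] = (None, pid)
        self.by_pid[pid] = identity
        return pid

    def authenticate(self, pid: bytes):
        identity = self.by_pid.get(pid)
        if identity is None:
            raise PermissionError("unknown or stale pseudonym")
        prev, cur = self.pids[identity]
        new = prf(self.master, b"pid", pid, secrets.token_bytes(16))[:16]
        if pid == cur:             # normal case: retire the older pseudonym
            if prev is not None:
                del self.by_pid[prev]
            self.pids[identity] = (cur, new)
        else:                      # user never got our last reply: keep prev valid
            del self.by_pid[cur]
            self.pids[identity] = (prev, new)
        self.by_pid[new] = identity
        return identity, new


class PseudonymNode:
    """Design B node: stores a gateway link key and sees pseudonyms only."""

    def __init__(self, link_key: bytes):
        self.memory = {"K_gw_node": link_key}
        self.seen = []

    def handle(self, pid: bytes, tag: bytes) -> bool:
        ok = hmac.compare_digest(tag, prf(self.memory["K_gw_node"], b"fwd", pid))
        if ok:
            self.seen.append(pid)
        return ok


def run_pseudonym_sessions(identity: bytes, sessions: int, lost_replies=()):
    """Run logins; in sessions listed in lost_replies the new pseudonym is lost."""
    gateway, link_key = Gateway(), secrets.token_bytes(32)
    node = PseudonymNode(link_key)
    user_pid, resolved = gateway.register(identity), []
    for i in range(sessions):
        who, new_pid = gateway.authenticate(user_pid)
        node.handle(user_pid, prf(link_key, b"fwd", user_pid))
        resolved.append(who)
        if i not in lost_replies:
            user_pid = new_pid
    return resolved, node, gateway
```

In this toy model a retry after a lost reply reuses the previous pseudonym, so that one retry is linkable to the session before it.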

Reviewer 3 Report

The article proposes a three-factor authentication protocol for WSN in IoT, which could improve security in IoT contexts. The topic is relevant but the document requires several adjustments, so that it can be considered for publication.

1. In the abstract it is important to express what the "three-factor authentication protocol for WSN in IoT" consists of. What are the 3 factors considered?

2. The article contains too many chapters (nine in total), I consider that it is appropriate to organize it in a better way, reducing the chapters to a maximum of 5 or 6.

3. In the introduction the motivation and contributions subtitle is not appropriate to include.

4. The contributions presented are not actually contributions, they are points that describe the content of the article. It is important to clarify in the introduction, what is the objective of the research, what is intended to be performed. In this way it will be easier to establish the real contributions.

5. Figure 1 describes a smart home system, but the related text does not explain why that particular context is used. It is very important to justify it properly.

6. I think the attack model described in section 2.2 should be improved considerably.

7. In section 3 the authors explain the Butt et al.’s scheme, but there is no clear justification for why the scheme was used. Why not other models? Why is the selected scheme relevant? They must make it explicit in the document.

8. What is the basis for proposing the scheme of section 5? It is important to justify the components the authors propose.

9. For system tests use "Find-Guess model" and "random oracle model". The authors must justify why they use these particular models and not others. Do these models guarantee an adequate comparison with other proposals?

10. There are some kind of restrictions or limitations in the proposed system. It is very important that they mention them.

11. The conclusions section cannot be similar to the abstract, where the document is summarized. They should adequately write the conclusions of the work carried out.

12. It is important that you review the use of English very well, there are several serious errors in managing verb tenses and others.

Author Response

Revision Statement

Dear Editor,

Thank you for your letter and for the reviewers’ comments concerning our manuscript entitled “Provably Secure Dynamic Anonymous Authentication Protocol for Wireless Sensor Networks in IoT” (sustainability-2237034). Those comments are valuable and very helpful for improving our paper. We have studied comments carefully and have made corrections as follows.

 

Reviewer 1

In this manuscript, authors first pointed out that most previous protocol for WSN in IOT are insecure, and then take Butt et al.’s scheme as an example to analyze their security, and showed several security flaws. After that, authors propose a dynamic anonymous three-factor authentication protocol for WSN in IoT. The security analysis on Butt et al.’s scheme is correct. Authors design dynamic anonymity strategy to guarantee the user's privacy and resist the desynchronization attack and sensor node captured attacks, and use Find-Guess model and random oracle model to prove the security of the proposed protocol, which is an innovative work. However, the following weaknesses need to be overcome.

 

  1. For the security analysis of the Butt et al.’s scheme, I suggest that authors modify the Privileges-inside attachment/Sensor node captured attacks in Section 4.2 to Sensor node captured attacks, because Butt et al. assumed that the sensor node is trusted. But it cannot resist sensor node captured attacks.

Response: Thank you for your valuable comment. We have changed “Privileges-inside attachment/Sensor node captured attacks” to “Sensor node captured attacks” and modified the description of this attack accordingly.

 

  2. I suggest that authors delete “of a smart home” in “Figure 1. The system model of a smart home”.

Response: Thank you for your valuable comment. We have changed the description of Figure 1 to “The system model”.

 

  3. Because the security proof of most papers only uses random oracle model, so in the first paragraph of section 6, it is better to explain why the Find-Guess model is used to prove the security of the proposed protocol beside random oracle model.

Response: Thank you for your valuable comment. It is well known that using the Find-Guess model can prove the security of symmetric encryption, while the random oracle model can prove the semantic security of the protocol. Because the messages transmitted in our proposed protocol are encrypted symmetrically, we use the combination of Find-Guess model and random oracle model to prove the security of the proposed protocol, making the proof more rigorous.

We added the relevant explanation in the first paragraph in Section 4 (Security Analysis).

 

  4. In informal security analysis, I noticed that the authors use both attacker and adversary. I suggest using the adversary uniformly.

Response: Thank you for your valuable suggestion. We have replaced all “attacker” with “adversary”.

 

  5. The initial letters of the secondary title should be consistent in size. It is recommended to refer to the template.

Response: Thank you for your valuable comment. We have unified the format of the secondary titles by referring to the template.

 

  6. There are still some spelling and grammatical errors in the manuscript, for example:

(1) “mixed” in the first sentence of the second paragraph of Section 4.4 should be “fixed”.

(2) In the first sentence of Section 9, “IOT” should be “IoT”.

(3) The first sentence of Definition 2 in Section 6: “Only three states of the oracle in the proposed scheme”,

(4) In the first paragraph of section 8: “As shown in Table 2, the comparison result includes the costs of login, mutual authentication, and the session key negotiation.”

Authors should proofread the manuscript and correct them.

Response: Thank you for your valuable comments. We have proofread and corrected the manuscript according to your comments.

 

 

Reviewer 2

The article showed that Butt et al.’s protocol is vulnerable to replay attacks, privileged-insider attack, off-line password guessing attack, and has no session key secrecy, perfect forward secrecy, anonymity, and unlinkability, and proposed a “Dynamic Anonymous Authentication Protocol for Wireless Sensor Networks in IoT”. The formal security proof shows that the proposed protocol is secure, so the contributions of the article are valuable. After reading the article carefully, I still find some problems as follows.

(1) The first letters of keywords are either lowercase or uppercase. Don't mix them.

Response: Thank you for your valuable comment. We have unified the format of the keywords according to the template.

 

(2) The keyword “Provably Security” maybe “provably secure”.

Response: Thank you for your valuable comment. We have corrected it.

(3) The Butt et al.’s protocol cannot resist the sensor node captured attacks. Why didn't the authors express it clearly in the abstract and conclusion?

Response: Thank you for your valuable comments. We have corrected the relevant descriptions in the manuscript.

 

(4) In Shuai et al.’s scheme [15], because the secret number K2 is stored in the sensor node, if an adversary can capture the sensor node, then s/he can get K2 and obtain the user’s identity, so their scheme cannot resist sensor node captured attacks. Please correct the comparison table.

Response: Thank you for your valuable suggestion. We have added the description of this attack on Shuai et al.’s scheme [15] and Xie et al.’s scheme [16] in “Section 1 Introduction”, and also corrected Table 3.

(5) Since article [16] is an improvement on article [15], I suggest that article [16] be compared with the proposed scheme.

Response: Thank you for your valuable suggestion. We have added article [16] to Section 5 (Performance Comparisons) for comparative analysis. Please refer to Section 5.

(6) There are several syntax errors, and some descriptions should be revised, such as “while maintaining overwhelming security.” in contributions. I don't suggest the authors use “overwhelming”.

Response: Thank you for your valuable suggestion. We have proofread the manuscript and corrected syntax errors, and also modified “while maintaining overwhelming security.” to “our protocol has higher security”.

 

 

Reviewer 3

The article proposes a three-factor authentication protocol for WSN in IoT, which could improve security in IoT contexts. The topic is relevant but the document requires several adjustments, so that it can be considered for publication.

  1. In the abstract it is important to express what the "three-factor authentication protocol for WSN in IoT" consists of. What are the 3 factors considered?

Response: Thank you for your valuable suggestions. Three-factor authentication combines what you know (password), what you have (smart card), and what you are (biometric information) to verify the user's identity, which can provide higher security than two-factor authentication. We have made corresponding modifications in Abstract.

  2. The article contains too many chapters (nine in total), I consider that it is appropriate to organize it in a better way, reducing the chapters to a maximum of 5 or 6.

Response: Thank you for your valuable suggestion. We reduce the Sections to 6. The details are as follows:

Section 1. Introduction; Section 2. Security Analysis of Butt et al.’s Scheme (2.1. Review of Butt et al.’s Scheme, 2.2. Security analysis of Butt et al.’s Scheme); Section 3. The Proposed Scheme (3.1. System Model and Adversary Model, 3.2. The Proposed Protocol); Section 4. Security Analysis (4.1. Formal Security Proof, 4.2. Informal Security Analysis); Section 5. Performance Comparisons; Section 6. Conclusions.

  3. In the introduction the motivation and contributions subtitle is not appropriate to include.

Response: Thank you for your valuable suggestion. We have deleted the motivation and contributions subtitle in Section 1 (Introduction).

  4. The contributions presented are not actually contributions, they are points that describe the content of the article. It is important to clarify in the introduction, what is the objective of the research, what is intended to be performed. In this way it will be easier to establish the real contributions.

Response: Thank you for your valuable comments. According to your suggestions, we reorganized our contributions as follows:

(1) Since the model of Butt et al.’s protocol is universal and the security flaws in Butt et al.'s protocol are also typical design flaws often encountered by other designers, we point out the reasons why these design flaws occur, which imply the design strategies to overcome them.

(2) Based on our strategy to avoid design deficiencies, we combine symmetric encryption and ECC to design a security protocol for WSN. A dynamic pseudonym strategy is designed to resist desynchronization attacks and sensor node captured attacks, and symmetric encryption is used to improve the security of the transmitted messages.

(3) We first use Find-Guess model to prove the security of symmetric encryption, and then combine Find-Guess model and random oracle model to prove the semantic security of our protocol, making our formal security proof more rigorous.

  5. Figure 1 describes a smart home system, but the related text does not explain why that particular context is used. It is very important to justify it properly.

Response: Thank you for your valuable comment. As the first reviewer pointed out that it was our mistake to write “The system model.” as “The system model of a smart home.”, we have corrected it. We feel sorry for our carelessness. Thank you so much for your careful check.

  6. I think the attack model described in section 2.2 should be improved considerably.

Response: Thank you for your valuable suggestion. We refer to D-Y model and relevant literature to improve the adversary model in Section 3.1.2, which are as follows:  

According to Dolev and Yao’s attack model of the protocols [28] and a survey [29], we present the following adversary model of our protocol.

  • All the messages transmitted publicly can be captured by the adversary, and he/she can replay, modify, and reroute the messages.
  • The adversary can list all elements in the user password space and identity space offline at the same time. In particular, the adversary can obtain the identity of the user when evaluating the anti-attack strength of the protocol.
  • An adversary can capture sensor nodes and steal smart cards, and obtain all information stored in the captured nodes and stolen cards.
  • The adversary may be a privileged insider user.
  • Only the gateway node is trusted.
  • The adversary cannot obtain the master key of the gateway and user’s biological key.

 

  7. In section 3 the authors explain the Butt et al.’s scheme, but there is no clear justification for why the scheme was used. Why not other models? Why is the selected scheme relevant? They must make it explicit in the document.

Response: Thank you for your valuable comment. We analyze the existing protocols for WSN in IoT, and find that the model of Butt et al.’s protocol is universal, and the security flaws in Butt et al.'s protocol are also typical design flaws often encountered by other designers, such as inability to resist replay attack, sensor node captured attack, off-line password guessing attack, and has no session key secrecy, perfect forward secrecy, anonymity, and unlinkability. Because this protocol has not been analyzed by other researchers, we take this protocol as a typical example to point out the reasons why these design flaws occur and propose design strategies to overcome these flaws, and then propose a new secure protocol under the same scenario, providing reference for readers to design secure protocols.

We have added the corresponding explanation in the first paragraph of Section 2 (Security Analysis of Butt et al.’s Scheme).

  8. What is the basis for proposing the scheme of section 5? It is important to justify the components the authors propose.

Response: Thank you for your valuable comment. Yes, in view of the common security flaws in the design of the protocol by Butt et al. and others, we have purposely designed a solution strategy and proposed a new protocol. The formal security proof proves the security of our protocol, overcomes the loopholes of traditional design, and can provide a reference for readers to design secure protocols in the future.

  9. For system tests use "Find-Guess model" and "random oracle model". The authors must justify why they use these particular models and not others. Do these models guarantee an adequate comparison with other proposals?

Response: Thank you for your valuable comment. The methods for proving and verifying the security of protocols generally include the random oracle model, BAN logic, ProVerif, AVISPA, etc. Generally speaking, researchers only select one of them to prove the security of protocol. It is well known that using the Find-Guess model can prove the security of symmetric encryption, while the random oracle model can prove the semantic security of the protocol. Because the messages transmitted in our proposed protocol are encrypted symmetrically, we combine Find-Guess model and random oracle model to prove the security of the proposed protocol, making the proof more rigorous.

In the first paragraph of Section 4 (Security Analysis), we have added the explanation of using "Find-Guess model" and "random oracle model".

 

  10. There are some kind of restrictions or limitations in the proposed system. It is very important that they mention them.

Response: Thank you for your valuable comment. Our protocol needs sensors, gateways, and user equipment to support ECC point multiplication and symmetric encryption/decryption. The computing power of sensors may be a limitation in the protocol.  

At the end of Section 5, we discuss this limitation as: “Our protocol needs sensors, gateways, and user equipment to support ECC point multiplication and symmetric encryption/decryption. The sensor node needs to be capable of ECC point multiplication and symmetric encryption and decryption, which may be the application limitation of our protocol. However, according to the survey [29], in the past five years, the growth of sensor computing capability and security requirements have become a trend. More and more sensors support symmetric encryption and ECC point multiplication, so the problem of sensor computing capacity limitation will be gradually solved in the future.”

  11. The conclusions section cannot be similar to the abstract, where the document is summarized. They should adequately write the conclusions of the work carried out.

Response: Thank you for your valuable suggestion. We have revised the conclusions, which are as follows:

In this paper, we pointed out that Butt et al.'s protocol cannot resist replay attack, sensor node captured attack, off-line password guessing attack, and has no session key secrecy, perfect forward secrecy, anonymity, and unlinkability, and further presented the reasons why these design flaws occur, which are also typical design flaws often encountered by other designers. Then, we proposed an ECC based three-factor authentication protocol for WSN in IoT by using dynamic anonymous strategy and symmetrical encryption technology, and proved the security of the proposed protocol by combining Find-Guess model and random oracle model. The comparisons between ours with some related protocols show that the proposed protocol has higher security, although its computation cost is slightly higher than that of other protocols. Therefore, the proposed protocol can still be applied to WSN in IoT.

 

  12. It is important that you review the use of English very well, there are several serious errors in managing verb tenses and others.

Response: Thank you for your valuable comment. We have checked and corrected the grammatical errors in the revised version.

 

 

Reviewer 4

Detailed comments to the authors are as follows:
1. Abstract: line 12-14, it is not appropriate to mention any specific existing work in the abstract. This is better mentioned in the Introduction section.

Response: Thank you for your valuable comment. According to your revision, we have simplified Line 12-14 to “However, we find that their protocol is vulnerable to several attacks, and lacks of some security properties.”.


2. Introduction: line 23, for abbreviations (such as WSN), please spell out the full term at its first mention in the main body of the manuscript (abstract doesn’t count).

Response: Thank you for your valuable comment. We have revised them.


  3. The reviewer noticed that two of the authors’ previous publications (ref 16 and 25) are cited in the introduction section. Please comment on the main difference between the current manuscript and the published work. Focus on the novelty and improvement.

Response: Thank you for your valuable comment. In References [16] and [25], because sensor nodes are often deployed in unattended scenarios, and the sensor nodes can recover the user’s real identity, which may reveal the user’s privacy. Therefore, once an adversary captures a sensor node, he or she can obtain user’s identity. That is to say, the protocols of [16] and [25] cannot resist the sensor node captured attack.

The novelty and improvements of our current manuscript are: we use dynamic pseudonym strategy to resist the sensor node captured attack, use symmetric encryption to improve the security of the transmitted messages, combine Find-Guess model and random oracle model to prove the security of our protocol.


  4. Section 3, please explain the reasons why this specific work was picked up for review. Also please mention if other researchers have analyzed this work before or not; and if so, what is the novelty of your review/analysis.

Response: Thank you for your valuable comment. We analyze the existing protocols for WSN in IoT, and find that the model of Butt et al.’s protocol is universal, and the security flaws in Butt et al.'s protocol are also typical design flaws often encountered by other designers, such as inability to resist replay attack, sensor node captured attack, off-line password guessing attack, and has no session key secrecy, perfect forward secrecy, anonymity, and unlinkability. Because this protocol has not been analyzed by other researchers, we take this protocol as a typical example to point out the reasons why these design flaws occur and propose design strategies to overcome these flaws, and then propose a new secure protocol under the same scenario, providing reference for readers to design secure protocols.


  5. From Table 3, admittedly, the proposed protocol presents higher security resistance. Meanwhile from the comparison in Table 2, the higher computational cost does imply that the proposed protocol has higher requirement for hardware (sensors). Please comment on the challenges or limitations that the proposed protocol may face in the field applications.

Response: Thank you for your valuable comment. Our protocol needs sensors, gateways, and user equipment to support ECC point multiplication and symmetric encryption/decryption. The sensor node needs to be capable of ECC point multiplication and symmetric encryption and decryption, which may be the application limitation of our protocol.

At the end of Section 5, we discuss this limitation as: “Our protocol needs sensors, gateways, and user equipment to support ECC point multiplication and symmetric encryption/decryption. The sensor node needs to be capable of ECC point multiplication and symmetric encryption and decryption, which may be the application limitation of our protocol. However, according to the survey [29], in the past five years, the growth of sensor computing capability and security requirements have become a trend. More and more sensors support symmetric encryption and ECC point multiplication, so the problem of sensor computing capacity limitation will be gradually solved in the future.”

 

 

Thanks again for your good comments and suggestions. We hope the Editors and Reviewers will be satisfied with the revisions for the original manuscript.

 

Yours sincerely,

 

Qi XIE

Author Response File: Author Response.pdf

Reviewer 4 Report

Detailed comments to the authors are as follows:
1. Abstract: line 12-14, it is not appropriate to mention any specific existing work in the abstract. This is better mentioned in the Introduction section.
2. Introduction: line 23, for abbreviations (such as WSN), please spell out the full term at its first mention in the main body of the manuscript (abstract doesn’t count).
3. The reviewer noticed that two of the authors’ previous publications (ref 16 and 25) are cited in the introduction section. Please comment on the main difference between the current manuscript and the published work. Focus on the novelty and improvement.
4. Section 3, please explain the reasons why this specific work was picked up for review. Also please mention if other researchers have analyzed this work before or not; and if so, what is the novelty of your review/analysis.
5. From Table 3, admittedly, the proposed protocol presents higher security resistance. Meanwhile from the comparison in Table 2, the higher computational cost does imply that the proposed protocol has higher requirement for hardware (sensors). Please comment on the challenges or limitations that the proposed protocol may face in the field applications.

Author Response

Revision Statement

Dear Editor,

Thank you for your letter and for the reviewers’ comments concerning our manuscript entitled “Provably Secure Dynamic Anonymous Authentication Protocol for Wireless Sensor Networks in IoT” (sustainability-2237034). Those comments are valuable and very helpful for improving our paper. We have studied comments carefully and have made corrections as follows.

 

Reviewer 1

In this manuscript, authors first pointed out that most previous protocols for WSN in IoT are insecure, and then take Butt et al.’s scheme as an example to analyze their security, and showed several security flaws. After that, authors propose a dynamic anonymous three-factor authentication protocol for WSN in IoT. The security analysis on Butt et al.’s scheme is correct. Authors design dynamic anonymity strategy to guarantee the user's privacy and resist the desynchronization attack and sensor node captured attacks, and use Find-Guess model and random oracle model to prove the security of the proposed protocol, which is an innovative work. However, the following weaknesses need to be overcome.

 

  1. For the security analysis of the Butt et al.’s scheme, I suggest that authors modify the Privileges-inside attachment/Sensor node captured attacks in Section 4.2 to Sensor node captured attacks, because Butt et al. assumed that the sensor node is trusted. But it cannot resist sensor node captured attacks.

Response: Thank you for your valuable comment. We have changed “Privileges-inside attachment/Sensor node captured attacks” to “Sensor node captured attacks” and modified the description of this attack accordingly.

 

  2. I suggest that authors delete “of a smart home” in “Figure 1. The system model of a smart home”.

Response: Thank you for your valuable comment. We have changed the description of Figure 1 to “The system model”.

 

  3. Because the security proof of most papers only uses random oracle model, so in the first paragraph of section 6, it is better to explain why the Find-Guess model is used to prove the security of the proposed protocol beside random oracle model.

Response: Thank you for your valuable comment. It is well known that using the Find-Guess model can prove the security of symmetric encryption, while the random oracle model can prove the semantic security of the protocol. Because the messages transmitted in our proposed protocol are encrypted symmetrically, we use the combination of Find-Guess model and random oracle model to prove the security of the proposed protocol, making the proof more rigorous.

We added the relevant explanation in the first paragraph in Section 4 (Security Analysis).

 

  4. In informal security analysis, I noticed that the authors use both attacker and adversary. I suggest using the adversary uniformly.

Response: Thank you for your valuable suggestion. We have replaced all “attacker” with “adversary”.

 

  5. The initial letters of the secondary title should be consistent in size. It is recommended to refer to the template.

Response: Thank you for your valuable comment. We have unified the format of the secondary titles by referring to the template.

 

  6. There are still some spelling and grammatical errors in the manuscript, for example:

(1) “mixed” in the first sentence of the second paragraph of Section 4.4 should be “fixed”.

(2) In the first sentence of Section 9, “IOT” should be “IoT”.

(3) The first sentence of Definition 2 in Section 6: “Only three states of the oracle in the proposed scheme”,

(4) In the first paragraph of section 8: “As shown in Table 2, the comparison result includes the costs of login, mutual authentication, and the session key negotiation.”

Authors should proofread the manuscript and correct them.

Response: Thank you for your valuable comments. We have proofread and corrected the manuscript according to your comments.

 

 

Reviewer 2

The article showed that Butt et al.’s protocol is vulnerable to replay attacks, privileged-insider attack, off-line password guessing attack, and has no session key secrecy, perfect forward secrecy, anonymity, and unlinkability, and proposed a “Dynamic Anonymous Authentication Protocol for Wireless Sensor Networks in IoT”. The formal security proof shows that the proposed protocol is secure, so the contributions of the article are valuable. After reading the article carefully, I still find some problems as follows.

(1) The first letters of keywords are either lowercase or uppercase. Don't mix them.

Response: Thank you for your valuable comment. We have unified the format of the keywords according to the template.

 

(2) The keyword “Provably Security” may be “provably secure”.

Response: Thank you for your valuable comment. We have corrected it.

(3) The Butt et al.’s protocol cannot resist the sensor node captured attacks. Why didn't the authors express it clearly in the abstract and conclusion?

Response: Thank you for your valuable comments. We have corrected the relevant descriptions in the manuscript.

 

(4) In Shuai et al.’s scheme [15], because the secret number K2 is stored in sensor node, if an adversary can capture the sensor node, then s/he can get K2 and obtain user’s identity, so their scheme cannot resist sensor node captured attacks. Please correct the comparison table.

Response: Thank you for your valuable suggestion. We have added the description of this attack on Shuai et al.’s scheme [15] and Xie et al.’s scheme [16] in “Section 1 Introduction”, and also corrected Table 3.

 

(5) Since article [16] is an improvement on article [15], I suggest that article [16] be compared with the proposed scheme.

Response: Thank you for your valuable suggestion. We have added article [16] to Section 5 (Performance Comparisons) for comparative analysis. Please refer to Section 5.

(6) There are several syntax errors, and some descriptions should be revised, such as “while maintaining overwhelming security.” in contributions. I don't suggest the authors use “overwhelming”.

Response: Thank you for your valuable suggestion. We have proofread the manuscript and corrected syntax errors, and also modified “while maintaining overwhelming security.” to “our protocol has higher security”.

 

 

Reviewer 3

The article proposes a three-factor authentication protocol for WSN in IoT, which could improve security in IoT contexts. The topic is relevant but the document requires several adjustments, so that it can be considered for publication.

  1. In the abstract it is important to express what the "three-factor authentication protocol for WSN in IoT" consists of. What are the 3 factors considered?

Response: Thank you for your valuable suggestions. Three-factor authentication combines what you know (password), what you have (smart card), and what you are (biometric information) to verify the user's identity, which can provide higher security than two-factor authentication. We have made corresponding modifications in Abstract.

  2. The article contains too many chapters (nine in total), I consider that it is appropriate to organize it in a better way, reducing the chapters to a maximum of 5 or 6.

Response: Thank you for your valuable suggestion. We reduce the Sections to 6. The details are as follows:

Section 1. Introduction; Section 2. Security Analysis of Butt et al.’s Scheme (2.1. Review of Butt et al.’s Scheme, 2.2. Security analysis of Butt et al.’s Scheme); Section 3. The Proposed Scheme (3.1. System Model and Adversary Model, 3.2. The Proposed Protocol); Section 4. Security Analysis (4.1. Formal Security Proof, 4.2. Informal Security Analysis); Section 5. Performance Comparisons; Section 6. Conclusions.

  3. In the introduction the motivation and contributions subtitle is not appropriate to include.

Response: Thank you for your valuable suggestion. We have deleted the motivation and contributions subtitle in Section 1 (Introduction).

  4. The contributions presented are not actually contributions, they are points that describe the content of the article. It is important to clarify in the introduction, what is the objective of the research, what is intended to be performed. In this way it will be easier to establish the real contributions.

Response: Thank you for your valuable comments. According to your suggestions, we reorganized our contributions as follows:

(1) Since the model of Butt et al.’s protocol is universal and the security flaws in Butt et al.'s protocol are also typical design flaws often encountered by other designers, we point out the reasons why these design flaws occur, which imply the design strategies to overcome them.

(2) Based on our strategy to avoid design deficiencies, we combine symmetric encryption and ECC to design a security protocol for WSN. A dynamic pseudonym strategy is designed to resist desynchronization attacks and sensor node captured attacks, and symmetric encryption is used to improve the security of the transmitted messages.

(3) We first use Find-Guess model to prove the security of symmetric encryption, and then combine Find-Guess model and random oracle model to prove the semantic security of our protocol, making our formal security proof more rigorous.

  5. Figure 1 describes a smart home system, but the related text does not explain why that particular context is used. It is very important to justify it properly.

Response: Thank you for your valuable comment. As the first reviewer pointed out that it was our mistake to write “The system model.” as “The system model of a smart home.”, we have corrected it. We feel sorry for our carelessness. Thank you so much for your careful check.

  6. I think the attack model described in section 2.2 should be improved considerably.

Response: Thank you for your valuable suggestion. We refer to D-Y model and relevant literature to improve the adversary model in Section 3.1.2, which are as follows:  

According to Dolev and Yao’s attack model of the protocols [28] and a survey [29], we present the following adversary model of our protocol.

  • All the messages transmitted publicly can be captured by the adversary, and he/she can replay, modify, and reroute the messages.
  • The adversary can list all elements in the user password space and identity space offline at the same time. In particular, the adversary can obtain the identity of the user when evaluating the anti-attack strength of the protocol.
  • An adversary can capture sensor nodes and steal smart cards, and obtain all information stored in the captured nodes and stolen cards.
  • The adversary may be a privileged insider user.
  • Only the gateway node is trusted.
  • The adversary cannot obtain the master key of the gateway and user’s biological key.

 

  7. In section 3 the authors explain the Butt et al.'s scheme, but there is no clear justification for why the scheme was used. Why not other models? Why is the selected scheme relevant? They must make it explicit in the document.

Response: Thank you for your valuable comment. We analyze the existing protocols for WSN in IoT, and find that the model of Butt et al.’s protocol is universal, and the security flaws in Butt et al.'s protocol are also typical design flaws often encountered by other designers, such as inability to resist replay attack, sensor node captured attack, off-line password guessing attack, and has no session key secrecy, perfect forward secrecy, anonymity, and unlinkability. Because this protocol has not been analyzed by other researchers, we take this protocol as a typical example to point out the reasons why these design flaws occur and propose design strategies to overcome these flaws, and then propose a new secure protocol under the same scenario, providing reference for readers to design secure protocols.

We have added the corresponding explanation in the first paragraph of Section 2 (Security Analysis of Butt et al.’s Scheme).

  8. What is the basis for proposing the scheme of section 5? It is important to justify the components the authors propose.

Response: Thank you for your valuable comment. Yes, in view of the common security flaws in the design of the protocol by Butt et al. and others, we have purposely designed a solution strategy and proposed a new protocol. The formal security proof proves the security of our protocol, overcomes the loopholes of traditional design, and can provide a reference for readers to design secure protocols in the future.

  9. For system tests use "Find-Guess model" and "random oracle model". The authors must justify why they use these particular models and not others. Do these models guarantee an adequate comparison with other proposals?

Response: Thank you for your valuable comment. The methods for proving and verifying the security of protocols generally include the random oracle model, BAN logic, ProVerif, AVISPA, etc. Generally speaking, researchers only select one of them to prove the security of protocol. It is well known that using the Find-Guess model can prove the security of symmetric encryption, while the random oracle model can prove the semantic security of the protocol. Because the messages transmitted in our proposed protocol are encrypted symmetrically, we combine Find-Guess model and random oracle model to prove the security of the proposed protocol, making the proof more rigorous.

In the first paragraph of Section 4 (Security Analysis), we have added the explanation of using "Find-Guess model" and "random oracle model".

 

  10. There are some kind of restrictions or limitations in the proposed system. It is very important that they mention them.

Response: Thank you for your valuable comment. Our protocol needs sensors, gateways, and user equipment to support ECC point multiplication and symmetric encryption/decryption. The computing power of sensors may be a limitation in the protocol.  

At the end of Section 5, we discuss this limitation as: “Our protocol needs sensors, gateways, and user equipment to support ECC point multiplication and symmetric encryption/decryption. The sensor node needs to be capable of ECC point multiplication and symmetric encryption and decryption, which may be the application limitation of our protocol. However, according to the survey [29], in the past five years, the growth of sensor computing capability and security requirements have become a trend. More and more sensors support symmetric encryption and ECC point multiplication, so the problem of sensor computing capacity limitation will be gradually solved in the future.”

  11. The conclusions section cannot be similar to the abstract, where the document is summarized. They should adequately write the conclusions of the work carried out.

Response: Thank you for your valuable suggestion. We have revised the conclusions, which are as follows:

In this paper, we pointed out that Butt et al.'s protocol cannot resist replay attack, sensor node captured attack, off-line password guessing attack, and has no session key secrecy, perfect forward secrecy, anonymity, and unlinkability, and further presented the reasons why these design flaws occur, which are also typical design flaws often encountered by other designers. Then, we proposed an ECC based three-factor authentication protocol for WSN in IoT by using dynamic anonymous strategy and symmetrical encryption technology, and proved the security of the proposed protocol by combining Find-Guess model and random oracle model. The comparisons between ours with some related protocols show that the proposed protocol has higher security, although its computation cost is slightly higher than that of other protocols. Therefore, the proposed protocol can still be applied to WSN in IoT.

 

  12. It is important that you review the use of English very well, there are several serious errors in managing verb tenses and others.

Response: Thank you for your valuable comment. We have checked and corrected the grammatical errors in the revised version.

 

 

Reviewer 4

Detailed comments to the authors are as follows:
1. Abstract: line 12-14, it is not appropriate to mention any specific existing work in the abstract. This is better mentioned in the Introduction section.

Response: Thank you for your valuable comment. According to your revision, we have simplified Line 12-14 to “However, we find that their protocol is vulnerable to several attacks, and lacks of some security properties.”.


  2. Introduction: line 23, for abbreviations (such as WSN), please spell out the full term at its first mention in the main body of the manuscript (abstract doesn’t count).

Response: Thank you for your valuable comment. We have revised them.


  3. The reviewer noticed that two of the authors’ previous publications (ref 16 and 25) are cited in the introduction section. Please comment on the main difference between the current manuscript and the published work. Focus on the novelty and improvement.

Response: Thank you for your valuable comment. In References [16] and [25], because sensor nodes are often deployed in unattended scenarios, and the sensor nodes can recover the user’s real identity, which may reveal the user’s privacy. Therefore, once an adversary captures a sensor node, he or she can obtain user’s identity. That is to say, the protocols of [16] and [25] cannot resist the sensor node captured attack.

The novelty and improvements of our current manuscript are: we use dynamic pseudonym strategy to resist the sensor node captured attack, use symmetric encryption to improve the security of the transmitted messages, combine Find-Guess model and random oracle model to prove the security of our protocol.


  4. Section 3, please explain the reasons why this specific work was picked up for review. Also please mention if other researchers have analyzed this work before or not; and if so, what is the novelty of your review/analysis.

Response: Thank you for your valuable comment. We analyze the existing protocols for WSN in IoT, and find that the model of Butt et al.’s protocol is universal, and the security flaws in Butt et al.'s protocol are also typical design flaws often encountered by other designers, such as inability to resist replay attack, sensor node captured attack, off-line password guessing attack, and has no session key secrecy, perfect forward secrecy, anonymity, and unlinkability. Because this protocol has not been analyzed by other researchers, we take this protocol as a typical example to point out the reasons why these design flaws occur and propose design strategies to overcome these flaws, and then propose a new secure protocol under the same scenario, providing reference for readers to design secure protocols.


  5. From Table 3, admittedly, the proposed protocol presents higher security resistance. Meanwhile from the comparison in Table 2, the higher computational cost does imply that the proposed protocol has higher requirement for hardware (sensors). Please comment on the challenges or limitations that the proposed protocol may face in the field applications.

Response: Thank you for your valuable comment. Our protocol needs sensors, gateways, and user equipment to support ECC point multiplication and symmetric encryption/decryption. The sensor node needs to be capable of ECC point multiplication and symmetric encryption and decryption, which may be the application limitation of our protocol.

At the end of Section 5, we discuss this limitation as: “Our protocol needs sensors, gateways, and user equipment to support ECC point multiplication and symmetric encryption/decryption. The sensor node needs to be capable of ECC point multiplication and symmetric encryption and decryption, which may be the application limitation of our protocol. However, according to the survey [29], in the past five years, the growth of sensor computing capability and security requirements have become a trend. More and more sensors support symmetric encryption and ECC point multiplication, so the problem of sensor computing capacity limitation will be gradually solved in the future.”

 

 

Thanks again for your good comments and suggestions. We hope the Editors and Reviewers will be satisfied with the revisions for the original manuscript.

 

Yours sincerely,

 

Qi XIE

Author Response File: Author Response.pdf

Round 2

Reviewer 3 Report

The authors have adequately corrected the requested points. However, I recommend that you check again for some language errors. It also seems pertinent to me that the authors expand the conclusions section a bit, explaining the relevance of the results obtained and some future work. Thanks.

Author Response

Dear Editors and Reviewers,

Thank you for your valuable suggestions. We invited a teacher with good English to correct the grammatical errors in the full text. In addition, we have checked and replaced two references [2] and [27]. Thank you very much!

Yours sincerely,

 

Qi XIE

Reviewer 4 Report

The reviewer appreciates the effort the authors put in improving the manuscript. It is up to the satisfaction of the reviewer.

Author Response

Dear Editors and Reviewers,

Thank you for your valuable suggestions. We invited a teacher with good English to correct the grammatical errors in the full text. In addition, we have checked and replaced two references [2] and [27]. Thank you very much!

Yours sincerely,

 

Qi XIE
