Sage Journals: Discover world-class research

Abstract

The uses of wireless sensor networks have increased to be applicable in many different areas, such as military applications, ecology, and health applications. These applications often include the management of confidential information, making the issue of security one of the most important aspects to consider. In this aspect, a user authentication mechanism that allows only legitimate users to access the network data becomes critical for maintaining the confidentiality and integrity of the network information. In this paper, we describe and cryptoanalyze previous works in user authentication to illustrate their vulnerabilities and security flaws. We then propose a robust user authentication scheme that solves the identified limitations. Additionally, we describe how the proposed protocol is more suitable for a secure sensor network implementation by analysis in terms of security and performance.

1. Introduction

Wireless sensor networks (WSNs) are being applied in different fields such as habitat monitoring [1], indoor sensor networks [2], military applications [3], and health monitoring [4]. Many of these applications manage confidential information, making the issue of security one of the most important points to consider. One of the fields of research in wireless sensor network security is the user authentication scheme that allows only authentic users to access the data collected by the sensor nodes.

In 2006, Wong et al. [5] proposed a dynamic user authentication scheme and discussed the implementation issues with the recommendation of using the security features of the IEEE 802.15.4 MAC sublayer. Later, in 2009, Das [6] presented his research work where he identified vulnerabilities in Wong et al.'s protocol and proposed his own authentication scheme based on the two-factor user authentication concept. After publication of Das' proposal, several works have pointed out that such a protocol was vulnerable to other attacks. Nyang and Lee [7] identified that Das' protocol was vulnerable to offline password guessing and sensor node compromising attacks. Huang et al. [8] also identified some limitations of Das' scheme, such as vulnerability from an impersonation attack. Additionally, [9] pointed out the absence of a mutual authentication feature in Das' protocol, while Khan and Alghathbar [10] pointed out more security flaws of Das' proposal, noting that it was vulnerable to privileged-insider and gateway-node bypassing attacks. References [7–10] also proposed enhanced versions of Das' protocol to eliminate detected vulnerabilities. However, those proposals still include several vulnerabilities and limitations that an adversary could take advantage of.

In this paper, we provide two specific contributions to the WSN user authentication research area: (1) first, we cryptoanalyze the aforementioned works and show how reference [7] is still vulnerable to parallel session and privileged-insider attacks and how it does not offer a password change mechanism. We also illustrate how [8] is vulnerable to parallel session and privileged-insider attacks and how it does not provide mutual authentication and password change features. Additionally, we explain how [9] is defenseless against parallel session, privileged-insider, and gateway-node bypassing attacks, does not offer a password change mechanism, and has a serious vulnerability in its mutual authentication mechanism. Furthermore, we explain how [10] is vulnerable from parallel session attacks, only offers a partial protection against gateway-node bypassing attacks, and does not provide mutual authentication between the user and the gateway-node. (2) Later, after identifying the limitations of previously mentioned works, we propose a robust user authentication for wireless sensor networks which fixes the aforementioned weaknesses.

The rest of the paper is organized as follows. Section 2 briefly reviews the existing works and details the weaknesses and security pitfalls of such schemes. Section 3 then presents the proposed protocol which solves the vulnerabilities and limitations mentioned in Section 2. Next, Section 4 analyzes the proposed protocol in terms of security and performance. Finally, Section 5 concludes this paper.

2. Previous Works and Their Cryptanalysis

In this section, we explain briefly the proposal of Das [6]. We then describe further works [7–10] focused to solve the limitations of Das' scheme and how those enhanced proposals are still not secure and have several security vulnerabilities.

2.1. Review of the Das Scheme

The scheme proposed by Das [6] is composed of registration and authentication phases.

Registration Phase

A user $U_{i}$ submits his/her identity $I D_{i}$ and password $P W_{i}$ to the gateway node $G W$ using a secure channel. $G W$ then computes $N_{i} = h (I D_{i} ∥ P W_{i}) ⨁ h (K)$ , where K is a symmetric key only known by $G W$ , $h (\cdot)$ is a hash function, and “ $∥$ ” is a concatenation operator. Once $N_{i}$ is calculated, $G W$ personalizes a smart card with the parameters $h (\cdot)$ , $I D_{i}$ , $N_{i}$ , $h (P W_{i})$ , and $x_{a}$ , where $x_{a}$ is a secret parameter generated securely by $G W$ and stored in the sensor nodes before deployment. Finally, $G W$ delivers the smart card to $U_{i}$ in a secure manner.

Authentication Phase

This phase is executed when $U_{i}$ needs to access data of a sensor node of the network. The phase is composed of the Login and verification phases.

(1) Login Phase. $U_{i}$ inserts the smart card in his/her terminal, and inputs $I D_{i}$ and $P W_{i}$ . The smart card verifies the validity of those values by comparing $I D_{i}$ and $h (P W_{i})$ with the data stored in it. If those values are correct, the smart card computes $D I D_{i} = h (I D_{i} ∥ P W_{i}) ⨁ h (x_{a} ∥ T)$ and $C_{i} = h (N_{i} ∥ x_{a} ∥ T)$ , where T is the current timestamp of $U_{i}$ 's system and sends ${D I D_{i}, C_{i}, T}$ to $G W$ .

(2) Verification Phase. Upon receiving the login request at time $T^{*}, G W$ validates T. If $(T^{*} - T) > Δ T$ , then $G W$ aborts the authentication process, where $Δ T$ denotes the maximum allowed communication delay. Otherwise, $G W$ computes $h {(I D_{i} ∥ P W_{i})}^{*} = D I D_{i} ⨁ h (x_{a} ∥ T)$ and $C_{i}^{*} = h ((h {(I D_{i} ∥ P W_{i})}^{*} ⨁ h (K)) ∥ x_{a} ∥ T)$ . If $C_{i}^{*}$ is different to $C_{i}$ , then $G W$ rejects the login request; otherwise, $G W$ sends a message ${D I D_{i}, A_{i}, T^{'}}$ to some nearest sensor node $S_{n}$ to respond to the query with the data that $U_{i}$ is looking for, where $A_{i} = h (D I D_{i} ∥ S_{n} ∥ x_{a} ∥ T^{'})$ and $T^{'}$ is the current timestamp of the $G W$ 's system. $S_{n}$ first validates $T^{'}$ , then computes $h (D I D_{i} ∥ S_{n} ∥ x_{a} ∥ T^{'})$ , and checks whether it is equal to $A_{i}$ . If those values match, then $S_{n}$ responds to $U_{i}$ query.

2.2. Chen-Shih's Scheme

In [9], the authors indicate that Das' scheme fails in mutual authentication and it is vulnerable to parallel session attack, and propose “A robust mutual authentication protocol for wireless sensor networks” which still has vulnerabilities and limitations.

2.2.1. Review of Chen-Shih's Scheme

The protocol proposed in [9] is composed of registration, login, verification, and mutual authentication phases.

Registration Phase

The user $U_{i}$ submits his/her identity $I D_{i}$ and password $P W_{i}$ to the gateway node $G W$ using a secure channel. $G W$ then computes $N_{i} = h (I D_{i} ∥ P W_{i}) ⨁ h (K)$ , where K is a symmetric key only known by $G W$ , $h (\cdot)$ is a hash function, and “ $∥$ ” is a concatenation operator. Once $N_{i}$ is calculated, $G W$ personalizes a smart card with the parameters $h (\cdot)$ , $I D_{i}$ , $N_{i}$ , $h (P W_{i})$ , and $x_{a}$ , where $x_{a}$ is a secret parameter generated by $G W$ and stored in the sensor nodes before deployment. Finally, $G W$ delivers the smart card to $U_{i}$ in a secure manner.

Login Phase

When $U_{i}$ enters his/her $I D_{i}$ and $P W_{i}$ , the smart card verifies the validity of $I D_{i}$ and $P W_{i}$ . If they are not correct, it terminates the request; otherwise, $U_{i}$ 's smart card generates a random nonce $R_{i}$ at $T_{u}$ and computes $D I D_{i} = h (I D_{i} ∥ P W_{i}) ⨁ h (x_{a} ∥ T_{u} ∥ R_{i})$ and $C_{i} = h (N_{i} ∥ x_{a} ∥ T_{u} ∥ R_{i})$ , where $T_{u}$ is the current timestamp of $U_{i}$ 's system. $U_{i}$ then sends the message ${D I D_{i}, C_{i}, T_{u}, R_{i}}$ to $G W$ .

Verification Phase

Once the ${D I D_{i}, C_{i}, T_{u}, R_{i}}$ message is received at time $T_{g}$ , $G W$ verifies if $(T_{g} - T_{u}) > Δ T$ , where $Δ T$ denotes the maximum allowed delay. If the required condition is fulfilled, $G W$ aborts the authentication process; otherwise, $G W$ computes $h {(I D_{i} ∥ P W_{i})}^{*} = D I D_{i} ⨁ h (x_{a} ∥ T_{u} ∥ R_{i})$ and $C_{i}^{*} = h ((h {(I D_{i} ∥ P W_{i})}^{*} ⨁ h (K)) ∥ x_{a} ∥ T_{u} ∥ R_{i})$ . If $C_{i}^{*}$ is different to $C_{i}$ , $G W$ rejects the login request; otherwise, $G W$ accepts the request and generates a random nonce $R_{c}$ and sends a message ${D I D_{i}, A_{i}, T^{'}}$ to some sensor node $S_{n}$ , where $A_{i} = h (D I D_{i} ∥ S_{n} ∥ x_{a} ∥ T^{'})$ and $T^{'}$ is the current timestamp of $G W$ 's system. Additionally, $G W$ also sends the ${C_{g}, R_{c}, S_{n}}$ message to $U_{i}$ where $C_{g} = h (D I D_{i} ∥ S_{n} ∥ x_{a} ∥ R_{c})$ . Finally, $S_{n}$ , after validating $T^{'}$ , computes $h (D I D_{i} ∥ S_{n} ∥ x_{a} ∥ T^{'})$ and checks whether it is equal to $A_{i}$ . If those values match, then $S_{n}$ responds to the query from $U_{i}$ .

Mutual Authentication Phase

After receiving the message ${C_{g}, R_{c}, S_{n}}$ , $U_{i}$ only coworks with $S_{n}$ if $C_{g}$ is equal to $h (D I D_{i} ∥ S_{n} ∥ x_{a} ∥ R_{c})$ .

2.2.2. Cryptoanalysis of Chen-Shih's Scheme

Here, we show how the proposal of Chen and Shih still has some critical security pitfalls and limitations.

Parallel Session Attack

In Chen-Shih's scheme, the authors include the random nonce $R_{i}$ inside $D I D_{i}$ and $C_{i}$ to neutralize this attack. However, their protocol remains vulnerable. Assume that a legal user Tom eavesdrops on the message ${D I D_{i}, C_{i}, T_{1}, R_{i 1}}$ between $G W$ and $U_{i}$ at timestamp $T_{1}$ to obtain $D I D_{i (T 1)} = h (I D_{i} ∥ P W_{i}) ⨁ h (x_{a} ∥ T_{1} ∥ R_{i 1})$ and $R_{i 1}$ , where $D I D_{i (T 1)}$ is the $D I D_{i}$ value at $T_{1}$ and $R_{i 1}$ denotes the random nonce at $T_{1}$ . Tom can then forge the message $D I D_{i}$ at timestamp $T_{2} D I D_{i (T 2)}$ by generating $D I D_{Tom (T 1)} = h (I D_{Tom} ∥ P W_{Tom}) ⨁ h (x_{a} ∥ T_{1} ∥ R_{i 1})$ and $D I D_{Tom (T 2)} = h (I D_{Tom} ∥ P W_{Tom}) ⨁ h (x_{a} ∥ T_{2} ∥ R_{i 2})$ , and computing $D I D_{i (T 2)} = D I D_{i (T 1)} ⨁ D I D_{Tom (T 1)} ⨁$ $D I D_{Tom (T 2)} = h (I D_{i} ∥ {P W}_{i}) ⨁ h (x_{a} ∥ T_{1} ∥ R_{i 1}) ⨁ h (I D_{Tom} ∥ P W_{Tom}) ⨁ h (x_{a} ∥ T_{1} ∥ R_{i 1}) ⨁ h (I D_{Tom} ∥ P W_{Tom}) ⨁$ $h (x_{a} ∥ T_{2} ∥ R_{i 2})$ , where $R_{i 2}$ is any random number selected by Tom, and $I D_{Tom}$ and $P W_{Tom}$ are Tom's ID and password, respectively. Once $U_{i}$ 's $D I D_{i (T 2)}$ is obtained, Tom can send a new session message ${D I D_{i (T 2)}, C_{i}, T_{2}, R_{i 2}}$ at $T_{2}$ for a new login request.

Gateway Node Bypassing Attack

The Chen-Shih scheme uses the $x_{a}$ value to allow $S_{n}$ to verify that the $A_{i}$ message originates from the authentic $G W$ . If we assume that the adversary can extract the value of $x_{a}$ stored inside of a valid smart card by using some techniques [11–13], the adversary can execute the gateway node bypassing attack. First, the attacker computes a forged $D I D_{f} = h (I D_{f} ∥ P W_{f}) ⨁ h (x_{a} ∥ T_{f} ∥ R_{f})$ by using the extracted $x_{a}$ , where $I D_{f}$ is a forged $I D$ , $P W_{f}$ is a randomly chosen forged password, $T_{f}$ is the timestamp of an adversary's terminal, and $R_{f}$ is an arbitrary random nonce. The attacker then computes $A_{f} = h (D I D_{f} ∥ S_{n} ∥ x_{a} ∥ T_{f})$ . Once $D I D_{f}$ and $A_{f}$ are calculated, the adversary sends the message ${D I D_{f}, A_{f}, T_{f}}$ to $S_{n}$ over the public channel. Finally, $S_{n}$ authenticates the adversary's message because $S_{n}$ cannot recognize its invalidity because the $h (D I D_{f} ∥ S_{n} ∥ x_{a} ∥ T_{f})$ value computed by $S_{n}$ is equal to the $A_{f}$ value received from the adversary.

Privileged-Insider Attack

The system administrator or privileged-insider of $G W$ may try to impersonate $U_{i}$ by authenticating himself/herself to other servers where $U_{i}$ could be registered user. This is possible because $G W$ receives the password of $U_{i}$ in plaintext, that is, $P W_{i}$ , in the registration phase, and because many users use the same password to access different applications of servers.

Vulnerable Mutual Authentication between $U_{i}$ and $G W$

Chen-Shih's scheme proposes a mutual authentication phase. However, it has vulnerability which allows an adversary to execute the $G W$ spoofing attack. If we assume that the adversary can extract the value of $x_{a}$ from a valid smart card or sensor node by using some techniques [11–13] as assumed in [8, 10], the adversary can then pretend to be a valid $G W$ . First, the fake gateway node $G W_{f}$ listens to the network and sniffs the ${D I D_{i}, C_{i}, T_{u}, R_{i}}$ message. Once the message is received, $G W_{f}$ can respond with the message ${C_{f}, R_{f}, S_{f}}$ , where $C_{f} = h (D I D_{i} ∥ S_{f} ∥ x_{a} ∥ R_{f})$ , where $S_{f}$ is the identification of the adversary's sensor node and where $R_{f}$ is a random nonce selected by the adversary. Finally, $U_{i}$ authenticates the adversary's message because $U_{i}$ cannot recognize its invalidity because the received $C_{f}$ is equal to $h (D I D_{i} ∥ S_{f} ∥ x_{a} ∥ R_{f})$ computed by $U_{i}$ . After authentication, the fake sensor node $S_{f}$ can send false data to $U_{i}$ .

Lack of Mutual Authentication between $G W$ and the Sensor Node

The Chen-Shih scheme does not provide a mutual authentication mechanism between $G W$ and the sensor nodes. Therefore, it is vulnerable to a sensor node spoofing attack. The adversary can place a false sensor node $S_{f}$ to respond to the ${D I D_{i}, A_{i}, T'}$ message with false data. $G W$ cannot recognize the invalidity of the false data because it does not perform any verification.

Lack of a Password Change Phase

The Chen-Shih scheme does not provide a password change phase for $U_{i}$ , which is a requirement for a secure system.

2.3. Khan-Alghathbar's Scheme

In [10], the authors indicate that Das' scheme is vulnerable to gateway node bypassing and privileged-insider attacks. They also point out that Das' scheme does not provide mutual authentication or a password change mechanism. As a response to such limitations, they propose improvements of Das' scheme which still has vulnerabilities and limitations.

2.3.1. Review of Khan-Alghathbar's Scheme

The protocol proposed in [10] is composed of registration and authentication phases.

Registration Phase

A user $U_{i}$ submits his/her identity $I D_{i}$ and password $P W_{i}$ to his/her terminal. The terminal then calculates $h (P W_{i})$ and sends $I D_{i}$ and $h (P W_{i})$ to the gateway node $G W$ using a secure channel, where $h (\cdot)$ is a hash function. $G W$ then computes $N_{i} = h (I D_{i} ∥ h (P W_{i})) ⨁ h (K)$ , where K is a symmetric key only known by $G W$ and “ $∥$ ” is a concatenation operator. Once $N_{i}$ is calculated, $G W$ personalizes a smart card with the parameters $h (\cdot)$ , $I D_{i}$ , $N_{i}$ , $h (P W_{i})$ , and $x_{a}$ , where $x_{a}$ is a secret parameter generated securely by $G W$ . On the other hand, $G W$ generates another secret parameter $x_{s}$ and stores it in each sensor node before its deployment in the field.

Authentication Phase

This phase is executed when $U_{i}$ needs to access the data of a sensor node of the network. The phase is composed of login and verification phases.

(1) Login Phase. $U_{i}$ inserts the smart card in his/her terminal, and inputs $I D_{i}$ and $P W_{i}$ . The smart card verifies the validity of those values by comparing the data stored in it. If those values are correct, the smart card computes $D I D_{i} = h (I D_{i} ∥ {P W}_{i}) ⨁ h (x_{a} ∥ T)$ and $C_{i} = h (N_{i} ∥ x_{a} ∥ T)$ , where T is the current timestamp of $U_{i}$ 's system and sends ${D I D_{i}, C_{i}, T}$ to $G W$ . Otherwise, the login request is rejected.

(2) Verification Phase. Upon receiving the login request at time $T^{*}$ , $G W$ validates T. If $(T^{*} - T) > Δ T$ , $G W$ aborts the authentication process, where $Δ T$ denotes the maximum allowed communication delay. Otherwise, $G W$ computes $h {(I D_{i} ∥ P W_{i})}^{*} = D I D_{i} ⨁ h (x_{a} ∥ T)$ and $C_{i}^{*} = h ((h {(I D_{i} ∥ P W_{i})}^{*} ⨁ h (K)) ∥ x_{a} ∥ T)$ . If $C_{i}^{*}$ is different to $C_{i}$ , $G W$ rejects the login request. Otherwise, $G W$ sends a message ${D I D_{i}, A_{i}, T^{'}}$ to some nearest sensor node $S_{n}$ , where $A_{i} = h (D I D_{i} ∥ S_{n} ∥ x_{s} ∥ T^{'})$ and $T^{'}$ is the current timestamp of $G W$ 's system. $S_{n}$ first validates $T^{'}$ , then computes $h (D I D_{i} ∥ S_{n} ∥ x_{s} ∥ T^{'})$ , and checks whether it is equal to $A_{i}$ . If those values match, $S_{n}$ computes $B_{i} = h (S_{n} ∥ x_{s} ∥ T^{''})$ , where $T^{''}$ is the current timestamp of sensor node's system and sends ${B_{i}, T^{''}}$ to $G W$ . After receiving the mutual authentication message ${B_{i}, T^{''}}$ , $G W$ first checks the validity of timestamp $T^{''}$ and then computes $B_{i}^{*} = h (S_{n} ∥ x_{s} ∥ T^{''})$ and checks whether it is equal to $B_{i}$ . If those values match, $G W$ establishes trust with the sensor node; otherwise, $G W$ alerts $U_{i}$ about the possibility of a malicious sensor node in the network and sends a process-termination message.

Password Change Phase

When a user $U_{i}$ wants to change his/her password $P W_{i}$ to a new password $P W_{i}^{*}$ , $U_{i}$ inserts his/her smart card into the terminal and enters $I D_{i}$ , $P W_{i}$ , and $P W_{i}^{*}$ . The smart card validates $I D_{i}$ and $P W_{i}$ . Only if those values are correct, then the smart card computes $N_{i}^{*} = N_{i} ⨁ h (I D_{i} ∥ P W_{i}) ⨁ h (I D_{i} ∥ P W_{i}^{*})$ and replaces $N_{i}$ and $h (P W_{i})$ with $N_{i}^{*}$ and $h (P W_{i}^{*})$ , respectively.

2.3.2. Cryptoanalysis of Khan-Alghathbar Scheme

The proposal of Khan and Alghathbar still has some critical security pitfalls and limitations as shown below.

Parallel Session Attack

Assume that a legal user Tom eavesdrops on the message ${D I D_{i}, C_{i}, T_{1}}$ between $G W$ and $U_{i}$ at timestamp $T_{1}$ to obtain the $D I D_{i}$ at $T_{1} D I D_{i (T 1)} = h (I D_{i} ∥ P W_{i}) ⨁ h (x_{a} ∥ T_{1})$ . Tom then can forge the $D I D_{i}$ at timestamp $T_{2}$ ${D I D}_{i (T 2)}$ by generating $D I D_{Tom (T 1)} = h (I D_{Tom} ∥ P W_{Tom}) ⨁ h (x_{a} ∥ T_{1})$ and $D I D_{Tom (T 2)} = h (I D_{Tom} ∥ P W_{Tom}) ⨁ h (x_{a} ∥ T_{2})$ , then computing $D I D_{i (T 2)} = D I D_{i (T 1)} ⨁ D I D_{Tom (T 1)}$ $⨁ D I D_{Tom (T 2)} = h (I D_{i} ∥ P W_{i}) ⨁ h (x_{a} ∥ T_{1}) ⨁ h (I D_{Tom} ∥ P W_{Tom}) ⨁ h (x_{a} ∥ T_{1}) ⨁ h (I D_{Tom} ∥ P W_{Tom}) ⨁ h (x_{a} ∥ T_{2})$ , where $I D_{Tom}$ and $P W_{Tom}$ are Tom's $I D$ and password, respectively. Once $D I D_{i (T 2)}$ is obtained, Tom can then send a new session message ${D I D_{i (T 2)}, C_{i}, T_{2}}$ at $T_{2}$ for a new login request.

Gateway Node Bypassing Attack

The secret value $x_{s}$ stored and shared by sensor nodes can be extracted using similar techniques of extracting $x_{a}$ from a smart card [11, 13]. If $x_{s}$ is extracted, the adversary can execute the gateway node bypassing attack using $D I D_{f} = h (I D_{f} ∥ P W_{f}) ⨁ h (x_{a} ∥ T_{f})$ and $A_{f} = h (D I D_{f} ∥ S_{n} ∥ x_{s} ∥ T_{f})$ , where $I D_{f}$ is a forged $I D$ , $P W_{f}$ is a randomly chosen forged password, and $T_{f}$ is the timestamp of adversary's terminal.

Lack of Mutual Authentication between $U_{i}$ and $G W$

First of all, the aforementioned work proposes a mutual authentication between $G W$ and $S_{n}$ . However, they omit the mutual authentication between $U_{i}$ and $G W$ . Newer sensor networks offer remote administration/query features in gateway nodes [14, 15] allowing users to access to network's data from a remote terminal. In this kind of environment, it is really important to authenticate the validity of $G W$ from the $U_{i}$ 's side to avoid adversaries collecting valuable data using fake gateway nodes.

2.4. Nyang-Lee's Scheme

In [7], the authors point out that Das' scheme is vulnerable to password guessing attacks and gateway node impersonation attacks and has the limitation of a lack of protection relating to query-response. As a response to such security pitfalls, the authors propose a security-enhanced protocol.

2.4.1. Review of Nyang-Lee's Scheme

In [7], the authors propose a security-enhanced protocol composed of the registration and authentication phases.

Registration Phase

The registration phase is the same as that of Das' protocol except that $N_{i}$ is computed as $N_{i} = h (I D_{i} ∥ P W_{i} ∥ x_{a}) ⨁ h (K)$ .

Authentication Phase

It starts with the submission of $I D_{i}$ and $P W_{i}$ by $U_{i}$ . Once $U_{i}$ inputs those values, then $U_{i}$ 's smart card authenticates $I D_{i}$ and $P W_{i}$ by comparing those values with the values stored in it. The smart card then computes $D I D_{i} = h (I D_{i} ∥ P W_{i} ∥ x_{a}) ⨁ h (x_{a} ∥ T)$ and $C_{i} = h (N_{i} ∥ x_{a} ∥ T)$ to send ${D I D_{i}, C_{i}, T}$ to $G W$ . Upon receiving the request from $U_{i}$ , $G W$ validates T and authenticates $C_{i}$ by comparing it with $C_{i}^{*} = h ((D I D_{i} ⨁ h (x_{a} ∥ T) ⨁ h (K)) ∥ x_{a} ∥ T)$ . After validation, $G W$ computes an encryption key $E K_{i, n} = h_{1} (D I D_{i} ∥ S_{n} ∥ (D I D_{i} ⨁ h (x_{a} ∥ T) ⨁ h (K)) ∥ x_{a} ∥ T)$ and a MAC key $M K_{i, n} = h_{2} (D I D_{i} ∥ S_{n} ∥$ $(D I D i ⨁ h (x_{a} ∥ T) ⨁ h (K)) ∥ x_{a} ∥ T)$ between $U_{i}$ and the sensor node $S_{n}$ . To provide a secure channel for $E K_{i, n}$ and $M K_{i, n}$ between $S_{n}$ and itself, $G W$ computes the encryption key $E K_{G W, n} = h_{1} (G W ∥ S_{n} ∥ x_{n} ∥ T')$ and the MAC key $M K_{G W, n} = h_{2} (G W ∥ S_{n} ∥ x_{n} ∥ T^{'})$ , respectively, where $x_{n}$ is a predistributed symmetric key between $G W$ and $S_{n}$ , and $T^{'}$ is the current time. $G W$ then encrypts $E K_{i, n}$ and $M K_{i, n}$ using the key $E K_{G W, n}$ computed in the previous step and produces $D_{i} = E_{E K_{G W}, n} (E K_{i, n}, M K_{i, n})$ . It also computes a MAC $A_{i} = h_{0} (D I D_{i} ∥ S_{n} ∥ D_{i} ∥ T^{'}, M K_{G W, n})$ using the key $M K_{G W, n}$ , and transmits ${D I D_{i}, D_{i}, T^{'}, A_{i}}$ to $S_{n}$ . When $S_{n}$ receives those values, it first verifies $T^{'}$ and computes $A_{i}^{*} = h_{0} (D I D_{i} ∥ S_{n} ∥ D_{i} ∥ T^{'}, M K_{G W, n})$ using $M K_{G W, n}$ and then checks if $A_{i}$ is equal to $A_{i}^{*}$ . After verification, $S_{n}$ decrypts $D_{i}$ with $E K_{G W, n}$ and recovers $E K_{i, n}$ and $M K_{i, n}$ . Data sensed by nodes is encrypted with $E K_{i, n}$ as $R = E_{E K_{i, n}} (Data)$ and the MAC is computed with $M K_{i, n}$ as $B_{i} = h_{0} (D I D_{i} ∥ S_{n} ∥ R ∥ T^{''}, M K_{i, n})$ , where $T^{''}$ is the current time. Once R and $B_{i}$ are calculated, the ${S n, R, T^{''}, B_{i}}$ message is sent to $U_{i}$ . $U_{i}$ then verifies $T^{''}$ and checks $B_{i}$ by comparing it with $B_{i}^{*} = h_{0} (D I D_{i} ∥ S_{n} ∥ R ∥ T^{''}, M K_{i, n})$ , where $M K_{i, n} = h_{2} (D I D_{i} ∥ S_{n} ∥ N_{i} ∥ x_{a} ∥ T)$ . If this verification is successful, the sensed data is recovered by decrypting R using $E K_{i, h} = h_{1} (D I D_{i} ∥ S_{n} ∥ N_{i} ∥ x_{a} ∥ T)$ .

2.4.2. Cryptoanalysis of Nyang-Lee's Scheme

The Nyang-Lee's proposal still has some critical security pitfalls and limitations as shown below.

Parallel Session Attack

The Nang-Lee scheme is vulnerable to a parallel session attack in the same way that happens in [9, 10]. A legal user Tom can obtain the message ${D I D_{i}, C_{i}, T_{1}}$ between $G W$ and $U_{i}$ at timestamp $T_{1}$ to obtain the $D I D_{i}$ value at $T_{1}$ $D I D_{i (T 1)} = h (I D_{i} ∥ P W_{i} ∥ x_{a}) ⨁ h (x_{a} ∥ T_{1})$ . Tom then can forge the $D I D_{i}$ value at $T_{2}$ $D I D_{i (T 2)}$ by generating $D I D_{Tom (T 1)} = h (I D_{Tom} ∥ P W_{Tom} ∥ x_{a}) ⨁ h (x_{a} ∥ T_{1})$ and $D I D_{Tom (T 2)} = h (I D_{Tom} ∥ P W_{Tom} ∥ x_{a}) ⨁ h (x_{a} ∥ T_{2})$ , and computing $D I D_{i (T 2)} = D I D_{i (T 1)} ⨁ D I D_{Tom (T 1)} ⨁$ $D I D_{Tom (T 2)} = h (I D_{i} ∥ P W_{i} ∥ x_{a}) ⨁ h (x_{a} ∥ T_{1}) ⨁ h (I D_{Tom} ∥ P W_{Tom} ∥ x_{a}) ⨁ h (x_{a} ∥ T_{1}) ⨁ h (I D_{Tom} ∥ P W_{Tom} ∥ x_{a}) ⨁$ $h (x_{a} ∥ T_{2})$ . Once $U_{i}$ 's $D I D_{i (T 2)}$ is obtained, Tom can send a new session message ${D I D_{i (T 2)}, C_{i}, T_{2}}$ at $T_{2}$ for a new login request.

Privileged-Insider Attack

The system administrator or privileged-insider of $G W$ may try to impersonate $U_{i}$ by authenticating himself/herself to other servers where $U_{i}$ could be a registered user. This is possible because $G W$ receives the password of $U_{i}$ in plaintext, that is, $P W_{i}$ , in the registration phase and because many users use same password to access different applications of servers.

Lack of Password Change Phase

This scheme does not provide a password change phase for $U_{i}$ , which is a requirement for a secure system.

2.5. Huang et al.'s Scheme

In [8], the authors point out that the security features of Das' scheme is based on the $x_{a}$ value and its leakage can compromise the entire network. After explaining the limitations of Das' scheme, the authors propose an improved scheme which still has vulnerabilities and limitations.

2.5.1. Review of Huang et al.'s Scheme

In this scheme, $G W$ computes and stores $h (x_{a} ∥ S_{n})$ in the designated sensor node $S_{n}$ before deployment. Note that each $S_{n}$ is responsible for exchanging data with users. The improved scheme consists of four phases: the registration phase, login phase, verification phase, and password change phase.

Registration Phase

The user $U_{i}$ submits his/her identity $I D_{i}$ and password $P W_{i}$ to $G W$ using a secure channel. $G W$ then computes $N_{i} = h (I D_{i} ∥ P W_{i}) ⨁ h (K ∥ x_{a})$ and issues a smart card containing $N_{i}$ , $h (\cdot)$ , $I D_{i}$ , $h (P W_{i})$ , and $h (x_{a})$ to $U_{i}$ through a secure channel.

Login Phase

$U_{i}$ inserts his/her smart card into the terminal and inputs $I D_{i}$ and $P W_{i}$ . The smart card then verifies $I D_{i}$ and $P W_{i}$ with the data stored in it. Once those values are verified, the smart card computes $D I D_{i} = h (I D_{i} ∥ P W_{i}) ⨁ h (h (x_{a}) ∥ T)$ and $C_{i} = h (N_{i} ∥ h (x_{a}) ∥ T)$ , where T is the current timestamp, and sends ${D I D_{i}, C_{i}, T}$ to $G W$ .

Verification Phase

Once ${D I D_{i}, C_{i}, T}$ has been received at time $T^{*}$ , $G W$ verifies T and authenticates $C_{i}$ by comparing it with $C_{i}^{*} = h ((h {(I D_{i} ∥ P W_{i})}^{*} ⨁ h (K ∥ x_{a})) ∥ h (x_{a}) ∥ T)$ , where $h {(I D_{i} ∥ P W_{i})}^{*} = D I D_{i} ⨁ h (h (x_{a}) ∥ T)$ . If $C_{i}^{*}$ is different to $C_{i}$ , $G W$ rejects the login request. Otherwise, $G W$ accepts the request and sends a message ${D I D_{i}, A_{i}, T^{'}}$ to some nearest sensor node $S_{n}$ , where $A_{i} = h (D I D_{i} ∥ h (x_{a} ∥ S_{n}) ∥ T^{'})$ and $T^{'}$ is the current timestamp of $G W$ 's system. Finally, $S_{n}$ , after validating $T^{'}$ , computes $A_{i}^{*} = h (D I D_{i} ∥ h (x_{a} ∥ S_{n}) ∥ T^{'})$ , and checks whether it is equal to $A_{i}$ . If those values match, then $S_{n}$ responds to the query from $U_{i}$ ; otherwise, the query is rejected.

Password Change Phase

When $U_{i}$ wants to update his/her password, he/she inserts the smart card into a card reader and enters the original password $P W_{i}$ and the new password $P W_{i}^{'}$ . The smart card computes $N_{i}^{'} = N_{i} ⨁ h (I D_{i} ∥ P W_{i}) ⨁ h (I D_{i} ∥ P W_{i}^{'}) = h (I D_{i} ∥ P W_{i}^{'}) ⨁ h (k ∥ x_{a})$ and replaces the stored $N_{i}$ and $h (P W_{i})$ with $N_{i}^{'}$ and $h (P W_{i})$ , respectively.

2.5.2. Cryptoanalysis of Huang et al.'s Scheme

Parallel Session Attack

Huang et al.'s scheme is vulnerable to parallel session attacks in the same way that can happen in [7, 9, 10]. A legal user Tom can obtain the message ${D I D_{i}, C_{i}, T_{1}}$ between $G W$ and $U_{i}$ at timestamp $T_{1}$ to obtain the $D I D_{i}$ value at $T_{1} D I D_{i (T 1)} = h (I D_{i} ∥ P W_{i}) ⨁ h (h (x_{a}) ∥ T_{1})$ . Tom then can forge the $D I D_{i}$ value at $T_{2} D I D_{i (T 2)}$ by generating $D I D_{Tom (T 1)} = h (I D_{Tom} ∥ P W_{Tom}) ⨁ h (h (x_{a}) ∥ T_{1})$ and $D I D_{Tom (T 2)} = h (I D_{Tom} ∥ P W_{Tom}) ⨁ h (h (x_{a}) ∥ T_{2})$ , and computing $D I D_{i (T 2)} = D I D_{i (T 1)} ⨁ D I D_{Tom (T 1)} ⨁$ $D I D_{Tom (T 2)} = h (I D_{i} ∥ P W_{i}) ⨁ h (h (x_{a}) ∥ T_{1}) ⨁ h (I D_{Tom} ∥ P W_{Tom}) ⨁ h (h (x_{a}) ∥ T_{1}) ⨁ h (I D_{Tom} ∥ P W_{Tom}) ⨁$ $h (h (x_{a}) ∥ T_{2})$ . Once $U_{i}$ 's $D I D_{i (T 2)}$ is obtained, Tom can send a new session message ${D I D_{i (T 2)}, C_{i}, T_{2}}$ at $T_{2}$ for a new login request.

Privileged-Insider Attack

The system administrator or privileged-insider of $G W$ may try to impersonate $U_{i}$ by authenticating himself/herself to other servers where $U_{i}$ could be a registered user. This is possible because $G W$ receives the password of $U_{i}$ in plaintext, that is, $P W_{i}$ , in the registration phase, and because many users use same password to access different applications of servers.

Lack of Mutual Authentication

Huang et al.'s scheme does not provide a mutual authentication mechanism. Therefore, it is vulnerable to $G W$ and Sensor node spoofing attacks. $U_{i}$ does not have any mechanism to verify the validity of messages sent by $G W$ . Therefore, the adversary can respond to the ${D I D_{i}, C_{i}, T}$ message with false data. In the same way, the adversary can place a false sensor node $S_{f}$ to respond to the ${D I D_{i}, A_{i}, T'}$ message with false data.

3. Proposed Protocol

This section describes a proposed enhanced protocol which fixes the weaknesses of previous works. The proposed protocol is composed of three phases: Registration, authentication and password change phases executed among three independent entities: users, gateway node, and sensor nodes.

3.1. Registration Phase

A user $U_{i}$ chooses his/her identity $I D_{i}$ and password $P W_{i}$ and inputs them to the terminal. The terminal then generates a random number $r_{i}$ and computes $P P W_{i} = h (P W_{i}) ⨁ r_{i}$ , where $h (\cdot)$ is a hash function and ⨁ is an XOR operator. Once $P P W_{i}$ has been calculated, $I D_{i}$ and $P P W_{i}$ are sent to the Gateway node $G W$ using a secure channel. $G W$ then computes $M_{i} = h (I D_{i} ∥ P P W_{i})$ , $N_{i} = h (I D_{i} ∥ P P W_{i}) ⨁ h (K ∥ x_{a})$ , and $K_{i} = h (x_{a} ∥ I D_{i})$ , where K is a symmetric key only known by $G W$ , and where $x_{a}$ is a secret parameter generated securely by $G W$ , and “ $∥$ ” is a concatenation operator. Once $M_{i}$ , $N_{i}$ , and $K_{i}$ have been calculated, $G W$ personalizes a smart card with the parameters $h (\cdot)$ , $M_{i}$ , $N_{i}$ , and $K_{i}$ . Finally, $G W$ delivers the smart card to $U_{i}$ in a secure manner and $U_{i}$ stores $r_{i}$ into the smart card.

Meanwhile, a unique secret key $K_{n} = h (x_{a} ∥ S_{n})$ is stored in each sensor node responsible for exchanging data with $U_{i}$ , where $S_{n}$ is the unique identification of the sensor node.

3.2. Authentication Phase

This phase is performed when $U_{i}$ requests access to the data of a sensor node, and it is composed of login and verification phases.

Login Phase

$U_{i}$ inserts the smart card and inputs his/her $I D_{i}$ and $P W_{i}$ . The smart card then computes $P P W_{i} = h (P W_{i}) ⨁ r_{i}$ and $M_{i}^{*} = h (I D_{i} ∥ P P W_{i})$ and compares $M_{i}^{*}$ with $M_{i}$ to authenticate $U_{i}$ . If those values do not match, the authentication request is rejected. Otherwise, the smart card computes $D I D_{i} = h (I D_{i} ∥ P P W_{i}) ⨁ h (K_{i} ∥ T)$ and transmits ${D I D_{i}, T, I D_{i}, R N_{i}}$ to $G W$ , where T is the current timestamp of $U_{i}$ 's system and $R N_{i}$ is a random nonce generated by $U_{i}$ .

Verification Phase

Upon receiving the login request at time $T^{*}$ , $G W$ validates T. If $(T^{*} - T) > Δ T$ , $G W$ aborts the authentication process, where $Δ T$ denotes the maximum allowed communication delay. Otherwise, $G W$ computes $K_{i}^{*} = h (x_{a} ∥ I D_{i})$ , $h {(I D_{i} ∥ P P W_{i})}^{*} = D I D_{i} ⨁ h (K_{i}^{*} ∥ T)$ , and $A_{i} = h (h {(I D_{i} ∥ P P W_{i})}^{*} ∥ K_{i}^{*} ∥ R N_{i})$ . Once computed $A_{i}$ , $G W$ generates a random nonce $R N 1_{G W}$ and transmits the message ${A_{i}, R N 1_{G W}}$ to $U_{i}$ . $U_{i}$ then computes $A_{i}^{*} = h (M_{i} ∥ K_{i} ∥ R N_{i})$ and checks whether it is equal to $A_{i}$ . If $A_{i}^{*}$ is different to $A_{i}$ , $U_{i}$ finishes the authentication process; otherwise, $U_{i}$ computes $B_{i} = h (N_{i} ∥ K_{i} ∥ R N 1_{G W})$ , and sends the message ${B_{i}}$ to $G W$ . $G W$ then computes $B_{i}^{*} = h (h {(I D_{i} ∥ P P W_{i})}^{*} ⨁ h (K ∥ x_{a}) ∥ K_{i}^{*} ∥ R N 1_{G W})$ and checks whether it is equal to $B_{i}$ . $G W$ authenticates $U_{i}$ only if those values match. After a valid $U_{i}$ authentication, $G W$ generates a random nonce $R N 2_{G W}$ and transmits the message ${D I D_{i}, T^{''}, R N 2_{G W}}$ to some nearest sensor node $S_{n}$ to respond to the query with the data that $U_{i}$ is looking for, where $T^{''}$ is the timestamp of $G W$ 's system when sending the message. $S_{n}$ first validates $T^{''}$ using similar method of T verification, then computes $C_{i} = h (K_{n} ∥ T^{''} ∥ R N 2_{G W})$ and sends the message ${C_{i}, R N_{n}}$ , where $R N_{n}$ is a random nonce generated by $S_{n}$ . $G W$ then computes $K_{n}^{*} = h (x_{a} ∥ S_{n})$ and $C_{i}^{*} = h (K_{n}^{*} ∥ T^{''} ∥ R N 2_{G W})$ and checks whether $C_{i}^{*}$ is equal to $C_{i}$ . Only if those values match, $G W$ responds to $S_{n}$ 's message by sending the message ${D_{i}}$ , where $D_{i} = h (D I D_{i} ∥ K_{n}^{*} ∥ R N_{n})$ . Finally, $S_{n}$ checks the validity of $D_{i}$ by comparing $D_{i}^{*} = h (D I D_{i} ∥ K_{n} ∥ R N_{n})$ with the received $D_{i}$ . If those values match, then $U_{i}$ is allowed to access $S_{n}$ 's data.

Session Key Establishment

A session key between $U_{i}$ and $G W$ $K_{U_{i} - G W} = h (R N_{i} ∥ R N 1_{G W} ∥ K_{i})$ and a session key between $G W$ and $S_{n} K_{S_{n} - G W} = h (R N_{n} ∥ R N 2_{G W} ∥ K_{n})$ could be used if an encryption channel were required after authentication. Additionally, if a direct communication channel between $U_{i}$ and $S_{n}$ were required, a bilateral session key $K_{U_{i} - S_{n}}$ could be established through $G W$ . In this case, $G W$ would generate a random $K_{U_{i} - S_{n}}$ and send $R N_{i} ∥ K_{U_{i} - S_{n}}$ encrypted with $K_{U_{i} - G W}$ to $U_{i}$ and $R N_{n} ∥ K_{U_{i} - S_{n}}$ encrypted with $K_{S_{n} - G W}$ to $S_{n}$ .

3.3. Password Change Phase

$U_{i}$ inputs his/her $I D_{i}$ , $P W_{i}$ , and new password $New P W_{i}$ to the terminal. The smart card then calculates $P P W_{i} = h (P W_{i}) ⨁ r_{i}$ and $M_{i}^{*} = h (I D_{i} ∥ P P W_{i})$ , and verifies the validity of $I D_{i}$ and $P W_{i}$ by comparing $M_{i}^{*}$ with $M_{i}$ . If those values do not match, the password change request is rejected. Otherwise, the smart card computes $New M_{i} = h (I D_{i} ∥ New P P W_{i})$ , $h (K ∥ x_{a}) = N_{i} ⨁ h (I D_{i} ∥ P P W_{i})$ , and $New N_{i} = h (I D_{i} ∥ New P P W_{i}) ⨁ h (K ∥ x_{a})$ , where $New P P W_{i} = h (New P W_{i}) ⨁ r_{i}$ . Finally, the smart card replaces $M_{i}$ and $N_{i}$ with $New M_{i}$ and $New N_{i}$ , respectively.

4. Analysis of the Protocol

In this section, we analyze the proposed protocol in terms of security and performance.

4.1. Security Analysis

In this part, we analyze the security of the proposed protocol in terms of formal verification and analysis of aforementioned attacks. The registration and password change phases of the proposed mechanism were excluded from this analysis because they are executed in a secure environment. In the analysis of the authentication phase, the widely used Dolev-Yao [16] threat model was applied, which assumes that two communicating parties communicate over an insecure channel.

4.1.1. Formal Proof Based on BAN Logic

In this subsection, we demonstrate the security of the proposed mechanism by a well-known formal model called BAN logic [17]. BAN logic has been widely used in different works such as [18–20] to reason about their security validation.

The logical notations of BAN logic used in this paper are as described as follows.

$P ∣ \equiv X :$	The principal P believes that X holds. In other words, it means that P is entitled to act as though X is true.
# $(X) :$	The formula X is fresh. That is, X has not been sent before in any run of the protocol.
$P \Rightarrow X :$	The principal P has jurisdiction over the statement X. That is, P is an authority on X and can be trusted on X.
$P ⊲ X :$	The principal P sees the statement X. That is, someone has sent a message to P containing X, and P can read and repeat X.
$P ∣ ~ X :$	The principal P once said the statement X. That is, P sent a message containing X sometime.
$(X, Y) :$	The formula X or Y is one part of the formula $(X, Y)$ .
${X}_{K} :$	The formula X is encrypted under the key K
${(X)}_{K} :$	The formula X is hashed with the key K, and K may be used to prove the origin of X.
$P \overset{K}{\leftrightarrow} Q :$	Principals P and Q may use the shared key K to communicate. The key K will never be discovered by any principal except P and Q.

Moreover, we describe some main logical postulates to be used in proofs.

Message-Meaning Rule

If the principal P believes that the secret key is shared with the principal Q and P sees that the statement X is encrypted under K, then the principal P believes that the principal Q once said the statement X

\frac{P ∣ \equiv P \overset{K}{\leftrightarrow} Q, P ⊲ {X}_{K}}{P ∣ \equiv Q ∣ \sim X} .

(1)

Freshness-Conjuncatenation Rule

Provided that the principal P believes freshness of the statement X, the principal P believes freshness of the $(X, Y)$

\frac{P ∣ \equiv # (X)}{P ∣ \equiv # (X, Y)} .

(2)

Nonce-Verification Rule

Provided that the principal P believes that the statement X has never been utter before and the principal Q once said X, the principal P believes that Q believes X

\frac{P ∣ \equiv # (X), P ∣ \equiv Q ∣ \sim X}{P ∣ \equiv Q ∣ \equiv X} .

(3)

Jurisdiction Rule

Provided that the principal P believes that the principal Q jurisdiction over the statement X, the principal P believes Q on the validity of X

\frac{P ∣ \equiv Q ⟹ X, P ∣ \equiv Q ∣ \equiv X}{P ∣ \equiv X} .

(4)

Belief Rules

A necessary property of the belief operator is that P believes a set of statements if and only if P believes each statement separately. This justifies the following rules:

\begin{gathered} \frac{P ∣ \equiv X, P ∣ \equiv Y}{P ∣ \equiv (X, Y)}, \frac{P ∣ \equiv (X, Y)}{P ∣ \equiv X}, \frac{P ∣ \equiv Q ∣ \equiv (X, Y)}{P ∣ \equiv Q ∣ \equiv X}, \\ \frac{P ∣ \equiv Q ∣ \sim (X, Y)}{P ∣ \equiv Q ∣ \sim X} . \end{gathered}

(5)

In the following, we will demonstrate the security of the proposed scheme using the BAN logic. The proposed scheme will satisfy the following goals:

$U_{i} ∣ \equiv U_{i} \overset{K_{U_{i} - G W}}{\leftrightarrow} G W$ ,	(G.1)
$U_{i} ∣ \equiv G W ∣ \equiv U_{i} \overset{K_{U_{i} - G W}}{\leftrightarrow} G W$ ,	(G.2)
$G W ∣ \equiv U_{i} \overset{K_{U_{i} - G W}}{\leftrightarrow} G W$ ,	(G.3)
$G W ∣ \equiv U_{i} ∣ \equiv U_{i} \overset{K_{U_{i} - G W}}{\leftrightarrow} G W$ ,	(G.4)
$S_{n} ∣ \equiv S_{n} \overset{K_{S_{n} - G W}}{\leftrightarrow} G W$ ,	(G.5)
$S_{n} ∣ \equiv G W ∣ \equiv S_{n} \overset{K_{S_{n} - G W}}{\leftrightarrow} G W$ ,	(G.6)
$G W ∣ \equiv S_{n} \overset{K_{S_{n} - G W}}{\leftrightarrow} G W$ ,	(G.7)
$G W ∣ \equiv S_{n} ∣ \equiv S_{n} \overset{K_{S_{n} - G W}}{\leftrightarrow} G W$ ,	(G.8)
$U_{i} ∣ \equiv U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}$ ,	(G.9)
$U_{i} ∣ \equiv S_{n} ∣ \equiv U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}$ ,	(G.10)
$S_{n} ∣ \equiv U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}$ ,	(G.11)
$S_{n} ∣ \equiv U_{i} ∣ \equiv U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}$ .	(G.12)

First, we transform the messages of the proposed protocol to the idealized form as follows:

$U_{i} \to G W$ :	$D I D_{i} : ({h (I D_{i} ∥ P P W_{i})}_{K i}$ , ${(U_{i} \overset{K_{i}}{\leftrightarrow} G W, T)}_{K i})$	(M.1)
$U_{i} \leftarrow G W$ :	$A_{i} : {(h (I D_{i} ∥ P P W_{i}), U_{i} \overset{K_{i}}{\leftrightarrow} G W, R N_{i})}_{K_{i}}$	(M.2)
$U_{i} \to G W$ :	$B_{i} : {(N_{i}, U_{i} \overset{K_{i}}{\leftrightarrow} G W, R N 1_{G W})}_{K_{i}}$	(M.3)
$S_{n} \leftarrow G W$ :	$D I D_{i} : ({h (I D_{i} ∥ P P W_{i})}_{K i}, {(U_{i} \overset{K_{i}}{\leftrightarrow} G W, T)}_{K_{i}})$	(M.4)
$S_{n} \to G W$ :	$C_{i} : {(S_{n} \overset{K_{n}}{\leftrightarrow} G W, T^{''}, R N 2_{G W})}_{K_{n}}$	(M.5)
$S_{n} \leftarrow G W$ :	$D_{i} : {(D I D_{i}, S_{n} \overset{K_{n}}{\leftrightarrow} G W, R N_{n})}_{K_{n}}$	(M.6)
$U_{i} \leftarrow G W$ :	${R N_{i}, U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}}_{K U_{i} - G W}$	(M.7)
$S_{n} \leftarrow G W$ :	${R N_{n}, U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}}_{K S_{n} - G W}$ .	(M.8)

Second, we make the following assumptions about the initial state of the scheme to analyze the proposed scheme:

$G W ∣ \equiv # (T)$ ,	(A.1)
$U_{i} ∣ \equiv # (R N_{i})$ ,	(A.2)
$G W ∣ \equiv # (R N 1_{G W})$ ,	(A.3)
$S_{n} ∣ \equiv # (T^{''})$ ,	(A.4)
$S_{n} ∣ \equiv # (R N_{n})$ ,	(A.5)
$G W ∣ \equiv # (R N 2_{G W})$ ,	(A.6)
$U_{i} ∣ \equiv U_{i} \overset{K_{i}}{\leftrightarrow} G W$ ,	(A.7)
$G W ∣ \equiv U_{i} \overset{K_{i}}{\leftrightarrow} G W$ ,	(A.8)
$S_{n} ∣ \equiv S_{n} \overset{K_{n}}{\leftrightarrow} G W$ ,	(A.9)
$G W ∣ \equiv S_{n} \overset{K_{n}}{\leftrightarrow} G W$ ,	(A.10)
$U_{i} ∣ \equiv G W \Rightarrow U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}$ ,	(A.11)
$S_{n} ∣ \equiv G W \Rightarrow U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}$ .	(A.12)

Finally, we perform the proof steps to the idealized form of the proposed scheme based on the BAN logic rules and the assumptions (see Table 1).

Table 1

$G W ⊲ ({h (I D_{i} ∥ P P W_{i})}_{K_{i}}, {(U_{i} \overset{K_{i}}{\leftrightarrow} G W, T)}_{K i})$	(S.1)	//by (M.1)
$G W ∣ \equiv U_{i} ∣ ~ h (I D_{i} ∥ P P W_{i})$	(S.2)	//by (S.1), (A.8), and message-meaning rule
$G W ∣ \equiv U_{i} ∣ ~ {(U_{i} \overset{K_{i}}{\leftrightarrow} G W, T)}_{K i}$	(S.3)	//by (S.1), (A.8), and message-meaning rule
$G W ∣ \equiv U_{i} ∣ \equiv h (I D_{i} ∥ P P W_{i})$	(S.4)	//by (S.2), (S.3), (A.1), freshness-conjuncatenation rule, nonce-verification rule
$U_{i} ⊲ {(h (I D_{i} ∥ P P W_{i}), U_{i} \overset{K_{i}}{\leftrightarrow} G W, R N_{i})}_{K i}$	(S.5)	//by (M.2)
$U_{i} ∣ \equiv G W ∣ ~ R N_{i}$	(S.6)	//by (S.5), (A.7), and message-meaning rule
$U_{i} ∣ \equiv G W ∣ \equiv R N_{i}$	(S.7)	//by (S.6), (A.2), and nonce-verification rule
$G W ⊲ {(N_{i}, U_{i} \overset{K_{i}}{\leftrightarrow} G W, R N 1_{G W})}_{K i}$	(S.8)	//by (M.3)
$G W ∣ \equiv U_{i} ∣ ~ R N 1_{G W}$	(S.9)	//by (S.8), (A.8), and message-meaning rule
$G W ∣ \equiv U_{i} ∣ \equiv R N 1_{G W}$	(S.10)	//by (S.9), (A.3), and nonce-verification rule
$G W ⊲ (S_{n} \overset{K_{n}}{\leftrightarrow} G W, T'', R N 2_{G W})_{K n}$	(S.11)	//by (M.5)
$G W ∣ \equiv S_{n} ∣ ~ R N 2_{G W}$	(S.12)	//by (S.11), (A.10), and message-meaning rule
$G W ∣ \equiv S_{n} ∣ \equiv R N 2_{G W}$	(S.13)	//by (S.12), (A.6), and nonce-verification rule
$S_{n} ⊲ (D I D_{i}, S_{n} \overset{K_{n}}{\leftrightarrow} G W, R N_{n})_{K n}$	(S.14)	//by (M.6)
$S_{n} ∣ \equiv G W ∣ ~ R N_{n}$	(S.15)	//by (S.14), (A.9), and message-meaning rule
$S_{n} ∣ \equiv G W ∣ \equiv R N_{n}$	(S.16)	//by (S.15), (A.5), and nonce-verification rule
$U_{i} \| \equiv # (U_{i} \overset{K_{U_{i} - G W}}{\leftrightarrow} G W), U_{i} ∣ \equiv U_{i} \overset{K_{U_{i} - G W}}{\leftrightarrow} G W$	(S.17)	//once verified (S.7), $U_{i}$ computes $K_{U_{i} - G W}$
$G W ∣ \equiv # (U_{i} \overset{K_{U_{i} - G W}}{\leftrightarrow} G W)$ , $G W ∣ \equiv U_{i} \overset{K_{U_{i} - G W}}{\leftrightarrow} G W$	(S.18)	//once verified (S.4) and (S.10), $G W$ computes $K_{U_{i} - G W}$
$S_{n} ∣ \equiv # (S_{n} \overset{K_{S_{n} - G W}}{\leftrightarrow} G W)$ , $S_{n} ∣ \equiv S_{n} \overset{K_{S_{n} - G W}}{\leftrightarrow} G W$	(S.19)	//once verified (S.16), $S_{n}$ computes $K_{S_{n} - G W}$
$G W ∣ \equiv # (S n \overset{K_{S_{n} - G W}}{\leftrightarrow} G W)$ , $G W ∣ \equiv S_{n} \overset{K_{S_{n} - G W}}{\leftrightarrow} G W$	(S.20)	//once verified (S.13), $G W$ computes $K_{S_{n} - G W}$
$U_{i} ∣ \equiv G W ∣ \equiv U_{i} \overset{K_{U_{i} - G W}}{\leftrightarrow} G W$	(S.21)	//by (S.17), (S.18), and $K_{U_{i} - G W}$ generation algorithm shared between $U_{i}$ and $G W$
$G W ∣ \equiv U_{i} ∣ \equiv U_{i} \overset{K_{U_{i} - G W}}{\leftrightarrow} G W$	(S.22)	//by (S.17), (S.18), and $K_{U_{i} - G W}$ generation algorithm shared between $U_{i}$ and $G W$
$S_{n} ∣ \equiv G W ∣ \equiv S_{n} \overset{K_{S_{n} - G W}}{\leftrightarrow} G W$	(S.23)	//by (S.19), (S.20), and $K_{S_{n} - G W}$ generation algorithm shared between $S_{n}$ and $G W$
$G W ∣ \equiv S_{n} ∣ \equiv S_{n} \overset{K_{S_{n} - G W}}{\leftrightarrow} G W$	(S.24)	//by (S.19), (S.20), and $K_{S_{n} - G W}$ generation algorithm shared between $S_{n}$ and $G W$
$U_{i} ⊲ {R N_{i}, U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}}_{K U_{i} - G W}$	(S.25)	//by (M.7) and seeing rule
$U_{i} ∣ \equiv G W ∣ ~ {R N_{i}, U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}}_{K U_{i} - G W}$	(S.26)	//by (S.25), (S.17), and message-meaning rule
$U_{i} ∣ \equiv G W ∣ \equiv {R N_{i}, U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}}_{K U_{i} - G W}$	(S.27)	//by (S.26), (A.2), and nonce-verification rule
$U_{i} ∣ \equiv G W ∣ \equiv U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}$	(S.28)	//by (S.27) and breaking conjunction rule
$U_{i} ∣ \equiv U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}$	(S.29)	//by (S.28), (A.11), and jurisdiction rule
$S_{n} ⊲ {R N_{n}, U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}}_{K U_{i} - G W}$	(S.30)	//by (M.8) and seeing rule
$S_{n} ∣ \equiv G W ∣ ~ {R N_{n}, U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}}_{K U_{i} - G W}$	(S.31)	//by (S.30), (S.19), and message-meaning rule
$S_{n} ∣ \equiv G W ∣ \equiv {R N_{n}, U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}}_{K U_{i} - G W}$	(S.32)	//by (S.31), (A.5), and nonce-verification rule
$S_{n} ∣ \equiv G W ∣ \equiv U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}$	(S.33)	//by (S.32) and breaking conjunction rule
$S_{n} ∣ \equiv U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}$	(S.34)	//by (S.33), (A.12), and jurisdiction rule
$U_{i} ∣ \equiv S_{n} ∣ \equiv U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}$ , $S_{n} ∣ \equiv U_{i} ∣ \equiv U_{i} \overset{K_{U_{i} - S_{n}}}{\leftrightarrow} S_{n}$	(S.35)	//by (S.28), (S.29), (S.33), and (S.34)

The proposed goals were reached by (S.17)–(S.24), (S.29), (S.34), and (S.35). In summary, we have demonstrated how the proposed scheme provides mutual authentication as well as establishes a fresh session keys among $U_{i}$ , $G W$ , and $S_{n}$ .

4.1.2. Security Verification from Possible Attacks

This subsection analyzes the security of the proposed solution against possible attacks. We assume that common communication channels are insecure and that there exists an attacker who can intercept all messages communicated among $U_{i}$ , $G W$ , and $S_{n}$ . In addition, we assume that the attacker can obtain or steal legal user $U_{i}$ 's smart card. Based on these assumptions, the attacker might execute certain attacks to interfere with the proposed scheme.

Parallel Session Attack

Even though another legal user of the system, say Tom, eavesdrops on $U_{i}$ 's message ${D I D_{i}, T_{1}, I D_{i}, R N_{i}}$ , he cannot obtain the $D I D_{i (T 2)}$ as happens in previous protocols because the $D I D_{i}$ in our protocol is calculated as $h (I D_{i} ∥ P P W_{i}) ⨁ h (K_{i} ∥ T)$ which is based on $U_{i}$ 's unique values. The equation $P P W_{i} = h (P W_{i}) ⨁ r_{i}$ contains $r_{i}$ which is random and individual for each $U_{i}$ , and $K_{i}$ is unique for each $U_{i}$ . Therefore, the resultant value of $D I D_{i (T 1)} ⨁ D I D_{Tom (T 1)} ⨁ h D I D_{Tom (T 2)}$ will be $h (I D_{i} ∥ h (P W_{i}) ⨁ r_{i}) ⨁ h (K_{i} ∥ T_{1}) ⨁ h (I D_{Tom} ∥ h (P W_{Tom}) ⨁ r_{Tom}) ⨁ h (K_{Tom} ∥ T_{1}) ⨁ h (I D_{Tom} ∥ h (P W_{Tom}) ⨁$ $r_{Tom}) ⨁ h (K_{Tom} ∥ T_{2}) = h (I D_{i} ∥ h (P W_{i}) ⨁ r_{i}) ⨁ h (K_{i} ∥ T_{1}) ⨁ h (K_{Tom} ∥$ $T_{1}) ⨁ h (K_{Tom} ∥ T_{2})$ , a totally different value from $D I D_{i (T 2)}$ .

Privileged-Insider Attack

In the proposed solution, $U_{i}$ transmits his/her pseudopassword $P P W_{i} = h (P W_{i}) ⨁ r_{i}$ instead of $P W_{i}$ . Therefore, $G W$ will never know the $P W_{i}$ value. This means that only $U_{i}$ will know his/her secret password, thus protecting $U_{i}$ in this way from a privileged-insider attack. Additionally, a random value $r_{i}$ is incorporated inside $P P W_{i}$ to make the discovery of $P W_{i}$ harder.

Gateway Node Bypassing Attack

The reason for the possibility of a $G W$ bypassing attack in [6, 9] is due to the sharing of secret parameter $x_{a}$ with the sensor node $S_{n}$ and user $U_{i}$ . If the value of $x_{a}$ is compromised, then the whole sensor network will become vulnerable to the gateway node bypassing attack. On the other hand, the reason for the possibility of the gateway node bypassing attack in [10] is due to the secret value $x_{s}$ which is stored in the sensor nodes and can be extracted using similar method of extracting $x_{a}$ from a smart card [11–13]; if $x_{s}$ is extracted, the adversary can execute the $G W$ bypassing attack using $D I D_{f} = h (I D_{f} ∥ P W_{f}) ⨁ h (x_{a} ∥ T_{f})$ and $A_{f} = h (D I D_{f} ∥ S_{n} ∥ x_{s} ∥ T_{f})$ .

In the proposed protocol, $U_{i}$ 's smart card and the sensor node $S_{n}$ do not store either $x_{a}$ or $x_{s}$ , but instead store other individual secret values $K_{i} = h (x_{a} ∥ I D_{i})$ and $K_{n} = h (x_{a} ∥ S_{n})$ which are unique per smart card and sensor node. Therefore, even if the $K_{i}$ or $K_{n}$ value were extracted from a smart card or node, the rest of the users of the nodes will still maintain their security.

Mutual Authentication

The proposed protocol provides both mutual authentication between $U_{i}$ and $G W$ , and between $G W$ and $S_{n}$ .

(1) Mutual authentication between $U_{i}$ and $G W : G W$ verifies the authenticity of $U_{i}$ by comparing $B_{i}$ sent by $U_{i}$ with the $B_{i}^{*}$ value calculated by itself. $B_{i}$ can only be computed by the authentic $U_{i}$ because it is based on secret values such as $N_{i}$ and $K_{i}$ which are personal to each $U_{i}$ . On the other hand, $U_{i}$ verifies the authenticity of $G W$ by comparing $A_{i}$ sent by $G W$ with the $A_{i}^{*}$ value computed by $U_{i}$ . $A_{i}$ can only be computed by the authentic $G W$ because it is based on the secret values K and $x_{a}$ only known by $G W$ .

(2) Mutual authentication between $G W$ and $S_{n} : S_{n}$ verifies the authenticity of $G W$ by comparing $D_{i}$ sent by $G W$ with the $D_{i}^{*}$ value calculated by itself. $D_{i}$ can only be computed by the authentic $G W$ because it is based on the secret value $x_{a}$ . On the other hand, $G W$ verifies the authenticity of $S_{n}$ by comparing $C_{i}$ sent by $G W$ with the $C_{i}^{*}$ value computed by $G W$ . $C_{i}$ can only be computed by the authentic $S_{n}$ because it is based on the secret $K_{n}$ value only known by the specific $S_{n}$ .

Masquerade Attack

An adversary who wants to impersonate a valid user $U_{i}$ to log into the network must calculate a valid $D I D_{i}$ and $B_{i}$ . Since $D I D_{i} = h (I D_{i} ∥ P P W_{i}) ⨁ h (K_{i} ∥ T)$ and $B_{i} = h (N_{i} ∥ K_{i} ∥ R N 1_{G W})$ are calculated by a one-way hash function, the adversary cannot decipher such values. Additionally, $D I D_{i}$ and $B_{i}$ cannot be created arbitrarily because they are based on secret values such as $K_{i}$ and $P P W_{i}$ , Furthermore, the adversary cannot forge the $G W$ because he/she does not know the K and $x_{a}$ values.

Replay Attack

Timestamps and random nonces are used to avoid replay attacks. At the beginning of each authentication request, a timestamp mechanism is used to guarantee the freshness of the authentication request. Later, a stronger mechanism: challenge-response of codified nonces is used to respond to the authentication requests. An adversary cannot replay a valid $G W$ 's verification message ${A_{i}, R N_{G W}}$ to $U_{i}$ to succeed in verification because the $R N_{i}$ value required for $A_{i}$ computation is regenerated in each request. In the same way, the adversary cannot replay a valid $U_{i}$ 's verification message ${B_{i}}$ to succeed in verification because the $R N 1_{G W}$ value used in $B_{i}$ is regenerated in each request. In addition, the authentication messages between $G W$ and $S_{n}$ are protected using the same method of messages between $U_{i}$ and $G W$ .

Stolen-Verifier Attack

One of the features of the proposed protocol is the absence of a password/verifier table which prevents our solution from stolen-verifier attacks.

Guessing Attack

In the proposed scheme, secret values are never sent in plaintext, but encrypted inside a one-way hash function. Therefore, even if the adversary got $D I D_{i}$ , $A_{i}$ , $B_{i}$ , $C_{i}$ , or $D_{i}$ , he or she could not guess any secret values ( $P W_{i}$ , $K_{i,}$ , $K_{n}$ , or K) because of the one-way property of the hash function.

Many Logged-IN Users with the Same Login ID

By using two-factor based authentication, the proposed scheme offers higher protection than only-password-based schemes against this attack. Assuming that the $U_{i}$ 's smart card is not cloned, the proposed protocol successfully prevents this threat because the authentication process requires computation executed inside the valid smart card.

Brute-Force Attack

An attacker can try two kinds of brute-force attacks. (1) First, the attacker can attempt to authenticate by sending random or sequential messages ( $D I D_{i} / B_{i}$ or $D I D_{i} / D_{i}$ combinations) to $G W$ or $S_{n}$ . However, as well as explained in the replay attack, this attack becomes infeasible because each authentication process uses a different nonce. (2) On the other hand, an insider with a valid smart card can try to discover the secret values K or $x_{a}$ by performing brute-force attacks. However, the determination of those values is infeasible because they are stored using a secure one-way hash functions. If higher level of protection for $x_{a}$ was required, additional random numbers $R_{i}$ and $R_{n}$ could be added for the generation of $K_{i} = h (x_{a} ∥ I D_{i} ∥ R_{i})$ and $K_{i} = h (x_{a} ∥ S_{n} ∥ R_{n})$ , respectively, which would be stored in secret in the $G W$ . By using this additional random numbers, the number of possible combinations to decipher $K_{i}$ and $K_{n}$ is increased by $2^{n}$ times, where n is the size it bits of $R_{i}$ and $R_{n}$ .

Password Change Phase

Our proposal offers a light-weight password change phase that does not require communication with $G W$ , making it secure and efficient.

Session Key Establishment

Our proposal offers a simple and practical method for session key establishment among $U_{i}$ , $G W$ , and $S_{n}$ .

Table 2 shows the comparison of security features among different works. This demonstrates how our scheme is stronger in terms of security. Our approach provides protection against different kinds of attacks (privileged insider's attack, gateway node bypassing attack), also provides a secure password change phase, session key establishment, and achieves complete mutual authentication (mutual authentication between $G W$ and $S_{n}$ , and between $U_{i}$ and $G W$ ), features that previous works do not offer or offer with limitations.

Table 2

List of enhanced security features of the proposed protocol.

Security Feature	Proposed	M. Das'	Nyang-Lee's	Huang et al.'s	Chen-Shih's	Khan-Alghathbar
Secure password change/update	Yes	No	No	Yes	No	Yes
Protection against insider's attack	Yes	No	No	No	No	Yes
Protection against $G W$ bypassing attack	Yes	No	No	No	No	Partial
Protection against Parallel session attack	Yes	No	No	No	No	No
Mutual authentication $(G W / S_{n})$	Yes	No	Yes	No	No	Yes
Mutual authentication $(U_{i} / G W)$	Yes	No	Yes	No	No	No
Session Key Establishment	Yes	No	Yes	No	No	No

4.2. Performance Analysis

Table 3 indicates the number of hash operations required in each phase for each entity. It shows that our protocol requires a few more operations in the verification phase than some previous works. However, the majority of additional operations are executed by $U_{i}$ or $G W$ infrastructure which has no energy or computation power limitations. Therefore, we believe that the additional operations are not an impediment for real implementation. Additionally, we believe that the additional operations are justifiable considering that our protocol includes security features that previous works do not offer, which is indispensable for implementing a reliable and trustworthy network. It is important to remember that a failure at the component level will often compromise the security of the entire system [21].

Table 3

Performance analysis/number of operations (h: hash, se: symmetric encryption, sd: symmetric decryption).

Phase	Entity	Proposed	M. Das'	Nyang-Lee's	Huang et al.'s	Chen-Shih's	Khan-Alghathbar's
Registration phase	User	1 h	0 h	0 h	0 h	0 h	0 h
	$G W$	3 h	3 h	3 h	4 h	3 h	3 h
	Sensor	0 h	0 h	0 h	0 h	0 h	0 h

Login phase	User	3 h	4 h	4 h	4 h	4 h	4 h
	$G W$	0 h	0 h	0 h	0 h	0 h	0 h
	Sensor	0 h	0 h	0 h	0 h	0 h	0 h

Verification phase	User	2 h	0 h	1 h + 1 sd	0 h	1 h	0 h
	$G W$	8 h	4 h	9 h + 1 se	6 h	5 h	5 h
	Sensor	2 h	1 h	2 h + 1 se + 1 sd	1 h	1 h	2 h

Password change phase	User	5 h	—	—	4 h	—	4 h
	$G W$	0 h	—	—	0 h	—	0 h
	Sensor	0 h	—	—	0 h	—	0 h

According [22], the energy consumed by the MIPS R4000 and MC68328 “DragonBall” processors for performing the SHA-1 hashing function are 0.0000072 mJ/bit and 0.0000410 mJ/bit, respectively. Based on the previously mentioned data, we can calculate the energy consumed by sensor nodes executing the operations of the proposed scheme. Assuming that the size of $D I D_{i}$ , $K_{n}$ , random nonces, and timestamps are 160 bits long, the total energy consumed by sensor nodes in each authentication would be 0.008064 mJ and 0.04592 mJ for MIPS R4000 and MC68328 “DragonBall” processors, respectively. We believe that the energy consumption of sensor nodes to perform the security operations is acceptable considering the benefits of the proposed solution.

5. Conclusion

In this paper, we have analyzed previous user authentication mechanisms for wireless sensor networks and identified their vulnerabilities and limitations. We also have proposed a robust user authentication for wireless sensor networks that eliminates the identified security flaws. The proposed solution takes advantage of the two-factor authentication concept to provide a secure authentication system offering balanced features in terms of security and performance.

References

Mainwaring

Polastre

Szewczyk

Culler

Anderson

Wireless sensor networks for habitat monitoring

Proceedings of the 1st ACM International Workshop on Wireless Sensor Networks and Applications

September 2002

88 97

10.1145/570738.570751

2-s2.0-0036986465

Carlson

Han

Lao

Narayan

Ghani

Rapid prototyping of mobile input devices using wireless sensor nodes

Proceedings of the 5th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA ’03)

October 2003

21 29

U.A.F., ARGUS Advanced Remote Ground Unattended Sensor Systems. Department of Defense, 2009, http://www.globalsecurity.org/intell/systems/arguss.htm

Otto

Milenkovic

Sanders

Jovanov

System architecture of a wireless body area sensor network for ubiquitous health monitoring

Journal of Mobile Multimedia 2006 1 4 307 326

Wong

K. H. M.

Yuan

Jiannong

Shengwei

A dynamic user authentication scheme for wireless sensor networks

Proceedings of the IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing

June 2006

IEEE Computer Society

244 251

2-s2.0-33845458336

10.1109/SUTC.2006.1636182

Das

M. L.

Two-factor user authentication in wireless sensor networks

IEEE Transactions on Wireless Communications 2009 8 3 1086 1090

2-s2.0-62949130774

10.1109/TWC.2008.080128

4801450

Nyang

Lee

Improvement of das's two-factor authentication protocol in wireless sensor networks

Cryptology ePrint Archive 2009/631, http://eprint.iacr.org/2009/631.pdf

Huang

H. F.

Chang

Y. F.

Liu

C. H.

Enhancement of two-factor user authentication in wireless sensor networks

Proceedings of the 6th International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIHMSP ′10)

October 2010

27 30

2-s2.0-78650442232

10.1109/IIHMSP.2010.14

Chen

T. H.

Shih

W. K.

A robust mutual authentication protocol for wireless sensor networks

ETRI Journal 2010 32 5 704 712

2-s2.0-78049334450

10.4218/etrij.10.1510.0134

10.

Khan

M. K.

Alghathbar

Cryptanalysis and security improvements of “two-factor user authentication in wireless sensor networks”

Sensors 2010 10 3 2450 2459

2-s2.0-77955495427

10.3390/s100302450

11.

Kocher

Jaffe

Jun

Differential power analysis

Proceedings of the 19th International Advances in Cryptology Conference (CRYPTO ′99)

1999

388 397

12.

Messerges

T. S.

Dabbish

E. A.

Sloan

R. H.

Examining smart-card security under the threat of power analysis attacks

IEEE Transactions on Computers 2002 51 5 541 552

2-s2.0-0036566408

10.1109/TC.2002.1004593

13.

Jack

Exploiting embedded systems

Black Hat, Las Vegas, Nev, USA, 2006, http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Jack.pdf

14.

Raluca

Razvan

Terzis

Gateway design for data gathering sensor networks

Proceedings of the 5th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON ′08)

June 2008

296 304

2-s2.0-51749120139

10.1109/SAHCN.2008.44

15.

National Instruments WSN Ethernet Gateway, http://sine.ni.com/nips/cds/view/p/lang/en/nid/206919/

16.

Doley

Yao

A. C.

On the security of public-key protocols

IEEE Transactions on Information Theory 1983 29 2 198 208

2-s2.0-0020720357

17.

Burrows

Abadi

Needham

Logic of authentication

ACM Transactions on Computer Systems 1990 8 1 18 36

2-s2.0-0025386404

10.1145/77648.77649

18.

Tsaur

Lee

An efficient and secure multi-server authentication scheme with key agreement

Journal of Systems and Software 2012 85 4 876 882

19.

Wang

Zhang

An authentication protocol for RFID tag and its simulation

Journal of Networks 2011 6 3 446 453

10.4304/jnw.6.3.446-453

20.

Tsai

New dynamic ID authentication scheme using smart cards

International Journal of Communication Systems 2010 23 1449 1462

10.1002/dac.1118

21.

Ying

Building systems using software components

Journal of Software Technology 2006 9 1

22.

Carman

Kruus

Matt

Constraints and approaches for distributed sensor network security (Final)

NAI Labs Technical Report 2000 #00-010

A Security-Performance-Balanced User Authentication Scheme for Wireless Sensor Networks

Abstract

1. Introduction

2. Previous Works and Their Cryptanalysis

2.1. Review of the Das Scheme

Registration Phase

Authentication Phase

2.2. Chen-Shih's Scheme

2.2.1. Review of Chen-Shih's Scheme

Registration Phase

Login Phase

Verification Phase

Mutual Authentication Phase

2.2.2. Cryptoanalysis of Chen-Shih's Scheme

Parallel Session Attack

Gateway Node Bypassing Attack

Privileged-Insider Attack

Vulnerable Mutual Authentication between U i and G W

Lack of Mutual Authentication between G W and the Sensor Node

Lack of a Password Change Phase

2.3. Khan-Alghathbar's Scheme

2.3.1. Review of Khan-Alghathbar's Scheme

Registration Phase

Authentication Phase

Password Change Phase

2.3.2. Cryptoanalysis of Khan-Alghathbar Scheme

Parallel Session Attack

Gateway Node Bypassing Attack

Lack of Mutual Authentication between U i and G W

2.4. Nyang-Lee's Scheme

2.4.1. Review of Nyang-Lee's Scheme

Registration Phase

Authentication Phase

2.4.2. Cryptoanalysis of Nyang-Lee's Scheme

Parallel Session Attack

Privileged-Insider Attack

Lack of Password Change Phase

2.5. Huang et al.'s Scheme

2.5.1. Review of Huang et al.'s Scheme

Registration Phase

Login Phase

Verification Phase

Password Change Phase

2.5.2. Cryptoanalysis of Huang et al.'s Scheme

Parallel Session Attack

Privileged-Insider Attack

Lack of Mutual Authentication

3. Proposed Protocol

3.1. Registration Phase

3.2. Authentication Phase

Login Phase

Verification Phase

Session Key Establishment

3.3. Password Change Phase

4. Analysis of the Protocol

4.1. Security Analysis

4.1.1. Formal Proof Based on BAN Logic

Message-Meaning Rule

Freshness-Conjuncatenation Rule

Nonce-Verification Rule

Jurisdiction Rule

Belief Rules

4.1.2. Security Verification from Possible Attacks

Parallel Session Attack

Privileged-Insider Attack

Gateway Node Bypassing Attack

Mutual Authentication

Masquerade Attack

Replay Attack

Stolen-Verifier Attack

Guessing Attack

Many Logged-IN Users with the Same Login ID

Brute-Force Attack

Password Change Phase

Session Key Establishment

4.2. Performance Analysis

5. Conclusion

References

Vulnerable Mutual Authentication between $U_{i}$ and $G W$

Lack of Mutual Authentication between $G W$ and the Sensor Node

Lack of Mutual Authentication between $U_{i}$ and $G W$