Sage Journals: Discover world-class research

Abstract

Recently, several user authentication schemes for wireless sensor networks based on two-factor concept using the smart card technology were proposed. However, they have serious limitations in terms of security and usability. First, even though they are enhancements of other works, they still have several security flaws, such as vulnerability against parallel session, privileged-insider, and gateway-node bypassing attacks and lack of mutual authentication between user station and gateway node. On the other hand, they also present a usability constraint, in a sense that they do not consider the use case when sensor nodes cannot communicate with gateway node. In this case, data collected by isolated sensor nodes could not be accessed until they recover such communication, which is in many times not recoverable rapidly or forever (e.g., military applications, natural disaster monitoring). Due to all these reasons, this paper proposes a robust user authentication scheme which fixes the security weaknesses of previous solutions and provides wider usability considering the use case when the sensor nodes cannot communicate with the gateway node. Once the solution is described, its security is ensured by formal proof and analysis against attacks. Additionally, performance and cost analysis are executed to determine its level of feasibility for real implementation.

1. Introduction

With the growth of wireless sensor network (WSN) application fields, the frequency of WSNs managing critical tasks and important information has also increased. However, most of real applications do not include any security mechanisms making them vulnerable to serious attacks. This fact makes evident the necessity of security solutions for WSNs such as [1]. Among different security mechanisms, a user authentication mechanism that allows only legitimate users to access the WSN's data is considered one of the most important security mechanisms because it contributes to keeping the confidentiality and integrity of network's data and because it is an essential primitive upon which other security mechanisms such as secure channel establishment and over-the-air (OTA) programming [2] are built on.

At this point, several research works [3–7] have been executed for providing user authentication schemes for WSNs. Those proposals consider the resource limitations of WSNs and provide lightweight schemes. However, they have serious limitations in terms of security and usability. First, previous works have several security flaws such as vulnerability against parallel session, privileged-insider, and gateway-node bypassing attacks and lack of mutual authentication between user station and the gateway node. On the other hand, they also present a usability constraint, in a sense that they do not consider the case when sensor nodes cannot communicate with the gateway node; in this case, data collected by sensor nodes could not be accessed until they recover this communication, which is in many times not recoverable rapidly or forever. (e.g., military applications in war, natural disaster monitoring). Due to all these reasons, this paper proposes an enhanced user authentication scheme that solves the identified security issues and constraints.

The rest of this paper is organized as follows. Section 2 analyzes the existing works to detail their weaknesses and limitations in terms of security and usability. Section 3 then specifies the design criteria of the proposed user authentication scheme. Later, Section 4 presents the details of the proposed solution which solves the vulnerabilities and limitations mentioned in Section 2. Next, Section 5 analyzes the proposed protocol in terms of achieved security level, performance, and cost. Finally, Section 6 details the conclusions of this paper.

2. Analysis of Existing Works

Lately, user authentication for wireless sensor networks based on smart cards has been actively researched. The two-factor authentication approach which requires the verification of ownership of both a password and a smart card achieves effectively the purpose of authentic delivery of sensed data while minimizing the load of storing user data in the gateway node. This is because the tamper-proof smart card of the user delivers the function of secure storage of authentication data instead of the gateway node.

In 2009, Das [3] presented a research work where The author proposed an authentication scheme based on the two-factor user authentication concept using the smart card technology. Das' proposal was considered as an efficient two-factor user authentication scheme because it only required the usage of small number of hash function calculations [4]. However, even though Das' proposal was adopted by different research works, its limitations and security flaws were discovered in subsequent works. Nyang and Lee [4] identified that Das' protocol was vulnerable to offline password guessing and sensor node compromising attacks. Huang et al. [5] also identified some limitations of Das' scheme such as vulnerability from impersonate attack. Additionally, the authors of [6] pointed out the absence of mutual authentication feature in Das' protocol while Khan and Alghathbar [7] pointed out additional security flaws of Das' proposal, describing that it was vulnerable to privileged-insider and gateway-node bypassing attacks.

Once they discovered different vulnerabilities and security limitations of Das' proposal, the authors of [3–6] also proposed enhanced versions of Das' protocol to eliminate detected vulnerabilities. However, as shown in our previous work [8], those protocols still include serious vulnerabilities and security limitations of which an attacker can take advantage, exposing WSNs to serious risks. Table 1 summarizes the security analysis of [8] showing that the protocols in [3–7] are still vulnerable to different attacks and have several security limitations.

Table 1

Summary of cryptanalysis of previous works based on smart cards.

Security feature	Das' [3]	Nyang-Lee's [4]	Huang et al.'s [5]	Chen-Shih's [6]	Khan-Alghathbar's [7]
Secure password change/update	No	No	Yes	No	Yes
Protection against insider's attack	No	No	No	No	Yes
Protection against gateway bypassing attack	No	No	No	No	Partial
Protection against parallel session attack	No	Yes	No	No	No
Mutual authentication (gateway-sensor node)	No	Yes	No	No	Yes
Mutual authentication (user station-gateway)	No	Yes	No	No	No
Session key establishment	No	Yes	No	No	No

In addition, all of the aforementioned approaches only focus their analysis on the security and performance aspects, and neglect the usability aspect. From this point of view, we can say that the previous user authentication schemes also present a serious usability constraint because they do not consider the case when important sensor nodes are isolated. Isolation of sensor nodes could occur because of network link failures between the gateway node and sensor nodes (see Figure 1) or because of disconnections between critical routing sensor nodes (see Figure 2). Sensor nodes isolation is considered problematic for several reasons. First, the isolated sensor nodes frequently store critical information which requires to be transmitted opportunely to the user for decision making. However, using the previous user authentication mechanisms, users could not authenticate to the isolated sensor nodes until sensor nodes recover the communication with the gateway node, which is in many times not recoverable rapidly or forever. Additionally, if the link between the gateway node and isolated sensor nodes is not reestablished rapidly, historical data of those nodes could be eliminated because of their limited storage memory capacity. In this regard, this situation demands for a new user authentication scheme with an offline user authentication mechanism which allows users to authenticate directly to isolated sensor nodes for getting the critical information in an opportune way.

Figure 1

Sensor nodes isolated because of broken link between gateway and sensor nodes.

Figure 2

Sensor nodes isolated because of broken link between sensor nodes.

Even though many people may think sensor node isolations are not common, they are common in particular applications. Here we describe some applications where sensor nodes could be isolated and why offline user authentication (mobile user station authenticating directly to the sensor node) is important. First, let us consider a volcano monitoring sensor network [9] gathering seismic and infrasonic signals. In such systems, there are several events that could provoke sensor nodes' isolation. One of the possibilities is when an explosion occurs in a side vent (see Figure 3); in such case, the sensor nodes located in the superior region of the side vent can lose the connection with the inferior region because the sensor nodes nearby the side vent are destroyed or buried. Another case is when critical routing sensor nodes are buried or damaged because of lahars or seismic activities. Data of Tungurahua volcano in Ecuador (see Figure 4) published by Instituto Geofísico de la Escuela Politécnica Nacional (http://www.igepn.edu.ec/) illustrates how frequent this situation could occur in an active volcano. The report indicates that 29 lahars and 8400 long-period seismic events were detected only in 2004. In those cases, it is frequent that the isolated nodes store important data that could help to forecast the future behavior of the volcano. Therefore, it is important to provide a mechanism that allows a rapid and opportune access to such information while maintaining the confidentiality and integrity features.

Figure 3

Sensor nodes isolated because of side vent explosion of a volcano.

Figure 4

Statistical data of Tungurahua volcano in 2004.

Another type of applications where critical sensor nodes could be isolated is the military one. Consider that a battlefield application has lost some intermediate nodes because they have been destroyed by the enemy, but the nodes deployed in the enemy's territory have accumulated important data. In this case, an automaton user station could be sent to the enemy's territory to gather such information. An easy way to authenticate to the sensor nodes is that the automaton carries the secret keys. However, carrying the secret keys in hostile environment opens wide possibilities of leakage of the secret values which could compromise the security of the whole network. Therefore, the user authentication scheme must provide a way to maintain the security of the sensor network even if the automaton is taken by the adversary.

In conclusion, as described previously, previous works present several limitations in terms of security and usability, and this situation creates the need for designing an enhanced user authentication scheme which overcomes such constraints.

3. User Authentication Scheme Design Criteria

We believe that several limitations of previous works were produced because of the absence of a concrete and clear requirement elicitation process. To avoid falling into the same mistake, this paper has decided to describe the design criteria of the proposed user authentication scheme.

3.1. General Considerations and Assumptions

The proposed user authentication scheme must be able to be implemented in a scenario with the following considerations and assumptions. (i)

The network is composed of traditional elements, that is, sensor nodes, gateway node(s), and user station with time synchronization.

(ii)

The network has at least one gateway node which has a stable link with the user station.

(iii)

The network implements a routing protocol which provides the path between sensor nodes and gateway node(s).

(iv)

The hierarchies of sensor nodes and the topology of the network are taken care of by the routing protocol.

(v)

Each sensor node can store a set of predefined data.

3.2. Security Requirements

The most important aspect of the proposed user authentication scheme is its security. Therefore, it is vital to precisely define the security requirements that the proposed scheme must satisfy. This section defines the threat model and then describes the list of security requirements considered in this paper.

3.2.1. Threat Model

In the analysis of the proposed protocol, the widely used Doley and Yao [10] threat model will be used, which assumes that two communicating parties communicate over an insecure channel. This means that the attacker is able to eavesdrop and manipulate the messages sent over the air. In other words, the attacker can read, modify, and delay the messages sent by the different entities that participate in WSNs. Additionally, it is assumed that the attacker may know the algorithm of the security mechanisms that are deployed in the network. The main aim of the attacker is the falsification of an authentication. It is assumed that the attacker aims for a forgery in the proposed message exchange scenario where a user authenticates to the sensor network. The attack is considered successful if the sensor network (whether sensor node or gateway node) accepts a fake message that was not sent by an authentic user or if the user accepts messages coming from a fake sensor node or gateway node. All kinds of nonauthentic messages such as random new messages, replayed messages, and modified messages sent by the attacker are considered as fake messages.

This paper only takes care of the user authentication problem; other security issues of other layers of the protocol are taken care of by security solutions of other levels. In addition, it is assumed that gateway node(s) is managed by a trusted infrastructure. Therefore, the gateway node(s) is considered as secure and its security is not considered as part of this work. Additionally, not every aspect of physical attacks is considered in this paper; however, the unauthorized extraction of the secret values of a sensor node or smart card using techniques such as shown in [11–13] must not have effect on the security of the rest of nodes and users.

3.2.2. Basic Requirements

Data Confidentiality. Data confidentiality is the most important issue in network security. The proposed security solution must provide concealment of private information making it infeasible for an unauthorized user to understand the confidential data.

Data Integrity. With the implementation of confidentiality, an adversary may be unable to read the information. However, this does not mean the data is safe. The adversary can change the data to produce disorder in the sensor network. Therefore, it is important that different entities of the network can detect modification of messages transmitted over the network.

Data Freshness. Even if confidentiality and data integrity are assured, it is necessary to ensure the freshness of each message. Data freshness suggests that the data is recent and it ensures that no old messages have been replayed.

3.2.3. Attack List

There are several attacks that have been considered common in user authentication for WSNs such as privileged-insider, stolen-verifier, replay, parallel session, guessing, brute force, impersonation, and gateway-node bypassing attacks [3–7]. The proposed solution must also demonstrate its security against such attacks.

3.2.4. Other Security Requirements

Mutual Authentication. Some of previous works [4, 7] provide mutual authentication between the gateway node and sensor nodes but do not provide mutual authentication between user and gateway node. This situation can compromise the security of the whole network because newer sensor network implementations offer remote administration/query features in their gateway nodes [14, 15], allowing users to access to network's data from a remote terminal. In this kind of environment, it is really important to authenticate the validity of the gateway node from the user's side to avoid adversaries collecting valuable data using fake gateway nodes.

Secure Registration, Authentication, and Password Change Processes. It is important to remember that the proposed user authentication mechanism must offer user registration, authentication, and password change processes and they must be executed in a secure manner.

Session Key Establishment. After authentication, the scheme must provide a simple session key establishment algorithm to provide a secure channel between entities after authentication.

3.3. Performance Requirements

WSNs own special characteristics which must also be considered in the designing of the security mechanisms. The most important resource constraints of WSN are the resource related ones [16], namely, limited storage space, limited computation power, and low energy capacity. Since the use of security algorithms reduces the lifetime of nodes, it is critical that the user authentication algorithm uses low quantity of energy. The aspects to be considered as performance requirements are as follows.

Type of Cryptographic Algorithm. Traditionally, there are two different types of cryptography algorithms, namely, public-key cryptography and symmetric-key cryptography. The first one has the characteristic of using two separate keys: one to encrypt the plaintext and another to decrypt the ciphertext. The most representative algorithms in public-key cryptography are Rivest-Shamir-Adleman ((RSA) the creators of the algorithm) and elliptic curve cryptography (ECC). On the other hand, the symmetric-key cryptography uses a common key for encryption and decryption which is shared among the communicating parties. One of the most representative algorithms of symmetric-key cryptography is advanced encryption standard (AES). Additionally, there is another type of encryption/decryption mechanism based on hash functions and exclusive-or operations which is considered as part of symmetric-key cryptography because it uses a common key between the communicating entities. One of the most representative hash functions used in such mechanisms is the secure hash algorithm (SHA). The importance of selecting a correct cryptographic algorithm lies in its complexity. A different Different cryptographic algorithms mean different complexities which is reflected in the required computation power and energy usage. This issue is very important because the common sensor nodes have very limited computation power and energy capacity. Several research works [17–20] have applied the asymmetric-key algorithms in WSNs. The results of such works reveal that despite the use of energy efficient techniques, such as ECC or dedicated cryptography coprocessors, asymmetric-key algorithms consume more energy than symmetric-key algorithms. For this reason, many researchers believe that the processing time and power consumption make it undesirable for public key algorithm techniques to be employed in sensor networks. Based on this criterion, the public cryptography was discarded for the proposed solution.

On the other hand, between the traditional symmetric key cryptography and encryption using hash functions, this paper has considered to use the last one because of its benefits in terms of energy usage as shown in previous works such as [21, 22]. In case of [21], the authors explain how AES-128 consumes more than double of SHA-1 function showing that the last one consumes around 154 μJ while AES-128 consumes 339 μJ on CrossBow nodes. The work described in [22] shows how for payloads of 17 bytes or above SHA-1 requires considerably less iterations than AES and therefore a shorter running time and less energy. In another earlier publication [16], the authors estimated that the energy per bit consumed by MIPS R4400 and MC68328 “DragonBall” processors for performing AES encryption/decryption operations is 9 nJ/bit and 101 nJ/bit, respectively, while for SHA-1 hashing function, the same processors consume 7.2 nJ/bit and 41 nJ/bit, respectively.

Number of Cryptographic Operations. The number of cryptographic operations used in sensor nodes must be minimal to extend their lifetime. The number of cryptographic operations executed by the user station and gateway node is not considered as important because they own superior resource capacities (i.e., computation power, storage, and energy capacity).

Number of Messages. One of main the operations that consume more energy is the transmission of messages. Therefore, the number of messages sent by sensor nodes must also be minimal to reduce their energy spent in wireless communication.

Energy Consumption Analysis. Energy consumption analysis using realistic data sizes will help to understand the effects of the proposed user authentication scheme over WSN.

3.4. Usability Requirements

The proposed scheme must also consider the different use cases of the authentication process according to the state of the network to offer extensive usability. This paper considers two specific use cases.

3.4.1. Online User Authentication

Online user authentication refers to the user authentication process executed when the sensor node has network connection with the gateway node (see Figure 5). This is considered the most traditional because sensor nodes are commonly monitored from the fixed network infrastructure installed in a safe place which includes the gateway node.

Figure 5

Online user authentication.

3.4.2. Offline or Gateway-Less User Authentication

This case is when the user authenticates directly to the sensor node because the network connection between the sensor node and gateway node cannot be established. In this case, the user must approach to the sensor node to authenticate with it but without the authorization of the gateway node (see Figure 6).

Figure 6

Offline or gateway-less user authentication.

Important. Although this use case is very important for different types of WSNs such as military operation and natural disaster monitoring applications (as explained in Section 2), none of the previous works have considered this use case.

4. Proposed User Authentication Scheme

The proposed solution is composed of three protocols: user registration, user authentication, and password change protocols which are executed among three independent entities, that is, users, gateway node, and sensor nodes.

4.1. User Registration Protocol

The user registration protocol is executed when new user needs to be authorized to access the sensor network. The steps executed in this protocol are as follows (see Figure 7 and Table 2). A user $U_{i}$ chooses his/her identity ${I D}_{i}$ and password ${P W}_{i}$ and inputs them to the terminal. The terminal then generates a random number $r_{i}$ and computes $P P W_{i} = h ({P W}_{i}) \oplus r_{i}$ , where $h (\cdot)$ is a hash function and ⊕ is an XOR operator. Once $P P W_{i}$ has been calculated, ${I D}_{i}$ and $P P W_{i}$ are sent to the gateway node $G W$ . $G W$ then computes $N_{i} = h ({I D}_{i} ∥ P P W_{i}) \oplus h ({I D}_{i} ∥ K)$ , where K is a symmetric key only known by GW and “ $∥$ ” is a concatenation operator. Once $N_{i}$ has been calculated, $G W$ personalizes a smart card with the parameters $h (\cdot)$ and $N_{i}$ . Then, $G W$ delivers the smart card to $U_{i}$ in a secure manner. Finally, $U_{i}$ calculates $M_{i} = h ({I D}_{i} ∥ P W_{i} ∥ r_{i})$ and stores $M_{i}$ and $r_{i}$ into the smart card.

Table 2

Notations of the proposed scheme.

Notation	Description
${I D}_{i}$	Identification of user i
${P W}_{i}$	Password of user i
$N e w {P W}_{i}$	New password of user i
$r_{i}$	Random number of user i
K	Secret key of $G W$
$K_{n}$	Secret key of $S_{n}$
$T_{1}$ , $T_{2}$ , $T_{3}$ , $T_{4}$ , $T_{p e r m i t}$	Timestamps
${P e r m i t}_{i n}$	Permit of user i to access $S_{n}$
$K_{U_{i} - G W}$	Session key between $U_{i}$ and $G W$
$K_{S_{n} - G W}$	Session key between $S_{n}$ and $G W$
$K_{U_{i} - S_{n}}$	Session key between $U_{i}$ and $S_{n}$
$E_{x}$ (y)	Symmetric encryption of string y using the key x
$D_{x}$ (y)	Symmetric decryption of string y using the key x
h(·)	One-way hash function
$∥$	String concatenation
⨁	XOR operation
?=	Comparison operation

Figure 7

Proposed user registration protocol.

On the other hand, a unique secret key $K_{n} = h (S_{n} ∥ K)$ is stored in each sensor node responsible for exchanging data with $U_{i}$ , where $S_{n}$ is the unique identification of the sensor node.

The proposed user registration protocol includes several enhancements compared to the previous solutions. First, each smart card and sensor node includes unique secret values: $N_{i} = h ({I D}_{i} ∥ P P W_{i}) \oplus ({I D}_{i} ∥ K)$ and $K_{n} = h (S_{n} ∥ K)$ , respectively, which limits the effect of the physical attack to the attacked unit, maintaining the security of the rest of the network. Additionally, the usage of $P P W_{i}$ (instead of $P W_{i}$ ) provides protection against the privileged-insider attack. Finally, the usage of $h ({I D}_{i} ∥ K)$ inside $N_{i}$ delivers protection against parallel session attacks.

4.2. User Authentication Protocol

This protocol is performed when $U_{i}$ needs to access the data gathered by a sensor node. The process of user authentication is differentiated depending on the use case as described in Section 3.

4.2.1. Online User Authentication Protocol

This subsection describes the authentication protocol when the sensor node is connected to the gateway node (see Figure 5). In this case, the gateway node works as a verifier to validate the authenticity of the user and sensor node. The steps executed in this protocol are as follows (see Figure 8 and Table 2).

Figure 8

Proposed online user authentication protocol.

Authentication Phase. $U_{i}$ inserts the smart card and inputs his/her ${I D}_{i}$ and $P W_{i}$ . The smart card then computes $M_{i}^{*} = h ({I D}_{i} ∥ P W_{i} ∥ r_{i})$ and compares $M_{i}^{*}$ with $M_{i}$ to authenticate $U_{i}$ . If those values do not match, the authentication request is rejected. Otherwise, the smart card computes $P P W_{i} = h (P W_{i}) \oplus r_{i}$ , $K_{i} = N_{i} \oplus h ({I D}_{i} ∥ {P P W}_{i})$ , and $A_{i} = h ({I D}_{i} {∥ K}_{i} ∥ T_{1})$ and transmits ${{I D}_{i}, A_{i}, T_{1}}$ to $G W$ , where $T_{1}$ is the current timestamp of $U_{i}$ 's system. Upon receiving the login request at time $T_{1}^{*}$ , $G W$ validates $T_{1}$ . If $(T_{1}^{*} - T_{1}) > Δ T$ , $G W$ aborts the authentication process, where $Δ T$ denotes the maximum allowed communication delay. Otherwise, $G W$ computes $K_{i}^{*} = h ({I D}_{i} ∥ K)$ and $A_{i}^{*} = h ({I D}_{i} ∥ K_{i}^{*} ∥ T_{1})$ . Once $A_{i}^{*}$ is computed, $G W$ checks whether it is equal to $A_{i}$ . If $A_{i}^{*}$ is different to $A_{i}$ , GW finishes the authentication process; otherwise, $G W$ computes $K_{n}^{*} = h (S_{n} ∥ K)$ and $B_{i} = h ({I D}_{i} ∥ K_{n}^{*} ∥ T_{2})$ and transmits the message ${{I D}_{i}, B_{i}, T_{2}}$ to some nearest sensor node $S_{n}$ to respond to the query with the data that $U_{i}$ is looking for, where $T_{2}$ is the timestamp of GW's system when sending the message. $S_{n}$ first validates $T_{2}$ using similar method of $T_{1}$ verification then computes $B_{i}^{*} = h ({I D}_{i} {∥ K}_{n} ∥ T_{2})$ and checks whether $B_{i}^{*}$ is equal to $B_{i}$ . Only if those values match, $S_{n}$ responds to $G W$ 's message by sending the message ${C_{i}, T_{3}}$ , where $C_{i} = h ({I D}_{i} ∥ K_{n} ∥ T_{3})$ . Once $G W$ is received the message, validates $T_{3}$ using similar method of $T_{1}$ and $T_{2}$ verification and then checks the validity of $C_{i}$ by comparing $C_{i}^{*} = h ({I D}_{i} ∥ K_{n}^{*} ∥ T_{3})$ with the received $C_{i}$ . Once the sensor node is authenticated, $G W$ computes $D_{i} = h ({I D}_{i} ∥ K_{i}^{*} ∥ T_{4})$ , where $T_{4}$ is the current timestamp of $G W$ and sends the message ${D_{i}, T_{4}}$ to $U_{i}$ . Finally, $U_{i}$ validates $T_{4}$ and computes $D_{i}^{*} = h ({I D}_{i} ∥ K_{i} ∥ T_{4})$ and checks whether it is equal to $D_{i}$ .

Session Key Establishment Phase. A session key between $U_{i}$ and $G W K_{U_{i} - G W} = h (T_{1} ∥ T_{4} ∥ K_{i})$ and a session key between $G W$ and $S_{n} K_{S_{n} - G W} = h (T_{2} ∥ T_{3} ∥ K_{n})$ could be used if an encryption channel was required after authentication. Additionally, if a direct communication channel between $U_{i}$ and $S_{n}$ was required, a bilateral session key $K_{U_{i} - S_{n}}$ could be established through $G W$ . In this case, $G W$ would generate a random $K_{U_{i} - S_{n}}$ and send $T_{5} ∥ K_{U_{i} - S_{n}}$ encrypted with $K_{U_{i} - G W}$ to $U_{i}$ and $T_{5} ∥ K_{U_{i} - S_{n}}$ encrypted with $K_{S_{n} - G W}$ to $S_{n}$ , where $T_{5}$ is the timestamp of $G W$ when sending the session key.

Note. Although the process of the online user authentication protocol is similar to that proposed by the existing works, it includes several enhancements. First, it delivers mutual authentication among all entities ( $U_{i}$ , $G W$ , and $S_{n}$ ). Additionally, the proposed protocol includes a simple session key establishment phase which was not provided in most of solutions.

4.2.2. Offline or Gateway-Less User Authentication Protocol

In this use case, $S_{n}$ is disconnected from the gateway node; therefore, it is not possible to receive the authorization from $G W$ to provide access to the collected data to $U_{i}$ (see Figure 6). In this situation, another form of authentication is required, where $S_{n}$ must be sure that the $U_{i}$ is an authenticated user authorized by $G W$ without dealing directly with $U_{i}$ 's key; on the other hand, $U_{i}$ also must be sure that $S_{n}$ is an authentic sensor node, but without dealing with $S_{n}$ 's key. On that point, a special data called Permit is proposed to be used instead of the secret keys. Permit contains the authorization of $G W$ to access the data of a sensor node.

The offline or gateway-less user authentication protocol is composed of two subprotocols, namely, permit issue and User Authentication. The first one allows $U_{i}$ to request the permit for accessing $S_{n}$ ( ${P e r m i t}_{i n}$ ) to the gateway node, while the second one allows $U_{i}$ to use the issued permit to authenticate to $S_{n}$ .

(A) Permit Issue Subprotocol. After receiving the smart card from $G W$ , $U_{i}$ can use it to authenticate himself or herself to GW and receive the ${P e r m i t}_{i n}$ which will allow $U_{i}$ to authenticate to the sensor node $S_{n}$ when it is disconnected from GW. ${P e r m i t}_{i n}$ is a secret value issued by $G W$ , which certifies that $U_{i}$ has permission to access the data collected by $S_{n}$ . The permit issue subprotocol is executed as follows (see Figure 9 and Table 2).

Figure 9

Proposed offline permit issue subprotocol.

$U_{i}$ inserts the smart card and inputs his/her $I D_{i}$ and $P W_{i}$ . The smart card then computes $M_{i}^{*} = h (I D_{i} ∥ P W_{i} ∥ r_{i})$ and compares $M_{i}^{*}$ with $M_{i}$ to authenticate $U_{i}$ . If those values do not match, the authentication request is rejected. Otherwise, the smart card computes $P P W_{i} = h (P W_{i}) \oplus r_{i}$ , $K_{i} = N_{i} \oplus h (I D_{i} ∥ P P W_{i})$ , and $A_{i} = h (I D_{i} ∥ K_{i} ∥ T_{1})$ and transmits ${I D_{i}, A_{i}, T_{1}}$ to $G W$ , where $T_{1}$ is the current timestamp of $U_{i}$ 's system. Upon receiving the login request at time $T_{1}^{*}$ , $G W$ validates $T_{1}$ . If $(T_{1}^{*} - T_{1}) > Δ T$ , $G W$ aborts the authentication process, where $Δ T$ denotes the maximum allowed communication delay. Otherwise, $G W$ computes $K_{i}^{*} = h (I D_{i} ∥ K)$ and $A_{i}^{*} = h (I D_{i} ∥ K_{i}^{*} ∥ T_{1})$ . Once $A_{i}^{*}$ is computed, $G W$ checks whether it is equal to $A_{i}$ . If $A_{i}^{*}$ is different to $A_{i}$ , $G W$ finishes the permit issue process; otherwise, $G W$ computes $K_{n}^{*} = h (S_{n} ∥ K)$ , ${P e r m i t}_{i n} = h (I D_{i} ∥ K_{n}^{*} ∥ T_{p e r m i t}) \oplus K_{i}^{*}$ , $K_{U_{i} - G W} = h (T_{1} ∥ T_{p e r m i t} ∥ K_{i}^{*})$ , and encrypted permit $E P_{i} = E_{K_{U_{i} - G W}} ({P e r m i t}_{i n} ∥ T_{p e r m i t})$ and transmits ${E P_{i}, T_{p e r m i t}}$ to $U_{i}$ , where $T_{p e r m i t}$ is the timestamp of $G W$ 's system when generating ${P e r m i t}_{i n}$ and $E_{s e c r e t_k e y} (s t r i n g)$ is a symmetric encryption of a string using the key secret_key. $U_{i}$ first validates $T_{p e r m i t}$ using similar method of $T_{1}$ verification then computes $K_{U_{i} - G W} = h (T_{1} ∥ T_{p e r m i t} ∥ K_{i})$ to obtain ${P e r m i t}_{i n} ∥ T_{p e r m i t} = D_{K_{U_{i} - G W}} (E P_{i})$ , where $D_{s e c r e t_k e y} (s t r i n g)$ is a symmetric decryption of a string using the key secret_key. Once $T_{p e r m i t}$ is obtained, $U_{i}$ compares it with the $T_{p e r m i t}$ received in plaintext to validate once more the validity of $E P_{i}$ . Finally, $U_{i}$ stores ${P e r m i t}_{i n}$ and $T_{p e r m i t}$ into the smart card.

Note. The permit can be obtained (1) immediately after receiving the smart card as well as (2) when the need arises. The criterion for checking the validity of $Δ T_{p e r m i t}$ is the same for both cases, that is, a period of time (e.g., one day, one week, etc.). The first case provides the advantage that the user can mobilize to a location near sensor nodes but without network connection with the $G W$ . However, in this case, the user must be prudent in updating the Permit before its expiration. The second case can be used when the user stays in a location with stable network connection with the GW. We believe that obtaining the permit from the GW when the need arises is not a critical problem because the time required in executing the permit issue sub-protocol is small. In conclusion, taking into account the previous analysis, the first case (obtaining the permit immediately) could be a better solution, if the response time to the events was critical and the user was not in a place connected to the GW. On the other hand, the second case (obtaining the permit from the GW when the need arises) could be better when the user is located in a place with stable network connection with the GW.

(B) User Authentication Subprotocol. Once the Permit received, $U_{i}$ can go to the field to authenticate directly to the sensor node. This protocol is composed of two phases, namely authentication and session key establishment (see Figure 10 and Table 2).

Figure 10

Proposed offline user authentication subprotocol.

Authentication Phase. Once the ${P e r m i t}_{i n}$ is issued from GW, $U_{i}$ can use it to authenticate himself or herself to $S_{n}$ and access $S_{n}$ 's data. The authentication process is executed as follows. $U_{i}$ inserts the smart card and inputs his/her ${I D}_{i}$ and ${P W}_{i}$ . The smart card then computes $M_{i}^{*} = h ({I D}_{i} ∥ P W_{i} ∥ r_{i})$ and compares $M_{i}^{*}$ with $M_{i}$ to authenticate $U_{i}$ . If those values do not match, the authentication request is rejected. Otherwise, the smart card computes $P P W_{i} = h ({P W}_{i}) \oplus r_{i}$ , $K_{i} = N_{i} \oplus h ({I D}_{i} ∥ {P P W}_{i})$ , and $P_{i} = h ({P e r m i t}_{i n} \oplus K_{i} ∥ T_{1})$ and transmits ${{I D}_{i}, P_{i}, T_{1}, T_{p e r m i t}}$ to $S_{n}$ , where $T_{1}$ is the current timestamp of $U_{i}$ 's system. Upon receiving the login request at time $T_{1}^{*}$ , $S_{n}$ validates $T_{1}$ and $T_{p e r m i t}$ . If $(T_{1}^{*} - T_{1}) > Δ T$ or $(T_{1}^{*} - T_{p e r m i t}) > Δ T_{p e r m i t}$ , $S_{n}$ aborts the authentication process, where $Δ T$ denotes the maximum allowed communication delay and $Δ T_{p e r m i t}$ denotes the period of validity of a permit. Otherwise, $S_{n}$ computes $P_{i}^{*} = h (h ({I D}_{i} ∥ K_{n} ∥ T_{p e r m i t}) ∥ T_{1})$ . Once $P_{i}^{*}$ is computed, $S_{n}$ checks whether it is equal to $P_{i}$ . If $P_{i}^{*}$ is different to $P_{i}$ , $S_{n}$ finishes the authentication process; otherwise, $S_{n}$ computes $Q_{i} = h (h ({I D}_{i} ∥ K_{n} ∥ T_{p e r m i t}) ∥ T_{2})$ and transmits ${Q_{i}$ , $T_{2}}$ to $U_{i}$ , where $T_{2}$ is the actual timestamp of $S_{n}$ 's system. $U_{i}$ first validates $T_{2}$ using similar method of $T_{1}$ verification then checks the validity of $Q_{i}$ by comparing $Q_{i}^{*} = h ({P e r m i t}_{i n} \oplus K_{i} ∥ T_{2})$ with the received $D_{i}$ . If those values match, then $U_{i}$ trusts $S_{n}$ and accesses its data.

Session Key Establishment. A session key between $U_{i}$ and $S_{n}$ $K_{U_{i} - S_{n}} = h (T_{1} ∥ T_{2} ∥ h ({I D}_{i} ∥ K_{n} ∥ T_{p e r m i t}))$ could be used if an encryption channel was required after authentication.

4.3. Password Change Protocol

One of the requirements of a secure protocol is the delivery of a mechanism to users so that they can freely change their passwords. The proposed scheme provides a simple and efficient password change protocol which does not require communication with the gateway node. The proposed password change protocol is executed as follows (see Figure 11 and Table 2).

Figure 11

Proposed password change protocol.

$U_{i}$ inputs his/her $I D_{i}$ , ${P W}_{i}$ , and new password $N e w {P W}_{i}$ to the smart card. The smart card then calculates $M_{i}^{*} = h (I D_{i} ∥ {P W}_{i} ∥ r_{i})$ and verifies the validity of ${I D}_{i}$ and ${P W}_{i}$ by comparing $M_{i}^{*}$ with $M_{i}$ . If those values do not match, the password change request is rejected. Otherwise, the smart card computes $P {P W}_{i} = h ({P W}_{i}) \oplus r_{i}$ , $h ({I D}_{i} ∥ K) = N_{i} \oplus h ({I D}_{i} ∥ P {P W}_{i})$ , $N e w M_{i} = h ({I D}_{i} ∥ N e w {P W}_{i} ∥ r_{i})$ , and $N e w N_{i} = h ({I D}_{i} ∥ N e w P {P W}_{i}) \oplus h ({I D}_{i} ∥ K)$ , where $N e w {P P W}_{i} = h (N e w {P W}_{i}) \oplus r_{i}$ . Finally, the smart card replaces $M_{i}$ and $N_{i}$ with $N e w M_{i}$ and $N e w N_{i}$ , respectively.

4.4. Implementation Issue

This paper does not consider the details related to the real implementation of the proposed scheme. However, we would like to share several ideas required on implementing the proposed scheme. First, the user interface of the application to be installed in the user station ( $U_{i}$ ) managing the execution of protocols must include the option to choose the protocol to be executed by the user. Second, as the content of the messages sent from $U_{i}$ to GW in online user authentication protocol and offline permit issue subprotocol is the same $({{I D}_{i}, A_{i}, T_{1}})$ , it must include a header indicating which protocol GW must execute; one possible solution could be the usage of 1 bit: “0” for online user authentication and “1” for offline permit issue sub-protocol. Finally, the requests ${{I D}_{i}, B_{i}, T_{2}}$ and ${{I D}_{i}, P_{i}, T_{1}, T_{p e r m i t}}$ used in online and offline user authentication protocols are differentiated by $S_{n}$ using messages' sizes. This means that $S_{n}$ would execute the steps of one protocol according to the size of the receiving message. As another option, request messages could include a header to indicate the type of the request the user is asking for. The mentioned ideas are just possible options and we believe that the details required for real implementation should be considered in the implementation based on the requirements of the total solution.

5. Analysis of the Proposed Scheme

5.1. Security Analysis

This part analyzes the security of the proposed scheme in terms of formal verification and analysis of security requirements described in Section 3. The registration and password change protocols of the proposed scheme are excluded from this analysis because they are executed in a secure environment. In the analysis of the user authentication protocol, the threat model discussed in Section 3 is applied.

5.1.1. Formal Proof Based on BAN Logic

(A) Notations and Rules of BAN Logic. This subsection demonstrates the security of the proposed scheme by a well-known formal model called BAN logic [23, 24]. BAN logic has been widely used in different works such as [25–27] to reason about their security validation. The logical notations of BAN logic used in this paper are as described in Table 3. This section also lists some main logical postulates to be used in proofs.

Table 3

Notations of BAN logic.

Notation	Description
$P ∣ \equiv X$	The principal P believes that X holds. In other words, it means that P is entitled to act as though X is true
#(X)	The formula X is fresh. That is, X has not been sent before in any run of the protocol
$P \Rightarrow X$	The principal P has jurisdiction over the statement X. That is, P is an authority on X and can be trusted on X
$P ⊲ X$	The principal P sees the statement X. That is, someone has sent a message to P containing X, and P can read and repeat X
P ∣~ X	The principal P once said the statement X. That is, P sent a message containing X sometime
(X, Y)	The formula X or Y is one part of the formula (X, Y)
${X}_{K}$	The formula X is encrypted under the key K
${(X)}_{K}$	The formula X is hashed with the key K, and K may be used to prove the origin of X
$P \overset{k}{\leftrightarrow} Q$	Principals P and Q may use the shared key K to communicate. The key K will never be discovered by any principal except P and Q

Message-Meaning Rule. If the principal P believes that the secret key is shared with the principal Q and P sees that the statement X is encrypted or combined (hashed) under K then the principal P believes that the principal Q once said the statement X:

\begin{matrix} \frac{P | \equiv P \overset{K}{⟷} Q, P ⊲ {X}_{K}}{P | \equiv Q | ~ X}, \frac{P | \equiv P \overset{K}{⟷} Q, P ⊲ {(X)}_{K}}{P | \equiv Q | ~ X} . \end{matrix}

(1)

Freshness-Conjuncatenation Rule. Provided that the principal P believes freshness of the statement X, the principal P believes freshness of the (X, Y):

\begin{matrix} \frac{P | \equiv # (X)}{P | \equiv # (X, Y)} . \end{matrix}

(2)

Nonce-Verification Rule. Provided that the principal P believes that the statement X have never been utter before and the principal Q once said X, the principal P believes that Q believes X:

\begin{matrix} \frac{P | \equiv # (X), P | \equiv Q | ~ X}{P | \equiv Q | \equiv X} . \end{matrix}

(3)

Jurisdiction Rule. Provided that the principal P believes that the principal Q jurisdiction over the statement X, the principal P believes Q on the validity of X:

\begin{matrix} \frac{P | \equiv Q \Rightarrow X, P | \equiv Q | \equiv X}{P | \equiv X} . \end{matrix}

(4)

Belief Rules. A necessary property of the belief operator is that P believes a set of statements if and only if P believes each statement separately. This justifies the following rules:

\begin{matrix} \frac{P | \equiv X, P | \equiv Y}{P | \equiv (X, Y)}, \frac{P | \equiv (X, Y)}{P | \equiv X}, \\ \frac{P | \equiv Q | \equiv (X, Y)}{P | \equiv Q | \equiv X}, \frac{P | \equiv Q | ~ (X, Y)}{P | \equiv Q | ~ X} . \end{matrix}

(5)

(B) Formal Proof. In the following, it shows the security proof of the authentication protocol using the BAN logic.

(1) Formal Proof of Online User Authentication. This part presents the formal proof of the online user authentication protocol, when sensor nodes have active communication link with the gateway node.

In this case, the protocol must satisfy the following goals:

$G W \| \equiv A_{i}$ ,	$(G . 1)$
$S_{n} \| \equiv B_{i}$ ,	$(G . 2)$
$G W \| \equiv C_{i}$ ,	$(G . 3)$
$U_{i} \| \equiv D_{i}$ ,	$(G . 4)$
$U_{i} \| \equiv K_{U_{i} - G W}$ ,	$(G . 5)$
$G W \| \equiv K_{U_{i} - G W}$ ,	$(G . 6)$
$G W \| \equiv K_{S_{n} - G W}$ ,	$(G . 7)$
$S_{n} \| \equiv K_{S_{n} - G W}$ .	$(G . 8)$

First, messages of the protocol are transformed to the idealized form as shown below:

$U_{i} ⟶ G W :$ ${{I D}_{i}, ({I D}_{i} ∥ h ({I D}_{i} ∥ K) ∥ T_{1})}_{h ({I D}_{i} ∥ K)}, T_{1}$ ,	$(M . 1)$
$S_{n} ⟵ G W :$ ${{I D}_{i}, ({I D}_{i} ∥ h (S_{n} ∥ K) ∥ T_{2})}_{h (S_{n} ∥ K)}, T_{2}$ ,	$(M . 2)$
$S_{n} ⟶ G W :$ ${({I D}_{i} ∥ h (S_{n} ∥ K) T_{3})}_{h (S_{n} ∥ K)}, T_{3}$ ,	$(M . 3)$
$U_{i} ⟵ G W :$ ${({I D}_{i} ∥ h ({I D}_{i} ∥ K) ∥ T_{4})}_{h ({I D}_{i} \| \| K)}, T_{4}$ .	$(M . 4)$

Second, assumptions about the initial state of the protocol are defined. Those assumptions are listed below:

$G W \| \equiv # (T_{1})$ ,	$(A . 1)$
$S_{n} \| \equiv # (T_{2})$ ,	$(A . 2)$
$G W \| \equiv # (T_{3})$ ,	$(A . 3)$
$U_{i} \| \equiv # (T_{4})$ ,	$(A . 4)$
$U_{i} \| \equiv U_{i} \overset{h ({I D}_{i} ∥ K)}{⟷} G W$ ,	$(A . 5)$
$G W \| \equiv U_{i} \overset{h ({I D}_{i} ∥ K)}{⟷} G W$ ,	$(A . 6)$
$S_{n} \| \equiv S_{n} \overset{h (S_{n} ∥ K)}{⟷} G W$ ,	$(A . 7)$
$G W \| \equiv S_{n} \overset{h (S_{n} ∥ K)}{⟷} G W$ ,	$(A . 8)$
$G W \| \equiv U_{i} \Rightarrow A_{i}$ ,	$(A . 9)$
$S_{n} \| \equiv G W \Rightarrow B_{i}$ ,	$(A . 10)$
$G W \| \equiv S_{n} \Rightarrow C_{i}$ ,	$(A . 11)$
$U_{i} \| \equiv G W \Rightarrow D_{i}$ .	$(A . 12)$

Finally, the proof steps to the idealized form of the proposed protocol are performed based on BAN logic rules and assumptions. The proof steps are as in Table 21.

The proposed goals were reached by $(S . 5)$ , $(S . 10)$ , $(S . 15)$ , $(S . 20)$ , $(S . 21)$ , $(S . 22)$ , $(S . 23)$ , and $(S . 24)$ . In summary, this paper has demonstrated how the proposed online user authentication protocol is secure and provides mutual authentication among $U_{i}$ , GW, and $S_{n}$ .

(2) Formal Proof of Offline or Gateway-Less User Authentication

(a) Permit Issue Subprotocol. In the following, there is the security proof of the proposed permit issue sub-protocol. In this sub-protocol, goals to be reached are as follows:

$G W \| \equiv A_{i}$ ,	$(G . 1)$
$U_{i} \| \equiv {P e r m i t}_{i n}$ .	$(G . 2)$

First, messages of the protocol are transformed to the idealized form as shown below:

$U_{i} ⟶ G W :$ ${{I D}_{i}, ({I D}_{i} ∥ h ({I D}_{i} ∥ K) ∥ T_{1})}_{h ({I D}_{i} ∥ K)}, T_{1}$ ,	$(M . 1)$
$S_{n} ⟵ G W :$ ${{P e r m i t}_{i n}, T_{p e r m i t}}_{K_{U_{i} - G W}}, T_{p e r m i t}$ .	$(M . 2)$

Second, the following assumptions are made about the initial state of the sub-protocol to analyze the proposed scheme:

$G W \| \equiv # (T_{1})$ ,	$(A . 1)$
$U_{i} \| \equiv # (T_{p e r m i t})$ ,	$(A . 2)$
$U_{i} \| \equiv U_{i} \overset{h (I D_{i} ∥ K)}{⟷} G W$ ,	$(A . 3)$
$G W \| \equiv U_{i} \overset{h (I D_{i} ∥ K)}{⟷} G W$ ,	$(A . 4)$
$G W \| \equiv U_{i} \Rightarrow A_{i}$ ,	$(A . 5)$
$U_{i} \| \equiv G W \Rightarrow {P e r m i t}_{i n}$ .	$(A . 6)$

Finally, proof steps to the idealized form of the proposed sub-protocol are performed based on the BAN logic rules and the assumptions as in Table 22.

The proposed goals were reached by $(S . 5)$ and $(S . 10)$ . In summary, this paper has demonstrated how the proposed permit issue sub-protocol is secure and provides mutual authentication between $U_{i}$ and GW.

(b) User Authentication Subprotocol. In the following, there is the security proof of the proposed user authentication sub-protocol using the BAN logic. The sub-protocol will satisfy the following goals:

$S_{n} \| \equiv P_{i}$ ,	$(G . 1)$
$U_{i} \| \equiv Q_{i}$ ,	$(G . 2)$
$S_{n} \| \equiv K_{U_{i} - S_{n}}$ ,	$(G . 3)$
$U_{i} \| \equiv K_{U_{i} - S_{n}}$ .	$(G . 4)$

First, here is the transformation of protocol's messages to the idealized form:

$U_{i} ⟶ S_{n} :$
${I D}_{i},  {( {I D}_{i}  ∥  h ( {I D}_{i}  ∥  K_{n}  ∥  T_{p e r m i t} )  ∥  T_{1} )}_{h ({I D}_{i} ∥ K_{n} ∥ T_{p e r m i t})}$ ,
$T_{1}, T_{p e r m i t}$ ,
	$(M . 1)$
$U_{i} ⟵ S_{n} :$
$({I D}_{i}  ∥  h {( {I D}_{i}  ∥  K_{n}  ∥  T_{p e r m i t}) ∥  T_{2} )}_{h ({I D}_{i} ∥ K_{n} ∥ T_{p e r m i t}), T_{2}}$ .	$(M . 2)$

Second, the following assumptions are made about the initial state of the scheme to analyze the proposed scheme:

$S_{n} \| \equiv # (T_{1})$ ,	$(A . 1)$
$U_{i} \| \equiv # (T_{2})$ ,	$(A . 2)$
$U_{i} \| \equiv U_{i} \overset{h ({I D}_{i} ∥ K_{n} ∥ T_{p e r m i t})}{⟷} S_{n}$ ,	$(A . 3)$
$S_{n} \| \equiv U_{i} \overset{h ({I D}_{i} ∥ K_{n} ∥ T_{p e r m i t})}{⟷} S_{n}$ ,	$(A . 4)$
$S_{n} \| \equiv U_{i} \Rightarrow P_{i}$ ,	$(A . 5)$
$U_{i} \| \equiv S_{n} \Rightarrow Q_{i}$ .	$(A . 6)$

Finally, the proof steps to the idealized form of the proposed sub-protocol are performed based on the BAN logic rules and the assumptions as in Table 23.

The proposed goals were reached by $(S . 5)$ , $(S . 10)$ , $(S . 11)$ , and $(S . 12)$ . In summary, this paper has demonstrated how the proposed user authentication sub-protocol is secure and provides mutual authentication between $U_{i}$ and $S_{n}$ .

5.1.2. Security Verification

This subsection analyzes the security of the proposed solution from the point of view of basic security requirements mentioned in Section 3. This section also analyzes how the proposed solution is secure against possible attacks. As mentioned previously, the paper assumes that the communication channels used in user authentication are insecure and that there exists an attacker who can intercept all messages exchanged among $U_{i}$ , GW, and $S_{n}$ . In addition, the paper assumes that the attacker can obtain or steal legal user $U_{i}$ 's smart card. Based on these assumptions, the attacker might execute certain attacks to interfere with the proposed scheme.

(A) Security Analysis of Basic Requirements

Confidentiality. Confidentiality of messages is guaranteed by usage of secret values. Communication between $U_{i}$ and GW is encrypted using $K_{i} = h ({I D}_{i} ∥ K)$ while communication between GW and $S_{n}$ is encrypted using $K_{n} = h (S_{n} ∥ K)$ . Additionally, the communication messages in offline user authentication are encrypted by using a value generated from ${P e r m i t}_{i n}$ . Furthermore, session keys ( $K_{U_{i} - G W}$ , $K_{S_{n} - G W}$ , and $K_{U_{i} - S_{n}}$ ) are generated to guarantee the transmission of confidential values after authentication.

Integrity. Integrity of messages transmitted during the authentication process is guaranteed by verification in each step of protocols. In each verification step, entities, that is, $U_{i}$ , GW, and $S_{n}$ , compare the received data with values autonomously calculated by them to confirm the authenticity of messages.

Freshness. In network security protocols, the freshness and uniqueness of messages allow the provision of a strong defense against replay attacks. These two properties are reachable by using a time variant parameter inside messages, such as random numbers, sequence numbers, and timestamps, being most common the usage of random numbers (nonces) and timestamps. This work has used the timestamp method because it is always more efficient in terms of number of communication rounds compared to the nonce-based counterpart [28].

(B) Security Verification from Possible Attacks

Privileged-Insider Attack. In the proposed solution, $U_{i}$ transmits his/her pseudo-password ${P P W}_{i} = h ({P W}_{i}) \oplus r_{i}$ instead of ${P W}_{i}$ . Therefore, GW will never know the ${P W}_{i}$ value. This means that only $U_{i}$ will know his/her secret password, protecting $U_{i}$ in this way from a privileged-insider attack. Additionally, a random value $r_{i}$ is incorporated inside ${P P W}_{i}$ to make the discovery of ${P W}_{i}$ harder.

Stolen-Verifier Attack. One of the features of the proposed protocol is the absence of a password/verifier table in GW and $S_{n}$ . This feature prevents our solution from stolen-verifier attacks.

Replay Attack. Timestamps are used to avoid replay attacks. In each message, a different timestamp is used to guarantee its freshness.

Parallel Session Attack. In previous works, the attacker can obtain a valid authentication request message for the next timestamp because they use the XOR operation in a vulnerable way (see reference [8] for more details). In the proposed protocol, we have eliminated the possibility of parallel session attack by sending hash values instead of values resulting from XOR operations. Therefore, even though another legal user of the system eavesdrops on $U_{i}$ 's message ${{I D}_{i}, A_{i}, T_{1}}$ or ${{I D}_{i}, P_{i}, T_{1}, T_{p e r m i t}}$ , he/she cannot obtain the secret values $A_{i}$ or $P_{i}$ for the next timestamp $T_{2}$ because they are irreversible one-way hash values.

Guessing Attack. In the proposed scheme, secret values are never sent in plaintext but encrypted by a one-way hash function or symmetric cryptography algorithm. Therefore, even when the adversary got $A_{i}$ , $B_{i}$ , $C_{i}$ , $D_{i}$ , ${E P}_{i}$ , $P_{i}$ , or $Q_{i}$ , he or she could not guess any secret value (i.e., ${P W}_{i}$ , $K_{i}$ , $K_{n}$ , or K) because of the secure property of the hash and symmetric cryptography algorithms.

Gateway-Node Bypassing Attack. The reason for the possibility of a GW bypassing attack in [3, 6] is due to the sharing of secret parameter $x_{a}$ with $S_{n}$ and $U_{i}$ . If the value of $x_{a}$ is compromised, then the whole sensor network will become vulnerable to the gateway node bypassing attack. On the other hand, the reason for the possibility of the gateway node bypassing attack in [7] is due to the secret value $x_{s}$ stored in sensor nodes which can be extracted using similar method of extracting $x_{a}$ from a smart card [11–13]; if $x_{s}$ is extracted, the adversary can execute the GW bypassing attack using $D {I D}_{f} = h ({I D}_{f} ∥ {P W}_{f}) \oplus h (x_{a} ∥ T_{f})$ and $A_{f} = h ({D I D}_{f} ∥ S_{n} ∥ x_{s} ∥ T_{f})$ .

In the proposed protocol, $U_{i}$ 's smart card and $S_{n}$ do not store either $x_{a}$ or $x_{s}$ but instead store other individual secret values $N_{i} = h ({I D}_{i} ∥ {P P W}_{i}) \oplus ({I D}_{i} ∥ K)$ and $K_{n} = h (S_{n} ∥ K)$ which are unique per smart card and sensor node. Therefore, even if the $K_{n}$ value was extracted from a sensor node, the rest of nodes will still maintain their security. On the other hand, even if the $N_{i}$ were extracted from a smart card, the $N_{i}$ would be unusable without the correct ${P W}_{i}$ value because the $A_{i}$ used for authentication is generated by using the $h ({I D}_{i} ∥ K)$ which can only be obtained with the correct $h ({I D}_{i} ∥ {P P W}_{i})$ value.

User Impersonation. An adversary who wants to impersonate a valid user $U_{i}$ to log into the network must calculate a valid $A_{i}$ (for the online and offline user authentication) or $P_{i}$ (for the permit issue). Since $A_{i} = h ({I D}_{i} ∥ K_{i} ∥ T_{1})$ and $P_{i} = h ({P e r m i t}_{i n} \oplus K_{i} ∥ T_{1})$ are calculated by a one-way hash function, the adversary cannot decipher such values. Additionally, $A_{i}$ and $P_{i}$ cannot be created arbitrarily because they are based on the secret value $K_{i}$ obtainable only with the correct $N_{i}$ and ${P W}_{i}$ .

Gateway-Node Impersonation. An adversary who wants to impersonate a valid GW must calculate a valid $B_{i}$ (for the online user authentication) or ${E P}_{i}$ (for the permit issue). Since $B_{i} = h ({I D}_{i} ∥ K_{n} ∥ T_{2})$ and $E P_{i} = E_{K_{U_{i} - G W}} ({P e r m i t}_{i n} ∥ T_{p e r m i t})$ are calculated using one-way hash function or a secure symmetric cryptographic algorithm, the adversary cannot decipher such values. Additionally, $B_{i}$ and ${E P}_{i}$ cannot be created arbitrarily because they are based on the secret value K which is only known by the authentic GW.

Sensor Node Impersonation. An adversary who wants to impersonate a valid $S_{n}$ must calculate a valid $C_{i}$ (for the online user authentication) or $Q_{i}$ (for the offline user authentication). Since $C_{i} = h ({I D}_{i} ∥ K_{n} ∥ T_{3})$ and $Q_{i} = h (h ({I D}_{i} ∥ K_{n} ∥ T_{p e r m i t}) ∥ T_{2})$ are calculated using one-way hash function, the adversary cannot decipher such values. Additionally, $C_{i}$ and $Q_{i}$ cannot be created arbitrarily because they are based on the secret value $K_{n}$ which is only known by the authentic GW.

Many Logged-In Users with the Same Login-ID. By using two-factor based authentication, the proposed scheme offers higher protection than only password-based schemes. Assuming that the $U_{i}$ 's smart card is not cloned, the proposed protocol successfully prevents this threat because the authentication process requires computation executed inside the valid smart card.

Brute-Force Attack. An attacker can try two kinds of brute-force attacks. (1) First, the attacker can attempt to authenticate by sending random or sequential messages $(A_{i}$ , $B_{i}$ , or $P_{i})$ to GW or $S_{n}$ . However, as well as explained in the replay attack, this attack becomes infeasible because each authentication process uses a different timestamp. (2) On the other hand, an insider with a valid smart card can try to discover the secret values by performing brute-force attacks. However, the determination of those values is infeasible because they are stored using secure one-way hash functions. If higher level of protection for K was required, additional random numbers $R_{i}$ and $R_{n}$ could be added for the generation of $K_{i} = h ({I D}_{i} ∥ K ∥ R_{i})$ and $K_{n} = h (S_{n} ∥ K ∥ R_{n})$ , respectively, which would be stored secretly in the GW. By using those additional random numbers, the number of possible combinations to decipher $K_{i}$ and $K_{n}$ is increased by $2^{n}$ times, where n is the size in bits of $R_{i}$ and $R_{n}$ .

(C) Security Verification of Other Security Requirements

Mutual Authentication. The proposed protocol provides both mutual authentication between $U_{i}$ and GW as well as between GW and $S_{n}$ , (i)

Online User Authentication. (1) The mutual authentication between $U_{i}$ and GW is verified as follows. GW verifies the authenticity of $U_{i}$ by comparing $A_{i}$ sent by $U_{i}$ with the $A_{i}^{*}$ value calculated by itself. $A_{i}$ can only be computed by the authentic $U_{i}$ because it is based on the secret value $h ({I D}_{i} ∥ K)$ only calculable with the valid $N_{i}$ and ${P W}_{i}$ which are personal to each $U_{i}$ . In the same way, $U_{i}$ verifies the authenticity of GW by comparing $D_{i}$ sent by GW with the $D_{i}^{*}$ value computed by $U_{i}$ . $D_{i}$ can only be computed by the authentic GW because it is based on the secret value K only known by the authentic GW. (2) On the other hand, the mutual authentication between GW and $S_{n}$ is verified as follows. $S_{n}$ verifies the authenticity of GW by comparing $B_{i}$ sent by GW with the $B_{i}^{*}$ value calculated by itself. $B_{i}$ can only be computed by the authentic GW because it is based on the secret value K. In the same way, GW verifies the authenticity of $S_{n}$ by comparing $C_{i}$ sent by GW with the $C_{i}^{*}$ value computed by GW. $C_{i}$ can only be computed by the authentic $S_{n}$ because it is based on the secret $K_{n}$ value only known by the specific $S_{n}$ .

(ii)

Offline or Gateway-Less User Authentication/Permit Issue Subprotocol. The mutual authentication between $U_{i}$ and GW is verified as follows. GW verifies the authenticity of $U_{i}$ by comparing $A_{i}$ sent by $U_{i}$ with the $A_{i}^{*}$ value calculated by itself. $A_{i}$ can only be computed by the authentic $U_{i}$ because it is based on the secret value $h ({I D}_{i} ∥ K)$ only calculable with the valid $N_{i}$ and ${P W}_{i}$ which are personal to each $U_{i}$ . On the other hand, $U_{i}$ verifies the authenticity of GW by comparing $T_{p e r m i t}$ sent in plaintext by GW with the $T_{p e r m i t}$ value contained inside ${E P}_{i}$ . ${E P}_{i}$ can only be computed by the authentic GW because it is based on the secret value K only known by GW.

(iii)

Offline or Gateway-Less User Authentication/User Authentication Subprotocol. The mutual Authentication between $U_{i}$ and $S_{n}$ is verified as follows. $S_{n}$ verifies the authenticity of $U_{i}$ by comparing $P_{i}$ sent by $U_{i}$ with the $P_{i}^{*}$ value calculated by itself. $P_{i}$ can only be computed by the authentic $U_{i}$ because it is based on the secret value ${P e r m i t}_{i n} \oplus K_{i}$ only calculable by the authentic $U_{i}$ . On the other hand, $U_{i}$ verifies the authenticity of $S_{n}$ by comparing $Q_{i}$ sent by $S_{n}$ with the $Q_{i}^{*}$ value calculated by $U_{i}$ . $Q_{i}$ can only be computed by the authentic $S_{n}$ because it is based on the secret value $K_{n}$ only known by $S_{n}$ .

Password Change Phase. Our proposal offers a lightweight password change phase that does not require communication with GW, making it secure and efficient.

Session Key Establishment. Our proposal offers a simple and practical method for session key establishment among $U_{i}$ , GW, and $S_{n}$ .

(D) Summary of Security Features of the Proposed Solution. Table 4 shows the comparison of security features among different works. This demonstrates how our scheme is stronger in terms of security. Our approach provides protection against different kinds of attacks (privileged-insider attack, gateway-node bypassing attack), also provides a secure password change phase and session key establishment, and achieves complete mutual authentication (mutual authentication between GW and $S_{n}$ and between $U_{i}$ and GW) features that previous works do not offer or offer with limitations.

Table 4

List of enhanced security features of the proposed scheme.

Security feature	Proposed	Das's [3]	Nyang-Lee's [4]	Huang et al.'s [5]	Chen-Shih's [6]	Khan-Alghathbar's [7]
Secure password change/update	Yes	No	No	Yes	No	Yes
Protection against insider's attack	Yes	No	No	No	No	Yes
Protection against $G W$ bypassing attack	Yes	No	No	No	No	Partial
Protection against parallel session attack	Yes	No	Yes	No	No	No
Mutual authentication between $G W$ and $S_{n}$	Yes	No	Yes	No	No	Yes
Mutual authentication between $U_{i}$ and $G W$	Yes	No	Yes	No	No	No
Session key establishment	Yes	No	Yes	No	No	No
Offline user authentication	Yes	No	No	No	No	No

5.2. Performance and Cost Analysis

5.2.1. Cryptographic Operations

Table 5 indicates the number of cryptographic operations required in each protocol per entity for online user authentication. It shows that our protocol requires a few more operations in the verification phase than some previous works. However, the majority of additional operations are executed by $U_{i}$ or GW infrastructure which has no energy or computation power limitations. Therefore, the additional operations are not an impediment for real implementation. Additionally, it is possible to say that the additional operations are justifiable considering that our scheme includes security features that previous works do not offer, which is indispensable for implementing a reliable and trustworthy network. It is important to remember that a failure at the component level will often compromise the security of the entire system [29]. Furthermore, the proposed solution provides further usability delivering offline authentication when sensor nodes cannot communicate with the gateway node which is really useful in different kinds of applications such as the military and natural phenomenon monitoring. Table 6 shows the number of cryptographic operations required to execute the offline user authentication protocol. The permit issue sub-protocol requires 5 hash executions and 1 symmetric cryptographic operation in both $U_{i}$ and GW. However, we believe this overhead is not an impediment for a real implementation because $U_{i}$ and GW are powerful entities without resource limitations. On the other hand, the additional hash execution required by $S_{n}$ in the offline user authentication sub-protocol (compared to the proposed online user authentication) is not an impediment for real implementation because it is not executed all the time but only in extraordinary situations.

Table 5

Number of cryptographic operations in online user authentication.

Protocol	Entity	Proposed	Das' [3]	Nyang-Lee's [4]	Huang et al.'s [5]	Chen-Shih's [6]	Khan-Alghathbar's [7]
	$U_{i}$	2 h	0 h	0 h	1 h	0 h	1 h
User registration protocol	$G W$	2 h	3 h	3 h	3 h	3 h	2 h
	$S_{n}$	0 h	0 h	0 h	0 h	0 h	0 h

	$U_{i}$	7 h	n/a	n/a	4 h	n/a	4 h
Password change protocol	$G W$	0 h	n/a	n/a	0 h	n/a	0 h
	$S_{n}$	0 h	n/a	n/a	0 h	n/a	0 h

Online user authentication protocol	$U_{i}$	5 h	4 h	7 h + 1 sd	4 h	5 h	4 h
	$G W$	6 h	4 h	8 h + 1 se	6 h	5 h	5 h
	$S_{n}$	2 h	1 h	4 h + 1 se + 1 sd	1 h	1 h	2 h

h: hash, se: symmetric encryption, and sd: symmetric decryption.

Table 6

Number of cryptographic operations in offline user authentication.

Subprotocol	Entity	Number of operations
Permit issue subprotocol	$U_{i}$	5 h + 1 sd
Permit issue subprotocol	$G W$	5 h + 1 se

Authentication subprotocol	$U_{i}$	5 h
Authentication subprotocol	$S_{n}$	3 h

h: hash, se: symmetric encryption, and sd: symmetric decryption.

5.2.2. Number of Messages

Analyzing the number of messages transmitted and received by sensor nodes is considered important because it affects the energy consumption of those devices. This paper only focuses on the protocols where the resource limited sensor nodes participate in (i.e., online and offline user authentication protocols). Table 7 shows the number of transmissions and receptions executed by different entities in online user authentication protocols in different proposals. It illustrates how the proposed protocol maintains equal or less number of messages than previous works to show its competitiveness.

Table 7

Number of transmissions and receptions in online user authentication.

Entity	Proposed		Das' [3]		Nyang-Lee's [4]		Huang et al.'s [5]		Chen-Shih's [6]		Khan-Alghathbar's [7]
Entity	$T x$	$R x$	$T x$	$R x$	$T x$	$R x$	$T x$	$R x$	$T x$	$R x$	$T x$	$R x$
$U_{i}$	1	1	1	1	1	1	1	1	1	2	1	1
$G W$	2	2	2	2	2	2	2	2	3	2	2	2
$S_{n}$	1	1	1	1	1	1	1	1	1	1	1	1

Tx: transmission; Rx: reception.

Going into details of Table 7, the present work also presents the content of messages transmitted and received by different entities and their sizes in each solution (see Tables 8, 9, 10, 11, 12, and 13). This work has considered that the size of the different data inside of messages, such as user identification, timestamps, hash values, and login confirmation messages, is equal because the intention of this part is to analyze the number of data units in each protocol (analysis using more realistic data sizes is executed in Section 5.2.3). As you can see in Tables 8–13, the most lightweight solutions in terms of messages sizes in sensor nodes are those proposed by Das, Huang et al., and Chen-Shih. However, messages sizes in those protocols are reduced because they omit steps required to provide mutual authentication between the gateway-node and sensor nodes opening serious vulnerabilities. Therefore, even though they offer less communication, they cannot be considered as optimal solutions. On the other hand, Table 9 shows how Nyang-Lee's proposal has the highest communication overhead requiring 4 data units for transmission and 4 data units for reception in sensor nodes. Finally, Alghathbar's proposal and the proposed solution have the same communication overhead in sensor nodes with 2 data units in transmission and 3 data units in reception.

Table 8

Details of communication messages of Das' proposal [3].

Entity	Transmission ( $T x$ )		Reception ( $R x$ )
Entity	Content of messages	Total size	Content of messages	Total size
$U_{i}$	${{D I D}_{i}$ , $C_{i}$ , $T}$	3	{Login OK}	1
$G W$	${D {I D}_{i}$ , $A_{i}$ , $T}$ , {Login OK}	4	${D {I D}_{i}$ , $C_{i}$ , $T}$ , {Login OK}	4
$S_{n}$	{Login OK}	1	${D {I D}_{i}$ , $A_{i}$ , T′}	3

Table 9

Details of communication messages of Nyang-Lee's proposal [4].

Entity	Transmission ( $T x$ )		Reception ( $R x$ )
Entity	Content of messages	Total size	Content of messages	Total size
$U_{i}$	${D {I D}_{i}$ , $C_{i}$ , $T}$	3	${S_{n}$ , R, T′′, $B_{i}}$	4
$G W$	${D {I D}_{i}$ , $D_{i}$ , T′ $A_{i}}$ , ${S_{n}$ , R, T′′, $B_{i}}$	8	${D {I D}_{i}$ , $C_{i}$ , $T}$ , ${S_{n}$ , R, T′′, $B_{i}}$	7
$S_{n}$	${S_{n}$ , R, T′′, $B_{i}}$	4	${D {I D}_{i}$ , $D_{i}$ , T′, $A_{i}}$	4

Table 10

Details of communication messages of Huang et al.'s proposal [5].

Entity	Transmission ( $T x$ )		Reception ( $R x$ )
Entity	Content of messages	Total size	Content of messages	Total size
$U_{i}$	${D {I D}_{i}$ , $C_{i}$ , $T}$	3	{Login OK}	1
$G W$	${D {I D}_{i}$ , $A_{i}$ , T′}, {Login OK}	4	${D {I D}_{i}$ , $C_{i}$ , $T}$ , {Login OK}	4
$S_{n}$	{Login OK}	1	${D {I D}_{i}$ , $A_{i}$ , T′}	3

Table 11

Details of communication messages of Chen-Shih's proposal [6].

Entity	Transmission ( $T x$ )		Reception ( $R x$ )
Entity	Content of messages	Total size	Content of messages	Total size
$U_{i}$	${D {I D}_{i}$ , $C_{i}$ , $T_{u}$ , $R_{i}}$	4	${C_{g}$ , $R_{c}$ , $S_{n}}$ , {Login OK}	4
$G W$	${D {I D}_{i}$ , $A_{i}$ , T′}, ${C_{g}$ , $R_{c}$ , $S_{n}}$ , {Login OK}	7	${D {I D}_{i}$ , $C_{i}$ , $T_{u}$ , $R_{i}}$ , {Login OK}	5
$S_{n}$	{Login OK}	1	${D {I D}_{i}$ , $A_{i}$ , T′}	3

Table 12

Details of communication messages of Khan-Alghathbar's proposal [7].

Entity	Transmission ( $T x$ )		Reception ( $R x$ )
Entity	Content of messages	Total size	Content of messages	Total size
$U_{i}$	${D {I D}_{i}$ , $C_{i}$ , $T}$	3	{Login OK}	1
$G W$	${D {I D}_{i}$ , $A_{i}$ , T′}, {Login OK}	4	${D {I D}_{i}$ , $C_{i}$ , $T}$ , ${B_{i}$ , T′′}	5
$S_{n}$	${B_{i}$ , T′′}	2	${D {I D}_{i}$ , $A_{i}$ , T′}	3

Table 13

Details of communication messages of the proposed scheme (online user authentication).

Entity	Transmission ( $T x$ )		Reception ( $R x$ )
Entity	Content of messages	Total size	Content of messages	Total size
$U_{i}$	${{I D}_{i}$ , $A_{i}$ , $T_{1}}$	3	${D_{i}$ , $T_{4}}$	2
$G W$	${{I D}_{i}$ , $B_{i}$ , $T_{2}}$ , ${D_{i}$ , $T_{4}}$	5	${{I D}_{i}$ , $A_{i}$ , $T_{1}}$ , ${C_{i}$ , $T_{3}}$	5
$S_{n}$	${C_{i}$ , $T_{3}}$	2	${{I D}_{i}$ , $B_{i}$ , $T_{2}}$	3

On the other hand, Table 14 shows the number of messages in offline user authentication. In this protocol, only one message exchange between $U_{i}$ and $S_{n}$ is executed, showing how it is efficient in this aspect. In case of $S_{n}$ , it only requires the transmission and reception of 2 and 4 data units, respectively.

Table 14

Details of communication messages of the proposed scheme (offline user authentication).

Entity	Transmission ( $T x$ )			Reception ( $R x$ )
Entity	Number of messages	Content of messages	Total size	Number of messages	Content of messages	Total size
$U_{i}$	1	${{I D}_{i}$ , $P_{i}$ , $T_{1}$ , $T_{p e r m i t}}$	4	1	${Q_{i}$ , $T_{2}}$	2
$S_{n}$	1	${Q_{i}$ , $T_{2}}$	2	1	${{I D}_{i}$ , $P_{i}$ , $T_{1}$ , $T_{p e r m i t}}$	4

5.2.3. Energy Consumption

One of the most sensible limitations in sensor nodes is their energy capacity. Therefore, it is important to analyze the energy consumption in those devices. The energy consumptions of user station and gateway node have not been analyzed because they do not suffer from this aspect. Following the fact that the battery power of a sensor node is depleted by computational processing and radio consumption [30], this paper has calculated the energy consumption overhead caused by (1) cryptographic operations and (2) radio communications in executing the proposed security mechanism.

(A) Energy Consumption Overhead of Cryptographic Operations. First, for the calculation of energy used by cryptographic operations, this paper has used the energy consumption estimates indicated in [16]. In [16], the authors estimated that the energy per bit consumed by MIPS R4400 and MC68328 “DragonBall” processors for performing AES encryption/decryption operations is 9 nJ/bit and 101 nJ/bit, respectively, while for the SHA-1 hashing function the same processors consume 7.2 nJ/bit and 41 nJ/bit, respectively. Additionally, this work has assumed that the size of random numbers is 160 bits, the sizes of timestamps, identifications (ID of users, gateway node, and sensor nodes), and Login OK messages are 64 bits each, and the sizes of secret values such as $x_{a}$ , $x_{s}$ , $x_{n}$ , $K_{n}$ are 160 bits each. Using those values, the energy consumption of cryptographic operation in each scheme was calculated (see Table 15). Here is an example of how the energy consumptions of cryptographic operation were calculated: in the proposed online authentication protocol, two hash values are calculated by $S_{n}$ , that is, $B_{i}^{*}$ and $C_{i}$ . As the input values for the generation of $B_{i}^{*}$ and $C_{i}$ are 288 bits each, the energy used in generating $B_{i}^{*}$ and $C_{i}$ will be 7.2 nJ/bit * 288 bits = 0.002074 mJ for MIPS R4400 processor and 41 nJ/bit * 288 bits = 0.011808 mJ for MC68628 processor. Therefore, the total energy used by the cryptographic operations in the proposed online user authentication protocol will be the summation of the energy consumptions in generating $B_{i}^{*}$ and $C_{i}$ , that is, 0.0041472 mJ and 0.023616 mJ for MIPS R4400 and MC68628 processors, respectively. Table 15 shows how the proposed solution consumes 0.00092, 0.00138, and 0.00092 mJ more than M. Das, Huang et al., and Chen-Shih's schemes, respectively, and consumes 0.012557 and 0.001152 mJ less than Nyang-Lee and Khan-Alghathbar's schemes, respectively, when using the MIPS R4400 processor. Using the data of the table, it is also possible to deduce that the proposed solution consumes 0.002097 mJ less than the average energy consumption of the rest of approaches, which means it has competitive energy consumption compared to the rest of solutions. Similar conclusion can be reached with the energy consumption values when using the MC68328 microprocessor.

Table 15

Energy consumption of cryptographic operations executing different online user authentication protocols.

Scheme	Energy (mJ)
Scheme	MIPS R4000	MC68328
Proposed	0.0041472	0.023616
Das' [3]	0.0032256	0.018368
Nyang-Lee's [4]	0.0167040	0.111040
Huang et al.'s [5]	0.0027648	0.015744
Chen-Shih's [6]	0.0032256	0.018368
Khan-Alghathbar's [7]	0.0052992	0.030176

On the other hand, this work also has calculated the energy consumption of sensor nodes in executing cryptographic operations during the offline user authentication sub-protocol (see Table 16). It shows how this approach consumes 0.001152 and 0.00656 mJ more than the online user authentication using MIPS R4000 and MC68328 processors, respectively. However, we believe that it is not an impediment for real implementation because offline user authentication is not executed all the time but only in extraordinary situations where online user authentication cannot cover.

Table 16

Energy consumption of cryptographic operations executing the proposed offline user authentication sub-protocol.

Energy (mJ)
MIPS R4000	MC68328
0.0052992	0.030176

(B) Energy Consumption Overhead of Radio Communication. For the calculation of energy consumption of radio communication produced by the proposed protocols, the present work has assumed a simple model where the radio dissipates $E_{e l e c} = 50$ nJ/bit to run the transmitter or receiver circuitry and $E_{a m p} = 10$ pJ/bit/m² to run the transmitter amplifier (see Table 17), similar to the model used in [31–33]. Additionally, for the calculation of the energy consumption, this work has used the parameters indicated in Table 17 and has assumed that the implemented hash function is SHA1 (160 bits hash value), the sizes of random numbers are 160 bits, the sizes of timestamps, identifications (ID of users, gateway node, and sensor nodes), and Login OK messages are 64 bits each, and the sizes of secret values such as $x_{a}$ , $x_{s}$ , $x_{n}$ , $K_{n}$ are 160 bits each.

Table 17

Radio communication parameters.

Parameter	Value
Transmitter/receiver Electronics $E_{e l e c}$	50 nJ/bit
Transmitter amplifier $E_{a m p}$	10 pJ/bit
Distance d	50 m
Transmission energy model $E_{T X}$	$E_{T x} = (E_{e l e c} + E_{a m p} * d^{2}) * k$
Reception energy model $E_{R x}$	$E_{R x} = E_{e l e c} * k$

Table 18 indicates the energy used by a sensor node in executing the online user authentication in different schemes. Here we show an example of how such values were calculated. In the proposed online authentication protocol, the message ${{I D}_{i}, B_{i}, T_{2}}$ is received and the message ${C_{i}, T_{3}}$ is sent by $S_{n}$ . In this example, the total radio communication energy consumption is calculated by adding the energy used in reception and transmission of messages. As the receiving message's size is 288 bits, the radio communication energy used for reception will be 50 nJ/bit * 288 bits = 0.0144 mJ. On the other hand, as the transmitting message's size is 224 bits, the radio communication energy used for transmission will be (50 nJ + 10 pJ/bit/m² * (50 m)²) * 224 bits = 0.0168 mJ. Then, the total radio communication energy used in the proposed online authentication protocol will be 0.0144 mJ + 0.0168 mJ = 0.0312 mJ. Table 18 shows how the proposed solution consumes 0.0072 mJ more than M. Das, Huang et al.'s and Chen-Shih's schemes and consumes 0.0256 and 0.0048 mJ less than Nyang-Lee's and Khan-Alghathbar's schemes, respectively. It also illustrates how the proposed solution consumes 0.000176 mJ less than the average energy consumption of the rest of approaches, which means it has competitive energy consumption compared to the rest of solutions.

Table 18

Energy consumption of radio communication in different protocols.

Scheme	Energy (mJ)
Proposed online/offline user authentication	0.0312/0.0344
Das' [3]	0.0240
Nyang-Lee's [4]	0.0568
Huang et al.'s [5]	0.0240
Chen-Shih's [6]	0.0240
Khan-Alghathbar's [7]	0.0360

On the other hand, the offline user authentication sub-protocol only consumes 0.0032 mJ more than the proposed online user authentication protocol. We believe that this difference is acceptable considering the extraordinary situation when the offline user authentication is used.

(C) Total Energy Consumption Overhead. The total energy consumption overhead in sensor nodes can be calculated adding the energy consumption of cryptographic operations and radio communication. Table 19 shows the total energy consumption overhead of different schemes. It shows that the proposed solution consumes 0.008122, 0.008582, and 0.008122 mJ more than M. Das's, Huang et al.'s, and Chen-Shih's schemes, respectively, and consumes 0.03816 and 0.00595 mJ less than Nyang-Lee's and Khan-Alghathbar's schemes, respectively, when using the MIPS R4400 processor. It also illustrates how the proposed solution consumes 0.00386 mJ less than the average energy consumption of the rest of approaches, which means it has competitive energy consumption compared to the rest of solutions. Similar conclusion can be reached with the energy consumption of schemes when using the MC68328 microprocessor. It is important to say that the additional energy overhead from other works is justifiable considering that our scheme includes security features that previous works do not offer, which is indispensable for implementing a reliable and trustworthy network.

Table 19

Total energy consumption overhead of authenticating sensor nodes executing different online user authentication protocols.

Scheme	Total energy (mJ)
Scheme	MIPS R4000	MC68328
Proposed	0.0353472	0.054816
Das' [3]	0.0272256	0.042368
Nyang-Lee's [4]	0.0735040	0.167840
Huang et al.'s [5]	0.0267648	0.039744
Chen-Shih's [6]	0.0272256	0.042368
Khan-Alghathbar's [7]	0.0412992	0.066176

On the other hand, Table 20 shows the total energy consumption of authenticating sensor nodes executing the proposed offline user authentication sub-protocol. It shows that this approach consumes 0.004352 and 0.00976 mJ more than the online user authentication using MIPS R4000 and MC68328 processors, respectively. However, we believe that it is not an impediment for real implementation because offline user authentication is not executed all the time but only in extraordinary situations where online user authentication cannot cover.

Table 20

Total energy consumption overhead of authenticating sensor nodes executing the proposed offline user authentication sub-protocol.

Total energy (mJ)
MIPS R4000	MC68328
0.0396992	0.064576

Table 21

$G W {⊲ (I D_{i} ∥ h (I D_{i} ∥ K) ∥ T_{1})}_{h (I D_{i} ∥ K)}$	$(S . 1)$	// by $(M . 1)$
$G W ∣ \equiv U_{i} ∣ ~ {(I D_{i} ∥ h (I D_{i} ∥ K) ∥ T_{1})}_{h (I D_{i} ∥ K)}$	$(S . 2)$	// by $(S . 1)$ , $(A . 6)$ , and message-meaning rule
$G W ∣ \equiv U_{i} ∣ \equiv {(I D_{i} ∥ h (I D_{i} ∥ K) ∥ T_{1})}_{h (I D_{i} ∥ K)}$	$(S . 3)$	// by $(S . 2)$ , $(A . 1)$ , freshness-conjuncatenation rule, and nonce-verification rule
$G W ∣ \equiv {(I D_{i} ∥ h (I D_{i} ∥ K) ∥ T_{1})}_{h (I D_{i} ∥ K)}$	$(S . 4)$	// by $(S . 3)$ , $(A . 9)$ , and jurisdiction rule.
$G W ∣ \equiv A_{i}$	$(S . 5)$	// by $(S . 4)$ and as $A_{i} = {(I D_{i} ∥ h (I D_{i} ∥ K) ∥ T_{1})}_{h (I D_{i} ∥ K)}$ ( $G . 1$ )
$S_{n} ⊲ {(I D_{i} ∥ h (S_{n} ∥ K) ∥ T_{2})}_{h (S_{n} ∥ K)}$	$(S . 6)$	// by $(M . 2)$
$S_{n} ∣ \equiv G W ∣ ~ {(I D_{i} ∥ h (S_{n} ∥ K) ∥ T_{2})}_{h (S_{n} ∥ K)}$	$(S . 7)$	// by $(S . 6)$ , $(A . 7)$ , and message-meaning rule
$S_{n} ∣ \equiv G W ∣ \equiv {(I D_{i} ∥ h (S_{n} ∥ K) ∥ T_{2})}_{h (S_{n} ∥ K)}$	$(S . 8)$	// by $(S . 7)$ , $(A . 2)$ , freshness-conjuncatenation rule, and nonce-verification rule
$S_{n} ∣ \equiv {(I D_{i} ∥ h (S_{n} ∥ K) ∥ T_{2})}_{h (S_{n} ∥ K)}$	$(S . 9)$	// by $(S . 8)$ , $(A . 10)$ , and jurisdiction rule.
$S_{n} ∣ \equiv B_{i}$	$(S . 10)$	// by $(S . 9)$ and as $B_{i} = {(I D_{i} ∥ h (S_{n} ∥ K) ∥ T_{2})}_{h (S_{n} ∥ K)}$ ( $G . 2$ )
$G W ⊲ {(I D_{i} ∥ h (S_{n} ∥ K) ∥ T_{3})}_{h (S_{n} ∥ K)}$	$(S . 11)$	// by $(M . 3)$
$G W ∣ \equiv S_{n} ∣ ~ {(I D_{i} ∥ h (S_{n} ∥ K) ∥ T_{3})}_{h (S_{n} ∥ K)}$	$(S . 12)$	// by $(S . 11)$ , $(A . 8)$ , and message-meaning rule
$G W ∣ \equiv S_{n} ∣ \equiv {(I D_{i} ∥ h (S_{n} ∥ K) ∥ T_{3})}_{h (S_{n} ∥ K)}$	$(S . 13)$	// by $(S . 12)$ , $(A . 3)$ , freshness-conjuncatenation rule, and nonce-verification rule
$G W ∣ \equiv {(I D_{i} ∥ h (S_{n} ∥ K) ∥ T_{3})}_{h (S_{n} ∥ K)}$	$(S . 14)$	// by $(S . 13)$ , $(A . 11)$ , and jurisdiction rule.
$G W ∣ \equiv C_{i}$	$(S . 15)$	// by $(S . 14)$ and as $C_{i} = {(I D_{i} ∥ h (S_{n} ∥ K) ∥ T_{3})}_{h (S_{n} ∥ K)}$ ( $G . 3$ )
$U_{i} ⊲ {(I D_{i} ∥ h (I D_{i} ∥ K) ∥ T_{4})}_{h (I D_{i} ∥ K)}$	$(S . 16)$	// by $(M . 4)$
$U_{i} ∣ \equiv G W ∣ ~ {(I D_{i} ∥ h (I D_{i} ∥ K) ∥ T_{4})}_{h (I D_{i} ∥ K)}$	$(S . 17)$	// by $(S . 16)$ , $(A . 5)$ , and message-meaning rule
$U_{i} ∣ \equiv G W ∣ \equiv {(I D_{i} ∥ h (I D_{i} ∥ K) ∥ T_{4})}_{h (I D_{i} ∥ K)}$	$(S . 18)$	// by $(S . 17)$ , $(A . 4)$ , freshness-conjuncatenation rule, and nonce-verification rule
$U_{i} ∣ \equiv {(I D_{i} ∥ h (I D_{i} ∥ K) ∥ T_{4})}_{h (I D_{i} ∥ K)}$	$(S . 19)$	// by $(S . 18)$ , $(A . 12)$ , and jurisdiction rule.
$U_{i} ∣ \equiv D_{i}$	$(S . 20)$	// by $(S . 19)$ and as $D_{i} = {(I D_{i} ∥ h (I D_{i} ∥ K) ∥ T_{4})}_{h (I D_{i} ∥ K)}$ ( $G . 4$ )
$U_{i} ∣ \equiv # (K_{U_{i} - G W}), U_{i} ∣ \equiv K_{U_{i} - G W}$	$(S . 21)$	// once $(S . 20)$ is verified, $U_{i}$ calculates $K_{U_{i} - G W}$ ( $G . 5$ )
$G W ∣ \equiv # (K_{U_{i} - G W}), G W ∣ \equiv K_{U_{i} - G W}$	$(S . 22)$	// once $(S . 5)$ is verified, GW calculates $K_{U_{i} - G W}$ ( $G . 6$ )
$G W ∣ \equiv # (K_{S_{n} - G W}), G W ∣ \equiv K_{S_{n} - G W}$	$(S . 23)$	// once $(S . 15)$ is verified, GW calculates $K_{S_{n} - G W}$ ( $G . 7$ )
$S_{n} ∣ \equiv # (K_{S_{n} - G W}), S_{n} ∣ \equiv K_{S_{n} - G W}$	$(S . 24)$	// once $(S . 10)$ is verified, $S_{n}$ calculates $K_{S_{n} - G W}$ ( $G . 8$ )

Table 22

$G W ⊲ {(I D_{i} ∥ h (I D_{i} ∥ K) ∥ T_{1})}_{h (I D_{i} ∥ K)}$	$(S . 1)$	// by ( $M . 1$ )
$G W ∣ \equiv U_{i} ∣ ~ {(I D_{i} ∥ h (I D_{i} ∥ K) ∥ T_{1})}_{h (I D_{i} ∥ K)}$	$(S . 2)$	// by ( $S . 1$ ), ( $A . 4$ ), and message-meaning rule
$G W ∣ \equiv U_{i} ∣ \equiv {(I D_{i} ∥ h (I D_{i} ∥ K) ∥ T_{1})}_{h (I D_{i} ∥ K)}$	$(S . 3)$	// by ( $S . 2$ ), ( $A . 1$ ), freshness-conjuncatenation rule, and nonce-verification rule
$G W ∣ \equiv {(I D_{i} ∥ h (I D_{i} ∥ K) ∥ T_{1})}_{h (I D_{i} ∥ K)}$	$(S . 4)$	// by ( $S . 3$ ), ( $A . 5$ ), and jurisdiction rule
$G W ∣ \equiv A_{i}$	$(S . 5)$	// by ( $S . 4$ ) and as $A_{i} = {(I D_{i} ∥ h (I D_{i} ∥ K) ∥ T_{1})}_{h (I D_{i} ∥ K)}$ ( $G . 1$ )
$U_{i} ⊲ {{P e r m i t}_{i n}, T_{P e r m i t}}_{K_{U_{i}} - G W}, T_{P e r m i t}$	$(S . 6)$	// by ( $M . 2$ )
$U_{i} ∣ \equiv # (U_{i} \overset{K_{U_{i} - G W}}{⟷} G W)$ , $U_{i} ∣ \equiv U_{i} \overset{K_{U_{i} - G W}}{⟷} G W$	$(S . 7)$	// Once ( $M . 2$ ) is received, $U_{i}$ calculates $K_{U_{i} - G W}$
$U_{i} ∣ \equiv G W ∣ ~$ ${P e r m i t}_{i n}$	$(S . 8)$	// by ( $S . 6$ ), ( $S . 7$ ), and message-meaning rule
$U_{i} ∣ \equiv G W ∣ \equiv$ ${P e r m i t}_{i n}$	$(S . 9)$	// by ( $S . 8$ ), ( $A . 2$ ), freshness-conjuncatenation rule, and nonce-verification rule
$U_{i} ∣ \equiv$ ${P e r m i t}_{i n}$	$(S . 10)$	// by ( $S . 9$ ), ( $A . 6$ ), and jurisdiction rule ( $G . 2$ )

Table 23

$S_{n} ⊲ {(I D_{i} ∥ h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t}) ∥ T_{1})}_{h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t})}$	$(S . 1)$	// by ( $M . 1$ )
$S_{n} ∣ \equiv U_{i} ∣ ~ {(I D_{i} ∥ h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t}) ∥ T_{1})}_{h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t})}$	$(S . 2)$	// by ( $S . 1$ ), ( $A . 4$ ), and message-meaning rule
$S_{n} ∣ \equiv U_{i} ∣ \equiv {(I D_{i} ∥ h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t}) ∥ T_{1})}_{h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t})}$	$(S . 3)$	// by ( $S . 2$ ), ( $A . 1$ ), freshness-conjuncatenation rule, and nonce-verification rule
$S_{n} ∣ \equiv {(I D_{i} ∥ h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t}) ∥ T_{1})}_{h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t})}$	$(S . 4)$	// by ( $S . 3$ ), ( $A . 5$ ), and jurisdiction rule
$S_{n} ∣ \equiv P_{i}$	$(S . 5)$	// by ( $S . 4$ ) and as $P_{i} = {(I D_{i} ∥ h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t}) ∥ T_{1})}_{h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t})}$ ( $G . 1$ )
$U_{i} ⊲ {(I D_{i} ∥ h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t}) ∥ T_{2})}_{h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t})}$	$(S . 6)$	// by ( $M . 2$ )
$U_{i} ∣ \equiv S_{n} ∣ ~ {(I D_{i} ∥ h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t}) ∥ T_{2})}_{h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t})}$	$(S . 7)$	// by ( $S . 6$ ), ( $A . 3$ ), and message-meaning rule
$U_{i} ∣ \equiv S_{n} ∣ \equiv {(I D_{i} ∥ h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t}) ∥ T_{2})}_{h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t})}$	$(S . 8)$	// by ( $S . 7$ ), ( $A . 2$ ), freshness-conjuncatenation rule, and nonce-verification rule
$U_{i} ∣ \equiv {(I D_{i} ∥ h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t}) ∥ T_{2})}_{h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t})}$	$(S . 9)$	// by ( $S . 8$ ), ( $A . 6$ ), and jurisdiction rule
$U_{i} ∣ \equiv Q_{i}$	$(S . 10)$	// by ( $S . 9$ ) and as $Q_{i} = {(I D_{i} ∥ h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t}) ∥ T_{1})}_{h (I D_{i} ∥ K_{n} ∥ T_{p e r m i t})}$ ( $G . 2$ )
$S_{n} ∣ \equiv # (K_{U_{i} - S_{n}}), S_{n} ∣ \equiv K_{U_{i} - S_{n}}$	$(S . 11)$	Once ( $S . 5$ ) is verified, $S_{n}$ calculates $K_{U_{i} - S_{n}}$ ( $G . 3$ )
$U_{i} ∣ \equiv # (K_{U_{i} - S_{n}}), U_{i} ∣ \equiv K_{U_{i} - S_{n}}$	$(S . 12)$	Once ( $S . 10$ ) is verified, $U_{i}$ calculates $K_{U_{i} - S_{n}}$ ( $G . 4$ )

(D) Effect of Energy Consumption Overhead in the Wireless Sensor Network. Although there are differences among the energy consumption in different schemes, as they are small, it could not be neglected. Therefore, this paper has analyzed how much the energy consumption overhead of the proposed solution affects the lifetime of the sensor network. According to [16], one of the most common typical batteries in sensor nodes is the MN1500 Duracell AA with energy potential of 15.39 kJ. Based on this data, this work calculates how long a sensor node can survive executing the proposed user authentication scheme. In this simulation, we assume that the user authentication can use from 1% to 5% of the total energy while the rest of energy is used by other functionalities of the sensor node, such as path maintenance, data gathering, and data transmission.

Knowing that common sensor network applications are not dedicated for a massive user access yet, this work assumes that it is acceptable to use the average of one user authentication per minute as parameter. However, to understand how the proposed user authentication can act from higher demand, the present paper also considers the case when the average number of user authentication per minute is five. Figure 12 shows the number of months a sensor node with MIPS R4000 microprocessor can survive when executing 1 and 5 online user authentications per minute assuming that 1% to 5% of the total energy of the battery is dedicated for user authentication. It shows that a sensor node can survive from 20.2 to 100.8 months depending on the number of authentications (1 and 5 per minute) using only 1% of the total energy of the sensor node. The same figure also indicates that the sensor node can survive up to 503.9 months using 5% of the total energy.

Figure 12

Number of months that a sensor node can survive executing the proposed online user authentication protocol using the MIPS R4000 microprocessor.

Figure 13 also shows the number of months a sensor node can survive executing 1 and 5 online user authentications per minute using 1% to 5% of the total energy and using the MC68328 microprocessor. It shows that a sensor node can survive from 13.0 to 65 months depending on the number of authentications per minute using only 1% of the total energy of the sensor node. The same figure also indicates that the sensor node can survive up to 325 months using 5% of the total energy.

Figure 13

Number of months that a sensor node can survive executing the proposed online user authentication protocol using the MC68328 microprocessor.

Note. If high demand of user authentication (number of authentication request per minute) in online user authentication protocol was required, the following solution could be provided. It is possible to establish a predefined session period to maintain the authentication session between the gateway node and sensor node. So, if another user requests for authentication for such node, the authentication can be executed only between the $U_{i}$ and GW and reuse the connection between GW and $S_{n}$ created before in the previous user authentication.

Figures 14 and 15 show the number of months for which a sensor node with MIPS R4000 and MC68328 microprocessor can survive when executing 1 and 5 offline user authentications per minute assuming that 1% to 5% of the total energy of the battery is dedicated for user authentication. It shows that the survival period of a sensor node (from 11 to 448.7 months) depends on the microprocessor, number of authentication per minute, and percentage of total energy dedicated for user authentication. Once again, we believe this durability is consistent for real implementation because offline user authentication is not executed all the time but only in extraordinary situations where online user authentication cannot cover.

Figure 14

Number of months that a sensor node can survive executing the proposed offline user authentication sub-protocol using the MIPS R4000 microprocessor.

Figure 15

Number of months that a sensor node can survive executing the proposed offline user authentication sub-protocol using the MC68328 microprocessor.

6. Conclusion

With the increase of different types of sensor network implementations such as medical, ecology, and military operation applications, there have been many proposals which tried to give secure user authentication schemes for them. However, even though they deliver important advance in this area, they still incorporate serious vulnerabilities and limitations. In those circumstances, this paper proposes a user authentication mechanism which considers the security, performance, and usability factors. The security is guaranteed by an intensive analysis in terms of formal verification and analysis of possible attacks. The optimization of performance is achieved by using lightweight cryptography and in most of cases, only hash functions and XOR operations; additionally, the number of messages is reduced by using timestamps instead of challenge response of random nonces. Finally, the usability requirements are satisfied by considering both the online and offline user authentication use cases, the feature which was not considered in previous works.

In summary, this paper analyzes previous user authentication mechanisms for wireless sensor networks and identifies their vulnerabilities and limitations and proposes a robust user authentication for wireless sensor networks that eliminates the identified security flaws and limitations. The proposed solution takes advantage of the two-factor authentication concept to provide a secure authentication system offering balanced features in terms of security, performance, and usability.

Footnotes

Acknowledgment

This work was supported by the Sogang University Research Grant of 2011 (no. 201110026).

References

Eldefrawy

M. H.

Khan

M. K.

Alghathbar

Cho

E. S.

Broadcast authentication for wireless sensor networks using nested hashing and the chinese remainder theorem

Sensors 2010 10 9 8683 8695

2-s2.0-77958003482

10.3390/s100908683

Hagedorn

Starobinski

Trachtenberg

Rateless Deluge: over-the-air programming of wireless sensor networks using random linear codes

Proceedings of the International Conference on Information Processing in Sensor Networks (IPSN ′08)

April 2008

457 466

2-s2.0-51249102235

10.1109/IPSN.2008.9

Das

M. L.

Two-factor user authentication in wireless sensor networks

IEEE Transactions on Wireless Communications 2009 8 3 1086 1090

2-s2.0-62949130774

10.1109/TWC.2008.080128

Nyang

Lee

Improvement of Das's two-factor authentication protocol in wireless sensor networks

Cryptology ePrint archive 2009/631, 2012, http://eprint.iacr.org/2009/631.pdf

Huang

H. F.

Chang

Y. F.

Liu

C. H.

Enhancement of two-factor user authentication in wireless sensor networks

Proceedings of the 6th International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIHMSP ′10)

October 2010

27 30

2-s2.0-78650442232

10.1109/IIHMSP.2010.14

Chen

T. H.

Shih

W. K.

A robust mutual authentication protocol for wireless sensor networks

ETRI Journal 2010 32 5 704 712

2-s2.0-78049334450

10.4218/etrij.10.1510.0134

Khan

M. K.

Alghathbar

Cryptanalysis and security improvements of two-factor user authentication in wireless sensor networks

Sensors 2010 10 3 2450 2459

2-s2.0-77955495427

10.3390/s100302450

Yoo

Park

K. Y.

Kim

A security-performance balanced user authentication scheme for wireless sensor networks

International Journal of Distributed Sensor Networks 2012 2012 11

382810

10.1155/2012/382810

Werner-Allen

Lorincz

Welsh

Marcillo

Johnson

Ruiz

Lees

Deploying a wireless sensor network on an active volcano

IEEE Internet Computing 2006 10 2 18 25

2-s2.0-33645115901

10.1109/MIC.2006.26

10.

Doley

Yao

A. C.

On the security of public-key protocols

IEEE Transactions on Information Theory 1983 29 2 198 208

2-s2.0-0020720357

11.

Kocher

Jaffe

Jun

Differential power analysis

Proceedings of the 19th International Advances in Cryptography Conference (CRYPTO ′99)

1999

388 397

12.

Messerges

T. S.

Dabbish

E. A.

Sloan

R. H.

Examining smart-card security under the threat of power analysis attacks

IEEE Transactions on Computers 2002 51 5 541 552

2-s2.0-0036566408

10.1109/TC.2002.1004593

13.

Jack

Exploiting embedded systems

Black Hat, 2006, http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Jack.pdf

14.

Raluca

M. E.

Razvan

M. E.

Terzis

Gateway design for data gathering sensor networks

Proceedings of the 5th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON ′08)

June 2008

296 304

2-s2.0-51749120139

10.1109/SAHCN.2008.44

15.

National Instruments WSN Ethernet Gateway, 2012, http://sine.ni.com/nips/cds/view/p/lang/en/nid/206919

16.

Carman

D. W.

Krus

P. S.

Matt

B. J.

Constraints and approaches for distributed sensor network security

2000 00-010

Glenwood, Md, USA

NAI Labs, Network Associates

17.

Bertoni

Breveglieri

Venturi

Power aware design of an elliptic curve coprocessor for 8 bit platforms

Proceedings of the 4th Annual IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops ′06)

March 2006

337 341

2-s2.0-33750286059

10.1109/PERCOMW.2006.110

18.

Malan

D. J.

Welsh

Smith

M. D.

A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography

Proceedings of the 1st Annual IEEE Communications Society Conference on Sensor and Ad Hoc Communications and Networks (IEEE SECON ′04)

October 2004

71 80

2-s2.0-20344381294

19.

Piotrowski

Langendoerfer

Peter

How public key cryptography influences wireless sensor node lifetime

Proceedings of the 4th ACM Workshop on Security of ad hoc and Sensor Networks (SASN ′06)

October 2006

169 176

2-s2.0-34547420699

10.1145/1180345.1180366

20.

Wander

Gura

Eberle

Gupta

Shantz

S. C.

Energy analysis of public-key cryptography for wireless sensor networks

Proceedings of the Annual IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops ′05)

2005

324 328

21.

Chang

C. C.

Nagel

D. J.

Muftic

Balancing security and energy consumption in wireless sensor networks

Lecture Notes in Computer Science 2007 4864 469 480

2-s2.0-38549122795

22.

Kaps

J. P.

Sunar

Energy comparison of AES and SHA-1 for ubiquitous computing

Lecture Notes in Computer Science 2006 4097 372 381

2-s2.0-33749382575

23.

Burrows

Abadi

Needham

Logic of authentication

ACM Transactions on Computer Systems 1990 8 1 18 36

2-s2.0-0025386404

10.1145/77648.77649

24.

Kim

Y. G.

Moon

C. J.

Jeong

D. W.

Baik

D. K.

Formal verification of bundle authentication mechanism in OSGi service platform: BAN Logic

International Journal of Software Engineering and Knowledge Engineering 2006 16 2 153 173

2-s2.0-33646427708

10.1142/S0218194006002793

25.

Tsaur

Lee

An efficient and secure multi-server authentication scheme with key agreement

Journal of Systems and Software 2012 85 4 876 882

26.

Wang

Zhang

An Authentication protocol for RFID tag and its simulation

Journal of Networks 2011 6 3 446 453

2-s2.0-79953066191

10.4304/jnw.6.3.446-453

27.

Tsai

J. L.

T. C.

Tsai

K. Y.

New dynamic ID authentication scheme using smart cards

International Journal of Communication Systems 2010 23 12 1449 1462

2-s2.0-78649878863

10.1002/dac.1118

28.

Gamage

Leiwo

Zheng

Timestamps for Network Authentication Protocols Revisited 1999

29.

Ying

Building systems using software components

Journal of Software Technology 2006 9 1

30.

Park

Sahni

An online heuristic for maximum lifetime routing in wireless sensor networks

IEEE Transactions on Computers 2006 55 8 1048 1056

2-s2.0-33746924369

10.1109/TC.2006.116

31.

Heinzelman

W. B.

Chandrakasan

A. P.

Balakrishnan

An application-specific protocol architecture for wireless microsensor networks

IEEE Transactions on Wireless Communications 2002 1 4 660 670

2-s2.0-33646589837

10.1109/TWC.2002.804190

32.

Younis

Fahmy

HEED: a hybrid, energy-efficient, distributed clustering approach for ad hoc sensor networks

IEEE Transactions on Mobile Computing 2004 3 4 366 379

2-s2.0-10944266504

10.1109/TMC.2004.41

33.

Yoo

S. G.

Kang

S. H.

Kim

SERA: a secure energy reliability aware data gathering for sensor networks

Multimedia Tools and Applications 2011 1 30

2-s2.0-79151469885

10.1007/s11042-011-0735-z