Sage Journals: Discover world-class research

Abstract

User authentication in wireless sensor networks (WSNs) is a critical security issue due to their unattended and hostile deployment in the field. Since sensor nodes are equipped with limited computing power, storage, and communication modules, authenticating remote users in such resource-constrained environments is a paramount security concern. To overcome the weaknesses of Yeh et al.'s protocol, we proposed a new authentication protocol for wireless sensor networks using elliptic curves cryptography. The comparisons show that our protocol is more suitable for WSNs.

1. Introduction

Wireless sensor networks (WSNs) are becoming more and more popular in everyday life as they offer economically viable, real-time monitoring solutions. These wireless sensors can be quickly and easily deployed in hostile environments, and WSNs are now widely used in a variety of real-time applications, such as vehicular tracking, habitat monitoring, environment control, military surveillance, healthcare monitoring, wildlife monitoring, and traffic monitoring. One recent survey declared that, in the near future, WSNs will become an intelligent and integral part of daily lives [1].

A WSN consists of a discrete group of independent, low cost, and low power nodes with limited memory and computation power. They communicate wirelessly over limited frequency and low bandwidth [1]. More specifically, sensor nodes collectively monitor the area and sense substantial amounts of data, which are transmitted to the base station traversing some nodes via RF signals and routing schemes.

A key requirement for WSN is user authentication [2, 3]. The client devices (remote wireless sensor nodes) need to be authenticated before being allowed to join the WSN and have access to the WSN's resources. To date, most user authentication methods have focused on protocol implementations in the network and link layers. It should be noted that, in order to limit power consumption by sensor nodes and to overcome limitations in computation capacity, user authentication in a WSN is typically done in dedicated gateway node (GW node) [1].

In 2004, Sastry and Wagner [4] proposed a security enhancement using access control lists (ACLs) in the GW node. In Sastry and Wagner's protocol, an ACL would be maintained besides the client's identity and the arranging of the nearest sensor node. Watro et al. [5] proposed a user authentication protocol employing RSA and Diffie-Hellman algorithms, but this protocol is open to hostile attack by a user masquerading as a sensor node. Wong et al. [6] proposed a dynamic user authentication protocol using hash function. Das [7] and Tseng et al. [8] demonstrated that both Watro's and Wong's user authentication methods were vulnerable to stolen-verifier, replay, and forgery attacks. To improve the security, Das [7] proposed a two-factor user authentication protocol. In 2007, Tseng et al. [8] show that Wong's protocol was vulnerable to stolen passwords. Tseng et al. also proposed an enhanced user authentication protocol to improve overcome the weakness. However, Khan and Alghathbar [9, 10] show that Das' protocol did not provide mutual authentication between gateway node and sensor node and was vulnerable to gateway node bypassing attack and privileged-insider attack. Chen and Shih [11] also demonstrated that Das' protocol did not provide mutual authentication between gateway node and sensor node. Chen and Shih [11] also proposed a more secure and robust two-factor user authentication in WSNs. Unfortunately, Yeh et al. [12] found that Chen and Shih's protocol failed to provide a secure method for updating user passwords and was vulnerable to the insider attack problem. To improve the performance and the security, Yeh et al. [12] proposed the first user authentication protocol for WSNs using the elliptic curve cryptography (ECC). ECC was first proposed by Miller [13] and Koblitz [14], and its security was based upon the difficulty of elliptic curve discrete logarithm problem. Compared with the other cryptography, ECC offers a better performance because it can achieve the same security with a smaller key size. For example, 160-bit ECC and 1024-bit RSA have the same security level in practice [15]. Thus, ECC-based authentication schemes are very suitable for WSNs.

Unfortunately, Han [16] found that the Yeh et al. protocol had the following weaknesses: (1) no mutual authentication between the user and the sensor node, (2) no perfect forward secrecy, and (3) no key agreement between the user and the sensor node. To overcome the weaknesses of Yeh et al.'s protocol, we propose a new ECC-based user authentication protocol for WSNs.

The remainder of this paper is organized as follows. In Section 2, we propose our ECC-based authentication protocol for WSNs. The security analysis of the proposed protocol is presented in Section 3. In Section 4, performance analysis is presented. Conclusions are given in Section 5.

2. The Proposed Protocol

To solve the weakness of Yeh et al.'s scheme, we propose a new ECC-based user authentication protocol for WSNs. Thus, before issuing a query to a sensor node, each user must register with the gateway in a secure manner so that they can access the real-time sensors' data. Upon the successful user registration request, the gateway node personalizes a smart card for every registered user. Then, a user can submit his query in an authentic way and access the sensor network data at any time within an administratively configurable period [6].

In order to execute the proposed framework, we considered that the gateway is a trusted node and it holds two master keys (x and y), which are sufficiently large for the sensor network. Before starting the system, it is assumed that the gateway and the sensor nodes share a long-term common secret key, that is, $S K_{G S} = h (S_{n} | | y)$ using any key agreement protocol. For example, Watro et al. [17] demonstrated that, with the careful design, D-H key agreement protocol [18] can be easily deployed on most constrained devices. Here, $h (\cdot)$ is a collision-free one-way hash function (i.e., SHA-1), which has an output length of 160 bits [19] and is used throughout this paper.

It is assumed that some identical secure symmetric cryptosystems are publicly available and stored in the gateway and the sensor node. As a result only the users registered with the gateway have access privileges to the sensors, which share a long-term secret with the gateway. The framework is divided into four phases, namely, user registration phase, login phase, authentication phase, and password update phase. For convenience, the notations used throughout this paper are summarized as follows:

$p, n$ : two large prime numbers;

$F_{p}$ : a finite field;

E: an elliptic curve defined on finite field $F_{p}$ with large order;

G: the group of elliptic curve points on E;

P: a point on elliptic curve E with order n;

U: a user;

$I D_{U}$ : the user U identity;

$p w_{U}$ : the user U password;

GW node: the gateway node of WSN;

$S_{n}$ : a sensor node of WSN;

$I D_{S_{n}}$ : the sensor node $S_{n}$ identity;

$x, y$ : the master keys of GW node;

$h (\cdot)$ : a secure one-way hash function;

||: a string concatenation operation;

⊕: a string XOR operation;

ECDLP: the discrete logarithm problem, that is, given $Q \in G$ to compute $x \in Z_{n}^{*}$ such that $Q = x P$ ;

ECCDHP: the computational Diffie-Hellman problem, that is, given $a P, b P \in G$ to compute $a b P$ .

2.1. Registration Phase

In this phase, user U has to submit an identity, $I D_{U}$ , and a password, $p w_{U}$ , to the GW node in a secured way. Then, the GW node issues a license to U. The detailed steps are depicted as follows. (1)

U chooses his identity $I D_{U}$ and password $p w_{U}$ , generates a random number $b_{U}$ , and computes ${\bar{pw}}_{U} = h (p w_{U} \oplus b_{U})$ . Then, U sends $I D_{U}$ and ${\bar{pw}}_{U}$ to the GW node.

(2)

Upon receiving the registration request, GW node computes $K_{U} = h (I D_{U} | | x) \times P$ , $B_{U} = h (I D_{U} \oplus {\bar{pw}}_{U})$ , and $W_{U} = h (I D_{U} | | {\bar{pw}}_{U}) \oplus K_{U}$ . Then GW node stores ${B_{U}, W_{U}, h (\cdot)}$ into a smart card and sends it to the user U.

(3)

After receiving the smart card, the user U inputs $b_{U}$ into it and finishes the registration.

2.2. Login Phase

When U enters an $I D_{U}$ and a $p w_{U}$ in order to deliver some query to or access data from the WSN, the smart card must perform the following steps to validate the legitimacy of U. Figure 1 shows both the login phase and the authentication phase. (1)

User U inserts his smart card into the terminal and enters his identity $I D_{U}$ and password $p w_{U}$ .

(2)

The smart card computes ${\bar{pw}}_{U} = h (p w_{U} \oplus b_{U})$ and $B_{U}^{'} = h (I D_{U} \oplus {\bar{pw}}_{U})$ and checks whether $B_{U}^{'} = B_{U}$ . If it does not hold, the smartcard stops the request. Otherwise, the smart card computes $K_{U} = h (I D_{U} | | {\bar{pw}}_{U}) \oplus W_{U}$ . Then the smart card generates a random number $r_{U} \in Z_{n}^{*}$ and computes $X = r_{U} \times P$ , $X^{'} = r_{U} \times K_{U}$ , and $α = h (I D_{U} | | X | | X^{'} | | T_{U})$ , where $T_{U}$ is the current timestamp of U's system. At last, the smart card sends the login message $M_{1} = {I D_{U}, X, T_{U}, α}$ to $S_{n}$ .

Figure 1

The login phase and the authentication phase of our scheme.

2.3. Authentication Phase

After receiving the login request message $M_{1}$ at time $T^{'}$ , the sensor node $S_{n}$ executes the following steps to authenticate U's requests by the following steps. (1)

$S_{n}$ checks whether $T^{'} - T_{U} \leq Δ T$ holds, where $Δ T$ is the legal time interval for transmission delay. If the answer is yes, the validity of $T_{U}$ can be assured, and $S_{n}$ proceeds to the next step. If no, the $S_{n}$ rejects the request.

(2)

$S_{n}$ generates a random number $r_{S} \in Z_{n}^{*}$ and computes $Y = r_{S} \times P$ and $β = h (S K_{G S} | | I D_{U} | | X | | T_{U} | | α | | I D_{S_{n}} | | Y | | T_{S})$ , where $T_{S}$ is the current timestamp of $S_{n}$ 's system. At last, $S_{n}$ sends $M_{2} = {I D_{U}, X, T_{U}, α, I D_{S_{n}}, Y, T_{S}, β}$ to GW node.

After receiving the message $M_{2}$ at time $T^{''}$ , GW node performs the following actions. (1)

GW node checks whether $T^{''} - T_{U} \leq Δ T$ and $T^{''} - T_{S} \leq Δ T$ hold, where $Δ T$ is the legal time interval for transmission delay. If the answer is yes, the validity of $T_{U}$ and $T_{S}$ can be assured, and GW node proceeds to the next step. If no, GW node rejects the request.

(2)

GW node uses long-term key $S K_{G S}$ to check whether the equation $β = h (S K_{G S} | | I D_{U} | | X | | T_{U} | | α | | I D_{S_{n}} | | Y | | T_{S})$ holds. If the equation does not hold, GW node stops the session. Otherwise, GW node computes $X^{'} = h (I D_{U} | | x) \times X$ using his master key x. Then, GW node checks whether the equation $α = h (I D_{U} | | X | | X^{'} | | T_{U})$ holds. If the equation does not hold, GW node stops the session. Otherwise, GW node computes $γ = h (S K_{G S} | | I D_{U} | | X | | T_{U} | | α | | I D_{S_{n}} | | Y | | T_{S} | | T_{G})$ and $δ = h (I D_{U} | | X | | X^{'} | | T_{U} | | Y | | T_{S})$ . At last, GW node sends the message $M_{3} = {T_{G}, γ, δ}$ to $S_{n}$ .

After receiving the message $M_{3}$ at time $T^{'''}$ , $S_{n}$ performs the following actions to authenticate U and GW node. (1)

$S_{n}$ checks whether $T^{'''} - T_{G} \leq Δ T$ holds, where $Δ T$ is the legal time interval for transmission delay. If the answer is yes, the validity of $T_{G}$ can be assured, and $S_{n}$ proceeds to the next step. If no, $S_{n}$ rejects the request.

(2)

$S_{n}$ uses long-term key $S K_{G S}$ to check whether the equation $γ = h (S K_{G S} | | I D_{U} | | X | | T_{U} | | α | | I D_{S_{n}} | | Y | | T_{S} | | T_{G})$ holds. If the equation does not hold, $S_{n}$ stops the session. Otherwise, $S_{n}$ computes $K_{S U} = r_{S} \times X$ , $τ = h (Y | | T_{S} | | δ | | K_{S U})$ , and the session key sk = $h (X | | Y | | K_{S U})$ and sends $M_{4} = {Y, T_{S}, δ, τ}$ to the smart card.

After receiving the message $M_{4}$ at time $T^{''''}$ , the smart card performs the following actions to authenticate $S_{n}$ . (1)

The smart card checks whether $T^{''''} - T_{S} \leq Δ T$ holds, where $Δ T$ is the legal time interval for transmission delay. If the answer is yes, the validity of $T_{S}$ can be assured, and the smart card proceeds to the next step. If no, the smart card rejects the request.

(2)

The smart card computes $K_{U S} = r_{U} \times Y$ and checks whether the equations $δ = h (I D_{U} | | X | | X^{'} | | T_{U} | | Y | | T_{S})$ and $τ = h (Y | | T_{S} | | δ | | K_{U S})$ hold. If either of the two equations does not hold, the smart card stops the session. Otherwise, $S_{n}$ is authenticated and the smart card computes the session key $sk = h (X | | Y | | K_{U S})$ .

2.4. Password Update Phase

The password update phase is invoked whenever user U wants to update his old password $p w_{U}$ . The password update phase is described below. (1)

User U inserts his smart card into the terminal and enters his identity $I D_{U}$ , the old password $p w_{U}$ , and the new password ${pw}_{U}^{'}$ .

(2)

The smart card computes ${\bar{pw}}_{U} = h (p w_{U} \oplus b_{U})$ and $B_{U}^{'} = h (I D_{U} \oplus {\bar{pw}}_{U})$ and checks whether $B_{U}^{'} = B_{U}$ . If it does not hold, the smart card stops the request. Otherwise, the smart card computes $K_{U} = h (I D_{U} | | {\bar{pw}}_{U}) \oplus W_{U}$ , ${\bar{pw}}_{U}^{'} = h ({pw}_{U}^{'} \oplus b_{U})$ , and $W_{U}^{'} = K_{U} \oplus h (I D_{U} | | {\bar{pw}}_{U}^{'})$ . At last, the smart card replaces $W_{U}$ with $W_{U}^{'}$ .

3. Security Analysis

In this section, we will discuss the security of our protocol as follows.

Mutual Authentication

Our scheme provides mutual authentication, where all entities (i.e., user, gateway, and sensor nodes) are mutually authenticating each other. More specifically, when the GW node receives the message $M_{2} = {I D_{U}, X, T_{U}, α, I D_{S_{n}}, Y, T_{S}, β}$ , it can make sure that the user message $M_{1} = {I D_{U}, X, T_{U}, α}$ is included in the sensor node message $M_{2}$ . When the sensor node receives message $M_{3} = {T_{G}, γ, δ}$ , it ensures that this message is generated by the GW node. Furthermore, when the user receives message $M_{4} = {Y, T_{S}, δ}$ , he can also confirm that this message is generated by the sensor node. Hence, mutual authentication is achieved.

Replay Attacks

Our scheme is resistant to replay attacks, because the authenticity of messages $M_{1}, M_{2}, M_{3}$ , and $M_{4}$ is validated by checking the freshness of four timestamps. Let us assume an intruder intercepts a login request message $M_{1} = {I D_{U}, X, T_{U}, α}$ and attempts to access the sensor node by replaying the same message $M_{1}$ . The verification of this login attempt fails since the time difference expires (i.e., $T^{'} - T_{U} > Δ T$ ). Similarly, if an intruder intercepts a valid message $M_{2} = {I D_{U}, X, T_{U}, α, I D_{S_{n}}, Y, T_{S}, β}$ and attempts to replay it to the GW node, the verification request will fail at the GW node because the time difference expires again (i.e., $T^{''} - T_{S} > Δ T$ ). Thus, our protocol is secure against replaying of messages.

User Impersonation Attacks

An attacker cannot impersonate the user. Suppose an attacker forges a login message $M_{1} = {I D_{U}, X, T_{U}, α}$ . Now, he will again try to login into the system with the modified message ${I D_{U}, X^{*}, T_{U}^{'}, α^{*}}$ . However, the attacker cannot forge $α^{*}$ without knowing $K_{U} = h (I D_{U} | | x) \times P$ or the master key x since he will be faced with ECDLP. Therefore, it is not possible to impersonate the user.

Sensor Impersonation Attacks

As long as an attacker does not know the secret key $S K_{G S}$ , he cannot generate a legal message $M_{2} = {I D_{U}, X, T_{U}, α, I D_{S_{n}}, Y, T_{S}, β}$ . Then he cannot cheat the gateway. At the same time, he cannot generate a legal message $M_{4} = {Y, T_{S}, δ}$ without knowing the master key x. Therefore, it is not possible to impersonate the sensor.

Gateway Impersonation Attacks

As long as an attacker does not possess the secret key $S K_{G S}$ , he cannot impersonate the gateway and cannot cheat the sensor node. Hence, it frustrates attackers to generate the valid message $M_{4}$ to the sensor node. Therefore, it is not possible to impersonate the gateway.

Man-in-the-Middle Attack

Man-in-the-middle attack means that an active attacker intercepts the communication line between a legal user and the server and uses some means to successfully masquerade as both the server to the user and the user to the server. Then, the user will believe that he is talking to the intended server and vice versa. From the above discussion we know that our protocol can provide mutual authentication, and then the “man-in-the-middle” attack can be resisted.

Stolen-Verifier Attacks

An attacker who steals the password verifier (e.g., hashed passwords) from the gateway can use the stolen verifier to impersonate a legal user to login to the system. The proposed scheme is free from the stolen verifier attack. There is no such information stored at the server, by which an adversary can make a fabricated login request to impersonate a legal user to login the server or can impersonate the gateway to cheat the legal user and the sensor node.

Insider Attacks

It is possible in a real-time environment, when the gateway manager or system administrator can use the user password $p w_{U}$ (e.g., weak password), to impersonate the user U through any other network gateways. In this case, our scheme does not give any room for privileged insiders, since, in the registration phase, the user U is passing ${\bar{pw}}_{U} = h (p w_{U} \oplus b_{U})$ instead of the plain password. Thus, the insider of the GW node cannot get $p w_{U}$ easily. Here, $b_{U}$ is a sufficiently high entropy number, which is not revealed to the GW node. Furthermore, the proposed scheme does not store any verifier table and can resist the insider attacks.

Perfect Forward Secrecy

A protocol is said to be perfect forward secrecy if compromise of the three private keys of the participating entities does not affect the security of the previous session keys. Two aspects are related to this notion, that is, perfect forward secrecy (p-FS) and master key perfect forward secrecy. p-FS means that the compromise of both user's and sensor node's long-term private keys would not affect the secrecy of the previously established session keys. Master key p-FS is satisfied if the session key secrecy still holds even when the server's master key is compromised. Our protocol satisfies both p-FS and master key p-FS by using $sk = h (X | | Y | | r_{S} \times X)$ or $sk = h (X | | Y | | r_{U} \times Y)$ as the shared secret. If user's private keys or gateway's master key is compromised, the adversary cannot compute $r_{U}$ or $r_{S}$ from X and Y since he has to solve the ECCDHP, thus satisfying both p-FS and master key p-FS.

4. Performance Comparison

For the convenience of evaluating the computational cost, we define some notations as follows.

${T G}_{mul}$ : the time of executing a scalar multiplication operation of point.

${T G}_{add}$ : the time of executing an addition operation of points.

${T G}_{grp}$ : the time of generating a random number point.

${T G}_{mtph}$ : the time of executing a map-to-point hash function.

$T G_{h}$ : the time of executing a one-way hash function.

In Table 1, we summarize the performance results of the proposed protocol. In Table 1, we know that the user, the sensor node, and the gateway require $3 {T G}_{mul} + 5 T G_{h}$ , $2 {T G}_{mul} + 3 T G_{h}$ , and $1 {T G}_{mul} + 4 T G_{h}$ , separately. From the theoretical analysis [20] and the experimental result [21, 22], we know that the relative computation cost of generating a random number point and executing a map-to-point hash function is about $1 / 2$ times that of the scalar multiplication.

Table 1

	Yeh et al. 's protocol	Our protocol
Computational cost (user)	2 $T G_{mul} + 1 T G_{grp} + 1 T G_{add} + 4 T G_{h} \approx 2.5 T G_{mul}$	$3 T G_{mul} + 5 T G_{h} \approx 3 T G_{mul}$
Computational cost (sensor node)	$2 T G_{mul} + 1 T G_{grp} + 1 T G_{add} + T G_{mtph} + 1 T G_{h} \approx 3 T G_{mul}$	$2 T G_{mul} + 3 T G_{h} \approx 2 T G_{mul}$
Computational cost (gateway)	$3 T G_{mul} + 1 T G_{grp} + T G_{mtph} + 1 T G_{h} \approx 3 T G_{mul}$	$1 T G_{mul} + 4 T G_{h} \approx 1 T G_{mul}$
Mutual authentication	No	Yes
Perfect forward secrecy	No	Yes
Key agreement between user and node	No	Yes
User impersonation attack	No	No
Sensor node impersonation attack	Yes	No
Gateway impersonation attack	No	No
Inside attack	No	No
Replay attacks	No	No
Stolen-verifier attacks	No	No
Man-in-the-middle attack	No	No

Besides, the computation costs of ${T G}_{mul}$ are considerably higher than ${T G}_{add}$ and $T G_{h}$ . Then, the computational costs of the user, the sensor node, and the gateway in Yeh et al.'s protocol are about $3 {T G}_{mul}$ , $3 {T G}_{mul}$ , and $3 {T G}_{mul}$ , separately. The computational costs of the user, the sensor node, and the gateway in our protocol are about $3 {T G}_{mul}$ , $2 {T G}_{mul}$ , and $1 {T G}_{mul}$ , separately. Then our protocol has better performance at the sensor node side and the gateway side. Moreover, Yeh et al.'s protocol cannot provide (1) mutual authentication between the user and the sensor node, (2) perfect forward secrecy, and (3) key agreement between the user and the sensor node, and then our protocol enhances the security at the cost of increasing user's computation cost slightly.

5. Conclusions

This paper provides a new ECC-based user authentication protocol for WSNs. The proposed protocol performs more efficiently in terms of computation cost, communication cost, and security. Compared with the protocol of Yeh et al., the proposed protocol in this paper can prevent general security issues and provide mutual authentication to protect inside security and outside security. Therefore, the proposed protocol is more suited to WSNs environments.

Footnotes

Acknowledgments

The authors thank the editors and the anonymous reviewers for their valuable comments. This research was supported by National Natural Science Foundation of China (nos. 61202447 and 61201180), Natural Science Foundation of Hebei Province of China (no. F2013501066), Northeastern University at Qinhuangdao Science and Technology Support Program (no. xnk201307), Beijing Natural Science Foundation (no.4132055), and Excellent Young Scholars Research Fund of Beijing Institute of Technology.

References

Akyildiz

I. F.

Sankarasubramamiam

Cayirci

E. A.

Survey on saensor network

IEEE Communications Magazine 2002 40 102 114

Das

M. L.

Saxena

Gulati

V. P.

A dynamic ID-based remote user authentication scheme

IEEE Transactions on Consumer Electronics 2004 50 2 629 631

2-s2.0-4043122631

10.1109/TCE.2004.1309441

Leung

K. C.

Cheng

L. M.

Fong

A. S.

Chan

C. K.

Cryptanalysis of a modified remote user authentication scheme using smart cards

IEEE Transactions on Consumer Electronics 2003 49 4 1243 1245

2-s2.0-1542542636

10.1109/TCE.2003.1261224

Sastry

Wagner

Security considerations for IEEE 802.15.4 networks

Proceedings of the ACM Workshop on Wireless Security (WiSe '04)

October 2004

Philadelphia, Pa, USA

32 42

2-s2.0-11244354854

Watro

Kong

Cuti

S. F.

Gardiner

Lynn

Kruus

TinyPK: securing sensor networks with public key technology

Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN '04)

October 2004

Washington, DC, USA

59 64

2-s2.0-14844304757

Wong

K. H. M.

Yuan

Jiannong

Shengwei

A dynamic user authentication scheme for wireless sensor networks

Proceedings of the IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing

June 2006

Taichung, Taiwan

244 251

2-s2.0-33845458336

10.1109/SUTC.2006.1636182

Das

M. L.

Two-factor user authentication in wireless sensor networks

IEEE Transactions on Wireless Communications 2009 8 3 1086 1090

2-s2.0-62949130774

10.1109/TWC.2008.080128

Tseng

H. R.

Jan

R. H.

Yang

An improved dynamic user authentication scheme for wireless sensor networks

Proceedings of the 50th Annual IEEE Global Telecommunications Conference (GLOBECOM '07)

November 2007

Washington, DC, USA

986 990

2-s2.0-39349093196

10.1109/GLOCOM.2007.190

Khan

M. K.

Alghathbar

Security analysis of two-factor authentication in wireless sensor networks

Proceedings of the Advances in Computer Science and Information Technology (AST/UCMA/ISA/ACN '10)

June 2010

Miyazaki, Japan

55 60

10.

Khan

M. K.

Alghathbar

Cryptanalysis and security improvements of ‘two-factor user authentication in wireless sensor networks'

Sensors 2010 10 3 2450 2459

2-s2.0-77955495427

10.3390/s100302450

11.

Chen

T. H.

Shih

W. K.

A robust mutual authentication protocol for wireless sensor networks

ETRI Journal 2010 32 5 704 712

2-s2.0-78049334450

10.4218/etrij.10.1510.0134

12.

Yeh

H. L.

Chen

T. H.

Liu

P. C.

Kim

T. H.

Wei

H. W.

A secured authentication protocol for wireless sensor networks using Elliptic Curves Cryptography

Sensors 2011 11 5 4767 4779

2-s2.0-79957702363

10.3390/s110504767

13.

Miller

V. S.

Use of elliptic curves in cryptography

218

Proceedings of the Advances in Cryptology (CRYPTO ’85)

1986

Springer

417 426 Lecture Notes in Computer Science

14.

Koblitz

Elliptic curve cryptosystem

Mathematics of Computation 1987 48 203 209

15.

Hankerson

Menezes

Vanstone

Guide to Elliptic Curve Cryptography 2004

New York, NY, USA

Springer

Lecture Notes in Computer Science

16.

Han

Weakness of a Secured Authentication Protocol for Wireless Sensor Networks Using Elliptic Curves Cryptography

http://eprint.iacr.org/2011/293

17.

Watro

Kong

Cuti

S. F.

Gardiner

Lynn

Kruus

TinyPK: securing sensor networks with public key technology

Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN '04)

October 2004

59 64

2-s2.0-14844304757

18.

Diffie

Hellman

M. E.

New directions in cryptography

IEEE Transactions on Information Theory 1976 22 6 644 654

2-s2.0-0017018484

19.

National Institute of Standards and Technology, FIPS PUB 180-1, Secure Hash Standard

http://www.techheap.com/cryptography/hash/fip180-1.pdf

20.

Chen

Cheng

Smart

N. P.

Identity-based key agreement protocols from pairings

International Journal of Information Security 2007 6 4 213 241

2-s2.0-34347393777

10.1007/s10207-006-0011-9

21.

Cao

Zeng

Kou

Identity-based anonymous remote authentication for value-added services in mobile networks

IEEE Transactions on Vehicular Technology 2009 58 7 3508 3517

2-s2.0-69549116775

10.1109/TVT.2009.2012389

22.

Debiao

Jianhua

Jin

An ID-based client authentication with key agreement protocol for mobile client-server environment on ECC with provable security

Information Fusion 2012 13 3 223 230

2-s2.0-79751538861

10.1016/j.inffus.2011.01.001

A New User Authentication Protocol for Wireless Sensor Networks Using Elliptic Curves Cryptography

Abstract

1. Introduction

2. The Proposed Protocol

2.1. Registration Phase

2.2. Login Phase

2.3. Authentication Phase

2.4. Password Update Phase

3. Security Analysis

Mutual Authentication

Replay Attacks

User Impersonation Attacks

Sensor Impersonation Attacks

Gateway Impersonation Attacks

Man-in-the-Middle Attack

Stolen-Verifier Attacks

Insider Attacks

Perfect Forward Secrecy

4. Performance Comparison

5. Conclusions

Footnotes

Acknowledgments

References