Sage Journals: Discover world-class research

Abstract

Wireless sensor networks are used to monitor physical or environmental conditions. However, authenticating a user or sensor in wireless sensor networks is more difficult than in traditional networks owing to sensor network characteristics such as unreliable communication networks, resource limitation, and unattended operation. As a result, various authentication schemes have been proposed to provide secure and efficient communication. He et al. suggested a robust biometrics-based user authentication scheme, but Yoon and Kim indicated that their scheme had several security vulnerabilities. The latter then proposed an advanced biometrics-based user authentication scheme; in this paper, we analyze this advanced scheme and perform a cryptanalysis. Our analysis shows that Yoon and Kim's scheme has various security weaknesses such as a biometric recognition error, a user verification problem, lack of anonymity and perfect forward secrecy, session key exposure by the gateway node, vulnerability to denial of service attacks, and a revocation problem. Therefore, we suggest countermeasures that can be implemented to solve these problems and then propose a security-enhanced biometrics-based user authentication scheme using fuzzy extraction that conforms to the proposed countermeasures. Finally, we conduct a security analysis for the proposed biometrics-based user authentication scheme.

1. Introduction

Nowadays, numerous physical, chemical, and biological sensors are deployed in wireless sensor network (WSN) environments for various applications. These sensors can monitor a variety of conditions, including temperature, pressure, military surveillance, and real-time traffic conditions. One benefit of WSNs is that the sensors can be easily deployed in various kinds of harsh environments. Therefore, there has been a remarkable increase in the interest in WSNs [1]. WSNs generally consist of gateways, users, and sensors, and communication security is a momentous concern in real-world applications. Various authentication schemes for WSNs have been proposed for ensuring secure communication.

To support confidentiality and authentication for sensor networks, Watro et al. introduced a user authentication scheme employing the RSA and DH algorithms for WSNs in 2004. Wong et al. proposed a dynamic user authentication scheme that used a hash function [2]. But Tseng et al. indicated that Wong et al.'s authentication scheme has vulnerability to replay, stolen-verifier, and forgery attacks [3–7]. Das proposed a two-factor user authentication scheme based on a password and smart card to improve the security in 2009. Das demonstrated his scheme to be secure against various real-time attacks [6]. However, He et al. indicated that Das's scheme has vulnerability to insider attacks and impersonation attacks and that no provision was available for users to change their passwords. And also He et al. proposed an improved two-factor scheme to solve these security problems [8]. Khan and Alghathbar demonstrated that Das's scheme did not provide mutual authentication, and it has vulnerability to gateway bypassing and privileged-insider attacks [9]. Chen and Shih indicated that Das's scheme did not provide mutual authentication between the gateway and the sensor, and Chen and Shih proposed a robust mutual authentication scheme for WSNs and claimed that their scheme provides greater security than Das's scheme [10]. In 2010, Yuan et al. [11] proposed a biometric-based user authentication scheme, but it was found to have various security problems. Yoon and Yoo pointed out that Yuan et al.'s scheme has vulnerability to insider, user impersonation, gateway node impersonation, and sensor node impersonation attacks. To address these problems, Yoon and Yoo proposed an improved user authentication scheme [12]. However, in 2012, He demonstrated that Yoon and Yoo scheme was still vulnerable to denial of service (DoS) and sensor impersonation attacks. The former then proposed an improved scheme to overcome these security problems [13].

In 2013, Yoon and Kim [14] indicated that even He et al.’ scheme had various security vulnerabilities such as poor repair-ability and vulnerability to user and sensor node impersonation attacks. The former then proposed an advanced biometrics-based user authentication scheme for WSNs. They demonstrated that their scheme was more effective and had stronger security than other related schemes [13, 14]. To verify the security of Yoon and Kim's advanced scheme, we analyzed their scheme and performed a security cryptanalysis. We found that it has various security problems, including a biometric recognition error, a user verification problem, lack of anonymity and perfect forward secrecy, session key exposure by the gateway node, vulnerability to DoS attacks, and a revocation problem. To solve these problems, we first suggest appropriate countermeasures and then propose a biometrics-based user authentication scheme using fuzzy extraction with improved security that conforms to the proposed countermeasures. Moreover, we also conduct a security analysis of 16 security properties for the proposed biometrics-based user authentication scheme.

The remainder of this paper is organized as follows. Section 2 describes some related work to understand this paper. Section 3 explains Yoon and Kim's authentication scheme, and Section 4 analyzes their scheme to discuss the inherent security problems. Section 5 explains countermeasures to solve these problems. Section 6 proposes the biometric-based authentication using fuzzy extraction with improved security, and Section 7 presents a security analysis about 16 security properties for the proposed scheme. Section 8 concludes the paper.

2. Related Works

2.1. Attacker's Capability

Throughout this paper, we make the following assumptions about the capabilities of a probabilistic, polynomial-time attacker $A$ in order to properly capture the security requirements of the two-factor authentication scheme that uses smart cards in WSNs [15]. (i)

$A$ has complete control over all message exchanges between the protocol participants, including a user, a sensor, and the gateway. That is, $A$ can eavesdrop, insert, modify, intercept, and delete messages exchanged among the three parties at will.

(ii)

$A$ is able to $(1)$ extract sensitive information from the smart card of a user through a power analysis attack or $(2)$ determine the user's password possibly via shoulder-surfing or by employing a malicious card reader. However, it is assumed that $A$ is unable to compromise both the information of the smart card and the password of the user. It is otherwise clear that there is no way to prevent $A$ from impersonating the user if both factors have been compromised.

2.2. Elliptic Curves Cryptography

Elliptic Curves Cryptography (ECC) is a form of public-key cryptography that is based on the use of algebraic structures of elliptic curves over finite fields. Elliptic curves are also used in several integer factorization algorithms. The important benefit of ECC is that it provides a smaller key size, so ECC can maintain the same degree of security with a smaller key size than other public-key forms of cryptography, such as Rivest Shamir Adleman (RSA), Diffie-Hellman (DH), and Digital Signature Algorithm (DSA). Therefore, ECC is especially useful for wireless devices that are typically limited in terms of their computational ability, power, and network connectivity.

ECC has three related mathematical problems: an Elliptic Curve Discrete Logarithm Problem (ECDLP), Elliptic Curve Computational Diffie-Hellman Problem (ECCDHP), and Elliptic Curve Decisional Diffie-Hellman Problem (ECDDHP). No polynomial time algorithm can solve the ECDLP, ECCDHP, and ECDDHP with nonnegligible probability.

Let $p > 3$ be a large prime and choose two field elements $a, b \in F_{p}$ satisfying $4 a^{3} + 27 b^{2} \neq 0$ $\mod p$ to define the equation of a nonsuper-singular elliptic curve $E : y^{2} = x^{3} + a x + b \mod p$ over $F_{p}$ . Choose a generator point $P = (x \times P, y \times P)$ whose order is a large prime number q over $E (F_{p})$ . The subgroup G of the elliptic curve group $E (F_{p})$ with order q is constructed in the same way. Then, the three mathematical problems in ECC that are defined in several studies [16–18] are given as follows: (i)

ECDLP: given a point element Q in G, find an integer $x \in Z_{q}^{*}$ such that $Q = x \times P$ , where $x \times P$ indicates that point P is added to itself x times through an operation with elliptic curves.

(ii)

ECCDHP: for $a, b \in Z_{q}^{*}$ , given two point elements $a \times P$ , $b \times P$ in G, compute $a \times b \times P$ in G.

(iii)

ECDDHP: for $a, b, c \in Z_{q}^{*}$ , given three point elements $a \times P$ , $b \times P$ , and $c \times P$ in G, decide whether $c \times P = a \times b \times P$ .

In the proposed scheme, we use ECDLP for protecting $r_{i}$ and $r_{s}$ . In detail, a user sends $X_{i} = r_{i} \times P$ to the gateway, and the sensor node sends $Y_{i} = r_{s} \times P$ to the user for authentication and session key agreement. If an attacker knows $r_{i}$ and $r_{s}$ , he can attempt various attacks. However, the attacker cannot compute $r_{i}$ and $r_{s}$ due to ECDLP even if he steals $X_{i}$ and $Y_{i}$ from public communication. And in proposed scheme, we use ECCDHP for protecting $K_{U S} = K_{S U} = r_{i} \times r_{s} \times P$ . In other words, An attacker cannot compute $K_{U S}$ and $K_{S U}$ due to ECCDHP even thought he know $X_{i}$ and $Y_{i}$ . Only legal user and sensor node can compute $K_{U S}$ and $K_{S U}$ , respectively, using $X_{i}$ and $Y_{i}$ , and own random number. The user computes $K_{U S} = r_{i} \times Y_{i} = r_{i} \times r_{s} \times P$ and the sensor node computes $K_{S U} = r_{s} \times X_{i} = r_{s} \times r_{i} \times P$ .

2.3. Fuzzy Extraction

The fuzzy extractor converts biometric information into a uniformly random string. Therefore, it is possible to apply cryptographic techniques for biometric security. The extractor consists of a pair of efficient randomized procedures, $Gen$ (generate) and $Rep$ (reproduce). Li et al.'s scheme uses $Gen (B_{i}) = (R_{i}, P_{i})$ and $R_{i} = Rep (B_{i}^{'}, P_{i})$ are used. The fuzzy extractor $Gen$ generates $R_{i}$ and $P_{i}$ by using a user's biometric information during the registration phase. $R_{i}$ is a uniform and random string, and $P_{i}$ is the helper string; thus, $R_{i}$ can be the same under the assistance of auxiliary information $P_{i}$ even if the the biometric information that has been input changes, so long it maintains a reasonably similar status as the original biometric information. As a result, the fuzzy extraction is error-tolerant, and $Rep$ reproduces the $R_{i}$ using the biometric information that has been newly input $B_{i}^{'}$ and $P_{i}$ in the login phase. To reproduce the same $R_{i}$ , the metric space distances between $B_{i}$ and $B_{i}^{'}$ have to meet the given verification threshold [19, 20].

The basic notation that is used consistently throughout this paper is shown in “Notations.”

3. Review of Yoon and Kim's Authentication Scheme

Yoon and Kim's authentication scheme includes a registration phase and login and authentication phases. This scheme does not require making changes to a user's password because this scheme only uses biometrics. The gateway node has two master keys $(x$ and $y)$ and before starting the system, the gateway issues a long-term secret key $h ({S ID}_{j} ∥ y)$ to sensor node $S_{j}$ . x is then used for $U_{i}$ . During the registration phase, the gateway issues a smart card stored as $h ({ID}_{i} ∥ x)$ to $U_{i}$ [11].

3.1. Registration Phase

In the registration phase, a user $U_{i}$ communicates securely with the gateway. $U_{i}$ sends important information regarding the user's identification and biometrics. Figure 1 describes the registration phase, and detailed steps are given as follows. First, $U_{i}$ chooses ${ID}_{i}$ and imprints his biometrics $B_{i}$ on the specific sensor device. Then, $U_{i}$ computes $E_{i} = h ({ID}_{i}, E_{i})$ and sends ${ID}_{i}$ and $E_{i}$ to $GW$ node by using a secure channel. Then, $GW$ node computes two values: $R_{i} = h ({ID}_{i} ∥ x) \oplus E_{i}$ and $V_{i} = h ({ID}_{i} ∥ E_{i})$ . And the $GW$ node inputs $〈I D_{i}, R_{i}, V_{i}, h (\cdot), d (\cdot), τ〉$ into a smart card and sends the smart card to user $U_{i}$ . $h (\cdot)$ is a one-way hash function. $d (\cdot)$ is a symmetric parametric function and τ is a predetermined threshold for the biometric verification.

Figure 1

Registration phase of Yoon and Kim's scheme.

3.2. Login and Authentication Phases

During the login and authentication phases, when $U_{i}$ enters ${ID}_{i}$ and $B_{i}$ into a smart card terminal, the smart card must validate the legitimacy of $U_{i}$ . Then, $U_{i}$ , $S_{j}$ , and $GW$ authenticate each other. This scheme uses three messages $〈M_{1}, M_{2}, M_{3}〉$ during authentication, as shown in Figure 2. Finally, $U_{i}$ and $S_{j}$ share the session key $sk$ after the login and authentication phases; $U_{i}$ and $S_{j}$ communicate with each other using the session key $sk$ . (1)

$U_{i}$ inserts his smart card into the card reader and imprints his biometric $B_{i}$ on a specific device to verify the user's biometrics.

(2)

The smart card computes two values: $E_{i}^{*} = h ({ID}_{i}, B_{i})$ and $V_{i}^{*} = h ({ID}_{i} ∥ E_{i}^{*})$ .

(3)

The smart card compares the computed $V_{i}^{*}$ and the $V_{i}$ that is stored in the smart card. If $d (V_{i}, V_{i}^{*}) \leq τ$ , the user's smart card stops the login phase. Otherwise, the smart card generates a random number $r_{i}$ .

(4)

The smart card computes three values: $D_{i} = R_{i} \oplus E_{i}^{*}$ , $k_{i} = h (D_{i} ∥ T_{i})$ , and $C_{i} = E_{k_{i}} ({ID}_{i} ∥ r_{i})$ , where $T_{i}$ is the current timestamps.

(5)

Then, the smart card sends the login message $M_{1} = 〈{ID}_{i}, C_{i}, T_{i}〉$ to the $GW$ node.

Figure 2

$G W$ receives $M_{1}$ and executes the following actions. (1)

The $GW$ node checks the freshness of $T_{i}$ by using $(T^{'} - T_{i}) \leq Δ T$ . $Δ T$ is the expected time interval for the transmission delay. If $T_{i}$ is not fresh, the $GW$ node rejects the user's request.

(2)

The $GW$ node computes three values: $D_{i}^{'} = h ({ID}_{i} ∥ x)$ , $k_{i}^{'} = h (D_{i}^{'} ∥ T_{i})$ , and ${ID}_{i}^{'} ∥ r_{i}^{'} = D_{k_{i}^{'}} (C_{i})$ .

(3)

The $GW$ node checks whether ${ID}_{i}$ and ${ID}_{i}^{'}$ are equal. If they are not equal, the $GW$ node stops the session. Otherwise, the $GW$ node picks up the current timestamps $T_{g}$ .

(4)

The $GW$ node computes two values: $k_{g} = h (h ({S ID}_{j} ∥ y) ∥ T_{g})$ and $C_{g} = E_{k_{g}} ({ID}_{i}^{'} ∥ r_{i}^{'})$ .

(5)

The $GW$ node then computes $M_{2} = 〈{ID}_{i}, C_{g}, T_{g}〉$ and sends it to the sensor node $S_{j}$ .

$S_{j}$ receives $M_{2}$ and performs the following actions. (1)

$S_{j}$ checks the freshness of $T_{g}$ using $(T^{''} - T_{g}) \leq Δ T$ .

(2)

$S_{j}$ computes two values: $k_{g}^{'} = h (h ({S ID}_{j} ∥ y) ∥ T_{g})$ and ${ID}_{i}^{''} ∥ r_{i}^{''} = D_{k_{g}^{'}} (C_{g})$ .

(3)

$S_{j}$ checks whether ${ID}_{i}$ and ${ID}_{i}^{''}$ are equal and $S_{j}$ picks up the current timestamps $T_{s}$ .

(4)

$S_{j}$ generates $RM$ and computes $V_{s}$ . $RM$ is response to the query of $U_{i}$ ; $V_{s} = h ({ID}_{i}^{''} ∥ r_{i}^{''} ∥ RM ∥ T_{s})$ .

(5)

$S_{j}$ computes $M_{3} = 〈 RM, V_{s}, T_{s} 〉$ and sends it to the user $U_{i}$ .

$U_{i}$ receives $M_{3}$ and executes the following actions. (1)

$U_{i}$ checks the freshness of $T_{s}$ using $(T^{'''} - T_{s}) \leq Δ T$ .

(2)

$U_{i}$ computes $V_{s}^{'} = h ({ID}_{i} ∥ r_{i} ∥ RM ∥ T_{s})$ and checks whether $V_{s}^{'}$ and $V_{s}$ are the same.

(3)

If the entire authentication phase finishes without any problems, $U_{i}$ accepts $RM$ .

(4)

$U_{i}$ and $S_{j}$ communicate with each other securely using the session key $sk$ , and $U_{i}$ and $S_{j}$ compute $sk = h ({ID}_{i} ∥ r_{i} ∥ T_{s})$ .

4. Cryptanalysis of Yoon and Kim's Authentication Scheme

4.1. Biometric Recognition Error

Yoon and Kim's authentication scheme uses a one-way hash function to provide biometric verification. This hash function can be used to map the data of an arbitrary size to data of a fixed size with slight differences in the input data producing very large differences in the output data. Figure 3 describes the biometric recognition error in Yoon and Kim's scheme. Biometrics have general limitations such as false acceptance and false rejection. This means that the output of the imprinted biometrics is not always constant. Although $U_{i}$ inputs its own biometrics to the scanning device, it is possible to output a different ${~  B}_{i}^{*}$ . Therefore, the same biometrics can generate different output, such as the $B_{i}^{*}$ and ${~  B}_{i}^{*}$ . A different ${~  B}_{i}^{*}$ causes slight differences in $E_{i}^{*}$ and ${~  E}_{i}^{*}$ . Therefore, this difference produces a very large difference between $V_{i}^{*}$ and ${~  V}_{i}^{*}$ due to the property of hash function. The large difference between $V_{i}^{*}$ and ${~  V}_{i}^{*}$ causes a biometric recognition error, so a legal user can fail to accept the smart card verification. As a result, advanced techniques are needed to improve the success rate of a legal user's verification [5].

Figure 3

Biometric recognition error on Yoon and Kim's scheme.

4.2. User Verification Problem

In Yoon and Kim's authentication scheme, $GW$ verifies a legal user by comparing ${ID}_{i}$ in $M_{1}$ and ${ID}_{i}^{'}$ in the output of the decrypted $C_{i}$ . Specifically, the user computes $C_{i}$ using a symmetric encryption algorithm; $C_{i} = E_{k_{i}} ({ID}_{i} ∥ r_{i})$ . ${ID}_{i}$ and $r_{i}$ do not matter but $E_{k_{i}}$ has a problem in that there is a possibility to obtain unexpected results. This is the reason why $E_{k_{i}}$ is made up by $D_{i}$ and $T_{i}$ and $D_{i}$ consist of $R_{i}$ , $E_{i}^{*}$ :

\begin{matrix} E_{i}^{*} = h ({ID}_{i}, B_{i}), \\ D_{i} = R_{i} \oplus E_{i}^{*}, \\ k_{i} = h (D_{i} ∥ T_{i}), \\ C_{i} = E_{k_{i}} ({ID}_{i} ∥ r_{i}) . \end{matrix}

(1)

Even if biometrics are the same, the output of the scanning device is not constant. Therefore, the same biometrics can generate a different output, like

~   B_{i}^{*}

. The different output of the biometrics causes slight differences in

E_{i}^{*}

and

~   E_{i}^{*}

. Due to these slight differences, different

~   D_{i}

and

~   k_{i}

are produced. As a result, the user and

GW

en/decrypt the

C_{i}

using different keys.

GW

cannot get a normal

{ID}_{i}

from

C_{i}

so the user is not authenticated by

GW

even when the user uses its own normal

{ID}_{i}

and

B_{i}

. This is the reason why the hash function and the symmetric key encryption algorithm have a property that results in large differences due to a slight difference of input. Figure 4 specifically describes the user verification problem in Yoon and Kim's scheme.

Figure 4

User verification problem on Yoon and Kim's scheme.

4.3. Lack of Anonymity

Figure 5 describes how Yoon and Kim's scheme does not provide the anonymity. In this scheme, the user sends its own $U_{i}$ to $GW$ over public communication, and $GW$ sends $U_{i}$ to the sensor without any protection. Therefore, an attacker can easily acquire $U_{i}$ from those communications. This results in an information exposure problem. For the $GW$ ’ incoming communication, an attacker can obtain information of the approximate number of registered users to $GW$ . Also an attacker can acquire information on which user communicates with $S_{j}$ . Therefore, the lack of anonymity in Yoon and Kim's scheme raises some problems that need to be addressed by providing user anonymity through a protection technique. To solve this problem, it is necessary to use anonymity identification ${AID}_{i}$ in the WSNs communication instead of sending a normal ${ID}_{i}$ [21–23].

Figure 5

Lack of anonymity on Yoon and Kim's scheme.

4.4. Lack of Perfect Forward Secrecy

Perfect forward secrecy means that a session key derived from a set of long-term keys will not be compromised if one of the long-term keys is compromised at some point in the future [24]. Unfortunately, Yoon and Kim's authentication scheme does not provide perfect forward secrecy. Therefore, an attacker can compute the session key $sk$ between the $U_{i}$ and $S_{j}$ if the attacker knows one of the long-term keys $D_{i}$ in the future. The following list describes how Yoon and Kim's scheme does not provide perfect forward secrecy [5]: (1)

Attacker got $C_{i}$ , $T_{i}$ , and $T_{s}$ in previous public channel.

(2)

Attacker knew one of user's long-term secret: $D_{i}$ .

⇒

Attacker has $C_{i}$ , $T_{i}$ , $T_{s}$ , and $D_{i}$ and computes $k_{i}$ and $D_{k_{i}}$ as follows:

⇒

$k_{i} = h (D_{i} ∥ T_{i})$ ,

⇒

$D_{k_{i}} (C_{i}) = {ID}_{i} ∥ r_{i}$ .

(3)

Attacker acquires ${ID}_{i}$ and $r_{i}$ and then computes $sk$ .

⇒

$sk = h ({ID}_{i} {∥ r_{i} ∥ T}_{s})$ .

(4)

Attacker can compute all of previous session key sk.

In advance, the attacker obtains

C_{i}

T_{i}

, and

T_{s}

from previous communication between

U_{i}

and

S_{j}

. The attacker obtains one of the user's long-term secrets

D_{i}

. Then, the attacker can compute

k_{i} = h (D_{i} ∥ T_{i})

and decrypt the

C_{i}

using the computed

k_{i}

. So the attacker can figure out

{ID}_{i}

and random number

r_{i}

. Finally, the attacker can compute the session key

sk

using

{ID}_{i}

r_{i}

, and

T_{s}

4.5. Session Key Exposure by the Gateway Node

The session key $sk$ is used to provide secure communications between $U_{i}$ and $S_{j}$ after the authentication phase is successfully finished. Even if the $GW$ node is a trusted node, it is not necessary for the $GW$ node to know $sk$ because $U_{i}$ usually wants to communicate secretly with $S_{j}$ without the observation of the $GW$ node. However, in Yoon and Kim's authentication scheme, the $GW$ node can compute $sk$ without difficulty. $GW$ node can collect previous ${ID}_{i}$ and $r_{i}$ in $U_{i}$ 's authentication phase and thus can obtain all $T_{s}$ over a public channel. Then, the $GW$ node can compute all $sk = h ({ID}_{i} ∥ r_{i} ∥ T_{s})$ between $U_{i}$ and $S_{j}$ . Therefore, the $GW$ node can decrypt the encrypted message between $U_{i}$ and $S_{j}$ , and can figure out all $U_{i}$ 's secret messages that are protected by session key $sk$ . The session key exposure by GW on Yoon and Kim's scheme [5] is described as follows: (1)

GW knew ${ID}_{i}$ and $r_{i}$ in communication with $U_{i}$ .

(2)

GW got $T_{s}$ in public channel:

⇒ $GW$ has ${ID}_{i}$ , $r_{i}$ and $T_{s}$ ,

⇒ $sk = h ({ID}_{i} ∥ r_{i} ∥ T_{s})$ .

(3)

GW can compute all session key sk between $U_{i}$ and $S_{j}$ .

(4)

GW can decrypt the secret messages between $U_{i}$ and $S_{j}$ .

(5)

GW can acquire important information between $U_{i}$ and $S_{j}$ .

4.6. Vulnerability to Denial of Service Attack

Figure 6 shows the potential for a DoS attack on Yoon and Kim's authentication scheme. The attacker can send malicious messages $〈 {ID}_{i}, C_{i}, T_{c} 〉$ that have been generated to consume the battery power of the $GW$ node and sensor node. The attacker obtains ${ID}_{i}$ and $C_{i}$ from the previous public channel communication and generates a current timestamps $T_{c}$ . When the $GW$ node and the sensor node receive the malicious messages $〈 {ID}_{i}, C_{i}, T_{c} 〉$ , they first check for the freshness of the timestamps $T_{c}$ . However, the $T_{c}$ generated by the attacker is current, and the $GW$ node and sensor cannot determine that ${ID}_{i}$ and $C_{i}$ are from previous messages. So they execute various functions, such as a hash function, decryption function, and verification function before checking whether the ${ID}_{i}$ sent by the attacker and the computed ${ID}_{i}$ are the same. Therefore, the attacker is able to execute a DoS attack without difficulty [5]. The $GW$ node has sufficient resources that can be used in the system, but the sensors are different. The sensor nodes have a limited computational ability, low battery, low bandwidth, and a small amount of memory. The computational cost of a sensor node is a critical consideration in the design of WSNs since this increases the consumption of the battery power of the sensor [15]. Quite often it is economically preferable to discard a sensor rather than recharge it, and for this reason, the battery power of a sensor is usually important for wireless devices, with its lifetime determining the sensor lifetime. Therefore, it is significant issue for the sensor node to be protected from a DoS attack.

Figure 6

Vulnerability to denial of service attack on Yoon and Kim's scheme.

4.7. Revocation Problem

Yoon and Kim's authentication scheme does use the user's password but only uses the user's ${ID}_{i}$ and biometrics $B_{i}$ . Therefore, a password change phase is not necessary. For this reason, when an attacker steals or picks up the user's smart card, a revocation problem occurs. When the $GW$ node issues the user's smart card, it always produces the same $〈 {ID}_{i}, R_{i}, V_{i}, h (\cdot), d (\cdot), τ 〉$ if the $U_{i}$ sends the same ${ID}_{i}$ and $B_{i}$ to the $GW$ node. So even though $U_{i}$ reissues a new smart card, $U_{i}$ cannot discard the lost smart card because the reissued smart card and the lost smart card are the same. Therefore, the user $U_{i}$ has to change his ID in order to reissue a different smart card. Figure 7 describes the potential problem due to lack of revocation phase on Yoon and Kim's scheme [5].

Figure 7

Revocation problem on Yoon and Kim's scheme.

5. Countermeasures

The vulnerability of Yoon and Kim's scheme to a biometric recognition error and a user verification problem is due to the fact that (i)

though the same $U_{i}$ inputs its own biometrics to the scanning device, a different output can be generated;

(ii)

the hash function makes slight differences in the input data by producing very large differences in the output data;

(iii)

in a symmetric key encryption algorithm $E_{k_{i}}$ , small differences of $k_{i}$ produce large differences in the output.

This design flaw causes normal users to fail the login phase using smart card. Therefore, we suggest modifying the $E_{i}^{*} = h ({ID}_{i}, B_{i}^{*})$ , $V_{i}^{*} = h ({ID}_{i} ∥ E_{i}^{*})$ , and $d (V_{i}, V_{i}^{*}) \leq τ$ to prevent a biometric recognition error. Moreover, the difference in $B_{i}$ and $B_{i}^{*}$ results in a different encryption key $k_{i}$ . So, this can cause a user verification problem because the differences in $K_{i}$ and $K_{i}^{'}$ produce a different $C_{i}$ that is used for authentication between $U_{i}$ and the $GW$ node. To prevent an authentication error, we also suggest modifying $D_{i} = R_{i} \oplus E_{i}^{*}$ and $k_{i} = h (D_{i} ∥ T_{i})$ . We thus improve Yoon and Kim's scheme using fuzzy extraction as follows.

During the registration phase, instead of $E_{i}^{*} = h ({ID}_{i}, B_{i}^{*})$ , the smart card computes $R_{i}$ and $P_{i}$ using a fuzzy extraction function $Gen (B_{i})$ such as $〈 R_{i}, P_{i} 〉 = Gen (B_{i})$ . It also computes $F_{i} = h (R_{i})$ and sends both ${ID}_{i}$ and $F_{i}$ to the $GW$ node. The $GW$ node modifies the computation of $A_{i}$ and $V_{i}$ from $A_{i} = h ({ID}_{i} ∥ x) \oplus E_{i}$ and $V_{i} = h ({ID}_{i} ∥ E_{i})$ to

\begin{matrix} A_{i} = h (R_{i}), \\ M_{i} = h ({ID}_{i} ∥ x) \oplus A_{i}, \\ V_{i} = h ({ID}_{i} ∥ A_{i}) . \end{matrix}

(2)

During the login and authentication phase, instead of $E_{i}^{*} = h ({ID}_{i}, B_{i}^{*})$ , $V_{i}^{*} = h ({ID}_{i} ∥ E_{i}^{*})$ , $d (V_{i}, V_{i}^{*}) \leq τ$ , and $D_{i} = A_{i} \oplus E_{i}^{*}$ , smart card computes the following:

\begin{matrix} R_{i}^{*} = Rep (B_{i}^{*}, P_{i}), \\ A_{i}^{*} = h (R_{i}^{*}), \\ V_{i}^{*} = h ({ID}_{i} ∥ A_{i}^{*}), \\ V_{i} \overset{?}{=} V_{i}^{*}, \\ D_{i} = M_{i} \oplus A_{i}^{*} . \end{matrix}

(3)

As a result of this modification carried out using a fuzzy extraction function, the accuracy of verification using biometrics improves. Consequently, the biometric recognition error and user verification problem can be solved.

We next present a possible mechanism for eliminating the vulnerability in Yoon and Kim's scheme due to the lack of anonymity. This vulnerability is due to the fact that (i)

${ID}_{i}$ is used in public communication without any protection;

(ii)

the $attacker$ can know how many users are registered in $GW$ and which user wants to access $S_{j}$ .

Using the user's ${ID}_{i}$ , the attacker can acquire a variety of information on the user, $GW$ , and the sensor. Therefore, we propose to use an anonymity ${AID}_{i}$ to provide anonymity. Instead of sending a normal ${ID}_{i}$ , we suggest using ${AID}_{i}$ in the communication as follows:

\begin{matrix} {AID}_{i} = {ID}_{i} \oplus h (h (x ∥ y) ∥ T_{i}) . \end{matrix}

(4)

GW

sends

h (x ∥ y)

to a user using

N_{i}

h (x ∥ y) \oplus A_{i}

in registration phase.

h (x ∥ y)

uses only a previous secret x and y so it does not need to add a new secret. The attacker and sensor cannot know

h (x ∥ y)

and

{AID}_{i}

changes every session due to

T_{i}

so we can provide user anonymity.

To provide the perfect forward secrecy in our proposed scheme, we modify the computation of $sk$ from $sk$ = $h ({ID}_{i} ∥ r_{i} ∥ T_{s})$ to

\begin{matrix} sk = h ({AID}_{i} ∥ K_{U S} ∥ T_{s}) . \end{matrix}

(5)

{AID}_{i} = {ID}_{i} \oplus h (h (x ∥ y) ∥ T_{i})

has a secret

h (x ∥ y)

. Therefore,

sk

has two secret

h (x ∥ y)

and

K_{U S}

; moreover, they are independent on each other, and so the session key derived from a set of long-term keys will not be compromised if one of the long-term keys is compromised in the future.

K_{U S}

is thus important information between

U_{i}

and

S_{j}

\begin{matrix} K_{U S} = r_{i} \times r_{s} \times P . \end{matrix}

(6)

Since

K_{U S}

can be used to eliminate the vulnerability in Yoon and Kim's scheme to session key exposure by the

GW

node, this vulnerability is due to the fact that

(i)

the $GW$ node can know all elements of $sk$ including $r_{i}$ ;

(ii)

it is hard to share secret information between $U_{i}$ and $S_{j}$ in advance.

To prevent this problem, we suggest a key exchange using elliptic curve encryption. The user generates $r_{i}$ and computes $X_{i}$ and $K_{U S}$ :

\begin{matrix} X_{i} = r_{i} \times P, \\ K_{U S} = r_{i} \times Y_{i} = r_{i} \times r_{s} \times P . \end{matrix}

(7)

Then, the user sends

X_{i}

to the sensor through the

GW

and receives

Y_{i}

from the sensor, so the sensor can compute

sk

as follows:

\begin{matrix} Y_{i} = r_{s} \times P, \\ K_{S U} = r_{s} \times X_{i} = r_{s} \times r_{i} \times P . \end{matrix}

(8)

K_{U S}

and

K_{S U}

can be used by the user and sensor to compute

sk = h ({AID}_{i} ∥ K_{U S} ∥ T_{s})

in a manner that is concealed from the

GW

node. Therefore, we resolve the session key exposure by the

GW

node.

However, even after implementing the modifications described above, Yoon and Kim's scheme is vulnerable to DoS attacks. This type of attack results from the fact that (i)

$GW$ and the sensor perform all operations without checking the freshness of the incoming messages;

(ii)

in particular, the sensor has limited energy but this scheme verifies messages after performing various operations.

To prevent the vulnerability to DoS attack, we suggest adding verification to $M_{1}$ and $M_{2}$ to check incoming message. We modify the computations for $M_{1}$ and $M_{3}$ from $M_{1} = 〈 {ID}_{i}, C_{i}, T_{i} 〉$ and $M_{2} = 〈 {ID}_{i}, C_{g}, T_{g} 〉$ to

\begin{matrix} M_{1} = 〈{AID}_{i}, X_{i}, C_{i}, T_{i}, W_{i}〉, \\ M_{2} = 〈{AID}_{i}, C_{g}, T_{g}, W_{g}〉 . \end{matrix}

(9)

In advance, the

GW

node and sensor check

W_{i}

and

W_{g}

to verify an incoming message:

\begin{matrix} W_{i} = h (h (x ∥ y) ∥ {AID}_{i} ∥ X_{i} ∥ C_{i} ∥ T_{i}), \\ W_{g} = h (h ({S ID}_{j} ∥ y) ∥ {AID}_{i} ∥ C_{g} ∥ T_{g}) . \end{matrix}

(10)

W_{i}

and

W_{g}

are thus only computed for a legal user and the

GW

node. Due to this modification, the

GW

node and sensor can prevent a DoS attack by checking

W_{i}

and

W_{g}

M_{1}

and

M_{2}

, respectively.

Finally, the revocation problem is prevented by implementing a revocation and reissue phase. This phase should also be modified for consistency, particularly to induce a user to select identification different from previous identifications (see Section 6.3 for details). All the modifications suggested above are combined to propose an improved authentication scheme that is described in the following section.

6. Proposed Scheme

Our proposed scheme is divided into three phases: a user registration phase, login and authentication phase, and revocation and reissue phase. Before our scheme is executed, $GW$ generates two master keys, x and y, and provides a long-term secret key $h ({S ID}_{j} ∥ y)$ to the sensor $S_{j}$ .

6.1. Registration Phase

The registration phase of the proposed scheme is described in Figure 8. The $U_{i}$ perform a user registration phase with $GW$ by using a secure channel. $U_{i}$ computes $B_{i}$ by using a biometrics scanning device and $R_{i}$ and $P_{i}$ using fuzzy extraction. Then, the user's information is sent to the $GW$ for registration. However, the $GW$ cannot store the user's biometrics information. The detailed steps are as follows. (1)

$U_{i}$ selects ${ID}_{i}$ and scans its own biometrics to compute $B_{i}$ .

(2)

$U_{i}$ computes $〈 R_{i}, P_{i} 〉 = Gen (B_{i})$ and $A_{i} = h (R_{i})$ . And then $U_{i}$ sends $〈 {ID}_{i}, A_{i} 〉$ to the $GW$ node.

(3)

After receiving $〈 {ID}_{i}, A_{i} 〉$ , the $GW$ node computes the authentication parameters for $U_{i}$ as follows:

\begin{matrix} M_{i} = h ({ID}_{i} ∥ x) \oplus A_{i}, \\ N_{i} = h (x ∥ y) \oplus A_{i}, \\ V_{i} = h ({ID}_{i} ∥ A_{i}) . \end{matrix}

(11)

(4)

$GW$ stores ${ID}_{i}$ , $h (\cdot)$ , and the authentication parameters; $〈 {ID}_{i}, M_{i}, N_{i}, V_{i}, h (\cdot) 〉$ in a smart card. And GW issues the smart card to $U_{i}$ through a secure channel.

(5)

$U_{i}$ receives the smart card and inputs $P_{i}$ to the smart card.

Figure 8

Registration phase of the proposed scheme.

6.2. Login and Authentication Phases

The login and authentication phase of the proposed scheme is described in Figure 9. During the login phase, the smart card checks the user's legality by using the user's $U_{i}$ and biometrics $B_{i}^{*}$ . $GW$ authenticates the user by checking ${ID}_{i}$ through the detailed steps of the login phase as follows: (1)

$U_{i}$ inserts his smart card into a card reader. Then, $U_{i}$ inputs his ${ID}_{i}$ and computes the biometric information $B_{i}^{*}$ using a scanning device. The smart card computes $R_{i}^{*}$ , $A_{i}^{*}$ , and $V_{i}^{*}$ using fuzzy extraction and compares $V_{i}^{*}$ with $V_{i}$ stored in smart card as follows:

\begin{matrix} R_{i}^{*} = Rep (B_{i}^{*}, P_{i}), \\ A_{i}^{*} = h (R_{i}^{*}), \\ V_{i}^{*} = h ({ID}_{i} ∥ A_{i}^{*}), \\ verifies V_{i} \overset{?}{=} V_{i}^{*} . \end{matrix}

(12)

(2)

The smart card generates a random number $r_{i}$ and computes $X_{i}$ , $D_{i}$ , and $h (x ∥ y)$ . $X_{i}$ is used for the session key between $U_{i}$ and $S_{j}$ . This scheme uses $h (x ∥ y)$ to provide perfect forward secrecy:

\begin{matrix} X_{i} = r_{i} \times P, \\ D_{i} = M_{i} \oplus A_{i}^{*}, \\ h (x ∥ y) = N_{i} \oplus A_{i}^{*} . \end{matrix}

(13)

(3)

$U_{i}$ picks up the current timestamps $T_{i}$ and computes $k_{i}$ , $C_{i}$ , ${AID}_{i}$ , and $W_{i}$ for authentication with $GW$ . $W_{i}$ is used to prevent the DoS attack. Then, $U_{i}$ sends the authentication message $M_{1}$ to $GW$ :

\begin{matrix} k_{i} = h (D_{i} ∥ T_{i}), \\ C_{i} = E_{k_{i}} ({ID}_{i} ∥ X_{i}), \\ {AID}_{i} = {ID}_{i} \oplus h (h (x ∥ y) ∥ T_{i}), \\ W_{i} = h (h (x ∥ y) ∥ {AID}_{i} ∥ X_{i} ∥ C_{i} ∥ T_{i}), \\ M_{1} = 〈{AID}_{i}, X_{i}, C_{i}, T_{i}, W_{i}〉 . \end{matrix}

(14)

(4)

Upon receiving $M_{1}$ from $U_{i}$ , $GW$ retrieves the current timestamps $T^{'}$ and verifies the freshness of the $U_{i}$ ’ timestamps $T_{i}$ using $(T^{'} - T_{i}) \leq Δ T$ . Then, $GW$ verifies the received $W_{i}$ using $W_{i} \overset{?}{=} h (h (x ∥ y) ∥ {AID}_{i} ∥ X ∥ C_{i} ∥ T_{i})$ .

(5)

$GW$ computes ${ID}_{i}^{'}$ , $D_{i}^{'}$ , and $k_{i}^{'}$ and decrypts the $C_{i}$ in $M_{1}$ . The output of the decryption is used by $GW$ to authenticate $U_{i}$ by comparing ${ID}_{i}^{'}$ and ${ID}_{i}^{''}$ :

\begin{matrix} {ID}_{i}^{'} = {AID}_{i} \oplus h (h (x ∥ y) ∥ T_{i}), \\ D_{i}^{'} = h ({ID}_{i}^{'} ∥ x), \\ k_{i}^{'} = h (D_{i}^{'} ∥ T_{i}), \\ {ID}_{i}^{''} ∥ X_{i}^{'} = D_{k_{i}^{'}} (C_{i}), \\ verifies {ID}_{i}^{'} \overset{?}{=} {ID}_{i}^{''} . \end{matrix}

(15)

(6)

$GW$ picks up the current timestamps $T_{g}$ and $k_{g}$ , $C_{g}$ , and $W_{g}$ to authenticate $S_{j}$ . Then, $GW$ sends an authentication message $M_{2}$ to $S_{j}$ :

\begin{matrix} k_{g} = h (h ({S ID}_{j} ∥ y) ∥ T_{g}), \\ C_{g} = E_{k_{g}} ({AID}_{i} ∥ X_{i}^{'}), \\ W_{g} = h (h ({S ID}_{j} ∥ y) ∥ {AID}_{i} ∥ C_{g} ∥ T_{g}), \\ M_{2} = 〈{AID}_{i}, C_{g}, T_{g}, W_{g}〉 . \end{matrix}

(16)

(7)

With $M_{2}$ in hand, $S_{j}$ retrieves the current timestamps $T^{''}$ and checks if $T^{''} - T_{g} \leq Δ T$ . If the freshness check for $T^{''}$ fails, $S_{j}$ stops the authentication phase. Otherwise, $S_{j}$ computes $W_{g}$ and compares it with $h (h ({S ID}_{j} ∥ y) ∥ {AID}_{i} ∥ C_{g} ∥ T_{g})$ . After that, $S_{j}$ computes $k_{g}^{'}$ and decrypts $C_{g}$ using $k_{g}^{'}$ . Then, $S_{j}$ checks the sameness between the received ${AID}_{i}$ and the computed ${AID}_{i}^{'}$ :

\begin{matrix} k_{g}^{'} = h (h ({S ID}_{j} ∥ y) ∥ T_{g}), \\ {AID}_{i}^{'} ∥ X^{'} = D_{k_{g}^{'}} (C_{g}), \\ verifies {AID}_{i} \overset{?}{=} {AID}_{i}^{'} . \end{matrix}

(17)

(8)

To compute $sk$ , $S_{j}$ generates a random number $r_{s}$ and computes $K_{S U}$ , $Y_{i}$ . This $sk$ is computed only by $U_{i}$ and $S_{j}$ due to a mathematical problem inherent to ECC. Then, $S_{j}$ picks up the current timestamps $T_{s}$ and computes $RM$ , $V_{s}$ for the authentication. After the operation is finished, $S_{j}$ send $M_{3}$ to $U_{i}$ :

\begin{matrix} K_{S U} = r_{s} \times X_{i}^{'}, \\ Y_{i} = r_{s} \times P, \\ computes  sk = h ({AID}_{i} ∥ K_{S U} ∥ T_{s}), \\ RM = Response  to  the  query  of U_{i}, \\ V_{s} = h ({AID}_{i}^{'} ∥ X_{i}^{'} ∥ Y_{i} ∥ RM ∥ T_{s}), \\ M_{3} = 〈RM, Y_{i}, V_{s}, T_{s}〉 . \end{matrix}

(18)

(9)

First, $U_{i}$ checks the freshness in $T_{s}$ and the sameness of $V_{s}$ . Then, $U_{i}$ computes $K_{U S}$ using the received $Y_{i}$ , and $sk$ by using ${AID}_{i}$ , $K_{U S}$ , and $T_{s}$ . Only a legal $U_{i}$ computes $K_{U S}$ using $Y_{i}$ so anyone cannot compute $sk$ including $GW$ . Then, $U_{i}$ accepts RM:

\begin{matrix} verifies (T^{'''} - T_{s}) \leq Δ T, \\ verifies V_{s} \overset{?}{=} h ({AID}_{i} ∥ X_{i} ∥ Y_{i} ∥ RM ∥ T_{s}), \\ K_{U S} = r_{i} \times Y_{i}, \\ computes  sk = h ({AID}_{i} ∥ K_{U S} ∥ T_{s}), \\ accepts  RM . \end{matrix}

(19)

(10)

From now on, $U_{i}$ can communicate securely with $S_{j}$ using $sk$ :

\begin{matrix} shared  sk = h ({AID}_{i} ∥ r_{i} \times r_{s} \times P ∥ T_{s}), \\ h ({AID}_{i} ∥ r_{s} \times X_{i} ∥ T_{s}) = h ({AID}_{i} ∥ r_{i} \times Y_{i} ∥ T_{s}) . \end{matrix}

(20)

Figure 9

6.3. Revocation and Reissue Phase

The revocation problem can result in serious attacks, so a revocation phase should be provided when $U_{i}$ wants to reissue a smart card due to loss. To prevent the same user identification from being selected, $U_{i}$ inputs the previous ${ID}_{i}$ . Then, $U_{i}$ selects a different identification ${ID}_{i}^{*}$ and sends ${ID}_{i}$ , ${ID}_{i}^{*}$ to the $GW$ with hashed biometrics information $A_{i}$ . After the $GW$ receives these, $GW$ revokes ${ID}_{i}$ and reissues the smart card using ${ID}_{i}^{*}$ . Then, $GW$ continues into a phase that is equal to the registration phase. Revocation and reissue phase of the proposed scheme is described in Figure 10.

Figure 10

Revocation and reissue phase of the proposed scheme.

7. Security Analysis

This section describes the security analysis to confirm the security of the proposed scheme. We need to provide the following definitions to then compare the proposed scheme to other authentication schemes, including that proposed by Yoon and Kim.

Definition 1.

A strong secret key $(B_{i}, x, y)$ has a high value of entropy $S (k)$ that cannot be guessed in polynomial time.

Definition 2.

A secure one-way hash function $y = h (x)$ is the following. Given x to compute y is easy but y to compute x is hard.

7.1. Biometric Recognition Error

The proposed scheme prevents a biometric recognition error by using fuzzy extraction. Yoon and Kim's scheme uses a hash function to check for conformity in the biometrics. Even if they use a threshold τ, since the hash function makes slight differences in the input data that produces very large differences in the output data, it is possible for biometric recognition errors to occur. However, the proposed scheme using fuzzy extractor prevents biometric recognition errors.

The fuzzy extractor $Gen ()$ generates $R_{i}$ and $P_{i}$ using the user's biometric $B_{i}$ during the registration phase. $R_{i}$ is a uniform and random string, and $P_{i}$ is a helper string, so $R_{i}$ can be the same with the assistance of auxiliary information $P_{i}$ even if the user's inputs slightly different biometrics $B_{i}^{*}$ , which thus maintains a reasonably similar status as that of the original biometric information. $U_{i}$ imprints $B_{i}$ for registration and computes $R_{i}$ , $P_{i}$ , and $A_{i}$ as follows:

\begin{matrix} 〈R_{i}, P_{i}〉 = Gen (B_{i}), \\ A_{i} = h (R_{i}) . \end{matrix}

(21)

U_{i}

imprints

B_{i}^{*}

for login and computes

R_{i}^{*}

P_{i}^{*}

, and

V_{i}^{*}

and compares

V_{i}

with

V_{i}^{*}

as follows:

\begin{matrix} R_{i}^{*} = Rep (B_{i}^{*}, P_{i}), \\ A_{i}^{*} = h (R_{i}^{*}), \\ V_{i}^{*} = h ({ID}_{i} ∥ A_{i}^{*}), \\ verifies V_{i} \overset{?}{=} V_{i}^{*} . \end{matrix}

(22)

With the assistance of $P_{i}$ , the fuzzy extractor can compute a constant $V_{i}^{*}$ even if the user inputs slightly different biometrics, so the proposed scheme is secure against a biometric recognition error.

7.2. User Verification Problem

The proposed scheme checks for the sameness in the ${ID}_{i}$ to verify the status a legal user. Concretely, $U_{i}$ makes $B_{i}$ using the device and computes $R_{i}$ and $P_{i}$ . These values and information stored in smart card are used by $U_{i}$ to compute $D_{i}, h (x ∥ y), k_{i}, C_{i}, {AID}_{i}$ and send $M_{1}$ to $GW$ . $GW$ computes ${ID}_{i}^{'}$ from ${AID}_{i}$ and then computes $D_{i}^{'}$ and $k_{i}^{'}$ . $U_{i}$ decrypts $C_{i}$ and confirms ${ID}_{i}^{''}$ . Finally, $GW$ authenticates $U_{i}$ as follows if ${ID}_{i}^{'}$ and ${ID}_{i}^{''}$ are the same. $U_{i}$ imprints $B_{i}$ for authentication. And then GW computes $M_{1}$ as follows:

\begin{matrix} 〈R_{i}, P_{i}〉 = Gen (B_{i}), \\ A_{i} = h (R_{i}), \\ D_{i} = M_{i} \oplus A_{i}^{*}, \\ h (x ∥ y) = N_{i} \oplus A_{i}^{*}, \\ k_{i} = h (D_{i} ∥ T_{i}), \\ C_{i} = E_{k_{i}} ({ID}_{i} ∥ X_{i}), \\ {AID}_{i} = {ID}_{i} \oplus h (h (x ∥ y) ∥ T_{i}), \\ M_{1} = 〈{AID}_{i}, X_{i}, C_{i}, T_{i}, W_{i}〉 . \end{matrix}

(23)

GW

verifies sameness of ID as follows:

\begin{matrix} {ID}_{i}^{'} = {AID}_{i} \oplus h (h (x ∥ y) ∥ T_{i}), \\ D_{i}^{'} = h ({ID}_{i}^{'} ∥ x), \\ k_{i}^{'} = h (D_{i}^{'} ∥ T_{i}), \\ {ID}_{i}^{''} ∥ X_{i}^{'} = D_{k_{i}^{'}} (C_{i}), \\ verifies {ID}_{i}^{'} \overset{?}{=} {ID}_{i}^{''} . \end{matrix}

(24)

Unlike in Yoon and Kim's scheme, $U_{i}$ can compute constant values including $A_{i}$ as a result of the fuzzy extractor. Therefore, $GW$ can authenticate a legal user even if the user inputs a slightly different biometric information $B_{i}^{*}$ . Therefore, the proposed scheme can prevent a user verification problem.

7.3. Anonymity

In the proposed scheme, an attacker cannot compute a user's real identification ${ID}_{i}$ without $h (x ∥ y)$ because the real identification of the user is always protected using ${AID}_{i} = {ID}_{i} \oplus h (h (x ∥ y) ∥ T_{i})$ . Therefore, only the legal user $U_{i}$ and $GW$ can compute ${ID}_{i}$ from ${AID}_{i}$ . $GW$ stores x and y, so $GW$ can easily compute $h (x ∥ y)$ . $U_{i}$ can compute $h (x ∥ y)$ from the $N_{i}$ stored in the smart card as follows:

\begin{matrix} N_{i} = h (x ∥ y) \oplus A_{i}, \\ 〈R_{i}, P_{i}〉 = Gen (B_{i}), \\ A_{i} = h (R_{i}), \\ h (x ∥ y) = N_{i} \oplus A_{i}^{*} . \end{matrix}

(25)

To compute $h (x ∥ y)$ , the attacker has to obtain both the user's smart card and $B_{i}$ . However, even if the attacker can obtain a smart card, he cannot compute $B_{i}$ . As a result, the attacker cannot obtain the user's real identification ${ID}_{i}$ . Therefore, the proposed scheme provides user anonymity.

7.4. Perfect Forward Secrecy

Proposed scheme computes the session key between $U_{i}$ and $S_{j}$ as follows:

\begin{matrix} sk = h ({AID}_{i} ∥ K_{U S} ∥ T_{s}), \\ {AID}_{i} = {ID}_{i} \oplus h (h (x ∥ y) ∥ T_{i}) . \end{matrix}

(26)

Therefore, to compute all of the session keys of a user, an attacker has to know both $h (x ∥ y)$ and $K_{U S}$ . However, the attacker cannot compute two values using another long-term key because $h (x ∥ y)$ and $K_{U S}$ are independent of each other. In other words, if an attacker knows one of $h (x ∥ y)$ and $K_{U S}$ , he cannot compute the other one, so the session key that is derived from a set of long-term keys will not be compromised, even if one of the long-term keys is compromised in the future. Therefore, the proposed scheme achieves the perfect forward secrecy.

7.5. Session Key Exposure by the Gateway Node

In the proposed scheme, $GW$ also knows most of the information related to the scheme but cannot compute $sk$ between $U_{i}$ and $S_{j}$ . we suggest $sk$ as follows:

\begin{matrix} sk = h ({AID}_{i} ∥ r_{i} \times Y_{i} ∥ T_{s}) = h ({AID}_{i} ∥ r_{s} \times X_{i} ∥ T_{s}) = h ({AID}_{i} ∥ r_{i} \times r_{s} \times P ∥ T_{s}) . \end{matrix}

(27)

$GW$ can know ${AID}_{i}$ , $T_{s}$ , $X_{i}$ , and $Y_{i}$ but cannot acquire $r_{i}$ and $r_{s}$ . Even though $X_{i} = r_{i} \times P$ and $Y_{i} = r_{s} \times P$ , $GW$ cannot compute $r_{i}$ and $r_{s}$ from $X_{i}$ and $Y_{i}$ because it is mathematical problem about ECC. Therefore, $sk$ is not exposed by $GW$ in proposed scheme.

7.6. Vulnerability to Denial of Service Attack

In the proposed scheme, $U_{i}$ , $GW$ , and $S_{j}$ basically check for freshness in the message using timestamps. Therefore, the scheme is considered to be able to endure a DoS attack if an attacker sends a previous message to the server with previous timestamps. Moreover, the DoS attack can be better prevented since the proposed scheme uses $W_{i}$ , $W_{g}$ , $V_{s}$ in $M_{1}$ , $M_{2}$ , and $M_{3}$ , respectively:

\begin{matrix} W_{i} = h (h (x ∥ y) ∥ {AID}_{i} ∥ X_{i} ∥ C_{i} ∥ T_{i}), \\ W_{g} = h (h ({S ID}_{j} ∥ y) ∥ {AID}_{i} ∥ C_{g} ∥ T_{g}), \\ V_{s} = h ({AID}_{i}^{'} ∥ X_{i}^{'} ∥ Y_{i} ∥ RM ∥ T_{s}) . \end{matrix}

(28)

$W_{i}$ , $W_{g}$ , and $V_{s}$ include the current timestamps $T_{i}$ . So, $U_{i}$ , $GW$ , and $S_{j}$ can check for the freshness and legality of $M_{1}$ , $M_{2}$ , and $M_{3}$ because the timestamps of $W_{i}$ , $W_{g}$ , and $V_{s}$ do not match the timestamps of $M_{1}$ , $M_{2}$ , and $M_{3}$ even if the attacker sends the previous $W_{i}$ , $W_{g}$ , and $V_{s}$ with the current timestamps. Therefore, the proposed scheme is more secure against the DoS attack than Yoon and Kim's scheme.

7.7. Revocation Problem

The proposed scheme does not use the user's password but only uses the user's ${ID}_{i}$ and biometrics $B_{i}$ for registration. As a result, the proposed scheme needs to provide a revocation and reissue phase when the $U_{i}$ wants to reissue a smart card due to loss. If a user reissues their own smart card with the same ${ID}_{i}$ as the previous ${ID}_{i}$ , the reissued smart card is going to be completely the same as the previous smart card. An attacker could thus make use of the lost smart card due to the sameness. Therefore, the proposed scheme suggests for the $GW$ to check for differences between the previous ${ID}_{i}$ and new ${ID}_{i}^{*}$ during the revocation and reissue phase. In other words, we induce a user to select a different identification from the previous identification, so the $GW$ reissues a new smart card with different information when the user loses his smart card, and the revocation problem is solved in this manner.

7.8. Mutual Authentication

In the proposed scheme, $U_{i}$ , $GW$ , and $S_{j}$ authenticate each other by checking the accuracy of ${ID}_{i}$ , ${AID}_{i}$ , and $V_{s}$ . Specifically, $GW$ can authenticate whether the $U_{i}$ that sent $M_{1}$ is a legal user or not by checking the validity of ${ID}_{i} \overset{?}{=} {ID}_{i}^{*}$ . Only the legal case computes $C_{i}$ using ${ID}_{i}$ and $B_{i}$ , so $GW$ can confirm the user's legitimacy by decrypting $C_{i}$ using $k_{i}$ . $S_{j}$ can authenticate $GW$ by checking if it sends a correct hash $k_{g}$ by verifying ${ID}_{i} \overset{?}{=} {ID}_{i}^{*}$ . $k_{g}$ can be computed within the current time only by a legal $GW$ and $S_{j}$ because $k_{g} = h (h ({S ID}_{j} ∥ y) ∥ T_{g})$ . Finally, $U_{i}$ can authenticate $S_{j}$ and $GW$ by checking $V_{s} \overset{?}{=} h ({AID}_{i} ∥ X_{i} ∥ Y_{i} ∥ RM ∥ T_{s})$ . Only a legal $S_{j}$ can compute $V_{s}$ within the current time because only $S_{j}$ can know $X_{i}$ and $Y_{i}$ .

7.9. Message Confidentiality

The proposed scheme uses 3 messages $M_{1}$ , $M_{2}$ , and $M_{3}$ in the login and authentication phase as follows:

\begin{matrix} M_{1} = 〈{AID}_{i}, X_{i}, C_{i}, T_{i}, W_{i}〉, \\ M_{2} = 〈{AID}_{i}, C_{g}, T_{g}, W_{g}〉, \\ M_{3} = 〈RM, Y_{i}, V_{s}, T_{s}〉 . \end{matrix}

(29)

$T_{i}$ , $T_{g}$ , $T_{s}$ , and RM are basically public information, so they do not need to be protected. Other information can provide confidentiality because an attacker cannot compute important information from ${AID}_{i}$ , $X_{i}$ , $C_{i}$ , $W_{i}$ , $C_{g}$ , $W_{g}$ , $Y_{i}$ , and $V_{s}$ .

7.10. Password Change Phase

In a password-based authentication scheme, the user should be able to change his own password when he forgets his password or loses his smart card. In detail, to change a password freely, a smart card has to store information related to the user's password, such as $h (password)$ . However, when an attacker steals a user's smart card, he can gain all the information stored in the smart card by using a simple and differential power analysis. Therefore, the attacker can obtain a user's password even when it is protected by $h (password)$ because a few characters are necessary to use the password. Therefore, a password change phase is important but poses a serious risk in that information (such as the password) for login and authentication can be exposed. However, the proposed scheme uses only a user's biometric information with high entropy; therefore, the attacker cannot obtain the original biometric information, even if $h (biometrics)$ is known. Moreover, a user does not forget his biometric information and so does not need to change it.

7.11. Stolen Verifier Attack

If the $GW$ or $S_{j}$ stores verifier information, an attacker can attempt a stolen verifier attack. However, the proposed scheme is resistant to a stolen verifier attacker because $GW$ and $S_{j}$ do not store a user's identification/password table and the user's biometrics. In the proposed scheme, $GW$ only stores the secret key x, y, and $S_{j}$ store only $h ({S ID}_{j} ∥ y)$ . Therefore, the $GW$ cannot obtain authentication information from a legal user even if the attacker has the authority to access the database of the $GW$ and $S_{j}$ .

7.12. Guessing Attack

Since the proposed scheme does not use the user's password, this scheme is not vulnerable to a guessing attack. Moreover, the user's biometrics is always protected by the one-way hash function. Since the biometrics information has a high level of entropy, unlike a password, the attacker cannot calculate the user's biometric information from the hashed value. When the attacker steals a user's smart card, the attacker can obtain ${ID}_{i}$ , $M_{i}$ , $N_{i}$ , $V_{i}$ , $P_{i}$ , $h (\cdot)$ from the smart card. However, since $M_{i}$ , $N_{i}$ , $V_{i}$ are hashed values, the attacker cannot obtain any secret information from them. ${ID}_{i}$ and $P_{i}$ are not secret information, so the attacker cannot acquire secret information using a guessing attack. Therefore, the proposed scheme is not vulnerable to a guessing attack [25–27].

7.13. Replay Attack

The proposed scheme is secure against a replay attack by adding timestamps $T_{i}$ , $T_{g}$ , $T_{s}$ into authentication messages $W_{i}$ , $W_{g}$ , $V_{s}$ in $M_{1}$ , $M_{2}$ , $M_{3}$ , respectively. Even if the attacker obtains $M_{1}$ , $M_{2}$ , $M_{3}$ and sends them again with the current timestamps, the attacker cannot compute $W_{i}$ , $W_{g}$ , $V_{s}$ using the current timestamps:

\begin{matrix} M_{1} = 〈{AID}_{i}, X_{i}, C_{i}, T_{i}, W_{i}〉, \\ W_{i} = h (h (x ∥ y) ∥ {AID}_{i} ∥ X_{i} ∥ C_{i} ∥ T_{i}), \\ M_{2} = 〈{AID}_{i}, C_{g}, T_{g}, W_{g}〉, \\ W_{g} = h (h ({S ID}_{j} ∥ y) ∥ {AID}_{i} ∥ C_{g} ∥ T_{g}), \\ M_{3} = 〈RM, Y_{i}, V_{s}, T_{s}〉, \\ V_{s} = h ({AID}_{i}^{'} ∥ X_{i}^{'} ∥ Y_{i} ∥ RM ∥ T_{s}) . \end{matrix}

(30)

7.14. Impersonation Attack

Even if an attacker intercepts the authentication message $M_{1} = 〈 {AID}_{i}, X_{i}, C_{i}, T_{i}, W_{i} 〉$ to impersonate a legitimate user, the attacker cannot normally extract $D_{i}$ and $k_{i}$ from ${AID}_{i}$ , $C_{i}$ , and $W_{i}$ since the one-way hash function is implemented according to Definition 2. Without $D_{i}$ and $k_{i}$ , the attacker cannot produce a legitimate login and authentication message in the attacker's current time. Therefore, the proposed scheme is secure from impersonation attacks. Likewise, the attacker cannot impersonate a legitimate $GW$ and $S_{j}$ . Even if the attacker obtains $M_{2} = 〈 {AID}_{i}, C_{g}, T_{g}, W_{g} 〉$ , the attacker cannot compute $k_{i}$ or $h (h ({S ID}_{j} ∥ y) ∥ T_{g})$ from such due to Definition 2.

7.15. Insider Attack

Typically, malicious insiders want to acquire private user information, such as their biometrics. In the proposed registration phase, a user's smart card device imprints the biometric impression $B_{i}$ and computes $〈 R_{i}, P_{i} 〉$ using $Gen (B_{i})$ and then sends $A_{i}$ to $GW$ ; $A_{i} = h (R_{i})$ . Therefore, $GW$ cannot obtain $B_{i}$ using the incoming $A_{i}$ because of the properties of the one-way hash function. Therefore, the proposed scheme is secure against insider attacks.

7.16. Security Factor

Two- or three-factor authentication methods are implemented by means of a combination of two or three different components. In WSNs, most authentication schemes use a user's password, smart card, and biometric information as components. We propose a two-factor authentication scheme that uses the smart card and biometric information without a password but can provide a similar secure authentication environment comparable to those provided by three-factor authentication schemes.

Table 1 provides a summary and comparison of the security provided by the proposed scheme and that provided by other schemes, including the one by Yoon and Kim.

Table 1

Security comparison.

Security property	Yuan et al.[11]	He et al. [8]	Yoon and Kim[14]	Proposed scheme
Biometric recognition error	Insecure	Secure	Insecure	Secure
User verification problem	Insecure	Secure	Insecure	Secure
Anonymity	Provide	Do not provide	Do not provide	Provide
Perfect forward secrecy	No sk	No sk	Do not provide	Provide
sk exposure by GW	No sk	No sk	Insecure	Secure
Vulnerable to DoS attack	Secure	Insecure	Insecure	Secure
Revocation problem	Secure	Secure	Insecure	Secure
Mutual authentication	Do not provide	Provide	Provide	Provide
Message confidentiality	Do not provide	Do not provide	Provide	Provide
Password change phase	Required	Required	Not required	Not required
Stolen verifier attack	Secure	Secure	Secure	Secure
Guessing attack	Secure	Insecure	Secure	Secure
Replay attack	Secure	Secure	Secure	Secure
Impersonation attack	Insecure	Insecure	Secure	Secure
Insider attack	Insecure	Insecure	Secure	Secure
Security factor	Three-factor	Two-factor	Two-factor	Two-factor

8. Conclusions

To provide security to wireless sensors and users, various authentication schemes for WSNs have been proposed recently. The security problem in He et al.'s scheme was addressed by Yoon and Kim, who proposed an advanced biometrics-based user authentication scheme for WSNs. In this paper, we have identified vulnerabilities in Yoon and Kim's scheme in terms of a biometric recognition error, a user verification problem, lack of anonymity and perfect forward secrecy, session key exposure by the GW node, vulnerability to a DoS attack, and a revocation problem. To solve these security vulnerabilities, we have suggested specific countermeasures, including the use of fuzzy extraction to imprint biometrics during the registration phase consisting of error-tolerant cryptographic primitives for biometric security. We recommend the use of the sensor node's random number and ECC to exchange a random number between a user and the sensor node during the authentication phase. ECC can maintain the same degree of security with a smaller key size than other forms of public-key cryptography. Therefore, ECC is suitable for use with wireless devices that have limited resources. In accordance with these countermeasures, we propose a biometrics-based authentication scheme based on fuzzy extraction with improved security. In addition, we conduct a security analysis to show that the proposed scheme is more secure than other authentication schemes.

Footnotes

Notations

Conflict of Interests

The authors declare no conflict of interests.

Authors' Contribution

Younsung Choi, Youngsook Lee, and Dongho Won contributed to the security analysis, design of the proposed scheme, and preparation of the paper.

Acknowledgment

This research was supported by the MSIP (Ministry of Science, ICT and Future Planning), Korea, under the ITRC (Information Technology Research Center) support program (IITP-2015-H8501-15-1003) supervised by the IITP (Institute for Information and communications Technology Promotion).

References

Nam

Kim

Paik

Lee

Won

A provably-secure ECC-based authentication scheme for wireless sensor networks

Sensors (Switzerland) 2014 14 11 21023 21044

10.3390/s141121023

2-s2.0-84908621929

Wong

K. H. M.

Yuan

Jiannong

Shengwei

A dynamic user authentication scheme for wireless sensor networks

Proceedings of the IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing

June 2006

Taichung, Taiwan

244 251

10.1109/sutc.2006.1636182

2-s2.0-33845458336

Kim

Lee

Jeon

Lee

Won

Security analysis and improvements of two-factor mutual authentication with key agreement in wireless sensor networks

Sensors 2014 14 4 6443 6462

10.3390/s140406443

2-s2.0-84898648439

Watro

Kong

Cuti

S.-F.

Gardiner

Lynn

Kruus

TinyPK: securing sensor networks with public key technology

Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN ‘04)

October 2004

Washington, DC, USA

ACM

59 64

Choi

Nam

Lee

Jung

Won

Cryptanalysis of advanced biometric-based user authentication scheme for wireless sensor networks

Computer Science and Its Applications 2015 330

Berlin, Germany

Springer

1367 1375 Lecture Notes in Electrical Engineering

10.1007/978-3-662-45402-2_190

Das

M. L.

Two-factor user authentication in wireless sensor networks

IEEE Transactions on Wireless Communications 2009 8 3 1086 1090

10.1109/TWC.2008.080128

2-s2.0-62949130774

Tseng

H.-R.

Jan

R.-H.

Yang

An improved dynamic user authentication scheme for wireless sensor networks

Proceedings of the 50th Annual IEEE Global Telecommunications Conference (GLOBECOM ‘07)

November 2007

Washington, DC, USA

986 990

10.1109/glocom.2007.190

2-s2.0-39349093196

Gao

Chan

Chen

An enhanced two-factor user authentication scheme in wireless sensor networks

Ad-Hoc and Sensor Wireless Networks 2010 10 4 361 371

2-s2.0-78650459565

Khan

M. K.

Alghathbar

Cryptanalysis and security improvements of ‘two-factor user authentication in wireless sensor networks'

Sensors 2010 10 3 2450 2459

10.3390/s100302450

2-s2.0-77955495427

10.

Chen

T.-H.

Shih

W.-K.

A robust mutual authentication protocol for wireless sensor networks

ETRI Journal 2010 32 5 704 712

10.4218/etrij.10.1510.0134

2-s2.0-78049334450

11.

Yuan

Jiang

A biometric-based user authentication for wireless sensor networks

Wuhan University Journal of Natural Sciences 2010 15 3 272 276

10.1007/s11859-010-0318-2

2-s2.0-77952339469

12.

Yoon

E.-J.

Yoo

K.-Y.

Cryptanalysis of robust mutual authentication protocol for wireless sensor networks

Proceedings of the 10th IEEE International Conference on Cognitive Informatics & Cognitive Computing (ICCI*CC ‘11)

August 2011

Alberta, Canada

IEEE

392 396

10.1109/coginf.2011.6016171

2-s2.0-80053293841

13.

Robust biometric-based user authentication scheme for wireless sensor networks

IACR Cryptology ePrint Archive 2012 2012, article 203

14.

Yoon

E.-J.

Kim

Advanced biometric-based user authentication scheme for wireless sensor networks

Sensor Letters 2013 11 9 1836 1843

10.1166/sl.2013.3014

2-s2.0-84893438606

15.

Choi

Lee

Kim

Jung

Nam

Won

Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography

Sensors 2014 14 6 10081 10106

10.3390/s140610081

2-s2.0-84902296026

16.

Kar

Majhi

An efficient password security of multiparty key exchange protocol based on ECDLP

International Journal of Computer Science and Security 2009 3 5 405 413

17.

Cao

Chai

Liang

A simple user authentication scheme for grid computing

International Journal of Network Security 2008 7 2 202 206

2-s2.0-70349791260

18.

Giruka

V. C.

Chakrabarti

Singhal

A distributed multiparty key agreement protocol for dynamic collaborative groups using ECC

Journal of Parallel and Distributed Computing 2006 66 7 959 970

10.1016/j.jpdc.2006.03.006

2-s2.0-33744525893

19.

Dodis

Reyzin

Smith

Fuzzy extractors: how to generate strong keys from biometrics and other noisy data

Advances in Cryptology—EUROCRYPT 2004 2004

Berlin, Germany

Springer

523 540

10.1007/978-3-540-24676-3_31

MR2153192

20.

Boyen

Reusable cryptographic fuzzy extractors

Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS ‘04)

October 2004

Washington, DC, USA

82 91

2-s2.0-14844335721

21.

Jeon

Kim

Nam

Lee

Won

An enhanced secure authentication scheme with anonymity for wireless environments

IEICE Transactions on Communications 2012 E95-B 7 2505 2508

10.1587/transcom.E95.B.2505

2-s2.0-84863463143

22.

Nam

Choo

K. R.

Park

Paik

Won

On the security of a simple three-party key exchange protocol without server's public keys

The Scientific World Journal 2014 2014 7

479534

10.1155/2014/479534

23.

Choo

K. R.

Nam

Won

A mechanical approach to derive identity-based protocols from Diffie-Hellman-based protocols

Information Sciences 2014 281 182 200

10.1016/j.ins.2014.05.041

MR3230928

2-s2.0-84904595350

24.

Choi

Nam

Lee

Kim

Jung

Won

Security enhanced anonymous multiserver authenticated key agreement scheme using smart cards and biometrics

The Scientific World Journal 2014 2014 15

281305

10.1155/2014/281305

25.

Kocher

Jaffe

Jun

Differential power analysis

Advances in Cryptology—CRYPTO'99 1999 1666

Berlin, Germany

Springer

388 397 Lecture Notes in Computer Science

10.1007/3-540-48405-1_25

26.

Messerges

T. S.

Dabbish

E. A.

Sloan

R. H.

Examining smart-card security under the threat of power analysis attacks

IEEE Transactions on Computers 2002 51 5 541 552

10.1109/tc.2002.1004593

MR1901004

2-s2.0-0036566408

27.

Muthukuru

Sathyanarayana

A survey of elliptic curve cryptography implementation approaches for efficient smart card processing

Global Journal of Computer Science and Technology 2012 12 1

Security Improvement on Biometric Based Authentication Scheme for Wireless Sensor Networks Using Fuzzy Extraction

Abstract

1. Introduction

2. Related Works

2.1. Attacker's Capability

2.2. Elliptic Curves Cryptography

2.3. Fuzzy Extraction

3. Review of Yoon and Kim's Authentication Scheme

3.1. Registration Phase

3.2. Login and Authentication Phases

4. Cryptanalysis of Yoon and Kim's Authentication Scheme

4.1. Biometric Recognition Error

4.2. User Verification Problem

4.3. Lack of Anonymity

4.4. Lack of Perfect Forward Secrecy

4.5. Session Key Exposure by the Gateway Node

4.6. Vulnerability to Denial of Service Attack

4.7. Revocation Problem

5. Countermeasures

6. Proposed Scheme

6.1. Registration Phase

6.2. Login and Authentication Phases

6.3. Revocation and Reissue Phase

7. Security Analysis

Definition 1.

Definition 2.

7.1. Biometric Recognition Error

7.2. User Verification Problem

7.3. Anonymity

7.4. Perfect Forward Secrecy

7.5. Session Key Exposure by the Gateway Node

7.6. Vulnerability to Denial of Service Attack

7.7. Revocation Problem

7.8. Mutual Authentication

7.9. Message Confidentiality

7.10. Password Change Phase

7.11. Stolen Verifier Attack

7.12. Guessing Attack

7.13. Replay Attack

7.14. Impersonation Attack

7.15. Insider Attack

7.16. Security Factor

8. Conclusions

Footnotes

Notations

Conflict of Interests

Authors' Contribution

Acknowledgment

References