Secure biometric-based authentication scheme with smart card revocation/reissue for wireless sensor networks

Abstract

Wireless sensor networks (WSNs) are ad-hoc networks composed primarily of a large number of sensor nodes with limited power, computation, storage and communication capabilities. The issue of securing and authenticating communications in such a network is problematic, and thus an adversary has an opportunity to capture a sensor node directly from the target field and extract all the information from its memory. In 2013, Yoon and Kim proposed an advanced biometric-based user authentication scheme for WSNs. Choi et al. analyzed Yoon and Kim’s scheme and performed a security cryptanalysis in 2016. They demonstrated that Yoon and Kim’s scheme had several security problems, and proposed instead an improved biometric-based user authentication scheme using fuzzy extraction. However, we cryptanalyze Choi et al.’s scheme and demonstrate that their scheme is vulnerable to insider attack and has a problem with smart card revocation/reissue. To overcome these drawbacks, we propose a secure biometric-based authentication scheme in WSNs that is secure against inside adversaries and provides secure and efficient smart card revocation/reissue.

Keywords

authentication biometric wireless sensor networks revocation

Introduction

Wireless sensor networks (WSNs) are ad-hoc networks composed of a large number of sensor nodes with limited power, computation, storage and communication capabilities.¹ They are used for monitoring purposes, providing information about an area of interest to the rest of the system. The sensor nodes can communicate with each other via short-range radio wireless communications. The base station, also known as the gateway node $(GW)$ , is the most powerful node in a WSN. The sensors are extremely starved of resources, lacking in memory, computational capability and radio transmission range.² The extensive rise of WSN use in various applications, including hostile, unattended or inaccessible environments, places an emphasis on users being more assured about the network’s security than about its survivability. In the context of WSNs, the issue of securing and authenticating communication is problematic, especially as nodes currently have no capacity for the secure storage of secret keys. Furthermore, they are frequently deployed in unprotected areas, which makes them more vulnerable to attack^3–6 Thus, an adversary has an opportunity to capture a sensor node directly from the target field and extract all the information from its memory, as nodes are not generally tamper-resistant, owing to their cost effectiveness. Authentication schemes for WSNs have therefore attracted considerable research attention, and have been studied widely, in an effort to guarantee secure communication.

User authentication schemes have been designed and developed to address these security issues and to facilitate authorized access.^7,8 User authentication is a common approach to verifying the legitimacy of a potential user, and has become an indispensable component of service access. By employing a user authentication scheme, the GW can first authenticate users before connecting them to the sensor nodes. If the sensor nodes and users are able to authenticate each other, they can communicate securely using a session key. Otherwise, the GW or a sensor node will reject the unauthorized entity, whose aim is potentially to damage the network security.

In traditional authentication schemes for WSNs, versions based on smart cards were initially introduced to resolve such security issues.^9–12 Recently, a large amount of research on password-based authentication schemes using smart cards has been presented.^13,14 However, password-based authentication schemes are vulnerable to identity or password-based guessing attacks, and suffer from inefficient password-change policies.^15,16 To resolve single-password authentication problems, several biometric-based user authentication schemes have been proposed.^17–19 In contrast with passwords, biometric information, such as faces, irises, fingerprints and palmprints, is considered a unique identifier of a user and is difficult to forge. Therefore, biometric-based user authentication is inherently more secure and reliable than conventional authentication schemes.^20–22

In 2010, Yuan et al.¹⁸ proposed the first biometric-based user authentication scheme for WSNs. Their scheme was very efficient because it used only the hash function. However, Yoon and Yoo²³ pointed out that this scheme¹⁸ was vulnerable to insider attack, user impersonation attack, GW-impersonation attack and sensor-node-impersonate attack. To improve security, in 2011, Yoon and Yoo²³ proposed an improved scheme and claimed their scheme could withstand various attacks. In 2012, He et al.²⁴ proposed a robust biometric-based user authentication scheme for WSNs. However, Yoon and Kim²⁵ demonstrated that this scheme²⁴ had security breaches. Yoon and Kim then proposed an improved and advanced biometric-based user authentication scheme in 2013. They demonstrated that their scheme for WSNs was more effective and had stronger security than other related schemes. In 2016, Choi et al.²⁶ analyzed this scheme²⁵ and performed a security cryptanalysis. They demonstrated that Yoon and Kim’s scheme had several security problems: error with biometric recognition, problem with user verification, a lack of anonymity and perfect forward secrecy, exposure of the session key by the gateway node, a vulnerability to denial of service attack and a problem with revocation. To solve these problems, Choi et al.²⁶ proposed a biometric-based user authentication scheme using fuzzy extraction, which overcame the security weaknesses of Yoon and Kim’s scheme.²⁵

This paper discusses the security vulnerabilities of Choi et al.’s scheme²⁶ and proposes an enhanced biometric authentication scheme for WSNs with has improved security functionalities.²⁶ We provide an analysis of our scheme in terms of its security and efficiency. The major contributions of this study are summarized as follows.

Cryptanalysis of Choi et al.’s scheme. We cryptanalyze Choi et al.’s scheme and demonstrate that it is insecure against anonymity, user impersonation attack and illegal smart card revocation/reissue. Furthermore, we show that its revocation/reissue phase may cause high computational loads for both users and the GW. We illustrate that an inside adversary can obtain the identity of – and impersonate – an authenticated user.

Improvement of Choi et al.’s scheme. We propose an enhanced biometric authentication scheme for WSNs to overcome the security weaknesses of Choi et al.’s scheme. Our scheme is secure against inside adversaries and provides secure smart card revocation/reissue.

Security analysis against various attacks. We analyze the proposed scheme in security and efficiency. Our scheme supports better security functionalities than those of Choi et al.’s scheme. Our scheme is secure against insider attack and user impersonation attack. In addition, ours provides user anonymity, mutual authentication, session key agreement, efficient smart card revocation/reissue and forward secrecy.

The remainder of this paper is organized as follows. First, we present our preliminary details, before reviewing Choi et al.’s scheme. Next, we cryptanalyze Choi et al.’s scheme, before presenting our proposed scheme. After this, we analyze our proposed scheme and finally, we list our findings.

Preliminaries

In this section, we define the cryptographic system and primitives that are used as the building blocks in our scheme. Notation is defined in the appendix.

Capability of adversary

We assume that the capabilities of an adversary $A$ are as follows:^27–29

$A$ has total control over the communication channel connecting a user, a sensor node and the gateway in the login/authentication phase. Thus, the adversary can intercept, insert, delete or modify any message transmitted via a public channel.

$A$ may either steal a user’s smart card or obtain a user’s password, but not both at the same time.

$A$ can extract the information stored in a smart card by means of analyzing its power consumption.

$A$ can be an authorized user of the system (i.e. an insider) or an outsider.^30,31

Elliptic curves cryptography

Let p,q be two large primes, and $E / F_{p}$ indicate an elliptic curve $y^{2} = x^{3} + ax + b$ over the finite field $F_{p}$ . We denote by $G_{1}$ a q-order subgroup of the additive group of points of $E / F_{p}$ , and by $G_{2}$ a q-order subgroup of the multiplicative group of the finite field $F_{p^{2}}^{*}$ . The discrete logarithm problem is required to be hard in both $G_{1}$ and $G_{2}$ . Mathematical problems in elliptic curves cryptography are given as follows:³²

Definition 1. (Elliptic curve discrete logarithm problem) Given a point element $Q \in G_{1}$ , find an integer $a \in Z_{p}^{*}$ such that $Q = a \times P$ , where $a \times P$ indicates that the point P is added to itself for a times by the elliptic curves operation.

Definition 2. (Elliptic curve computational Diffie–Hellman problem) For $a, b \in Z_{p}^{*}$ , given two point elements $a \times P, b \times P \in G_{1}$ , compute $a \times b \times P \in G_{1}$ .

Definition 3. (Elliptic curve decisional Diffie–Hellman problem.) For $a, b, c \in Z_{p}^{*}$ , given three point elements $a \times P, b \times P, c \times P \in G_{1}$ , decide whether $c \times P = a \times b \times P$ or not.

We assume that the elliptic curve decisional Diffie–Hellman problem is intractable, which may guarantee that there is no probabilistic polynomial time algorithm to solve these three problems with non-negligible probability.

Fuzzy extraction

We briefly describe the extraction process of key data from the given biometric information of a user using a fuzzy extractor. The output of a conventional hash function is sensitive; the hash function may also return completely different outputs even if there is a little variation in inputs. Note that the biometric is prone to various noises during data acquisition, and that reproduction of the actual biometric is hard in common practice. To avoid such problems, a fuzzy extractor method^33,34 is preferred, which can extract a uniformly random string and public information from the biometric template with a given error tolerance. In the reproduction process, the fuzzy extractor recovers the original biometric key data for a noisy biometric using a helper string. The fuzzy extractor consists of Gen (generate) and Rep (reproduce).

$Gen (B_{i}) = (R_{i}, P_{i})$ . This probabilistic algorithm takes a biometric template $B_{i}$ as input and then outputs a secret key $R_{i}$ , which is a uniform and random string and a helper string $P_{i}$ . $R_{i}$ can be the same under the assistance of $P_{i}$ even if the biometric information changes slightly.

$Rep (B_{i}', P_{i}) = (R_{i})$ . This deterministic algorithm takes noisy biometric information $B_{i}'$ and then reproduces the biometric template $B_{i}$ . To reproduce the same $R_{i}$ , the metric space distances between $B_{i}$ and $B_{i}'$ must meet the given verification threshold.^33,34

Review of Choi et al.’s authentication scheme

In this section, we review Choi et al.’s authentication scheme.²⁶ The GW generates two master keys, x and y, and provides a long-term secret key $h (SI D_{j} | | y)$ to the sensor $S_{j}$ before the scheme is executed.

Registration phase

A user $U_{i}$ first registers at the gateway GW by using a secure channel to get the service from sensor nodes $S_{j}$ and achieves the personalized smart card $S C_{i}$ . The user chooses an identity $I D_{i}$ and imprints biometric template $B_{i}$ , then performs the following steps:

$U_{i}$ chooses $I D_{i}$ and imprints biometric template $B_{i}$ .

$U_{i}$ computes $< R_{i}, P_{i} > = Gen (B_{i})$ and $A_{i} = h (R_{i})$ and sends $$ to GW.

On receiving $$ , GW computes the authentication parameters as

\begin{matrix} M_{i} = h (I D_{i} | | x) \oplus A_{i} \\ N_{i} = h (x | | y) \oplus A_{i} \\ V_{i} = h (I D_{i} | | A_{i}) \end{matrix}

GW stores $I D_{i}$ , $h (\cdot)$ and the authentication parameters $$ in a smart card $S C_{i}$ . Then GW issues $S C_{i}$ to $U_{i}$ through a secure channel.

$U_{i}$ stores $P_{i}$ in the smart card.

Login and authentication phase

In this phase, the smart card $S C_{i}$ checks the legitimacy of a user by checking $I D_{i}$ and $B_{i}^{*}$ . GW authenticates the user as follows:

$U_{i}$ chooses $I D_{i}$ and imprints biometric template $B_{i}^{*}$ , then $S C_{i}$ computes $R_{i}^{*}$ , $A_{i}^{*}$ and $V_{i}^{*}$ using fuzzy extraction and compares $V_{i}^{*}$ with $V_{i}$ as

\begin{matrix} R_{i}^{*} = Rep (B_{i}^{*}, P_{i}) \\ A_{i}^{*} = h (R_{i}^{*}) \\ V_{i}^{*} = h (I D_{i} | | A_{i}^{*}) \\ verifies V_{i} ? = V_{i}^{*} \end{matrix}

$S C_{i}$ generates a random number $r_{i}$ and computes $X_{i}$ , $D_{i}$ and $h (X | | y)$ as

\begin{matrix} X_{i} = r_{i} \times P \\ D_{i} = M_{i} \oplus A_{i}^{*} \\ h (x | | y) = N_{i} \oplus A_{i}^{*} \end{matrix}

$U_{i}$ picks up $T_{i}$ and computes $k_{i}$ , $C_{i}$ , $AI D_{i}$ and $W_{i}$ as

\begin{matrix} k_{i} = h (D_{i} | | T_{i}) \\ C_{i} = E_{k_{i}} (I D_{i} | | X_{i}) \\ AI D_{i} = I D_{i} \oplus h (h (x | | y) | | T_{i}) \\ W_{i} = h (h (x | | y) | | AI D_{i} | | X_{i} | | C_{i} | | T_{i}) \end{matrix}

Then $U_{i}$ sends the authentication message $M_{1} = < AI D_{i}, X_{i}, C_{i}, T_{i}, W_{i} >$ to GW.

On receiving $M_{1}$ , GW retrieves $T'$ and verifies $T' - T_{i} \leq Δ T$ . If this is true, GW verifies the legitimacy of the received $W_{i}$ by comparing it with $W_{i} ? = h (h (x | | y) | | AI D_{i} | | X_{i} | | C_{i} | | T_{i})$ .

GW computes ${ID}_{i}'$ , $D_{i}'$ and $k_{i}'$ and decrypts $C_{i}$ using $k_{i}'$ . Then, GW authenticates $U_{i}$ as

\begin{matrix} {ID}_{i}' = AI D_{i} \oplus h (h (x | | y) | | T_{i}) \\ D_{i}' = h ({ID}_{i}' | | x) \\ k_{i}' = h (D_{i}' | | T_{i}) \\ D_{k_{i}'} (C_{i}) = {ID}_{i}^{"} | | X_{i}' \\ verifies {ID}_{i}' ? = {ID}_{i}^{"} \end{matrix}

GW picks up $T_{g}$ and computes $k_{g}$ , $C_{g}$ and $W_{g}$ as

\begin{matrix} k_{g} = h (h (SI D_{j} | | y) | | T_{g}) \\ C_{g} = E_{k_{g}} (AI D_{i} | | X_{i}') \\ W_{g} = h (h (SI D_{j} | | y) | | AI D_{i} | | C_{g} | | T_{g}) \end{matrix}

Then GW sends the authentication message $M_{2} = < AI D_{i}, C_{g}, T_{g}, W_{g} >$ to $S_{j}$ .

On receiving $M_{2}$ , $S_{j}$ retrieves $T^{"}$ and verifies $T^{"} - T_{g} \leq Δ T$ . If this is true, $S_{j}$ verifies the legitimacy of $W_{g}$ by comparing it with $h (h (SI D_{j} | | y) | | AI D_{i} | | C_{g} | | T_{g})$ . After that, $S_{j}$ computes $k_{g}'$ and decrypts $C_{g}$ using $k_{g}'$ . Then $S_{j}$ checks the validity of the received $AI D_{i}$ by comparing the computed ${AID}_{i}'$ as

\begin{matrix} k_{g}' = h (h (SI D_{j} | | y) | | T_{g}) \\ D_{k_{g}'} (C_{g}) = {AID}_{i}' | | X_{i}' \\ verifies AI D_{i} ? = {AID}_{i}' \end{matrix}

$S_{j}$ generates a random number $r_{s}$ , and computes $K_{SU}$ , $Y_{i}$ and a session key sk. Then $S_{j}$ picks up $T_{s}$ and computes RM, $V_{s}$ as

\begin{matrix} K_{SU} = r_{s} \times X_{i}' \\ Y_{i} = r_{s} \times P \\ sk = h (AI D_{i} | | K_{SU} | | T_{s}) \\ RM = Response to the query of U_{i} \\ V_{s} = h ({AID}_{i}' | | X_{i}' | | Y_{i} | | RM | | T_{s}) \end{matrix}

Then $S_{j}$ sends $M_{3} = < RM, Y_{i}, V_{s}, T_{s} >$ to $U_{i}$ .

On receiving $M_{3}$ , $U_{i}$ retrieves $T_{s}$ and checks the sameness of $V_{s}$ . Then $U_{i}$ computes $K_{US}$ and sk as

\begin{matrix} verifies V_{s} ? = h (AI D_{i} | | X_{i} | | Y_{i} | | RM | | T_{s}) \\ K_{US} = r_{i} \times Y_{i} \\ sk = h (AI D_{i} | | K_{US} | | T_{s}) \end{matrix}

Only the legitimate $U_{i}$ can compute $K_{US}$ and sk. Then $U_{i}$ accepts RM. $U_{i}$ and $S_{j}$ can communicate securely using the common sk.

Revocation/reissue phase

Revocation/reissue phase is as follows:

$U_{i}$ inputs the previous identity $I D_{i}$ , imprints $B_{i}$ and computes $A_{i}$ . Then $U_{i}$ selects a new identity ${ID}_{i}^{*}$ and sends $$ to GW.

GW checks whether $I D_{i}$ is the same as ${ID}_{i}^{*}$ or not. If they are different, GW computes new authentication parameters as

\begin{matrix} M_{i} = h ({ID}_{i}^{*} | | x) \oplus A_{i} \\ N_{i} = h (x | | y) \oplus A_{i} \\ V_{i} = h ({ID}_{i}^{*} | | A_{i}) \end{matrix}

GW stores $h (\cdot)$ and the authentication parameters; $< {ID}_{i}^{*}, M_{i}, N_{i}, V_{i}, h (\cdot) >$ in the smart card $S C_{i}$ . Then GW issues $S C_{i}$ to $U_{i}$ through a secure channel.

$U_{i}$ stores $P_{i}$ in the smart card.

Cryptanalysis of Choi et al.’s authentication scheme

In this section, we analyze the security problems of Choi et al.’s scheme. Choi et al. cryptanalyzed a scheme of Yoon and Kim²⁵ and improved it to support better security functionality. However, we found that Choi et al.’s scheme²⁶ also has security vulnerabilities.

Anonymity

We assumed that an authenticated user of the system could try to acquire the information of other users^27,30,31. This legitimate user would then be a powerful adversary $A$ in this scheme, because he or she can compute a hashed master key $h (x | | y)$ of the GW, and use it as a trigger to derive other secret information. Choi et al. insist that only the legal user $U_{i}$ and the GW can compute $I D_{i}$ from $AI D_{i}$ . However, we show that their scheme²⁶ is vulnerable to an anonymity-violation attack against another authenticated user. Adversary $A$ can compute $h (x | | y)$ and derive the identity $I D_{i}$ of $U_{i}$ as follows:

If a legitimate user $U_{a}$ , with a smart card $S C_{a}$ that contains $$ , attempts to attack other users, then $U_{a}$ becomes an adversary $A$ .

$A$ imprints one’s biometric template $B_{a}^{*}$ and computes $R_{a}^{*} = Rep (B_{a}^{*}, P_{a})$ and $A_{a}^{*} = h (R_{a}^{*})$ . Then $A$ can compute $h (x | | y)$ by computing $N_{a} \oplus A_{a}^{*}$ .

After that, $A$ intercepts the message $M_{i}$ of $U_{i}$ at the login phase and obtains $AI D_{i}, T_{i}$ .

Finally, $A$ derives an identity $I D_{i}$ of $U_{i}$ by computing $AI D_{i} \oplus h (h (x | | y) | | T_{i})$ . Even though $U_{i}$ changes identity in each session, $A$ can keep track of the $I D_{i}$ of $U_{i}$ without the need of $S C_{i}$ . Hence, $A$ has successfully broken the anonymity of $U_{i}$ .

User impersonation attack

Choi et al. analyzed the security of their authentication scheme and claimed that it is secure against user impersonation attack, because $A$ cannot extract $D_{i}, k_{i}$ from $AI D_{i}, C_{i}, W_{i}$ . However, an authenticated but malicious inside user $A$ can masquerade as another legitimate user $U_{i}$ . We show that Choi et al.’s scheme²⁶ is vulnerable to user impersonation attack. As shown in the previous section, $A$ can compute $h (x | | y)$ as follows:

$A$ extracts $N_{i}$ from the smart card $S C_{i}$ of the user $U_{i}$ and computes $A_{i}^{*} = N_{i} \oplus h (x | | y)$ . The $S C_{i}$ verifies the validity of the user by comparing the computed $V_{i}^{*}$ with the stored $V_{i}$ .

If it is true, $A$ generates a random number $r_{a}$ and computes $X_{a} = r_{a} \times P$ and $D_{i}^{*} = M_{i} \oplus A_{i}^{*}$ .

$A$ picks up a time stamp $T_{a}$ and computes $M_{1}'$ as

\begin{matrix} k_{a} = h (D_{i}^{*} | | T_{a}) \\ C_{a} = E_{k_{a}} (I D_{i} | | X_{a}) \\ AI D_{a} = I D_{i} \oplus h (h (x | | y) | | T_{a}) \\ W_{a} = h (h (x | | y) | | AI D_{a} | | X_{a} | | C_{a} | | T_{a}) \end{matrix}

Then $A$ sends $M_{1}' = < AI D_{a}, X_{a}, C_{a}, T_{a}, W_{a} >$ to the gateway node GW.

The following steps are the same as those of Choi et al.’s login/authentication phase from their step (4).²⁶

The GW cannot distinguish whether $M_{1}'$ is sent from $U_{i}$ or $A$ . Therefore, $A$ can impersonate the user $U_{i}$ .

Illegal smart card revocation/reissue attack

A revocation/reissue phase should be provided to protect a user’s information from loss of the smart card or other security risks. However, revocation and reissue are troublesome and require additional communication with the user, so an indiscriminate revocation/reissue phase might give rise to high computational loads for both the user and the GW.

In Choi et al.’s revocation/reissue phase,²⁶ GW compares the new identity ${ID}_{i}^{*}$ with the previous identity $I D_{i}$ to prevent a user from registering with the same user identity. However, this method gives an adversary a chance of attacking a legitimate user, because GW cannot distinguish whether or not the user who wishes to revoke $I D_{i}$ is the real user $U_{i}$ . We show two attack scenarios using a weak point of the revocation/reissue phase of Choi et al.’s scheme.²⁶

$A$ can be issued a smart card that has the same identity of the user $U_{i}$ , using another user’s smart card without the permission of $U_{i}$ . Let $A$ obtain $U_{i}$ ’s smart card $S C_{i}$ and get the identity $I D_{i}$ . Then $A$ performs the revocation/reissue phase to compromise $U_{i}$ :

(a) $A$ sends $$ , where $I D_{a}$ and $A_{a}$ are arbitrary values generated by $A$ , to GW.

(b) GW checks whether $I D_{a} ? = I D_{i}$ or not. Then GW reissues $S C_{a}$ as

\begin{matrix} M_{a} = h (I D_{i} | | x) \oplus A_{a} \\ N_{a} = h (x | | y) \oplus A_{a} \\ V_{a} = h (I D_{i} | | A_{a}) \end{matrix}

(d) $A$ can compute $A_{i} = (M_{a} \oplus M_{i} \oplus A_{a})$ or $A_{i} = (N_{a} \oplus N_{i} \oplus A_{a})$ .

Using the computed $A_{i}$ , $A$ can extract information of $U_{i}$ as illustrated in the previous two sections.

Any authenticated/unauthenticated user or adversary can revoke the smart card of an authenticated user who does not wish the said smart card to be revoked without permission because GW has no proper process for checking the legitimacy of the user on the previous identity $I D_{i}$ . As a result, $I D_{i}$ can be revoked by anyone who is not the legitimate user of $I D_{i}$ and $S C_{i}$ can be unavailable. Therefore, a checking process for the legitimacy of a revocation request is required by the GW to avoid unwanted smart card revocation/reissue.

The proposed scheme

We propose a WSN biometric-based authentication scheme that is secure against an inside adversary. We overcome the security problems of Choi et al.’s scheme. In our scheme, we modify some secret values to support anonymity and resist insider attack. We assume that the GW generates two master keys, x and y, and provides a long-term secret key $h (SI D_{j} | | y)$ to the sensor $S_{j}$ . Our scheme comprises three phases: registration, login/authentication and revocation/reissue.

Registration phase

In this phase, a user $U_{i}$ chooses an identity $I D_{i}$ and imprints biometric template $B_{i}$ , then performs the following steps:

$U_{i}$ chooses $I D_{i}$ and imprints biometric template $B_{i}$ .

$U_{i}$ computes $< R_{i}, P_{i} > = Gen (B_{i})$ and $A_{i} = h (R_{i})$ . Then $U_{i}$ sends $$ to GW.

On receiving $$ , GW computes the authentication parameters as

\begin{matrix} V_{i} = h (I D_{i} | | A_{i}) \\ M_{i} = h (x | | y | | A_{i}) \\ N_{i} = M_{i} \oplus A_{i} \\ C_{i} = E_{x} (A_{i} | | u p_{i}) \end{matrix}

GW stores $h (\cdot)$ and the authentication parameters; $< V_{i}, N_{i}, C_{i}, h (\cdot) >$ in the smart card $S C_{i}$ . Then GW issues $S C_{i}$ to $U_{i}$ through a secure channel.

$U_{i}$ stores $P_{i}$ in the smart card.

Figure 1 illustrates the registration phase of our proposed scheme.

Figure 1.

Registration phase of proposed scheme.

Login and authentication phase

To log in to GW and $S_{j}$ , $U_{i}$ performs the login phase, and then $U_{i}, GW$ and $S_{i}$ verify each other’s authenticities. Finally, $U_{i}$ and $S_{i}$ generate a session key in this phase as follows:

$U_{i}$ chooses $I D_{i}$ and imprints biometric template $B_{i}^{*}$ , then $S C_{i}$ computes $R_{i}^{*}, A_{i}^{*}$ and $V_{i}^{*}$ using fuzzy extraction and compares $V_{i}^{*}$ with $V_{i}$ as

\begin{matrix} R_{i}^{*} = Rep (B_{i}^{*}, P_{i}) \\ A_{i}^{*} = h (R_{i}^{*}) \\ V_{i}^{*} = h (I D_{i} | | A_{i}^{*}) \\ verifies V_{i} ? = V_{i}^{*} \end{matrix}

$S C_{i}$ generates a random number $r_{i}$ and computes $X_{i}$ and $M_{i}$ as

\begin{matrix} X_{i} = r_{i} \times P \\ M_{i} = N_{i} \oplus A_{i} \end{matrix}

$U_{i}$ picks up $T_{i}$ and computes $AI D_{i}$ and $W_{i}$ as

\begin{matrix} AI D_{i} = I D_{i} \oplus h (M_{i} | | T_{i}) \\ W_{i} = h (M_{i} | | I D_{i} | | X_{i} | | T_{i}) \end{matrix}

Then $U_{i}$ sends the authentication message $M_{1} = < AI D_{i}, X_{i}, C_{i}, T_{i}, W_{i} >$ to GW.

On receiving $M_{1}$ , GW retrieves $T'$ and verifies $T' - T_{i} \leq Δ T$ . If this is true, GW computes $A_{i}^{*}, M_{i}^{*}, {ID}_{i}^{*}, W_{i}^{*}$ and compares $W_{i}^{*}$ with $W_{i}$ as

\begin{matrix} A_{i}^{*} | | u p_{i} = D_{x} (C_{i}) \\ M_{i}^{*} = h (x | | y | | A_{i}^{*}) \\ {ID}_{i}^{*} = AI D_{i} \oplus h (M_{i}^{*} | | T_{i}) \\ W_{i}^{*} = h (M_{i}^{*} | | {ID}_{i}^{*} | | X_{i}^{*} | | T_{i}) \\ verifies W_{i} ? = W_{i}^{*} \end{matrix}

If this is true, GW verifies the legitimacy of $U_{i}$ .

GW picks up $T_{g}$ and computes $k_{g}$ , $C_{g}$ and $W_{g}$

\begin{matrix} k_{g} = h (h (SI D_{j} | | y) | | T_{g}) \\ C_{g} = E_{k_{g}} (AI D_{i} | | X_{i}) \\ W_{g} = h (h (SI D_{j} | | y) | | AI D_{i} | | C_{g} | | T_{g}) \end{matrix}

Then GW sends the authentication message $M_{2} = < AI D_{i}, C_{g}, T_{g}, W_{g} >$ to $S_{j}$ .

On receiving $M_{2}$ , $S_{j}$ retrieves $T^{"}$ and verifies $T^{"} - T_{g} \leq Δ T$ . If this is true, $S_{j}$ verifies the validity of $W_{g}$ by comparing it with $h (h (SI D_{j} | | y) | | AI D_{i} | | C_{g} | | T_{g})$ to check the legitimacy of GW. After that, $S_{j}$ computes $k_{g}^{*}$ and decrypts $C_{g}$ using $k_{g}^{*}$ . Then $S_{j}$ checks the validity of the received $AI D_{i}$ by comparing the computed ${AID}_{i}^{*}$ as

\begin{matrix} k_{g}^{*} = h (h (SI D_{j}) | | y) | | T_{g}) \\ D_{k_{g}^{*}} (C_{g}) = {AID}_{i}^{*} | | X_{i}^{*} \\ verifies AI D_{i} ? = {AID}_{i}^{*} \end{matrix}

$S_{j}$ generates a random number $r_{s}$ and computes $K_{SU}$ , $Y_{i}$ and a session key sk. Then $S_{j}$ picks up $T_{s}$ and computes $RM, V_{s}$ as

\begin{matrix} K_{SU} = r_{s} \times X_{i}^{*} \\ Y_{i} = r_{s} \times \Pr \\ sk = h (AI D_{i} | | K_{SU} | | T_{s}) (session key) \\ RM = Response to the query of U_{i} \\ V_{s} = h (AI D_{i} | | X_{i} | | Y_{i} | | RM | | T_{s}) \end{matrix}

Then $S_{j}$ sends $M_{3} = < RM, Y_{i}, V_{s}, T_{s} >$ to $U_{i}$ .

On receiving $M_{3}$ , $U_{i}$ retrieves $T_{s}$ and checks the sameness of $V_{s}$ . Then, $U_{i}$ computes $K_{US}$ and sk as

\begin{matrix} verifies V_{s} ? = h (AI D_{i} | | X_{i} | | Y_{i} | | RM | | T_{s}) \\ K_{US} = r_{i} \times Y_{i} \\ sk = h (AI D_{i} | | K_{US} | | T_{s}) \end{matrix}

Only the legitimate $U_{i}$ can compute $K_{US}$ and sk. Then $U_{i}$ accepts RM. $U_{i}$ and $S_{j}$ can communicate securely using the common sk.

Figure 2 illustrates the login and authentication phase of our proposed scheme.

Figure 2.

Revocation or reissue phase

To make up for smart card loss or long-term key disclosure, the smart card should be revoked and reissued in cycles.

$U_{i}$ who wants to revoke and reissue a smart card inputs the previous identity $I D_{i}$ and the new identity ${ID}_{i}^{*}$ to prevent adversaries from registering with the same identity $I D_{i}$ . Then, $U_{i}$ imprints biometric template $B_{i}$ and computes $R_{i} = Rep (B_{i}, P_{i}), A_{i} = h (R_{i})$ and $M_{i} = N_{i} \oplus A_{i}$ .

$U_{i}$ computes $Z_{i} = I D_{i} \oplus M_{i}$ and sends the revocation/reissue request message $$ to GW.

GW computes $M_{i}^{*}, Z_{i}^{*}$ and checks the legitimacy of the user as

\begin{matrix} M_{i}^{*} = h (x | | y | | A_{i}) \\ Z_{i}^{*} = I D_{i} \oplus M_{i}^{*} \\ verifies Z_{i}^{*} ? = Z_{i} \end{matrix}

If this is true, GW revokes $I D_{i}$ and records it on the revocation look-up table. Then, GW computes new authentication parameters $V_{i}$ , $N_{i}$ and $C_{i}$ as

\begin{matrix} V_{i} = h ({ID}_{i}^{*} | | A_{i}) \\ N_{i} = M_{i}^{*} \oplus A_{i} \\ C_{i} = E_{x} (A_{i} | | {up}_{i}^{*}) \end{matrix}

GW stores $h (\cdot)$ and the new authentication parameters; $< V_{i}, N_{i}, C_{i}, h (\cdot) >$ in the smart card $S C_{i}$ . Then GW reissues $S C_{i}$ to $U_{i}$ through a secure channel.

$U_{i}$ stores $P_{i}$ in the smart card.

Figure 3 illustrates the revocation/reissue phase of our proposed scheme.

Figure 3.

Revocation or reissue phase of the proposed scheme.

Analysis

In this section, we describe an analysis of our proposed authentication scheme with respect to security and performance. Table 1 compares the functionality features provided by our scheme with those of other existing schemes.

Table 1.

Comparison of functionality features.

	Yoon and Kim²⁵	Choi et al.²⁶	Ours
Provides anonymity	N/A	×	°
Provides perfect forward secrecy	N/A	°	°
Provides mutual authentication	°	°	°
Provides message confidentiality	°	°	°
Resists insider attack	°	×	°
Resists impersonation attack	°	×	°
Resists illegal smart card revocation/reissue attack	×	×	°
Resists biometric recognition error	×	°	°
Resists sk exposure by GW	×	°	°
Resists denial of service attack	×	°	°
Resists user verification problem	×	°	°
Resists stolen verifier attack	°	°	°
Resists replay attack	°	°	°
Security factor	Two-factor	Two-factor	Two-factor

°: scheme provides the property; ×: scheme does not provide the property;

N/A: scheme does not consider the property.

Security

User anonymity against insider/outsider. We use a dynamic pseudo identity $AI D_{i}$ to conceal an actual identity $I D_{i}$ . To derive $I D_{i}$ from $AI D_{i}$ , $A$ has to know $h (M_{i} | | T_{i})$ . However, $M_{i}$ is a hashed value $h = (x | | y | | A_{i})$ and $A$ , whether insider or outsider, cannot know all the values. Therefore, it is difficult for $A$ to derive $I D_{i}$ from $AI D_{i}$ . Moreover, we do not store $I D_{i}$ in the smart card $S C_{i}$ .

Perfect forward secrecy. The session key between $U_{i}$ and $S_{j}$ is computed as $sk = h (AI D_{i} | | K_{SU} | | T_{s})$ . To compute a session key, $A$ has to know both $M_{i}$ and $K_{SU}$ concurrently. Even though $A$ knows the long-term key of GW node $(x, y)$ and derives $M_{i}$ in the future, $A$ cannot know $K_{SU}$ , thus $A$ cannot compute a previous session key. Therefore, the proposed scheme provides the perfect forward secrecy.

Mutual authentication. In our scheme, $U_{i}$ , $S_{j}$ and GW authenticate each other. At first, GW authenticates $U_{i}$ by checking whether $W_{i}$ is valid or not, because only a legitimate user can generate a valid $W_{i}$ using a biometric template. Thus GW can assure the validity of the user and the message. $S_{j}$ authenticates GW by checking $W_{g}$ , which only GW can compute using the shared long-term key $h (SI D_{j} | | y)$ and the time stamp $T_{g}$ . Finally, $U_{i}$ authenticates $S_{j}$ by checking the validity of $V_{s}$ , because only $S_{j}$ can know $X_{i}$ and $Y_{i}$ .

Message confidentiality. Messages $M_{1}$ , $M_{2}$ and $M_{3}$ in the public channel do not affect the disclosure of secret values, such as $I D_{i}$ , $R_{i}$ , $r_{i}$ , $r_{s}$ and sk.

User impersonation attack. $A$ is required to compute a valid login request in order to impersonate a legal user. $A$ may attempt to login to the GW using the message $M_{1} = < AI D_{i}, X_{i}, C_{i}, T_{i}, W_{i} >$ . The GW verifies the validity of $U_{i}$ by checking the correctness of $W_{i}$ . $A$ has to compute valid $M_{i}$ , $I D_{i}$ and $X_{i}$ . However, the biometric template $B_{i}$ and the identity $I D_{i}$ are still unknown to the adversary. Therefore, the GW refuses the login request of $A$ , and $A$ fails to impersonate a legitimate user.

Gateway or sensor node impersonation attack. To masquerade as the gateway node GW or a sensor node $S_{j}$ , $A$ is required to compute $h (SI D_{j} | | y)$ . However, it is computationally difficult to guess $h (SI D_{j} | | y)$ or $k_{g}$ correctly.^35,36 Therefore, our scheme is secure against gateway or sensor node impersonation attack.

Illegal smart card revocation/reissue attack. $A$ might obtain a user’s smart card and intercept messages in a public channel. However, information of identity cannot be extracted from $S C_{i}$ or any intercepted message. Without information of identity, $A$ cannot attempt an illegal smart card revocation/reissue. Although $A$ could get the identity $U_{i}$ in some way, GW checks the legitimacy of the user on the requested identity. $A$ , however, cannot compute $M_{i}$ and the revocation/reissue request message $Z_{i}$ without biometric information of $U_{i}$ . Therefore, $A$ fails to revoke $I D_{i}$ and reissue the smart card with $I D_{i}$ .

Session key exposure by GW. GW can get both $X_{i}$ and $Y_{i}$ ; however, it cannot derive $r_{i}$ and $r_{s}$ because of the difficulty of the elliptic curve discrete logarithm problem. Therefore, GW cannot compute sk.

Vulnerability of denial of service attacks. Our scheme is comparatively robust against denial of service attacks, because $U_{i}$ , GW and $S_{j}$ check the freshness of the messages using time stamps. As Choi et al. mentioned,²⁶ our scheme is also more secure against the denial of service attack than previous authentication schemes.

User verification problem. By using fuzzy extraction, $U_{i}$ can compute consistent biometric information $A_{i}$ from the biometric template $B_{i}^{*}$ , while GW can compute $I D_{i}$ and verify a user using $A_{i}$ . Therefore, the proposed scheme resists a user verification problem.

Stolen verifier attack. $S_{i}$ and GW do not store any identities, passwords or biometric information from users. Therefore, a stolen verifier attacker who has the authority to access the database of the $S_{i}$ and GW cannot be authenticated as a legal user.

Replay attack. $U_{i}$ , GW and $S_{j}$ check the validity of the messages $W_{i}$ , $W_{G}$ and $V_{s}$ and the messages are composed of time stamps $T_{i}$ , $T_{g}$ and $T_{s}$ . If the attacker uses previous messages, $U_{i}$ , GW and $S_{j}$ can recognize the incorrectness of the message and discard it.

Performance

We compare the functionality features and the computational cost of the proposed scheme with those of other existing schemes. In Table 2, we compare the computational cost. In the comparisons, XOR operations are not considered because these can be ignored. We use mostly hash functions; these are acceptable, compared with traditional authentication schemes in WSNs. Compared with Choi et al.’s scheme,²⁶ we reduce one hash function and one encryption. Therefore our authentication is reasonable for adaptation in WSNs.

Table 2.

Comparison of computation costs

	Choi et al.²⁶			Ours
	User	GW	Sensor	User	GW	Sensor
Registration	$T_{h} + T_{F}$	$3 T_{h}$	0	$T_{h} + T_{F}$	$2 T_{h} + T_{E}$	0
Login and authentication	$10 T_{h} + T_{F} + T_{E} + 2 T_{e}$	$10 T_{h} + 2 T_{E}$	$6 T_{h} + T_{E} + 2 T_{e}$	$6 T_{h} + T_{F} + 2 T_{e}$	$7 T_{h} + 2 T_{E}$	$6 T_{h} + T_{E} + 2 T_{e}$
Revocation/reissue	$T_{h} + T_{F}$	$3 T_{h}$	0	$T_{h} + T_{F}$	$2 T_{h} + T_{E}$	0
Total	$12 T_{h} + 3 T_{F} + T_{E} + 2 T_{e}$	$16 T_{h} + 2 T_{E}$	$6 T_{h} + T_{E} + 2 T_{e}$	$8 T_{h} + 3 T_{F} + 2 T_{e}$	$11 T_{h} + 4 T_{E}$	$6 T_{h} + T_{E} + 2 T_{e}$

$T_{e}$ : computation time for elliptic curve computation; $T_{E}$ : computation time for encryption/decryption;

$T_{F}$ : computation time for fuzzy extraction; $T_{h}$ : computation time for hash function

Conclusions

In this paper, we demonstrated the security vulnerabilities of Choi et al.’s scheme and its security weakness in the revocation/reissue phase. We noted that this scheme is vulnerable to insider attack, and can cause unnecessary computational loads for a user and the gateway node, owing to faulty design of the revocation/reissue phase. In addition, we proposed a secure biometric-based authentication scheme with better security functionalities than those of Choi et al. Our scheme provides a secure and efficient smart card revocation/reissue and resists insider attack and user impersonation attack. Our scheme satisfies all the desirable security attributes, as demonstrated in our security analysis.

Footnotes

Appendix 1

Academic Editor: Ling Wang

Declaration of conflicting interests

This research received no specific grant from any funding agency in the public, commercial or not-for-profit sectors.

References

Akyildiz

Sankarasubramaniam

. A survey on sensor networks. IEEE Commun Mag 2002; 40(8): 102–114.

Yick

Mukherjee

Ghosal

. Wireless sensor network survey. Comput Networks 2008; 52(12): 2292–2330.

Pathan

ASK

Lee

Hong

. Security in wireless sensor networks: issues and challenges. In: 8th international conference on advanced communication technology, Gangwon-Do, South Korea, 20–22 February 2006, vol. 2, pp. 1043–1048. Piscataway, NJ: IEEE.

Perrig

Stankovic

Wagner

. Security in wireless sensor networks. Commun ACM 2004; 47(6): 53–57.

Ameen

Liu

Kwak

. Security and privacy issues in wireless sensor networks for healthcare applications. J Med Syst 2012; 36(1): 93–101.

Almogren

. Developing a powerful and resilient smart body sensor network through hypercube interconnection. Int J Distrib Sens Netw 2015; 2015: 4.

Wong

KHM

Zheng

Cao

. A dynamic user authentication scheme for wireless sensor networks. In: IEEE international conference on sensor networks, ubiquitous, and trustworthy computing, Taichung, Taiwan, 5–7 June 2006, vol. 1, pp. 1–8. Piscataway, NJ: IEEE.

Wander

Gura

Eberle

. Energy analysis of public-key cryptography for wireless sensor networks. In: 3rd IEEE international conference on pervasive computing and communications, HI, USA, 8–12 March 2005. pp. 324–328. Piscataway, NJ: IEEE.

Das

. Two-factor user authentication in wireless sensor networks. IEEE Trans Wireless Commun 2009; 8(3): 1086–1090.

10.

Khan

Alghathbar

. Cryptanalysis and security improvements of ‘two-factor user authentication in wireless sensor networks’. Sensors 2010; 10(3): 2450–2459.

11.

Chen

Shih

. A robust mutual authentication protocol for wireless sensor networks. ETRI J 2010; 32(5): 704–712.

12.

Yoo

Lee

Kim

. A performance and usability aware secure two-factor user authentication scheme for wireless sensor networks. Int J Distrib Sens Netw 2013; 2013: 543950.

13.

Tseng

Jan

Yang

. An improved dynamic user authentication scheme for wireless sensor networks. In: Global Telecommunications Conference, Washington, DC, USA, 26–30 November 2007. pp. 986–990. Piscataway, NJ: IEEE.

14.

Vaidya

Rodrigues

Park

. User authentication schemes with pseudonymity for ubiquitous sensor network in NGN. Int J Commun Syst 2010; 23(9–10): 1201–1222.

15.

Das

Saxena

Gulati

. A dynamic ID-based remote user authentication scheme. IEEE Trans Consum Electron 2004; 50(2): 629–631.

16.

Wang

Liu

Xiao

. A more efficient and secure dynamic ID-based remote user authentication scheme. Comput Commun 2009; 32(4): 583–585.

17.

Poon

Zhang

Bao

. A novel biometrics method to secure wireless body area sensor networks for telemedicine and m-health. IEEE Commun Mag 2006; 44(4): 73–81.

18.

Yuan

Jiang

. A biometric-based user authentication for wireless sensor networks. Wuhan Univ J Nat Sci 2010; 15(3): 272–276.

19.

Hwang

. An efficient biometrics-based remote user authentication scheme using smart cards. J Netw Comput Appl 2010; 33(1): 1–5.

20.

Lin

Lai

. A flexible biometrics remote user authentication scheme. Comp Stand Inter 2004; 27(1): 19–23.

21.

Das

Bruhadeshwar

. A biometric-based user authentication scheme for heterogeneous wireless sensor networks. In: 27th international conference on advanced information networking and applications workshops, Barcelona, Spain, 25–28 March 2013, pp. 291–296. Piscataway, NJ: IEEE.

22.

Das

. A secure and effective biometric-based user authentication scheme for wireless sensor networks using smart card and fuzzy extractor. Int J Communication Syst. Epub ahead of print 29 January 2015. DOI: 10.1002/dac.2933.

23.

Yoon

Yoo

. A new biometric-based user authentication scheme without using password for wireless sensor networks. In: 20th IEEE international workshops on enabling technologies: infrastructure for collaborative enterprises, Paris, France, 27–29 June 2011, pp. 279–284. Piscataway, NJ: IEEE.

24.

Zhang

Chen

. Robust biometric-based user authentication scheme for wireless sensor networks. IACR Cryptology ePrint Archive 2012; 2012: 203.

25.

Yoon

Kim

. Advanced biometric-based user authentication scheme for wireless sensor networks. Sens Lett 2013; 11(9): 1836–1843.

26.

Choi

Lee

Won

. Security improvement on biometric based authentication scheme for wireless sensor networks using fuzzy extraction. Int J Distri Sens Netw 2016; 2016: 8572410.

27.

Chaudhry

. A secure biometric based multi-server authentication scheme for social multimedia networks. Multimed Tools Appl 2015; : 1–21.

28.

Mishra

Kumari

Khan

. An anonymous biometric-based remote user-authenticated key agreement scheme for multimedia systems. Int J Commun Syst, Epub head of print 2 March 2015. DOI: 10.1002/dac.2946.

29.

Cao

Zhong

. Breaking a remote user authentication scheme for multi-server architecture. IEEE Commun Lett 2006; 10(8): 580–581.

30.

Boyd

Mathuria

. Protocols for key establishment and authentication. Berlin: Springer, 2003.

31.

Moon

Choi

Jung

. An improvement of robust biometrics-based authentication and key agreement scheme for multi-server environments using smart cards. PloS One 2015; 10(12): 1–15.

32.

Cao

Chai

. A simple user authentication scheme for grid computing. Int J Network Security 2008; 7(2): 202–206.

33.

Dodis

Reyzin

Smith

. Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: International conference on the theory and applications of cryptographic techniques, Interlaken, Switzerland, 2–6 May, pp. 523–540. Berlin: Springer.

34.

Sahai

Waters

. Fuzzy identity-based encryption. In: Advances in cryptology – EUROCRYPT, Aarhus, Denmark, 22–26 May 2005, pp. 457–473. Berlin: Springer.

35.

Das

Goswami

. A secure and efficient uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. J Med Syst 2013; 37(3): 1–16.

36.

Chang

Shiao

. A uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. J Med Syst 2013; 37(3): 1–9.