Next Article in Journal
An Orientation Sensor-Based Head Tracking System for Driver Behaviour Monitoring
Next Article in Special Issue
An Enhanced Three-Factor User Authentication Scheme Using Elliptic Curve Cryptosystem for Wireless Sensor Networks
Previous Article in Journal
First Spaceborne SAR-GMTI Experimental Results for the Chinese Gaofen-3 Dual-Channel SAR Sensor
Previous Article in Special Issue
A CoAP-Based Network Access Authentication Service for Low-Power Wide Area Networks: LO-CoAP-EAP
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

A Lightweight Anonymous Authentication Protocol with Perfect Forward Secrecy for Wireless Sensor Networks

1
School of Information Science and Technology, Southwest Jiaotong University, Chengdu 611756, China
2
School of Software, Beijing Institute of Technology, Beijing 100081, China
3
School of Transportation and Logistics, Southwest Jiaotong University, Chengdu 611756, China
4
School of Computer and Software Engineering, Xihua University, Chengdu 610039, China
*
Author to whom correspondence should be addressed.
Sensors 2017, 17(11), 2681; https://doi.org/10.3390/s17112681
Submission received: 27 September 2017 / Revised: 13 November 2017 / Accepted: 16 November 2017 / Published: 21 November 2017
(This article belongs to the Special Issue Security, Trust and Privacy for Sensor Networks)

Abstract

:
Due to their frequent use in unattended and hostile deployment environments, the security in wireless sensor networks (WSNs) has attracted much interest in the past two decades. However, it remains a challenge to design a lightweight authentication protocol for WSNs because the designers are confronted with a series of desirable security requirements, e.g., user anonymity, perfect forward secrecy, resistance to de-synchronization attack. Recently, the authors presented two authentication schemes that attempt to provide user anonymity and to resist various known attacks. Unfortunately, in this work we shall show that user anonymity of the two schemes is achieved at the price of an impractical search operation—the gateway node may search for every possible value. Besides this defect, they are also prone to smart card loss attacks and have no provision for perfect forward secrecy. As our main contribution, a lightweight anonymous authentication scheme with perfect forward secrecy is designed, and what we believe the most interesting feature is that user anonymity, perfect forward secrecy, and resistance to de-synchronization attack can be achieved at the same time. As far as we know, it is extremely difficult to meet these security features simultaneously only using the lightweight operations, such as symmetric encryption/decryption and hash functions.

1. Introduction

Wireless sensor networks (WSNs) have gained a great deal of attention from researchers in the academic and industrial field mainly because of two reasons: first, they consist of a large number of resource-constrained sensor nodes, which are deployed randomly in a target region [1], and second, they can be widely used in various kinds of applications, such as healthcare monitoring [2], environment sensing [3], industrial monitoring [4], etc. Generally, WSNs are developed to monitor physical or environmental conditions, such as temperature, humidity, sound, etc. and collect real-time information about these conditions. In many applications [5,6,7], external users need to access to this real-time information from the sensor nodes. Figure 1 describes a way for real-time information access in WSNs. For example, using a WSN in the healthcare environment, the patient’s real-time information such as temperature, blood pressure, and pulse rate, will be collected by sensor nodes. Then, legitimate medical workers are able to access these data directly from the sensor nodes.
Although it seems appealing for users to access the real-time data from the sensor nodes, user authentication has been a critical issue in WSNs due to their frequent use in unattended and hostile environments [8]. Because many applications for WSNs operate in such environments, such as battlefields, a malicious adversary could easily control the communication channel, i.e., he/she would be able to eavesdrop, insert, block, and alter the transmitted data. Thus, WSNs are subject to various types of attacks. To ensure that only authorized users can access the reliable sensor nodes and to protect the real-time information, it is indispensable to achieve mutual authentication and establish a session key between the user and the sensor node. Nowadays, there are mainly three ways to accomplish authenticated key establishment scheme in WSNs [9].
  • The first and the simplest solution for the authenticated key establishment is a shared symmetric key between the user and the sensor node. In this case, if a WSN has n sensor nodes and m users, each sensor node needs to store m symmetric keys, each user needs to store n symmetric keys, and the WSN needs to establish nm symmetric keys.
  • Secondly, using public key cryptography, like ECC [10], RSA [11] or ElGamal [12], is another approach to complete authenticated key establishment.
  • Third, the user and the sensor node can achieve mutual authentication and establish a session key through a trust gateway node (GWN) [13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30]. In this case, both the user and the sensor node need to share only a single key with the GWN. The GWN can help the user and the sensor authenticate each other and distribute a shared secret session key at each session. After this phase, the user can use this session key to access the real-time data from the desired sensor node without involving the GWN.
Obviously, the first method does not scale well, and the second way using public key cryptography primitives may tend to be resource intensive because most of them are based on the large integer. Hence, the authenticated key establishment scheme with the help of the GWN is even more admired owing to limited computation and communication resources, capability, bandwidth of sensor nodes. Additionally, identity masquerade and identity tracing have become common attacks in WSNs, which will cause the problem of identity privacy. Hence, there is a growing demand to achieve anonymous authentication in WSNs. Besides, since the sensor node is unattended, the long-term key of the sensor node may be compromised by an adversary. In this case, the previous session keys will be in danger. To address it, perfect forward secrecy should be considered. Therefore, anonymous authentication schemes with perfect forward secrecy for WSNs should be designed by using only the lightweight cryptographic primitives, such as symmetric key encryption/decryption and hash functions.
Many anonymous authentication schemes using lightweight cryptographic primitive have been proposed for WSNs in the past several years. However, as far as we know, most of them cannot consider perfect forward secrecy or suffer from de-synchronization attack. In this work, we design a lightweight authentication scheme for WSNs, which can achieve user anonymity, perfect forward secrecy, and resistance to de-synchronization attack at the same time.

1.1. Related Works

In some applications for WSNs, such as real-time healthcare monitoring, traffic control monitoring, and military surveillance, external users are interested in accessing real-time data directly from desired sensor nodes without involving the GWN. User authentication is an essential security measure for the user to be first authorized to the GWN as well as the sensor nodes before granting access to the real-time data. To achieve user authentication in WSNs, hundreds of schemes have been proposed in the last decade, such as remarkable schemes [13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30]. In 2006, Wong et al. [13] designed a dynamic strong-password authentication scheme for WSNs using lightweight operations, such as one-way hash function and XOR operations. But later, Das [14] pointed out that Wong et al.’s scheme is vulnerable to replay attack and stolen-verifier attack. In order to address these issues, Das [14] presented a two-factor authenticated key establishment scheme for WSNs, which claimed to provide strong authentication and resist various kinds of attacks. Unfortunately, a series of articles [15,16,17,18,19] have indicated that Das’s scheme [14] has still some drawbacks and flaws, such as susceptibility to privileged-insider attacks, smart card loss attacks, and parallel session attacks.
Although the abovementioned schemes [15,16,17,18,19] have much better performance than Das’ scheme [14], they are still prone to several security flaws, such as smart card loss attacks and forgery attacks. In 2012, Das et al. [20] developed a better scheme to solve these weaknesses. However, the security of Das et al.’s new scheme was not satisfactory, because of its vulnerability to some attacks [21,22,23]. After that, Xue et al. [24] designed a temporal-credential based authenticated key agreement scheme for WSNs using the hash function and XOR operations, which claimed to provide identity and password protection, and resiliency of smart card loss attacks. Unfortunately, Jiang et al. [25] described how the Xue et al.’s scheme [24] was insecure against identity guessing attack, privileged insider attack, tracking attack and smart card loss attack. They proposed an efficient two-factor user authentication scheme with unlinkability property in WSNs. The unlinkability pseudonym identity can help the GWN to quickly search the exact communicating user. Besides, it is able to provide user anonymity and resistance to smart card loss attack. In 2016, Das [26] proposed an enhanced authentication scheme based on Jiang et al.’s scheme [25]. He insisted that their scheme can provide higher security level than other schemes.
To the designers’ disappointment, both Jiang et al.’s scheme and Das’ scheme have been found vulnerable to the desynchronization attack [31]. Most recently, Gope and Hwang [27] proposed a realistic authentication scheme for WSNs, which can ensure various kinds of imperative security properties like mutual authentication, user anonymity, perfect forward secrecy, etc. For the communication between the user and the GWN, Gope and Hwang’s scheme employed a set of unlinkable shadow-IDs and emergency keys to prevent de-synchronization attack [31]. This is the preferred way to solve the de-synchronization attack. However, for the communication between the GWN and the sensor node, if the adversary blocks the response message flow from the sensor node, the communication will be lost in synchronization. Thus the sensor node needs to ask the GWN for the new secret shared key. Besides, we observe that their scheme also cannot resist against known session-specific temporary information attack [28]. When the session-specific temporary information Nu is disclosed to the adversary, it is obvious that Kug can be resumed from transmitted message Nx = NuKug. Then, the adversary generates his own Ts*ugnew and the session key SK*, and computes Ts* = h(Kug||IDU||Nu)⊕Ts*ugnew, SK*’’ = h(Kug||IDU||Nu)⊕SK*, V4 = h(SK*’’||Nu||Ts*||Kug), where IDU is the identity of the user, which can be off-line guessed by transmitted messages Ksug and AIDU = h(IDU||Kug||Nu||Ksug). Thus, the adversary can successfully forge a legal gateway node authentication message and get the session key.
In the same year, the authors of [28,29] proposed a lightweight authentication scheme, which uses a ‘dynamic ID technique’ to achieve user anonymity and is secure in resisting known session-specific temporary information attack. Unfortunately, we find that the two schemes are insecure against smart card loss attacks. Besides, both schemes have two design flaws, including impractical GWN search operation and no provision for perfect forward secrecy.
On the other hand, perfect forward secrecy is an important security property for authenticated schemes. Unfortunately, to the best of our knowledge, most of the authentication schemes only using lightweight cryptographic primitives cannot provide perfect forward secrecy (e.g., the recent pertinent authentication schemes [24,25,26,28,29,30]). Although Mir et al. [30] claimed that their scheme is secure in perfect forward secrecy, we find out it is still prone to forward secrecy attack. In this scheme, the authors proved that the session key SK = h(Ki||Kj||IDi||SIDi||T1) is secure under the assumption that the adversary A does not obtain the identity IDi of the user. However, if GWN’s secret key d is compromised, A can offline guess IDi through the transmitted message M as below. A guesses a candidate IDi and computes Xi = h(IDi||d), IDi||Ki||T1||Hi = DX’i(M). A checks whether IDi and IDi are equivalent. If they are equal, A can obtain the correct IDi. Otherwise, A repeats this operation until the correct IDi is obtained. Hence, Mir et al.’s scheme is unable to achieve perfect forward secrecy. Several articles [32,33,34] pointed out that it is intrinsically unable to provide perfect forward secrecy in the scheme that does not employ public-key primitives. To the best of our knowledge, some schemes [27] tried to address this issue using the one-time hash chain technique. However, it may cause de-synchronization attack because the hash chain value will be updated after each successful session.

1.2. Motivation and Contributions

Two previously-thought sound schemes [28,29] use ‘dynamic ID technique’ to achieve user anonymity at the price of the impractical exhaustive search operations. The reason is that users’ real identities are encoded into dynamic identities, no one is able to get the identity information of the user without the secret key. When the user wants to access the WSNs systems, it is difficult for the GWN to tell apart the real identity of the user. As a result, the GWN needs to search for every possible parameter to figure out the exact user. Generally, to address this, a pseudonym identity method [25,26] is used to help the GWN to read the correct information from the user information table. In this way, both of the user and the GWN store a randomly generated pseudonym identity, which is updated after each successful session. Since the pseudonym identity is different at each session, the adversary cannot track a specific user. However, Wang et al. [31] pointed out the scheme using pseudonym identity may easily suffer from the de-synchronization attacks, which may render the scheme completely unusable unless the user or the sensor node re-registers.
To the best of our knowledge, the hash chain technique can be employed to ensure perfect forward secrecy for lightweight cryptographic protocols [27]. However, like the pseudonym identity method, both communicating parties need to update their shared one-time hash chain value after completion of each session. Thus, the technique may also cause the de-synchronization attack.
Motivated by the above facts, we construct a new efficient authentication scheme for WSNs using the pseudonym identity method and one-time hash chain technique to achieve user anonymity and perfect forward secrecy. For the communication between the user and the GWN, the back-end of GWN stores two pseudonym identities PIDi0 and PIDi1 to resist against de-synchronization attack. PIDi0 stores the value of the new pseudonym identity. PIDi1 has two functions: the one is storing the value of the old pseudonym identity, the other is a tag for updating hash chain. If PIDi1 = ⊥, it means that the value of hash chain has updated in the previous session. Otherwise, the value of hash chain does not change, where ⊥ denotes null. For the communication between the GWN and the sensor node, serial number technique is used to resist against de-synchronization attack.
Altogether, in this paper, we analyze the security of two representative schemes [28,29] for WSNs and show their vulnerability to smart card loss attack, impractical GWN search operation and no provision for perfect forward secrecy. To overcome these weaknesses, we design a lightweight anonymous authentication protocol for WSNs based on the one-time hash chain and pseudonym identity. The main contributions of our scheme are summarized as follows:
(1)
The proposed scheme is resilient to various kinds of known attacks, such as de-synchronization attack, known session-specific temporary information attack;
(2)
The proposed scheme can provide mutual authentication, user anonymity, and perfect forward secrecy, etc.
(3)
The proposed scheme uses lightweight cryptographic primitives, such as symmetric encryption/decryption and hash functions. It is very suitable for the resource constrained sensor nodes.

1.3. Adversary Model

An adversary A has five goals. The first is that A can successfully impersonate the user Ui authenticating to GWN. The second is that A can successfully impersonate GWN authenticating to Ui. The third is that A can successfully impersonate the sensor node Snj authenticating to GWN. The fourth is that A can successfully impersonate GWN authenticating to Snj. And the last is that A can obtain the session key among Ui, GWN and Snj. We assume that A is a probabilistic polynomial time attacker, and the feasible attacks are summarized as follows:
A can control the channel among Ui, GWN and Snj. It means that A can eavesdrop, insert, block, and alter the transmitted messages through the public communication channel.
A can obtain one of the two authentication factors, smart card or password. If A has obtained the smart card, he can extract the secret value in the smart card and has the capability of enumerating identity and password space |DID*DPW|.
A may be another legitimate but malicious user in the system.
A may be a legitimate but malicious sensor node.

1.4. Notations

All the notations mentioned in two related schemes and our proposed scheme are defined in Table 1.

1.5. Organization of the Paper

This paper takes two relate schemes [28,29] as case studies, we present a concrete attack to show that the two schemes are insecure against the smart card loss attack. Besides, we also show both schemes have two design flaws, including impractical GWN search operation and no provision for perfect forward secrecy. Then, we put forward a new way to deal with de-synchronization attack and design an efficient anonymous authentication scheme with perfect forward secrecy for WSNs.
The rest of this paper is organized as follows: Section 2 reviews two related schemes for WSNs. Section 3 presents the detailed procedure of the proposed scheme. Section 4 gives security analysis of our scheme. The computation and communication costs analysis of the proposed scheme are discussed in Section 5. Finally, Section 6 concludes this paper.

2. Review of Two Related Schemes

This section will describe two related authenticated key establishment schemes for WSNs, which are Lu et al.’s scheme [28] and Jung et al.’s scheme [29]. The reason for choosing these two schemes is that they are the typical representations of recent schemes in WSNs which have the security flaws in smart card loss attack, impractical GWN search operation and no provision for perfect forward secrecy. First, we will give briefly review of two schemes. Later on, the detailed weaknesses of the two schemes will be described.

2.1. Review of Lu et al.’s Scheme

Lu et al.’s authentication scheme [28] is shown in Figure 2. This scheme consists of four phases: the user registration, the sensor node registration, login and authentication, password change.

2.1.1. User Registration

Step 1: A new user Ui selects the identity IDi and the password PWi, generates a random number bi. Then Ui computes Ci = h(PWi||bi), Ui transmits {IDi,Ci} to GWN through a secure channel.
Step 2: Upon receipt of the message, the GWN computes Ai = h(h(IDi)||Ci), Bi = h(TIDi||x)⊕Ci, Mi = h(IDi||x)⊕h(h(IDi)⊕Ci). After that, GWN stores {TIDi} in its memory, and stores {Ai,Bi,Mi} into smart card SC. Finally, GWN sends SC to Ui via a private channel.
Step 3: After receiving SC from GWN, Ui stores bi into SC.

2.1.2. Sensor Node Registration

Step 1: A new sensor node Snj selects identity SIDj and transmits {SIDj} to GWN through a secure channel.
Step 2: The GWN computes Aj = h(SIDjKGMN_S), and returen it to Snj after storing {SIDj,Aj} into its memory.
Step 3: After receiving SIDj, Aj from GWN, Snj stores them into its memory as the secret.

2.1.3. Login

When a user Ui desires the WSNs services, he/she needs to achieve mutual authenticate with GWN and Snj. As shown in Figure 2, the process of mutual authentication is described as follows.
Step 1: Ui inputs IDi and PWi into the smart card SC. SC computes Ci = h(PWi||bi), Ai = h(h(IDi)||Ci), and compares Ai with the stored value Ai. If they are not equal, SC terminates the session. Otherwise, SC believes Ui as a legitimate user. Next, SC generates a random number ri, and computes h(IDi||x) = Mih(h(IDi)⊕Ci), EK = h(TIDi||x) = BiCi, CT1 = EEK(IDi||T1||TIDi||ri), Ei = h(h(IDi||x)||ri||T1), where T1 is the timestamp. Finally, SC sends the login request {CT1,Ei} to GWN through the public channel.
Step 2: After receiving the login messages, the GWN computes EK = h1(TIDi||x), IDi||T1||TIDi||ri = DEK(CT1). Then, the GWN checks the timestamp T1, computes Ei = h(h(IDi||x)||ri||T1), and checks whether Ei matches with the received Ei. If it does not hold, GWN terminates the session. Otherwise, the GWN generates a random numnber rk, and computes CT2 = Eh(SIDjKGMN_S)(rkri||TIDi||T1||T2), Gi = h(TIDi||SIDj||h(SIDjKGMN_S)||IDGWN||T2||rkri), where T2 is the timestamp. Finally, the GWN sends {CT2,Gi} to the sensor node Snj that Ui wants to interact with via the public channel.
Step 3: Upon receiving the messages {CT2,Gi} from GWM, Snj at first computes rkri||TIDi||T1||T2 = Dh(SIDjKGMN_S)(CT2). Then, Snj checks the timestamp T2, computes Gi = h(TIDi||SIDj||h(SIDjKGMN_S)||IDGWN||T2||rkri), and checks whether Gi matches with the received Gi. If it does not hold, Snj terminates the session. Otherwise, the Snj generates a random numnber rj, and computes SK = h(rkrirj||T1||T2||T3), CT3 = Eh(SIDjKGMN_S)(rj||T3||rkri), Ii = h(SIDj||TIDi||T3||SK), where T3 is the timestamp. Finally, Snj transmits {CT3, Ii} to GWN.
Step 4: GWN first computes rj||T3||rkri = Dh(SIDjKGMN_S)(CT3). Then, the GWN checks the timestamp T3, and computes SK = h(rkrirj||T1||T2||T3), Ii = h(SIDj||TIDi||T3||SK), and checks whether Ii matches with the received Ii. If it does not hold, GWN terminates the session. Otherwise, the GWN computes CT4 = Eh(IDix)(rkrj||ri||SIDj||IDGWN||T2||T3||T4), Vi = h(SK||T4||h(TIDi||x)), where T4 is the timestamp. Finally, GWN transmits {CT4, Vi} to Ui.
Step 5: Ui computes rkrj||ri||SIDj||IDGWN||T2||T3||T4 = Dh(IDix)(CT4), and checks the timestamp T4. Then Ui computes SK = h(rkrirj||T1||T2||T3), Vi = h(SK||T4||h(TIDi||x)), and checks whether Vi matches with the received Vi. If it holds, Ui completes the authentication. Otherwise, Ui fails to authenticate the GWN.

2.1.4. Password Update Phase

When a user Ui wants to update the password, he/she needs to execute the following steps:
Step 1: Ui inputs IDi, PWi into the smart card SC. SC computes Ci = h(PWi||bi), h(TIDi||x) = BiCi, h(IDi||x) = Mih(h(IDi)⊕Ci), Ai = h(h(IDi)||Ci), and checks whether Ai and Ai are equal. If not, SC fails to authenticate Ui, and rejects the request of the password update. Otherwise Ui inputs a new password PW*i.
Step 2: SC computes C*i = h0(PW*i||bi), B*i = h(TIDi||x)⊕Ci⊕C*i, M*i = h(IDi||x)⊕h(h(IDi)⊕C*i) and A*i = h(h(IDi)||C*i).
Step 3: Finally, A*i,B*i, and M*i are stored in SC to replace Ai, Bi, and Mi respectively.

2.2. Review of Jung et al.’s Scheme

Jung et al.’s authentication scheme [29] is shown in Figure 3. This scheme consists of three phases: registration, login and authentication, password change. This scheme has not sensor node registration phase. When the sensor node is developed, a shared key KGWN_S between the sensor node and the GWN is assigned.

2.2.1. User Registration

Step 1: A new user Ui selects the identity IDi and the password PWi, generates a random number bi. Then Ui computes Ci = h(PWi||bi), Ui transmits {IDi,Ci} to GWN through a secure channel.
Step 2: Upon receipt of the message, the GWN computes v = h(xi), Ni = h(IDi||Ci)⊕v, Mi = h(Ci||v). After that, GWN stores {v} in its memory, and stores {Ni,Mi,h} into smart card SC. Finally, GWN sends SC to Ui via a private channel.
Step 3: After receiving SC from GWN, Ui stores bi into SC.

2.2.2. Login and Authentication

When a user Ui desires the WSNs services, he/she needs to achieve mutual authenticate with GWN and Snj. Figure 3 illustrates the process of mutual authentication for the proposed scheme. In detail, the process is:
Step 1: Ui inputs IDi and PWi into the smart card SC. SC computes Ci = h(PWi||bi), v = h(IDi||Ci)⊕Ni, Mi = h(Ci||v), and compares Mi with the stored value Mi. If they are not equal, SC terminates the session. Otherwise, SC believes Ui as a legitimate user. Next, SC generates a random number R1, and computes DIDi = h(IDi||R1), EK = h(DIDi||v||T1), CT1 = EEK(DIDi||R1||T1), where T1 is the timestamp. Finally, SC sends the login request {DIDi, CT1, T1} to GWN through the public channel.
Step 2: After receiving the login messages, the GWN first checks the timestamp T1, and computes EK = h(DIDi||h(xi)||T1), DIDi||R1||T1 = DEK(CT1). Then, the GWN checks whether DIDi and T1 matches with the received values. If they do not hold, GWN terminates the session. Otherwise, the GWN generates a random numnber R2, and computes CT2 = R2h(xS||SIDj), SK = h(DIDi||h(KGWN_S||SIDj)||R2||T2), Bi = h(DIDi||SK||h(KGWN_S||SIDj)||SIDj||T2), where T2 is the timestamp. Finally, the GWN sends {CT2,DIDi,Bi,T2} to the sensor node Snj.
Step 3: Upon receiving the messages {CT2,DIDi,Bi,T2i} from GWM, Snj first checks the timestamp T2, and computes R2 = CT2h(KGWN_S||SIDj), SK = h(DIDi||h(KGWN_S||SIDj)||R2||T2), Bi = h(DIDi||SK||h(KGWN_S||SIDj)||SIDj||T2). Then, the Snj checks whether Bi matches with the received Bi. If it does not hold, Snj terminates the session. Otherwise, the Snj computes Ci = h(h(KGWN_S||SIDj)||SK||DIDi||SIDj||T3), where T3 is the timestamp. Finally, Snj transmits {Ci,T3} to GWN.
Step 4: GWN first checks the timestamp T3, and computes Ci = h(h(KGWN_S||SIDj)||SK||DIDi||SIDj||T3). Then, the GWN checks whether Ci matches with the received Ci. If it does not hold, GWN terminates the session. Otherwise, the GWN computes CT3 = EEK(DIDi||SIDj||SK||R1||T4), where T4 is the timestamp. Finally, GWN transmits {CT3, T4} to Ui.
Step 5: Ui checks the timestamp T4 and computes DIDi||SIDj||SK||R1||T4 = DEK(CT3). Then Ui checks whether DIDi, R1, and T4 matches with the previous values. If it holds, Ui completes the authentication. Otherwise, Ui fails to authenticate the GWN.

2.2.3. Password Update Phase

When a user Ui wants to update the password, he/she needs to execute the following steps:
Step 1: Ui inputs IDi, PWi into the smart card SC. SC computes Ci = h(PWi||bi), v = h(IDi||Ci)⊕Ni, Mi = h(Ci||v), and checks whether Mi and the stored Mi are equal. If not, SC fails to authenticate Ui, and rejects the request for the password update. Otherwise Ui inputs a new password PW*i.
Step 2: SC computes C*i = h0(PW*i||bi), N*i = v⊕h(IDi||C*i), and M*i = h(C*i||v).
Step 3: Finally, N*i and M*i are stored in SC to replace Ni and Mi respectively.

2.3. Security Analysis of Two Related Schemes

The security of the above two related schemes will be discussed in this section. Both of them are claimed that they can resist against various kinds of attacks and fulfill the desirable security requirements. However, we find that these two schemes are prone to smart card loss attack. Besides, they also suffer from two design flaws, including the impractical GWN search operation and no provision for perfect forward security.

2.3.1. Smart Card Loss Attack

The smart card loss attack means that the password in the smart card can be guessed offline in the case where the smart card is lost or stolen. The authors of the above two schemes [28,29] have proved that their schemes are secure against this attack. The proofs assume that the identity of the user is unable to be guessed. However, since the identity of the user is a weak strength with low entropy, several articles [32,35,36] have proposed that the identity may be leaked when the smart card is lost or stolen. We now describe the details of this attack.
For Lu et al.’s scheme [28], suppose that the adversary A has obtained the smart card of Ui, and can extract secret information <Ai,Bi,Mi,bi,h> from it, where Ai = h(h(IDi)||Ci), Bi = h(TIDi||x)⊕Ci, Mi = h(IDi||x)⊕h(h(IDi)⊕Ci), Ci = h(PWi||bi). Then A can successfully guess the IDi and PWi as below.
Step 1: A guesses a candidate pair IDi and PWi, and computes Ci = h(PWi||bi), Ai = h(h(IDi)||Ci).
Step 2: A checks whether Ai and Ai stored in smart card are equivalent. If they are equal, A can obtain the correct IDi and PWi pair. Otherwise, A repeats the steps 1 and 2 until the correct IDi and PWi pair is obtained.
For Jung et al.’s scheme [29], the smart card stores <Ni,Mi,bi,h>, where Ni = h(IDi||Ci)⊕v, Mi = h(Ci||v), v = h(xi), Ci = h(PWi||bi). Therefore, the process of launching smart card loss attack is similar, in many ways, to the process of attacking Lu et al.’s scheme. A can guess the correct IDi and PWi pair through checking whether Mi = h(h(PWi||bi)||Nih(IDi||h(PWi||bi))) holds or not.
Since the identity space |DID| and the password space |DPW| are usually not more than 106, the time required for A to complete this attack is linear [35]. As a result, Lu et al.’s scheme and Jung et al.’s scheme still fail to smart card loss attack.

2.3.2. Impractical GWN Search Operation

User anonymity is an important security feature of authentication scheme for WSNs, which consists of two properties, user identity-protection, and untraceability [36]. User identity-protection means that the adversary could not know the real identity of the user, and user untraceability guarantees that the adversary can neither determine who the user is nor distinguish whether two sessions are executed by the same user. To achieve user anonymity, the ‘dynamic ID technique’ is widely adopted in most schemes, so do Lu et al.’s scheme [28] and Jung et al.’s scheme [29]. In the two schemes, a user requires concealing his real identity into a dynamic identity. When the user wants to log in GWN, it is difficult for GWN to tell apart the real identity of the user. As a result, the GWN needs to search for every possible parameter or have a back-end channel to figure out the exact user, which is impractical [27]. The detailed of this operation will be described as follows.
For Lu et al.’s scheme, the user sends a login message {CT1,Ei} to GWN, where CT1 = EEK(IDi||T1||TIDi||ri), Ei = h(h(IDi||x)||ri||T1), EK = h(TIDi||x) = BiCi. After receiving the message {CT1,Ei} from the user, the GWN decrypts CT1 by the symmetric key EK = h(TIDi||x). Now, there is a problem that the GWN does not figure out exactly which TIDi is the communicating user’s because all of the users’ TIDi are stored in the GWN. The GWN has to perform an exhaustive search operation to obtain the exact user’s TIDi. Let L is the size of user’s information table, Th is the execution time for hash operation and TE is the execution time for the decryption operation. The time complexity of the above operation is O(L*Th*TE). This is obviously impractical.
The similar problem can also be found in Jung et al.’s scheme. The user sends a login message {DIDi,CT1,T1} to GWN, where CT1 = EEK(DIDi||R1||T1), EK = h(DIDi||v||T1), DIDi = h(IDi||R1), v = h(xi). After receiving the message {DIDi,CT1,T1} from the user, GWN decrypts CT1 by the symmetric key EK = h(DIDi||h(xi)||T1), where xi is the shared symmetric key between the user and the GWN. Since all users’ shared symmetric keys are stored in the GWN, the GWN does not figure out exactly which one is the communicating user’s. It is obviously unrealistic for the GWN to perform an exhaustive search operation to obtain the exact user’s xi. Because the time complexity of the above operation is O(L*2Th*TE), where L is the size of user’s key table, Th is the execution time for hash operation and TE is the execution time for the decryption operation.

2.3.3. No Provision for Perfect Forward Secrecy

Perfect forward secrecy is one of the important security properties for authenticated key establishment protocols. A protocol is said to achieve the notion of perfect forward secrecy if the compromise of long-term keys does not compromise the previous session keys [33]. In the practical application, such as battlefield, the sensor node is unattended, which make it be dangerous in compromised by the adversary. Then the long-term key of the sensor node may be compromised and the previous session keys will be retrieved. Therefore, perfect forward secrecy should be considered for WSNs. However, none of the above two schemes [28,29] can provide perfect forward secrecy.
For Lu et al.’s scheme, suppose the user’s long-term secret key h(IDi||x) and h(TIDi||x) are compromised by the adversary A, and A has captured all the previous transmitted messages through the public communication channel. In this case, A is able to obtain all the previous message CT4. Thus, A can retrieve the past session keys through rkrj||ri||SIDj||IDGWN||T2||T3||T4 = Dh(IDix)(CT4), SK = h(rkrirj||T1||T2||T3). Meanwhile, if the GWN’s long-term secret key x and the sensor node’s long-term secret key KGMN_S are compromised, the previous session keys will also be retrieved.
The similar problem can also be found in Jung et al.’s scheme, if the user’s long-term secret key v is compromised by A, and A has captured all the previous transmitted messages DIDi, CT3, T1 through the public communication channel. Thus, A can retrieve the past session keys through EK = h(DIDi||v||T1), DIDi||SIDj||SK||R1||T4 = DEK(CT3). Meanwhile, if the GWN’s long-term secret key xi and the sensor node’s long-term secret key KGWN_S are compromised, the previous session keys will also be retrieved.

3. The Proposed Scheme

This section will describe each phase of the proposed anonymous authentication scheme for WSNs. It uses PID instead of the user’s real identity to protect user anonymity. In order to achieve the perfect forward secrecy, the transmitted messages in public channel are protected by the one-time hash chain technique. The back-end of GWN stores new PID and old PID during execution so as to resist against de-synchronization attack. The old PID will be set null until the GWN completes the authentication successfully. The proposed scheme consists of four phases: registration phase, authentication and key agreement phase, password update phase, and dynamically deploy sensor nodes phase. We will describe the detail in the upcoming subsection.

3.1. Registration Phase

The registration phase includes user registration phase and sensor node registration. The details of these processes are described as follows. Figure 4 illustrates the registration phase for the proposed scheme.

3.1.1. User Registration

When a user Ui wants to access a sensor node Snj, he/she needs to register in GWN first. The GWN issues a smart card to Ui as a response to the registration request. As shown in Figure 4a, the procedure of user registration is described as follows.
Step 1: A new user Ui selects identity IDi and password PWi, generates a random number bi. Then Ui computes Ci = h0(IDi||PWi||bi), Ui transmits {IDi,Ci} to GWN through a secure channel.
Step 2: The GWN checks whether IDi exists in the user information table. If it exists, GWN rejects the registration request. Otherwise, GWN generates three random numbers ui,a,b, sets NCi = a, PIDi = PIDi0 = b, PIDi1 = ⊥, and computes Ki = h1(IDi||x||ui), Fi = KiCi,V = h2(h3(Ki||Ci)), where ⊥ denotes null. After that, GWN updates the user identity information table with the new entry {PIDi0,PIDi1,IDi,NCi,ui}, and stores {PIDi,Fi,NCi,V} into smart card SC. Finally, GWN sends SC to Ui via a private channel.
Step 3: After receiving SC from GWN, Ui stores bi into SC.

3.1.2. Sensor Node Registration

When a new sensor node Snj is deployed, Snj is required to register in GWN. As shown in Figure 4b, the procedure of sensor node registration is described as follows.
Step 1: The new sensor node Snj selects identity SIDj and transmits {SIDj} to GWN through a secure channel.
Step 2: The GWN checks whether SIDj exists in the sensor node information table. If it exists, the GWN rejects the registration request. Otherwise, the GWN generates a random number KGWN-S, and sets the initial sequence numbers NSj = NSj0 = 0. After that, GWN updates the sensor node information table with the new entry {SIDj,NSj0,KGWN-S}, and sends {NSj,KGWN-S } to Snj via a private channel.
Step 3: After receiving NSj,KGWN-S from GWN, Snj stores them into its memory as secret.

3.2. Authentication and Key Agreement Phase

When a user Ui wants to gain access to WSNs, Ui needs to achieve mutual authenticate with GWN and Snj. As shown in Figure 5, the process of mutual authentication is described as follows.
Step 1: Ui inputs IDi and PWi into the smart card SC. SC computes Ci = h0(IDi||PWi||bi), Ki = FiCi, V’ = h2(h3(Ki||Ci)), and compares V’ with the stored value V. If they are not equal, SC terminates the session. Otherwise, SC believes Ui as a legitimate user. Next, SC generates a random number rA, and computes EK = h1(PIDi||Ki||NCi), CT1 = EEK(rA||T), V1 = h3(IDi||rA||Ki||PIDi||NCi||T), where T is the timestamp. Finally, SC sends the login request {PIDi,CT1,V1} to GWN through the public channel.
Step 2: After receiving the login messages, GWN at first checks the timestamp T. Then GWN searches its back-end database to get each pair of the pseudonym identity (PIDi0,PIDi1) and operates as follows:
(1)
GWN checks whether the pseudonym identity exists in the user information table.
  • If PIDi = PIDi0, it means that both the user’s and GWN’s pseudonym identity are updated in the previous session. Then GWN needs to verify whether the one-time hash chain value updates or not. GWN checks whether PIDi1 = ⊥ holds.
    If the equation does not hold, it means that the GWN’s hash chain value does not update in the previous session. So, GWN computes NC’i = h1(NCi), Ki = h1(IDi||x||ui), EK = h1(PIDi0||Ki||NC’i), rA||T = DEK(CT1), V’1 = h3(IDi||rA||Ki||PIDi0||NC’i||T). The GWN checks whether V’1 matches with the received V1. If it holds, GWN generates a random PID’i0, and sets PIDi1 = PIDi0, PIDi0 = PID’i0, NCi = NC’i. Otherwise, GWN terminates the session.
    Otherwise, GWN computes Ki = h1(IDi||x||ui), EK = h1(PIDi0||Ki||NCi), rA||T = DEK(CT1), V’1 = h3(IDi||rA||Ki||PIDi0||NCi||T). The GWN checks whether V’1 matches with the received V1. If it holds, GWN generates a random PID’i0, and sets PIDi1 = PIDi0, PIDi0 = PID’i0. Otherwise, GWN terminates the session.
  • If PIDi = PIDi1, it means that the user’s pseudonym identity and hash chain are not updated in the previous session. GWN computes Ki = h1(IDi||x||ui), EK = h1(PIDi1||Ki||NCi), rA||T = DEK(CT1), V’1 = h3(IDi||rA||Ki||PIDi1||NCi||T). GWN checks whether V’1 matches with the received V1. If it holds, GWN generates a random PID’i0, and sets PIDi0 = PID’i0. Otherwise, GWN terminates the session.
  • If PIDiPIDi0, PIDiPIDi1, GWN terminates the session.
(2)
GWN randomly generates a session key sk and chooses a specified sensor node SIDj, and computes CT2 = (sk||IDi)⊕h0(KGWN-S||SIDj||NSj0), V2 = h3(IDi||SIDj||sk||KGWN-S||NSj0). Subsequently, GWN updates KGWN-S = h1(KGWN-S||SIDj), NSj0 = NSj0 + 1.
(3)
GWN sends {CT2,V2,NSj0} to the sensor node Snj that Ui wants to interact with via the public channel.
Step 3: Upon receiving the messages {CT2,V2,NSj0} from GWM, Snj at first verifies whether 1≤NSj0-NSjN, where N is a threshold, which sets according to specific requirements of applications. If it does not hold, Snj terminates the session. Otherwise, Snj set K’GWN-S = KGWN-S, and computes N-1 times K’GWN-S = h1(K’GWN-S||SIDj), if N-1 = 0, there is no hash function operation. Next, Snj computes sk||IDi = CT2h0(K’GWN-S||SIDj||NSj0-1), V2’ = h3(IDi||SIDj||sk||K’GWN-S||NSj0-1). Then, Snj checks whether V’2 matches with the received V2. If it holds, Snj computes V3 = h3(SIDj||IDi||sk||NSj0), and updates KGWN-S = h1(K’GWN-S||SIDj), NSj = NSj0. Otherwise, Snj terminates the session. Finally, Snj transmits {SIDj, V3} to GWN.
Step 4: GWN first computes V’3 = h3(SIDj||IDi||sk||NSj0), and checks whether V’3 matches with the received V3. If it holds, GWN computes GEK = h1(rA||PIDi1||Ki||NCi), CT3 = EGEK(sk||PIDi0||SIDj), V4 = h3(IDi||sk||rA||PIDi0). Otherwise, GWN terminates the session. Finally, GWN transmits {CT3, V4} to Ui.
Step 5: Ui computes GEK = h1(rA||PIDi||Ki||NCi), sk||PIDi0||SIDj = DGEK(CT3), V4 = h3(IDi||sk||rA||PIDi0), and checks whether V’4 matches with the received V4. If it holds, Ui computes V5 = h3(SIDj||IDi||PIDi0||sk), and updates NCi = h1(NCi), PIDi = PIDi0. Otherwise, Ui terminates the session. Finally, Ui sends {V5} to GWN.
Step 6: After receiving the message V5 from Ui, GWN computes V’5 = h3(SIDj||IDi||PIDi0||sk), and checks whether V’5 matches with the received V5. If it holds, GWN updates NCi = h1(NCi), PIDi1 = ⊥. Otherwise, GWN fails to authenticate Ui.
Thus, the authentication key agreement among three-party is successful, and they establish the session key sk with each other as summarized in Figure 5.

3.3. Password Update Phase

When a user Ui wants to update the password, he/she needs to run the following steps:
Step 1: Ui inputs IDi, PWi into the smart card SC. SC computes Ci = h0(IDi||PWi||bi), Ki = FiCi, V’ = h2(h3(Ki||Ci)), and checks whether V’ and V are equal. If not, SC fails to authenticate Ui, and rejects the request of the password update. Otherwise Ui inputs a new password PW*i.
Step 2: SC computes C*i = h0(IDi||PW*i||bi), F*i = Ki⊕Ci⊕C*i, V* = h2(h3(Ki||C*i)).
Step 3: Finally, F*i and V* are stored in SC to replace Fi and V respectively.

3.4. Dynamically Deploy Sensor Nodes Phase

When the system administrator deploys a new sensor node in the existing system, the deployed sensor node is required to apply to register in the GWN. The procedure of sensor node registration follows the steps described in Section 3.1.2.

4. Security Analysis of Our Scheme

In the section, we will discuss the security of our proposed scheme. First, the strand space model will be adopted to demonstrate the validity of our scheme. Second, we will demonstrate that our scheme provides mutual authentication and session key security using automated protocol verifier tool ProVerif. Finally, further security analysis illustrates the ability of the proposed scheme to resist various known attacks.

4.1. Authentication Proof Based on Strand Space Model

Strand space model [37,38] is a well-known formal analysis method to verify the security of cryptographic protocols. Before we prove the correctness of our proposed scheme using stand space mode, we will describe the basic notions as below.

4.1.1. The Basic Notion of Strand Space Model

According to [37,38], a stand space is a set Σ of stands with a trace mapping tr:Σ → (±A)*, which includes various protocol participant stands and penetrator strands. Where A is a set, the elements of which are the transmitted messages between principals. (±A)* is the set of finite sequences. The elements of A is denoted as terms t. t1 t is defined as that t1 is a subterm of t. Due to the limitations of space, only the fundamental notations and lemmas in strand space model are enumerated here:
  • +t/-t: send/receive a term t.
  • <s,i>: a node of s, where sΣ, 1 ≤ i ≤ length(tr(r)). If n = <s,i>, then, index(n) = i, strand(n) = s, term(n) is the ith signed term in the trace of s, and uns_term(n) is the unsigned part of the ith signed term in the strand of s.
  • n1n2: it means that the node n1 sends a message and n2 receives the message.
  • n1 n2: it means that n1 is an immediate causal predecessor of n2, n1 = <s,i> and n2 = <s,i + 1>.
  • n1 + n2: it means that n1 is a precedence of n2, n1 = <s,i> and n2 = <s,j>, i < j.
  • S: a set of edges with respect to the causal relations →, and +.
  • n S n’: it means that there are one or more edges in S leading from n to n’.
  • n _ S n’: it means that there are zero or more edges in S leading from n to n’.
  • T: a set of atomic messages.
  • K: a set of cryptographic keys, which disjoints from T.
  • {m}K: it means that the message m is encrypted by the key K.
Lemma 1.
Suppose C is a bundle. Then _ C is a partial order, i.e., a reflexive, anti-symmetric, transitive relation. Every non-empty subset of the nodes in C has _ C -minimal members.
Lemma 2.
Suppose C is a bundle. and suppose S is a set of nodes such that uns_term(m) = uns_term(m’) implies that m S iff m’ S, for all nodes m,m’. If n is a _ C -minimal member of S, then the sign of n is positive.

4.1.2. Penetrator Strands

The following describes the abilities of an adversary, which are mainly characterized by the two factors, the one is the key set Kp possessed by the adversary, the other is the capability of the adversary to generate new messages from messages he intercepts. The strands of the adversary/penetrator are as follows:
M. Text message: < + t>, the penetrator sends an atomic messages t, where tT.
F. Flushing: <-g>, the penetrator receives message g.
T. Tee: <-g, + g, + g>, the penetrator receives message g and forward it.
C. Concatenation: <-g,-h, + gh>, after receiving messages g and h, the penetrator joins them to get gh, then sends gh.
S. Separation into components: <-gh, + g, + h>, upon receiving message gh, the penetrator sends message g and h.
K. Key: < + K>, the penetrator sends a key K, where KKP.
E. Encryption: <-K,-h, + {h}K>, after receiving a key K and a message h, the penetrator encrypts h using K, and gets {h}K. Then, he sends {h}K.
D. Decryption: <-K−1,-{h}K, + h>, after receiving a private key K−1 and a ciphertext {h}K, the penetrator decrypts {h}K using K, and gets h. Then, he sends h.
H. Hash:<-K,-M, + H(K,M)>, after receiving a key K and a message M, the penetrator compute the hash value of K||M, and gets H{K||M}. Then, he sends H{K||M}.

4.1.3. Authentication Proof Based on the Stand Space Model

The process of our proposed authentication scheme is as follows:
(1)
Ui → GWN: PIDi, CT1, V1
(2)
GWN → Snj: CT2, V2, NSj0
(3)
Snj → GWN: SIDj, V3
(4)
GWN → Ui: CT3, V4
(5)
Ui → GWN: V5
where EK = h1(PIDi||Ki||NCi), CT1 = EEK(rA||T), V1 = h3(IDi||rA||Ki||PIDi||NCi||T), CT2 = (sk||IDi)⊕h0(KGWN-S||SIDj||NSj0), V2 = h3(IDi||SIDj||sk||KGWN-S||NSj0), V3 = h3(SIDj||IDi||sk||NSj0), GEK = h1(rA||PIDi1||Ki||NCi),CT3 = EGEK(sk||PIDi0||SIDj),V4 = h3(IDi||sk||rA||PIDi0), V5 = h3(SIDj||IDi||PIDi0||sk).
The security goal of our proposed scheme is that the three participants should authenticate each other and share a secret key sk. In order to make the process of proof description clearer, we will refer to our proposed scheme using abbreviations LAAP.
Definition 1.
Let (Σ,P) be an infiltrated strand space. The strands space model is shown in Figure 6. (Σ,P) is a LAAP space if Σ have four kinds of strands.
(1) 
Penetrator strands s ∈ P.
(2) 
‘User strands’ with trace U[IDi,SIDj,T, rA,PIDi,PIDi0,Ki,NCi,sk], defined to be < + {PIDi, CT1, V1}, -{CT3, V4}, + {V5}>, where IDi, SIDj ∈ Tname, rA, sk,PIDi ∈ T, Ki,NCi ∈ K, rA Tname, rA K.
(3) 
‘GWN strands’ with trace G[IDi,SIDj,T, rA,PIDi0, PIDi1,Ki,NCi,sk,KGWN-S, NSj0],defined to be < −{PIDi, CT1, V1}, + { CT2,V2,NSj }, −{SIDj, V3}, + { CT3,V4}, −{V5} >, where IDi, SIDj ∈ Tname, rA, sk,PIDi,PIDi0,PIDi1 ∈ T, Ki,NCi,KGWN-S ∈ K, sk Tname, sk K.
(4) 
‘Sensor node’ strands with trace Sn[IDi,SIDj,sk,KGWN-S,NSj0],defined to be <−{CT2,V2,NSj0}, + {SIDj, V3} >
If the user, the GWN, and the sensor node can achieve successful authentication with each other, our scheme is a secure authentication scheme. The details in the proof of our proposed scheme using strand space model is described in the Appendix A.

4.2. Formal Security Validation Using ProVerif

In this section, we will demonstrate that our scheme provides mutual authentication and session key security using automated protocol verifier tool ProVerif [39,40,41]. ProVerif is one of the widely used formal verification tools for cryptography protocols, which supports many cryptographic primitives, including symmetric and asymmetric cryptography, digital signatures, hash functions, Diffie-Hellman key agreements, and signature proofs of knowledge.
In order to analyze the security of our scheme by ProVerif, we define two public channels, c1 is the public channel between the user and the GWN and c2 is the public channel between the GWN and the sensor node. The proposed scheme is modeled as the parallel execution of three distinct processes: the user, the GWN and the sensor node. We have implemented the specifications in the latest version 1.96 of Proverif [42] for three processes. The implementation details of the proposed scheme are provided in the supplementary material available at [43].
ProVerif allows the verifier encrypts some free names using the secrecy session key, and verifies the security of session key by test the secrecy of that free names [41]. As shown in Figure 3, we use four names secretA, secretB, secretC and secretD for secrecy queries to analyze the secrecy of session key sk. To verify mutual authentication, we declare eight events:
  • event beginUGparam(host), event endUGparam(host),
  • event beginGUparam(host), event endGUparam(host),
  • event beginGSparam(host), event endGSparam(host),
  • event beginSGparam(host), event endSGparam(host).
Intuitively, if one participant believes he has completed the scheme with another participant and hence executes the event endXXparam(host), where XX denotes UG, GU, GS, or SG. The results show that our scheme can achieve mutual authentication and session key security. We describe the results of the code as below:
Query not attacker(secretA[]), not attacker(secretB[]),not attacker(secretC[]), not attacker(secretD[])
RESULT not attacker(secretA[]), not attacker(secretB[]), not attacker(secretC[]), not attacker(secretD[]) are true.
The result means that the adversary has not trace to reconstruct secretA, secretB, secretC, secretD. Hence, the session key sk is secure to resist cracking.
Query inj-event(endGUparam(GWN)) ═> inj-event(beginGUparam(GWN))
RESULT inj-event(endGUparam(GWN)) = = > inj-event(beginGUparam(GWN)) is true.
This result means that the execution of the event beginGUparam(GWN) is preceded by the execution of the event endGUparam(GWN). Hence, the authentication of the user to the GWN holds.
Query inj-event(endUGparam(user)) ═> inj-event(beginUGparam(user))
RESULT inj-event(endUGparam(user)) ═> inj-event(beginUGparam(user)) is true.
This result means that the execution of the event beginUGparam(user) is preceded by the execution of the event endUGparam(user). Hence, the authentication of the GWN to the user holds.
Query inj-event(endGSparam(GWN)) ═> inj-event(beginGSparam(GWN))
RESULT inj-event(endGSparam(GWN)) ═> inj-event(beginGSparam(GWN)) is true.
This result means that the execution of the event beginGSparam(GWN) is preceded by the execution of the event endGSparam(GWN). Hence, the authentication of the sensor node to the GWN holds.
Query inj-event(endSGparam(SN)) ═> inj-event(beginSGparam(SN))
RESULT inj-event(endSGparam(SN)) ═> inj-event(beginSGparam(SN)) is true.
This result means that the execution of the event beginSGparam(GWN) is preceded by the execution of the event endSGparam(GWN). Hence, the authentication of the GWN to the sensor node holds.

4.3. Further Security Analysis of Our Scheme

In this section, the ability of the proposed scheme to resist various known attacks will be analyzed.

4.3.1. Resistance to De-synchronization Attack

Our scheme employs PID and one-time hash chain techniques to provide user anonymity and perfect forward secrecy. Hence, it needs an additional synchronization method to maintain the consistency of several one-time values among the user, the GWN, and the sensor node. In the proposed scheme, the consistencies of PID and hash chain value will be ensured by using two pseudonym identities < PIDi0,PIDi1 > for the communication between the user and the GWN. For the communication between the GWN and the sensor node, we use the serial number to resist de-synchronization attack. Since the hash function is one way, we let the initiator updates the hash chain value at first. As a result, even if the adversary blocked the message, the hash chain value of the GWN and the sensor node can re-synchronize. In order to make our analysis clearer, a brief framework of our scheme is shown in Figure 7.
The adversary can launch the following malicious scenarios:
Scenario 1: If the adversary blocks the ① message flow, obviously, this attack will not work because all the participants have not even started updating. So, this scenario will be omitted.
Scenario 2: If the ② message flow is blocked by the adversary, the communication will be jammed. For the communication between the Ui and the GWN, this scenario is the same as scenario 4. For the communication between the GWN and Snj, the hash chain values of two participants will not match each other. This attack does not cause our scheme completely unusable because we use serial number NSj0 and NSj to record the number of hash chain updated, where NSj0 is the serial number of GWN side, NSj is the serial number of Snj side. When the GWN sends the ② message flow, the value of hash chain and NSj0 in GWN side must be updated. The Snj receives the ② message {CT2,V2,NSj0}, he/she can synchronize the one-time hash chain value through performing NSj0-NSj time hash functions. Therefore, this scenario will cause asynchronous between the GWN and the Snj, but it will not have any impact on the future session.
Scenario 3: If the adversary blocks the ③ message flow, obviously, this attack will not work between the GWN and the Snj because the two participants have updated their hash chain values, and the hash chain values are equal to each other. For the communication between the Ui and the GWN, this scenario is the same as scenario 4. Therefore, this scenario will be omitted.
Scenario 4: If the ④ message flow is blocked by the adversary, this attack will not work between the GWN and the Snj because both of them have updated hash chain values. But the communication between the Ui and the GWN will be jammed. In this scenario, since both the hash chain values in two participants are not changed, only the synchronization of pseudonym identities are required to consider. The value of PIDi0 in the GWN side has been a new pseudonym identity, while the value of PIDi in the Ui side does not change. Fortunately, the old pseudonym identity is stored in PIDi1 in the GWN side, that is PIDi1 = PIDi. So, when the next session is initiated by the Ui using unchanged PIDi, the GWN is still able to recognize it and continues to complete the authentication. Therefore, this scenario will cause pseudonym identity asynchronous between the Ui and the GWN, but it will not have any impact on the future session.
Scenario 5: If the ⑤ message flow is blocked by the adversary, like scenario 4, this attack will not work between the GWN and the Snj. However, for the communication between the Ui and the GWN, it will be jammed. Since the pseudonym identities values of two participants have updated, it means PIDi0 = PIDi, we only need to worry about the synchronization of two participants’ hash chain values. In this scenario, the hash chain value in the Ui side is updated, while the value hash chain in the GWN side is unchanged. When Ui using changed hash chain value initiates a new session, the GWN will update its hash chain value through checking whether the value of PIDi1 is non-null or not. Therefore, even if this scenario will cause hash chain value asynchronous between the Ui and the GWN, the two pseudonym identities will make the hash chain values synchronize again. As a result, our scheme can resist de-synchronization attack through the above analyses.

4.3.2. Mutual Authentication

According to the proofs of Proposition A1–Proposition A4 and the formal validation using ProVerif, it is infeasible for an adversary to forge a legitimate user’s or GWN’s or sensor node’s authentication message. Thus, the user, the GWN, and the sensor node can successfully authenticate each other.

4.3.3. User Anonymity

To protect user’s identity, the proposed scheme employs pseudonym identity as a transmitted message instead of user’s real identity. The pseudonym identity is randomly generated and changes after completing each session. Thus, the pseudonym identity is different for every session. Moreover, it is almost impossible for an adversary to get the user’s real identity from transmitted messages. Therefore, our scheme is able to support user anonymity and untraceability.

4.3.4. Perfect Forward Secrecy

In the proposed scheme, suppose the adversary has obtained the long-term keys of two participants, that are Ki, NCi, and KGWN-S, he/she still cannot get the session key sk. The reason is that after each successful session, the keys NCi and KGWN-S will be updated by one-way hash function, that is NC’i = h1(NCi), K’GWN-S = h1(KGWN-S||SIDj). Because the hash function is one way, the adversary cannot obtain NCi and KGWN-S from NC’i and K’GWN-S. Therefore, our scheme can provide perfect forward secrecy.

4.3.5. Resistance to Smart Card Loss Attack

Suppose the adversary steals the user’s smart card and obtains the data {PIDi,Fi,NCi,V,bi}, where Ki = h1(IDi||x||ui), Fi = KiCi,V = h2(h3(Ki||Ci)), Ci = h0(IDi||PWi||bi). The adversary cannot guess the correct password, because there exist |DID|*|DPW|/1024 candidates of the password, where |DID|is the space of the identity and |DPW| is the space of the password. This method is called ‘fuzzy verifier’ [23,44,45], which prevents the adversary from obtaining the exacting correct password. Therefore, our proposed scheme can resist smart card loss attack.

4.3.6. Resistance Known Session-Specific Temporary Information Attack

In the proposed scheme, suppose the adversary gets the ephemeral random number rA, he still cannot obtain information of session key sk. The reason is that the adversary has no way to compute the long-term key Ki, one-time hash chain values NCi and KGWN-S. Moreover, transmitted messages in the public channel are unhelpful to compute sk. Therefore, the proposed scheme has the ability to prevent the session-specific temporary information attack.

4.3.7. Resistance to Stolen Verifier Table Attack

In our scheme, no any password-verifier table of the user is stored in the GWN side. Therefore, our scheme can resist stolen verifier table attack.

4.3.8. Resistance to User Impersonation Attack

In our scheme, in order to forge a user, the adversary has to generate a valid value {T,PIDi,CT1,V1}. However, it is infeasible because the adversary does not know the secret keys Ki and NCi. Therefore, our proposed scheme can resist against user impersonation attack.

4.3.9. Resistance to Sensor Node Spoofing Attack

Proposition A1–Proposition A4 and the formal validation using ProVerif show that the adversary cannot forge a legitimate user’s or sensor node’s authentication message without the secret keys Ki, NCi or KGWN_S. In the proposed scheme, the sensor node only has his own secret value and does not know the secret values of other sensor nodes or users. Therefore, he cannot spoof any user or other sensor nodes.

4.3.10. Resistance to Replay Attack

The proposed scheme uses timestamp, nonce and serial number to prevent the replay attack. For the communication between the user and the GWN, the first message flow includes a current timestamp T, and other message flow employs challenge-response mechanism to resist reply attack. For the communication between the GWN and the sensor node, the serial number is used in every message flow, which is updated after each successful authentication session. As a result, when the user and the sensor node accept each other, it must be the current session, not previous session. Therefore, our proposed scheme can avoid the replay attack.

4.3.11. Resistance to Man-in-the-middle Attack

In the proposed scheme, the transmitted messages are protected by the secret values Ki, NCi and KGWN_S, anyone without them cannot forge legal authentication messages. Therefore, our scheme can resist man-in-the-middle attack.

4.3.12. Resistance to Wrong Password Login/Update Attack

In the proposed scheme, the password verification information V = h2(h3(Ki||Ci)) is stored in the mobile device, which is designed to check the correctness of password. If the user inputs wrong password PWi, the verification data V and V’ = h2(h3(Fih0(IDi||PW’i||bi)||h0(IDi||PW’i||bi))) will not be equal. Therefore, our scheme can quickly detect unauthorized login and password update.

4.4. Security Comparisons

The security features of our proposed scheme with the two prior related schemes [28,29] will be compared in this section. The results of the comparison are listed in Table 2.
From Table 2, it can be concluded that the proposed scheme is the only one who can resist against various kinds of known attacks and fulfill the desirable security features. Therefore, our scheme has better security than the previously related schemes.

5. Performance Analysis

This section will compare the communication and communication costs of our proposed scheme with the two prior related schemes [28,29]. Since the registration phase and password update phase are not used frequently, we only concentrate on comparing authentication phase.

5.1. Computation Analysis

For efficiency analysis, we compare the computation costs of our scheme with the two prior related schemes [28,29]. To facilitate analysis, we use the following notations to measure computation costs.
  • Th: the time complexity of the general hash function.
  • TE/D: the time complexity of general symmetric-key encryption/decryption algorithm.
As pointed out in [46,47], the running time of a one-way hash function operation, and symmetric-key encryption/decryption operation are 0.00032s and 0.0056s respectively. Thus, we have Th ≈ 0.00032s, TE/D ≈ 0.0056s. The results of the computation complexity comparisons of our scheme and two related schemes are summarized in Table 3. It shows that our scheme is as efficient as the most efficient one of these prior related schemes at sensor nodes. Although the computation cost for the user and the GWN of our proposed scheme is higher than that of Jung et al.’s scheme, it should be toleratable because our proposed scheme provides higher security, and resists most well-known attacks.

5.2. Communication Analysis

In this section, we compare the communication cost of our proposed scheme with the two prior related schemes [28,29]. To achieve convincing comparisons, we assume that the bit length of identity (IDi,SIDj,IDGWN), password (PWi), pseudonym identity (PIDi,PIDi0,PIDi1), timestamp (T,T1,T2,T3,T4), serial number (NSj0, NSj), random number (rA,sk), hash (h,h1,h3) output and hash (h0) output are 64, 64, 64, 160, 64, 256, 160 and 320 bits, the block length of the symmetric encryption is 128 bits, respectively. Since the bit length of ciphertext using the symmetric encryption is the multiples of 128 bits, the bit length of CT1 and CT3 are 512 and 384 bits, respectively. Table 4 shows the communication cost comparison among our scheme and the prior related schemes. In our scheme, the message {PIDi,CT1,V1}, {CT2,V2,NSj0}, {SIDj,V3}, {CT3,V4} and {V5} require (64 + 512 + 160) = 736, (320 + 160 + 64) = 544, (160 + 64) = 224, (384 + 160) = 544 and 160 bits, respectively. Adding the five values, the total communication cost of our scheme is 2208 bits.
For Lu et al.’s scheme [28], the message {CT1,Ei}, {CT2,Ci}, {CT3,Ii} and {CT4,Vi}require ((64 + 160 + 64 + 256) + 160) = 128 × 5 + 160 = 800, ((256 + 64 + 160 + 160) + 160) = 128 × 5 + 160 = 800, ((256 + 256 + 160) + 160) = 128 × 6 + 160 = 928, and ((256 + 256 + 64 + 64 + 160 × 3) + 160) = 128 × 9 + 160 = 1312 bits, respectively. Adding the four values, the total communication cost of Lu et al.’s scheme is 3840 bits.
For Jung et al.’s scheme [29], the message {DIDi,CT1,T1}, {CT2,DIDi,Bi,T2}, {Ci,T3} and {CT3,T4} require (64 + (64 + 256 + 160) + 160) = 64 + 128 × 4 + 160 = 736, (256 + 64 + 160 + 160) = 640, (160 + 160) = 320, and ((64 + 64 + 160 + 256 + 160) + 160) = 128 × 6 + 160 = 928 bits, respectively. Adding the four values, the total communication cost of Jung et al.’s scheme is 2624 bits.
Using the above similar approach, the total communication cost of the other related schemes can be computed in Table 4. From comparison in Table 4, it can be concluded that the proposed scheme has the least communication cost among the above schemes.

6. Conclusions

In this paper, we propose a lightweight anonymous authentication protocol for WSNs based on a one-time hash chain and pseudonym identity. The proposed scheme can provide mutual authentication, user anonymity, perfect forward secrecy, etc. Besides, it is resilient to various kinds of known attacks, such as de-synchronization attack, and known session-specific temporary information attack. Formal security analysis and simulations are also conducted by ProVerif to demonstrate that our scheme is secure against active and passive attacks. Furthermore, the proposed scheme only uses symmetric key encryption/decryption and hash functions. It is very suitable for the resource constrained sensor nodes.

Acknowledgments

This research was supported by National Science Foundation of China under Grant number (Grant No. 61502034 and 61571375) and the open research fund of key laboratory of intelligent network information processing, Xihua University (16224221).

Author Contributions

Conceived and designed the experiments: Ling Xiong and Daiyuan Peng. Performed the experiments: Tu Peng and Zhicai Liu. Analyzed the data: Ling Xiong and Daiyuan Peng. Contributed reagents/materials/analysis tools: Zhicai Liu and Hongbin Liang. Wrote the paper: Ling Xiong and Hongbin Liang.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A. The Details in the Proof of Our Proposed Scheme Using Strand Space Model

Proposition A1.
Suppose:
(1)
Σ is a LAAP space and C is a bundle containing a GWN’s strand s with trace G[IDi,SIDj,T, rA,PIDi0, PIDi1,Ki,NCi,sk,KGWN-S, NSj0];
(2)
EK KP, KGWN-S KP, where EK = h1(PIDi||Ki||NCi); and
(3)
rAPIDi0skPIDiPIDi1, PIDi0 and sk are uniquely originating in Σ.
then C contains a user’s strand with trace U[IDi,SIDj,T,rA,PIDi,PIDi0,Ki,NCi,sk], and a sensor node’s strand with Sn[IDi,SIDj,sk,KGWN-S,NSj0].
We will prove Proposition A1 using the following lemmas. For the sake of convenience, we will refer to <s,2> (that is the second node + {CT2,V2,NSj} of s) as a0, and to its term(that is term(a0)) as u0. We will refer to <s,3> (that is the third node + {SIDj, V3} of s) as a3, and to its term(that is term(a3)) as u3. We will refer to other nodes similarly. The node <s,4> is denoted as b0, and term(b0) = v0. The node <s,5> is denoted as b3, and term(b3) = v3. As shown in Figure A1, we will use four additional nodes a1,a2,b1,b2 during the course of the proof, such that a0 a1 a2 a3, b0 b1 b2 b3.
Figure A1. The nodes of a GWN’s strand. (a) The nodes a0 a1 a2 a3; (b) The nodes b0 b1 b2 b3.
Figure A1. The nodes of a GWN’s strand. (a) The nodes a0 a1 a2 a3; (b) The nodes b0 b1 b2 b3.
Sensors 17 02681 g0a1
First, we will prove C contains a sensor node’s strand with Sn[IDi,SIDj,sk,KGWN-S,NSj0].
Lemma A1.
sk originates at a0.
Proof. 
By the assumptions, sk u0, and the sign of a0 is positive. According to the definition of originates, we only require verifying that sk is not the subterm of a node a’, where a’ is the precedence node of a0. Since on the same strand, the precedence node of a0 is <s,1>, uns_term(<s,1>) = -{PIDi,CT1,V1}, where EK = h1(PIDi||Ki||NCi), CT1 = EEK(rA||T), V1 = h3(IDi||rA||Ki||PIDi||NCi||T). We need to check that skrA, skPIDi, which is a hypothesis, skKi, skNCi, skSIDj, skIDi, which follows from the stipulation in Definition 1 Clause 3 that sk Tname, sk K. ☐
Lemma A2.
The set S = {a ∈ C: sk term(a) u0! term(a)} has a minimal node a2, u0! term(a) denotes as u0 that is the subterm of term(a). The node a2 is regular and the sign of a2 is positive.
Proof. 
Because a3C, skC, u0! u3, S is non-empty. Therefore, S has at least a minimal element a2 by Lemma 1, and the sign of the node a2 is positive by Lemma 2. Whether a2 lie on a penetrator stand p? We will check it through the form of the trace of p. ☐
M. Text message: < + t>, where tT. If this stand contains the node a2, which means that sk originates on this strand. Accord to Lemma A1, sk originates at a0. Obviously, it is a contradictory assumption. Therefore, M strand cannot contain the node a2.
F. Flushing: <-g>, since this strand lacks any positive nodes, F strand cannot contain the node a2.
T. Tee: <-g, + g, + g>, the penetrator receives message g and forward it. T strand cannot contain the node a2 because a2 is a minimal element.
C. Concatenation: <-g,-h, + gh>, after receiving messages g and h, the penetrator joins them to get gh, then sends gh. C strand cannot contain the node a2 because a2 is a minimal element.
K. Key: < + K>, the penetrator sends a key K,where KKP. K strand cannot contain the node a2 because sk! K.
E. Encryption: <-K,-h, + {h}K>, after receiving a key K and a message h, the penetrator encrypts h using K, and gets {h}K. Then, he sends {h}K. Suppose the node + {h}KS, since sk {h}K u0! {h}K, thus sk h, u0! h. E strand cannot contain the node a2 because the positive node is not in S.
D. Decryption: <-K−1,-{h}K, + h>, after receiving a private key K−1 and a ciphertext {h}K, the penetrator decrypts {h}K using K, and gets h. Then, he sends h. If the node + h is a minimal element a2, then u0! h u0 {h}K. According to the assumption of free encryption, h = sk||IDi, and K = h0(KGWN-S||SIDj||NSj0). So, there must exist a penetrator strand which can send K. Obviously, it is contradictory because KGWN-S KP. Therefore, D strand cannot contain the node a2.
H. Hash:<-K,-M, + H(K,M)>, after receiving a key K and a message M, the penetrator compute the hash value of K||M, and gets H{K||M}. Then, he sends H{K||M}. According to the assumption, K = sk, and M = SIDj||IDi||NSj0. So, there must exist a penetrator strand which can send K. Obviously, it is contradictory because sk is secret, and any penetrator without KGWN-S can know it. Therefore, H strand cannot contain the node a2.
S. Separation into components: <−gh, + g, + h>, upon receiving message gh, the penetrator sends message g and h. Suppose, the unsigned term minimal element uns_term(a2) = g(there is a similar case if uns_term(a2) = h). Since a2S, then sk g u0! g. There must have u0 gh, or the term of the minimal element in S is gh. Because, u0! g, u0 gh, there must have u0 h. Let a set T = {mC: m a2 gh term(m)}. Every element of T is a penetrator node because there is no regular node contains a subterm gh, where u0 h. T is non-empty because of the first node of S strand -ghC. Therefore, T has at least a minimal element m by Lemma 1, and the sign of the node m is positive by Lemma 2. We will check what kind of stand m can lie on.
Obviously, similar to the above analysis, M,F,T,C,K,S,E,D cannot contains the minimal element of T. Therefore, the node a2 does not lie on p but must lie on a regular node.
Lemma A3.
The precedence node of a2 is on the same regular strand. Let it as a1, and term(a1) = {CT2,V2,NSj}.
Proof. 
Because sk originates at a0 and sk are uniquely originating in Σ, sk must not originate at a2. According to Lemma A2, a2 lie on a regular node, there must be a node preceding a1 on the same strand such that sk term(a1). Since u0! term(a2), and a2 is the minimal element, u0 term(a1). Besides, there is no regular node contains u0. Therefore, term(a1) = {CT2,V2,NSj}. ☐
Lemma A4.
The strand containing a1 and a2 is a sensor node strand, and is contained in C.
Proof. 
According to Lemma A3, term(a1) = {CT2,V2,NSj}, and it is the precedence node of a2. Because a2 is the minimal element, and it is a positive node. Beside, a0 is a positive node, and term(a0) = {CT2,V2,NSj}. Therefor, a1 = -{CT2,V2,NSj}, a2 = + {SIDj,V3}, it must be an sensor node strand. ☐
Lemma A3 and Lemma A4 shows C contains a sensor node’s strand with Sn[IDi,SIDj,sk,KGWN-S,NSj0]. Moreover, we can prove that C contains a user node’s strand with U[IDi,SIDj,rA,PIDi,PIDi0,Ki,NCi,sk] using the above similar proof methods.
Proposition A2.
If Σ is an LAAP space, C is a bundle, and sk are uniquely originating in Σ, then there are at most one sensor node strand t1 with trace Sn[IDi,SIDj,sk,KGWN-S,NSj0] for any GWN, sensor node and sk.
Proof. 
If any sensor node strand t1 has trace Sn[IDi,SIDj,sk,KGWN-S,NSj0] any user, GWN, and sk, the <t1,2> is positive, sk term<t1,2>, and sk is the challenge information of GWN. Hence, if sk originates uniquely in Σ, there can be at most one such t1. ☐
Proposition A3.
If Σ is an LAAP space, C is a bundle, and rA is uniquely originating in Σ, then there are at most one user strand t2 a with trace U[IDi,SIDj,rA,PIDi,PIDi0,Ki,NCi,sk] for any user, GWN, and sk.
Proof. 
If any user strand t2 has trace U[IDi,SIDj,rA,PIDi,PIDi0,Ki,NCi,sk] any user, GWN, and sk, the <t2,1> is positive, rA term<t2, 1>, and rA cannot possibly occur earlier on t2. Therefore, rA originates at node <t2, 1>. Hence, if rA originates uniquely in Σ, there can be at most one such t2. ☐
Proposition A4.
Suppose:
(1)
Σ is a LAAP space and C is a bundle containing a user’s strand s with trace U[IDi,SIDj,rA,PIDi,PIDi0,Ki,NCi,sk] and a sensor node’s strand t with Sn[IDi,SIDj,sk,KGWN-S,NSj0];
(2)
GEK KP, KGWN-S KP, where GEK = h1(rA||PIDi1||Ki||NCi); and
(3)
rAPIDi0skPIDiPIDi1, PIDi0 and sk are uniquely originating in Σ.
then C contains a GWN’s strand with trace G[IDi,SIDj,rA,PIDi0, PIDi1,Ki,NCi,sk,KGWN-S, NSj0].
Proof. 
In order to prove Proposition A4, we can refer to the GWN’s strand as a responder’s strand of the user or a initiator’s stand of the sensor node. As the responder’s strand and as the initiator’s stand, the processes of proofs are similar with Proposition A1. Take the case of GWN as an responder’s strand, we only consider the set S = {aC: {V4} term(a)} is non-empty. Because <s2,2> is the element of S, S has at least a minimal element a0. If a0 is on the regular strand g, it is easy to prove g ∈ G[IDi,SIDj,rA,PIDi0, PIDi1,Ki,NCi,sk,KGWN-S, NSj0]. Otherwise, g should be on the H strand with trace<-GEK,-rA||sk||PID0, + {V4}>. Obviously, it is contradictory because GEK KP. Therefore, C contains a GWN’s strand with trace G[IDi,SIDj,rA,PIDi0, PIDi1,Ki,NCi,sk,KGWN-S, NSj0]. Proposition A1–Proposition A4 show that our scheme is a secure mutual authentication scheme among the user, the GWN and the sensor node. ☐

References

  1. Yick, J.; Mukherjee, B.; Ghosal, D. Wireless sensor network survey. Comput. Netw. 2008, 52, 2292–2330. [Google Scholar] [CrossRef]
  2. O’Donovan, T.; O’Donoghue, J.; Sreenan, C.; Sammon, D.; O’Reilly, P.; O’Connor, K.A. A Context Aware Wireless Body Area Network (BAN). In Proceedings of the 3rd International Conference on Pervasive Computing Technologies for Healthcare (PervasiveHealth 2009), London, UK, 1–3 April 2009. [Google Scholar]
  3. Hart, J.K.; Martinez, K. Environmental Sensor Networks: A revolution in the earth system science? Earth Sci. Rev. 2006, 78, 177–191. [Google Scholar] [CrossRef]
  4. Tiwari, A.; Ballal, P.; Lewis, F.L. Energy-efficient wireless sensor network design and implementation for condition-based maintenance. ACM Trans. Sens. Netw. 2007, 3, 1. [Google Scholar] [CrossRef]
  5. Gnawali, O.; Jang, K.Y.; Paek, J.; Vieira, M.; Govindan, R.; Greenstein, B.; Joki, A.; Estrin, D.; Kohler, E. The tenet architecture for tiered sensor networks. In Proceedings of the 4th International Conference on Embedded Networked Sensor Systems, 31 October–3 November 2006; ACM: New York, NY, USA, 2006; pp. 153–166. [Google Scholar] [CrossRef]
  6. Yang, D.; Misra, S.; Fang, X.; Xue, G.; Zhang, J. Two-tiered constrained relay node placement in wireless sensor networks: Computational complexity and efficient approximations. IEEE Trans. Mob. Comput. 2012, 11, 1399–1411. [Google Scholar] [CrossRef]
  7. He, D.; Kumar, N.; Chilamkurti, N. A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Inf. Sci. 2015, 321, 263–277. [Google Scholar] [CrossRef]
  8. He, D.; Chen, C.; Chan, S.; Bu, J.; Yang, L.L. Security Analysis and Improvement of a Secure and Distributed Reprogramming Protocol for Wireless Sensor Networks. IEEE Trans. Ind. Electron. 2013, 60, 5348–5354. [Google Scholar] [CrossRef]
  9. Perrig, A.; Stankovic, J.; Wagner, D. Security in wireless sensor networks. Commun. ACM 2004, 47, 53–57. [Google Scholar] [CrossRef]
  10. Koyama, K.; Maurer, U.M.; Okamoto, T.; Vanstone, S.A. New public-key schemes based on elliptic curves over the ring Zn. In Advances in Cryptology-CRYPTO’91; Springer: Berlin/Heidelberg, Germany, 1992; pp. 252–266. [Google Scholar]
  11. Watro, R.; Kong, D.; Cuti, S.F.; Gardiner, C.; Lynn, C.; Kruus, P. TinyPK: Securing sensor networks with public key technology. In Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks, Washington, DC, USA, 25 October 2004; pp. 59–64. [Google Scholar]
  12. Hwang, M.S.; Li, L.H. A new remote user authentication scheme using smart cards. IEEE Trans. Consum. Electron. 2000, 46, 28–30. [Google Scholar] [CrossRef]
  13. Wong, K.H.; Zheng, Y.; Cao, J.; Wang, S. A dynamic user authentication scheme for wireless sensor networks. In Proceedings of the IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing, Taichung, Taiwan, 5–7 June 2006; pp. 1–9. [Google Scholar]
  14. Das, M.L. Two-Factor user authentication in wireless sensor networks. IEEE Trans. Wirel. Commun. 2009, 8, 1086–1090. [Google Scholar] [CrossRef]
  15. Huang, H.F.; Chang, Y.F.; Liu, C.H. Enhancement of two-factor user authentication in wireless sensor networks. In Proceedings of the 2010 Sixth International Conference on Intelligent Information Hiding and Multimedia Signal Processing, Darmstadt, Germany, 15–17 October 2010; pp. 27–30. [Google Scholar]
  16. Chen, T.H.; Shih, W.K. A robust mutual authentication protocol for wireless sensor networks. ETRI J. 2010, 32, 704–712. [Google Scholar] [CrossRef]
  17. Khan, M.K.; Alghathbar, K. Cryptanalysis and security improvements of two-factor user authentication in wireless sensor networks. Sensors 2010, 10, 2450–2459. [Google Scholar] [CrossRef] [PubMed]
  18. Jiang, Q.; Ma, Z.; Ma, J.; Li, G. Security enhancement of robust user authentication framework for wireless sensor networks. China Commun. 2012, 9, 103–111. [Google Scholar]
  19. He, D.J.; Gao, Y.; Chan, S.; Chen, C.; Bu, J.J. An enhanced two-factor user authentication scheme in wireless sensor networks. Ad Hoc Sens. Wirel. Netw. 2010, 10, 361–371. [Google Scholar]
  20. Das, A.K.; Sharma, P.; Chatterjee, S.; Sing, J.K. A dynamic password-based user authentication scheme for hierarchical wireless sensor networks. J. Netw. Comput. Appl. 2012, 35, 1646–1656. [Google Scholar] [CrossRef]
  21. Turkanovic, M.; Hölbl, M. An improved dynamic password-based user authentication scheme for hierarchical wireless sensor networks. Elektron. Elektrotech. 2013, 19, 109–116. [Google Scholar] [CrossRef]
  22. Turkanović, M.; Brumen, B.; Hölbl, M. A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet of Things notion. Ad Hoc Netw. 2014, 20, 96–112. [Google Scholar] [CrossRef]
  23. Wang, D.; Wang, P. Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks. Ad Hoc Netw. 2014, 20, 1–15. [Google Scholar] [CrossRef]
  24. Xue, K.P.; Ma, C.S.; Hong, P.L.; Ding, R. A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks. J. Netw. Comput. Appl. 2013, 36, 316–323. [Google Scholar] [CrossRef]
  25. Jiang, Q.; Ma, J.; Lu, X.; Tian, Y. An Efficient Two-Factor User Authentication Scheme with Unlinkability for Wireless Sensor Networks. Peer-to-Peer Netw. Appl. 2014, 8, 1070–1081. [Google Scholar] [CrossRef]
  26. Das, A.K. A Secure and Robust Temporal Credential-based Three-Factor User Authentication Scheme for Wireless Sensor Networks. Peer-to-Peer Netw. Appl. 2016, 9, 223–244. [Google Scholar] [CrossRef]
  27. Gope, P.; Hwang, T. A Realistic Lightweight Anonymous Authentication Protocol for Securing Real-Time Application Data Access in Wireless Sensor Networks. IEEE Trans. Ind. Electron. 2016, 63, 7124–7132. [Google Scholar] [CrossRef]
  28. Lu, Y.; Li, L.; Peng, H.; Yang, Y. An Energy Efficient Mutual Authentication and Key Agreement Scheme Preserving Anonymity for Wireless Sensor Networks. Sensors 2016, 16, 837. [Google Scholar] [CrossRef] [PubMed]
  29. Jung, J.; Kim, J.; Choi, Y.; Won, D. An Anonymous User Authentication and Key Agreement Scheme Based on a Symmetric Cryptosystem in Wireless Sensor Networks. Sensors 2016, 16, 1299. [Google Scholar] [CrossRef] [PubMed]
  30. Mir, O.; Munilla, J.; Kumari, S. Efficient anonymous authentication with key agreement protocol for wireless medical sensor networks. Peer-to-Peer Netw. Appl. 2017, 10, 79–91. [Google Scholar] [CrossRef]
  31. Wang, D.; Wang, N.; Wang, P.; Qing, S. Preserving privacy for free: Efficient and provably secure two-factor authentication scheme with user anonymity. Inf. Sci. 2015, 321, 162–178. [Google Scholar] [CrossRef]
  32. Wang, D.; He, D.; Wang, P.; Chu, C.H. Anonymous two-factor authentication in distributed systems: Certain goals are beyond attainment. IEEE Trans. Dependable Secur. Comput. 2015, 12, 428–442. [Google Scholar] [CrossRef]
  33. Park, D.; Boyd, C.; Moon, S.J. Forward Secrecy and Its Application to Future Mobile Communications Security. In Proceedings of the Public Key Cryptography, Melbourne, Australia, 18–20 January 2000; pp. 433–445. [Google Scholar]
  34. Ma, C.; Wang, D.; Zhao, S. Security Flaws in Two Improved Remote User Authentication Schemes Using Smart Cards. Int. J. Commun. Syst. 2012, 27, 2215–2227. [Google Scholar] [CrossRef]
  35. Jiang, Q.; Zeadally, S.; Ma, J.; He, D. Lightweight Three-Factor Authentication and Key Agreement Protocol for Internet-Integrated Wireless Sensor Networks. IEEE Access 2017, 5, 3376–3392. [Google Scholar] [CrossRef]
  36. Wang, D.; Wang, P. On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions. Comput. Netw. 2014, 73, 41–57. [Google Scholar] [CrossRef]
  37. Fabrega, F.; Herzog, J.C.; Guttman, J.D. Strand spaces: Why is a security protocol correct? In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, 6 May 1998; pp. 160–171. [Google Scholar]
  38. Fabrega, F.; Herzog, J.C. Strand spaces: Proving Security Protocol Protocols Correct. J. Comput. Secur. 1999, 7, 191–230. [Google Scholar] [CrossRef]
  39. Abadi, M.; Blanchet, B. Computer-assisted verification of a protocol for certified email. Sci. Comput. Program. 2005, 58, 3–27. [Google Scholar] [CrossRef]
  40. Abadi, M.; Glew, N.; Horne, B.; Pinkas, B. Certified email with a light on-line trusted third party: Design and implementation. In Proceedings of the 11th International World Wide Web Conference, Honolulu, HI, USA, 7–11 May 2002; ACM: Honolulu, HI, USA, 2002; pp. 387–395. [Google Scholar]
  41. Abadi, M.; Blanchet, B.; Cedric, F. Just Fast Keying in the pi calculus. ACM Trans. Inf. Syst. Secur. 2007, 10, 9. [Google Scholar] [CrossRef]
  42. Blanchet, B.; Smyth, B.; Cheval, V.; Sylvestre, M. ProVerif 1.96: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial. Available online: http://prosecco.gforge.inria.fr/personal/bblanche/proverif/ (accessed on 21 September 2016).
  43. Xiong, L. Lightweight-Anonymous-Authentication-WSNs. Available online: https://github.com/idle010/Lightweight-Anonymous-Authentication-WSNs (accessed on 26 October 2017).
  44. Wang, D.; Wang, P. On the usability of two-factor authentication. In Proceedings of the 10th International Conference on Security and Privacy in Communication Systems, Beijing, China, 24–26 September 2014; pp. 141–150. [Google Scholar]
  45. Wang, D.; Wang, P. Two Birds with One Stone: Two-Factor Authentication with Security beyond Conventional Bound. IEEE Trans. Dependable Secur. Comput. 2016, 1–23. [Google Scholar] [CrossRef]
  46. He, D.; Kumar, N.; Lee, J.H.; Sherratt, R. Enhanced three-factor security protocol for consumer USB mass storage devices. IEEE Trans. Consum. Electron. 2014, 60, 30–37. [Google Scholar] [CrossRef]
  47. Lee, C.C.; Chen, C.T.; Wu, P.H.; Chen, T.Y. Three-factor control protocol based on elliptic curve cryptosystem for universal serial bus mass storage devices. IET Comput. Digit. Tech. 2013, 7, 48–55. [Google Scholar] [CrossRef]
Figure 1. Real-time data access in WSNs.
Figure 1. Real-time data access in WSNs.
Sensors 17 02681 g001
Figure 2. The authentication and key agreement phase of Lu et al.’s scheme.
Figure 2. The authentication and key agreement phase of Lu et al.’s scheme.
Sensors 17 02681 g002
Figure 3. The authentication and key agreement phase of Jung et al.’s scheme.
Figure 3. The authentication and key agreement phase of Jung et al.’s scheme.
Sensors 17 02681 g003
Figure 4. The registration phase. (a) The user registration phase; (b) The sensor node registration phase.
Figure 4. The registration phase. (a) The user registration phase; (b) The sensor node registration phase.
Sensors 17 02681 g004
Figure 5. The authentication and key agreement phase.
Figure 5. The authentication and key agreement phase.
Sensors 17 02681 g005
Figure 6. LAAP strands space model.
Figure 6. LAAP strands space model.
Sensors 17 02681 g006
Figure 7. The de-synchronization on our proposed scheme.
Figure 7. The de-synchronization on our proposed scheme.
Sensors 17 02681 g007
Table 1. Notations.
Table 1. Notations.
NotationDescriptions
UiThe user
SnjThe sensor node
GWNThe gateway node
SCThe smart card
IDi,PWiUnique identity and password of Ui
SIDjUnique identity of Snj
IDGWNUnique identity of GWN
PIDPseudonym identity
PIDiPseudonym identity of Ui in the user side
TIDiA random number of Ui generated in the GWN
xThe secret key of GWN
xiThe shared secret key between GWN and Ui
KGWN_SThe shared secret key between GWN and Snj
biA random number generate by Ui
SKThe session key
EK,DKEncryption/Decryption using the symmetric key K
h,h0,h1,h3One-way hash function
h2One-way hash function, h2:{0,1}*→{0,1,...,1023}
T,T1,T2,T3,T4Current timestamp
||String concatenation operation
XOR operation
Table 2. Security features comparisons of our scheme and the two related schemes.
Table 2. Security features comparisons of our scheme and the two related schemes.
FeaturesLu et al. [28]Jung et al. [29]Ours
Resistance to de-synchronization attack
Mutual authentication
User anonymity
Perfect forward security××
Smart card loss attack××
Resistance to known session-specific temporary information attack
Resistance to stolen verifier table attack
Resistance to user impersonation attack
Resistance to sensor node spoofing attack
Resistance to replay attack
Resistance to man-in-the-middle attack
Resistance to wrong password login/update attack
Table 3. Computation complexity comparisons of our scheme and the two related schemes.
Table 3. Computation complexity comparisons of our scheme and the two related schemes.
SchemesUsersGWNSensor NodeTotal
Lu et al. [28]7Th + 2TE/D ≈ 0.01344s8Th + 4TE/D ≈ 0.02496s4Th + 2TE/D ≈ 0.01248s19Th + 8TE/D ≈ 0.05088s
Jung et al. [29]5Th + 2TE/D ≈ 0.0128s5Th + 2TE/D ≈ 0.0128s4Th ≈ 0.00128s13Th + 4TE/D ≈ 0.02688s
Ours9Th + 2TE/D ≈ 0.01408s11Th + 2TE/D ≈ 0.01472s4Th ≈ 0.00128s25Th + 4TE/D ≈ 0.03008s
Table 4. Communication cost comparisons of our scheme and the two related schemes.
Table 4. Communication cost comparisons of our scheme and the two related schemes.
SchemesNumber of Message RequiredNumber of Bits Required
Lu et al. [28]4 Messages3840
Jung et al. [29]4 Messages2624
Ours5 Messages2208

Share and Cite

MDPI and ACS Style

Xiong, L.; Peng, D.; Peng, T.; Liang, H.; Liu, Z. A Lightweight Anonymous Authentication Protocol with Perfect Forward Secrecy for Wireless Sensor Networks. Sensors 2017, 17, 2681. https://doi.org/10.3390/s17112681

AMA Style

Xiong L, Peng D, Peng T, Liang H, Liu Z. A Lightweight Anonymous Authentication Protocol with Perfect Forward Secrecy for Wireless Sensor Networks. Sensors. 2017; 17(11):2681. https://doi.org/10.3390/s17112681

Chicago/Turabian Style

Xiong, Ling, Daiyuan Peng, Tu Peng, Hongbin Liang, and Zhicai Liu. 2017. "A Lightweight Anonymous Authentication Protocol with Perfect Forward Secrecy for Wireless Sensor Networks" Sensors 17, no. 11: 2681. https://doi.org/10.3390/s17112681

APA Style

Xiong, L., Peng, D., Peng, T., Liang, H., & Liu, Z. (2017). A Lightweight Anonymous Authentication Protocol with Perfect Forward Secrecy for Wireless Sensor Networks. Sensors, 17(11), 2681. https://doi.org/10.3390/s17112681

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop