Improving Biometric-Based Authentication Schemes with Smart Card Revocation/Reissue for Wireless Sensor Networks

Abstract

User authentication in wireless sensor networks is more difficult than in traditional networks owing to sensor network characteristics such as unreliable communication, limited resources, and unattended operation. For these reasons, various authentication schemes have been proposed to provide secure and efficient communication. In 2016, Park et al. proposed a secure biometric-based authentication scheme with smart card revocation/reissue for wireless sensor networks. However, we found that their scheme was still insecure against impersonation attack, and had a problem in the smart card revocation/reissue phase. In this paper, we show how an adversary can impersonate a legitimate user or sensor node, illegal smart card revocation/reissue and prove that Park et al.’s scheme fails to provide revocation/reissue. In addition, we propose an enhanced scheme that provides efficiency, as well as anonymity and security. Finally, we provide security and performance analysis between previous schemes and the proposed scheme, and provide formal analysis based on the random oracle model. The results prove that the proposed scheme can solve the weaknesses of impersonation attack and other security flaws in the security analysis section. Furthermore, performance analysis shows that the computational cost is lower than the previous scheme.

1. Introduction

Wireless Sensor Networks (WSNs) generally consist of gateways, users, and a large number of sensor nodes. The sensor node is tiny and can be easily deployed in various kinds of severe environments. However, each sensor node has limited resources, is lacking in memory, has low computational capabilities and short radio transmission range [1]. Data collected from sensor nodes in WSNs sometimes include valuable and classified information such as the environmental surrounding the wartime, a patient’s personal information, monitoring information of museums, and the power company’s voltage variation monitoring data. To ensure the confidentiality and reliability of deployed WSNs, only registered and legitimate users should be able to access them. In addition, establishing secure protocol actively requires a mutual authentication between the user and the sensor node. For these reasons, secure user authentication is one of the major issues in WSNs.

To support message confidentiality and secure authentication for sensor networks, various authentication schemes for WSNs have been proposed. However, a problem that occurs with respect to password-based authentication schemes is that a server must maintain a password table to legitimately verify a login user. Therefore, the server requires additional memory space to store the password table. For this reason, many researchers have proposed a new type of remote user authentication scheme whereby personal biological characteristics are used, such as a fingerprint or an iris. The main advantage biometrics is uniqueness. A smart card can be used as a tool to store biometric information. Since the smart card has its own calculation function, it can operate at more than one level. In 2004, Watro et al. [2] proposed a user authentication scheme using the RSA and DH algorithms for WSNs. After that, Wong et al. [3] proposed a hash-based dynamic user authentication scheme in 2006. However, Tseng et al. [4] found that Wong et al.’s authentication scheme was vulnerable to replay, stolen verifiers, and forgery attacks. In 2009, Das [5] proposed and claimed that his scheme can resist various real-time attacks. Unfortunately, He et al. [6] found that Das’s scheme was vulnerable to insider and impersonation attacks, and proposed an improved two factor scheme to solve these security problems. In the same year, Khan and Alghathbar [7] demonstrated that Das’s scheme did not provide mutual authentication, and was vulnerable to gateway bypassing and privileged insider attacks, and Chen et al. [8] also found that Das’s scheme did not provide mutual authentication between the gateway and the sensor, proposed a robust mutual authentication scheme for WSNs, and claimed that their scheme provides greater security than Das’s scheme. In 2010, Yuan et al. [9] proposed a biometric-based user authentication scheme. However, Yoon et al. demonstrated that Yuan et al.’s scheme was vulnerable to insiders, user impersonation, gateway node impersonation and sensor node impersonation attacks. To solve these problems, Yoon et al. [10] proposed an improved user authentication scheme. Unfortunately, He et al. [11] found that Yoon et al.’s scheme was still vulnerable to denial of service (DoS) and sensor impersonation attacks, and then proposed an improved scheme to overcome these security problems.

In 2013, Yoon and Kim [12] pointed out that He et al.’s scheme had various security vulnerabilities such as poor repairability, and was vulnerable to user and sensor node impersonation attacks. They then proposed an advanced biometrics-based user authentication scheme for WSNs. They claimed that their scheme was more effective and had stronger security than other related schemes. However, Choi et al. [13] found that Yoon and Kim’s scheme [12] had various security problems, including a biometric recognition error, a user verification problem, lack of anonymity, perfect forward secrecy, session key exposure by the gateway node, vulnerability to DoS attacks, and a revocation problem. To overcome these vulnerabilities, they proposed a biometric-based user authentication scheme using a fuzzy extractor, and claimed that their scheme is more secure than other authentication schemes. Unfortunately, Park et al. [14] demonstrated that Choi et al.’s scheme [13] was still insecure against user impersonation attacks, and had security weakness in the revocation/reissue phase. They then proposed an enhanced biometric-based authentication scheme for WSNs that has improved security functions. After careful analysis, however, we found that Park et al.’s scheme [14] was still insecure against impersonation attack, and also had a problem in the smart card revocation/reissue phase.

In this paper, we show how an adversary can impersonate a legitimate user or a sensor node, and perform an illegal smart card revocation/reissue. After demonstrating these problems, we propose an improved biometric authentication scheme. Finally, we analyze our proposed scheme for security properties and computational cost. The proposed scheme is more secure and efficient than other related authentication schemes.

The rest of this paper is organized as follows. In Section 2, we briefly introduce the elliptic curve cryptosystem, threat assumptions and fuzzy extractors that we adopt in our scheme. In Section 3 and Section 4, we review and analyze, respectively, Park et al.’s scheme [14]. In Section 5, we propose an improved authentication scheme for WSNs. In Section 6, we present a security analysis of the proposed scheme. Section 7 shows performance analysis comparing our scheme with previous schemes. Our conclusions are presented in Section 8.

2. Preliminaries

In this section, we briefly introduce the elliptic curve cryptosystem, threat assumptions, and fuzzy extractor.

2.1. Elliptic Curve Cryptosystem

The elliptic curve cryptosystem (ECC) was first proposed by Koblitz [15] and Miller [16] to design public key cryptosystems, and presently it is widely used in several cryptographic schemes to provide desired levels of security and performance. An elliptic curve $E_K$ defined over a field K of the characteristic ≠ 2 or 3 is the set of solutions $(x$, $y)$∈$K^2$ to the equation:

$$y^2=x^3+ax+b,a,b\in K,4a^3+27b^2\ne 0.$$

(1)

Cryptosystems based on GF(${q)}^{*}$ can be translated to systems using the group E, where E is an elliptic curve defined over a GF(q). The point multiplications $kP$ = $(P+P+...+P$, k times) that means k times addition of point P. Given an elliptic curve E defined over a GF(q) and two points P, Q ∈ E, it finds an integer x such that $Q=xP,$ if such x exists. This problem proved to be more intractable than the typically discrete logarithm problem. The details of the ECC definitions can be found in [15]. There are several computational problems based on ECC which are presented below:

Definition 1.

The elliptic curve discrete logarithm problem ($ECDLP$) is defined as: given two elements Q, $R\in G_p$, find an integer $k\in [1$, $n-1]$ such that $R=kQ$.

Definition 2.

The computational Diffie–Hellman problem ($CDHP$) is defined as: given three elements $(P$, $aP$, $bP)$ for any a, $b\in [1$, $n-1]$, computation of $abP$ is very hard to the group $G_p$.

Definition 3.

The elliptic curve factorization problem ($EC$ $FP$) is defined as: given two elements P, $Q\in G_p$, where $Q=sP+tP$ and $(s$, $t)\in [1$, $n-1]$, then computation of $sP$ and $tP$ is impossible.

Definition 4.

The decisional Diffie–Hellman problem ($DD$ $HP$) is defined as: given four elements $(P$, $aP$, $bP$, $cP)$ for any $(a$, b, $c)$ $\in [1$, $n-1]$, decide whether or not $cP=abP$ i.e., $c=ab$ $mod$p or not.

Definition 5.

The weak Diffie–Hellman problem ($WDHP$) is defined as: for $Q\in G_p$ and some $k\in [1$, $n-1]$ from the given three elements $(P$, Q, $kP),$ computation of $kQ$ is very hard.

2.2. Threat Assumptions

We introduce the Dolev–Yao [17] and some threat model [18,19], and consider the risk of side channel attack [20] to construct the threat assumptions, which are described as follows:

• An adversary $\mathcal{A}$ can be either a user, gateway, or sensor node. Any registered user can act as an adversary.
• An adversary $\mathcal{A}$ can eavesdrop every communication in a public channel, thereby capturing any message exchanged between a user and gateway or sensor node.
• An adversary $\mathcal{A}$ has the ability to alter, delete or reroute the captured message.
• Information can be extracted from the smart card by examining the power consumption of the card.

2.3. Fuzzy Extractor

In this subsection, we describe the basis for a biometric-based fuzzy extractor, which converts biometric information data into a random value. Based on [21,22,23], the fuzzy extractor is given by two procedures ($Gen$, $Rep$). The mechanism of a fuzzy extractor consists of two procedures ($Gen$, $Rep$), which is demonstrated as:

• $Gen(BIO)\to 〈R,P〉,$
• $Rep(BI{O}^{*},P)=R$ if $BI{O}^{*}$ is reasonably close to $BIO.$

The function $Gen$ is a probabilistic generation procedure, which on biometric input $BIO$ outputs an “extracted” string $R\in {\{0,1\}}^l$ and an auxiliary string $P\in {\{0,1\}}^{*}$. $Rep$ is a deterministic reproduction procedure, which recovery of R from the corresponding auxiliary string P, and any vector $BI{O}^{*}$ close to $BIO$. The detailed information about fuzzy extractors can be founded in the literature [24].

3. Review of Park et al.’s Authentication Scheme

In this section, we review Park et al.’s authentication scheme [14]. The notations used in the paper are listed in

Table 1. Notations used in this paper.

Term	Description
$U_i$	user i
$\mathcal{A}$	adversary
$B_i$	biometric template of $U_i$
$E_k(·)/D_k(·)$	encryption or decryption with key k
$GW$	gateway node
${\mathbb{G}}_1$	cyclic groups of order q
$h(·)$	hash function
$h(SI{D}_j||y)$	long-term secret of $S_j$ generated by $GW$
$I{D}_i$	actual identity of $U_i$
P	generator of ${\mathbb{G}}_1$
$r_i$, $r_1$, $r_2$	random number generated by $U_i$
$r_s$	random number generated by $S_j$
$S_j$	sensor node j
$S{C}_i$	smart card of user $U_i$
$SI{D}_j$	identity of $S_j$
$T_i$	time stamp
$u{p}_i$	i-th update phase
$x,y$	two master keys of $GW$
$RM$	Response to the query message
‖	concatenation operation
⊕	bitwise XOR operation

. The $GW$ generates two master keys, x and y, and provides a long-term secret key $h(SI{D}_j||y)$ to the sensor $S_j$ before the scheme is executed. Their scheme involves three parties, i.e., the user $U_i$, the gateway $GW$ and the sensor $S_j$, to communicate with each other to perform the following three phases: registration, login/authentication, and revocation/reissue.

3.1. Registration Phase

In this phase, a user $U_i$ chooses an identity $I{D}_i$, imprints biometric template $B_i$, and then performs the following steps:

• $U_i$ computes $\langle R_i$, $P_i\rangle =Gen(B_i)$ and $A_i=h(R_i)$. $U_i$ then sends $\langle I{D}_i,A_i\rangle$ to the gateway $GW$.
• Upon receiving $\langle I{D}_i$, $A_i\rangle$ from $U_i$, $GW$ computes the authentication parameters as:

  $$\begin{gathered} V_i=h(I{D}_i||A_i) \\ {M}_i=h(x||y||A_i) \\ {N}_i=M_i\oplus A_i \\ {C}_i=E_x(A_i||u{p}_i). \end{gathered}$$
• $GW$ stores $h(·)$ and the authentication parameters; $\langle V_i$, $N_i$, $C_i$, $h(·)\rangle$ in the smart card $S{C}_i$. $GW$ then issues $S{C}_i$ to $U_i$ through a secure channel.
• After receiving the smart card from $GW$, $U_i$ stores $P_i$ in the smart card.

3.2. Login and Authentication Phase

If a user $U_i$ wants to log in to the $GW$ and $S_j$, $U_i$ performs the login phase, and then $U_i$, $GW$ and $S_j$ verify each other’s authenticities. Finally, $U_i$ and $S_j$ generate a session key in this phase as follows:

• $U_i$ enters $I{D}_i$ and imprints biometric template $B_i^{*}$. $S{C}_i$ then computes $R_i^{*}$, $A_i^{*}$ and $V_i^{*}$ using fuzzy extraction, and compares $V_i^{*}$ with $V_i$ as:

  $$\begin{gathered} R_i^{*}=Rep(B_i^{*},P_i) \\ {A}_i^{*}=h(R_i^{*}) \\ {V}_i^{*}=h(I{D}_i||A_i^{*}) \\ verifies{V}_i\stackrel{?}{=}{V}_i^{*}. \end{gathered}$$
• $S{C}_i$ generates a random number $r_i$ and computes $X_i$ and $M_i$ as:

  $$\begin{gathered} X_i=r_i\times P \\ {M}_i=N_i\oplus A_i. \end{gathered}$$
• $U_i$ picks up $T_i$ and computes $AI{D}_i$ and $W_i$ as:

  $$\begin{gathered} AI{D}_i=I{D}_i\oplus h(M_i||T_i) \\ {W}_i=h(M_i||I{D}_i||X_i||T_i). \end{gathered}$$
  $U_i$ then sends the login request message $M_1=\langle AI{D}_i$, $X_i$, $C_i$, $T_i$, $W_i\rangle$ to $GW$.
• After receiving $M_1$, $GW$ retrieves $T^{\prime }$ and verifies $T^{\prime }-T_i\le △T$. If this holds, $GW$ computes $A_i^{*}$, $M_i^{*}$, $I{D}_i^{*}$ and $W_i^{*}$, and compares $W_i^{*}$ with $W_i$ as:

  $$\begin{gathered} A_i^{*}||u{p}_i=D_x(C_i) \\ {M}_i^{*}=h(x||y||A_i^{*}) \\ I{D}_i^{*}=AI{D}_i\oplus h(M_i^{*}||T_i) \\ {W}_i^{*}=h(M_i^{*}||I{D}_i^{*}||X_i^{*}||T_i) \\ verifies{W}_i\stackrel{?}{=}{W}_i^{*}. \end{gathered}$$
  If this holds, $GW$ verifies the legitimacy of $U_i$.
• $GW$ picks up $T_g$ and computes $k_g$, $C_g$ and $W_g$,

  $$\begin{gathered} k_g=h(h(SI{D}_j||y)||T_g) \\ {C}_g=E_{k_g}(AI{D}_i||X_i) \\ {W}_g=h(h(SI{D}_j||y)||AI{D}_i||C_g||T_g). \end{gathered}$$
  $GW$ then sends the authentication message $M_2=\langle AI{D}_i$, $C_g$, $T_g$, $W_g\rangle$ to $S_j$.
• When receiving $M_2$ from $GW$, $S_j$ retrieves $T^{″}$, and verifies $T^{″}-T_g\le △T$. If this holds, $S_j$ verifies the validity of $W_g$ by comparing it with $h(h(SI{D}_j||y)||AI{D}_i||C_g||T_g)$ to check the legitimacy of $GW$. After that, $S_j$ computes $k_g^{*}$, and decrypts $C_g$ using $k_g^{*}$. $S_j$ then checks the validity of the received $AI{D}_i$ by comparing $AI{D}_i^{*}$ as:

  $$\begin{gathered} k_g^{*}=h(h(SI{D}_j||y)||T_g) \\ {D}_{k_g^{*}}=AI{D}_i^{*}||X_i^{*} \\ verifiesAI{D}_i\stackrel{?}{=}AI{D}_i^{*}. \end{gathered}$$
• $S_j$ generates a random number $r_s$ and computes $K_{SU}$, $Y_i$ and a session key $sk$. $S_j$ then picks up $T_s$ and computes $RM$, $V_s$ as:

  $$\begin{gathered} K_{SU}=r_x\times X_i^{*} \\ {Y}_i=r_s\times P \\ sk=h(AI{D}_i||K_{SU}||T_s) \\ RM=\text{Response to the query of }{U}_i \\ {V}_s=h(AI{D}_i||X_i||Y_i||RM||T_s). \end{gathered}$$
  $S_j$ hence sends $M_3=\langle RM$, $Y_i$, $V_s$, $T_s\rangle$ to $U_i$.
• Upon receiving $M_3$, $U_i$ retrieves $T_s$, and checks the sameness of $V_s$. $U_i$ then computes $K_{US}$ and $sk$ as:

  $$\begin{gathered} V_s^{*}=h(AI{D}_i||X_i||Y_i||RM||T_s) \\ verifies{V}_s^{*}\stackrel{?}{=}{V}_s \\ {K}_{US}=r_i\times Y_i \\ sk=h(AI{D}_i||K_{US}||T_s). \end{gathered}$$
  Only the legitimate $U_i$ can compute $K_{US}$ and $sk$. $U_i$ then accepts $RM$. Finally, $U_i$ and $S_j$ can communicate securely using the common $sk$.

3.3. Revocation or Reissue Phase

To make up for smart card loss or long term key disclosure, the smart card should be revoked and reissued in cycles.

• $U_i$ who wants to revoke and reissue a smart card inputs the previous identity $I{D}_i$ and the new identity $I{D}_i^{*}$ to prevent adversaries from registering with the same identity $I{D}_i$. Then, $U_i$ imprints biometric template $B_i$ and computes $R_i=Rep(B_i,P_i)$, $A_i=h(R_i)$ and $M_i=N_i\oplus A_i$.
• $U_i$ computes $Z_i=I{D}_i\oplus M_i$ and sends the revocation/reissue request message $\langle I{D}_i$, $I{D}_i^{*}$, $A_i$, $Z_i\rangle$ to $GW$.
• $GW$ computes $M_i^{*}$, $Z_i^{*}$ and checks the legitimacy of the user as:

  $$\begin{gathered} M_i^{*}=h(x||y||A_i) \\ {Z}_i^{*}=I{D}_i\oplus M_i^{*} \\ verifies{Z}_i^{*}\stackrel{?}{=}{Z}_i. \end{gathered}$$
• If this holds, $GW$ revokes $I{D}_i$ and records it on the revocation look-up table. Then, $GW$ computes new authentication parameters $V_i$, $N_i$ and $C_i$ as:

  $$\begin{gathered} V_i=h(I{D}_i^{*}||A_i) \\ {N}_i=M_i^{*}\oplus A_i \\ {C}_i=E_x(A_i||u{p}_i^{*}). \end{gathered}$$
• $GW$ stores $h(·)$ and the new authentication parameters; $\langle V_i$, $N_i$, $C_i$, $h(·)\rangle$ in the smart card $S{C}_i$. $GW$ then reissues $S{C}_i$ to $U_i$ through a secure channel.
• $U_i$ stores $P_i$ in the smart card.

4. Cryptanalysis of Park et al.’s Authentication Scheme

In this section, we analyze the security problems of Park et al.’s scheme [14]. Park et al. cryptanalyzed a scheme of Choi et al. [13] and improved it to support better security functionality. However, we found that Park et al.’s scheme [14] was still insecure against impersonation attack and had a problem with smart card revocation/reissue. The following attacks are based on the threat assumptions that a malicious adversary $\mathcal{A}$ was completely monitored through the communication channel connecting $U_i$, $GW$ and $S_j$ in the login and authentication phases, and that the $\mathcal{A}$ obtained the information saved in their own smart card [20]. $\mathcal{A}$ therefore can eavesdrop, modify, insert, or delete any message transmitted over a public channel. We now reveal the details of these problems.

4.1. User Impersonation Attack

• Let $\mathcal{A}$ be an active adversary who is he/she legal user and owns a smart card to extract information $\langle V_a$, $N_a$, $C_a$, $h(·)$, $P_a\rangle$.
• $\mathcal{A}$ then imprints one’s biometric template $B_a^{*}$ and computes $R_a^{*}=Rep(B_a^{*},P_a)$ and $A_a^{*}=h(R_a^{*})$.
• $\mathcal{A}$ generates a random number $r_{\mathcal{A}}$, and selects any identity $I{D}_i$. $\mathcal{A}$ then computes login request message $M_1$ as:

  $$\begin{gathered} X_a=r_a\times P \\ {M}_a=N_a\oplus A_a^{*} \\ AI{D}_i=I{D}_i\oplus h(M_a||T_a) \\ {W}_a=h(M_a||I{D}_i||X_a||T_a). \end{gathered}$$
  $\mathcal{A}$ then sends the login request message $M_1=$ $\langle AI{D}_i$, $X_a$, $C_a$, $T_a$, $W_a\rangle$ to $GW$.
• When receiving $M_1$, $GW$ retrieves $T^{\prime }$ and verifies $T^{\prime }-T_a\le △T$. If this holds, $GW$ computes $A_a^{*}$, $M_a^{*}$, $I{D}_i^{*}$, $W_a^{*}$ and compares $W_a^{*}$ with $W_a$ as:

  $$\begin{gathered} A_a^{*}||u{p}_a=D_x(C_a) \\ {M}_a^{*}=h(x||y||A_a^{*}) \\ I{D}_i^{*}=AI{D}_i\oplus h(M_a^{*}||T_a) \\ {W}_a^{*}=h(M_a^{*}||I{D}_i^{*}||X_a^{*}||T_a) \\ verifies{W}_a\stackrel{?}{=}{W}_a^{*}. \end{gathered}$$
  If this holds and $I{D}_i$ does exist in the database, the gateway $GW$ continues to proceed the scheme without detected. Otherwise, $\mathcal{A}$ selects another identity nominee and performs the same processes until he/she locates the valid identity.
• $GW$ picks up $T_g$ and computes $k_g$, $C_g$ and $W_g$:

  $$\begin{gathered} k_g=h(h(SI{D}_j||y)||T_g) \\ {C}_g=E_{k_g}(AI{D}_i||X_a) \\ {W}_g=h(h(SI{D}_j||y)||AI{D}_i||C_g||T_g). \end{gathered}$$
  $GW$ then sends the authentication message $M_2=$ $\langle AI{D}_i$, $C_g$, $T_g$, $W_g\rangle$ to $S_j$.
• Upon receiving $M_2$ from $GW$, $S_j$ retrieves $T^{″}$ and verifies $T^{″}-T_g\le △T$. If this holds, $S_j$ verifies the validity of $W_g$ by comparing it with $h(h(SI{D}_j||y)||AI{D}_i||C_g||T_g)$ to check the legitimacy of $GW$. After that, $S_j$ computes $k_g^{*}$ and decrypts $C_g$ using $k_g^{*}$. $S_j$ then checks the validity of the received $AI{D}_i$ by comparing $AI{D}_i^{*}$ as

  $$\begin{gathered} k_g^{*}=h(h(SI{D}_j||y)||T_g) \\ {D}_{k_g^{*}}=AI{D}_i^{*}||X_a^{*} \\ verifiesAI{D}_i\stackrel{?}{=}AI{D}_i^{*}. \end{gathered}$$
• $S_j$ generates a random number $r_s$ and computes $K_{SU}$, $Y_i$ and a session key $sk$. $S_j$ then computes $RM$, $V_s$ as:

  $$\begin{gathered} K_{SU}=r_x\times X_a^{*} \\ {Y}_i=r_s\times P \\ sk=h(AI{D}_i||K_{SU}||T_s) \\ RM=\text{Response to the query of }{U}_i \\ {V}_s=h(AI{D}_i||X_a||Y_i||RM||T_s), \end{gathered}$$

  where $T_s$ is current timestamp. $S_j$ then sends $M_3=\langle RM$, $Y_i$, $V_s$, $T_s\rangle$ to $\mathcal{A}$.
• After receiving $M_3$, $\mathcal{A}$ retrieves $T_s$, and checks the sameness of $V_s$. Then, $\mathcal{A}$ computes $K_{US}$ and $sk$ as:

  $$\begin{gathered} V_s^{*}=h(AI{D}_i||X_a||Y_i||RM||T_s) \\ verifies{V}_s^{*}\stackrel{?}{=}{V}_s \\ {K}_{US}=r_a\times Y_i \\ sk=h(AI{D}_i||K_{US}||T_s). \end{gathered}$$
  Lastly, $\mathcal{A}$ and $S_j$ “successfully” agree on a session key $sk$. Unfortunately, the sensor $S_j$ mistakenly believes that he/she is communicating with the legitimate user $U_i$.

4.2. Sensor Node Impersonation Attack

Park et al. [14] claimed that if $\mathcal{A}$ wants to masquerade as the sensor node $S_j$, $\mathcal{A}$ is required to compute $h(SI{D}_j||y)$. This is because the symmetric key $k_g=h(h(SI{D}_j||y)||T_g)$. However, if $\mathcal{A}$ obtains the login request message $M_1=$ $\langle AI{D}_i$, $X_i$, $C_i$, $T_i$, $W_i\rangle$ of the legitimate user $U_i$, $\mathcal{A}$ then can easily impersonate the sensor node $S_j$.

• After receiving $M_2$ from $GW$, $\mathcal{A}$ generates a random number $r_a$ and computes $K_{AU}$, $Y_a$, $RM$, $V_a$ and a session key $sk$ as:

  $$\begin{gathered} K_{AU}=r_a\times X_i \\ {Y}_a=r_a\times P \\ sk=h(AI{D}_i||K_{AU}||T_a) \\ RM=\text{Any response to the query of }{U}_i \\ {V}_a=h(AI{D}_i||X_i||Y_a||RM||T_a), \end{gathered}$$

  where $T_a$ is current timestamp. $\mathcal{A}$ then sends $M_3=\langle RM$, $Y_a$, $V_a$, $T_a\rangle$ to $U_i$.
• Upon receiving $M_3$ from $\mathcal{A}$, $U_i$ retrieves $T_a$ and checks the sameness of $V_a$. Then, $U_i$ computes $K_{UA}$ and $sk$ as:

  $$\begin{gathered} V_a^{*}=h(AI{D}_i||X_i||Y_a||RM||T_a) \\ verifies{V}_a^{*}\stackrel{?}{=}{V}_a \\ {K}_{UA}=r_i\times Y_a \\ sk=h(AI{D}_i||K_{UA}||T_a). \end{gathered}$$
  Lastly, $U_i$ and $\mathcal{A}$ “successfully” agree on a session key $sk$. Unfortunately, the user $U_i$ mistakenly believes that he/she is communicating with the legitimate sensor $S_j$.

4.3. Illegal Smart Card Revocation/Reissue Attack

Park et al. [14] claimed that, although $\mathcal{A}$ could get the identity $I{D}_i$ in some way, $GW$ checks the legitimacy of the user on the requested identity, and $\mathcal{A}$ cannot compute $M_i$ and the revocation/reissue request message $Z_i$ without the biometric information of $U_i$. However, $\mathcal{A}$ can modify the revocation/reissue request message. This is because $GW$ cannot distinguish whether or not the user who wishes to revoke $I{D}_i$ is the real user $U_i$.

• Suppose $\mathcal{A}$ owns a smart card to extract information $\langle V_a$, $N_a$, $C_a$, $h(·)$, $P_a\rangle$ and obtains the identity $I{D}_i$ of the legitimate user $U_i$ by using a user impersonation attack.
• Next, $\mathcal{A}$ imprints the personal biometric information $B_a$ at the sensor. The sensor hence sketches $B_a$ and extracts $\langle R_a$, $P_a\rangle$ from $Gen(B_a)\to \langle R_a$, $P_a\rangle$.
• $\mathcal{A}$ computes $A_a^{*}=h(R_a)$ and $Z_i^{\prime }=I{D}_i\oplus N_a\oplus A_a^{*}$ and sends the revocation/reissue request message $\langle I{D}_i$, $I{D}_i^{*}$, $A_a^{*}$, $Z_i^{\prime }\rangle$ to $GW$.
• $GW$ computes $M_i^{*}$, $Z_i^{*}$, and checks the legitimacy of the user as:

  $$\begin{gathered} M_a^{*}=h(x||y||A_a^{*}) \\ {Z}_i^{*}=I{D}_i\oplus M_a^{*} \\ verifies{Z}_i^{\prime }\stackrel{?}{=}{Z}_i^{*}. \end{gathered}$$
• If this holds, $GW$ revokes $I{D}_i$ and records it on the revocation look-up table. Then, $GW$ computes new authentication parameters $V_i$, $N_i$ and $C_i$ as:

  $$\begin{gathered} V_i=h(I{D}_i^{*}||A_a^{*}) \\ {N}_i=M_a^{*}\oplus A_a^{*} \\ {C}_i=E_x(A_a^{*}||u{p}_i^{*}). \end{gathered}$$
• $GW$ stores the new authentication parameters $\langle V_i$, $N_i$, $C_i$, $h(·)\rangle$ in the smart card $S{C}_i$. $GW$ then reissues $S{C}_i$ to $\mathcal{A}$ through a secure channel.
• $\mathcal{A}$ stores $P_a$ in the smart card.

Adversary $\mathcal{A}$ can revoke the smart card of an authenticated user who does not wish the said smart card to be revoked without permission because $GW$ has no proper process for checking the legitimacy of the user on the previous identity $I{D}_i$.

5. The Proposed Scheme

In this section, we will propose a new biometric-based password authentication scheme using a smart card. In our scheme, there are also three participants, the user $U_i$, the gateway $GW$ and the sensor $S_j$. The $GW$ generates two master keys x and y, and sends a long-term secret key $h(SI{D}_j||y)$ to the sensor $S_j$ before the scheme is executed. After that, $GW$ computes $x\times P$ where $xP$ is the public key of the gateway. The proposed scheme consists of three phases: registration, login and authentication, and revocation/reissue.

5.1. Registration Phase

In this phase, a user $U_i$ chooses an identity $I{D}_i$, imprints biometric template $B_i$ at the sensor, and then performs the following steps:

• The sensor sketches $B_i$, extracts $\langle R_i$, $P_i\rangle$ from $Gen(B_i)\to \langle R_i$, $P_i\rangle$, and stores $P_i$ in the memory. $U_i$ then sends $\langle I{D}_i$, $A_i=h(R_i)\rangle$ to $GW$ over a secure channel.
• When receiving the registration request message $\langle I{D}_i$, $A_i\rangle$ from $U_i$, the gateway $GW$ computes the authentication parameters as:

  $$\begin{gathered} C_i=h(I{D}_i||x||y) \\ {M}_i=h(C_i)\oplus A_i \\ {N}_i=x\oplus C_i\oplus y \\ {V}_i=h(I{D}_i||A_i). \end{gathered}$$
• $GW$ stores the authentication parameters $\langle M_i$, $N_i$, $V_i$, $h(·)\rangle$ in the smart card $S{C}_i$. $GW$ hence issues $S{C}_i$ to $U_i$ via a secure channel.
• Lastly, $U_i$ stores $P_i$ in the smart card.

Figure 1 illustrates the registration phase of the proposed scheme.

5.2. Login and Authentication Phase

In this phase, $U_i$ performs the login phase, and hence $U_i$, $GW$ and $S_j$ verify each other’s authenticity. Finally, $U_i$ and $S_j$ generates a common session key in this phase as follows:

• $U_i$ inserts his/her smart card $S{C}_i$ into the card reader, inputs the identity $I{D}_i$, and imprints the personal biometrics $B_i^{*}$ at the sensor.
• The sensor then sketches $B_i^{*}$ and extracts $R_i$ from $Rep(B_i^{*}$, $P_i)\to \langle R_i\rangle$. Then, $S{C}_i$ computes $A_i^{*}$ and $V_i^{*}$ using fuzzy extraction and compares $V_i^{*}$ with $V_i$ as:

  $$\begin{gathered} R_i^{*}=Rep(B_i^{*},P_i) \\ {A}_i^{*}=h(R_i^{*}) \\ {V}_i^{*}=h(I{D}_i||A_i^{*}) \\ verifies{V}_i\stackrel{?}{=}{V}_i^{*}. \end{gathered}$$
• $S{C}_i$ generates random numbers $r_1$ and $r_2$ and hence computes

  $$\begin{gathered} X_i=r_1\times P \\ h(C_i)=M_i\oplus A_i^{*} \\ AI{D}_i=I{D}_i\oplus h(r_2) \\ {M}_1=r_2\oplus h(C_i) \\ {M}_2=h(AI{D}_i||h(C_i)||X_i||r_2||T_i) \\ {M}_3=N_i\oplus (r_1\times xP), \end{gathered}$$

  where $T_i$ is current timestamp. Then, $U_i$ sends the login request message $\langle AI{D}_i$, $X_i$, $M_1$, $M_2$, $M_3$, $T_i\rangle$ to $GW$.
• Upon receiving a login request message from $U_i$, $GW$ retrieves $T^{\prime }$ and verifies $T^{\prime }-T_i\le △T$. If this is true, $GW$ computes $C_i^{*}$, $r_2^{*}$, $I{D}_i^{*}$ and $M_2^{*}$ and compares $C_i^{*}$ with $h(I{D}_i^{*}||x||y)$ and $M_2^{*}$ with $M_2$ as:

  $$\begin{gathered} C_i^{*}=M_3\oplus (x\times X_i)\oplus x\oplus y \\ {r}_2^{*}=M_1\oplus h(C_i^{*}) \\ I{D}_i^{*}=AI{D}_i\oplus h(r_2^{*}) \\ verifies{C}_i^{*}=h(I{D}_i^{*}||x||y) \\ {M}_2^{*}=h(AI{D}_i||h(C_i^{*})||X_i||r_2^{*}||T_i) \\ verifies{M}_2\stackrel{?}{=}{M}_2^{*}. \end{gathered}$$
  If this holds, $GW$ verifies the legitimacy of $U_i$.
• $GW$ computes $k_g$, $C_g$ and $W_g$,

  $$\begin{gathered} k_g=h(h(SI{D}_j||y)||T_g) \\ {C}_g=E_{k_g}(AI{D}_i||r_2||X_i) \\ {W}_g=h(h(SI{D}_j||y)||AI{D}_i||C_g||T_g), \end{gathered}$$

  where $T_g$ is current timestamp. $GW$ then sends the authentication message $\langle AI{D}_i$, $C_g$, $T_g$, $W_g\rangle$ to $S_j$.
• When receiving the authentication message from $GW$, $S_j$ retrieves $T^{″}$ and verifies $T^{″}-T_g\le △T$. If this is true, $S_j$ verifies the validity of $W_g$ by comparing it with $h(h(SI{D}_j||y)||AI{D}_i||C_g||T_g)$ to check the legitimacy of $GW$. After that, $S_j$ computes $k_g^{*}$, and decrypts $C_g$ using $k_g^{*}$. Then, $S_j$ checks the validity of the received $AI{D}_i$ by comparing the computed $AI{D}_i^{*}$ as

  $$\begin{gathered} k_g^{*}=h(h(SI{D}_j||y)||T_g) \\ {D}_{k_g^{*}}=AI{D}_i^{*}||r_2^{*}||X_i^{*} \\ verifiesAI{D}_i\stackrel{?}{=}AI{D}_i^{*}. \end{gathered}$$
• $S_j$ generates a random number $r_s$ and computes $K_{SU}$, $Y_i$, $RM$, $V_s$ and a session key $sk$ as:

  $$\begin{gathered} K_{SU}=r_s\times X_i^{*} \\ {Y}_i=r_s\times P \\ sk=h(AI{D}_i||K_{SU}||T_s) \\ RM=\text{Response to the query of }{U}_i \\ {V}_s=h(AI{D}_i||r_2^{*}||Y_i||sk||RM||T_s), \end{gathered}$$

  where $T_s$ is current timestamp. $S_j$ then sends $\langle RM$, $Y_i$, $V_s$, $T_s\rangle$ to $U_i$.
• After receiving response message $\langle RM$, $Y_i$, $V_s$, $T_s\rangle$ from $S_j$, $U_i$ computes $sk$ and checks whether $V_s^{*}$ is equal to $V_s$:

  $$\begin{gathered} K_{US}=r_1\times Y_i \\ sk=h(AI{D}_i||K_{US}||T_s) \\ {V}_s^{*}=h(AI{D}_i||r_2||Y_i||sk||RM||T_s) \\ verifies{V}_s^{*}\stackrel{?}{=}{V}_s. \end{gathered}$$
  The legitimate user $U_i$ can only compute $K_{US}$ and $sk$. $U_i$ and $S_j$ can communicate securely using the common session key $sk$.

Figure 2 illustrates the login and authentication phase of the proposed scheme.

5.3. Revocation or Reissue Phase

To make up for smart card loss or long term key disclosure, the smart card should be revoked and reissued in cycles.

• If $U_i$ wants to revoke and reissue a smart card, he/she inserts his/her smart card $S{C}_i$ into the card reader, inputs the previous identity $I{D}_i$ and the new identity $I{D}_i^{*}$ to prevent adversaries from registering with the same identity $I{D}_i$, and then imprints the personal biometrics $B_i^{*}$ at the sensor.
• The sensor then sketches $B_i^{*}$ and extracts $R_i$ from $Rep(B_i^{*}$, $P_i)\to \langle R_i\rangle$. Then, $S{C}_i$ computes $A_i^{*}$ and $V_i^{*}$ using fuzzy extraction,

  $$\begin{gathered} R_i=Rep(B_i^{*},P_i) \\ {A}_i=h(R_i). \end{gathered}$$
• $U_i$ computes $Z_i=I{D}_i\oplus M_i$ and sends the revocation/reissue request message $\langle I{D}_i$, $I{D}_i^{*}$, $A_i$, $Z_i\rangle$ to $GW$ over a secure channel.
• $GW$ first checks whether $I{D}_i$ is the same as $I{D}_i^{*}$ or not. If they are different, $GW$ computes $M_i^{*}$, $Z_i^{*}$ and checks the legitimacy of the user as:

  $$\begin{gathered} C_i^{*}=h(I{D}_i||x||y) \\ {Z}_i^{*}=I{D}_i\oplus h(C_i^{*})\oplus A_i \\ verifies{Z}_i^{*}\stackrel{?}{=}{Z}_i. \end{gathered}$$
• If this is true, $GW$ revokes $I{D}_i$ and records it on the revocation look-up table. Then, $GW$ computes new authentication parameters $V_i$, $N_i$ and $C_i$ as:

  $$\begin{gathered} C_i=h(I{D}_i^{*}||x||y) \\ {M}_i=h(C_i)\oplus A_i \\ {N}_i=x\oplus C_i\oplus y \\ {V}_i=h(I{D}_i^{*}||A_i). \end{gathered}$$
• $GW$ stores $h(·)$ and the new authentication parameters $\langle M_i$, $N_i$, $V_i$, $h(·)\rangle$ in the smart card $S{C}_i$. $GW$ then reissues $S{C}_i$ to $U_i$ through a secure channel.
• $U_i$ stores $P_i$ in the smart card.

Figure 3 illustrates the revocation/reissue phase of the proposed scheme.

6. Security Analysis

In this section, we demonstrate that the proposed scheme, which retains the merits of Park et al.’s scheme [14], can withstand several types of possible attacks; and we also show that the scheme supports several security properties. The security analysis of the proposed scheme was conducted with the threat assumptions made in the Preliminaries.

6.1. Formal Security Analysis

In this subsection, we have demonstrated that the proposed scheme is secure through a formal proof using the random oracle model [18,25]. At first, we specify a collision-free one-way hash function as follows.

Definition 6.

The collision-resistance one-way hash function $f:\{0$, ${1\}}^{*}\to \{0$, ${1\}}^n$ pick up an input as a binary string $x\in \{0$, ${1\}}^{*}$ that has a random length, produces a binary string $h(x)\in \{0$, ${1\}}^n$, and gratifies the following requirements:

• Given the $y\in Y$, it is not possible to find out computationally about $x\in X$ such that $y=h(x)$.
• Given the $x\in X$, it is not possible to find out computationally about another $x^{\prime }\ne x\in X$, such that $h(x^{\prime })=h(x)$.
• It is not possible to find out computationally about a pair $(x^{\prime }$, $x)\in X^{\prime }\times X$, with $x^{\prime }\ne x$, such that $h(x^{\prime })=h(x)$.

Theorem 1.

According to the assumption that if the collision-free one-way hash function $h(·)$ closely acts like an oracle, the proposed scheme is then distinctly secure against an adversary $\mathcal{A}$ for the protection of the sensitive information including the identity $I{D}_i$, nearly random binary string $r_2$ and master secret key x, y of the gateway node $GW$.

Proof. 

This random oracle can extract the input value x from the given hash result $y=h(x)$ without fail. $\mathcal{A}$ now executes the experimental algorithm as shown in Algorithm 1, $EX{P}_{HASH,A}^{JHKAS},$ for the proposed scheme as JHKAS, for example. Let us define the probability of success for $EX{P}_{HASH,A}^{JHKAS}$ as $Succes{s}_{HASH,A}^{JHKAS}=|Pr[EX{P}_{HASH,A}^{JHKAS}=1]-1|$, where $Pr(·)$ means the probability of $EX{P}_{HASH,A}^{JHKAS}$. The advantage function for this algorithm then becomes $Ad{v}_{HASH,A}^{JHKAS}(t,q_R)=ma{x}_{Success}$, where the t is the execution time and $q_R$ is the number of queries. Discuss the algorithm as shown in Algorithm 1 for the $\mathcal{A}$. If $\mathcal{A}$ has the capability to solve the hash function problem given in Definition 6, then he/she can immediately retrieve the identity $I{D}_i$, nearly random binary string $r_2$ and master secret key x, y of the gateway node $GW$. In that case, the $\mathcal{A}$ will detect the complete connections between the $U_i$ and the $GW$; however, the inversion of the input from a given hash value is not possible computationally, i.e., $Ad{v}_{HASH,A}^{JHKAS}(t)\le ϵ$, for all $ϵ>0$. Thus, $Ad{v}_{HASH,A}^{JHKAS}(t,q_R)\le ϵ$, since $Ad{v}_{HASH,A}^{JHKAS}(t,q_R)$ depends on $Ad{v}_{HASH,A}^{JHKAS}(t)$. In conclusion, there is no way for $\mathcal{A}$ to detect the complete connections between the $U_i$ and the $GW$, and the proposed scheme is distinctly secure to an adversary $\mathcal{A}$ for retrieving ($I{D}_i$, $r_2$, x, y). ☐

Algorithm 1 $EX{P}_{HASH,A}^{JHKAS}$

1.  Eavesdrop login request message $\langle AI{D}_i$, $X_i$, $M_1$, $M_2$, $M_3$, $T_i\rangle$ during the login phase. 2.  Call the Reveal oracle. Let $(AI{D}_i^{\prime }$, $h{(C_i)}^{\prime }$, $X_i^{\prime }$, $r_2^{\prime }$, $T_i^{\prime })\leftarrow$ Reveal($M_2$) 3.  if ($AI{D}_i^{\prime }$ == $AI{D}_i$) then 4.   Accept $h{(C_i)}^{\prime }$, $X_i^{\prime }$, $r_2^{\prime }$, $T_i^{\prime }$ as the correct of user $U_i$ 5.   Call the Reveal oracle. Let ($C_i^{\prime })\leftarrow$ Reveal($h{(C_i)}^{\prime }$) 6.   Call the Reveal oracle. Let ($C_i^{″})\leftarrow$ Reveal($M_1\oplus r_2$) 7.   if ($C_i^{\prime }$ == $C_i^{″}$) then 8.    Accept the $C_i$ as the correct of user $U_i$ 9.    Call the Reveal oracle. Let $(I{D}_i^{\prime }$, $x^{\prime }$, $y^{\prime })\leftarrow$ Reveal($C_i$) 10.   Compute $I{D}_i^{″}=AI{D}_i\oplus h(r_2)$ 11.   if ($I{D}_i$ == $I{D}_i^{″}$) then 12.    Accept $x^{\prime }$, $y^{\prime }$ as the correct secret key x, y of gateway node $GW$ 13.    return 1(Success) 14.   else 15.    return 0 16.  else 17.   return 0 18.  end if 19. else 20.  return 0 21. end if

6.2. Simulation for Formal Security Verification Using the AVISPA Tool

In this subsection, we simulate the proposed scheme using the widely accepted AVISPA for the formal security verification. The main purpose of the simulation is to verify whether the proposed scheme is secure to replay and man-in-the middle attacks. The AVISPA tool consists of four back-ends: (i) On-the-fly Model-Checker (OFMC); (ii) Constraint-Logic-based Attack Searcher; (iii) SAT-based Model Checker; and (iv) Tree Automata based on Automatic Approximations for the Analysis of Security Protocols. In the AVISPA, the protocol is implemented in HLPSL [26], which is based on: the basic roles for representing each participant role and composition roles for representing the scenarios of the basic roles. The basic types available in the HLPSL are [27]:

• agent : The agent denotes a principal name. The intruder always has the special identifier i.
• symmetric_key : The symmetric_key is the key for a symmetric-key cryptosystem.
• text : The text values are often used as nonces. They can also be applied for messages.
• nat : The nat is used for denoting the natural numbers in non-message contexts.
• const : This type represents constants.
• hash_func : The base type hash_func represents cryptographic one-way hash functions.

The role of the initiator, the user $U_i,$ is provided in Algorithm 2. The $U_i$ first receives the start signal and updates its state value from 0 to 1. The state value is maintained by the variable State. In a similar way, the roles of the gateway $GW$ and sensor node $S_j$ of the proposed scheme are implemented and shown in Algorithm 3 and 4, respectively. The specifications in HLPSL language for the role of session, goal, and environment are specified in Algorithm 5. The simulation result for the formal security verification of the proposed scheme using CL-AtSe is shown in Algorithm 6. It is clear that the proposed scheme is secure to passive and active attacks including the replay and man-in-the middle attacks.

Algorithm 2 Role specification for user $U_i$

role user (Ui, GW, Sj: agent, SKug, SKus: symmetric_key, H, F: function, SND, RCV: channel (dy))   played_by Ui def=   local State : nat, IDi, Ri, P, Ai, Mi, Ni, Vi: text, AIDi, R1, R2, Xi, Ci, Di, M1, M2, M3, Ti, Rs: text, RM, Yi, Vs, Ts, Gx, Gy, Kus: text   init State := 0   transition   0. State = 0 ∧ RCV(start) =|> State’:= 5 ∧ Ai’ := H(Ri) ∧ secret(Ri, scrt0, Ui) ∧ secret(IDi, scrt1, {Ui, GW}) ∧ SND({IDi.Ai’}_SKug)   5. State = 2 ∧ RCV({Mi’.Ni’.Vi’}_SKug.P’) =|> State’:= 8 ∧ R1’:=new() ∧ R2’:=new() ∧ Ti’:=new() ∧ Xi’:=F(R1’.P’) ∧ Di’:=xor(Mi’, Ai’) ∧ AIDi’:=xor(IDi, H(R2’)) ∧ M1’:=xor(R2’, Di’) ∧ M2’:=H(AIDi’.Di’.Xi’.R2’.Ti’) ∧ M3’:=xor(Ni’, F(R1’.F(Gx’.P))) ∧ secret({Gx’, Gy’}, scrt2, GW) ∧ SND(AIDi’, Xi’, M1’, M2’, M3’, Ti’) ∧ witness(Ui, Sj, ui_sj_r1, R1’)   8. State = 8 ∧ RCV({RM’.Yi’.Vs’.Ts’}_SKug.P’) =|> State’:= 9 ∧ Vs’:=H(AIDi’.Xi’.Yi’.RM’.Ts’) ∧ Kus’:= F(R1’.F(Rs’.P)) ∧ SKus’:=H(AIDi’.Kus’.Ts’) ∧ witness(Ui, GW, ui_gw_r2, R2’) ∧ request(Sj, Ui, sj_ui_rs, Rs’)   end role

Algorithm 3 Role specification for gateway $GW$

role gateway (Ui, GW, Sj: agent, SKug, SKgs, Kg: symmetric_key, H, F: function, SND, RCV: channel (dy))   played_by GW def=   local State : nat, IDi, R1, R2, Ri, P, Ai, Mi, Ni, Vi, Rs: text, AIDi, SIDj, Ks, Xi, Ci, Di, M1, M2, M3, Ti: text, Cg, Tg, Wg, Gx, Gy: text   init State := 1   transition   1. State = 1 ∧ RCV({IDi.Ai’}_SKug) =|> State’:= 6 ∧ Ci’:= H(IDi.Gx’.Gy’) ∧ P’:=new() ∧ Di’:=H(Ci’) ∧ Mi’:=xor(Di’, H(Ri)) ∧ Ni’:=xor(Gx’, Ci’, Gy’) ∧ Vi’:=H(IDi.H(Ri)) ∧ secret({Gx’, Gy’}, scrt2, GW) ∧ SND({Mi’.Ni’.Vi’}_SKug.P’)   3. State = 3 ∧ RCV({SIDj}_SKgs) =|> State’:= 6 ∧ Ks’:=H(SIDj.Gy’) ∧ SND({Ks’}_SKgs.P’)   6. State = 6 ∧ RCV(AIDi’.Xi’.M1’.M2’.M3’.Ti’) =|> State’:= 9 ∧ Tg’ = new() ∧ Di’:=H(xor(M3’, F(R1’.F(Gx’.P)), Gx’, Gy’)) ∧ R2’:=xor(M1’, Di’) ∧ IDi’:=xor(AIDi’, H(R2’)) ∧ Kg’:=H(H(SIDj’.Gy’).Tg’) ∧ Cg’:={AIDi’.R2’.Xi’}_Kg’ ∧ Wg’:=H(H(SIDj’.Gy’).AIDi’.Cg’.Tg’) ∧ secret({Gx’, Gy’}, scrt2, GW) ∧ secret(H(SIDj’.Gy’), scrt4, {GW, Sj}) ∧ SND(AIDi’.Cg’.Tg’.Wg’) ∧ request(Ui, Sj, ui_sj_r1, R1’)   end role

Algorithm 4 Role specification for sensor $S_j$

role sensor (Ui, GW, Sj: agent, SKgs, Kg, SKus: symmetric_key, H, F: function, SND, RCV: channel (dy))   played_by Sj def=   local State : nat, IDi, Ri, P, Ai, Mi, Ni, Vi, R1, R2: text, AIDi, SIDj, Ks, Xi, Ci, M1, M2, M3, Ti: text, Cg, Tg, Wg: text, RM, Yi, Vs, Ts, Gx, Gy, Rs, Kus:text   init State := 2   transition   2. State = 2 ∧ RCV(start) =|> State’:= 4 ∧ SND({SIDj}_SKgs.P’)   4. State = 4 ∧ RCV({H(SIDj.Gy’)}_SKgs.P’) =|> State’:= 7 ∧ secret({Gx’, Gy’}, scrt2, GW)   7. State = 7 ∧ RCV(AIDi’.Xi’.M1’.M2’.M3’.Ti’) =|> State’:= 10∧ Kg’:=H(H(SIDj’.Gy’).Tg’) ∧ Kus’:=F(R1’.F(Rs’.P)) ∧ Yi’:=F(Rs’.P) ∧ Ts’:=new() ∧ SKus’:=H(AIDi’.Kus’.Ts’) ∧ RM’:=new() ∧ Vs’:=H(AIDi’.Xi’.Yi’.RM’.Ts’) ∧ SND(RM’, Yi’, Vs’, Ts’) ∧ secret(H(SIDj.Gy’), scrt4, {GW, Sj}) ∧ witness(Sj, Ui, sj_ui_rs, Rs’) ∧ request(Ui, Sj, ui_sj_r1, R1’)   end role

Algorithm 5 Role specification for session, goal and environment

role session(Ui, GW, Sj: agent, SKug, SKus, SKgs, Kg: symmetric_key, H, F: function) def=   local Z1, Z2, Z3, S1, S2, S3: channel (dy)   composition   user(Ui, GW, Sj, SKug, SKus, H, F, Z1, S1) ∧ gateway(Ui, GW, Sj, SKug, SKgs, Kg, H, F, Z2, S2) ∧ sensor(Ui, GW, Sj, SKgs, Kg, SKus, H, F, Z3, S3)   end role   role environment() def=   const ui, gw, sj : agent, skug, skgs, skus, kg : symmetric_key, h, f : function, aidi, sidj, p, xi : text, xi, m1, m2, m3, ti : text, cg, tg, wg : text, rm, yi, vs, ts : text, ui_sj_r1, ui_gw_r2, sj_ui_rs : protocol_id, scrt0, scrt1, scrt2, scrt3, scrt4 : protocol_id   intruder_knowledge = {ui, gw, sj, h, f, p, aidi, sidj, xi, m1, m2, m3, ti, cg, tg, wg, rm, yi, vs, ts}   composition   session(ui, gw, sj, skug, skgs, kg, skus, h, f)   end role   goal   secrecy_of scrt0 secrecy_of scrt1 secrecy_of scrt2 secrecy_of scrt3 secrecy_of scrt4   authentication_on ui_sj_r1 authentication_on ui_gw_r2 authentication_on sj_ui_rs   end goal

Algorithm 6 Role specification for session, goal and environment

SUMMARY SAFE   DETAILS BOUNDED_NUMBER_OF_SESSIONS   PROTOCOL /home/span/span/testsuite/results/testrv.if   GOAL As Specified   BACKEND CL-AtSe   STATISTICS   Analysed : 1 states Reachable : 0 states Translations: 0.03 s Computation: 0.00 s

6.3. Informal Security Analysis

Table 2. Comparison of security features.

Features	Yoon and Kim	Choi et al.	Park et al.	The Proposed
	[12]	[13]	[14]
Provides user anonymity	N/A	×	◯	◯
Provides mutual authentication	◯	◯	◯	◯
Provides message confidentiality	◯	◯	◯	◯
Provides perfect forward secrecy	N/A	◯	◯	◯
Resists insider attack	◯	×	◯	◯
Resists impersonation attack	◯	×	×	◯
Resists illegal smart card revocation/reissue attack	×	×	×	◯
Resists biometric recognition error	×	◯	◯	◯
Resists session key exposure by gateway	×	◯	◯	◯
Resists denial of service attack	×	◯	◯	◯
Resists user verification problem	×	◯	◯	◯
Resists stolen verifier attack	◯	◯	◯	◯
Resists replay attack	◯	◯	◯	◯
Security factor	Two-factor	Two-factor	Two-factor	Two-factor

◯: scheme provides the property; ×: scheme does not provide the property; N/A: scheme does not consider the property.

compares the security features provided by the proposed scheme with other related schemes.

6.3.1. User Anonymity

Suppose an adversary $\mathcal{A}$ intercepts the login request message $\langle AI{D}_i$, $X_i$, $M_1$, $M_2$, $M_3$, $T_i\rangle$ of a legitimate user $U_i$. However, $I{D}_i$ cannot be derived from $AI{D}_i$ without the knowledge of a random number $r_2$; furthermore, the $r_2$ cannot be derived from $M_1$ without a hash value $h(C_i)=h(h(I{D}_i||x||y))$. The $U_i$ and $GW$ can only compute $h(C_i$). The proposed scheme therefore provides user anonymity.

6.3.2. Mutual Authentication

The proposed scheme not only guarantees secrecy as the other authentication scheme, but also $U_i$, $S_j$ and $GW$ authenticate each other. $GW$ authenticates $U_i$ by checking whether $M_2$ is valid or not because only a legitimate user can compute a valid $h(C_i)$ using a biometric template. Then, $S_j$ authenticates $GW$ by checking $W_g$, which only $GW$ can compute using the shared long-term key $h(SI{D}_j||y)$ and the time stamp $T_g$. Finally, the $U_i$ authenticates $S_j$ by checking the validity of $V_s$ because only $U_i$ and $S_j$ can compute the session key $sk$.

6.3.3. Message Confidentiality

Message confidentiality is an important security aspect that provides secrecy by limiting the adversary’s access to the message. Communication messages in the public channel do not affect the disclosure of secret values, such as $I{D}_i$, $r_1$, $r_2$, $r_s$ and $sk$. $\mathcal{A}$ cannot compute important information from $AI{D}_i$, $X_i$, $M_1$, $M_2$, $M_3$, $C_g$, $W_g$, $Y_i$ and $V_s$. Furthermore, $T_i$, $T_g$, $T_s$ and $RM$ are basically public information, so they do not need to be protected.

6.3.4. Perfect Forward Secrecy

The perfect forward secrecy means that if one long-term key is compromised, a session key that is derived from these long-term keys will not be compromised in the future [28]. In our scheme, a session key $sk$ between user $U_i$ and sensor $S_j$ is calculated as follows:

$$\begin{gathered} X_i=r_1\times P \\ {Y}_i=r_s\times P \\ {K}_{US}=K_{SU}=r_s\times X_i=r_1\times Y_i \\ sk=h(AI{D}_i||K_{US}||T_s). \end{gathered}$$

Even if the gateway $GW$’s long-term key (x, y) is compromised, adversary $\mathcal{A}$ cannot retrieve $r_1$ and $r_s$ to generate the session keys between $U_i$ and $S_j$. The session key of our proposed scheme is based on a elliptic curve discrete logarithm problem (ECDLP). An adversary $\mathcal{A}$ cannot obtain $r_1\times r_s\times P$ from $r_1\times P$ and $r_s\times P$. Our scheme therefore provides the perfect forward secrecy.

6.3.5. User Impersonation Attack

Suppose $\mathcal{A}$ owns a smart card to extract information $\langle V_a$, $N_a$, $C_a$, $h(·)$, $P_a\rangle$ and intercepts the login request message $\langle AI{D}_i$, $X_i$, $M_1$, $M_2$, $M_3$, $T_i\rangle$ of legitimate user $U_i$. $\mathcal{A}$ can then try modifying a login request message. Even if $\mathcal{A}$ guesses or obtains $U_i$’s identity $I{D}_i$, $GW$ verifies whether $C_i^{*}$ is equal to $h(I{D}_i^{*}||x||y)$. The $\mathcal{A}$ cannot compute $C_i$ and $h(C_i)$, and then fails to impersonate a legitimate user $U_i$. The proposed scheme therefore can resist user impersonation attack.

6.3.6. Gateway or Sensor Node Impersonation Attack

If $\mathcal{A}$ wants to masquerade as the gateway node $GW$ or a sensor node $S_j$, the hash value $h(SI{D}_j||y)$ is needed. However, it is computationally difficult to guess $h(SI{D}_j||y)$ or $k_g$ correctly. Furthermore, even if $\mathcal{A}$ obtains the login request message $\langle AI{D}_i$, $X_i$, $M_1$, $M_2$, $M_3$, $T_i\rangle$, $\mathcal{A}$ does not know $r_2$. Thus, $V_s=h(AI{D}_i||r_2||Y_i||sk||RM||T_s)$ cannot be computed. The proposed scheme therefore can resist gateway or sensor node impersonation attack.

6.3.7. Illegal Smart Card Revocation/Reissue Attack

Even if $\mathcal{A}$ obtains the identity $I{D}_i$ of a legitimate user $U_i$, $\mathcal{A}$ cannot compute $h(C_i)$ without the value $A_i=h(R_i)$. Furthermore, $GW$ checks the legitimacy of the user on the request identity by computing $C_i^{*}=h(I{D}_i||x||y)$ and $Z_i^{*}=I{D}_i\oplus h(C_i^{*})\oplus A_i$. Therefore, even if $\mathcal{A}$ sends the revocation/reissue request message $\langle I{D}_i$, $I{D}_i^{*}$, $A_a=h(R_a)$, $Z_a=I{D}_i\oplus h(C_a)\oplus A_a\rangle$ to $GW$, $\mathcal{A}$ fails to revoke $I{D}_i$ and reissue the smart card with $I{D}_i$. The proposed scheme therefore can resist an illegal smart card revocation/reissue attack.

6.3.8. Session Key Exposure by GW

The gateway $GW$ can intercept communication messages and obtain both $X_i=r_1\times P$ and $Y_i=r_s\times P$. However, $GW$ cannot derive $r_1$ and $r_s$ and therefore cannot compute the common session key $sk$. This is because our proposed scheme based on the elliptic curve discrete logarithm problem (ECDLP).

6.3.9. Denial of Service Attack

In the proposed scheme, $U_i$, $S_j$ and $GW$ basically check for freshness of timestamp in each authentication step. Each message for verification such as $M_2$, $W_g$ and $V_s$ includes the current timestamp T. Furthermore, each entity checks whether the calculated value is equal to the received value. The proposed scheme can resist denial of service attack.

6.3.10. User Verification Problem

$GW$ checks for the sameness in the identity $I{D}_i$ to verify the status a legitimate user $U_i$ by computing $C_i^{*}=h(I{D}_i^{*}||x||y)$. Furthermore, $U_i$ can compute constant values including $A_i=h(R_i)$ as a result of the fuzzy extractor. $GW$ can authenticate a legal user even if the user inputs slightly different biometric information $B_i^{*}$. Our proposed scheme therefore can prevent user verification problems.

6.3.11. Stolen Verifier Attack

In the proposed scheme, $GW$ and $S_j$ do not store any identification, password table or user biometrics. $GW$ stores only the master secret key (x, y), and $S_j$ stores only $h(SI{D}_j||y)$. The proposed scheme therefore can resist stolen verifier attacks.

6.3.12. Replay Attack

Even if the adversary $\mathcal{A}$ obtains the communication message, and sends them again with the current timestamps $T_i$, $T_g$, and $T_s$, $\mathcal{A}$ cannot compute $M_2$, $W_g$, $V_s$ using the current timestamps. The proposed scheme therefore can resist replay attacks.

7. Performance Analysis

In this section, we compare the computational costs of the proposed scheme with the other related schemes [13,14,29,30].

Table 3. Comparison of computational costs.

Phases		Choi et al.	Park et al.	Nam et al.	Park et al.	The Proposed
		[13]	[14]	[29]	[30]
Registration	$U_i$	$T_H$ + $T_F$	$T_H$ + $T_F$	$T_H$	$T_H$ + $T_F$	$T_H$ + $T_F$
	$GWN$	3$T_H$	2$T_H$ + $T_E$	$T_H$ + $T_E$ + $T_e$	5$T_H$	$T_e$ + 3$T_H$
	$S_j$	-	-	-	-	-
Login and authentication	$U_i$	$10T_H$ + $T_F$ + $T_E$ + 2$T_e$	$6T_H$ + $T_F$ + 2$T_e$	3$T_H$ + 3$T_e$ + $T_E$ + $T_M$	10$T_H$ + $T_F$ + 2$T_e$	$6T_H$ + $T_F$ + 3$T_e$
	$GWN$	10$T_H$ + 2$T_E$	7$T_H$ + 2$T_E$	$T_H$ + 2$T_E$ + $T_e$ + 3$T_M$	11$T_H$	6$T_H$ + $T_e$ + $T_E$
	$S_j$	6$T_H$ + $T_E$ + 2$T_e$	4$T_H$ + $T_E$ + 2$T_e$	$T_H$ + 2$T_e$ + 2$T_M$	4$T_H$ + 2$T_e$	4$T_H$ + $T_E$ + 2$T_e$
Revocation and reissue	$U_i$	$T_H$ + $T_F$	$T_H$ + $T_F$	-	-	$T_H$ + $T_F$
	$GWN$	3$T_H$	2$T_H$ + $T_E$	-	-	5$T_H$
	$S_j$	-	-	-	-	-
Total cost		34$T_H$ + 3$T_F$	23$T_H$ + 3$T_F$	7$T_H$ + 4$T_E$	31$T_H$ + 2$T_F$	26$T_H$ + 3$T_F$
		+ 4$T_E$ + 4$T_e$	+ 5$T_E$ + 4$T_e$	+ 7$T_e$ + 6$T_M$	+ 4$T_e$	+ 2$T_E$ + 6$T_e$

$T_e$: computational time for elliptic curve computation; $T_E$: computational time for encryption/decryption; $T_F$: computational time for fuzzy extraction; $T_H$: computational time for hash function; $T_M$: computational time for massage authentication code.

shows a comparison of the computational costs of the proposed scheme with the other related schemes. In the comparisons, XOR operations are not considered because these also can be ignored. Compared to Park et al.’s scheme [14], the proposed scheme performs three further hash operations and two elliptic curve computations. However, we reduce three encryption/decryption operations. Additionally, the proposed scheme provides the revocation and reissue phase, and can resist well-known attacks.

8. Conclusions

The various authentication schemes for WSNs have been proposed. Recently, Park et al. demonstrated the security vulnerabilities of Choi et al.’s scheme and proposed an enhanced authentication scheme. However, in this paper, we have identified vulnerabilities in Park et al.’s scheme in terms of impersonation and revocation/reissue. To overcome these vulnerabilities, we proposed a new biometric-based authentication scheme with improved security. Security and performance analysis shows that our proposed scheme is more secure and efficient than other related schemes.