SLUA-WSN: Secure and Lightweight Three-Factor-Based User Authentication Protocol for Wireless Sensor Networks

Abstract

Wireless sensor networks (WSN) are composed of multiple sensor nodes with limited storage, computation, power, and communication capabilities and are widely used in various fields such as banks, hospitals, institutes to national defense, research, and so on. However, useful services are susceptible to security threats because sensitive data in various fields are exchanged via a public channel. Thus, secure authentication protocols are indispensable to provide various services in WSN. In 2019, Mo and Chen presented a lightweight secure user authentication scheme in WSN. We discover that Mo and Chen’s scheme suffers from various security flaws, such as session key exposure and masquerade attacks, and does not provide anonymity, untraceability, and mutual authentication. To resolve the security weaknesses of Mo and Chen’s scheme, we propose a secure and lightweight three-factor-based user authentication protocol for WSN, called SLUA-WSN. The proposed SLUA-WSN can prevent security threats and ensure anonymity, untraceability, and mutual authentication. We analyze the security of SLUA-WSN through the informal and formal analysis, including Burrows–Abadi–Needham (BAN) logic, Real-or-Random (ROR) model, and Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation. Moreover, we compare the performance of SLUA-WSN with some existing schemes. The proposed SLUA-WSN better ensures the security and efficiency than previous proposed scheme and is suitable for practical WSN applications.

1. Introduction

Wireless sensor networks (WSN) are widely exploited in terms of enormous applicability [1] and have been used in various fields such as smart homes, smart factories, healthcares, and environmental monitoring [2,3,4,5,6,7,8]. Generally, WSN consist of a gateway node (GWN), a user, and a sensor node (SN) which are resource-limited in smart devices (things, sensors, etc.) [9]. SNs are deployed in various fields and collect a large amount of real-time data. GWN manages data collected by deployed SNs to provide services for legitimate users.

One of the application areas of WSN is a smart home with sensor devices, which provides a better daily life for users [10,11]. A smart home provides various services for users such as automatic checking of the temperature and humidity of the house and controlling light bulbs. However, it may cause serious privacy problems [12,13] because the data collected by SNs are exchanged through a public channel. If data collected by SNs is exposed, a malicious adversary can obtain the private information of users such as daily routines and habits in the house, and also can use the information for criminal purposes. Furthermore, in these application scenarios, smart devices are resource-constrained in terms of computation, communication, and storage overheads, and it is not suitable to apply asymmetric cryptosystems that generate high computational overheads [14]. Therefore, secure and lightweight authentication and key agreement protocols are indispensable to provide secure services for legal users in WSN environments. The secure and lightweight authentication and key agreement protocols must consider the following security requirements.

• Three-factor security: The protocol must meet the three-factor security to protect the legitimate user’s privacy.
• Preventing well-known attacks: The protocol for WSN must be secure against potential attacks, including smart card stolen, masquerade, privileged insider, man-in-the-middle (MITM) attacks, and so on.
• Preventing sensor node capture attack: Even if some sensors are captured by a malicious adversary, it is hard for an adversary to pretend to be other sensors.
• Preventing offline password guessing attack: The protocol must prevent the guessing of the legitimate user’s real password if a malicious adversary either intercepts the transmitted messages or approaches smart card contents.
• Preventing smart card stolen attack: In this attack it is assumed that a malicious adversary can attain the stored secret parameters on the smart card, thus the knowledge of attained parameters should not be enough for the malicious adversary to attain useful information to masquerade a legal user.
• Preventing privileged insider attack: The protocol must be secure to privileged insider attacks where the insider having privileges in the database may access the secret credentials and misuse the contents.
• Anonymity and untraceability: A malicious adversary cannot reveal and trace the real identity of a legitimate user.
• User authentication and key agreement: The protocol must mutually authenticate among entities and successfully establish a secure session key.
• Confidentiality: All transmitted messages communicated between the participants must be safely transmitted using a secret credential so that only legal participants can verify the message.

In 2019, Mo and Chen [15] proposed an elliptic curve cryptosystem (ECC)-based user authentication scheme for WSN. Mo and Chen claimed that their scheme prevents various attacks and provides user anonymity, untraceability, and authentication. However, we prove that their scheme suffers from many drawbacks, including masquerade and replay and session key exposure attacks, and does not provide user anonymity, untraceability, and mutual authentication. In addition, their scheme is not suitable for WSN environments because it requires high communication and computation costs. Consequently, we propose a secure and lightweight three-factor authentication protocol for WSN (SLUA-WSN), considering the efficiency of smart devices and improving the security level of Mo and Chen’s scheme [15].

1.1. Contributions and Motivations

The main contributions of our paper can be summarized as follows.

• We propose a secure and lightweight authentication protocol for WSN to resolve the security problems of Mo and Chen’s scheme utilizing secret parameters and biometrics.
• We perform the Burrows–Abadi–Needham (BAN) logic analysis [16] to evaluate that SLUA-WSN ensures secure mutual authentication. We also perform formal security analysis utilizing the Real-or-Random (ROR) model [17] to prove session key security of SLUA-WSN.
• We carry out the simulation analysis using the automated verification of internet security protocols and applications (AVISPA) [18,19] to evaluate that SLUA-WSN prevents against replay and MITM attacks.
• According to the security and performance analysis, we show that the proposed SLUA-WSN achieves better security along with more features, and provides efficient computational, communication, and storage overheads as compared with related schemes.

The motivations of our paper can be summarized as follows.

• Authentication and key agreement protocols for WSN are susceptible to well-known attacks, including sensor node capture, masquerade, and replay attacks.
• Authentication and key agreement protocols for WSN should provide useful convenience for legitimate users and take into account the security requirements.
• Secure and efficient user authentication protocols are essential in WSN, which take into account limitations for resource-constrained smart devices in terms of memory and battery capacity.

We propose a secure and lightweight three-factor authentication protocol for WSN to resolve the security weaknesses of Mo and Chen’s scheme [15]. The proposed SLUA-WSN presents several advantages compared with existing authentication schemes: SLUA-WSN prevents potential attacks, including sensor node capture, replay, privileged insider, and masquerade attacks, and also ensures secure untraceability, user anonymity, and mutual authentication. SLUA-WSN also uses the fuzzy extractor technique to improve the security level of the two-factor-based protocol. Even if two of the three factors are exposed, SLUA-WSN is still secure. Furthermore, SLUA-WSN provides better efficient computation and communication costs with existing schemes because it only uses the hash and XOR operations. Thus, SLUA-WSN is suitable for practical WSN environments because it is more secure and efficient than related schemes.

1.2. Organization

The rest of this article is organized as follows. We introduce the related works for WSN environments in Section 2, and present the preliminaries of this paper in Section 3. Section 4 reviews Mo and Chen’s scheme and then Section 5 proves the security shortcomings of Mo and Chen’s scheme. Section 6 presents a secure and lightweight user authentication protocol for WSN environments to enhance the security shortcomings of Mo and Chen’s scheme. Section 7 evaluates the security analysis of SLUA-WSN by performing informal and formal analysis, including BAN logic, ROR model, and AVISPA simulation. Section 8 presents the results of the performance analysis of the SLUA-WSN compared with those of the related schemes. Finally, we conclude the paper in Section 9.

2. Related Works

In the last few decades, numerous authentication protocols have been proposed to provide user privacy in the WSN environment [20,21,22,23,24,25]. In 1981, Lamport [26] presented the password-based authentication protocol using a single factor to provide user privacy and anonymity. However, Lamport’s scheme [26] was fragile to offline password guessing attacks because it relied solely on the security of the password. To improve these security problems, Das [27] presented a two-factor authentication scheme using smartcard and password. Das [27] claimed that their scheme is secure and efficient because it uses only hash functions and prevents various attacks. However, some researchers [28,29] pointed out that Das’s scheme [27] has various security drawbacks. Nyang and Lee [28] showed that Das’s scheme [27] is fragile to the sensor node capture and offline password guessing attacks. Nyang and Lee [28] presented a secure authentication scheme in WSN to enhance the security problems of Das’s scheme. In 2010, He et al. [29] proposed a two-factor user authentication scheme for WSN. However, in 2011, Kumar and Lee [30] discovered that He et al.’s scheme [29] cannot provide mutual authentication and generate a session key between each entity. Therefore, these smartcard-based two-factor authentication protocols [27,28,29] were fragile to various attacks.

Numerous biometric-based three-factor authentication protocols have been proposed [31,32,33] to resolve the above-mentioned security issues. Compared with the existing two-factor authentication schemes using a password and smartcard, biometrics (palms, irises, and fingerprints) cannot be stolen or lost because they are very difficult to forget or lose, copy, distribute, guess, break, and forge. Thus, biometric-based three-factor authentication has a higher security level than two-factor authentication.

In recent years, many three-factor authenticated key agreement protocols have been proposed to provide various services in WSN environments [34,35,36]. In 2018, Wu et al. [37] presented a secure three-factor user authentication scheme for WSN. However, in 2019, Mo and Chen [15] demonstrated that if the user inputs an incorrect password at the login process in Wu et al.’s scheme [37], the smartcard does not check whether the password is verified, and the protocol will proceed until GWN finds that the login request of the user was invalid, so GWN performs unnecessary computational resources. In 2017, Wang et al. [38] presented an enhanced three-factor user authentication scheme using ECC for WSN. Unfortunately, Wang et al.’s scheme [38] is susceptible to insider attack because the random nonce for the legitimate user is stored in the database of GWN, and the insider can access and modify it so user login can result in failure. In 2018, Li et al. [39] presented a three-factor-based authentication scheme for WSN in Internet of Things (IoT) environments with adoption of fuzzy extractor to provide high security level. However, Mo and Chen [15] pointed out that Li et al.’s scheme [39] cannot provide three-factor security if the stolen/lost smartcard is obtained by the adversary. In addition, their scheme [39] is not as secure as they claimed because the biometric of the user is collected by the adversary without the awareness of the legitimate user. In 2019, Li et al. [40] presented a secure three-factor-based user authentication protocol for wireless medical sensor networks. However, Mo and Chen [15] demonstrated that their scheme [40] is vulnerable to replay attacks. In 2019, Lu et al. [41] proposed a three-factor authenticated key agreement for WSN using ECC. However, Mo and Chen [15] proved that Lu et al.’s protocol [41] cannot withstand known session-specific temporary information (KSSTI) attacks and cannot provide three-factor security along with session key security. To improve the security drawbacks of Lu et al.’s scheme, Mo and Chen [15] presented a lightweight secure user authenticated key agreement scheme for WSN using ECC. Mo and Chen [15] claimed that their scheme can prevent potential attacks and can ensure anonymity, untraceability, and authentication. However, we analyze that Mo and Chen’s scheme suffers from various security threats, such as session key exposure and masquerade attacks, and cannot ensure anonymity, untraceability, and mutual authentication. In addition, Mo and Chen’s scheme is not practical for WSN because ECC makes the computation and communication overheads burden very heavy. Therefore, we propose a secure and lightweight three-factor user authentication protocol in WSN, considering the efficiency of smart devices and improving security shortcomings of Mo and Chen’s scheme.

3. Preliminaries

This section introduces the preliminaries to improve the readability of this paper.

3.1. Fuzzy Extractor

This section briefly discusses the concepts of a fuzzy extractor [42]. The fuzzy extractor is a cryptographic method utilizing biometrics to perform secure authentication and it comprises two operations—the generator ($Gen$) and reproduction ($Rep$)—which are presented below.

1. 

$Gen$: After users imprint the biometric input $Bio$, $Gen$ generates a consistent random string $\rho \in {\{0,1\}}^l$ and a random auxiliary string $\sigma \in {\{0,1\}}^{*}$, which is a probabilistic function.

2. 

$Rep$: When a noisy biometric $Bi{o}_{new}$ is imprinted, $Rep$ reproduces $\rho$ using value $\sigma$, where $\sigma$ is public reproduction value related with $Bio$.

3.2. Attacker Model

We present the well-known Dolev–Yao (DY) threat model [43] to examine the security of SLUA-WSN. In the DY model, the capabilities of the attacker are as follows.

• Referring to the DY model [43], an attacker can inject, delete, intercept, and eavesdrop the data exchanged over wireless networks.
• A malicious attacker can steal the smart card of legal users and can extract secret credentials stored in memory utilizing power-analysis [44].
• After obtaining the secret credentials of smart card, a malicious attacker may attempt various attacks, including the masquerade, offline password guessing, privileged insider, forward secrecy attacks, and so on [45,46].

3.3. System Model

In 2013, Xue et al.’s scheme [47] introduced the five basic authentication mechanism models for WSN. We adopt the first authentication mechanism model presented by Xue et al.’s scheme [47]. This authentication model for WSN consists of three entities: the user, the SN, and the GWN, as shown in Figure 1. Initially, the user contacts GWN to initiate the key agreement between them and the SN. In contrast, the SN checks whether the legitimate user and performs mutual authentication through a GWN. As a result, this model enables mutual authentication between all entities and establishes key agreement between users and corresponding sensor nodes.

4. Review of Mo and Chen’s Scheme

Mo and Chen’s scheme [15] presented a secure authentication protocol to provide useful services in WSN. This protocol comprises three entities: the user, the SN, and the GWN. Mo and Chen’s scheme has four processes: pre-deployment, user registration, authentication, and password update. In the pre-deployment process, the gateway node ($GWN$) selects a unique identity $SI{D}_j$ for each sensor ($S_j$) and computes $K_j=h(SI{D}_j\left|\right|X_{GWN})$. Then, $GWN$ sends $\{SI{D}_j,K_j,P\}$ to $S_j$ through a secure channel. Finally, $S_j$ stores $\{SI{D}_j,K_j,P\}$ in memory. During the user registration process, the $GWN$ issues a smartcard to the legal user who wants to request registration through a secure channel and then helps the agreement of the session key between the $S_j$ and the user. They presented a password update process to maintain a high level of security. Figure 2 shows the registration process of Mo and Chen’s scheme, and also the detailed steps involved in the authentication and key agreement process of Mo and Chen’s scheme are as shown in Figure 3. Furthermore, the password update process is described in the following subsections.

Table 1. Notations.

Notation	Description
$U_i$	User
$GWN$	Gateway node
$S_j$	Sensor node
$I{D}_i$	$U_i$’s identity
$P{W}_i$	$U_i$’s password
$SI{D}_j$	$S_j$’s identity
$K_{GWN}$	Master key of $GWN$
$X_{pub}$	Public key of $GWN$
$X_j$	Secret key of $S_j$
$E/F_p$	Elliptic curve E defined on the finite field $F_p$ with order p
G	A group for an elliptic curve
P	The generator of G
$E_k/D_k$	Symmetric key encryption/decryption
$SK$	Session key
$T_i$	Timestamp
$BIO$	Biometric of $U_i$
$h(·)$	Hash function
⊕	XOR operation
$\left|\right|$	Concatenation operation

presents the notations used in this paper.

Password Update Process

If the authorized user requests a new password, Mo and Chen’s scheme can update the password from the gateway as follows.

Step 1:

$U_i$ inputs $I{D}_i$ and the old $P{W}_i$ and imprints $Bi{o}^{*}$, and inserts the smartcard ($SC$) in the reader. After that, the $SC$ calculates $Gen\left(Bi{o}^{*}\right)=({\delta }_i^{*},{\tau }_i^{*})$, $r_i^{*}=B_i\oplus h(I{D}_i\left|\right|{\delta }_i^{*}\left|\right|P{W}_i)$, and $f_i^{{}^{\prime }}=h\left(h\right(I{D}_i\left|\right|r_i^{*}\left|\right|P{W}_i)$ mod t and checks whether $f_i^{{}^{\prime }}\stackrel{?}{=}{f}_i$ holds. If the condition is false, the communication is aborted.

Step 2:

$U_i$ inputs a new $P{W}_i^{new}$, computes $f_i^{new}=h\left(h\right(P{W}_i^{new}\left|\right|r_i^{*}\left|\right|{\delta }_i^{*})$ mod t, $A_i^{new}=C_i\oplus f_i^{new}$, $B_i^{new}=h(I{D}_i\left|\right|{\delta }_i^{*}\left|\right|P{W}_i^{new})\oplus r_i^{*}$ and replaces ($A_i,B_i,f_i$) with ($A_i^{new},B_i^{new},f_i^{new}$).

5. Security Flaws of Mo and Chen’s Scheme

We discuss the security flaws of Mo and Chen’s scheme, including session key exposure and masquerade attacks. Furthermore, we discover that Mo and Chen’s scheme cannot ensure user anonymity, untraceability, and mutual authentication.

5.1. Masquerade Attack

In this attack, a malicious attacker ($MA$) may attempt to impersonate legal users through stolen smartcard. According to Section 3.2, we assume that $MA$ is able to extract the secret credentials $\{A_i,B_i,{\tau }_i,f_i\}$ stored in the smart card. Furthermore, $MA$ can intercept the messages exchanged over the wireless network. Therefore, $MA$ can perform the masquerade attack as shown in the following detailed steps.

Step 1:

A $MA$ first calculates $e_i=m_1\oplus A_i\oplus f_i$, $PI{D}_i^{new}=m_3\oplus h\left(e_i\right)$, $(I{D}_i\left|\right|SI{D}_j)=m_4\oplus h(PI{D}_i\left|\right|e_i)$, and $m_5=h(I{D}_i\left|\right|PI{D}_i\left|\right|PI{D}_i^{new}\left|\right|m_2\left|\right|SI{D}_j\left|\right|T_1)$. After that, the $MA$ generates the two random numbers $e_{MA}$, $a_{MA}$ and computes $m_{1MA}=A_i\oplus f_i\oplus e_{MA}$, $m_{2MA}=a_{MA}P$, $m_{3MA}=PI{D}_i^{new}\oplus h\left(e_{MA}\right)$, $m_{4MA}=(I{D}_i\left|\right|SI{D}_j)\oplus h(PI{D}_i\left|\right|e_{MA})$ and $m_{5MA}=h(I{D}_i\left|\right|PI{D}_i\left|\right|PI{D}_i^{new}\left|\right|m_2\left|\right|SI{D}_j\left|\right|T_1)$. The $MA$ sends $M_1=\{m_{1MA},m_{2MA},m_{3MA},m_{4MA},m_{5MA},PI{D}_i,T_1\}$ to the $GWN$ over wireless networks.

Step 2:

Upon getting the $M_1$, the $GWN$ verifies the validity of $T_1$. If it is equal, the $GWN$ computes $e_{MA}=m_{1MA}\oplus h(PI{D}_i\left|\right|x_g)$, $PI{D}_i^{new}=m_{3MA}\oplus h\left(e_{MA}\right)$, $(I{D}_i^{{}^{\prime }}\left|\right|SI{D}_j^{{}^{\prime }})=m_{4MA}\oplus h(PI{D}_i\left|\right|e_{MA})$, and $m_{5MA}=h(I{D}_i^{{}^{\prime }}\left|\right|PI{D}_i\left|\right|PI{D}_i^{new}\left|\right|m_{2MA}\left|\right|SI{D}_j^{{}^{\prime }}\left|\right|T_1)$. Then, the $GWN$ checks $m_{5MA}^{{}^{\prime }}\stackrel{?}{=}{m}_{5MA}$. If it is correct, the $GWN$ computes $e_k=h(SI{D}_j^{{}^{\prime }}\left|\right|K_j)$, $m_6=E_{e_k}(e_{MA},PI{D}_i^{new})$ and $m_7=h(K_j\left|\right|PI{D}_i^{new}\left|\right|SI{D}_j^{{}^{\prime }}\left|\right|m_2\left|\right|T_2)$. Next, the $GWN$ sends $M_2=\{m_{2MA},m_6,m_7,T_2\}$ to the $S_j$.

Step 3:

After getting the $M_2$, the $S_j$ verifies the $T_2$. If it is equal, the $S_j$ calculates $e_k^{{}^{\prime }}=h(SI{D}_j\left|\right|K_j)$ and decrypts $m_6$ to get ($e_{MA},PI{D}_i^{new}$). After that, the $S_j$ calculates $m_7^{{}^{\prime }}=h(K_j\left|\right|PI{D}_i^{new}\left|\right|SI{D}_j\left|\right|m_2\left|\right|T_2)$ and then checks $m_7^{{}^{\prime }}\stackrel{?}{=}{m}_7$. If the condition is equal, the $S_j$ selects a random number $b_j$ and timestamp $T_3$. Then, $S_j$ computes $m_8=b_{j}P$, $S{K}_{S-MA}=h(b_j{m}_{2MA}\left|\right|PI{D}_i^{new}\left|\right|SI{D}_j\left|\right|e_{MA})$, $m_{9MA}=h(S{K}_{S-MA}\left|\right|PI{D}_i^{new}\left|\right|SI{D}_j\left|\right|m_8\left|\right|T_3)$ and $m_{10}=h(K_j\left|\right|PI{D}_i^{new}\left|\right|m_8\left|\right|T_3)$. Finally, $S_j$ sends $M_3=\{m_8,m_{9MA},m_{10},T_3\}$ to the $GWN$.

Step 4:

Upon getting the $M_3$, the $GWN$ verifies the validity of $T_3$. If the condition is equal, the $GWN$ calculates $m_{10}^{{}^{\prime }}=h(K_j\left|\right|PI{D}_i^{new}\left|\right|m_8\left|\right|T_3)$ and verifies $m_{10}^{{}^{\prime }}\stackrel{?}{=}{m}_{10}$. If the condition is valid, the $GWN$ selects $T_4$ and calculates $m_{11}=h(PI{D}_i^{new}\left|\right|x_g)$ and $m_{12MA}=h(PI{D}_i^{new}\left|\right|e_{MA}\left|\right|m_8\left|\right|T_4)$. Finally, $GWN$ sends $M_4=\{m_8,m_{9MA},m_{11},m_{12MA},T_3,T_4\}$ to the $U_i$.

Step 5:

After getting the $M_4$, the $MA$ checks the $T_4$ and calculates $m_{12MA}^{{}^{\prime }}=h(PI{D}_i^{new}\left|\right|e_{MA}\left|\right|m_8\left|\right|T_4)$ and checks $m_{12MA}^{{}^{\prime }}\stackrel{?}{=}{m}_{12MA}$. If it is equal, the $MA$ computes $S{K}_{MA-S}=h(a_{MA}\left|\right|m_8\left|\right|PI{D}_i^{new}\left|\right|SI{D}_j\left|\right|e_{MA})$ and $m_9^{{}^{\prime }}=h(S{K}_{MA-S}\left|\right|PI{D}_i^{new}\left|\right|SI{D}_j\left|\right|m_8\left|\right|T_3)$.

As a result, Mo and Chen’s scheme cannot prevent the masquerade attack because the $MA$ can impersonate an legitimate user successfully.

5.2. Session Key Exposure Attack

In Mo and Chen’s scheme, they claimed that their scheme could prevent to session key exposure attack because a $MA$ could not obtain the secret credentials. However, according to Section 5.1, we prove that $MA$ is able to impersonate legal users $U_i$ and calculates the session key $SK$ as follows. Referring to Section 3.2, the $MA$ can extract secret credentials $\{A_i,B_i,{\tau }_i,f_i\}$ stored in the smartcard. Then, the $MA$ is able to intercept the exchanged messages between $U_i$, $GWN$, and $S_j$ via wireless networks. If so, the $MA$ can calculate $e_i$, $PI{D}_i^{new}$ and $\left(I{D}_i\right|\left|SI{D}_j\right)$. After that, the $MA$ selects random numbers $e_{MA},a_{MA}$ and can successfully generate new messages $\{m_{1MA},m_{2MA},m_{3MA},m_{4MA},m_{5MA}\}$ by utilizing $e_{MA}$ and $a_{MA}$. Consequently, the $MA$ can successfully perform the session key exposure attack by calculating $S{K}_{MA-S}=h(a_{MA}\left|\right|m_8\left|\right|PI{D}_i^{new}\left|\right|SI{D}_j\left|\right|e_{MA})$ and disguise as legitimate users.

5.3. Anonymity and Untraceability

Referring to Section 5.1, the $MA$ can trace a legitimate user $U_i$ and can obtain the real identities $\{I{D}_i,SI{D}_j\}$ of $U_i$ and $S_j$. The $MA$ computes $e_i=m_1\oplus A_i\oplus f_i$ utilizing secret credentials $\{A_i,f_i\}$ stored in the smart card. After that, the $MA$ can compute $(I{D}_i\left|\right|SI{D}_j)=m_4\oplus h(PI{D}_i\left|\right|e_i)$, $PI{D}_i^{new}=m_3\oplus h\left(e_i\right)$, and $m_5=h(I{D}_i\left|\right|PI{D}_i\left|\right|PI{D}_i^{new}\left|\right|m_2\left|\right|SI{D}_j\left|\right|T_1)$ successfully. Thus, Mo and Chen’s scheme does not ensure user anonymity and untraceability.

5.4. Mutual Authentication

Mo and Chen’s scheme asserted that their scheme provides secure mutual authentication among the $U_i$, $GWN$, and $S_j$. However, referring to Section 5.1, the $MA$ can generate authentication request message $m_{5MA}=h(I{D}_i\left|\right|PI{D}_i\left|\right|PI{D}_i^{new}\left|\right|m_2\left|\right|SI{D}_j\left|\right|T_1)$, response message $m_{12MA}=h(PI{D}_i^{new}\left|\right|e_{MA}\left|\right|m_8\left|\right|T_4)$, and then can calculate session key $S{K}_{MA-S}=h(a_{MA}\left|\right|m_8\left|\right|PI{D}_i^{new}\left|\right|SI{D}_j\left|\right|e_{MA})$. As a result, we prove that their scheme cannot provide correct mutual authentication among $U_i$, $GWN$, and $S_j$.

6. Proposed Scheme

We present a secure and lightweight user authentication protocol in WSN to improve the security flaws of [15]. The proposed SLUA-WSN comprises the same process as that Mo and Chen’s scheme. The details of the four processes are shown below.

6.1. Pre-Deployment Process

This process is similar to the pre-deployment process given in Mo and Chen’s scheme [15]. In Figure 4, we show the user registration process of SLUA-WSN and the detailed steps are below.

Step 1:

$GWN$ selects a unique identity $SI{D}_j$ for sensors and computes $X_j=h(SI{D}_j\left|\right|K_{GWN})$. Finally, $GWN$ sends $\{SI{D}_j,X_j\}$ to the $S_j$ over a secure communication.

Step 2:

Upon receiving the messages, the $S_j$ stores them in secure memory.

6.2. User Registration Process

The $U_i$ must register within $GWN$ to access various services. In Figure 5, we show the user registration process of SLUA-WSN and the detailed steps are below.

Step 1:

$U_i$ inputs the $I{D}_i$ and $P{W}_i$ and imprints biometric $BI{O}_i$. Then, the $U_i$ computes $Gen\left(BIO\right)$=$\langle R_i,P_i\rangle$ and $MP{W}_i=h(P{W}_i\left|\right|R_i)$, and sends $\{I{D}_i,MP{W}_i\}$ to the $GWN$ over a secure communication.

Step 2:

After reception of messages, the $GWN$ generates a random nonce $r_g$ and calculates $MI{D}_i=h(I{D}_i\left|\right|h(K_{GWN}\left|\right|r_g\left)\right)$, $X_i=h(MI{D}_i\left|\right|r_g\left|\right|K_{GWN})$, $Q_i=h(MI{D}_i\left|\right|MP{W}_i)\oplus X_i$ and $W_i=h(MP{W}_i\left|\right|X_i)$, and then stores $\left\{r_g\right\}$ in secure database. After that, the $GWN$ stores $\{Q_i,W_i,MI{D}_i\}$ in the smart card and issues it to the $U_i$.

6.3. Authentication Process

After performing the registration process, the registered $U_i$ requests authentication to the $GWN$ in order to establish the session key. In Figure 6, we show the authentication process of SLUA-WSN and the detailed steps are below.

Step 1:

$U_i$ first inserts the smart card and inputs $I{D}_i$ and $P{W}_i$. Then, the $U_i$ imprints $BI{O}_i$ and computes $R_i$=$Rep\langle BI{O}_i,P_i\rangle$, $MP{W}_i=h(P{W}_i\left|\right|R_i)$, $X_i=h(MI{D}_i\left|\right|MP{W}_i)\oplus Q_i$, and $W_i^{*}=h(MP{W}_i\left|\right|X_i)$, and then checks $W_i^{*}\stackrel{?}{=}{W}_i$. If the condition is valid, the $U_i$ generates a random nonce $R_u$ and a timestamp $T_1$. The $U_i$ computes $M_1=X_i\oplus R_u$, $CI{D}_i=(I{D}_i\left|\right|SI{D}_j)\oplus h(MI{D}_i\left|\right|R_u\left|\right|X_i)$, and $M_{UG}=h(I{D}_i\left|\right|R_u\left|\right|X_i\left|\right|T_1)$, and sends $\{M_1,MI{D}_i,CI{D}_i,M_{UG},T_1\}$ to the $GWN$ over an insecure channel.

Step 2:

Upon reception of messages, the $GWN$ checks the validity of $T_1$ and calculates $X_i=h(MI{D}_i\left|\right|r_g\left|\right|K_{GWN})$, $R_u=M_1\oplus X_i$, $(I{D}_i\left|\right|SI{D}_j)=CI{D}_i\oplus h(MI{D}_i\left|\right|R_u\left|\right|X_i)$ and $M_{UG}^{*}=h(I{D}_i\left|\right|R_u\left|\right|X_i\left|\right|T_1)$ and then, checks $M_{UG}^{*}\stackrel{?}{=}{M}_{UG}$. If the condition is correct, the $GWN$ calculates $M_2=(R_u\left|\right|R_g)\oplus h(SI{D}_j\left|\right|X_j\left|\right|T_2)$ and $M_{GS}=h(MI{D}_i\left|\right|SI{D}_j\left|\right|R_u\left|\right|R_g\left|\right|X_j\left|\right|T_2)$, and sends $\{M_2,MI{D}_i,M_{GS},T_2\}$ to the $S_j$.

Step 3:

After reception of messages, the $S_j$ checks the validity of $T_2$ and computes $(R_u\left|\right|R_g)=M_2\oplus h(SI{D}_j\left|\right|X_j\left|\right|T_2)$ and $M_{GS}^{*}=h(MI{D}_i\left|\right|SI{D}_j\left|\right|R_u\left|\right|R_g\left|\right|X_j\left|\right|T_2)$ and checks $M_{GS}^{*}\stackrel{?}{=}{M}_{GS}$. If it is valid, the $S_j$ generates a random nonce $R_s$ and timestamp $T_3$ and calculates $M_3=R_s\oplus h(R_u\left|\right|SI{D}_j\left|\right|X_j\left|\right|T_3)$, $M_{SG}=h(R_s\left|\right|R_g\left|\right|SI{D}_j\left|\right|X_j\left|\right|T_3)$, $SK=h\left(R_u\right|\left|R_s\right)$, and $M_{SU}=h\left(SK\right||R_s\left|\right|R_u\left|\right|SI{D}_j\left|\right|MI{D}_i)$, and then sends $\{M_3,M_{SG},M_{SU},T_3\}$ to the $GWN$ over an insecure channel.

Step 4:

Upon reception of messages, the $GWN$ checks the validity of $T_3$ and calculates $R_s=M_3\oplus h(R_u\left|\right|SI{D}_j\left|\right|X_j\left|\right|T_3)$ and $M_{SG}^{*}=h(R_s\left|\right|R_g\left|\right|SI{D}_j\left|\right|X_j\left|\right|T_3)$, and checks $M_{SG}^{*}\stackrel{?}{=}{M}_{SG}$. If it is valid, the $GWN$ generates a timestamp $T_4$ and computes $MI{D}_i^{new}=h(I{D}_i\left|\right|h(K_{GWN}\left|\right|R_g\left)\right)$, $X_i^{new}=h(MI{D}_i^{new}\left|\right|R_g\left|\right|K_{GWN})$, $M_4=(MI{D}_i^{new}\left|\right|X_i^{new}\left|\right|R_s\left|\right|R_g)\oplus h(MI{D}_i\left|\right|X_i\left|\right|T_4)$, and $M_{GU}=h(R_u\left|\right|R_g\left|\right|MI{D}_i\left|\right|X_i\left|\right|T_4)$ and sends $\{M_4,M_{SU},M_{GU},T_4\}$ to the $U_i$.

Step 5:

After reception of messages, the $U_i$ checks the validity of $T_4$ and computes $(MI{D}_i^{new}\left|\right|X_i^{new}\left|\right|R_s\left|\right|R_g)=M_4\oplus h(MI{D}_i\left|\right|X_i\left|\right|T_4)$ and $M_{GU}^{*}=h(R_u\left|\right|R_g\left|\right|MI{D}_i\left|\right|X_i\left|\right|T_4)$, and then checks $M_{GU}^{*}\stackrel{?}{=}{M}_{GU}$. If the condition is valid, the $U_i$ computes $SK=h\left(R_u\right|\left|R_s\right)$ and $M_{SU}^{*}=h\left(SK\right||R_s\left|\right|R_u\left|\right|SI{D}_j\left|\right|MI{D}_i)$, and checks $M_{SU}^{*}\stackrel{?}{=}{M}_{SU}$. If the condition is correct, the $U_i$ computes $Q_i^{new}=h(MI{D}_i^{MPW}\left|\right|MP{W}_i)\oplus X_i^{new}$, and $W_i^{new}=h(MP{W}_i\left|\right|X_i^{new})$ and replaces $\{Q_i,W_i,MI{D}_i\}$ with $\{Q_i^{new},W_i^{new},MI{D}_i^{new}\}$. Consequently, the $U_i$, the $GWN$ and $S_j$ are mutually authenticated successfully.

6.4. Password Change Process

In SLUA-WSN, an authorized $U_i$ can freely update their password. The detailed steps of the password change process are below.

Step 1:

$U_i$ inputs $I{D}_i^{{}^{\prime }}$ and $P{W}_i^{{}^{\prime }}$ and imprints biometric $BI{O}_i^{{}^{\prime }}$. After that, the $U_i$ computes $Gen\left(BI{O}^{{}^{\prime }}\right)$=$\langle R_i^{{}^{\prime }},P_i^{{}^{\prime }}\rangle$ and $MP{W}_i^{{}^{\prime }}=h(P{W}_i^{{}^{\prime }}\left|\right|R_i^{{}^{\prime }})$ and then sends $\{I{D}_i^{{}^{\prime }},MP{W}_i^{{}^{\prime }}\}$ to the $SC$ over a secure communication.

Step 2:

Upon reception of messages, the $SC$ calculates $X_i^{{}^{\prime }}=Q_i^{{}^{\prime }}\oplus h(MI{D}_i^{{}^{\prime }}\left|\right|MP{W}_i^{{}^{\prime }})$ and $W_i^{{}^{\prime }}=h(MP{W}_i^{{}^{\prime }}\left|\right|X_i^{{}^{\prime }})$ and sends authentication message to the $U_i$.

Step 3:

After reception of messages, the $U_i$ chooses a new $P{W}_i^{new}$ and imprints a new $BI{O}^{new}$. Then, the $U_i$ calculates $Gen\left(BI{O}^{new}\right)$=$\langle R_i^{new},P_i^{new}\rangle$ and $MP{W}_i^{new}=h(P{W}_i^{new}\left|\right|R_i^{new})$ and sends $\left\{MP{W}_i^{new}\right\}$ to the $SC$ over a secure channel.

Step 4:

Upon reception of messages, the $SC$ calculates $Q_i^{new}=h(MI{D}_i^{{}^{\prime }}\left|\right|MP{W}_i^{new})\oplus X_i^{{}^{\prime }}$ and $W_i^{new}=h(MP{W}_i^{new}\left|\right|X_i^{{}^{\prime }})$ and then replaces $\{Q_i^{{}^{\prime }},W_i^{{}^{\prime }}\}$ with $\{Q_i^{new},W_i^{new}\}$ successfully.

7. Security Analysis

This section assessed the security of SLUA-WSN by using informal and formal security analysis such as BAN logic, ROR model, and AVISPA simulation, which are widely known security models.

7.1. Informal Security Analysis

The security of SLUA-WSN is assessed by performing an informal security analysis. We show that SLUA-WSN can resist potential security threats, including masquerade, sensor node capture, replay, and privileged insider attacks, and ensure secure authentication and anonymity.

7.1.1. Masquerade Attack

In this attack, the $MA$ attempts to masquerade a legitimate user by intercepting messages transmitted over an insecure channel. However, the $MA$ cannot generate the request messages $\{M_1,MI{D}_i,CI{D}_i,M_{UG}\}$ in the proposed SLUA-WSN correctly. The $MA$ cannot compute the request messages because $MA$ cannot get $U_i$’s real identity $I{D}_i$, the biometric $BIO$, and the random nonce $R_u$. As a result, SLUA-WSN resists masquerade attacks.

7.1.2. Replay Attack

Assuming that the $MA$ attempts the replay attack utilizing previously exchanged data over an insecure channel, even if the $MA$ intercepts the request message $\{M_1,MI{D}_i,CI{D}_i,M_{UG},T_1\}$ in the previous session, the proposed SLUA-WSN verifies the freshness of the timestamp. In addition, the request messages are protected with secret parameter $X_i$ and random nonce $R_u$. Thus, SLUA-WSN prevents replay attacks.

7.1.3. Sensor Node Capture Attack

As sensor nodes are typically placed in unmanned or hostile areas, the $MA$ can easily capture sensor nodes. However, each $S_j$ has a unique $SI{D}_j$ and a secret parameter $X_j$. Even if some sensor nodes are captured by the $MA$, it is difficult to impersonate that the $MA$ is another sensor. Therefore, the $MA$ does not have any ability to compromise other $SK$ established between the $U_i$ and non-compromised $S_j$. Thus, SLUA-WSN prevents sensor node capture attacks.

7.1.4. Privileged Insider Attack

In this attack, the privileged insider is able to access the password of the user stored in $GWN$ and disguises the user to log in to other systems. However, the user in the proposed SLUA-WSN only sends $\{I{D}_i,MP{W}_i\}$ to the $GWN$ during the registration process. Consequently, SLUA-WSN prevents privileged insider attacks because the privileged insider cannot obtain the real password of the legitimate user.

7.1.5. Anonymity and Untraceability

We assume that the $MA$ can extract secret credentials stored in a smartcard and is able to eavesdrop the message exchanged in each session. However, the $MA$ cannot trace a legal user $U_i$ because all exchanged messages are updated every session, and also $\{Q_i,W_i,MI{D}_i\}$ messages in the proposed SLUA-WSN update with $\{Q_i^{new},W_i^{new},MI{D}_i^{new}\}$. Moreover, the $MA$ cannot obtain the real $I{D}_i$ of $U_i$ because it is masked with XOR and hash functions. Thus, SLUA-WSN provides anonymity and untraceability because the $MA$ cannot retrieve $I{D}_i$ without knowing a secret parameter $X_i$ and a random nonce $R_u$.

7.1.6. Mutual Authentication

In SLUA-WSN, each entity performs mutual authentication successfully. Upon getting the authentication request messages $\{M_1,MI{D}_i,CI{D}_i,M_{UG}\}$ from the $U_i$, the $GWN$ verifies $M_{UG}^{*}\stackrel{?}{=}{M}_{UG}$. If the condition is correct, the $GWN$ authenticates the $U_i$. After getting the messages $\{M_2,MI{D}_i,M_{GS},T_2\}$ from the $GWN$, the $S_j$ checks $M_{GS}^{*}\stackrel{?}{=}{M}_{GS}$. If it is valid, the $S_j$ authenticates the $GWN$. After receiving the messages $\{M_3,M_{SG},M_{SU},T_3\}$ from the $S_j$, the $GWN$ verifies $M_{SG}^{*}\stackrel{?}{=}{M}_{SG}$. If the condition is correct, the $GWN$ authenticates the $S_j$. After obtaining the response messages $\{M_4,M_{SU},M_{GU},T_4\}$ from the $GWN$, the $U_i$ authenticates the $GWN$. As a result, the $U_i$, the $S_j$ and the $GWN$ are mutually authenticated because the $MA$ cannot generate exchanged messages $\{M_{UG},M_{GS},M_{SG},M_{SU}\}$ successfully.

7.2. Security Properties

We present the security properties of SLUA-WSN compared to those of the existing schemes [15,37,38,39,40,41].

Table 2. Security property comparison.

Security Properties	Wu et al. [37]	Wang et al. [38]	Li et al. [39]	Li et al. [40]	Lu et al. [41]	Mo and Chen [15]	Ours
Three-factor security	×	∘	×	∘	×	∘	∘
Masquerade attack	×	∘	×	×	×	×	∘
Replay attack	×	∘	×	×	∘	∘	∘
Privileged insider attack	∘	×	∘	×	∘	∘	∘
Sensor node capture attack	∘	∘	∘	∘	∘	∘	∘
Man-in-the-middle attack	∘	∘	×	×	∘	∘	∘
User anonymity	∘	∘	∘	∘	∘	×	∘
Untraceability	∘	∘	∘	∘	∘	×	∘
Mutual authentication	∘	∘	∘	∘	∘	×	∘

∘: it supports security properties; ×: it does not support security properties.

tabulates the security and functionality features of the proposed SLUA-WSN and other existing schemes. According to Table 2, previous schemes [15,37,38,39,40,41] suffer from various attacks, and also their schemes cannot ensure anonymity, untraceability, and mutual authentication. In contrast, SLUA-WSN ensures mutual authentication, anonymity, and untraceability and prevents various attacks. Thus, the proposed SLUA-WSN offers superior security and more functionality features compared with existing schemes.

7.3. Formal Security Analysis Using Ban Logic

We perform the BAN logic to demonstrate the mutual authentication of SLUA-WSN. We present notations utilized for BAN logic in

Table 3. Notations used for BAN logic.

Notation	Description
$N|\equiv M$	NbelievesM
$\#M$	M is updated and fresh
$N⊲M$	NseesM
$N|\sim M$	N once said M
$N\Rightarrow M$	Ncontrols that M
$<M{>}_W$	M is combined with W
${\left\{M\right\}}_K$	M is encrypted utilizing symmetric key K
$N\stackrel{K}{\leftrightarrow }P$	N and P share a shared secret key K
$SK$	Session key used in communication session

.

7.3.1. Rules of Ban Logic

In the following, the rules of BAN logic are summarized.

1. 

Message meaning rule:

$$\frac{N|\equiv N\stackrel{K}{\leftrightarrow }P,N⊲{\left\{M\right\}}_K}{N\left|\equiv P\right|\sim M}$$

2. 

Nonce verification rule:

$$\frac{N\left|\equiv \#\left(M\right),N\right|\equiv P|\sim M}{N\left|\equiv P\right|\equiv M}$$

3. 

Jurisdiction rule:

$$\frac{N\left|\equiv P\right|⟹M,N\left|\equiv P\right|\equiv M}{N|\equiv M}$$

4. 

Freshness rule:

$$\frac{N|\equiv \#(M)}{N|\equiv \#\left(M,W\right)}$$

5. 

Belief rule:

$$\frac{N|\equiv \left(M,W\right)}{N|\equiv M}$$

7.3.2. Goals

We define the following security goals to prove that the proposed SLUA-WSN is capable of performing secure mutual authentication.

Goal 1:

$U_i\mid \equiv \left(U_i\stackrel{SK}{⟷}{S}_j\right)$

Goal 2:

$S_j\mid \equiv \left(U_i\stackrel{SK}{⟷}{S}_j\right)$

Goal 3:

$U_i\mid \equiv S_j\mid \equiv \left(U_i\stackrel{SK}{⟷}{S}_j\right)$

Goal 4:

$S_j\mid \equiv U_i\mid \equiv \left(U_i\stackrel{SK}{⟷}{S}_j\right)$

7.3.3. Idealized Forms

The idealized form messages of SLUA-WSN are as below.

$Ms{g}_1$: 

$U_i\to GWN$: ${(I{D}_i,MI{D}_i,R_u,T_1)}_{X_i}$

$Ms{g}_2$: 

$GWN\to S_j$: ${(MI{D}_i,SI{D}_j,R_u,R_g,T_2)}_{X_j}$

$Ms{g}_3$: 

$S_j\to GWN$: ${(MI{D}_i,SI{D}_j,R_u,R_s,T_3)}_{X_j}$

$Ms{g}_4$: 

$GWN\to U_i$: ${(I{D}_{MU},R_g,R_s,T_4)}_{X_i}$

7.3.4. Assumptions

In the following, the assumptions used in BAN logic are summarized.

$A_1$: 

$GWN\mid \equiv \#\left(T_1\right)$

$A_2$: 

$GWN\mid \equiv \#\left(T_3\right)$

$A_3$: 

$S_j\mid \equiv \#\left(T_2\right)$

$A_4$: 

$U_i\mid \equiv \#\left(T_4\right)$

$A_5$: 

$GWN\mid \equiv \left(GWN\stackrel{X_j}{⟷}{S}_j\right)$

$A_6$: 

$S_j\mid \equiv \left(GWN\stackrel{X_j}{⟷}{S}_j\right)$

$A_7$: 

$U_i\mid \equiv \left(U_i\stackrel{X_i}{⟷}GWN\right)$

$A_8$: 

$GWN\mid \equiv \left(U_i\stackrel{X_i}{⟷}GWN\right)$

$A_9$: 

$U_i\mid \equiv S_j\Rightarrow \left(U_i\stackrel{SK}{⟷}{S}_j\right)$

$A_{10}$: 

$S_j\mid \equiv U_i\Rightarrow \left(U_i\stackrel{SK}{⟷}{S}_j\right)$

7.3.5. Proof Using Ban Logic

The BAN logic proof then proceeds as below.

Step 1:

According to $Ms{g}_1$, we could get the following,

$$\left(S_1\right):GWN⊲{(I{D}_i,MI{D}_i,R_u,T_1)}_{X_i}$$

Step 2:

Using $S_1$ and $A_8$ with “message meaning rule”, the following is obtained,

$$\left(S_2\right):GWN\mid \equiv MU\mid \sim {(I{D}_i,MI{D}_i,R_u,T_1)}_{X_i}$$

Step 3:

Using $S_2$ and $A_1$ with “freshness rule”, the following is obtained,

$$\left(S_3\right):GWN\mid \equiv \#{(I{D}_i,MI{D}_i,R_u,T_1)}_{X_i}$$

Step 4:

From $S_2$ and $S_3$ with “nonce verification rule”, we could get

$$\left(S_4\right):GWN\mid \equiv U_i\mid \equiv {(I{D}_i,MI{D}_i,R_u,T_1)}_{X_i}$$

Step 5:

According to $Ms{g}_2$, we could get

$$\left(S_5\right):S_j⊲{(MI{D}_i,SI{D}_j,R_u,R_g,T_2)}_{X_j}$$

Step 6:

Using the $S_5$ and $A_6$ with “message meaning rule”, the following is obtained,

$$\left(S_6\right):S_j\mid \equiv GWN\mid \sim {(MI{D}_i,SI{D}_j,R_u,R_g,T_2)}_{X_j}$$

Step 7:

Now, using $S_6$ and $A_3$ with “freshness rule”, we could get

$$\left(S_7\right):S_j\mid \equiv \#{(MI{D}_i,SI{D}_j,R_u,R_g,T_2)}_{X_j}$$

Step 8:

Utilizing $S_6$ and $S_7$ with “nonce verification rule”, the following is obtained,

$$\left(S_8\right):S_j\mid \equiv GWN\mid \equiv {(MI{D}_i,SI{D}_j,R_u,R_g,T_2)}_{X_j}$$

Step 9:

According to $Ms{g}_3$, we could get the following,

$$\left(S_9\right):GWN⊲{(MI{D}_i,SI{D}_j,R_u,R_s,T_3)}_{X_j}$$

Step 10:

Using $S_9$ and $A_5$ with “message meaning rule”, the following is obtained,

$$\left(S_{10}\right):GWN\mid \equiv S_j\mid \sim {(MI{D}_i,SI{D}_j,R_u,R_s,T_3)}_{X_j}$$

Step 11:

Using $S_{10}$ and $A_2$ with “freshness rule”, the following is obtained,

$$\left(S_{11}\right):GWN\mid \equiv \#{(MI{D}_i,SI{D}_j,R_u,R_s,T_3)}_{X_j}$$

Step 12:

From $S_{10}$ and $S_{11}$ with “nonce verification rule”, we could get

$$\left(S_{12}\right):GWN\mid \equiv U_i\mid \equiv {(MI{D}_i,SI{D}_j,R_u,R_s,T_3)}_{X_j}$$

Step 13:

According to $Ms{g}_4$, we could get the following,

$$\left(S_{13}\right):U_i⊲{(I{D}_{MU},R_g,R_s,T_4)}_{X_i}$$

Step 14:

Using $S_{13}$ and $A_7$ with “message meaning rule”, the following is obtained,

$$\left(S_{14}\right):U_i\mid \equiv GWN\mid \sim {(I{D}_{MU},R_g,R_s,T_4)}_{X_i}$$

Step 15:

Using $S_{14}$ and $A_4$ with “freshness rule”, the following is obtained,

$$\left(S_{15}\right):U_i\mid \equiv \#{(I{D}_{MU},R_g,R_s,T_4)}_{X_i}$$

Step 16:

From $S_{14}$ and $S_{15}$ with “nonce verification rule”, we could get

$$\left(S_{16}\right):U_i\mid \equiv GWN\mid \equiv {(I{D}_{MU},R_g,R_s,T_4)}_{X_i}$$

Step 17:

Because $SK=h\left(R_u\right|\left|R_s\right)$, according to $S_{12}$ and $S_{16}$, the following is obtained,

$$\left(S_{17}\right):U_i\mid \equiv S_j\mid \equiv \left(U_i\stackrel{SK}{⟷}{S}_j\right)\left(\mathbf{Goal}\mathbf{3}\right)$$

Step 18:

Because $SK=h\left(R_u\right|\left|R_s\right)$, according to $S_4$ and $S_8$, we could get

$$\left(S_{18}\right):S_j\mid \equiv U_i\mid \equiv \left(U_i\stackrel{SK}{⟷}{S}_j\right)\left(\mathbf{Goal}\mathbf{4}\right)$$

Step 19:

From $A_9$ and $S_{17}$, the following is obtained,

$$\left(S_{19}\right):U_i\mid \equiv \left(U_i\stackrel{SK}{⟷}{S}_j\right)\left(\mathbf{Goal}\mathbf{1}\right)$$

Step 20:

Using $A_{10}$ and $S_{18}$, the following is obtained,

$$\left(S_{20}\right):S_j\mid \equiv \left(U_i\stackrel{SK}{⟷}{S}_j\right)\left(\mathbf{Goal}\mathbf{2}\right)$$

According to Goals 1–4, we prove that the proposed SLUA-WSN ensures secure mutual authentication among $U_i$, $GWN$, and $S_j$.

7.4. Formal Security Analysis Using Ror Model

We perform the ROR model [17] to evaluate the session key (SK) security of SLUA-WSN from the malicious attacker $MA$. Initially, we introduce the ROR model [17] before performing the analysis of SK security for SLUA-WSN.

In the ROR model, the malicious attacker $MA$ interacts with the $P_{MA}^t$, the $t^{th}$ instance of the executing participant. Furthermore, there are three participants—the user $P_{U_i}^{t_1}$, gateway $P_{GWN}^{t_2}$, and sensor $P_{S_j}^{t_3}$—where $P_{U_i}^{t_1}$, $P_{GWN}^{t_2}$, and $P_{S_j}^{t_3}$ are instances $t_1^{th}$ of $U_i$, $t_2^{th}$ of $GWN$, and $t_3^{th}$ of $S_j$, respectively. In

Table 4. Queries of the Real-or-Random (ROR) model.

Query	Description
$Execute(P_{U_i}^{t_1},P_{GWN}^{t_2},P_{S_j}^{t_3})$	$Execute$ denotes that $MA$ performs the passive attack by eavesdropping transmitted messages between legitimate participants over an insecure channel.
$CorruptSC\left(P_{U_i}^{t_1}\right)$	$CorruptSC$ is modeled that the smartcard stolen attack, in which the $MA$ can extract the secret credentials stored in the smartcard.
$Send(P^t,M)$	Using this query, the $MA$ can transmit a message M to the instance $P^t$ and also can receive accordingly.
$Test\left(P^t\right)$	$Test$ corresponds to the semantic security of the $SK$ between $U_i$ and $S_j$ following the indistinguishability style in the ROR model [17]. In this query, an unbiased coin c is flipped prior to the starting of the experiment. If the $MA$ performs $Test$ query and the corresponding $SK$ is fresh, and then $P^t$ returns $SK$ when $c=1$ after running $Test$ query, $SK$ is new or a random number when $c=0$; otherwise, it delivers a null value (⊥).
$Reveal\left(P^t\right)$	Using this query, the $MA$ reveals the current $SK$ generated by its partner to an adversary $MA$.

, we define various queries for ROR model to evaluate security analysis such as $Execute$, $CorruptSC$, $Reveal$, $Send$, and $Test$. Furthermore, an one-way hash function $h(·)$ is modeled as a random oracle $Hash$. We utilize Zipf’s law [48] to evaluate SK security of SLUA-WSN.

Theorem 1.

If $Ad{v}_{MA}$ denotes the advantage function of the $MA$ in violating SK security of SLUA-WSN. After that, we can derive the following.

$$Ad{v}_{MA}\le \frac{q_h^2}{\left|Hash\right|}+2\{C·q_{send}^s,\frac{q_s}{2^{l_b}}\}$$

where $q_h$, $\left|Hash\right|$, and $q_{send}$ are the number of $Hash$, the range space of $Hash$, and the number of $Send$ queries, respectively. Furthermore, C, $l_b$, and s are parameters used in Zipf’s laws [48].

Proof 1.

We define the following four games, namely, $G_i$ ($i\in [0,3]$). We indicate that $Suc{c}_i$ is the probability of $MA$ winning the $G_i$. All $G_i$ are described in detail as shown below.

• Game$G_0$: The first game $G_0$ is considered as an passive attack executed from the $MA$ in the proposed protocol P, as the bit C is guessed randomly at the beginning of $G_0$. According to this game, the following is obtained.

$$Ad{v}_{MA}=|2·Pr\left[Suc{c}_0\right]-1|$$

(1)

• Game$G_1$: This $G_1$ considers the scenario where $MA$ simulates the eavesdropping attack in which the transmitted messages are intercepted during the authentication process using the $Execute$ query. After eavesdropping transmitted messages, the $MA$ performs the $Reveal$ and $Test$ queries to verify whether it is the SK or a random number. The $MA$ needs the secret parameters, such as $R_u$, $R_s$, $X_i$, and $X_j$, to derive $SK=h\left(R_u\right|\left|R_s\right)$. Thus, the $MA$ does not at all help in increasing the $G_1$’s winning probability by eavesdropping on the transmitted messages. According to this game, the following is obtained.

$$Pr\left[Suc{c}_1\right]=Pr\left[Suc{c}_0\right]$$

(2)

• Game$G_2$: $G_2$ is modeled as an active attack, where the simulations of the $Send$ and $Hash$ oracles are included. In $G_2$, the $MA$ can eavesdrop all exchanged messages $\{M_1,MI{D}_i,CI{D}_i,M_{UG},T_1\}$, $\{M_2,MI{D}_i,M_{GS},T_2\}$, $\{M_3,M_{SG},M_{SU},T_3\}$, and $\{M_4,M_{SU},M_{GU},T_4\}$ during the authentication and key agreement process. However, all exchanged messages are safeguarded using the hash function $h(·)$. Furthermore, the random numbers $R_u$ and $R_s$ are not derived from the intercepted exchanged messages because the random numbers are protected by hash function $h(·)$. By applying the birthday paradox [49], we can derive the following.

$$|Pr\left[Suc{c}_2\right]-Pr\left[Suc{c}_1\right]|\le \frac{q_h^2}{2\left|Hash\right|}$$

(3)

• Game$G_3$: $G_3$ is simulated using $CorruptSC$ query. In this game, the $MA$ is able to extract the secret credentials $\{Q_i,W_i,MI{D}_i\}$ from a smartcard’s memory using the power analysis attack. Generally, a user utilizes the low-entropy password. Using $SC$’s stored secret credentials $\{Q_i,W_i,MI{D}_i\}$, the $MA$ may try to extract the password $P{W}_i$ by performing a password guessing attack. However, in the proposed protocol, the $MA$ cannot obtain password $P{W}_i$ of the legitimate user correctly through the $Send$ query without $GWN$’s master key $K_{GWN}$ and secret parameter $X_i$. Furthermore, the probability of guessing the biometric secret key $b_i$ of $l_b$ bits by the $MA$ is approximately $\frac{1}{2^{l_b}}$. Thus, the $G_2$ and $G_3$ are indistinguishable if biometric/password guessing attacks are not present. Consequently, by applying Zipf’s law [48], the following is obtained.

$$|Pr\left[Suc{c}_3\right]-Pr\left[Suc{c}_2\right]|\le max\{C·q_{send}^s,\frac{q_s}{2^{l_b}}\}$$

(4)

When all the games are executed, the $MA$ should guess the correct bit c. Consequently, we can obtain the following result.

$$Pr\left[Suc{c}_3\right]=\frac{1}{2}$$

(5)

By applying Equations (1), (2), and (5), the following result is obtained.

$$\begin{array}{cc}\hfill \frac{1}{2}Ad{v}_{MA}& =|Pr\left[Suc{c}_0\right]-\frac{1}{2}|\hfill \\ \hfill & =|Pr\left[Suc{c}_1\right]-\frac{1}{2}|\hfill \\ \hfill & =|Pr\left[Suc{c}_1\right]-Pr\left[Suc{c}_3\right]|\hfill \end{array}$$

(6)

By applying Equations (4)–(6), the following result is obtained, utilizing the triangular inequality.

$$\begin{array}{cc}\hfill \frac{1}{2}Ad{v}_{U_A}& =|Pr\left[Suc{c}_1\right]-Pr\left[Suc{c}_3\right]|\hfill \\ \hfill & \le |Pr\left[Suc{c}_1\right]-Pr\left[Suc{c}_2\right]|\hfill \\ \hfill & +|Pr\left[Suc{c}_2\right]-Pr\left[Suc{c}_3\right]|\hfill \\ \hfill & \le \frac{q_h^2}{2\left|Hash\right|}+max\{C·q_{send}^s,\frac{q_s}{2^{l_b}}\}\hfill \end{array}$$

(7)

As a result, multiplying both sides of Equation (7) by a factor of two, the following result is obtained.

$$Ad{v}_{MA}\le \frac{q_h^2}{\left|Hash\right|}+2max\{C·q_{send}^s,\frac{q_s}{2^{l_b}}\}$$

□

7.5. AVISPA Simulation

We perform the AVISPA simulation tool [18,19] to prove the security of SLUA-WSN against MITM and replay attacks. To perform the AVISPA simulation, the environment and session of the protocol must be implemented utilizing the High-Level Protocols Specification Language (HLPSL) [50].

7.5.1. HLPSL Specification

Referring to HLPSL, we consider three roles: the $U_i$, the $GWN$, and the $S_j$. We present the environment and session using HLPSL in Figure 7, which consists of the security goals.

In Figure 8, the $U_i$ initially receives the message and updates the state value from 1 to 2. After that, $U_i$ transmits the registration request message $\{I{D}_i,MP{W}_i\}$ to $GWN$ over a secure channel. Then, $U_i$ receives the $\left\{smartcard\right\}$ from $GWN$ and $U_i$ changes the state value from 1 to 2. In the authentication process, the $U_i$ should send an authentication request message $\{M_1,MI{D}_i,CI{D}_i,M_{UG},T_1\}$ to $GWN$ over a public channel. Thus, the $U_i$ declares $witness(UA,GA,ua\_ga\_ru,R{U}^{{}^{\prime }})$ from the $GWN$, and then changes the state value from 2 to 3. Then, $U_i$ receives the authentication response messages $\{M_4,M_{SU},M_{GU},T_4\}$ from the $GWN$. Finally, $U_i$ checks $M_{GU}^{*}\stackrel{?}{=}{M}_{GU}$ and $M_{SU}^{*}\stackrel{?}{=}{M}_{SU}$. If it is correct, the $U_i$, $GWN$, and $S_j$ are mutually authenticated successfully. In addition, the HLPSL specification roles of $GWN$ and $S_j$ are similarly defined. Figure 9 and Figure 10 show the role specification of the $GWN$ and $S_j$.

7.5.2. AVISPA Simulation Result

We present the AVISPA simulation result to demonstrate the security of the SLUA-WSN utilizing On-the-Fly Model Checker (OFMC) and Constraint-Logic-based ATtack SEarcher (CL-AtSe) back-ends. The OFMC and CL-AtSe back-ends verify whether a legitimate entity is able to execute the protocol by searching for a passive attacker. In addition, CL-AtSe and OFMC back-ends check that the SLUA-WSN is secure against the replay and MITM attacks based on the DY model. According to Figure 11, the proposed SLUA-WSN is secure against MITM and replay attacks. Moreover, the result of OFMC validation shows that the search time was 4.11 s for visiting 520 nodes, and the result of the CL-AtSe validation analyzed three states and the translation time was 0.10 s. We provide similar AVISPA simulation results as adopted in [51,52,53,54,55].

8. Performance Analysis

We evaluate the performance of SLUA-WSN in terms of the computation, communication, and storage overheads. We also compare SLUA-WSN with other existing schemes [15,37,38,39,40,41].

8.1. Computation Overheads

This section compares the computation overhead associated with the SLUA-WSN to those of related schemes [15,37,38,39,40,41] during the authentication process. We analyzed utilizing the following parameters to evaluate the computation overhead. Referring to the work in [15], $T_m$, $T_R$, $T_S$, and $T_h$ denote the execution time for point multiplication $(\approx 7.3529\mathrm{ms})$, rep operation $(\approx 7.3529\mathrm{ms})$, symmetric encryption/decryption $(\approx 0.1303\mathrm{ms})$, and hash function $(\approx 0.0004\mathrm{ms})$, respectively. The execution time of XOR operation is not included because it is negligible. In

Table 5. Computation overheads comparison.

Schemes	User	Gateway	Sensor node	Total	Computation overhead
Wu et al. [37]	$11T_h+T_R+2T_m$	$10T_h$	$3T_h+2T_m$	$24T_h+T_R+4T_m$	36.77 ms
Wang et al. [38]	$10T_h+T_R+3T_m$	$13T_h+T_m$	$6T_h+2T_m$	$29T_h+T_R+6T_m$	51.48 ms
Li et al. [39]	$8T_h+T_R+2T_m$	$9T_h+T_m$	$4T_h$	$21T_h+T_R+3T_m$	29.42 ms
Li et al. [40]	$12T_h+3T_m$	$8T_h+T_m$	$4T_h+2T_m$	$24T_h+6T_m$	44.13 ms
Lu et al. [41]	$7T_h+T_R+3T_m+T_S$	$6T_h+T_m+T_S$	$2T_h+2T_m+2T_S$	$15T_h+T_R+6T_m+4T_S$	51.99 ms
Mo and Chen [15]	$12T_h+T_R+2T_m$	$10T_h+T_S$	$5T_h+2T_m+T_S$	$27T_h+T_R+4T_m+2T_S$	37.03 ms
Ours	$11T_h+T_R$	$11T_h$	$6T_h$	$28T_h+T_R$	7.36 ms

, we show the results of the computation overhead comparison. Consequently, SLUA-WSN provides a more efficient computation cost compared with the other existing schemes [15,37,38,39,40,41].

8.2. Communication Overheads

We compare the communication cost with the related schemes [15,37,38,39,40,41]. Referring to the work in [15], we assume that the hash function, a timestamp, an identity, a random nonce, and a prime p are 160 bits, 32 bits, 32 bits, 128 bits, and 160 bits, respectively. In addition, we consider that an ECC of 160 bits has a security level equivalent to that of the 1024-bit RSA [56]. The block size of plaintext/ciphertext for the AES algorithm is 128 bits [57]. In the authentication process of SLUA-WSN, the exchanged messages $\{M_1,MI{D}_i,CI{D}_i,M_{UG},T_1\}$, $\{M_2,MI{D}_i,M_{GS},T_2\}$, $\{M_3,M_{SG},M_{SU},T_3\}$, and $\{M_4,M_{SU},M_{GU},T_4\}$ require (160 + 160 + 160 + 160 + 32 = 672 bits), (160 + 160 + 160 + 32 = 512 bits), (160 + 160 + 160 + 32 = 512 bits), and (160 + 160 + 160 + 32 = 512 bits), respectively. In

Table 6. Communication overheads comparison.

Schemes	Communication Overhead	Number of Messages
Wu et al. [37]	3072 bits	4 messages
Wang et al. [38]	2368 bits	4 messages
Li et al. [39]	2496 bits	4 messages
Li et al. [40]	2880 bits	4 messages
Lu et al. [41]	2880 bits	3 messages
Mo and Chen [15]	3328 bits	4 messages
Ours	2208 bits	4 messages

, we present the results of the communication overhead comparison. Thus, SLUA-WSN has a more efficient communication cost compared with other related schemes [15,37,38,39,40,41].

8.3. Storage Overheads

We compare the storage costs with the related schemes [15,37,38,39,40,41]. We first define that the hash, identity, timestamp, random nonce, ECC algorithm, RSA algorithm, and AES algorithm are 20, 4, 4, 16, 20, 128, and 16 bytes, respectively, and the prime p in $E_p(a,b)$ is 20 bytes. In the proposed SLUA-WSN, stored messages $\{Q_i,W_i,MI{D}_i\}$ and $\left\{r_g\right\}$ require (20 + 20 + 20 = 60 bytes) and (20 bytes), respectively. Although the storage costs of the proposed SLUA-WSN are somewhat higher than Mo and Chen’s scheme [15], it provides better security and efficiency than the other related schemes [15,37,38,39,40,41].

Table 7. Storage overheads comparison.

Schemes	Stored Message (Smart Card/mobile Device)	Stored Message (Gateway Node)
Wu et al. [37]	$B_1,B_2,P_{bi}\approx 56$ bytes	$I{D}_i\approx 4$ bytes
Wang et al. [38]	$A_i,B_i,n_0,Y,P\approx 100$ bytes	$I{D}_i,r_i\approx 20$ bytes
Li et al. [39]	$\alpha ,\delta ,A_i,B_i,X\approx 92$ bytes	$I{D}_i\approx 4$ bytes
Li et al. [40]	$A_i,B_i,E_i,X,f,n_0,r\approx 108$ bytes	$I{D}_i,k_i\approx 20$ bytes
Lu et al. [41]	$RP{W}_i,f_i,v_i\approx 56$ bytes	$K_j\approx 20$ bytes
Mo and Chen [15]	$RI{D}_i,f_i,\tau \approx 56$ bytes	$K_j\approx 20$ bytes
Ours	$Q_i,W_i,MI{D}_i\approx 60$ bytes	$r_g\approx 20$ bytes

shows the analysis results of storage overhead compared to related schemes.

9. Conclusions

In this paper, we proved that Mo and Chen’s scheme suffers from various security flaws, such as session key exposure and masquerade attacks, and does not provide anonymity, untraceability, and authentication. We proposed a secure and lightweight user authentication protocol in WSN environments utilizing biometric and secret parameters to resolve the security drawbacks of Mo and Chen’s protocol. SLUA-WSN prevents various attacks, including sensor node capture, masquerade, and privileged insider attacks. We demonstrated that the proposed SLUA-WSN ensures secure mutual authentication between $U_i$, $GWN$, and $S_j$ by performing BAN logic. We also proved the security of SLUA-WSN by performing the formal security analysis such as the ROR model and AVISPA simulation. We compared the performance of SLUA-WSN in terms of computation, communication, and storage overheads with existing schemes. Consequently, the proposed SLUA-WSN provided a great improvement in terms of the security level compared with three-factor-based related schemes and also preserved the low computation and communication overheads using only hash and XOR operations. Therefore, the proposed SLUA-WSN provides superior security and efficiency than related schemes and is suitable for practical WSN environments.