Robust Multi-Gateway Authentication Scheme for Agriculture Wireless Sensor Network in Society 5.0 Smart Communities

Abstract

Recent Society 5.0 efforts by the Government of Japan are aimed at establishing a sustainable human-centered society by combining new technologies such as sensor networks, edge computing, Internet of Things (IoT) ecosystems, artificial intelligence (AI), big data, and robotics. Many research works have been carried out with an increasing emphasis on the fundamentals of wireless sensor networks (WSN) for different applications; namely precision agriculture, environment, medical care, security, and surveillance. In the same vein, almost all of the known authentication techniques rely on the single gateway node, which is unsuitable for the current sensor nodes that are broadly distributed in the real world. Despite technological advances, resource constraints and vulnerability to an attacker physically capturing some sensor nodes have remained an important and challenging research field for developing wireless sensor network user authentication. This work proposes a new authentication scheme for agriculture professionals based on a multi-gateway communication model using a fuzzy extractor algorithm to support the Society 5.0 environment. The scheme provides a secure mutual authentication using the well-established formal method called BAN logic. The formal security verification of the proposed scheme is validated with the AVISPA tool, a powerful validation method for network security applications. In addition, the security of the scheme was informally analyzed to demonstrate that the scheme is secure from different attacks, e.g., sensor capture, replay, and other network and physical attacks. Furthermore, the communication and computation costs of the proposed scheme are evaluated and show better performance than the existing authentication schemes.

1. Introduction

Society 5.0 has been launched by Japan for the perfect industrial structure and social system of the future. According to the Japan Cabinet Office (CAO), society 5.0 is “a human centred society that balances the economic development of a system by combining cyberspace and physical space to solve social problems” [1]. Figure 1 illustrates the evolution of societies from Society 1.0 to the new Society 5.0, in which everyone can live a safe and fulfilling life. Smart Food value chain of Society 5.0 with the National Organization for Agriculture and Food Research (NARO) addresses breeding, cultivation, harvesting, storage, processing, distribution, and consumption issues [2,3]. As a result, the process of establishing a “data-driven society”, has begun, which now includes agriculture [4,5]. The ongoing evolution of information and communications technology (ICT) and digital technology of all kinds are the motivation behind Society 5.0 to offer individuals an enormous society of prospects for creativity, growth, unparalleled prosperity collaboration, and human to human, human to machine, and machine to device services [4,6].

By the end of 2025, the world market in smart agriculture is predicted to reach USD 15.3 billion compared to USD 5 billion in 2016, which is more than triple of the market size in just about ten years [7]. Smart agriculture in the agri-product exporting countries will become a critical IoT field [8]. At present, smart agriculture has been applied in IoT applications such as irrigation sensors [9], frost prediction of the event [10], farming of precision soil [11], identification of blind entity [12], smart farming [13], precision agriculture [14], so on. Terrestrial wireless sensor networks (TWSN) and wireless underground sensor networks (WUSN) are the two types of WSNs being utilized in agricultural fields. Wireless underground sensor networks [15] are planted inside the soil with higher frequencies being substantially reduced, while lower frequencies are allowed to permeate the soil [13,16,17,18]. The overview and the architecture of WSN in the agriculture environment is illustrated in Figure 2.

The agriculture applications may transfer or monitor sensitive data via a public channel; thus securing the transmission and authenticating of highly sensitive information. Several gateways should also be included in dealing with a distributed environment to avoid high computation costs in the entire network [19]. Additionally, different issues exist in IoT-based agriculture development, such as information security, privacy, data analysis, maintenance, mobility, and hardware [8,20,21]. The type of wireless communication (e.g., 4G, 5G, WiFi, 6LowPan, LoRa) used for connecting sensors distributed across a large area in the agriculture field may present a mobility challenge [22,23]. Implementing the IoT into the agriculture fields may allow the attacker to attack the agriculture systems; thus, the smart agriculture communication system needs to be secured [8]. Security concerns, such as eavesdropping, disruption, physical attack, and others, might compromise the data and structure of the network [24]. To address this, a data security architecture is constructed that protects data from sensors, wireless networks, and data processing applications through encryption, digital envelopes, digital signatures, and critical public key infrastructures (PKI) [25]. Generally, once the sensors and the gateway nodes are placed, they are stationary. In wireless environment, the cost of sending and receiving messages increases when the distance between the participants and the whole network increases. It is better to allow only the gateway nodes to communicate with the relatively far away users. However, a data flow with high speed may collide, and the performance of the WSN will be slowed down where there is only one gateway. More gateway nodes are needed when the sensors are distributed on a large scale. Thus, the costs of transmitting and receiving messages are much higher than the local computations at an entity in the network [26].

There have been many proposed authentication and key agreement (also known as the key establishment) schemes for WSNs in the literature. For instance, in [27] a lightweight authentication scheme (LAS) for IoT WSN users in a multi-gateway conception is proposed. Similarly, in [28] a three-factor mutual authentication protocol for multi-gateway IoT environments to solve the existing security weaknesses in two-factor authentication protocols is proposed. In 2014, a WSN with a lightweight authentication protocol was integrated with a fingerprint-based biological factor [29]. In [30], a new mechanism for user authentication and key agreement in heterogeneous ad hoc WSNs is proposed. In 2015, an authentication approach based on pseudo-identity temporal credentials in WSNs was devised [31]. In [32], a biometric-based user authentication solution for WSNs is suggested. In 2015, a new secure and more efficient authentication and key agreement scheme for agriculture monitoring using WSNs is proposed [33]. The work of [34] applied dark web technology to ensure the privacy of blockchain and servers. In 2017, work of [35] presented a confidentiality-preserving remote user authentication system for IoT users using WSN, which was more efficient than earlier comparable methods and could withstand all forms of security outbreaks. In [36], an authentication-based, smart-card, and password-based strategy for intelligent agriculture based on the use of fuzzy biometric extraction before providing users with required fields is developed. In [37], an elliptic curve-based user authentication mechanism based on symmetric cryptography (ECC) is presented. In [38], biometric-based authentication and key management services are discussed. In 2020, an Elliptic-Curve Diffie–Hellman authentication and key agreement approach for wireless sensor network (WSN) applications is suggested [39]. In [40], a new user authentication system based on signatures and the ECC in the IoT-enabled environment is presented. In [41], the WSN data protection, three-factor remote user authentication solution for increased security and efficient agricultural monitoring by ECC algorithm are also presented.

Table 1. Comparison of the existing WSN authentication scheme in the agricultural field.

Ref.	Communication Model	Method	Tool	Advantages	Limitations
[29]	Single gateway	RSA public key	GNY logic	Mutual authentication	Vulnerability to offline password guessing, insider, and gateway node impersonation attack.
[30]	Single gateway	ECC	Prototype (MICA2 sensor node)	Vulnerability to offline password guessing, insider, and gateway node impersonation attack.	Vulnerability to various impersonation attacks.
[31]	Single gateway	Hash function, and XOR	PBC library	Reduces the computation burden.	Node captured impersonation attack.
[32]	Single gateway	AES	PBC library	Denial-of-service attack and sensor node impersonation attack.	Fail to provide acclaimed security goals.
[33]	Single gateway	Dynamic pseudonym identity.	C/C++	Most suitable for agriculture monitoring.	Needs to concentrate on redundancy.
[34]	Single gateway	Blockchain	PBC library	Ensures data privacy and integrity.	Single point failure.
[35]	Single gateway	ECC	JPBC library	Provides mutual authentication between the user, the sensor, and the gateway.	Lack of user anonymity or smart card stolen attack.
[36]	Single gateway	PKI	Crypto ++	Agriculture field monitoring.	Packets drop and latency ratio.
[37]	Single gateway	ECC	PBC library	Node transfers data to the user without any interference from the gateway.	Vulnerable to user impersonation, stolen smart card, privileged insider attacks and does not support anonymity, and traceability.
[38]	Single gateway	ECC	Crypto ++	Computationally less expensive.	An adversary could gain unauthorized access to the device.
[39]	Single gateway	ECDH	JPBC library	Secure from numerous security attacks.	Vulnerability to attacks.
[44]	Single gateway	ECC	PBC library	Achieves essential security requirements like integrity, anonymity, forward secrecy.	Vulnerability to offline guessing attack, and sensor capture attack.
[41]	Single gateway	Fuzzy extractor.	Crypto ++	Secure monitoring.	High computation cost.

, shows that Turkanovic et al. in [30] did not secure forward privacy [42]. Amin and Biswas [43] found that the scheme in [33] is required to concentrate on redundancy. Wu et al. [31] highlighted specific security weaknesses such as sensor capture attacks, and impersonation attacks in He et al. [32]. On the other hand, Khalid et al. [33] revealed that Wu et al.’s [35] system lacks appropriate online registration and password change phases for sensor nodes. Ali et al. [36] and Lee et al. [28] are found to be vulnerable to impersonations, robbed smart-cards, ephemeral secret leaking (ESL), privileged insider attacks, and a Denial-of-Service (DoS) attack. Sadukhan et al. [37] does not lacks anonymity, traceability, and dynamic node addition. Furthermore, Yuan et al.’s [29] was found to be vulnerable to offline password guessing, privileged insider attacks, and gateway node impersonation attacks. In addition, it cannot provide query response protection. Moghadam et al. [39] and Haseeb et al. [44] are vulnerable to an insider attack, session key attack, and do not provide confidentiality. Vangala et al. [45] and Rangwani et al. [41] were subsequently broken by Ali et al. [36], who pointed out that the schemes are vulnerable to offline password guessing attack, identity guessing attack, and user tracking attack. Nevertheless, the analysis that identifies several attacks in the current authentication scheme has not been considered by the researchers (e.g., offline password/identity guessing attacks, sensor capture attacks, and impersonation attacks). In addition, the methods are vulnerable to inefficient authentication phases. In agriculture, wireless communication messages are transferred and received substantially at higher network entity computations than the local network entity computations. Therefore, transmission and reception expenses increase as network unit distance increases. As a result, the GWNs suffer high communication overhead, leading to slow shutdown or crash due to many users and sensors management in large-scale WSN.

Several alternative architectures with single-gateway architecture for agriculture environment are proposed previously. These single-gateway systems have low fault tolerance, as the gateway acts as a single point of failure, thus making it vulnerable to external attacks. Therefore, an efficient multi-gateway authentication scheme for agriculture is needed to address these issues [7], because insecure communication between the smart devices, gateways, and users makes the IoT agriculture environment vulnerable to various potential attacks. Several Internet of Things (IoT) smart devices, e.g., sensor nodes, can be deployed to monitor the agricultural environment in smart farming. The drones can be further utilized to collect the data sensed by the IoT smart devices, and even sometimes, they can directly collect the information from the specific agriculture fields. However, insecure communication between the sensor nodes, gateways, and agriculture professionals makes the IoT agriculture environment vulnerable to various potential attacks, including replay, impersonation, man-in-the-middle, privileged-insider, and physical smart devices and drones capture attacks [46]. Apart from these, anonymity and mutual authentication properties to be highly maintained is essentially required. An adversary cannot trace the entities sending the data securely to the control room via a gateway. Therefore, to address the above issues, we propose a multi-gateway authentication scheme with the three factors being the identity, password, and personal biometrics for agriculture WSN. The proposed scheme relies mainly on the fuzzy extractor method. We have also provided the simulation of our scheme using AVISPA, a powerful validation tool for network security applications, and showed that our scheme is safe against popularly known attacks. Similarly, the BAN logic is utilized to prove the secure mutual authentication between entities.

2. Materials and Methods

2.1. Security Requirements

The integration of WSN in low power agriculture for the internet and society 5.0 requires adequate security mechanisms, which can offer essential safety safeguards for WSN applications, equipment, and communications in agriculture. The conventional Internet connections require sufficient security to use end-to-end communications between low-power farm WSN sensing devices and other external or internet companies. According to recent studies in [2,3,5,16,21,40,47,48] about the security of smart agriculture, the agriculture WSN authentication scheme must satisfy the security and functionality of agriculture WSN in Society 5.0. These security and functionality requirements are as following:

• Mutual authentication: the agriculture professional Ui and the sensor node Sn should authenticate each other with the help of the gateway node (GWN).
• Anonymity: an adversary should not get the real identity of the agriculture professional $U_i$.
• Multi-gateway: agriculture WSN has many sensor nodes and IoT devices that are distributed over large agriculture fields. Hence, a single-gateway node can hardly manage this number of nodes, causing a single point of failure. Therefore, the agriculture environment should support multi-gateway communication.
• Physical Attack: The attacker disturbs the protocol by causing a collision packet, inserting and interrogating packets to obtain information about the communication template, or delaying communication. Thus, the WSN should withstand physical attacks, such as sensor capture attacks and gateway attacks.
• Network Attacks: The WSN authentication scheme for agriculture must resist several attacks, such as an offline password guess attack, the user impersonation attack, the node impersonation attack, the modification attack, the man-in-the-middle attack, and the replay attack.

2.2. Single-Gateway Model

Many researchers have utilized the single communication model to design a user authentication for WSN. The model, as shown in Figure 3, includes user, gateway, and sensor nodes. In the model, the user can access the desired sensor node after registering himself/herself into the GWN. However, the model user can only access the sensor nodes that are deployed within the local network. Furthermore, a user cannot access any sensor nodes that are deployed in the different agriculture fields, especially in large-scale environments. The user first sends an authentication message to the gateway; the gateway then sends the message to the deployed sensor. Later, the sensor node sends back the message to the gateway, and it forwards the message to the user whether the user was granted access or not.

2.3. Multi-Gateway Model

Amin and Biswas [43], and H. Guo [49] proposed a multi-gateway communication model, including users, gateway nodes (GWNs), and sensor nodes. Here, we divide gateway nodes into two categories: home gateway nodes (HGWN) and foreign gateway nodes (FGWN) according to the distance to other nodes—relatively close gateway nodes are called HGWNs, and the rest of them are called FGWNs. Sensors and gateway nodes are stationary after they are placed. The computing power of the gateway nodes is powerful, while sensors have low memory, low bandwidth, low battery power and limited computing power. Sensor nodes monitor and collect data, then send the sensed data to the nearest gateway node, i.e., HGWN. The HGWN forwards the received data to other FGWNs, users or sensors. For example, when a user wants to communicate with a sensor node, they need to authenticate each other.

As shown in Figure 4, if the user and the sensor belong to a home network managed by the same HGWN, the authentication process is as follows: Case 1; Firstly, the user sends a login message to HGWN. Second, HGWN authenticates the user and sends a message to the sensor node. Then, the sensor authenticates HGWN and returns messages to HGWN. After HGWN completes the authentication, it returns messages to the user. Finally, the user completes the authentication of HGWN and computes a session key with the sensor and HGWN. When a user wants to communicate with a sensor node in different networks, the detailed steps are shown in Figure 3. We describe the process as follows: Case 2; The user Ui sends a login message to its HGWN. The HGWN then broadcasts request messages to the sensor node that the user wants to request for a communication. After FGWN receives the broadcast messages, it checks whether the sensor node is in its database. If so, FGWN sends a message to HGWN. The HGWN returns reply messages to the user. Finally, the user and FGWN perform mutual authentication and negotiate the session key as shown in Figure 4.

2.4. Fuzzy Extractor

This section provides a brief explanation of fuzzy extractors to clarify the procedure of the algorithm. In a Fuzzy extractor, there are two main procedures: a reproduction procedure referred to as (Rep), and a generation procedure referred to as (Gen). The two procedures are described as follows:

• $Gen$: the input of this procedure is the user biometric $BI{O}_i$. Furthermore, the outputs are the key to the biometric ${\sigma }_i$ and the public parameter. Thus, the procedure function can be represented as $Gen(BI{O}_i)=({\sigma }_i,{\tau }_i)$ where ${\tau }_i$ is the error tolerance threshold.
• $Rep$: This procedure retrieves the biometric key ${\sigma }_i$ form corresponding auxiliary string ${\tau }_i$ and the user biometric $BI{O}_i^{{}^{\prime }}$, where the function can be represented as $Rep(BI{O}_i^{{}^{\prime }},{\tau }_i)={\sigma }_i.$ This provides the error tolerance threshold $\tau$ greater than the Hamming distance between the original input of $BI{O}_i$ and the retrieved biometric $BI{O}_i^{{}^{\prime }}$.

However, the polynomial-time running of the Gen and Rep procedures is efficiently robust to the fuzzy extractor algorithm. Furthermore, recovering ${\sigma }_i$ from the input of the biometric $BI{O}_i^{{}^{\prime }}$ alongside the string of the auxiliary ${\tau }_i$ by an attacker is difficult. Thus, the fuzzy extractor algorithm is highly secured.

2.5. Proposed Scheme

The following section proposes a new multi-gateway authentication scheme for agriculture wireless sensor networks, as shown in Figure 5. The proposed scheme uses the smart card, password, and personal biometrics as authentication factors. There are four phases involved in the proposed scheme (e.g., pre-deployment phase, agriculture/sensor registration phase, login phase, and authentication phase). In

Table 2. Notations.

Notations	Description
SA	System administrator.
HGWN	Home gateway.
FGWN	Foreign gateway.
$SNi$	Sensor.
$U_i$	Agriculture professional.
$S{N}_{ID}$	Sensor identity.
$S{N}_{MSK}$	Sensor master key.
$G{W}_{ID}$	Gateway identity.
$G{W}_{MSK}$	Gateway master key.
$HG{W}_{ID}$	Home gateway identity.
$HG{W}_{MSK}$	Home gateway master key.
$FG{W}_{ID}$	Foreign gateway identity.
$FG{W}_{MSK}$	Foreign gateway master key.
$U_{PW}$	Agriculture profession Password.
$U_{BIO}$	Agriculture profession biometric.
$PI{D}_i$	Pseudo-identity.
$PW{R}_i$	Pseudo-password.
$S{N}_{ID}^n$	New sensor identity.
$S{K}_i$	Secret key.
$h(.)$	One-way hash function.
$(Gen)$	Generation procedure of fuzzy extractor.
$(Rep)$	Reproduction procedure of fuzzy extractor.
$A\Vert B$	Concatenation.
$A\oplus B$	Exclusive-OR.

, the used notations in the proposed scheme are illustrated. As mentioned in the literature review, a unique property of biometrics enables its use in authentication protocols. Using biometric keys with low-entropy passwords makes it difficult to fake or exchange, including the inability to be lost or forgotten. As a result, guessing biometric keys becomes a complex problem. This study makes use of a robust fuzzy extractor. Finally, the WSN’s sensor nodes, the GWNs, and the users are synchronized and use the timestamp to withstand the replay attack.

2.5.1. Pre-Deployment Phase

The system parameters are selected in this phase, and it pre-loads information in deployed sensor nodes and gateways before being deployed in a target field. This phase is carried out in a stand-alone mode. The system administrator (SA) is responsible for and manages the pre-deployment phase. Each cluster has n sensor nodes that are deployed randomly or manually in the preceding stage with a target field; each cluster also contains (HGWN). In this work, we assume that every sensor node chooses the nearest HGWN. The SA, on the other hand, selects the system parameters in the following manner:

• Sensor node pre-deployment:
  • The SA randomly chooses a unique identity $S{N}_{ID}$ and master key $S{N}_{MSK}$. For each deployed sensor node in the cluster $(1\le j\le m)$, then, SA calculates $A_j=h(S{N}_{ID}\Vert S{N}_{MSK})$ for each sensor node. It also generates a distinct master key $S{N}_{MSK}$, with all the generated $A_j$, which are distinct throughout the WSN. Now, the credentials $(S{N}_{ID},A_j)$ are pre-loaded into the sensor node memory within its corresponding cluster priorly.
• Gateway Pre-deployment:
  • First, the gateway selects an identity $G{W}_{ID}$, and $G{W}_{MSK}$ as gateway master key for the deployed GWNs in the cluster. In the proposed scheme, there are two different GWNs: HGWNs, those located in a specific cluster, and those located outside a cluster called FGWN. The SA then generates an identity $HG{W}_{ID}$ and $HG{W}_{MSK}$ as gateway master key. The same goes for the FGWN generating $FG{W}_{ID}$ and $FG{W}_{MSK}$.
  • Later, the SA computes $A_{HGWN}=h(HG{W}_{ID}\Vert S{N}_{ID}\Vert HG{W}_{MSK})\oplus h(S{N}_{ID}\Vert S{N}_{MSK})$ for all n sensor nodes $S{N}_i$ within HGWN, for example. The SA finally pre-loads the information $HG{W}_{ID},(S{N}_{ID},A_{HGWN})\le j\le m$,$HG{W}_{MSK}$ into the memory of the HGWN priorly to its deployment in the target field.

2.5.2. Registration Phase

After the pre-deployment phase of the sensor nodes in the targeted agriculture field, the sensors are transmitted to the registered legal professional via HGWN and FGWN. The sensors and agriculture professionals must be registered with SA to access the desired services. The following sections outline how to register a sensor node and an agriculture professional:

• User/agriculture professional registration: Before participating in any communication during this phase, the user or agriculture professional must register with one of the GWNs. Assuming that the user chooses to register with HGWN, he or she must follow the steps outlined in Figure 6:

  –

  Agriculture Professional chooses $U_{ID}$ as an identity and $U_{PW}$, which is the password, and a random number R to computes $PI{D}_i=h(U_{ID}\Vert R)$ and $PW{R}_i=h(U_{PW}\Vert R)$. Then, the parameters $PI{D}_i,PW{R}_i$ are securely transmitted to the SA as a registration request.

  –

  The SA receives the message and generates an identity $TI{D}_i$, which is 160-bit to compute $A_{th}=h(HG{W}_{ID}\Vert PI{D}_i\Vert HG{W}_{MSK})\oplus h(PI{D}_i\Vert PW{R}_i\Vert TI{D}_i)$ for each user $U_i$ in HGWN. It also computes $A_{tf}=h(FG{W}_{ID}\Vert PI{D}_i\Vert FG{W}_{MSK})\oplus h(PI{D}_i\Vert PW{R}_i\Vert TI{D}_i)$ for the FGWN. The SA then issues an embedded smart-card $S{C}_i:(HG{W}_{ID},A_{th}),(FG{W}_{ID},A_{tf}),TI{D}_i,Gen(.),Rep(.),h($ $.),t,$ where t is the error tolerance threshold. Finally, it sends the message to the user Ui via a secure channel.

  –

  Now that the user $U_i$ receives the embedded smart-card from SA securely, the $U_i$ imprints their fingerprint $U_{BIO}$ at the sensor of a specific terminal and computes $Gen(U_{BIO})=(\sigma ,\tau )$, which $\sigma$ is the key of the biometric data and $\sigma$ is the parameter. Then, the $U_i$ computes $T_i=h(U_{ID}\Vert \sigma )\oplus R,S_i=h(PI{D}_i\Vert PW{R}_i\Vert \sigma )$ and $A_{th}^{*}=A_{th}\oplus h(\sigma \Vert R)=(HG{W}_{ID}\Vert PI{D}_i\Vert HG{W}_{MSK})\oplus h(PI{D}_i\Vert PW{R}_i\Vert TI{D}_i)\oplus h(\sigma \Vert R).$ The $U_i$ then computes $A_{if}^{*}=A_{if}\oplus h(\sigma \Vert R)=h(FG{W}_{ID}\Vert PI{D}_i\Vert FG{W}_{MSK})\oplus h(PI{D}_i\Vert PW{R}_i\Vert TI{D}_i)\oplus h(\sigma \Vert R).$$U_i$ stores $\tau ,T_i$ and $S_i$ in the smart-card SC. The $U_i$ then replaces $A_{th}with{A}_{th}^{*}$, and $A_{tf}$ with $A_{if}^{*}$ in the stored information of SC. The stored data will be as $(HG{W}_{ID},A_{th}^{*}),(FG{W}_{ID},A_{if}^{*}),TI{D}_i,Gen(.),Rep(.),h(.),t,\tau ,T_i,S_i$.

  However, the pair $(PI{D}_i,TI{D}_i)$ are stored in the database of the corresponding HGWNs to the $Ui$ and also sores them into all FGWNs by the SA if the user desires to access services from any sensor node through the FGWNs.
• Newly Joined Sensors: The newly joined sensor node must be registered with the SA for further communication services in this phase. The phase is performed after being deployed priorly in the pre-deployment phase. Figure 7 shows the steps of newly joined sensors. As we mentioned above, each sensor in the cluster has the information $(S{N}_{ID},A_j)$ in its memory. Thus, to register the sensor node SNi into the SA, the sensor is required to apply the following steps:

  –

  Firstly, the sensor $S{N}_i$ chooses an identity $(S{N}_{ID}^n)$, and a random number $r_{sn}$ is generated for each sensor to compute $N_{SN}=h(S{N}_{ID}^n\Vert r_{sn})$, and $M_{SN}=h(N_{SN}\Vert r_{sn})$. Then, the sensor sends $N_{SN}$ to the SA securely.

  –

  Now, the SA receives the message and obtain a new sensor identity $S{N}_{ID}^n$ and generate a master key $S{N}_{MSK}^n$ for the newly joined sensor. Then, it calculates $A_j^n=h(S{N}_{ID}^n\Vert S{N}_{MSK}^n)$ and loads the $(A_j^n,S{N}_{ID}^n)$ into the sensor memory within its corresponding cluster.

2.5.3. Login Phase

This phase enables the agriculture professional to authenticate to HGWNs using the smart-card SC. After inserting the smart-card into a specific card reader terminal, the SC transmits the login request message to the HGWNs by performing the following steps, which are shown in Figure 8:

• Firstly, the agriculture user inserts their smart-card and inputs the username $U_{ID}$, password $U_{PW}$ and imprints their biometric $U_{BIO}$ at the sensor. Then, the smart-card calculates using the error tolerance thresholds value $\tau ,{\sigma }_i^{*}=Rep(U_{BIO},\sigma )$, $R^{*}=T_i\oplus h(U_{ID}\Vert {\sigma }_i^{*}),$$PI{D}_i^{*}=h(U_{ID}\Vert R^{*})$, $PW{R}_i^{*}=h(U_{PW}\Vert R^{*}),$ and $R_i^{*}=h(PI{D}_i^{*}\Vert PW{R}_i^{*}\Vert {\sigma }_i^{*})$. Then, it checks the condition of $R_i^{*}\ne R_i,$ if invalid, terminates the session.
• Otherwise, the SC authenticates the user and generates a random nonce $N_i$ and calculates a secret key $S{K}_i=A_{th}^{*}\oplus h(PI{D}_i^{*}\Vert PW{R}_i^{*}\Vert TI{D}_i)\oplus h({\sigma }_i^{*}\Vert R_i^{*})=h(HG{W}_{ID}\Vert PI{D}_i\Vert HG{W}_{MSK})$ consistent with the HGWN of the $U_i$. The $U_i$ selects $S{N}_j$ to have access to WSN services. Furthermore, smart-card computes $W_i=h(PI{D}_i^{*}\Vert TI{D}_i\Vert N_i)$ and $C{T}_i=E_{S{K}_i}[HG{W}_{ID},S{N}_{ID},W_i,N_i,T{S}_1]$, where $E_{S{K}_i}(M)$ signifies the plaintext message M’s symmetric key encryption (e.g., AES) using the key $S{K}_i$, and $T{S}_1$ current timestamp. The SC finally sends $M_1=[S{N}_{ID},TI{D}_i,C{T}_i]$ to HGWN publicly.

2.5.4. Authentication Phase

When the HGWN receives the login message, it checks to see if the $S{N}_{ID}$ is stored in the HGWN database. If $S{N}_{ID}$ is in the database, Case 1 will be down. Otherwise, it performs Case 2. Figure 9 and Figure 10 depict distinct procedures individually for the two cases.

• Case 1:
  • The HGWN verifies the $T{S}_1$ by selecting a new timestamp $T{S}_2$ to check the freshness $|T{S}_2-T{S}_1|\le ▵T,$ where $▵T$ is the current timestamp. It calculates $S{K}_i^{*}=h(HG{W}_{ID}\Vert PI{D}_i\Vert HG{W}_{MSK})$ based on the stored information in its database. After that, it decrypts $C{T}_i=D_{S{K}_i}[HG{W}_{ID}^{*},S{N}_{ID}^{*},W_i^{*},N_i^{*},T{S}_1^{*}]$, where $D_{S{K}_i}$ depicts the decryption of a symmetric key using the key $S{K}_i$. After retrieving the information, HGWN verifies the timestamp $|T{S}_1^{*}-T{S}_1^{{}^{\prime }}|\le ▵T,$ where $T{S}_1^{{}^{\prime }}$ is the message receiving time. If it holds, HGWN checks $HG{W}_{ID}^{*}\ne HG{W}_{ID},$ and $S{N}_{ID}^{*}\ne S{N}_{ID},$ and if these parameters are valid, it computes $W_i^{(**)}=h(PI{D}_i\Vert TI{D}_i\Vert N_i^{*})$ based on the stored $PI{D}_i$, and $TI{D}_i$, then checks $W_i^{(**)}\ne W_i^{*}$, if it does not hold, it terminates the session. Otherwise, it selects a random nonce $N_j$ to compute a shared secret key with the sensor node $S{K}_j=h(HG{W}_{ID}\Vert S{N}_{ID}\Vert HG{W}_{MSK})=h(S{N}_{ID}\Vert S{N}_{MSK}),$$P_i=h(PI{D}_i\Vert N_j\Vert N_i^{*}\Vert T{S}_2),$ and $C{T}_j=E_{S{K}_j}[HG{W}_{ID},S{N}_{ID},PI{D}_i,N_i^{*},N_j,P_i,T{S}_2],$ and sends an authentication message $M_2=S{N}_{ID},C{T}_j$ to the sensor node via a public channel.
  • The sensor node $S{N}_i$ receives the message and decrypts $C{T}_j=D_{A_j}[HG{W}_{ID},S{N}_{ID},PI{D}_i,N_i^{*},N_j,P_i,T{S}_2]$ using the stored key $A_j=h(S{N}_{ID}\Vert S{N}_{MSK})$ stored in the memory to obtain the information. Later, $SNi$ checks the freshness of the timestamp $|T{S}_2^{{}^{\prime }}-T{S}_2^{*}|\le ,$ where $T{S}_2^{*}$ is the message $M_2$ received time, if not fresh, terminates the session; otherwise, it computes $P_i^{*}=h(PI{D}_i\Vert N_j^{{}^{\prime }}\Vert N_i^{{}^{\prime }}\Vert T{S}_2^{{}^{\prime }})$ and checks $P_i^{*}\ne P_i^{{}^{\prime }},$ if it does not hold, $S{N}_i$ terminates the session. After that, $S{N}_i$ calculates $Z_i=h(PI{D}_i\oplus N_i^{*}\oplus N_j),$$S{K}_{U\to SN}=h(HG{W}_{ID}\Vert S{N}_{ID}\Vert PI{D}_i\Vert N_j)$, where $S{K}_{U\to SN}$ is a shared key between user and sensor node, and $B_i=h(S{K}_{U\to SN}\Vert T{S}_3)$. Then, $T{S}_2$ sends a replay authentication message $M_3=S{N}_{ID},B_i,Z_i,T{S}_3$ to the user via an open channel.
  • Upon receiving $M_3$, it checks the freshness of the timestamp $|T{S}_3-T{S}_3^{*}|\le ▵T,$ if not fresh, it terminates the session; otherwise, it computes $N_j^{{}^{\prime }}=Z_i\oplus h(PI{D}_i^{*}\oplus N_i)$ using the previously computed $PI{D}_i^{*}=h(U_{ID}\Vert R^{*})$, $S{K}_{U\to SN}^{*}=h(HG{W}_{ID}\Vert S{N}_{ID}\Vert PI{D}_i^{*}\Vert N_j\Vert N_j^{{}^{\prime }})$, and $B_i^{*}=h(S{K}_{U\to SN}^{*}\Vert T{S}_3).$ Finally, $U_i$ verifies $B_i^{*}\ne B_i,$ if it holds, it ensures that $U_i$ and $S{N}_i$ share the same session key and store it for the future communication.
• Case 2:
  • The FGWN calculates $S{K}_{if}=A_{tf}^{*}\oplus h(FG{W}_{ID}\Vert S{N}_{ID}\Vert FG{W}_{MSK})=h(S{N}_{ID}\Vert S{N}_{MSK}),$ then it extracts $PI{D}_i$ corresponding to $TI{D}_i$ and generates a nonce number $N_f$, and computes $V_i=h(TI{D}_i\Vert N_f\Vert T{S}_4)$, $C{T}_f=E_{S{K}_{if}}[HG{W}_{ID},FG{W}_{ID},$$S{N}_{PID},PI{D}_i,N_f,V_i,T{S}_4],$ then it sends $M_5=S{N}_{ID},C{T}_f$ to the sensor node $S{N}_i$.
  • Upon receiving $M_5$, the $S{N}_i$ decrypts the message $C{T}_f=E_{A_j}[HG{W}_{ID},FG{W}_{ID},S{N}_{ID},PI{D}_i,N_f,V_i,T{S}_4],$ using the key $A_j$ to obtain information. Then, it checks the freshness of the timestamp $|T{S}_4^{*}-T{S}_4^{{}^{\prime }}|\le ▵T,$ and checks $S{N}_{ID}^{*}\ne S{N}_{ID}.$ If holds, $S{N}_i$ calculates $V_i^{{}^{\prime }}=h(TI{D}_i\Vert N_f^{*}\Vert T{S}_4^{*})$ and verifies $V_i^{{}^{\prime }}\ne V_i^{*},$ if does not hold, ends session. Otherwise; $S{N}_i$ generates a random nonce $N{c}_f,$ and computes $F_i=h(PI{D}_i\oplus N_f\oplus N{c}_f),$$Q_i=h(FG{W}_{ID}^{*}\Vert N{c}_f\Vert T{S}_5)$ and sends $M_6=S{N}_{ID},F_i,Q_i,T{S}_5$ to the FGWN.
  • The FGWN receives $M_6$, it checks the freshness of the timestamp $T{S}_5$, and computes $N{c}_f^{*}=F_i\oplus h(PI{D}_i\oplus N_f),$ and $Q_i^{*}=h(FG{W}_{ID}\Vert S{N}_{ID}\Vert PI{D}_i\Vert N_f\Vert N{c}_f^{*}\Vert T{S}_5)$. Then, it validates $Q_i^{*}\ne Q_i,$ if holds, the FGWN calculates $S{K}_{ef}=h(FG{W}_{ID}\Vert S{N}_{ID}\Vert PI{D}_i\Vert N_f\Vert N{c}_f^{*}\Vert T{S}_5)$, and $C{T}_{if}=E_{S{K}_{ef}}[FG{W}_{ID},S{N}_{ID},PI{D}_i,N_f,N{c}_f^{*},T{S}_6].$ Finally, FGWN prepares and sends the $M_7=S{N}_{ID},C{T}_{if}$ to the $U_i$.
  • After receiving $M_7$, the $U_i$ calculates key $S{K}_u=A_{if}^{*}\oplus h(PI{D}_i^{*}\Vert PW{R}_i^{*}\Vert TI{D}_i)\oplus h({\sigma }_i^{*}\Vert R_i^{*})=h(FG{W}_{ID}\Vert PI{D}_i\Vert FG{W}_{MSK}),$ and decrypts $C{T}_{if}=D_{S{K}_u}[FG{W}_{ID},S{N}_{ID},PI{D}_i,N_f,N{c}_f^{*},T{S}_6]$ to obtain information. After retrieving the data, it checks the freshness of the timestamps $T{S}_6$. Furthermore, the sensor identity is $S{N}_{ID}$. If it holds, $U_i$ generates a random nonce $N{c}_u$ and computes $D_i=h(PI{D}_i\Vert N_f\Vert N{c}_f^{*}\Vert N{c}_u),$ and also computes shared session key as $S{K}_{U\to SN}=h(HG{W}_{ID}\Vert FG{W}_{ID}^{*}\Vert S{N}_{ID}\Vert PI{D}_i^{*}\Vert N{c}_f\Vert N_j\Vert N_j^{{}^{\prime }})$, and $J_i=h(S{K}_{U\to SN}\Vert T{S}_7)$. Finally, $U_i$ sends $M_8=S{N}_{ID},D_i,J_i,T{S}_7$ to the sensor node.
  • The $S{N}_i$ receives $M_8$ and starts checking the freshness of the timestamp $T{S}_7$, then calculates $N{c}_u^{*}=D_i\oplus h(PI{D}_i\Vert N_f\Vert N_f)$ and session key $S{K}_{U\to SN}^{*}=h(HG{W}_{ID}^{*}\Vert FG{W}_{ID}^{*}\Vert S{N}_{ID}\Vert PI{D}_i\Vert N_f\Vert N{c}_f^{*}\Vert N{c}_u)$, and $J_i^{*}=h(S{K}_{U\to SN}^{*}\Vert T{S}_7)$. After that, the $S{N}_i$ checks the condition $J_i^{*}\ne J_i$, and if it holds, the agriculture professional and sensor node are successfully and mutually authenticated.

2.6. Proof of Authentication Using BAN Logic

This section applies the Burrows–Abadi–Needham logic (BAN) to the proposed scheme to conduct a formal analysis. The BAN logic [50,51] is used widely to ensure the security of the key agreement-based authentication protocol [24,29,44]. First, communication parties establish the protocol’s accuracy: the user Ui and the sensor node Sn, which exchange a freshly formed session key after the execution of the protocol. We begin by illustrating the BAN logic with the following specific notations:

• $P|\equiv X$: The principal P is convinced that the announcement X is valid.
• $P◃X$: P examines X, which indicates that P has received a message containing X that can be read by P.
• $P|\sim X$: P once stated X, which signifies that P| X as P once said it sometime.
• $P|\Rightarrow X$: P commands X completely, believing X is trustworthy (Jurisdiction over X).
• $\#(X)$: Because the message X is new, no entity has previously sent a message containing X.
• $P|\equiv Q\stackrel{SK}{\leftrightarrow }P$: P and Q communicate via SK (shared key).
• $P\stackrel{SK}{\leftrightarrow }Q$: P and Q share SK as a secret.
• $<X{>}_Y$: In conjunction with the formula Y, the formula X is utilized.
• $(X)$: X is a hashed value in the formula.
• $(X,Y)$: After that, the X and Y formulae are concatenated and hashed.
• ${(X,Y)}_k$: Using the key k to hash the formulae X and Y.

In the light of forgoing explanation of specific notations, we present the following rules for formalizing the logical postulates of BAN logic:

Message meaning rule: For shared secret keys (Rule 1):

$$\frac{P|\equiv Q\stackrel{k}{\leftrightarrow }P,P◃X_k}{P|\equiv Q|\sim X}$$

P trusts Q if it believes k is shared with Q and sees X is encrypted under k.

Nonce verification rule (Rule 2):

$$\frac{P|\equiv \#(X),P|\equiv Q|\sim X}{P|\equiv Q|\equiv X}$$

If P believes X was recently expressed (freshness) and Q once said X, P believes that Q believes X.

Jurisdiction rule (Rule 3):

$$\frac{P|\equiv (Q)|\equiv X,P|\equiv Q|\Rightarrow X}{P|\equiv X}$$

If P believes that Q has jurisdiction over X and Q believes that a file contains X, P believes X as well.

Freshness rule (Rule 4):

$$\frac{P|\equiv \#(X)}{P|\equiv \#(X,Y)}$$

If one of the components in the formula is known to be fresh, the complete formula must be fresh.

Belief rule (Rule 5):

$$\frac{P|\equiv Q|\equiv (X,Y)}{P|\equiv Q|\equiv (X)}$$

If P believes that Q believes in the message set (X, Y), then P also believes that Q believes in message X. Session key rule: For shared secret keys (Rule 6):

$$\frac{P|\equiv \#(X),P|\equiv Q|\equiv X}{P|\equiv P|\stackrel{k}{\leftrightarrow }Q}$$

If P believes the shared session key is fresh, P and Q are said to believe X. The session key k with Q is then believed by P. Hence, the proposed scheme should meet the following goals, according to the BAN logic’s analytic procedures:

Goal 1.$HGWN|\equiv (U_i\stackrel{SK}{\leftrightarrow }HGWN);$

Goal 2.$HGWN|\equiv U_i|\equiv (U_i\stackrel{SK}{\leftrightarrow }HGWN);$

Goal 3.$S{N}_j|\equiv (HGWN\stackrel{SK}{\leftrightarrow }S{N}_j);$

Goal 4.$S{N}_j|\equiv HGWN|\equiv (HGWN\stackrel{SK}{\leftrightarrow }S{N}_j).$

Goal 5.$HGWN|\equiv (S{N}_j\stackrel{SK}{\leftrightarrow }HGWN);$

Goal 6.$HGWN|\equiv S{N}_j|\equiv (S{N}_j\stackrel{SK}{\leftrightarrow }HGWN).$

Goal 7.$U_i|\equiv (HGWN\stackrel{SK}{\leftrightarrow }{U}_i);$

Goal 8.$U_i|\equiv HGWN|\equiv (HGWN\stackrel{SK}{\leftrightarrow }{U}_i);$

Goal 9.$FGWN|\equiv (HGWN\stackrel{SK}{\leftrightarrow }FGWN).$

Goal 10.$FGWN|\equiv HGWN|\equiv (HGWN\stackrel{SK}{\leftrightarrow }FGWN).$

Goal 11.$HGWN|\equiv (FGWN\stackrel{SK}{\leftrightarrow }HGWN).$

Goal 12.$HGWN|\equiv FGWN|\equiv (FGWN\stackrel{SK}{\leftrightarrow }HGWN).$

Goal 13.$FGWN|\equiv (U_i\stackrel{SK}{\leftrightarrow }FGWN);$

Goal 14.$FGWN|\equiv U_i|\equiv (U_i\stackrel{SK}{\leftrightarrow }FGWN).$

Goal 15.$S{N}_j|\equiv (FGWN\stackrel{SK}{\leftrightarrow }S{N}_j);$

Goal 16.$S{N}_j|\equiv FGWN|\equiv (FGWN\stackrel{SK}{\leftrightarrow }S{N}_j);$

Goal 17.$FGWN|\equiv (S{N}_j\stackrel{SK}{\leftrightarrow }FGWN);$

Goal 18.$FGWN|\equiv S{N}_j|\equiv (S{N}_j\stackrel{SK}{\leftrightarrow }FGWN).$

Goal 19.$U_i|\equiv (FGWN\stackrel{SK}{\leftrightarrow }{U}_i);$

Goal 20.$U_i|\equiv FGWN|\equiv (FGWN\stackrel{SK}{\leftrightarrow }{U}_i).$

To simplify the analysis between $U_i$ and $S{N}_j$, we first idealize the transmitted messages of our proposed scheme, which are as follows:

Message 1:$U_i\to HGWN$: $HG{W}_{ID},S{N}_{ID},W_i,N_i,T{S}_1.$

Message 2:$HGWN\to S{N}_j$: $HG{W}_{ID},S{N}_{ID},PI{D}_i,N_i^{*},N_j,P_i,T{S}_2.$

Message 3:$S{N}_j\to HGWN$: $S{N}_{ID},B_i,Z_i,T{S}_3.$

Message 4:$HGWN\to Ui$: $HG{W}_{ID},S{N}_{ID},PI{D}_i^{*},N_j,N_j^{{}^{\prime }}.$

Message 5:$HGWN\to FGWN$: $S{N}_{ID},PI{D}_i,HG{W}_{ID},A_{th}.$

Message 6:$FGWN\to HGWN$: $A_{th},HG{W}_{ID}:<PI{D}_i,FG{W}_{ID}>A_{tf},PI{D}_i.$

Message 7:$HGWN\to U_i$: $A_{th}:<HG{W}_{ID},S{N}_{ID},PI{D}_i^{*},N_j,N_j^{{}^{\prime }}>A_{tf},FG{W}_{ID}.$

Message 8:$U_i\to FGWN$: $FG{W}_{ID},S{N}_{ID},PI{D}_i,N_i^{*},N_j,P_i,T{S}_2.$

Message 9:$FGWN\to S{N}_j$: $FG{W}_{ID},S{N}_{ID},PI{D}_i,N_f,N{c}_f^{*},T{S}_6.$

Message 10:$S{N}_j\to FGWN$: $S{N}_{ID},F_i,Q_i,T{S}_5.$

Message 11:$FGWN\to U_i$: $FG{W}_{ID},S{N}_{ID},PI{D}_i,N_f,N{c}_f^{*},T{S}_6$.

Based on our proposed scheme, we made the following initial state assumptions:

A1:$U_i|\equiv \#(N_i^{*},N_j,N_f,N{c}_f^{*});$

A2:$HGWN|\equiv \#(N_i^{*},N_j,N_f);$

A3:$S{N}_j|\equiv \#(N_i^{*},N_j,N_f,N{c}_f^{*});$

A4:$FGWN|\equiv \#(N_i^{*},N_j,N_f);$

C1:$U_i|\equiv (U_i\stackrel{K_i}{\leftrightarrow }HGWN);$

C2:$HGWN|\equiv (HGWN\stackrel{P_j}{\leftrightarrow }S{N}_j);$

C3:$S{N}_j|\equiv (S{N}_j\stackrel{P_j}{\leftrightarrow }HGWN);$

C4:$HGWN|\equiv (HGWN\stackrel{PI{D}_i}{\leftrightarrow }{U}_i);$

C5:$U_i|\equiv (U_i\stackrel{S{K}_{if},A3}{\leftrightarrow }FGWN);$

C6:$FGWN|\equiv (FGWN\stackrel{S{K}_{if},N_f,A5}{\leftrightarrow }S{N}_j);$

C7:$S{N}_j|\equiv (S{N}_j\stackrel{A6}{\leftrightarrow }S{N}_{j}FGWN);$

C8:$FGWN|\equiv (FGWN\stackrel{N_f,A7}{\leftrightarrow }Ui);$

C9:$HGWN|\equiv (HGWN\stackrel{N{c}_f^{*}}{\leftrightarrow }FGWN);$

C10:$FGWN|\equiv (FGWN\stackrel{S{K}_{if}}{\leftrightarrow }HGWN);$

B1:$HGWN|\equiv (U_i\to N_i^{*});$

B2:$S{N}_j|\equiv (HGWN\to N_j);$

B3:$HGWN|\equiv (S{N}_j\to N_i^{{}^{\prime }});$

B4:$U_i|\equiv (HGWN\to N_j^{{}^{\prime }});$

B5:$FGWN|\equiv (U_i\to N_f);$

B6:$S{N}_j|\equiv (FGWN\to N_f);$

B7:$FGWN|\equiv (S{N}_j\to N{c}_f^{*});$

B8:$U_i|\equiv (FGWN\to N_f);$

B9:$HGWN|\equiv (FGWN\to N_i^{*});$

B10:$FGWN|\equiv (HGWN\to N_f);$

Additionally, we demonstrate the robustness of the present scheme based on BAN logic rules by showing that Ui and SNj have the same shared SK session key to communicate securely while still accomplishing the required goals under initial assumptions. The following are the descriptions of the inside information:

We might get the following based on message 1:

$$S1:HGWN◃HG{W}_{I}D,S{N}_{ID},W_i,N_i,T{S}_1.$$

We apply the message meaning rule to S1 and Assumption C1 to get:

$$S2:HGWN|\equiv U_i|\sim N_i.$$

Then, we use the freshness conjunctenation rule and the nonce verification rule to get the final observations based on assumptions A2 and Step 2:

$$S3:HGWN|\equiv U_i|\equiv N_i.$$

When B1, S3, and the jurisdiction rule are applied, we get:

$$S4:HGWN|\equiv N_i.$$

We apply the session key rule to the assumptions A2 and S3 to get:

$$S5:HGWN|\equiv (U_i\stackrel{SK}{\leftrightarrow }HGWN).\mathbf{\left(}\mathbf{Goal}\mathbf{1}\mathbf{\right)}$$

The nonce verification rule and jurisdiction rule are applied to S5 and assumption A2 to obtain:

$$S6:HGWN|\equiv U_i|\equiv (U_i\stackrel{SK}{\leftrightarrow }HGWN).\mathbf{\left(}\mathbf{Goal}\mathbf{2}\mathbf{\right)}$$

We could obtain the following from message 2:

$$S7:SNj◃S{N}_{ID},B_i,N_j,Z_i,T{S}_3$$

If we apply the message meaning rule to C2, S7, we get:

$$S8:S{N}_j|\equiv HGWN|\sim N_j$$

The freshness conjunctenation rule and nonce verification rule are applied to assumptions A3 and S8 to obtain:

$$S9:SNj|\equiv HGWN|\equiv N_j.$$

We use the jurisdiction rule to get the following results from Step 9 and B2:

$$S10:S{N}_j|\equiv N_j$$

S9 and A3 are combined with the session key rule to produce:

$$S11:SNj|HGWN(SK)SNj.\mathbf{\left(}\mathbf{Goal}\mathbf{3}\mathbf{\right)}$$

S11 and assumption A3 are applied to the nonce verification rule to achieve:

$$S12:SNj|\equiv HGWN|\equiv HGWN\stackrel{SK}{\leftrightarrow }SNj.\mathbf{\left(}\mathbf{Goal}\mathbf{4}\mathbf{\right)}$$

We may get the following from message 3:

$$S13:HGWN◃S{N}_{ID},B_i,N_j,Z_i,T{S}_3.$$

We apply the message meaning rule to S13 and assumption C3 to get:

$$S14:HGWN|\equiv SNj|\sim N_j.$$

The freshness conjunctenation rule and nonce verification rule are applied to assumptions A2 and S14 to obtain:

$$S15:HGWN|\equiv S{N}_j|\equiv N_j.$$

We apply the jurisdiction rule in S15 and B3 to obtain:

$$S16:HGWN|\equiv N_j.$$

We apply the session key rule to the assumptions A2 and S15 to obtain:

$$S17:HGWN|\equiv (SNj\stackrel{SK}{\leftrightarrow }HGWN).\mathbf{\left(}\mathbf{Goal}\mathbf{5}\mathbf{\right)}$$

We use the nonce verification rule to derive the following result from S17 and assumption A2:

$$S18:HGWN|\equiv SNj|\equiv SNj\stackrel{SK}{\leftrightarrow }HGWN.\mathbf{\left(}\mathbf{Goal}\mathbf{6}\mathbf{\right)}$$

We might get the following based on message 4:

$$S19:Ui◃HG{W}_{ID},S{N}_{ID},PI{D}_i^{*},N_j,N_j^{{}^{\prime }},T{S}_4$$

We apply the message meaning rule to S19 and assumption C4 to obtain:

$$S20:Ui|\equiv HGWN|\sim N_j^{{}^{\prime }}.$$

Applying the freshness concatenation and nonce verification rules to assumptions A1 and S20, we obtain:

$$S21:Ui|\equiv HGWN|\equiv N_j^{{}^{\prime }}.$$

We obtain jurisdiction by using the jurisdiction rule in line with B4 and S21:

$$S22:Ui|\equiv N_j^{{}^{\prime }}.$$

We use the session key rule-following A1 and S21 to achieve:

$$S23:Ui|HGWN\stackrel{SK}{\leftrightarrow }Ui.\mathbf{\left(}\mathbf{Goal}\mathbf{7}\mathbf{\right)}$$

We use the nonce verification rule to derive the following result from S23 and assumption A1:

$$S24:Ui|\equiv HGWN|\equiv (HGWN\stackrel{SK}{\leftrightarrow }Ui).\mathbf{\left(}\mathbf{Goal}\mathbf{8}\mathbf{\right)}$$

According to message 5, we might be able to obtain:

$$S25:FGWN◃S{N}_{ID},PI{D}_i,HG{W}_{ID},A_{th}.$$

S25 and assumption C9 are subjected to the message meaning rule to obtain:

$$S26:FGWN|\equiv HGWN|\sim A_{th}$$

From S26, we apply the nonce verification rule to get:

$$S27:FGWN|\equiv HGWN|\equiv A_{th}.$$

We use the jurisdiction rule to get the following from S27 and B8:

$$S28:FGWN|\equiv A_{th}.$$

According to S27 and S28, the session key rule is applied, and we get:

$$S29:FGWN|\equiv (HGWN\stackrel{SK}{\leftrightarrow }FGWN).\mathbf{\left(}\mathbf{Goal}\mathbf{9}\mathbf{\right)}$$

According to S29, we apply the nonce verification rule to get:

$$S30:FGWN|\equiv HGWN|\equiv (HGWN\stackrel{SK}{\leftrightarrow }FGWN).\mathbf{\left(}\mathbf{Goal}\mathbf{10}\mathbf{\right)}$$

We might be able to access this based on message 6:

$$S31:HGWN◃A_{th},HG{W}_{ID}:<PI{D}_i,FG{W}_{ID}>A_{tf},PI{D}_i.$$

Using the message meaning rule with S31 and Assumption C10, and we get at:

$$S32:HGWN|\equiv FGWN|\sim A_{tf}.$$

We use the nonce verification rule to get the following observations from S32:

$$S33:HGWN|\equiv FGWN|\equiv A_{tf}.$$

We apply the jurisdiction rule to S33 and B9 to obtain:

$$S34:HGWN|\equiv A_{tf}.$$

According to S33 and S34, the session key rule is applied, we get:

$$S35:HGWN|\equiv (FGWN\stackrel{SK}{\leftrightarrow }HGWN).\mathbf{\left(}\mathbf{Goal}\mathbf{11}\mathbf{\right)}$$

We apply the nonce verification procedure following S35 to obtain:

$$S36:HGWN|\equiv FGWN|\equiv (FGWN\stackrel{SK}{\leftrightarrow }HGWN).\mathbf{\left(}\mathbf{Goal}\mathbf{12}\mathbf{\right)}$$

We might be able to obtain this based on message 7:

$$S37:Ui◃A_{th}:<HG{W}_{ID},S{N}_{ID},PI{D}_i^{*},N_j,N_j^{{}^{\prime }}>A_{tf},FG{W}_{ID}.$$

We apply the message meaning rule to S37 and assumption C5 to obtain:

$$S38:Ui|\equiv HGWN|\sim N_j^{{}^{\prime }}.$$

Applying the freshness conjuncatenation and nonce verification rules to assumptions A4 and S38, we obtain:

$$S39:Ui|\equiv HGWN|\equiv N_j^{{}^{\prime }}.$$

We apply the jurisdiction rule by B9 and S39 to get:

$$S40:Ui|\equiv N_j^{{}^{\prime }}.$$

We apply the session key rule-following A1, A4, and Step 40 to obtain:

$$S41:Ui|\equiv HGWN\stackrel{SK}{\leftrightarrow }Ui.\mathbf{\left(}\mathbf{Goal}\mathbf{7}\mathbf{\right)}$$

We apply the nonce verification rule to Step 41 and assumption A1 to get:

$$S42:Ui|\equiv HGWN|\equiv (HGWN\stackrel{SK}{\leftrightarrow }Ui).\mathbf{\left(}\mathbf{Goal}\mathbf{8}\mathbf{\right)}$$

We may obtain according to message 8:

$$S43:FGWN◃FG{W}_{ID},S{N}_{ID},PI{D}_i,N_i^{*},N_j,P_i,T{S}_2.$$

We use the message meaning rule from S43 and assumption C10:

$$S44:FGWN|\equiv Ui|\sim N_i^{*}.$$

We apply the freshness conjuncatenation rule and the nonce verification rule from assumptions A4 and S44 to:

$$S45:FGWN|\equiv Ui|\equiv N_i^{*}$$

From S45 and B5, we apply the rule of competence to obtain:

$$S46:FGWN|\equiv N_i^{*}.$$

The session key rule is applied according to A4 and S45 and 46; thus, we obtain:

$$S47:FGWN|\equiv (Ui\stackrel{SK}{\leftrightarrow }FGWN).\mathbf{\left(}\mathbf{Goal}\mathbf{13}\mathbf{\right)}$$

Under A4 and S47, the nonce verification rule is to be established:

$$S48:FGWN|\equiv Ui|\equiv (Ui\stackrel{SK}{\leftrightarrow }FGWN).\mathbf{\left(}\mathbf{Goal}\mathbf{14}\mathbf{\right)}$$

We may obtain according to message 9:

$$S49:SNj◃FG{W}_{ID},S{N}_{ID},PI{D}_i,N_f,N{c}_f^{*},T{S}_6$$

We apply the message meaning rule according to C2, B5, and S49:

$$S50:SNj|\equiv FGWN|\sim N_f,N{c}_f^{*}$$

We apply the freshness conjuncatenation rules and the nonce verification rule for assumptions A3 and S50:

$$S51:SNj|\equiv FGWN|\equiv N_f,N{c}_f^{*}.$$

We use the rule of jurisdiction to obtain the following S51 and B6 results:

$$S52:SNj|\equiv N_f,N{c}_f^{*}.$$

From S52 and A3 and to obtain the key session rule:

$$S53:SNj|\equiv FGWN\stackrel{SK}{\leftrightarrow }SNj.\mathbf{\left(}\mathbf{Goal}\mathbf{15}\mathbf{\right)}$$

From S52 and A3 and to obtain the key session rule:

$$S54:SNj|\equiv FGWN|\equiv FGWN\stackrel{SK}{\leftrightarrow }SNj.\mathbf{\left(}\mathbf{Goal}\mathbf{16}\mathbf{\right)}$$

According to message 10, we could get:

$$S55:FGWN◃S{N}_{ID},F_i,N_j,Q_i,T{S}_5.$$

From S55 and assumption C7, we use the message meaning rule:

$$S56:FGWN|\equiv SNj|\sim N_j.$$

We obtain by applying the freshness conjuncatenation and nonce verification rules to assumptions A4 and S56:

$$S57:FGWN|\equiv SNj|\equiv N_j,$$

We apply the jurisdiction rule-following S57 and B7 to obtain:

$$S58:FGWN|\equiv N_j.$$

We apply the session key rule to the assumptions A4 and S58 to obtain:

$$S59:FGWN|\equiv SNj\stackrel{SK}{\leftrightarrow }FGWN.\mathbf{\left(}\mathbf{Goal}\mathbf{17}\mathbf{\right)}$$

We obtain by applying the nonce verification rule to S59 and assumption A4:

$$S60:FGWN|\equiv SNj|\equiv SNj\stackrel{SK}{\leftrightarrow }FGWN.\mathbf{\left(}\mathbf{Goal}\mathbf{18}\mathbf{\right)}$$

According to message 11, we might be able to obtain:

$$S61:Ui◃S{N}_{ID},F_i,Q_i,N{c}_f^{*},T{S}_5.$$

We apply the message meaning rule to Step 61 and assumption C8 to obtain:

$$S62:Ui|\equiv FGWN|\sim N{c}_f^{*}.$$

We obtain by applying the freshness conjuncatenation and nonce verification rules to the assumptions A1 and S62:

$$S63:Ui|\equiv FGWN|\equiv N{c}_f^{*}.$$

We apply the jurisdiction rule by A1 and S63 to get:

$$S64:Ui|\equiv N{c}_f^{*}.$$

We apply the session key rule by A1 and S63 and S64 to achieve:

$$S65:Ui|\equiv FGWN\stackrel{SK}{\leftrightarrow }Ui.\mathbf{\left(}\mathbf{Goal}\mathbf{19}\mathbf{\right)}$$

Applying the nonce verification rule to S65 and assumption A1, we obtain:

$$S66:Ui|\equiv FGWN|\equiv (FGWN\stackrel{SK}{\leftrightarrow }Ui).\mathbf{\left(}\mathbf{Goal}\mathbf{20}\mathbf{\right)}$$

From Steps 5–6, 11, 12, 17, 18, 23, 24, 29, 30,35, 36, 41, 42, 48, 47, 53, 54, 59, 60, 65, and 66, it is obvious that our scheme accomplishes all of the goals (Goals 1–20). Both Ui and SNj assume they share a secure session key $S{K}_j=h(HG{W}_{ID}\Vert S{N}_{ID}\Vert HG{W}_{MSK})=h(S{N}_{ID}\Vert S{N}_{MSK}),$ via HGWN/FGWN.

2.7. Formal Security Verification Using AVISPA Tool

This section demonstrates the proposed scheme’s security validation using the AVISPA tool, a widely used and well-known security validation tool [52]. The security verification code was written using the AVISPA tool based on High-Level Protocol Specification Language (HLPSL). It is a role-oriented language composed of primary roles that define each participant system and composition roles representing scenarios connected to fundamental roles [53]. The intruder, who is always represented by ”I“ and explained using the Dolev–Yao model, also plays a special role. The intruder plays a critical part in implementing the protocol and interacts with several other functions in the system. Using the HLPSL2IF translator, the HLPSL protocol specification is transformed into an intermediate format (IF). After that, the intermediate format is examined using one of four different backends: CL-AtSe, OFMC, SATMC, or TA4SP. Each backend uses a variety of automated analytical tools to detect potential attacks against known models.

Specifying Scheme Roles

This section shows our scheme employing HLPSL in two scenarios. The first scenario, as shown in Figure 11, Figure 12, Figure 13 and Figure 14, carries out the basic functions of UI’s, SA’s, HWGN, and SNj sensor nodes during the user registration, log-in and authentication, and key agreement phases (Case 1). In the second scenario, we integrated user roles Ui, SA, HWGN, and sensor node SNj throughout the user registration, log-in and authentication phase, and key agreement phase (Case 2).

The details of the role of the initiator, the user Ui, are shown in Figure 11 for Case 1. The start signal is first received by Ui, which changes its state from 0 to 1. The variable status is used to keep track of the current state. Using the SND() function, Ui securely provides PIDi, PWRi to the SA during the registration phase of the user. The SCi smart card is received in Ui from the SA containing information (IDGWNh, Aih), (IDGWNf, Aif), TIDi, Gen (.), Rep(.), h (.) and t, changing the status from 1 to 2. Ui delivers the log-in request message M1 = IDSNj, TIDi, Ci to the HGWN across an open channel during the log-in phase. The secret declaration (X, id, A) states that the protocol identification of agent A is id. The information X is kept secret from agent A. For example, secret (IDi, PWRi, BIOi, sp1, Ui) implies that IDi, PWi, and secret number R are kept secret from Ui only, as determined by the protocol identifier sp1. Declaration witness (Ui, HGWN, ui hgwn ru, TS1’) implies that Ui recently generated the HGWN timestamp TS1. During the authentication and key agreement phases, Ui gets the acknowledgment message M3 = hIDSNj, Gi, Hi, TS3i through a public channel from the sensor node SNj and updates its state from 2 to 3. Finally, Ui checks SNj’s authenticity by comparing SNj’s timestamp TS3 to the randomly generated nonce RNj generated by the declaration request (SNj, Ui, sn ui rk, RNj’). Notably, the type declaration channel (dy) reflects the communication channel using the Dolev–Yao threat model, implying that an intruder can view, intercept, or change messages sent via an insecure public channel. Sentence A denotes that the function is carried out by the agent identified by variable A.

Similarly, Figure 12 shows the role of the home gateway role in HLPSL. The role starts by receiving the message (IDSNj.TIDi’.IDGWNh.IDSNj.H(H(IDi.R).TIDi’.RNi’). RNi’.TS1’ _H(IDGWNh.H(IDi.R).MKGWNh)) from the user Ui using the operation Rcv (). The declaration secret (IDi, PWi, R, sp1, Ui) indicates that the values IDi, PWi, R sent secularly to the user Ui using the protocol sp1. While the statement secret (IDGWNh, sp2, Ui, SA, HGWN) specifies the identity of the home gateway among the Ui and SA by the HGWN using protocol ID sp2. Furthermore, the indication secret (MKGWNh, sp3, SA, HGWN) shows that the master key is shared between the SA and the HGWN. While the identity of the foreign gateway is shared securely using the declaration secret (IDGWNf, sp4, Ui, SA, FGWN) amongst the Ui, and SA using the protocol ID sp4. The foreign gateway shares its master key with SA using the declaration secret (MKGWNf, sp5, SA, FGWN). Later, the home gateway sends the message (IDSNj.Fi’) to the sensor using Snd(). The declaration witness (HGWN, SNj, hgwn_sn_rf, TS2’) indicates that the HGWN freshly generates TS2’ for the SNj. Furthermore, the HGWN is freshly generating random nonce RNi’ for the sensor using the declaration witness (HGWN, SNj, hgwn_sn_tsf, RNk’). The HGWN accepts the legitimacy of the Ui by checking the freshness of the TS1 using the declaration request (Ui, HGWN, ui_hgwn_ru, TS1’), and also accepts the legitimacy of the user by checking RNi’ through the indication request (Ui, HGWN, ui_hgwn_tsu, RNi’).

In Figure 13, the role of the sensor node in HLPSL is illustrated. The role starts by receiving the message (IDSNj.IDGWNh.IDSNj.H(xor(H(IDi.K), RNi’)). RNi’ .RNk’.H(H(xor (H(IDi.K), RNi’)). RNi’.RNk’.TS2’).TS2’_H(IDSNj.MKSNj)) from the HGWN using the operation Rcv (). However, the role indicates the values IDi, PWi, R are shared securely to the user using the declarations secret (IDi, PWi, R, sp1, Ui). The declarations secret (IDGWNh, sp2, Ui, SA, HGWN), and secret (IDGWNf, sp4, Ui, SA, FGWN) specify that the identity of the home and foreign gateway is shared secretly among the Ui, and the SA. While the expressions secret (MKGWNh, sp3, SA, HGWN, and secret(MKGWNf, sp5, SA, FGWN) show that the master key of the home and foreign gateways is shared securely to the user Ui. Likewise, the user believes that the sensor freshly generates TS3’, and RNj’ for user. The user also acknowledges the HGWN’s legality by confirming the TS2’ timestamp using the declaration request (HGWN, SNj, hgwn sn rf, TS2’), and by validating the RNk’s random nonce with the declaration request (HGWN, SNj, hgwn sn tsf, RNk’).

The role of system administrator in HLPSL is shown in Figure 14. After the message (H(IDi.K).H(PWi.K)_SKuisa) is received from the user, it shares the values IDi, PWi, K securely using the protocol ID sp1. Later, it sends (IDGWNh.Aih’.IDGWNf.Aif’.TIDi’.Gen.Rep.

H.T_SKuisa) and encrypts the message using the SKuisa secret key. Furthermore, it indicates that the identities by the declarations secret (IDGWNh, sp2, Ui, SA, HGWN), and secret (IDGWNf, sp4, Ui, SA, FGWN) are shared among Ui, SA, HGWN, and FGWN. The master keys MKGWNh, and MKGWNf are share secretly by the declarations secret (MKGWNh, sp3, SA, HGWN), and secret (MKGWNf, sp5, SA, FGWN) to the SA.

Figure 15 shows the session, goal, and environmental roles of the proposed scheme. All primary roles of the session, including user, sa, hgwn, and sensor, are instances with concrete arguments. The HLPSL specification continually defines the top-level role (environment). In addition, the proposed scheme has implemented five secrecy goals and three authentication goals:

• Secrecy Goals:
• secrecy_of sp1: Indicates that the IDi, PWRi, and BIOi are kept secret to the Ui.
• secrecy_of sp2: States that the IDGWNh is shared securely to the Ui, SA, and HGWN.
• secrecy_of sp3: This shows that the MKGWNh is kept secret to the SA and HGWN.
• secrecy_of sp4: Indicates that the IDGWNf is shared among Ui, SA, and FGWN.
• secrecy_of sp5: Indicates that the MKGWNf is kept secret to the SA and FGWN.
• Authentication Goals:
• authentication_on ui_hgwn_ru, ui_hgwn_tsu: It indicates that the user Ui generates TS1’ and RNi; which are freshly generated and perform a strong authentication with HGWN-based validity of these values.
• authentication_on hgwn_sn_rf, hgwn_sn_tsf: It indicates that HGWN generates TS2’ and RNK’ freshly for the sensor and performs a strong authentication of the parameter’s freshness.
• authentication_on sn_ui_rk, sn_ui_tsk: It shows that the sensor generates a fresh TS3’ and RNj’ for the user and performs a strong authentication based on the validity of the values.

3. Results and Discussion

In this section, we provide a comprehensive discussion on the security and functional results of the proposed scheme with the related user authentication schemes applied for agriculture WSNs, such as D. Rangwani et al. [41], Dhillon and Kalra [38], J. Lee et al. [28], and A.Vangala et al. [45]. We first provide the results of the AVISPA tool presented in the earlier Section 2.7. Then, a theoretical security analysis on the way of providing security protection against various attacks is discussed. Finally, it illustrates the functionality of the proposed scheme in terms of communication and computation costs against other exiting authentication schemes.

3.1. The AVISPA Results

In the OFMC and CL-AtSe back-ends, the SPAN tool simulated the proposed scheme for both cases (Case 1 and Case 2) using AVISPA tool. The following evaluations are carried out in our scheme in both cases:

• Executability check on non-trivial HLPSL specifications: The proposed protocol model may not be completed due to modeling errors. As a result, the state unreachability of critical states in which an attack can occur, the AVISPA back-ends may not identify an attack, as mentioned in the protocol model. Consequently, an executability test is essential. Our initial HLPSL implementation shows that the executability test objectives in Figure 11, Figure 12, Figure 13 and Figure 14 are met in both cases.
• Replay attack check: The OFMC and CL-AtSe back-ends search for a passive intruder to determine whether authentic agents can execute the specified protocol. The simulation results shown in Figure 16 and Figure 17 reveal that our scheme is secure against replay attacks in both cases.
• Dolev–Yao model check: The AVISPA simulation, built on the OFMC and CLAtSe back-ends, detects man-in-the-middle and replay attacks. Figure 16 and Figure 17 indicate indisputably that our scheme is secure when employed with these back-ends.

3.2. Security Features

This section details the proposed security analysis of security properties and resistance to various attacks against existing agriculture professional authentication schemes. It shows that the proposed scheme can resist a variety of security attacks and withstand multiple security features.

Table 3. Comparison of security features.

	Rangwani et al. [41]	Vangala et al. [45]	Dhillon et al. [38]	Lee et al. [28]	Proposed Scheme
Insider attack	✓	✓	×	×	✓
Agriculture professional identity-guessing attack	×	×	×	×	✓
Gateway impersonation attack	×	×	✓	×	✓
IoT smart device impersonation attack	×	×	×	✓	✓
Agriculture professional impersonation attack	✓	✓	×	✓	✓
Denial of service attack	✓	✓	✓	×	✓
Session Key attack	✓	×	×	✓	✓
Offline guessing attack	✓	✓	×	✓	✓
Replay attack	✓	✓	✓	✓	✓
Man-in-the-middle attack	✓	✓	✓	✓	✓
Smart card stolen attack	✓	✓	✓	✓	✓
Sensor Capture attack	✓	×	×	×	✓
Untraceability	✓	✓	×	✓	✓
Anonymity	✓	✓	✓	✓	✓
Forward secrecy	✓	×	×	×	✓
Mutual Authentication	✓	✓	✓	✓	✓
Multi-gateway supports	×	×	×	✓	✓

shows the comparison of the proposed scheme against other selected works in terms of security features. For example, it indicates that D. Rangwani et al. [41] and A.Vangala et al. [45] schemes are vulnerable to identity guessing, gateway, and sensor impersonation attacks. Furthermore, the A.Vangala et al. [45] scheme is vulnerable to sensor capture attack and does not guaranteed forward secrecy. However, the D. Rangwani et al. [41] and A.Vangala et al. [45] schemes have not considered the multi-gateway environment. Likewise, the work of Dhillon and Kalra [38] is vulnerable to insider attacks, user identity guessing attacks, session key attacks, sensor capture attacks, and offline guessing attacks. Furthermore, Dhillon and Kalra [38] did not consider security features such as forward secrecy, untraceability, and multi-gateway supports. Furthermore, work of J. Lee et al. [28] is vulnerable to insider attacks, gateway impersonation attacks, DoS attacks, and sensor capture attacks.

• Insider attack: The adversary gets the user’s lost/stolen card and obtains the information $(HG{W}_{I}D,A_{th}^{*}),(FG{W}_{ID},A_{if}^{*}),TI{D}_i,Gen(.),Rep(.),h(.),t,\tau ,T_i,S_i$ that is stored in the smart card. Even if the SA is trusted, information can be obtained $PI{D}_i$ and $PW{R}_i$ by a malicious insider. Nevertheless, if the value $T_i=h(U_{I}D)R$ is calculated with 1024-bit large secret number R; the attacker needs R to guess the user information $U_{ID},$ and $U_{PW}$, which only the user Ui knows about it. Additionally, the attacker must know the biometric key data, if he/she wants to derive R, which is computationally infeasible to guess when compared to low-entropy passwords. Since the attacker cannot correctly guess $U_{ID}$, and $U_{PW},$, therefore, the proposed scheme is secure against insider attacks.
• Agriculture professional identity-guessing attack: As mentioned above, the SA knows the user information $U_{ID}$, and $U_{PW}$ during the registration phase and in case of the adversary with malicious insider attack, the SA knows about it while sending requests for registration. To obtain the identity of the user $U_{ID}$ from $PI{D}_i=h(U_{ID}\Vert R)$, the attacker is required to know R. Furthermore, if the attackers intercept the messages $M_1=[S{N}_{ID},TI{D}_i,C{T}_i]$ in the login phase,$M_2=S{N}_{ID},C{T}_j,M_3=S{N}_{ID},B_i,Z_i,T{S}_3$, during Case 1, and $M_5=S{N}_{ID},C{T}_f,M_6=S{N}_{ID},F_i,Q_i,T{S}_5,M_7=S{N}_{ID},C{T}_{if}$ and $M_8=S{N}_{ID},D_i,J_i,T{S}_7$ during the authentication procedure of Case 2. The attacker cannot correctly infer the user’s identity since the $TI{D}_i$ is safeguarded using a one-way hash function. As a result, the proposed scheme is resistant to identity-guessing attacks.
• Gateway impersonation attack: If the adversary attempts to drop the message $M_2=S{N}_{ID},C{T}_j$ from the public channel during Case 1, where $P_i=h(PI{D}_i\Vert N_j\Vert N_i^{*}\Vert T{S}_2)$, and $C{T}_j=E_{S{K}_j}[HG{W}_{ID},S{N}_{ID},PI{D}_i,N_i^{*},N_j,P_i,T{S}_2]$, and tries to calculate the message $M_2=S{N}_{ID},C{T}_j$ to send to the SNi. If the sensor accepts the message, the attacker will impersonate the news as a legitimate gateway. However, this is not possible in our proposed scheme since the letter is attached with a fresh timestamp $T{S}_2$ and cannot pass the verification even if the adversary successfully generates a nonce $N_j$. Further, the attacker needs to compute the $C{T}_j$ through the use of the secret key to encrypt additional parameters $S{K}_j=h(HG{W}_{ID}\Vert S{N}_{ID}\Vert HG{W}_{MSK})=h(S{N}_{ID}\Vert S{N}_{MSK})$ that are shared between gateway and sensor. The $S{K}_j$ is unknown to the attacker with $N_j$, and $PI{D}_i$ to compute $P_i$. As a result, even if the attacker successfully captures a sensor, he/she will be unable to impersonate a valid HGWN. As a result, the proposed scheme is resistant to a gateway impersonation attack.
• IoT smart device impersonation attack: The adversary must construct a valid message to impersonate the sensor node SN and deceive the HGWN, say $M_3=S{N}_{ID},B_i,Z_i,T{S}_3$ throughout the authentication phase, and make additional efforts to create a message $M_3^{\prime }$ via the public channel. The attacker needs $PI{D}_i$, and $N_j$. As a result, the adversary cannot pose as a valid sensor node SN in the proposed system, preventing sensor node impersonation attacks.
• Agriculture professional impersonation attack: To impersonate the user $U_i$ as a valid user, assume that the adversary eavesdrops on the message $M_1=[S{N}_{ID},TI{D}_i,C{T}_i]$, where $W_i=h(PI{D}_i^{*}\Vert TI{D}_i\Vert N_i),C{T}_i=E_{S{K}_i}[HG{W}_{ID},S{N}_{ID},W_i,N_i,T{S}_1],$ and $PI{D}_i^{*}=h(U_{ID}\Vert R^{*})$. Assume the attacker attempts to construct another valid log-in request message, compelling the adversary to authenticate to the HGWN. To accomplish this, the adversary must know $PI{D}_i^{*},$ which is impossible without the secret $R^{*}$. Assume the adversary gets the $N_i$, and $T{S}_1$, but cannot generate $C{T}_i=E_{S{K}_i}[HG{W}_{ID},S{N}_{ID},W_i,N_i,T{S}_1]$ because he/she does not have access to the shared User/HGWN Secret Key $S{K}_i.$ As a result, a user impersonation attack can be used against the proposed scheme.
• Denial of service attack: Assume the attacker has the lost/stolen smart card of the user $U_i$; he/she cannot have the user information username $U_{ID}$, password $U_{PW}$ and imprints of their biometric $U_{BIO}$. Furthermore, the smart card compute ${\sigma }_i^{*}=Rep(U_{BIO},\tau )$ using the error tolerance thresholds value $\tau ,R^{*}=T_i\oplus h(U_{ID}\Vert {\sigma }_i^{*}),$$PI{D}_i^{*}=h(U_{ID}\Vert R^{*}),PW{R}_i^{*}=h(U_{PW}\Vert R^{*}),$ and $R_i^{*}=h(PI{D}_i^{*}\Vert PW{R}_i^{*}\Vert {\sigma }_i^{*})$. After that, the smart card checks the validity of $R_i^{*}\ne R_i.$ Therefore, without having valid user information, the validation will fail. Similarly, the adversary cannot update the smart card’s stored secret credentials without access to user information. As a result, the proposed scheme protects against denial of service attacks.
• Session Key attack: The shared session key is established during the authentication step by the user Ui and the sensor node $S{K}_{U\to SN}=h(HG{W}_{ID}\Vert S{N}_{ID}\Vert PI{D}_i\Vert N_j)$, which includes $PI{D}_i=h(U_{ID}\Vert R),$ and random nonce $N_j$. In both cases, these parameters are protected using a one-way hash function, which means that an attacker cannot obtain the session key without knowing the secret parameters of the session key. Therefore, the session key attack is resisted in the proposed scheme.
• Offline guessing attack: Assume that the user password $U_{PW}$ is guessed by the adversary, he/she will not be able to generate a valid authentication request $C{T}_j=E_{S{K}_j}[HG{W}_{ID},S{N}_{ID},PI{D}_i,N_i^{*},N_j,P_i,T{S}_2],$ where $P_i=h(PI{D}_i\Vert N_j\Vert N_i^{*}\Vert T{S}_2)$. Because the adversary does not have the $PI{D}_i$, and $N_j$ and cannot forge the user biometric $U_{BIO}$. Even if the adversary generates $N_j,$ they still will not be able to compute $C{T}_j$, because he/she does not know the secret key $S{K}_j$. Therefore, the proposed scheme is resilient against offline guessing attacks.
• Replay attack: Assume that the adversary intercepts the messages $M_1=[S{N}_{ID},TI{D}_i,C{T}_i],$$M_2=S{N}_{ID},C{T}_j,$$M_3=S{N}_{ID},B_i,Z_i,T{S}_3$ in both cases during authentication. The adversary will be unable to replay the message, as each message contains timestamps and a random nonce, both of which are verified by the recipient before any message processing. Thus, the receiver can determine an older message by comparing the timestamp to the timestamp of the current system. As a result, the proposed scheme prevents replay attacks.
• Man-in-the-middle attack: Assume that the adversary intercepts the messages $M_1=[S{N}_{ID},TI{D}_i,C{T}_i],$$M_2=S{N}_{ID},C{T}_j,$$M_3=S{N}_{ID},B_i,Z_i,T{S}_3$, and tries to tamper with the content before passing it to the receiver so that the receiver will not be aware of the modified messages. In the proposed scheme, the messages are encrypted, say $C{T}_j=E_{S{K}_j}[HG{W}_{ID},S{N}_{ID},PI{D}_i,N_i^{*},N_j,P_i,T{S}_2]$, which involves random nonce, timestamp, and $PI{D}_i$. The receiver checks the condition of the timestamp and random nonce before any processing of the received message. Furthermore, the parameters are encrypted using the shared key $S{K}_j$, which is computationally infeasible for the attacker to generate and obtain the parameters. If the attacker generates the secret key, he/she does not know $PI{D}_i^{*}=h(U_{ID}\Vert R^{*})$ because it is protected using a one-way hash function and involves a secret value $R^{*}$. Therefore, the proposed scheme withstands a man-in-the-middle attack.
• Smart card stolen attack: Assume that an attacker steals the user’s smart-card SC and extracts the value $TI{D}_i,\sigma ,T_i$ and $S_i$. The attacker will not be able to compute $T_i=h(U_{ID}\Vert \sigma )\oplus R,S_i=h(PI{D}_i\Vert PW{R}_i\Vert \sigma )$ since they are computed using the biometric key data. Furthermore, the adversary cannot compute $PI{D}_i=h(U_{ID}\Vert R)$ because it is protected using a one-way hash function. Thus, without knowing the user information, the adversary cannot generate the login message. Therefore. the proposed scheme protects against smart card stolen attacks.
• Sensor Capture attack: In a harsh environment, the attackers quickly capture the sensor nodes. If the attacker captures the node SN, he/she will extract the secret information $(S{N}_{ID},A_j)$, where $A_j=h(S{N}_{ID}\Vert S{N}_{MSK})$ is computed using the $S{N}_{MSK}$, which is a secret value not known to other participants. Therefore, identifying the sensor secured with the one-hash function cannot negatively affect the sensor node nor can it disrupt the authentication process between the agricultural professional and the sensor node. Therefore, the proposed scheme protects against sensor capture attacks.
• Agriculture professional/sensor node untraceability: Assume that the attacker eavesdrops on the authentication messages from different sessions and checks whether the messages are the same. If they are the same, both messages are sent by identical identities, e.g., agriculture professional or sensor node. However, despite recording the authentication message and stealing $M_1=[S{N}_{ID},TI{D}_i,C{T}_i],$$M_2=S{N}_{ID},C{T}_j,$$M_3=S{N}_{ID},B_i,Z_i,T{S}_3$, the adversary cannot trace the agriculture professional or the sensor node because these messages are comprised of the random nonces $N_i^{*},N_j,$ and timestamps $T{S}_1,T{S}_4$, which are generated freshly in every session separately, leading to a new formation of the messages. Therefore, the user anonymity and sensor node cannot be traced.
• User anonymity: The adversary in this attack tries to obtain the user information when the messages are transmitted via a public channel in their original form. The user sends the messages, say $M_1=[S{N}_{ID},TI{D}_i,C{T}_i],$$M_2=S{N}_{ID},C{T}_j,$$M_3=S{N}_{ID},B_i,Z_i,T{S}_3$ to the gateway, and the transmitted messages do not contain any identity of the agriculture professionals. Additionally, the messages are sent in encrypted form where $C{T}_i=E_{S{K}_i}[HG{W}_{ID},S{N}_{ID},W_i,N_i,T{S}_1]$ using the freshly generated shared secret key. The messages are further formed using an irreversible hash operation. Thus, each message that comes from the same user is different from one session to another. Therefore, the scheme guarantees user anonymity.
• Forward secrecy: In the proposed scheme, the long-term key $S{K}_i$ is disclosed to the user only, and the session key is also kept securely. The secret key is computed $S{K}_i=A_{th}^{*}\oplus h(PI{D}_i^{*}\Vert PW{R}_i^{*}\Vert TI{D}_i)\oplus h({\sigma }_i^{*}\Vert R_i^{*})=h(HG{W}_{ID}\Vert PI{D}_i\Vert HG{W}_{MSK})$, and it needs $PI{D}_i,R_i^{*}$, and ${\sigma }_i^{*}$ only known to the user. If the adversary somehow reveals the secret key of both user and gateway, he/she also needs to know $PI{D}_i$, which is protected using a one-way hash function, and the random number $R_i^{*}.$ The complexity of guessing the secret key and the random number chosen by the user or sensor node in polynomial time using any powerful computer is amazingly massive and almost impossible. As a result, the proposed scheme preserves forward secrecy.
• Mutual authentication: The proposed scheme provides mutual authentication because the agriculture professional sends the login message, say $M_1=[S{N}_{ID},TI{D}_i,C{T}_i],$ to the HGWN via a public channel. Upon receiving message, the HGWN verifies the $T{S}_1$ by selecting a new timestamp $T{S}_2$ to check the freshness $|T{S}_2-T{S}_1|\le ▵T,$ where $▵T$ is allowed transmission delay. Furthermore, it decrypts $C{T}_i=D_{S{K}_i}[HG{W}_{ID}^{*},S{N}_{ID}^{*},W_i^{*},N_i^{*},T{S}_1^{*}],$ where $D_{S{K}_i}$ depicts the decryption of a symmetric key using the key $S{K}_i$. After retrieving the information, HGWN verifies the timestamp $|T{S}_1^{*}-T{S}_1^{{}^{\prime }}|\le ▵T,$ where $T{S}_1^{{}^{\prime }}$ is the message receiving time. If it holds, it checks $HG{W}_{ID}^{*}\ne HG{W}_{ID},$ and $S{N}_{ID}^{*}\ne S{N}_{ID},$ and if these parameters are valid, it computes $W_i^{**}=h(PI{D}_i\Vert TI{D}_i\Vert N_i^{*})$ based on the stored $PI{D}_i$, and $TI{D}_i$, then checks $W_i^{**}\ne W_i^{*}$. If it does not hold, it terminates the session. The verification will fail here since the validation depends on the one-way hash function. Therefore, mutual authentication is provided in the proposed scheme among all the participants.
• Multi-gateway supports: In the proposed scheme, multi-gateways (e.g., HGWN and FGWN) are registered with SA to enable agriculture professionals to authenticate to a sensor node with other fields. When the HGWN receives the login message, it checks if the HGWN database contains $S{N}_{ID}$, and performs HGWN authentication (Case 1); otherwise, it performs FGWN authentication (Case 2). Therefore, the proposed scheme supports multi-gateway authentication.

3.3. Computation Cost

In

Table 4. Comparison of the computation and communication costs of schemes.

Scheme	Computation Cost (ms)				Communication Cost
	User	Sensor	Gateway	Total
A.Vangala et al. [45]	$13T_h+4T_{ecm}+T_{eca}+T_{fe}$	$9T_h+4T_{ecm}+T_{eca}$	$12T_h+6T_{ecm}+2T_{eca}$	32.13 ms	5792 bits
Dhillon and Kalra [38]	$10T_h+1T_{E/D}$	$6T_h+2T_{E/D}$	$7T_h+2T_{E/D}$	20.382 ms	4016 bits
D. Rangwani et al. [41]	$4T_H+2T_{ecm}$	$4T_H+1T_{ecm}+1T_{E/D}$	$7T_H+1T_{ecm}+2T_{E/D}$	20.4885 ms	2752 bits
J. Lee et al. [28]	$14T_H+1T_{fe}$	$9T_H$	$5T_H$	27.2743 ms	2400 bits
Proposed scheme	$9T_H+1T_{fe}+1T_{E/D}$	$3T_H+1T_{E/D}$	$5T_H+2T_{E/D}$	17.6651 ms	1696 bits

, this subsection compares the proposed scheme in terms of computation cost in the login and authentication phases with other related schemes, e.g., D. Rangwani et al. [41], Dhillon and Kalra [38], J. Lee et al. [28], and A.Vangala et al. [45]. In WSN, the sensor node has the most limited resources such as the user’s smart card, sensor node, and GWN (base station). We used the hardware platform primarily on the previous studies to calculate execution time, including an Intel dual-core processor with a clock speed of 2.20 GHz, Ubuntu 12.04.1 LTS 32-bit Operating System, and 2 GB memory. The approximate execution time for various cryptographic operations by using the cryptography PBC library (version 0.5.12) is based on the GMP Library (version 5.0.5) reported in [41]. The execution time in ms is required for each primitive operation as noted in Table 4. During the login and authentication phase of the A.Vangala et al. [45] scheme, a user requires $13T_h+4T_{ecm}+T_{eca}+T_{fe}=15.473$ ms, an IoT smart device (sensor node) requires $9T_h+4T_{ecm}+T_{eca}=11.949$ ms, and a gateway node requires $12T_h+6T_{ecm}+2T_{eca}=4.708$ ms. In the Dhillon and Kalra [38] scheme, the user needs to perform $10T_h+1T_{E/D}$, and the sensor applies $6T_h+2T_{(E/D)}$. In the gateway side, $7T_h,$ and $2T_{E/D}$ are needed, so, the total computation cost in Dhillon and Kalra [38] is 20.382 ms.

In the D. Rangwani et al. [41] scheme, the user requires $4T_H+2T_{ecm},$ and the gateway nodes require $7T_H+1T_{ecm}$. Likewise, in the sensor side, the computation cost is $4T_H+1T_{ecm},$ thus, the total computation cost in the D. Rangwani et al. [41] scheme can be represented as $15T_H+4T_{ecm}$ and the estimation time is 8.9730 ms. In the J. Lee et al., [28] scheme, the user needs to perform hash function operation $14T_H$ and one-time fuzzy extractor operation $1T_{fe}$. At the sensor side, nine times hash operations $9T_H$ are required. Likewise, five times hash operations $5T_H$ are needed at the gateway side. Therefore, the total computation cost of the J. Lee et al. [28] scheme is $28T_H+1T_{fe}\equiv 27.2743ms$. The proposed scheme, on the other hand, has a total computational cost of $17T_H+1T_{fe}+4T_{E/D}$ for Case 1, and $19T_H+1T_{fe}+5T_{E/D}$ for Case 2. The user is not required to employ symmetric encryption/decryption (e.g., AES) because of the computational efficiency of both the fuzzy extractor operation and symmetric encryption/decryption (e.g., AES). The computational cost of a resource-constrained sensor node is $3T_H+1T_{E/D}$ in Case 1, whereas it is $4T_H+1T_{E/D}$ in Case 2. Both the hash function and symmetric encryption/decryption are very efficient, which makes the proposed scheme very efficient for resource-constrained sensor nodes in WSNs. Table 4 compares the computation costs required in different schemes during the “login and authentication phase. For instance, it shows that the A.Vangala et al. [45], Dhillon and Kalra [38], and D. Rangwani et al. [41] require the computation costs 32.13ms, 32.13ms, and 20.4885ms, respectively. According to the comparison, the proposed scheme has less computation cost when compared to the existing schemes. Furthermore, due to the utilization of the fuzzy extractor technique, it provides “superior security and more functionality features when compared with all authentication schemes”.

3.4. Communication Cost

The communication cost comparison of the proposed scheme and other existing schemes regarding the total number of bits required for that transmitted message is illustrated in Table 4. For computing the communication cost, we assume that the identities $HG{W}_{ID},FG{W}_{ID},PI{D}_i,$ and $U_{ID}$ are all 160 bits in length; the hash output is 160 bits long; and the identities SN ID, random number/nonce, and timestamp are all 32 bits. For a 128-bit plaintext block, symmetric encryption/decryption (using AES-128) requires 128 bits. In the A.Vangala et al. [45] scheme, the messages $Ms{g}_1=⟨TI{D}_U,M_1,Y_1,Sig{n}_{y1},T_1⟩$ with $|TI{D}_U|=160$ bits,$|M_1|=320$ bits, $|Y_1|=320$ bits, $|Sig{n}_{y1}|=256$ bits and $|T_1|=32$ bits, requires 1088 bits; $Ms{g}_2=⟨TI{D}_C,M_2,Y_1,Y_2,Sig{n}_{y2},T_2⟩$ with $|TIDC|=160$ bits, $|M_2|=256$ bits, $|Y_1|=320$ bits, $|Y_2|=320$ bits, $|Sig{n}_{y2}|=256$ bits and $|T_2|=32$ bits, needs 1344 bits; $Ms{g}_3=⟨TI{D}_S^{*},M_3,M_4,Y_3,Sig{n}_{y3},T_3⟩$ with $|TI{D}_S^{*}|=256$ bits, $|M_3|=256$ bits, $|M_4|=256$ bits, $|Y_3|=320$ bits, $|Sig{n}_{y3}|=256$ bits and $|T_3|=32$ bits, demands 1376 bits; and $Msg4=⟨TI{D}_U^{*},M_3,M_4,M_5,Y_3,Y_4,Sig{n}_{y4},T_3,T_4⟩$ with $|TI{D}_U^{*}|=256$ bits, $|M_3|=256$ bits, $|M_4|=256$ bits, $|M_5|=256$ bits, $|Y_3|=320$ bits, $|Y_4|=320$ bits, $|Sig{n}_{y4}|=256$ bits, $|T_3|=32$ bits and $|T_4|=32$ bits, requires 1984 bits. The cumulative communication cost in this scheme amounts to 5792 bits. Furthermore, the Dhillon and Kalra [38] scheme has four messages, which are transmitted among the participant’s entities, costing 4016 bits. In the D. Rangwani et al. [41] scheme, the user transmitting the message $M_1=h(storedDG||R_{U1}||T1||K)$ that requires 256 bits, and receives $M_6=h(receivedI{D}_N||I{D}_G||storedDG||T_4),M_7=h(M_6||R{G}_1||receivedRN||K)$ with 352 bits size length. Likewise, the gateway transmits the message $M_1^{{}^{\prime }}=h(storedDG||receivedR{U}_1||$$received{T}_1||K)$ and receives $M_3=h(M_2||R{G}_1||receivedR{U}_1||L)$ with a size of 1376 bits. The sensor node transmits and receives the messages $M_4=h(I{D}_N||receivedR{G}_1||storedAN||T_3)$ and $M_5=h(M_4||RN||L)$ that cost approximately 832 bits. Therefore, the total communication cost of D. Rangwani et al. [41] is 2752 bits. In J. Lee et al. [28], four messages are exchanged between entities, the user transmits the login request message $\{HI{D}_i,C_i,V{U}_i\}$ and receives an authentication message $\{H_i,M{c}_u\}$ from GWNs. While the gateway sends the message $\{HI{D}_i,C_i,PI{D}_j,D_i,V{S}_j\}$ to control server and receives $\{M{c}_g,M{c}_u,E_i,F_i\}$ from the GWN. Therefore, the total communication cost of J. Lee et al. [28] is 2400 bits.

The communication cost required in the proposed scheme, on the other hand, is 1696 bits (for case 1) and 3168 bits (for instance 2) when the FGWN is involved in the authentication phase. In our scheme, during the log-in phase, the log-in request message, $M_1=[S{N}_{ID},TI{D}_i,C{T}_i]$ requires 704 bits, where 32 and 160 bits are required for $S{N}_{ID}$ and $TI{D}_i,$, respectively, and (160 + 32 + 160 + 32 + 32)/128e = 512 bits for $C{T}_i=E_{S{K}_i}[HG{W}_{ID},S{N}_{ID},W_i,N_i,T{S}_1]$. For the authentication and key agreement phase, consider case 1, the messages of $M_2=S{N}_{ID},C{T}_j$ and $M_3=S{N}_{ID},B_i,Z_i,T{S}_3$ 640 bits and 384 bits are required, respectively. As a result, the proposed scheme’s communication cost for case 1 becomes (704 + 640 + 384) = 1696 bits. Similarly, the communication cost for case 2 in our scheme is 3168 bits due to the messages’ involvement $M_1[S{N}_{ID},TI{D}_i,C{T}_i],M_5=S{N}_{ID},C{T}_f,M_6=S{N}_{ID},F_i,Q_i,T{S}_5,$$M_7=S{N}_{ID},C{T}_{if},and{M}_8=S{N}_{ID},D_i,J_i,T{S}_7.$ Table 4 compares the costs of communication in terms of the number of bits required for message exchange; it illustrates that D. Rangwani et al. [41], Dhillon and Kalra [38], J. Lee et al. [28], and A.Vangala et al. [45] require 5792 bits, 4016 bits, 2400 bits and 2752 bits, independently. This comparison proves that the proposed scheme has less communication cost, which required 1696 bits.

4. Conclusions

As security breaches become more prevalent, new authentication techniques must incorporate agriculture professionals’ biometrics to improve the system’s security. To cater for this need, a robust multi-gateway authentication scheme for agriculture WSN is proposed in this paper. The proposed scheme exploits the advantages of the fuzzy extractor to design a secure authentication system. The study proposed a multi-gateway model to overcome single point failure that exists in a single gateway communication model. This paper pointed out that multi-gateway WSN can allow users to access data from multiple sensor areas (a typical IoT deployment). Furthermore, the study added a new joined phase to enable new sensors to join the agriculture field. The proposed scheme is resistant to various known attacks, including the sensor node capture attack, as proved by formal and informal security research. The proposed scheme is secure against replay and man-in-the-middle attacks, as demonstrated by the extensive formal security verification performed using the AVISPA tool. Furthermore, we demonstrated that our scheme is efficient and provides additional functionality as compared to previous schemes through performance results. In terms of performance, the proposed scheme is better suitable for IoT deployment, where devices deployed in agriculture are generally resource constrained. The future works of this research can be summarized as follows: First, this paper provides secure communication for a multi-gateway environment with efficient results. This solution can be extended to enable the environment with different communication methods used in the same area (e.g., Bluetooth, ZigBee, and WiFi) to guard against interference. Second, due to the efficiency of the proposed scheme, it can further be extended to provide secure user authentication to monitor the field progress. Third, we plan to extend the proposed scheme to protect against distributed denial of service attacks (DDoS) that mainly target sensor nodes.