Skip to main content
Sensors (Basel, Switzerland) logoLink to Sensors (Basel, Switzerland)
. 2016 Dec 14;16(12):2123. doi: 10.3390/s16122123

Three-Factor User Authentication and Key Agreement Using Elliptic Curve Cryptosystem in Wireless Sensor Networks

YoHan Park 1, YoungHo Park 1,*
Editor: Kemal Akkaya1
PMCID: PMC5191103  PMID: 27983616

Abstract

Secure communication is a significant issue in wireless sensor networks. User authentication and key agreement are essential for providing a secure system, especially in user-oriented mobile services. It is also necessary to protect the identity of each individual in wireless environments to avoid personal privacy concerns. Many authentication and key agreement schemes utilize a smart card in addition to a password to support security functionalities. However, these schemes often fail to provide security along with privacy. In 2015, Chang et al. analyzed the security vulnerabilities of previous schemes and presented the two-factor authentication scheme that provided user privacy by using dynamic identities. However, when we cryptanalyzed Chang et al.’s scheme, we found that it does not provide sufficient security for wireless sensor networks and fails to provide accurate password updates. This paper proposes a security-enhanced authentication and key agreement scheme to overcome these security weaknesses using biometric information and an elliptic curve cryptosystem. We analyze the security of the proposed scheme against various attacks and check its viability in the mobile environment.

Keywords: user authentication, key agreement, biometric information, elliptic curve cryptosystem, wireless sensor networks

1. Introduction

Wireless sensor networks (WSNs) are ad hoc networks composed of a number of sensor nodes with limited power, computation, storage and communication capabilities [1]. They provide effective solutions to a wide array of monitoring problems in various environments, such as battlefields, healthcare services and the smart grid [2]. Recently, sensor-attached things that communicate with neighboring things are enabling the development of the Internet of Things (IoT) environment [3]. For these reasons, WSNs have gained wide attention, in both the academic and industrial fields. However, the issue of securing and authenticating communication is problematic, because the nodes are vulnerable to attacks and do not have enough capacity for the secure storage of keys [4,5,6]. To solve these security issues, authentication and key agreement schemes using two-factor security, passwords and smart cards have attracted attention and have been studied widely in an effort to guarantee secure communication [7,8,9,10,11,12,13,14]. Unfortunately, many of them still suffer from various attacks and do not provide secure communication.

Several authentication and key agreement schemes for WSNs have been proposed. In 2010, Das [8] proposed a two-factor user authentication protocol for WSNs. He insisted the scheme withstood various attacks from users with the same identity, as well as from stolen-verifier attacks. However, He et al. [9], Khan and Alghathbar [10] and Chen and Shih [11] pointed out that Das’s scheme was vulnerable to insider and impersonation attacks, gateway node bypassing attacks and privileged-insider attacks and did not provide mutual authentication. Subsequently, each proposed their own authentication scheme to provide secure user authentication in WSNs. In 2012, Vaidya et al. [12] demonstrated that Das’s scheme [8], Khan and Alghathbar’s scheme [10] and Chen and Shih’s scheme [11] had security problems and that none of them provided key agreement. Vaidya et al. proposed a two-factor mutual user authentication scheme with key agreement for WSNs. In 2014, Kim et al. [13] presented that both gateway node bypassing attacks and user impersonation attacks were possible in Vaidya et al.’s scheme [12]. They proposed an authentication and key agreement scheme that resisted user impersonation and gateway node bypassing attacks. However, in 2015, Chang et al. [14] analyzed Kim et al.’s scheme [13] and found it had security vulnerabilities in the following areas: impersonation attacks, lost smart card attacks, man-in-the-middle attacks, violation of session key security and failure to protect user privacy. To solve these problems, Chang et al. [14] proposed a scheme that provided user privacy by using dynamic identities and provided better security functionality than Kim et al.’s scheme. However, we point out that Chang et al.’s scheme does not withstand several types of attacks and fails to provide a password update.

Recently, to improve the security of two-factor authentication schemes that are vulnerable to guessing attacks and subject to inefficient password change policies in WSNs, biometric-based user authentication schemes, combined with smart cards and passwords, have drawn considerable attention in research [15,16,17,18,19]. Biometric-based user authentication in the WSN becomes inherently more reliable and secure than traditional two-factor user authentication schemes [20]. Several advantages can be derived from the use of biometric keys over traditional passwords because they cannot be lost; they are unforgettable, difficult to copy, hard to forge and difficult to break. Therefore, biometric-based user authentication is considered to be more secure and reliable than conventional authentication schemes [20].

In this paper, we cryptanalyze Chang et al.’s scheme [14] and demonstrate the security weaknesses, such as password guessing attacks, lack of forward secrecy and inaccurate password updates. Further, we propose a biometric-based user authentication and key agreement scheme for WSNs using fuzzy extraction and an elliptic curve cryptosystem (ECC). The proposed scheme withstands security threats from malicious adversaries and insider users by using an ECC-based session key. Our scheme is also suitable for WSNs when compared to traditional authentication and key agreement schemes because it performs simple ECC operations, hash functions and exlusive OR (XOR) operations. We prove that our scheme provides mutual authentication using Burrows-Abadi-Needham (BAN) logic [21].

The remainder of this paper is organized as follows: In Section 2, we present our preliminary details, and Chang et al.’s scheme is reviewed in Section 3. In Section 4, we cryptanalyze Chang et al.’s scheme, and our proposed scheme is presented in Section 5. Finally, we analyze our proposed scheme in Section 6 and conclude with the findings of this work in Section 7.

2. Preliminaries

In this section, we introduce the notations used in this paper and then define the cryptographic system and primitives used as building blocks in our security system. Finally, we define security requirements for user authentication in WSNs.

2.1. Notations

The notations used throughout this paper are described in Table 1.

Table 1.

Notations.

Notation Meaning
p,q two large primes
Ui user i
Sj sensor node j
GWN gateway node
SCi smart card of the user Ui
IDi/pwi identity/password of Ui
BIOi biometric template of Ui
TIDi temporal identity of Ui
SIDj identity of Sj
IDS identity of SCi
A adversary
K a master secret of GWN
G1 cyclic group of order q
P generator of G1
Ti,Tj,TG timestamps
XOR operation
|| concatenate operation
h(·) a secure one-way hash function

2.2. Elliptic Curves Cryptosystem

Let p,q be two large primes, and E/Fp indicates an elliptic curve y2=x3+ax+b over the finite field Fp. We denote by G1 a q-order subgroup of the additive group of points of E/Fp. The discrete logarithm problem (DLP) is required to be hard in G1. Mathematical problems in ECC are given as follows [22]:

Definition 1 (Elliptic curve discrete logarithm (ECDL) problem).

Given a point element QG1, find an integer aZp*, such that Q=a×P, where a×P indicates that the point P is added to itself for a times by the elliptic curve operation.

Definition 2 (Elliptic curve computational Diffie–Hellman (ECDH) problem).

For a,bZp*, given two point elements a×P,b×PG1, compute a×b×PG1.

Definition 3 (Elliptic curve decisional Diffie–Hellman (ECDDH) problem).

For a,b,cZp*, given three point elements a×P,b×P,c×PG1, decide whether c×P=a×b×P or not.

We assume that the ECDDH problem is intractable, which may guarantee that there is no probabilistic polynomial time (PPT) algorithm to solve ECDDHP, ECCDHP and ECDDLP with non-negligible probability.

2.3. Fuzzy Extraction

We briefly describe the extraction process of key data from the given biometrics of a user using a fuzzy extractor. The output of a conventional hash function is sensitive, and it may also return completely different outputs even if there is little variation in the inputs. Note that the biometric information is prone to various noises during data acquisition, and the reproduction of the actual biometrics is hard in common practice. To avoid such a problem, a fuzzy extractor method [23] is preferred, which can extract a uniformly-random string and public information from the biometric template with a given error tolerance. In the reproduction process, the fuzzy extractor recovers the original biometric key data for noisy biometrics using a helper string. The fuzzy extractor consists of Gen (generate) and Rep (reproduce).

  • Gen(BIOi)=(Ri,Pi). This probabilistic algorithm takes a biometric template BIOi as an input and then outputs a biometric key Ri, which is a uniform and random string, and a helper string Pi. Ri can be the same under the assistance of Pi even if the biometric information changes slightly.

  • Rep(BIOi,Pi)=(Ri). This deterministic algorithm takes noisy biometric information BIOi and a helper string Pi as inputs, then reproduces the biometric key Ri. To reproduce the same Ri, the metric space distances between BIOi and BIOi have to meet the given verification threshold.

2.4. Network Model

  • Ui: A user who receives a smart card from GWN and uses it to access multiple servers. After a successful authentication process with Sj, the user is given access to mobile services. Furthermore, the user’s smart card is not tamper-resistant and can be lost or stolen by an adversary.

  • Sj: A sensor node that collects information and provides services to users who successfully complete the authentication process. Sensors are not equipped with tamper-resistant hardware due to cost constraints, thus an adversary will know all of the keying materials stored in that sensor’s memory.

  • GWN: A trusted third-party that generates system parameters. It provides smart cards to users and pre-shared keys to sensors. GWN is assumed to be trustworthy and never compromised by an adversary.

2.5. Security Requirements

According to recent studies [24,25], the user authentication scheme for WSNs should satisfy the following security requirements: (1) mutual authentication: the user Ui and the sensor node Sj should authenticate each other with the help of the gateway node GWN; (2) anonymity: any adversary A should not be able to obtain the real identity of the user Ui; (3) session key generation: after executing the authentication and key agreement phase, the user Ui and the sensor node Sj should generate a session key; (4) unconstrained by GWN: the GWN should not have or be able to compute the registered user’s information, such as the password and biometric template; (5) attack resistance: the scheme should withstand various attacks, such as off-line identity/password guessing, impersonation, smart card loss, man-in-the-middle and reply attacks; (6) efficient password update: it is required to change or update the users’ password without the participation of GWN.

3. Review of Chang et al.’s Authentication and Key Agreement Scheme

In this section, we review Chang et al.’s authenticated key agreement scheme. It comprises four phases: registration, login, authentication and key agreement, as well as password change.

3.1. Registration Phase

  • Step 1:

    Ui chooses IDi,pwi and a random number RNr, then computes HPWi=h(pwi||RNr) and sends {IDi,HPWi} to GWN via a secure channel.

  • Step 2:

    GWN computes HIDi=h(IDi||K), XSi=h(HIDi||K), Ai=h(HPWi||XSi)HIDi, Bi=h(HPWiXSi), Ci=XSih(IDS||HPWi). Then, GWN sends the smart card SCi=(IDS,h(·),Ai,Bi,Ci,TIDi) to Ui via a secure channel. GWN stores (TIDi,TIDi,HIDi) in its storage, where TIDi=RNG, RNG is a nonce, and TIDi=, where TIDi= means TIDi contains nothing.

  • Step 3:

    Ui computes XPWi=h(pwi)RNr and inserts it into SCi.

3.2. Login Phase

  • Step 1:

    Ui inputs IDi* and pwi* into SCi.

  • Step 2:

    SCi computes RNr*=h(pwi*)XPWi, HPWi*=h(pwi*||RNr*), XSi*=Cih(IDS||HPWi*), Bi*=h(HPWi*XSi*. Then, SCi verifies Bi*=?Bi. If it is valid, SCi computes ki=h(XSi*||Ti), DIDi=h(HPWi*||XSi*)ki, MUi,G=h(Ai||XSi*||Ti), where Ti is the timestamp.

  • Step 3:

    Ui sends {DIDi,MUi,G,Ti,TIDi} to GWN.

3.3. Authentication and Key Agreement Phase

  • Step 1:

    GWN checks the validity of Ti and retrieves HIDi from TIDi. Then, GWN computes XSi=h(HIDi||K), ki=h(XSi||Ti), X*=DIDiki, MUi,G*=h((X*HIDi)||XSi||Ti), then checks MUi,G*=?MUi,G. If it is correct, GWN computes XSj=h(SIDj||K), MG,Sj=h(DIDi||SIDj||XSj||TG), then sends {DIDi,MG,Sj,TG} to Sj, where TG is the timestamp.

  • Step 2:

    Sj checks the validity of TG and computes MG,Sj*=h(DIDi||SIDj||XSj*||TG), then checks MG,Sj*=?MG,Sj. If it is successful, Sj computes kj=h(XSj||Tj), Zi=MG,Sj*kj, KS=f(DIDi,kj), MSj,G=h(Zi||XSj*||Tj), then sends {MSj,G,Tj} to GWN, where Tj is the timestamp.

  • Step 3:

    GWN checks the validity of Tj and computes kj=h(XSj||Tj), Zi*=MG,Sj*kj, MSj,G*=h(Zi||XSj*||Tj), then checks MSj,G*=?MSj,G. If it is correct, GWN computes MG,Ui=h(DIDi||MUi,G*||kj||XXi||TG), yi=kjh(ki), TIDinew=h(HIDi||Ti), then sends {yi,MG,Ui,TG}, where TG is the timestamp. Additionally, GWN updates (TIDi,TID) as (TIDinew,TIDi).

  • Step 4:

    Ui checks the validity of TG and computes kj=yih(ki), MG,Ui*=h(DIDi||MUi,G||kj||XSi||TG), then checks MG,Ui*=?MG,Ui If it is correct, Ui computes KS=f(DIDi,kj) and updates TIDi as h(HIDi||Ti).

3.4. Password Change Phase

  • Step 1:

    Ui inputs {IDi*,pwi*,pwni} into SCi, where pwni is a new password.

  • Step 2:

    The smart card computes RNr*=h(pwi*)XPWi, HPWi*=h(pwi*||RNr*), XSi*=Cih(IDs||HPWi*), Bi*=h(HPWi*XSi*), then checks Bi*=?Bi. If it is correct, SCi computes updated values HPWni=h(pwni||RNr*), Ani=Aih(HPWi*||XSi*)h(HPWni||XSi*), Bni=h(HPWniXSi*), Cni=XSi*h(IDS||HPWni. Then, SCi replaces (Ai,Bi,Ci) with (Ani,Bni,Cni).

4. Security Weaknesses of Chang et al.’s Scheme

In this section, we analyze the security weaknesses of Chang et al.’s scheme [14]. Chang et al. cryptanalyzed Kim et al.’s scheme [13] and improved it by providing enhanced security properties. They claimed that their protocol could withstand various attacks. However, we show that their protocol is vulnerable to off-line password guessing attacks and does not provide perfect forward secrecy. We also show that their protocol cannot satisfy accurate password change. The capabilities of an adversary A [25] throughout this paper are as follows:

  • An adversary A can be either a user or a sensor node, but not a gateway node [26].

  • An adversary A has total control over the public communication channel. Thus, the adversary can intercept, insert, delete or modify any message transmitted via a public channel.

  • An adversary A may steal a user’s smart card and extract the information stored in it by means of analyzing the power consumption [27].

  • An adversary A can easily guess low-entropy passwords in an off-line manner, but the guessing of two secret parameters is computationally infeasible in polynomial time [28].

4.1. Off-Line Password Guessing Attack

Previous works [27] demonstrated that smart cards could be vulnerable to side channel attack, i.e., A could extract the information stored in the smart card SCi. A chooses an arbitrary password pwi*, then computes to guess a correct password as follows:

RNr*=XPWih(pwi*)HPWi*=h(pwi*||RNr*)XSi*=Cih(IDS||HPWi*)Bi*=h(HPWi*XSi*)verifiesBi*=?Bi

If they are equal, A finds the correct password. Otherwise, A guesses another pwi* and repeats the steps listed above until the correct password is found. In practical applications, people usually choose an easy-to-remember password for convenience, thus passwords could come from a very small dictionary. Therefore, A could find the correct password using a brute-force attack.

Even though Chang et al. has claimed that it is secure, once A guesses the password correctly, A can launch various attacks, such as impersonation, stolen verifier and lost smart card attacks. This is due to the fact that the scheme uses only a password to check the validity of users. Therefore, it is crucial to protect password guessing attacks and use various authentication factors to check the validity of users.

4.2. Lack of Perfect Forward Secrecy

In Chang et al.’s scheme, session key KS is computed as h(DIDi,kj). Once a long-term key of Sj, XSj, is disclosed to A, A can compute previous session keys as follows:

  • Step 1:

    A intercepts and stores all messages exchanged in previous sessions, such as DIDi and Ti.

  • Step 2:

    A computes kj=h(XSj||Tj), then finally retrieves a previous session key KS=f(DIDi,kj).

This result indicates that Chang et al.’s scheme does not provide perfect forward secrecy. Furthermore, A who knows XSj also can compute present and future session keys by intercepting messages via the public channel, indicating that Chang et al.’s scheme does not provide backward secrecy.

4.3. Incorrectness of Password Change

Chang et al.’s adopted Kim et al.’s password change phase; however, we found out that Kim et al.’s password update is not suitable for Chang et al.’s scheme. We demonstrate the incorrectness of the password change phase as follows:

  • Step 1:

    Once the user performs the password change phase, the previous password pwi is changed into pwni, and information in the smart card, (Ai,Bi,Ci), is replaced with (Ani,Bni,Cni).

  • Step 2:

    Then, the user performs the login phase using the new password pwni; however, Ui is not allowed to access for not computing the proper RNr from XPWi. XPWi is not updated in the password change phase; therefore, RNr*=XPWih(pwni*)RNr and, finally, Bi*Bi.

In addition, it is of no use to update the password if the password is revealed even one time because no other information, such as identity, is required to login and change the password. Therefore, regardless of whether a user changes the password, A can also change the password and be verified by the smart card.

5. The Proposed Three-Factor Authentication and Key Agreement Scheme

In this section, we propose a secure three-factor authentication and key agreement scheme for WSNs to overcome the security weaknesses in Chang et al.’s scheme. Based on Kim et al. and Chang et al.’s schemes, the proposed scheme provides better security functionality by using biometric information of the user and makes up for the password update inaccuracy. The proposed scheme consists of four phases: registration, login, authentication and key agreement and password change. The details of each phase are presented as follows.

5.1. Registration Phase

A user Ui registers the identity and password to GWN, then GWN generates a smart card SCi for Ui and sends it to Ui through a secure channel. Likewise, a sensor node Sj is distributed with (SIDj,XSj), where XSj=h(SIDj||K). Figure 1 illustrates the registration phase, which is performed as follows:

  • Step 1:

    UiGWN : {IDi,HPWi}

    Ui chooses IDi and pwi and imprints BIOi, then Ui computes (Ri,Pi)=Gen(BIOi) and HPWi=h(pwi||Ri) and sends {IDi,HPWi} to GWN through a secure channel.

  • Step 2:

    GWNUi : SCi={h(·),Ai,Bi,Ci,TIDi}

    GWN computes HIDi=h(IDi||K), XSi=h(HIDi||K)), Ai=h(HPWi||XSi)HIDi, Bi=h(HPWiXSi), Ci=XSih(IDi||HPWi).

  • Step 3:

    GWN stores parameters (TIDi,TIDi,HIDi), where TIDi=RNG (RNG is a nonce); TIDi=. TIDi is empty at first time because TIDi has not been updated; however, this parameter is required to check the correctness of the received TIDi and retrieve HIDi safely when GWN does not find a proper updated TIDi in the case of an unsuccessful update process.

    Then, GWN issues the smart card SCi={h(·),Ai,Bi,Ci,TIDi} and sends it to Ui through a secure channel.

Figure 1.

Figure 1

Registration phase.

5.2. Login Phase

When Ui tries to access the Sj, the login request is launched at first by Ui with SCi. Figure 2 illustrates the login phase, which is performed as follows:

  • Step 1:

    Ui inserts SCi, inputs IDi*, pwi* and imprints BIOi*.

  • Step 2:

    SCi computes Ri*=Rep(BIOi*,Pi), HPWi*=h(pwi*||Ri*), XSi*=Cih(IDi*||HPWi*), Bi*=h(HPWi*XSi*). Then, SCi verifies Bi*=?Bi. If it is correct, SCi generates a random number aZp* and computes Xi=aP, ki=h(XSi*||Ti), DIDi=h(HPWi*||XSi*)ki, MUi,G=h(Ai||XSi*||Xi||Ti), where Ti is the current timestamp.

  • Step 3:

    Ui sends the login request message {DIDi,Xi,MUi,G,Ti,TIDi} to GWN.

Figure 2.

Figure 2

Login phase.

5.3. Authentication and Key Agreement Phase

In this phase, Ui and Sj authenticate each other and generate a common session key SK by the help of GWN. The trusted party GWN is interconnected with Ui and Sj, respectively, and helps to establish a session key between Ui and Sj; however, GWN is not able to derive the session key. Figure 3 illustrates the authentication and key agreement phase, which is performed as follows:

  • Step 1:

    GWNSj : {DIDi,Xi,MG,Sj,TG}

    After receiving {DIDi,Xi,MUi,G,Ti,TIDi}, GWN checks the validity of Ti and retrieves HIDi from TIDi. If no TIDi is found, GWN checks TIDi. If it still is not found, GWN rejects the login request; otherwise, GWN computes XSi=h(HIDi||K) and ki=h(XSi||Ti). Then, GWN verifies MUi,G=?h((DIDikiHIDi)||XSi||Xi||Ti). If it is valid, GWN authenticates Ui and computes MG,Sj=h(DIDi||SIDj||XSj||Xi||TG), then sends {DIDi,Xi,MG,Sj,TG} to Sj, where TG is the current timestamp.

  • Step 2:

    SjGWN : {MSj,G,Yj,Tj}

    After receiving {DIDi,Xi,MG,Sj,TG}, Sj checks the validity of TG and verifies MG,Sj=?h(DIDi||Xi||XSj*||TG) using its stored secret value XSj*=h(SIDj||K). If it is valid, Sj authenticates GWN and computes kj=h(XSj*||Tj), Zi=MG,Sjkj, where Tj is the current timestamp. Then, Sj generates a random number bZp* and computes Yj=bP and a session key SK=kji=h(DIDi||kj||bXi). Finally, Sj computes (MSj,G=h(Zi||XSj*||Xi||Yj||Tj)) and sends {MSj,G,Yj,Tj} to GWN.

  • Step 3:

    GWNUi : {ei,MG,Ui,Yi,TG}

    After receiving {MSj,G,Yi,Tj}, GWN checks the validity of Tj, computes kj=h(XSj||Tj), Zi*=MG,Sj*kj and verifies MSj,G=?h(Zi*||XSj||Xi||Yj||Tj). If it is valid, GWN authenticates Sj and computes ei=kjh(ki), (MG,Ui=h(DIDi||MUi,G||kj||XSi||Xi||Yj||TG)), TIDinew=h(HIDi||Ti), where TG is the current timestamp. Then, GWN sends {ei,MG,Ui,Yi,TG} to Ui and updates (TIDi,TIDi) as (TIDinew,TIDi) in its storage.

  • Step 4:

    After receiving {ei,MG,Ui,Yi,TG}, Ui checks the validity of TG, computes kj*=eih(ki*) and verifies MG,Ui=?h(DIDi||MUi,G||kj*||XSi||Xi||Yj||TG). If it is valid, Ui computes the session key SK=kij=h(DIDi||kj||aYi). Finally, Ui updates TIDi as h(HIDi||Ti).

Figure 3.

Figure 3

Authentication and key agreement phase.

5.4. Password Change Phase

When Ui wants to change pwi with the new pwni, Ui performs the password change phase. Figure 4 illustrates the password change phase, which is performed as follows:

  • Step 1:

    Ui imprints BIOi* and computes Ri*=Rep(BIOi*,Pi), then inputs {IDi*,Ri*,pwi*,pwni} into SCi.

  • Step 2:

    SCi computes HPWi*=h(pwi*||Ri*), XSi*=Cih(IDi*||HPWi*), Bi*=h(HPWi*XSi*). Then, SCi verifies Bi*=Bi to check the validity of Ui. If it is correct, SCi computes updated values HPWni=h(pwni||Ri*), Ani=Aih(HPWi||XSi*)h(HPWni||XSi*), Bni=h(HPWniXSi*), Cni=XSi*h(IDi*||HPWni). Then, SCi replaces (Ai,Bi,Ci) with (Ani,Bni,Cni).

Figure 4.

Figure 4

Password change phase.

6. Analysis

In this section, we describe an analysis of our proposed authentication and key agreement scheme with respect to security and efficiency. We assume that the capabilities of the adversary are the same as those from our cryptanalysis of Chang et al.’s scheme in Section 4. We first prove the security of our scheme with BAN logic [21], then analyze the proposed scheme based on the security requirements for WSNs.

6.1. Proof of Authentication and Key Agreement Based on BAN Logic

Recently, security analyses about authentication and key agreement schemes in WSNs have been conducted using the BAN logic, which is a method to prove the security of mutual authentication and a session key [25,29]. In this section, we analyze the security of our proposed authentication scheme with BAN logic [21]. Table 2 illustrates notations used in BAN logic.

Table 2.

BAN logic notations.

Notations Meaning
PX P believes X
PX P sees X
PX P once said X
PX P has jurisdiction over X
#(X) X is fresh
PKQ P and Q may use the shared key K
SK The session key shared between two principals
XY X combined with the formula Y
(X)K X hashed under the key K
{X}K X encrypted under the key K
  1. The BAN logic postulates:
    • (a)
      Message meaning rule:
      P believes QKP,P sees {X}KP believes Q said X
    • (b)
      Nonce-verification rule:
      P believes fresh (X),P believes Q said XP believes Q believes X
    • (c)
      Jurisdiction rule:
      P believes Q controls X,P believes Q believes XP believes X
    • (d)
      Freshness-conjuncatenation rule:
      P believes fresh (X)P believes fresh (X,Y).
  2. Security goals:

    The proposed scheme should satisfy the following goals:
    • g1.
      Ui|UiSKSj
    • g2.
      Sj|UiSKSj
    • g3.
      Ui|Sj|UiSKSj
    • g4.
      Sj|Ui|UiSKSj
  3. Idealized scheme:

    We transform our scheme into the idealized form as follows:
    • Msg1.
      UiGWN:(DIDi,K,Xi,Ti)HIDi
    • Msg2.
      GWNSj:(DIDi,SIDj,K,Xi,TG)XSj
    • Msg3.
      SjGWN:(DIDi,SIDj,K,Xi,Yi,Tj)XSj
    • Msg4.
      GWNUi:(DIDi,kj,K,Xi,Yi,TG)HIDi
  4. Initiative premises:

    We make the assumptions about the initial state of the scheme to analyze the proposed scheme as follows.
    • p1.
      GWN|#(Ti)
    • p2.
      GWN|#(Tj)
    • p3.
      Sj|#(TG)
    • p4.
      Ui|#(TG)
    • p5.
      GWN|GWNXSjSj
    • p6.
      Sj|GWNXSjSj
    • p7.
      Ui|UiHIDiGWN
    • p8.
      GWN|UiHIDiGWN
    • p9.
      Ui|SjUiSKSj
    • p10.
      Sj|UiUiSKSj
      (The meanings of p9 and p10 are different from g3 and g4. p9 and p10 are not the goals that we want to deduce. These are widely-used premises as done in [29,30,31,32].)
  5. Security analysis of the idealized form of the proposed scheme:
    • a1.
      According to Msg1, we could get:
      s1:GWN(DIDi,K,Xi,Ti)HIDi
    • a2.
      According to p8, we apply the message-meaning rule to obtain:
      s2:GWN|Ui|(DIDi,K,Xi,Ti)HIDi
    • a3.
      According to p1, we apply the freshness-conjuncatenation rule to obtain:
      s3:GWN|#(DIDi,K,Xi,Ti)HIDi
      Then, from s2 and s3, we apply the nonce-verification rule to obtain:
      s4:GWN|Ui|(DIDi,K,Xi,Ti)HIDi
    • a4.
      According to Msg2, we could get:
      s5:Sj(DIDi,SIDj,K,Xi,TG)XSj
    • a5.
      According to p6, we apply the message-meaning rule to obtain:
      s6:Sj|GWN|(DIDi,SIDj,K,Xi,TG)XSj
    • a6.
      According to p3, we apply the the freshness-conjuncatenation rule to obtain:
      s7:Sj|#(DIDi,SIDj,K,Xi,TG)XSj
      Then, from s6 and s7, we apply the nonce-verification rule to obtain:
      s8:Sj|GWN|(DIDi,SIDj,K,Xi,TG)XSj
    • a7.
      According to Msg3, we could get:
      s9:GWN(DIDi,SIDj,K,Xi,Yi,Tj)XSj
    • a8.
      According to p5, we apply the message-meaning rule to obtain:
      s10:GWN|Sj|(DIDi,SIDj,K,Xi,Yi,Tj)XSj
    • a9.
      According to p2, we apply the the freshness-conjuncatenation rule to obtain:
      s11:GWN|#(DIDi,SIDj,K,Xi,Yi,Tj)XSj
      Then, from s10 and s11, we apply the nonce-verification rule to obtain:
      s12:GWN|Ui|(DIDi,SIDj,K,Xi,Yi,Tj)XSj
    • a10.
      According to Msg4, we could get:
      s13:Ui(DIDi,kj,K,Xi,Yi,TG)HIDi
    • a11.
      According to p7, we apply the message-meaning rule to obtain:
      s14:Ui|GWN|(DIDi,kj,K,Xi,Yi,TG)HIDi
    • a12.
      According to p4, we apply the the freshness-conjuncatenation rule to obtain:
      s15:Ui|#(DIDi,kj,K,Xi,Yi,TG)HIDi
      Then, from s14 and s15, we apply the nonce-verification rule to obtain:
      s16:Ui|GWN|(DIDi,kj,K,Xi,Yi,TG)HIDi
    • a13.
      Because SK=h(DIDi||kj||bXi), according to s16 and s12, we could produce:
      s17:Ui|Sj|UiSKSj(Goal3)
      Likewise, SK=h(DIDi||kj||aYi), according to s8 and s4, we could produce:
      s18:Sj|Ui|UiSKSj(Goal4)
    • a14.
      According to s17 and p9, we apply the jurisdiction rule to produce:
      s19:Ui|UiSKSj(Goal1)
      Likewise, according to s18 and p10, we apply the jurisdiction rule to produce:
      s20:Sj|UiSKSj(Goal2)

    According to Goal 1, Goal 2, Goal 3 and Goal 4, we conclude that both Ui and Sj believe they share the session key.

6.2. Security Analysis against Various Attacks

  • User anonymity and untraceability: Our scheme provides anonymity of users. The user Ui does not reveal a real identity IDi in open channels; instead, GWN generates and sends a pseudonym identity TIDi=HIDi=RNG to Ui in the registration phase and updates it as TIDi=h(HIDi||Ti) before finalizing the session. The identity is dynamic for every session; thus, an adversary A cannot obtain the user’s true identity. The proposed scheme also provides untraceability by having all messages used in the session satisfy a freshness requirement. Therefore, A cannot trace the user.

  • Perfect forward secrecy: A session key SK is computed as h(DIDi||kj||abP). Even though the long-term private keys XSi and XSj are disclosed to A, he/she cannot compute previous session keys, because it is hard to compute abP using Xi and Yi due to the difficulty of ECDH. Thus, A cannot compute previous session keys using long-term private keys. Therefore, our scheme provides forward secrecy.

  • Mutual authentication: In our scheme, Ui and GWN authenticate each other, and GWN and Sj authenticate each other, respectively. GWN authenticates Ui by checking MUi,G=?h((DIDikiHIDi)||XSi||Xi||Ti). A needs to compute XSi and ki to reconstruct MUi,G; however, only a legal user can compute those values. Ui authenticates GWN by checking (MG,Ui=h(DIDi||MUi,G||kj||XSi||Xi||Yj||TG)). A needs to compute kj* and XSi to reconstruct (MG,Ui; however, only a legal GWN can compute those values. Therefore, Ui and GWN mutually authenticate. Similarly, Sj authenticates GWN by checking MG,Sj, and GWN authenticates Sj by checking MSj,G. Additionally, only legal Sj and GWN can reconstruct them, then authenticate mutually. Therefore, our scheme provides proper mutual authentication.

  • Off-line password guessing attack: A may attempt to guess the password pwi by extracting the values stored in the smart card SCi. A could guess correctly if he/she generates a series of equations and computes the valid Bi using guessing passwords. However, A is required to know the biometric information of the user, which cannot be forged, for generating equations. Therefore, it is infeasible to correctly guess the user’s password in our scheme.

  • Smart card loss attack: A can extract values in the smart card by means of power analysis and other techniques. Suppose A obtains the user’s smart card and extracts stored parameters {h(·),Ai,Bi,Ci,TIDi}. From these values, A cannot obtain any useful information because the parameters are safeguarded with a one-way hash function, and TIDi is just a nonce. Furthermore, A may attempt to log in by generating a login request message. However, A cannot even pass the login phase and generate a valid login request message without proper IDi, pwi and Bi. Therefore, the proposed scheme withstands smart card loss attacks.

  • User impersonation attack: A who somehow possesses a valid smart card SCi of Ui and wants to access Sj is required to generate and send a valid login request message {DIDi,Xi,MUi,G,Ti,TIDi} to GWN. A must know HPWi and XSi to compute these values. However, in our scheme, IDi,pwi and Ri are not revealed. Thus, A cannot compute the temporal key ki and generate a valid login request message. Therefore, our scheme is secure against the user impersonation attack.

  • Man-in-the-middle attack and replay attack: A who knows public channel information and has the smart card SCi of Ui may attempt to establish a secure channel with Sj. However, A cannot authenticate with GWN because A cannot generate a valid login request message, as mentioned above. In addition, those messages captured in a public channel are refreshed in every session, so that A cannot use them repeatedly. Therefore, our scheme withstands man-in-the-middle and replay attacks.

  • Stolen verifier attack: A who obtains the verifier table of GWN may attempt to attack users to gain some advantages. However, A still cannot compute HPWi, XSi and ki and will fail to pass the login phase. Of course, A will fail to compute a login request message without pwi and Ri. Therefore, even if A has the verifier table, our protocol withstands stolen verifier attacks.

  • Known-key attack: A session key SK is computed as h(DIDi||kj||abP), and DIDi, kj and abP are independent in each session. Though A, who somehow possesses each value, attempts to generate other session keys, he/she will find that they cannot successfully derive valid session keys. Therefore, our proposed scheme withstands known-key attacks.

We compare the functionality features of the proposed scheme with related user authentication schemes for WSNs in Table 3. ∘ denotes that the scheme provides the property; × denotes that the scheme does not provide the property; Δ denotes that the scheme does not provide the property when off-line password guessing attacks succeed; − denotes that the scheme does not concern the property.

Table 3.

Comparisons of the functionality features. ECC, elliptic curve cryptosystem.

Kim et al.’ Scheme [13] Chang et al.’ Scheme [14] Yoon and Yoo’s Scheme [15] Choi et al.’ Scheme [18] Proposed Scheme
Provides user anonymity × × ×
Provides user untraceability × Δ × ×
Provides forward secrecy × ×
Provides secure password update ×
Provides mutual authentication
Resists off-line password guessing attack × ×
Resists user impersonation attack × Δ ×
Resists lost smart card attack × Δ
Resists stolen verifier attack × Δ
Resists man-in-the-middle attack × Δ
Resists replay attack
Resist biometric recognition error ×
Usage of biometrics × ×
Usage of ECC × ×

6.3. Performance Comparisons

In Table 4, we compare the computational cost with related schemes. Th denotes the computation time for the hash function; Tx denotes the XOR operation; TF denotes the fuzzy extraction; TE denotes the ECC multiplication; Tenc denotes the encryption/decryption. The computation cost of ours is a bit higher than [13,14] because of the usage of biometrics and ECC, but it is considered to be operationally viable in WSNs [15,18]. Additionally, our proposed scheme provides the enhanced security functionalities and is secure against various attacks.

Table 4.

Comparisons of the computation costs.

Scheme Computation Cost
Registration Login & Authentication Total
Kim et al.’s [13] User 2Th+Tx 9Th+9Tx 11Th+10Tx
GWN 6Th+3Tx 8Th+8Tx 14Th+11Tx
Sensor 0 2Th+2Tx 2Th+2Tx
Chang et al.’s [14] User 2Th+Tx 9Th+5Tx 11Th+6Tx
GWN 5Th+3Tx 10Th+4Tx 15Th+7Tx
Sensor 0 4Th+Tx 4Th+Tx
Yoon and Yoo’s [15] User Th 3Th+2Tx+2TE 4Th+2Tx+2TE
GWN 2Th+2Tx 4Th 6Th+2Tx
Sensor 0 3Th+2TE 3Th+2TE
Choi et al.’s [18] User Th+TF 10Th+2Tx+TF+Tenc+2TE 11Th+2Tx+2TF+Tenc+2TE
GWN 3Th+3Tx 10Th+Tx+2Tenc 13Th+4Tx+2Tenc
Sensor 0 6Th+Tenc+2TE 6Th+Tenc+2TE
Proposed User Th+TF 9Th+4Tx+TF+2TE 10Th+4Tx+2TF+2TE
GWN 5Th+3Tx 11Th+4Tx 16Th+7Tx
Sensor 0 4Th+Tx+2TE 4Th+Tx+2TE

7. Conclusions

To provide improved security functionality for mobile services in WSNs, several user authentication and key agreement schemes have been proposed in the last few years. However, most of them cannot provide secure authentication and are vulnerable to security attacks.

In this paper, we analyzed the security weaknesses of Chang et al.’s scheme and found that it is vulnerable to off-line password guessing attacks and does not provide forward secrecy and accurate password updates. To address the security problems, we proposed a biometric-based user authentication and key agreement scheme. The proposed scheme withstands the security attacks described above and provides better security functionality than previous schemes by using biometric information and ECC. In addition, we provided security and efficiency analyses, which demonstrated that the proposed protocol is more secure than the previous schemes and operationally viable in WSNs.

Acknowledgments

This study was supported by the BK21 Plus project funded by the Ministry of Education, Korea (21A20131600011).

Author Contributions

YoHan Park and YoungHo Park found the problems in the related schemes for WSNs, analyzed the vulnerabilities of the related schemes, designed the improved scheme, proved the security of proposed scheme and wrote the manuscript.

Conflicts of Interest

The authors declare no conflict of interest.

References

  • 1.Akyildiz I.F., Su W., Sankarasubramaniam Y., Cayirci E. A survey on sensor networks. IEEE Commun. Mag. 2002;40:102–114. doi: 10.1109/MCOM.2002.1024422. [DOI] [Google Scholar]
  • 2.Yick J., Mukherjee B., Ghosal D. Wireless sensor network survey. Comput. Netw. 2008;52:2292–2330. doi: 10.1016/j.comnet.2008.04.002. [DOI] [Google Scholar]
  • 3.Gubbi J., Buyya R., Marusic S., Palaniswami M. Internet of Things (IoT): A vision, architectural elements, and future directions. Futur. Gene Comput. Syst. 2013;29:1645–1660. doi: 10.1016/j.future.2013.01.010. [DOI] [Google Scholar]
  • 4.Pathan A.S.K., Lee H.W., Hong C.S. Security in wireless sensor networks: Issues and challenges; Proceedings of the 8th International Conference Advanced Communication Technology (ICACT); Phoenix Park, Korea. 20–22 February 2006; pp. 1043–1048. [Google Scholar]
  • 5.Perrig A., Stankovic J., Wagner D. Security in wireless sensor networks. ACM Commun. 2004;47:53–57. doi: 10.1145/990680.990707. [DOI] [Google Scholar]
  • 6.Al Ameen M., Liu J., Kwak K. Security and privacy issues in wireless sensor networks for healthcare applications. J. Med. Syst. 2012;36:93–101. doi: 10.1007/s10916-010-9449-4. [DOI] [PMC free article] [PubMed] [Google Scholar]
  • 7.Wong K.H., Zheng Y., Cao J., Wang S. A dynamic user authentication scheme for wireless sensor networks; Proceedings of the IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing; Taichung, Taiwan. 5–7 June 2006; pp. 1–8. [Google Scholar]
  • 8.Das M.L. Two-factor user authentication scheme in wireless sensor networks. IEEE Trans. Wirel. Commun. 2009;8:1086–1090. doi: 10.1109/TWC.2008.080128. [DOI] [Google Scholar]
  • 9.He D., Gao Y., Chan S., Chen C., Bu J. An enhanced two-factor user authentication scheme in wireless sensor networks. Ad Hoc Sens. Wirel. Netw. 2010;10:361–371. [Google Scholar]
  • 10.Khan M.K., Alghathbar K. Cryptanalysis and security improvements of two-factor user authentication in wireless sensor networks. Sensors. 2010;10:2450–2459. doi: 10.3390/s100302450. [DOI] [PMC free article] [PubMed] [Google Scholar]
  • 11.Chen T.H., Shih W.K. A robust mutual authentication protocol for wireless sensor networks. ETRI J. 2010;32:704–712. doi: 10.4218/etrij.10.1510.0134. [DOI] [Google Scholar]
  • 12.Vaidya B., Makrakis D., Mouftah H. Two-factor mutual authentication with key agreement in wireless sensor networks. Secur. Commun. Netw. 2016;9:171–183. doi: 10.1002/sec.517. [DOI] [Google Scholar]
  • 13.Kim J., Lee D., Jeon W., Lee Y., Won D. Security analysis and improvements of two-factor mutual authentication with key agreement in wireless sensor networks. Sensors. 2014;14:6443–6462. doi: 10.3390/s140406443. [DOI] [PMC free article] [PubMed] [Google Scholar]
  • 14.Chang I.P., Lee T.F., Lin T.H., Liu C.M. Enhanced two-factor authentication and key agreement using dynamic identities in wireless sensor networks. Sensors. 2015;15:29841–29854. doi: 10.3390/s151229767. [DOI] [PMC free article] [PubMed] [Google Scholar]
  • 15.Yoon E.J., Yoo K.Y. A biometric-based authenticated key agreement scheme using ECC for wireless sensor networks; Proceedings of the 29th Annual ACM Symposium on Applied Computing; Gyeongju, Korea. 24–28 March 2014; pp. 699–705. [Google Scholar]
  • 16.Das A.K. A secure and efficient user anonymity-preserving three-factor authentication protocol for large-scale distributed wireless sensor networks. Wirel. Pers. Commun. 2015;82:1377–1404. doi: 10.1007/s11277-015-2288-3. [DOI] [Google Scholar]
  • 17.Das A.K. A secure and effective biometric-based user authentication scheme for wireless sensor networks using smart card and fuzzy extractor. Int. J. Commun. Syst. 2015;2015:1–25. doi: 10.1002/dac.2933. [DOI] [Google Scholar]
  • 18.Choi Y., Lee Y., Won D. Security improvement on biometric based authentication scheme for wireless sensor networks using fuzzy extraction. Int. J. Dist. Sens. Netw. 2016;8572410:1–16. doi: 10.1155/2016/8572410. [DOI] [Google Scholar]
  • 19.Park Y., Lee S., Kim C., Park Y. Secure biometric-based authentication scheme with smart card revocation/reissue for wireless sensor networks. Int. J. Dist. Sens. Netw. 2016;12:1–11. doi: 10.1177/1550147716658607. [DOI] [Google Scholar]
  • 20.Li C.T., Hwang M.S. An efficient biometric-based remote authentication scheme using smart cards. J. Netw. Comp. Appl. 2010;33:1–5. doi: 10.1016/j.jnca.2009.08.001. [DOI] [Google Scholar]
  • 21.Burrows M., Abadi M., Needham R.M. A logic of authentication. Proc. R. Soc. Lond. A Math. Phys. Eng. Sci. 1989;426:233–271. doi: 10.1098/rspa.1989.0125. [DOI] [Google Scholar]
  • 22.Lu R., Cao Z., Chai Z., Liang X. A Simple User Authentication Scheme for Grid Computing. IJ Netw. Sec. 2008;7:202–206. [Google Scholar]
  • 23.Dodis Y., Reyzin L., Smith A. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data; Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques; Interlaken, Switzerland. 2–6 May 2004; pp. 523–540. [Google Scholar]
  • 24.Tan Z. A user anonymity preserving three-factor authentication scheme for telecare medicine information systems. J. Med. Syst. 2014;38:1–9. doi: 10.1007/s10916-014-0016-2. [DOI] [PubMed] [Google Scholar]
  • 25.Jung J., Kim J., Choi Y., Won D. An Anonymous User Authentication and Key Agreement Scheme Based on a Symmetric Cryptosystem in Wireless Sensor Networks. Sensors. 2016;16:1299. doi: 10.3390/s16081299. [DOI] [PMC free article] [PubMed] [Google Scholar]
  • 26.Yeh H.L., Chen T.H., Liu P.C., Kim T.H., Wei H.W. A secured authentication protocol for wireless sensor networks using elliptic curves cryptography. Sensors. 2011;11:4767–4779. doi: 10.3390/s110504767. [DOI] [PMC free article] [PubMed] [Google Scholar]
  • 27.Kocher P., Jaffe J., Jun B. Differential power analysis; Proceedings of the Advances in Cryptology-CRYPTO’99; Santa Barbara, CA, USA. 15–19 August 1999; pp. 388–397. [Google Scholar]
  • 28.Amin R., Biswas G.P. A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks. Ad Hoc Netw. 2016;36:58–80. doi: 10.1016/j.adhoc.2015.05.020. [DOI] [Google Scholar]
  • 29.He D., Kumar N., Chilamkurti N. A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Inf. Sci. 2015;321:263–277. doi: 10.1016/j.ins.2015.02.010. [DOI] [Google Scholar]
  • 30.Jiang Q., Kumar N., Ma J., Shen J., He D., Chilamkurti N. A privacy-aware two-factor authentication protocol based on elliptic curve cryptography for wireless sensor networks. Int. J. Netw. Manag. 2016 doi: 10.1002/nem.1937. [DOI] [Google Scholar]
  • 31.Lu Y., Li L., Yang X., Yang Y. Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards. PLoS ONE. 2015;10:e0126323. doi: 10.1371/journal.pone.0126323. [DOI] [PMC free article] [PubMed] [Google Scholar]
  • 32.Liu J., Li Q., Yan R., Sun R. Efficient authenticated key exchange protocols for wireless body area networks. EURASIP J. Wirel. Commun. Netw. 2015;2015:1–11. doi: 10.1186/s13638-015-0406-2. [DOI] [Google Scholar]

Articles from Sensors (Basel, Switzerland) are provided here courtesy of Multidisciplinary Digital Publishing Institute (MDPI)

RESOURCES