
A Temporal Credential-Based Mutual Authentication with Multiple-Password Scheme for Wireless Sensor Networks

  • Xin Liu,

    Affiliation School of information Science & Engineering, Lanzhou University, Lanzhou, China

  • Ruisheng Zhang ,

    zhangrs@lzu.edu.cn

    Affiliation School of information Science & Engineering, Lanzhou University, Lanzhou, China

  • Qidong Liu

    Affiliation School of information Science & Engineering, Lanzhou University, Lanzhou, China

Abstract

Wireless sensor networks (WSNs), which consist of a large number of sensor nodes, have become among the most important technologies in numerous fields, such as environmental monitoring, military surveillance, control systems in nuclear reactors, vehicle safety systems, and medical monitoring. The most serious drawback for the widespread application of WSNs is the lack of security. Given the resource limitation of WSNs, traditional security schemes are unsuitable. Approaches toward withstanding related attacks with small overhead have thus recently been studied by many researchers. Numerous studies have focused on the authentication scheme for WSNs, but most of these works cannot achieve the security performance and overhead perfectly. Nam et al. proposed a two-factor authentication scheme with lightweight sensor computation for WSNs. In this paper, we review this scheme, emphasize its drawbacks, and propose a temporal credential-based mutual authentication with a multiple-password scheme for WSNs. Our scheme uses multiple passwords to achieve three-factor security performance and generate a session key between user and sensor nodes. The security analysis phase shows that our scheme can withstand related attacks, including a lost password threat, and the comparison phase shows that our scheme involves a relatively small overhead. In the comparison of the overhead phase, the result indicates that more than 95% of the overhead is composed of communication and not computation overhead. Therefore, the result motivates us to pay further attention to communication overhead than computation overhead in future research.

Introduction

With the development of microelectronic, computer, and wireless communication techniques, multifunctional sensor nodes with small consumption have rapidly developed [1]. As a result, the Internet of Things has become increasingly popular. Wireless sensor networks (WSNs), which consist of a large number of sensor nodes (SNs), are widely used in various application fields, such as, environmental monitoring, military surveillance, nuclear-reactor control systems, vehicle safety systems, and medical monitoring [2, 3]. Although WSNs perform important functions in numerous application fields, the drawbacks of the network are evident. First, WSNs are often deployed in unattended environments [4] or enemy-controlled environments. Therefore, the networks are easily manipulated. Second, given their characteristics, WSNs consist of numerous resource-constrained nodes. The main limitation points are as follows [5]:

  1. Given the low data-transfer rate, the short communication distance, and the harsh environment deployment, the transmission of WSNs is unreliable and has higher energy costs.
  2. Owing to the small size of SNs, each node is supplied with a small battery. WSNs are, however, always deployed in unattended environments or enemy environments; therefore, energy supplementation is impracticable.
  3. As SNs use embedded processors and memory, only basic computation capacity is available for processing. Therefore, the technology is limited by low computation and storage capacity.

The security of WSNs is related to sensitive data and safety of patients, and it can even escalate to national security. Compared with traditional networks, however, WSNs are vulnerable to various related attacks. Unfortunately, the information transmitted in WSNs is highly important and sensitive, so adversaries can destroy WSNs or obtain confidential information from such networks. Therefore, the challenge and priority is to secure the performance of WSNs with small overhead, and this topic has recently been studied by many researchers. Authentication schemes have become the most important concern in the security of WSNs. In the last five years, numerous mutual-authentication and key agreement schemes have been published by researchers around the world and are discussed in the following subsection.

Related Work

The authentication scheme for WSNs has recently been studied by many professors, and several investigations have surveyed the security of WSNs [3, 6–13]. These studies have analyzed the main problems faced by WSN security research and classified authentication schemes into two types: scheme-based asymmetric encryption and scheme-based symmetric encryption. The majority of the schemes aim to achieve improved security performance with small overhead. Nam et al. [14] proposed an anonymous scheme with lightweight computation. The group used elliptic curve cryptography for better security and focused on user anonymity. Watro et al. [15] proposed a security scheme of mutual authentication with RSA cryptosystem and Diffie-Hellman key agreement. Wong et al. [16] proposed another password-based authentication scheme that only uses hash functions. The scheme proposed by Wong et al. is therefore more efficient than Watro et al.’s schemes. However, their scheme is vulnerable to numerous attacks, as proven by M. L. Das et al. [17], who proposed a two-factor scheme with a password and a smart card (SC). Although vulnerable to numerous attacks, the scheme prompted other researchers to improve the two-factor authentication for WSNs. Xue et al. [18] proposed temporal credential authentication for WSNs. This scheme allows the gateway nodes (GW) to issue a temporal credential to users and SNs for mutual authentication. The scheme is efficient because it only uses the hash function and XOR operation. Jiang et al. [19] concluded that Xue et al.’s scheme cannot withstand the privileged insider, weak stolen smart card, identity guessing, and tracking attacks. Then, Jiang et al. proposed a two-factor user authentication scheme with unlinkability for WSNs. Despite presenting an improvement on the weakness of Xue et al.’s approach, Jiang et al.’s scheme is also vulnerable to privileged insider attacks and presents several drawbacks, as proven by A. K. Das [20]. The scheme proposed by A. K. Das used biometrics as the third factor for user authentication and improved the weakness of the scheme by Xue et al. He et al. [21] also found drawbacks in Xue et al.’s scheme. Through their analysis, the team found that Xue et al.’s scheme is vulnerable to offline password guessing, user impersonation, and modification attacks. Thereafter, He et al. proposed a temporal credential authentication with pseudo identity for WSNs. The scheme proposed by Khan and Alghathbar [22] indicated that M. L. Das’s scheme cannot withstand bypassing attacks and is vulnerable to privileged insider attacks. Sun et al. [23] concluded that Khan and Alghathbar’s scheme is vulnerable to GW impersonation and other related attacks. Sun et al. proposed a scheme to improve the weakness of Khan and Alghathbar’s scheme and determined that their scheme had low overhead cost.

Key establishment is the central problem in authentication schemes [24]. Diffie and Hellman proposed the revolutionary introduction of the key establishment protocol [25] and Bellare and Rogaway proposed a model of authentication and key distribution that is widely accepted [26–28]. Choo et al. discovered that all secure key distribution protocols should use partnering definitions based on session identifiers [29] and that session identifiers should also be included within the protocol specification [30]; the secure protocols should construct the session keys using the identities of participants, unique session identifiers and ephemeral-long-term shared secrets [31]; and any entity authentication and key establishment protocol should provide rigorous proof of security based on their meticulous research [32]. They also carefully researched the subtle differences between the well-known models and contributed a better understanding of proof models for key establishment protocols [33]. Based on the careful study, Choo and Hitchcock proposed that the proof models allow different options for the key-sharing requirement in formulation [34]. Numerous researchers have worked on fulfilling this requirement, so listing these works in our paper is unnecessary.

Our Contribution

In this paper, we propose a temporal credential-based mutual authentication with a multiple-password scheme for WSNs. Comparison with other related works shows that our proposed scheme exhibits improved security performance with low overhead. The major contributions are described as follows.

  1. We perform user authentication without any GW consumption, which presents better efficiency and security performance, as proven by A. K. Das and Amin et al.’s research [20, 35]. They bind U with IDSC so that the scheme can reliably withstand D-DOS attacks that are launched by inputting wrong passwords [20] as well as withstand same-login ID attacks [22, 36].
  2. We use multiple passwords to authenticate the legality of the user identity. We select all user-inputting passwords, the sequence of passwords, and the number of passwords n as the factors to verify the identity of the user. This innovation not only presents the same security performance as the three-factor authentication based on biometrics but also exhibits a more efficient performance than biometric authentication. This approach overcomes several weaknesses of biometric authentication, which is unsuitable for WSNs. These disadvantages include high noise data rate, false non-match rate, false match rate, intraclass variations, non-universality, spoof attacks [37], high biometric error rate, stolen biometric features attacks [38], and high consumption [20, 39].
  3. Through detailed comparison, we found that communication overhead accounts for the majority of the overhead. Most of the related studies, which were concerned only with computation overhead, are not comprehensive. Therefore, more attention should be paid to communication overhead than to computation overhead to evaluate the performance of any scheme in future research.

Notations in This Paper

The notations used in this paper are described as follows.

  1. GW: a gateway node
  2. U: the user
  3. SN: the sensor node
  4. SC: the smart card of U
  5. : the adversary
  6. IDU: the identity of U
  7. IDGW: the identity of GW
  8. IDSC: the identity of SC
  9. IDSN: the identity of SN
  10. PWU: the password of U
  11. n: the number of passwords
  12. ki, kGW, kj: the secret numbers for U, GW, SN, respectively
  13. ei, PKGW, PKj: the protected information for the secret numbers of U, GW, SN, respectively
  14. Vi: the verification information of U
  15. DIDSC, PIDj: the pseudonyms of SC, SN, respectively
  16. TU, TGW, TS: the current timestamp
  17. RPWi: the protected information for the multiple password
  18. PTCi, PTCj: the protected temporal credential of U, SN, respectively
  19. SK: the session key in the future
  20. σU, σGW: the HMAC output with secret keys kUG, kGS, respectively
  21. (Mac, Ver): a keyed-hashing for message authentication codes
  22. (Enc, Dec): symmetric encryption/decryption functions
  23. H(·): hash function
  24. ∥: bitwise concatenation operation

Review of Nam et al.’s Scheme

In this section, we review Nam et al.’s scheme in detail. The scheme consists of three phases: the registration phase, the login phase, and the authentication and key exchange phase [14]. Nam et al.’s scheme stores an elliptical curve group G with generator P of prime order q; MAC function ∑ = (Mac, Ver) [40, 41]; symmetric encryption and decryption functions Δ = (Enc, Dec); and three hash functions, H, J, and I in each entity (we use only H to represent the hash function in this paper). After finishing these tasks, GW selects two random numbers, and, z ∈ {0, 1}k, computes Y = yP with kGS = h(IDSN ∥ z) as the public key and shares a secret key with SN.

Registration phase

A user U registers his identity IDU and password PWU through the following steps.

  1. A user U registers the identity IDU and password PWU and submits IDU to the GW.
  2. GW computes EIDU = Encz(IDU ∥ IDGW) with the key z and sends {EIDU, Y, IDGW, G, P, ∑, Δ, H} to U. U stores these messages in the SC.
  3. U computes XEIDU = EIDU ⊕ h(IDU ∥ PWU) to replace EIDU.

Login, authentication, and key exchange phase

In these phases, U, GW, and SN authenticate each other through the following, and the session key SK is generated. The details of these phases are described as follows:

  1. U inserts his SC and inputs the identity IDU and password PWU. Then, SC retrieves the current timestamp TU and gets two random numbers , kUS ∈ {0, 1}k. SC performs a series of calculations as follows. KUG = xY, X = xP, kUG = h(TU ∥ X ∥ Y ∥ KUG), EIDU = XEIDU ⊕ h(IDU ∥ PWU), and . Finally, U sends (TU, IDSN, X, CU, σU) to GW.
  2. Upon receiving these message, GW checks the freshness of TU, if TU is not fresh, GW discards the session. Otherwise, GW checks whether is equal to 1, where kUG = h(TU ∥ X ∥ Y ∥ KUG) and KUG = yX. If it is not equal, GW discards the session. Otherwise, GW uses the key kUG to decrypt CU to get IDU and EIDU. GW uses the key z to decrypt EIDU to get . Then, GW checks whether IDU is equal to . If they are equal, GW computes and , where TGW is the current TS. Finally, GW sends (IDGW, TGW, TU, CGW, σGW) to SN.
  3. Upon receiving these messages, SN first checks the freshness of TGW. If TGW is not fresh, SN aborts the session. Otherwise, SN checks whether is equal to 1. If it is not equal, SN aborts the session. Otherwise, SN decrypts CGW with the key kGS to get kUS. Then, SN computes SK = h(kUS ∥ TU ∥ IDSN) and ρSN = h(kUS ∥ TU ∥ IDSN). Finally, SN sends ρSN to the user U.
  4. Upon receiving messages, the user checks whether ρSN is equal to h(kUS ∥ IDSN ∥ TU). If they are not equal, U aborts the session. Otherwise, U computes SK = h(kUS ∥ TU ∥ IDSN) as the SK.

Password update phase

In this phase, Nam et al. have designed an interactive password update phase as follows:

  1. U inserts his SC and inputs IDU, PWU, and new password .
  2. SC completes a series of calculations with the random and timestamp TU as follows. kUG = xY, X = xP, kUG = h(TU ∥ X ∥ Y ∥ KUG), EIDU = XEIDU ⊕ h(IDU ∥ PWU) . Then, SC sends (TU, CU, X) to the GW.
  3. Upon receiving these messages, GW rejects the request if TU is not fresh. Otherwise, GW computes kUG = h(TU ∥ X ∥ Y ∥ KUG) and KUG = yX. Then, GW uses the key kUG to decrypt CU to get IDU and EIDU. GW decrypts EIDU with the key z to get another . GW checks whether IDU is equal to . If they are equal, GW computes ρGW = h(kUG ∥ X ∥ IDU ∥ IDGW) and sends ρGW to SC.
  4. SC checks whether ρGW is equal to h(kUG ∥ X ∥ IDU ∥ IDGW). If they are not equal, SC aborts the session. Otherwise, SC computes and finishes the password update phase.

Security Analysis of Nam et al.’s Scheme

In this section, we comprehensively analyze the security performance of Nam et al.’s scheme. During the analysis, several weaknesses of the scheme were identified. Nam et al.’s scheme ensures user anonymity and uses the elliptical curve computational Diffie-Hellman (ECCDH) protocol and authenticated key exchange (AKE) to fulfill the security function. However, further analysis shows that the scheme is vulnerable to the following threats.

D-DOS attacks

In the authentication and key exchange phase or password update phase of Nam et al.’s scheme, SC and GW need to execute numerous complex computations to verify the identity of U. To fulfill this task, SC and GW have to execute the hash function three times, encryption once, decryption twice, and MAC calculation and Ver calculation twice. Following several studies [3, 20, 42], we assume that an adversary would start a D-DOS attack that is launched by persistently inputting a wrong IDU or wrong PWU. According to Nam et al. [14] and the reference basis that is analyzed in this paper, each verification needs approximately 9.5 hash calculations, wasting 0.00304 s and costing 0.073 mJ of WSNs. would not be suspended until the energy of GW is depleted [42].

Based on the preceding discussion, Nam et al.’s scheme is vulnerable to D-DOS attacks, and an adversary can easily drain the batteries in the login phase.

Online guessing attacks

In the authentication and key exchange phase, we assume that the adversary eavesdrops on the communication channel [43]. The adversary can obtain the secret key kUS and compute the SK with an online guessing attack through the following steps:

  1. The adversary obtains TU, IDSN, and ρSN by intercepting channels U → GW, GW → SN, and SN → U.
  2. The adversary guesses the kUS from the directory.
  3. The adversary verifies whether h(kUS ∥ IDSN ∥ TU) is equal to ρSN. If both numbers are the same, the adversary obtains kUS. Otherwise, the adversary repeats steps 2 and 3 until the correct kUS is guessed.
  4. After obtaining kUS, the adversary computes SK = h(kUS ∥ TU ∥ IDSN) to obtain the SK.

According to the preceding discussion, we conclude that the adversary can obtain the secret key kUS and compute the SK by online guessing attacks. These findings prove that Nam et al.’s scheme is vulnerable to online guessing attacks.

Lost password threat

Numerous approaches, such as the hit library attack and social engineering [44, 45], can be used to obtain user passwords. The lost password threat is currently popular and is a deadly threat to any one-password-based authentication, including WSNs. If the adversary obtains the commonly used passwords of U by other methods, we can see that the authentication scheme encounters a considerable threat.

Replay attacks

In the authentication and key exchange phase, we assume that an adversary intercepts the message ρSN. Then, the adversary sends ρSN to U. As U does not check the freshness of T, U cannot realize that the adversary has already obtained the ρSN, therefore proving that Nam et al.’s scheme is vulnerable to replay attacks.

Impersonation attacks

In the authentication and key exchange phase, SN authentication verifies whether the identity of GW is invalid. Furthermore, U does not authenticate the validity of SN. The adversary can start the impersonation attack by forging GW and SN as in the following steps:

  1. The adversary intercepts IDGW, TGW, TU, CGW, and σGW from the communication channel GW → SN.
  2. The adversary sends IDGW, TGW, TU, CGW, and σGW to SN.
  3. The adversary passes the MAC, and is believed to be the real GW.

According to the preceding discussion, as U does not check the freshness of T, we can safely conclude that Nam et al.’s scheme is vulnerable to impersonation attacks. The detailed security analysis is described in Table 1.

Our Proposed Scheme

In this section, we propose a temporal credential-based mutual authentication with multiple-password scheme for WSNs. The temporary SK has many advantages relative to using long-term keys according to Choo’s research [46]. Our scheme not only inherits the excellent properties of Nam et al.’s scheme but also improves upon the weaknesses of their scheme. As our scheme uses multiple passwords to replace Tate-pairing computation and the fuzzy extractor function, our scheme can achieve the same security performance with smaller overhead [47].

Unlike Nam et al.’s scheme, our proposed scheme consists of five phases: registration phase, login phase, authentication and key exchange phase, password update phase, and dynamic-node addition phase. These phases are described in detail as follows.

Registration phase

In this phase, we register a legal user, U, and sensor nodes, SN. This concept has already been presented in other studies [18, 21]. The registration phase is executed in a rigorously secure environment prior to the deployment of WSNs. Before registration, GW assigns the unique identities, namely, IDSN, IDSC, and IDGW, to SNs, SC, and the GW respectively. Then, GW randomly generates a secret number, kGW. Finally, the hash function H(∙), the message authentication check scheme MAC(∙), and Ver(∙) are stored in SC, GW, and SN. The registration phase is described in detail as follows.

Registration phase for legal user.

In this phase, we register the legal user U through the following steps.

  1. U inserts his SC and inputs his multiple-password PW1, PW2 ⋯PWn. U generates a random secret number ki and gets the unique identifier IDSC. U computes RPWi = H(IDSC ∥ PW1 ∥ PW2 ∥ ⋯∥PWn ∥ n ∥ ki) and retrieves the timestamp TS1. Finally, U sends (RPWi, TS1, IDSC) to GW.
  2. Upon receiving the message, GW checks the freshness of TS1. If TS1 is not fresh, GW rejects the request. Otherwise, GW gets the unique identifier IDGW. Then, GW computes TCi = H(kGW ∥ IDGW ∥ IDSC), PTCi = TCi ⊕RPWi, and PKGW = PTCi⊕kGW. Then, GW retrieves the current timestamp TS2. Finally, GW stores the tuple (IDGW, IDSC, PKGW) in the verification table and sends (PTCi, TS2, IDGW) to U.
  3. Upon receiving the message, U checks the freshness of TS2. If TS2 is not fresh, U rejects the request. Otherwise, U computes ei = ki⨁H(n ∥ PW1 ∥ PW2 ∥⋯∥ PWn), Vi = H(ei ∥ RPWi ∥ IDSC ∥ ki ∥ n). Finally, U stores (ei, Vi, PTCi, IDSC, IDGW) in the SC.

In this phase, the adversary cannot restore the sensitive number because of the property of the hash function [48–50] and the confidentiality property of the XOR operation [51–53], as well as the information stored in GW and SC. The random secret numbers ki and kGW are not stored in GW. This phase is shown in Fig 1.

Registration for sensor node.

In our scheme, each legal SN is required to register in GW so that we can verify the legal SN and add the new SN to WSNs in the future. Before SN registration, the legality of U should be verified. The steps are as follows.

  1. SN generates a random secret number kj and gets the unique identifier IDSN. Then, SN computes PIDj = H(IDSN ∥ kj), PKj = PIDj⊕kj and replaces IDSN with PIDj. Finally, SN retrieves timestamp TS3 and sends (PIDj, TS3) to GW.
  2. Upon receiving the message, GW checks the freshness of TS3. If TS3 is not fresh, GW rejects the request. Otherwise, GW computes TCj = H(kGW ∥ PIDj), PTCj = TCj⊕PIDj. Then, GW retrieves the timestamp TS4 and stores PIDj. Finally, GW sends (TS4, PTCj) to SN.
  3. Upon receiving the message, SN checks the freshness of TS4. If TS4 is not fresh, GW rejects the request. Otherwise, SN stores (PKj, PTCj).

In this phase, different SNs possess different PIDj and PKj, and the random secret number kj is not stored in SN. Therefore, our scheme can withstand node capture attacks, as analyzed in the security analysis section. This phase is shown in Fig 2. After finishing the entire registration scheme, GW deletes kGW, SC deletes ki, and SN deletes kj before the deployment of WSNs.

Fig 2. The registration phase of sensor node of our scheme.

https://doi.org/10.1371/journal.pone.0170657.g002

Login phase

The login phase procedure is described in detail as follows. If U attempts to login to WSNs and obtains data from SN, the following steps are executed. This phase is shown in Fig 3.

  1. U inserts his SC and inputs the registered multiple-password PW1, PW2 ⋯PWn.
  2. SC gets the unique identifier IDSC and computes ki = ei⨁H(n ∥ PW1 ∥ PW2 ∥⋯∥ PWn), RPWi = H(IDSC ∥ PW1 ∥ PW2 ∥ ⋯∥PWn ∥ n ∥ ki).
  3. SC checks whether H(ei ∥ RPWi ∥ ki ∥ n ∥ IDSC) is equal to Vi. If it is not equal, SC rejects the request. Otherwise, SC retrieves timestamp TS1 and computes TCi = PTCi⊕RPWi, PKSi = ki⊕H(TCi ∥ TS1), , DIDSC = IDSC⊕H(TS1 ∥ IDGW).
  4. Finally, U sends (PTCi, Cj, PKSi, TS1, DIDSC) to GW.
Fig 3. The login, authentication and key exchange phase of our scheme.

https://doi.org/10.1371/journal.pone.0170657.g003

Authentication and key exchange phase

In this phase, we describe the authentication mechanism through U, GW, and SC. The mechanism achieves mutual authentication and generates the SK, for future use. The details are presented as follows.

  1. Upon receiving the message, GW checks the freshness of TS1. If it is not fresh, GW aborts the session. Otherwise, GW retrieves the unique identity IDGW and computes IDSC = DIDSC⨁H(TS1 ∥ IDGW), GW obtains the PKGW corresponding to IDSC in the verification table. Then, GW computes kGW = PKGW⨁PTCi, TCi = H(kGW ∥IDGW), RPWi = PTCi⨁TCi, and ki = PKSi⨁ (TCi ∥ TS1). GW checks whether Verki(TCi ∥ TS1 ∥ RPWi, Ci) is equal to 1. If it is not equal, GW aborts the session. Otherwise, GW retrieves timestamp TS2 and computes TCj = H(kGW ∥PIDj), PKSGW = ki⨁H(TCj ∥ TS2),. Finally, GW sends (PIDj, CGW, PKSGW, TS2) to SN.
  2. Upon receiving the message, SN checks the freshness of TS2. If it is not fresh, SN aborts the session. Otherwise, SN computes TCj = PTCj⨁PIDj, ki = PKSGW⨁H(TCj ∥TS2). Then, SN checks whether is equal to 1. If it is not equal, SN aborts the session. Otherwise, SN retrieves timestamp TS3 and computes ki = PKi⨁PIDj, PKSj = kj⨁H(ki ∥TS3), and SK = H(ki⨁kj) as the SK. Finally, SN sends (Cj, PKSj, TS3) to U.
  3. Upon receiving the message, U checks the freshness of TS3. If it is not fresh, U aborts the session. Otherwise, the SC of U computes kj = PKSj⨁H(ki ∥TS3). Then SC checks whether is equal to 1? If it is not equal, SC aborts the session. Otherwise, SC computes SK = H(ki⨁kj) as the SK for the future.

In this phase, our proposed scheme not only achieves mutual authentication and key establishment but also checks the integrity of the message. Each message authentication check function in U, SN, and GW uses different secret encryption keys for secure communication [3]. The detailed security performance of our scheme is discussed in the security analysis section, and the authentication and key exchange phase is shown in Fig 3.
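The user registration, login, and gateway-side check of the login message described above, as an added Python example (not code from the paper or its authors). Assumptions: SHA-256 for H, HMAC-SHA-256 for (Mac, Ver), 32-byte identifiers, length-prefixed hash inputs, a 5-second freshness window, Ci = Mac_ki(TCi ∥ TS1 ∥ RPWi) inferred from the GW's Ver check, and TCi and Vi computed with the registration-phase field order; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

FRESH_WINDOW = 5  # seconds; assumed, the paper does not fix a value

def H(*parts: bytes) -> bytes:
    """H(a || b || ...). Each field is length-prefixed (an assumption) so
    that ("ab", "c") and ("a", "bc") never hash to the same value."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == 32
    return bytes(x ^ y for x, y in zip(a, b))

def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")

def mac(key: bytes, tc: bytes, t: int, rpw: bytes) -> bytes:
    # Ci = Mac_ki(TCi || TS1 || RPWi), the value GW checks with Ver
    return hmac.new(key, tc + ts(t) + rpw, hashlib.sha256).digest()

def pw_fields(pws):
    """Return ([PW1..PWn], n) as hash inputs; order and count both matter."""
    return [p.encode() for p in pws], len(pws).to_bytes(2, "big")

class Gateway:
    def __init__(self, id_gw: bytes):
        self.id_gw = id_gw
        self.k_gw = secrets.token_bytes(32)
        self.table = {}  # verification table: IDSC -> PKGW

    def register_user(self, rpw: bytes, id_sc: bytes) -> bytes:
        tc = H(self.k_gw, self.id_gw, id_sc)        # TCi
        ptc = xor(tc, rpw)                          # PTCi = TCi xor RPWi
        self.table[id_sc] = xor(ptc, self.k_gw)     # PKGW = PTCi xor kGW
        return ptc

    def deploy(self):
        self.k_gw = None  # GW deletes kGW before deployment

    def verify_login(self, msg, now: int):
        ptc, c_i, pks, ts1, did_sc = msg
        if abs(now - ts1) > FRESH_WINDOW:           # freshness of TS1
            return None
        id_sc = xor(did_sc, H(ts(ts1), self.id_gw))  # undo DIDSC
        pk_gw = self.table.get(id_sc)
        if pk_gw is None:
            return None
        k_gw = xor(pk_gw, ptc)                      # kGW recovered per session
        tc = H(k_gw, self.id_gw, id_sc)
        rpw = xor(ptc, tc)
        k_i = xor(pks, H(tc, ts(ts1)))
        return k_i if hmac.compare_digest(mac(k_i, tc, ts1, rpw), c_i) else None

class SmartCard:
    def __init__(self, id_sc: bytes, id_gw: bytes):
        self.id_sc, self.id_gw = id_sc, id_gw

    def register(self, pws, gw: Gateway):
        pw, n = pw_fields(pws)
        k_i = secrets.token_bytes(32)               # used here, never stored
        rpw = H(self.id_sc, *pw, n, k_i)            # RPWi
        self.ptc = gw.register_user(rpw, self.id_sc)
        self.e = xor(k_i, H(n, *pw))                # ei
        self.v = H(self.e, rpw, self.id_sc, k_i, n)  # Vi

    def login(self, pws, ts1: int):
        pw, n = pw_fields(pws)
        k_i = xor(self.e, H(n, *pw))
        rpw = H(self.id_sc, *pw, n, k_i)
        if not hmac.compare_digest(H(self.e, rpw, self.id_sc, k_i, n), self.v):
            return None  # rejected on the card; no message reaches GW
        tc = xor(self.ptc, rpw)
        pks = xor(k_i, H(tc, ts(ts1)))              # PKSi
        did_sc = xor(self.id_sc, H(ts(ts1), self.id_gw))  # DIDSC
        return (self.ptc, mac(k_i, tc, ts1, rpw), pks, ts1, did_sc)

def demo():
    # Constructed identifiers and passwords, for illustration only.
    id_gw = hashlib.sha256(b"constructed-gw").digest()
    id_sc = hashlib.sha256(b"constructed-sc").digest()
    gw, sc = Gateway(id_gw), SmartCard(id_sc, id_gw)
    pws = ["river", "copper7", "Lanzhou!"]
    sc.register(pws, gw)
    gw.deploy()
    t = 1_700_000_000
    msg = sc.login(pws, t)
    return {
        "accepted": gw.verify_login(msg, now=t + 1) is not None,
        "wrong_order": sc.login(["copper7", "river", "Lanzhou!"], t),
        "wrong_count": sc.login(pws[:2], t),
        "stale": gw.verify_login(msg, now=t + 60),
        "shifted_ts": gw.verify_login(msg[:3] + (t + 2,) + msg[4:], now=t + 2),
    }
```

Calling `demo()` shows that a wrong password order or count is rejected on the card before any gateway work is spent, and that a stale or altered TS1 fails at the gateway even though kGW is no longer stored there.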

Password updated phase

For security reasons, U needs to change his/her password periodically. In this phase, we propose the password-updating phase to change the password of U and U can change the sequence of passwords and the number of passwords as the new identity characteristics with minimal consumption. The details of this phase are described as follows.

  1. U inserts his SC and inputs the older multiple-password PW1, PW2 ⋯PWn.
  2. SC gets the unique identifier IDSC and computes ki = ei⨁H(n ∥ PW1 ∥ PW2 ∥⋯∥ PWn), RPWi = H(IDSC ∥ PW1 ∥ PW2 ∥ ⋯∥PWn ∥ n ∥ ki).
  3. SC checks whether H(ei ∥ RPWi ∥ ki ∥ n ∥IDSC) is equal to Vi. If it is not equal, SC rejects the request. Otherwise, SC computes TCi = PTCi⨁RPWi. Then, U inputs his new multiple-password .
  4. After inputting the new multiple-password, SC computes , , . U sends PTCi, , and current TS to GW. Finally, SC replaces (ei, Vi, PTCi) with().
  5. Upon receiving , GW checks the freshness of TS. If it is not fresh, GW rejects the request. Otherwise, GW computes kGW = PKGW⨁PTCi, . Then, GW replaces PKGW with .

Dynamic node addition phase

New node deployment is inevitable in WSNs because nodes may be lost, exhausted, or destroyed [54]. In this phase, our proposed scheme allows U to add new SN to WSNs after deployment. Our scheme strictly requires that the dynamic node addition phase must be executed by the legal user. Thus, our scheme must initially verify the legality of U. We assume that a new sensor node SNnew is going to join the WSNs, and the following steps must be executed.

  1. U inserts his SC and inputs the registered multiple-password PW1, PW2 ⋯PWn.
  2. SC gets the unique identifier IDSC and computes ki = ei⊕H(n ∥ PW1 ∥ PW2 ∥⋯∥ PWn) and RPWi = H(IDSC ∥ PW1 ∥ PW2 ∥ ⋯∥PWn ∥ n ∥ ki).
  3. SC checks whether H(ei ∥ RPWi ∥ ki ∥ n ∥IDSC) is equal to Vi. If it is not equal, SC rejects the request. Otherwise, SC sends PTCi and the current TS to GW.
  4. GW checks the freshness of TS. If it is not fresh, GW rejects the request. Otherwise, GW computes kGW = PKGW⨁PTCi and assigns the new unique identifier to SNnew via a secure channel.
  5. Finally, SNnew executes the registration phase for the sensor node.

Note that in this phase, the dynamic addition phase must be executed by a legal U that is authenticated by SC. This mechanism is able to withstand malicious sensor node attacks.

Security Analysis

In this section, we analyze the security performance of our proposed scheme by both formal and informal analyses. We assume that an adversary threatens the security of WSNs. Based on the existing defined models of adversary capabilities that are widely accepted [26, 27, 55, 56], we conclude that the adversary possesses the following hacking capabilities: (1) intercept the transmitted message via the channel [3, 6]; (2) use power analysis attacks to obtain the information stored in SC [57, 58] and use sensor node capture attacks to obtain the information stored in SN [59–61]; (3) use dictionary attacks to guess numbers [43]; (4) possess the right to access the gateway station because he/she is a privileged user [40]; and (5) obtain the used passwords of U through other methods. We assume that sensitive information (PW1, PW2 ⋯PWn, n, ki, kj, kGW, TCj, TCi, SK) is attractive to the adversary. Our goal is to prevent the sensitive information from being extracted by the adversary. Thus we carefully analyzed the security performance of our proposed scheme using BAN-logic [62], which is popularly used to ensure the security of communication and session key agreement. The details of our analysis are described as follows.

Formal analysis based on BAN-logic

In this section, we use BAN-logic to analyze the security of our proposed scheme. The notations of BAN-logic are defined as follows, where P denotes the principal, and X and Y denote the statements.

  1. P |≡X: P believes X
  2. P ⊲ X: P sees X
  3. P | ∼ X: P once said X
  4. P ⇒ X: P has jurisdiction over X
  5. #(X): X is fresh
  6. (X, Y): The formulae X or Y is one part of the formulae (X, Y)
  7. < X >Y: X combined with Y
  8. {X}K: X is encrypted under the key K
  9. (X)K: X is hashed with the key K
  10. : P and Q communicate via shared key K
  11. SK: The session key between U and SN
  12. : The formulae X is known only to P and Q

Some main logical postulates of the BAN-logic are as follows:

  1. The Message-meaning rule: ,
  2. The nonce-verification rule:
  3. The jurisdiction rule:
  4. The belief rule:
  5. The freshness rule:
  6. The session key rule:

In order to prove the security of the proposed scheme, the following goals of BAN-logic must be satisfied.

  1. Goal 1.
  2. Goal 2.
  3. Goal 3.
  4. Goal 4.
  5. Goal 5.
  6. Goal 6.
  7. Goal 7.
  8. Goal 8.

First, the initial status of our scheme is made according to the following assumptions:

  1. A1: U |≡⋕(TS1)
  2. A2: U |≡⋕(TS3)
  3. A3:
  4. A4:
  5. A5:
  6. A6:
  7. A7:
  8. A8: GW|≡⋕(TS1)
  9. A9: GW|≡⋕(TS2)
  10. A10:
  11. A11:
  12. A12:
  13. A13:
  14. A14: SN |≡⋕(TS2)
  15. A15: SN |≡⋕(TS3)
  16. A16:
  17. A17:
  18. A18:
  19. A19:
  20. A20:
  21. A21:

Second, our scheme is transformed to the idealized form.

  1. M1:
  2. M2:
  3. M3:

Third, the idealized form of our scheme is analyzed based on BAN-logic and the assumptions. The main steps are described as follows:

  1. By M1 and the seeing rule, we get:
    S1:
  2. By A10, S1 and the message-meaning rule, we get:
    S2:
  3. By A8, S2, freshness rule and nonce-verification, we get:
    S3:
  4. By M2 and the seeing rule, we get:
    S4:
  5. By A16, S4 and the message-meaning rule, we get:
    S5:
  6. By A14, S5, freshness rule and nonce-verification, we get:
    S6:
  7. By A19, S6 and the jurisdiction rule, we get:
    S7:
  8. By A21, S7 and the jurisdiction rule, we get:
    S8:
  9. By S7 and session key rule which ki is the necessary parameters of SK, we get:
    S9:
  10. By A20, S9 and the jurisdiction rule, we get:
    S10:
  11. By M3 and the seeing rule, we get:
    S11:
  12. By A10, S11 and the message-meaning rule, we get:
    S12:
  13. By A15, S12, the freshness rule and nonce-verification, we get:
    S13:
  14. By S13 and the belief rule, we get:
    S14:
    S15:
  15. By A6, S14 and the jurisdiction rule, we get:
    S16:
  16. By S15 and the session key rule, where kj is a necessary parameter of SK, we get:
    S17:
  17. By A5, S17 and the jurisdiction rule, we get:
    S18:

From the above discussion, our scheme satisfies (Goal 1), (Goal 2), (Goal 3), (Goal 4), (Goal 5), (Goal 6), (Goal 7) and (Goal 8). Therefore, U, GW and SN perform the mutual authentication and session key exchange securely.

Informal analysis

In this section, we prove our scheme could withstand other attacks. The detailed analysis is described as follows.

Stolen smart card attacks.

We know that the adversary could use a power analysis attack to extract the information stored in the SC. We assume that the adversary obtains the information (ei, Vi, PTCi, IDSC). These values are stored after being processed by a one-way hash function. The multiple passwords and the secret number Ki are impossible to obtain from the SC. Because the hash function meets the one-way property [48–50], our scheme can withstand stolen SC attacks.

Nodes captured attacks.

After WSNs are deployed in the target field, the adversary can easily capture a legitimate sensor node [59–61]. Although some important studies focus on key revocation protocols [63, 64], we believe the confidentiality of stored keys/data is as important as key revocation. We assume that the adversary could obtain (PTCj, PKj) from SN. Owing to the properties of the one-way hash function and XOR operation [51–53], the secret number kj and TCj are impossible to obtain from SN. Given that IDSN is replaced with PIDj in the registration phase, the adversary cannot extract IDSN. The secret number, kj, is impossible to guess because of the two unknown numbers. To obtain TCj, the adversary would need to compute TCj = PTCj⨁PIDj. However, PIDj is not stored in SN. Therefore, the adversary cannot obtain TCj. According to the preceding discussion, we can conclude that our proposed scheme can withstand the nodes captured attack.

Privileged insider attacks.

We assume that the adversary is a privileged insider of WSNs. Therefore, the adversary can access GW to obtain others’ sensitive information. In our scheme, GW does not store the passwords of U or other sensitive information. Therefore, the adversary cannot extract the passwords of U. We assume that the adversary can obtain (PKGW, PIDj) from GW. Given the properties of the one-way hash function and XOR operation, deriving kGW and TCi is an almost impossible task for the adversary. We assume that the adversary intends to compute kGW = PTCi⨁PKGW. However, since PTCi is stored in the SC of U, the adversary cannot obtain kGW. The preceding discussion shows that our proposed scheme can withstand privileged insider attacks.

Impersonation attacks/mutual authentication.

The adversary can impersonate the GW to send/receive the message or install any program to take over the entire network [65]. In our scheme, each receiver must authenticate the identity of the sender by MAC and Ver functions with the sender’s own secret key. GW verifies the identity of U by computing = 1? with Ki. SN verifies the identity of GW by = 1? with TCj. U verifies the identity of SN by = 1? with Kj. The adversary cannot impersonate any legitimate entity without knowing the secret numbers, such as Ki, TCj, and kj. Accordingly, our proposed scheme can withstand an impersonation attack and achieve mutual authentication.

User anonymity.

According to Choo et al.’s research [66], there is a mechanical approach to derive identity-based schemes from existing Diffie-Hellman-based schemes. After a careful study of this work, our scheme is designed to withstand this method in order to protect the user’s anonymity. In the login phase, our proposed scheme uses IDSC as the only identity of U. However, a serious problem with user privacy exists. User anonymity is necessary to resist tracing attacks. Our scheme hides IDSC in RPWi = H(IDSC ∥ PW1 ∥ PW2 ∥ ⋯∥PWn ∥ n ∥ ki), Vi = H(ei ∥ RPWi ∥ IDSC ∥ ki ∥n) and DIDSC = IDSC⊕H(TS1 ∥ IDGW). The transmitted pseudo identity DIDSC is the dynamic name. Given the hash function property, the adversary cannot extract IDSC without IDGW. Consequently, our scheme achieves the goal of anonymity and can withstand tracing attacks.
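The three formulas in this paragraph, as an added Python example that is not code from the paper. SHA-1 stands in for H (the paper assumes a 160-bit hash output), fields are length-prefixed before hashing (an assumption, the paper only writes ∥), and every identity, secret, and password below is constructed.

```python
import hashlib
import hmac
import struct


def H(*parts: bytes) -> bytes:
    """H(p1 || p2 || ...). Each part is length-prefixed (assumption) so that
    ("ab", "c") and ("a", "bc") cannot collide."""
    h = hashlib.sha1()
    for p in parts:
        h.update(struct.pack(">I", len(p)) + p)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def rpw(id_sc: bytes, passwords: list, k_i: bytes) -> bytes:
    """RPWi = H(IDSC || PW1 || ... || PWn || n || ki): order and count both matter."""
    n = str(len(passwords)).encode()
    return H(id_sc, *[p.encode() for p in passwords], n, k_i)


def v(e_i: bytes, rpw_i: bytes, id_sc: bytes, k_i: bytes, n: int) -> bytes:
    """Vi = H(ei || RPWi || IDSC || ki || n)."""
    return H(e_i, rpw_i, id_sc, k_i, str(n).encode())


def card_accepts(stored_v, e_i, id_sc, k_i, entered: list) -> bool:
    """Recompute Vi from the entered password sequence and compare in
    constant time. How the card obtains ki at login is outside this sketch."""
    candidate = v(e_i, rpw(id_sc, entered, k_i), id_sc, k_i, len(entered))
    return hmac.compare_digest(candidate, stored_v)


def did_sc(id_sc: bytes, ts1: int, id_gw: bytes) -> bytes:
    """DIDSC = IDSC xor H(TS1 || IDGW): a different pseudonym per timestamp."""
    return xor(id_sc, H(struct.pack(">I", ts1), id_gw))


def recover_id(did: bytes, ts1: int, id_gw: bytes) -> bytes:
    """Gateway side: the same mask removes itself."""
    return xor(did, H(struct.pack(">I", ts1), id_gw))


# Constructed sample values (not from the paper)
ID_SC = hashlib.sha1(b"constructed card identity").digest()  # 160-bit identity
K_I = bytes(range(20))
E_I = bytes(range(20, 40))
ID_GW = b"\x00\x2a"                                          # 16-bit gateway ID
PASSWORDS = ["tulip-7", "granite", "0xCafe"]
STORED_V = v(E_I, rpw(ID_SC, PASSWORDS, K_I), ID_SC, K_I, len(PASSWORDS))

if __name__ == "__main__":
    print("right sequence:", card_accepts(STORED_V, E_I, ID_SC, K_I, PASSWORDS))
    print("reordered     :", card_accepts(STORED_V, E_I, ID_SC, K_I, PASSWORDS[::-1]))
    print("DIDSC @1000   :", did_sc(ID_SC, 1000, ID_GW).hex())
    print("DIDSC @1001   :", did_sc(ID_SC, 1001, ID_GW).hex())
```
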

Online guessing attacks.

In our scheme, the registration phase is executed strictly in a secure environment before deployment. We assume that the adversary intercepts messages transmitted in the channel during the login, authentication and key exchange, password updating, and dynamic-node addition phases. The adversary can obtain the messages (PTCi, Ci, PKSi, TS1), (PIDj, CGW, PKSGW, TS2), and (Cj, PKSj, TS3), (). Notably, the intercepted message, excluding the TS, is entirely encrypted by hash function and XOR operation. In addition, each hash function includes a minimum of two unknown numbers. Therefore, the adversary cannot use online guessing attacks to guess the inputs of the hash function. In CGW and calculation, although only one unknown input is in the function, the adversary cannot guess the inputs from the dictionary without the secret key, TCj. Therefore, our scheme can resist online guessing attacks.

Offline password guessing attacks.

Offline password guessing attacks have always been a major security concern in designing password-based schemes. There are some outstanding studies trying to solve this problem, and our scheme strictly observes the rules that are described in Nam et al.’s research [67]. In this attack analysis, the adversary can use a power analysis attack to extract the information stored in the SC. Therefore, the adversary obtains (ei, Vi, PTCi, IDSC) from the SC. All messages extracted by the adversary are processed by hash function and XOR operation. Therefore, the adversary cannot derive the sensitive information from these messages. Each message includes a minimum of two unknown inputs, as well as multiple passwords encrypted by the hash function. Therefore, the adversary cannot use offline password-guessing attacks to derive the multiple passwords and the number of passwords n from the SC.

Replay attacks.

We assume that the adversary intercepts the messages transmitted in the communication channel and replays these messages to the receiver without any modification. A replay attack cannot work in our scheme because each entity initially checks the freshness of the TS. If the TS is not fresh, then the receiver rejects the request. Therefore, our scheme can resist replay attacks.

Man-in-the-middle attacks.

Choo et al. proposed that the unknown key share attack (man-in-the-middle attack) is the most fatal security problem for any protocol [68]. We assume that the adversary intercepts the messages transmitted in the communication channel and replays these messages to the receiver with a particular modification of the message. The purpose of this action is to make the receiver believe that the adversary is the legitimate sender. The adversary can intercept the transmitted messages via the channel. To pass authentication, the adversary must compute Ci, CGW, and Cj, but is unable to obtain (TCi, RPWi, ki, TCj, kj) without knowing the secret number or the temporal credential of each entity. Therefore, the adversary cannot obtain the right (Ci, CGW, Cj) and pass authentication. Therefore, our scheme can resist man-in-the-middle attacks.

Lost password threat.

According to other studies [69–71], passwords are currently not safe and are therefore vulnerable to any identity authentication. The adversary can obtain the used passwords of U through numerous methods. For example, the adversary can obtain user passwords from a low-security level database or by using social engineering [44, 45]. Then, the adversary can use these lost passwords to pass the authentication of WSNs with the stolen SC. Once the password is lost, the scheme for WSNs encounters a considerable threat. In our scheme, multiple passwords are used to replace the unique password, which means that the legitimate user needs to input several passwords at will. The passwords, their sequence, and their number are used as key factors to authenticate the user’s identity. Although the adversary obtains the used passwords, he/she does not know other security factors, such as the sequence of passwords, their combination, and their number. In other schemes, if the adversary obtains m passwords of the user, the probability of obtaining the correct password is described as follows: where we assume that the probability of using the old password is Ph. In our scheme, U adopts n passwords as login passwords. The probability of obtaining the correct password is

If the lost passwords do not consist of all the multiple passwords, the probability is smaller than Pmultiple. According to the preceding discussion, Pmultiple is smaller than Pone, and the adversary cannot obtain the correct multiple passwords. Therefore, our scheme can prevent the lost password threat.

D-DOS attacks.

Because of the energy limitation of WSNs, the D-DOS attack is one of the most detrimental threats to WSNs [3, 42, 59]. This attack includes the hello flood, inputting the wrong password, and resource depletion attacks. The goal of these attacks is to deplete the resources, especially the energy, of WSNs. Numerous related schemes verify the user identity in GW with several complex computations, including numerous hash functions and other operations. This authentication method costs WSNs considerable energy if the adversary starts a D-DOS attack by persistently inputting wrong passwords. Our scheme verifies the user identity by the SC without any consumption of GW. This idea cuts off the spare overhead and can validly resist the D-DOS attacks that are launched by inputting wrong passwords in the login phase.

Malicious sensor-node attack.

In the dynamic-node addition phase, U can add his/her new SNs to the WSNs. If the SNnew is a malicious sensor node that is employed by the adversary, then SNnew can obtain information from other legitimate SNs and start malicious sensor-node attacks on WSNs, including Sybil, wormhole, sink hole, rushing, routing loop, and other types of attacks [1, 40]. To protect WSNs from malicious sensor-node attacks, our scheme requires the procedure of the dynamic node addition phase to be executed under the legitimate user. If someone wants to add any new SN to the WSN, the validity of the user identity must be verified. If the identity is not legitimate, the request is rejected. Therefore, our scheme can withstand malicious sensor-node attacks.

Three-factor security.

Numerous related schemes adopting three security factors [20, 72, 73] usually adopt SC, password, and biometric characteristics as authenticating factors. However, biometrics present several drawbacks that are unsuitable for WSNs. Therefore, our scheme uses multiple passwords to replace the biometric characteristic. Several passwords, their sequence, and the number of passwords are used as the most important factors for verification.

Integrity of message.

In our scheme, the MAC and Ver functions are used to achieve the goal of confidentiality and integrity, which are the most important properties of security [74, 75]. Upon receiving messages, the receiver verifies whether the output of the Ver function is equal to 1. If it is not equal, the receiver aborts the session and rejects the request from the sender. Therefore, if the adversary modifies the message and sends it to the next entity, then the message is denied. Therefore, our scheme checks the integrity of the message.
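The receiver-side checks described under replay attacks, impersonation attacks and message integrity, as an added Python example that is not the paper's code. HMAC-SHA-256 truncated to the 128-bit MAC size of the reference basis, the 5-second window, and the field encoding are assumptions. The duplicate-tag cache goes beyond the page, which only checks TS freshness.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16   # 128-bit MAC output
DELTA_T = 5    # freshness window in seconds (assumed value)


def encode(ts: int, fields: tuple) -> bytes:
    """32-bit TS followed by length-prefixed fields, so the MAC input is unambiguous."""
    out = struct.pack(">I", ts)
    for f in fields:
        out += struct.pack(">H", len(f)) + f
    return out


def mac(key: bytes, ts: int, *fields: bytes) -> bytes:
    """MAC over the timestamp and all fields: TS cannot be refreshed without the key."""
    return hmac.new(key, encode(ts, fields), hashlib.sha256).digest()[:TAG_LEN]


def ver(key: bytes, tag: bytes, ts: int, *fields: bytes) -> int:
    """Ver returns 1 when the tag matches (constant-time compare), else 0."""
    return 1 if hmac.compare_digest(mac(key, ts, *fields), tag) else 0


class Receiver:
    def __init__(self, key: bytes, delta_t: int = DELTA_T):
        self.key = key
        self.delta_t = delta_t
        self.seen = {}  # tag -> timestamp, kept only while still inside the window

    def accept(self, ts: int, fields: tuple, tag: bytes, now: int) -> str:
        # 1. Cheap check first: reject anything outside the freshness window.
        if abs(now - ts) > self.delta_t:
            return "stale"
        # 2. Ver must equal 1, otherwise abort the session.
        if ver(self.key, tag, ts, *fields) != 1:
            return "bad-mac"
        # 3. Added beyond the page: refuse a second copy inside the window.
        self.seen = {t: s for t, s in self.seen.items()
                     if abs(now - s) <= self.delta_t}
        if tag in self.seen:
            return "replay"
        self.seen[tag] = ts
        return "accepted"


# Constructed sample message (not from the paper)
KEY = bytes(range(32))
FIELDS = (b"constructed-PTC", b"constructed-PKS")
TS1 = 1000
TAG = mac(KEY, TS1, *FIELDS)

if __name__ == "__main__":
    r = Receiver(KEY)
    print(r.accept(TS1, FIELDS, TAG, now=1002))                   # accepted
    print(r.accept(TS1, FIELDS, TAG, now=1003))                   # replay
    print(r.accept(TS1, FIELDS, TAG, now=1010))                   # stale
    print(r.accept(1009, FIELDS, TAG, now=1010))                  # bad-mac
    print(r.accept(TS1, (b"tampered", FIELDS[1]), TAG, now=1002)) # bad-mac
```
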

Security performance comparison

In this section, we compare our proposed scheme with other schemes from the security aspect. The comparison shows that our scheme exhibits superior security performance to other schemes. The detailed comparison is presented in Table 1. Yes and No in this table denote that the scheme could withstand the attack or could not withstand the attack, respectively, and n/a denotes the scheme is not applicable in this comparison. The abbreviations below Table 1 denote the compared security properties [76].

Performance Analysis

In this section, we compare our proposed scheme with other schemes that are listed in Table 1. As introduced in other studies [6, 72], the overhead of several base operations, such as XOR operation, TS, and random number generation are ignored. These types of operations entail approximately no cost in comparison with the one-way hash computation and other complex computations. We believe that the communication overhead and storage overhead are of equal importance to the computational overhead. As introduced in Amin et al.’s research [76], the communication and storage overheads are analyzed in detail. Therefore, we analyze our scheme in three terms.

Reference basis

In this section, we enumerate the reference basis of WSN performance that is adopted in this paper. As described in several studies [14, 17–21, 23, 35, 73, 77–83], all protocols are compared by the number of main computations. To show the result intuitively, we unified the hash function to represent all protocol overheads. The basis of comparison is described as follows:

  1. According to Nam et al.’s research [14] and Crypto++ 5.6.0 benchmarks, we know that SHA-1 takes 11.4 cycles per byte, HMAC takes 11.9 cycles per byte, and AES takes 16.9 cycles per byte under Windows Vista and Intel Core 2. Therefore, one HMAC is equal to 1.04 hash functions and one AES is almost equal to 1.5 hash functions.
  2. As introduced in other studies [72, 84], one asymmetric encryption/decryption is equal to 100 symmetric encryptions/decryptions. In addition, a symmetric encryption/decryption is at least 60 times faster than a one-exponential operation.
  3. According to other studies [20, 39, 72], the time to execute a fuzzy extractor is the same as for an elliptic curve point multiplication. The time for a one-way hashing operation is 0.00032 s, for a symmetric encryption/decryption operation is 0.0056 s, for a modular exponentiation operation is 0.0192 s, and for an elliptic curve point relative multiplication operation or a fuzzy extractor is 0.0171 s.
  4. According to Ma’s study [85], we assume a WSN that adopts MICA2, which integrates an 8-bit 8 MHz ATmega128L processor. The voltage is 3 V, the computational electric current is 8 mA, the received electric current is 10 mA, the transmitted electric current is 27 mA, and the transmission rate is 12.4 kb/s. Therefore, a computation that executes for 0.00032 s needs 3 V × 8 mA × 0.00032 s = 0.00768 mJ.
  5. In agreement with [6, 20], we assume that the hash output is 160 bits [86], one prime factor is 160 bits minimum, the elliptical curve output is 320 bits, and the secret parameter is at least 160 bits [87]. The TS has 32 bits; the expiration time TE has 32 bits; the user identity ID, pseudo ID, and random nonce are 160 bits; sensor node identity IDSN, GW IDGW, and pseudo IDSN are 16 bits; encryption/decryption output is 128 bits; MAC output is 128 bits; and key setup is 128 bits.

Therefore, we can conclude all main computations in several aspects. The overhead of these main computations is described in Table 2.

The notations in this section are as follows:

TH: hash function operation; TA: asymmetric encryption/decryption; TE: symmetric encryption/decryption; TM: MAC generation/verification; TME: modular exponentiation operation; TEx: one-exponential operation; TEC: elliptic curve point multiplication; TF: fuzzy extractor.

Comparison with other schemes.

In this section, we compare our proposed scheme with the schemes proposed by Nam et al. [14], A. K. Das [20], He et al. [21], Jiang et al. [19], M. L. Das [17], and Xue et al. [18] in terms of computational, communication, and storage overheads. Comparison details are described as follows.

Computational overhead.

In this section, we compare the computational overhead of all schemes in several aspects. The details of the comparison of computational overhead are shown in Table 3. Note: the numbers shown in Table 3 are approximate and retain three decimal places.

Communication overhead.

As introduced by the study [6], the transmission overhead is considerably larger than the computational overhead. The proportion of all overheads is listed as follows: 71% data transmission, 20% MAC transmission, 7% nonce transmission (for freshness), and 2% MAC and encryption computation. Therefore, analyzing the communication overhead is crucial. We assume that the receiving electric current of WSNs is 10 mA, the transmitting electric current is 27 mA, and the rate of transmission is 12.4 kb/s. According to Ma’s study [85], we assume that the consumption for transmitting 1 byte is 3 V × 27 mA × 8 b/12400 b/s = 0.052 mJ and the consumption for receiving 1 byte is 3 V × 10 mA × 8 b/12400 b/s = 0.019 mJ.

The details of the communication overhead of all schemes are presented in Table 4. The hello and successful signals are ignored. Note: the numbers shown in Table 4 are approximate and retain three decimal places.

Storage overhead analysis.

In this section, we compare the size of stored messages with other schemes. According to the reference basis, we compute the size of stored messages in U, GW, and SN, respectively. The detailed comparison of storage overhead is presented in Table 5.

Comparison of total overhead.

In this section, we compare the total overhead of schemes, including communication and computation overheads. We compare the overhead of each entity in Table 6 and compute the total overhead of all schemes. The result shows that the communication consumption is markedly larger than the computation consumption, and its percentage is almost above 95% of the total overhead. This result is the same as that in Perrig et al.’s study [6] and in common agreement with other research. Future security schemes developed will be compared based on computation overhead and communication overhead. Owing to the property of WSNs [85], the gateway station presents larger energy, higher computation performance, and larger storage performance than SN. If we want to improve the overhead of the research scheme, the most important point is improving the communication overhead of SN instead of computational overhead. Note: the numbers shown in Table 6 are approximate and retain three decimal places. The notations in this section are denoted as follows: CC: communication costs; PC: computation costs; Tot: total overhead; %: the communication costs’ percentage of total overhead.
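The energy model from the reference basis, applied per entity, as an added Python example that is not taken from the paper or its tables. Electrical figures, the hash time and the HMAC-to-hash ratio come from the page. The field widths assigned to each message element, the message directions (U to GW, GW to SN, SN to U) and the operation counts are assumptions.

```python
# Figures quoted on the page (MICA2 / ATmega128L)
VOLTAGE_V = 3.0
I_CPU_A, I_RX_A, I_TX_A = 0.008, 0.010, 0.027
RATE_BPS = 12400
T_HASH_S = 0.00032
HASH_EQUIV = {"TH": 1.0, "TM": 1.04}   # one HMAC counted as 1.04 hash functions

# Field widths in bits: TS, MAC, hash and pseudo-ID sizes follow the reference basis
BITS = {"TS": 32, "MAC": 128, "HASH": 160, "PID": 16}

# (sender, receiver, fields). Mapping each element to a width is an assumption.
MESSAGES = {
    "M1": ("U", "GW", ["HASH", "MAC", "HASH", "TS"]),   # (PTCi, Ci, PKSi, TS1)
    "M2": ("GW", "SN", ["PID", "MAC", "HASH", "TS"]),   # (PIDj, CGW, PKSGW, TS2)
    "M3": ("SN", "U", ["MAC", "HASH", "TS"]),           # (Cj, PKSj, TS3)
}

# Constructed operation counts per entity (not the paper's Table 3)
OPS = {
    "U": {"TH": 6, "TM": 2},
    "GW": {"TH": 5, "TM": 2},
    "SN": {"TH": 3, "TM": 2},
}


def byte_energy_mj(current_a: float) -> float:
    """Energy to move one byte over the radio: V * I * (8 bits / rate), in mJ."""
    return VOLTAGE_V * current_a * 8 / RATE_BPS * 1000


def hash_energy_mj() -> float:
    """Energy of one hash: V * I_cpu * t_hash, in mJ."""
    return VOLTAGE_V * I_CPU_A * T_HASH_S * 1000


def message_bytes(fields: list) -> int:
    """Total message size, rounded up to whole bytes."""
    return (sum(BITS[f] for f in fields) + 7) // 8


def entity_budget(entity: str) -> dict:
    """Communication cost (CC), computation cost (PC) and CC share for one entity."""
    cc = 0.0
    for sender, receiver, fields in MESSAGES.values():
        size = message_bytes(fields)
        if sender == entity:
            cc += size * byte_energy_mj(I_TX_A)
        if receiver == entity:
            cc += size * byte_energy_mj(I_RX_A)
    hashes = sum(HASH_EQUIV[op] * count for op, count in OPS[entity].items())
    pc = hashes * hash_energy_mj()
    return {"CC": cc, "PC": pc, "Tot": cc + pc, "share": cc / (cc + pc)}


if __name__ == "__main__":
    for name in ("U", "GW", "SN"):
        b = entity_budget(name)
        print(f"{name:>2}: CC={b['CC']:.3f} mJ  PC={b['PC']:.3f} mJ  "
              f"Tot={b['Tot']:.3f} mJ  comm={100 * b['share']:.1f}%")
```
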

Conclusion

In this paper, we designed a temporal credential-based mutual authentication with a multiple-password scheme for WSNs. Through comparison with other schemes, we have proven that our scheme exhibits better security performance than the other schemes. Moreover, our scheme can withstand related attacks, including the lost password threat. The discussion in this paper proves that our scheme entails relatively small consumption. The analysis shows that the communication consumption’s percentage of total overhead is almost above 95% and it is markedly larger than the computational consumption. Therefore, we will compare future security schemes based on computational overhead and communication overhead.

Supporting Information

S1 Table. The security comparison with other schemes.

This table illustrates the security comparison with other schemes. The comparison shows that our scheme has better security performance than others.

https://doi.org/10.1371/journal.pone.0170657.s001

(DOCX)

S2 Table. The comparison with main computations.

This table illustrates the main computations in the authentication scheme for wireless sensor networks.

https://doi.org/10.1371/journal.pone.0170657.s002

(DOCX)

S3 Table. Comparison of computational overhead.

This table illustrates the computational overhead comparison with other schemes. The comparison shows that our scheme has better performance than others in computational overhead.

https://doi.org/10.1371/journal.pone.0170657.s003

(DOCX)

S4 Table. Comparison of communication overhead.

This table illustrates the communication overhead comparison with other schemes. The comparison shows that our scheme has better performance than others in communication overhead.

https://doi.org/10.1371/journal.pone.0170657.s004

(DOCX)

S5 Table. Comparison of storage overhead.

This table illustrates the storage overhead comparison with other schemes. The comparison shows that our scheme has better performance than others in storage overhead.

https://doi.org/10.1371/journal.pone.0170657.s005

(DOCX)

S6 Table. Comparison of total consumption.

This table illustrates the comparison with other schemes. The detailed comparison shows that the communication overhead accounts for the majority of total overhead.

https://doi.org/10.1371/journal.pone.0170657.s006

(DOCX)

Acknowledgments

This research has no sponsors of any kind and we would like to thank the kind colleagues from the Laboratory of Information Security at Lanzhou University for their assistance with this paper. Finally, we sincerely thank the anonymous referees for their constructive feedback.

Author Contributions

  1. Conceptualization: XL RZ.
  2. Data curation: XL.
  3. Formal analysis: XL.
  4. Investigation: QL.
  5. Methodology: XL.
  6. Writing – original draft: XL.
  7. Writing – review & editing: RZ QL.

References

  1. Yang G, Chen W, Cao X. The security of Wireless sensor networks: Sciences Press; 2010.
  2. Liu X, Shen Y, Li S, Chen F, editors. A fingerprint-based user authentication protocol with one-time password for wireless sensor networks. Sensor Network Security Technology and Privacy Communication System (SNS & PCS), 2013 International Conference on; 2013: IEEE.
  3. Nguyen KT, Laurent M, Oualha N. Survey on secure communication protocols for the Internet of Things. Ad Hoc Networks. 2015.
  4. Chong C-Y, Kumar SP. Sensor networks: evolution, opportunities, and challenges. Proceedings of the IEEE. 2003;91(8):1247–56.
  5. Zhang N. Research on Wireless sensor network security technology: Southwest Jiaotong University Press; 2010.
  6. Perrig A, Szewczyk R, Tygar JD, Wen V, Culler DE. SPINS: Security protocols for sensor networks. Wireless networks. 2002;8(5):521–34.
  7. Camaraa C, Peris-Lopeza P, Tapiadora JE. Security and Privacy Issues in Implantable Medical Devices: A Comprehensive Survey.
  8. Miorandi D, Sicari S, De Pellegrini F, Chlamtac I. Internet of things: Vision, applications and research challenges. Ad Hoc Networks. 2012;10(7):1497–516.
  9. Atzori L, Iera A, Morabito G. The internet of things: A survey. Computer networks. 2010;54(15):2787–805.
  10. Kumar JS, Patel DR. A survey on Internet of Things: security and privacy issues. International Journal of Computer Applications. 2014;90(11).
  11. Roman R, Alcaraz C, Lopez J, Sklavos N. Key management systems for sensor networks in the context of the Internet of Things. Computers & Electrical Engineering. 2011;37(2):147–59.
  12. Wang Y, Attebury G, Ramamurthy B. A survey of security issues in wireless sensor networks. 2006.
  13. Akyildiz IF, Su W, Sankarasubramaniam Y, Cayirci E. A survey on sensor networks. Communications magazine, IEEE. 2002;40(8):102–14.
  14. Nam J, Choo K-KR, Han S, Kim M, Paik J, Won D. Efficient and Anonymous Two-Factor User Authentication in Wireless Sensor Networks: Achieving User Anonymity with Lightweight Sensor Computation. 2015.
  15. Watro R, Kong D, Cuti S-f, Gardiner C, Lynn C, Kruus P, editors. TinyPK: securing sensor networks with public key technology. Proceedings of the 2nd ACM workshop on Security of ad hoc and sensor networks; 2004: ACM.
  16. Wong KH, Zheng Y, Cao J, Wang S, editors. A dynamic user authentication scheme for wireless sensor networks. Sensor Networks, Ubiquitous, and Trustworthy Computing, 2006 IEEE International Conference on; 2006: IEEE.
  17. Das ML. Two-factor user authentication in wireless sensor networks. Wireless Communications, IEEE Transactions on. 2009;8(3):1086–90.
  18. Xue K, Ma C, Hong P, Ding R. A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks. Journal of Network and Computer Applications. 2013;36(1):316–23.
  19. Jiang Q, Ma J, Lu X, Tian Y. An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks. Peer-to-Peer Networking and Applications. 2014:1–12.
  20. Das AK. A secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks. Peer-to-Peer Networking and Applications. 2014:1–22.
  21. He D, Kumar N, Chilamkurti N. A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Information Sciences. 2015.
  22. Khan MK, Alghathbar K. Cryptanalysis and security improvements of ‘two-factor user authentication in wireless sensor networks’. Sensors. 2010;10(3):2450–9.
  23. Sun D-Z, Li J-X, Feng Z-Y, Cao Z-F, Xu G-Q. On the security and improvement of a two-factor user authentication scheme in wireless sensor networks. Personal and ubiquitous computing. 2013;17(5):895–905.
  24. Choo KKR. Secure Key Establishment. Advances in Information Security. 2008;41.
  25. Diffie W, Hellman M. New directions in cryptography. IEEE Transactions on Information Theory. 1976;22(6):644–54.
  26. Bellare M, Rogaway P, editors. Entity Authentication and Key Distribution. International Cryptology Conference on Advances in Cryptology; 1993.
  27. Bellare M, Rogaway P, editors. Provably Secure Session Key Distribution—The Three Party Case. Proceedings of the twenty-seventh annual ACM symposium on Theory of computing; 1995.
  28. Bellare M, Pointcheval D, Rogaway P. Authenticated Key Exchange Secure against Dictionary Attacks: Springer Berlin Heidelberg; 2012. 139–55 p.
  29. Choo KKR, Boyd C, Hitchcock Y, Maitland G. On Session Identifiers in Provably Secure Protocols 2004. 351–66 p.
  30. Choo KKR. A Proof of Revised Yahalom Protocol in the Bellare and Rogaway (1993) Model1. Computer Journal. 1993;773(5):110–25.
  31. Choo KKR, Boyd C, Hitchcock Y. On Session Key Construction in Provably-Secure Key Establishment Protocols: Springer Berlin Heidelberg; 2005. 116–31 p.
  32. Choo KKR, Boyd C, Hitchcock Y. The importance of proofs of security for key establishment protocols: Formal analysis of Jan—Chen, Yang—Shen—Shieh, Kim—Huh—Hwang—Lee, Lin—Sun—Hwang, and Yeh—Sun protocols. Computer Communications. 2006;29(15):2788–97.
  33. Choo KKR, Boyd CA, Hitchcock Y. Examining Indistinguishability-Based Proof Models for Key Establishment Protocols: Springer Berlin Heidelberg; 2005. 585–604 p.
  34. Choo KKR, Hitchcock Y. Security Requirements for Key Establishment Proof Models: Revisiting Bellare—Rogaway and Jeong—Katz—Lee Protocols: Springer Berlin Heidelberg; 2005. 429–42 p.
  35. Amin R, Islam SH, Biswas G, Khan MK, Li X. Cryptanalysis and enhancement of anonymity preserving remote user mutual authentication and session key agreement scheme for e-health care systems. Journal of medical systems. 2015;39(11):1–21.
  36. Das ML, Saxena A, Gulati VP, Phatak DB. A novel remote user authentication scheme using bilinear pairings. Computers & Security. 2006;25(3):184–9.
  37. Delac K, Grgic M, editors. A survey of biometric recognition methods. Electronics in Marine, 2004 Proceedings Elmar 2004 46th International Symposium; 2004: IEEE.
  38. Gorman LO. Comparing passwords, tokens, and biometrics for user authentication. Proceedings of the IEEE. 2003;91(12):2021–40.
  39. He D, Kumar N, Lee J-H, Sherratt R. Enhanced three-factor security protocol for consumer USB mass storage devices. Consumer Electronics, IEEE Transactions on. 2014;60(1):30–7.
  40. Cayirci E, Rong C. Security in wireless ad hoc and sensor networks: John Wiley & Sons; 2008.
  41. Krawczyk H, Canetti R, Bellare M. HMAC: Keyed-hashing for message authentication. 1997.
  42. Raymond DR, Midkiff SF. Denial-of-service in wireless sensor networks: Attacks and defenses. Pervasive Computing, IEEE. 2008;7(1):74–81.
  43. Goodrich MT, Tamassia R. Introduction to computer security: Pearson; 2011.
  44. Mitnick K. Ghost in the Wires: My Adventures as the World's Most Wanted Hacker: Little, Brown; 2011.
  45. Mitnick KD, Simon WL. The art of deception: Controlling the human element of security: John Wiley & Sons; 2011.
  46. Choo KKR. On the Security Analysis of Lee, Hwang & Lee (2004) and Song & Kim (2000) Key Exchange / Agreement Protocols. Informatica. 2006;17(4):467–80.
  47. jia C. Wireless sensor network security research [D]: Zhejiang University; 2008.
  48. Bakhtiari S, Safavi-Naini R, Pieprzyk J. Cryptographic hash functions: A survey. Centre for Computer Security Research, Department of Computer Science, University of Wollongong, Australie. 1995.
  49. Damgård IB, editor. A design principle for hash functions. Advances in Cryptology—CRYPTO’89 Proceedings; 1990: Springer.
  50. Rogaway P, Shrimpton T, editors. Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. Fast Software Encryption; 2004: Springer.
  51. Maymounkov P, Mazieres D. Kademlia: A peer-to-peer information system based on the xor metric. Peer-to-Peer Systems: Springer; 2002. p. 53–65.
  52. Yang C-N, Wang D-S. Property analysis of XOR-based visual cryptography. Circuits and Systems for Video Technology, IEEE Transactions on. 2014;24(2):189–97.
  53. Javidi B, Bernard L, Towghi N. Noise performance of double-phase encryption compared to XOR encryption. Optical Engineering. 1999;38(1):9–19.
  54. Zeng P, Choo KKR, Sun DZ. On the security of an enhanced novel access control protocol for wireless sensor networks. IEEE Transactions on Consumer Electronics. 2010;56(2):566–9.
  55. Bellare M, Pointcheval D, Rogaway P. Authenticated Key Exchange Secure against Dictionary Attacks: Springer Berlin Heidelberg; 2000. 139–55 p.
  56. Choo KKR, Boyd CA, Hitchcock Y, Maitland GM. Complementing Computational Protocol Analysis with Formal Specifications. Ifip Advances in Information & Communication Technology. 2004;173:129–44.
  57. Messerges TS, Dabbish E, Sloan RH. Examining smart-card security under the threat of power analysis attacks. Computers, IEEE Transactions on. 2002;51(5):541–52.
  58. Kocher P, Jaffe J, Jun B, editors. Differential power analysis. Advances in Cryptology—CRYPTO’99; 1999: Springer.
  59. Newsome J, Shi E, Song D, Perrig A, editors. The sybil attack in sensor networks: analysis & defenses. Proceedings of the 3rd international symposium on Information processing in sensor networks; 2004: ACM.
  60. Eschenauer L, Gligor VD, editors. A key-management scheme for distributed sensor networks. Proceedings of the 9th ACM conference on Computer and communications security; 2002: ACM.
  61. Perrig A, Stankovic J, Wagner D. Security in wireless sensor networks. Communications of the ACM. 2004;47(6):53–7.
  62. Burrows M, Abadi M, Needham RM, editors. A logic of authentication. Proceedings of the Royal Society of London A: Mathematical, Physical and Engineering Sciences; 1989: The Royal Society.
  63. Ge M, Choo KKR, Wu H, Yu Y. Survey on key revocation mechanisms in wireless sensor networks. Journal of Network & Computer Applications. 2016;63(C):24–38.
  64. Ge M, Choo KKR, editors. A Novel Hybrid Key Revocation Scheme for Wireless Sensor Networks. International Conference on Network and System Security, Nss; 2014.
  65. Zeng P, Cao Z, Choo KKR, Wang S. Security weakness in a dynamic program update protocol for wireless sensor networks. IEEE Communications Letters. 2009;13(6):426–8.
  66. Choo KKR, Nam J, Won D. A mechanical approach to derive identity-based protocols from Diffie—Hellman-based protocols. Information Sciences. 2014;281:182–200.
  67. Nam J, Choo KKR, Paik J, Won D. Cryptanalysis of Server-Aided Password-Based Authenticated Key Exchange Protocols. International Journal of Security & Its Applications. 2013;7(2):47–58.
  68. Choo KKR, Boyd C, Hitchcock Y. Errors in Computational Complexity Proofs for Protocols: Springer Berlin Heidelberg; 2005. 624–43 p.
  69. Matthews T. Passwords are not enough. Computer Fraud & Security. 2012;2012(5):18–20.
  70. Morris R, Thompson K. K.: Password security: A case history. Communications of the Acm. 1979;22(11):594–7.
  71. Bonneau J, Herley C, Oorschot PCV, Stajano F, editors. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. 2012 IEEE Symposium on Security and Privacy; 2012.
  72. Lee C-C, Chen C-T, Wu P-H, Chen T-Y. Three-factor control protocol based on elliptic curve cryptosystem for universal serial bus mass storage devices. Computers & Digital Techniques, IET. 2013;7(1):48–56.
  73. Li C-T, Hwang M-S. An efficient biometrics-based remote user authentication scheme using smart cards. Journal of Network and computer applications. 2010;33(1):1–5.
  74. Subashini S, Kavitha V. A survey on security issues in service delivery models of cloud computing. Journal of network and computer applications. 2011;34(1):1–11.
  75. Padmavathi DG, Shanmugapriya M. A survey of attacks, security mechanisms and challenges in wireless sensor networks. arXiv preprint arXiv:09090576. 2009.
  76. Amin R, Biswas G. A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks. Ad Hoc Networks. 2016;36:58–80.
  77. Wang D, Wang N, Wang P, Qing S. Preserving privacy for free: Efficient and provably secure two-factor authentication scheme with user anonymity. Information Sciences. 2015.
  78. Zhou J, Cao Z, Dong X, Xiong N, Vasilakos AV. 4S: A secure and privacy-preserving key management scheme for cloud-assisted wireless body area network in m-healthcare social networks. Information Sciences. 2015;314:255–76.
  79. 79. Zhao Z. An efficient anonymous authentication scheme for wireless body area networks using elliptic curve cryptosystem. Journal of medical systems. 2014;38(2):1–7.
  80. 80. Yuan J-J. An enhanced two-factor user authentication in wireless sensor networks. Telecommunication Systems. 2014;55(1):105–13.
  81. 81. Delgado-Mohatar O, Fúster-Sabater A, Sierra JM. A light-weight authentication scheme for wireless sensor networks. Ad Hoc Networks. 2011;9(5):727–35.
  82. 82. Chatterjee K, De A, Gupta D. A Secure and Efficient Authentication Protocol in Wireless Sensor Network. Wireless Personal Communications. 2015;81(1):17–37.
  83. 83. Wang D, Wang P. Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks. Ad Hoc Networks. 2014;20:1–15.
  84. 84. Schneier B. Applied cryptography: protocols, algorithms, and source code in C: john wiley & sons; 2007.
  85. 85. Ma C. Key Management for Heterogeneous Sensor Networks: National Defense Industry Press; 2012. 206–9 p.
  86. 86. PUB F. Secure hash standard. Public Law. 1995;100:235.
  87. 87. Brouwer AE, Pellikaan R, Verheul ER. Doing more with fewer bits. Advances in Cryptology-ASIACRYPT’99: Springer; 1999. p. 321–32.