An Enhanced Three-Factor User Authentication Scheme Using Elliptic Curve Cryptosystem for Wireless Sensor Networks

Abstract

As an essential part of Internet of Things (IoT), wireless sensor networks (WSNs) have touched every aspect of our lives, such as health monitoring, environmental monitoring and traffic monitoring. However, due to its openness, wireless sensor networks are vulnerable to various security threats. User authentication, as the first fundamental step to protect systems from various attacks, has attracted much attention. Numerous user authentication protocols armed with formal proof are springing up. Recently, two biometric-based schemes were proposed with confidence to be resistant to the known attacks including offline dictionary attack, impersonation attack and so on. However, after a scrutinization of these two schemes, we found them not secure enough as claimed, and then demonstrated that these schemes suffer from various attacks, such as offline dictionary attack, impersonation attack, no user anonymity, no forward secrecy, etc. Furthermore, we proposed an enhanced scheme to overcome the identified weaknesses, and proved its security via Burrows–Abadi–Needham (BAN) logic and the heuristic analysis. Finally, we compared our scheme with other related schemes, and the results showed the superiority of our scheme.

1. Introduction

With its strong self-organization, low-cost, resource-limited and data-centered, wireless sensor networks (WSNs) have been widely deployed in harsh environments such as military, industrial, transportation and even battlefields. Different to some systems such as the distributed architectures [1,2], there are three participants in WSNs. Each participant has different computational and storage power, and only the gateway can store the long-term key. Furthermore, most sensor nodes are distributed in an unattended environment, which means the sensor node is prone to be attacked. It also should be noted that the communications between users and sensor nodes are usually in an open channel, and the adversary can eavesdrop on or modify messages in the network. Therefore, the privacy and security of WSNs are always the thorny and vital issues. To deal with these security issues, it is a common practice to establish a security mechanism to share secret key between communicating parties and encrypt the date from remote parities. In this context, the remote user authentication protocol [3,4,5,6,7] with a session key is an essential security strategy for a secure and practical communication over an untrusted but complicated network. It guarantees that the communicating parties can verify the validity of each other and negotiate a session key for encrypting the future transmitted messages. The major challenge in designing an authentication protocol in WSNs is to balance the relationship between security, privacy and computational cost.

Generally, we authenticate a remote user from three aspects: what he knows, such as password; what he owns, such as a smart card; who he is, such as biometrics. A scheme using “X” aspects to verify the remote user is called “X-factor” authentication protocol. With the development of biotechnology and the increasing demands on security, three-factor (password + smart card + biometrics) user authentication scheme gets widely applied.

1.1. Related Works

In 2009, Das [8] introduced a password-based scheme with a smart card for WSNs; it then aroused an intense discussion and greatly promoted the development of user authentication in WSNs. Many researchers [4,9,10,11] identified the security pitfalls in Das’s scheme [8] (such as being prone to offline password guessing attack, impersonation attack and insider attack), and then proposed many enhanced versions. However, none of these schemes was secure enough to resist against various attacks or achieved low computational cost.

In 2011, Fan et al. [12] criticized the weakness of previous schemes and designed a new scheme with lightweight operations. With lower computational cost, their scheme seems quite suitable for a resources-limited environment such as WSNs. In 2012, Das et al. [13] proposed a new scheme which supports the dynamical addition of new nodes and only involves some lightweight operations. It has to be admitted that Das et al.’s scheme provides many desired attributes. Unfortunately, Wang et al. [14] identified that the two schemes both are vulnerable to many attacks: Fan et al.’s scheme [12] can neither achieve user anonymity, nor avoid smart card lost attack and insider attack, etc.; Das et al.’s scheme cannot resist against insider attack, smart card lost attack, etc.

In 2013, Xue et al. [15] introduced an efficient authentication scheme with admirable features and lightweight computational cost. However, it was revealed by Wang et al. [3] that this scheme fails to achieve user anonymity. Furthermore, Li et al. [16] demonstrated its vulnerability to offline dictionary attack, insider attack, stolen-verifier attack, etc., and proposed a new scheme which is still insecure against offline dictionary attack. In the same year, Li et al. [17] identified the weakness (not resistant to dictionary attack and session key disclosure attack, etc.) in Yeh et al.’s scheme [18].

In 2014, Choi et al. [19] showed that a previous scheme [20] suffers from sensor energy exhausting attack, offline password guessing attack and the session key attack, and then proposed a new scheme. After demonstrating the security flaws in Xue et al.’s scheme [15], Jiang et al. [21] also designed an improved one. However, both the scheme of Choi et al. [19] and Jiang et al. [21] were discovered as not being secure as claimed by Wu et al. [22].

In 2015, He et al. [23] described a temporal-credential-based scheme for WSNs, yet soon was pointed out subject to impersonation attack, smart card lost attack and tracking attack. In the same year, Chang et al. [24] proposed an enhanced dynamic identity authentication, once again, it was proved not secure against offline password guessing attack, user impersonation attack, etc. by Jung et al. [25] and Park et al. [26]. To strengthen the security of the scheme, Jung et al. [25] and Park et al. [26] both added the biological characteristic as a new factor and proposed a three-factor enhanced version. Furthermore, they both proved the security of their scheme formally, so they were confident in the security of their scheme.

1.2. Motivations and Contributions

When revisiting Jung et al.’s scheme [25] and Park et al.’s scheme [26], it was regretful to find that the two schemes are still not as secure as claimed, though they both are equipped with the complete formal proof, and furthermore, add a biometric factor into the scheme to improve the security of the previous scheme. Ridiculously, the improved two schemes that are armed with a biometric factor and a formal proof, even cannot provide the same level security assurance as the previous ones. We find them vulnerable to offline password guessing attack, impersonation attack, and no user anonymity, no forward security, etc.

In fact, it is pretty common that a scheme with formal security proof was found insecure. Though the user authentication in wireless sensor networks have been developed over almost ten years since Das [8] first proposed a two-factor scheme, there is not yet a secure and practical scheme. Even more alarming is the fact that many schemes violate some basic design principles that have been proposed. Such an unsatisfactory situation prompts us to design a secure but efficient scheme for wireless sensor networks. Furthermore, the common consensus on the system architecture, adversary model and security requirements should be reached. In conclusion, our contributions are as follows:

• We depict the system architecture, adversary model and security requirements of wireless sensor networks. Though these factors are the basis of the authentication scheme, researchers usually ignore them.
• We demonstrate that: (1) Jung et al.’s scheme cannot resist against offline password guessing attack, impersonation attack, and fails to achieve user anonymity and forward secrecy, etc.; (2) Park et al.’s scheme suffers from offline password guessing attack, and no user anonymity. Furthermore, we explain the inherent reason for these attacks.
• We propose an improved scheme with various desirable attributes, and prove its security via BAN logic and heuristic analysis. Then, we compare our scheme with other related schemes. The results show the great advantage of our scheme.

1.3. Organization of the Paper

The remainder of this paper is organized as follows: we describe the system architecture and adversary model in Section 2, analyze Jung et al.’s scheme and Park et al.’s scheme in Section 3 and Section 4, respectively; in Section 5, we propose an enhanced scheme; the security and performance analysis are given in Section 6 and Section 7, respectively; and the conclusions are drawn in Section 8.

2. Preliminaries

This section introduces the preliminaries in the user authentication scheme including computational problems, system architecture, adversary model and security requirements.

2.1. Computational Problems

Given two large primes p and q, let ${\mathbb{F}}_p$ be a finite field, $E/{\mathbb{F}}_p$ be an elliptic curve over ${\mathbb{F}}_p$, and $\mathbb{G}$ be a q-order subgroup of $E/{\mathbb{F}}_p$. Then, for $\alpha ,\beta \in Z_p^{\ast }$ and a point P in $\mathbb{G}$, we can define the discrete logarithm problem over the elliptic curve as follows:

• Elliptic curve discrete logarithm problem: given (P, $\alpha P$), it is impossible to compute $\alpha$ within polynomial time.
• Elliptic curve computational Diffie–Hellman problem: given ($\alpha P$, $\beta P$), it is impossible to compute $\alpha \beta P$ within polynomial time.

2.2. System Architecture

Wireless sensor networks (as shown in Figure 1) attract worldwide attention with the prevalence of Internet of Things (IoT). Generally, people may be more familiar with distributed systems, which involve two participants: a set of users and a single server, while there are three participants in the user authentication of WSNs: a number of sensor nodes, a gateway node and a set of users. In a wireless sensor network, there are tens to thousands of sensor nodes that are deployed in a particular area. They work together to collect the data from physical world and have limited computing and storage power. Furthermore, they are usually left in an unattended environment, so the adversary can easily capture them to acquire secret parameters. The gateway node acts like a registration center. In WSNs, an authentication protocol usually consists of four basic phases: registration, login, verification, and password update. Sometimes, the dynamic node addition phase is suggested for meeting the demand on increasing new sensor nodes. In the registration phase, users and sensor nodes submit their personal information to the gateway, then the gateway will issue users a smart card with some sensitive parameters physically (face to face or via the mail), and distribute a shared secret key to sensor nodes. When a user wants to access a sensor node, he/she can initialize an access request to the gateway in the login phase. After checking the legitimacy of the user, the gateway informs the corresponding sensor node about the request. Then, the user and the sensor node verify the legitimacy of each other via (or not) the gateway and negotiate a session key in the verification phase. The user can change the password in the password update phase. In addition, the new sensor nodes can join the network in the dynamic node addition phase.

2.3. Adversary Models

When considering cryptanalysis of the user authentication schemes in WSNs, the adversary $\mathcal{A}$ is also supposed to have the following capacities:

• $\mathcal{A}$ can fully control the open communication channel, i.e., $\mathcal{A}$ can modify, intercept, delete, and resend the eavesdropped on messages over an open channel [9,27].
• $\mathcal{A}$ can enumerate all the items in ${\mathcal{D}}_{pw}\ast {\mathcal{D}}_{id}$ in polynomial time, where ${\mathcal{D}}_{pw}$ and ${\mathcal{D}}_{id}$ denote the password space and the identity space, respectively [28,29].
• When evaluating forward secrecy, $\mathcal{A}$ can get the long-term secret key [28,30].
• $\mathcal{A}$ can acquire the password of a legitimate user by a malicious card reader, or get the parameters in the smart card, but cannot achieve both [28,30].
• $\mathcal{A}$ can get the data in sensor nodes for they are usually left unattended [3,31].
• $\mathcal{A}$ can get the past session keys [30].
• $\mathcal{A}$ can get the user’s biometrics [29,32].

The capacity of acquiring biometrics is the most controversial. Many researchers view it as a quite strong factor that cannot be broken. However, this is impractical. For example, the adversary can at least get the biometrics via a malicious terminal. Moreover, unlike the password that may change with the different applications, the biometrics is unique to every particular person. Thus, the adversary can collect one’s biometrics via any biometric-based terminal. This indicates that the adversary can acquire the password and biometrics both, or the smart card and the biometrics both. Furthermore, this hypothesis has been accepted in many schemes, such as [29,32,33].

It should be noted that: a secure three-factor authentication scheme should guarantee that the breaking of any two of the three factors will not affect the other one, and the system is still secure.

2.4. Security Requirements

Understanding the security requirements of the user authentication is a fundamental step to analyze or design a protocol. Thus, we summarize the security requirements of user authentication in the wireless sensor network:

S1 

Mutual authentication. It is an essential requirement in all authentication schemes. It requires the participants to authenticate each other [34,35].

S2 

User anonymity. It is a privacy protection requirement for individual users, not directly related to system security. Many systems have such a requirement including distributed system [36]. While the privacy protection in wireless sensor networks is more severe, since the information among sensor nodes (usually unreliable) is transmitted in a way of broadcasting. Protecting user anonymity is to stop $\mathcal{A}$ from computing the user’s identity or linking the transcript to a same user. Note that such a requirement is not applied to the gateway, but to sensor nodes for they are untrusted.

S3 

Key agreement. It is also an essential requirement in most authentication schemes. The session key is used to encrypt the further communications to achieve confidentiality.

S4 

Forward secrecy. It is for the final collapse of the whole system, and it requires that the previous communications will be secure, even the system collapses (usually refers to the adversary that owns the long-term key of the system).

S5 

User friendly. It is an additional requirement to improve the user experience with the development of the network. A user friendly scheme usually includes: let the user $U_i$ select the password freely, and change it locally [30]; when $U_i$ finds the smart card insecure, let he/she revoke it and re-register to the system with original identity.

S6 

No stolen-verifier attack. It is a requirement related to the security of the whole system (so as the following attacks), which requires that the verifier table does not expose any sensitive information for $\mathcal{A}$ to impersonate the participants or learn/control the session key.

S7 

No insider attack. It requires that the participants cannot get any sensitive information, which may provoke an attack.

S8 

No dictionary attack. It requires that $\mathcal{A}$ cannot conduct a brute force attack.

S9 

No replay attack. It stops $\mathcal{A}$ from conducting an attack via replaying the history message, which requires that the participants can check the freshness and validity of the received message.

S10 

No parallel session attack. This requirement is a bit similar to the replay attack, but it considers a condition where $\mathcal{A}$ conducts an attack via initiating multi-session simultaneously.

S11 

No de-synchronization attack. The synchronization attack in wireless sensor networks is more destructive than that in traditional networks, since a gateway may connect even hundreds of sensor nodes. It requires that the parameters among corresponding participants are consistent.

S12 

No impersonation attack. It is a very important requirement in authentication, which requires that the outside adversary (inside adversary has been considered in insider attack) will not be able to impersonate any participants. A scheme resistant to impersonation attack requires that the participants verify whether the corresponding communication party is a counterfeit one. Note that: the occasion where $\mathcal{A}$ performs a user impersonation attack using the password from a dictionary attack is not included—such an attack belongs to dictionary attack.

S13 

No known key attack. It is an attack related to the session key, which requires $\mathcal{A}$, who knows that the current session key cannot compute the keys in others.

3. Cryptanalysis of Jung et al.’s Scheme

In 2017, Jung et al. [25] demonstrated several attacks against Chang et al.’s [24] two-factor user authentication scheme in WSNs. To improve the security and practicability of the scheme, they devised an enhanced one over Chang et al.’s scheme [24] by “employing biometrics information with the biohashing technique". They proved their scheme secure to various attacks such as offline dictionary attack using the Burrows-Abadi-Needham (BAN) logic. However, as we will show in this section, Jung et al.’s scheme still suffers from offline dictionary attack, impersonation attack, etc., which is even less secure than the previous one. For convenience of illustration, some notations are listed in

Table 1. Notations and abbreviations.

Symbol	Description
$U_i$	$i$th user
$GW$	the gateway node
$S_j$	$j$th sensor node
$\mathcal{A}$	malicious attacker
${\mathit{ID}}_i$	identity of user ${\mathit{U}}_i$
$P{W}_i$	password of user ${\mathit{U}}_i$
$BI{O}_i$	biometrics of user ${\mathit{U}}_i$
$P_j$	the shared secret key between $GW$ and $S_j$
$x,y$	the secret key of remote server $GW$
⊕	the bitwise exclusive OR (XOR) operation
∥	the string concatenation operation
$H(BI{O}_i)$	collision free one-way hash function to the biometrics
$h(·)$	collision free one-way hash function
$Gen(BI{O}_i)$	one part of fuzzy extraction function, output a biometric key $R_i$ and a helper string $P_i$
$Rep(BI{O}_i,P_i)$	one part of fuzzy extraction function, output the biometric key $R_i$ in $Gen(BI{O}_i)$
$\to$	a insecure channel
$\Rightarrow$	a secure channel

.

3.1. A Brief Review of Jung et al.’s Scheme

In this section, we review Jung et al.’s scheme [25] briefly, their scheme consists of four phases: registration, login, verification and password change. The password change phase was omitted, since it has little relevance to this work.

3.1.1. Registration Phase

In Jung et al.’s paper, there is only a user registration phase as follows:

• $U_i\Rightarrow GW$: $\{TI{D}_i,HP{W}_i\}$, where $TI{D}_i$ = $h(I{D}_i||u)$, $HP{W}_i$ = $h(P{W}_i||H(BI{O}_i))$ and u is a random number chosen by the user $U_i$.
• $GW\Rightarrow U_i$: a smart card containing $\{A_i,E_i,C_i,h(·),H(·)\}$, where $HI{D}_i$ = $h(TI{D}_i\left|\right|x)\oplus HP{W}_i$, $A_i$ = $h(HP{W}_i\left|\right|TI{D}_i)\oplus HI{D}_i$, $E_i$ = $h(HP{W}_i||HI{D}_i)$, $C_i$ = $HI{D}_i\oplus x$.
• $U_i$ stores $D_i$ in the smart card, where $D_i$ = $u\oplus H(BI{O}_i)$.

However, according to the paper, the sensor node $S_j$ preserves a private key $X_{s_j}$. So we deduce that the sensor node registration phase was missed. For the integrity, we add it as below:

• $S_j\Rightarrow GW$: $\left\{SI{D}_j\right\}$.
• $GW\Rightarrow S_j$: $X_{s_j}$ = $h(SI{D}_j||x)$.
• $S_j$ stores $X_{s_j}$ as a secret key.

3.1.2. Login Phase and Verification Phase

• $U_i\to GW$: $\{DI{D}_i,M_{U_i,G},C_i,T_1\}$. $U_i$ inputs the $I{D}_i$ and $P{W}_i$, and his biometrics $BI{O}_i$; then, the smart card computes:
  • $\begin{array}{c}HP{W}_i^{\ast }=h(P{W}_i\left|\right|H(BI{O}_i)),\hfill \\ u=D_i\oplus H(BI{O}_i),\hfill \\ TI{D}_i=h(I{D}_i\left|\right|u),\hfill \\ HI{D}_i^{\ast }=A_i\oplus h(HP{W}_i^{\ast }\left|\right|TI{D}_i^{\ast }),\hfill \\ E_i=h(HP{W}_i^{\ast }\left|\right|HI{D}_i^{\ast }).\hfill \end{array}$
  Finally, the card checks $E_i^{\ast }$ ?= $E_i$. If it is equal, the card computes $DI{D}_i$ = $TI{D}_i\oplus HI{D}_i^{\ast }$ and $M_{U_i,G}$ = $h(TI{D}_i|\left|HP{W}_i^{\ast }\right|\left|HI{D}_i^{\ast }\right||T_1)$, and sends $\{DI{D}_i,M_{U_i,G},C_i,T_1\}$ to $GW$. Otherwise, it ends the session.
• $GW\to S_j$: $\{DI{D}_i,M_{G,S_j},M_j,T_2\}$. $GW$ first checks the freshness of $T_1$, then computes:
  • $\begin{array}{c}TI{D}_i^{\ast }=DI{D}_i\oplus C_i\oplus x,\hfill \\ HI{D}_i=C_i\oplus x\hfill \\ HP{W}_i^{\ast }=HI{D}_i\oplus h(TI{D}_i^{\ast }\left|\right|x),\hfill \\ M_{U_i,G}^{\ast }=h(TI{D}_i^{\ast }\left|\right|HP{W}_i^{\ast }\left|\right|HI{D}_i\left|\right|T_1),\hfill \end{array}$
  and further tests $M_{U_i,G}^{\ast }$?= $M_{U_i,G}$. If the condition is not satisfied, $GW$ rejects the request. Otherwise, it computes $X_{s_j}$ = $h(SI{D}_j||x)$, $M_j$ = $R\oplus X_{s_j}$, $SK$ = $f(DI{D}_i,R)$ and $M_{G,S_j}$ = $h(DI{D}_i|\left|SI{D}_j\right|\left|X_{s_j}\right|\left|SK\right||T_2)$, and sends $\{DI{D}_i,M_{G,S_j},M_j,T_2\}$ to $S_j$.
• $S_j\to GW$: $\{M_{S_j,G},T_3\}$. $S_j$ first checks $T_2$, and computes:
  • $\begin{array}{c}{R}^{\ast }=M_j\oplus X_{s_j},\hfill \\ S{K}^{\ast }=f(DI{D}_i,R^{\ast }),\hfill \\ M_{G,S_j}^{\ast }=h(DI{D}_i\left|\right|SI{D}_j\left|\right|X_{s_j}\left|\right|S{K}^{\ast }\left|\right|T_2).\hfill \end{array}$
  If $M_{G,S_j}^{\ast }$ = $M_{G,S_j}$, $S_j$ further computes $k_j$ = $h(X_{s_j}||T_3)$, $M_{S_j,G}$ = $h(k_j|\left|X_{s_j}\right|\left|S{K}^{\ast }\right||T_3)$, and sends $\{M_{S_j,G},T_3\}$ to the $GW$. Otherwise, it exits the session.
• $GW\to U_i$: $\{k_i,M_{G,U_i},T_4\}$. $GW$ first checks $T_3$, and computes:
  • $\begin{array}{c}{k}_j^{\ast }=h(X_{s_j}\left|\right|T_3),\hfill \\ M_{S_j,G}^{\ast }=h(k_j^{\ast }\left|\right|X_{s_j}\left|\right|SK\left|\right|T_3).\hfill \end{array}$
  If $M_{S_j,G}^{\ast }$ = $M_{S_j,G}$, $GW$ further computes $k_i$ = $R\oplus h(TI{D}_i^{\ast }||x)$, $M_{G,U_i}$ = $h(SK|\left|k_i\right|\left|\right||T_4)$, and sends $\{k_i,M_{G,U_i},T_4\}$ to the $GW$. Otherwise, it exits the session.
• $U_i$ first checks $T_4$, and computes $R^{\ast }$ = $k_i\oplus HP{W}_i\oplus HI{D}_i^{\ast }$, $S{K}^{\ast }$ = $f(DI{D}_i,R^{\ast })$ and $M_{G,U_i}^{\ast }$ = $h(S{K}^{\ast }|\left|k_i\right||T_4)$. If $M_{G,U_i}^{\ast }$ = $M_{G,U_i}$, $U_i$ believes the legitimacy of $GW$ and the authentication phase ends successfully. Otherwise, the authentication fails.

3.2. Security Flaws in Jung et al.’s Scheme

Jung et al. [25] criticized that Chang et al.’s scheme [24] fails to resist against offline password guessing attack and the session key attack. Thus, they add a new factor to enhance the security of the previous two-factor scheme, and formed a three-factor one. Despite armed with the biometrics factor and provable security proof, their scheme suffers from the same (even more serious) security issues.

3.2.1. Offline Dictionary Attack

Offline dictionary attack is exactly what most schemes suffer from and also the major security requirement of a user authentication protocol. Jung et al. [25] showed that Chang et al.’s scheme [24] cannot resist against this attack once the adversary breaches the victim’s smart card and eavesdrops on the message from the open channel. Unfortunately, as we show below, the same attack also works for Jung et al.’s own scheme. In addition, Jung et al.’s scheme is vulnerable to other kinds of offline dictionary attacks with less attack cost.

According to the adversary capabilities mentioned in Section 2.3, it is natural to suppose that the adversary $\mathcal{A}$ somehow possessed $U_i$’s smart card and then revealed the message $\{A_i,E_i,C_i,D_i\}$ in it; acquired $U_i$’s biometric $BI{O}_i$ by a malicious terminal or other ways; and intercepted transcripts $\{DI{D}_i,M_{U_i,G},C_i,T_1\}$ via the public channel. Then, $\mathcal{A}$ can obtain $U_i$’s password $P{W}_i$ as follows:

• Guesses the value of $P{W}_i$ to be $P{W}_i^{\ast }$ and $I{D}_i$ to be $I{D}_i^{\ast }$ from the dictionary space ${\mathcal{D}}_{pw}$ and ${\mathcal{D}}_{id}$, respectively. In fact, according to Wang et al. [28], once an adversary picks the victim’s ($U_i$) smart card, it is easy to learn the corresponding identity $I{D}_i$ of the user $U_i$.
• Computes $HP{W}_i^{\ast }$ = $h(P{W}_i^{\ast }||H(BI{O}_i))$.
• Computes u = $D_i\oplus H(BI{O}_i)$, where $D_i$ is from the smart card.
• Computes $TI{D}_i^{\ast }$ = $h(I{D}_i^{\ast }||u)$.
• Computes $HI{D}_i^{\ast }$ = $A_i\oplus h(HP{W}_i^{\ast }\left|\right|TI{D}_i^{\ast })$, where $A_i$ is from the card.
• Computes $M_{U_i,G}^{\ast }$ = $h(TI{D}_i^{\ast }|\left|HP{W}_i^{\ast }\right|\left|HI{D}_i^{\ast }\right||T_1)$, where $T_1$ is from the public channel.
• Verifies the correctness of $PW{i}^{\ast }$ and $I{D}_i^{\ast }$ by checking if the computed $M_{U_i,G}^{\ast }$ is equal to the intercepted $M_{U_i,G}$.
• Repeats Steps 1–7 of this procedure until the correct value of $P{W}_i$ and $I{D}_i$ is found.

The time complexity of the above attack is $\mathcal{O}(|{\mathcal{D}}_{pw}|\ast |{\mathcal{D}}_{id}|\ast (5T_H))$. $T_H$ is the running time for hash computation. $|{\mathcal{D}}_{pw}|$ denotes the number of passwords in ${\mathcal{D}}_{pw}$. $|{\mathcal{D}}_{pw}|$ and $|{\mathcal{D}}_{id}|$ are very limited, generally $|{\mathcal{D}}_{id}|<|{\mathcal{D}}_{pw}|<{10}^6$ [30,37], so the above attack is quite efficient.

Besides the above kind of offline dictionary attack, Jung et al.’s scheme still suffers from another kind of offline dictionary attack where the adversary $\mathcal{A}$ obtained the victim’s smart card and the biometrics $BI{O}_i$. Then, $\mathcal{A}$ can conduct another offline dictionary attack as follows (Steps 1–5 are the same with the above attack, so they are omitted):

• Step 6. Computes $E_i$ = $h(HP{W}_i^{\ast }||HI{D}_i^{\ast })$, where $A_i$ is from the card.
• Step 7. Verifies the correctness of $P{W}_i^{\ast }$ and $I{D}_i^{\ast }$ by checking if $E_i^{\ast }$ ?= $E_i$.
• Step 8. Repeats Steps 1–7 of this procedure until the correct value of $P{W}_i$ and $I{D}_i$ is found.

The time complexity of the attack is the same as the former attack. Actually, these two attack strategies are not new, and many researchers [32,36,38,39,40] have captured these two attack scenarios to break numerous schemes. However, these kinds of adversaries are still rampant.

Remark 1.

As we mentioned before, a true three-factor authentication scheme should ensure that even if any two of the three factors are compromised, the other factor cannot be breached and the entire system is still secure. Obviously, this protocol is intrinsically not a three-factor protocol. It indicates that the biometric factor is not a master key to settle the problem in user authentication. On the contrary, a scheme armed with biometrics factor may even cannot provide the same security level as a two-factor authentication. The way to add more factors into the authentication protocol is not the essential way to design a more secure protocol.

In the scheme of Jung et al. [25], the obstacles to compute the verification value $M_{U_i,G}$ for an adversary $\mathcal{A}$ is the $P{W}_i$ and the $I{D}_i$, so $\mathcal{A}$ can guess the value of the $P{W}_i$ and the $I{D}_i$, then verify the guessed value by comparing the computed $M_{U_i,G}^{\ast }$ with the intercepted $M_{U_i,G}$. This is exactly the essential reason for the former kind of offline dictionary attack. Similarly, $E_i$ is also the fuse of the latter kind of attack. However, the function of the two parameters is quite different: the $M_{U_i,G}$ is the key of the $GW$ to authenticate $U_i$, while the $E_i$ contributes to changing the password locally and detecting incorrect input timely. Therefore, the $M_{U_i,G}$ is indispensable to an authentication protocol, and the $E_i$ conduces to improve the usability of a scheme. Furthermore, the “public-key principle” is necessary to resist the former attack [41]; and a way of “honeywords” + “fuzzy-verifiers” is suggested by Wang et al. [30] to deal with the latter attack.

3.2.2. Impersonation Attack

Suppose an adversary $\mathcal{A}$ was also a legal user $U_a$, then he could get the secret key x as follows:

• Computes u = $D_a\oplus H(BI{O}_a)$, where $D_a$ is from the smart card.
• Computes $TI{D}_a$ = $h(I{D}_a||u)$.
• Computes $HP{W}_a$ = $h(P{W}_a||H(BI{O}_i))$.
• Computes $HI{D}_a$ = $A_a\oplus h(HP{W}_a\left|\right|TI{D}_a)$, where $A_a$ is from the card.
• Computes x = $C_a\oplus HI{D}_a$, where $C_a$ is from the card.

Obviously, the time complexity of the above attack is $\mathcal{O}(5T_H+3T_R)$, where $T_R$ is the running time for exclusive-or operation. With the secret x, $\mathcal{A}$ has the same capacity as the $GW$, thus $\mathcal{A}$ can impersonate as the $GW$ or the $S_j$; this indicates that the security of the whole system collapsed.

Actually, not only can an insider legal user carry out such an attack, but also an adversary who has gotten the $PW$ and $ID$ of any users by “offline dictionary attack” can also perform such an attack. The $C_i$ ($C_i$ = $HI{D}_i\oplus x$) is the fundamental reason for such an attack. To a legitimate user who knows the $HI{D}_i$, the secret key x is actually exposed. Therefore, the only “XOR” operation on x is a risky behavior which is far from enough to protect such an significant parameter.

3.2.3. User Anonymity

User anonymity is of great significance to privacy protection. It requires that the adversary can neither confirm who transmits the messages nor recognize whether the messages come from the same user. In wireless sensor networks, numerous sensor nodes are deployed in an unattended environment. In addition, the information is transmitted in a way of broadcasting. Therefore, user anonymity in WSNs is an essential requirement. However, in Jung et al.’s scheme [25], user-specific parameters $DI{D}_i$ and $C_i$ are transmitted via an open channel. Thus, following $DI{D}_i$ or $C_i$, the adversary $\mathcal{A}$ identifies the transmitted messages with the $DI{D}_i$ and $C_i$ from a large amount of messages in the open channel, and links them to the user $U_i$. Then, for the purpose of marketing or even other terrible attempts, the $\mathcal{A}$ can learn the user $U_i$’s habits, such as the time to initiate an access request, the kinds of sensor nodes to visit. Therefore, Jung et al’s scheme fails to achieve user anonymity.

3.2.4. Forward Secrecy

Forward secrecy requires that even if the long-term secret key was exposed, the adversary still cannot compute the previous session key. In other words, when the long-term key is compromised, the protocol cannot promise the security of further communications, but it can guarantee the security of the previous communication. Forward secrecy is the last umbrella of system security, but Jung et al.’s scheme fails to achieve it.

Supposing that an adversary $\mathcal{A}$ got the secret key x and intercepted the parameters $DI{D}_i$ and $M_j$ in the channel, $\mathcal{A}$ could perform an attack to get the previous session key as follows:

• Computes $X_{s_j}$ = $h(SI{D}_j||x)$.
• Computes R = $M_j\oplus X_{s_j}$, where $M_j$ is from the open channel.
• Computes $SK$ = $f(DI{D}_i,R)$, where $DI{D}_i$ is from the open channel.

Remark 2.

In this scheme, the session key consists of a fixed parameter $DI{D}_i$ and a random number R from $GW$. As $DI{D}_i$ is exposed to an open channel, the only challenge in computing the session key is the value of R. On one hand, the sensor node $S_j$ has to know R to form the session key. This means that the $S_j$ is capable of computing R. On the other hand, $S_j$’s special or only secret parameter is $X_{s_j},$ where $X_{s_j}$ = $h(SI{D}_j||x)$. Thus, once acquiring $X_{s_j}$ and the transmitted message in an open channel, anyone can compute the session key. Therefore, when an adversary learns the long-term key x, he/she has the same capability as the $S_j$. Of course, he/she can compute the correct session key. In fact, it is a more secure way to set up the session key with the security mechanism of challenge-response for the two sides of communication. Anyway, all this corroborates that a protocol without any exponentiation operations conducted on the server side cannot achieve forward secrecy [41].

4. Cryptanalysis of Park et al.’s Scheme

Similar to Jung et al., Park et al. [26] also criticized Chang et al.’s scheme [24], and improved this two-factor scheme into a three-factor one. They claimed their new scheme overcomes the weaknesses in [24], and proved the security of the scheme via BAN logic. Unfortunately, we once again found this scheme also insecure: no resistance to two kinds of offline dictionary attacks and no user anonymity.

4.1. A Brief Review of Park et al.’s Scheme

This section describes Park et al.’s scheme [26] briefly.

4.1.1. Registration Phase

Note that the senor node registration phase is the same with Jung et al.’s [25], so it is omitted here.

• $U_i\Rightarrow GW$: $\{I{D}_i,HP{W}_i\}$, where $(R_i,P_i)$ = $Gen(BI{O}_i)$, $HP{W}_i$ = $h(P{W}_i||R_i)$.
• $GW\Rightarrow U_i$: a smart card containing $\{A_i,B_i,C_i,TI{D}_i,h(·)\}$, where $HI{D}_i$ = $h(I{D}_i||x)$, $X_{s_i}$ = $h(HI{D}_i||x)$, $A_i$ = $h(HP{W}_i\left|\right|X_{s_i})\oplus HI{D}_i$, $B_i$ = $h(HP{W}_i||X_{s_i})$, $C_i$ = $X_{s_i}\oplus h(I{D}_i\left|\right|HP{W}_i$. Furthermore, $GW$ stores $(TI{D}_i,TI{D}_i^{\circ })$ in database, and $TI{D}_i$ is a random number, $TI{D}_i^{\circ }$ is initialized to NULL.
• $U_i$ inputs $P_i$ into the smart card. Note that, in Park et al.’s scheme [26], this step is not mentioned. But, according to the scheme, this step is necessary. We speculate it is missed.

4.1.2. Login Phase and Verification Phase

• $U_i\to GW$: $\{DI{D}_i,X_i,M_{U_i,G},T_i,TI{D}_i\}$. $U_i$ inputs the $I{D}_i$ and $P{W}_i$, and the biometrics $BI{O}_i$, and then the smart card computes:
  • $\begin{array}{c}{R}_i^{\ast }=Rep(BI{O}_i,P_i),\hfill \\ HP{W}_i^{\ast }=h(P{W}_i\left|\right|R_i^{\ast }),\hfill \\ X_{s_i}^{\ast }=C_i\oplus h(I{D}_i\left|\right|HP{W}_i^{\ast }),\hfill \\ B_i^{\ast }=h(HP{W}_i^{\ast }\oplus X_{s_i}^{\ast }).\hfill \end{array}$
  If $B_i^{\ast }$ == $B_i$, the card selects a random number $\alpha \in Z_p^{\ast }$, and computes $X_i$ = $\alpha P$, $k_i$ = $h(X_{s_i}^{\ast }||T_i)$, $DI{D}_i$ = $h(HP{W}_i\left|\right|X_{s_i}^{\ast })\oplus k_i$ and $M_{U_i,G}$ = $h(A_i|\left|X_{s_i}^{\ast }\right|\left|X_i\right||T_i)$, and sends $\{DI{D}_i,X_i,M_{U_i,G},T_i,TI{D}_i\}$ to $GW$. Otherwise, it ends the session.
• $GW\to S_j$: $\{DI{D}_i,M_{G,S_j},X_i,T_G\}$. $GW$ first checks $T_i$, then gets $HI{D}_i$ and computes:
  • $\begin{array}{c}{X}_{s_i}^{\prime }=h(HI{D}_i\left|\right|x),\hfill \\ k_i^{\prime }=h(X_{s_i}^{\prime }\left|\right|T_i).\hfill \end{array}$
  If $M_{U_i,G}$≠$h(h(DI{D}_i\oplus k_i^{\prime }\oplus HI{D}_i)|\left|X_{s_i}^{\prime }\right|\left|X_i\right||T_i)$, $GW$ rejects the request. Otherwise, it computes $X_{s_j}^{\prime }$ = $h(SI{D}_j||x)$, $M_{G,S_j}$ = $h(DI{D}_i|\left|SI{D}_j\right|\left|X_{s_j}^{\prime }\right|\left|X_i\right||T_G)$, and sends $\{DI{D}_i,M_{G,S_j},X_i,T_G\}$ to $S_j$.
• $S_j\to GW$: $\{M_{S_j,G},Y_j,T_j\}$. $S_j$ first checks $T_G$, and if $M_{G,S_j}$≠$h(DI{D}_i|\left|SI{D}_j\right|\left|X_{s_j}\right|\left|X_i\right||T_G)$, rejects it. Otherwise, $S_j$ chooses $b\in Z_p^{\ast }$ and computes:
  • $\begin{array}{c}{Y}_j=\beta P,\hfill \\ k_j=h(X_{s_j}\left|\right|T_j),\hfill \\ Z_i=M_{G,S_j}\oplus k_j\hfill \\ S{K}_j=h(DI{D}_i\left|\right|k_j\left|\right|\beta X_i),\hfill \\ M_{S_j,G}=h(Z_i\left|\right|X_{s_j}^{\ast }\left|\right|X_i\left|\right|Y_j\left|\right|T_j),\hfill \end{array}$
  and sends $\{M_{S_j,G},Y_j,T_j\}$ to the $GW$.
• $GW\to U_i$: $\{e_i,M_{G,U_i},Y_j,T_G^{\prime }\}$. $GW$ first checks $T_j$, and computes $k_j^{\prime }$ = $h(X_{s_j}^{\prime }||T)j)$, $Z_i^{\prime }$ = $M_{G,S_j}\oplus k_j^{\prime }$, if $M_{S_j,G}$ == $h(Z_i^{\prime }|\left|X_{s_j}^{\prime }\right|\left|X_i\right|\left|X_j\right||T_j)$, $GW$ further computes:
  • $\begin{array}{c}{e}_i=k_j\oplus h(k_i),\hfill \\ M_{G,U_i}=h(DI{D}_i\left|\right|M_{U_i,G}\left|\right|k_j^{\prime }\left|\right|X_{s_i}^{\prime }\left|\right|X_i\left|\right|Y_j\left|\right|T_G^{\prime }),\hfill \\ TI{D}_{i_{new}}=h(HI{D}_i\left|\right|T_i),\hfill \end{array}$
  and updates $(TI{D}_i,TI{D}_i^{\circ })$ as $(TI{D}_{i_{new}},TI{D}_i)$, then sends $\{e_i,M_{G,U_i},Y_i,T_G^{\prime }\}$ to the $GW$. Otherwise, it exits the session.
• $U_i$ checks $T_G^{\prime }$, and computes $k_j^{\ast }$ = $e_i\oplus h(k_i)$, if $M_{G,U_i}$ == $h(DI{D}_i|\left|M_{U_i,G}\right|\left|k_j^{÷}\right|\left|X_{s_i}^{\ast }\right|\left|X_i\right|\left|Y_j\right||T_G^{\prime })$, computes $SK$ = $h(DI{D}_i|\left|k_j^{\ast }\right||\alpha Y_j)$, and updates $TI{D}_i$ as $h(HI{D}_i||T_i)$. Otherwise, it exits the session.

4.2. Security Flaws in Park et al.’s Scheme

Compared with Jung et al. [25], Park et al. [26] deployed an elliptic curve cryptosystem trying to achieve user anonymity and resist against offline dictionary attack. Though Wang et al. [3,41] pointed out that a public key algorithm is necessary to achieve user anonymity and offline dictionary attack, it does not mean that, once the public key algorithm is added, the system will be secure. Deploying the public key algorithm requires some skills, and we will propose a sound scheme as an example to explain such skills in Section 5. In this section, we proved that Park et al.’s scheme suffers from many attacks, including offline dictionary attack and no user anonymity.

4.2.1. Offline Dictionary Attack

Suppose the adversary $\mathcal{A}$ got the message $\{A_i,B_i,C_i,P_i,TI{D}_i\}$ in the card; and also acquired $U_i$’s biometrics $BI{O}_i$ in addition to intercepted transcripts $\{DI{D}_i,X_i,M_{U_i,G},T_i,TI{D}_i\}$. Then, $\mathcal{A}$ conducts an offline dictionary attack as follows:

• Guesses $P{W}_i$ to be $P{W}_i^{\ast }$ and $I{D}_i$ to be $I{D}_i^{\ast }$.
• Computes $R_i^{\ast }$ = $Rep(BI{O}_i,P_i)$, where $P_i$ is from the smart card.
• Computes $HP{W}_i^{\ast }$ = $h(P{W}_i^{\ast }||R_i^{\ast })$.
• Computes $X_{s_i}^{\ast }$ = $C_i\oplus h(I{D}_i^{\ast }\left|\right|HP{W}_i^{\ast })$.
• Computes $M_{U_i,G}^{\ast }$ = $h(A_i|\left|X_{s_i}^{\ast }\right|\left|X_i\right||T_i)$, where $A_i$ is from the card, $X_i$ and $T_i$ are from the channel.
• Verifies the correctness of $PW{i}^{\ast }$ and $I{D}_i^{\ast }$ by checking whether $M_{U_i,G}^{\ast }$ == $M_{U_i,G}$.
• Repeats Step 1–7 of this procedure until the correct value of $P{W}_i$ and $I{D}_i$ is found.

The time complexity of the above attack is $\mathcal{O}(|{\mathcal{D}}_{pw}|\ast |{\mathcal{D}}_{id}|\ast (3T_H+T_{RE}))$. $T_{RE}$ is the running time of fuzzy extraction computation. Thus, the above attack is quite efficient.

Similar to the analysis in Section 3.2.1, the adversary can also select $B_i$ as the verification to test the guessed value of $P{W}_i^{\ast }$ and $I{D}_i^{\ast }$.

4.2.2. User Anonymity

Park et al. [26] attempted to update some parameters to provide user anonymity. However, such a method is not as desirable as they expected. On one hand, the gateway has to update the database in every session, which is efficient; on the other hand, if the adversary $\mathcal{A}$ acquires the verifier table $\{TI{D}_i,TI{D}_i^{\circ },HI{D}_i)\}$, and intercepts $\{DI{D}_i,X_i,M_{U_i,G},T_i,TI{D}_i\}$, then $\mathcal{A}$ can find the $TI{D}_i$ from the verifier table and get the corresponding $HI{D}_i$. Now, $\mathcal{A}$ can compute the $TI{D}_{i_{new}}$ in the next session as $h(HI{D}_i||T_i)$. Thus, $\mathcal{A}$ can link the login request to the same user who has ever used $TI{D}_i$ via computing $TI{D}_{i_{new}}$ in every session. Thus, Park et al.’s scheme cannot achieve user anonymity.

5. Proposed Scheme

In this section, we proposed a new enhanced scheme (as shown in Figure 2) which not only provides some desirable attributes but also can resist against the known attacks. Furthermore, we improve the scheme from the following aspects:

• based on Wang et al. [3,41], we apply a public key algorithm for resisting against offline dictionary attack via the verification from the open channel. In such an attack, as we analyzed above, the key solution is about the way to construct the verification parameter between the user and the gateway node. Once the verification parameter consists of a “challenge” that is deployed a public key algorithm, a trap door will be built. Therefore only the one who owns the corresponding secret key can compute the correct “challenge” (i.e., X in our scheme). In Park et al.’s scheme, though a public key algorithm is deployed, it is not used to construct a “challenge” for authentication. More specifically, all the parameters in the verification $M_{U_i,G}$ (=$h(A_i|\left|X_{S_i}\right|\left|X_i\right||T_i)$) can be computed with the static or open knowledge in the user side and the open channel, so $\mathcal{A}$ can compute all parameters ($A_i$,$X_{S_i}$,$X_i$,$T_i$) with guessed password and then use $M_{U_i,G}$ to verify the guessed value. While, in our new scheme, a “challenge” X is built. Besides the static or open knowledge on the user side, $\mathcal{A}$ has to know the dynamic $\alpha$ or the long-term key to compute X, and thus fails to conduct such an attack;
• as introduced in Section 3.2.1, we use “honeywords” + “fuzzy-verifiers” to resist against offline dictionary attack via verification from the smart card [30,42];
• we do not protect user anonymity via updating parameters as Park et al., but deploy a dynamic identity technique via a public key algorithm [3].

The details of our scheme is described as follows:

5.1. Registration Phase

The registration phase to the sensor node is similar to Jung et. al. [25] and Park et. al. [26], so it is omitted. When a new user wants to be a legitimate user of the system, then he/she may submit his/her personal information on the gateway to initiate a user registration phase as follows:

• $U_i\Rightarrow GW$: $\{I{D}_i,HP{W}_i\}$, where $(R_i,P_i)$ = $Gen(BI{O}_i)$, $HP{W}_i$ = $h(P{W}_i||R_i)$.
• $GW\Rightarrow U_i$: a smart card containing $\{A_i,B_i,n_0,Y,P\}$, where $X_{s_i}$ = $h(I{D}_i|\left|x\right||r_i)$ ($r_i$ is a random number), $A_i$ = $X_{s_i}\oplus HP{W}_i\oplus P_i$, $B_i$ = $h(h(HP{W}_i)\oplus h(I{D}_i)\oplus h(P_i))$ mod $n_0$, Y = $xP$. Furthermore, $GW$ stores $(I{D}_i,r_i,Honey\_List)$ in database, and $Honey\_List$ is supposed to count the number of failing in user login phase and it is initialized to NULL. Once its value is bigger than the predetermined threshold, the corresponding smart card will be discarded till the user re-registers.
• $U_i$ inputs $P_i$ into the smart card.

5.2. Login Phase and Verification Phase

After being legitimated, the user $U_i$ can login to the system with the password, identity and biometrics, and get authenticated via exchanging information with the corresponding communication parties. Finally, after finishing the authentication successfully, the user and the sensor node will build a session key to protect the security of the subsequent communications.

• $U_i\to GW$: $\{DI{D}_i,X_i,M_{U_i,G},T_i\}$. $U_i$ inputs his/her identity $I{D}_i$, password $P{W}_i$, and biometrics $BI{O}_i$; then, the smart card computes:
  • $\begin{array}{c}{R}_i^{\ast }=Rep(BI{O}_i,P_i),\hfill \\ HP{W}_i^{\ast }=h(P{W}_i\left|\right|R_i^{\ast }),\hfill \\ B_i^{\ast }=h(h(HP{W}_i^{\ast })\oplus h(I{D}_i)\oplus h(P_i))mod{n}_0.\hfill \end{array}$
  If $B_i^{\ast }$ == $B_i$, the card accepts the user, and selects a random number $\alpha \in Z_p^{\ast }$, computes:
  • $\begin{array}{c}{X}_i=\alpha P,\hfill \\ X=\alpha Y,\hfill \\ X_{s_i}^{\ast }=A_i\oplus HP{W}_i^{\ast }\oplus P_i,\hfill \\ k_i=h(X_{s_i}^{\ast }\left|\right|T_i),\hfill \\ DI{D}_i=I{D}_i\oplus h(X_i\left|\right|X),\hfill \\ M_{U_i,G}=h(X_{s_i}^{\ast }\left|\right|X_i\left|\right|X\left|\right|k_i\left|\right|T_i),\hfill \end{array}$
  and then sends $\{DI{D}_i,X_i,M_{U_i,G},T_i\}$ as a login request to $GW$. Otherwise, it ends the session.
• $GW\to S_j$: $\{X_i,M,M_{G,S_j},T_G\}$. $GW$ first checks the freshness of $T_i$, computes:
  • $\begin{array}{c}{X}^{\prime }=x{X}_i,\hfill \\ I{D}_i^{\prime }=DI{D}_i\oplus h(X_i\left|\right|X^{\prime }),\hfill \end{array}$
  and then finds $r_i^{\prime }$ and $Hony\_List$ via $I{D}_i^{\prime }$. If $Hony\_List\ge$ the preset value (for example 10), the $GW$ thinks this smart card has been suspended and rejects the request. Otherwise, $GW$ computes $X_{s_i}^{\prime }$ = $h(I{D}_i^{\prime }|\left|x\right||r_i^{\prime })$, $k_i^{\prime }$ = $h(X_{s_i}^{\prime }||T_i)$. If $M_{U_i,G}$≠$h(X_{s_i}^{\prime }|\left|X_i\right|\left|X^{\prime }\right|\left|k_i^{\prime }\right||T_i)$, $GW$ rejects the request and sets $Hony\_List$ = $Hony\_List+1$. Once $Hony\_List$ is bigger than the preset value, the corresponding smart card is suspended. Otherwise, it computes:
  • $\begin{array}{c}{X}_{s_j}^{\prime }=h(SI{D}_j\left|\right|x),\hfill \\ M=h(X_{s_j}^{\prime })\oplus h(k_i^{\prime }),\hfill \\ M_{G,S_j}=h(h(k_i^{\prime })\left|\right|X_{s_j}^{\prime }\left|\right|X_i\left|\right|SI{D}_j\left|\right|T_G),\hfill \end{array}$
  and sends $\{X_i,M,M_{G,S_j},T_G\}$ to $S_j$ to conveys $U_i$’s request.
• $S_j\to GW$: $\{Y_j,M_{S_j,G},T_j\}$. $S_j$ first checks the valid of $T_G$, and computes $h{(k_i^{\prime })}^{\ast }$ = $M\oplus h(X_{s_j})$. If $M_{G,S_j}^{\ast }$≠$h(h{(k_i^{\prime })}^{\ast }|\left|X_{s_j}\right|\left|X_i\right|\left|SI{D}_j\right||T_G)$, $S_j$ does not believe $GW$ and rejects the session. Otherwise, $S_j$ chooses $\beta \in Z_p^{\ast }$ and computes:
  • $\begin{array}{c}{Y}_j=\beta P,\hfill \\ k_j=h(X_{s_j}\left|\right|T_j),\hfill \\ S{K}_j=h(X_i\left|\right|Y_j\left|\right|\beta X_i),\hfill \\ M_{S_j,G}=h(k_j\left|\right|h{(k_i^{\prime })}^{\ast }\left|\right|Y_j\left|\right|X_{s_j}\left|\right|X_i\left|\right|T_j),\hfill \end{array}$
  and sends $\{Y_j,M_{S_j,G},T_j\}$ to $GW$.
• $GW\to U_i$: $\{Y_j,M_{G,U_i},T_G^{\prime }\}$. $GW$ first checks $T_j$. Then, it computes $k_j^{\prime }$ = $h(X_{s_j}^{\prime }||T_j)$, and if $M_{S_j,G}$ == $h(k_j|\left|h(k_i^{\prime })\right|\left|Y_j\right|\left|X_{s_j}^{\prime }\right|\left|X_i\right||T_j)$, $GW$ further computes $M_{G,U_i}$ = $h((X_{s_i}^{\prime }\left|\right|k_i^{\prime }\left|\right|X_i\left|\right|Y_j\left|\right|X\left|\right|T_G^{\prime })$, and then sends $\{Y_j,M_{G,U_i},T_G^{\prime }\}$ to $U_i$ to transmit $S_j$’s responds. Otherwise, it exits the session.
• $U_i$ first checks $T_G^{\prime }$, and if $M_{G,U_i}$ == $h((X_{s_i}\left|\right|k_i\left|\right|X_i\left|\right|Y_j\left|\right|X\left|\right|T_G^{\prime })$, $U_i$ authenticates the $GW$, and computes $S{K}_i$ = $h(X_i|\left|Y_j\right||\alpha Y_j)$ to finish the authentication successfully. Otherwise, the authentication fails.

5.3. Password Change Phase

Once the user wants to change password for security consideration, he/she can achieve it through the following steps:

• $U_i$ inputs $I{D}_i$, $P{W}_i$ and new password $P{W}_i^{new}$.
• The card computes:
  • $\begin{array}{c}{R}_i^{\ast }=Rep(BI{O}_i,P_i),\hfill \\ HP{W}_i^{\ast }=h(P{W}_i\left|\right|R_i^{\ast }),\hfill \\ B_i^{\ast }=h(h(HP{W}_i^{\ast })\oplus h(I{D}_i)\oplus h(P_i))mod{n}_0.\hfill \end{array}$
  If $B_i^{\ast }\ne B_i$, the card does not permit $U_i$ to change the password. Otherwise, it further computes:
  • $\begin{array}{c}HP{W}_i^{new}=h(P{W}_i^{new}\left|\right|R_i^{\ast }),\hfill \\ B_i^{new}=h(h(HP{W}_i^{new})\oplus h(I{D}_i)\oplus h(P_i))mod{n}_0,\hfill \\ A_i^{new}=A_i\oplus HP{W}_i^{\ast }\oplus HP{W}_i^{new},\hfill \end{array}$
  and finally replaces $A_i,B_i$ with $A_i^{new},B_i^{new}$.

5.4. Revocation Phase

Revocation phase, as the emergency response strategy, is of great significance to the security of the system. It provides an efficient way to protect the account from being abused. When the user finds his/her smart card breached, he/she can revoke the smart card as follows:

• $U_i$ firstly get authenticated by the card as the way to the step 1 in Section 5.2.
• $U_i⟶GW$: $\{DI{D}_i,X_i,M_{U_i,G},T_i,revoke\_request\}$. As described in Section 5.2, the smart card computes $DI{D}_i$,$X_i$,$M_{U_i,G}$ and sends $\{DI{D}_i,X_i,M_{U_i,G},T_i,revoke\_request\}$ to the gateway.
• After receiving the revocation request from $U_i$, $GW$ first verifies $U_i$. If $GW$ authenticates $U_i$ successfully, it sets $Honey\_List$ to a big number, which is bigger than the preset value. Then, the smart card will be revoked, and nobody can login to the system with the card unless $U_i$ re-register. Otherwise, $GW$ rejects the request.

5.5. Re-Register Phase

If a user $U_i$ with correct password and identity is still rejected by $S_j$, then can re-register as follows:

• $U_i⟹GW$: $\{I{D}_i,HW{R}_i,P_i,re-register\}$.
• Firstly, $GW$ looks for $I{D}_i$ from $User-list$, checks whether $Honey\_List\ge$ the preset value. If so, $GW$ believes the card is suspended, then performs the corresponding steps in Section 5.1.

6. Security Analysis

To prove the security of our scheme, we analyze it from two aspects: a formal way using the Burrows–Abadi–Needham (BAN) logic [43]; a informal/heuristic way. Through the formal way, we prove our scheme achieves four basic security goals. These goals ensure that the user and the sensor node are mutual trust, and they both compute the session key successfully; furthermore, the session keys computed by them are equal. Through the informal/heuristic way, we prove that our scheme not only satisfies many desired attributes such as user anonymity and forward security, but also is resistant to various attacks such as offline dictionary attack, impersonation attack, and de-synchronized attack.

6.1. Formal Analysis Based on BAN Logic

The BAN logic [43] is a simple and efficient way to analyze the design logic and security of a protocol. It has a set of particular notions (shown in

Table 2. Notations in BAN logic.

$P\mid \equiv X$	P believes X, i.e., the principal P believes the statement X is true.
$P◃X$	P sees X, i.e., the principal P receives a message that contains X.
$P\mid \Rightarrow X$	P has jurisdiction over X, i.e., the principal P can generate or compute X.
$P\mid \sim X$	P said X, i.e., the principal P has sent a message containing X.
$♯(X)$	X is fresh, i.e., X is sent in a message only at the current run of the protocol, it is usually a timestamp or a random number.
$P\stackrel{K}{\leftrightarrow }Q$	K is the shared key for P and Q.
$P\stackrel{Y}{\rightleftharpoons }Q$	Y is the secret known only to P and Q or some principals trusted by them.
${\langle X\rangle }_Y$	X combined with Y, and Y is usually a secret.
${\left\{X\right\}}_K$	X encrypted with K.
$\frac{P\mid \equiv P\stackrel{K}{\leftrightarrow }Q,P◃{\left\{X\right\}}_K}{P\mid \equiv Q\mid \sim X}$ or $\frac{P\mid \equiv P\stackrel{Y}{\rightleftharpoons }Q,P◃{\langle X\rangle }_Y}{P\mid \equiv Q\mid \sim X}$	$RULE(1)$: the message-meaning rule.
	This rule will be used in the proving process.
$\frac{P\mid \equiv ♯(X),P\mid \equiv Q\mid \sim X}{P\mid \equiv Q\mid \equiv X}$	$RULE(2)$: the nonce-verification rule.
	This rule will be used in the proving process.
$\frac{P\mid \equiv Q\mid \Rightarrow X,P\mid \equiv Q\mid \equiv X}{P\mid \equiv X}$	$RULE(3)$: the jurisdiction rule.
	This rule will be used in the proving process.
$\frac{P\mid \equiv ♯(X)}{P\mid \equiv ♯(X,Y)}$	$RULE(4)$: the freshness-conjuncatenation rule.
	This rule will be used in the proving process.

) to depict the logic of the protocol. We will prove the security of our scheme according to its notions and processes.

In BAN logic, the goals of our authentication scheme are defined as:

• Goal 1: $U_i\mid \equiv S_j\mid \equiv (U_i\stackrel{SK}{\leftrightarrow }{S}_j)$.
• Goal 2: $U_i\mid \equiv (U_i\stackrel{SK}{\leftrightarrow }{S}_j)$.
• Goal 3: $S_j\mid \equiv U_i\mid \equiv (U_i\stackrel{SK}{\leftrightarrow }{S}_j)$.
• Goal 4: $S_j\mid \equiv (U_i\stackrel{SK}{\leftrightarrow }{S}_j)$.

According to the proof steps in BAN logic, we re-describe our scheme into an idealized form:

• $M_1$: $U_i\to GW$: ${\langle X_i,k_i,T_i,DI{D}_i,U_i\stackrel{X}{\leftrightarrow }GW\rangle }_{U_i\stackrel{X_{s_i}}{\leftrightarrow }GW}$.
• $M_2$: $GW\to S_j$: ${\langle X_i,h(k_i),SI{D}_j,T_G\rangle }_{S_j\stackrel{X_{s_j}}{\leftrightarrow }GW}$.
• $M_3$: $S_j\to GW$: ${\langle X_j,k_j,h(k_i),T_j\rangle }_{S_j\stackrel{X_{s_j}}{\leftrightarrow }GW}$.
• $M_4$: $GW\to U_i$: ${\langle X_j,k_i,X,T_G^{\prime }\rangle }_{U_i\stackrel{X_{s_i}}{\leftrightarrow }GW}$.

Then, some assumptions are defined as follows:

• $H_1$: $U_i\mid \equiv ♯(T_G^{\prime })$.
• $H_2$: $S_j\mid \equiv ♯(T_G)$.
• $H_3$: $GW\mid \equiv ♯(T_i)$.
• $H_4$: $GW\mid \equiv ♯(T_j)$.
• $H_5$: $GW\mid \equiv S_j\stackrel{X_{s_j}}{\leftrightarrow }GW$.
• $H_6$: $S_j\mid \equiv S_j\stackrel{X_{s_j}}{\leftrightarrow }GW$.
• $H_7$: $GW\mid \equiv U_i\stackrel{X_{s_i}}{\leftrightarrow }GW$.
• $H_8$: $U_i\mid \equiv GW\stackrel{X_{s_i}}{\leftrightarrow }RC$.
• $H_9$: $U_i\mid \equiv S_j\mid \Rightarrow U_i\stackrel{SK}{\leftrightarrow }{S}_j$.
• $H_{10}$: $S_j\mid \equiv U_i\mid \Rightarrow U_i\stackrel{SK}{\leftrightarrow }{S}_j$.

Based on the definition above, we perform the BAN logic proof as follows:

From $M_1$, it is easy to get $S_1$: $GW◃{\langle X_i,k_i,T_i,DI{D}_i,U_i\stackrel{X}{\leftrightarrow }GW\rangle }_{X_{s_i}}.$

Then, according to $H_7$, $S_1$, $RULE(1)$, we get $S_2$: $GW\mid \equiv U_i\mid \sim \langle X_i,k_i,T_i,DI{D}_i,U_i\stackrel{X}{\leftrightarrow }GW\rangle .$

According to $H_3$ and $RULE(4)$, we get $S_3$: $GW\mid \equiv ♯\langle X_i,k_i,T_i,DI{D}_i,U_i\stackrel{X}{\leftrightarrow }GW\rangle .$

In addition, according to $S_2$, $S_3$ and $RULE(2)$, $S_4$: $GW\mid \equiv U_i\mid \equiv \langle X_i,k_i,T_i,DI{D}_i,U_i\stackrel{X}{\leftrightarrow }GW\rangle$

From $M_2$, it is easy to get $S_5$: $S_j◃{\langle X_i,h(k_i),SI{D}_j,T_G\rangle }_{X_{s_j}}.$

Then, according to $H_7$, $S_1$, $RULE(1)$, we get $S_6$: $S_j\mid \equiv GW\mid \sim \langle X_i,h(k_i),SI{D}_j,T_G\rangle .$

According to $H_3$ and $RULE(4)$, we get $S_7$: $S_j\mid \equiv ♯\langle X_i,h(k_i),SI{D}_j,T_G\rangle .$

In addition, according to $S_2$, $S_3$ and $RULE(2)$, we get $S_8$: $S_j\mid \equiv GW\mid \equiv \langle X_i,h(k_i),SI{D}_j,T_G\rangle .$

From $M_3$, it is easy to get $S_9$: $GW◃{\langle X_j,k_j,h(k_i),T_j\rangle }_{X_{s_j}}.$

Then, according to $H_7$, $S_1$, $RULE(1)$, we get $S_{10}$: $GW\mid \equiv S_j\mid \sim \langle X_j,k_j,h(k_i),T_j\rangle .$

According to $H_3$ and $RULE(4)$, we get $S_{11}$: $GW\mid \equiv ♯\langle X_j,k_j,h(k_i),T_j\rangle .$

In addition, according to $S_2$, $S_3$ and $RULE(2)$, we get $S_{12}$: $GW\mid \equiv S_j\mid \equiv \langle X_j,k_j,h(k_i),T_j\rangle .$

From $M_4$, it is easy to get $S_{13}$: $U_i◃{\langle X_j,k_i,X,T_G^{\prime }\rangle }_{X_{s_i}}.$

Then, according to $H_7$, $S_1$, $RULE(1)$, we get $S_{14}$: $U_i\mid \equiv GW\mid \sim \langle X_j,k_i,X,T_G^{\prime }\rangle .$

According to $H_3$ and $RULE(4)$, we get $S_{15}$: $U_i\mid \equiv ♯\langle X_j,k_i,X,T_G^{\prime }\rangle .$

In addition, according to $S_2$, $S_3$ and $RULE(2)$, we get $S_{16}$: $U_i\mid \equiv GW\mid \equiv \langle X_j,k_i,X,T_G^{\prime }\rangle .$

As $SK$ = $h(X_i|\left|X_j\right||\alpha X_j)$, and combining $S_{12}$, $S_{16}$, we get: $S_{17}$: $U_i\mid \equiv S_j\mid \equiv U_i\stackrel{SK}{\leftrightarrow }{S}_j$ (Goal 1).

Similarly, as $SK$ = $h(X_i|\left|X_j\right||\beta X_i)$, with $S_4$, $S_8$, we get: $S_{18}$: $S_j\mid \equiv U_i\mid \equiv U_i\stackrel{SK}{\leftrightarrow }{S}_j$ (Goal 3).

Finally, according to $H_2$, $S_{17}$ and $RULE(3)$, we get: $S_{19}$: $U_i\mid \equiv (U_i\stackrel{SK}{\leftrightarrow }{S}_j)$ (Goal 2).

In addition, according to $H_{10}$, $S_{18}$ and $RULE(3)$, we get: $S_{20}$: $S_j\mid \equiv (U_i\stackrel{SK}{\leftrightarrow }{S}_j)$ (Goal 4).

Therefore, we prove our scheme achieves Goals 1–4 successfully. In other words, our scheme promises that $U_i$ and $S_j$ have been authenticated mutually, and they further compute and share the same session key $SK$.

6.2. Informal Analysis

The heuristic way plays an important role in testing the security of the user authentication protocol. It makes up for the defects of formal proofs in some security requirements. For example, the formal proofs cannot capture user anonymity and user friendly problems. Therefore, in this section, we apply the heuristic method to prove the security of our scheme.

6.2.1. Mutual Authentication

In step 2 and step 5 of Section 5.2, the gateway node and the user authenticate each other via their shared secret parameter $X_{s_i}$ and X. On the user side, only with the correct password, biometrics, and the corresponding smart card can $U_i$ compute $X_{s_i}$, so the gateway can authenticate $U_i$ via this parameter. On the gateway node, after receiving $X_i$, only the one with the long-term key x, can compute X, so the user authenticate $GW$ via X.

In step 3 and step 4 of Section 5.2, the gateway node and the sensor node authenticate each other via $X_{s_j}$. If an adversary wants to compute $X_{s_j}$, then he/she has to guess the long-term key x, and the probability of such an event can be ignored.

Therefore, the user and the sensor node have authenticated the gateway, and the gateway has also authenticated them. Furthermore, from the authentication relationship among the three parties, equivalently, the user and the sensor node get authenticated with each other. All in all, our scheme achieves mutual authentication well.

6.2.2. User Anonymity

In our scheme, $I{D}_i$ is concealed in $DI{D}_i$, which is changed with X in every session. To get $I{D}_i$, $\mathcal{A}$ has to compute X, which means that $\mathcal{A}$ without $\alpha$ or x has to solve the elliptic curve discrete logarithm problem. As we introduced in Section 2.1, such a problem cannot be solved in polynomial time. Thus, in our scheme, the user identity is not only well protected, but also untraceable.

Furthermore, note that an obvious difference in user anonymity between the wireless sensor network and the distributed network is about whether the user identity can be known by other participants. In a distributed network, there are only two participants: the user and the server. In such a condition, the user identity can be known by the server to build a session key. While in the wireless sensor network, there are three participants: the user, the gateway node and the sensor node. The gateway node acts as a register center and is protected well, so it can know the user identity. While the sensor node is usually deployed in an unattended environment, it is of high possibility to be controlled by the adversary. Thus, the user identity should not be exposed to it. In addition, our scheme achieves such a goal: the user identity is not transmitted to the sensor node.

6.2.3. Forward Secrecy

The session key $SK$ = $h(X_i|\left|Y_j\right||\beta X_i)$ = $h(X_i|\left|Y_j\right||\alpha Y_j)$. The key parameter is $\beta X_i$ or $\alpha Y_j$. If an adversary $\mathcal{A}$ intercepts the message in an open channel, acquires the secret key x, then $\mathcal{A}$ knows $X_i$ and $X_j$. Thus, $\mathcal{A}$ needs to compute $\beta X_i$ or $\alpha Y_j$. However, computing $\beta X_i$ or $\alpha Y_j$ for $\mathcal{A}$ is equivalent to solving the Elliptic curve discrete logarithm problem, and it is bound to fail. Therefore, $\mathcal{A}$ cannot compute $SK$, and our scheme achieves forward secrecy.

6.2.4. Offline Dictionary Attack

A sound three-factor user authentication scheme should ensure that even if $\mathcal{A}$ gets any two of the three factors, he/she cannot break the system. In our scheme, if $\mathcal{A}$ gets the password and biometrics, he/she still cannot compute $X_{s_i}$ to construct a valid login request; if $\mathcal{A}$ gets the password and the smart card, he/she can neither compute $X_{s_i}$ nor guess the biometrics, thus also fails to perform an attack; if $\mathcal{A}$ gets the smart card and biometrics, then $\mathcal{A}$ may conduct an offline dictionary attack by using $M_{u_i,G}$ or $B_i$ as the verification parameter to check the correctness of the guessed value.

If $\mathcal{A}$ uses $B_i$, then he/she may make the offline dictionary attack as follows: guesses $I{D}_i$ and $P{W}_i$ to be $I{D}_i^{\ast }$ and $P{W}_i^{\ast }$, respectively, computes $R_i^{\ast }$ = $Rep(BI{O}_i,P_i)$, $HP{W}_i^{\ast }$ = $h(P{W}_i^{\ast }||R_i^{\ast })$, then verifies $I{D}_i^{\ast }$ and $P{W}_i^{\ast }$ by checking $B_i$ ?= $h(h(HP{W}_i^{\ast })\oplus h(I{D}_i)\oplus h(P_i))$ mod $n_0$. However, even $\mathcal{A}$ gets a pair of $\{I{D}_i^{\ast },P{W}_i^{\ast }\}$ such that $B_i$ == $h(h(HP{W}_i^{\ast })\oplus h(I{D}_i)\oplus h(P_i))$ mod $n_0$, he/she may not find the correct $I{D}_i$ and $P{W}_i$, for there are $|{\mathcal{D}}_{pw}|\ast |{\mathcal{D}}_{id}|\backslash n_0\approx 2^{32}$ candidates of $\{I{D}_i,P{W}_i\}$ pair (where $n_0=2^8$ and $|{\mathcal{D}}_{pw}|=|{\mathcal{D}}_{id}|=2^6$) [30]. Thus, $\mathcal{A}$ then has to test the $\{I{D}_i^{\ast },P{W}_i^{\ast }\}$ via sending the login request to the gateway node, and once the number of login failures exceeds the preset value, the smart card will be suspended and the attack fails.

If $\mathcal{A}$ uses $M_{u_i,G}$, then he/she can compute $HP{W}_i^{\ast }$ as above, and further compute $X_{s_i}^{\ast }$ = $A_i\oplus HP{W}_i^{\ast }\oplus P_i$, $k_i$ = $h(X_{s_i}^{\ast }||T_i)$, $DI{D}_i$ = $I{D}_i^{\ast }\oplus h(X_i\left|\right|X)$. However, $\mathcal{A}$ cannot compute X, as we explained in Section 6.2.2, and thus fails to finish such an attack.

In conclusion, our scheme is resistant to dictionary attack.

6.2.5. Privileged Insider Attack

In our scheme, the user submits $\{I{D}_i,HP{W}_i,P_i\}$ to the gateway node. The password is well protected by a long-term number $R_i$, so $GW$ cannot learn any useful information from it. Therefore, our scheme is secure against privileged insider attack.

6.2.6. Verifier-Stolen Attack

The verifier table stored in $GW$ does not expose sensitive messages; even if an adversary acquires the table, he/she cannot make any attack. Thus, our scheme is resistant to verifier-stolen attack.

6.2.7. Replay Attack

The timestamp is used to prevent replay attack. On the one hand, if $\mathcal{A}$ replays the history message directly, the corresponding communication party will find it via checking the freshness of the timestamp. On the other hand, if $\mathcal{A}$ tries to forge the message in the open channel, such as $\{DI{D}_i,X_i,M_{U_i,G},T_i\}$, then he/she has to know $X_{s_i}$. However, to compute $X_{s_i}$, it is asked that $\mathcal{A}$ has to know x or $U_i$’s password, biometrics and smart card, which is impossible. Similarly, $\mathcal{A}$ also cannot replay or construct other message flows.

7. Performance Analysis

To better evaluate our scheme, we make a comparison among the related schemes for wireless sensor networks [25,26,29,44]. From

Table 3. Performance comparison among relevant schemes in wireless sensor networks.

	Computation Overhead			Communication Cost			The Proposed Evaluation Criteria
	Login (ms)	Auth. (ms)		Login	Auth.		S1	S2	S3	S4	S5	S6	S7	S8	S9	S10	S11	S12	S13
Amin et al. [44]	$8T_H\approx 0.055$	$25T_H\approx 0.017$		768 bits	1536 bits		√	×	√	×	√	√	√	×	√	√	√	√	√
Jiang et al. [29]	$T_M$+$6T_H\approx 1.2$	$T_M$+$19T_H\approx 1.2$		1408 bits	1280 bits		√	×	√	×	√	√	√	×	√	√	√	√	√
Jung et al. [25]	$5T_H\approx 0.0035$	$14T_H\approx 0.097$		512 bits	1024 bits		√	×	√	×	×	√	√	×	√	√	√	×	√
Park et al. [26]	$T_E$+$6T_H\approx 0.51$	$3T_E$+$18T_H\approx 1.5$		1536 bits	4096bits		√	×	√	√	×	×	√	×	√	√	√	√	√
Our scheme	$2T_E$+$8T_H\approx 1.0$	$4T_E$+$18T_H\approx 2.0$		1408 bits	3968 bits		√	√	√	√	√	√	√	√	√	√	√	√	√

$T_M$ is the time of modular exponentiation operation, $T_E$ is the time of scalar multiplication on elliptic curve, $T_H$ is the time of hash computation, $T_M\gg T_E\gg T_H$ (according to Wang et al. [28], $T_M\approx 1.169$ ms, $T_E\approx 0.508$ ms, $T_H\approx 0.693$$\mathsf{\mu }$s) and the lightweight operation such as “XOR” and “$\left|\right|$” can be ignored. Let $n_0$ be 32-bit long; Let $I{D}_i$, $P{W}_i$, $h(\ast )$, output of symmetric encryption, timestamp, random numbers be 128-bit long; Let p, g, y be 1024-bit long. √ means the property is satisfied; × means the property is not satisfied.

, it is obvious that our scheme is more competitive than other schemes: our scheme achieves all the security requirements while others [25,26,29,44] all have some attributes that fail to satisfy more or less; the computation of our scheme is similar or slightly high to that of other schemes. Furthermore, achieving all the security requirements is more significant to an authentication scheme, and it is not advisable to sacrifice security for efficiency.

8. Conclusions

In this paper, we first introduced the system architecture of wireless sensor networks. Based on this, we summarized the adversary model and security requirements in such a special environment. Secondly, we identified the security flaws in two recent three-factor authentication schemes, and analyzed the inherent reasons for those flaws. Thirdly, we proposed an enhanced scheme resistant to various attack and with many desirable attributes. Then, we proved the security of our scheme via BAN logic and the heuristic analysis. Furthermore, the comparison with other related schemes showed the great advantage of our scheme. Finally, with the development of technology, Internet of Things and Internet of Vehicles will become more and more integrated into our daily life, and the ensuing security problems will become more and more prominent. Therefore, in the future, we will focus on identifying the security requirements and designing a secure but practical protocol in the authentication of these new application scenarios.

References