Open Access
Issue
Wuhan Univ. J. Nat. Sci.
Volume 28, Number 6, December 2023
Page(s) 541 - 552
DOI https://doi.org/10.1051/wujns/2023286541
Published online 15 January 2024

© Wuhan University 2023

Licence: Creative Commons. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

0 Introduction

The ability to bring physical things into the digital world is becoming increasingly possible because of the high level of development of wireless communication and smart device technologies[1]. A very significant opportunity for wireless sensor networks (WSNs) has been offered by the rise of Internet of Things (IoT) era and the development of communication technology. As a combination of wireless networks and IoT sensors, WSNs have attracted more and more attention worldwide because of the excellent performance in industrial control, smart home, environmental monitoring and other aspects[2].

However, owing to the openness of the network and the broadcast nature of wireless communication, WSNs face the threats that ordinary wireless networks suffer from, such as replay attacks, information leakage and denial-of-service (DOS) attacks; in addition, sensor nodes are vulnerable to physical access and disassembly, up to the point where an attacker fully controls them. Sensor devices in WSNs are deployed in public environments to collect information in real time[3]. If one sensor node is compromised, its connectivity becomes the focal point: an attacker can use the compromised device as a springboard to attack other devices and systems. Coupled with the sensitive and critical nature of the transmitted data, the data must be protected end to end as it travels between WSNs and entities outside of WSNs[4]. Therefore, it is crucial to provide an authentication scheme for WSNs that guarantees secure communication between users and sensor nodes. In WSNs, communication between devices relies on protocols that define the purpose of the communication, the sequence of steps to be performed, and the cryptographic techniques used to protect the transmitted information[5].

In recent years, researchers have been developing efficient ways to merge WSNs into IoT environments and have done a lot of research on authentication schemes that balance efficiency and security in WSNs, but numerous schemes have security concerns[6]. In 2019, Ostad-Sharif et al[6] proposed a secure and lightweight authenticated key agreement scheme for WSNs, and claimed that their scheme was not only efficient but also provided perfect forward secrecy and resisted common attacks. In 2020, Chen et al[7] pointed out that Ostad-Sharif et al's scheme[6] not only had design errors in the login and authentication phase, which prevented legitimately registered users from accessing the system, but also provided no password change and update capability. In 2021, Chunka et al[8] presented a smart card-based user authentication and session key agreement scheme, and claimed that it was efficient and resistant to attacks such as sensor node capture and gateway key leakage. However, Lee et al[9] showed that Chunka et al's scheme[8] was vulnerable to known session-specific temporary information attacks, identity/password pair guessing attacks, impersonation attacks, etc. In 2022, Hu et al[10] proposed a two-factor authentication scheme for WSNs in the IoT environment, and claimed that their scheme maximized the balance between security and computational cost and resisted many common attacks. However, we found security risks in Hu et al's scheme. Firstly, the scheme resists neither stolen smart card attacks nor DOS attacks. Secondly, during the login and key agreement phase of Hu et al's scheme, the gateway (GWN) cannot extract the key values for the subsequent computation from the message sent by the sensor node, so the scheme fails to achieve mutual authentication and key agreement.

Hu et al's authentication scheme is briefly reviewed in Section 1. In Section 2, we analyze the shortcomings of the Hu et al's scheme. An improved scheme is given in Section 3. In Section 4, we analyze the security for the improved scheme. The performance evaluation for the proposed scheme in different metrics and the comparison with the same type of schemes are presented in Section 5. In Section 6, we conclude the paper.

1 Review of Hu et al's Scheme

In Hu et al's scheme[10], users and sensor nodes complete mutual authentication and agree on session keys with the help of GWN. The scheme consists of four phases: initialization phase, registration phase, login and key agreement phase, and password and expiration time update phase. The notations involved in the scheme and their definitions are shown in Table 1.

Table 1

Notations used in Hu et al 's scheme

1.1 Initialization Phase

GWN chooses two random numbers $K_{GU}, K_{GS} \in Z_q^*$ as its private keys. $P$ is a generator of the elliptic-curve group. The public key of GWN is $P_{pub} = K_{GU}P$.

1.2 Registration Phase

The current phase consists of a user registration phase and a sensor node registration phase. In this phase, the data is transmitted over a secure channel.

1.2.1 Registration for users

When a new user wants to access the services provided by WSNs, he/she must register with the gateway at first. The details of the user registration phase are as follows.

Step 1  $U_i$ chooses $ID_i$ and $PW_i$, generates a random number $r_i$, and calculates

$$A_i = h(ID_i || PW_i || r_i)$$

Then, $U_i$ sends the message $\{ID_i, A_i\}$ to GWN over a secure channel.

Step 2  Once GWN receives the message from $U_i$, it selects an expiration time $TE_i$ for the temporary credential of $U_i$.

GWN calculates the public key $P_{pub} = K_{GU}P$, $U_i$'s temporal credential $TC_i = h(ID_i || ID_{GWN} || K_{GU} || TE_i)$ and its masked form $PTC_i = TC_i \oplus A_i$.

GWN stores $\{ID_{GWN}, TE_i, P_{pub}, h(\cdot), PTC_i\}$ in a smart card SC and sends SC to $U_i$ over a secure channel.

Step 3  $U_i$ computes $TC_i = PTC_i \oplus A_i$ and $B_i = TC_i \oplus h(ID_i || PW_i)$, and stores $\{B_i\}$ in SC.

1.2.2 Registration for sensor nodes

Each sensor node must register with GWN and only once, and its registration phase consists of the following operations.

Step 1  GWN selects an identity $SID_j$ for the sensor node $S_j$ and calculates

$$TC_j = h(K_{GS} || SID_j)$$

GWN sends the message $\{TC_j, SID_j\}$ to $S_j$ over a secure channel.

Step 2  $S_j$ receives the message from GWN and stores $\{TC_j, SID_j\}$.

1.3 Login and Key Agreement Phase

In this phase, $U_i$ and $S_j$ agree on a session key with the help of GWN, thus performing a mutually authenticated key agreement to secure their further communication. The specific steps are as follows.

Step 1  $U_i$ inserts SC and enters his/her identity $ID_i$ and password $PW_i$. SC recovers the temporary credential from the stored $B_i$ and the entered values,

$$TC_i = B_i \oplus h(ID_i || PW_i)$$

generates two random numbers $N_1$ and $x_1$, and calculates

$$T_1 = x_1 P$$

$$T_2 = (ID_i || TE_i || SID_j || N_1) \oplus h(x_1 P_{pub})$$

where $P_{pub} = K_{GU}P$ is the public key of GWN, and

$$T_3 = h(T_1 || ID_i || ID_{GWN} || TC_i || N_1 || TE_i || SID_j)$$

$U_i$ sends the login request message $M_1 = \{T_1, T_2, T_3\}$ to GWN. Note that SC does not check the entered $ID_i$ and $PW_i$ against anything it stores before building $M_1$.

Step 2  After receiving the message $M_1 = \{T_1, T_2, T_3\}$ from $U_i$, GWN calculates

$$ID_i || TE_i || SID_j || N_1 = T_2 \oplus h(K_{GU} T_1)$$

and checks the validity of $TE_i$. If the check fails, GWN rejects $U_i$'s login request. Otherwise, GWN calculates

$$TC_i = h(ID_i || ID_{GWN} || K_{GU} || TE_i)$$

$$T_3^* = h(T_1 || ID_i || ID_{GWN} || TC_i || N_1 || TE_i || SID_j)$$

GWN checks whether $T_3^* = T_3$. If not, GWN terminates the current phase. Otherwise, GWN generates three random numbers $N_2$, $x$ and $x_2$ and computes

$$TC_j = h(K_{GS} || SID_j)$$

$$T_4 = x_2 \oplus h(TC_j || N_2 || ID_{GWN})$$

$$T_5 = h(ID_i || TE_i || x) \oplus h(N_2 || TC_j)$$

$$T_6 = h(T_1 || h(ID_i || TE_i || x) || x_2 || N_2)$$

Then, GWN sends the message $M_2 = \{T_1, T_4, T_5, T_6, N_2\}$ to $S_j$ over a secure channel.

Step 3  After receiving the message from GWN, $S_j$ recovers

$$x_2 = T_4 \oplus h(TC_j || N_2 || ID_{GWN})$$

$$h(ID_i || TE_i || x) = T_5 \oplus h(N_2 || TC_j)$$

and calculates

$$T_6^* = h(T_1 || h(ID_i || TE_i || x) || x_2 || N_2)$$

$S_j$ checks whether $T_6^* = T_6$ holds. If it does, $S_j$ generates two random numbers $N_3$ and $x_3$, computes its ephemeral share $T_7 = x_3 P$ (defined as $F_7$ is in the proposed scheme), and computes

$$SK = h(h(ID_i || TE_i || x) || SID_j || x_3 T_1 || T_1 || T_7)$$

$$T_8 = h(SK || N_3)$$

$$T_9 = (T_8 || T_7 || N_3) \oplus h(TC_j || N_2)$$

$$T_{10} = h(TC_j || T_7 || N_2 || T_8)$$

$S_j$ transmits the message $M_3 = \{T_9, T_{10}\}$ to GWN.

Step 4  After receiving the message from $S_j$, GWN extracts

$$T_8 || T_7 || N_3 = T_9 \oplus h(TC_j || N_2)$$

and calculates $T_{10}^* = h(TC_j || T_7 || N_2 || T_8)$.

Then, GWN verifies whether $T_{10}^* = T_{10}$. If not, GWN terminates the current phase immediately. Otherwise, GWN calculates

$$T_{11} = (T_8 || N_1 || T_7 || N_3 || x) \oplus h(N_1 || TC_i)$$

GWN sends the message $M_4 = \{T_{11}\}$ to $U_i$.

Step 5  Once $U_i$ receives $M_4$, it extracts

$$T_8 || N_1 || T_7 || N_3 || x = T_{11} \oplus h(N_1 || TC_i)$$

and calculates the session key and its check value

$$SK = h(h(ID_i || TE_i || x) || SID_j || x_1 T_7 || T_1 || T_7), \quad T_8^* = h(SK || N_3)$$

where $x_1 T_7 = x_1 x_3 P = x_3 T_1$, so both sides derive the same $SK$. $U_i$ checks whether $T_8^* = T_8$ holds. If it does, $U_i$ and $S_j$ have successfully agreed on the session key.

1.4 Password and Expiration Time Update Phase

If $U_i$ wants to change his/her password, he/she inserts the smart card SC and enters $ID_i$, $PW_i$ and the new password $PW_i^{new}$. After that, SC calculates

$$B_i^{new} = B_i \oplus h(ID_i || PW_i) \oplus h(ID_i || PW_i^{new})$$

and replaces $B_i$ with $B_i^{new}$.

If GWN wants to update the expiration time $TE_i$ of $TC_i$, GWN reselects a $TE_i'$ and, in Step 4 of the login and key agreement phase, recalculates

$$TC_i' = h(ID_i || ID_{GWN} || K_{GU} || TE_i')$$

$$T_{11}' = (T_8 || N_1 || T_7 || N_3 || TC_i' || TE_i') \oplus h(N_1 || TC_i)$$

After that, $U_i$ extracts $TE_i'$ and $TC_i'$ from $T_{11}'$ and updates $B_i$ and $TE_i$ in his/her smart card.

2 Security Analysis of Hu et al's Scheme

This section analyzes the security of Hu et al's scheme[10] and demonstrates that it has the following risks.

2.1 Vulnerability to Stolen Smart Card Attack and DOS Attack

If an attacker steals the smart card SC of a user $U_i$ and then attempts to log in by inserting SC and entering his/her own identity $ID_k$ and password $PW_k$, SC does not verify whether the current holder is the registered user. Based on the information $\{ID_{GWN}, TE_i, P_{pub}, h(\cdot), B_i\}$ stored in SC, the attacker can directly perform the calculations of equation (1) and send $M_1' = \{T_1', T_2', T_3'\}$ to GWN.

$$\begin{cases} \text{generate } N_1', x_1' \\ TC_i' = B_i \oplus h(ID_k || PW_k) \\ T_1' = x_1' P \\ T_2' = (ID_k || TE_i || SID_j || N_1') \oplus h(x_1' P_{pub}) \\ T_3' = h(T_1' || ID_k || ID_{GWN} || TC_i' || N_1' || TE_i || SID_j) \end{cases} \quad (1)$$

The attacker can neither pass the check $T_3^* = T_3'$ of GWN nor take part in the subsequent steps, because the $TC_i'$ used in $T_3'$ differs from the $TC_i$ that GWN recomputes for $ID_k$. However, by the time GWN rejects the request it has already carried out the calculations of equation (2) on $M_1'$, including the elliptic-curve point multiplication $K_{GU} T_1$, which is by far the most expensive operation in the phase. If forged login requests are sent in bulk, GWN's resources are exhausted and it cannot process the requests of legitimate users in time; in other words, legitimate users no longer get a response from the service.

$$\begin{cases} ID_i || TE_i || SID_j || N_1 = T_2 \oplus h(K_{GU} T_1) \\ TC_i = h(ID_i || ID_{GWN} || K_{GU} || TE_i) \\ T_3^* = h(T_1 || ID_i || ID_{GWN} || TC_i || N_1 || TE_i || SID_j) \end{cases} \quad (2)$$

2.2 GWN Cannot Extract Key Values

Hu et al[10] claimed that their scheme provides user anonymity, in the sense that the user's identity $ID_i$ appears only inside masked or hashed values and is never transmitted in the clear over a public channel. However, GWN serves many sensor nodes and users simultaneously and receives a large number of messages.

Since neither the identity of the sensor node nor the identity of the user is present in the message $M_3 = \{T_9, T_{10}\}$ that the sensor node sends to GWN, GWN cannot recognise which sensor node is responding on behalf of which user once $M_3$ arrives. Therefore, GWN cannot determine which temporary credential $TC_j$ and which nonce $N_2$ to use in equation (3), and the following operations cannot be carried out.

$$\begin{cases} T_8 || T_7 || N_3 = T_9 \oplus h(TC_j || N_2) \\ T_{10}^* = h(TC_j || T_7 || N_2 || T_8) \end{cases} \quad (3)$$

2.3 Failure of Mutual Authentication and Key Agreement

As described in Section 2.2, GWN cannot obtain SIDj and IDi from the message M3={T9,T10} sent by Sj during login and key agreement phase, so GWN is unable to compute equation (3), much less conduct further authentication by verifying whether T10*=T10 or not. It means that Hu et al's scheme[10] cannot continue to work. Therefore, the scheme fails to achieve mutual authentication and key agreement.
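To make the two failures above concrete, here is an added Python simulation of the login phase reviewed in Section 1.3 (Steps 1 to 4); it is not Hu et al's code or this paper's code. It models the elliptic-curve group by a multiplicative group modulo a prime (so $xP$ becomes `pow(G, x, PRIME)`, with the same Diffie-Hellman structure), uses SHA-256 for $h(\cdot)$ over length-prefixed fields and SHAKE-256 to stretch a hash into an XOR pad, fixes identities and times to 32-byte fields, and takes $T_7 = x_3 P$; the identities, passwords and sensor names are constructed sample values. `demo()` first feeds the gateway one forged $M_1'$ built from a stolen card with the attacker's own credentials (Section 2.1): the request is rejected, but only after the gateway has performed its point multiplication. It then runs two honest sessions and delivers one sensor's $M_3$ to the gateway (Sections 2.2 and 2.3): because $M_3$ names neither $S_j$ nor $U_i$, the only thing the gateway can do is try every pending session's $(TC_j, N_2)$ until $T_{10}$ verifies.

```python
import hashlib, secrets

# Added example of Hu et al.'s login phase as reviewed in Section 1.3; not Hu et al.'s
# or this paper's code. Assumption: the curve group is modelled by a multiplicative
# group modulo a prime, so xP becomes pow(G, x, PRIME); T7 = x3 P as F7 is in eq. (14).
PRIME = 2**256 - 2**32 - 977          # secp256k1 field prime, used here only as a modulus
G, W = 2, 32                          # generator; byte width of hashes, nonces, elements

def h(*parts):                        # h(a||b||...) over length-prefixed fields
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()
def mask(key, n): return hashlib.shake_256(key).digest(n)   # h(key) stretched over n bytes
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def smul(x, Q): return pow(Q, x, PRIME)                     # stands in for xQ on the curve
def rnd(): return secrets.randbelow(PRIME - 2) + 1          # scalar in Z_q^*
def nonce(): return secrets.token_bytes(W)
def eb(Q): return Q.to_bytes(W, "big")                      # group element -> bytes
def fw(s): return s.ljust(W, b"\0")                         # fixed-width ID/TE/SID fields

ID_GWN, TE_I = fw(b"GWN-0001"), fw(b"2025-12-31")           # constructed sample values

def gwn_setup():
    k_gu, k_gs = rnd(), rnd()
    return {"k_gu": k_gu, "k_gs": k_gs, "ppub": smul(k_gu, G), "pending": {}, "point_mults": 0}

def issue_card(gwn, id_i, pw_i):      # 1.2.1: SC stores B_i and performs no local check
    tc_i = h(id_i, ID_GWN, eb(gwn["k_gu"]), TE_I)
    return {"te": TE_I, "ppub": gwn["ppub"], "b": xor(tc_i, h(id_i, pw_i))}

def sc_login(sc, id_in, pw_in, sid_j):   # Step 1: any (ID, PW) typed into the card yields an M1
    tc = xor(sc["b"], h(id_in, pw_in))   # garbage unless (ID, PW) is the holder's
    n1, x1 = nonce(), rnd()
    t1 = smul(x1, G)
    t2 = xor(id_in + sc["te"] + sid_j + n1, mask(h(eb(smul(x1, sc["ppub"]))), 4 * W))
    return {"T1": t1, "T2": t2, "T3": h(eb(t1), id_in, ID_GWN, tc, n1, sc["te"], sid_j)}

def gwn_step2(gwn, m1):               # Step 2: the point multiplication precedes every check
    gwn["point_mults"] += 1
    p = xor(m1["T2"], mask(h(eb(smul(gwn["k_gu"], m1["T1"]))), 4 * W))
    id_i, te_i, sid_j, n1 = p[:W], p[W:2*W], p[2*W:3*W], p[3*W:]   # TE_i check omitted
    tc_i = h(id_i, ID_GWN, eb(gwn["k_gu"]), te_i)
    if h(eb(m1["T1"]), id_i, ID_GWN, tc_i, n1, te_i, sid_j) != m1["T3"]:
        return None                   # rejected, but the expensive step is already spent (2.1)
    n2, x, x2 = nonce(), nonce(), nonce()
    tc_j, hid = h(eb(gwn["k_gs"]), sid_j), h(id_i, te_i, x)
    gwn["pending"][(sid_j, id_i)] = (tc_j, n2)   # GWN's own record of the session
    return {"T1": m1["T1"], "T4": xor(x2, h(tc_j, n2, ID_GWN)), "T5": xor(hid, h(n2, tc_j)),
            "T6": h(eb(m1["T1"]), hid, x2, n2), "N2": n2}

def sensor_step3(tc_j, sid_j, m2):    # Step 3: M3 = {T9, T10} names neither S_j nor U_i
    n2 = m2["N2"]
    x2, hid = xor(m2["T4"], h(tc_j, n2, ID_GWN)), xor(m2["T5"], h(n2, tc_j))
    if h(eb(m2["T1"]), hid, x2, n2) != m2["T6"]:
        return None
    n3, x3 = nonce(), rnd()
    t7 = smul(x3, G)
    sk = h(hid, sid_j, eb(smul(x3, m2["T1"])), eb(m2["T1"]), eb(t7))
    t8 = h(sk, n3)
    return {"T9": xor(t8 + eb(t7) + n3, mask(h(tc_j, n2), 3 * W)), "T10": h(tc_j, eb(t7), n2, t8)}

def gwn_step4(gwn, m3):               # Step 4: which (TC_j, N2) to use? M3 does not say (2.2)
    hits = []
    for key, (tc_j, n2) in gwn["pending"].items():
        p = xor(m3["T9"], mask(h(tc_j, n2), 3 * W))
        t8, t7, n3 = p[:W], p[W:2*W], p[2*W:]
        if h(tc_j, t7, n2, t8) == m3["T10"]:
            hits.append(key)
    return hits                       # recoverable only by trial over every pending session

def demo():
    """Returns (forged login rejected, point mults it cost GWN, sessions matching M3, sessions pending)."""
    gwn = gwn_setup()
    alice, bob, sid_a, sid_b = fw(b"alice"), fw(b"bob"), fw(b"sensor-07"), fw(b"sensor-08")
    card_a, card_b = issue_card(gwn, alice, b"alice-pw"), issue_card(gwn, bob, b"bob-pw")
    forged = sc_login(card_a, fw(b"mallory"), b"guess", sid_a)   # stolen card, attacker's ID/PW
    rejected = gwn_step2(gwn, forged) is None
    spent = gwn["point_mults"]
    m2a = gwn_step2(gwn, sc_login(card_a, alice, b"alice-pw", sid_a))   # two honest sessions
    gwn_step2(gwn, sc_login(card_b, bob, b"bob-pw", sid_b))             # are now in flight
    m3a = sensor_step3(h(eb(gwn["k_gs"]), sid_a), sid_a, m2a)
    return rejected, spent, gwn_step4(gwn, m3a), len(gwn["pending"])
```

The `point_mults` counter is the cost an attacker buys with one forged request (the 2.501 ms $T_e$ of Section 5 against the 0.068 ms $T_h$ it costs to forge); the trial loop in `gwn_step4` is what the missing identifiers cost the gateway, and it grows with the number of sessions in flight. The $TE_i$ expiration check is omitted because it does not affect either point.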

3 The Proposed Scheme

To overcome the shortcomings of Hu et al's scheme[10], this paper presents an improved scheme. Firstly, the proposed scheme adds a user pseudo-identity $PID_i$ in the user registration phase, so that identity information can be transmitted over a public channel. The pseudo-identity is dynamic and is updated after each successful run. Secondly, the proposed scheme adds a local check in the user's login phase, in which the smart card verifies that the current holder is the legitimately registered user before any message is sent. Finally, the proposed scheme adds the necessary identity information ($SID_j$ and $PID_i$) to the transmitted messages, so that GWN, upon receiving a message from a sensor node, knows which sensor node wants to communicate with which user.

The proposed scheme provides mutual authentication and strengthens user anonymity. In addition, it resists the stolen smart card attack and DOS attack described above and removes the problem that GWN cannot extract the key values. For brevity, this section only describes the initialization phase, the registration phase, and the login and key agreement phase. The specific steps are as follows.

3.1 Initialization Phase

GWN selects an additive group $G$ of order $q$ with generator $P$ on an elliptic curve $E$. GWN chooses two private keys $K_{GU} \in Z_q^*$ and $K_{GS} \in Z_q^*$, and computes its public key $P_{pub} = K_{GU}P$.

3.2 Registration Phase

Any user and sensor can register with GWN. Unregistered entities are not able to communicate subsequently. The above approach can effectively guarantee the security of data transmission, thereby ensuring the network security of the whole system. This phase is divided into a user registration phase and a sensor node registration phase.

3.2.1 Registration of users

When a new user wants to access an IoT service and communicate with one of the sensor nodes, he/she must first register with GWN and obtain his/her SC through a secure channel. GWN stores the user's registration information in order to verify his/her identity during the login phase. In Fig.1, this phase is divided into three steps and the process is as follows.

Step 1  User $U_i$ selects his/her unique identity $ID_i$ and password $PW_i$, generates a random number $r_i \in Z_q^*$, and calculates $A_i$ and the pseudo-identity $PID_i$ according to equation (4). Then, $U_i$ sends the registration message $\{ID_i, A_i, PID_i\}$ to GWN over a secure channel.

$$\begin{cases} A_i = h(ID_i || PW_i || r_i) \\ PID_i = h(ID_i || r_i) \end{cases} \quad (4)$$

Step 2  GWN receives the registration message from $U_i$ and chooses an expiration time $TE_i$ for $U_i$. GWN calculates its public key $P_{pub}$, the user's temporary credential $TC_i$ and its masked form $PTC_i$ by equation (5). GWN stores $\{ID_i, TE_i, PID_i\}$ in its own database and embeds $\{ID_{GWN}, TE_i, P_{pub}, h(\cdot), PTC_i\}$ into a smart card SC. GWN then issues SC to $U_i$ over a secure channel.

$$\begin{cases} P_{pub} = K_{GU} P \\ TC_i = h(ID_i || PID_i || ID_{GWN} || K_{GU} || TE_i) \\ PTC_i = TC_i \oplus A_i \end{cases} \quad (5)$$

Step 3  Once SC is received, $U_i$ performs the calculations of equation (6) to create the values required for authentication in the next phase. After that, $U_i$ stores $\{A_i, B_i, C_i\}$ in SC and removes $PTC_i$. From now on, the values stored in SC are $\{ID_{GWN}, TE_i, P_{pub}, h(\cdot), A_i, B_i, C_i\}$.

$$\begin{cases} TC_i = PTC_i \oplus A_i \\ B_i = TC_i \oplus h(ID_i || PW_i || TE_i) \\ C_i = r_i \oplus h(ID_i || PW_i) \end{cases} \quad (6)$$

Fig. 1

Registration of users

3.2.2 Registration of sensor nodes

Any sensor node that interacts with GWN for the first time must register first. The registration process of sensor nodes is shown in Fig. 2, with the following steps.

Step 1  For a newly installed sensor node $S_j$, GWN first selects an identity $SID_j$ for it and calculates the temporary credential $TC_j = h(K_{GS} || SID_j)$.

Step 2  $S_j$ receives the message $\{SID_j, TC_j\}$ sent by GWN over a secure channel and stores $\{SID_j, TC_j\}$ in memory.

Fig. 2

Registration of sensor nodes

3.3 Login and Key Agreement Phase

In this phase, a registered user $U_i$ shares a session key with a registered sensor node $S_j$ via GWN[11]. As shown in Fig. 3, $U_i$ and $S_j$ authenticate each other and establish a session key for secure communication with the help of GWN. The detailed steps are described below.

Step 1  $U_i$ inserts the smart card SC and enters his/her identity $ID_i$ and password $PW_i$. After that, SC performs the calculations of equation (7).

$$\begin{cases} r_i^* = C_i \oplus h(ID_i || PW_i) \\ A_i^* = h(ID_i || PW_i || r_i^*) \end{cases} \quad (7)$$

SC checks whether $A_i^* = A_i$ holds. If the check fails, SC rejects the login request without contacting GWN. Otherwise, the user is the legitimate holder of SC and $r_i^* = r_i$. SC then recovers the temporary credential $TC_i$ of $U_i$ and computes the pseudo-identity $PID_i$ by equation (8).

$$\begin{cases} TC_i = B_i \oplus h(ID_i || PW_i || TE_i) \\ PID_i = h(ID_i || r_i) \end{cases} \quad (8)$$

After that, SC selects two random numbers $N_1 \in Z_q^*$ and $x_1 \in Z_q^*$ and calculates $F_1$, $F_2$, $F_3$ according to equation (9). $U_i$ sends the message $M_1 = \{F_1, F_2, F_3, PID_i\}$ to GWN over a public channel.

$$\begin{cases} F_1 = x_1 P \\ F_2 = (ID_i || TE_i || SID_j || N_1) \oplus h(x_1 P_{pub}) \\ F_3 = h(F_1 || ID_i || ID_{GWN} || TC_i || N_1 || TE_i || SID_j) \end{cases} \quad (9)$$

Step 2  Once GWN receives the message $M_1$ from $U_i$, it extracts the values needed for the subsequent authentication according to equation (10).

$$ID_i || TE_i || SID_j || N_1 = F_2 \oplus h(K_{GU} F_1) \quad (10)$$

GWN verifies the validity of $TE_i$. If the verification fails, GWN rejects $U_i$'s login request. Otherwise, GWN calculates $TC_i$ and $F_3^*$ by equation (11).

$$\begin{cases} TC_i = h(ID_i || PID_i || ID_{GWN} || K_{GU} || TE_i) \\ F_3^* = h(F_1 || ID_i || ID_{GWN} || TC_i || N_1 || TE_i || SID_j) \end{cases} \quad (11)$$

GWN verifies whether $F_3^* = F_3$ holds and rejects $U_i$'s login request if it does not. Otherwise, $U_i$ is a legitimate user registered with GWN. GWN then selects three random numbers $N_2 \in Z_q^*$, $x \in Z_q^*$, $x_2 \in Z_q^*$ and calculates the temporary credential $TC_j$ of $S_j$ and the three values $F_4$, $F_5$, $F_6$ according to equation (12).

$$\begin{cases} TC_j = h(K_{GS} || SID_j) \\ F_4 = x_2 \oplus h(TC_j || N_2 || ID_{GWN}) \\ F_5 = h(ID_i || TE_i || x) \oplus h(N_2 || TC_j) \\ F_6 = h(F_1 || h(ID_i || TE_i || x) || x_2 || N_2) \end{cases} \quad (12)$$

Finally, GWN sends the message $M_2 = \{F_1, F_4, F_5, F_6, N_2, PID_i\}$ to $S_j$ over a public channel.

Step 3  Upon receiving the message $M_2$, $S_j$ calculates the values of equation (13).

$$\begin{cases} x_2 = F_4 \oplus h(TC_j || N_2 || ID_{GWN}) \\ h(ID_i || TE_i || x) = F_5 \oplus h(N_2 || TC_j) \\ F_6^* = h(F_1 || h(ID_i || TE_i || x) || x_2 || N_2) \end{cases} \quad (13)$$

$S_j$ verifies whether $F_6^* = F_6$ holds and aborts the current phase if it does not. Otherwise, $S_j$ generates two random numbers $N_3 \in Z_q^*$, $x_3 \in Z_q^*$ and calculates the session key $SK_{ji}$ and the values of equation (14).

$$\begin{cases} F_7 = x_3 P \\ SK_{ji} = h(PID_i || SID_j || x_3 F_1 || F_1 || F_7) \\ F_8 = h(SK_{ji} || N_3) \\ F_9 = (F_8 || F_7 || N_3) \oplus h(TC_j || PID_i) \\ F_{10} = h(TC_j || F_7 || N_3 || F_8) \end{cases} \quad (14)$$

$S_j$ sends the message $M_3 = \{F_9, F_{10}, SID_j, PID_i\}$ to GWN over a public channel.

Step 4  As soon as GWN receives $M_3$, it uses $SID_j$ and $PID_i$ to locate $TC_j$ and the pending session, extracts the values needed for the subsequent operation and computes the validation value $F_{10}^*$ by equation (15).

$$\begin{cases} F_8 || F_7 || N_3 = F_9 \oplus h(TC_j || PID_i) \\ F_{10}^* = h(TC_j || F_7 || N_3 || F_8) \end{cases} \quad (15)$$

GWN verifies whether $F_{10}^* = F_{10}$ holds. If the condition fails, the session is aborted immediately. Otherwise, GWN updates $PID_i$ and calculates the values of equation (16).

$$\begin{cases} PID_i^{new} = PID_i \oplus h(N_3 || TC_i) \\ F_{11} = PID_i^{new} \oplus h(ID_{GWN} || TC_i || N_1) \\ F_{12} = h(PID_i^{new} || TC_i) \\ F_{13} = (F_8 || F_7 || N_3) \oplus h(PID_i^{new}) \end{cases} \quad (16)$$

GWN then sends the message $M_4 = \{F_{11}, F_{12}, F_{13}\}$ to $U_i$ over a public channel.

Step 5  After receiving the message from GWN, $U_i$ extracts the updated pseudo-identity $PID_i^{new*}$ and calculates $F_{12}^*$ through equation (17).

$$\begin{cases} PID_i^{new*} = F_{11} \oplus h(ID_{GWN} || TC_i || N_1) \\ F_{12}^* = h(PID_i^{new*} || TC_i) \end{cases} \quad (17)$$

$U_i$ checks whether $F_{12}^* = F_{12}$ holds and terminates the session on a mismatch. Otherwise, $U_i$ has authenticated GWN and the integrity of the transmitted message, and $PID_i^{new*} = PID_i^{new}$. Then, $U_i$ recovers and calculates the values of equation (18).

$$\begin{cases} F_8 || F_7 || N_3 = F_{13} \oplus h(PID_i^{new}) \\ SK_{ij} = h(PID_i || SID_j || x_1 F_7 || F_1 || F_7) \\ F_8^* = h(SK_{ij} || N_3) \end{cases} \quad (18)$$

$U_i$ verifies whether $F_8^* = F_8$ holds. If the verification fails, $U_i$ terminates the current session immediately. Otherwise, $U_i$ and $S_j$ have successfully negotiated a session key, which can be used to secure subsequent communications.

Fig. 3

Login and key agreement phase
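The whole procedure of Sections 3.2 and 3.3, as an added Python example that is not the paper's code: registration of a user and a sensor, then one login and key agreement run with every check of Steps 1 to 5, returning the two session keys. It assumes the elliptic-curve group is modelled by a multiplicative group modulo a prime (`pow(G, x, PRIME)` for $xP$, same Diffie-Hellman structure), SHA-256 for $h(\cdot)$ over length-prefixed fields, SHAKE-256 to stretch a hash into an XOR pad, 32-byte fixed-width $ID_i$, $TE_i$ and $SID_j$, and a constructed current date for the $TE_i$ check. Two details the text leaves open are filled in as assumptions: GWN keys its pending sessions by $(SID_j, PID_i)$, which is exactly what $M_3$ carries, and after a successful run both the card and the GWN database keep $PID_i^{new}$. All identities, passwords and sensor names are constructed sample values.

```python
import hashlib, secrets
# Added example of the proposed scheme (Sections 3.2-3.3), not the paper's code.
# Assumptions: the curve group is a multiplicative group mod a prime (xP -> pow(G, x, PRIME));
# ID_i, TE_i, SID_j are 32-byte fields; card and GWN database keep PID_i^new after a run.
PRIME = 2**256 - 2**32 - 977          # secp256k1 field prime, used here only as a modulus
G, W = 2, 32                          # generator; byte width of hashes, nonces, elements
def h(*parts):                        # h(a||b||...) over length-prefixed fields
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()
def mask(key, n): return hashlib.shake_256(key).digest(n)   # h(key) stretched over n bytes
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def smul(x, Q): return pow(Q, x, PRIME)                     # stands in for xQ on the curve
def rnd(): return secrets.randbelow(PRIME - 2) + 1          # scalar in Z_q^*
def nonce(): return secrets.token_bytes(W)
def eb(Q): return Q.to_bytes(W, "big")                      # group element -> bytes
def fw(s): return s.ljust(W, b"\0")                         # fixed-width ID/TE/SID fields
ID_GWN, TE_I, TODAY = fw(b"GWN-0001"), fw(b"2025-12-31"), fw(b"2024-01-15")  # constructed

def gwn_setup():                                            # 3.1
    k_gu, k_gs = rnd(), rnd()
    return {"k_gu": k_gu, "k_gs": k_gs, "ppub": smul(k_gu, G), "users": {}, "sessions": {}}

def register_user(gwn, id_i, pw_i):                         # 3.2.1, eq. (4)-(6); returns the card
    r_i = nonce()
    a_i, pid_i = h(id_i, pw_i, r_i), h(id_i, r_i)                           # (4) on U_i
    tc_i = h(id_i, pid_i, ID_GWN, eb(gwn["k_gu"]), TE_I)                    # (5) on GWN
    gwn["users"][pid_i] = (id_i, TE_I)                                      # GWN database
    ptc_i = xor(tc_i, a_i)                                                  # what the card carries
    return {"te": TE_I, "ppub": gwn["ppub"], "a": a_i,                      # (6) on U_i
            "b": xor(xor(ptc_i, a_i), h(id_i, pw_i, TE_I)), "c": xor(r_i, h(id_i, pw_i))}

def register_sensor(gwn, sid_j):                            # 3.2.2
    return {"sid": sid_j, "tc": h(eb(gwn["k_gs"]), sid_j)}

def user_step1(sc, id_i, pw_i, sid_j):                      # (7)-(9); None if SC rejects
    r_i = xor(sc["c"], h(id_i, pw_i))
    if h(id_i, pw_i, r_i) != sc["a"]:
        return None                                         # A_i* != A_i: no M1 is sent
    tc_i, pid_i = xor(sc["b"], h(id_i, pw_i, TE_I)), sc.get("pid", h(id_i, r_i))
    n1, x1 = nonce(), rnd()
    f1 = smul(x1, G)
    f2 = xor(id_i + sc["te"] + sid_j + n1, mask(h(eb(smul(x1, sc["ppub"]))), 4 * W))
    f3 = h(eb(f1), id_i, ID_GWN, tc_i, n1, sc["te"], sid_j)
    return {"F1": f1, "F2": f2, "F3": f3, "PID": pid_i}, {"tc": tc_i, "x1": x1, "n1": n1, "f1": f1, "pid": pid_i}

def gwn_step2(gwn, m1):                                     # (10)-(12); None on rejection
    f1, pid_i = m1["F1"], m1["PID"]
    p = xor(m1["F2"], mask(h(eb(smul(gwn["k_gu"], f1))), 4 * W))
    id_i, te_i, sid_j, n1 = p[:W], p[W:2*W], p[2*W:3*W], p[3*W:]
    if gwn["users"].get(pid_i) != (id_i, te_i) or te_i < TODAY:
        return None                                         # unknown pseudonym or expired TE_i
    tc_i = h(id_i, pid_i, ID_GWN, eb(gwn["k_gu"]), te_i)
    if h(eb(f1), id_i, ID_GWN, tc_i, n1, te_i, sid_j) != m1["F3"]:
        return None                                         # F3* != F3
    n2, x, x2 = nonce(), nonce(), nonce()
    tc_j, hid = h(eb(gwn["k_gs"]), sid_j), h(id_i, te_i, x)
    gwn["sessions"][(sid_j, pid_i)] = {"tc_i": tc_i, "tc_j": tc_j, "n1": n1}
    return {"F1": f1, "F4": xor(x2, h(tc_j, n2, ID_GWN)), "F5": xor(hid, h(n2, tc_j)),
            "F6": h(eb(f1), hid, x2, n2), "N2": n2, "PID": pid_i}

def sensor_step3(sensor, m2):                               # (13)-(14); returns (M3, SK_ji)
    tc_j, n2, pid_i = sensor["tc"], m2["N2"], m2["PID"]
    x2, hid = xor(m2["F4"], h(tc_j, n2, ID_GWN)), xor(m2["F5"], h(n2, tc_j))
    if h(eb(m2["F1"]), hid, x2, n2) != m2["F6"]:
        return None                                         # GWN not authenticated
    n3, x3 = nonce(), rnd()
    f7 = smul(x3, G)
    sk = h(pid_i, sensor["sid"], eb(smul(x3, m2["F1"])), eb(m2["F1"]), eb(f7))
    f8 = h(sk, n3)
    return {"F9": xor(f8 + eb(f7) + n3, mask(h(tc_j, pid_i), 3 * W)),
            "F10": h(tc_j, eb(f7), n3, f8), "SID": sensor["sid"], "PID": pid_i}, sk

def gwn_step4(gwn, m3):                                     # (15)-(16); SID_j, PID_i pick the session
    s = gwn["sessions"].pop((m3["SID"], m3["PID"]))
    p = xor(m3["F9"], mask(h(s["tc_j"], m3["PID"]), 3 * W))
    f8, f7, n3 = p[:W], p[W:2*W], p[2*W:]
    if h(s["tc_j"], f7, n3, f8) != m3["F10"]:
        return None                                         # F10* != F10
    pid_new = xor(m3["PID"], h(n3, s["tc_i"]))
    gwn["users"][pid_new] = gwn["users"].pop(m3["PID"])     # assumption: database follows PID_i^new
    return {"F11": xor(pid_new, h(ID_GWN, s["tc_i"], s["n1"])), "F12": h(pid_new, s["tc_i"]),
            "F13": xor(f8 + f7 + n3, mask(h(pid_new), 3 * W))}

def user_step5(sc, st, m4, sid_j):                          # (17)-(18); returns SK_ij
    pid_new = xor(m4["F11"], h(ID_GWN, st["tc"], st["n1"]))
    if h(pid_new, st["tc"]) != m4["F12"]:
        return None                                         # GWN not authenticated
    p = xor(m4["F13"], mask(h(pid_new), 3 * W))
    f8, f7, n3 = p[:W], int.from_bytes(p[W:2*W], "big"), p[2*W:]
    sk = h(st["pid"], sid_j, eb(smul(st["x1"], f7)), eb(st["f1"]), eb(f7))
    if h(sk, n3) != f8:
        return None                                         # F8* != F8: keys disagree
    sc["pid"] = pid_new                                     # assumption: card keeps PID_i^new
    return sk

def run(id_i=b"alice", pw_i=b"alice-pw", sid_j=b"sensor-07"):
    """One full run: returns (SK_ij, SK_ji, card_rejected_wrong_password)."""
    id_i, sid_j = fw(id_i), fw(sid_j)
    gwn = gwn_setup()
    sc, sensor = register_user(gwn, id_i, pw_i), register_sensor(gwn, sid_j)
    rejected = user_step1(sc, id_i, b"not-the-password", sid_j) is None    # Sections 4.6, 4.9
    m1, st = user_step1(sc, id_i, pw_i, sid_j)
    m3, sk_j = sensor_step3(sensor, gwn_step2(gwn, m1))
    sk_i = user_step5(sc, st, gwn_step4(gwn, m3), sid_j)
    return sk_i, sk_j, rejected
```

`run()` first tries the card with a wrong password and reports that Step 1 rejected it locally, so nothing reaches GWN (Sections 4.6 and 4.9); `gwn_step4` finds the right $TC_j$, $TC_i$ and $N_1$ with a single dictionary lookup keyed by the $SID_j$ and $PID_i$ carried in $M_3$. One open point is left as it is in the text: equation (8) recomputes $PID_i = h(ID_i || r_i)$ at every login while Step 4 replaces it, and equation (11) derives $TC_i$ from the pseudonym received in $M_1$; the example sends the card's current pseudonym and follows (11) literally, so a second login after the update would also need $TC_i$ re-derived, which the text does not specify.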

4 Security Analysis

The most basic requirement of any authentication scheme is security. In this section, we give a security analysis of the proposed scheme. The proposed scheme provides mutual authentication, satisfies user anonymity and untraceability, and is resistant to many common attacks as described below.

4.1 User Anonymity

To protect the user's privacy, the authentication scheme must guarantee anonymity. In the proposed scheme, the identity $ID_i$ of $U_i$ is neither transmitted over a public channel nor stored in SC. As shown in equation (19), the proposed scheme hashes $ID_i$ together with a random number $r_i$ chosen by $U_i$ to generate the user's pseudo-identity $PID_i$. In the login and key agreement phase, the identity information sent over the public channel is $PID_i$ rather than $ID_i$, and even if an attacker intercepts $PID_i$ he/she cannot recover $ID_i$, because $h(\cdot)$ is one-way and $r_i$ is unknown. In summary, the proposed scheme satisfies user anonymity.

$$PID_i = h(ID_i || r_i) \quad (19)$$

4.2 User Untraceability

$U_i$ sends the login message $M_1 = \{F_1, F_2, F_3, PID_i\}$ to GWN over a public channel, and an attacker can intercept $M_1$. However, as equation (20) shows, $\{F_1, F_2, F_3\}$ all depend on the random numbers $x_1$ or $N_1$, which differ in every session. Likewise, $PID_i$ varies from session to session because it is refreshed at the end of every run. That is, none of the values in $M_1$ can be linked to a specific user, so the attacker cannot trace the user's actions during the login and key agreement phase. Moreover, after GWN authenticates $S_j$ in the login and key agreement phase, it updates $PID_i$ to $PID_i^{new} = PID_i \oplus h(N_3 || TC_i)$ (equation (16)) and transmits it to $U_i$, who recovers it by equation (21); the user's pseudo-identity is therefore dynamic. Usually, an attacker intercepts messages from different sessions and tries to find a relationship between them to determine whether they belong to the same device[12]. In the proposed scheme, GWN does not transmit $PID_i^{new}$ directly over the public channel; it protects $PID_i^{new}$ by equation (22) before transmitting $F_{11}$. In this way, the attacker cannot correlate $PID_i$ and $PID_i^{new}$ by intercepting both of them. As shown above, the proposed scheme satisfies user untraceability and, thanks to the dynamic identity, also strengthens user anonymity.

$$\begin{cases} F_1 = x_1 P \\ F_2 = (ID_i || TE_i || SID_j || N_1) \oplus h(x_1 P_{pub}) \\ F_3 = h(F_1 || ID_i || ID_{GWN} || TC_i || N_1 || TE_i || SID_j) \end{cases} \quad (20)$$

$$PID_i^{new} = F_{11} \oplus h(ID_{GWN} || TC_i || N_1) \quad (21)$$

$$F_{11} = PID_i^{new} \oplus h(ID_{GWN} || TC_i || N_1) \quad (22)$$

4.3 Mutual Authentication

The three parties involved in the communication, i.e., $U_i$, GWN and $S_j$, must authenticate each other to ensure the legitimacy of every party. In the login phase, SC authenticates the currently logged-in user as the legitimate holder of SC by verifying $A_i$ in equation (23). GWN authenticates $U_i$ by verifying $F_3$ in equation (23), in particular the $TC_i$ contained in it, before responding to $U_i$'s login request. GWN authenticates $S_j$ by checking the integrity and correctness of $F_{10}$ in equation (23), in particular the $TC_j$ contained in it. $S_j$ authenticates GWN by examining $F_6$ in equation (23), in particular the $h(ID_i || TE_i || x)$ contained in it. $U_i$ authenticates GWN by verifying $F_{12}$ in equation (23), and verifies that the session key agreed with $S_j$ is consistent by checking $F_8$. In conclusion, if the whole authentication process completes, the participants can trust each other, which means that the proposed scheme supports mutual authentication.

$$\begin{cases} A_i = h(ID_i || PW_i || r_i) \\ F_3 = h(F_1 || ID_i || ID_{GWN} || TC_i || N_1 || TE_i || SID_j) \\ F_{10} = h(TC_j || F_7 || N_3 || F_8) \\ F_6 = h(F_1 || h(ID_i || TE_i || x) || x_2 || N_2) \\ F_{12} = h(PID_i^{new} || TC_i) \\ F_8 = h(SK_{ij} || N_3) \end{cases} \quad (23)$$

4.4 Resistance to Replay Attack

Although the proposed scheme, like Hu et al's scheme[10], does not use timestamps, every value transmitted over the public channel is bound to the random numbers $N_1$, $x_1$, $N_2$, $x$, $x_2$, $N_3$, $x_3$ chosen by $U_i$, GWN and $S_j$ in the login and key agreement phase, and these random numbers change from session to session. Even if an attacker intercepts the messages $M_1$, $M_2$, $M_3$, $M_4$ over the public channel and replays them, the attacker cannot compute the correct session key. As shown in equation (24), computing the session key requires $F_7$ and the shared point $x_3 F_1 = x_1 F_7$. $F_7$ is only ever sent masked (inside $F_9$ and $F_{13}$), and even an attacker who obtained $F_7$ and $F_1$ would still have to solve the computational Diffie-Hellman problem to obtain $x_1 x_3 P$, since $x_1$ and $x_3$ never leave $U_i$ and $S_j$; the base point $P$ is public and does not help. It follows that the proposed scheme resists replay attacks.

$$SK_{ji} = h(PID_i || SID_j || x_3 F_1 || F_1 || F_7) \quad (24)$$

4.5 Resistance to Man-in-the-Middle(MITM) Attack

If an attacker tries to eavesdrop, manipulate, or intercept messages transmitted in the public channel, he/she will be detected by the mutual authentication mechanism at each entity involved in the communication. As shown in Sections 4.3 and 4.4, such a malicious attempt will not succeed even if the attacker attempts to replay or tamper with the values in the transmitted message. Thus, the proposed scheme is resistant to MITM attacks.

4.6 Resistance to DOS Attack

An attacker may send a large number of fake request messages to the target device in an attempt to prevent legitimate users from accessing the service, so that the target device can no longer provide normal service. In the proposed scheme, SC first verifies $U_i$'s login information locally. In equation (25), $ID_i$ and $PW_i$ are the identity and password entered by $U_i$, and $r_i$ is recovered from $h(\cdot)$ and $C_i$, both of which are stored in the SC that $U_i$ inserts. SC can therefore verify whether $U_i$ is the legitimate holder of SC by checking $A_i$, and a stolen card operated with the wrong credentials never produces a login request for GWN to process. In addition, each message in the proposed scheme authenticates its sender before the next operation is performed. If the authentication succeeds, the session proceeds normally; otherwise it is terminated immediately. Thus, the proposed scheme resists DOS attacks.

$$\begin{cases} r_i = C_i \oplus h(ID_i || PW_i) \\ A_i = h(ID_i || PW_i || r_i) \end{cases} \quad (25)$$

4.7 Perfect Forward Secrecy

In the proposed scheme, a fresh session key is generated between $U_i$ and $S_j$ in every run, and its value depends on the ephemeral point $x_1 F_7 = x_3 F_1 = x_1 x_3 P$, where $x_1$ and $x_3$ are chosen anew for each session and discarded afterwards. Even if the long-term secrets ($K_{GU}$, $K_{GS}$, $TC_i$, $TC_j$) are disclosed later, an attacker who recorded $F_1$ and $F_7$ from an old session would still have to compute $x_1 x_3 P$ from them, i.e., solve the computational Diffie-Hellman problem. Likewise, the compromise of one session key reveals nothing about past or future session keys, because each is built from different $x_1$ and $x_3$. As a result, the proposed scheme achieves perfect forward secrecy.

4.8 Resistance to Impersonation Attack

An attacker may impersonate Ui to launch an attack. In the proposed scheme, Ui communicates by using a pseudo-identity PIDi, which is updated at the end of each authentication phase. Therefore, it is difficult for the attacker to impersonate a legitimate user using some outdated pseudo-identity. Even if the attacker happens to guess the identity of Ui, he/she can never send a valid message to the GWN to prove his/her identity. It is because the attacker cannot know the temporary credential TCi and the expiration time TEi issued by GWN to the legitimate user. In summary, the proposed scheme is able to resist impersonation attacks.

4.9 Resistance to Stolen Smart Card Attack

If the attacker steals the smart card SC, he/she may try to impersonate $U_i$ by inserting SC and entering his/her own identity and password. However, the attacker cannot pass the check of equation (26). That is, even if the attacker steals SC and extracts the data stored inside ($A_i$, $B_i$, $C_i$ and the public parameters), he/she does not obtain $TC_i$ or $r_i$ in the clear, since both are masked with hashes of $ID_i$ and $PW_i$. So the proposed scheme resists stolen smart card attacks.

$$\begin{cases} A_i^* = h(ID_i || PW_i || r_i^*) \\ \text{check } A_i^* = A_i \end{cases} \quad (26)$$

4.10 Resistance to Known Session Key Attack

If an attacker can use an old or compromised session key to attack a later session, the scheme is vulnerable to known session key attacks. As shown in equation (27), the session key in the proposed scheme contains the random numbers $x_1$ and $x_3$, which are refreshed in every run. The attacker observes $F_1$ in the clear but never $x_1$ or $x_3$; extracting $x_1$ from $F_1$ (or $x_3$ from $F_7$) is the elliptic-curve discrete logarithm problem, and computing the shared point $x_1 x_3 P$ from $F_1$ and $F_7$ is the computational Diffie-Hellman (CDH) problem. Hence an old session key gives the attacker no information about any other session key.

$$\begin{cases} SK_{ji} = SK_{ij} = h(PID_i || SID_j || x_3 F_1 || F_1 || F_7) = h(PID_i || SID_j || x_1 F_7 || F_1 || F_7) \\ F_1 = x_1 P \\ F_7 = x_3 P \end{cases} \quad (27)$$

4.11 Resistance to Off-Line Password Guessing Attack

Suppose an attacker tries to guess $PW_i$ of a legitimate user using the stolen smart card or any previously transmitted message, so as to pass the check of equation (26). To do so he/she must also know the real identity $ID_i$ and recover $r_i^*$ of the legitimate user. The attacker cannot obtain $ID_i$ from intercepted messages, since it is only ever sent masked or hashed. Moreover, $r_i$ is an independent random number chosen by the legitimate user during the registration phase, and it can only be extracted in the login phase from the registered $ID_i$ and $PW_i$ together with the $C_i$ stored in SC. That is, even if the attacker guesses $PW_i$ correctly by chance, he/she cannot pass the verification of SC without $ID_i$. Therefore, the proposed scheme resists off-line password guessing attacks. Note that this argument rests on $ID_i$ being unknown to the attacker: once the card contents $\{A_i, C_i\}$ are extracted, equation (25) can be evaluated off-line for any candidate pair $(ID_i, PW_i)$, so the strength of the check is the joint unpredictability of the identity and the password rather than of the password alone.

4.12 No Key Control

No single entity in the session can compute the session key alone by controlling the key negotiation process. The values $x_1$ and $x_3$, and with them $F_1$ and $F_7$, are chosen and computed independently by $U_i$ and $S_j$, respectively. As shown in equation (27), if $U_i$ does not extract $F_7$ created by $S_j$ from the received message $M_4$, then $SK_{ij}$ cannot be computed. Similarly, if $S_j$ does not receive $F_1$ created by $U_i$ in $M_2$, then $SK_{ji}$ cannot be computed.

5 Performance Analysis

This section compares the proposed scheme with Hu et al's scheme[10] and with other schemes of the same type in terms of both performance and security features.

5.1 Implementation Setup

We refer to the experimental results of Xie et al[13]. For simplicity, we consider only four main cryptographic operations: ① one-way hash function, ② point multiplication, ③ symmetric encryption and decryption, and ④ fuzzy extraction function. We do not consider the XOR operation because its cost is negligible. The execution times of the hash function, symmetric encryption/decryption, elliptic curve point multiplication and fuzzy extraction function are denoted by Th, Ts, Te and Tf, with estimated times of 0.068, 0.56, 2.501 and 2.501 ms, respectively.

5.2 Computation Comparisons

Table 3 compares the proposed scheme with other similar schemes. Although the proposed scheme has a slightly longer running time than Hu et al's scheme[10], it offers better security and effectively remedies the security flaws of Hu et al's scheme[10]. Moreover, the computational cost of the proposed scheme is significantly lower than that of the schemes of Sutrala et al[14], Xie et al[15], Srinivas et al[16] and Sahoo et al[17].

Table 3 Computational cost of the schemes

5.3 Comparison of Safety Features and Functions

Table 4 shows that the existing schemes do not meet all the security requirements, whereas the proposed scheme provides sufficient security advantages over the other schemes and is suitable for wireless sensor networks in the IoT environment.

Table 4 Security comparison among relevant schemes

6 Conclusion

In this paper, we review the two-factor authentication scheme proposed by Hu et al for WSNs in an IoT environment and point out several of its flaws. We then propose an improved scheme that addresses the security concerns of Hu et al's scheme while taking computational efficiency into account. We demonstrate the security of the proposed scheme through a security analysis, showing that it resists a wide range of known attacks and meets all the security requirements. In addition, we compare and analyze the performance of the proposed scheme against Hu et al's scheme and similar schemes from recent years. The analysis results show that the proposed scheme achieves the desired efficiency and is compatible with low-cost, resource-constrained IoT devices.

References

  1. Tran-Dang H, Krommenacker N, Charpentier P, et al. Toward the Internet of Things for physical Internet: Perspectives and challenges[J]. IEEE Internet of Things Journal, 2020, 7(6): 4711-4736.
  2. Bin Abu Bakar K, Zuhra F T, Isyaku B, et al. A review on the immediate advancement of the Internet of Things in wireless telecommunications[J]. IEEE Access, 2023, 11: 21020-21048.
  3. Du J Q, Kang B Y, Han Y B. Improvement on a biometric based user authentication scheme in wireless sensor networks using smart cards[J]. Wuhan University Journal of Natural Sciences, 2020, 25(2): 155-161.
  4. Chander B, Kumaravelan G. An improved 2-factor authentication scheme for WSN based on ECC[J]. IETE Technical Review, 2023, 40(2): 167-178.
  5. Szymoniak S, Kesar S. Key agreement and authentication protocols in the Internet of Things: A survey[J]. Applied Sciences, 2022, 13(1): 404.
  6. Ostad-Sharif A, Arshad H, Nikooghadam M, et al. Three party secure data transmission in IoT networks through design of a lightweight authenticated key agreement scheme[J]. Future Generation Computer Systems, 2019, 100: 882-892.
  7. Chen C T, Lee C C, Lin I C. Efficient and secure three-party mutual authentication key agreement protocol for WSNs in IoT environments[J]. PLoS One, 2020, 15(4): e0232277.
  8. Chunka C, Banerjee S, Goswami R S. An efficient user authentication and session key agreement in wireless sensor network using smart card[J]. Wireless Personal Communications, 2021, 117(2): 1361-1385.
  9. Lee J, Oh J, Kwon D, et al. PUFTAP-IoT: PUF-based three-factor authentication protocol in IoT environment focused on sensing devices[J]. Sensors, 2022, 22(18): 7075.
  10. Hu B, Tang W, Xie Q. A two-factor security authentication scheme for wireless sensor networks in IoT environments[J]. Neurocomputing, 2022, 500: 741-749.
  11. Li R, Kang B Y, Mai K Q. Analysis and improvement on a hash-based authentication scheme for multi-server architecture[J]. Wuhan University Journal of Natural Sciences, 2021, 26(5): 394-404.
  12. Yang S, Zheng X, Liu G, et al. IBA: A secure and efficient device-to-device interaction-based authentication scheme for Internet of Things[J]. Computer Communications, 2023, 200: 171-181.
  13. Xie Q, Wong D S, Wang G, et al. Provably secure dynamic ID-based anonymous two-factor authenticated key exchange protocol with extended security model[J]. IEEE Transactions on Information Forensics and Security, 2017, 12(6): 1382-1392.
  14. Sutrala A K, Obaidat M S, Saha S, et al. Authenticated key agreement scheme with user anonymity and untraceability for 5G-enabled softwarized industrial cyber-physical systems[J]. IEEE Transactions on Intelligent Transportation Systems, 2022, 23(3): 2316-2330.
  15. Xie Q, Li K H, Tan X, et al. A secure and privacy-preserving authentication protocol for wireless sensor networks in smart city[J]. EURASIP Journal on Wireless Communications and Networking, 2021(2021): 119.
  16. Srinivas J, Das A K, Wazid M, et al. Designing secure user authentication protocol for big data collection in IoT-based intelligent transportation system[J]. IEEE Internet of Things Journal, 2021, 8(9): 7727-7744.
  17. Sahoo S S, Mohanty S, Majhi B. A secure three factor based authentication scheme for health care systems using IoT enabled devices[J]. Journal of Ambient Intelligence and Humanized Computing, 2021, 12(1): 1419-1434.
