A Lightweight Secure User Authentication and Key Agreement Protocol for Wireless Sensor Networks

Wireless sensor networks (WSNs) have great potential for numerous domains of application because of their ability to sense and understand unattended environments. However, a WSN is subject to various attacks due to the openness of the public wireless channel. Therefore, a secure authentication mechanism is vital to enable secure communication within WSNs, and many studies on authentication techniques have been presented to build robust WSNs. Recently, Lu et al. analyzed the security defects of the previous ones and proposed an anonymous three-factor authenticated key agreement protocol for WSNs. However, we found that their protocol is vulnerable to some security weaknesses, such as the offline password guessing attack, known session-specific temporary information attack, and no session key backward secrecy. We propose a lightweight security-improved three-factor authentication scheme for WSNs to overcome the previously stated weaknesses. In addition, the improved scheme is proven to be secure under the random oracle model, and a formal verification is conducted by ProVerif to reveal that the proposal achieves the required security features. Moreover, the theoretical analysis indicates that the proposal can resist known attacks. A comparison with related works demonstrates that the proposed scheme is superior due to its reasonable performance and additional security features.

A wireless sensor network (WSN) is an intelligent network that can achieve data collection, data fusion, and data transmission independently. It combines the logical information world and the real physical world together closely to realize the "ubiquitous computing" mode [[1]–[3]]. A WSN comprises many tiny sensor nodes, which have limited battery power and computation capability, and they can be deployed in untended target fields, such as habitats [[4]], health care [[5]], agriculture [[6]], battlefields [[7]], and environmental monitoring [[8]]. These nodes sense the environment, collect data from the surrounding areas, and transmit them to the closest gateway node (GWN) via wireless channels for further transferring to external users. Thus, WSNs have wide application scenarios, such as city management, emergency medical care, temperature and humidity monitoring in agriculture, wildlife monitoring, antiterrorism, military defense, and so on. However, the messages transmitted in the wireless channel are easily eavesdropped, injected, rerouted, and altered by an adversary because of the broadcast nature and insecurity of wireless communication. Although the WSN has adequate security progress in its lower layers, such as link layer and network layer [[9]], it is still necessary to design mutual authentication schemes with key agreement in the application layer to prevent unauthorized access to the sensor node. As shown in Figure 1, authentication mechanisms should be provided to protect the secure communication between related parties in a WSN.

Graph: Figure 1 Typical architecture of wireless sensor networks.

In addition, traditional security service architectures, such as IPsec [[11]] and IKE [[12]], are not suitable for WSNs because the sensors in a WSN have limited battery power and computation capability. Consequently, the authentication with key establishment between sensors and the user outside the WSN should have lightweight computation and should be robust enough to withstand well-known attacks from adversaries. In other words, it is vital that the user should be authenticated before he is permitted to access the remote sensor to acquire data, and the sensor to be accessed should be an authorized one. In particular, a shared session key should be generated between the sensor and the user to protect the data transmission. Moreover, users likely prefer to keep their identity and other privacy undisclosed to avoid being tracked by adversaries when they communicate with the sensors in a WSN. Thus, the user's anonymity and untraceability are desirable security properties in the authentication scheme in WSNs.

In the last several years, many authentication schemes have been presented to prevent unauthorized access to transmitted data within WSN from malicious users or adversaries. Li-Xiong [[13]], Chen et al. [[14]], and Ramachandran-Shanmugam [[15]] proposed mutual authentication schemes on bilinear pairing for WSN and generated a session key among the related parties. However, employing bilinear pairing makes the computation burden very heavy, and thus, these schemes are not practical for WSNs.

In 2006, Wong et al. [[16]] proposed a user authentication scheme with hash function and exclusive-or (XOR) operation for WSNs. In their scheme, the user submits his identity and password to a system interface and directly accesses the sensor within the expiration time. However, Tseng found that Wong's scheme was vulnerable to the replay attack, stolen verifier attack, and impersonation attack and then put forward a modified version while adding a new password change phase to solve the problem of the static password [[17]]. Generally, the security of the type of scheme [[16]] only depending on the single factor of password easily leads to password guessing attack.

To address the above security issues, Das [[18]] first put forward the concept of two-factor authentication, that is, using a smart card along with a password. There is no doubt that Das's scheme [[18]] introduced the authentication concept of two-factor, removing the need to maintain a database on the gateway and store user-specific information on the sensor, thus paving a new way of application layer authentication for WSNs. The author claimed that his scheme has the security merits of only using hash function, requiring less communication overhead and resisting various attacks. However, several researchers [[19]–[21]] analyzed Das's scheme [[18]] and found that it had various loopholes. Nyang and Lee [[19]] found that Das's protocol [[18]] was vulnerable to the offline password guessing attack, and sensor node capture attack, and presented an improved version to overcome these weaknesses. In the same year, Huang et al. [[20]] examined Das's scheme [[18]] for weaknesses such as the inability to provide user anonymity and withstand sensor impersonation attack. Huang et al. [[20]] also proposed an enhanced scheme to repair the pitfalls in Das's scheme [[18]]. Later, He et al. [[21]] pointed out that Das's scheme [[18]] suffered from insider attack along with impersonation attack. As a countermeasure to these drawbacks, He et al. [[21]] presented an enhanced protocol to thwart these threats. However, Kumar and Lee [[22]] observed that He et al.'s protocol [[21]] failed to provide mutual authentication and could not generate a shared session key between the sensor and the user. Moreover, there have been many schemes [[23]–[29]] settling the security weaknesses in the two-factor authentication protocols for WSNs. In these schemes, the authors cryptanalyzed the previous schemes, found some vulnerabilities in them, and presented a new improved two-factor scheme as a remedy. Unfortunately, Wang et al. [[30]] criticized that most of these solutions and the similar two-factor authentication schemes were found to be vulnerable to various practical attacks that could lead to unintended consequences.

To overcome the security weakness in two-factor authentication schemes for WSNs and further improve their security strength, plenty of three-factor-based authenticated key agreement schemes have been proposed in the past few years [[32]–[38]]. In the three-factor schemes, a user is identified as a legal one only if his smart card, password, and biometric information are valid. Compared with the traditional authentication methods, biometrics has the following advantages [[39]]: (1) biometrics cannot be lost, forgotten, or forged; and (2) a biometric key is difficult to guess or breach.

In this section, we briefly describe the schemes closest to our work. In 2014, Das [[33]] came across the privileged insider attack, improper authentication, and inefficiency in Jiang et al.'s scheme [[40]] and proposed a three-factor user authentication protocol for WSNs with symmetric cryptographic primitives. In the next year, Das also presented another two three-factor schemes for WSNs [[34]]. However, Wu et al. [[41]] pointed out that these three schemes are vulnerable to offline password guessing attack, user impersonation attack, and destitution of strong forward security and proposed an enhanced one. Unfortunately, we found that if the user enters an incorrect password during the login phase in Wu et al.'s scheme [[41]], the smart card will not check whether the password is correct, and the protocol will proceed until GWN finds that the user's login request was invalid, thereby unnecessarily wasting precious computation resource of the user and the GWN.

In 2016, Amin et al. [[38]] reviewed Farash et al.'s authenticated key agreement scheme [[42]] for heterogeneous WSN and found that Farash et al.'s scheme [[42]] cannot withstand offline password guessing attack, known session-specific temporary information (KSSTI) attack, and user impersonation attack. To overcome these pitfalls, Amin et al. [[38]] proposed a secure improved three-factor scheme and claimed that their new scheme was secure enough to resist the known threats. However, Jiang et al. [[36]] proved that Amin et al.'s scheme [[38]] was insecure to smart-card-loss attack defined by [[43]], KSSTI attack, and tracking attack. As a remedy, Jiang et al. [[36]] built an improved three-factor user authentication scheme on the Rabin cryptosystem for WSN. We observe that Jiang et al.'s scheme [[36]] is skeptical to privileged insider attack because GWN also generates the session key which means GWN can decrypt all of the session messages between the user and the sensor. In 2017, Wang et al. [[44]] identified weaknesses (offline dictionary attack, impersonation attack, etc.) in previous ones, and proposed an enhanced anonymous three-factor user authentication protocol employing an elliptic curve cryptosystem (ECC) for WSN. Owing to the fuzzy verifier, their scheme can withstand the offline identity and password guessing attack. Unfortunately, their scheme is vulnerable to insider attack because the random number chosen by GWN for the user is stored in GWN's database, and the insider can access and modify it, resulting in user login failure. Moreover, their scheme is subject to KSSTI attack, which is similar to the analysis in Section 4.4. In 2018, Li et al. [[45]] introduced a three-factor authenticated scheme for WSNs in Internet of Things environments with adoption of fuzzy commitment to handle the user's biometric information. However, we discovered that their scheme fails to provide three-factor security if the lost/stolen smart card is obtained by the attacker and the biometric information is also collected by the attacker without the awareness of the owner, so their scheme is not as secure as they claimed. With a similar reason, schemes of [[46]–[48]] fail to provide true three-factor security. Although Li et al. employed fuzzy verifier technique and claimed that their protocol [[49]] for wireless medical sensor networks satisfies many security features, we found that it cannot resist replay attack.

In 2015, Das [[35]] proposed an efficient biometric-based authentication scheme for WSNs using smart card and demonstrated that the scheme can resist various attacks. However, Lu et al. [[50]] criticized that Das's scheme [[35]] has security weaknesses including lack of three-factor security along with user anonymity and user impersonation attack. To eliminate the security drawbacks, Lu et al. [[50]] proposed a new three-factor solution on ECC and claimed that their scheme was secure against the known attacks. Furthermore, their scheme has been equipped with a formal security proof in random oracle model, and thus they have full confidence in the security of their scheme.

In this paper, we examine the scheme of Lu et al. [[50]] and show that it cannot provide three-factor security along with a lack of strong session key security, suffers from KSSTI attack, and is unsuitable to the WSN environment. To overcome the security pitfalls found in Lu et al.'s scheme, we present an improved scheme and prove its security under random oracle model and heuristic security analysis. Moreover, we use the formal verification tool ProVerif to demonstrate that the improved scheme fulfills session key secrecy and mutual authentication. A comparison with other related schemes shows that our scheme is superior to theirs.

Motivated by the thought of overcoming the security vulnerabilities in Lu et al.'s scheme [[50]], we present a new secure three-factor authentication scheme exploiting ECC in the WSN context. In short, our main contributions are summarized as follows:

• (i) First, we cryptanalyze Lu et al.'s protocol [[50]] and show its security weaknesses.
• (ii) Second, we propose a new lightweight anonymous three-factor authentication and key agreement protocol on ECC for WSN. The proposal not only overcomes the security weaknesses in Lu et al.'s protocol, but also achieves more security features than the related competitive works.
• (iii) Third, we use the random oracle model to demonstrate the validity of the proposed scheme, and we conduct a formal verification by using ProVerif. Additionally, a performance comparison is made between our scheme and the related three-factor authentication schemes to show that it provides a better tradeoff between performance and security requirements, thereby making it more suitable for practical application in WSN environments.

To design a robust and efficient three-factor authenticated scheme for WSNs, the following security requirements should be fulfilled.

(1) Provide three-factor security: the scheme should still be secure even if any two of the three factors are compromised. (2) Attack resistance: the scheme should be secure against various attacks, such as user impersonation attack, gateway node impersonation attack, sensor impersonation attack, KSSTI attack, replay attack, privileged insider attack. (3) Forward and backward secrecy: if the long-term secret key is compromised, the attacker cannot compute the previous session and the future ones. (4) Resistance to sensor capture attack: if a single sensor is captured by the attacker, it is difficult for he/she to pretend to be any noncompromised sensors. (5) User anonymity: any attackers are incapable of revealing the identity of the user, and it is also an important privacy protection requirement for users. (6) Mutual authentication and key agreement: the user and the sensor should authenticate each other and generate a shared session key.

The remainder of the paper is organized as follows. In Section 2, we discuss the preliminaries of the fuzzy extractor and related mathematical assumptions. We review and cryptanalyze Lu et al.'s scheme in Section 3 and Section 4, respectively. Section 5 presents our new three-factor authenticated key agreement protocol for WSNs. Next, the validity of our scheme and the security analysis are demonstrated in Section 6, and the formal security verification via ProVerif is given in Section 7. Section 8 shows the performance comparison with the related studies. Finally, conclusions are drawn in Section 9.

The fuzzy extractor was introduced by Dodis et al. [[51]] in 2004, it is mainly used to address the issue of biometric templates authentication, and many protocols use this technology [[32], [52]–[54]] to improve their security.

The fuzzy extractor can produce a biological key δi and a public parameter τi from the user's biometric template Bio by utilizing certain error-correcting code technology. To recover δi, the reproduction algorithm is applied to τi and the other newly captured biometric template ${Bio}^{\ast }$ , which is similar to Bio. By comparing the similarity of the stored biometric template and the captured biometric template, the protocol can achieve biometric authentication with error tolerance. According to [[51]], the fuzzy extractor is given by two effective algorithms (Gen, Rep) which are defined as follows:

• Gen (Bio) = (δi, τi): Gen is a probabilistic generation algorithm. When the biometric template Bio is input, Gen will output a random string δi with an auxiliary random string τi.
• Rep ( ${Bio}^{\ast }$ , τi) = δi: Rep is a deterministic reproduction algorithm. Upon receiving a biometric template ${Bio}^{\ast }$ within an error-tolerant range and the auxiliary random string τi, Rep will recover δi.

Let Ep (a, b) be a set of elliptic curve points over the prime field Fp, which is defined by the equation style of y2 mod p = (x3 + ax + b) mod p, with a, b ∈ Fp, 4a3 + 27b2 mod p ≠ 0. An elliptic curve group G is defined on E/Fp with generator P. For simplicity, mod p is omitted in the following section. In this section, we briefly describe two important mathematical assumptions [[55]] that rely on the elliptic curve and are closely related to our scheme.

Elliptic curve discrete logarithm (ECDL) problem: given Q, P ∈ G, it is infeasible to find the integer a ∈ [1, _I_p_i_ − 1] such that Q = aP.

Computational Diffie-Hellman (CDH) problem: given (P, aP, bP) for any a, b ∈ [1, _I_p_i_ − 1], it is infeasible to calculate abP ∈ G.

Lu et al.'s three-factor authenticated scheme [[50]] consists of seven phases, i.e., predeployment, user registration, sensor node registration, login, authentication and key agreement, password change, and dynamic sensor node addition. The last two phases are omitted since they are not relevant. For convenience, the notations used in this paper are listed in Table 1.

Table 1 Notations.

• (1) GWN computes Kj = h (SIDj, XGWN) shared with each Sj
• (2) GWN stores Kj into Sj's memory and then deletes XGWN

• (1) Ui inputs his IDi and password PWi, imprints his biometrics Bio, and then computes Gen (Bio) = (δi, τi).
• (2) Ui sends {IDi, h (PWi, δi)} to GWN via a secure channel.
• (3) GWN computes RPWi = h (IDi) h (IDi, h (K)) and stores it in a smart card, where K is a nonce. Then, GWN sends the smart card to Ui via a secure channel.
• (4) Ui computes fi = h (IDi, h (PWi, δi)) and stores (fi, τi, Gen (), Rep (), h ()) on the smart card.

• (1) Sj sends {SIDj} to GWN
• (2) GWN computes h (SIDj, Kj) and sends it to Sj via a secure channel
• (3) Sj stores h (SIDj, Kj) in its memory

• (1) Ui inserts his smart card into a card reader, enters (IDi, PWi) and imprints biometrics ${Bio}^{\ast }$ .
• (2) The smart card computes Rep ( ${Bio}^{\ast }$ , τi) and checks whether h (IDi, h (PWi, δi)) = fi holds. If it is true, the smart card selects a nonce ai; computes Ai = aiP, Bi = IDi ⊕ aiXpub, Vi = h (IDi, h (IDi, h (K)), aiP, T1); and then sends M1 = {Ai, RPWi, Bi, Vi, T1} to GWN. Otherwise, the smart card rejects the login request.

• (1) On receiving M1 from Ui, GWN computes IDi = $x_g{A}_i$ ⊕ Bi, and checks whether Vi = h (IDi, h (IDi, h (K)), aiP, T1) holds. If it is successful, GWN selects a new nonce $K^{\ast }$ , computes ${\text{RPW}}_i^{\ast }$ = h (IDi, h (IDi, h ( $K^{\ast }$ )) and $V_j=E_{h\left({SID}_j,K_j\right)}\left({ID}_i,a_{i}P,T_2\right)$ , and then sends M2 = { ${\text{RPW}}_i^{\ast }$ , Vj, T2} to Sj.
• (2) _I_S_i__SB__I_j_i__sb_ decrypts _I_V_i__SB__I_j_i__sb_ and checks the validity of the timestamp _I_T_i__SB_2_sb_. If _I_T_i__SB_2_sb_ is valid, _I_S_i__SB__I_j_i__sb_ computes _I_h_i_ (_I_ID_SB_i_sb__i_, _I_h_i_ ( _HT_ _ht_ )) = _I_h_i_ (_I_ID_SB_i_sb__i_)_SP_−1_sp_ _HT_ _ht_ , selects a nonce _Ii_j, and computes sk = h (aibjP) and $C_i=E_{h\left({ID}_i,h\left(K^{\ast }\right)\right)}\left({ID}_i,b_{j}P,sk,T_3\right)$ . Finally, Sj sends M3 = {Ci, ${\text{RPW}}_i^{\ast }$ , T3} to Ui.
• (3) _I_U_i__SB__I_i_i__sb_ computes _I_h_i_ (_I_ID_SB_i_sb__i_, _I_h_i_ ( _HT_ _ht_ )) = _I_h_i_ (_I_ID_SB_i_sb__i_)_SP_−1_sp_ _HT_ _ht_ , replaces RPW_I__SB_i_sb__i_ with _HT_ _ht_ on the smart card, computes _HT_ _ht_ , _I_sk_i_′ = _I_h_i_ (_I_a_i__SB__I_i_i__sb__Ii_jP), and verifies whether sk′ = sk holds. If it holds, Ui believes that he has shared a session key sk with Sj. Otherwise, Ui aborts this session.

In this section, we discuss the security weaknesses of Lu et al.'s scheme [[50]], which include failure to provide three-factor security, no backward secrecy, and vulnerability to KSSTI attack. Before cryptanalyzing Lu et al.'s scheme [[50]], we summarize the adversarial model used in this paper based on [[38]] as follows:

• (1) The attacker has full control of the communication channel between the related participants. In other words, the attacker might eavesdrop, intercept, insert, delete, and modify messages transmitted over the public channel.
• (2) When the smart card is lost, stolen, or somehow obtained by an attacker, he/she could extract all of the secret data stored on the smart card by launching a differential power attack [[56]] or side-channel attacks [[57]]. Furthermore, the attacker might compromise two of the three factors (i.e., password and smart card, password and biometrics, or smart card and biometrics), but he is incapable of compromising all of the three factors.
• (3) The attacker can learn the user's identity as far as the attacks (e.g., impersonation attack) and security properties (e.g., mutual authentication and session key agreement) are concerned.
• (4) The attacker can guess the user's identity and password offline by choosing a pair (ID, PW) from the Cartesian product DID × DPW in polynomial time, where DID denotes identity space and DPW denotes the password space [[31], [59]].
• (5) The random nonce and the secret key selected by communication parties are adequately large to prevent the attacker from successfully guessing these data in polynomial time.

Generally, an authentication protocol providing three-factor security means that an attacker can launch impersonation attacks only if he learns all of the three factors (password, biometrics, and smart card). Lu et al. claimed that their protocol can provide three-factor security and withstands various attacks. Unfortunately, we found that if the lost/stolen smart card is obtained by the attacker and the biometrics of the user are also obtained by the attacker without the awareness of the owner, the attacker could perform the identity and password offline guessing attack resulting in failure to provide the privacy preservation and security properties as they claimed. The attacker carries out the attack as follows.

• (1) The attacker extracts the secret data {RPWi, fi, τi, Gen(), Rep(), h ()} from the smart card by performing side-channel analysis attack [[57]]
• (2) With the user's biometric template ${Bio}^{\ast }$ and τi as input, the attacker recovers δi by computing Rep ( ${Bio}^{\ast }$ , τi)
• (3) The attacker selects a pair ( ${ID}_i^{\ast }$ , ${\mathrm{PW}}_i^{\ast }$ ) from DID × DPW randomly and verifies whether fi = h (IDi, h (PWi, δi)) holds, where fi is recovered from the smart card
• (4) If it is false, the attacker repeats step 3∼4 until the correct pair ( ${\mathrm{ID}}_i^{\ast }$ , ${\mathrm{PW}}_i^{\ast }$ ) is found

The running time of the above attack is O (|DID | $\ast$ | DPW | $\ast$ 2Th), where |DID| and |DPW| denote the number of items in DID and DPW, respectively, and in reality, |DID| ≤ |DPW| ≈ 106 [[60]]; Th denotes the computing time of a hash function. Furthermore, because Th is almost negligible, the required time of this attack is linear to |DID | $\ast$ | DPW|. In practice, the attacker can offline guess the correct pair ( ${\mathrm{ID}}_i^{\ast }$ , ${\mathrm{PW}}_i^{\ast }$ ) from $D_{\mathrm{ID}}^{\ast }$ × $D_{\mathrm{PW}}^{\ast }$ within polynomial time [[43]].

With the disclosure of the user's identity and password, Lu et al.'s scheme [[50]] cannot preserve user privacy and other security features as they claimed.

Therefore, Lu et al.'s protocol fails to provide three-factor security.

Backward secrecy is essential since the authentication should immunize the subsequent session key from compromise by the attacker. In Lu et al.'s protocol [[50]], if an attacker has disclosed the identity IDi through the offline guessing attack mentioned above and captures the message {Ci, ${\text{RPW}}_i^{\ast }$ , T3} from the public channel, he can derive h (IDi, h ( $K^{\ast }$ )) by computing h (IDi)−1 ${\text{RPW}}_i^{\ast }$ , then he decrypts Ci using symmetrical key h (IDi, h ( $K^{\ast }$ )) and obtains (IDi, bjP, sk, T3), where the session key sk generated by sensor Sj is identical to the one generated by the user. Thus, the attacker is able to learn all the subsequent session keys between the user and the sensor once he obtains Ui's identity.

The root cause of this weakness is that the message verifier is only dependent on Ui's identity. Naturally, the attacker will make use of it to obtain the subsequent session keys of the Ui.

For the authentication protocol, if the session key is generated with ephemeral secret information, such as random numbers provided by each party, and it is secure even though this transient information is compromised, we can say that this protocol is secure against KSSTI attack. In Lu et al.'s protocol, the session key sk = h (aibjP), where ai and bj are random numbers chosen by the user and the sensor, respectively. Once the ephemeral information ai and bj are disclosed by the attacker, he can compute the session key easily. Therefore, Lu et al.'s protocol [[50]] cannot withstand KSSTI attack.

A WSN consists of many sensors that are deployed in unattended fields to continuously monitor the surroundings. As we pointed out earlier, the sensor node is small in size with limited battery power and computation capability as well as a short communication range. According to the communication experiments of the sensor reported in [[62]], the power consumption increases proportionally with the increase in the distance between the sensor and the communication participant. Therefore, reducing power consumption is an important problem for sensor nodes in communication to prolong their life cycle, and it is a reasonable solution that the messages exchanged between Ui and Sj should use GWN as a bridge. However, from the concrete authentication procedures described in Lu et al.'s scheme [[50]], we can see that the Sj delivers messages to Ui directly. Obviously, the distance from the user is far beyond the communication range of the sensor. Therefore, Lu et al.'s scheme [[50]] is inapplicable to the WSN environment.

In this section, we develop an improved three-factor authentication scheme with key agreement to overcome the security weaknesses existing in Lu et al.'s scheme. Meanwhile, our protocol employs ECC without bilinear pairing to reduce the computation cost while maintaining security strength in WSN environment. Our scheme consists of four phases, i.e., predeployment, user registration, login and authentication, and password update.

First, the GWN chooses a large prime number p and generates an elliptic curve E/Fp and an additive cyclic group G over E/Fp with a generator P. After that, GWN selects a private key $x_g$ and a secure one-way hash function h (). Finally, GWN selects an integer t ∈ [24, 28] as the parameter of the fuzzy verifier. A detailed description of the proposed scheme is as follows.

• (1) GWN chooses a unique identity SIDj for each sensor and calculates Kj = h (SIDj || XGWN)
• (2) GWN sends {SIDj, Kj, P} to Sj via a secure channel
• (3) Sj stores {SIDj, Kj, P} in its memory

• (1) Ui inputs his IDi, PWi, imprints his biometric Bio, and computes Gen (Bio) = (δi, τi). After that, Ui selects a random number ri and computers PIDi = h (IDi || δi || ri), fi = h (h (PWi || ri || δi) mod t), and then he sends {IDi, PIDi} to GWN through a secure channel.
• (2) GWN computes Ci = h (PIDi || $x_g$ ), and a smart card storing {h (),Ci, Ek(), Dk(), Gen(), Rep(), P} is sent to Ui via a secure channel.
• (3) Ui computes Ai = Ci ⊕ fi and Bi = h (IDi || δi || PWi) ⊕ ri and then stores {Ai, Bi, τi, fi} into the smart card.

The following steps are performed if Ui intends to access the WSN:

• (1) Ui inputs IDi and PWi, inserts the smart card and imprints his biometrics ${Bio}^{\ast }$ . The card computes ${\delta }_i^{\ast }$ = Rep (Bio, τi), $r_i^{\ast }$ = Bi ⊕ h (IDi || ${\delta }_i^{\ast }$ || PWi), and $f_i^{\ast }$ = h (h (PWi || ri || ${\delta }_i^{\ast }$ ) mod t) and checks whether $f_i^{\ast }$ = fi holds. If it is false, the smart card rejects Ui's login request. Otherwise, the card chooses two random number $r_i^{\text{new}}$ and ei, chooses a login-sensor node SIDj, and computes ${\text{PID}}_i^{\text{new}}$ = h (IDi || ${\delta }_i^{\ast }$ || $r_i^{\text{new}}$ ), m1 = Ai ⊕ fi ⊕ ei.
• (2) Ui selects a random number ai, and the timestamp T1, computes m2 = aiP, m3 = ${\text{PID}}_i^{\text{new}}$ ⊕ h (ei), m4 = (IDi || SIDj) ⊕ h (PIDi || ei), and m5 = h (IDi || PIDi || ${\text{PID}}_i^{\text{new}}$ || m2 || SIDj || T1), and sends M1 = {m1, m2, m3, m4, m5, PIDi, T1} to GWN.
• (3) On receiving M1, GWN checks the validity of T1. If it is false, GWN aborts the session; otherwise, GWN computes ei = m1 ⊕ h (PIDi || $x_g$ ), ${\text{PID}}_i^{\text{new}}$ = m3 ⊕ h (ei), ( ${\mathrm{ID}}_i^{\ast }$ || ${SID}_j^{\ast }$ ) = m4 ⊕ h (PIDi || ei), and $m_5^{\prime }$ = h ( ${\mathrm{ID}}_i^{\ast }$ || PIDi || ${\text{PID}}_i^{\text{new}}$ || m2 || ${SID}_j^{\ast }$ || T1). GWN will terminate this session if $m_5^{\prime }$ ≠m5. Otherwise, it selects a timestamp T2, and computes Kj = h( ${SID}_j^{\ast }$ || XGWN), ek = h ( ${SID}_j^{\ast }$ || Kj), $m_6=E_{e_k}\left(e_i,{\text{PID}}_i^{\text{new}}\right)$ , and m7 = h (Kj || ${\text{PID}}_i^{\text{new}}$ || ${SID}_j^{\ast }$ || m2 || T2). Finally, GWN forwards M2 = {m2, m6, m7, T2} to Sj.
• (4) After receiving _I_M_i__SB_2_sb_ from _I_GWN_i_, _I_S_i__SB__I_j_i__sb_ will reject the session if _I_T_i__SB_2_sb_ is invalid; otherwise, _I_S_i__SB_j_sb_ computes _I_e_i__SB__I_k_i__sb_′ = _I_h_i_ (_I_SID_SB_j_sb__i_ || _I_K_i__SB__I_j_i__sb_), and decrypts _I_m_i__SB_6_sb_ to obtain (_I_e_i__SB__I_i_i__sb_, _HT_ _ht_ ). Next, _I_S_i__SB__I_j_i__sb_ computes _HT_ _ht_ = _I_h_i_ (_I_K_i__SB__I_j_i__sb_ || _HT_ _ht_ || _I_SID_SB_j_sb__i_ || _I_m_i__SB_2_sb_ || _I_T_i__SB_2_sb_) and checks whether _I_m_i__SB_7_sb_′ = _I_m_i__SB_7_sb_ holds. If it is incorrect, _I_S_i__SB__I_j_i__sb_ stops the session; otherwise, _I_S_i__SB__I_j_i__sb_ chooses a random number _Ii_j and computes m8 = bjP, SKS-U = h (bjm2 || ${\text{PID}}_i^{\text{new}}$ || SIDj || ei) and m9 = h (SKS-U || ${\text{PID}}_i^{\text{new}}$ || SIDj || m8 || T3), and m10 = h (Kj || ${\text{PID}}_i^{\text{new}}$ || m8 || T3), where T3 is Sj's current timestamp. Finally, Sj sends M3 = {m8, m9, m10, T3} to GWN.
• (5) Upon reception of M3, GWN checks the validity of T3, and GWN will reject the session if it is invalid. Otherwise, GWN computes m10' = h (Kj || ${\text{PID}}_i^{\text{new}}$ || m8 || T3) and checks the condition $m_{10}^{\prime }$ = m10. If the condition holds, GWN selects the current timestamp T4, computes m11 = h ( ${\text{PID}}_i^{\text{new}}$ || $x_g$ ) and m12 = h ( ${\text{PID}}_i^{\text{new}}$ || ei || m8 || T4), and then forwards M4 = {m8, m9, m11, m12, T3, T4} to Ui.
• (6) After the reception of M4, Ui first checks the validity of T4. If it is true, Ui further computes $m_{12}^{\prime }$ = h ( ${\text{PID}}_i^{\text{new}}$ || ei || m8 || T4) and checks whether $m_{12}^{\prime }$ = m12 holds. If it holds, Ui computes SKU-S = h (aim8 || ${\text{PID}}_i^{\text{new}}$ || SIDj || ei) and $m_9^{\prime }$ = h (SKU-S || ${\text{PID}}_i^{\text{new}}$ || SIDj || m8 || T3) and checks the condition $m_9^{\prime }$ = m9. If it is false, Ui aborts the session; otherwise, Ui accepts SKU-S as the session key shared with Sj. Finally, the smart card computes $f_i^{\text{new}}$ = h (h (PWi || $r_i^{\text{new}}$ || ${\delta }_i^{\ast }$ ) mod t), $A_i^{\text{new}}$ = m11 ⊕ $f_i^{\text{new}}$ , and $B_i^{\text{new}}$ = h (IDi || δi || PWi) ⊕ $r_i^{\text{new}}$ and replaces (Ai, Bi, fi) with ( $A_i^{\text{new}}$ , $B_i^{\text{new}}$ , $f_i^{\text{new}}$ ).

The login and authentication phase is shown in Table 2.

Table 2 Login and authentication phase of the proposed scheme.

Similar to Lu et al.'s protocol, our improved scheme allows the authorized user to update his password with GWN if he likes.

U i keys IDi and the old password PWi, imprints biometrics ${Bio}^{\ast }$ , and inserts the smart card into a reader. Then, the smart card computes Gen ( ${Bio}^{\ast }$ ) = ( ${\delta }_i^{\ast }$ , ${\tau }_i^{\ast }$ ), $r_i^{\ast }$ = Bi ⊕ h (IDi || ${\delta }_i^{\ast }$ || PWi), and $f_i^{\prime }$ = h (h (IDi || $r_i^{\ast }$ || PWi) mod t) and checks whether $f_i^{\prime }$ = fi holds. The session is aborted if the condition is false.

• (1) Ui inputs a new password ${\mathrm{PW}}_i^{\text{new}}$ , calculates $f_i^{\text{new}}$ = h (h ( ${\mathrm{PW}}_i^{\text{new}}$ || $r_i^{\ast }$ || ${\delta }_i^{\ast }$ ) mod t), $A_i^{\text{new}}$ = Ci ⊕ $f_i^{\text{new}}$ and $B_i^{\text{new}}$ = h (IDi || ${\delta }_i^{\ast }$ || ${\mathrm{PW}}_i^{\text{new}}$ ) ⊕ $r_i^{\ast }$ , and replaces (Ai, Bi, fi) with ( $A_i^{\text{new}}$ , $B_i^{\text{new}}$ , $f_i^{\text{new}}$ ).

In this section, we first conduct a formal security analysis under the random oracle model [[63]] and then provide an informal security analysis to demonstrate that our improved scheme can withstand various attacks and meet the security requirement in WSNs.

This section justifies our security analysis of our lightweight user authentication and key agreement protocol for WSNs. For the sake of simplicity, we follow the security model in [[63]] to conduct our formal security proof.

Assume that ${\text{Adv}}_{P,D}^{\text{AKE}}\left(A\right)$ denotes the advantage of the attacker A in cracking the security of the improved protocol P and that ${\text{Adv}}_A^{\text{CDH}}\left(t\right)$ denotes the advantage of the attacker A in solving the CDH problem in polynomial time t, and the attacker asks at most qsSend queries, qeExecute queries, qh Hash queries. Then, we have

$$\begin{array}{}\text{(1)}& {\text{Adv}}_{P,D_{PW}}^{\text{AKE}}\left(A\right)\le \frac{22q_h+q_h^2+{\left(q_s+q_e\right)}^2}{2^{l_s}}+\frac{{\left(q_s+q_e\right)}^2}{n-1}+\frac{4q_s}{2^{n-1}}+2q_s\max \left\{\frac{1}{\left|D_{PW}\right|},\frac{1}{2^{l_b}},\epsilon \right\}+2q_h\left(1+{\left(q_s+q_e\right)}^2\right){\text{Adv}}_A^{\text{CDH}}\left(t+\left(q_s+q_e\right)T_m\right),\end{array}$$

where ls represents the security parameter, which also represents the length of the random number and hash value; n, DPW, |DPW|, lb, ε, and Tm represent the order of the elliptic curve group G over E/Fp, a password dictionary with a frequency distribution following Zipf's law [[64]], the size of password dictionary DPW, the length of BIOi, the probability of a "false positive" event, and the execution time of a point multiplication in G, respectively.

A series of games Gmi (0 ≤ i ≤ 5) are defined to demonstrate that our improved scheme is provably secure. In each game Gmi, Si (0 ≤ i ≤ 5) denotes the event that the attacker guesses a correct bit in the Test query, and Pr[Si] denotes the corresponding probability.

• Gm0: this game is considered to perform in a real attack scenario under random oracle model. Thus, we have
• $$\begin{array}{}\text{(2)}& {\text{Adv}}_{P,D}^{\text{AKE}}\left(A\right)=2\mathrm{Pr}\left[S_0\right]-1.\end{array}$$
• Gm1: in this game, we simulate Hash oracle h (), Send query, Test query, Execute query, and Corrupt query with respect to our improved scheme, and Lh, LA, and LT are used to store the query result of various oracle. Thus, we have
• $$\begin{array}{}\text{(3)}& \mathrm{Pr}\left[S_1\right]=\mathrm{Pr}\left[S_0\right].\end{array}$$
• Gm_SB_2_sb_: in this game, collisions of random oracle queries are considered. The simulation will be aborted if collision occurs on the hash oracle and transcripts _I_M_i__SB_1_sb_, _I_M_i__SB_2_sb_, _I_M_i__SB_3_sb_, _I_M_i__SB_4_sb_, and we let the attacker win. According to the birthday paradox, the collision probability on the hash oracle is _HT_ _ht_ at most, the collision probability of random nonces _I_a_i__SB__I_i_i__sb_ and _Ii_j is ${\left(q_s+q_e\right)}^2/n-1$ , and the collision probability of ei and $r_i^{\text{new}}$ is ${\left(q_s+q_e\right)}^2/2^{l_s+1}$ at most. Thus, we have
• $$\begin{array}{}\text{(4)}& \left|\mathrm{Pr}\left[S_2\right]-\mathrm{Pr}\left[S_1\right]\right|\le \frac{q_h^2+{\left(q_s+q_e\right)}^2}{2^{l_s+1}}+\frac{{\left(q_s+q_e\right)}^2}{2\left(n-1\right)}.\end{array}$$
• Gm3: in this game, we consider the collision probability of the attacker impersonating transcript messages M1∼M4 from the remaining oracle queries.

For Send (Uiμ, GWNλ, M1): the simulator reveals h (IDi || ${\delta }_i^{\ast }$ || PWi) of $r_i^{\ast }$ , h (IDi || ${\delta }_i^{\ast }$ || $r_i^{\text{new}}$ ) of ${\text{PID}}_i^{\text{new}}$ , h (PIDi || ei) of m4 to the attacker and checks whether M1∈LP holds. Thus, the total collision probability is $\left(3q_h/2^{l_s}\right)+\left(q_s/2^n\right)$ .

For Send (GWNλ, Sjν, M2): the simulator reveals h (PIDi || $x_g$ ) of ei, h ( ${\mathrm{ID}}_i^{\ast }$ || PIDi || ${\text{PID}}_i^{\text{new}}$ || m2 || ${SID}_j^{\ast }$ || T1) of m5, and h (Kj || ${\text{PID}}_i^{\text{new}}$ || ${SID}_j^{\ast }$ || m2 || T2) of m7 to the attacker and checks whether M2∈LP holds. Thus, the collision probability is $\left(3q_h/2^{l_s}\right)+\left(q_s/2^n\right)$ at most.

For Send (Sjν, GWNλ, M3): the simulator reveals h (Kj || ${\text{PID}}_i^{\text{new}}$ || ${SID}_j^{\ast }$ || m2 || T2) of m7, h (SKS-U || ${\text{PID}}_i^{\text{new}}$ || SIDj || m8 || T3) of m9, and h (Kj || ${\text{PID}}_i^{\text{new}}$ || m8 || T3) of m10 to the attacker and checks whether M3∈LP holds. Thus, the collision probability is $\left(3q_h/2^{l_s}\right)+\left(q_s/2^n\right)$ at most.

For Send (GWNλ, Uiμ, M4): the simulator reveals h (Kj || ${\text{PID}}_i^{\text{new}}$ || m8 || T3) of m10 and h ( ${\text{PID}}_i^{\text{new}}$ || ei || m8 || T4) of m12, to the attacker, and checks whether M4∈LP holds. Thus, the collision probability is $\left(2q_h/2^{l_s}\right)+\left(q_s/2^n\right)$ at most.

As a whole, we have

$$\begin{array}{}\text{(5)}& \left|\mathrm{Pr}\left[S_3\right]-\mathrm{Pr}\left[S_2\right]\right|\le \frac{11q_h}{2^{l_s}}+\frac{4q_s}{2^n}.\end{array}$$

• Gm_SB_4_sb_: in this game, the attacker encounters the CDH problem. If it is possible for the attacker to use _I_Corrupt_i_ query to get the session key, it means that the attacker can find a solution for the CDH problem and (_Ii_jaiP || ${\text{PID}}_i^{\text{new}}$ || SIDj || ei) ∈ LA holds. It is necessary for the attacker to obtain the smartcard to breach the session key because the simulation will terminate if the attacker gets only PWi and BIOi. Thus, the game can be demonstrated as having three cases:

The attacker asks Corrupt (Uiμ, 2) to guess PWi within password space DPW with at most qsSend queries. The possibility is $q_s/\left|D_{\mathrm{PW}}\right|$ .

The attacker asks Corrupt (Uiμ, 0) and chooses one of the following approaches to obtain BIOi:

• (a) The attacker guesses _I_BIO_i__SB__I_i_i__sb_ with at most _I_q_i__SB__I_s_i__sb_ Send queries. The possibility is _HT_ _ht_ , where _I_l_i__SB__Ii__sb_ is the length of BIOi.
• (b) The attacker asks Send queries with his own biometrics to try the probability of a "false positive". The possibility of this event is ε.

It is noted that the attacker can ask at most two Corrupt (Uiμ, ω) ω ∈ {0,1,2}, and the above two cases cannot occur concurrently. Thus, the possibility of the above three cases is $q_s\max \left\{\left(1/\left|D_{\mathrm{PW}}\right|\right),\left(1/\left|2^{l_b}\right|\right),\epsilon \right\}$ .

To compromise the session key SK = h (bjaiP || ${\text{PID}}_i^{\text{new}}$ || SIDj || ei), the attacker has to compute bjaiP using m2, m8, and P, where m2 = aiP and m8 = bjP. Then the attacker asks either Corrupt (Uiμ, 0) or Corrupt (Uiμ, 2) queries, as well as Execute query, and he will win the game with at least qhHash queries. Therefore, we have

$$\begin{array}{}\text{(6)}& \left|\mathrm{Pr}\left[S_4\right]-\mathrm{Pr}\left[S_3\right]\right|\le q_s\max \left\{\frac{1}{\left|D_{PW}\right|},\frac{1}{2^{l_b}},\epsilon \right\}+q_h{\text{Adv}}_A^{\text{CDH}}\left(t+\left(q_s+q_e\right)T_m\right).\end{array}$$

• Gm5: in this game, the strong forward security is considered. The attacker asks Corrupt (Uiμ\GWNλ\Sjν) after simulating a Test query, the two indexes of which are chosen from {1, 2, ..., qs + qe}. If the Test query cannot return the session key with the ith instance of Ui and the jth instance of Sj, the game will terminate. Thus, we have
• $$\begin{array}{}\text{(7)}& \left|\mathrm{Pr}\left[S_5\right]-\mathrm{Pr}\left[S_4\right]\right|\le q_h{\left(q_s+q_e\right)}^2{\text{Adv}}_A^{\text{CDH}}\left(t+\left(q_s+q_e\right)T_m\right).\end{array}$$

Taking all of the games into account, the attacker has no advantage in guessing the correct bit b, and thus we have

$$\begin{array}{}\text{(8)}& \mathrm{Pr}\left[S_5\right]=\frac{1}{2}.\end{array}$$

Combining equations (2)–(8) together, the theorem is proved.

We show that our enhanced scheme not only overcomes the vulnerability in Lu et al.'s scheme [[50]] but also withstands various attacks in this section.

Three-factor security means that the user can access the sensor data only when he has learned the password, smart card, and biometrics. That is, if the attacker has any two factors, he is incapable of mounting an impersonation attack. We will discuss that the enhanced scheme satisfies this security feature in three aspects.

Suppose the attacker has the user's smart card and password.

Assume that the attacker extracts the secret data {Ai, Bi, fi, τi, h (), Gen (), Rep ()} stored in the smart card, where fi = h (h (PWi || ri || δi) mod t), Ai = Ci ⊕ fi, and Bi = h(ID || δi || PWi) ⊕ ri. To masquerade as the user to log into GWN, the attacker calculates $r_i^{\prime }$ = Bi ⊕ h (IDi || δi || PWi) and $f_i^{\prime }$ = h (h (PWi || $r_i^{\prime }$ || δi) mod t). However, the attacker fails to verify the correctness of IDi and cannot recover δi due to the lack of the user's biometrics. Thus, the attacker cannot construct a correct $f_i^{\prime }$ to log into GWN.

Suppose that the attacker has the user's smart card and biometrics.

The attacker could also reveal the secret data {Ai, Bi, fi, τi, h (), Gen (), Rep ()} from the smart card and recovers δi by calculating Rep (Bio, τi). Afterwards, the attacker tries to guess IDi and PWi, calculates $r_i^{\ast }$ = Bi ⊕ h (IDi || δi || PWi), and then checks whether $f_i^{\ast }$ = h (h (PWi || $r_i^{\ast }$ || ${\delta }_i^{\ast }$ ) mod t) holds. However, he will not succeed because there are |DID | $\ast$ |DPW|/t 232 candidates of (IDi, PWi) (where |DPW| = |DID| = 106 and t = 28) [[59], [65]]. Then, if the attacker directly enters a pair of (IDi, PWi) and sends a login request to GWN to test the correctness of (IDi, PWi), the smart card will reject his/her request if the number of login requests exceeds the threshold and his/her dream will not come true.

Suppose that the attacker has the user's biometrics and password.

Undoubtedly, the attacker could not derive δi by computing Rep (Bio, τi), where the auxiliary string τi is stored on the smart card. The attacker can also intercept the message M1 = {m1, m2, m3, m4, m5, PIDi, T1} where m1 = Ai ⊕ fi ⊕ ei = h (PIDi || $x_g$ ) ⊕ ei, m2 = aP, m3 = ${\text{PID}}_i^{\text{new}}$ ⊕ h (ei), Wi = IDi ⊕ h (PIDi || ei), and m4 = h (IDi || PIDi || ${\text{PID}}_i^{\text{new}}$ || m2 || SIDj). If the attacker attempts to find some clues about τi in M1, his wish will not come true because none of the elements in M1 have a direct relationship with τi. Therefore, it is infeasible for the attacker to impersonate a legitimate user to log into GWN.

In the proposed scheme, the attacker is unable to masquerade as GWN to communicate with Ui or Sj. If the attacker intends to masquerade as GWN to Sj, he first intercepts the message M2 = {m2, m6, m7, T2} in the public channel. However, it is impossible for him to forge m6 because m6 is encrypted with the symmetric key h (SIDj || Kj), where Kj is the secret key to Sj and the attacker has no knowledge of it. On the other hand, to impersonate as GWN to Ui, it is necessary for the attacker to generate a valid message M4 = {m8, m9, m11, m12, T3, T4} and send it to Ui, where m9 = h (SKS-U || ${\text{PID}}_i^{\text{new}}$ || SIDj || m8 || T3), m11 = h ( ${\text{PID}}_i^{\text{new}}$ || $x_g$ ), and m12 = h ( ${\text{PID}}_i^{\text{new}}$ || ei || m8 || T4), which requires verification of m10 and m12. However, it is infeasible because the attacker has no knowledge of ${\text{PID}}_i^{\text{new}}$ , ei and Kj. Therefore, our improved scheme can resist the GWN impersonation attack.

If the attacker intends to impersonate a sensor Sj to communicate with GWN, he/she has to forge a valid message M3 = {m8, m9, m10, T3}, which is embedded with bj, Kj, ei, and ${\text{PID}}_i^{\text{new}}$ to cheat GWN. However, the attacker is unable to obtain these secret parameters since they are protected carefully by the communication parties. Therefore, our improved scheme can resist the sensor impersonation attack.

In Lu et al.'s protocol, the security of the session key h (aibjP) depends on the ephemeral random numbers ai and bj, which are generated by Ui and Sj, respectively. Naturally, the transient leakage of ai and bj will bring about the compromise of their session key. In the improved scheme, the session key SK = h (bjm2 || ${\text{PID}}_i^{\text{new}}$ || SIDj || ei), where m2 = aiP. It is worth noting that SK relies not only on ai and bj, but also on Kj, ei, and ${\text{PID}}_i^{\text{new}}$ . Further, to obtain ${\text{PID}}_i^{\text{new}}$ , the attacker needs to learn (IDi, Bio, $r_i^{\text{new}}$ , ei), where ( $r_i^{\text{new}}$ , ei) will be different in every authentication session. Hence, it is difficult for the attacker to disclose these secret ephemeral random numbers to calculate the session key. Therefore, the proposed protocol can thwart KSSTI attack.

As shown in the login and authentication phase, the session key SKS-U = h (bjm2 || ${\text{PID}}_i^{\text{new}}$ || SIDj || ei) is calculated by Sj and SKU-S = h (aim8 || ${\text{PID}}_i^{\text{new}}$ || SIDj || ei) is calculated by Ui. As analyzed above, the session key is related to (ai, bj, ${\text{PID}}_i^{\text{new}}$ , SIDj, ei), where (ai, bj, $r_i^{\text{new}}$ , ei) is generated randomly and unpredictably. Even if GWN's long-term secret key $x_g$ is compromised by the attacker and he/she obtains m2 and m8, it is infeasible for the attacker to calculate the session key because he/she heads to resolve the ECDL problem and CDH problem to obtain aibjP from m2 (= aiP) and m8(= bjP). Thus, the proposed protocol can provide perfect forward and backward secrecy.

It is generally true that timestamp mechanism is employed to overcome replay attack. However, addressing time synchronization is quite difficult in a large-scale network. It is noteworthy that time synchronization issue should not take place in a WSN since a WSN could be deployed in specific areas. The proposed protocol exploits the timestamp technique to prevent replay attack. When an attacker intercepts the login message M1 = {m1, m2, m3, m4, m5, PIDi, T1} and replays it to the receiver, he will fail because the receiver will check the freshness of timestamp and verify the hash value, which is calculated with a secret value ei shared between the sender and the receiver. Furthermore, if the attacker constructs a forgery message with a new timestamp, e. g, $M_1^{\prime }$ = {m1, m2, m3, m4, m5, PIDi, $T_1^{\prime }$ } under a new timestamp $T_1^{\prime }$ , it is easily detected by verifying the hash value m5 because T1 is a parameter of m5. Therefore, the proposed protocol is secure against replay attack.

The insider attack implies that the system insider can directly access user's password that is stored in GWN and impersonates the user to log into other systems and enjoy their services. In the proposed protocol, the user only submits {IDi, PIDi} to GWN in the registration phase. Thus, the insider cannot get the user's password information. Therefore, our scheme can overcome privileged insider attack.

Suppose that if a sensor node Sj has been captured physically by the attacker, he/she can compromise the identity SIDj and secret number Kj from the memory of the sensor. However, it is infeasible for the attacker to guess GWN's secret key XGWN successfully in relation Kj = h (SIDj || XGWN) in light of item 5 in the adversarial model described in Section 4. That is, if a single sensor is captured by the attacker, it is impossible for him/her to break the confidentiality during sessions between the user Ui and other noncaptured sensors. Therefore, the proposed scheme can withstand sensor capture attack.

In the proposed protocol, to log into GWN, Ui has to input his (IDi, PWi), imprint his biometric Bio, and insert his smart card into the card reader. Assume that users Ui and Uj have the same identity and password. Note that $f_i^{\ast }$ = h (h (PWi || $r_i^{\ast }$ || ${\delta }_i^{\ast }$ ) mod t) for Ui and $f_j^{\ast }$ = h (h (PWi || $r_j^{\ast }$ || ${\delta }_j^{\ast }$ ) mod t) for Uj are distinct since ${\delta }_i^{\ast }$ and ${\delta }_j^{\ast }$ are generated by a fuzzy extractor with different biometrics. As a result, the proposed scheme can resist many logged-in users with the same login-ID attack.

In our protocol, GWN verifies m5 to authenticate Ui, Sj verifies m7 to authenticate GWN, GWN verifies m10 to authenticate Sj, and Ui verifies m12 to authenticate GWN and verifies m9 to authenticate Sj, respectively.

Therefore, our scheme can provide mutual authentication and withstand the man-in-the-middle attack.

Assume that the attacker intercepts all of the exchanged messages between the related parties during the execution of the protocol and attempts to reveal Ui's identity. In our protocol, Ui's identity is included in m4 = (IDi || SIDj) ⊕ h(PIDi || ei) where PIDi is transmitted in the public channel. If the attacker wants to get the user's IDi, he/she has to compute ei = m1 ⊕ h (PIDi || $x_g$ ). It is infeasible because GWN's secret key $x_g$ is protected carefully by GWN and cannot be guessed successfully according to Item 5 in the adversarial model described in Section 4. Another way to obtain Ui's identity is to guess IDi from PIDi = h (IDi || δi || ri), which is also impossible because the attacker knows little about the user's biometric and random nonce ri. Therefore, our scheme can withstand tracking attack and achieves untraceability property.

This section presents the formal security verification of the proposed protocol by using the Pi calculus-based simulation tool ProVerif [[66]]. The researchers used this tool to test an authentication protocol and see whether the adversary is capable of compromising the session key, since ProVerif makes use of the Dolev-Yao model and implements many cryptographic primitives, such as symmetric encryption and asymmetric encryption, signature, hash function, etc. So far, many protocols have been verified by ProVerif to demonstrate their correctness and robustness properties [[66]]. In this section, we use ProVerif to rectify the secrecy and authentication properties of our protocol.

First, we define the following channels. Channels sch1 and sch2 are used for secure communication between Ui and GWN and between Sj and GWN, respectively. Meanwhile, channels ch1 and ch2 are used for public insecure communication between Ui and GWN and between Sj and GWN, respectively.

• ( $\ast$ --------Channels------- $\ast$ )
• free sch1:channel [private]. ( $\ast$ the secure channel between Ui and GWN $\ast$ )
• free sch2:channel [private]. ( $\ast$ the secure channel between Sj and GWN $\ast$ )
• free ch1:channel [private]. ( $\ast$ the public channel between Ui and GWN $\ast$ )
• free ch2:channel [private]. ( $\ast$ the public channel between Sj and GWN $\ast$ )

The variables and constants are defined as follows:

• const P: bitstring.
• const Bio:bitstring.
• const Bio′:bitstring.
• const t:bitstring.
• const X_GWN: bitstring [private]. ( $\ast$ GWN's password key $\ast$ )
• const x_g: bitstring [private]. ( $\ast$ GWN's private key $\ast$ )
• free IDi: bitstring [private]. ( $\ast$ the identity of user $\ast$ )
• free SIDj: bitstring. ( $\ast$ the identity of sensor $\ast$ )

The related function are modeled as follows:

• ( $\ast$ --------Concat operation-------- $\ast$ )
• fun con (bitstring, bitstring):bitstring.
• fun con3 (bitstring, bitstring, bitstring):bitstring.
• fun con4 (bitstring, bitstring, bitstring, bitstring):bitstring.
• fun con5 (bitstring, bitstring, bitstring, bitstring, bitstring):bitstring.
• fun mult (bitstring, bitstring):bitstring. ( $\ast$ Multiplication operation $\ast$ )
• fun syme (bitstring, bitstring):bitstring. ( $\ast$ Symmetric encryption operation $\ast$ )
• reduc forall m:bitstring, key:bitstring; symd (syme (m, key), key) = m. ( $\ast$ Symmetric decryption operation $\ast$ )
• fun mod (bitstring, bitstring):bitstring. ( $\ast$ Mod operation $\ast$ )
• fun xor (bitstring, bitstring):bitstring. ( $\ast$ XOR operation $\ast$ )
• fun h (bitstring):bitstring. ( $\ast$ Hash operation $\ast$ )
• fun Gen (bitstring):bitstring. ( $\ast$ Gen operation $\ast$ )
• fun Rep (bitstring, bitstring):bitstring. ( $\ast$ Rep operation $\ast$ )

In particular, we define four events to test the mutual authentication between Ui and Sj as follows:

• event beginSj (bitstring).
• event endSj (bitstring).
• event beginUi (bitstring).
• event endUi (bitstring).

According to the proposed protocol execution, we define the process of Ui as follows:

• let process Ui = new PWi:bitstring;
• let (delta_i:bitstring, tau_i:bitstring) = Gen (Bio) in
• new ri: bitstring;
• let PIDi = h (con3 (IDi, delta_i, ri)) in
• out (sch1, (IDi, PIDi));
• let fi = h (mod (h (con3 (PWi, ri, delta_i)),t)) in
• in (sch1, xCi:bitstring);
• let Ai = xor (xCi, fi) in
• let Bi = xor (h (con (con (IDi, delta_i),PWi)), ri) in

• ! (

• event beginUi (IDi);
• let delta_i′ = Rep (Bio′,tau_i) in
• let ri′ = xor (Bi, h (con3 (IDi, delta_i, PWi))) in
• let fi′ = h (mod (h (con3(PWi, ri′,delta_i′)),t)) in
• if fi′ = fi then
• new ri_new:bitstring;
• new ei:bitstring;
• let PIDi_new = h (con3 (IDi, delta_i′,ri_new)) in
• let m1 = xor (xor (Ai, fi),ei) in
• new ai:bitstring;
• new T1:bitstring;
• let m2 = mult (ai, P) in
• let m3 = xor (PIDi_new, h (ei)) in
• let m4 = xor (con (IDi, SIDj), h (con (PIDi, ei))) in
• let m5 = h (con (con5 (IDi, PIDi, PIDi_new, m2, SIDj),T1)) in
• out (ch1, (m1, m2, m3, m4, m5, PIDi, T1));
• in (ch1, (m8s:bitstring, m9s:bitstring, m11g:bitstring, m12g:bitstring, T3s:bitstring, T4g:bitstring));
• let m12′ = h (con4 (PIDi_new, ei, m8s, T4g)) in
• if m12′ = m12g then
• let SKu_s = h (con4 (mult (ai, m8s),PIDi_new, SIDj, ei)) in
• let m9′ = h (con5 (SKu_s, PIDi_new, SIDj, m8s, T3s)) in
• if m9′ = m9s then
• event endSj (SIDj);
• let fi_new = h (mod (con3 (PWi, ri_new, delta_i′),t)) in
• let Ai_new = xor (m11g, fi_new) in
• let Bi_new = xor (h (con3 (IDi, delta_i′,PWi)),ri_new) in

• 0

• ).

The process of Sj is modeled as follows:

• let processSensor = in (sch2, (xSIDj:
• bitstring, xKj:bitstring));

• ! (

• event beginSj (SIDj);
• in (ch2, (m2s:bitstring, m6s:bitstring, m7s:bitstring, xT2:bitstring));
• let ek′ = h (con (xSIDj, xKj)) in
• let (ei_s:bitstring, PIDi_new_s:bitstring) = symd (m6s, ek′) in
• let m7′ = h (con5 (xKj, PIDi_new_s, SIDj, m2s, xT2)) in
• if m7′ = m7s then
• event endUi (PIDi_new_s);
• new bj:bitstring;
• new T3:bitstring;
• let m8 = mult (bj, P) in
• let SKs_u = h (con4 (mult (bj, m2s),PIDi_new_s, SIDj, ei_s)) in
• let m9 = h (con5 (SKs_u, PIDi_new_s, SIDj, m8, T3)) in
• let m10 = h (con4 (xKj, PIDi_new_s, m8, T3)) in
• out (ch2, (m8, m9, m10, T3));

• 0

• ).

The process of GWN is modeled as follows:

• let processGWN = in (sch1, (xIDi:bitstring, xPIDi:bitstring));
• let Ci = h (con (xPIDi, x_g)) in
• let Kj = h (con (SIDj, X_GWN)) in
• out (sch2, (SIDj, Kj));
• out (ch1, Ci);

• ! (

• in (ch1, (m1′:bitstring, m2′:bitstring, m3′:bitstring, m4′:bitstring, m5′:bitstring, PIDi′:bitstring, T1′:bitstring));
• let ei′ = xor (m1′,h (con (PIDi′,x_g))) in
• let PIDi_new′ = xor (m3′, h (ei′)) in
• let (IDi′:bitstring, SIDj′:bitstring) = xor (m4′, h (con (PIDi′,ei′))) in
• let m5g = h (con (con5 (IDi′,PIDi′,PIDi_new′, m2′, SIDj′), $T_1^{\prime }$ )) in
• if m5′ = m5g then
• new T2:bitstring;
• let ek = h (con (SIDj, Kj)) in
• let m6 = syme (con (ei′,PIDi_new′),ek) in
• let m7 = h (con5 (Kj, PIDi_new′,SIDj, m2′, T2)) in
• out (ch2, (m2′, m6, m7, T2));
• in (ch2, (m8s:bitstring, m9s:bitstring, m10s:bitstring, T3s:bitstring));
• let m10' = h (con4 (Kj, PIDi_new′, m8s, T3s)) in
• if m10′ = m10s then
• new T4:bitstring;
• let m11 = h (con (PIDi_new′,x_g)) in
• let m12 = h (con5 (PIDi_new′, ei′, m8s, T3s, T4)) in
• out (ch1, (m8s, m9s, m11, m12, T4));

• 0

• ).

The queries are defined as follows:

• query attacker (SKu_s).
• query attacker (SKs_u).
• query id:bitstring; inj-event (endSj (id)) = =>inj-event (beginSj (id)).
• query id:bitstring; inj-event (endUi (id)) = =>inj-event (beginUi (id)).

The whole protocol is simulated as executing in parallel as follows:

• process !processUi | !processGWN | !processSensor

The outputs of the ProVerif verification are as follows:

• (1) RESULT not attacker (SKu_s[]) is true.
• (2) RESULT not attacker (SKs_u[]) is true.
• (3) RESULT inj-event (endSj (id)) = => inj-event (beginSj (id)) is true.
• (4) RESULT inj-event (endUi (id_18)) = => inj-event (beginUi (id_18)) is true.

Results (1) and (2) indicate the secrecy of the proposed scheme because of the failing query attack on session key SKS-U and SKU-S. Moreover, results (3) and (4) confirm the successfully mutual authentication between Ui and Sj. In other words, the proposed scheme not only provides the secrecy of the session key, but also achieves the authentication property by verifying the correspondence assertions in the Dolev–Yao model.

To evaluate the proposed scheme, we compare the performance and security with related schemes [[26], [29], [41], [44], [49]] in the login and authentication phase.

To compare computation cost fairly, we use the time cost of cryptographic calculations in [[41]] as the benchmark, which is shown in Table 3. The execution time of XOR and the concatenation operation is ignored because their computation cost is very trivial. In addition, we assume that the length of an identity, a hash value, a random nonce, and a timestamp are 32 bits, 160 bits, 128 bits, and 32 bits, respectively, and the prime p in Ep (a, b) is 160 bits (the 160 bit ECC has a security strength equivalent to that of a 1024 bit RSA [[67]]). In AES symmetric encryption/decryption, the block size of plaintext/ciphertext is 128 bits [[68]]. The performance comparison of our scheme and the related ones [[26], [29], [41], [44], [49]] is summarized in Table 4. It is worth noting that although scheme in [[50]] is not suitable for WSN environment, we still compare it as a related scheme to determine whether our scheme can maintain better performance while overcoming its security defects.

Table 3 Execution time of cryptographic calculations (ms) [[41]].

Table 4 Performance comparison.

In Table 4, we can see that (1) the computation time of our scheme is slightly higher than that of protocols [[26], [29], [41], [45]] and much lower than that of protocols [[44], [49]] and (2) the communication overhead of our scheme is slightly lower than that of protocol [[29]] and higher than that of the others. Meanwhile, from Table 5, it is evident that our scheme fulfills all of the security features, while other protocols suffer from some security weaknesses more or less. Specifically, our protocol overcomes the security pitfalls of Lu et al.'s protocol [[50]]. Compared with Li et al.'s protocol [[45]], our scheme makes use of the ECDL and CDH problem on ECC to enhance security, and thus, our protocol consumes more computation cost and needs more communication overhead. It is worth noting that security is the most important factor to be considered in cryptography protocols. Thus, it is worthwhile to gain a higher security level at the cost of a slightly increased computation cost or communication overhead. Although our protocol is not the most efficient one in performance compared with schemes [[26], [29], [41], [44], [49]], the security analysis in Section 6 has demonstrated that the proposed scheme thwarts security threats in [[26], [29], [41], [44], [49]]. In a word, the proposal provides a better tradeoff between performance and security requirements and is more suitable for practical application in WSN environments.

Table 5 Comparison of security properties.

1 F: feature. F1: provide three-factor security. F2: resistance to user impersonation attack. F3: resistance to GWN impersonation attack. F4: resistance to sensor impersonation attack. F5: resistance to KSSTI attack. F6: perfect forward and backward secrecy. F7: resistance to replay attack. F8: resistance to privileged insider attack. F9: resistance to sensor capture attack. F10: resistance to many logged-in users with the same login-ID attack. F11: resistance to man-in-the-middle attack. F12: user anonymity. F13: mutual authentication and key agreement.

Although many three-factor mutual authentication schemes have been presented for the WSN environment, most of them have been found to be unprotected from various attacks or lacking in functionality properties. In this paper, we have analyzed Lu et al.'s scheme and show its security defects of their scheme. To overcome these defects, we have proposed a lightweight secure three-factor authentication scheme for WSNs. Furthermore, we propose a security analysis, and show that the proposed protocol is secure against known security attacks, and address the vulnerability in Lu et al.'s scheme. The formal security proof of the proposal is proved under the random oracle model. Security verification is confirmed by the formal proof through ProVerif. A performance comparison between our scheme and the related recent ones in terms of computation cost and communication overhead demonstrates that our scheme offers a better tradeoff between security and efficiency. Based on these advantages, we believe that our scheme provides a reasonable lightweight solution for authentication in the WSN environment.

The data used to support the findings of this study have been cited within the text as references [[26], [29], [41], [44], [49]].

The authors declare that there are no conflicts of interest regarding the publication of this paper.

This work was partially supported by the National Natural Science Foundation of China (Project no. 61672007) and Science and Technology Innovation Guidance Project 2017 (Project no. 201704030605).