A Lightweight Anonymous Authentication Protocol with Perfect Forward Secrecy for Wireless Sensor Networks

Abstract

Due to their frequent use in unattended and hostile deployment environments, the security in wireless sensor networks (WSNs) has attracted much interest in the past two decades. However, it remains a challenge to design a lightweight authentication protocol for WSNs because the designers are confronted with a series of desirable security requirements, e.g., user anonymity, perfect forward secrecy, resistance to de-synchronization attack. Recently, the authors presented two authentication schemes that attempt to provide user anonymity and to resist various known attacks. Unfortunately, in this work we shall show that user anonymity of the two schemes is achieved at the price of an impractical search operation—the gateway node may search for every possible value. Besides this defect, they are also prone to smart card loss attacks and have no provision for perfect forward secrecy. As our main contribution, a lightweight anonymous authentication scheme with perfect forward secrecy is designed, and what we believe the most interesting feature is that user anonymity, perfect forward secrecy, and resistance to de-synchronization attack can be achieved at the same time. As far as we know, it is extremely difficult to meet these security features simultaneously only using the lightweight operations, such as symmetric encryption/decryption and hash functions.

1. Introduction

Wireless sensor networks (WSNs) have gained a great deal of attention from researchers in the academic and industrial field mainly because of two reasons: first, they consist of a large number of resource-constrained sensor nodes, which are deployed randomly in a target region [1], and second, they can be widely used in various kinds of applications, such as healthcare monitoring [2], environment sensing [3], industrial monitoring [4], etc. Generally, WSNs are developed to monitor physical or environmental conditions, such as temperature, humidity, sound, etc. and collect real-time information about these conditions. In many applications [5,6,7], external users need to access to this real-time information from the sensor nodes. Figure 1 describes a way for real-time information access in WSNs. For example, using a WSN in the healthcare environment, the patient’s real-time information such as temperature, blood pressure, and pulse rate, will be collected by sensor nodes. Then, legitimate medical workers are able to access these data directly from the sensor nodes.

Although it seems appealing for users to access the real-time data from the sensor nodes, user authentication has been a critical issue in WSNs due to their frequent use in unattended and hostile environments [8]. Because many applications for WSNs operate in such environments, such as battlefields, a malicious adversary could easily control the communication channel, i.e., he/she would be able to eavesdrop, insert, block, and alter the transmitted data. Thus, WSNs are subject to various types of attacks. To ensure that only authorized users can access the reliable sensor nodes and to protect the real-time information, it is indispensable to achieve mutual authentication and establish a session key between the user and the sensor node. Nowadays, there are mainly three ways to accomplish authenticated key establishment scheme in WSNs [9].

• The first and the simplest solution for the authenticated key establishment is a shared symmetric key between the user and the sensor node. In this case, if a WSN has n sensor nodes and m users, each sensor node needs to store m symmetric keys, each user needs to store n symmetric keys, and the WSN needs to establish nm symmetric keys.
• Secondly, using public key cryptography, like ECC [10], RSA [11] or ElGamal [12], is another approach to complete authenticated key establishment.
• Third, the user and the sensor node can achieve mutual authentication and establish a session key through a trust gateway node (GWN) [13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30]. In this case, both the user and the sensor node need to share only a single key with the GWN. The GWN can help the user and the sensor authenticate each other and distribute a shared secret session key at each session. After this phase, the user can use this session key to access the real-time data from the desired sensor node without involving the GWN.

Obviously, the first method does not scale well, and the second way using public key cryptography primitives may tend to be resource intensive because most of them are based on the large integer. Hence, the authenticated key establishment scheme with the help of the GWN is even more admired owing to limited computation and communication resources, capability, bandwidth of sensor nodes. Additionally, identity masquerade and identity tracing have become common attacks in WSNs, which will cause the problem of identity privacy. Hence, there is a growing demand to achieve anonymous authentication in WSNs. Besides, since the sensor node is unattended, the long-term key of the sensor node may be compromised by an adversary. In this case, the previous session keys will be in danger. To address it, perfect forward secrecy should be considered. Therefore, anonymous authentication schemes with perfect forward secrecy for WSNs should be designed by using only the lightweight cryptographic primitives, such as symmetric key encryption/decryption and hash functions.

Many anonymous authentication schemes using lightweight cryptographic primitive have been proposed for WSNs in the past several years. However, as far as we know, most of them cannot consider perfect forward secrecy or suffer from de-synchronization attack. In this work, we design a lightweight authentication scheme for WSNs, which can achieve user anonymity, perfect forward secrecy, and resistance to de-synchronization attack at the same time.

1.1. Related Works

In some applications for WSNs, such as real-time healthcare monitoring, traffic control monitoring, and military surveillance, external users are interested in accessing real-time data directly from desired sensor nodes without involving the GWN. User authentication is an essential security measure for the user to be first authorized to the GWN as well as the sensor nodes before granting access to the real-time data. To achieve user authentication in WSNs, hundreds of schemes have been proposed in the last decade, such as remarkable schemes [13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30]. In 2006, Wong et al. [13] designed a dynamic strong-password authentication scheme for WSNs using lightweight operations, such as one-way hash function and XOR operations. But later, Das [14] pointed out that Wong et al.’s scheme is vulnerable to replay attack and stolen-verifier attack. In order to address these issues, Das [14] presented a two-factor authenticated key establishment scheme for WSNs, which claimed to provide strong authentication and resist various kinds of attacks. Unfortunately, a series of articles [15,16,17,18,19] have indicated that Das’s scheme [14] has still some drawbacks and flaws, such as susceptibility to privileged-insider attacks, smart card loss attacks, and parallel session attacks.

Although the abovementioned schemes [15,16,17,18,19] have much better performance than Das’ scheme [14], they are still prone to several security flaws, such as smart card loss attacks and forgery attacks. In 2012, Das et al. [20] developed a better scheme to solve these weaknesses. However, the security of Das et al.’s new scheme was not satisfactory, because of its vulnerability to some attacks [21,22,23]. After that, Xue et al. [24] designed a temporal-credential based authenticated key agreement scheme for WSNs using the hash function and XOR operations, which claimed to provide identity and password protection, and resiliency of smart card loss attacks. Unfortunately, Jiang et al. [25] described how the Xue et al.’s scheme [24] was insecure against identity guessing attack, privileged insider attack, tracking attack and smart card loss attack. They proposed an efficient two-factor user authentication scheme with unlinkability property in WSNs. The unlinkability pseudonym identity can help the GWN to quickly search the exact communicating user. Besides, it is able to provide user anonymity and resistance to smart card loss attack. In 2016, Das [26] proposed an enhanced authentication scheme based on Jiang et al.’s scheme [25]. He insisted that their scheme can provide higher security level than other schemes.

To the designers’ disappointment, both Jiang et al.’s scheme and Das’ scheme have been found vulnerable to the desynchronization attack [31]. Most recently, Gope and Hwang [27] proposed a realistic authentication scheme for WSNs, which can ensure various kinds of imperative security properties like mutual authentication, user anonymity, perfect forward secrecy, etc. For the communication between the user and the GWN, Gope and Hwang’s scheme employed a set of unlinkable shadow-IDs and emergency keys to prevent de-synchronization attack [31]. This is the preferred way to solve the de-synchronization attack. However, for the communication between the GWN and the sensor node, if the adversary blocks the response message flow from the sensor node, the communication will be lost in synchronization. Thus the sensor node needs to ask the GWN for the new secret shared key. Besides, we observe that their scheme also cannot resist against known session-specific temporary information attack [28]. When the session-specific temporary information N_u is disclosed to the adversary, it is obvious that K_ug can be resumed from transmitted message N_x = N_u⊕K_ug. Then, the adversary generates his own Ts*_ugnew and the session key SK*, and computes Ts* = h(K_ug||ID_U||N_u)⊕Ts*_ugnew, SK*’’ = h(K_ug||ID_U||N_u)⊕SK*, V₄ = h(SK*’’||N_u||Ts*||K_ug), where ID_U is the identity of the user, which can be off-line guessed by transmitted messages Ks_ug and AID_U = h(ID_U||K_ug||N_u||Ks_ug). Thus, the adversary can successfully forge a legal gateway node authentication message and get the session key.

In the same year, the authors of [28,29] proposed a lightweight authentication scheme, which uses a ‘dynamic ID technique’ to achieve user anonymity and is secure in resisting known session-specific temporary information attack. Unfortunately, we find that the two schemes are insecure against smart card loss attacks. Besides, both schemes have two design flaws, including impractical GWN search operation and no provision for perfect forward secrecy.

On the other hand, perfect forward secrecy is an important security property for authenticated schemes. Unfortunately, to the best of our knowledge, most of the authentication schemes only using lightweight cryptographic primitives cannot provide perfect forward secrecy (e.g., the recent pertinent authentication schemes [24,25,26,28,29,30]). Although Mir et al. [30] claimed that their scheme is secure in perfect forward secrecy, we find out it is still prone to forward secrecy attack. In this scheme, the authors proved that the session key SK = h(K_i||K_j||ID_i||SID_i||T₁) is secure under the assumption that the adversary A does not obtain the identity ID_i of the user. However, if GWN’s secret key d is compromised, A can offline guess ID_i through the transmitted message M as below. A guesses a candidate ID’_i and computes X’_i = h(ID’_i||d), ID_i||K_i||T₁||H_i = D_X’i(M). A checks whether ID’_i and ID_i are equivalent. If they are equal, A can obtain the correct ID_i. Otherwise, A repeats this operation until the correct ID_i is obtained. Hence, Mir et al.’s scheme is unable to achieve perfect forward secrecy. Several articles [32,33,34] pointed out that it is intrinsically unable to provide perfect forward secrecy in the scheme that does not employ public-key primitives. To the best of our knowledge, some schemes [27] tried to address this issue using the one-time hash chain technique. However, it may cause de-synchronization attack because the hash chain value will be updated after each successful session.

1.2. Motivation and Contributions

Two previously-thought sound schemes [28,29] use ‘dynamic ID technique’ to achieve user anonymity at the price of the impractical exhaustive search operations. The reason is that users’ real identities are encoded into dynamic identities, no one is able to get the identity information of the user without the secret key. When the user wants to access the WSNs systems, it is difficult for the GWN to tell apart the real identity of the user. As a result, the GWN needs to search for every possible parameter to figure out the exact user. Generally, to address this, a pseudonym identity method [25,26] is used to help the GWN to read the correct information from the user information table. In this way, both of the user and the GWN store a randomly generated pseudonym identity, which is updated after each successful session. Since the pseudonym identity is different at each session, the adversary cannot track a specific user. However, Wang et al. [31] pointed out the scheme using pseudonym identity may easily suffer from the de-synchronization attacks, which may render the scheme completely unusable unless the user or the sensor node re-registers.

To the best of our knowledge, the hash chain technique can be employed to ensure perfect forward secrecy for lightweight cryptographic protocols [27]. However, like the pseudonym identity method, both communicating parties need to update their shared one-time hash chain value after completion of each session. Thus, the technique may also cause the de-synchronization attack.

Motivated by the above facts, we construct a new efficient authentication scheme for WSNs using the pseudonym identity method and one-time hash chain technique to achieve user anonymity and perfect forward secrecy. For the communication between the user and the GWN, the back-end of GWN stores two pseudonym identities PID_i0 and PID_i1 to resist against de-synchronization attack. PID_i0 stores the value of the new pseudonym identity. PID_i1 has two functions: the one is storing the value of the old pseudonym identity, the other is a tag for updating hash chain. If PID_i1 = ⊥, it means that the value of hash chain has updated in the previous session. Otherwise, the value of hash chain does not change, where ⊥ denotes null. For the communication between the GWN and the sensor node, serial number technique is used to resist against de-synchronization attack.

Altogether, in this paper, we analyze the security of two representative schemes [28,29] for WSNs and show their vulnerability to smart card loss attack, impractical GWN search operation and no provision for perfect forward secrecy. To overcome these weaknesses, we design a lightweight anonymous authentication protocol for WSNs based on the one-time hash chain and pseudonym identity. The main contributions of our scheme are summarized as follows:

(1)

The proposed scheme is resilient to various kinds of known attacks, such as de-synchronization attack, known session-specific temporary information attack;

(2)

The proposed scheme can provide mutual authentication, user anonymity, and perfect forward secrecy, etc.

(3)

The proposed scheme uses lightweight cryptographic primitives, such as symmetric encryption/decryption and hash functions. It is very suitable for the resource constrained sensor nodes.

1.3. Adversary Model

An adversary A has five goals. The first is that A can successfully impersonate the user U_i authenticating to GWN. The second is that A can successfully impersonate GWN authenticating to U_i. The third is that A can successfully impersonate the sensor node S_nj authenticating to GWN. The fourth is that A can successfully impersonate GWN authenticating to S_nj. And the last is that A can obtain the session key among U_i, GWN and S_nj. We assume that A is a probabilistic polynomial time attacker, and the feasible attacks are summarized as follows:

➢

A can control the channel among U_i, GWN and S_nj. It means that A can eavesdrop, insert, block, and alter the transmitted messages through the public communication channel.

➢

A can obtain one of the two authentication factors, smart card or password. If A has obtained the smart card, he can extract the secret value in the smart card and has the capability of enumerating identity and password space |D_ID*D_PW|.

➢

A may be another legitimate but malicious user in the system.

➢

A may be a legitimate but malicious sensor node.

1.4. Notations

All the notations mentioned in two related schemes and our proposed scheme are defined in

Table 1. Notations.

Notation	Descriptions
Ui	The user
Snj	The sensor node
GWN	The gateway node
SC	The smart card
IDi,PWi	Unique identity and password of Ui
SIDj	Unique identity of Snj
IDGWN	Unique identity of GWN
PID	Pseudonym identity
PIDi	Pseudonym identity of Ui in the user side
TIDi	A random number of Ui generated in the GWN
x	The secret key of GWN
xi	The shared secret key between GWN and Ui
KGWN_S	The shared secret key between GWN and Snj
bi	A random number generate by Ui
SK	The session key
EK,DK	Encryption/Decryption using the symmetric key K
h,h0,h1,h3	One-way hash function
h2	One-way hash function, h2:{0,1}*→{0,1,...,1023}
T,T1,T2,T3,T4	Current timestamp
||	String concatenation operation
⊕	XOR operation

.

1.5. Organization of the Paper

This paper takes two relate schemes [28,29] as case studies, we present a concrete attack to show that the two schemes are insecure against the smart card loss attack. Besides, we also show both schemes have two design flaws, including impractical GWN search operation and no provision for perfect forward secrecy. Then, we put forward a new way to deal with de-synchronization attack and design an efficient anonymous authentication scheme with perfect forward secrecy for WSNs.

The rest of this paper is organized as follows: Section 2 reviews two related schemes for WSNs. Section 3 presents the detailed procedure of the proposed scheme. Section 4 gives security analysis of our scheme. The computation and communication costs analysis of the proposed scheme are discussed in Section 5. Finally, Section 6 concludes this paper.

2. Review of Two Related Schemes

This section will describe two related authenticated key establishment schemes for WSNs, which are Lu et al.’s scheme [28] and Jung et al.’s scheme [29]. The reason for choosing these two schemes is that they are the typical representations of recent schemes in WSNs which have the security flaws in smart card loss attack, impractical GWN search operation and no provision for perfect forward secrecy. First, we will give briefly review of two schemes. Later on, the detailed weaknesses of the two schemes will be described.

2.1. Review of Lu et al.’s Scheme

Lu et al.’s authentication scheme [28] is shown in Figure 2. This scheme consists of four phases: the user registration, the sensor node registration, login and authentication, password change.

2.1.1. User Registration

Step 1: A new user U_i selects the identity ID_i and the password PW_i, generates a random number b_i. Then U_i computes C_i = h(PW_i||b_i), U_i transmits {ID_i,C_i} to GWN through a secure channel.

Step 2: Upon receipt of the message, the GWN computes A_i = h(h(ID_i)||C_i), B_i = h(TID_i||x)⊕C_i, M_i = h(ID_i||x)⊕h(h(ID_i)⊕C_i). After that, GWN stores {TID_i} in its memory, and stores {A_i,B_i,M_i} into smart card SC. Finally, GWN sends SC to U_i via a private channel.

Step 3: After receiving SC from GWN, U_i stores b_i into SC.

2.1.2. Sensor Node Registration

Step 1: A new sensor node S_nj selects identity SID_j and transmits {SID_j} to GWN through a secure channel.

Step 2: The GWN computes A_j = h(SID_j⊕K_{GMN_S}), and returen it to S_nj after storing {SID_j,A_j} into its memory.

Step 3: After receiving SID_j, A_j from GWN, S_nj stores them into its memory as the secret.

2.1.3. Login

When a user U_i desires the WSNs services, he/she needs to achieve mutual authenticate with GWN and S_nj. As shown in Figure 2, the process of mutual authentication is described as follows.

Step 1: U_i inputs ID_i and PW_i into the smart card SC. SC computes C_i = h(PW_i||b_i), A’_i = h(h(ID_i)||C_i), and compares A’_i with the stored value A_i. If they are not equal, SC terminates the session. Otherwise, SC believes U_i as a legitimate user. Next, SC generates a random number r_i, and computes h(ID_i||x) = M_i⊕h(h(ID_i)⊕C_i), EK = h(TID_i||x) = B_i⊕C_i, CT₁ = E_EK(ID_i||T₁||TID_i||r_i), E_i = h(h(ID_i||x)||r_i||T₁), where T₁ is the timestamp. Finally, SC sends the login request {CT₁,E_i} to GWN through the public channel.

Step 2: After receiving the login messages, the GWN computes EK = h₁(TID_i||x), ID_i||T₁||TID_i||r_i = D_EK(CT₁). Then, the GWN checks the timestamp T₁, computes E’_i = h(h(ID_i||x)||r_i||T₁), and checks whether E’_i matches with the received E_i. If it does not hold, GWN terminates the session. Otherwise, the GWN generates a random numnber r_k, and computes CT₂ = E_{h(SIDj⊕KGMN_S)}(r_k⊕r_i||TID_i||T₁||T₂), G_i = h(TID_i||SID_j||h(SID_j⊕K_{GMN_S})||ID_GWN||T₂||r_k⊕r_i), where T₂ is the timestamp. Finally, the GWN sends {CT₂,G_i} to the sensor node S_nj that U_i wants to interact with via the public channel.

Step 3: Upon receiving the messages {CT₂,G_i} from GWM, S_nj at first computes r_k⊕r_i||TID_i||T₁||T₂ = D_{h(SIDj⊕KGMN_S)}(CT₂). Then, S_nj checks the timestamp T₂, computes G’_i = h(TID_i||SID_j||h(SID_j⊕K_{GMN_S})||ID_GWN||T₂||r_k⊕r_i), and checks whether G’_i matches with the received G_i. If it does not hold, S_nj terminates the session. Otherwise, the S_nj generates a random numnber r_j, and computes SK = h(r_k⊕r_i⊕r_j||T₁||T₂||T₃), CT₃ = E_{h(SIDj⊕KGMN_S)}(r_j||T₃||r_k⊕r_i), I_i = h(SID_j||TID_i||T₃||SK), where T₃ is the timestamp. Finally, S_nj transmits {CT₃, I_i} to GWN.

Step 4: GWN first computes r_j||T₃||r_k⊕r_i = D_{h(SIDj⊕KGMN_S)}(CT₃). Then, the GWN checks the timestamp T₃, and computes SK = h(r_k⊕r_i⊕r_j||T₁||T₂||T₃), I’_i = h(SID_j||TID_i||T₃||SK), and checks whether I’_i matches with the received I_i. If it does not hold, GWN terminates the session. Otherwise, the GWN computes CT₄ = E_h(IDi⊕x)(r_k⊕r_j||r_i||SID_j||ID_GWN||T₂||T₃||T₄), V_i = h(SK||T₄||h(TID_i||x)), where T₄ is the timestamp. Finally, GWN transmits {CT₄, V_i} to U_i.

Step 5: U_i computes r_k⊕r_j||r_i||SID_j||ID_GWN||T₂||T₃||T₄ = D_h(IDi⊕x)(CT₄), and checks the timestamp T₄. Then U_i computes SK = h(r_k⊕r_i⊕r_j||T₁||T₂||T₃), V’_i = h(SK||T₄||h(TID_i||x)), and checks whether V’_i matches with the received V_i. If it holds, U_i completes the authentication. Otherwise, U_i fails to authenticate the GWN.

2.1.4. Password Update Phase

When a user U_i wants to update the password, he/she needs to execute the following steps:

Step 1: U_i inputs ID_i, PW_i into the smart card SC. SC computes C_i = h(PW_i||b_i), h(TID_i||x) = B_i⊕C_i, h(ID_i||x) = M_i⊕h(h(ID_i)⊕C_i), A’_i = h(h(ID_i)||C_i), and checks whether A’_i and A_i are equal. If not, SC fails to authenticate U_i, and rejects the request of the password update. Otherwise U_i inputs a new password PW*_i.

Step 2: SC computes C*_i = h₀(PW*_i||b_i), B*_i = h(TID_i||x)⊕C_i⊕C*_i, M*_i = h(ID_i||x)⊕h(h(ID_i)⊕C*_i) and A*_i = h(h(ID_i)||C*_i).

Step 3: Finally, A*_i,B*_i, and M*_i are stored in SC to replace A_i, B_i, and M_i respectively.

2.2. Review of Jung et al.’s Scheme

Jung et al.’s authentication scheme [29] is shown in Figure 3. This scheme consists of three phases: registration, login and authentication, password change. This scheme has not sensor node registration phase. When the sensor node is developed, a shared key K_{GWN_S} between the sensor node and the GWN is assigned.

2.2.1. User Registration

Step 1: A new user U_i selects the identity ID_i and the password PW_i, generates a random number b_i. Then U_i computes C_i = h(PW_i||b_i), U_i transmits {ID_i,C_i} to GWN through a secure channel.

Step 2: Upon receipt of the message, the GWN computes v = h(x_i), N_i = h(ID_i||C_i)⊕v, M_i = h(C_i||v). After that, GWN stores {v} in its memory, and stores {N_i,M_i,h} into smart card SC. Finally, GWN sends SC to U_i via a private channel.

Step 3: After receiving SC from GWN, U_i stores b_i into SC.

2.2.2. Login and Authentication

When a user U_i desires the WSNs services, he/she needs to achieve mutual authenticate with GWN and S_nj. Figure 3 illustrates the process of mutual authentication for the proposed scheme. In detail, the process is:

Step 1: U_i inputs ID_i and PW_i into the smart card SC. SC computes C_i = h(PW_i||b_i), v = h(ID_i||C_i)⊕N_i, M’_i = h(C_i||v), and compares M’_i with the stored value M_i. If they are not equal, SC terminates the session. Otherwise, SC believes U_i as a legitimate user. Next, SC generates a random number R₁, and computes DID_i = h(ID_i||R₁), EK = h(DID_i||v||T₁), CT₁ = E_EK(DID_i||R₁||T₁), where T₁ is the timestamp. Finally, SC sends the login request {DID_i, CT₁, T₁} to GWN through the public channel.

Step 2: After receiving the login messages, the GWN first checks the timestamp T₁, and computes EK = h(DID_i||h(x_i)||T₁), DID_i||R₁||T₁ = D_EK(CT₁). Then, the GWN checks whether DID_i and T₁ matches with the received values. If they do not hold, GWN terminates the session. Otherwise, the GWN generates a random numnber R₂, and computes CT₂ = R₂⊕h(x_S||SID_j), SK = h(DID_i||h(K_{GWN_S}||SID_j)||R₂||T₂), B_i = h(DID_i||SK||h(K_{GWN_S}||SID_j)||SID_j||T₂), where T₂ is the timestamp. Finally, the GWN sends {CT₂,DID_i,B_i,T₂} to the sensor node S_nj.

Step 3: Upon receiving the messages {CT₂,DID_i,B_i,T_2i} from GWM, S_nj first checks the timestamp T₂, and computes R₂ = CT₂⊕h(K_{GWN_S}||SID_j), SK = h(DID_i||h(K_{GWN_S}||SID_j)||R₂||T₂), B’_i = h(DID_i||SK||h(K_{GWN_S}||SID_j)||SID_j||T₂). Then, the S_nj checks whether B’_i matches with the received B_i. If it does not hold, S_nj terminates the session. Otherwise, the S_nj computes C_i = h(h(K_{GWN_S}||SID_j)||SK||DID_i||SID_j||T₃), where T₃ is the timestamp. Finally, S_nj transmits {C_i,T₃} to GWN.

Step 4: GWN first checks the timestamp T₃, and computes C’_i = h(h(K_{GWN_S}||SID_j)||SK||DID_i||SID_j||T₃). Then, the GWN checks whether C’_i matches with the received C_i. If it does not hold, GWN terminates the session. Otherwise, the GWN computes CT₃ = E_EK(DID_i||SID_j||SK||R₁||T₄), where T₄ is the timestamp. Finally, GWN transmits {CT₃, T₄} to U_i.

Step 5: U_i checks the timestamp T₄ and computes DID_i||SID_j||SK||R₁||T₄ = D_EK(CT₃). Then U_i checks whether DID_i, R₁, and T₄ matches with the previous values. If it holds, U_i completes the authentication. Otherwise, U_i fails to authenticate the GWN.

2.2.3. Password Update Phase

When a user U_i wants to update the password, he/she needs to execute the following steps:

Step 1: U_i inputs ID_i, PW_i into the smart card SC. SC computes C_i = h(PW_i||b_i), v = h(ID_i||C_i)⊕N_i, M’_i = h(C_i||v), and checks whether M’_i and the stored M_i are equal. If not, SC fails to authenticate U_i, and rejects the request for the password update. Otherwise U_i inputs a new password PW*_i.

Step 2: SC computes C*_i = h₀(PW*_i||b_i), N*_i = v⊕h(ID_i||C*_i), and M*_i = h(C*_i||v).

Step 3: Finally, N*_i and M*_i are stored in SC to replace N_i and M_i respectively.

2.3. Security Analysis of Two Related Schemes

The security of the above two related schemes will be discussed in this section. Both of them are claimed that they can resist against various kinds of attacks and fulfill the desirable security requirements. However, we find that these two schemes are prone to smart card loss attack. Besides, they also suffer from two design flaws, including the impractical GWN search operation and no provision for perfect forward security.

2.3.1. Smart Card Loss Attack

The smart card loss attack means that the password in the smart card can be guessed offline in the case where the smart card is lost or stolen. The authors of the above two schemes [28,29] have proved that their schemes are secure against this attack. The proofs assume that the identity of the user is unable to be guessed. However, since the identity of the user is a weak strength with low entropy, several articles [32,35,36] have proposed that the identity may be leaked when the smart card is lost or stolen. We now describe the details of this attack.

For Lu et al.’s scheme [28], suppose that the adversary A has obtained the smart card of U_i, and can extract secret information <A_i,B_i,M_i,b_i,h> from it, where A_i = h(h(ID_i)||C_i), B_i = h(TID_i||x)⊕C_i, M_i = h(ID_i||x)⊕h(h(ID_i)⊕C_i), C_i = h(PW_i||b_i). Then A can successfully guess the ID_i and PW_i as below.

Step 1: A guesses a candidate pair ID’_i and PW’_i, and computes C’_i = h(PW’_i||b_i), A’_i = h(h(ID’_i)||C’_i).

Step 2: A checks whether A’_i and A_i stored in smart card are equivalent. If they are equal, A can obtain the correct ID_i and PW_i pair. Otherwise, A repeats the steps 1 and 2 until the correct ID_i and PW_i pair is obtained.

For Jung et al.’s scheme [29], the smart card stores <N_i,M_i,b_i,h>, where N_i = h(ID_i||C_i)⊕v, M_i = h(C_i||v), v = h(x_i), C_i = h(PW_i||b_i). Therefore, the process of launching smart card loss attack is similar, in many ways, to the process of attacking Lu et al.’s scheme. A can guess the correct ID_i and PW_i pair through checking whether M_i = h(h(PW’_i||b_i)||N_i⊕h(ID’_i||h(PW’_i||b_i))) holds or not.

Since the identity space |D_ID| and the password space |D_PW| are usually not more than 10⁶, the time required for A to complete this attack is linear [35]. As a result, Lu et al.’s scheme and Jung et al.’s scheme still fail to smart card loss attack.

2.3.2. Impractical GWN Search Operation

User anonymity is an important security feature of authentication scheme for WSNs, which consists of two properties, user identity-protection, and untraceability [36]. User identity-protection means that the adversary could not know the real identity of the user, and user untraceability guarantees that the adversary can neither determine who the user is nor distinguish whether two sessions are executed by the same user. To achieve user anonymity, the ‘dynamic ID technique’ is widely adopted in most schemes, so do Lu et al.’s scheme [28] and Jung et al.’s scheme [29]. In the two schemes, a user requires concealing his real identity into a dynamic identity. When the user wants to log in GWN, it is difficult for GWN to tell apart the real identity of the user. As a result, the GWN needs to search for every possible parameter or have a back-end channel to figure out the exact user, which is impractical [27]. The detailed of this operation will be described as follows.

For Lu et al.’s scheme, the user sends a login message {CT₁,E_i} to GWN, where CT₁ = E_EK(ID_i||T₁||TID_i||r_i), E_i = h(h(ID_i||x)||r_i||T₁), EK = h(TID_i||x) = B_i⊕C_i. After receiving the message {CT₁,E_i} from the user, the GWN decrypts CT₁ by the symmetric key EK = h(TID_i||x). Now, there is a problem that the GWN does not figure out exactly which TID_i is the communicating user’s because all of the users’ TID_i are stored in the GWN. The GWN has to perform an exhaustive search operation to obtain the exact user’s TID_i. Let L is the size of user’s information table, T_h is the execution time for hash operation and T_E is the execution time for the decryption operation. The time complexity of the above operation is O(L*T_h*T_E). This is obviously impractical.

The similar problem can also be found in Jung et al.’s scheme. The user sends a login message {DID_i,CT₁,T₁} to GWN, where CT₁ = E_EK(DID_i||R₁||T₁), EK = h(DID_i||v||T₁), DID_i = h(ID_i||R₁), v = h(x_i). After receiving the message {DID_i,CT₁,T₁} from the user, GWN decrypts CT₁ by the symmetric key EK = h(DID_i||h(x_i)||T₁), where x_i is the shared symmetric key between the user and the GWN. Since all users’ shared symmetric keys are stored in the GWN, the GWN does not figure out exactly which one is the communicating user’s. It is obviously unrealistic for the GWN to perform an exhaustive search operation to obtain the exact user’s x_i. Because the time complexity of the above operation is O(L*2T_h*T_E), where L is the size of user’s key table, T_h is the execution time for hash operation and T_E is the execution time for the decryption operation.

2.3.3. No Provision for Perfect Forward Secrecy

Perfect forward secrecy is one of the important security properties for authenticated key establishment protocols. A protocol is said to achieve the notion of perfect forward secrecy if the compromise of long-term keys does not compromise the previous session keys [33]. In the practical application, such as battlefield, the sensor node is unattended, which make it be dangerous in compromised by the adversary. Then the long-term key of the sensor node may be compromised and the previous session keys will be retrieved. Therefore, perfect forward secrecy should be considered for WSNs. However, none of the above two schemes [28,29] can provide perfect forward secrecy.

For Lu et al.’s scheme, suppose the user’s long-term secret key h(ID_i||x) and h(TID_i||x) are compromised by the adversary A, and A has captured all the previous transmitted messages through the public communication channel. In this case, A is able to obtain all the previous message CT₄. Thus, A can retrieve the past session keys through r_k⊕r_j||r_i||SID_j||ID_GWN||T₂||T₃||T₄ = D_h(IDi⊕x)(CT₄), SK = h(r_k⊕r_i⊕r_j||T₁||T₂||T₃). Meanwhile, if the GWN’s long-term secret key x and the sensor node’s long-term secret key K_{GMN_S} are compromised, the previous session keys will also be retrieved.

The similar problem can also be found in Jung et al.’s scheme, if the user’s long-term secret key v is compromised by A, and A has captured all the previous transmitted messages DID_i, CT₃, T₁ through the public communication channel. Thus, A can retrieve the past session keys through EK = h(DID_i||v||T₁), DID_i||SID_j||SK||R₁||T₄ = D_EK(CT₃). Meanwhile, if the GWN’s long-term secret key x_i and the sensor node’s long-term secret key K_{GWN_S} are compromised, the previous session keys will also be retrieved.

3. The Proposed Scheme

This section will describe each phase of the proposed anonymous authentication scheme for WSNs. It uses PID instead of the user’s real identity to protect user anonymity. In order to achieve the perfect forward secrecy, the transmitted messages in public channel are protected by the one-time hash chain technique. The back-end of GWN stores new PID and old PID during execution so as to resist against de-synchronization attack. The old PID will be set null until the GWN completes the authentication successfully. The proposed scheme consists of four phases: registration phase, authentication and key agreement phase, password update phase, and dynamically deploy sensor nodes phase. We will describe the detail in the upcoming subsection.

3.1. Registration Phase

The registration phase includes user registration phase and sensor node registration. The details of these processes are described as follows. Figure 4 illustrates the registration phase for the proposed scheme.

3.1.1. User Registration

When a user U_i wants to access a sensor node S_nj, he/she needs to register in GWN first. The GWN issues a smart card to U_i as a response to the registration request. As shown in Figure 4a, the procedure of user registration is described as follows.

Step 1: A new user U_i selects identity ID_i and password PW_i, generates a random number b_i. Then U_i computes C_i = h₀(ID_i||PW_i||b_i), U_i transmits {ID_i,C_i} to GWN through a secure channel.

Step 2: The GWN checks whether ID_i exists in the user information table. If it exists, GWN rejects the registration request. Otherwise, GWN generates three random numbers u_i,a,b, sets NC_i = a, PID_i = PID_i0 = b, PID_i1 = ⊥, and computes K_i = h₁(ID_i||x||u_i), F_i = K_i⊕C_i,V = h₂(h₃(K_i||C_i)), where ⊥ denotes null. After that, GWN updates the user identity information table with the new entry {PID_i0,PID_i1,ID_i,NC_i,u_i}, and stores {PID_i,F_i,NC_i,V} into smart card SC. Finally, GWN sends SC to U_i via a private channel.

Step 3: After receiving SC from GWN, U_i stores b_i into SC.

3.1.2. Sensor Node Registration

When a new sensor node S_nj is deployed, S_nj is required to register in GWN. As shown in Figure 4b, the procedure of sensor node registration is described as follows.

Step 1: The new sensor node S_nj selects identity SID_j and transmits {SID_j} to GWN through a secure channel.

Step 2: The GWN checks whether SID_j exists in the sensor node information table. If it exists, the GWN rejects the registration request. Otherwise, the GWN generates a random number K_GWN-S, and sets the initial sequence numbers NS_j = NS_j0 = 0. After that, GWN updates the sensor node information table with the new entry {SID_j,NS_j0,K_GWN-S}, and sends {NS_j,K_GWN-S } to S_nj via a private channel.

Step 3: After receiving NS_j,K_GWN-S from GWN, S_nj stores them into its memory as secret.

3.2. Authentication and Key Agreement Phase

When a user U_i wants to gain access to WSNs, U_i needs to achieve mutual authenticate with GWN and S_nj. As shown in Figure 5, the process of mutual authentication is described as follows.

Step 1: U_i inputs ID_i and PW_i into the smart card SC. SC computes C_i = h₀(ID_i||PW_i||b_i), K_i = F_i⊕C_i, V’ = h₂(h₃(K_i||C_i)), and compares V’ with the stored value V. If they are not equal, SC terminates the session. Otherwise, SC believes U_i as a legitimate user. Next, SC generates a random number r_A, and computes EK = h₁(PID_i||K_i||NC_i), CT₁ = E_EK(r_A||T), V₁ = h₃(ID_i||r_A||K_i||PID_i||NC_i||T), where T is the timestamp. Finally, SC sends the login request {PID_i,CT₁,V₁} to GWN through the public channel.

Step 2: After receiving the login messages, GWN at first checks the timestamp T. Then GWN searches its back-end database to get each pair of the pseudonym identity (PID_i0,PID_i1) and operates as follows:

(1)

GWN checks whether the pseudonym identity exists in the user information table.

• If PID_i = PID_i0, it means that both the user’s and GWN’s pseudonym identity are updated in the previous session. Then GWN needs to verify whether the one-time hash chain value updates or not. GWN checks whether PID_i1 = ⊥ holds.

  ✧

  If the equation does not hold, it means that the GWN’s hash chain value does not update in the previous session. So, GWN computes NC’_i = h₁(NC_i), K_i = h₁(ID_i||x||u_i), EK = h₁(PID_i0||K_i||NC’_i), r_A||T = D_EK(CT₁), V’₁ = h₃(ID_i||r_A||K_i||PID_i0||NC’_i||T). The GWN checks whether V’₁ matches with the received V₁. If it holds, GWN generates a random PID’_i0, and sets PID_i1 = PID_i0, PID_i0 = PID’_i0, NC_i = NC’_i. Otherwise, GWN terminates the session.

  ✧

  Otherwise, GWN computes K_i = h₁(ID_i||x||u_i), EK = h₁(PID_i0||K_i||NC_i), r_A||T = D_EK(CT₁), V’₁ = h₃(ID_i||r_A||K_i||PID_i0||NC_i||T). The GWN checks whether V’₁ matches with the received V₁. If it holds, GWN generates a random PID’_i0, and sets PID_i1 = PID_i0, PID_i0 = PID’_i0. Otherwise, GWN terminates the session.

• If PID_i = PID_i1, it means that the user’s pseudonym identity and hash chain are not updated in the previous session. GWN computes K_i = h₁(ID_i||x||u_i), EK = h₁(PID_i1||K_i||NC_i), r_A||T = D_EK(CT₁), V’₁ = h₃(ID_i||r_A||K_i||PID_i1||NC_i||T). GWN checks whether V’₁ matches with the received V₁. If it holds, GWN generates a random PID’_i0, and sets PID_i0 = PID’_i0. Otherwise, GWN terminates the session.
• If PID_i ≠ PID_i0, PID_i ≠ PID_i1, GWN terminates the session.

(2)

GWN randomly generates a session key sk and chooses a specified sensor node SID_j, and computes CT₂ = (sk||ID_i)⊕h₀(K_GWN-S||SID_j||NS_j0), V₂ = h₃(ID_i||SID_j||sk||K_GWN-S||NS_j0). Subsequently, GWN updates K_GWN-S = h₁(K_GWN-S||SID_j), NS_j0 = NS_j0 + 1.

(3)

GWN sends {CT₂,V₂,NS_j0} to the sensor node S_nj that U_i wants to interact with via the public channel.

Step 3: Upon receiving the messages {CT₂,V₂,NS_j0} from GWM, S_nj at first verifies whether 1≤NS_j0-NS_j ≤N, where N is a threshold, which sets according to specific requirements of applications. If it does not hold, S_nj terminates the session. Otherwise, S_nj set K’_GWN-S = K_GWN-S, and computes N-1 times K’_GWN-S = h₁(K’_GWN-S||SID_j), if N-1 = 0, there is no hash function operation. Next, S_nj computes sk||ID_i = CT₂⊕h₀(K’_GWN-S||SID_j||NS_j0-1), V₂’ = h₃(ID_i||SID_j||sk||K’_GWN-S||NS_j0-1). Then, S_nj checks whether V’₂ matches with the received V₂. If it holds, S_nj computes V₃ = h₃(SID_j||ID_i||sk||NS_j0), and updates K_GWN-S = h₁(K’_GWN-S||SID_j), NS_j = NS_j0. Otherwise, S_nj terminates the session. Finally, S_nj transmits {SID_j, V₃} to GWN.

Step 4: GWN first computes V’₃ = h₃(SID_j||ID_i||sk||NS_j0), and checks whether V’₃ matches with the received V₃. If it holds, GWN computes GEK = h₁(r_A||PID_i1||K_i||NC_i), CT₃ = E_GEK(sk||PID_i0||SID_j), V₄ = h₃(ID_i||sk||r_A||PID_i0). Otherwise, GWN terminates the session. Finally, GWN transmits {CT₃, V₄} to U_i.

Step 5: U_i computes GEK = h₁(r_A||PID_i||K_i||NC_i), sk||PID_i0||SID_j = D_GEK(CT₃), V₄’ = h₃(ID_i||sk||r_A||PID_i0), and checks whether V’₄ matches with the received V₄. If it holds, U_i computes V₅ = h₃(SID_j||ID_i||PID_i0||sk), and updates NC_i = h₁(NC_i), PID_i = PID_i0. Otherwise, U_i terminates the session. Finally, U_i sends {V₅} to GWN.

Step 6: After receiving the message V₅ from U_i, GWN computes V’₅ = h₃(SID_j||ID_i||PID_i0||sk), and checks whether V’₅ matches with the received V₅. If it holds, GWN updates NC_i = h₁(NC_i), PID_i1 = ⊥. Otherwise, GWN fails to authenticate U_i.

Thus, the authentication key agreement among three-party is successful, and they establish the session key sk with each other as summarized in Figure 5.

3.3. Password Update Phase

When a user U_i wants to update the password, he/she needs to run the following steps:

Step 1: U_i inputs ID_i, PW_i into the smart card SC. SC computes C_i = h₀(ID_i||PW_i||b_i), K_i = F_i⊕C_i, V’ = h₂(h₃(K_i||C_i)), and checks whether V’ and V are equal. If not, SC fails to authenticate U_i, and rejects the request of the password update. Otherwise U_i inputs a new password PW*_i.

Step 2: SC computes C*_i = h₀(ID_i||PW*_i||b_i), F*_i = K_i⊕C_i⊕C*_i, V* = h₂(h₃(K_i||C*_i)).

Step 3: Finally, F*_i and V* are stored in SC to replace F_i and V respectively.

3.4. Dynamically Deploy Sensor Nodes Phase

When the system administrator deploys a new sensor node in the existing system, the deployed sensor node is required to apply to register in the GWN. The procedure of sensor node registration follows the steps described in Section 3.1.2.

4. Security Analysis of Our Scheme

In the section, we will discuss the security of our proposed scheme. First, the strand space model will be adopted to demonstrate the validity of our scheme. Second, we will demonstrate that our scheme provides mutual authentication and session key security using automated protocol verifier tool ProVerif. Finally, further security analysis illustrates the ability of the proposed scheme to resist various known attacks.

4.1. Authentication Proof Based on Strand Space Model

Strand space model [37,38] is a well-known formal analysis method to verify the security of cryptographic protocols. Before we prove the correctness of our proposed scheme using stand space mode, we will describe the basic notions as below.

4.1.1. The Basic Notion of Strand Space Model

According to [37,38], a stand space is a set Σ of stands with a trace mapping tr:Σ → (±A)*, which includes various protocol participant stands and penetrator strands. Where A is a set, the elements of which are the transmitted messages between principals. (±A)* is the set of finite sequences. The elements of A is denoted as terms t. t₁ $⊏$ t is defined as that t₁ is a subterm of t. Due to the limitations of space, only the fundamental notations and lemmas in strand space model are enumerated here:

• +t/-t: send/receive a term t.
• <s,i>: a node of s, where s ∈ Σ, 1 ≤ i ≤ length(tr(r)). If n = <s,i>, then, index(n) = i, strand(n) = s, term(n) is the ith signed term in the trace of s, and uns_term(n) is the unsigned part of the ith signed term in the strand of s.
• n₁ → n₂: it means that the node n₁ sends a message and n₂ receives the message.
• n₁ $\Rightarrow$ n₂: it means that n₁ is an immediate causal predecessor of n₂, n₁ = <s,i> and n₂ = <s,i + 1>.
• n₁ $\Rightarrow$ ⁺ n₂: it means that n₁ is a precedence of n₂, n₁ = <s,i> and n₂ = <s,j>, i < j.
• S: a set of edges with respect to the causal relations →, $\Rightarrow$ and $\Rightarrow$ ⁺.
• n ${\prec }_S$ n’: it means that there are one or more edges in S leading from n to n’.
• n ${\underset{\_}{\prec }}_S$ n’: it means that there are zero or more edges in S leading from n to n’.
• T: a set of atomic messages.
• K: a set of cryptographic keys, which disjoints from T.
• {m}_K: it means that the message m is encrypted by the key K.

Lemma 1.

Suppose C is a bundle. Then ${\underset{\_}{\prec }}_C$ is a partial order, i.e., a reflexive, anti-symmetric, transitive relation. Every non-empty subset of the nodes in C has ${\underset{\_}{\prec }}_C$-minimal members.

Lemma 2.

Suppose C is a bundle. and suppose S is a set of nodes such that uns_term(m) = uns_term(m’) implies that m $\in$ S iff m’ $\in$ S, for all nodes m,m’. If n is a ${\underset{\_}{\prec }}_C$-minimal member of S, then the sign of n is positive.

4.1.2. Penetrator Strands

The following describes the abilities of an adversary, which are mainly characterized by the two factors, the one is the key set K_p possessed by the adversary, the other is the capability of the adversary to generate new messages from messages he intercepts. The strands of the adversary/penetrator are as follows:

M. Text message: < + t>, the penetrator sends an atomic messages t, where t ∈ T.

F. Flushing: <-g>, the penetrator receives message g.

T. Tee: <-g, + g, + g>, the penetrator receives message g and forward it.

C. Concatenation: <-g,-h, + gh>, after receiving messages g and h, the penetrator joins them to get gh, then sends gh.

S. Separation into components: <-gh, + g, + h>, upon receiving message gh, the penetrator sends message g and h.

K. Key: < + K>, the penetrator sends a key K, where K ∈ K_P.

E. Encryption: <-K,-h, + {h}_K>, after receiving a key K and a message h, the penetrator encrypts h using K, and gets {h}_K. Then, he sends {h}_K.

D. Decryption: <-K⁻¹,-{h}_K, + h>, after receiving a private key K⁻¹ and a ciphertext {h}_K, the penetrator decrypts {h}_K using K, and gets h. Then, he sends h.

H. Hash:<-K,-M, + H(K,M)>, after receiving a key K and a message M, the penetrator compute the hash value of K||M, and gets H{K||M}. Then, he sends H{K||M}.

4.1.3. Authentication Proof Based on the Stand Space Model

The process of our proposed authentication scheme is as follows:

(1)

U_i → GWN: PID_i, CT₁, V₁

(2)

GWN → S_nj: CT₂, V₂, NS_j0

(3)

S_nj → GWN: SID_j, V₃

(4)

GWN → U_i: CT₃, V₄

(5)

U_i → GWN: V₅

where EK = h₁(PID_i||K_i||NC_i), CT₁ = E_EK(r_A||T), V₁ = h₃(ID_i||r_A||K_i||PID_i||NC_i||T), CT₂ = (sk||ID_i)⊕h₀(K_GWN-S||SID_j||NS_j0), V₂ = h₃(ID_i||SID_j||sk||K_GWN-S||NS_j0), V₃ = h₃(SID_j||ID_i||sk||NS_j0), GEK = h₁(r_A||PID_i1||K_i||NC_i),CT₃ = E_GEK(sk||PID_i0||SID_j),V₄ = h₃(ID_i||sk||r_A||PID_i0), V₅ = h₃(SID_j||ID_i||PID_i0||sk).

The security goal of our proposed scheme is that the three participants should authenticate each other and share a secret key sk. In order to make the process of proof description clearer, we will refer to our proposed scheme using abbreviations LAAP.

Definition 1.

Let (Σ,P) be an infiltrated strand space. The strands space model is shown in Figure 6. (Σ,P) is a LAAP space if Σ have four kinds of strands.

(1) 

Penetrator strands s ∈ P.

(2) 

‘User strands’ with trace U[ID_i,SID_j,T, r_A,PID_i,PID_i0,K_i,NC_i,sk], defined to be < + {PID_i, CT₁, V₁}, -{CT₃, V₄}, + {V₅}>, where ID_i, SID_j ∈ T_name, r_A, sk,PID_i ∈ T, K_i,NC_i ∈ K, r_A $\notin$ T_name, r_A $\notin$ K.

(3) 

‘GWN strands’ with trace G[ID_i,SID_j,T, r_A,PID_i0, PID_i1,K_i,NC_i,sk,K_GWN-S, NS_j0],defined to be < −{PID_i, CT₁, V₁}, + { CT₂,V₂,NS_j }, −{SID_j, V₃}, + { CT₃,V₄}, −{V₅} >, where ID_i, SID_j ∈ T_name, r_A, sk,PID_i,PID_i0,PID_i1 ∈ T, K_i,NC_i,K_GWN-S ∈ K, sk $\notin$ T_name, sk $\notin$ K.

(4) 

‘Sensor node’ strands with trace Sn[ID_i,SID_j,sk,K_GWN-S,NS_j0],defined to be <−{CT₂,V₂,NS_j0}, + {SID_j, V₃} >

If the user, the GWN, and the sensor node can achieve successful authentication with each other, our scheme is a secure authentication scheme. The details in the proof of our proposed scheme using strand space model is described in the Appendix A.

4.2. Formal Security Validation Using ProVerif

In this section, we will demonstrate that our scheme provides mutual authentication and session key security using automated protocol verifier tool ProVerif [39,40,41]. ProVerif is one of the widely used formal verification tools for cryptography protocols, which supports many cryptographic primitives, including symmetric and asymmetric cryptography, digital signatures, hash functions, Diffie-Hellman key agreements, and signature proofs of knowledge.

In order to analyze the security of our scheme by ProVerif, we define two public channels, c1 is the public channel between the user and the GWN and c2 is the public channel between the GWN and the sensor node. The proposed scheme is modeled as the parallel execution of three distinct processes: the user, the GWN and the sensor node. We have implemented the specifications in the latest version 1.96 of Proverif [42] for three processes. The implementation details of the proposed scheme are provided in the supplementary material available at [43].

ProVerif allows the verifier encrypts some free names using the secrecy session key, and verifies the security of session key by test the secrecy of that free names [41]. As shown in Figure 3, we use four names secretA, secretB, secretC and secretD for secrecy queries to analyze the secrecy of session key sk. To verify mutual authentication, we declare eight events:

• event beginUGparam(host), event endUGparam(host),
• event beginGUparam(host), event endGUparam(host),
• event beginGSparam(host), event endGSparam(host),
• event beginSGparam(host), event endSGparam(host).

Intuitively, if one participant believes he has completed the scheme with another participant and hence executes the event endXXparam(host), where XX denotes UG, GU, GS, or SG. The results show that our scheme can achieve mutual authentication and session key security. We describe the results of the code as below:

➢

Query not attacker(secretA[]), not attacker(secretB[]),not attacker(secretC[]), not attacker(secretD[])

✧

RESULT not attacker(secretA[]), not attacker(secretB[]), not attacker(secretC[]), not attacker(secretD[]) are true.

✧

The result means that the adversary has not trace to reconstruct secretA, secretB, secretC, secretD. Hence, the session key sk is secure to resist cracking.

➢

Query inj-event(endGUparam(GWN)) ═> inj-event(beginGUparam(GWN))

✧

RESULT inj-event(endGUparam(GWN)) = = > inj-event(beginGUparam(GWN)) is true.

✧

This result means that the execution of the event beginGUparam(GWN) is preceded by the execution of the event endGUparam(GWN). Hence, the authentication of the user to the GWN holds.

➢

Query inj-event(endUGparam(user)) ═> inj-event(beginUGparam(user))

✧

RESULT inj-event(endUGparam(user)) ═> inj-event(beginUGparam(user)) is true.

✧

This result means that the execution of the event beginUGparam(user) is preceded by the execution of the event endUGparam(user). Hence, the authentication of the GWN to the user holds.

➢

Query inj-event(endGSparam(GWN)) ═> inj-event(beginGSparam(GWN))

✧

RESULT inj-event(endGSparam(GWN)) ═> inj-event(beginGSparam(GWN)) is true.

✧

This result means that the execution of the event beginGSparam(GWN) is preceded by the execution of the event endGSparam(GWN). Hence, the authentication of the sensor node to the GWN holds.

➢

Query inj-event(endSGparam(SN)) ═> inj-event(beginSGparam(SN))

✧

RESULT inj-event(endSGparam(SN)) ═> inj-event(beginSGparam(SN)) is true.

✧

This result means that the execution of the event beginSGparam(GWN) is preceded by the execution of the event endSGparam(GWN). Hence, the authentication of the GWN to the sensor node holds.

4.3. Further Security Analysis of Our Scheme

In this section, the ability of the proposed scheme to resist various known attacks will be analyzed.

4.3.1. Resistance to De-synchronization Attack

Our scheme employs PID and one-time hash chain techniques to provide user anonymity and perfect forward secrecy. Hence, it needs an additional synchronization method to maintain the consistency of several one-time values among the user, the GWN, and the sensor node. In the proposed scheme, the consistencies of PID and hash chain value will be ensured by using two pseudonym identities < PID_i0,PID_i1 > for the communication between the user and the GWN. For the communication between the GWN and the sensor node, we use the serial number to resist de-synchronization attack. Since the hash function is one way, we let the initiator updates the hash chain value at first. As a result, even if the adversary blocked the message, the hash chain value of the GWN and the sensor node can re-synchronize. In order to make our analysis clearer, a brief framework of our scheme is shown in Figure 7.

The adversary can launch the following malicious scenarios:

Scenario 1: If the adversary blocks the ① message flow, obviously, this attack will not work because all the participants have not even started updating. So, this scenario will be omitted.

Scenario 2: If the ② message flow is blocked by the adversary, the communication will be jammed. For the communication between the U_i and the GWN, this scenario is the same as scenario 4. For the communication between the GWN and S_nj, the hash chain values of two participants will not match each other. This attack does not cause our scheme completely unusable because we use serial number NS_j0 and NS_j to record the number of hash chain updated, where NS_j0 is the serial number of GWN side, NS_j is the serial number of S_nj side. When the GWN sends the ② message flow, the value of hash chain and NS_j0 in GWN side must be updated. The S_nj receives the ② message {CT₂,V₂,NS_j0}, he/she can synchronize the one-time hash chain value through performing NS_j0-NS_j time hash functions. Therefore, this scenario will cause asynchronous between the GWN and the S_nj, but it will not have any impact on the future session.

Scenario 3: If the adversary blocks the ③ message flow, obviously, this attack will not work between the GWN and the S_nj because the two participants have updated their hash chain values, and the hash chain values are equal to each other. For the communication between the U_i and the GWN, this scenario is the same as scenario 4. Therefore, this scenario will be omitted.

Scenario 4: If the ④ message flow is blocked by the adversary, this attack will not work between the GWN and the S_nj because both of them have updated hash chain values. But the communication between the U_i and the GWN will be jammed. In this scenario, since both the hash chain values in two participants are not changed, only the synchronization of pseudonym identities are required to consider. The value of PID_i0 in the GWN side has been a new pseudonym identity, while the value of PID_i in the U_i side does not change. Fortunately, the old pseudonym identity is stored in PID_i1 in the GWN side, that is PID_i1 = PID_i. So, when the next session is initiated by the U_i using unchanged PID_i, the GWN is still able to recognize it and continues to complete the authentication. Therefore, this scenario will cause pseudonym identity asynchronous between the U_i and the GWN, but it will not have any impact on the future session.

Scenario 5: If the ⑤ message flow is blocked by the adversary, like scenario 4, this attack will not work between the GWN and the S_nj. However, for the communication between the U_i and the GWN, it will be jammed. Since the pseudonym identities values of two participants have updated, it means PID_i0 = PID_i, we only need to worry about the synchronization of two participants’ hash chain values. In this scenario, the hash chain value in the U_i side is updated, while the value hash chain in the GWN side is unchanged. When U_i using changed hash chain value initiates a new session, the GWN will update its hash chain value through checking whether the value of PID_i1 is non-null or not. Therefore, even if this scenario will cause hash chain value asynchronous between the U_i and the GWN, the two pseudonym identities will make the hash chain values synchronize again. As a result, our scheme can resist de-synchronization attack through the above analyses.

4.3.2. Mutual Authentication

According to the proofs of Proposition A1–Proposition A4 and the formal validation using ProVerif, it is infeasible for an adversary to forge a legitimate user’s or GWN’s or sensor node’s authentication message. Thus, the user, the GWN, and the sensor node can successfully authenticate each other.

4.3.3. User Anonymity

To protect user’s identity, the proposed scheme employs pseudonym identity as a transmitted message instead of user’s real identity. The pseudonym identity is randomly generated and changes after completing each session. Thus, the pseudonym identity is different for every session. Moreover, it is almost impossible for an adversary to get the user’s real identity from transmitted messages. Therefore, our scheme is able to support user anonymity and untraceability.

4.3.4. Perfect Forward Secrecy

In the proposed scheme, suppose the adversary has obtained the long-term keys of two participants, that are K_i, NC_i, and K_GWN-S, he/she still cannot get the session key sk. The reason is that after each successful session, the keys NC_i and K_GWN-S will be updated by one-way hash function, that is NC’_i = h₁(NC_i), K’_GWN-S = h₁(K_GWN-S||SID_j). Because the hash function is one way, the adversary cannot obtain NC_i and K_GWN-S from NC’_i and K’_GWN-S. Therefore, our scheme can provide perfect forward secrecy.

4.3.5. Resistance to Smart Card Loss Attack

Suppose the adversary steals the user’s smart card and obtains the data {PID_i,F_i,NC_i,V,b_i}, where K_i = h₁(ID_i||x||u_i), F_i = K_i⊕C_i,V = h₂(h₃(K_i||C_i)), C_i = h₀(ID_i||PW_i||b_i). The adversary cannot guess the correct password, because there exist |D_ID|*|D_PW|/1024 candidates of the password, where |D_ID|is the space of the identity and |D_PW| is the space of the password. This method is called ‘fuzzy verifier’ [23,44,45], which prevents the adversary from obtaining the exacting correct password. Therefore, our proposed scheme can resist smart card loss attack.

4.3.6. Resistance Known Session-Specific Temporary Information Attack

In the proposed scheme, suppose the adversary gets the ephemeral random number r_A, he still cannot obtain information of session key sk. The reason is that the adversary has no way to compute the long-term key K_i, one-time hash chain values NC_i and K_GWN-S. Moreover, transmitted messages in the public channel are unhelpful to compute sk. Therefore, the proposed scheme has the ability to prevent the session-specific temporary information attack.

4.3.7. Resistance to Stolen Verifier Table Attack

In our scheme, no any password-verifier table of the user is stored in the GWN side. Therefore, our scheme can resist stolen verifier table attack.

4.3.8. Resistance to User Impersonation Attack

In our scheme, in order to forge a user, the adversary has to generate a valid value {T,PID_i,CT₁,V₁}. However, it is infeasible because the adversary does not know the secret keys K_i and NC_i. Therefore, our proposed scheme can resist against user impersonation attack.

4.3.9. Resistance to Sensor Node Spoofing Attack

Proposition A1–Proposition A4 and the formal validation using ProVerif show that the adversary cannot forge a legitimate user’s or sensor node’s authentication message without the secret keys K_i, NC_i or K_{GWN_S}. In the proposed scheme, the sensor node only has his own secret value and does not know the secret values of other sensor nodes or users. Therefore, he cannot spoof any user or other sensor nodes.

4.3.10. Resistance to Replay Attack

The proposed scheme uses timestamp, nonce and serial number to prevent the replay attack. For the communication between the user and the GWN, the first message flow includes a current timestamp T, and other message flow employs challenge-response mechanism to resist reply attack. For the communication between the GWN and the sensor node, the serial number is used in every message flow, which is updated after each successful authentication session. As a result, when the user and the sensor node accept each other, it must be the current session, not previous session. Therefore, our proposed scheme can avoid the replay attack.

4.3.11. Resistance to Man-in-the-middle Attack

In the proposed scheme, the transmitted messages are protected by the secret values K_i, NC_i and K_{GWN_S}, anyone without them cannot forge legal authentication messages. Therefore, our scheme can resist man-in-the-middle attack.

4.3.12. Resistance to Wrong Password Login/Update Attack

In the proposed scheme, the password verification information V = h₂(h₃(K_i||C_i)) is stored in the mobile device, which is designed to check the correctness of password. If the user inputs wrong password PW’_i, the verification data V and V’ = h₂(h₃(F_i⊕h₀(ID_i||PW’_i||b_i)||h₀(ID_i||PW’_i||b_i))) will not be equal. Therefore, our scheme can quickly detect unauthorized login and password update.

4.4. Security Comparisons

The security features of our proposed scheme with the two prior related schemes [28,29] will be compared in this section. The results of the comparison are listed in

Table 2. Security features comparisons of our scheme and the two related schemes.

Features	Lu et al. [28]	Jung et al. [29]	Ours
Resistance to de-synchronization attack	√	√	√
Mutual authentication	√	√	√
User anonymity	√	√	√
Perfect forward security	×	×	√
Smart card loss attack	×	×	√
Resistance to known session-specific temporary information attack	√	√	√
Resistance to stolen verifier table attack	√	√	√
Resistance to user impersonation attack	√	√	√
Resistance to sensor node spoofing attack	√	√	√
Resistance to replay attack	√	√	√
Resistance to man-in-the-middle attack	√	√	√
Resistance to wrong password login/update attack	√	√	√

.

From Table 2, it can be concluded that the proposed scheme is the only one who can resist against various kinds of known attacks and fulfill the desirable security features. Therefore, our scheme has better security than the previously related schemes.

5. Performance Analysis

This section will compare the communication and communication costs of our proposed scheme with the two prior related schemes [28,29]. Since the registration phase and password update phase are not used frequently, we only concentrate on comparing authentication phase.

5.1. Computation Analysis

For efficiency analysis, we compare the computation costs of our scheme with the two prior related schemes [28,29]. To facilitate analysis, we use the following notations to measure computation costs.

• T_h: the time complexity of the general hash function.
• T_E/D: the time complexity of general symmetric-key encryption/decryption algorithm.

As pointed out in [46,47], the running time of a one-way hash function operation, and symmetric-key encryption/decryption operation are 0.00032s and 0.0056s respectively. Thus, we have T_h ≈ 0.00032s, T_E/D ≈ 0.0056s. The results of the computation complexity comparisons of our scheme and two related schemes are summarized in

Table 3. Computation complexity comparisons of our scheme and the two related schemes.

Schemes	Users	GWN	Sensor Node	Total
Lu et al. [28]	7Th + 2TE/D ≈ 0.01344s	8Th + 4TE/D ≈ 0.02496s	4Th + 2TE/D ≈ 0.01248s	19Th + 8TE/D ≈ 0.05088s
Jung et al. [29]	5Th + 2TE/D ≈ 0.0128s	5Th + 2TE/D ≈ 0.0128s	4Th ≈ 0.00128s	13Th + 4TE/D ≈ 0.02688s
Ours	9Th + 2TE/D ≈ 0.01408s	11Th + 2TE/D ≈ 0.01472s	4Th ≈ 0.00128s	25Th + 4TE/D ≈ 0.03008s

. It shows that our scheme is as efficient as the most efficient one of these prior related schemes at sensor nodes. Although the computation cost for the user and the GWN of our proposed scheme is higher than that of Jung et al.’s scheme, it should be toleratable because our proposed scheme provides higher security, and resists most well-known attacks.

5.2. Communication Analysis

In this section, we compare the communication cost of our proposed scheme with the two prior related schemes [28,29]. To achieve convincing comparisons, we assume that the bit length of identity (ID_i,SID_j,ID_GWN), password (PW_i), pseudonym identity (PID_i,PID_i0,PID_i1), timestamp (T,T₁,T₂,T₃,T₄), serial number (NS_j0, NS_j), random number (r_A,sk), hash (h,h₁,h₃) output and hash (h₀) output are 64, 64, 64, 160, 64, 256, 160 and 320 bits, the block length of the symmetric encryption is 128 bits, respectively. Since the bit length of ciphertext using the symmetric encryption is the multiples of 128 bits, the bit length of CT₁ and CT₃ are 512 and 384 bits, respectively.

Table 4. Communication cost comparisons of our scheme and the two related schemes.

Schemes	Number of Message Required	Number of Bits Required
Lu et al. [28]	4 Messages	3840
Jung et al. [29]	4 Messages	2624
Ours	5 Messages	2208

shows the communication cost comparison among our scheme and the prior related schemes. In our scheme, the message {PID_i,CT₁,V₁}, {CT₂,V₂,NS_j0}, {SID_j,V₃}, {CT₃,V₄} and {V₅} require (64 + 512 + 160) = 736, (320 + 160 + 64) = 544, (160 + 64) = 224, (384 + 160) = 544 and 160 bits, respectively. Adding the five values, the total communication cost of our scheme is 2208 bits.

For Lu et al.’s scheme [28], the message {CT₁,E_i}, {CT₂,C_i}, {CT₃,I_i} and {CT₄,V_i}require ((64 + 160 + 64 + 256) + 160) = 128 × 5 + 160 = 800, ((256 + 64 + 160 + 160) + 160) = 128 × 5 + 160 = 800, ((256 + 256 + 160) + 160) = 128 × 6 + 160 = 928, and ((256 + 256 + 64 + 64 + 160 × 3) + 160) = 128 × 9 + 160 = 1312 bits, respectively. Adding the four values, the total communication cost of Lu et al.’s scheme is 3840 bits.

For Jung et al.’s scheme [29], the message {DID_i,CT₁,T₁}, {CT₂,DID_i,B_i,T₂}, {C_i,T₃} and {CT₃,T₄} require (64 + (64 + 256 + 160) + 160) = 64 + 128 × 4 + 160 = 736, (256 + 64 + 160 + 160) = 640, (160 + 160) = 320, and ((64 + 64 + 160 + 256 + 160) + 160) = 128 × 6 + 160 = 928 bits, respectively. Adding the four values, the total communication cost of Jung et al.’s scheme is 2624 bits.

Using the above similar approach, the total communication cost of the other related schemes can be computed in Table 4. From comparison in Table 4, it can be concluded that the proposed scheme has the least communication cost among the above schemes.

6. Conclusions

In this paper, we propose a lightweight anonymous authentication protocol for WSNs based on a one-time hash chain and pseudonym identity. The proposed scheme can provide mutual authentication, user anonymity, perfect forward secrecy, etc. Besides, it is resilient to various kinds of known attacks, such as de-synchronization attack, and known session-specific temporary information attack. Formal security analysis and simulations are also conducted by ProVerif to demonstrate that our scheme is secure against active and passive attacks. Furthermore, the proposed scheme only uses symmetric key encryption/decryption and hash functions. It is very suitable for the resource constrained sensor nodes.