This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/).
User authentication in wireless sensor networks (WSN) is a critical security issue due to their unattended and hostile deployment in the field. Since sensor nodes are equipped with limited computing power, storage, and communication modules; authenticating remote users in such resource-constrained environments is a paramount security concern. Recently, M.L. Das proposed a two-factor user authentication scheme in WSNs and claimed that his scheme is secure against different kinds of attack. However, in this paper, we show that the M.L. Das-scheme has some critical security pitfalls and cannot be recommended for real applications. We point out that in his scheme: users cannot change/update their passwords, it does not provide mutual authentication between gateway node and sensor node, and is vulnerable to gateway node bypassing attack and privileged-insider attack. To overcome the inherent security weaknesses of the M.L. Das-scheme, we propose improvements and security patches that attempt to fix the susceptibilities of his scheme. The proposed security improvements can be incorporated in the M.L. Das-scheme for achieving a more secure and robust two-factor user authentication in WSNs.
With the recent advances in communication technologies, wireless sensor networks (WSN) have emerged as a very active research avenue. WSNs have many common features with wireless ad hoc networks, and in several cases they are considered as a special case of them [1]. A WSN usually consists of a large number of autonomous sensor nodes, which are generally deployed in unattended environments. Each sensor node has some level of computing power, limited storage, and a small communication module to communicate with the outside world over an ad hoc wireless network [2]. WSNs are widely used, including in areas such as military, battlefield, homeland security, healthcare, environment monitoring, agriculture and cropping, manufacturing, etc.
Since the sensor network may operate in a hostile environment such as a military battlefield, security is critical. Robust techniques are needed to provide low-latency, survivable, and secure networks during the deployment of WSN. In addition, the network should be protected against intrusions and spoofing attacks [3]. Access control is an indispensable cryptographic primitive upon which other security primitives are built. A WSN should be smart enough to distinguish legitimate users from illegitimate users, resulting in the problem of user authentication [3]. If a WSN is deployed for a highly secure application, then the data collected within the sensor work is valuable and should only be given access to the registered or legitimate users. Benenson et al. first sketched the security issues of user authentication in WSN and introduced the notion of n-authentication [4]. Later on, Watro et al. proposed a TinyPK authentication protocol with public key cryptography that uses RSA and Diffie-Hellman algorithms [5], however, this protocol suffers from masquerade sensor node attack, in which an adversary can spoof the user.
In 2006, Wong et al. [6] proposed a light-weight dynamic user authentication scheme in WSN environment. They justified their scheme through security and cost analysis and discussed the implementation issues with the recommendations of using the security features of IEEE 802.15.4 MAC sublayer. Later, Tseng et al. [7] identified some security weaknesses in the scheme of Wong et al., which prevent it from being implemented in real-life environments. They showed that Wong et al.’s scheme is not protected from replay and forgery attacks, passwords can easily be revealed by any of the sensor nodes, and users cannot freely change their passwords. To overcome these discrepancies, Tseng et al. proposed an enhanced scheme and claimed that their scheme not only retains the advantages of Wong et al.’s scheme, but provides: resistance to replay and forgery attacks, reduction of password leakage risk, and capability of changeable password with better efficiency [7]. Lately, T.H. Lee [8] also analyzed Wong et al.’s scheme and proposed two simple dynamic user authentication protocols that are variations of Wong et al.’s scheme. In his first protocol, T.H. Lee simplified the authentication process by reducing the computational load of sensor nodes while preserving the same security level of Wong et al.’s scheme. On the other hand, in his second protocol, T.H. Lee proposed a scheme in which an intruder cannot impersonate the gateway node to grant access to illegitimate users.
L.C. Ko [9] proved that while Tseng et al.’s scheme achieves several security measures above Wong et al.’s scheme, it is still insecure under a reasonable attack model [9]. L.C. Ko discussed that Tseng et al.’s scheme does not achieve mutual authentication between the Gateway node (GW) and the Sensor node (SN), and between the User (U) and the SN. Furthermore, L.C. Ko identified that an adversary can forge the communication message which is sent from sensor node to the gateway node. Consequently, L.C. Ko proposed a modified scheme which attempts to overcome the aforementioned security pitfalls of Tseng et al.’s protocol and proved that his scheme has better security features than Tseng et al.’s scheme. [7]
Binod et al. [10] cryptanalyzed the authentication schemes of Wong et al. and Tseng et al. and proposed their improved scheme. Binod et al. showed that their scheme is more robust than previously published schemes and can withstand replay attack, forgery attack, man-in-the-middle attack and provides mutual authentication between login node and gateway node.
Recently, M.L. Das [11] proposed a two-factor user authentication scheme in WSNs. M.L. Das also identified that Wong et al.’s protocol is vulnerable to many logged-in users with the same login-id threat, that is, who has a valid user’s password can easily login to the sensor network [11]. He also identified that Wong et al.’s protocol is susceptible to stolen-verifier attack, because the GW-node and login-node maintain the lookup table of all the registered users’ credentials. Consequently, M.L. Das proposed his protocol to overcome the security flaws of Wong et al.’s scheme. His protocol uses the two factor authentication concept based on password and smart card and resists many logged-in users with the same login identity, stolen-verifier, guessing, replay, and impersonation attacks.
More recently, Nyang and Lee pointed out that the protocol of M.L. Das is vulnerable to offline password guessing attack, sensor node compromising attack, and does not protect query response messages by establishing a unique secure channel from sensor node to a user, which is an important way of serving a registered user in a secure and legitimate way [17]. Consequently, Nyang and Lee proposed their improved two-factor authentication protocol for WSNs, which attempts to overcome their identified discrepancies in the M.L. Das scheme.
However, in this paper, we identify that the M.L. Das-scheme is still not secure and vulnerable to several critical security attacks. In addition to the problems identified by Nyang and Lee, we show that the M.L. Das-scheme is defenseless against GW-node by-passing attack, does not provide mutual authentication between GW-node and sensor nodes, has the security threat of insider attack, and does not have provision for changing or updating passwords of registered users. To fix the aforementioned weaknesses of the M.L. Das-scheme, we propose security improvements in our paper. Our enhanced security patch contains secure features of changing or updating passwords of users, provides protection against insider attack, overcomes the GW-node bypassing attack, and provides mutual authentication between GW-node and sensor node. The proposed security improvements can easily be incorporated into the M.L. Das-scheme to take the benefit of more secure and robust two-factor user authentication in WSNs.
The rest of the paper is organized as follows; Section 2 briefly reviews the M.L. Das-scheme, Section 3 elaborates on the weaknesses and security pitfalls of his scheme, Section 4 presents our proposed security patch, improvements and analysis over the M.L. Das-scheme, Section 5 reveals the performance analysis of the presented scheme, and finally, Section 6 concludes this paper.
Review of the M.L. Das-Scheme
In this section, we briefly review user the authentication scheme of M.L. Das, which is divided into two phases, namely the registration phase and the authentication phase.
Registration Phase
When a user Ui wants to perform registration with the WSN, he submits his IDi and pwi to the Gateway node (GW-node) in a secure manner. Upon receiving the registration request, the GW-node computes Ni = h(IDi||pwi) ⊕ h(K), where K is a symmetric key that is secure to the GW-node, and ‘||’ is a bit-wise concatenation operator. Now, the GW-node personalizes the smart card with the parameters h(.), IDi, Ni, h(pwi) and xa, where h(.) is a one-way secure hash function and xa is a secret value generated securely by the GW-node and stored in some designated sensor nodes before deploying the WSN. At the end of this phase, Ui gets his personalized smart card in a secure manner.
Authentication Phase
The authentication phase is invoked when Ui wants to login into WSN or access data from the network. This phase is further sub-divided into two phases, namely login and verification phases.
Login Phase
In the login phase, Ui inserts his smart card into terminal and inputs IDi and pwi. The smart card validates the IDi and pwi with the stored values. If Ui is successfully authenticated, the smart card performs the following steps:
Step- L1: Computes DIDi = h(IDi||pwi) ⊕ h(xa||T), where T is the current timestamp of Ui system
Step- L2: Computes Ci = h(Ni||xa||T), then send < DIDi, Ci, T > to the GW-node
Verification Phase
Upon receiving the login request < DIDi, Ci, T > at time T*, the GW-node authenticates Ui by the following steps:
Step-V1: Checks if (T* − T) ≤ ΔT then GW-node proceeds to the next step, otherwise verification step is terminated. Here ΔT shows the expected time interval for the transmission delay
Step-V2: Computes h(IDi||pwi)* = DIDi ⊕ h(xa||T) and
Ci*=h((h(IDi||pwi)*⊕h(K))‖xa‖T)
Step-V3: if
Ci*=Ci then GW-node accepts the login request; otherwise login request is rejected.
Step-V4: GW-node now sends a message < DIDi, Ai, T′ > to some nearest sensor Sn over a public channel to respond the query data what Ui is looking for, where the value of Ai is Ai= h(DIDi||Sn||xa||T′), where T′ is the current timestamp of the GW-node. Here, the value of Ai is used to ensure Sn that the message originally comes from the real GW-node.
Step-V5: After receiving the message < DIDi, Ai, T′ >, the Sn validates the timestamp. If the timestamp is within valid interval, then Sn computes h(DIDi||Sn||xa||T′) and checks whether it is equal to Ai. If this step is passed, then Sn responds to the Ui’s query.
Cryptanalysis and Security Pitfalls of the M.L. Das-SchemeGW-Node Bypassing Attack
In the M.L. Das-scheme, after performing the verification phase and accepting the login request of Ui, the GW-node sends an intimation message < DIDi, Ai,T′ > to some nearest sensor node Sn to inform about the successful login of Ui, and requests Sn to respond the query/data of Ui. Here, Ai is computed by Ai= h(DIDi||Sn||xa||T′), where xa is a secret parameter which is known to GW-node, sensor node and stored in the smart card of Ui. T′is the timestamp of GW-Node and DIDi is the dynamic ID of user, which is calculated by DIDi = h(IDi||pwi) ⊕ h(xa||T). In the M.L. Das-scheme, the value of xa is used to ensure Sn that Ai message is coming from the legitimate GW-node. Here, we assume that if the value of xa is extracted from smart card of Ui by some means [12,13], then Ui himself or any adversary can login the Sn without going through the verification of GW-node, so Das et al.’s scheme is vulnerable to ‘GW-node by-passing attack’. In the following, we show how this attack works on the M.L Das-scheme:
Suppose an adversary or Ui himself computes a fake dynamic identity DIDa by using the extracted xa from smart card DIDf = h(IDf ||pwf) ⊕ h(xa||Tf), where IDf is a fake ID of adversary, pwf is a randomly chosen fake password, and Tf is the current timestamp of adversary’s machine.
Adversary computes Af= h(DIDf||Sn||xa||Tf), where Sn is the nearest sensor node for querying the data.
Now, adversary sends the message < DIDf, Af, Tf > to Sn over insecure communication channel.
After receiving the message, Sn first validates Tf. If (T* − Tf) ≤ ΔT, then Sn proceeds to next step, otherwise terminates the operation. Here, ΔT shows the expected time interval for the transmission delay.
Sn now computes A′f= h(DIDf||Sn||xa||Tf) and checks whether the value of
A′f=?Af or not. If it holds, Sn responds to the adversary’s query, and Ua, who is an adversary and not a legitimate user of the sensor network system, enjoys the resources as an authorized user without being a member of the system.
No Mutual Authentication between GW and Sensor Nodes
In the M.L. Das-scheme, after accepting the login request of Ui, the GW-node sends a message < DIDi, Ai, T′ > to some nearest sensor node Sn. Here the value of Ai is computed by Ai= h(DIDi||Sn||xa||T′), where T′ is the current timestamp of GW-node. This message informs the sensor node to respond the query/data, which Ui is requesting from the sensor network. In this message, the value of Ai is used to ensure the sensor node that it is come from the real GW-node. However, sensor node verifies the authenticity of GW-node but there is no authenticity that the sensor node is fake or real. Thus, the M.L. Das-scheme only provides unilateral authentication between the GW-node and sensor node, and there is not mutual authentication between the two nodes, which is an indispensable property of authentication protocol designing [14].
Privileged-Insider Attack
In a real environment, it is a common practice that many users use same passwords to access different applications or servers for their convenience of remembering long passwords and ease-of-use whenever required. However, if the system manager or a privileged-insider of the GW-node knows the passwords of Ui, he may try to impersonate Ui by accessing other servers where Ui could be a registered user. In the M.L. Das-scheme, Ui performs registration with GW-node by presenting his password in plain format i.e., pwi. Thus, his scheme has pitfalls in terms of insider’s attack of GW-node by a privileged user who has come to know the password of Ui and can misuse the system in future [15].
No Provision for Changing/Updating Passwords
In the M.L. Das-scheme, there is no provision for Ui to change or update his password whenever required. It is widely recommended security policy for highly secure applications that user’s should update or change their passwords frequently, while there is no such option in the M.L. Das-scheme.
Proposed Security Improvements and Analysis
In this section, we propose security improvements over the scheme of M.L. Das and perform analysis of our security patches as follows:
Introducing Password Change Phase
In this subsection, we introduce the password-change/update phase in the M.L. Das-scheme. In the password-change phase, when a user wants to change his password pwi to a new password
pwi*, he inserts his smart card into the terminal and enters his ID and password. Smart card validates his IDi and pwi with the stored values and if the entered IDi and pwi are correct, then the smart performs the following operations without interacting with GW-node:
Computes
Ni*=Ni⊕h(IDi||pwi)⊕h(IDi||pwi*), where the value of Ni is already stored on smart card i.e. Ni = h(IDi||pwi) ⊕ h(K)
Smart card replaces the old value of Ni with the new values
Ni* and
h(pwi*). Now, the new password is successfully changed and this phase is terminated.
Protection against Insider Attack
As we have mentioned in subsection 3.3, the M.L. Das-scheme has vulnerability of privileged-insider attack due to the reason of presenting his plain text password pwi to the GW-node. This problem can simply be overcome if Ui only submits h(pwi) to the GW-node, which is the hashed value of plain text password. Thus in the registration phase, the GW-node would compute Ni = h(IDi||h(pwi)) ⊕ h(K), instead of just Ni = h(IDi||pwi) ⊕ h(K), and the person except Ui will never know his secret password, which can protect from the possibility of privileged-insider attack [16].
Overcoming GW-node Bypassing Attack and Providing Mutual Authentication
It was identified in subsection 3.1 that there is the possibility of GW-node bypassing attack in M.L. Das-scheme and an adversary without passing the login from the GW-node can access the resources of the sensor network. The reason for the possibility of GW-node bypassing attack is due to sharing of secret parameter xa with the sensor node Sn and user Ui. If the value of xa is compromised, then the whole sensor network will become vulnerable to the GW-node bypassing attack.
Thus, we propose not to share the same secret parameters with Sn and Ui, and that every entity has its own secret parameter or key. Here, we suggest that the GW-node should only share xa with Ui and there should be another secret parameter xs, which should only be known to the GW-node and sensor nodes, and can be stored in sensor nodes before their deployment in the field. These sensor nodes are responsible to respond users for their queries.
To overcome this security flaw, the Step-V4 and Step-V5 in the verification phase of the M.L. Das-scheme can be amended by the following steps:
After accepting the login request of Ui, the GW-node sends message < DIDi, Ai, T′ >, to some nearest sensor node Sn to respond the query/data of Ui, where Ai is computed by Ai = h(DIDi||Sn||xs||T′). Here xs is the secret parameter, which is securely stored in sensor node Sn and shared only with the GW-node, and T′ is the current timestamp of GW-node’s system.
Upon receiving the message < DIDi, Ai, T′ >, the designated sensor node validates the timestamp. If (T″ − T′) ≤ ΔT, then Sn proceeds to next step, otherwise terminates the further operation. Here, ΔT shows the expected time interval for the transmission delay and T″ is the current timestamp of sensor node Sn.
Sn now computes
Ai*=h(DIDi‖Sn‖xs‖T′) and checks whether
Ai*=?Ai or not. If it holds, then Sn responds to Ui’s query, otherwise terminates the operation.
To provide mutual authentication between GW-node and sensor node, Sn now computes Bi = h(Sn||xs||T″′). Here T″′ is the current timestamp of sensor node’s system and sends back mutual authentication message < Bi, T″′ > to the GW-node.
After receiving the mutual authentication message < Bi, T″′ >, the GW-node first checks the validity of time-stamp. If (T″″ − T″′) ≤ ΔT, then GW node performs the further operations, otherwise the mutual authentication phase is terminated. Here, ΔT shows the expected time interval for the transmission delay and T″″ is the current timestamp of GW-node.
GW-node now computes
Bi*=h(Sn‖xs‖T′′′) and checks whether
Bi*=?Bi or not. If it is true, then GW-node establishes trust on sensor node, otherwise, GW-node intimates Ui about the possibility of malicious sensor node in the network and sends a process-termination message.
After successful authentication, Ui enjoys the resources provided by the sensor network.
Although, in the proposed security patch, the introduction of one more secret parameter xs creates storage overhead on the GW-node, but its benefits are two-fold and cannot be overlooked. The first benefit, as defined previously, is to overcome the GW-node bypassing attack, while the second benefit is the ease of secret parameter (key) updating incase of compromise of xs by an adversary. In the M.L. Das- scheme, if xa is compromised and GW-node has to revoke xa with a new secret parameter x′a, then the cost of revoking x′a is very high because it needs to be updated on all Ui’s smart cards as well as all the sensor nodes in the field. While on the other hand, in our proposed security improvement/patch, the cost of revoking secret parameters either xa or xs can be halved due to assigning different values xa and xs to Ui and Sn, respectively.
Performance Analysis of Proposed Scheme
In this section, we summarize security features and performance analysis of our proposed scheme and compare its security and robustness with the schemes of M.L. Das [11], and Nyang and Lee [17]. Table 1 demonstrates that our scheme is more secure and robust than the schemes of [11] and [17], and achieves more security features, which were not considered in the aforementioned schemes and are essentially required to implement a practical and universal two-factor user authentication protocol in WSNs.
Furthermore, it can be seen from Table 1 that our scheme needs only 13 hashing operations, in contrast to the protocols of M.L. Das and Nyang-Lee, which require 10 and 17 hash computations, respectively. Our scheme provides protection against insider attack, gateway node bypassing attack, password change/update option, and achieves mutual authentication between gateway and sensor nodes, which require few more hashing operations than [11] to enhance the security of overall authentication system. Hence, the computational overhead of the proposed scheme are not too high, but the scheme contains several enhanced security features, which are indispensable for implementing a reliable and trustworthy remote user authentication scheme in the WSN environment.
Conclusions
In this paper, we have shown that a recently proposed two-factor user authentication scheme in WSN environment is insecure against different kinds of attack and should not be implemented in real-applications. We have demonstrated that in the M.L. Das-scheme, there is no provision for users to change or update their passwords, the GW-node bypassing attack is possible, it does not provide mutual authentication between GW-node and sensor node, and it is susceptible to privileged-insider attack. To remedy the aforementioned flaws, we have proposed security patches and improvements, which overcome the weak features of the M.L. Das-scheme. The presented security improvements can easily be incorporated in the M.L. Das-scheme for a more secure and robust two-factor user authentication in WSNs.
References and NotesChiaraB.AndreaC.DavideD.RobertoV.An Overview on Wireless Sensor Networks Technology and EvolutionSensors200996869689610.3390/s9090686922423202CallawayE.H.Wireless Sensor Networks, Architectures and ProtocolsAuerbach Publications, Taylor & Francis GroupBoca Raton, FL, USA2003ChongC.Y.KumarS.Sensor Networks: Evolution, Opportunities, and ChallengesProc. IEEE2003911247125610.1109/JPROC.2003.814918BenensonZ.FelixC.G.DoganK.User Authentication in Sensor NetworksProceedings of Workshop Sensor NetworksUlm, Germany2004385389WatroR.DerrickK.Sue-fenC.CharlesG.CharlesL.PeterK.TinyPK: Securing Sensor Networks with Public Key TechnologyProceedings of the 2nd ACM workshop on Security of ad hoc and sensor networksWashington, DC, USA20045964WongK.H.MYuanZ.JiannongC.ShengweiW.A dynamic user authentication scheme for wireless sensor networksProceedings of Sensor Networks, Ubiquitous, and Trustworthy ComputingTaichung, Taiwan2006244251TsengH.R.JanR.H.YangW.An Improved Dynamic User Authentication Scheme for Wireless Sensor NetworksProceedings of IEEE GlobecomWashington, DC, USA2007986990TsernH.L.Simple Dynamic User Authentication Protocols for Wireless Sensor NetworksProceedings of 2nd International Conference on Sensor Technologies and ApplicationsCap Esterel, France2008657660KoL.C.A Novel Dynamic User Authentication Scheme for Wireless Sensor NetworksProceedings of IEEE ISWCSReykjavik, Iceland2008608612BinodV.JorgeS.S.JoelJ.P.C.R.Robust Dynamic User Authentication Scheme for Wireless Sensor NetworksProceedings of ACM Q2SWinetCanary Islands, Spain20098891DasM.L.Two-Factor User Authentication in Wireless Sensor NetworksIEEE Trans. Wireless Comm200981086109010.1109/TWC.2008.080128KocherP.JaffeJ.JunB.Differential Power AnalysisProceedings of 19th International Advances in Cryptology Conference CRYPTOSanta Barbara, CA, USA1999388397MessergesT.S.DabbishE.A.SloanR.H.Examining Smartcard Security under the Threat of Power Analysis AttacksIEEE Trans. Comp20025154155210.1109/TC.2002.1004593KhanM.K.ZhangJ.Improving the Security of ‘A Flexible Biometrics Remote User Authentication Scheme’Comp. Stand. Interf. Elsevier Sci200729828510.1016/j.csi.2006.01.002KuW.C.ChenS.M.Weaknesses and Improvements of An Efficient Password based Remote user Authentication Scheme using Smart CardsIEEE Trans. Cons. Elec20045020420710.1109/TCE.2004.1277863WangX.ZhangW.ZhangJ.KhanM.K.Cryptanalysis and Improvement on Two Efficient Remote User Authentication Scheme using Smart CardsComp. Stand. Intefr. Elsevier Sci200729507512NyangDH.LeeM.K.Improvement of Das’s Two-Factor Authentication Protocol in Wireless Sensor NetworksCryptologyePrint Archive 2009/631. Online PDF: http://eprint.iacr.org/2009/631.pdf (accessed on 28 February 2010).Table
Performance analysis and comparison of the proposed scheme.