- freely available
- re-usable

*Sensors*
**2011**,
*11*,
4767-4779;
doi:10.3390/s110504767

^{1}

^{2}

^{3}

^{4}

## Abstract

**:**User authentication is a crucial service in wireless sensor networks (WSNs) that is becoming increasingly common in WSNs because wireless sensor nodes are typically deployed in an unattended environment, leaving them open to possible hostile network attack. Because wireless sensor nodes are limited in computing power, data storage and communication capabilities, any user authentication protocol must be designed to operate efficiently in a resource constrained environment. In this paper, we review several proposed WSN user authentication protocols, with a detailed review of the M.L Das protocol and a cryptanalysis of Das’ protocol that shows several security weaknesses. Furthermore, this paper proposes an ECC-based user authentication protocol that resolves these weaknesses. According to our analysis of security of the ECC-based protocol, it is suitable for applications with higher security requirements. Finally, we present a comparison of security, computation, and communication costs and performances for the proposed protocols. The ECC-based protocol is shown to be suitable for higher security WSNs.

## 1. Introduction

As wireless communication technology has matured, the deployment of Wireless Sensor Networks (WSNs) has become more common. Wireless communication is a natural fit for sensor networks for the following reasons: it reduces the cost of infrastructure, allowing sensor networks to be deployed in areas that were once cost prohibitive and it allows a greater range of applications than fixed location sensor networks [1]. WSNs are now providing economical solutions in a host of diverse industries: electric utilities use WSNs for remote voltage monitoring, museums use WSNs for humidity monitoring and control, health care providers use WSNs for patient monitoring and notification, and they are in use in the military. Other applications include environment tracking and habitat monitoring, etc. [2–5].

A key requirement for WSN is user authentication [6,7]. The client devices (remote wireless sensor nodes) need to be authenticated before being allowed to join the WSN and have access to the WSN’s resources. To date, most user authentication methods have focused on protocol implementations in the network and link layers. Accordingly, we propose an efficient protocol implementation in the WSN application layer. It should be noted that, in order to limit power consumption by sensor nodes and to overcome limitations in computation capacity, user authentication in a WSN is typically done in dedicated gateway node (GW-node) [8].

Sastry and Wagner [9] proposed a security enhancement using access control lists (ACL’s) in the GW node. In addition to verifying a client’s identity and arranging the nearest sensor node, an ACL would be maintained. The ACL would be limited to 255 entries. Watro et al. [10] proposed a complex mathematical method for user authentication employing RSA and Diffie-Hellman algorithms to calculate an encrypted public key (TinyPK authentication), but this protocol is open to hostile attack by a user masquerading as a sensor node (spoofing). Wong et al. [11] proposed a less complex, light-weight, dynamic user authentication method using a hash-based protocol. Their method recommended using the security features of the IEEE 802.15.4 MAC sublayer. Das [12] and Tseng et al. [13] pointed out that both Watro’s and Wong’s user authentication methods were vulnerable to stolen-verifier, replay, and forgery attacks (made possible by allowing multiple users with a single login ID). Das [12] proposed a two factor method of user authentication. This method is designed to protect against the aforementioned stolen-verifier, replay, and forgery attacks. Tseng et al. [13] further pointed out that Wong’s method was vulnerable to stolen passwords and that Wong’s method prevented users from freely changing their password. Tseng et al. proposed an enhanced user authentication method that is design to prevent the various attacks and to reduce the vulnerability to stolen passwords. Khan et al. [14,15] and Chen et al. [16] reviewed the Das two factor method and found additional security issues. Chen et al. [16] proposed a more secure and robust two-factor user authentication in WSNs. Unfortunately, we find that the Chen et al. proposal fails to provide a secure method for updating user passwords and is vulnerable to the insider attack problem.

To address all of the issues raised in the above studies, we propose a novel user authentication protocol for wireless sensor networks, using Elliptic Curves Cryptography (ECC) and smart cards. Our proposal addresses the key security issues, while at the same time reducing computational load requirements. The remainder of this paper is organized as follows: in Section 2, we review the Das method and perform a detailed cryptanalysis of that method; next we present the ECC-based authentication protocol (EAP) for WSNs in Section 3. In Section 4, we present a security and performance analysis of the related protocols. Then, in Section 5, we provide some concluding remarks.

## 2. Related Works

#### 2.1. Review of Das’ Scheme

This section provides a brief review of the Das method and analyzes its protocol. Before this analysis we first summarize in Table 1 the notations used throughout this paper and their corresponding definitions.

Das’ protocol involves the registration phase, login phase and verification phase, and can be briefly described as follows:

(1) Registration phase:

In this phase, a user U_{i} submits his/her ID_{i} and PW_{i} to the GW-node in a secured manner. Then, the GW-node issues a license to U_{i}. The steps are described as follows:

Step 1: U

_{i}⇒ GW-node:{ID_{i}, PW_{i}}. A U_{i}enters an identity ID_{i}and a password PW_{i}and then sends {ID_{i}, PW_{i}} to the GW-node using a secure channel.Step 2: GW-node ⇒ smart card of U

_{i}:{ h(.), ID_{i}, N_{i}, h(PW_{i}), x_{a}}. The GW-node computes N_{i}= h(ID_{i}|| PW_{i}) ⊕ h(K) after receiving the registration request. Then, the GW-node personalizes the smart card with parameters {h(.), ID_{i}, N_{i}, h(PW_{i}), x_{a}}. U_{i}receives the smart card information using a secure channel.

(2) Login phase:

When user U_{i} enters an ID_{i} and a PW_{i} in order to carry out some inquiry or to access data from the WSN, the smart card must confirm the validity of U_{i} according to the following steps:

Step 1: Validate U

_{i}. The entered ID_{i}and PW_{i}are validated against the ID and PW stored on the user’s smart card. If U_{i}’s identification validation fails, the smart card will terminate this request.Step 2: U

_{i}’s smart card calculates DID_{i}and C_{i}.DID

_{i}= h(ID_{i}|| PW_{i})⊕h(x_{a}|| T), where T is the login system timestamp.C

_{i}= h(N_{i}|| x_{a}|| T).Step 3: U

_{i}→GW-node:{DID_{i}, C_{i}, T}.{DID

_{i}, C_{i}, T} is transmitted to the GW-node via public channel.

(3a) Verification phase (gateway node):

When the GW-node receives a login request {DID_{i}, C_{i}, T} at time T*, the GW-node performs the following steps to verify the identity of U_{i}:

Step 1: Validates if T*–T < ΔT.

If (T* – T) ≤ ΔT then the validity of T can be certain, and the GW-node proceeds to the next step. Otherwise, the GW-node rejects the request. Here, ΔT denotes the expected time interval for transmission delay.

Step 2: Calculates ${C}_{i}^{*}$.

h(IDi || PW

_{i})* = DID_{i}⊕h(x_{a}|| T)${C}_{i}^{*}\hspace{0.17em}=\hspace{0.17em}h(h(I{D}_{i}\hspace{0.17em}\left|\right|P{W}_{i})*\hspace{0.17em}||h(K)\hspace{0.17em}|\left|{x}_{a}\right||T)$.

Step 3: Confirms whether the ${C}_{i}\hspace{0.17em}=\hspace{0.17em}{C}_{i}^{*}$.

If the ${C}_{i}\hspace{0.17em}=\hspace{0.17em}{C}_{i}^{*}$, then the GW-node accepts the login request and sends a request to Sn.

Step 4: GW-node→S

_{n}:{DID_{i}, A_{i}, T'}.The GW-node calculates A

_{i}= h(DID_{i}|| S_{n}|| x_{a}|| T') and transmits a request {DID_{i}, A_{i}, T'} to S_{n}over a public channel. T' is the GW-node request timestamp. A_{i}is generated using the x_{a}parameter, thus the value of A_{i}can be used by S_{n}to ensure that the message originates from a valid GW-node.

(3b) Verification phase (sensor node):

When S_{n} receives request {DID_{i}, A_{i}, T'} at time T, S_{n} performs the following steps to verify the validity of the request:

Step 1: Validates if T – T’ < ΔT.

If (T – T’) ≤ ΔT then the validity of T' can be certain, and S

_{n}proceeds to the next step.Step 2: Recalculates A

_{i}.A

_{i}= h(DID_{i}|| S_{n}|| x_{a}|| T')Step 3: Confirms whether the value of the locally calculated A

_{i}is the same as the value of A_{i}in the GW-node request.If the value of the locally calculated A

_{i}is the same as the value of A_{i}in the GW-node request, then S_{n}responds to U_{i}’s original request. Otherwise, S_{n}rejects the request.

#### 2.2. Cryptanalysis of Das’ Protocol

Recently, several studies have analyzed security flaws in Das’ scheme [14–16]. In this section, we also discuss the requirements of security in WSNs and describe the primary flaw of Das’ protocol (it omits mutual authentication) and several secondary security issues [14–16].

#### 2.2.1. Security Requirements in Wireless Sensor Networks

Sastry and Wagner [9] noted several problems with regard to the security of user authentication provided by IEEE 802.15.4 [17]. They cited ACL management problems, loss of ACL state due to power interruptions, and key management problems. They concluded that IEEE 802.15.4 provides insufficient user authentication security and provided some solutions for the noted problems. However, above and beyond the security issues noted by Sastry and Wagner, there are two additional security issues that must be addressed:

Secure user authentication in WSNs should include, to the extent possible, methods for addressing application layer issues such as masquerade, replay, and forgery attacks.

Secure user authentication in WSNs should be based on mutual authentication.

#### 2.2.2. No Mutual Authentication

Because Das’ protocol does not provide mutual authentication [14–16], a malicious user can attack a WSN that uses the Das protocol by means of eavesdropping and masquerading. The attack could be accomplished as follows:

U

_{i}sends the message {DID_{i}, C_{i}, T} to the GW-node for accessing the WSN.The GW-node sends the message {DID

_{i}, A_{i}, T} to S_{n}for asking the service for U_{i}.The attacker captures the message {DID

_{i}, A_{i}, T} via eavesdropping.The attacker provides an S

_{M}which masquerades as S_{n}to get the U_{i}’s request data or hold back the request.Since S

_{M}co-works with U_{i}continuously, the U_{i}access requests will continue to fail.

With the Das method, after accepting the login request of U_{i}, the GW-node sends a message {DID_{i}, A_{i}, T’} to some nearest sensor node S_{n}. Here the value of A_{i} is computed by A_{i} = h(DID_{i} || S_{n} || x_{a} || T’), where T' is the current timestamp of GW-node. The value of A_{i} is used to assure the sensor node that the message has come from the real GW-node. The GW-node message directs the sensor node to reply to the query with the data which U_{i} has requested. However, there is no mechanism for the GW-node to be assured that the reply message was initiated from the queried sensor node. Thus, the Das-scheme only provides unilateral authentication between the GW-node and sensor node. There is no mutual authentication between the two nodes.

#### 2.2.3. No Protection against Insider Attacks

Nowadays users use a single common password for accessing different applications or servers. The situation is common practice and this is done for their convenience. It relieves the user from having to remember multiple passwords. Nevertheless, if the system manager or a privileged user of the GW-node obtains the common password of U_{i}, he/she may try to impersonate U_{i} by accessing other servers where U_{i} could be a registered user. In the Das scheme [14,15], U_{i} performs registration with the GW-node by presenting a password in plain format. Thus, the Das protocol does not provide sufficient protection against an insider attack on a GW-node by a privileged user.

#### 2.2.4. No Provision for Changing/Updating Passwords

The fixed password is definitely suffered from threats than an updating password. It is a widely recommended security policy, for highly secure applications, that users should update or change their passwords frequently. In the scheme [14,15], there is no provision for a user to easily change his/her password.

#### 2.2.5. No Protection against Forgery Attacks

A legal user of the system can launch a forgery attack against the WSN by eavesdropping and masquerading. A forgery attack can be launched as follows [16]:

A legal user of the system U* can login to the WSN at T

_{A}and T_{B}accurately.Suppose U* has embedded a synchronized Trojan virus into legal user U

_{i}’s system.When U

_{i}wants to login to the WSN at T_{A}and T_{B}, U* can eavesdrop on the messages {DID_{i}, C_{i}, T_{A}} and {DID_{i}, C_{i}, T_{B}} between the GW-node and U_{i}at T_{A}and T_{B}. To judge which message is DID_{i}or C_{i}as follows:Step 1.U* can obtain the following messages: DID

_{i}(T_{A}) = h(ID_{i}|| PW_{i})⊕h(x_{a}|| T_{A}) and DID_{i}(T_{B}) = h(ID_{i}|| PW_{i})⊕h(x_{a}|| T_{B}).Step 2. And then U* can forge the dynamic login identity DID*(T

_{A}) and DID*(T_{B}).DID*(T

_{A}) = h(ID* || PW*)⊕h(x_{a}|| T_{A})DID*(T

_{B}) = h(ID* || PW*)⊕h(x_{a}|| T_{B}).

U* can use the login phase formula to compute DID

_{i}(T_{B}), where DID_{i}(T_{B}) is calculated as DID_{i}(T_{B}) = DID_{i}(T_{A})⊕DID^{*}(T_{A})⊕DID^{*}(T_{B}) = h(ID_{i}‖PW_{i}) ⊕ ⊕ ⊕ ⊕ ⊕ h(x_{a}‖T_{B})After U* obtains U

_{i}’s DID_{i}(T_{B}), U* sends a new session message {DID_{i}(T_{B}), C_{i}, T_{S}} within ΔT timestamp for a new login request. The timestamp T_{S}, where T_{S}= T_{B}, is made by U* for attack on the WSN.Thus, the GW-node will verify message {DID

_{i}(T_{B}), C_{i}, T_{S}} from U* with following steps: U*→GW-node:{DID_{i}(T_{B}), C_{i}, T_{S}}Step 1. The GW-node receives {DID

_{i}(T_{B}), C_{i}, T_{S}} at T* and checks for T* – T_{S}< ΔT. The GW-node passes the verification and proceeds to the next step.(T* – T

_{B}< ΔT is known and T_{S}= T_{B}was made arbitrarily by U*)Step 2. The GW-node calculates h(ID

_{i}|| PW_{i})* = DIDi(T_{B}) ⊕ h(x_{a}|| T) and obtains ${C}_{i}^{*}\hspace{0.17em}=\hspace{0.17em}h(h(I{D}_{i}\hspace{0.17em}\left|\right|P{W}_{i})*||h(K)|\left|{x}_{a}\right||T)\hspace{0.17em}({C}_{i}^{*}={C}_{i})$ to pass the verification and proceed to the remaining steps.

Consequently, the Das protocol does not provide sufficient protection against a forgery attack by a legal user.

## 3. ECC-Based Authentication Protocol (EAP) for WSN

This section proposes a more efficient authentication mechanism using ECC. First, we review the fundamentals of Elliptic Curves and then survey the Elliptic Curves Cryptography (ECC) which is suitable for our construction of a secured authentication protocol for wireless sensor networks. The proposed five phases will be described later. The overall handshake of the proposed protocol is illustrated in Figure 1. The GW-node, S_{n} and user use the h(x_{Q}||x_{i}||x_{S}) as a session key with communication handshakes.

#### 3.1. ECC Based Authentication Protocol

In 1985 Miller and Kobiltz proposed a secure and efficient elliptic curve cryptosystem (ECC) [17,18]. Because ECC provides a smaller key size than any other cryptosystem, it is suitable for application in smart card and wireless systems.

An elliptic curve is a cubic equation of the form: E: y^{2} + axy + by = x^{3} + cx^{2} + dx + e, where a,b,c, d,e are real numbers. With regard to cryptography, we focus on the finite field of ECC and aim mainly at the prime p of elliptic curve group. The mathematical equation of ECC satisfies the form: E : y^{2} = (x_{3} + ax + b) mod p, where (4a^{3} + 27b^{2}) ≠ 0. Let F_{p} denote the finite field of points, where p is a large prime number and containing x, y, a,b elements. The equation points and the point at infinity **O** compose the elliptic curve group over real numbers. We find a large prime number n such that n × P = **O** using the elliptic curve addition algorithm. Here, × denotes an elliptic curve multiplication. The arithmetic of elliptic curve discrete logarithm problem (ECDLP) is given points Q and P, where Q, P∈ F_{p} and are both publicly known, determine the random number K, 0 < K < n-1, and compute Q as : Q =K×P is satisfies. It is hard to determine K given Q and P, namely, ECDLP is a complex mathematical problem such that the security is achieved. The analog of Diffie-Hellman key exchange uses elliptic curve characteristics to complete key exchange. The key exchange between U_{A} and U_{B} can be done as follows [18–20]:

The user U

_{A}chooses a random integer r_{A}as a private key, where r_{A}< n and computes the public key Q_{A}as: Q_{A}= r_{A}× P. Then, U_{A}sends Q_{A}to the user U_{B}.The user U

_{B}selects a random integer r_{B}as a private key, where r_{B}< n and computes the public key Q_{B}as: Q_{B}= r_{B}× P.U_{B}sends Q_{B}to U_{A}.U

_{A}can compute shared key K_{A}= r_{A}× Q_{B}= r_{A}× r_{B}× P and U_{B}can compute shared key K_{B}= r_{B}× Q_{A}= r_{B}× r_{A}× P. In this manner we find K_{A}= K_{B}.

#### 3.2. Registration Phase

This phase is invoked whenever user U_{i} performs registration with the WSN. Then, U_{i} submits {ID_{i}, PW_{B}} to the GW-node by the secured channel. Then, the GW-node performs the license to U_{i}. The following steps are performed to complete this phase:

Step 1: U

_{i}⇒ GW-node:{ID_{i}, PW_{B}}.U

_{i}chooses his/her ID_{i}and PW_{i}password and randomly chooses a large number b for computing PW_{B}= h(PW_{i}⊕ b).Step 2: After receiving the registration request, the GW-node computes K

_{IDi}= qs × H_{1}(ID_{i}) ∈ G_{p}_{,}where K_{IDi}is U_{i}’s authentication key and G_{p}denotes a cyclic addition group of P.Step 3: GW-node selects a base point P with the order n over E

_{p}(a, b), where n is a large number for the security considerations. Then, the GW node derives its private/public key pair (q_{s}, Q_{S}) by computing Q_{S}= q_{s}× P. (Here × denotes an elliptic curve multiplication).Step 4: GW node computes B

_{i}= h(ID_{i}⊕PW_{B}) and W_{i}= h(PW_{B}|| ID_{i})⊕K_{IDi}.Step 5: GW-node ⇒ smart card of U

_{i}:{B_{i}, W_{i}, h(·), b, H_{1}(.), H_{2}(.), H_{3}(.)}.GW-node stores {B

_{i}, W_{i}, h(·), H_{1}(.), H_{2}(.), H_{3}(.)} on a smart card and sends the smart card to U_{i}over a secure channel. Here H_{1}(.), H_{2}(.) and H_{3}(.) are one-way hash functions, H_{1}(.): {0, 1} →G_{p}, ${H}_{2}(.):\{0,1\}\hspace{0.17em}\to {Z}_{P}^{*}$ and ${H}_{3}(.):\{0,1\}\hspace{0.17em}\to {Z}_{P}^{*}$.Step 6: Upon U

_{i}receiving the smart card, U_{i}stores the random number b in the smart card. Such that the smart card contains {B_{i}, W_{i}, h(·), b, H_{1}(.), H_{2}(.), H_{3}(.)}.

#### 3.3. Login Phase

Assume that U_{i} enters in order to ask a service from the network, the smart card must perform the following steps to validate the legality of U_{i}:

Step 1: U

_{i}enters his/her ID_{i}and PW_{i}to login to obtain the message for GW-node request.Step 2: U

_{i}computes PW_{B}= h(PW_{i}⊕b) and B_{i}’ = h(ID_{i}⊕PW_{B}) and checks whether B_{i}’ = B_{i}. If it holds, U_{i}computes Q = h(PW_{B}||ID_{i}) and K_{IDi}= W_{i}⊕Q.

When the login request has been accepted, the user proceeds with the remaining steps:

Step 1: After U

_{i}obtaining his/her authentication key K_{IDi}, U_{i}chooses a random point R_{i}= (x_{i}, y_{i}) ∈ E_{P}(a, b), where x_{i}and y_{i}are x and y coordinating point of R_{i}.Step 2: U

_{i}computes t_{1}= H_{2}(T_{1}), M_{i}=R_{i}+ t_{1}× K_{IDi}and ${R}_{i}^{*}\hspace{0.17em}=\hspace{0.17em}{x}_{i}\hspace{0.17em}\times P$ at the timestamp T_{1}.Step 3: U

_{i}→GW-node: {T_{1}, ID_{i}, M_{i}, ${R}_{i}^{*}$}.U

_{i}sends message Msg(T_{1}, ID_{i}, M_{i}, ${R}_{i}^{*}$) to GW-node.

#### 3.4. Verification Phase

After receiving the login request message Msg(T_{1}, ID_{i}, M_{i},
${R}_{i}^{*}$) at T_{1} through the nearest sensor node (S_{n}), the GW-node executes the following steps to verify the user U_{i}:

Step 1: Compute Q

_{IDi}and R_{i}’GW-node performs the following computations to obtain Q

_{IDi}= (x_{Q}, y_{Q}) and R_{i}’ = (x_{i}’, y_{i}’) of U_{i}.QIDi = H1 (IDi)

t

_{1}= H_{2}(T_{1})R

_{i}’ = M_{i}– qs× t_{1}× Q_{IDi}Step 2: The GW node verifies whether ${R}_{i}^{*}\hspace{0.17em}=\hspace{0.17em}{x}_{i}^{\text{'}}\hspace{0.17em}\times P$. If it holds, U

_{i}is authenticated by GW-node.Step 3: GW-node→ U

_{i}: {T_{2}, M_{S}, M_{k}} through S_{n}.The GW node chooses a random point R

_{S}= (x_{S}, y_{S}) ∈ E_{P}(a, b) and computes t_{2}= H_{2}(T_{2}), M_{S}=R_{S}+ t_{2}× qs× Q_{IDi}, session key k = H_{3}(x_{Q}|| x_{i}|| x_{S}) and M_{k}= (k + x_{S}) × P.

GW-node sends a message Msg(T_{2}, M_{S}, M_{k}) through the public channel in order to respond to the request of S_{n} at the timestamp T_{2}.

#### 3.5. Mutual Authentication Phase

The GW-node sends Msg(T_{2}, M_{S}, M_{k}) to the S_{n} and then S_{n} sends Msg(ACC-LOGIN) to the GW-node. The steps are described as follows:

Step 1: Compute Q

_{IDi}and R’_{S}After receiving Msg(T2, MS, Mk), the S

_{n}execution obtains the following computationQIDi = (x

_{Q}, y_{Q}) and R’_{S}= (x’_{S}, y’_{S}) of the GW-node.Q

_{IDi}= H_{1}(ID_{i})t

_{2}= H_{2}(T_{2})R’

_{S}= M_{S}– t_{2}× K_{IDi}Step 2: S

_{n}computes k’ = H_{3}(x_{Q}|| x_{i}|| x’_{S}) and M’_{k}= (k’ + x’_{S}) × P to verify whether M’_{k}= M_{k}. If it holds, GW-node is successfully authenticated by S_{n}.

#### 3.6. The Password-Changing Phase

When a user U_{i} enters an ID_{i} and a PW_{i} in order to request a password change, the smart card must compute a new value of
$P{W}_{B}^{*}\hspace{0.17em}=\hspace{0.17em}h(P{W}_{i}^{*}\oplus b)$ to the GW-node. After receiving the password change request, the GW-node computes
${B}_{i}^{*}$ and
${W}_{i}^{*}$.

Step 1: GW-node computes ${B}_{i}^{*}\hspace{0.17em}=\hspace{0.17em}h(I{D}_{i}\oplus P{W}_{B}^{*})$ and ${W}_{i}^{*}\hspace{0.17em}=\hspace{0.17em}h(P{W}_{B}^{*}||I{D}_{i})\oplus {K}_{IDi}$.

Step 2: GW-node stores the new vale on smart card.

The smart card replaces the original values of B

_{i}, W_{i}with the new value ${B}_{i}^{*}$, ${W}_{i}^{*}$ and $P{W}_{B}^{*}\hspace{0.17em}=\hspace{0.17em}h(P{W}_{i}^{*}\oplus b)$.

## 4. Security and Performance Analysis

#### 4.1. Security Analysis

The studies we have referenced in this paper have discussed the security issues of remote user authentication. Below is a summary of those security issues, along with the reasons we believe our proposed ECC protocol can address those issues.

**Resistance to insider attack:** It is common practice for users to apply the same common password to access different applications. If a privileged insider has knowledge of another user U_{i}’s password, it hey may try to impersonate user U_{i} to access network applications. Our proposed protocol registers user U_{i} using cipher code PW_{B} = h(PWi⊕b) over a secure channel. This provides protection against stolen passwords. Thus, our protocol resists insider attacks.

**Resistance to masquerade attack:** To successfully complete a masquerade attack, an attacker must know U_{i}’s password in order to pass verification in the login phase and to be able to interpret the verification message correctly for mutual authentication. An attacker, even a legitimate user U*, cannot masquerade as a different legitimate user U_{i} without U_{i}’s password for forging the messages sent to the GW-node.

**Mutual authentication:** Mutual authentication is an important feature for a verification service that is resistant to server spoofing attacks. Our protocol provides a mutual authentication between the user U_{i} and the GW-node by using ECC-based public and private keys exchange.

**Securely change/update password:** There is provision for users to update or change their password in our proposed scheme. Namely, a user can send a new password to the GW-node and then the GW-node computes new value of
${B}_{i}^{*}$,
${W}_{i}^{*}$ and stores them on the smart card.

We recall that the protocol [12–16] of Wong et al. does not provide for mutual authentication, and can be vulnerable to forgery and replay attacks. Besides, the proposal of Watro et al. has security weaknesses against masquerade attacks, and Das’ protocol does not provide mutual authentication with an authenticated procedure using the hash function. Further, the weaknesses of Das’ scheme are that it may suffer from an insider attack and a forgery attack. Chen et al.’s scheme is similar in Das’ scheme, and also has the insider attack problem. Besides, the referenced proposals all fail to provide a secure method for updating user passwords. Table 2 compares our proposed protocol with the other referenced protocols in terms of protection against attacks. When compared against each other, our protocol provides a solution for user authentication that is more secure than the other referenced protocols.

#### 4.2. Performance Analysis

For comparing performance between our protocol and related protocols, we estimate the computation costs. In the definition of computation costs, we define the notation t_{h} as the hash computation time, t_{PA} as the elliptic curve point addition computation time, t_{PM} as the elliptic curve point multiplication computation time, t_{E} as the elliptic curve polynomial computation time, t_{PR} as the private key computation time, and t_{PU} as the public key computation time. Note that the computation costs of t_{PU} and t_{PR} are considerably higher than t_{h} (t_{PU} ≫ t_{h} and t_{PR} ≫ t_{h}) because t_{PU} and t_{PR} usually need polynomial computation cost to obtain the public and private keys. Obviously, t_{E}, t_{PA}, t_{PM} calculates a cubic equation at most and t_{h} calculates a linear equation or quadratic equation at most. The comparison of related protocols is illustrated in Table 3.

When considering the computation cost in the authentication phase (which includes the verification and mutual authentication phases), our protocol requires only 11 t_{h} + 4 t_{PA} + 6 t_{PM} + 2 t_{E}. That is, our protocol needs one point addition operation, four point multiplication operations and one polynomial operation in ECC. However, Watro et al.’s protocol needs two hash functions and four polynomial computations for private key and public key computation. It uses complex RSA and Diffie-Hellman algorithms for user authentication. The polynomial computation time calculates a prime exponential function which is considerably higher than cubic equation [12,17]. In addition, Watro et al.’s protocol needs four polynomial computations, for t_{PR} and t_{PU}, are more than the other referenced protocols [12–16]. Besides, our proposed protocol is computed through combination of point addition and point multiplication, point multiplication is defined by repeated addition. Considering the computation costs, ECC can generate smaller key sizes but maintain equivalent levels of security with RSA [18–20]. This is the reason the ECC-based protocol is more practical than Watro et al.’s protocol.

Lastly, when considering the communication cost, the proposed protocol has higher computation cost than other protocols, except for Watro et al.’s protocol. However, the protocol of Das does not provide mutual authentication. The method we propose solves most of the Das method problems. Furthermore, although Das’s scheme needs five hash computation operations, Wong’s needs four hash computation operations and Chen et al.’s protocol performs wireless sensor networking using seven t_{h}, their protocols suffer from security issues. Our proposed protocol addresses these issues and provides better security than the other related protocols.

## 5. Conclusions

In this paper, we have analyzed Das’ scheme for user authentication in WSNs. The Das protocol, which does not provide mutual authentication, is susceptible to insider and forgery attacks. We have also reviewed the protocols of Wong et al., which is vulnerable to forgery and replay attacks, of Watro et al., which is vulnerable to masquerade attacks, and Chen et al.’s protocol, which is susceptible to insider attacks. Additionally, a user cannot change his/her password with the former schemes. Since WSNs needs more efficient methods to perform mutual authentication in an insecure network environment, we use an ECC-based mechanism to accomplish this. The proposed protocol can prevent all the problems of the former schemes and provide mutual authentication to protect inside security and outside security. Furthermore, it not only inherits the merits of ECC-based mechanism but also enhances the WSN authentication with higher security than other protocols. Therefore, the proposed protocol is more suited to WSNs environments.

## Acknowledgments

This paper is supported by the National Science Council, Taiwan, R.O.C., Grant No. NSC 99-2219-E-007-007.

## References

- Callaway, EH. Wireless Sensor Networks, Architectures and Protocols; Auerbach Publications; Taylor & Francis Group: Boca Raton, FL, USA, 2003. [Google Scholar]
- Yick, J; Mukherjee, B; Ghosal, D. Wireless Sensor Network Survey. Comput. Network
**2008**, 52, 2292–2330. [Google Scholar] - Sundararaman, B; Buy, U; Kshemkalyani, AD. Clock Synchronization for Wireless Sensor Network: A Survey. Ad-Hoc Networks
**2005**, 3, 281–323. [Google Scholar] - Martinez, K; Hart, JK; Ong, R. Environmental Sensor Networks. Computer
**2004**, 37, 50–56. [Google Scholar] - Szewezyk, R; Osterweil, E; Polastre, J; Hamilon, M; Mainwaring, A; Estrin, D. Habitat Monitoring with Sensor Networks. Commun. ACM
**2004**, 47, 34–40. [Google Scholar] - Das, ML; Saxena, A; Gulati, VP. A Dynamic Id-Based Remote User Authentication Scheme. IEEE Trans. Consum. Electron
**2004**, 50, 629–631. [Google Scholar] - Leung, KC; Cheng, LM; Fong, AS; Chan, CK. Cryptanalysis of a Modified Remote User Authentication Scheme Using Smart Cards. IEEE Trans. Consum. Electron
**2003**, 49, 1243–1245. [Google Scholar] - Akyildiz, IF; Weilian, S; Sankarasubramaniam, Y; Cayirci, E. A Survey on Sensor Networks. IEEE Commun. Mag
**2002**, 40, 102–114. [Google Scholar] - Sastry, N; Wagner, D. Security Considerations for IEEE 802.15.4 Networks. In Proceedings of ACM Workshop on Wireless Security; Philadelphia, PA, USA; 1; October; 2004; pp. 32–42. [Google Scholar]
- Watro, R; Kong, D; Cuti, S-F; Gardiner, C; Lynn, C; Kruus, P; Tiny, PK. Securing Sensor Networks with Public Key Technology. Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks, Washington, DC, USA, 25 October 2004, 59–64. [Google Scholar]
- Wong, KHM; Zheng, Y; Cao, J; Wang, S. A Dynamic User Authentication Scheme for Wireless Sensor Networks. Proceedings of the IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing, Taichung, Taiwan, 5–7 June 2006; pp. 244–251.
- Das, ML. Two-Factor User Authentication in Wireless Sensor Networks. IEEE Trans. Wirel. Commun
**2009**, 8, 1086–1090. [Google Scholar] - Tseng, HR; Jan, RH; Yang, W. An Improved Dynamic User Authentication Scheme for Wireless Sensor Networks. Proceedings of IEEE Globecom, Washington, DC, USA, 26–30 November 2007; pp. 986–990.
- Khan, MK; Alghathbar, K. Security Analysis of Two-Factor Authentication in Wireless Sensor Networks. Proceedings of Advances in Computer Science and Information Technology: AST/UCMA/ISA/ACN 2010 Conferences, Miyazaki, Japan, 23–25 June 2010; pp. 55–60.
- Khan, MK; Alghathbar, K. Cryptanalysis and Security Improvements of ‘Two-Factor User Authentication in Wireless Sensor Networks’. Sensors J
**2010**, 10, 2450–2459. [Google Scholar] - Chen, TH; Shih, WK. A Robust Mutual Authentication Protocol for Wireless Sensor Networks. ETRI J
**2010**, 32, 704–712. [Google Scholar] - IEEE Standards for 802.15.4, Part 15, Amendment 4. In Wireless Medium Access Control and Physical Layer Specifications for Low-Rate Wireless Personal Area Networks; IEEE: Washington, DC, USA, 2003.
- Koblitz, N. Elliptic Curve Cryptosystems. Math. Comput
**1987**, 48, 203–209. [Google Scholar] - Miller, VS. Use of Elliptic Curves in Cryptography. In Advances in Cryptology—CRYPTO '85: Proceedings; LNCS Cryptography Volume; Springer: Berlin/Heidelberg, Germany, 1986; p. 417. [Google Scholar]
- Menezes, AJ; Oorschot, PC; Vanstone, SA. Handbook of Applied Cryptography; CRC Press Inc: Boca Raton, FL, USA, 1997. [Google Scholar]

Symbol | Definition |
---|---|

U | A user |

ID | A user’s identity |

PW | A user’s password |

DID | A user’s dynamic login identity |

GW-node | Gateway node of WSN |

S_{n} | Nearest sensor node of WSN |

h(.) | A secure one-way hash function |

x_{a} | A permanent secret parameter generated securely by the GW-node and stored in some defined sensor nodes before deploying the WSN |

K | A symmetric key of GW-node which shared between the GW-node, users and the sensor nodes |

|| | A string concatenation operation |

⊕ | A string XOR operation |

⇒ | A secure channel |

→ | A public channel |

Item | Proposed | Chen et al.’s | Das’ | Watro et al.’s | Wong et al.’s |
---|---|---|---|---|---|

Avoiding insider attack | Yes | No | No | Yes | Yes |

Securely change/update password | Yes | No | No | No | No |

Avoiding forgery attack | Yes | Yes | No | Yes | No |

Mutual authentication | Yes | Yes | No | Yes | No |

Avoiding masquerade attack | Yes | Yes | Yes | No | Yes |

Avoiding replay attack | Yes | Yes | Yes | Yes | No |

Avoiding guessing attack | Yes | Yes | Yes | Yes | Yes |

Proposed | Chen et al. | Das | Watro et al. | Wong et al. | |
---|---|---|---|---|---|

Authentication (Verification and Mutual Authentication) | 11 t_{h} + 4 t_{PA} + 6 t_{PM} + 2 t_{E} | 7 t_{h} | 5t_{h} | 2t_{h}+2t_{PR}+2t_{PU} | 4t_{h} |

© 2011 by the authors; licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/).