Cryptanalysis and Security Improvements of ‘Two-Factor User Authentication in Wireless Sensor Networks’

User authentication in wireless sensor networks (WSNs) is a critical security issue due to their unattended and hostile deployment in the field. Since sensor nodes are equipped with limited computing power, storage, and communication modules, authenticating remote users in such resource-constrained environments is a paramount security concern. Recently, M.L. Das proposed a two-factor user authentication scheme for WSNs and claimed that his scheme is secure against different kinds of attack. However, in this paper, we show that the M.L. Das-scheme has some critical security pitfalls and cannot be recommended for real applications. We point out that in his scheme users cannot change or update their passwords, mutual authentication between the gateway node and the sensor node is not provided, and the scheme is vulnerable to the gateway node bypassing attack and the privileged-insider attack. To overcome these inherent security weaknesses of the M.L. Das-scheme, we propose improvements and security patches that attempt to fix the susceptibilities of his scheme. The proposed security improvements can be incorporated into the M.L. Das-scheme to achieve a more secure and robust two-factor user authentication in WSNs.

Consequently, L.C. Ko proposed a modified scheme which attempts to overcome the aforementioned security pitfalls of Tseng et al.'s protocol and proved that his scheme has better security features than Tseng et al.'s scheme [7]. Binod et al. [10] cryptanalyzed the authentication schemes of Wong et al. and Tseng et al. and proposed an improved scheme. Binod et al. showed that their scheme is more robust than previously published schemes, can withstand the replay, forgery and man-in-the-middle attacks, and provides mutual authentication between the login node and the gateway node.
Recently, M.L. Das [11] proposed a two-factor user authentication scheme for WSNs. M.L. Das also identified that Wong et al.'s protocol is vulnerable to the many-logged-in-users-with-the-same-login-id threat, that is, anyone who has a valid user's password can easily log in to the sensor network [11]. He also identified that Wong et al.'s protocol is susceptible to the stolen-verifier attack, because the GW-node and the login-node maintain a lookup table of all the registered users' credentials. Consequently, M.L. Das proposed his protocol to overcome the security flaws of Wong et al.'s scheme. His protocol uses the two-factor authentication concept based on a password and a smart card, and resists the many-logged-in-users-with-the-same-login-identity, stolen-verifier, guessing, replay, and impersonation attacks.
More recently, Nyang and Lee pointed out that the protocol of M.L. Das is vulnerable to the offline password guessing attack and the sensor node compromising attack, and that it does not protect query response messages by establishing a unique secure channel from the sensor node to the user, which is an important way of serving a registered user in a secure and legitimate way [17]. Consequently, Nyang and Lee proposed an improved two-factor authentication protocol for WSNs, which attempts to overcome the discrepancies they identified in the M.L. Das-scheme.
However, in this paper, we identify that the M.L. Das-scheme is still not secure and is vulnerable to several critical security attacks. In addition to the problems identified by Nyang and Lee, we show that the M.L. Das-scheme is defenseless against the GW-node bypassing attack, does not provide mutual authentication between the GW-node and sensor nodes, is exposed to the insider attack, and has no provision for changing or updating the passwords of registered users. To fix the aforementioned weaknesses of the M.L. Das-scheme, we propose security improvements in this paper. Our enhanced security patch adds a secure facility for changing or updating users' passwords, provides protection against the insider attack, overcomes the GW-node bypassing attack, and provides mutual authentication between the GW-node and the sensor node. The proposed security improvements can easily be incorporated into the M.L. Das-scheme to obtain a more secure and robust two-factor user authentication in WSNs.
The rest of the paper is organized as follows: Section 2 briefly reviews the M.L. Das-scheme, Section 3 elaborates on the weaknesses and security pitfalls of his scheme, Section 4 presents our proposed security patch, improvements and analysis over the M.L. Das-scheme, Section 5 presents the performance analysis of the proposed scheme, and finally, Section 6 concludes the paper.

Review of the M.L. Das-Scheme
In this section, we briefly review the user authentication scheme of M.L. Das, which is divided into two phases, namely the registration phase and the authentication phase.

Registration Phase
When a user wants to register with the WSN, he submits his and to the gateway node (GW-node) in a secure manner. Upon receiving the registration request, the GW-node computes || , where K is a symmetric key kept secret by the GW-node, and '||' is the bit-wise concatenation operator. The GW-node then personalizes the smart card with the parameters . , , , and , where . is a secure one-way hash function and is a secret value generated securely by the GW-node and stored in some designated sensor nodes before deploying the WSN. At the end of this phase, receives his personalized smart card in a secure manner.

Authentication Phase
The authentication phase is invoked when wants to log in to the WSN or access data from the network. It is further sub-divided into two phases, namely the login phase and the verification phase.

1) Login Phase
In the login phase, inserts his smart card into the terminal and inputs and . The smart card validates the and against the stored values. If is successfully authenticated, the smart card performs the following steps:
Step-L1: Computes || || , where is the current timestamp of the system.
Step-L2: Computes || || , then sends , , to the GW-node.

2) Verification Phase
Upon receiving the login request , , at time , the GW-node authenticates by the following steps:
Step-V1: Checks if ∆ ; if so, the GW-node proceeds to the next step, otherwise the verification is terminated. Here ∆ denotes the expected time interval for the transmission delay.
Step-V2: Computes || || and
Step-V4: The GW-node now sends a message , , to some nearest sensor over a public channel so that it responds to the query/data that is looking for, where the value of is || || || and is the current timestamp of the GW-node. Here, the value of is used to ensure that the message originally comes from the real GW-node.
Step-V5: After receiving the message , , , validates the timestamp. If the timestamp is within the valid interval, then computes | || | and checks whether it is equal to . If this check passes, then responds to 's query.

GW-Node Bypassing Attack
In the M.L. Das-scheme, after performing the verification phase and accepting the login request of , the GW-node sends an intimation message , , to some nearest sensor node to inform about the successful login of and to request to respond to the query/data of . Here, is computed by || || || , where is a secret parameter that is known to the GW-node and the sensor node and is also stored in the smart card of ; is the timestamp of the GW-node, and is the dynamic ID of the user, computed by || || . In the M.L. Das-scheme, the value of is used to ensure that the message is coming from the legitimate GW-node. Here, we assume that if the value of is extracted from the smart card of by some means [12,13], then himself or any adversary can log in to without going through the verification of the GW-node, so Das  and checks whether the value of ? holds or not. If it holds, responds to the adversary's query, and , who is an adversary and not a legitimate user of the sensor network system, enjoys the resources as an authorized user without being a member of the system.

No Mutual Authentication between GW and Sensor Nodes
In the M.L. Das-scheme, after accepting the login request of , the GW-node sends a message , , to some nearest sensor node . Here the value of is computed by , where is the current timestamp of the GW-node. This message informs the sensor node to respond to the query/data that is requesting from the sensor network. In this message, the value of assures the sensor node that it came from the real GW-node. However, while the sensor node verifies the authenticity of the GW-node, the GW-node has no way of verifying whether the sensor node is genuine or fake. Thus, the M.L. Das-scheme only provides unilateral authentication between the GW-node and the sensor node; there is no mutual authentication between the two nodes, which is an indispensable property in authentication protocol design [14].

Privileged-Insider Attack
In a real environment, it is common practice that many users use the same password to access different applications or servers, for the convenience of remembering long passwords and for ease of use whenever required. However, if the system manager or a privileged insider of the GW-node knows the password of , he may try to impersonate by accessing other servers where could be a registered user. In the M.L. Das-scheme, registers with the GW-node by presenting his password in plain format, i.e., . Thus, his scheme is exposed to the insider attack at the GW-node by a privileged user who has come to know the password of and can misuse the system in the future [15].

No Provision for Changing/Updating Passwords
In the M.L. Das-scheme, there is no provision for to change or update his password whenever required. It is a widely recommended security policy for highly secure applications that users should update or change their passwords frequently, yet there is no such option in the M.L. Das-scheme.

Proposed Security Improvements and Analysis
In this section, we propose security improvements over the scheme of M.L. Das and perform analysis of our security patches as follows:

Introducing Password Change Phase
In this subsection, we introduce a password-change/update phase into the M.L. Das-scheme. In the password-change phase, when a user wants to change his password to a new password , he inserts his smart card into the terminal and enters his ID and password. The smart card validates his and against the stored values, and if the entered and are correct, the smart card performs the following operations without interacting with the GW-node: , where the value of is already stored on the smart card, i.e.

(ii)
The smart card replaces the old value of with the new values and . The new password is now in effect and this phase terminates.

Protection against Insider Attack
As mentioned in subsection 3.3, the M.L. Das-scheme is vulnerable to the privileged-insider attack because presents his plaintext password to the GW-node. This problem can simply be overcome if submits only to the GW-node, which is the hashed value of the plaintext password. Thus, in the registration phase, the GW-node would compute || instead of just || , and nobody except would ever learn his secret password, which protects from the possibility of the privileged-insider attack [16].
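The following added example (not code from the paper, and not the authors' exact equations, whose symbols are not reproduced above) models the two patches of subsections 4.1 and 4.2 together: the user registers with h(PW) instead of PW, and the smart card later changes the password locally without contacting the GW-node. The card value N = h(ID || h(PW)) xor h(K), the local verifier V and the GW-side secrets are assumptions made for the illustration.

```python
import hashlib
import secrets

def h(*parts: bytes) -> bytes:
    """Assumed one-way hash h(.): SHA-256 over the concatenation a || b || ..."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def registration_request(uid: bytes, pw: bytes) -> tuple:
    """Patched registration: the user submits h(PW), never PW, to the GW-node."""
    return uid, h(pw)

class Gateway:
    def __init__(self):
        self.K = secrets.token_bytes(32)    # master key K, never leaves the GW-node
        self.x_u = secrets.token_bytes(32)  # secret the GW-node shares with smart cards

    def register(self, uid: bytes, hashed_pw: bytes) -> dict:
        # Assumed card value N = h(ID || h(PW)) xor h(K).  A privileged insider
        # reading this request learns h(PW) only, not the reusable password.
        N = xor(h(uid, hashed_pw), h(self.K))
        return {"ID": uid, "N": N, "x": self.x_u, "V": h(N, hashed_pw)}

class SmartCard:
    def __init__(self, personalization: dict):
        self.data = dict(personalization)

    def check_owner(self, uid: bytes, pw: bytes) -> bool:
        """Local ID/PW validation against the stored verifier V (assumed form)."""
        return uid == self.data["ID"] and h(self.data["N"], h(pw)) == self.data["V"]

    def change_password(self, uid: bytes, old_pw: bytes, new_pw: bytes) -> bool:
        """Password-change phase, run entirely on the card without GW-node contact.
        h(K) is never exposed: N* = N xor h(ID || h(PW)) xor h(ID || h(PW*))."""
        if not self.check_owner(uid, old_pw):
            return False
        new_N = xor(xor(self.data["N"], h(uid, h(old_pw))), h(uid, h(new_pw)))
        self.data["N"], self.data["V"] = new_N, h(new_N, h(new_pw))
        return True

def consistent_with_gateway(card: SmartCard, uid: bytes, pw: bytes, gw: Gateway) -> bool:
    """True if the card's N equals what the GW-node would issue for (ID, h(PW))."""
    return xor(card.data["N"], h(uid, h(pw))) == h(gw.K)
```

After a change, `consistent_with_gateway` confirms that the card now holds exactly the value the GW-node would have issued for the new password, so later logins need no re-registration.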

Overcoming GW-node Bypassing Attack and Providing Mutual Authentication
It was identified in subsection 3.1 that the GW-node bypassing attack is possible in the M.L. Das-scheme, so that an adversary who has not passed the login at the GW-node can still access the resources of the sensor network. The attack is possible because the secret parameter is shared with both the sensor node and the user . If the value of is compromised, the whole sensor network becomes vulnerable to the GW-node bypassing attack.
Thus, we propose not to share the same secret parameter between and , so that every entity has its own secret parameter or key. Here, we suggest that the GW-node should share only with , and that there should be another secret parameter , known only to the GW-node and the sensor nodes, which can be stored in the sensor nodes before their deployment in the field. These sensor nodes are responsible for responding to users' queries.
To overcome this security flaw, Step-V4 and Step-V5 in the verification phase of the M.L. Das-scheme can be amended by the following steps: After accepting the login request of , the GW-node sends the message , , , to some nearest sensor node to respond to the query/data of , where is computed by || || || . Here is the secret parameter, which is securely stored in the sensor node and shared only with the GW-node, and is the current timestamp of the GW-node's system. and checks whether ? holds or not. If it holds, the GW-node establishes trust in the sensor node; otherwise, the GW-node raises an alert about the possibility of a malicious sensor node in the network and sends a process-termination message. (vii) After successful authentication, enjoys the resources provided by the sensor network.
Although, in the proposed security patch, the introduction of one more secret parameter creates storage overhead on the GW-node, its benefits are two-fold and cannot be overlooked. The first benefit, as described above, is to overcome the GW-node bypassing attack, while the second is the ease of updating the secret parameter (key) in case is compromised by an adversary. In the M.L. Das-scheme, if is compromised and the GW-node has to revoke it in favour of a new secret parameter , the cost of revocation is very high, because the new value needs to be updated on all 's smart cards as well as on all the sensor nodes in the field. In our proposed security improvement/patch, on the other hand, the cost of revoking either or can be halved, because the different values and are assigned to and , respectively.
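The following added example (my own model, not the paper's code; the exact message fields of the amended Step-V4/V5 are assumptions, since the paper's symbols are not reproduced above) shows the amended exchange with separated secrets: the GW-node keys its message to the sensor under x_s, the sensor answers with its own keyed value so the GW-node can authenticate it, and a message keyed under anything other than x_s (such as the card-side x_u) is rejected by the sensor. The tolerated delay DELTA and the timestamp encoding are likewise assumed.

```python
import hashlib
import secrets

def h(*parts: bytes) -> bytes:
    """Assumed one-way hash h(.): SHA-256 over the concatenation a || b || ..."""
    return hashlib.sha256(b"".join(parts)).digest()

DELTA = 5  # assumed tolerated transmission delay, in seconds

def fresh(ts: int, now: int) -> bool:
    return abs(now - ts) <= DELTA

def i2b(n: int) -> bytes:
    return n.to_bytes(8, "big")

class Sensor:
    def __init__(self, sid: bytes, x_s: bytes):
        self.sid, self.x_s = sid, x_s  # x_s provisioned before deployment

    def handle_gw_request(self, did: bytes, A: bytes, T_g: int, now: int):
        """Amended Step-V5: verify freshness and A, then answer with its own MAC B."""
        if not fresh(T_g, now) or A != h(did, self.sid, self.x_s, i2b(T_g)):
            return None  # stale, or not keyed under x_s: drop the request
        T_s = now
        return T_s, h(did, self.sid, self.x_s, i2b(T_g), i2b(T_s))

class Gateway:
    def __init__(self):
        self.x_u = secrets.token_bytes(32)  # shared with smart cards only
        self.x_s = secrets.token_bytes(32)  # shared with sensor nodes only

    def step_v4(self, did: bytes, sid: bytes, now: int) -> tuple:
        """Amended Step-V4: A binds DID, the target sensor, x_s and the timestamp."""
        return did, h(did, sid, self.x_s, i2b(now)), now

    def verify_sensor(self, did: bytes, sid: bytes, T_g: int, reply, now: int) -> bool:
        """GW-node side of the mutual authentication: check the sensor's B."""
        if reply is None:
            return False
        T_s, B = reply
        return fresh(T_s, now) and B == h(did, sid, self.x_s, i2b(T_g), i2b(T_s))

def mutual_auth(gw: Gateway, sensor: Sensor, did: bytes, now: int) -> bool:
    """One full GW-node <-> sensor exchange; True only if both sides accept."""
    did, A, T_g = gw.step_v4(did, sensor.sid, now)
    return gw.verify_sensor(did, sensor.sid, T_g, sensor.handle_gw_request(did, A, T_g, now), now)

def request_keyed_with(secret: bytes, did: bytes, sid: bytes, now: int) -> tuple:
    """A Step-V4 message keyed under another secret (e.g. x_u); the sensor must reject it."""
    return did, h(did, sid, secret, i2b(now)), now
```

Because x_s is never written to a smart card, extracting the card's x_u no longer yields anything the sensor will accept, and a sensor holding the wrong x_s fails the GW-node's check.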

Performance Analysis of Proposed Scheme
In this section, we summarize the security features and performance of our proposed scheme and compare its security and robustness with the schemes of M.L. Das [11] and Nyang and Lee [17]. Table 1 shows that our scheme is more secure and robust than the schemes of [11] and [17], and achieves additional security features that were not considered in those schemes and are essential for a practical and universal two-factor user authentication protocol in WSNs. Furthermore, it can be seen from Table 1 that our scheme needs only 13 hashing operations, in contrast to the protocols of M.L. Das and Nyang-Lee, which require 10 and 17 hash computations, respectively. Our scheme provides protection against the insider attack and the gateway node bypassing attack, offers a password change/update option, and achieves mutual authentication between the gateway and sensor nodes, which requires a few more hashing operations than [11] to enhance the security of the overall authentication system. Hence, the computational overhead of the proposed scheme is not too high, while the scheme contains several enhanced security features that are indispensable for implementing a reliable and trustworthy remote user authentication scheme in the WSN environment.

Conclusions
In this paper, we have shown that a recently proposed two-factor user authentication scheme for the WSN environment is insecure against different kinds of attack and should not be deployed in real applications. We have demonstrated that in the M.L. Das-scheme there is no provision for users to change or update their passwords, the GW-node bypassing attack is possible, mutual authentication between the GW-node and the sensor node is not provided, and the scheme is susceptible to the privileged-insider attack. To remedy these flaws, we have proposed security patches and improvements that overcome the weak points of the M.L. Das-scheme. The presented security improvements can easily be incorporated into the M.L. Das-scheme for a more secure and robust two-factor user authentication in WSNs.