A Secured Authentication Protocol for Wireless Sensor Networks Using Elliptic Curves Cryptography

User authentication is a crucial service in wireless sensor networks (WSNs) because sensor nodes are typically deployed in unattended environments, leaving them open to hostile network attack. Because wireless sensor nodes are limited in computing power, data storage and communication capability, any user authentication protocol must be designed to operate efficiently in a resource-constrained environment. In this paper, we review several proposed WSN user authentication protocols, give a detailed review of M. L. Das's protocol, and present a cryptanalysis of that protocol that shows several security weaknesses. We then propose an ECC-based user authentication protocol that resolves these weaknesses; according to our security analysis, it is suitable for applications with higher security requirements. Finally, we compare the security, computation and communication costs of the related protocols. The ECC-based protocol is shown to be suitable for higher-security WSNs.


Introduction
As wireless communication technology has matured, the deployment of Wireless Sensor Networks (WSNs) has become more common. Wireless communication is a natural fit for sensor networks for the following reasons: it reduces the cost of infrastructure, allowing sensor networks to be deployed in areas that were once cost prohibitive and it allows a greater range of applications than fixed location sensor networks [1]. WSNs are now providing economical solutions in a host of diverse industries: electric utilities use WSNs for remote voltage monitoring, museums use WSNs for humidity monitoring and control, health care providers use WSNs for patient monitoring and notification, and they are in use in the military. Other applications include environment tracking and habitat monitoring, etc. [2][3][4][5].
A key requirement for a WSN is user authentication [6,7]. The client devices (remote wireless sensor nodes) need to be authenticated before being allowed to join the WSN and access the WSN's resources. To date, most user authentication methods have focused on protocol implementations in the network and link layers. By contrast, we propose an efficient protocol implementation in the WSN application layer. It should be noted that, in order to limit power consumption by sensor nodes and to overcome their limited computation capacity, user authentication in a WSN is typically done in a dedicated gateway node (GW-node) [8].
Sastry and Wagner [9] proposed a security enhancement using access control lists (ACLs) in the GW-node. In addition to verifying a client's identity and arranging the nearest sensor node, an ACL would be maintained; the ACL would be limited to 255 entries. Watro et al. [10] proposed a complex mathematical method for user authentication employing the RSA and Diffie-Hellman algorithms to calculate an encrypted public key (TinyPK authentication), but this protocol is open to hostile attack by a user masquerading as a sensor node (spoofing). Wong et al. [11] proposed a less complex, light-weight, dynamic user authentication method using a hash-based protocol. Their method recommended using the security features of the IEEE 802.15.4 MAC sublayer. Das [12] and Tseng et al. [13] pointed out that both Watro's and Wong's user authentication methods were vulnerable to stolen-verifier, replay, and forgery attacks (made possible by allowing multiple users with a single login ID). Das [12] proposed a two-factor method of user authentication designed to protect against the aforementioned stolen-verifier, replay, and forgery attacks. Tseng et al. [13] further pointed out that Wong's method was vulnerable to stolen passwords and that it prevented users from freely changing their password. Tseng et al. proposed an enhanced user authentication method that is designed to prevent the various attacks and to reduce the vulnerability to stolen passwords. Khan et al. [14,15] and Chen et al. [16] reviewed the Das two-factor method and found additional security issues. Chen et al. [16] proposed a more secure and robust two-factor user authentication scheme for WSNs. Unfortunately, we find that the Chen et al. proposal fails to provide a secure method for updating user passwords and is vulnerable to the insider attack problem.
To address all of the issues raised in the above studies, we propose a novel user authentication protocol for wireless sensor networks, using Elliptic Curves Cryptography (ECC) and smart cards. Our proposal addresses the key security issues, while at the same time reducing computational load requirements. The remainder of this paper is organized as follows: in Section 2, we review the Das method and perform a detailed cryptanalysis of that method; next we present the ECC-based authentication protocol (EAP) for WSNs in Section 3. In Section 4, we present a security and performance analysis of the related protocols. Then, in Section 5, we provide some concluding remarks.

Review of Das' Scheme
This section provides a brief review of the Das method and analyzes its protocol. Before this analysis we first summarize in Table 1 the notations used throughout this paper and their corresponding definitions. Das' protocol involves the registration phase, login phase and verification phase, and can be briefly described as follows: (1) Registration phase: In this phase, a user U i submits his/her ID i and PW i to the GW-node in a secured manner. Then, the GW-node issues a license to U i . The steps are described as follows: Step 1: U i → GW-node: {ID i , PW i }. U i enters an identity ID i and a password PW i and then sends {ID i , PW i } to the GW-node using a secure channel.
Step 2: GW-node → U i : smart card. After receiving the registration request, the GW-node personalizes the smart card with parameters {h(.), ID i , N i , h(PW i ), x a }. U i receives the smart card using a secure channel.
(2) Login phase: When user U i enters an ID i and a PW i in order to carry out some inquiry or to access data from the WSN, the smart card must confirm the validity of U i according to the following steps: Step 1: Validate U i . The entered ID i and PW i are validated against the ID and PW stored on the user's smart card. If U i 's identification validation fails, the smart card will terminate this request.
Step 2: U i 's smart card calculates DID i and C i .
where T is the login system timestamp.
{DID i , C i , T} is transmitted to the GW-node via public channel.
(3a) Verification phase (gateway node): When the GW-node receives a login request {DID i , C i , T} at time T*, the GW-node performs the following steps to verify the identity of U i : Step 1: Checks whether (T* − T) ≤ ΔT.
If (T* − T) ≤ ΔT then T is accepted as fresh and the GW-node proceeds to the next step. Otherwise, the GW-node rejects the request. Here, ΔT denotes the expected time interval for transmission delay.
Step 3: Confirms whether C i = C i *.
If C i = C i *, then the GW-node accepts the login request and sends a request to S n .
Step 4: GW-node→S n : The GW-node calculates A i = h(DID i || S n || x a || T') and transmits a request {DID i , A i , T'} to S n over a public channel. T' is the GW-node request timestamp. A i is generated using the x a parameter, thus the value of A i can be used by S n to ensure that the message originates from a valid GW-node.
(3b) Verification phase (sensor node): When S n receives the request {DID i , A i , T'} at its local time T, S n performs the following steps to verify the validity of the request: Step 1: If (T − T') ≤ ΔT then T' is accepted as fresh, and S n proceeds to the next step.
Step 3: Confirms whether the value of the locally calculated A i is the same as the value of A i in the GW-node request.
If the value of the locally calculated A i is the same as the value of A i in the GW-node request, then S n responds to U i 's original request. Otherwise, S n rejects the request.

Cryptanalysis of Das' Protocol
Recently, several studies have analyzed security flaws in Das' scheme [14][15][16]. In this section, we also discuss the requirements of security in WSNs and describe the primary flaw of Das' protocol (it omits mutual authentication) and several secondary security issues [14][15][16].

Security Requirements in Wireless Sensor Networks
Sastry and Wagner [9] noted several problems with regard to the security of user authentication provided by IEEE 802.15.4 [17]. They cited ACL management problems, loss of ACL state due to power interruptions, and key management problems. They concluded that IEEE 802.15.4 provides insufficient user authentication security and provided some solutions for the noted problems. However, above and beyond the security issues noted by Sastry and Wagner, there are two additional security issues that must be addressed:
- Secure user authentication in WSNs should include, to the extent possible, methods for addressing application layer issues such as masquerade, replay, and forgery attacks.
- Secure user authentication in WSNs should be based on mutual authentication.

No Mutual Authentication
Because Das' protocol does not provide mutual authentication [14][15][16], a malicious user can attack a WSN that uses the Das protocol by means of eavesdropping and masquerading. The attack could be accomplished as follows: (i) U i sends the message {DID i , C i , T} to the GW-node to access the WSN. (ii) The GW-node sends the message {DID i , A i , T'} to S n to request the service for U i . (iii) The attacker captures the message {DID i , A i , T'} via eavesdropping. (iv) The attacker deploys a node S M which masquerades as S n to obtain U i 's request data or to hold back the request. (v) Because S M keeps interposing itself between U i and S n , U i 's access requests will continue to fail.
With the Das method, after accepting the login request of U i , the GW-node sends a message {DID i , A i , T'} to some nearest sensor node S n . Here the value of A i is computed as A i = h(DID i || S n || x a || T'), where T' is the current timestamp of the GW-node. The value of A i is used to assure the sensor node that the message has come from the real GW-node. The GW-node message directs the sensor node to reply to the query with the data which U i has requested. However, there is no mechanism for the GW-node to be assured that the reply message was initiated by the queried sensor node. Thus, the Das scheme only provides unilateral authentication from the GW-node to the sensor node; there is no mutual authentication between the two nodes.
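The GW-node → S n leg described above, as an added example in Python (not code from the paper): it builds A i = h(DID i || S n || x a || T'), applies the ΔT freshness window at S n , and shows what the check does and does not catch. The choice of hash (SHA-256 over a "||" concatenation), the numeric value of ΔT and the sample identifiers are assumptions made for the example.

```python
import hashlib
import hmac

DELTA_T = 5  # seconds; the paper's ΔT transmission-delay window (value is an assumption)


def h(*parts: bytes) -> bytes:
    """h(.) modelled as SHA-256 over the '||' concatenation of its inputs (assumption)."""
    return hashlib.sha256(b"||".join(parts)).digest()


def compute_a_i(did_i: bytes, sn_id: bytes, x_a: bytes, t_prime: int) -> bytes:
    """A_i = h(DID_i || S_n || x_a || T'), keyed by the GW-node secret x_a."""
    return h(did_i, sn_id, x_a, str(t_prime).encode())


def gw_build_request(did_i: bytes, sn_id: bytes, x_a: bytes, t_prime: int) -> dict:
    """GW-node -> S_n: the request {DID_i, A_i, T'} sent over the public channel."""
    return {"DID_i": did_i, "A_i": compute_a_i(did_i, sn_id, x_a, t_prime), "T_prime": t_prime}


def sn_verify_request(msg: dict, sn_id: bytes, x_a: bytes, t_now: int) -> str:
    """S_n side: step 1 is the freshness window, step 3 is the A_i comparison.
    Returns 'ok', 'stale' or 'bad_tag'."""
    if not 0 <= t_now - msg["T_prime"] <= DELTA_T:
        return "stale"
    expected = compute_a_i(msg["DID_i"], sn_id, x_a, msg["T_prime"])
    # constant-time comparison so the check itself does not leak A_i byte by byte
    if not hmac.compare_digest(expected, msg["A_i"]):
        return "bad_tag"
    return "ok"


def demo() -> dict:
    # constructed sample values; in the scheme x_a is known only to GW-node and sensors
    x_a = b"gw-secret-x_a"
    sn = b"S_n-17"
    did = b"DID_i-sample"
    req = gw_build_request(did, sn, x_a, t_prime=1000)
    return {
        "fresh": sn_verify_request(req, sn, x_a, t_now=1003),
        # a replay outside the window is caught by the timestamp check
        "replayed_late": sn_verify_request(req, sn, x_a, t_now=1000 + DELTA_T + 1),
        # a replay inside the window is NOT caught: the timestamp alone is the only freshness
        "replayed_in_window": sn_verify_request(req, sn, x_a, t_now=1004),
        # a node holding a different x_a cannot pass as the GW-node
        "wrong_gateway": sn_verify_request(req, sn, b"other-secret", t_now=1003),
        # modifying DID_i in transit invalidates A_i
        "tampered": sn_verify_request({**req, "DID_i": b"DID_j"}, sn, x_a, t_now=1003),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>20}: {outcome}")
```

Nothing in the exchange covers the reply from S n : the function above has no counterpart for the sensor's answer because the scheme defines no tag for it, which is exactly why a masquerading S M is indistinguishable from S n to the GW-node and to U i .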

No Protection against Insider Attacks
Nowadays users often use a single common password for accessing different applications or servers. This is common practice and is done for convenience, since it relieves the user from having to remember multiple passwords. Nevertheless, if the system manager or a privileged user of the GW-node obtains the common password of U i , he/she may try to impersonate U i by accessing other servers where U i is a registered user. In the Das scheme [14,15], U i performs registration with the GW-node by presenting the password in plain form. Thus, the Das protocol does not provide sufficient protection against an insider attack on the GW-node by a privileged user.

No Provision for Changing/Updating Passwords
A fixed password is more exposed to compromise than one that is changed periodically. It is a widely recommended security policy, for highly secure applications, that users should update or change their passwords frequently. In the scheme [14,15], there is no provision for a user to easily change his/her password.

No Protection against Forgery Attacks
A legitimate user of the system can launch a forgery attack against the WSN by eavesdropping and masquerading. A forgery attack can be launched as follows [16]: (iv) U* can use the login phase formula to compute Consequently, the Das protocol does not provide sufficient protection against a forgery attack by a legitimate user.

ECC-Based Authentication Protocol (EAP) for WSN
This section proposes a more efficient authentication mechanism using ECC. First, we review the fundamentals of elliptic curves and then survey Elliptic Curve Cryptography (ECC), which is suitable for our construction of a secured authentication protocol for wireless sensor networks. The proposed five phases are described afterwards. The overall handshake of the proposed protocol is illustrated in Figure 1. The GW-node, S n and user use h(x Q ||x i ||x S ) as the session key for the subsequent communication.

ECC Based Authentication Protocol
In 1985 Miller and Koblitz proposed a secure and efficient elliptic curve cryptosystem (ECC) [17,18]. Because ECC achieves a given security level with a much smaller key size than RSA, it is suitable for application in smart cards and wireless systems.
An . In this manner we find K A = K B .

Registration Phase
This phase is invoked whenever user U i registers with the WSN. U i submits {ID i , PW B } to the GW-node over the secured channel, and the GW-node then issues a license to U i . The following steps are performed to complete this phase: Step 1: U i → GW-node: {ID i , PW B }. U i chooses his/her ID i and password PW i and randomly chooses a large number b for computing PW B = h(PW i ⊕b).
Step 2: After receiving the registration request, the GW-node computes K IDi = q s × H 1 (ID i ) ∈ G p , where K IDi is U i 's authentication key and G p denotes the cyclic additive group generated by P.
Step 3: GW-node selects a base point P of order n over E p (a, b), where n is a large number for security considerations. Then, the GW-node derives its private/public key pair (q s , Q S ) by computing Q S = q s × P. (Here × denotes elliptic curve point multiplication.) Step 6: Upon receiving the smart card, U i stores the random number b in the smart card, such that the smart card contains
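The elliptic-curve operations the background section and the registration phase rely on, as an added example in Python (not code from the paper): affine point addition on E p (a, b), point multiplication as repeated addition, the Diffie-Hellman agreement K A = K B , the GW-node key pair Q S = q s × P, and the authentication key K IDi = q s × H 1 (ID i ). The curve (secp256k1), the try-and-increment construction of H 1 and the sample identity are assumptions; the paper fixes none of them.

```python
import hashlib
import secrets

# secp256k1 as a concrete E_p(a, b): y^2 = x^3 + a*x + b over GF(p). Curve choice is an assumption.
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A_COEF = 0
B_COEF = 7
BASE_POINT = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
              0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ORDER_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INFINITY = None  # point at infinity, the identity of the additive group G_p


def is_on_curve(pt) -> bool:
    if pt is INFINITY:
        return True
    x, y = pt
    return (y * y - (x * x * x + A_COEF * x + B_COEF)) % P_MOD == 0


def point_add(p1, p2):
    """Affine addition on E_p(a, b), covering identity, inverse pairs and doubling."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INFINITY  # p1 + (-p1) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k: int, pt):
    """k x pt by double-and-add: point multiplication is repeated point addition."""
    result, addend = INFINITY, pt
    k %= ORDER_N
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_point(identity: bytes):
    """H_1: identity -> point of E_p(a, b) by try-and-increment (construction is an assumption).
    Works because p = 3 (mod 4), so a square root of a residue r is r^((p+1)/4)."""
    counter = 0
    while True:
        digest = hashlib.sha256(identity + counter.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % P_MOD
        rhs = (x * x * x + A_COEF * x + B_COEF) % P_MOD
        if pow(rhs, (P_MOD - 1) // 2, P_MOD) == 1:  # rhs is a quadratic residue
            return (x, pow(rhs, (P_MOD + 1) // 4, P_MOD))
        counter += 1


def keygen():
    """Private scalar in [1, n-1] and public point q x P, as for the GW-node pair (q_s, Q_S)."""
    priv = secrets.randbelow(ORDER_N - 1) + 1
    return priv, scalar_mult(priv, BASE_POINT)


def ecdh_shared_secret(my_priv: int, their_pub):
    return scalar_mult(my_priv, their_pub)


def gw_authentication_key(q_s: int, identity: bytes):
    """K_IDi = q_s x H_1(ID_i), computed by the GW-node at registration."""
    return scalar_mult(q_s, hash_to_point(identity))


def demo() -> dict:
    d_a, q_a = keygen()
    d_b, q_b = keygen()
    k_a = ecdh_shared_secret(d_a, q_b)  # K_A = d_a x (d_b x P)
    k_b = ecdh_shared_secret(d_b, q_a)  # K_B = d_b x (d_a x P)
    q_s, big_q_s = keygen()             # GW-node pair (q_s, Q_S)
    k_id = gw_authentication_key(q_s, b"user-0001")  # constructed sample ID_i
    return {"ecdh_agrees": k_a == k_b,
            "q_s_on_curve": is_on_curve(big_q_s),
            "k_id_on_curve": is_on_curve(k_id)}


if __name__ == "__main__":
    print(demo())
```

Because secp256k1 has cofactor 1, every affine point returned by hash_to_point already lies in the group of order n; on a curve with a larger cofactor the result would additionally have to be multiplied by the cofactor before use as H 1 (ID i ).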

Login Phase
When U i wants to request a service from the network, the smart card must perform the following steps to validate the legality of U i : Step 1: U i enters his/her ID i and PW i in order to log in and obtain the message for the GW-node request.
Step 2: U i computes PW B = h(PW i ⊕b) and B i ' = h(ID i ⊕PW B ) and checks whether When the login request has been accepted, the user proceeds with the remaining steps: Step 1: After U i obtains his/her authentication key K IDi , U i chooses a random point ), where x i and y i are the x and y coordinates of R i .

Verification Phase
After receiving the login request message Msg(T 1 , ID i , M i , R i * ) at T 1 through the nearest sensor node (S n ), the GW-node executes the following steps to verify the user U i : Step 1: Compute Q IDi and R i '. The GW-node performs the following computations to obtain Q IDi = (x Q , y Q ) and Step 2: The GW-node verifies whether R i * = x i ' × P. If it holds, U i is authenticated by the GW-node.
Step 3: GW-node → U i : {T 2 , M S , M k } through S n . The GW-node chooses a random point R S = (x S , y S ) ∈ E P (a, b) and computes ) The GW-node sends the message Msg(T 2 , M S , M k ) over the public channel in order to respond to the request of S n at timestamp T 2 .

Mutual Authentication Phase
The GW-node sends Msg(T 2 , M S , M k ) to S n and then S n sends Msg(ACC-LOGIN) to the GW-node. The steps are described as follows: Step 1: Compute Q IDi and R' S . After receiving Msg(T 2 , M S , M k ), S n performs the following computations to obtain Q IDi = (x Q , y Q ) and R' S = (x' S , y' S ) of the GW-node.
holds, GW-node is successfully authenticated by S n .

The Password-Changing Phase
When a user U i enters an ID i and a PW i in order to request a password change, the smart card computes the new value PW B * = h(PW i * ⊕b) and sends it to the GW-node. After receiving the password change request, the GW-node computes B i * and W i * .
Step 2: The GW-node stores the new values on the smart card.

Security Analysis
The studies we have referenced in this paper have discussed the security issues of remote user authentication. Below is a summary of those security issues, along with the reasons we believe our proposed ECC protocol can address those issues.
Resistance to insider attack: It is common practice for users to apply the same password to access different applications. If a privileged insider learns another user U i 's password, they may try to impersonate U i to access network applications. Our proposed protocol registers user U i using the masked value PW B = h(PW i ⊕b) over a secure channel, so the GW-node never sees PW i itself and a privileged insider cannot recover it from the registration data. Thus, our protocol resists insider attacks.
Resistance to masquerade attack: To successfully complete a masquerade attack, an attacker must know U i 's password in order to pass verification in the login phase and to be able to interpret the verification message correctly for mutual authentication. An attacker, even a legitimate user U*, cannot masquerade as a different legitimate user U i without U i 's password for forging the messages sent to the GW-node.
Mutual authentication: Mutual authentication is an important feature for a verification service that is resistant to server spoofing attacks. Our protocol provides a mutual authentication between the user U i and the GW-node by using ECC-based public and private keys exchange.
Securely change/update password: There is provision for users to update or change their password in our proposed scheme. Namely, a user can send a new password to the GW-node and then the GW-node computes new value of B i * , W i * and stores them on the smart card.
We recall that the protocol of Wong et al. [11] does not provide mutual authentication and is vulnerable to forgery and replay attacks [12][13][14][15][16]. The proposal of Watro et al. has security weaknesses against masquerade attacks, and Das' protocol does not provide mutual authentication for its hash-based verification procedure. Further, Das' scheme may suffer from insider and forgery attacks. Chen et al.'s scheme is similar to Das' scheme and also has the insider attack problem. Besides, the referenced proposals all fail to provide a secure method for updating user passwords. Table 2 compares our proposed protocol with the other referenced protocols in terms of protection against attacks. Compared with them, our protocol provides a solution for user authentication that is more secure than the other referenced protocols.

Performance Analysis
To compare the performance of our protocol with the related protocols, we estimate the computation costs. We define the notation t h as the hash computation time, t PA as the elliptic curve point addition time, t PM as the elliptic curve point multiplication time, t E as the elliptic curve polynomial computation time, t PR as the private key computation time, and t PU as the public key computation time. Note that the computation costs t PU and t PR are considerably higher than t h (t PU >> t h and t PR >> t h ) because t PU and t PR usually need polynomial computation to obtain the public and private keys. By contrast, t E , t PA and t PM each evaluate at most a cubic polynomial, and t h at most a linear or quadratic one. The comparison of the related protocols is illustrated in Table 3.
When considering the computation cost in the authentication phase (which includes the verification and mutual authentication phases), our protocol requires only 11 t h + 4 t PA + 6 t PM + 2 t E . That is, our protocol needs one point addition operation, four point multiplication operations and one polynomial operation in ECC. Watro et al.'s protocol, by contrast, needs two hash functions and four polynomial computations for private key and public key computation, since it uses the complex RSA and Diffie-Hellman algorithms for user authentication. Such polynomial computation evaluates a prime-exponential function, which is considerably more expensive than a cubic equation [12,17]. The four polynomial computations (for t PR and t PU ) in Watro et al.'s protocol therefore exceed the cost of the other referenced protocols [12][13][14][15][16]. Our proposed protocol, on the other hand, is computed through a combination of point addition and point multiplication, where point multiplication is defined by repeated addition. Considering the computation costs, ECC can use smaller key sizes while maintaining a level of security equivalent to RSA [18][19][20]. This is why the ECC-based protocol is more practical than Watro et al.'s protocol.
Lastly, in terms of overall cost, the proposed protocol is more expensive than the other protocols, except for Watro et al.'s protocol. However, the protocol of Das does not provide mutual authentication, and the method we propose solves most of the Das method's problems. Furthermore, although Das' scheme needs only five hash operations, Wong's needs four and Chen et al.'s protocol performs authentication with seven t h , their protocols suffer from the security issues discussed above. Our proposed protocol addresses these issues and provides better security than the other related protocols.

Conclusions
In this paper, we have analyzed Das' scheme for user authentication in WSNs. The Das protocol, which does not provide mutual authentication, is susceptible to insider and forgery attacks. We have also reviewed the protocols of Wong et al., which is vulnerable to forgery and replay attacks, of Watro et al., which is vulnerable to masquerade attacks, and of Chen et al., which is susceptible to insider attacks. Additionally, a user cannot change his/her password with the former schemes. Since WSNs need more efficient methods to perform mutual authentication in an insecure network environment, we use an ECC-based mechanism to accomplish this. The proposed protocol prevents the problems of the former schemes and provides mutual authentication to protect against both insider and outsider threats. Furthermore, it not only inherits the merits of the ECC-based mechanism but also provides WSN authentication with higher security than the other protocols. Therefore, the proposed protocol is better suited to WSN environments.