RUASN: A Robust User Authentication Framework for Wireless Sensor Networks

In recent years, wireless sensor networks (WSNs) have been considered as a potential solution for real-time monitoring applications and these WSNs have potential practical impact on next generation technology too. However, WSNs could become a threat if suitable security is not considered before the deployment and if there are any loopholes in their security, which might open the door for an attacker and hence, endanger the application. User authentication is one of the most important security services to protect WSN data access from unauthorized users; it should provide both mutual authentication and session key establishment services. This paper proposes a robust user authentication framework for wireless sensor networks, based on a two-factor (password and smart card) concept. This scheme facilitates many services to the users such as user anonymity, mutual authentication, secure session key establishment and it allows users to choose/update their password regularly, whenever needed. Furthermore, we have provided the formal verification using Rubin logic and compare RUASN with many existing schemes. As a result, we found that the proposed scheme possesses many advantages against popular attacks, and achieves better efficiency at low computation cost.


Introduction
Wireless sensor networks (WSNs) are becoming more and more popular in everyday life as they offer economically viable, real time monitoring solutions. These wireless sensors can be quickly and easily deployed in hostile environments, and WSNs are now widely used in a variety of real-time applications, such as vehicular tracking, habitat monitoring, environment control, military surveillance, healthcare monitoring, wildlife monitoring and traffic monitoring. One recent survey declared that, in the near future, WSNs will become an intelligent and integral part of daily lives [1].
A WSN consists of a discrete group of independent, low cost, low power nodes with limited memory and computation power. They communicate wirelessly over limited frequency and low bandwidth [1]. More specifically, sensor nodes collectively monitor the area and sense substantial amounts of data, which are transmitted to the base-station traversing some nodes via RF signals and routing schemes.
As sensor nodes are resource constrained devices and are often deployed in a hostile environment and have to sense the information properly and efficiently. So the potential deployment of WSNs for any real-time applications has to deal with many challenges, including security, system architecture and protocol functionalities. Providing security to these resource hungry sensor networks is a very tedious task as compared to conventional networks, such as local area networks (LANs) and wide area networks (WANs). Consequently, providing suitable security has emerged as one of the critical issue in wireless sensor networks, and the state-of-art should therefore pay attention to how to deploy user-friendly, reliable and secure WSNs.
In real-time WSNs, sensor data queries are commonly issued from the base-station nodes or the backend application system. Moreover, these sensor networks can be accessed from anywhere in an ad-hoc manner. As sensor nodes provide services to users by themselves, it is necessary to control who is accessing the information and whether the intended user is authenticated to do so. Therefore, access control is a core requirement for WSNs to protect the data from access by unauthorized parties. In general user authentication where each user must verify their legitimacy is considered as one of the basic solutions for the access control issue.
So far, a number of significant schemes that provide adequate security for wireless sensor networks at the link layer [2][3][4][5][6] and the network layer [7] have been proposed. However, secure user authentication at the application layer has not been addressed effectively in order to prevent illegal access to sensor data. A review of current literature on WSNs reveals that only a few user authentication schemes have been adequately addressed [8][9][10][11][12][13][14][15][16][17][18][19][20][21][22] at the application layer. In [8][9][10][11][12][13][14], protocols are based on traditional passwords, where secrets are stored at the base station or the gateway. While, the protocols presented in [18][19][20][21] are based on two-factor user authentication with limited functionality (e.g., no mutual authentication, no secure session key, and no confidentiality) at high computation cost. Therefore, one of the primary concerns in wireless sensor network applications is the design and development of a robust user authentication scheme which is suitable for hostile or unattended environments.
In this paper, we have considered the above challenges and present a robust user authentication framework for wireless sensor networks (RUASN) at the application layer, which uses the two factor approach. The first factor (something you know) refers to something that is known by the user, such as a password, while the second factor (something you have) refers that something that is embedded on a device, such as smart cards, software tokens, digital certificates or biometric identifiers (e.g., fingerprint scans and so on) [23].
The proposed RUASN framework achieves user authentication (access control) for wireless sensor networks, where a user must login with same identity. The proposed scheme is resists many popular attacks, such as replay attack, impersonation attack, insider attack, stolen-verifier attack, password guessing attack, and man-in-the-middle attack. RUASN provides user privacy protection (i.e., user anonymity), mutual authentication, and secure session key establishment. In addition, a user can update his/her password whenever demanded. Our framework uses one-way hash functions along with XOR operations to attain low computational overheads. Moreover, this paper further demonstrated the analysis and verification of the proposed protocol using Rubin Logic [24], which is very close to actual implementation.
The rest of the paper is structured as follows: Section 2 briefly reviews the related literature and the perceived weaknesses of existing schemes. In Section 3 we discuss the design goals, security requirements and system architecture of RUASN. In Section 4, we propose a robust two-factor user authentication framework in detail. Section 5 discusses the nonmonotonic cryptographic protocol and formal verification of proposed protocol using Rubin Logic. Section 6 discusses the security analysis, efficiency evaluation and comparison with existing schemes for wireless sensor networks. Finally, Section 7 conclusions are drawn for RUASN.

Literature Review
In this section, we will discuss the literature on user authentication schemes that have been recently proposed to verify the legitimacy of wireless sensor networks users.
Benenson et al. [8] first described several security issues in WSNs, especially the access control problem, and proposed the notion of n-authentication, where users can successfully authenticate with at least (n-t) of n-sensors, where t is the number of sensor nodes that the adversary can compromise. Subsequently, Benenson et al. [9] proposed another solution for the user authentication problem in the face of node capture attacks. The proposed scheme is based on public key cryptography (PKC) and elliptic curve cryptography (ECC). Some major weaknesses were pointed out in the Benenson et al. scheme, such as the fact that impersonation attacks or denial-of-service (DoS) attacks could be mounted by sending many bogus signatures during the authentication phase [10]. Moreover, the computation cost of PKC and ECC is very high for sensor networks.
Wong et al. [10] proposed a dynamic user authentication scheme for wireless sensor networks, which is based on passwords. This scheme imposes a very light computation cost that requires only one-way hash functions and simple XOR operations. The scheme consists of three phases: registration phase, login and authentication phase. Unfortunately, the Wong et al. scheme is vulnerable to many attacks such as replay attacks, forgery attacks, stolen-verifier attacks and password guessing attacks [11,12,14,18].
Vaidya et al. [14] pointed out some weaknesses of the Tseng et al. [11], Wong et al. [10] and Ko [14] schemes such as replay of account-login attacks, man-in-the-middle (MITM) attacks, forgery attacks and stolen-verifier attack with node capture attacks. They proposed two user authentication schemes for wireless sensor networks, which are based on traditional password schemes and claimed that their proposed scheme provides better security features as compared to the Wong et al., Tseng et al. and Ko et al. schemes. Recently, Das [18] pointed out some security flaws in Wong et al. [10] scheme, such as the fact this scheme is vulnerable to many logged in users with the same login-id threat and also susceptible to stolen-verifier attacks. Das [18] proposed a two-factor user authentication for wireless sensor networks, where the legitimate users must prove the possession of both a password and a smart card. Das [18] claimed that his scheme is secure against many types of attacks (e.g., user authentication, replay, guessing, impersonation, node compromise, and stolen-verifier attacks).
Nyang and Lee [19] noted that Das' scheme is not practical and is vulnerable to an offline password guessing attack by insiders, node compromise attacks and does not care about other security issues, i.e., encryption and authenticity verification of query responses. Consequently they proposed an enhanced two-factor user authentication protocol for WSNs, which overcome the Das scheme's security flaws with some additional security services such as confidentiality and authenticity of user query responses. However, their scheme also does not care about mutual authentication and there is no provision for password updates.
Khan and Alghathbar [20] pointed out that the Das et al. [18] scheme is still not secure and cannot resist many other security attacks, such as gateway-node bypass attacks, and it is vulnerable to insider attacks, as well as not facilitating mutual authentication between the gateway and the sensor nodes and there is no provision for users to change their passwords. Khan and Alghathbar [20] overcome the security weaknesses of Das' scheme and proposed an improved two-factor user authentication in WSNs, which provides protection against insider attacks, gateway bypass attacks and introduced a password change phase for users. They suggested two secret (X a and X s ) values to be used to overcome the gateway-bypass attacks. For example, X a is used between the user and the gateway, and X s is used between the gateway and the sensor nodes. Furthermore, to overcome the room for insider attack, they passed hashed passwords instead of plain passwords. Their scheme also does not however provide mutual authentication between the user and the gateway.
More recently, He et al. [21] have shown that Das' protocol is susceptible to insider attacks, impersonation attacks and also found design weaknesses (i.e., concerning real identity of user). Later, they proposed an enhanced two-factor user authentication scheme for WSNs that facilitates user anonymity, protection against insider attacks and allows users to change their passwords. Their scheme does not care about mutual authentication between all parties (i.e., user, gateway and sensor). Moreover, the communication cost is quite high as compared with other schemes (see [10][11][12][13][14][18][19][20]).
As we have seen above, a number of user authentication schemes have been proposed in order to authenticate user legitimacy for sensor networks. These schemes are not designed properly [10][11][12][13][14] (i.e., stored secrets at the gateway) and in [18][19][20][21] they do not provide essential services to the users. Consequently, we conclude that the above schemes have many security flaws and provide less security services. Thus, these security weaknesses and constrained nature of sensor nodes motivated us to design a robust user authentication framework that provides adequate security and provides users with many services, as discussed in the next section.

Design Goals, Security Requirements and System Architecture
In this section, we discuss the design goals, security requirements and system architecture for robust user authentication for wireless sensor networks.
Moreover, Liao et al. [27] identified some security requirements to evaluate a smart card and password based authentication protocol. Their requirements solve most of the problems in smart card oriented schemes. As sensor networks are resource constrained devices, WSN could adopt Liao et al. requirements, which are listed below:  The password tables should not be stored inside the gateway.  Verification table should not be stored inside the gateway.  The password should not be transmitted as plain text over the public network.  Schemes should resist insider-attacks.  Password length should be sufficient.  The password is not exposed by the gateway administrator.  Scheme should resist offline password guessing attacks.

System Architecture
Wireless sensor networks consist of a number N of low-cost sensor devices, which are scattered in a hostile environment. These sensors sense the environmental information, (e.g., humidity, pressure, and temperature) and transmit information to the users for further analysis. A user can access real-time WSN data using their mobile devices (e.g., laptop, PDA or smart-phone) through wireless communication. WSN data could be easily accessible from anywhere in ad-hoc manner. In real-time environment it is obvious that the gateway nodes and the users are able to access the sensor data directly. The basic system architecture is shown in Figure 1, where a user directly request to the sensor node, upon receiving user request sensor node first verify user authenticity through the gateway node. After confirmation of the user's legitimacy he/she can access the real-time sensor data. Furthermore, the gateway node provides a middle ground between the users and the sensor network.

RUASN: Robust User Authentication for Wireless Sensor Network
To solve the potential problems of user authentication for WSNs, we propose RUASN which ensures WSN data are only accessed by legitimate users. Thus, before issuing a query to a sensor node, each user must register with the gateway in a secure manner so that they can access the real time sensors' data. Upon the successful user registration request, the gateway node personalizes a smart card for every registered user, as shown in Figure 1. Then, a user can submit his/her query in an authentic way and access the sensor network data at any time within an administratively configurable period [10].
In order to execute the proposed framework, we considered that the gateway is a trusted node and it hold two master keys (x and y), which are sufficiently large for the sensor network. Before starting the system, it is assumed that the gateway and the sensor nodes share a long-term common secret key, i.e., SK gs = h(Sn||y) using any key agreement protocol. For example, [4] demonstrated that, with the careful design, D-H key agreement protocol [28] and RSA public key cryptosystem [29] can be easily deployed on most constrained devices. Here, h(.) is a collision free one-way hash function (i.e., SHA-1), which has an output length of 160-bits [30] and is used throughout this paper. It is assumed that some identical secure symmetric cryptosystems are publically available and stored on the user device, on the gateway and the sensor node. As a result only the users registered with the gateway have access privileges to the sensors, which share a long-term secret with the gateway. The framework is divided into four phases, namely, user registration phase, login phase, authentication phase and password update phase. For convenience Table 1 provides a list of some notations and symbols will be used throughout the rest of paper. Table 1. Notation and symbols used in the paper.

Notation
Descriptions GW node WSN gateway node U k k th User to be login Password of U k x and y Gateway master keys r Arbitrary random number selected by user l Random number generated by the GW node E key [m] Message m is encrypted with symmetric key D key [m] Message m is decrypted with symmetric key MAC_ key (m) [31] Message authentication code over message m with secret key S n Sensor Node ID X g Secret parameter generated by the user U k h(.) Cryptographic hash function  Bitwise XOR operation || Concatenation operation

Registration Phase (RP)
In the registration phase, initially, each user must register with the GW node. A user U k chooses his/her identity (ID k ). Now user U k chooses password (PW k ) and selects an arbitrary random number r which should be sufficiently large and computes h(r  PW k ). The ID k and PW k should include uppercase, lower case characters and 0-9 numeric characters [32]. Afterward, the user submits a registration request to the GW node over a secure channel. Upon receiving the U k registration request, the GW node computes: Thereafter, the GW node personalizes a smart card for the user with the parameters Here, l is random number which is generated by the GW node and x is the gateway secret key and h(.) is a collision free one-way function, e.g., SHA-1 [30]. Subsequently, user U k enters r into his/her smart card, by doing so, user U k need not memorize the arbitrary random number. Now the smart card contains [.], r}. This step completes the registration phase and the process flow is shown in Figure 2.
Upon receiving the smart card, the user stores the random number r into the smart card; now smart card have This phase is invoked whenever a user U k wants to submit his/her query to access the sensor, every time he/she has to complete the login phase. Figure 3 shows both the login phase and the authentication phase. The user U k inserts his/her smart card into the terminal and inputs his ID k and PW k .  V k * = h(ID k ||h(rPW k )) and verify V k * = V k , if not, then reject the login request.
Obtains [X g *||Ts*] from L  Verify: Xg = Xg* and Ts = Ts*, if not, then abort As a result, he/she believes that the sensor node Sn is authentic, otherwise not.

User GW Sensor
Now, the smart card performs the following operations: (LP-1). Compute: V k * = h(ID k ||h(rPW k )).
(LP-2). Check whether V k * and V k are equal or not. If not, then reject the login request, otherwise, the user is a legal user and go to the next step.
here, Tk Tu = (Tu||H k ) is short-term key and Sn is the sensor node, which the user U k wants to access. Here, X g is a secret random number generated by the user U k at login time, which is helpful to generate the session key between the user and the sensor node.
Tu is denoting the current timestamp of U k 's system, which resist replay attacks.
(LP-5). Send the login message M1 = < B k , AID k , Tu > to the sensor node. Now, this is the end of login phase and the user login request message <M1> is send to the sensor node over a public channel.

Authentication Phase (AP)
The authentication phase is invoked when a sensor node receives the user login request message <M1> at time Ts. The sensor node authenticates users' requests by the following steps: (AP-1). The sensor node, Sn validates the Tu: Check, if (Ts−Tu) ≥ ∆T, if yes, then Sn reject this request and terminates the process. Otherwise, it continues with the next step. Here, Ts is the current timestamp of Sn and ∆T is the defined time interval for the transmission delay.
(AP-3). Upon receiving the message M2 and Q from the sensor node, the GW node performs the following actions: 1. The GW node validates the time Ts: Check if (Tg−Ts) ≥ ∆T, if yes, then the GW node rejects this request and terminates the process, otherwise, it continues with the next step. Here, Tg is the current timestamp of the GW node and ∆T is the defined time interval for the transmission delay.
2. The GW node computes Q′ on the message M2 using long-term secret key SK gs and verifies Q′ = Q, if yes, then the GW node considers that this is an original message and proceeds to the next step, otherwise, it rejects the request and terminates further operations.
3. The GW node decrypts B k using secret key x and obtains ID k ′ and l′ of U k . Now, the GW node computes h(ID k ′), A k ′ = h(ID k ′ l′) and H k ′ = h(A k ′). Subsequently, the GW node generates a temporary key Tk Tu (Tu||H k ′). After that, the GW node decrypts the sub-message AID k by using the Tk Tu and obtains [h(ID k *)||Sn*||X g ]. Afterwards, the GW node compares h(ID k ′) with h(ID k *), if this check is successful then the user is a legal user. Here, h(ID k *) is sub-message of AID k . At the same time, the GW node verifies whether Sn is equal to Sn*, which is included in sub-message of AID k and if yes, then the GW node considers that Sn is a legal node that user U k wants to access. Otherwise, the GW node rejects the authentication process. 4. After authenticating the user and the sensor node; the GW node informs the sensor node that user U k is a legitimate user, therefore, the GW node computes message M3 = <Tg, C> and sends message M3 to the sensor node. Here, C = E SKgs [h(ID k )||X g ||Tg] and Tg is the current timestamp of the GW node.
(AP-4). Upon receiving the message M3 from the GW node, the sensor node performs the following: 1. Firstly, Sn validate the time Tg: Check if (Ts−Tg) ≥ ∆T, if yes, then the sensor node rejects this request and terminates the process. Otherwise, it continues with the next step. Here, Ts is the current timestamp of the sensor node and ∆T is the defined time interval for the transmission delay.
2. Now, with the knowledge of SK gs , the sensor node decrypts the sub-message C = D SKgs [h(ID k )||Xg||Tg*] and verifies whether Tg is equal to Tg* or not. If Tg is not verified then the process is terminated; otherwise, the sensor node considers the GW node a legal node and message M3 is generated by the original GW node.
3. Thereafter, Sn computes a session key Ses K = h(h(ID k )||Xg||Sn||Ts||Tu) for secure communication between the sensor node and the user. Now, Sn generates a message M4 = <L, Ts>, and sends it to the user U k . Here, L = E SesK [Xg||Ts] and Ts is the current time stamp of the sensor node.
(AP-5). While receiving the message M4 from the sensor node, the user U k performs the following: 1. Firstly, U k validates the time Ts: Check if (Tu − Ts) ≥ ∆T, if yes, then the sensor node rejects this request and terminates the process. Otherwise, it continues with the next step. Here, Tu is the current timestamp of the user U k and ∆T is the defined time interval for the transmission delay.
2. Now, the user U k computes the session key Ses K = h(h(ID k )||X g ||Sn||Ts||Tu) and decrypts the sub-message L (i.e., D SesK [X g *||Ts*]) and obtains X g * and Ts*. The user U k checks X g = X g * and Ts = Ts*, if yes, then he/she believes that Sn is a real sensor node, otherwise not.
3. Moreover, now the user U k and Sn share the symmetric session key Ses K = h(h(ID k )||X g ||Sn||Ts||Tu) for performing further subsequent operation during a session.
As a result, a legitimate user can communicate with real sensor nodes and access the network data.

Password-Update Phase (PUP)
The password update phase is invoked whenever user U k wants to update his/her old password (PW k ). The password update phase is described below: (PUP-1). User U k inserts his/her smart card into the terminal and enters his/her identity (ID k ) and password (PW k ).
(PUP-2). Firstly, the smart card validates the U k 's entered ID k and PW k with the stored values by computing the following: Vk* = h(ID k ||h(rPW k )).
(PUP-3). Verify whether V k * and V k are equal or not. If not, then reject the password update request; otherwise, proceed to the next steps. (PUP-4). Upon receiving the U k 's new password (PW knew *), the smart card computes V knew * = h(ID k ||h(rPW knew *)) (PUP-5). Now, the smart card replaces V k with V knew *.
After performing the above steps, the password update phase takes place successfully. The flow of the password update phase is shown in Figure 4. Replace V k with V knew * in the smart card.

Nonmonotonic Cryptographic Protocol and RUASN Analysis and Verification
This section presents, first, the nonmonotonic cryptographic protocol (NCP) [24], and second, formal analysis and verification of RUASN using the NCP protocol.

Nonmonotonic Cryptographic Protocol
This sub-section describes the nonmonotonic cryptographic protocol (NCP), which is also known as Rubin Logic. The NCP logic assumed that involved entities are trusted, and state of knowledge (i.e., current state of the protocol), and describes the authentication logic. In [24][25][26][27][28][29][30][31][32][33][34] the authors state that the NCP logic does not require any idealization step in specifying the protocol and is very close to real implementation. In Rubin logic the roles are assigned to entities, which are considered as independent processes. The nonmonotonic logic consists of two sets, global set and local set. These sets are directly applicable for protocol analysis, as follows. For more details the reader may refer to [24] and [35].

Global Set and Local Set
Global set: The global sets are publically known to each principal in a protocol specification, and consist of principal set, rule set, secret set and observers set. These sets represent the information of the protocol and the contents of these global sets may get updated as the protocol progresses.

Actions
Actions are operations which play essential roles in the protocol specification. These actions control the state of knowledge and possessions for involved entities (such as, constructs messages, hashing, concatenation, encryption /decryption, secret generation, update, and abort operations, are few example). For a complete list of actions readers may refer to [24,35]. As per our requirements, we have defined the following actions, as shown below, which are directly adopted from [24][25][26][27][28][29][30][31][32][33][34]. The action is marked with ▪ to show that it has been successful and moved to the next action.
Description: The abort action takes place when a checked action could not satisfy the established conditions. Furthermore, this action aborts the system, if a protocol run is illegal. As a result, analysis reports a failure.

Inference Rules
A procedure which combines known facts and produce new fact is called an inference rule [24]. These inference rules are used to fact about beliefs during the protocol execution and are applied whenever they are relevant to protocol progress. The following inference rules are defined as per our requirements, which are directly adopted from [24,35].
Notation: X contains Y: Y appears as a sub-message of X.

S: = f(S): S is replaced by the value of f(S).
X from E: X is received from E.
For a complete list of inference rules, readers may refer to [24] and [35].

RUASN Analysis and Verification Using Rubin-Logic
This sub-section presents the analysis and verification of the proposed RUASN using well-known Rubin logic [24]. The NCP logic integrates protocol analysis with protocol specification and thus, beliefs of involved entities and current state of knowledge is updated as the protocol run progresses. For RUASN analysis and verification, only three phases are accounted, namely, registration phase, login phase and authentication phase, as follows.

RUASN Specification
For convenience, a list of some additional notations and symbols will be used in the RUASN analysis and verification, as shown in Table 2. Local sets: The local sets consist of U, GW, and Sn and are as shown in Table 3.   ;ID k ,X g ,Sn,Ts, Tu)))→SesK  Decrypt({L} SesK and obtain (X g *, Ts*)  Check(X g , X g *)  Check(Ts, Ts*)

RUASN Analysis and Verification
Once the protocol specification has been completed, the analysis begins. This subsection analyzes the proposed scheme, which is very close to real implementation. We have considered three phases, namely, registration phase, login phase and authentication phase, where three entities are involved in the protocol progress [i.e., user(U), gateway(GW) and sensor(Sn)].
As we can see the Phase-I in Table 3, the entity U is the initiator of the protocol, so user behavior list actions are executed first [i.e., BL(U)]. The first three actions are executed in BL(U) and once the Update action is performed, the next actions have to be executed in the GW behavior list, since the Send operation (i.e., Send(GW,{ID k ,Pass})) is specifies GW list, as shown below: It is clear that after the end of the user and the gateway Phase-I, there is no significant change in their global sets, whereas, in the local sets of both entities (i.e., user and gateway) have are some changes, as shown:
Subsequently, Phase-II begins and two entities (i.e., User and Sensor) are involved in this phase. As, U is the initiator of the protocol, and thus next operations have to be executed in U's behavior list (BL(U)), as follows: After the Update operation, the following changes will takes place in BL(U).
The global set of entity U will change with the following: After applying the Update operation on the received message, the following changes will occur in the Sn entity: The following changes will occur in the global set of the entity Sn:  (.); ID k , X g , Sn, Ts, Tu)))→Ses K  Decrypt({L} SesK ) and obtain (X g *, Ts*)  Check(X g , X g *)  Check(Ts, Ts*) In the Check operation U's verify X g , which was generated by him/her and verify time-stamp Ts. If the Check operations are successful then the following changes will occur in BL(U): The application of Rubin logic in our framework is illustrated above, which closely resembles the structure of real user authentication system in wireless sensor network. Our specifications are designed to resemble actual implementation as much as possible.

Evaluation of RUASN
In this section, we present our proposed RUASN evaluation in terms of security analysis (i.e., can it resist against several well-known attacks), and efficiency analysis in terms of computational and communication cost. Finally, we show a functionality comparison with existing schemes.
Before evaluating the RUASN, it is assumed that an adversary may have full control over the network with following capabilities:  An adversary may intercept all the messages (i.e., M1, M2, M3 and M4) at any time.
 He/she may intercept, delete or modify, and insert any message over the public network.
 In addition, we assume that an adversary may hack either passwords or steal user U k 's smart card, extract secrets [36,37], but cannot do both at the same time [38].
 As per the current literature, extracting secrets from the smart card memory is quite difficult and some smart card manufacturer companies provide countermeasures against risk of side channel attacks [18,36]. Furthermore, [39] has proposed countermeasures against power analysis attacks.
Based on above assumptions, an attacker may execute certain attacks to breach the proposed RUASN scheme.

Security Analysis
In this subsection, we analyze the security of proposed RUASN and further compare with the M.L, Das [18], He et al. [21], Wong et al. [10], and Vaidya et al. [14] schemes. We prove that the presented scheme can resist certain popular attacks that are found in the existing wireless sensor network literature.

Mutual Authentication.
Our scheme provides mutual authentication, where all entities (i.e., user, gateway and sensor node) are mutually authenticating each other. More specifically, when the GW node receives the message M2 (i.e., <B k , AID k , Tu, Ts, Sn>) and Q, it can make sure that the user message M1 (i.e., <B k , AID k , Tu>) is included in the sensor node message M2. When the sensor node receives message M3 (i.e., <Tg, C>), it ensures that this message is generated by the GW node. Furthermore, when the user receives message M4 (i.e., <L, Ts>), he/she can also confirm that this message is generated by the sensor node. Hence, mutual authentication is achieved.
User anonymity. In our scheme, user anonymity U k is preserved at the registration phase by computing A k = h(ID k  l) and B k = E x [ID k ||l]. In addition, it is impossible to extract ID k from the AID k , which is E TkTu [h(ID k )||Sn||X g ], and it is also very difficult to revert the h(ID k ). So, our scheme can preserve user anonymity.
attempt will not work, as the false AID k * will not be verified at the GW node and the GW node cannot get the original sub-message {h(ID k *)||Sn*} by decrypting AID k *. Thus, man-in-the-middle attacks are not applicable to the RUASN scheme. Secure Password Update. In the secure password update phase, our framework first verifies the old ID k , PW k and only then requests a new password. Otherwise, it rejects all password update requests. Therefore, our framework updates passwords securely.
Gateway Secret Key Guessing Attacks. In our scheme, the gateway secret keys (x and y) are very long and possess high entropy. In addition, neither x nor y are transmitted in plain text over the public channel, instead x and y are mainly used as a key to encrypt data (Ex[IDk||l], SKgs = h(Sn||y)). Hence, it is very difficult to guess both the gateway master keys, x and y.

Efficiency Analysis
In this subsection, we present an efficiency analysis (i.e., computational cost and communication cost) of our scheme and compare it with existing schemes (Das [18], He et al. [21], Wong et al. [10] and Vaidya et al. [14]) for wireless sensor networks. The evaluation parameters are shown below: H: performing one-way hash function. S: symmetric cryptosystem. MAC: the time for performing a MAC.
Computation Cost: RUASN adopts low-cost computations like a one-way hash function and symmetric cryptosystem, which is acceptable for WSNs and provides more security features with reasonable computational costs. As we can see the computation cost comparisons of our scheme and other related scheme are summarized in Table 4. It is easy to see that, in the registration phase (i.e., one-time job) our scheme requires 4H and one symmetric cryptosystem, whereas in [21] and [14] 6H and 4H are required, respectively. Furthermore, in the login and authentication phase the proposed scheme requires 9H, 6S and 2MAC, whereas, [18,21] and [14] require 9H, 11H and 9H, respectively. This is due to fact that in order to provide more functionality such as mutual authentication, user anonymity, message confidentiality, and secure session key establishment, more computational costs are incurred. Communication Cost: It is easy to visualize from Figure 3 that RUASN requires four message exchanges for the whole communication and confirmation of all entities (i.e., user, gateway and sensor), which is practical for real-time applications.

Functionality Analysis
From Table 5, it is easy to see that the RUASN has more security functionality as compared to other existing proposed protocols for WSNs. Our scheme has robust security features such as mutual authentication between all entities (i.e., user, gateway and sensor), user anonymity, confidentiality, secure session key establishment, secure password update phase and secure against insider attacks, and it meets all the requirements of Liao et al. [27], which are discussed in Section 3. Table 5. Functionality comparison of RUASN with existing schemes.

Security Features
Das [18] He et al. [21] Wong et al. [10] Vaidya et al. [14] Proposed RUASN imperative requirement for wireless sensor networks to protect the data access from unauthorized parties.
In this regard, we have proposed a robust user authentication framework for wireless sensor networks, RUASN, which is based on a two-factor approach (i.e., password and smart card) by exploiting the advantages of cryptographic hash functions and cryptosystems. We have shown a security analysis and performance analysis of the RUASN framework and compared it with recent existing schemes. Through analysis, we show that our scheme is more robust against many popular attacks, which are prominent risks for wireless sensor network and that it provides many security services (i.e., mutual authentication, user anonymity, confidentiality, secure session key and allow users to choose/updates their password ) at reasonable computational costs.