Security Analysis and Improvements of Two-Factor Mutual Authentication with Key Agreement in Wireless Sensor Networks

User authentication and key management are two important security issues in WSNs (Wireless Sensor Networks). In WSNs, for some applications, the user needs to obtain real-time data directly from sensors and several user authentication schemes have been recently proposed for this case. We found that a two-factor mutual authentication scheme with key agreement in WSNs is vulnerable to gateway node bypassing attacks and user impersonation attacks using secret data stored in sensor nodes or an attacker's own smart card. In this paper, we propose an improved scheme to overcome these security weaknesses by storing secret data in unique ciphertext form in each node. In addition, our proposed scheme should provide not only security, but also efficiency since sensors in a WSN operate with resource constraints such as limited power, computation, and storage space. Therefore, we also analyze the performance of the proposed scheme by comparing its computation and communication costs with those of other schemes.

Section 6 is devoted to analyzing the performance of the proposed scheme and Section 7 concludes this paper.

Review of Vaidya et al.'s Scheme
There are three communication parties in Vaidya et al.'s scheme [12]: a user, a gateway node, and a sensor node. This scheme is composed of four phases: registration phase, login phase, authentication-key agreement phase, and password change phase. We describe each phase in detail in Sections 2.1-2.4, and Table 1 shows the notations used in the remainder of the paper. The registration phase begins when the user sends a registration request with his/her identity and a hashed password to the gateway node. Then, the gateway node personalizes a smart card for the user and sends it to him/her as a response to the registration request. In the registration phase, all these communication messages are transmitted over secure channels.
The login phase begins when the user inserts his/her smart card into the terminal and inputs his/her identity and password. After the verification of the user's input value, the smart card computes and sends the authentication request to the gateway node. When the gateway node receives the authentication request from the user side, the authentication-key agreement phase begins. The gateway node verifies whether the authentication request comes from a legitimate user. If the verification is successful, the gateway node sends the authentication request to a sensor node which can respond to a request or a query from the user. In this phase, three authentication requests are transmitted. The first request is from the gateway node to the sensor node, the second is from the sensor node to the gateway node, and the final one is from the gateway node to the user. As stated, when one party receives an authentication request, the party verifies its validity and sends a new authentication request to the other party. In the login phase and the authentication-key agreement phase, these request messages are transmitted over insecure channels. If all verifications are passed successfully, the user and the sensor node then share the session key for communication. The password change phase begins whenever the user wants to change his/her password. In the password change phase, the user side does not have to communicate with other parties.

Registration Phase
We describe the registration phase in this subsection.
selects and , computes and sends the registration request { , } to . Then, personalizes a smart card for and sends it to . Figure 1 shows the registration phase of Vaidya et al.'s scheme.
R-1 selects and .
R-2 computes sends a registration request { , } to in secure channels (it was not mentioned whether the registration request from to is sent by secure channels [12], but we guess that it is sent this way).
R-3 computes the following when it receives the registration request from . ⊕ ⊕ ⊕ ) personalizes the smart card with , , , , and .
sends the smart card to in secure channels.
Meanwhile, and a secret value generated by are stored in before it is deployed into a target field.

Login Phase
The login phase begins when inserts 's smart card into a terminal and inputs and . In this phase, sends the authentication request to . Figure 2 illustrates the login phase of Vaidya et al.'s scheme.
L-1 inserts 's smart card into a terminal and inputs and .

L-2
The smart card computes the following.

⊕ ⊕
The smart card compares with . If , then the next step proceeds; otherwise, this phase is aborted.

L-3
The smart card generates a random nonce and computes the following. is the current

Authentication-Key Agreement Phase
When receives the authentication request from , the authentication-key agreement phase begins. In this phase, , , and send and receive authentication requests from one another. Figure 3 depicts the authentication-key agreement phase of Vaidya  If ( , then the next step proceeds; otherwise, this phase is aborted.

A-11
The smart card computes the following. ⊕

⊕ ⊕
The smart card compares with . If , then mutual authentication between and is completed successfully; otherwise, this phase is aborted.

A-12
The smart card computes to obtain a session key for communication with . Meanwhile, also computes to share a session key with .

Password Change Phase
The password change phase proceeds when changes 's existing password to a new one. In the password change phase, does not communicate with .
P-1 inserts 's smart card into a terminal and inputs , , and . is 's new password.

P-2
The smart card computes the following.

⊕ ⊕
The smart card compares with . If , then the next step proceeds; otherwise, this phase is aborted.

P-3
The smart card computes the following.
The smart card replaces the existing values , , and with the new values , , and .

Security Analysis of Vaidya et al.'s Scheme
In this section, we analyze the security of Vaidya et al.'s scheme. We found that gateway node bypassing attacks are possible in Vaidya et al.'s scheme if an attacker captures a sensor node and extracts secret values stored in it. Additionally, an attacker can know secret values and from the attacker's own smart card and use them for user impersonation attacks or gateway node bypassing attacks.
In Sections 3.1-3.3, we describe possible attacks in Vaidya et al.'s scheme in detail. We assume that an attacker can eavesdrop on or intercept all messages sent or received between communication parties. We also assume that an attacker can read data stored in a smart card in any manner, as in the related works [2,6,13-16]. In addition, we have to note that data stored in sensor nodes are not secure since an attacker can capture sensor nodes that are deployed in unattended environments and can then extract data from them.

Gateway Node Bypassing Attacks Using Secret Data Stored in a Sensor Node
In Vaidya et al.'s scheme, if an attacker extracts the secret data from a sensor node, he/she can impersonate and communicate with . These attacks proceed as explained below. denotes an attacker here.
Step 1 extracts and from a sensor node captured in the WSN.
Step 2 The login phase begins when wants to access the WSN as in Section 2.2. When sends the authentication request , , , to , eavesdrops on it.
Step 3 computes the following using , and , , , . and denote the current timestamp of system, and < . generates a random nonce . ⊕ ⊕ ⊕ forges the authentication request sent from to in authentication-key agreement phase using , , .
Step 4 When receives , , from , checks if ( , where is the current timestamp of system. If ( , then the next step proceeds; otherwise, this phase is aborted.
Step 5 The smart card computes the following. ⊕

⊕ ⊕
The smart card compares with . Since , regards , , as being transmitted from . Therefore, can communicate with using the session key .

User Impersonation Attacks Using an Attacker's Own Smart Card
If an attacker registers with , receives the smart card personalized with 's own identity and password, and .
can compute and using , , and secret values stored in the smart card.
Step 1 As shown in the Section 2. can impersonate a legitimate user who has registered with using and . In addition, can also log in with any temporary identity that does not actually exist.

Logging in with Any Temporary Identity
We describe the process where logs in with any temporary identity that does not actually exist using and .
Step 1 selects any temporary identity and password and . computes the authentication request as follows. denotes the current timestamp of system, and is a random nonce generated by .
Step 2 When receives the authentication request, checks if ( , where is the current timestamp of system. If ( , then the next step proceeds; otherwise, this phase is aborted.
Step 3 computes the following. ⊕ ⊕ ⊕ compares with . regards , , , as being sent from a legitimate user because .

Logging in with the Identity of a Legitimate User
We describe when impersonates a legitimate user who has registered with using and .
Step 1 In the previous session, when sends the authentication request , , , to as shown in Section 2.2, eavesdrops on it.
Step 2 computes the following. is a random nonce generated by . is the current timestamp of system. and are already known to , as mentioned above. ⊕ ⊕ ⊕ ⊕ ⊕ sends the authentication request , , , to . Step

Gateway Node Bypassing Attacks Using an Attacker's Own Smart Card
As discussed in Section 3.2, if an attacker obtains and using data stored in his/her own smart card, he/she can impersonate . The following shows the attack process in detail. denotes an attacker here.
Step otherwise, this phase is aborted.
Step 4 The smart card computes the following. ⊕

⊕ ⊕
The smart card compares with . Since , regards , , as being transmitted from . Therefore, can communicate with using the session key .

The Proposed Scheme
In this section, we propose an improved scheme that can overcome the security weaknesses presented in Section 3. The reason why Vaidya et al.'s scheme is vulnerable to sensor node capture attacks is that is stored in plaintext form in though it is a secret value. To make matters worse, is shared between all sensor nodes in the WSN. Also, in Vaidya et al.'s scheme, an attacker can compute and use and for attacks because they are stored in all users' smart cards. Therefore, the main ideas of our proposed scheme are as follows:
▪ When personalizes a smart card for in the registration phase, uses and instead of and to prevent an attacker from computing or . Since and are unique for each user, an attacker cannot reuse them to impersonate a legitimate user.
▪ In the proposed scheme, ) instead of is stored in to prevent an attacker from extracting from . Since is unique for each sensor node, we can attenuate the effects of sensor node capture attacks as much as possible.
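The effect of the second idea, one secret shared by all sensor nodes versus a stored value that is unique per node, can be measured with a small model. This is an added example, not the paper's construction: the paper's formulas are not reproduced here, and the HMAC-SHA-256 tags, the derivation labels, the node names `SN1`-`SN3` and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os


def h(*parts: bytes) -> bytes:
    """One-way hash over length-prefixed parts (no ambiguous concatenation)."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()


class Gateway:
    def __init__(self) -> None:
        self.master = os.urandom(32)  # constructed gateway-only secret

    def shared_secret(self, node_id: bytes) -> bytes:
        # Models the reviewed design: every node is loaded with the same value.
        return h(b"shared", self.master)

    def per_node_secret(self, node_id: bytes) -> bytes:
        # Models the improved design: the stored value is bound to the node identity.
        return h(b"node", self.master, node_id)


def tag(secret: bytes, node_id: bytes, nonce: bytes, ts: int) -> bytes:
    return hmac.new(secret, h(node_id, nonce, str(ts).encode()), hashlib.sha256).digest()


def verify(secret, node_id, nonce, ts, mac, now, max_delay=5) -> bool:
    # Freshness first (timestamp window), then constant-time tag comparison.
    if not 0 <= now - ts <= max_delay:
        return False
    return hmac.compare_digest(tag(secret, node_id, nonce, ts), mac)


def capture_blast_radius(gw, node_ids, captured, diversified):
    """Node identities whose traffic authenticates under the captured node's secret."""
    provision = gw.per_node_secret if diversified else gw.shared_secret
    leaked, nonce, now = provision(captured), os.urandom(16), 1_000
    return {
        nid for nid in node_ids
        if verify(provision(nid), nid, nonce, now, tag(leaked, nid, nonce, now), now)
    }


if __name__ == "__main__":
    gw, nodes = Gateway(), [b"SN1", b"SN2", b"SN3"]
    print(capture_blast_radius(gw, nodes, b"SN2", diversified=False))
    print(capture_blast_radius(gw, nodes, b"SN2", diversified=True))
```

With the shared value, capturing one node exposes every node identity in the network; with the per-node value, the exposure is confined to the captured node.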
We describe each phase in detail in Sections 4.1 through 4.4. Before describing the proposed scheme in detail, we present the security requirements for the proposed scheme.
▪ The proposed scheme has to be secure against possible attacks such as replay, password guessing, user impersonation, gateway node bypassing and parallel session attacks.
▪ The proposed scheme has to minimize the damage caused by sensor node capture attacks. The authentication scheme cannot be a perfect solution that blocks sensor node capture attacks completely. Nevertheless, the proposed scheme should attenuate the effects of sensor node capture attacks as much as possible.
▪ We assume an attacker can obtain all data from a smart card. Therefore, our proposed scheme has to be devised considering stolen smart card attacks, lost smart card problems, and attacks that use an attacker's own smart card, as shown in Section 3.
▪ The proposed scheme must be secure against privileged-insider attacks or stolen-verifier attacks.
▪ The proposed scheme has to provide methods for mutual authentication, key agreement between and , and password change.

Registration Phase
In the registration phase, selects and . computes and sends the registration request { , } to the gateway node, where is a random nonce. Then, personalizes a smart card for . Figure 4 illustrates the registration phase of the proposed scheme. Meanwhile, and are stored in , where ) before is deployed into a target field.
R-2 generates a random nonce and computes sends the registration request { , } to in secure channels.
R-3 computes the following when it receives a registration request from .

Login Phase
The login phase begins when inserts 's smart card into a terminal and inputs and . In this phase, sends the authentication request to . Figure 5 depicts the login phase of the proposed scheme.
L-1 inserts 's smart card into a terminal and inputs and .

L-2
The smart card computes the following. ⊕ ⊕ ⊕ The smart card compares with . If , then the next step proceeds; otherwise, this phase is aborted.

L-3
The smart card generates a random nonce and computes the following. is the current

Authentication-Key Agreement Phase
When receives an authentication request from , the authentication-key agreement phase begins. In this phase, , , and send and receive authentication requests from one another. Figure 6 shows the authentication-key agreement phase of the proposed scheme. The following describes this process in detail.

A-11
The smart card computes the following: ⊕ ⊕ ⊕ The smart card compares with . If , then mutual authentication between and is completed successfully; otherwise, this phase is aborted.

A-12
The smart card computes the following to get a session key for communication with .
Meanwhile, also computes to share a session key with . ⊕ Figure 6. Authentication-key agreement phase of the proposed scheme.

Password Change Phase
The password change phase proceeds when changes 's existing password to a new one. In the password change phase, does not have to communicate with .
P-1 inserts its smart card into a terminal and inputs , and . is 's new password.

P-2
The smart card computes the following. ⊕ ⊕ ⊕ The smart card compares with . If , then the next step proceeds; otherwise, this phase is aborted.

P-3
The smart card computes the following.
The smart card replaces the existing values , and with the new values , and .

Security Analysis of the Proposed Scheme
This section is devoted to the security analysis of our proposed scheme. We discuss the security of our proposed scheme in terms of the security requirements presented in Section 4. Table 2 shows a security comparison of the proposed scheme. The Proposed Scheme cost, the number of messages transmitted in the proposed scheme is four, which is the same as that of Vaidya et al.'s scheme.

Conclusions
We have proposed an improved mutual authentication and key agreement scheme to overcome the security weaknesses of Vaidya et al.'s scheme. The proposed scheme resists user impersonation attacks and gateway node bypassing attacks using secret data stored in an attacker's own smart card or a sensor. In addition, the proposed scheme prevents possible attacks such as replay attacks, parallel session attacks, password guessing attacks, sensor node capture attacks, stolen smart card attacks, lost smart card problems, privileged-insider attacks, and stolen-verifier attacks. The proposed scheme is also efficient in terms of computation and communication cost considering the limited resources of sensors.