Security Enhanced User Authentication Protocol for Wireless Sensor Networks Using Elliptic Curves Cryptography

Wireless sensor networks (WSNs) consist of sensors, gateways and users. Sensors are widely distributed to monitor various conditions, such as temperature, sound, speed and pressure but they have limited computational ability and energy. To reduce the resource use of sensors and enhance the security of WSNs, various user authentication protocols have been proposed. In 2011, Yeh et al. first proposed a user authentication protocol based on elliptic curve cryptography (ECC) for WSNs. However, it turned out that Yeh et al.'s protocol does not provide mutual authentication, perfect forward secrecy, and key agreement between the user and sensor. Later in 2013, Shi et al. proposed a new user authentication protocol that improves both security and efficiency of Yeh et al.'s protocol. However, Shi et al.'s improvement introduces other security weaknesses. In this paper, we show that Shi et al.'s improved protocol is vulnerable to session key attack, stolen smart card attack, and sensor energy exhausting attack. In addition, we propose a new, security-enhanced user authentication protocol using ECC for WSNs.


Introduction
Wireless sensor networks (WSNs) provide a feasible real-time monitoring system. Wireless sensors can be easily deployed in various environments such as military surveillance, forest fire detection, health care and wildlife monitoring. WSNs basically consist of users, sensors and gateways whose communication security is a significant concern in real-world applications [1]. Users and gateways have sufficient resources to be used in the system, but sensors are different. Sensors have limited computational ability, low battery, low bandwidth, and a small amount of memory. Therefore, in WSNs, it is important to reduce the use of sensors to extend their lifespans [2][3][4].
Various user authentication protocols have been proposed for securing WSNs while minimizing the use of sensors. In 2004, Watro et al. proposed a user authentication protocol employing the RSA and Diffie-Hellman algorithms [5]. In 2006, Wong et al. proposed an efficient dynamic user authentication protocol using a hash function [6]. However, Tseng et al. demonstrated that Wong et al.'s authentication protocol is vulnerable to stolen-verifier attack, replay attack and forgery attack [7,8]. Later in 2009, Das proposed a two-factor user authentication protocol using smart cards. Das showed how to design an authentication protocol where only the user who is in possession of both the smart card and the password can pass the verification of the gateway [8]. However, several security-related flaws in Das's protocol have been disclosed by later studies as summarized below: • He et al. demonstrated that Das's protocol is vulnerable to insider attacks and impersonation attacks, and that it does not allow users to change their passwords freely. He et al. proposed an improved two-factor protocol [9] which can resist insider and impersonation attacks. • Khan and Alghathbar showed that Das's protocol fails to provide mutual authentication between the gateway and the sensor, and due to this failure, it is not secure against a gateway bypassing attack and a privileged-insider attack [10]. • Chen et al. also pointed out that Das's protocol does not achieve mutual authentication between the gateway and the sensor, and proposed a robust authentication protocol that provides the property of mutual authentication [11].
In 2011, Yeh et al. [2] revealed that Chen et al.'s protocol has difficulty in updating users' passwords and is vulnerable to an insider attack. As an improvement of Chen et al.'s protocol, Yeh et al. presented the first user authentication protocol that uses elliptic curve cryptography (ECC) in WSN environments. However, Han [12] showed that Yeh et al.'s protocol has still some security weaknesses: it does not provide perfect forward secrecy and fails to achieve mutual authentication and key agreement between the user and the sensor. To address these problems with Yeh et al.'s protocol, Shi et al. [3] have recently proposed a new smart-card-based user authentication protocol using ECC for WSNs. Shi et al.'s protocol performs more efficiently, both in terms of computation and communication costs, and provides better security than Yeh et al.'s protocol. However, we found that Shi et al.'s improvement is not secure enough yet and their protocol is susceptible to session key attacks, stolen smart card attacks, and sensor energy exhausting attacks. In addition to reporting the security weaknesses, we also show how to enhance the security of Shi et al.'s protocol with no significant increase in communication and computation costs. We analyze and verify the security of the proposed protocol using non-monotonic cryptographic logic (Rubin logic).
Throughout the paper, we make the following assumptions on the capabilities of the probabilistic polynomial-time adversary A in order to properly capture security requirements of two-factor authentication protocols using smart cards in wireless sensor networks.
• A has the complete control of all message exchanges between the protocol participants: a user, a sensor and the gateway. That is, A can eavesdrop, insert, modify, intercept, and delete messages exchanged among the three parties at will. • A is able to (1) extract the sensitive information on the smart card of a user through a power analysis attack [13,14] or (2) find out the user's password possibly via shoulder-surfing or by employing a malicious card reader. However, it is assumed that A is unable to compromise both the two factors: the information on the smart card and the password of the user; it is clear that there is no way to prevent A from impersonating the user if both factors are compromised.

Overview of Elliptic Curves Cryptography
In 1985, Neal Koblitz and Victor S. Miller proposed the use of elliptic curves in cryptography. After various studies on ECC, it has been widely used since the early 21st century. ECC is a type of public-key cryptography and based on the algebraic structure of elliptic curves over finite fields. Elliptic curves are also used in several integer factorization algorithms. ECC provides the important benefit of a smaller key size, despite which it is able to maintain the same degree of security as other types of public-key cryptography, such as RSA, DH and DSA. Therefore, ECC is especially useful for wireless devices, which typically have limited CPU capacity, power and network connectivity. Table 1 shows the NIST guidelines on choosing key sizes in ECC and other public key cryptography [15]. Let p > 3 be a large prime and choose two field elements a, b ∈ F p satisfying 4a 3 + 27b 2 = 0 mod p to define the equation of a non-supersingular elliptic curve E: y 2 = x 3 + ax + b mod p over F p . Choose a generator point P = (xP , yP ) whose order is a large prime number q over E(F p ). In the same way, a subgroup G of the elliptic curve group E(F p ) with order q is constructed. Then, the three mathematical problems in ECC are defined at various study [16][17][18] as follows.
• ECDLP: Given a point element Q in G, find an integer x ∈ Z * q such that Q = xP , where xP indicates that the point P is added to itself x times by the elliptic curves operation.
• ECCDHP: For a, b ∈ Z * q , given two point elements aP , bP in G, compute abP in G. • ECDDHP: For a, b, c ∈ Z * q , given three point elements aP , bP and cP in G, decide whether cP = abP .

Review of Shi et al.'s Protocol
In Shi et al.'s protocol [3], the gateway is a trusted node that holds two sufficiently large master keys, x and y. Before starting the system, the gateway and the sensors share a long-term secret key SK GS = h(ID Sn y). Shi et al.'s protocol consists of four phases; user registration phase, login phase, authentication phase, and password update phase. For convenience, the notations used throughout this paper are summarized in Table 2. The identity of sensor S n pw U The user U 's password GW The gateway of WSN x, y The master keys of GW h(·) A secure one-way hash function A string concatenation operation ⊕ A bitwise XOR operation

Registration Phase
In this phase, the user U securely submits its identity ID U and password pw U to the gateway GW . Then, GW issues U a smart card containing the user authentication information, as shown in Figure 1.

Login and Authentication Phases
In the login and authentication phases, when U enters ID U and pw U into a smart card terminal, the smart card must validate the legitimacy of U . Then, U , S n and GW authenticate with each other. This protocol uses 4 messages (M 1 , M 2 , M 3 , M 4 ) for mutual authentication, as described in Figure 2. Lastly, U and S n share the session key sk. After the authentication phase, U and S n communicate with each other using the session key sk.

Password Update Phase
In the password update phase, U enters the identity ID U , the old password pw U , and the new password pw U . Then, the smart card updates the password after first checking the correctness of the old password, as shown in Figure 3.

Session Key Attack
In Shi et al.'s protocol, the user U and the sensor S n have to perform the login and authentication phases when they want to share a session key which will be used for protecting their subsequent communication. A problem occurs if U shares its session key with an attacker, not with the intended sensor S n . In the protocol, the gateway GW and the user U check each other's legitimacy using the authenticators α and δ, respectively. However, α and δ do not include information about the sensor S n with which U intends to establish a session key. The attacker exploits this design flaw in mounting a session key attack. The attack is depicted in Figure 4 and its description follows.
When U inputs ID U and pw U , and sends M 1 to sensor S n , the attacker intercepts M 1 and sends it to sensor S A which was previously stolen by the attacker. Upon receiving M 1 , the stolen sensor S A will generate the message A 2 and send it to the gateway GW . However, the attacker replaces ID Sn contained in A 2 with ID A to make GW believe that ID U wants to communicate with sensor S A , not with S n . After receiving A 2 , the gateway GW generates A 3 without noticing any discrepancy and sends it to sensor S A . Lastly, the attacker sends the user U the message A 4 generated by S A using the message A 3 from GW . Because there is no information about the sensor S n in A 4 and M 4 , the user U undoubtedly shares the session key with the attacker while thinking that it has shared the key with the sensor S n . (1) Session key (3) (4)

Stolen Smart Card Attack
Kocher et al. and Messerges et al. pointed out that the confidential information stored in smart cards could be extracted by physically monitoring its power consumption [13,14]. Therefore, it is fair to say that if a user loses his or her smart card, all information in the smart card may be revealed to the attacker.
In Shi et al.'s protocol, the smart card stores various information for user login and authentication. The smart card for the user ID U includes b U , B U , W U and h(·). Using these information and ID U , an attacker can guess U 's password pw U . If ID U is used in public communication, the attacker can obtain or steal it without difficulty. Figure 5 describes a stolen smart card attack against Shi et al.'s protocol.
The attacker can obtain information from the smart card using attacks such as simple power analysis (SPA) and differential power analysis (DPA). This information includes ). Using B U as a password verifier, the attacker can easily find out the password pw U by mounting an offline password guessing attack (also known as an offline dictionary attack) [19][20][21][22] if the password pw U is not long enough. After successfully mounting the password guessing attack, the attacker can login and authenticate with the sensor S n and the gateway GW using the identity ID U and the password pw U .
executes off−line password attack → figures out user ′ s password pw U → logins to WSNs using ID U and pw U

Sensor Energy Exhausting Attack
The computational cost of a sensor is a critical consideration in the design of WSNs as it increases the consumption of the battery power of the sensor. Often it is economically advantageous to discard a sensor rather than recharge it. For this reason, the battery power of a sensor is usually important in wireless devices, with its lifetime determining the sensor lifetime. Previous work have suggested several types of energy exhausting attacks. Buttyan et al. [23] investigated the reliability of transport protocols for WSNs. Brownfield et al. [24] researched the battery depletion effect through the reduction of sleep cycles. Khouzani et al. [25,26] investigated malware attacks in battery-constrained wireless networks. As shown by the previous researches, WSNs need to eliminate unnecessary computational costs of sensors so that the effects of an energy exhausting attack on sensors can be minimized.
In Shi et al.'s protocol, the sensor performs various cryptographic operations such as one-way hash function evaluations, scalar-point multiplications, random number generations, and map-to-point hash function evaluations. Scalar-point multiplications are much more expensive than hash function evaluations. The computational costs of generating a random number and evaluating a map-to-point hash function are about half the cost of performing a scalar-point multiplication. A sensor consumes a large amount of energy to perform a scalar-point multiplication and very little to perform a hash function evaluation [27][28][29]. Figure 6 shows the possibility of a sensor energy exhaustion attack. The attacker can keep sending malicious messages, A 1 , A 2 , A 3 , generated to consume the battery power of the sensor. The attacker can do so because the sensor only checks the freshness of the timestamp in M 1 . For each of these fake messages, the sensor checks the freshness of the timestamp and proceeds to perform the subsequent cryptographic operations, thereby consuming large amounts of energy. Accordingly, it is necessary to modify the protocol so that the sensor can check if the message M 1 is from a legitimate user, not from an imposter.

The Proposed Protocol
Like Shi et al.'s protocol, our proposed protocol is divided into three phases: the user registration phase, login and authentication phase, and password update phase. Before the protocol is ever executed, the gateway generates two master keys, x and y, and shares a long-term secret key SK GS = h(ID Sn y) with the sensor S n . In describing the protocol, we use the same notations as in Table 2 unless stated otherwise.

Registration Phase
For a user U , this phase is performed only once when U registers itself with the gateway GW . Figure 7 illustrates how the phase works, and its description follows: Figure 7. The registration phase.
(1) The user U chooses its identity ID U and password pw U freely, generates a random number b U , and computes pw U = h(pw U ⊕ b U ). U sends ID U and pw U to GW via a secure channel. (2) The gateway GW computes: (3) Lastly, U inputs the random number b U into the smart card.

Login and Authentication Phase
This phase is carried out whenever U wants to gain access to the WSN. During the phase, U establishes a session key with the sensor S n while being authenticated by the gateway GW . The phase proceeds as follows (see also Figure 8): Step 1. U inserts its smart card into the card reader and inputs its identity ID U and password pw U .
Then, the smart card computes: and checks if B U is equal to B U . If not equal, the smart card aborts the protocol. Otherwise, it retrieves the current timestamp T U , chooses a random number r U ∈ Z * q , and computes: After the computations, the smart card sends the message M 1 = ID U , ID Sn , X, T U , α, ω to the sensor S n .
Step 2. Upon receiving M 1 from U , the sensor S n retrieves the current timestamp T and verifies the freshness of U 's timestamp T U by checking that: where ∆T is the maximum allowed time difference between T U and T . If T U is not fresh, S n rejects U 's request and aborts the protocol. Otherwise, S n checks if ω is equal to the hash value h(ID U h(ID Sn h(x ⊕ y)) T U ). If they are not equal, S n aborts the protocol. Otherwise, S n generates a random number r S ∈ Z * q , retrieves the current timestamp T S , and computes: Then, S n sends the message M 2 = ID U , X, T U , α, ω, ID Sn , Y, T S , β to the gateway GW .

User (U )
Sensor (S n ) Gateway (GW ) Step 3. After receiving M 2 , GW retrieves the current timestamp T and verifies the freshness of the timestamp T S by checking that T − T S ≤ ∆T . If T S is not fresh, GW aborts the protocol. Otherwise, GW computes X = h(ID U x) × X and checks if α equals h(ID U ID Sn X X T U ω) and β equals h(SK GS ID U X T U α ω ID Sn Y T S ). If either of the checks fails, GW aborts the protocol. Otherwise, GW retrieves the current timestamp T G and computes: Then, GW sends M 3 = T G , γ, δ to the sensor S n .
Step 4. Having received M 3 , S n retrieves the current timestamp T and checks if T − T G ≤ ∆T and Only if both the checks hold, S n retrieves the new timestamp T S and computes: Then, S n sends M 4 = Y, T S , T S , δ, τ to the user U .
Step 5. With M 4 in hand, U retrieves the current timestamp T , computes K U S = r U × Y , and checks If any of the checks fail, U aborts the protocol. Otherwise, U computes:

Password Update Phase
Our protocol allows users to freely update their passwords. The password update phase works as follows (see also Figure 9): 1. The user U inserts its smart card into a smart card reader and enters the identity ID U , the old password pw U , and the new password pw U . y)) and checks if B is equal to B. If they are not the same, the password update phase stops. Otherwise, the smart card computes:

The smart card computes pw
and replaces A U , B U and W U with A U , B U and W U , respectively. inserts smart card  Notations used in Table 3  The computational costs of generating a random point and evaluating a map-to-point hash function are about half the cost of performing a scalar-point multiplication. Hash function evaluations and point addition operations are often ignored in cost estimates since they are much faster than scalar-point multiplications. If we ignore hash function evaluations, the computational costs described in Table 3 can be estimated as in Table 4. As shown in Tables 3 and 4

Security Analysis and Verification
In this section, we first provide a heuristic security analysis for the proposed protocol and then formally verify the security analysis by using Rubin logic.

Stolen-Verifier Attack
In WSNs, an attacker may attempt to mount a stolen-verifier attack if the gateway stores a password verifier [30] and then, impersonate a legal user using the verifier stolen from the gateway. However, in our protocol, the gateway does not store a password verifier of any kind but stores only the master secret keys x and y which are used in computing:

Insider Attack
An insider attack occurs when the gateway manager or system administrator can access a user's secret (e.g., user password) and then impersonate the user. However, in our protocol, the user U does not send a plain password to the gateway, but sends only the password-derived hash value pw U = h(pw U ⊕ b U ). Since b U is a sufficiently high-entropy random number, the gateway cannot learn the password pw U from the hash value pw U . In addition, the gateway does not manage any table for storing user passwords or their verifiers (e.g., an ID/password table) Therefore, an insider attack is not possible against our protocol.

Replay Attack
In our protocol, each of the protocol messages (M 1 , M 2 , M 3 and M 4 ) accompanies at least one of the authenticators (α, β, γ, δ, τ and ω) which are generated using a timestamp (T U , T S , T S or T G ) as part of the hash input. The protocol participants (U , S n and GW ) verify the authenticity of incoming messages by checking the freshness of the timestamps and the legitimacy of the authenticators. But, an attacker cannot compute any of the authenticators for a fresh timestamp without knowing an appropriate secret. Therefore, our proposed protocol is secure against replay attacks.

Man-in-the-Middle Attack
It is impossible for an attacker to mount a man-in-the-middle attack against our proposed protocol. In a typical man-in-the-middle attack, an attacker intercepts the messages being exchanged between the communicating parties and instead, sends arbitrary messages for its own benefit impersonating one of them to the other. But, our protocol allow the parties to authenticate all the protocol messages with the authenticators α, β, γ, δ, τ and ω, and therefore, is secure against man-in-the-middle attacks.

Gateway Impersonation Attack
An attacker cannot impersonate the gateway because it cannot forge the message: To generate γ or δ, one needs to know either SK GS or h(ID U x). However, h(ID U x) is the secret shared only between the user and the gateway while SK GS is the secret shared between the sensor and the gateway. Therefore, it is impossible for an attacker to mount a gateway impersonation attack.

User Impersonation Attack
It is impossible for an attacker to impersonate the user as it cannot forge the message: The attacker should know X to compute α and should know h(x ⊕ y) to compute ω. But, the attacker knows neither X nor h(x ⊕ y) and therefore, cannot mount a user impersonation attack.

Sensor Impersonation Attack
An attacker cannot impersonate the sensor because it can forge the messages M 2 = ID U , X, T U , α, ω, ID Sn , Y, T S , β and M 4 = Y, T S , T S , δ, τ . The attacker cannot compute β without knowing SK GS and cannot compute δ without knowing the secret h(ID U x). But, the attacker knows neither SK GS nor x and therefore, cannot mount a sensor impersonation attack.

Mutual Authentication
Mutual authentication is an important security property that an authentication protocol should achieve [31,32]. Our proposed protocol provides mutual authentication among the three parties: the user, the sensor and the gateway.
• The gateway authenticates the user using α in M 2 .
• The gateway authenticates the sensor using β in M 2 .
• The sensor authenticates the gateway using γ in M 3 .
• The user authenticates the gateway using δ in M 4 .
• The user and the sensor authenticate each other via δ from the gateway.
This means that our protocol achieves mutual authentication.

Perfect Forward Secrecy
Perfect forward secrecy means that a session key derived from a set of long-term keys will not be compromised even if one of the long-term keys is compromised in the future. The proposed protocol uses the session key sk = h(X Y r S × X) for the sensor and sk = h(X Y r U × Y ) for the user. Even though h(ID U x) and x are compromised, an attacker cannot know r U or r S . Under the assumption that the ECCDHP problem is hard, the attacker cannot compute r S from r S × X and r U from r U × Y . Therefore, our protocol provides perfect forward secrecy.

Key Agreement
The proposed protocol provides key agreement between the user and the sensor. To the session-key computation, the user contributes its random number r U while the sensor contributes its random number r S . It is straightforward to verify that K SU and K U S are equal: it is clear that the user and the sensor compute session keys of the same value:

Session Key Attack
In our protocol: • α is combined with two identities ID U and ID Sn , which indicates that the user U wants to communicate with the sensor S n , • δ is also combined with ID U and ID Sn , which indicates that the gateway has authenticated both the user ID U and the sensor ID Sn .
But, no attacker can compute α and δ, and therefore, can share a session key with the user.

Stolen Smart Card Attack
In Shi et al.'s protocol, the attacker can obtain b U and B U from the smart card and thus can use ) as the password verifier in its offline dictionary attack. However, in our protocol, B U is computed as B U = h(ID U pw U h(x ⊕ y)). Even if the attacker obtains b U and B U from the smart card, it cannot use B U as a password verifier since it does not know the hash value h(x ⊕ y). Therefore, no attacker can mount an offline dictionary attack against our protocol.

Sensor Energy Exhausting Attack
In Shi et al.'s protocol, the sensor has to generate a random number and execute a scalar-point multiplication whenever it receives the message M 1 from the user. Random number generations and scalar-point multiplications are expensive and exhaust a large amount of the sensor's energy. This makes Shi et al.'s protocol vulnerable to a sensor energy exhausting attack. However, in our protocol, the sensor first checks the validity of ω = h(ID U h(ID Sn h(x ⊕ y)) T U ) before generating a random number and performing a scalar-point multiplication. Checking the validity of ω only requires one hash function evaluation. Therefore, our proposed protocol is secure against a sensor energy exhausting attack. Table 5

Rubin Logic Verification
We analyze the proposed protocol using Rubin logic which can be applicable in analyzing an authentication protocol. Rubin logic integrates protocol analysis with specification and uses the notions of global sets, local sets, and actions. As the protocol run is progressed, the possession and belief sets (specified by local sets) are modified for each principal by inference rules (specified by global sets) and actions [33,34]. As the possession and belief sets are modified, secret set and observers sets (specified by global sets) are modified as well.
Global Sets. The first step of the specification of any protocol using Rubin logic is to instantiate the global sets with values. Global sets are public to each principal in a protocol specification.
• Principal Set: This set contains the principals who participate in a protocol.
• Rule Set: This set contains inference rules for deriving new statements from existing assertions.
• Secret Set: This set contains all of the secrets that exist at any given time in the system.
• Observers Sets: For each secret, its set contains all the principals who could possibly know the secret by listening to network traffic or generating it themselves.
Local Sets. Local sets are private to each principal in a protocol specification [35]. For each principal, P i , Rubin logic defines the following sets: • Possession Set(P i ): This set contains all the data relevant to security that this principal knows or possesses. We denote this set by POSS(P i ) = (poss 1 , poss 2 , · · · , poss n ). • Belief Set(P i ): This set contains all the beliefs hold by a principal. For example, the keys it holds between itself and other principals, beliefs about jurisdiction, beliefs about freshness, and beliefs about the possessions of other principals. We denote this set by BEL(P i ) = (bel 1 , bel 2 , · · · , bel n ).
• Behavior List(P i ): This item is a list rather than a set because the elements are ordered.
Actions. Rubin logic defines actions for dealing with the knowledge in a protocol [36]. The action lists that precede and follow message operations in a principal's behavior list determine a sequence of events performed by the principal during a protocol run. We use the following actions: Here, Concat(X 1 , X 2 , · · · , X n ) is the action that concatenates the submessages X 1 , X 2 , · · · , X n .

Protocol Specification
Notations used for the protocol specification is the same as those in Table 2. Phases 1, 2 and 3 represent the registration phase, the login and authentication phase, and the password updated phase. The global and local sets for the protocol are specified as follows: Global Sets. The global sets are specified as follows: • Principal set: A principal is one of U , S n and GW . U is the protocol initiator.  Table 6. Local sets specification for principal U .

Analysis and Verification
In phase 1, U initiates the protocol, and then the actions in BL(U ) are performed. Firstly, (U1)-(U3) actions in BL(U ) are performed, which represent that U sends ID U and pw U to GW for registration. Next, (GW1)-(GW8) actions in BL(GW ) are performed to generate A U , B U , K U and W U , and to send them to U . By (GW8), GW deletes ID U , pw U , A U , B U , K U and W U from POSS(GW ) and BEL(GW ). Lastly, the (U4) action in BL(U ) is executed, then phase 1 is finished. Due to the (GW8) forget action, the local sets of GW are not changed. However, the local sets of principal U are changed as described below.
Accordingly, the global sets are modified as follows: • Secret set: {pw U , b U , pw U , x, y, SK GS , h(x ⊕ y)} • Observers sets: In the (U5)-(U8) actions in BL(U ) of phase 2, the smart card authenticates U , who inputs ID U and pw U , by checking whether B U and B U are same or not. Next, the (U9)-(U15) actions are executed to generate the protocol values X, X , h(x ⊕ y), ω, α and r U . After the (U16) update action, the local sets of U are changed as follows: Then, the global sets are modified as follows: In phase 3, U changes its password and updates A U , B U and W U stored in the smart card. In this phase, the local sets of U and the global sets remain unchanged.
The following shows the final version of the global sets. This result implies that: • pw U , b U and pw U are known only to the user U . • x and y are known only to the gateway GW .
• The long-term key SK GS shared between S n and GW is not exposed.
• X is only known to U and GW .
• K U S and K SU are only available to U and S n .
• The session key sk is securely shared between U and S n .
• h(x ⊕ y) is only known to the authorized principals: U , S n and GW .
• U , S n and GW are mutually authenticated during the protocol execution.
This verifies the security claims we made in the previous subsection.

Conclusions
In this paper, we have identified that Shi et al.'s ECC-based authentication protocol designed for wireless sensor networks (WSNs) is vulnerable to: a session key attack, a stolen smart card attack, and a sensor energy exhausting attack. We have also proposed a new authentication protocol that addresses the identified security weaknesses. Our proposed protocol is as efficient as Shi et al.'s protocol and is better suited for WSNs than Yeh et al.'s protocol, the predecessor of Shi et al.'s protocol. As for the security of the proposed protocol, we have provided a heuristic analysis and formally verified the analysis using Rubin logic.