Enhanced Two-Factor Authentication and Key Agreement Using Dynamic Identities in Wireless Sensor Networks

Key agreements that use only password authentication are convenient in communication networks, but these key agreement schemes often fail to resist possible attacks, and therefore provide poor security compared with some other authentication schemes. To increase security, many authentication and key agreement schemes use smartcard authentication in addition to passwords. Thus, two-factor authentication and key agreement schemes using smartcards and passwords are widely adopted in many applications. Vaidya et al. recently presented a two-factor authentication and key agreement scheme for wireless sensor networks (WSNs). Kim et al. observed that the Vaidya et al. scheme fails to resist gateway node bypassing and user impersonation attacks, and then proposed an improved scheme for WSNs. This study analyzes the weaknesses of the two-factor authentication and key agreement scheme of Kim et al., which include vulnerability to impersonation attacks, lost smartcard attacks and man-in-the-middle attacks, violation of session key security, and failure to protect user privacy. An efficient and secure authentication and key agreement scheme for WSNs based on the scheme of Kim et al. is then proposed. The proposed scheme not only solves the weaknesses of previous approaches, but also increases security requirements while maintaining low computational cost.


Authentication and Key Agreement for WSNs
An authentication and key agreement scheme for WSNs comprises users, sensor nodes and a gateway node (GWN), and enables a user and sensor nodes to realize mutual authentication and to negotiate a common secret key with the help of the GWN. The legitimate user and sensor nodes then establish a secure and authenticated channel [1–9], as shown in Figure 1. A password-based authentication and key agreement scheme uses only a weak password for user authentication, and is the most convenient authentication method. However, such schemes tend to suffer from several possible attacks, and thus have poor security. To improve security, many authentication and key agreement schemes supplement password authentication with long-term secret keys stored in RFID tags or smartcards [1,8–12]. Since long-term secret keys are not easy to guess or break, two-factor authentication schemes that realize identification using passwords and smartcards may increase security, and thus are suitable for WSNs.

Several efficient two-factor authentication and key agreement schemes for WSNs have been presented recently. For example, in 2009 Das proposed a two-factor authentication and key agreement scheme using passwords and smartcards [1]. The scheme of Das has low computational cost, and is suitable for resource-constrained WSNs. Many improved authentication and key agreement schemes [9–13] were proposed later to solve the security weaknesses in the Das scheme. Chen and Shih [11] in 2010 provided an improved scheme based on the Das scheme to ensure that a legal user can use a WSN in a public environment. Yeh et al. [14] in 2011 presented a user authentication scheme based on Elliptic Curve Cryptography (ECC) to overcome the perceived security weaknesses of the scheme of Chen and Shih [11]. However, the scheme of Yeh et al. [14] requires time-consuming scalar multiplications on an elliptic curve, and is still insecure against several possible types of attack, and thus fails to provide a secure and efficient solution for WSNs. Vaidya et al. [15] in 2012 showed that the Das scheme and its derivatives not only have security flaws, but also do not provide key agreement. Additionally, Kim et al. [16] pointed out in 2014 that the scheme of Vaidya et al. fails to resist gateway node bypassing and user impersonation attacks, and proposed an improved scheme that eliminates such security weaknesses and is efficient in terms of computational and communication cost. However, their scheme still fails to withstand some possible attacks, since any legitimate user can obtain the secret keys of sensor nodes, so that an adversary can perform impersonation, lost smartcard and man-in-the-middle attacks. Moreover, their scheme violates session key security, and fails to provide user privacy protection.

Our Contributions
This investigation presents an efficient and secure authentication and key agreement scheme for WSNs to address the weaknesses of the two-factor scheme of Kim et al. [16]. The proposed scheme protects user privacy by using dynamic identities, and by eliminating constant parameters in request messages. Our scheme also encrypts the communicating messages with temporary secret keys rather than constant secret keys of users and sensor nodes, and diminishes redundant variables to ensure session key security. It overcomes the weaknesses in previous schemes, increases security requirements and maintains low computational cost.

Organization of the Paper
The remainder of this investigation is organized as follows: Section 2 lists the notations and definitions adopted in this investigation, reviews the two-factor authentication and key agreement scheme for WSNs of Kim et al. [16], and analyzes its weaknesses. Section 3 presents the proposed authentication and key agreement scheme using dynamic identities for WSNs. Section 4 and Section 5 present the results of the security and performance evaluation, respectively. Finally, Section 6 draws the conclusions.

Preliminaries
This section lists the notations adopted in this paper, describes the underlying primitives used in this investigation, briefly reviews the two-factor authentication and key agreement scheme for WSNs of Kim et al. [16], and then addresses the weaknesses of their scheme.
Assume that $U_i$ denotes the $i$th user, $S_j$ denotes the $j$th sensor node, and GWN denotes the gateway node with which $U_i$ and $S_j$ are registered. Table 1 lists the notations used throughout this paper.

Table 1 (entries recoverable from the page):
$T_i, T_G, T_j$: The timestamp values
$h(\cdot)$: A collision-free one-way hash function
$f(x, k)$: Pseudo-random function of variable $x$ with key $k$
$A \to B: M$: $A$ sends message $M$ to $B$ through a common channel

Kim et al. [16] in 2014 proposed an improved two-factor authentication and key agreement scheme for WSNs. Their improved scheme comprises registration, login, authentication and key agreement, and password change phases, which are described as follows:

Registration Phase
In the registration phase, $U_i$ registers his/her identity and password with GWN. Then, GWN personalizes a smartcard for $U_i$. Meanwhile, $S_j$ keeps $(SID_j, X_{S_j}^*)$ in its storage before being deployed, where $X_{S_j}^* = h(SID_j \| x_s)$:
Step 1: $U_i \to$ GWN: $\{ID_i, HPW_i\}$. $U_i$ selects $ID_i$, password $pw_i$ and a random number $RN_r$, computes $HPW_i = h(pw_i \| RN_r)$ and sends $\{ID_i, HPW_i\}$ to GWN via a secure channel.

Login Phase
Step 1: $U_i$ inserts his/her smart card into a terminal and enters $ID_i^*$ and $PW_i^*$.
Step 2: The smart card computes $RN_r$ using $h(ID_s \| HPW_i^*)$ and $B_i^* = h(HPW_i^* \oplus X_{S_i}^*)$, and verifies whether $B_i^* = B_i$. If unsuccessful, the smart card aborts this request; otherwise, the smartcard computes the request values, where $RN_i$ is a nonce and $T_i$ is the current timestamp. Then the smartcard sends the authentication request to GWN.

Authentication and Key Agreement Phase
This phase enables $U_i$ and $S_j$ to authenticate each other and to negotiate a secret key, and functions as follows:
Step 1: If successful, GWN computes $X_{S_j} = h(SID_j \| x_s)$ and $M_{G,S_j} = h(DID_i \| SID_j \| X_{S_j} \| T_G)$, and sends $\{DID_i, M_{G,S_j}, T_G\}$ to $S_j$, where $S_j$ is the nearest sensor node to $U_i$ and $T_G$ is the current timestamp.
Step 2: $S_j \to$ GWN: $\{y_j, M_{S_j,G}, T_j\}$. $S_j$ checks the validity of $T_G$, computes $M_{G,S_j}^* = h(DID_i \| SID_j \| X_{S_j}^* \| T_G)$ and checks whether $M_{G,S_j}^* = M_{G,S_j}$.
Step 4: The smart card checks the validity of $T_G'$ and computes $RN_j = y_j \oplus X_{S_j}$ and $z_i$. If successful, $U_i$ computes $X_{S_j} = q_j \oplus RN_j$ and the session key $K_S = f((DID_i \| RN_j), X_{S_j})$. Then, $U_i$ and $S_j$ successfully realize mutual authentication and share a common session key $K_S$.

Password Change Phase
This phase allows user $U_i$ to change his/her password by performing the following steps:
Step 1: $U_i$ inserts his/her smartcard and inputs his/her identity $ID_i^*$, old password $pw_i^*$ and a new password $pw_{ni}$.
Step 2: The smart card computes $RN_r$ and checks whether $B_i^* = B_i$. If successful, the smart card

Limitations of the Authentication and Key Agreement Scheme of Kim et al.
This subsection addresses the weaknesses of the authentication and key agreement scheme of Kim et al. [16], which include: vulnerability to impersonation, lost smartcard and man-in-the-middle attacks; violation of session key security, and failure to protect user privacy.

Security Against Impersonation Attacks
In the scheme of Kim et al., any legitimate user can obtain the sensor node $S_j$'s secret $X_{S_j}^*$ after performing the login phase followed by the authentication and key agreement phase. A malicious user $A$ can then easily impersonate $S_j$ to communicate with GWN and any user $U_i$ by using the following steps:
Step 1: On receiving the message
Step 2: Next, $A$ is authenticated by GWN, since GWN successfully checks $T_j$ and $M_{S_j,G}$.
Step 3: Then, $A$ computes the session key $K_S = f((DID_i \| RN_j'), X_{S_j})$ shared with $U_i$. Thus, $A$ successfully impersonates $S_j$ to communicate with GWN and $U_i$.

Security against Lost Smart Card Attacks
The malicious user $A$ gets $(ID_s, \ldots)$ and can impersonate $U_i$ to communicate with GWN and any sensor node $S_j$ by using the following steps:
Step 1: $A$ collects previous messages between $U_i$, GWN and $S_{j_0}$, which include $(\ldots)$, and has $S_{j_0}$'s secret $X_{S_{j_0}}$.
Step 2:
Step 3:
Step 4: The adversary $A$ computes $RN_j = y_j \oplus X_{S_j}$ and $X_{S_j} = q_j \oplus RN_j$. Then, $A$ successfully obtains the session key $K_S = f((DID_i' \| RN_j), X_{S_j})$ shared with $S_j$.

Security against Man-in-the-Middle Attacks
Additionally, a legitimate user $A$ who has $S_j$'s secret $X_{S_j}^*$ can successfully perform a man-in-the-middle attack by using the following steps:
Step 1: User $A$ intercepts the communications between GWN and $S_j$. After receiving the message
Step 2: On receiving the message $\{y_j, \ldots\}$, where $RN_j$ is a nonce selected by $S_j$ and $RN_j'$ is a nonce selected by $A$, respectively,
Step 3: GWN successfully checks $T_j$ and computes $RN_j$
Step 4: The smart card successfully checks $T_G'$ and computes $RN_j$. Then $U_i$ computes $X_{S_j} = q_j' \oplus RN_j'$ and the session key $K_S' = f((DID_i \| RN_j'), X_{S_j})$ shared with $A$. $S_j$ computes the session key $K_S'' = f((DID_i \| RN_j), X_{S_j})$ shared with $A$.

Violation of Session Key Security
Moreover, the legitimate user $A$ can derive each $RN_j$ by computing $y_j \oplus X_{S_j}^*$ and calculate all used session keys $K_S = f((DID_i \| RN_j), X_{S_j})$ of $U_i$ and $S_j$, since $A$ has $X_{S_j}^*$ and $DID_i$. Then, $A$ derives all transmitted secrets between $U_i$ and $S_j$. Therefore, the scheme of Kim et al. violates session key security.

Failure to Protect User Privacy
In the scheme of Kim et al., $U_i$'s identity $ID_i$ is protected with GWN's secret key $K$ and the hash function $h(\cdot)$, and is not revealed. However, the parameter $HID_i = h(ID_i \| K)$ in the request message $\{DID_i, M_{U_i,G}, v_i, T_i, HID_i\}$ from $U_i$ depends on $U_i$'s $ID_i$ and is constant across logins. An adversary can then easily determine whether any two request messages come from the same user by comparing $HID_i$. Thus, the scheme of Kim et al. fails to exhibit data unlinkability, and cannot realize privacy protection of users [17].

Proposed Authentication and Key Agreement Scheme Using Dynamic Identities for WSNs
This section presents a secure authentication and key agreement scheme based on the scheme of Kim et al. [16] for WSNs. The proposed scheme appends a dynamic identity for the user and eliminates constant parameters from the user's request messages, such that any two request messages are independent and indistinguishable. It also encrypts the communicating messages with temporary secret keys rather than the constant secret keys of users and sensor nodes, and diminishes redundant variables. Additionally, the proposed scheme modifies sensor nodes' secret keys such that a sensor node cannot derive other sensor nodes' secret keys. Consequently, an adversary cannot discover the secret keys of users and sensor nodes, and thus cannot recover the session keys used or the secrets transmitted. The proposed scheme also has registration, login, authentication and key agreement, and password change phases. The password change phase is the same as that of the scheme of Kim et al., and therefore is not presented here.

Registration Phase
In the registration phase, $U_i$ registers his/her identity and password with GWN. Then, GWN personalizes a smart card for $U_i$. Meanwhile, $S_j$ keeps $(SID_j, X_{S_j}^*)$ in its storage before being deployed, where $X_{S_j}^* = h(SID_j \| K)$:
Step 1: $U_i \to$ GWN: $\{ID_i, HPW_i\}$. $U_i$ selects $ID_i$, password $pw_i$ and a random number $RN_r$, computes $HPW_i = h(pw_i \| RN_r)$ and sends $\{ID_i, HPW_i\}$ to GWN via a secure channel.
Step 2: … and personalizes the smartcard for $U_i$ with the parameters: Then, GWN sends the smartcard to $U_i$ via a secure channel. GWN also stores the parameters $(TID_i, TID_i'', HID_i)$ in its storage for $U_i$, where $TID_i$ is the temporal identity for $U_i$'s next login, $TID_i = RN_G$, $RN_G$ is a nonce, and $TID_i'' = $ "" (the empty string).
Step 3: $U_i$ computes $XPW_i = h(pw_i) \oplus RN_r$ and inserts $XPW_i$ into his/her smartcard.

Login Phase
In this phase, user $U_i$ inserts his/her smart card, inputs his/her identity and password, and sends the service request to GWN. Figure 2 illustrates the login phase, which works as follows.
Step 1: $U_i$ inserts his/her smart card into a terminal and enters $ID_i^*$ and $pw_i^*$.
Step 2: The smartcard computes $RN_r$ using $h(ID_s \| HPW_i^*)$ and $B_i^* = h(HPW_i^* \oplus X_{S_i}^*)$, and verifies whether $B_i^* = B_i$. If unsuccessful, the smartcard aborts this request; otherwise, the smart card computes a temporary secret key $k_i = h(X_{S_i}^* \| T_i)$, where $T_i$ is the current timestamp. Then the smartcard sends the authentication request $\{DID_i, M_{U_i,G}, T_i, TID_i\}$ to GWN.


Sensors 2015, 15
Authentication and Key Agreement Phase
This phase enables $U_i$, GWN and $S_j$ to authenticate each other, and to establish a common session key for $U_i$ and $S_j$. Figure 3 illustrates the authentication and key agreement phase, which works as follows:
Step 1: GWN $\to S_j$: $\{DID_i, M_{G,S_j}, T_G\}$. GWN checks the validity of $T_i$ and retrieves $U_i$'s information $HID_i$ by using $TID_i$. If $TID_i$ is not found, then GWN retrieves $HID_i$ by using $TID_i''$. If unsuccessful, GWN rejects this service request; otherwise, GWN computes $X_{S_i} = h(HID_i \| K)$ and $k_i = h(X_{S_i} \| T_i)$. GWN then computes $X_{S_j} = h(SID_j \| K)$ and $M_{G,S_j} = h(DID_i \| SID_j \| X_{S_j} \| T_G)$, and sends $\{DID_i, M_{G,S_j}, T_G\}$ to $S_j$, where $S_j$ is the nearest sensor node to $U_i$ and $T_G$ is the current timestamp.
Step 2: $S_j \to$ GWN: $\{M_{S_j,G}, T_j\}$. $S_j$ checks the validity of $T_G$, computes $M_{G,S_j}^* = h(DID_i \| SID_j \| X_{S_j}^* \| T_G)$ and checks whether $M_{G,S_j}^* = M_{G,S_j}$. If successful, $S_j$ computes a temporary secret key $k_j = h(X_{S_j}^* \| T_j)$, where $T_j$ is the current timestamp.

Security Analyses
This section analyzes the security of the proposed authentication and key agreement scheme. The proposed scheme provides mutual authentication, session key security, user privacy protection and known-key security, and resists privileged insider, impersonation and stolen-verifier attacks. Since the proposed scheme is based on the scheme of Kim et al. [16], the analyses of its resistance to possible attacks, including replay attacks, parallel session attacks, privileged insider attacks and password guessing attacks, closely resemble those for the scheme of Kim et al., and so are not presented here.
The following descriptions show that the proposed scheme provides the indistinguishability in the Real-or-Random model [17][18][19].

AKE Security (Session Key Security)
This definition states that an adversary cannot effectively distinguish between two messages from a challenger. One message is computed with the real session key and the other with a random string, the choice being made by an unbiased coin $c$. The adversary selects one message and sends it to the challenger. The challenger flips the unbiased coin $c$ and returns the message computed with the real session key if $c = 1$, or the message computed with a random string if $c = 0$. The adversary aims to correctly guess the value of the hidden bit $c$. The advantage with which an adversary violates the indistinguishability of a scheme is denoted $\mathrm{Adv}^{ake}(A)$, and is defined as: where $E$ denotes the event that the adversary wins this game. The scheme is AKE-secure if $\mathrm{Adv}^{ake}(A)$ is negligible [17–19].

Mutual Authentication (MA) Security
In executing a scheme, the adversary $A$ violates mutual authentication if $A$ can successfully fake an authenticator $M_{U_i,G}$, $M_{G,S_j}$, $M_{S_j,G}$ or $M_{G,U_i}$. The probability of this event is denoted $\mathrm{Adv}^{ma}(A)$. The scheme is MA-secure if $\mathrm{Adv}^{ma}(A)$ is negligible [17–19].
The Difference Lemma [20] is used within our sequence of games (SOG), and is stated as follows:
Lemma 1 (Difference Lemma). Let $A$, $B$ and $F$ be events defined in some probability distribution, and suppose that $A \wedge \overline{F} \Leftrightarrow B \wedge \overline{F}$. Then $|\Pr[A] - \Pr[B]| \le \Pr[F]$.

Session Key Security
Theorem 1. The advantage with which an adversary breaks the AKE security of the proposed scheme is: where $\mathrm{Adv}^{sk}$ denotes the advantage with which an adversary breaks the long-term secret key and $l$ is a security parameter.

Proof:
The proof consists of a sequence of games starting at game $G_0$. Each game $G_i$ defines the probability of the event $E_i$ that the adversary wins this game. The first game is the real attack against the protocol, and the terminal game $G_2$ concludes that the adversary has a negligible advantage in breaking the AKE security of the proposed scheme. Assume that the challenger $A_1$ attempts to break the long-term secret keys ($X_{S_i}$ and $X_{S_j}$), and the adversary $A_{ake}$ is constructed to break the session key security. Then $A_{ake}$ tries to distinguish the real session key from a random string. The challenger $A_1$ sets up the parameters used, starts simulating the scheme and returns the real session key or a random string to $A_{ake}$ by flipping an unbiased coin $c \in \{0, 1\}$. The adversary $A_{ake}$ outputs its guess bit $c'$ and wins if $c' = c$.

Game $G_1$: This game transforms game $G_0$ into game $G_1$ by replacing the long-term secret keys $X_{S_i}$ and $X_{S_j}$ with two random numbers. Thus, by using Lemma 1, we have:
Game $G_2$: This game transforms game $G_1$ into game $G_2$ by replacing $k_i$ ($= h(X_{S_i} \| T_i)$) and $k_j$ ($= h(X_{S_j} \| T_j)$) with two random numbers. Then, games $G_1$ and $G_2$ are indistinguishable except for collisions of the hash function in $G_2$. Thus, by using the birthday paradox and Lemma 1, we have:
Game $G_3$: This game transforms the previous game by replacing $K_S$ with a random number. Similarly, games $G_2$ and $G_3$ are indistinguishable except for collisions of the hash function in $G_3$, and thus we have:
Therefore, the probability of the event that $A_1$ outputs 1 when the response message is obtained using the real session key is equal to the probability of the event that $A_{ake}$ correctly guesses the hidden bit $c$ in game $G_2$. Similarly, the probability of the event that $A_1$ outputs 1 when the response message is obtained using a random string is equal to the probability of the event that $A_{ake}$ correctly guesses the hidden bit $c$ in game $G_3$. All session keys are random and independent, and no information about $c$ is revealed. Thus, we have:
Combining Equations (1)–(5), we have:
$$\mathrm{Adv}^{ake}(A_{ake}) \le 3/2^{l-1} + 4 \cdot \mathrm{Adv}^{sk}(A_1)$$
This concludes the proof.

Mutual Authentication
Theorem 2. Let $\mathrm{Adv}^{ma}$ be the advantage in violating the mutual authentication of the proposed scheme. Then, $\mathrm{Adv}^{ma}$ is negligible, and thus the proposed scheme provides mutual authentication.
Proof: The proof also consists of a sequence of games. The first game $G_0$ is the real attack against the proposed protocol, and the terminal game $G_3$ concludes that the adversary has a negligible advantage in breaking the mutual authentication of the proposed protocol. Assume that $\mathrm{Adv}^{sk}$ denotes the advantage with which an adversary breaks the long-term secret keys and $l$ is a security parameter. The challenger $A_2$ attempts to break the long-term secret keys of the proposed scheme, and the adversary $A_{ma}$ is constructed to break the mutual authentication security of the scheme. The adversary $A_{ma}$ wins this game if he/she successfully fakes an authenticator $M_{U_i,G}$, $M_{G,S_j}$, $M_{S_j,G}$ or $M_{G,U_i}$.
Game $G_0$: This game corresponds to the real attack. By definition, we have:
Game $G_1$: This game transforms game $G_0$ into game $G_1$ by replacing $X_{S_i}$ and $X_{S_j}$ with two random numbers. Thus, by using Lemma 1, we have:
Game $G_2$: This game transforms game $G_1$ into game $G_2$ by replacing $k_i$ and $k_j$ with two random numbers. Thus, by using the birthday paradox and Lemma 1, we have:
Game $G_3$: This game transforms the previous game by replacing the authenticators with random numbers. Similarly, games $G_2$ and $G_3$ are indistinguishable except for collisions of the hash function in $G_3$, and thus we have:
Therefore, the probability of the event that $A_2$ outputs 1 when the authenticator is computed using the real secret key is equal to the probability of the event that $A_{ma}$ correctly guesses the hidden bit $c$ in game $G_2$. Similarly, the probability of the event that $A_2$ outputs 1 when the authenticator is obtained using a random string is equal to the probability of the event that $A_{ma}$ correctly guesses the hidden bit $c$ in game $G_3$. Since no information on the authenticator is leaked to the adversary, we have:
Combining Equations (6)–(10), the advantage with which the adversary violates the mutual authentication of the proposed scheme is:
$$\mathrm{Adv}^{ma}(A_{ma}) \le 4 \cdot \mathrm{Adv}^{sk}(A_2) + 3/2^{l-2} \qquad (11)$$
and thus is negligible.

Privacy Protection of Users
Theorem 3. The proposed scheme provides privacy protection of users.

Proof:
The proposed scheme does not reveal the user's real identity $ID_i$; it replaces the constant temporal identity $HID_i$ with a dynamic user identity $TID_i$, and eliminates constant parameters from the user's request messages. Consequently, any two request messages are independent and indistinguishable. The proposed scheme thus exhibits user anonymity, unlinkability and data untrackability [21]. Accordingly, the proposed scheme provides users with privacy protection.
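The linkability weakness of the constant $HID_i$ in Kim et al.'s request (Section 2) and the dynamic $TID_i$ lookup with the $TID_i''$ fallback that the proposed registration and authentication phases use instead, as an added Python simulation that is not the paper's own code. It assumes SHA-256 for $h(\cdot)$, byte concatenation for $\|$, a toy Gateway class standing in for GWN's storage of $(TID_i, TID_i'', HID_i)$, and it goes slightly beyond the text by rotating $TID_i$ twice to show exactly when an old value stops resolving.

```python
import hashlib
import secrets


def h(*parts):
    """h(.): collision-resistant one-way hash over the concatenation (||) of parts."""
    return hashlib.sha256(b"".join(parts)).digest()


K = secrets.token_bytes(32)  # GWN master secret K (constructed for this demo)


def kim_request(id_i, t_i):
    """Login request of Kim et al.: HID_i = h(ID_i || K) is identical in every login."""
    return {"HID_i": h(id_i, K), "T_i": t_i}


def proposed_request(tid_i, t_i):
    """Login request of the proposed scheme: only the one-time TID_i names the user."""
    return {"TID_i": tid_i, "T_i": t_i}


class Gateway:
    """GWN side of the proposed scheme: keeps (TID_i, TID_i'', HID_i) per user."""

    def __init__(self):
        self.tids = {}    # HID_i -> [TID_i, TID_i'']
        self.index = {}   # TID value -> HID_i (covers both the current and previous TID)

    def register(self, id_i):
        """Registration phase: HID_i = h(ID_i || K), TID_i = RN_G, TID_i'' = ''."""
        hid_i = h(id_i, K)
        tid_i = secrets.token_bytes(16)          # nonce RN_G
        self.tids[hid_i] = [tid_i, b""]
        self.index[tid_i] = hid_i
        return tid_i

    def resolve(self, tid):
        """Step 1 lookup: HID_i via TID_i, else via TID_i''; None if neither matches."""
        return self.index.get(tid)

    def rotate(self, hid_i):
        """Issue the next TID_i; the current one becomes TID_i'' so a user whose
        update message was lost is still recognised once with the old value."""
        current, previous = self.tids[hid_i]
        self.index.pop(previous, None)           # the older fallback is retired
        new_tid = secrets.token_bytes(16)
        self.tids[hid_i] = [new_tid, current]
        self.index[new_tid] = hid_i
        return new_tid


def temp_key(hid_i, t_i):
    """k_i = h(X_{S_i} || T_i) with X_{S_i} = h(HID_i || K): GWN can recompute it
    only after HID_i has been resolved from the TID_i carried in the request."""
    x_si = h(hid_i, K)
    return h(x_si, t_i.to_bytes(8, "big"))


def linkable(req_a, req_b):
    """Passive linking test: do two requests share any non-timestamp field?"""
    return any(req_a[k] == req_b[k] for k in req_a if k != "T_i")


if __name__ == "__main__":
    user = b"user-42"  # constructed identity ID_i
    print("Kim et al. requests linkable:", linkable(kim_request(user, 1), kim_request(user, 2)))
    gwn = Gateway()
    t0 = gwn.register(user)
    hid = gwn.resolve(t0)
    t1 = gwn.rotate(hid)
    print("proposed requests linkable:  ", linkable(proposed_request(t0, 1), proposed_request(t1, 2)))
    print("old TID_i still resolves once:", gwn.resolve(t0) == hid)
```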

Known-Key Security
Theorem 4. The proposed scheme provides known-key security.
Proof: Since the parameters $DID_i$ and $k_j$ are independent among scheme executions, the session keys $K_S = f(DID_i, k_j)$ generated in different runs are independent, where $DID_i = h(HPW_i \| X_{S_i}) \oplus h(X_{S_i} \| T_i)$ and $k_j = h(X_{S_j} \| T_i)$. Accordingly, the proposed scheme provides known-key security.

Resistance to Impersonation Attacks
Theorem 5. The proposed scheme withstands impersonation attacks.
Proof: An adversary who tries to impersonate $U_i$ fails to compute $k_i = h(X_{S_i} \| T_i)$,

Resistance to Lost Smartcard Attacks
Theorem 7. The proposed scheme withstands lost smart card attacks.
Proof: An adversary who steals user $U_i$'s smartcard and copies the message $(ID_s, h(\cdot), \ldots)$ still fails to send out the correct authentication request $\{DID_i, M_{U_i,G}, T_i, TID_i\}$ without the correct $ID_i$ and $pw_i$. Consequently, the failed login is detected by GWN in the authentication and key agreement phase, and thus the enhanced scheme withstands lost smartcard attacks.

Resistance to Sensor Node Capture Attacks
Theorem 8. The proposed scheme withstands sensor node capture attacks.

Proof:
The enhanced scheme eliminates the secret key $x_s$ shared by all sensor nodes and GWN in the WSN, and modifies the sensor node $S_j$'s secret key to $X_{S_j} = h(SID_j \| K)$. That is, each $S_j$ no longer needs to maintain $x_s$. Thus, an attacker $A$ who has captured $S_{j'}$ and obtained $(SID_{j'}, X_{S_{j'}})$ cannot derive any other $S_j$'s secret key, and also cannot impersonate $U_i$, GWN or any other $S_j$.

Performance Evaluation
… Tables 2 and 3 [16], where $H$ denotes the execution time of a one-way hash function operation, and $X$ denotes the execution time of an exclusive-or operation. Table 4 lists our simulation environment, including the hardware/software specifications and the algorithms used. The proposed scheme involves a user $U_i$, a sensor node $S_j$ and a gateway node GWN. The user $U_i$ is simulated using a personal computer, the sensor node $S_j$ using a mobile device, and the gateway node GWN using a powerful server. The first comparison item in Table 2 lists the computational cost of the login and authentication-key agreement phases. Vaidya et al. [15] requires 15 hash function and 13 exclusive-or operations; Li et al. [9] requires 11 hash function and 5 exclusive-or operations; Kim et al. [16] requires 11 hash function and 5 exclusive-or operations; and the proposed scheme requires 25 hash function and 10 exclusive-or operations. The subsequent comparison item is the number of random numbers used. The proposed scheme requires three random numbers, which is fewer than the related schemes require. The comparison item in Table 3 lists the simulation time of the login and authentication-key agreement phases. Although the proposed scheme requires more computations and more simulation time than the related schemes, it is still computationally simple and retains low energy consumption. Table 5 compares the functionality of the proposed scheme with that of comparable schemes.
The comparison items include resistance to possible attacks and provision of security requirements. Kim et al.'s improved scheme [16] is based on Vaidya et al.'s scheme [15], and therefore has similar security problems. Accordingly, both the Vaidya et al. [15] and Kim et al. [16] schemes fail to withstand possible attacks, including impersonation, lost smartcard and man-in-the-middle attacks. Neither provides session key security or protects user privacy. Additionally, Li et al.'s scheme [9] fails to withstand impersonation and stolen-verifier attacks, and fails to provide privacy protection. The proposed scheme appends a dynamic identity, eliminates redundant parameters, encrypts the communicating messages with temporary secret keys, and modifies sensor nodes' secret keys such that a sensor node cannot derive other sensor nodes' secret keys; it thus withstands possible attacks and provides privacy protection. Therefore, the proposed scheme provides more functionalities and security properties than the other examined schemes, and retains low computational cost.
Table 5. Comparison of the related schemes and the proposed scheme.