Efficient and Secure Temporal Credential-Based Authenticated Key Agreement Using Extended Chaotic Maps for Wireless Sensor Networks

A secure temporal credential-based authenticated key agreement scheme for Wireless Sensor Networks (WSNs) enables a user, a sensor node and a gateway node to realize mutual authentication using temporal credentials. The user and the sensor node then negotiate a common secret key with the help of the gateway node, and establish a secure and authenticated channel using this common secret key. To increase efficiency, recent temporal credential-based authenticated key agreement schemes for WSNs have been designed to involve few computational operations, such as hash and exclusive-or operations. However, these schemes cannot protect the privacy of users and withstand possible attacks. This work develops a novel temporal credential-based authenticated key agreement scheme for WSNs using extended chaotic maps, in which operations are more efficient than modular exponential computations and scalar multiplications on an elliptic curve. The proposed scheme not only provides higher security and efficiency than related schemes, but also resolves their weaknesses.


Introduction
Wireless sensor networks (WSNs) comprise a large number of sensor nodes, and are utilized in many environments, such as dangerous areas in which humans must be medically monitored, military environments in which reconnaissance and communication must be carried out, and others. Owing to hardware limitations, sensor nodes in WSNs cannot support heavy computation loads, extensive communication or extensive storage. Thus, developing a lightweight and secure authenticated key agreement scheme is very important for WSNs. Temporal credential-based authenticated key agreement enables communicating entities to authenticate each other and to establish a secure and authenticated channel by confirming their temporal credentials. A temporal credential-based authenticated key agreement scheme for WSNs is composed of three classes of entity (users, sensor nodes and a gateway node (GWN)) and has registration, login, authentication and key agreement, and password change phases. In the registration phase, users and sensor nodes register their secret keys with the GWN. The GWN then issues one temporal credential to each user and sensor node for authentication. In the login, authentication and key agreement phases, the user, the sensor node and the GWN authenticate each other using these temporal credentials. Additionally, the user and each sensor node negotiate a common secret key with the help of the GWN to establish a secure and authenticated channel in the WSN. Finally, the password change phase enables users to update their passwords for increased security [1][2][3][4][5][6][7][8][9].
Recently, Xue et al. [8] presented the concept of temporal credentials and developed a lightweight temporal credential-based authenticated key agreement scheme for WSNs. The scheme of Xue et al. requires less computation, less communication and less storage than previous approaches, and tries to provide more functionality and higher security [10][11][12][13][14][15][16][17]. Later, Li et al. [9] noted that the scheme of Xue et al. fails to withstand stolen-verifier attacks, password guessing attacks, insider attacks and lost smartcard attacks, and so proposed an advanced temporal credential-based scheme for WSNs as an alternative. However, in the scheme of Li et al., an adversary can derive users' identities, temporal credentials, verification values in the GWN's verifier table and expiration times from revealed messages, allowing the adversary to perform successful impersonation attacks and stolen verifier attacks and to easily discover the hidden identity of the sender of a request message. Moreover, the adversary can derive all previous session keys of users and sensor nodes, and thus access all transmitted secrets. Accordingly, these temporal credential-based schemes for WSNs fail to resist possible attacks and to protect the privacy of users.

Our Contributions
This work addresses the weaknesses of the scheme of Li et al. and proposes an efficient and secure temporal credential-based authenticated key agreement scheme for WSNs that uses extended chaotic maps, whose operations are more efficient than modular exponential computations and scalar multiplications on an elliptic curve [18][19][20]. The proposed scheme protects a user's identity using a temporary secret key shared by the user and the gateway node, whose security is based on the extended chaotic map-based Diffie-Hellman problem [21][22][23][24][25][26][27], and reduces the number of parameters concerning each user's identity and password, such that an adversary cannot impersonate any user or communicate with the gateway node or the sensor nodes, even if the adversary has stolen the verifier table and obtained the user's private information. Additionally, the ephemeral parameters are randomly selected and independent across executions of the scheme, so the adversary cannot derive any previous session key of the user and the sensor node. The proposed scheme avoids the weaknesses of previous schemes, and has higher security and lower computational cost.

Enhanced Chebyshev Polynomial and Extended Chaotic Maps
Recent investigations have demonstrated that cryptosystems that use chaotic map operations are more efficient than those that use modular exponential computations and scalar multiplications on elliptic curves. Additionally, enhanced Chebyshev polynomials also exhibit the semi-group property and the commutative property, and they are subject to the discrete logarithm problem and the Diffie-Hellman problem [21][22][23][24][25][26][27], which are described as follows.

Enhanced Chebyshev Polynomial
The enhanced Chebyshev polynomial Tn(x) is a polynomial in x of degree n, defined by the following recurrence relation: where and p is a large prime number. The enhanced Chebyshev polynomials satisfy the semi-group property and are commutative under composition. Then: holds.

Extended Chaotic Map-Based Discrete Logarithm Problem
Given x, y and p, it is computationally infeasible to find the integer r satisfying:

Extended Chaotic Map-Based Diffie-Hellman Problem
Given Tu(x), Tv(x), T(.), x and p, where u, v ≥ 2, x ∈ (−∞, +∞) and p is a large prime number, it is computationally infeasible to calculate:

Organization of the Paper
The rest of this paper is organized as follows: Section 2 reviews the temporal credential-based scheme of Li et al. for WSNs and elucidates its weaknesses. Section 3 presents the proposed efficient and secure temporal credential-based authenticated key agreement scheme for WSNs using extended chaotic maps. Sections 4 and 5 present the results of evaluations of the security and performance of the scheme, respectively. Finally, Section 6 draws conclusions.

The Temporal Credential-Based Scheme of Li et al. and Its Weaknesses
This section presents the notation used in this study, briefly reviews the advanced temporal credential-based scheme for wireless sensor networks proposed by Li et al. [9], and finally states its weaknesses.
Assume that Ui denotes the i-th user of the WSN, Sj denotes the j-th sensor node, and GWN denotes the gateway node with which Ui and Sj are registered. Table 1 lists the notation used throughout this paper.

Table 1. Notation.
SIDj: pre-configured identity of the sensor node Sj
KGWN_U, KGWN_S: the long-term secret keys known only to GWN
p: a large prime number
The expiration time of Ui's temporal credential
t1, t2, …, t6: the timestamp values
t: the expected time interval for the transmission delay
h(.): a collision-free one-way hash function

Review of the Temporal Credential-Based Scheme of Li et al.
In 2013, Li et al. [9] proposed an advanced temporal credential-based scheme for WSNs, consisting of pre-registration, registration, login, and authentication and key agreement phases, which are described as follows.

Pre-Registration Phase
Each user Ui has a pair of identity ID pre i and password PW pre i. GWN stores h(ID pre i||PW pre i) and ID pre i in its storage. Similarly, each sensor node Sj is pre-configured with its identity SIDj and a random number rj and the hash value h(SIDj||rj). Then rj and SIDj are stored on the GWN's storage.

Registration Phase
(1) Registration phase for users
Step
(2) Registration phase for sensor nodes
Step
where t3 is the current system timestamp.

Login Phase
Step 1: Ui inserts his/her smart card into a card reader and enters IDi and PWi.

Authentication and Key Agreement Phase
Step

Weaknesses of Temporal Credential-Based Scheme of Li et al.
This subsection elucidates the weaknesses of the temporal credential-based scheme of Li et al., which include vulnerability to impersonation and stolen verifier attacks, and failure to protect the privacy of users.

Vulnerability to Impersonation Attacks
In the registration phase of the scheme of Li et al., (ID pre i, t1, VIi, CIi, DIi) and (h(.), h(Qi), Ei, PTCi) are public, where VIi = h(t1||h(ID pre i||PW pre i)), CIi = h(ID pre i||PW pre i) ⊕ h(IDi||PWi||ri), DIi = IDi ⊕ h(ID pre i||PW pre i) and t1 is the current timestamp. An adversary A can therefore obtain the correct PW pre i by guessing a candidate password PW pre* i and checking VIi =? h(t1||h(ID pre i||PW pre* i)) repeatedly. Next, A can derive IDi, Qi (= h(IDi||PWi||ri)) and TCRi by computing DIi ⊕ h(ID pre i||PW pre i), h(ID pre i||PW pre i) ⊕ CIi and PTCi ⊕ Qi, respectively. A can subsequently impersonate Ui and compromise Ui's privacy based on knowledge of (IDi, Qi, TCRi, Ei). By the following steps, A can successfully impersonate Ui, be authenticated, and communicate with GWN and Sj:
Step 1: First, the adversary A retrieves Pi using Ei.
In the authentication and key
where t4 is the current timestamp. Then, A successfully impersonates Ui and sends {DIDi, Ci, PKSi, t4, Ei, Pi} to GWN.

Failure to Protect the Privacy of Users
In the scheme of Li et al., upon receiving the request message {DIDi, Ci, PKSi, t4, Ei, Pi} sent by Ui, whose identity is IDi, the adversary A easily determines that the request message belongs to Ui, because A has knowledge of (IDi, Qi, TCRi, Ei). Thus, the scheme of Li et al. fails to support user anonymity, data unlinkability or untrackability [29]. Accordingly, the scheme of Li et al. cannot protect the privacy of users.

Proposed Temporal Credential-Based Scheme Using Chaotic Maps for WSNs
This section describes the use of chaotic maps in a new temporal credential-based authenticated key agreement scheme for WSNs. The novel scheme does not reveal the user's private parameters in the registration phase, and it protects the user's identity with a temporary secret key shared by the user and the gateway node. The security of this temporary secret key is based on the extended chaotic map-based Diffie-Hellman problem. The proposed approach also reduces the redundant parameters associated with the user's identity and password that are stored in the GWN's verifier table, preventing an adversary from impersonating a user and communicating with the gateway node and sensor nodes, even if the adversary has stolen the verifier table and obtained the user's private information. Session key security is based on the extended chaotic map-based Diffie-Hellman problem, so the adversary cannot derive any previous session key of the user and the sensor node. In the proposed scheme, the user does not know which sensor node it can access and communicate with, so the GWN must choose a suitable nearby sensor node as the accessed sensor node. The proposed scheme involves parameter generation, pre-registration, registration, login and authentication, and password change phases, which are described below.

Parameter Generation Phase
Step 1: The gateway node GWN randomly selects KGWN as its master secret key.
Step 2: GWN computes PKG = TKGWN(x) mod p, where x is a random number, p is a large prime number, and (PKG, T(.), x, p) are the public parameters.

Pre-Registration Phase
Each user Ui has a pre-configured identity ID pre i, which is stored in the GWN's storage. Similarly, each sensor node Sj is pre-configured with its identity SIDj and a random number rj and the hash value h(SIDj║rj). Then h(SIDj║rj) and SIDj are stored on the GWN's storage. The pre-configured data is transferred by using physical delivery.

Registration Phase for Users
Step

Registration Phase for Sensor Nodes
Step

Login and Authentication Phase
In this phase, as shown in Figure 1, Ui and GWN authenticate each other by performing the following steps:
Step
Check t5; sk' = Tu(Z1) mod p; check Z3 =? h(sk'║IDi║SIDj║t5).
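The following is an added, runnable example that is not code from the paper or from any of the schemes it cites. It serves two passages at once: the enhanced Chebyshev polynomial and extended chaotic map-based Diffie-Hellman definitions in the preliminaries, and the user's final check in this phase ("Check t5; sk' = Tu(Z1) mod p; check Z3 =? h(sk'║IDi║SIDj║t5)"). It assumes the standard enhanced Chebyshev recurrence T0(x) = 1, T1(x) = x, Tn(x) = (2x·Tn−1(x) − Tn−2(x)) mod p, which the paper's own recurrence line omits; it evaluates Tn(x) in O(log n) by square-and-multiply on the 2×2 companion matrix (the general method, of which the recurrence is one instance); it uses SHA-256 in place of the unspecified h(.); it assumes Z1 carries the sensor side's ephemeral value Tv(x) mod p; and it uses a constructed delay window for the "expected time interval" t of Table 1 and demo-sized parameters rather than a cryptographic-size prime.

```python
# Added example (not from the paper): enhanced Chebyshev polynomials mod p,
# extended chaotic-map Diffie-Hellman, and the user-side key-confirmation
# check from the login and authentication phase.
import hashlib
import hmac
import secrets
import time

# Assumed recurrence (standard enhanced Chebyshev definition):
#   T_0(x) = 1,  T_1(x) = x,  T_n(x) = (2x * T_{n-1}(x) - T_{n-2}(x)) mod p


def chebyshev_naive(n, x, p):
    """Reference O(n) evaluation of T_n(x) mod p, used only for cross-checking."""
    t_prev, t_cur = 1 % p, x % p
    if n == 0:
        return t_prev
    for _ in range(n - 1):
        t_prev, t_cur = t_cur, (2 * x * t_cur - t_prev) % p
    return t_cur


def _matmul(a, b, p):
    """Product of two 2x2 matrices with entries reduced mod p."""
    return [[(a[i][0] * b[0][j] + a[i][1] * b[1][j]) % p for j in range(2)] for i in range(2)]


def chebyshev(n, x, p):
    """O(log n) evaluation of T_n(x) mod p by square-and-multiply on the
    companion matrix M = [[2x, -1], [1, 0]]: [T_n, T_{n-1}] = M^(n-1) [T_1, T_0].
    This is what makes exponents of cryptographic size practical."""
    if n == 0:
        return 1 % p
    m = [[(2 * x) % p, (-1) % p], [1, 0]]
    acc = [[1, 0], [0, 1]]
    e = n - 1
    while e:
        if e & 1:
            acc = _matmul(acc, m, p)
        m = _matmul(m, m, p)
        e >>= 1
    return (acc[0][0] * x + acc[0][1]) % p


def h(*fields):
    """h(.): collision-resistant one-way hash over '||'-concatenated fields (SHA-256 assumed)."""
    return hashlib.sha256(b"||".join(fields)).hexdigest()


def ecm_dh(x, p, u, v):
    """Both sides of extended chaotic-map Diffie-Hellman.
    Returns (T_u(x), T_v(x), T_u(T_v(x)), T_v(T_u(x))); the last two agree by the
    semi-group property T_u(T_v(x)) = T_uv(x) = T_v(T_u(x))."""
    x_u = chebyshev(u, x, p)
    x_v = chebyshev(v, x, p)
    return x_u, x_v, chebyshev(u, x_v, p), chebyshev(v, x_u, p)


def sensor_confirm(v, x_u, id_i, sid_j, x, p, t5):
    """Sensor side (assumed shape): Z1 = T_v(x) mod p, sk = T_v(T_u(x)) mod p,
    Z3 = h(sk||IDi||SIDj||t5) binds the key to both identities and to t5."""
    z1 = chebyshev(v, x, p)
    sk = chebyshev(v, x_u, p)
    return z1, h(str(sk).encode(), id_i, sid_j, str(t5).encode())


def user_confirm(u, z1, z3, t5, id_i, sid_j, p, now, delta_t):
    """User side: 'Check t5; sk' = T_u(Z1) mod p; Check Z3 =? h(sk'||IDi||SIDj||t5)'.
    Returns sk' on success or None; freshness is checked before any chaotic-map
    work so stale or replayed messages are rejected cheaply, and the hash
    comparison is constant-time."""
    if abs(now - t5) > delta_t:          # t5 outside the expected delay window
        return None
    sk = chebyshev(u, z1, p)              # T_u(T_v(x)) = T_uv(x)
    expected = h(str(sk).encode(), id_i, sid_j, str(t5).encode())
    if not hmac.compare_digest(expected, z3):
        return None
    return sk


def demo():
    """End-to-end run with constructed toy parameters (p is far too small for real use)."""
    p = 2**127 - 1                        # a known Mersenne prime, demo-sized only
    x = secrets.randbelow(p)
    u = secrets.randbelow(p - 3) + 2      # ephemeral exponents u, v >= 2
    v = secrets.randbelow(p - 3) + 2
    id_i, sid_j = b"U_i", b"SID_j"        # constructed identities
    x_u, _, _, _ = ecm_dh(x, p, u, v)
    t5 = int(time.time())
    z1, z3 = sensor_confirm(v, x_u, id_i, sid_j, x, p, t5)
    return user_confirm(u, z1, z3, t5, id_i, sid_j, p, int(time.time()), delta_t=5) is not None


if __name__ == "__main__":
    print("key confirmed:", demo())
```

Two design points worth noting: the freshness check on t5 runs before the chaotic-map evaluation, so a replayed or delayed message costs the user only an integer comparison, and Z3 is compared with a constant-time function so that the verifier does not leak how many leading bytes of a forged authenticator were correct.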

Password Change Phase
A user Ui changes his/her password by performing the following steps:
Step 1: Ui inserts his/her smart card and inputs his/her identity IDi, old password PWi and a new password PWi'.

Security Analyses
This section analyzes the security of the proposed authenticated key agreement scheme, which provides mutual authentication, session key security and privacy protection for users, and resists potential attacks, including privileged insider attacks, password guessing attacks, impersonation attacks, stolen verifier attacks and many-logged-in-users attacks. The details are described below.

Communicating Participants:
The proposed scheme involves a user Ui, a sensor node Sj, and a gateway node GWN. Ui and Sj authenticate each other and establish a common session key sk with the help of the GWN. A participant may be involved in several instances, called oracles, of distinct concurrent executions of the proposed scheme P. The instance m of participant V is denoted as V m .

Oracle Queries:
Oracle queries model the capabilities of the adversary A, and are described below:

Session Key Security (AKE Security):
This definition allows an adversary to make many Test queries. If a Test query is made on a client instance that has not accepted, then the invalid symbol ⊥ is returned. If a Test query is made on an instance of an honest participant whose intended partner is dishonest, or on an instance of a dishonest participant, then the Test oracle replies with the real session key. Otherwise, the reply to the Test query is either the real session key or a random string, as determined by flipping an unbiased coin c. The adversary seeks to guess correctly the value of the hidden bit c used by the Test oracle. The ake-advantage of the event that an adversary A violates the indistinguishability of scheme P is denoted AdvP ake (A). The scheme P is AKE-secure if AdvP ake (A) is negligible [30][31][32].

Mutual Authentication (MA Security)
In the execution of P, the adversary A violates mutual authentication if A can fake the authenticator. The probability of this event is denoted by AdvP ma (A). The scheme P is MA-secure if AdvP ma (A) is negligible [33].

Providing Session Key Security (AKE Security)
The following lemma is the Difference Lemma, which is used within our sequence of games [34].

Lemma 1. |Pr[A] − Pr[B]| ≤ Pr[F]
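For reference, the hypothesis under which Lemma 1 holds and its short proof, in the standard form of the Difference Lemma; this is added here and is not text from the paper. $A$, $B$ and $F$ are events on a common probability space such that

$$A \wedge \neg F \iff B \wedge \neg F .$$

Splitting each probability on whether $F$ occurs,

$$\Pr[A] = \Pr[A \wedge F] + \Pr[A \wedge \neg F], \qquad \Pr[B] = \Pr[B \wedge F] + \Pr[B \wedge \neg F],$$

and the second terms are equal by hypothesis, so

$$\lvert \Pr[A] - \Pr[B] \rvert = \lvert \Pr[A \wedge F] - \Pr[B \wedge F] \rvert \le \Pr[F],$$

because both $\Pr[A \wedge F]$ and $\Pr[B \wedge F]$ lie in $[0, \Pr[F]]$. In the games below, $A$ and $B$ are the winning events $E_i$ and $E_{i+1}$ of two consecutive games, and $F$ is the event that the single rule changed between them is actually triggered.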
The following theorem shows that the proposed scheme involving Ui and Sj has AKE security if the used hash function is secure and the extended chaotic map-based Diffie-Hellman assumption holds.

Theorem 1. Let Adv ecmdh be the advantage that an ECMDH attacker solves the extended chaotic map-based Diffie-Hellman problem within time t. Then the probability that an adversary breaks the AKE security of the proposed scheme satisfies
AdvP ake (t', qexe, qtest, qse, qake) ≤ 2Adv ecmdh (t, qtest, qse, qake)
within time t', where t' ≤ t + 4τ(qexe + qake); qexe denotes the number of queries to the Execute oracle; qtest denotes the number of queries to the Test oracle; qse denotes the number of Send queries; qake denotes the number of queries to the final AKE scheme; and τ is the time to perform an extended chaotic map operation.
Proof of Theorem 1. Each game Gi defines the probability of the event Ei that the adversary wins that game. The first game G0 is the real attack against the proposed scheme, and the final game G2 concludes that the adversary has a negligible advantage in breaking the AKE security of the proposed scheme.
Game G0: This game corresponds to the real attack. By definition, we have
AdvP ake (A) = |2Pr[E0] − 1| (5)
Game G1: This game simulates all oracles as in the previous game, except for modifying the simulation of the Send queries that refer to the flows containing Tu(x) mod p and Tv(x) mod p, and the simulation of the Test(Vm) oracle, so as to avoid relying on knowledge of u, v and w when computing the answers to these queries. Assume that (X, Y, Z) = (Tu(x) mod p, Tv(x) mod p, Tuv(x) mod p) is a random extended chaotic map-based Diffie-Hellman triple. A simulator Σ simulates the oracles for all sessions using this triple (X, Y, Z) and the classical random self-reducibility of the extended chaotic map-based Diffie-Hellman problem. Next, Σ sets up all parameters and secret keys of the scheme, picks a random number m ∈ [1, qse] and answers the oracle queries according to the proposed scheme. Σ can thus correctly answer the Test queries. Additionally, the random variables in G0 are replaced by other random variables in G1. Hence G0 and G1 are equivalent, and thus:
Game G2: This game simulates all oracles as in the previous game, except that all rules are computed using a triple (X, Y, Z) drawn from the random distribution (Tu(x) mod p, Tv(x) mod p, Tw(x) mod p) instead of an extended chaotic map-based Diffie-Hellman triple. Let a challenger Aecmdh try to violate the indistinguishability of the extended chaotic map-based Diffie-Hellman problem, and let an adversary Aake be constructed to break the session key security. Aecmdh returns the real session key sk (if c = 1) or a random string (otherwise) to Aake by flipping an unbiased coin c ∈ {0, 1}. Then Aake wins the game if its output bit c' equals c. Aecmdh is asked Send, Corrupt or Test queries, and returns the responses by using the previous experiment, except for the (X, Y, Z) that it received as input. If Aake outputs c, then Aecmdh outputs 1; otherwise, Aecmdh outputs 0. If (X, Y, Z) is a real extended chaotic map-based Diffie-Hellman triple, then Aecmdh runs Aake in G1, and thus the probability that Aecmdh outputs 1 equals the probability of E1. If (X, Y, Z) is a random triple, then Aecmdh runs Aake in G2, and thus the probability that Aecmdh outputs 1 equals the probability of E2. Therefore, we have:
Since the coin bit c and all session keys are random and independent, we have
By combining Equations (5)-(8) and using Lemma 1, we have:
Then the proof is concluded.

Providing Mutual Authentication
The following theorem shows that the proposed scheme has MA security if the hash function used is secure and the proposed scheme has AKE security.
Theorem 2. Let AdvP ake denote the advantage that an adversary breaks the AKE security of the proposed scheme, and AdvP ma denote the advantage that an adversary violates the mutual authentication of the proposed scheme. Then
AdvP ma (t", qse, qh) ≤ 2AdvP ake (t', qse, qh) + qh^2 / 2^(l+1)
within time t", where t" ≤ t' + (qse + qh)trelay + 2τ; qh denotes the number of Hash queries; trelay denotes the time to relay a query; l denotes the security parameter; and the parameters qse, t' and τ are defined as in Theorem 1.
Proof of Theorem 2. The start game G ma 0 is the real attack against the proposed scheme, and the final game G ma 2 concludes that the adversary has a negligible advantage in breaking the MA security of the proposed scheme. The challenger A1 attempts to break the AKE security of the proposed scheme, and the adversary Ama is constructed to break the MA security of the proposed scheme.
where Ama makes qh Hash queries involving Ui and GWN, and involving GWN and Sj.
Game G ma 2: This game simulates all oracles as in the previous game, except for replacing the session key sk with a random number. Then, Ama is used to build an adversary A1 against the AKE security of the proposed scheme. Next, A1 arranges the parameters, simulates the proposed scheme and answers the oracle queries made by Ama using the following scenarios.
- When receiving Send or Hash queries involving Ui and GWN, and involving GWN and Sj, A1 answers them by executing the proposed scheme.
- When receiving Hash queries involving Ui and Sj, A1 returns the corresponding authenticators to Ama by making the same queries to the Hash oracle involving Ui and Sj.
- When receiving Test queries, A1 answers them using the coin bit c that it previously selected and the computed session keys.
Therefore, the probability that A1 outputs 1 when the authenticator is obtained from the real session key equals the probability that Ama correctly guesses the hidden bit c in game G ma 1. Similarly, the probability that A1 outputs 1 when the authenticator is obtained from a random string equals the probability that Ama correctly guesses the hidden bit c in game G ma 2. Thus, by Lemma 1, we have:
Since no information on the authenticator is leaked to the adversary, we have
Pr[E2] = 1/2 (12)
Combining Equations (9)-(12) and using Lemma 1, we have
Then the proof is concluded.

Protecting Privacy of Users
is a random number and t3' is a timestamp. The proposed scheme provides user anonymity and data unlinkability, and thus exhibits untrackability [29]. Accordingly, the privacy of users is protected.

Resistance to Privileged Insider Attacks
Theorem 4. The proposed scheme withstands privileged insider attacks.
Proof of Theorem 4. In the registration phase, the user sends REGi rather than (IDi, PWi) to GWN, where REGi = KUG ⊕ (ID pre i║IDi║h(IDi║PWi║ri)); Ui's identity IDi and password PWi are protected by the random number ri. Therefore, the privileged insider fails to obtain (IDi, PWi) and REGi, and fails to correctly compute TCRi = D1 ⊕ h(IDi║PWi║ri) (or h(KGWN||IDi||Ei)), so the proposed scheme withstands privileged insider attacks.
Step 2 of the login and authentication phase, so the proposed scheme withstands lost smartcard attacks.

Resistance to Many Logged-in Users Attacks
Theorem 10. The proposed scheme withstands many-logged-in-users attacks.
Proof of Theorem 10. Assume that Ui's login information (IDi, PWi, T(.), x, p, h(.), ri) is leaked to more than one non-registered user. The GWN also maintains a status-bit field and a last-login field in its verifier table to prevent simultaneous duplicate logins. Therefore, the proposed scheme withstands many-logged-in-users attacks.

Table 2 compares the performance of the proposed scheme with those of the schemes developed by Yeh et al. [16], Xue et al. [8], Li et al. [9] and Kim et al. [35], where Th is the execution time of a one-way hash operation, Tc is the execution time of a Chebyshev chaotic map operation, and Te is the execution time of a scalar multiplication on an elliptic curve.

Performance Analyses
The first comparison concerns the computational cost for the user Ui, the sensor node Sj and the gateway node GWN. The scheme of Yeh et al. [16] employs encryptions and decryptions on an elliptic curve, and has a greater computational cost than the related schemes [8,9,35], which use only hash operations. Since Tc approximates Th, where Th is obtained using the hash functions SHA-1 and MD5 [36][37][38], the proposed scheme requires six chaotic map operations and 13 hash function operations, and so has a low computational burden. Table 3 compares the proposed scheme and related schemes in terms of functionality, specifically the meeting of security requirements and resistance to possible attacks. The schemes developed by Yeh et al., Xue et al., Li et al. and Kim et al. all fail to protect users' privacy. Additionally, the scheme of Yeh et al. fails to withstand password guessing, lost smart card and many-logged-in-users attacks. The scheme of Xue et al. fails to withstand privileged insider, password guessing, stolen verifier, lost smart card and many-logged-in-users attacks. The scheme of Li et al. fails to withstand impersonation and stolen verifier attacks. Only the proposed scheme withstands all possible attacks and protects privacy. Thus, the proposed scheme provides greater functionality, exhibits more favorable security-related properties, and has a lower computational cost than the other schemes.

Conclusions
This study addresses the weaknesses of the temporal credential-based authenticated key agreement scheme developed by Li et al., which enables an adversary to impersonate legitimate users, to perform a stolen verifier attack to calculate all used session keys and transmitted secrets of users and sensor nodes, and to reveal users' identities. A new temporal credential-based authenticated key agreement scheme that uses chaotic maps is developed for WSNs. The proposed scheme protects each user's identity using a temporary secret key; conceals each user's private parameters, and reduces the number of redundant parameters concerning the user's identity and password in the verifier table of the GWN. Therefore, the proposed scheme does not have any of the weaknesses of previous schemes. Additionally, session key security is based on the extended chaotic maps-based Diffie-Hellman problem, and the proposed scheme thus exhibits perfect forward secrecy and known-key security. The proposed scheme not only eliminates the weaknesses of previous approaches, but also increases security and efficiency.