An Enhanced Lightweight Anonymous Authentication Scheme for a Scalable Localization Roaming Service in Wireless Sensor Networks

More security concerns and complicated requirements arise in wireless sensor networks than in wired networks, due to the vulnerability caused by their openness. To address this vulnerability, anonymous authentication is an essential security mechanism for preserving privacy and providing security. Over recent years, various anonymous authentication schemes have been proposed. Most of them reveal both strengths and weaknesses in terms of security and efficiency. Recently, Farash et al. proposed a lightweight anonymous authentication scheme in ubiquitous networks, which remedies the security faults of previous schemes. However, their scheme still suffers from certain weaknesses. In this paper, we prove that Farash et al.’s scheme fails to provide anonymity, authentication, or password replacement. In addition, we propose an enhanced scheme that provides efficiency, as well as anonymity and security. Considering the limited capability of sensor nodes, we utilize only low-cost functions, such as one-way hash functions and bit-wise exclusive-OR operations. The security and lightness of the proposed scheme mean that it can be applied to roaming service in localized domains of wireless sensor networks, to provide anonymous authentication of sensor nodes.


Introduction
Privacy protection and security provision have been of great concern in proportion to the number of sensor nodes in wireless sensor networks. In addition, due to the features of wireless environments, efficiency is one noticeable aspect. The characteristics of low transmission bandwidth, insufficient memory, low computing power, and battery dependency demand more lightweight and efficient security mechanisms that provide a similar level of security to wired environments. Considering a mobile sensor node that travels in various networks and wants to receive roaming service from a foreign agent, an anonymous authentication scheme is necessary to preserve the sensor node's privacy and security. If the scheme is also lightweight, it is more suitable for wireless sensor networks. Figure 1 illustrates a simple model of wireless sensor networks for roaming service. If a mobile sensor node registered for its home agent visits a foreign network, it wants to access the foreign agent to receive roaming service. The foreign agent then needs to check the identification of the sensor node through its home agent. In this situation, a lightweight anonymous authentication scheme is necessary to guarantee secure authentication and efficient communication. In recent years, various anonymous authentication schemes and related protocols in wireless networks have been proposed . They have been followed by proofs of vulnerability of the schemes and associated improvements. Some of these schemes use high-cost functions, such as symmetric cryptographic functions, asymmetric cryptographic functions, and modular operations [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18]. On the other hand, the others are based on low-cost functions, such as one-way hash functions and bit-wise exclusive-OR operations [19][20][21][22][23][24][25]. To analyze these schemes, we categorize them into two groups according to the computation cost: schemes based on high-cost functions and schemes based on low-cost functions. If all of them provide the same security level, schemes based on low-cost functions are more suitable for wireless sensor networks, since they consume less energy. Farash et al. [18] proposed one of the most recent anonymous authentication schemes for roaming service. They claimed that their scheme improved security and reduced computation time. However, their scheme still has security weaknesses, and does not have computational benefit.
The contributions of this paper are two points. Firstly, we point out that Farash et al.'s scheme does not provide anonymity against a legitimate but malicious adversary, foreign agent authentication, or password replacement. In addition, we present that Farash et al.'s scheme has less computational merits than our proposed scheme, even if their scheme is superior to other previous schemes in terms of the computation cost. Secondly, we propose an enhanced lightweight anonymous authentication scheme that resolves the above weaknesses. Our proposed scheme has the advantage of security and efficiency. In other words, it has enhanced security features and resistance against well-known attacks, as well as the fastest running time among other schemes. More specifically, the proposed scheme preserves weak and strong anonymity, hop-by-hop authentication, and untraceability; resistance against password guessing, impersonation, forgery, and known session key attack; and fair key agreement. There have been no recent schemes, which guarantee all the above. In addition, since the proposed scheme is based only on low-cost functions, it runs faster and more efficiently than previous schemes. Although most schemes including ours are adaptable to wireless sensor networks, our proposed scheme, due to better efficiency, has superiority over other previous schemes.
The remainder of this paper is organized as follows. Section 2 briefly describes related works, and Section 3 reviews Farash et al.'s scheme. Section 4 then presents its weaknesses. Section 5 proposes our enhanced scheme, and Section 6 presents the formal analysis of our proposed protocol. Sections 7 and 8 then analyze the security and performance of our scheme, respectively. Finally, Section 9 concludes the paper.

Related Works
Previous schemes, which have recently been proposed, show the following research trends. Zhu and Ma [1] in 2004 proposed an anonymous authentication scheme based on high-cost functions, and Lee et al. [2] proved that it has security weaknesses. Wu et al. [3] argued that both In recent years, various anonymous authentication schemes and related protocols in wireless networks have been proposed . They have been followed by proofs of vulnerability of the schemes and associated improvements. Some of these schemes use high-cost functions, such as symmetric cryptographic functions, asymmetric cryptographic functions, and modular operations [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18]. On the other hand, the others are based on low-cost functions, such as one-way hash functions and bit-wise exclusive-OR operations [19][20][21][22][23][24][25]. To analyze these schemes, we categorize them into two groups according to the computation cost: schemes based on high-cost functions and schemes based on low-cost functions. If all of them provide the same security level, schemes based on low-cost functions are more suitable for wireless sensor networks, since they consume less energy. Farash et al. [18] proposed one of the most recent anonymous authentication schemes for roaming service. They claimed that their scheme improved security and reduced computation time. However, their scheme still has security weaknesses, and does not have computational benefit.
The contributions of this paper are two points. Firstly, we point out that Farash et al.'s scheme does not provide anonymity against a legitimate but malicious adversary, foreign agent authentication, or password replacement. In addition, we present that Farash et al.'s scheme has less computational merits than our proposed scheme, even if their scheme is superior to other previous schemes in terms of the computation cost. Secondly, we propose an enhanced lightweight anonymous authentication scheme that resolves the above weaknesses. Our proposed scheme has the advantage of security and efficiency. In other words, it has enhanced security features and resistance against well-known attacks, as well as the fastest running time among other schemes. More specifically, the proposed scheme preserves weak and strong anonymity, hop-by-hop authentication, and untraceability; resistance against password guessing, impersonation, forgery, and known session key attack; and fair key agreement. There have been no recent schemes, which guarantee all the above. In addition, since the proposed scheme is based only on low-cost functions, it runs faster and more efficiently than previous schemes. Although most schemes including ours are adaptable to wireless sensor networks, our proposed scheme, due to better efficiency, has superiority over other previous schemes.
The remainder of this paper is organized as follows. Section 2 briefly describes related works, and Section 3 reviews Farash et al.'s scheme. Section 4 then presents its weaknesses. Section 5 proposes our enhanced scheme, and Section 6 presents the formal analysis of our proposed protocol. Sections 7 and 8 then analyze the security and performance of our scheme, respectively. Finally, Section 9 concludes the paper.

Related Works
Previous schemes, which have recently been proposed, show the following research trends. Zhu and Ma [1] in 2004 proposed an anonymous authentication scheme based on high-cost functions, and Lee et al. [2] proved that it has security weaknesses. Wu et al. [3] argued that both Zhu and Ma's and Lee et al.'s schemes fail to preserve anonymity and backward secrecy, and they presented improvements of Lee et al.'s scheme. However, Lee et al. [5] and Xu [6] showed vulnerabilities of Wu et al.'s scheme. Kun et al. [7] improved Xu and Feng's scheme, but Tsai et al. [8] showed that Kun et al.'s scheme is also vulnerable. In addition, Mun et al. [9] showed Wu et al.'s scheme suffers from various attacks, and proposed an enhanced scheme. However, Zhao et al. [10] proved that Mun et al.'s scheme is insecure.
Independently, Chang et al. [19] in 2009 proposed an enhanced authentication scheme that uses only low-cost functions. Unfortunately, Youn et al. [20] proved that Chang et al.'s scheme is vulnerable. In addition, Zhou and Xu [13] showed that Chang et al.'s scheme has weaknesses, and they proposed an improved scheme. Lately, Gope and Hwang [24] have proved that Zhou and Xu's scheme suffers from some security faults, such as unsuccessful key agreement and vulnerability to replay attack. They showed that a malicious adversary, by replacing transmission messages, can disturb valid communication between a normal user and a foreign agent. In addition, they proved that an attacker can successfully retransmit authentication messages that have been transmitted during a previous session of communication. At the same time, they proposed an improved scheme. Their improved scheme guarantees several security features as follows. Since all participants can normally verify parameters in each message, their scheme preserves mutual authentication. The fact that each participant makes the same contribution to the freshness of a session key provides their scheme with fair key agreement. In addition, both passive eavesdroppers and active intruders cannot identify or keep track of a normal user. Since only a legitimate user can form a valid one-time-alias using a real identity, secret value, nonce, and timestamp, no attackers can forge the alias to cheat users. In addition, it is impossible to accomplish a known session key attack because there is no significant relation among any session keys. It means that the compromised session key never helps to recover any past or future session keys. Moreover, since their scheme is based on low-cost functions, it has computational merits.
Meanwhile, He et al. [21] proved that Chang et al.'s scheme has a security fault, and that their scheme is not efficient. After that, Jiang et al. [14] showed the weaknesses of He et al.'s scheme. They proposed an enhanced protocol, but Wen et al. [15] presented its weaknesses. Subsequently, Gope and Hwang [17] showed that Wen et al.'s scheme suffers from several attacks. In Wen et al.'s scheme, an attacker, by performing an exhaustive search operation of all possible values, can obtain secret information stored in the lost or stolen smart card. After jamming all transmission messages and resetting a counter, he or she can also establish a session key between a normal user and a foreign agent. Since a session key contains only one random number generated by one side of the participants, it fails to preserve fair key agreement. In addition, Gope and Hwang proposed an enhanced scheme that preserves mutual authentication, fair key agreement, user anonymity, resistance against forgery attack, and security assurance in the case of a lost smart card. In their schemes, all participants can authenticate each other by verifying parameters. While computing a session key, each participant contributes equally, by providing independent random numbers. Since the difficulty of the quadratic residue problem makes a real identity secure, the identity cannot be revealed. No attackers can forge transmission messages because they do not have the knowledge of a secret key and a real identity. In addition, an attacker cannot use the lost or stolen smart card to perform any masquerade attacks because there is no way to obtain a secret key, an identity, and a password from the smart card.
In addition, Shin et al.

Review of Farash et al.'s Scheme
In this section, we review the lightweight anonymous authentication scheme proposed by Farash et al. Their scheme consists of three phases: registration, login and authentication, and password change. Three different entities are involved in each phase. MN is a mobile node that wants to receive roaming service while visiting a foreign network. FA is the foreign agent of a foreign network, and H A is the home agent of the mobile node MN. When MN visits a foreign network, it sends a login request message to FA to be authenticated. Then, FA sends an authentication request message to H A for authentication of MN, since FA is not the home agent of MN, and it cannot directly check MN's identity. After H A authenticates MN using the message received from FA, H A sends a response message to FA. Finally, FA sends a response message to MN and shares a common session key with MN. In this process, it is supposed that H A and FA are in a trusting relationship, and that they secretly share and store a long-term secret key. Because of this, it is possible for FA to anonymously authenticate MN through H A. Table 1 denotes the notations used in this paper. Secret key of an entity X n X Random nonce generated by an entity X t X Timestamp generated by an entity X E K (.) /D K (.) Symmetric encryption and decryption using a secret key K h (.) Collision free one-way hash function || Concatenation ⊕ Bit-wise exclusive-OR operation

Registration Phase
To register for H A, MN first selects ID MN , PW MN , and the random number r. Then, MN sends ID MN and h(PW MN ||r) to H A in a secure manner. After receiving ID MN and h(PW MN ||r) , H A computes the following parameters for MN: Next, H A sends A MN , B MN , and h (.) to MN; and MN stores r, as well as A MN , B MN , and h (.).

Login and Authentication Phase
MN and FA perform the login and authentication phase to achieve the following goals with the aid of H A: • FA anonymously authenticates MN; • MN and FA mutually authenticate each other; • MN and FA share a session key.
In this phase, it is supposed that the common secret key KFH is shared between FA and H A beforehand. Figure 2 illustrates the login and authentication phase. The procedure of this phase is as follows: In this phase, it is supposed that the common secret key is shared between and beforehand. Figure 2 illustrates the login and authentication phase. The procedure of this phase is as follows: (1). inputs and . Then generates the random nonce , and loads , , , and ℎ(. ) to compute 's verifiers: Next, sends the message 1 = { 2 , 3 , 5 } to . (2). Upon receiving 1 , generates the random nonce , and encrypts 1 and using the symmetric encryption function such that ( 1 , ) . Then, sends the message first checks to confirm that is a valid agent. If so, retrieves , and makes the following computations: If checks the equivalence between the received 5 and the computed ℎ( 2 || 3 || * 4 ) normally, computes the following session key, and encrypts it with : Next, MN sends the message M 1 = {MV 2 , MV 3 , MV 5 } to FA. (2) Upon receiving M 1 , FA generates the random nonce n FA , and encrypts M 1 and n FA using the symmetric encryption function such that E KFH (M 1 , n FA ). Then, FA sends the message After receiving M 2 , H A first checks ID FA to confirm that FA is a valid agent. If so, H A retrieves KFH, and makes the following computations: If H A checks the equivalence between the received MV 5 and the computed h (MV 2 ||MV 3 || MV * 4 ) normally, H A computes the following session key, and encrypts it with KFH: Then, H A sends the message Then, FA sends the message M 4 = {ID FA , FV 1 , n FA } to MN.Upon receiving M 4 , MN computes the session key: By checking the validity of the session key after computing h(SK MN ||n FA ) , MN confirms that FA successfully authenticates MN, and the session key is established between them at the same time.

Password Change Phase
MN, which wants to change its password, is supposed to perform the password change phase. In this phase, MN renews the password after acquiring the confirmation from H A. Figure 3 describes the password change phase.
By checking the validity of the session key after computing ℎ( || ), confirms that successfully authenticates , and the session key is established between them at the same time.

Password Change Phase
, which wants to change its password, is supposed to perform the password change phase. In this phase, renews the password after acquiring the confirmation from .  (1).
inputs the identity , the current , and the new password . Then, generates the random nonce , and computes the following verifiers in a similar way to what it does in the login and authentication phase: After computing ℎ( 2 || 3 || * 4 || * ), checks the validity of 5 . The successful check means authenticates normally. Then, computes the following verifier 1 , and sends 2 = { 1 } to : Next, MN sends the message

Weaknesses of Farash et al.'s Scheme
Farash et al. proved that their scheme guarantees MN authentication, FA authentication, anonymity and untraceability, resistance against offline password guessing attack, secure key establishment, and no verification table at H A. However, there still remain several security weaknesses in their scheme. In this section, we will prove that Farash et al.'s scheme does not guarantee anonymity or FA authentication. In addition, we will show that their scheme does not achieve password replacement.

Anonymity
(3) Next, by computing as follows, MN gets ID MN : As a result, a malicious mobile node that eavesdrops the message can easily know the other's identity, so anonymity is not guaranteed. Clearly, SK MN contains MV 4 which is computed as follows:

Authentication
Since H A is the only entity that can compute h(K H ||ID MN ) , MN can only authenticate H A through a successful checking of SK MN , namely FV 1 = h(SK FA ||n FA ) . This implies that there is no way for MN to authenticate FA. In addition, if failure while checking FV 1 occurs, MN cannot confirm whether H A or FA is illegal. For these reasons, authenticating the foreign agent is impossible.

Password Replacement
In the password change phase, MN computes the following MV 4 , while H A computes MV * 4 : Since MV 4 is not equal to MV * 4 , there is no equivalence between MV 5 and h(MV 2 ||MV 3 || MV * 4 ||ID * MN ) , as shown in: To originally authenticate MN, H A needs to confirm the validity of MV 5 ; but it is impossible to check this. As a result, the home agent cannot authenticate a mobile node in the password change phase, and the password replacement cannot be accomplished. Moreover, there is no H A contribution to change the password. This means that by computing B new MN can change the password as it wants, without accomplishing any other steps.

The Proposed Scheme
In this section, we propose an enhanced scheme to remedy the faults of Farash et al.'s scheme. Our scheme also consists of three phases. In each phase, MN, FA, and H A are involved, and use a timestamp as a nonce. After receiving a message, they first validate a timestamp to ensure that old messages cannot be used in replay attacks. We use the same terms as Farash et al.'s scheme does. However, to apply our scheme to wireless sensor networks, we regard MN as a mobile sensor node. Clearly, FA and H A are server systems, which have a powerful computing capability. On the other hand, MN is a battery-powered sensor node, which has less computing capability. In the registration phase, MN registers for H A, and H A gives MN secret parameters in a secure manner. MN and H A establish a trusting relationship through this phase. Then, MN roams in a foreign network, and tries to receive roaming service from FA. Since MN is not a mobile sensor node of FA, FA wants to authenticate MN through H A. For this, the login and authentication phase is necessary. It is assumed that FA and H A share a long-term secret key KFH beforehand, the same as in Farash et al.'s scheme. FA and H A are supposed to use KFH when they try to authenticate each other. Meanwhile, in the password change phase, MN, with the aid of H A, securely changes the secret key, as well as the password. Each phase is described in detail as follows.

Registration Phase
The first thing MN accomplishes is to register for H A in the registration phase. Figure 4 shows this phase: as well as the password. Each phase is described in detail as follows.

Registration Phase
The first thing accomplishes is to register for in the registration phase. Figure 4 shows this phase:  MN selects its identity ID MN and the password PW MN . In addition, MN chooses the random number r as a salt of a one-way hash function. MN then submits ID MN and h(PW MN ||r) to H A through a secure channel. Upon receiving the registration request message, H A, using its secret key K H , computes three secret parameters for MN as follows:

Login and Authentication Phase
When MN visits a foreign network and logins to FA, FA anonymously authenticates MN through H A. MN and FA then share a session key for secure communication. Figure 5 illustrates the login and authentication phase: then submits and ℎ( || ) to through a secure channel. Upon receiving the registration request message, , using its secret key , computes three secret parameters for as follows: where is the secret key allocated only to . Then, secretly stores {ℎ( || ), , } in its database, and sends , , , and ℎ(. ) to in a secure way. Finally, stores , , , , and ℎ(. ).

Login and Authentication Phase
When visits a foreign network and logins to , anonymously authenticates through . and then share a session key for secure communication. Figure 5 illustrates the login and authentication phase: (1). inputs and to make the login request message. Then, generates the timestamp , and loads , , , , and ℎ(. ) to compute 's verifiers: Then, H A sends the authentication response message M 3 = {HV 1 , HV 2 , HV 3 , t H A } to FA.
(5) After receiving M 4 , MN first checks t FA , and computes the session key:

Password Change Phase
In this phase, MN not only renews its password, but also the secret key. MN can change the password for itself, without being authenticated by H A. However, in order to change the secret key, it is necessary for MN to accomplish the password change procedure with H A. Figure 6 shows this phase: (1). inputs its identity , the current , and the new password . In addition, chooses the new random number as a new salt of a one-way hash function, and generates the timestamp . Then, computes the following verifiers in the same form as they are in the login and authentication phase: Finally, MN computes the following secret parameters, and replaces {r,

Protocol Analysis
In this section, we present the formal analysis of our proposed scheme usingBurrows-Abadi-Needham logic [26] (also known as the BAN logic), which is a useful model to prove the validity of authentication and key agreement protocol. The main goal of the login and authentication phase in our scheme is that MN and FA authenticate each other, and share a session key. Since both MN and FA participate and equally contribute while establishing a session key, it can be regarded as a two-way key agreement. In addition, in the password change phase, it is the main goal that MN and H A authenticate each other, and renew MN's secret key. Only H A contributes while generating MN's secret key. Therefore, renewing MN's secret key can be regarded as a one-way key agreement.
To prove that our proposed scheme meets these goals, we need to transform the scheme into the idealized form by the analytic procedures of BAN logic. We first define the constructs and some rules of BAN logic as follows: [Constructs] • P|≡ X : P believes X. • P X: P sees X. • P| ∼ X: P said X. • P ⇒ X : P has jurisdiction over X. • # (X): Formula X is fresh.
• P K ↔ Q: P and Q may use the shared key K to communicate.
[Rules] • R 1 , Message-meaning rule: Then, using BAN logic rules, we transform our goals into the following forms. The login and authentication phase needs mutual authentication and a two-way key agreement. In addition, the password change phase needs mutual authentication and a one-way key agreement.
[Transformation of the goals of the login and authentication phase] [Transformation of the goals of the password change phase] Next, the messages M 1 , M 2 , M 3 , and M 4 in Figure 5, and M 5 and M 6 in Figure 6 are transformed into the idealized messages as follows: In addition, we make the following assumptions to analyze our proposed scheme. [Assumptions] In this step, we achieve G 2 .
(15) We apply R 3 and A 11 to S 15 to derive In this step, we achieve G 4 .
(16) We apply R 2 , A 1 , and A 10 to M 4 to derive against known session key attack, and fair key agreement. We define two different anonymity preservations in this paper. One is weak anonymity preservation against a passive adversary who accomplishes a passive attack, like eavesdropping. The other is strong anonymity preservation against a valid but malicious node. Clearly, a malicious node is more powerful than a passive adversary because it possesses a valid sensor. If a scheme guarantees strong anonymity, it also absolutely preserves weak anonymity. The detail analysis of our scheme is described below.

Strong Anonymity
Among the transmission messages, only MV 4 and HV 5 contain MN's identity ID MN , which is formed as: An adversary who refers to a malicious sensor node can know h (K H ) and t MN . Clearly, a valid sensor node can provide h (K H ), while M 1 can reveal t MN . Thus, it is easy for the adversary to know h (K H ) and t MN . However, although knowing h (K H ) and t MN , there is no way to get ID MN from MV 4 and HV 5 . This is because ID MN is one of the input parameters of a one-way hash function, and it is always used with the secret key K H or K M . Namely, only the entity who knows K H or K M can obtain ID MN . As a result, the proposed scheme guarantees strong anonymity against a malicious sensor node.

Hop-by-Hop Authentication
In the login and authentication phase, each entity, MN

Untraceability
If there are transmission messages that have the same value throughout several sessions, an adversary can trace those messages, and know all the messages that originate from one sensor node. However, since they always contain different timestamps, every transmission message in the proposed scheme is unique in each session. In addition, an adversary cannot link two or more different sessions of the same sensor node. Therefore, the proposed scheme preserves the freshness and untraceability of every message in every session.

Resistance Against Password Guessing Attack
An adversary can eavesdrop any transmission messages, but there is no way to get the sensor node's password from those messages. The reason is that no transmission messages contain the password itself, or even related information. Even if the secret parameters and a salt stored in the sensor node are revealed, it is still impossible to obtain the password. An adversary can generate a lookup table to make pre-computed hash values with candidate passwords and salt. However, changing salts in the password change phase makes it impossible to generate pre-computed hash values. Therefore, in the proposed scheme, the possibility to verify the correctness of a guessed password does not exist, and a password guessing attack is impossible.

Resistance Against Impersonation and Forgery Attacks
If an adversary can compute MV 5 formed as h (K M ||ID MN || t MN ), he or she is able to impersonate MN, by sending a valid login and authentication request message. However, this is absolutely impossible, since the adversary cannot know K M and ID M . Meanwhile, suppose that the adversary makes the following forged message M 1 = {MV 4 , MV 5 , t MN , ID H A }, and sends it to H A via FA: where ID adv is the identity of the adversary, t adv is the timestamp generated by the adversary, K adv is the secret key of the adversary, and K H is the fake secret key of H A. Then, after computing MV 4 ⊕ h (K H ) ⊕ t adv , H A tries to search h(K H ||ID adv ) in its database. Unfortunately, H A finds no matching value, and then it recognizes the fact that the adversary sent MV 4 .

Resistance Against Known Session Key Attack
Even if the session key established between MN and FA is revealed, there is no way to compute the next session key, using the exchanged messages, HV 1 and HV 2 . To compute the session key, it is necessary to know the sensor node's secret key K M or the long-term secret key KFH, which is shared between FA and H A. Clearly, an adversary cannot compute the session key, since he or she does not know K M or KFH. Moreover, since every session key contains unique timestamps, they have no relation with each other. For this reason, the proposed scheme is resistant against known session key attack.

Fair Key Agreement
When MN, FA, and H A perform the login and authentication phase, the session key contains two timestamps generated by MN and FA, respectively. This implies that MN and FA make the same contribution to the freshness and randomness of the session key. In other words, both MN and FA contribute equally during the establishment of the session key. As a result, the proposed scheme achieves fair key agreement.

Security and Performance Comparisons
In this section, we compare security and performance of our scheme with the previous schemes of Jiang et al., Wen  In addition, we apply the experiment result of Li et al. [4] to analyze performance. The following notations show the execution times of each operation: To describe concisely, we also use the following terms: • P1: Phase of login and authentication, • P2: Phase of password change.  Meanwhile, Table 3 compares the computation cost in the login and authentication phase. Our proposed scheme, which is based only on low-cost functions, needs the lowest computation cost among all schemes. Table 4 shows the performance comparison in the password change phase. In the schemes of Jiang et al., Wen et al., and Gope and Hwang, MN changes his or her password without any help of H A. Whereas, the schemes of Shin et al., Farash et al., and our scheme require that both MN and H A participate while updating MN's password. Clearly, the schemes that MN performs the password change phase alone have a little bit better efficiency. However, the computation cost of the password change phase in each scheme is slightly different, and thus it does not affect the performance of all over the scheme. Table 5 shows the total computation cost of each scheme. Consequently, as shown in Table 5, our proposed scheme runs the fastest and has the highest efficiency.

Conclusions
In this paper, we first prove that Farash et al.'s scheme fails to guarantee strong anonymity, foreign agent authentication, or password replacement. To remedy these weaknesses, we propose an enhanced security authentication scheme. The secret key for each sensor node and the password by hashing with a different salt enhance the security of our scheme. By comparing our scheme with other recent schemes, we show that it is more secure from various aspects. In addition, to reduce the computation time, our scheme only uses low-cost functions. Performance comparison shows that, as compared with the previous ones, our proposed scheme provides better lightness. This means that it provides better efficiency. Consequently, the proposed scheme is more suitable for battery-powered sensors and wireless sensor networks.