# Three-Factor User Authentication and Key Agreement Using Elliptic Curve Cryptosystem in Wireless Sensor Networks


## Abstract


## 1. Introduction

## 2. Preliminaries

#### 2.1. Notations

#### 2.2. Elliptic Curves Cryptosystem

**Definition 1** (Elliptic curve discrete logarithm (ECDL) problem).

**Definition 2** (Elliptic curve computational Diffie–Hellman (ECDH) problem).

**Definition 3** (Elliptic curve decisional Diffie–Hellman (ECDDH) problem).

#### 2.3. Fuzzy Extraction

- $\mathrm{Gen}(BI{O}_{i})=({R}_{i},{P}_{i}).$ This probabilistic algorithm takes a biometric template $BI{O}_{i}$ as input and outputs a biometric key ${R}_{i}$, which is a uniformly random string, together with a helper string ${P}_{i}$. With the assistance of ${P}_{i}$, the same ${R}_{i}$ can be recovered even if the biometric information changes slightly.
- $\mathrm{Rep}(BI{O}_{i}^{\prime},{P}_{i})=({R}_{i}).$ This deterministic algorithm takes noisy biometric information $BI{O}_{i}^{\prime}$ and a helper string ${P}_{i}$ as inputs, then reproduces the biometric key ${R}_{i}$. To reproduce the same ${R}_{i}$, the metric space distances between $BI{O}_{i}$ and $BI{O}_{i}^{\prime}$ have to meet the given verification threshold.
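The $\mathrm{Gen}/\mathrm{Rep}$ interface above can be made concrete with the code-offset construction of Dodis et al. [23]. The Python below is an added illustration (not code from the paper): templates are bit strings, a repetition code of length `REP` corrects up to two flipped bits per codeword block, and the helper string is the XOR of the template with a codeword; the names `gen`, `rep` and `demo` and the sizes `REP`, `KEY_BITS` are the example's own assumptions.

```python
import hashlib
import secrets

# Toy code-offset fuzzy extractor for the Gen/Rep interface of Section 2.3.
# Assumptions (illustration only): biometric templates are uniform bit strings of
# length T; each secret bit is encoded as REP copies, so Rep tolerates up to
# (REP-1)//2 flipped bits per block of REP template bits (the "threshold").
REP = 5            # repetition factor of the error-correcting code
KEY_BITS = 16      # length of the random secret encoded into the helper string
T = KEY_BITS * REP # template length in bits

def _encode(bits):
    """Repetition encoding: each bit becomes REP copies."""
    return [b for b in bits for _ in range(REP)]

def _decode(bits):
    """Majority vote per block of REP bits; wrong if a block has > (REP-1)//2 errors."""
    return [1 if sum(bits[i:i + REP]) > REP // 2 else 0 for i in range(0, len(bits), REP)]

def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def _to_bits(n, width):
    return [(n >> i) & 1 for i in range(width)]

def gen(bio):
    """Gen(BIO_i) -> (R_i, P_i). bio is a list of T template bits."""
    secret = _to_bits(secrets.randbits(KEY_BITS), KEY_BITS)
    helper = _xor(bio, _encode(secret))          # P_i = BIO_i XOR C(secret)
    r_i = hashlib.sha256(bytes(secret)).digest() # R_i derived from the uniform secret
    return r_i, helper

def rep(bio_noisy, helper):
    """Rep(BIO_i', P_i) -> R_i, provided BIO_i' is within the threshold of BIO_i."""
    secret = _decode(_xor(bio_noisy, helper))    # BIO_i' XOR P_i = C(secret) XOR noise
    return hashlib.sha256(bytes(secret)).digest()

def demo(error_positions):
    """Enrol a random template, flip the given bit positions, and report whether
    Rep reproduces the enrolment key R_i."""
    bio = _to_bits(secrets.randbits(T), T)
    r_i, p_i = gen(bio)
    noisy = list(bio)
    for pos in error_positions:
        noisy[pos] ^= 1
    return rep(noisy, p_i) == r_i
```

One flipped bit in each of three different blocks is corrected, while three flips inside one block exceed the threshold and yield a different key.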

#### 2.4. Network Model

- ${U}_{i}$: A user who receives a smart card from $GWN$ and uses it to access multiple servers. After a successful authentication process with ${S}_{j}$, the user is given access to mobile services. Furthermore, the user’s smart card is not tamper-resistant and can be lost or stolen by an adversary.
- ${S}_{j}$: A sensor node that collects information and provides services to users who successfully complete the authentication process. Sensors are not equipped with tamper-resistant hardware due to cost constraints, thus an adversary will know all of the keying materials stored in that sensor’s memory.
- $GWN$: A trusted third-party that generates system parameters. It provides smart cards to users and pre-shared keys to sensors. $GWN$ is assumed to be trustworthy and never compromised by an adversary.

#### 2.5. Security Requirements

## 3. Review of Chang et al.’s Authentication and Key Agreement Scheme

#### 3.1. Registration Phase

- Step 1: ${U}_{i}$ chooses $I{D}_{i},p{w}_{i}$ and a random number $R{N}_{r}$, then computes $HP{W}_{i}=h(p{w}_{i}||R{N}_{r})$ and sends $\{I{D}_{i},HP{W}_{i}\}$ to $GWN$ via a secure channel.
- Step 2: $GWN$ computes $HI{D}_{i}=h(I{D}_{i}||K)$, ${X}_{{S}_{i}}=h(HI{D}_{i}||K)$, ${A}_{i}=h(HP{W}_{i}||{X}_{{S}_{i}})\oplus HI{D}_{i}$, ${B}_{i}=h(HP{W}_{i}\oplus {X}_{{S}_{i}})$, ${C}_{i}={X}_{{S}_{i}}\oplus h(I{D}_{S}||HP{W}_{i})$. Then, $GWN$ sends the smart card $S{C}_{i}=(I{D}_{S},h(\cdot),{A}_{i},{B}_{i},{C}_{i},TI{D}_{i})$ to ${U}_{i}$ via a secure channel. $GWN$ stores $(TI{D}_{i},TI{D}_{i}^{\circ},HI{D}_{i})$ in its storage, where $TI{D}_{i}=R{N}_{G}$, $R{N}_{G}$ is a nonce, and $TI{D}_{i}^{\circ}=\text{``''}$, i.e., $TI{D}_{i}^{\circ}$ is initially empty.
- Step 3: ${U}_{i}$ computes $XP{W}_{i}=h(p{w}_{i})\oplus R{N}_{r}$ and inserts it into $S{C}_{i}$.

#### 3.2. Login Phase

- Step 1: ${U}_{i}$ inputs $I{D}_{i}^{*}$ and $p{w}_{i}^{*}$ into $S{C}_{i}$.
- Step 2: $S{C}_{i}$ computes $R{N}_{r}^{*}=h(p{w}_{i}^{*})\oplus XP{W}_{i}$, $HP{W}_{i}^{*}=h(p{w}_{i}^{*}||R{N}_{r}^{*})$, ${X}_{{S}_{i}}^{*}={C}_{i}\oplus h(I{D}_{S}||HP{W}_{i}^{*})$, ${B}_{i}^{*}=h(HP{W}_{i}^{*}\oplus {X}_{{S}_{i}}^{*})$. Then, $S{C}_{i}$ verifies ${B}_{i}^{*}\stackrel{?}{=}{B}_{i}$. If it is valid, $S{C}_{i}$ computes ${k}_{i}=h({X}_{{S}_{i}}^{*}||{T}_{i})$, $DI{D}_{i}=h(HP{W}_{i}^{*}||{X}_{{S}_{i}}^{*})\oplus {k}_{i}$, ${M}_{{U}_{i},G}=h({A}_{i}||{X}_{{S}_{i}}^{*}||{T}_{i})$, where ${T}_{i}$ is the timestamp.
- Step 3: ${U}_{i}$ sends $\{DI{D}_{i},{M}_{{U}_{i},G},{T}_{i},TI{D}_{i}\}$ to $GWN$.

#### 3.3. Authentication and Key Agreement Phase

- Step 1: $GWN$ checks the validity of ${T}_{i}$ and retrieves $HI{D}_{i}$ from $TI{D}_{i}$. Then, $GWN$ computes ${X}_{{S}_{i}}=h(HI{D}_{i}||K)$, ${k}_{i}=h({X}_{{S}_{i}}||{T}_{i})$, ${X}^{*}=DI{D}_{i}\oplus {k}_{i}$, ${M}_{{U}_{i},G}^{*}=h(({X}^{*}\oplus HI{D}_{i})||{X}_{{S}_{i}}||{T}_{i})$, then checks ${M}_{{U}_{i},G}^{*}\stackrel{?}{=}{M}_{{U}_{i},G}$. If it is correct, $GWN$ computes ${X}_{{S}_{j}}=h(SI{D}_{j}||K)$, ${M}_{G,{S}_{j}}=h(DI{D}_{i}||SI{D}_{j}||{X}_{{S}_{j}}||{T}_{G})$, then sends $\{DI{D}_{i},{M}_{G,{S}_{j}},{T}_{G}\}$ to ${S}_{j}$, where ${T}_{G}$ is the timestamp.
- Step 2: ${S}_{j}$ checks the validity of ${T}_{G}$ and computes ${M}_{G,{S}_{j}}^{*}=h(DI{D}_{i}||SI{D}_{j}||{X}_{{S}_{j}}^{*}||{T}_{G})$, then checks ${M}_{G,{S}_{j}}^{*}\stackrel{?}{=}{M}_{G,{S}_{j}}$. If it is successful, ${S}_{j}$ computes ${k}_{j}=h({X}_{{S}_{j}}||{T}_{j})$, ${Z}_{i}={M}_{G,{S}_{j}}^{*}\oplus {k}_{j}$, ${K}_{S}=f(DI{D}_{i},{k}_{j})$, ${M}_{{S}_{j},G}=h({Z}_{i}||{X}_{{S}_{j}}^{*}||{T}_{j})$, then sends $\{{M}_{{S}_{j},G},{T}_{j}\}$ to $GWN$, where ${T}_{j}$ is the timestamp.
- Step 3: $GWN$ checks the validity of ${T}_{j}$ and computes ${k}_{j}=h({X}_{{S}_{j}}||{T}_{j})$, ${Z}_{i}^{*}={M}_{G,{S}_{j}}\oplus {k}_{j}$, ${M}_{{S}_{j},G}^{*}=h({Z}_{i}^{*}||{X}_{{S}_{j}}||{T}_{j})$, then checks ${M}_{{S}_{j},G}^{*}\stackrel{?}{=}{M}_{{S}_{j},G}$. If it is correct, $GWN$ computes ${M}_{G,{U}_{i}}=h(DI{D}_{i}||{M}_{{U}_{i},G}^{*}||{k}_{j}||{X}_{{S}_{i}}||{T}_{G}^{\prime})$, ${y}_{i}={k}_{j}\oplus h({k}_{i})$, $TI{D}_{{i}_{new}}=h(HI{D}_{i}||{T}_{i})$, then sends $\{{y}_{i},{M}_{G,{U}_{i}},{T}_{G}^{\prime}\}$ to ${U}_{i}$, where ${T}_{G}^{\prime}$ is the timestamp. Additionally, $GWN$ updates $(TI{D}_{i},TI{D}_{i}^{\circ})$ as $(TI{D}_{{i}_{new}},TI{D}_{i})$.
- Step 4: ${U}_{i}$ checks the validity of ${T}_{G}^{\prime}$ and computes ${k}_{j}={y}_{i}\oplus h({k}_{i})$, ${M}_{G,{U}_{i}}^{*}=h(DI{D}_{i}||{M}_{{U}_{i},G}||{k}_{j}||{X}_{{S}_{i}}||{T}_{G}^{\prime})$, then checks ${M}_{G,{U}_{i}}^{*}\stackrel{?}{=}{M}_{G,{U}_{i}}$. If it is correct, ${U}_{i}$ computes ${K}_{S}=f(DI{D}_{i},{k}_{j})$ and updates $TI{D}_{i}$ as $h(HI{D}_{i}||{T}_{i})$.

#### 3.4. Password Change Phase

- Step 1: ${U}_{i}$ inputs $\{I{D}_{i}^{*},p{w}_{i}^{*},p{w}_{ni}\}$ into $S{C}_{i}$, where $p{w}_{ni}$ is the new password.
- Step 2: The smart card computes $R{N}_{r}^{*}=h(p{w}_{i}^{*})\oplus XP{W}_{i}$, $HP{W}_{i}^{*}=h(p{w}_{i}^{*}||R{N}_{r}^{*})$, ${X}_{{S}_{i}}^{*}={C}_{i}\oplus h(I{D}_{S}||HP{W}_{i}^{*})$, ${B}_{i}^{*}=h(HP{W}_{i}^{*}\oplus {X}_{{S}_{i}}^{*})$, then checks ${B}_{i}^{*}\stackrel{?}{=}{B}_{i}$. If it is correct, $S{C}_{i}$ computes the updated values $HP{W}_{ni}=h(p{w}_{ni}||R{N}_{r}^{*})$, ${A}_{ni}={A}_{i}\oplus h(HP{W}_{i}^{*}||{X}_{{S}_{i}}^{*})\oplus h(HP{W}_{ni}||{X}_{{S}_{i}}^{*})$, ${B}_{ni}=h(HP{W}_{ni}\oplus {X}_{{S}_{i}}^{*})$, ${C}_{ni}={X}_{{S}_{i}}^{*}\oplus h(I{D}_{S}||HP{W}_{ni})$. Then, $S{C}_{i}$ replaces $({A}_{i},{B}_{i},{C}_{i})$ with $({A}_{ni},{B}_{ni},{C}_{ni})$.

## 4. Security Weaknesses of Chang et al.’s Scheme

- An adversary $\mathcal{A}$ can be either a user or a sensor node, but not a gateway node [26].
- An adversary $\mathcal{A}$ has total control over the public communication channel. Thus, the adversary can intercept, insert, delete or modify any message transmitted via a public channel.
- An adversary $\mathcal{A}$ may steal a user’s smart card and extract the information stored in it by means of analyzing the power consumption [27].
- An adversary $\mathcal{A}$ can easily guess low-entropy passwords in an off-line manner, but the guessing of two secret parameters is computationally infeasible in polynomial time [28].

#### 4.1. Off-Line Password Guessing Attack

#### 4.2. Lack of Perfect Forward Secrecy

- Step 1: $\mathcal{A}$ intercepts and stores all messages exchanged in previous sessions, such as $DI{D}_{i}$ and ${T}_{i}$.
- Step 2: $\mathcal{A}$ computes ${k}_{j}=h({X}_{{S}_{j}}||{T}_{j})$, then finally retrieves a previous session key ${K}_{S}=f(DI{D}_{i},{k}_{j})$.

#### 4.3. Incorrectness of Password Change

- Step 1: Once the user performs the password change phase, the previous password $p{w}_{i}$ is changed into $p{w}_{ni}$, and the information in the smart card, $({A}_{i},{B}_{i},{C}_{i})$, is replaced with $({A}_{ni},{B}_{ni},{C}_{ni})$.
- Step 2: The user then performs the login phase using the new password $p{w}_{ni}$; however, ${U}_{i}$ is denied access because the smart card cannot compute the proper $R{N}_{r}$ from $XP{W}_{i}$. $XP{W}_{i}$ is not updated in the password change phase; therefore, $R{N}_{r}^{*}=XP{W}_{i}\oplus h(p{w}_{ni}^{*})\ne R{N}_{r}$ and, finally, ${B}_{i}^{*}\ne {B}_{i}$.
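The defect can be reproduced end to end. The Python below is an added simulation (not code from this paper or from Chang et al.) of the registration, login and password-change phases of Section 3, with SHA-256 standing in for $h(\cdot)$ and byte-wise XOR for $\oplus$; it also shows that additionally updating $XP{W}_{i}$ in the password-change phase restores the login. The function names `register`, `login_check`, `change_password` and `run` and the sample identities are the example's own.

```python
import hashlib
import secrets

# Simulation of Chang et al.'s registration (3.1), login (3.2) and password change (3.4)
# as reviewed above. Assumptions: h(.) = SHA-256 over "||"-joined inputs, XOR on
# 32-byte strings, a constant ID_S, and a fresh GWN secret K per run.

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"||".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

K = secrets.token_bytes(32)   # GWN long-term secret
ID_S = b"server-1"

def register(id_i: bytes, pw: bytes) -> dict:
    """Steps 1-3 of 3.1: build the smart card contents, including XPW_i."""
    rn_r = secrets.token_bytes(32)
    hpw = h(pw, rn_r)
    hid = h(id_i, K)
    xs = h(hid, K)
    return {
        "A": xor(h(hpw, xs), hid),
        "B": h(xor(hpw, xs)),
        "C": xor(xs, h(ID_S, hpw)),
        "XPW": xor(h(pw), rn_r),   # inserted by U_i in Step 3
    }

def login_check(card: dict, pw: bytes) -> bool:
    """Smart card side of 3.2 Step 2: recover RN_r, HPW_i, X_{S_i} and verify B_i."""
    rn_r = xor(h(pw), card["XPW"])
    hpw = h(pw, rn_r)
    xs = xor(card["C"], h(ID_S, hpw))
    return h(xor(hpw, xs)) == card["B"]

def change_password(card: dict, pw_old: bytes, pw_new: bytes, fix: bool) -> bool:
    """3.4 as written (fix=False), or with XPW_i refreshed as well (fix=True)."""
    rn_r = xor(h(pw_old), card["XPW"])
    hpw = h(pw_old, rn_r)
    xs = xor(card["C"], h(ID_S, hpw))
    if h(xor(hpw, xs)) != card["B"]:
        return False
    hpw_n = h(pw_new, rn_r)
    card["A"] = xor(xor(card["A"], h(hpw, xs)), h(hpw_n, xs))
    card["B"] = h(xor(hpw_n, xs))
    card["C"] = xor(xs, h(ID_S, hpw_n))
    if fix:
        card["XPW"] = xor(h(pw_new), rn_r)   # the update the original phase omits
    return True

def run(fix: bool) -> bool:
    """Register, change the password, then attempt a login with the new password."""
    card = register(b"alice", b"old-pw")
    assert login_check(card, b"old-pw")
    assert change_password(card, b"old-pw", b"new-pw", fix)
    return login_check(card, b"new-pw")
```

Without the fix, the card recovers $R{N}_{r}^{*}=h(p{w}_{ni})\oplus h(p{w}_{i})\oplus R{N}_{r}\ne R{N}_{r}$ and the ${B}_{i}$ check fails; with $XP{W}_{i}$ refreshed, the login succeeds.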

## 5. The Proposed Three-Factor Authentication and Key Agreement Scheme

#### 5.1. Registration Phase

- Step 1: ${U}_{i}\Rightarrow GWN$ : $\{I{D}_{i},HP{W}_{i}\}$. ${U}_{i}$ chooses $I{D}_{i}$ and $p{w}_{i}$ and imprints $BI{O}_{i}$, then ${U}_{i}$ computes $({R}_{i},{P}_{i})=\mathrm{Gen}(BI{O}_{i})$ and $HP{W}_{i}=h(p{w}_{i}||{R}_{i})$ and sends $\{I{D}_{i},HP{W}_{i}\}$ to $GWN$ through a secure channel.
- Step 2: $GWN\Rightarrow {U}_{i}$ : $S{C}_{i}=\{h(\cdot),{A}_{i},{B}_{i},{C}_{i},TI{D}_{i}\}$. $GWN$ computes $HI{D}_{i}=h(I{D}_{i}||K)$, ${X}_{{S}_{i}}=h(HI{D}_{i}||K)$, ${A}_{i}=h(HP{W}_{i}||{X}_{{S}_{i}})\oplus HI{D}_{i}$, ${B}_{i}=h(HP{W}_{i}\oplus {X}_{{S}_{i}})$, ${C}_{i}={X}_{{S}_{i}}\oplus h(I{D}_{i}||HP{W}_{i})$.
- Step 3: $GWN$ stores the parameters $(TI{D}_{i},TI{D}_{i}^{\circ},HI{D}_{i})$, where $TI{D}_{i}=R{N}_{G}$ ($R{N}_{G}$ is a nonce) and $TI{D}_{i}^{\circ}=\text{``''}$. $TI{D}_{i}^{\circ}$ is empty at first because $TI{D}_{i}$ has not yet been updated; this parameter is nevertheless required to check the correctness of the received $TI{D}_{i}$ and to retrieve $HI{D}_{i}$ safely when $GWN$ does not find a properly updated $TI{D}_{i}$ after an unsuccessful update process. Then, $GWN$ issues the smart card $S{C}_{i}=\{h(\cdot),{A}_{i},{B}_{i},{C}_{i},TI{D}_{i}\}$ and sends it to ${U}_{i}$ through a secure channel.

#### 5.2. Login Phase

- Step 1: ${U}_{i}$ inserts $S{C}_{i}$, inputs $I{D}_{i}^{*}$ and $p{w}_{i}^{*}$, and imprints $BI{O}_{i}^{*}$.
- Step 2: $S{C}_{i}$ computes ${R}_{i}^{*}=\mathrm{Rep}(BI{O}_{i}^{*},{P}_{i})$, $HP{W}_{i}^{*}=h(p{w}_{i}^{*}||{R}_{i}^{*})$, ${X}_{{S}_{i}}^{*}={C}_{i}\oplus h(I{D}_{i}^{*}||HP{W}_{i}^{*})$, ${B}_{i}^{*}=h(HP{W}_{i}^{*}\oplus {X}_{{S}_{i}}^{*})$. Then, $S{C}_{i}$ verifies ${B}_{i}^{*}\stackrel{?}{=}{B}_{i}$. If it is correct, $S{C}_{i}$ generates a random number $a\in {\mathbb{Z}}_{p}^{*}$ and computes ${X}_{i}=aP$, ${k}_{i}=h({X}_{{S}_{i}}^{*}||{T}_{i})$, $DI{D}_{i}=h(HP{W}_{i}^{*}||{X}_{{S}_{i}}^{*})\oplus {k}_{i}$, ${M}_{{U}_{i},G}=h({A}_{i}||{X}_{{S}_{i}}^{*}||{X}_{i}||{T}_{i})$, where ${T}_{i}$ is the current timestamp.
- Step 3: ${U}_{i}$ sends the login request message $\{DI{D}_{i},{X}_{i},{M}_{{U}_{i},G},{T}_{i},TI{D}_{i}\}$ to $GWN$.

#### 5.3. Authentication and Key Agreement Phase

- Step 1: $GWN\Rightarrow {S}_{j}$ : $\{DI{D}_{i},{X}_{i},{M}_{G,{S}_{j}},{T}_{G}\}$. After receiving $\{DI{D}_{i},{X}_{i},{M}_{{U}_{i},G},{T}_{i},TI{D}_{i}\}$, $GWN$ checks the validity of ${T}_{i}$ and retrieves $HI{D}_{i}$ from $TI{D}_{i}$. If no $TI{D}_{i}$ is found, $GWN$ checks $TI{D}_{i}^{\circ}$. If it is still not found, $GWN$ rejects the login request; otherwise, $GWN$ computes ${X}_{{S}_{i}}=h(HI{D}_{i}||K)$ and ${k}_{i}=h({X}_{{S}_{i}}||{T}_{i})$. Then, $GWN$ verifies ${M}_{{U}_{i},G}\stackrel{?}{=}h((DI{D}_{i}\oplus {k}_{i}\oplus HI{D}_{i})||{X}_{{S}_{i}}||{X}_{i}||{T}_{i})$. If it is valid, $GWN$ authenticates ${U}_{i}$ and computes ${M}_{G,{S}_{j}}=h(DI{D}_{i}||SI{D}_{j}||{X}_{{S}_{j}}||{X}_{i}||{T}_{G})$, then sends $\{DI{D}_{i},{X}_{i},{M}_{G,{S}_{j}},{T}_{G}\}$ to ${S}_{j}$, where ${T}_{G}$ is the current timestamp.
- Step 2: ${S}_{j}\Rightarrow GWN$ : $\{{M}_{{S}_{j},G},{Y}_{j},{T}_{j}\}$. After receiving $\{DI{D}_{i},{X}_{i},{M}_{G,{S}_{j}},{T}_{G}\}$, ${S}_{j}$ checks the validity of ${T}_{G}$ and verifies ${M}_{G,{S}_{j}}\stackrel{?}{=}h(DI{D}_{i}||{X}_{i}||{X}_{{S}_{j}}^{*}||{T}_{G})$ using its stored secret value ${X}_{{S}_{j}}^{*}=h(SI{D}_{j}||K)$. If it is valid, ${S}_{j}$ authenticates $GWN$ and computes ${k}_{j}=h({X}_{{S}_{j}}^{*}||{T}_{j})$, ${Z}_{i}={M}_{G,{S}_{j}}\oplus {k}_{j}$, where ${T}_{j}$ is the current timestamp. Then, ${S}_{j}$ generates a random number $b\in {\mathbb{Z}}_{p}^{*}$ and computes ${Y}_{j}=bP$ and the session key $SK={k}_{ji}=h(DI{D}_{i}||{k}_{j}||b{X}_{i})$. Finally, ${S}_{j}$ computes ${M}_{{S}_{j},G}=h({Z}_{i}||{X}_{{S}_{j}}^{*}||{X}_{i}||{Y}_{j}||{T}_{j})$ and sends $\{{M}_{{S}_{j},G},{Y}_{j},{T}_{j}\}$ to $GWN$.
- Step 3: $GWN\Rightarrow {U}_{i}$ : $\{{e}_{i},{M}_{G,{U}_{i}},{Y}_{j},{T}_{G}^{\prime}\}$. After receiving $\{{M}_{{S}_{j},G},{Y}_{j},{T}_{j}\}$, $GWN$ checks the validity of ${T}_{j}$, computes ${k}_{j}=h({X}_{{S}_{j}}||{T}_{j})$, ${Z}_{i}^{*}={M}_{G,{S}_{j}}\oplus {k}_{j}$ and verifies ${M}_{{S}_{j},G}\stackrel{?}{=}h({Z}_{i}^{*}||{X}_{{S}_{j}}||{X}_{i}||{Y}_{j}||{T}_{j})$. If it is valid, $GWN$ authenticates ${S}_{j}$ and computes ${e}_{i}={k}_{j}\oplus h({k}_{i})$, ${M}_{G,{U}_{i}}=h(DI{D}_{i}||{M}_{{U}_{i},G}||{k}_{j}||{X}_{{S}_{i}}||{X}_{i}||{Y}_{j}||{T}_{G}^{\prime})$, $TI{D}_{{i}_{new}}=h(HI{D}_{i}||{T}_{i})$, where ${T}_{G}^{\prime}$ is the current timestamp. Then, $GWN$ sends $\{{e}_{i},{M}_{G,{U}_{i}},{Y}_{j},{T}_{G}^{\prime}\}$ to ${U}_{i}$ and updates $(TI{D}_{i},TI{D}_{i}^{\circ})$ as $(TI{D}_{{i}_{new}},TI{D}_{i})$ in its storage.
- Step 4: After receiving $\{{e}_{i},{M}_{G,{U}_{i}},{Y}_{j},{T}_{G}^{\prime}\}$, ${U}_{i}$ checks the validity of ${T}_{G}^{\prime}$, computes ${k}_{j}^{*}={e}_{i}\oplus h({k}_{i}^{*})$ and verifies ${M}_{G,{U}_{i}}\stackrel{?}{=}h(DI{D}_{i}||{M}_{{U}_{i},G}||{k}_{j}^{*}||{X}_{{S}_{i}}||{X}_{i}||{Y}_{j}||{T}_{G}^{\prime})$. If it is valid, ${U}_{i}$ computes the session key $SK={k}_{ij}=h(DI{D}_{i}||{k}_{j}||a{Y}_{j})$. Finally, ${U}_{i}$ updates $TI{D}_{i}$ as $h(HI{D}_{i}||{T}_{i})$.
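A runnable walk-through of the login and authentication phases above, added here as an example (not the paper's code). Both sides derive $SK=h(DI{D}_{i}||{k}_{j}||abP)$ over the textbook curve $y^{2}=x^{3}+2x+2$ over $\mathbb{F}_{17}$ with generator $P=(5,1)$ of prime order 19, SHA-256 stands in for $h(\cdot)$, each tag is recomputed exactly as the previous party formed it, and the fixed timestamp strings, sample identities and the function names `ec_add`, `ec_mul` and `run_session` are the example's own assumptions; the curve is far too small for real use and only makes $abP$ concrete.

```python
import hashlib
import secrets

# Worked run of the login (5.2) and authentication/key agreement (5.3) phases.
# Assumptions (illustration only, not the paper's parameters): curve y^2 = x^3 + 2x + 2
# over F_17, generator P = (5, 1) of prime order 19; h(.) = SHA-256 over "||"-joined
# inputs; byte-wise XOR for (+); constant byte strings as timestamps.
P_MOD, A_COEF, GEN, ORDER = 17, 2, (5, 1), 19

def ec_add(p1, p2):
    """Affine point addition; None denotes the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def h(*parts):
    return hashlib.sha256(b"||".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc(pt):
    """Fixed encoding of a curve point before hashing."""
    return f"{pt[0]},{pt[1]}".encode()

def run_session():
    """Run one session; returns (SK at U_i, SK at S_j, TID_new, GWN's TID table)."""
    K = secrets.token_bytes(32)                       # GWN long-term secret
    id_i, pw, r_i, sid_j = b"alice", b"pw", secrets.token_bytes(32), b"sensor-7"
    # Registration (5.1), reduced to the values the later phases use
    hpw = h(pw, r_i); hid = h(id_i, K); xs_i = h(hid, K)
    A = xor(h(hpw, xs_i), hid)
    tid = secrets.token_bytes(32); gwn_table = {tid: hid}
    xs_j = h(sid_j, K)                                # sensor's pre-shared secret
    # Login (5.2): smart card builds the request after its local B_i check
    a = secrets.randbelow(ORDER - 1) + 1              # a in Z_p^*
    X_i = ec_mul(a, GEN); T_i = b"t1"
    k_i = h(xs_i, T_i)
    DID = xor(h(hpw, xs_i), k_i)
    M_ug = h(A, xs_i, enc(X_i), T_i)
    # Step 1: GWN recovers HID_i from TID_i, checks M_{U_i,G}, forwards to S_j
    hid_g = gwn_table[tid]; xs_i_g = h(hid_g, K); k_i_g = h(xs_i_g, T_i)
    if M_ug != h(xor(xor(DID, k_i_g), hid_g), xs_i_g, enc(X_i), T_i):
        raise ValueError("GWN rejects login request")
    T_G = b"t2"; M_gs = h(DID, sid_j, xs_j, enc(X_i), T_G)
    # Step 2: S_j checks M_{G,S_j} (recomputed as GWN formed it), picks b, derives SK
    if M_gs != h(DID, sid_j, xs_j, enc(X_i), T_G):
        raise ValueError("S_j rejects GWN")
    T_j = b"t3"; k_j = h(xs_j, T_j); Z_i = xor(M_gs, k_j)
    b = secrets.randbelow(ORDER - 1) + 1
    Y_j = ec_mul(b, GEN)
    sk_sensor = h(DID, k_j, enc(ec_mul(b, X_i)))     # h(DID_i || k_j || bX_i)
    M_sg = h(Z_i, xs_j, enc(X_i), enc(Y_j), T_j)
    # Step 3: GWN checks M_{S_j,G}, wraps k_j for U_i, rotates TID
    k_j_g = h(xs_j, T_j)
    if M_sg != h(xor(M_gs, k_j_g), xs_j, enc(X_i), enc(Y_j), T_j):
        raise ValueError("GWN rejects S_j")
    T_G2 = b"t4"; e_i = xor(k_j_g, h(k_i_g))
    M_gu = h(DID, M_ug, k_j_g, xs_i_g, enc(X_i), enc(Y_j), T_G2)
    tid_new = h(hid_g, T_i)
    gwn_table = {tid_new: hid_g, tid: hid_g}          # (TID_new, TID_old) both kept
    # Step 4: U_i checks M_{G,U_i}, unwraps k_j, derives SK
    k_j_u = xor(e_i, h(k_i))
    if M_gu != h(DID, M_ug, k_j_u, xs_i, enc(X_i), enc(Y_j), T_G2):
        raise ValueError("U_i rejects GWN")
    sk_user = h(DID, k_j_u, enc(ec_mul(a, Y_j)))      # h(DID_i || k_j || aY_j)
    return sk_user, sk_sensor, tid_new, gwn_table
```

Because $a{Y}_{j}=b{X}_{i}=abP$, the two session keys coincide, and the old $TI{D}_{i}$ stays resolvable in the gateway table for the fallback lookup described in Step 1.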

#### 5.4. Password Change Phase

- Step 1: ${U}_{i}$ imprints $BI{O}_{i}^{*}$ and computes ${R}_{i}^{*}=\mathrm{Rep}(BI{O}_{i}^{*},{P}_{i})$, then inputs $\{I{D}_{i}^{*},{R}_{i}^{*},p{w}_{i}^{*},p{w}_{ni}\}$ into $S{C}_{i}$.
- Step 2: $S{C}_{i}$ computes $HP{W}_{i}^{*}=h(p{w}_{i}^{*}||{R}_{i}^{*})$, ${X}_{{S}_{i}}^{*}={C}_{i}\oplus h(I{D}_{i}^{*}||HP{W}_{i}^{*})$, ${B}_{i}^{*}=h(HP{W}_{i}^{*}\oplus {X}_{{S}_{i}}^{*})$. Then, $S{C}_{i}$ verifies ${B}_{i}^{*}\stackrel{?}{=}{B}_{i}$ to check the validity of ${U}_{i}$. If it is correct, $S{C}_{i}$ computes the updated values $HP{W}_{ni}=h(p{w}_{ni}||{R}_{i}^{*})$, ${A}_{ni}={A}_{i}\oplus h(HP{W}_{i}||{X}_{{S}_{i}}^{*})\oplus h(HP{W}_{ni}||{X}_{{S}_{i}}^{*})$, ${B}_{ni}=h(HP{W}_{ni}\oplus {X}_{{S}_{i}}^{*})$, ${C}_{ni}={X}_{{S}_{i}}^{*}\oplus h(I{D}_{i}^{*}||HP{W}_{ni})$. Then, $S{C}_{i}$ replaces $({A}_{i},{B}_{i},{C}_{i})$ with $({A}_{ni},{B}_{ni},{C}_{ni})$.

## 6. Analysis

#### 6.1. Proof of Authentication and Key Agreement Based on BAN Logic

- The BAN logic postulates:
- (a) Message meaning rule: $$\frac{P \text{ believes } Q\stackrel{K}{\leftrightarrow}P,\; P \text{ sees } {\{X\}}_{K}}{P \text{ believes } Q \text{ said } X}$$
- (b) Nonce-verification rule: $$\frac{P \text{ believes fresh}(X),\; P \text{ believes } Q \text{ said } X}{P \text{ believes } Q \text{ believes } X}$$
- (c) Jurisdiction rule: $$\frac{P \text{ believes } Q \text{ controls } X,\; P \text{ believes } Q \text{ believes } X}{P \text{ believes } X}$$
- (d) Freshness-concatenation rule: $$\frac{P \text{ believes fresh}(X)}{P \text{ believes fresh}(X,Y)}.$$

- Security goals: The proposed scheme should satisfy the following goals:
- ${g}_{1}$: ${U}_{i}|\equiv {U}_{i}\stackrel{SK}{\leftrightarrow}{S}_{j}$
- ${g}_{2}$: ${S}_{j}|\equiv {U}_{i}\stackrel{SK}{\leftrightarrow}{S}_{j}$
- ${g}_{3}$: ${U}_{i}|\equiv {S}_{j}|\equiv {U}_{i}\stackrel{SK}{\leftrightarrow}{S}_{j}$
- ${g}_{4}$: ${S}_{j}|\equiv {U}_{i}|\equiv {U}_{i}\stackrel{SK}{\leftrightarrow}{S}_{j}$
- Idealized scheme: We transform our scheme into the idealized form as follows:
- $Ms{g}_{1}$: ${U}_{i}\to GWN:{(DI{D}_{i},K,{X}_{i},{T}_{i})}_{HI{D}_{i}}$
- $Ms{g}_{2}$: $GWN\to {S}_{j}:{(DI{D}_{i},SI{D}_{j},K,{X}_{i},{T}_{G})}_{{X}_{{S}_{j}}}$
- $Ms{g}_{3}$: ${S}_{j}\to GWN:{(DI{D}_{i},SI{D}_{j},K,{X}_{i},{Y}_{i},{T}_{j})}_{{X}_{{S}_{j}}}$
- $Ms{g}_{4}$: $GWN\to {U}_{i}:{(DI{D}_{i},{k}_{j},K,{X}_{i},{Y}_{i},{T}_{G}^{\prime})}_{HI{D}_{i}}$
- Initial premises: We make the following assumptions about the initial state of the scheme in order to analyze it.
- ${p}_{1}$: $GWN|\equiv \#({T}_{i})$
- ${p}_{2}$: $GWN|\equiv \#({T}_{j})$
- ${p}_{3}$: ${S}_{j}|\equiv \#({T}_{G})$
- ${p}_{4}$: ${U}_{i}|\equiv \#({T}_{G}^{\prime})$
- ${p}_{5}$: $GWN|\equiv GWN\stackrel{{X}_{{S}_{j}}}{\leftrightarrow}{S}_{j}$
- ${p}_{6}$: ${S}_{j}|\equiv GWN\stackrel{{X}_{{S}_{j}}}{\leftrightarrow}{S}_{j}$
- ${p}_{7}$: ${U}_{i}|\equiv {U}_{i}\stackrel{HI{D}_{i}}{\leftrightarrow}GWN$
- ${p}_{8}$: $GWN|\equiv {U}_{i}\stackrel{HI{D}_{i}}{\leftrightarrow}GWN$
- ${p}_{9}$: ${U}_{i}|\equiv {S}_{j}\Rightarrow {U}_{i}\stackrel{SK}{\leftrightarrow}{S}_{j}$
- ${p}_{10}$: ${S}_{j}|\equiv {U}_{i}\Rightarrow {U}_{i}\stackrel{SK}{\leftrightarrow}{S}_{j}$
- Security analysis of the idealized form of the proposed scheme:
- ${a}_{1}$: According to $Ms{g}_{1}$, we obtain: $${s}_{1}:GWN\triangleleft {(DI{D}_{i},K,{X}_{i},{T}_{i})}_{HI{D}_{i}}$$
- ${a}_{2}$: According to ${p}_{8}$, we apply the message-meaning rule to obtain: $${s}_{2}:GWN|\equiv {U}_{i}|\sim {(DI{D}_{i},K,{X}_{i},{T}_{i})}_{HI{D}_{i}}$$
- ${a}_{3}$: According to ${p}_{1}$, we apply the freshness-concatenation rule to obtain: $${s}_{3}:GWN|\equiv \#{(DI{D}_{i},K,{X}_{i},{T}_{i})}_{HI{D}_{i}}$$ Then, from ${s}_{2}$ and ${s}_{3}$, we apply the nonce-verification rule to obtain: $${s}_{4}:GWN|\equiv {U}_{i}|\equiv {(DI{D}_{i},K,{X}_{i},{T}_{i})}_{HI{D}_{i}}$$
- ${a}_{4}$: According to $Ms{g}_{2}$, we obtain: $${s}_{5}:{S}_{j}\triangleleft {(DI{D}_{i},SI{D}_{j},K,{X}_{i},{T}_{G})}_{{X}_{{S}_{j}}}$$
- ${a}_{5}$: According to ${p}_{6}$, we apply the message-meaning rule to obtain: $${s}_{6}:{S}_{j}|\equiv GWN|\sim {(DI{D}_{i},SI{D}_{j},K,{X}_{i},{T}_{G})}_{{X}_{{S}_{j}}}$$
- ${a}_{6}$: According to ${p}_{3}$, we apply the freshness-concatenation rule to obtain: $${s}_{7}:{S}_{j}|\equiv \#{(DI{D}_{i},SI{D}_{j},K,{X}_{i},{T}_{G})}_{{X}_{{S}_{j}}}$$ Then, from ${s}_{6}$ and ${s}_{7}$, we apply the nonce-verification rule to obtain: $${s}_{8}:{S}_{j}|\equiv GWN|\equiv {(DI{D}_{i},SI{D}_{j},K,{X}_{i},{T}_{G})}_{{X}_{{S}_{j}}}$$
- ${a}_{7}$: According to $Ms{g}_{3}$, we obtain: $${s}_{9}:GWN\triangleleft {(DI{D}_{i},SI{D}_{j},K,{X}_{i},{Y}_{i},{T}_{j})}_{{X}_{{S}_{j}}}$$
- ${a}_{8}$: According to ${p}_{5}$, we apply the message-meaning rule to obtain: $${s}_{10}:GWN|\equiv {S}_{j}|\sim {(DI{D}_{i},SI{D}_{j},K,{X}_{i},{Y}_{i},{T}_{j})}_{{X}_{{S}_{j}}}$$
- ${a}_{9}$: According to ${p}_{2}$, we apply the freshness-concatenation rule to obtain: $${s}_{11}:GWN|\equiv \#{(DI{D}_{i},SI{D}_{j},K,{X}_{i},{Y}_{i},{T}_{j})}_{{X}_{{S}_{j}}}$$ Then, from ${s}_{10}$ and ${s}_{11}$, we apply the nonce-verification rule to obtain: $${s}_{12}:GWN|\equiv {S}_{j}|\equiv {(DI{D}_{i},SI{D}_{j},K,{X}_{i},{Y}_{i},{T}_{j})}_{{X}_{{S}_{j}}}$$
- ${a}_{10}$: According to $Ms{g}_{4}$, we obtain: $${s}_{13}:{U}_{i}\triangleleft {(DI{D}_{i},{k}_{j},K,{X}_{i},{Y}_{i},{T}_{G}^{\prime})}_{HI{D}_{i}}$$
- ${a}_{11}$: According to ${p}_{7}$, we apply the message-meaning rule to obtain: $${s}_{14}:{U}_{i}|\equiv GWN|\sim {(DI{D}_{i},{k}_{j},K,{X}_{i},{Y}_{i},{T}_{G}^{\prime})}_{HI{D}_{i}}$$
- ${a}_{12}$: According to ${p}_{4}$, we apply the freshness-concatenation rule to obtain: $${s}_{15}:{U}_{i}|\equiv \#{(DI{D}_{i},{k}_{j},K,{X}_{i},{Y}_{i},{T}_{G}^{\prime})}_{HI{D}_{i}}$$ Then, from ${s}_{14}$ and ${s}_{15}$, we apply the nonce-verification rule to obtain: $${s}_{16}:{U}_{i}|\equiv GWN|\equiv {(DI{D}_{i},{k}_{j},K,{X}_{i},{Y}_{i},{T}_{G}^{\prime})}_{HI{D}_{i}}$$
- ${a}_{13}$: Because $SK=h(DI{D}_{i}||{k}_{j}||b{X}_{i})$, according to ${s}_{16}$ and ${s}_{12}$, we obtain: $${s}_{17}:{U}_{i}|\equiv {S}_{j}|\equiv {U}_{i}\stackrel{SK}{\leftrightarrow}{S}_{j}\quad(\mathrm{Goal}\ 3)$$ Likewise, because $SK=h(DI{D}_{i}||{k}_{j}||a{Y}_{i})$, according to ${s}_{8}$ and ${s}_{4}$, we obtain: $${s}_{18}:{S}_{j}|\equiv {U}_{i}|\equiv {U}_{i}\stackrel{SK}{\leftrightarrow}{S}_{j}\quad(\mathrm{Goal}\ 4)$$
- ${a}_{14}$: According to ${s}_{17}$ and ${p}_{9}$, we apply the jurisdiction rule to obtain: $${s}_{19}:{U}_{i}|\equiv {U}_{i}\stackrel{SK}{\leftrightarrow}{S}_{j}\quad(\mathrm{Goal}\ 1)$$ Likewise, according to ${s}_{18}$ and ${p}_{10}$, we apply the jurisdiction rule to obtain: $${s}_{20}:{S}_{j}|\equiv {U}_{i}\stackrel{SK}{\leftrightarrow}{S}_{j}\quad(\mathrm{Goal}\ 2)$$

According to Goal 1, Goal 2, Goal 3 and Goal 4, we conclude that both ${U}_{i}$ and ${S}_{j}$ believe they share the session key.

#### 6.2. Security Analysis against Various Attacks

- User anonymity and untraceability: Our scheme provides anonymity of users. The user ${U}_{i}$ does not reveal the real identity $I{D}_{i}$ in open channels; instead, $GWN$ generates and sends a pseudonym identity $TI{D}_{i}=HI{D}_{i}=R{N}_{G}$ to ${U}_{i}$ in the registration phase and updates it as $TI{D}_{i}=h(HI{D}_{i}||{T}_{i})$ before finalizing the session. The identity is dynamic for every session; thus, an adversary $\mathcal{A}$ cannot obtain the user’s true identity. The proposed scheme also provides untraceability by having all messages used in the session satisfy a freshness requirement. Therefore, $\mathcal{A}$ cannot trace the user.
- Perfect forward secrecy: A session key $SK$ is computed as $h(DI{D}_{i}||{k}_{j}||abP)$. Even if the long-term private keys ${X}_{{S}_{i}}$ and ${X}_{{S}_{j}}$ are disclosed to $\mathcal{A}$, he/she cannot compute previous session keys, because it is hard to compute $abP$ from ${X}_{i}$ and ${Y}_{j}$ due to the difficulty of ECDH. Thus, $\mathcal{A}$ cannot compute previous session keys using the long-term private keys. Therefore, our scheme provides forward secrecy.
- Mutual authentication: In our scheme, ${U}_{i}$ and $GWN$ authenticate each other, and $GWN$ and ${S}_{j}$ authenticate each other. $GWN$ authenticates ${U}_{i}$ by checking ${M}_{{U}_{i},G}\stackrel{?}{=}h((DI{D}_{i}\oplus {k}_{i}\oplus HI{D}_{i})||{X}_{{S}_{i}}||{X}_{i}||{T}_{i})$. $\mathcal{A}$ needs to compute ${X}_{{S}_{i}}$ and ${k}_{i}$ to reconstruct ${M}_{{U}_{i},G}$; however, only a legal user can compute those values. ${U}_{i}$ authenticates $GWN$ by checking ${M}_{G,{U}_{i}}\stackrel{?}{=}h(DI{D}_{i}||{M}_{{U}_{i},G}||{k}_{j}||{X}_{{S}_{i}}||{X}_{i}||{Y}_{j}||{T}_{G}^{\prime})$. $\mathcal{A}$ needs to compute ${k}_{j}^{*}$ and ${X}_{{S}_{i}}$ to reconstruct ${M}_{G,{U}_{i}}$; however, only a legal $GWN$ can compute those values. Therefore, ${U}_{i}$ and $GWN$ mutually authenticate. Similarly, ${S}_{j}$ authenticates $GWN$ by checking ${M}_{G,{S}_{j}}$, and $GWN$ authenticates ${S}_{j}$ by checking ${M}_{{S}_{j},G}$. Only a legal ${S}_{j}$ and $GWN$ can reconstruct these values, so they authenticate mutually as well. Therefore, our scheme provides proper mutual authentication.
- Off-line password guessing attack: $\mathcal{A}$ may attempt to guess the password $p{w}_{i}$ by extracting the values stored in the smart card $S{C}_{i}$. $\mathcal{A}$ could guess correctly if he/she could set up the verification equations and compute a valid ${B}_{i}$ from guessed passwords. However, to set up those equations, $\mathcal{A}$ is required to know the biometric information of the user, which cannot be forged. Therefore, it is infeasible to correctly guess the user’s password in our scheme.
- Smart card loss attack: $\mathcal{A}$ can extract the values in the smart card by means of power analysis and other techniques. Suppose $\mathcal{A}$ obtains the user’s smart card and extracts the stored parameters $\{h(\cdot),{A}_{i},{B}_{i},{C}_{i},TI{D}_{i}\}$. From these values, $\mathcal{A}$ cannot obtain any useful information because the parameters are safeguarded with a one-way hash function, and $TI{D}_{i}$ is just a nonce. Furthermore, $\mathcal{A}$ may attempt to log in by generating a login request message. However, $\mathcal{A}$ cannot even pass the login phase and generate a valid login request message without the proper $I{D}_{i}$, $p{w}_{i}$ and ${B}_{i}$. Therefore, the proposed scheme withstands smart card loss attacks.
- User impersonation attack: $\mathcal{A}$, who somehow possesses a valid smart card $S{C}_{i}$ of ${U}_{i}$ and wants to access ${S}_{j}$, is required to generate and send a valid login request message $\{DI{D}_{i},{X}_{i},{M}_{{U}_{i},G},{T}_{i},TI{D}_{i}\}$ to $GWN$. $\mathcal{A}$ must know $HP{W}_{i}$ and ${X}_{{S}_{i}}$ to compute these values. However, in our scheme, $I{D}_{i},p{w}_{i}$ and ${R}_{i}$ are not revealed. Thus, $\mathcal{A}$ cannot compute the temporal key ${k}_{i}$ and generate a valid login request message. Therefore, our scheme is secure against the user impersonation attack.
- Man-in-the-middle attack and replay attack: $\mathcal{A}$, who knows the public channel information and has the smart card $S{C}_{i}$ of ${U}_{i}$, may attempt to establish a secure channel with ${S}_{j}$. However, $\mathcal{A}$ cannot authenticate with $GWN$ because $\mathcal{A}$ cannot generate a valid login request message, as mentioned above. In addition, the messages captured on a public channel are refreshed in every session, so $\mathcal{A}$ cannot reuse them. Therefore, our scheme withstands man-in-the-middle and replay attacks.
- Stolen verifier attack: $\mathcal{A}$, who obtains the verifier table of $GWN$, may attempt to attack users to gain some advantage. However, $\mathcal{A}$ still cannot compute $HP{W}_{i}$, ${X}_{{S}_{i}}$ and ${k}_{i}$ and will fail to pass the login phase. Of course, $\mathcal{A}$ will fail to compute a login request message without $p{w}_{i}$ and ${R}_{i}$. Therefore, even if $\mathcal{A}$ has the verifier table, our protocol withstands stolen verifier attacks.
- Known-key attack: A session key $SK$ is computed as $h(DI{D}_{i}||{k}_{j}||abP)$, and $DI{D}_{i}$, ${k}_{j}$ and $abP$ are independent in each session. Even if $\mathcal{A}$ somehow possesses each of these values for one session and attempts to generate other session keys, he/she cannot successfully derive valid session keys. Therefore, our proposed scheme withstands known-key attacks.

#### 6.3. Performance Comparisons

## 7. Conclusions

## Acknowledgments

## Author Contributions

## Conflicts of Interest

## References

1. Akyildiz, I.F.; Su, W.; Sankarasubramaniam, Y.; Cayirci, E. A survey on sensor networks. IEEE Commun. Mag. 2002, 40, 102–114.
2. Yick, J.; Mukherjee, B.; Ghosal, D. Wireless sensor network survey. Comput. Netw. 2008, 52, 2292–2330.
3. Gubbi, J.; Buyya, R.; Marusic, S.; Palaniswami, M. Internet of Things (IoT): A vision, architectural elements, and future directions. Future Gener. Comput. Syst. 2013, 29, 1645–1660.
4. Pathan, A.S.K.; Lee, H.W.; Hong, C.S. Security in wireless sensor networks: Issues and challenges. In Proceedings of the 8th International Conference on Advanced Communication Technology (ICACT), Phoenix Park, Korea, 20–22 February 2006; pp. 1043–1048.
5. Perrig, A.; Stankovic, J.; Wagner, D. Security in wireless sensor networks. Commun. ACM 2004, 47, 53–57.
6. Al Ameen, M.; Liu, J.; Kwak, K. Security and privacy issues in wireless sensor networks for healthcare applications. J. Med. Syst. 2012, 36, 93–101.
7. Wong, K.H.; Zheng, Y.; Cao, J.; Wang, S. A dynamic user authentication scheme for wireless sensor networks. In Proceedings of the IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing, Taichung, Taiwan, 5–7 June 2006; pp. 1–8.
8. Das, M.L. Two-factor user authentication scheme in wireless sensor networks. IEEE Trans. Wirel. Commun. 2009, 8, 1086–1090.
9. He, D.; Gao, Y.; Chan, S.; Chen, C.; Bu, J. An enhanced two-factor user authentication scheme in wireless sensor networks. Ad Hoc Sens. Wirel. Netw. 2010, 10, 361–371.
10. Khan, M.K.; Alghathbar, K. Cryptanalysis and security improvements of two-factor user authentication in wireless sensor networks. Sensors 2010, 10, 2450–2459.
11. Chen, T.H.; Shih, W.K. A robust mutual authentication protocol for wireless sensor networks. ETRI J. 2010, 32, 704–712.
12. Vaidya, B.; Makrakis, D.; Mouftah, H. Two-factor mutual authentication with key agreement in wireless sensor networks. Secur. Commun. Netw. 2016, 9, 171–183.
13. Kim, J.; Lee, D.; Jeon, W.; Lee, Y.; Won, D. Security analysis and improvements of two-factor mutual authentication with key agreement in wireless sensor networks. Sensors 2014, 14, 6443–6462.
14. Chang, I.P.; Lee, T.F.; Lin, T.H.; Liu, C.M. Enhanced two-factor authentication and key agreement using dynamic identities in wireless sensor networks. Sensors 2015, 15, 29841–29854.
15. Yoon, E.J.; Yoo, K.Y. A biometric-based authenticated key agreement scheme using ECC for wireless sensor networks. In Proceedings of the 29th Annual ACM Symposium on Applied Computing, Gyeongju, Korea, 24–28 March 2014; pp. 699–705.
16. Das, A.K. A secure and efficient user anonymity-preserving three-factor authentication protocol for large-scale distributed wireless sensor networks. Wirel. Pers. Commun. 2015, 82, 1377–1404.
17. Das, A.K. A secure and effective biometric-based user authentication scheme for wireless sensor networks using smart card and fuzzy extractor. Int. J. Commun. Syst. 2015, 2015, 1–25.
18. Choi, Y.; Lee, Y.; Won, D. Security improvement on biometric based authentication scheme for wireless sensor networks using fuzzy extraction. Int. J. Distrib. Sens. Netw. 2016, 8572410, 1–16.
19. Park, Y.; Lee, S.; Kim, C.; Park, Y. Secure biometric-based authentication scheme with smart card revocation/reissue for wireless sensor networks. Int. J. Distrib. Sens. Netw. 2016, 12, 1–11.
20. Li, C.T.; Hwang, M.S. An efficient biometric-based remote authentication scheme using smart cards. J. Netw. Comput. Appl. 2010, 33, 1–5.
21. Burrows, M.; Abadi, M.; Needham, R.M. A logic of authentication. Proc. R. Soc. Lond. A Math. Phys. Eng. Sci. 1989, 426, 233–271.
22. Lu, R.; Cao, Z.; Chai, Z.; Liang, X. A simple user authentication scheme for grid computing. Int. J. Netw. Secur. 2008, 7, 202–206.
23. Dodis, Y.; Reyzin, L.; Smith, A. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT), Interlaken, Switzerland, 2–6 May 2004; pp. 523–540.
24. Tan, Z. A user anonymity preserving three-factor authentication scheme for telecare medicine information systems. J. Med. Syst. 2014, 38, 1–9.
25. Jung, J.; Kim, J.; Choi, Y.; Won, D. An anonymous user authentication and key agreement scheme based on a symmetric cryptosystem in wireless sensor networks. Sensors 2016, 16, 1299.
26. Yeh, H.L.; Chen, T.H.; Liu, P.C.; Kim, T.H.; Wei, H.W. A secured authentication protocol for wireless sensor networks using elliptic curves cryptography. Sensors 2011, 11, 4767–4779.
27. Kocher, P.; Jaffe, J.; Jun, B. Differential power analysis. In Proceedings of Advances in Cryptology, CRYPTO ’99, Santa Barbara, CA, USA, 15–19 August 1999; Volume 1666, pp. 388–397.
28. Amin, R.; Biswas, G.P. A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks. Ad Hoc Netw. 2016, 36, 58–80.
29. He, D.; Kumar, N.; Chilamkurti, N. A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Inf. Sci. 2015, 321, 263–277.
30. Jiang, Q.; Kumar, N.; Ma, J.; Shen, J.; He, D.; Chilamkurti, N. A privacy-aware two-factor authentication protocol based on elliptic curve cryptography for wireless sensor networks. Int. J. Netw. Manag. 2016.
31. Lu, Y.; Li, L.; Yang, X.; Yang, Y. Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards. PLoS ONE 2015, 10, e0126323.
32. Liu, J.; Li, Q.; Yan, R.; Sun, R. Efficient authenticated key exchange protocols for wireless body area networks. EURASIP J. Wirel. Commun. Netw. 2015, 2015, 1–11.

Notation | Meaning |
---|---|
$p,q$ | two large primes |
${U}_{i}$ | user $i$ |
${S}_{j}$ | sensor node $j$ |
$GWN$ | gateway node |
$S{C}_{i}$ | smart card of the user ${U}_{i}$ |
$I{D}_{i}/p{w}_{i}$ | identity/password of ${U}_{i}$ |
$BI{O}_{i}$ | biometric template of ${U}_{i}$ |
$TI{D}_{i}$ | temporal identity of ${U}_{i}$ |
$SI{D}_{j}$ | identity of ${S}_{j}$ |
$I{D}_{S}$ | identity of $S{C}_{i}$ |
$\mathcal{A}$ | adversary |
$K$ | a master secret of $GWN$ |
${\mathbb{G}}_{1}$ | cyclic group of order $q$ |
$P$ | generator of ${\mathbb{G}}_{1}$ |
${T}_{i},{T}_{j},{T}_{G}$ | timestamps |
$\oplus$ | XOR operation |
$\|$ | concatenation operation |
$h(\cdot)$ | a secure one-way hash function |

Notation | Meaning |
---|---|
$P\mid \equiv X$ | $P$ believes $X$ |
$P \triangleleft X$ | $P$ sees $X$ |
$P\mid \sim X$ | $P$ once said $X$ |
$P\Rightarrow X$ | $P$ has jurisdiction over $X$ |
$\#(X)$ | $X$ is fresh |
$P\stackrel{K}{\leftrightarrow}Q$ | $P$ and $Q$ may use the shared key $K$ |
$SK$ | the session key shared between two principals |
${\langle X\rangle}_{Y}$ | $X$ combined with the formula $Y$ |
${(X)}_{K}$ | $X$ hashed under the key $K$ |
${\{X\}}_{K}$ | $X$ encrypted under the key $K$ |

Security Feature | Kim et al.’s Scheme [13] | Chang et al.’s Scheme [14] | Yoon and Yoo’s Scheme [15] | Choi et al.’s Scheme [18] | Proposed Scheme |
---|---|---|---|---|---|
Provides user anonymity | × | ∘ | × | × | ∘ |
Provides user untraceability | × | Δ | × | × | ∘ |
Provides forward secrecy | × | × | ∘ | ∘ | ∘ |
Provides secure password update | ∘ | × | − | − | ∘ |
Provides mutual authentication | ∘ | ∘ | ∘ | ∘ | ∘ |
Resists off-line password guessing attack | × | × | − | − | ∘ |
Resists user impersonation attack | × | Δ | ∘ | × | ∘ |
Resists lost smart card attack | × | Δ | ∘ | ∘ | ∘ |
Resists stolen verifier attack | × | Δ | − | − | ∘ |
Resists man-in-the-middle attack | × | Δ | ∘ | ∘ | ∘ |
Resists replay attack | ∘ | ∘ | ∘ | ∘ | ∘ |
Resists biometric recognition error | − | − | × | ∘ | ∘ |
Usage of biometrics | × | × | ∘ | ∘ | ∘ |
Usage of ECC | × | × | ∘ | ∘ | ∘ |

Scheme | Entity | Registration Cost | Login & Authentication Cost | Total Computation Cost |
---|---|---|---|---|
Kim et al.’s [13] | User | $2{T}_{h}+{T}_{x}$ | $9{T}_{h}+9{T}_{x}$ | $11{T}_{h}+10{T}_{x}$ |
Kim et al.’s [13] | $GWN$ | $6{T}_{h}+3{T}_{x}$ | $8{T}_{h}+8{T}_{x}$ | $14{T}_{h}+11{T}_{x}$ |
Kim et al.’s [13] | Sensor | 0 | $2{T}_{h}+2{T}_{x}$ | $2{T}_{h}+2{T}_{x}$ |
Chang et al.’s [14] | User | $2{T}_{h}+{T}_{x}$ | $9{T}_{h}+5{T}_{x}$ | $11{T}_{h}+6{T}_{x}$ |
Chang et al.’s [14] | $GWN$ | $5{T}_{h}+3{T}_{x}$ | $10{T}_{h}+4{T}_{x}$ | $15{T}_{h}+7{T}_{x}$ |
Chang et al.’s [14] | Sensor | 0 | $4{T}_{h}+{T}_{x}$ | $4{T}_{h}+{T}_{x}$ |
Yoon and Yoo’s [15] | User | ${T}_{h}$ | $3{T}_{h}+2{T}_{x}+2{T}_{E}$ | $4{T}_{h}+2{T}_{x}+2{T}_{E}$ |
Yoon and Yoo’s [15] | $GWN$ | $2{T}_{h}+2{T}_{x}$ | $4{T}_{h}$ | $6{T}_{h}+2{T}_{x}$ |
Yoon and Yoo’s [15] | Sensor | 0 | $3{T}_{h}+2{T}_{E}$ | $3{T}_{h}+2{T}_{E}$ |
Choi et al.’s [18] | User | ${T}_{h}+{T}_{F}$ | $10{T}_{h}+2{T}_{x}+{T}_{F}+{T}_{enc}+2{T}_{E}$ | $11{T}_{h}+2{T}_{x}+2{T}_{F}+{T}_{enc}+2{T}_{E}$ |
Choi et al.’s [18] | $GWN$ | $3{T}_{h}+3{T}_{x}$ | $10{T}_{h}+{T}_{x}+2{T}_{enc}$ | $13{T}_{h}+4{T}_{x}+2{T}_{enc}$ |
Choi et al.’s [18] | Sensor | 0 | $6{T}_{h}+{T}_{enc}+2{T}_{E}$ | $6{T}_{h}+{T}_{enc}+2{T}_{E}$ |
Proposed | User | ${T}_{h}+{T}_{F}$ | $9{T}_{h}+4{T}_{x}+{T}_{F}+2{T}_{E}$ | $10{T}_{h}+4{T}_{x}+2{T}_{F}+2{T}_{E}$ |
Proposed | $GWN$ | $5{T}_{h}+3{T}_{x}$ | $11{T}_{h}+4{T}_{x}$ | $16{T}_{h}+7{T}_{x}$ |
Proposed | Sensor | 0 | $4{T}_{h}+{T}_{x}+2{T}_{E}$ | $4{T}_{h}+{T}_{x}+2{T}_{E}$ |

© 2016 by the authors; licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC-BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Park, Y.; Park, Y. Three-Factor User Authentication and Key Agreement Using Elliptic Curve Cryptosystem in Wireless Sensor Networks. *Sensors* **2016**, *16*, 2123.
https://doi.org/10.3390/s16122123
