An Energy Efficient Mutual Authentication and Key Agreement Scheme Preserving Anonymity for Wireless Sensor Networks

WSNs (Wireless sensor networks) are nowadays viewed as a vital portion of the IoTs (Internet of Things). Security is a significant issue in WSNs, especially in resource-constrained environments. AKA (Authentication and key agreement) enhances the security of WSNs against adversaries attempting to get sensitive sensor data. Various AKA schemes have been developed for verifying the legitimate users of a WSN. Firstly, we scrutinize Amin-Biswas’s currently scheme and demonstrate the major security loopholes in their works. Next, we propose a lightweight AKA scheme, using symmetric key cryptography based on smart card, which is resilient against all well known security attacks. Furthermore, we prove the scheme accomplishes mutual handshake and session key agreement property securely between the participates involved under BAN (Burrows, Abadi and Needham) logic. Moreover, formal security analysis and simulations are also conducted using AVISPA(Automated Validation of Internet Security Protocols and Applications) to show that our scheme is secure against active and passive attacks. Additionally, performance analysis shows that our proposed scheme is secure and efficient to apply for resource-constrained WSNs.


Introduction
With the advancement of short range radio communication coupled with advances in miniaturization of computing devices, WSNs (Wireless sensor networks) have drawn continuing attention from both academia and industrial areas due to its deployment scalability, power consumption constraint and wide applications. Within the infrastructure of WSNs, privacy and security are the two major challenges since nodes are generally deployed in hostile environments thus making the nodes vulnerable to attacks. From this context, secure information exchange over an untrusted network is a widely discussed issue in WSNs. In order to allow remote authorized users to access reliable sensor nodes which have been verified as legitimate ones, mutual AKA (Authentication and key agreement) between communicating entities is required in the scheme design. An AKA scheme for WSNs is composed of three classes of entity: users, sensor nodes and a gateway node (GWN), and has registration, login, authentication and key agreement, and password change phases. To date, research in an efficient and robust user authentication and session key agreement mechanism has gained a great deal of attention. A number of AKA schemes are developed in an attempt to enhance the security of the WSNs in the literature [1][2][3]. Among different kinds of cryptographic primitives (RSA [4], ECC [5,6] Elgamal [7] etc.) utilized in AKA for WSNs, lower computational cost scheme is even more admired owing to stringent constraints on limited computation capability, energy resources, storage and bandwidth of sensor nodes.
Wong et al. [8] released a hash function based AKA scheme for WSN, which sharply decreases computational load and makes the scheme adapt into a WSN environment. Nevertheless, as the scheme remains the lookup table of the registered user's private data in the GWN side, it was demonstrated to be defenseless to stolen-verifier attack [9]. Later on, Das [9] developed a better scheme in order to mitigate the security flaws over Wong et al. The scheme concentrates on temporal credential and timestamp under defense mechanism aiming at preventing DoS attack efficiently while maintaining lightweight style. Unfortunately, the scheme was analyzed by many researchers and the results illustrated that it had still some drawbacks and flaws [10][11][12][13][14], such as incapability of achieving mutual authentication, notwithstanding node compromise attack, failing to provide the user password update securely. With the hope of amending aforementioned security weaknesses, several authors developed modifications on Das's scheme but at the cost of increasing computational complexity [10,11,14]. Motivated by the thought of achieving better security and efficiency, Das et al.'s [15] built an efficient password based user AKA using only the hash function which encompasses the power of smart cards. They justified that compromise of a cluster head is free from node capture attacks. Their scheme allows only updating the password of the user locally without the help of the base station. Further, they evaluated their scheme in support of using no high computation except from the nominal task of assigning identity bits commitments and justified low memory requirement due to small size of identity bits commitment. Nevertheless, Turkanović [16], Wang-Wang [17] and Li [18] came across some additional problems in Das's scheme, like non resistance to insider, stolen-verifier and node capture attacks. After that, Xue et al. [19] proposed a temporal-credential-based lightweight and resource user AKA scheme for WSNs using hash and XOR computations. In their scheme, the gateway node issues a temporal credential to each user and sensor node with the help of password-based authentication. Unfortunately, He et al. [20] was later remarked that the scheme of Xue et al. is imperfection and not applicable for practical implementation, due to some design defects and susceptibility to some attacks. Most recently, Turkanović et al. [21] proposed a lightweight user authentication scheme for WSN based only on hash and Xor computations that tend to save both computation and communication resources. Such cryptographic techniques scheme launched with a claim of achieving the basic security attributes as well as thwarting many attacks along with better complexities. The AKA scheme drew considerable attention but was subsequently on determined insecure and susceptible. The authors of [22][23][24] studied the vulnerability of the scheme [21] that incurs several security drawbacks and not applicable for practical implementation in the presence of an attacker who can mount a smart card theft attack. Motivated by the thought of preventing the security threats of scheme [21], Amin-Biswas [24] developed a modified version of the hash and Xor operations in order to appropriate for resource constrained environments. The authors addressed both security and efficiency, claimed that their designs possess many attractive features in which the system contains multiple gateway nodes. However, problems related to the leakage of the session short-term secrets accidentally are the fatal pitfalls of such scheme. Our contribution is motivated by the above facts.

Review of Amin-Biswas's Scheme
This section briefly reviews Amin-Biswas's scheme, which consists of system setup phase, user and sensor node registration phases, login phase, authentication phase (Figure 1), password update phase and dynamic node addition phase. Moreover, their scheme is composed of three entities: user, gateway node, and sensor node. For convenience of description, Table 1 shows the notations used in Amin-Biswas's scheme. One-way hash function ⊕ Xor operation

System Setup
The system administrator deploys each SN j which stores {ID SN j , P j , S ran } into its memory, where P j = h(ID SN j , S ran ), S ran is a random number and is known to all the GWNs and maintains it securely.

Sensor Node Registration
Step 1: SN j sends {ID SN j , PS j } to the nearby GWN, where PS j = P j ⊕ S ran .
Step 2: The GWN stores {ID SN j , P j }, where P j = PS j ⊕ S ran . After that, the GWN sends a confirmation message to each sensor node.
Step 3: Upon receiving the confirmation message from the GWN, each SN j destroys S ran from the memory.

User Registration
Step 1: The new user U i computes DID i = h(ID i , r), PWR i = h(PW i , r) and sends {DID i , PWR i } to the HGW N via private channel, where r is a nonce, ID i is the identity and PW i is the password of U i .
Step 2: The HGW N computes where TID i is a random identity and X k is the HGW N's long term secret key.
Step 3: The HGW N issues a smart card which contains {Reg i , A i , ID GW N h , TID i , h()} and sends it to U i . Further, the HGW N stores {TID i , DID i } in its memory.
Step 4: When receiving the smart card, U i stores {r} in the smart card.

Login and Authentication
Step 1: U i inserts the smart card and inputs identity ID i and password PW i to the card reader. After that, the card reader computes DID i = h(ID i , r), PWR i = h(PW i , r) and checks whether Step 2: If it matches, the card reader computes Step 3: When receiving the message M 1 , the HGW N first checks whether the received timestamp T 1 is within the valid time period, the HGW N computes the HGW N extracts DID i from the database using TID i . Next, the HGW N checks whether the the sensor node SN j via public channel.
Step 4: After receiving the message M 2 , SN j checks whether |T 3 − T 2 | ≤ ∆T. If it holds, SN j computes r k = f i ⊕ P j , r i = y k ⊕ h(r k ), DID i = G i ⊕ h(ID SN j , r k ) and checks whether h(ID SN j , DID i , P j , r k , T 2 ) ? = E i . If it matches, SN j computes H j = h(E i , DID i , r j , T 3 ), K j = r k ⊕ r j and sends M 3 = {H j , K j , T 3 } to the HGW N via public channel.
Step 5: Upon receiving the message M 3 , the HGW N first checks the timestamp validity, i.e., |T 4 − T 3 | ≤ T, where T 4 is the current timestamp. The HGW N computes r j = K j ⊕ r k , Step 6: After receiving the message M 4 , U i checks whether the received timestamp is within the valid time intervals. If it holds, If it is true, U i confirms the authenticity of SN j and computes SK = h(DID i , r i , r j , r k ) between the entities involved in the system.

Dynamic Node Addition
According to the system setup phase, the system administrator deploys the new sensor node over the target region and the deployed sensor node executes sensor node registration phase to the nearby GWN.

Password Update
Step 1: A user keys his password PW i , the card reader computes

Security Analysis of Amin-Biswas's Scheme
Although Amin-Biswas claimed that their scheme achieves several security requirements including mutual authentication, user anonymity and resilience against some attacks. Unfortunately, we found that there was still something security vulnerability in Amin-Biswas's scheme.

Known Session-Specific Temporary Information Attack
Cheng et al. [25] has demonstrated that the exposure of session temporary information accidentally should not compromise the secrecy of generated session key. However, we will demonstrate that Amin-Biswas's scheme contraries to this security property which is necessary for a good or an ideal authentication scheme [26]. Without loss of generality, we assume that a temporary information r i is compromised by an adversary unintentionally, which may allow the adversary to frame the session key effortlessly and even more acquire the legitimate user's sensitive data by means of monitoring the transmitted data in the communication. To illustrate the process concretely, you can look at an attack in the next few steps ( Figure 2). Figure 2. Known session-specific temporary information attack on Amin-Biswas's schem.

a. Input
Step 1: The adversary could extract the session ephemeral secrets r k and r j from the results of Q i ⊕ K j ⊕ r i and Q i ⊕ r i , where Q i , K j are the known parameters stemmed from the transferred message Step 2: Based on the derived the session immediate secret r k , the adversary has ability to retrieve another important parameter DID i by computing G i ⊕ h(ID SN j , r k ), where G i is also obtained through the transmitted messages M 1 : Step 3: The adversary could compute the session key SK = h(DID i , r i , r j , r k ) with all those derived data. Not only that, the adversary could easily guess the user's identity ID i by attempting to check until making the equation true, where ID * i is a candidate identity and r is extracted with a stolen smart card. The adversary is further capable of retrieving the user's password PW i on the strength of the extracted secrets {Reg i } by checking Reg i ) from the legal user's smart card. The aforementioned cryptanalysis is based on the concrete fact that identity and passwords are low-entropy keys [27,28]. As a result, the adversary succeeds to get the user's identity ID i and the user's password PW i .
Step 4: The above analysis reveals that, all those information leaks allow the adversary to impersonate as a legitimate user to login the GWN and access the real-time information from sensor nodes. In other words, our analysis demonstrates that their scheme can be free from known session-specific temporary information attack, thereby Amin-Biswas's scheme is completely insecure.

Proposed Improved Scheme
This section will describe our proposed anonymity-preserving AKA scheme in detail. The proposed AKA scheme conceals the user's real identity in the encryption algorithm along with the hash of random identity and secret key as the symmetric key. The messages, which are transmitted in public channel, are the results of the hash or the encryption, thus avoiding the risk by intercepting the communication channel to acquire the plaintext directly. In order to conquer the known session-specific temporary information attack, each communicate entity only knows the xor results of the others' generated random numbers in computing the session key. The proposed AKA scheme inherits Amin-Biswas's scheme aiming at cope with the loopholes of the aforementioned security drawbacks of their scheme. Based on the previous analysis, the functionality of the proposed scheme has been greatly improved with a slight higher computation cost due to the symmetric cryptographic algorithm. Our proposed AKA scheme has five phases: User registration; Sensor node registration; Login; Authentication and key agreement ( Figure 3); Password change. We will introduce them as follows.

User Registration
Step 1: A new user U i chooses his identity ID i and password PW i , then he sends his registration request message {ID i , h(PW i , r)} to the gateway node GWN, where r is a random number.
Step 2: Upon receipt of the message, GWN computes r)). Next, GWN issues a smart card for each user after storing {A i , B i , C i } into the memory of smart card and thus sends back it to U i . At last, GWN stores {TID i } in its memory.
Step 3: After receiving the smart card, U i adds r to the smart card.

Sensor Node Registration
Step 1: The sensor node SN j transmits its identity ID SN j to GWN.
Step 2: GWN computes A j = h(ID SN j ⊕ S ran ) and returns it to SN j after storing {ID SN j , A j } into its memory.
Step 3: When receiving the message from GW N, SN j also keeps them securely.

Login
When a registered user U i desires the WSNs services, he needs to be prepare his personal information along with the smart card. The following procedure are required to be done by U i : Step 1: U i enters his identity ID i and password PW i into the smart card after inserting the smart card into the mobile device. The smart card computes h(h(ID i ), h(PW i , r)) and checks whether it is equal to A i . If it holds, U i is considered as a legal user.
Step 2: The card reader derives h(TID i , X k ) and h(ID i , X k ) by computing B i ⊕ h(PW i , r) and r)), respectively. Based on the two values, the card reader computes D i by encrypting the information {ID i , T 1 , TID i , r i } with the derived h(TID i , X k ) and computes E i by putting the information {h(ID i , X k ), r i , T 1 } into the hash function, where T 1 is the current timestamp at user side and r i is a random number. Next, the card reader sends a login message {D i , E i } to GWN.
Step 3: Upon receiving the login message, GWN decrypts D i by the symmetric key h(TID i , X k ) to retrieve {ID i , T 1 , r i }. Next, GWN checks whether |T 2 − T 1 | ≤ ∆T, where T 2 is the current timestamp at GWN side. If it is valid, GWN verifies h(h(ID i , X k ), r i , T 1 ) ? = E i . The validation of E i ensures U i is a legitimate user. Subsequently, GW N picks a random number r k and computes Step 4: When receiving the message from GW N, SN j decrypts F i using the symmetric key h(ID SN j ⊕ S ran ) to derive {r k ⊕ r i , TID i , T 1 , T 2 }. And then, SN j checks the timestamp T 2 is within a permissible temporal interval. Next, SN j computes h(ID SN j , TID i , ID GW N , h(ID SN j ⊕ S ran ), T 2 , r k ⊕ r i ) and checks whether it matches with the received G i . It it holds, SN j computes Step 5: After receiving the message from SN j , GW N also needs to decrypt the received H i to derive {r j , T 3 , r k ⊕ r i }. Upon retrieving T 3 , GW N verifies whether T 3 is a valid timestamp. If it is valid, GW N computes SK = h(r k ⊕ r i ⊕ r j , T 1 , T 2 , T 3 ) and checks whether h(ID SN j , TID i , T 3 , SK) Step 6: Once receiving the message from GW N, U i derives {r j ⊕ r k , ID SN j , ID GW N , T 2 , T 3 , T 4 } by decrypting J i using the symmetric key h(ID i , X k ). U i then checks whether T 4 is fresh. The freshness of T 4 is verified, U i proceeds to compute the session key SK = h(r k ⊕ r i ⊕ r j , T 1 , T 2 , T 3 ) and examine whether h(SK, T 4 , h(TID i , X k )) is equivalent to the received K i . If the equation is true, the handshake among three-party is successful, and they negotiate the session key SK with each other. The establishment of the session key is considered to be encrypted the following packs in their communication channel.

Password Change
When a user attempts to update his password into a new one, he needs to execute the following steps: Step 1: The user initially inserts the smart card into the card reader and inputs his identity ID i and old password PW i . Next, the card reader computes h(h(ID i ), h(PW i , r)) and checks whether it is equal to A i . If it holds, the user is considered as a legal one. And thus, the card reader asks the user to key a new password.
Step 2: After keying the new password, the card reader computes  Figure 3. Mutual authentication and key agreement of our scheme.

Security Analysis of Our Scheme
In this section, the strength of the proposed AKA scheme by considering the informal and formal analysis has been analyzed. To be specific, our scheme keeps to the system requirements and successfully withstands diverse attacks to enhance the security level. Next, using BAN logic [29] to demonstrate the validity of our AKA scheme. Then, the formal security analysis of our scheme is presented. Besides, the widely-accepted AVISPA tool [28,29] is used to simulated for the security experimental verification of our AKA scheme.

Informal Security Analysis
This section addresses a detailed security evaluation to indicate that the proposed scheme is secure against various known security attacks. Suppose that an adversary A can eavesdrop, intercept, modify, delete or replay the transmission over a public channel.

Session Key Agreement
The session key is established among the user U i , the sensor node SN j and the gate-way node GW N. Note that U i and SN j has no way to know other participates' random numbers excepts themselves. The established session key is to encrypt the real-time data to ensure the transmission are confidential through an unreliable channel. Therefore, the session key is different in each session due to it is generated by various random numbers, and it is challenging for A to extract the current session key from the eavesdropped messages because of the one-way property of the hash function.

Mutual Authentication
The gate-way node GW N first checks whether the received timestamp T 1 is valid as compare to the decrypted one from D i when receiving the message {D i , E i , T 1 }. Next, GW N verifies If both the condition are true, the validity of the user U i is authenticated by GW N. Similarly, U i checks the validness of the received timestamp with the derived one from J i after receiving the message {J i , K i , T 4 }. He then checks whether h(SK, T 4 , T 1 , T 2 ) ? = K i . If both the equation hold, the validity of GW N is confirmed by U i and thus the sensor node SN j is also verified due to only the valid SN j would forward the correct random number r j and thus compute the correct session key. Correspondingly, mutual authentication between SN j and GW N are performed by checking G i and I i .
With the same verification mode as GW N and U i , double authentication is utilized, i.e., to verify the freshness of the received timestamp with the retrieved one, to put the retrieved one to substitute in the awaiting verification value and thus checking the hashed value. In this way, A has no ability to modify the hashed value and only modify the timestamp, thus impersonating as any participates. Therefore, mutual authentication among the entities are provided in the proposed scheme.

Resistance to Insider Attack
It is probable that the users use the same identity and password across multiple networks. In our case, the GWN plays the role of a trusted third party, but some curious administrator can have access to the database which stores the user's personal information in order to gain something important. However, during the registration phase, the user U i transmitted masked password h(PW i , r) instead of plaintext password. In this way, the insider of system has no ability to derive the privacy of the user because of non-invertible property of one-way hash function. Therefore, the proposed AKA scheme is resilient against the privileged insider attack.

User Anonymity
We adopt two strategies to protect the user's identity from disclosing. One is the masked identity h(ID i , X k ) with the secret key X k of GW N. Note that the key is essentially a random number generated by GW N and thus it is computationally infeasible for A to extract the user's identity in plaintext. Another is directly the use of dynamic identity selected by GW N, which is hashed in the open channel. In essence, the random identity is no relation with the real one. Consequently, compromise of released one influences nothing on the actual identity of U i . Therefore, the proposed scheme mechanism is a dynamic identification process and we will verify the point later in simulation.

Resistance to Known Session-Specific Temporary Information Attack
Known session-specific temporary information security means if A gets the ephemeral information, such as the random values, r a (a = i, k, j) and X k , he still cannot acquire information of the session key. Since A has no way to compute the symmetrical key h(ID i , X k ) without knowing the identity of ID i and thus decrypting the packs transmitted in communication channel. More seriously, U i and SN j only receive the results of xor for the random numbers picked by the rest of participates. As such, attempting to intercept any hashed values in the public communication channel but are unhelpful to compute the session key. Therefore, it is not possible for any attacker to compute the session key on leakage or compromise of session specific temporary information.

Resistance to Denial-of-Service Attack
This attack is to secure against since our proposed scheme works on the principle of request-response communication. Additionally, the sensor node SN j will check the received packs and chooses refuse or pass the session from the sender. On the other hand, if A does the malicious flooding of the authentication requests to SN j , GW N first knows about malicious dropping of such control messages as a referee. And A needs to know the symmetric key between the legal user and the legitimate sensor node unless he can solve the one-way hash functions. Furthermore, we have introduced timestamps into the scheme, which mitigate any consequential request. As such, we say that our scheme has also the ability to withstand the denial-of-service attack.

Resistance to Sensor Node Impersonation Attack
Suppose A gets all transmitted information such as {E i , F i , G i } and {H i , I i } and plans to impersonate as a legitimate sensor node. However, it has no feasible way to decrypt the cryptographic packs like F i without knowing the symmetry key with the GW N, thus failing to compute the correct session key and thus excluding by GW N. Therefore, A can not impersonate as a valid sensor node.

Resistance to Off-Line Password Guessing with Smart Card Breach Attack
The system is secure even if the stored information {A i , B i , C i , r, h()} and the login message {D i , E i } are revealed. Since the user's identity and password are hashed by GW N's long-term private X k . The adversary A has no information about these private keys. Therefore, the proposed scheme is secure against off-line password guessing attack.

Authentication Proof Based on the BAN Logic
The BAN logic, which is the first suggestion to formalize the description and analysis of authentication schemes, is used to analyze existing schemes to bring out their flaws. We analyze the proposed scheme by establishing some required goals, making some assumptions about the initial state of the scheme and transforming the proposed AKA scheme to the idealized form. Some descriptions about its notations and formulas are shown as follows.
Notations & Formulas ·: PX: P has received message X ·: P| ≡ X: P believes X ·: P| ∼ X: P once said X ·: P ⇒ X: P has jurisdiction over X ·: P K → Q: P and Q shared key K ·: #(X): X is fresh ·: < X > K : the formula X encrypted under the formula K ·: (X, Y): X or Y is one part of (X, Y)

GW N Derivation process
According to D i , we get:

GW N
According to D 1 , A 2 and message rule, we derive: According to A 6 , D 2 and freshness distribution rule, we gain: D 3 . GW N| ≡ #(ID i , T 1 , TID i , r i ) According to D 2 -D 3 and nonce-verification rule, we achieve: D 4 . GW N| ≡ U i | ≡ (ID i , T 1 , TID i , r i ) According to D 4 and belief rule, we acquire: According to D 5 , A 7 and jurisdiction rule, we attain: Let Ω be secure. Under the assumption that the one-way hash function h(·) closely behaves as an oracle, the proposed scheme is provably secure against an adversary for protecting user anonymity and session key.
We consider the following two random oracles to construct an adversary A: Reveal 1: This oracle will unconditionally output the value x from the given hashed result y = h(x). Reveal 2: This oracle will unconditionally output the plaintext x from the given ciphertext C = Enc k (x).
Proof of Theorem 1. We assume that A has the ability to derive the identity ID i of the user U i and the session key SK among U i , the gateway node GW N and the sensor node SN j . Then he needs to execute the following experimental algorithm, say EXP1 Ω A (Algorithm 1), EXP2 Hash where t i denotes the maximum time interval, q i denotes the number of queries to the Reveali(i = 1, 2) oracle. However, according to Ω assumption and the one-way property of hash function, both they are hard problems within polynomial time, i.e., Adv1 Ω A (t 1 , q 1 ) ≤ , Adv2 Hash A (t 2 , q 2 ) ≤ , for any sufficiently small > 0. As a result, there is no way for the adversary A to retrieve the user identity ID i and the session key SK.  6: Accept SK as the session key among U i , GW N and SN j 7: return 1 8: else 9: return 0 10: end if

Simulation Results Using AVISPA Tool
AVISPA is one of the publicly accepted Internet schemes verification techniques among many developed semi-automated formal security analysis tools and several schemes [30,31] have been analyzed using it. It is a push-button tool for error detection based on the Dolev and Yao model [32] and provides a modular role-based expressive formal language called the HLPSL (High level protocol specification language) for targeting the design of the schemes. The HLPSL presentation of the protocol is translated into the lower level description language called IF (Intermediate Format) by the translator called HLPSL2IF, which is the entrance of architecture of AVISPA. IF presentation of the scheme is used as the start point to the four various back-ends: OFMC (On the-fly Model-Checker), CL-AtSe (CL-based Attack Searcher), SATMC (SAT-based Model-Checker) and TA4SP (Tree-Automata based Protocol Analyzer). These back-ends are utilized to analyze different security properties such as secrecy of the shared session key, authentication, the privacy of user and robustness against replay attacks. The OF (output format) is generated by using one of the four back-ends which measures whether the security scheme is SAFE or UNSAFE and under what conditions it has been obtained.
In order to evaluate the security of the proposed AKA scheme by the AVISPA tools, we have implemented the specifications for the user U i (Appendix A, Figure A1), the sensor node SN j (Appendix A, Figure A2), the gate-way node GW N (Appendix A, Figure A3), the session (Appendix A, Figure A4), goal and the environment (Appendix A, Figure A5) in HLPSL. The desired goals, mutual authentication between U i and GW N by checking E i and K i , between GW N and SN j by checking G i and I i , the secrecy of session key, user's identity and password are all achieved. We have chosen the widely-accepted OFMC and CL-AtSe back-ends for the execution tests and a bounded number of sessions model checking. In OFMC backend (Figure 4), the depth for the search is 12, the total number of nodes searched in this case is 9143, which takes 44.93 s. In CL-AtSe backend ( Figure 5), 7067 states were analyzed and 1360 states were reachable. Further, CL-AtSe backend took 0.46 s for translation and 0.8 s for computation. After simulation of the code through OFMC and CL-AtSe back-ends, the results show the proposed AKA scheme is guard against both the active and passive adversaries.

Performance Analysis
This section summarily presents the performance of the proposed AKA scheme and compares in terms of security analysis and computation overheads with existing hash-function based schemes. While computing the cost of the scheme, we assume the length of the identity is 128 bits, the AES encryption/decryption [33] require each 128 bits, the timestamp is 24 bits and the message digest of SHA-3 [34] is 256 bits. Let T h be the time for one hashing operation, and T s be the time for one symmetric cryptography operation, we omit xor operation due to its negligible computational cost. Table 2 shows the computational complexity and communication overhead analysis along the main security attributes with schemes Aim-Biswas [24], Farash et al. [23], Turkanović et al. [21] and Xue et al. [19] It is noted that the communication parameters of the proposed scheme are {ID i , h(PW i , r), ID SN j ), A i , B i , C i , A j , D i , E i , F i , G i , H i , I i , J i , K i } = 128 × 2 + 256 × 13 = 3680 bits, the cost of registration is 9T h , during the authentication process, the computation cost of the GWN is 5T h + 3T s , the computation cost of the simple resource constrained sensor node is 4T h + 2T s , the total time spent by the proposed scheme is 22T h + 7T s . According to our experiment results using the jPBC library (2.0.0, [35]) (CPU: 3.2 GHz, RAM: 4.0 GB), the arithmetic mean for executing T h is 0.0359 ms, T s is 0.1755 ms after running them 1000 times. Thus, the execution time of the user side is 0.6023 ms, the resource constrained sensor node is 0.4946 ms, the GWN is 0.9214 ms and the total execution time of the proposed AKA scheme is 2.0183 ms. The results shows that the computational cost of the user and the gateway node are considered to be taken on more than sensor node part due to its resource constrained environment. From Table 2, we can see that Farash et al.'s scheme [23] achieves more security, that is, resistance to stolen smart card attack and protection of sensor node's identity, although Farash et al.'s scheme consumes more computations than Turkanović et al. [21]. Even though the efficiency of Aim-Biswas's scheme [24] is higher than Turkanović et al. [21]'s scheme, Aim-Biswas's scheme is still vulnerable to known session-specific temporary information attack and no protection of sensor node anonymity. Xue et al. [19] is insecure against sensor node impersonation attack and denial-of-service attack excepts vulnerability to known session-specific temporary information attack even though its computational overheads is lower than Farash et al.'s scheme. Compared with other four schemes which cannot ensure known session-specific temporary information attack resistance, the proposed AKA scheme consumes a slight higher computation cost lies in using symmetric cryptographic operations. In the face of the perspective of practical application, we consider the security of a cryptographic protocol is the most important. It is acceptable with such high level of security at the expense of increasing computational cost moderately. Therefore, the proposed AKA scheme is very efficient and practical for the resource constrained WSNs environment.