An Anonymous User Authentication and Key Agreement Scheme Based on a Symmetric Cryptosystem in Wireless Sensor Networks

In wireless sensor networks (WSNs), a registered user can log in to the network and use a user authentication protocol to access data collected from the sensor nodes. Since WSNs are typically deployed in unattended environments and sensor nodes have limited resources, many researchers have made considerable efforts to design a secure and efficient user authentication process. Recently, Chen et al. proposed a secure user authentication scheme using symmetric key techniques for WSNs. They claim that their scheme assures high efficiency and security against different types of attacks. After careful analysis, however, we find that Chen et al.'s scheme is still vulnerable to a smart card loss attack and is susceptible to a denial of service attack, since simply comparing an entered ID with the ID stored in the smart card is not a valid verification step. In addition, we observe that their scheme cannot preserve user anonymity. Furthermore, their scheme cannot quickly detect an incorrect password during the login phase, and this flaw wastes both communication and computational overhead. In this paper, we describe how these attacks work, and propose an enhanced anonymous user authentication and key agreement scheme based on a symmetric cryptosystem in WSNs that addresses all of the aforementioned vulnerabilities in Chen et al.'s scheme. Our analysis shows that the proposed scheme improves the level of security, and is also more efficient than other related schemes.


Introduction
Wireless sensor networks (WSNs) are ad hoc networks composed of a large number of resource-constrained sensor nodes that are randomly deployed over a target region [1]. Such networks provide cost-effective solutions to a range of monitoring problems, such as military battlefields, health care services, smart grid networks, and ubiquitous computing environments [2]. Moreover, advances in WSN technology, in which a sensor attached to a device communicates with other ambient sensors, are opening the way to the IoT environment. For these reasons, WSNs have been widely studied, both in academia and in industry.
In WSNs, the data gathered from sensor nodes sometimes include valuable and classified information, such as details of the environmental surroundings during wartime, patients' private information, monitoring information from museums, and voltage variation monitoring data in electric power companies. In order to ensure the confidentiality and reliability of deployed WSNs, it is important that access be allowed to registered and legitimate users only. In addition, a secure protocol construction requires mutual authentication between a user and a sensor node. That is to say, a sensor node should be able to verify a packet transmitted by a user in order to test the user's legitimacy.
Meanwhile, a user should also be able to verify a packet transmitted by a sensor node in order to test that the sensor node is legitimate. Besides, because of resource constraints such as limited power, communication and computational capabilities [3], the mutual authentication and key agreement protocol should not be complex or resource consuming. For example, an asymmetric key cryptosystem, like RSA [4,5], ECC [6] or ElGamal [7,8], requires a high computational overhead that is unsuitable for the energy constraints of WSNs. Therefore, authentication and key agreement protocols for WSNs should be designed with both security and efficiency in mind.

Related Studies
In 1981, Lamport [9] first proposed a remote password authentication protocol for insecure channels, and since then many authentication protocols have been studied [10-24] in order to enhance security and efficiency. In 2006, Wong et al. [10] proposed a password-based user authentication scheme with a light computational overhead using a one-way hash function and exclusive-OR operations. However, Tseng et al. [11] pointed out that Wong et al.'s scheme [10] could not resist replay and forgery attacks, and then proposed an enhanced scheme. They claimed that their scheme was secure against replay and forgery attacks, and that it provided improved efficiency in the password change process. In 2009, Vaidya et al. [12] showed that neither the scheme of Wong et al. [10] nor that of Tseng et al. [11] was secure against replay attacks and man-in-the-middle attacks. They also proposed a robust user authentication scheme for the WSN environment. In the same year, Das [13] proposed an enhanced authentication scheme based on Wong et al.'s scheme [10]. He claimed that his scheme can resist different types of attacks, such as many-logged-in-users-with-the-same-login-identity attacks, off-line password guessing attacks, stolen-verifier attacks and impersonation attacks. However, Khan and Alghathbar [14] pointed out in 2010 that Das's scheme [13] could not resist gateway node bypassing attacks and privileged-insider attacks, and thus proposed an improved authentication scheme. In the same year, Vaidya et al. [15] demonstrated that Das's scheme [13] and Khan-Alghathbar's scheme [14] could not resist stolen smart card attacks, and they then proposed an enhanced version. Chen and Shih [16] also pointed out that Das's scheme [13] could not resist parallel session attacks, and did not provide mutual authentication. In 2011, Fan et al. [17] proposed a user authentication protocol for two-tiered wireless sensor networks, and Yeh et al. [18] proposed an authentication protocol based on elliptic curve cryptography. In 2012, Das et al. [19] and Xue et al. [20] each proposed a user authentication and key agreement scheme for WSNs based on the use of a smart card. Both were designed to fulfill various security requirements, such as key agreement, mutual authentication, password protection and prevention of several attacks. In 2014, Yuan [21] proposed a user authentication scheme based on a biometric technique for WSNs. In the same year, Turkanović et al. [22] proposed a hash-function-based user authentication and key agreement protocol for heterogeneous ad hoc WSNs. They claimed that their scheme ensures secure key agreement and mutual authentication and that it is also resilient against different types of attacks. However, Farash et al. [23] pointed out some security flaws in Turkanović et al.'s scheme [22], including vulnerability to stolen smart card attacks, man-in-the-middle attacks and sensor node impersonation attacks, as well as the disclosure of secret parameters and the session key. They also suggested a user authentication and key agreement scheme for heterogeneous WSNs tailored for IoT environments. Recently, Amin et al. [24] demonstrated that Farash et al.'s scheme [23] could not resist stolen smart card attacks, off-line password guessing attacks, user impersonation attacks, and known session-specific temporary information attacks, and proposed an improved version. Additionally, two-way authentication solutions for constrained devices using Datagram Transport Layer Security (DTLS) and the Bellare-Canetti-Krawczyk (BCK) model have been proposed [25,26]. Porambage et al. [27] proposed an ECC-based authentication and key establishment scheme for WSNs in distributed IoT applications.
(1) An attacker can control the communication channels between the user, the gateway node, and the sensor node, meaning that the attacker can intercept or modify any messages that are transmitted via the public channel [35,36].
(2) An attacker can modify and resend an intercepted/eavesdropped message [37].
(3) All existing smart cards are vulnerable, because the confidential information stored within them can be extracted by physically monitoring the power consumption [38], meaning that an attacker can read the data stored on a smart card.
(4) Due to the hostile environments in the deployment field, sensor nodes can be physically captured by an attacker. However, the gateway node is secure, meaning that an attacker cannot obtain the parameters from the gateway node [18,19].
(5) An attacker can easily guess a low-entropy password or identity in an off-line manner, but guessing two secret parameters (e.g., password and identity) at the same time is computationally infeasible in polynomial time [39].
(1) User anonymity: A user's identity should be protected even if an attacker extracts the contents of the user's smart card used in the authentication scheme, or if the messages exchanged among the communicating parties are exposed.
(2) Mutual authentication: Mutual authentication should be carried out between the user and the gateway node, between the gateway node and the sensor node, and between the sensor node and the user.
(3) Session key agreement: A session key should be securely shared among the communicating parties after the verification procedure is finished.
(4) Quick detection of an incorrect password: If a user enters an incorrect password by mistake in the login phase, this should be detected before the verification phase is performed.
(5) User friendliness: Users should be able to freely change/update their password without needing to communicate with the gateway node.
(6) Robustness: User authentication schemes should withstand different types of attacks, including the following.
• Smart card loss attacks: If an attacker steals a user's smart card, the attacker can extract its contents by the power consumption technique [38]. With the obtained information, the attacker can try to launch various types of attacks.
• Off-line identity/password guessing attacks: An attacker tries to guess an identity/password, and eventually finds the exact identity/password in an off-line environment, by using the information stored in the smart card.
• User impersonation attacks: An attacker pretends to be the registered user with a forged login message, using the secret or public information collected from the smart card and the data packets.
• Replay attacks: An attacker intercepts data packets for the purpose of making use of that data in some manner. Typically, this type of attack involves copying and possibly modifying the data in various ways.
• Privileged-insider attacks: A privileged-insider attack is an attack mounted by a malicious insider. Malicious insiders have a noticeable advantage over external attackers because they have authorized access to the system and may also be familiar with the network design and system operations. Commonly, malicious insiders want to obtain users' private information, such as their passwords.
• Denial of Service (DoS) attacks: A DoS attack is any event that diminishes or eliminates a network's capability to perform its expected function. In other words, an attacker mounts a DoS attack to make the server unavailable.
• Stolen-verifier attacks: An attacker steals a password-verifier from the gateway node and directly uses it to masquerade as a legitimate user.
• Gateway node impersonation attacks: An attacker pretends to be the valid gateway node using captured information.

Notations
All of the notations used in our proposed scheme and in Chen et al.'s scheme are specified in Table 1.
Table 1. Notations.
x_a: The secret parameter generated by the GWN
x_s: The shared key between the GWN and S_n
h(x_s||SID_n): The secret key stored in S_n instead of x_s
b: A random number chosen by U_i
R_i: Cryptographic random numbers or nonces
h(·): One-way hash function
X||Y: Concatenation operation
⊕: XOR operation
T_1, T_2, T_3, T_4: Current timestamps
SK: Session key
∆T: The maximum transmission delay time

Organization of the Paper
The remainder of this paper is organized as follows: Section 2 reviews Chen et al.'s scheme, while Section 3 points out the weaknesses in Chen et al.'s scheme. Sections 4 and 5 present the proposed scheme and the security analysis of the proposed scheme, respectively. Section 6 analyzes the performance of the proposed scheme in terms of the computational and communication costs; and lastly, Section 7 concludes the paper.

Review of Chen et al.'s Scheme
In this section, we describe Chen et al.'s authentication scheme [28]. The three communicating parties are a user U_i, a gateway node GWN, and a sensor node S_n. This scheme is composed of four phases: registration, login, verification, and password change. We describe each phase in detail, and Figures 1-3 also illustrate Chen et al.'s scheme. Additionally, we give the sizes of all messages transmitted in the login and verification phases. In order to compute the message sizes, following [23], we assume that the block size of the symmetric encryption (E_k, D_k) and the output of the one-way hash function h(·) are both 20 bytes long, the identity ID_i and password PW_i are 8 bytes, the random number b is 16 bytes, and the timestamps T_1-T_4 are 19 bytes long.

Registration Phase
(1) U_i selects ID_i and PW_i, and then generates a random nonce b that is known only to U_i. U_i computes the masked password PW_i = h(PW_i||b), and sends the registration request message (ID_i, PW_i) to the GWN through a secure channel.
[Figure 1: registration phase of Chen et al.'s scheme. U_i chooses ID_i and PW_i, selects a random nonce b, and computes the masked password h(PW_i||b); b is inserted into the smart card, which finally contains (ID_i, N_i, h(·), b).]

Login Phase
(1) U_i inserts U_i's smart card into a terminal, and inputs ID_i and PW_i. The smart card compares the entered ID_i with the stored value ID_i. If this condition is satisfied, the smart card acknowledges the legitimacy of U_i and proceeds with the next step. Otherwise, it terminates this phase.
(2) The smart card computes the masked password PW_i = h(PW_i||b) and k = h((N_i ⊕ PW_i)||T_1), then chooses a random nonce R_1 ∈ {0,1}^l, and computes A_i = E_k(ID_i||R_1||T_1).

Verification Phase
(1) GW N first checks the validity of the time-stamp |T 1 − T 1 | < ∆T. GW N computes k = h(h(ID i ||x a )||T 1 ) and decrypts D k (A i ) = {ID i , R 1 , T 1 }. GW N then compares ID i and T 1 with the received values. If this condition is satisfied, GW N acknowledges the legitimacy of the U i and proceeds with the next step. Otherwise, it terminates this phase.
then sends the message ID i , B i , T 2 to S n through a public channel.
. S n compares B * i with the received value B i . If this condition is satisfied, S n believes that the GW N is authentic. Otherwise, it terminates this phase. (4) S n computes C i = h(h(x s ||SID n )||SK||ID i ||SID n ||T 3 ), and then sends the message C i , T 3 to GW N through a public channel.
, and compares it with the received value C i . If true, GW N believes that the S n is authentic. Otherwise, GW N terminates this phase. (6) GW N computes D i = E k (ID i ||SID n ||SK||R 1 ||T 4 ), and sends the message D i , T 4 to U i through a public channel.

Password Change Phase
(1) U_i inserts U_i's smart card into a terminal and inputs ID_i, the old password PW_i and the new password PW*_i. The smart card compares the entered value ID_i with the ID_i stored in the smart card. If this condition is not satisfied, it terminates this phase. Otherwise, the smart card proceeds with the next step.
(2) The smart card computes
(3) The smart card replaces the existing value N_i with the new value N*_i. Finally, the smart card contains the information {ID_i, N*_i, h(·), b}.

Security Weaknesses of Chen et al.'s Scheme
In this section, we analyze the security of Chen et al.'s scheme [28]. Chen et al. claim that their scheme can withstand different types of attacks; however, based on the attacker capabilities in Section 1.3, we found that their scheme is still vulnerable to a smart card loss attack, and is also susceptible to a denial of service attack, because it uses an incorrect verification method. In addition, we found that their scheme cannot preserve user anonymity, since the user's identity included in the login request message is in plaintext form when it is transmitted to the GWN in the login phase. A user's identity sent over a public channel can easily be exposed to attackers, because they are able to eavesdrop on the public channel, as mentioned in Section 1.3. Furthermore, Chen et al.'s scheme lacks a verification step for the input password, which leads to an inefficiency problem: since an incorrect password cannot be detected during the login phase, a login request message built from the incorrectly entered password is sent to the GWN, and the GWN only detects the wrong message while checking the login request. Generally, verification of the input password is recommended to be performed immediately in the login phase to avoid this inefficiency [40]. We now describe the weaknesses of Chen et al.'s scheme in detail.

Smart Card Loss Attack
Suppose the smart card of U_i is stolen by the attacker, who extracts the stored secret values {ID_i, N_i, h(·), b} by physically monitoring the power consumption [38], as described in Section 1.3. With this information, the attacker can mount the following malicious scenarios.
Scenario 1: If the attacker obtains the smart card, he or she can easily expose the user's identity ID_i by physically monitoring the power consumption [38]. Disclosure of the user's identity ID_i may allow tracking of U_i's behavior and his or her current location.
Scenario 2: Using the obtained smart card, the attacker can successfully pass the checking process of the login phase by using the ID_i stored in the smart card, because that checking process merely compares the entered ID_i with the ID_i stored in the smart card. The same situation also occurs in the password change phase.
Therefore, Chen et al.'s scheme still suffers from a smart card loss attack.

Denial of Service Attack
When the attacker steals the user's smart card, the attacker can obtain the user's identity ID_i by physically monitoring the power consumption [38]. Using this identity, the attacker can easily set a new password in the password change phase, since simply comparing the entered ID_i with the ID_i stored in the smart card is not a valid verification step. The following is a detailed description:
Step 1. The attacker inserts U_i's smart card into a terminal and enters ID_i, PW_a and PW*_a, where PW_a and PW*_a are arbitrary passwords chosen by the attacker.
Step 2. The smart card compares the entered value ID_i with the ID_i stored in the smart card. This verification obviously succeeds, since the entered ID_i is the same as the one stored in the smart card.
Step 4. The smart card successfully replaces N_i with the new value N_a.
If an attacker steals U_i's smart card and changes the password to an arbitrary new password as described in the steps above, then subsequent login requests by the legitimate user U_i will be rejected unless U_i re-registers with the GWN. Therefore, Chen et al.'s scheme is vulnerable to a denial of service attack.

Failure to Preserve User Anonymity
User anonymity is a highly desirable property of user authentication schemes, because leakage of a user's identity may allow an unauthorized entity to track the user's login record and behavior pattern. However, in Chen et al.'s scheme, the user's identity ID_i is transmitted in plaintext form during the login and verification phases. As described in Section 1.3, the attacker can maliciously monitor the public channels by eavesdropping [35,36], and can thereby identify valuable information in the messages transmitted over these channels.
In this manner, an attacker can easily eavesdrop on login messages to collect the plaintext identities of communicating users. All of the eavesdropped messages can be analyzed by the attacker to track the connections among U_i, the GWN and S_n, and for this reason user anonymity cannot be preserved in Chen et al.'s proposal [28].

Incorrect Password Cannot be Quickly Detected
During the login phase of Chen et al.'s scheme [28], when U_i inputs his/her identity and password, the smart card does not verify the validity of U_i's password. Therefore, if U_i inputs an incorrect password by mistake, the login and verification phases are still carried out until the request is checked by the GWN, leading to unnecessary communication and computational costs. The following scenario explains this in detail.
Assume that U_i inputs ID_i and an incorrect password PW*_i during the login phase; the smart card then computes the following:
After receiving the login request message, the GWN checks the validity of the time-stamp. The GWN then compares ID_i and T_1 with the received values. If this comparison is satisfied, the GWN believes that U_i is authentic; if not, it rejects the login request. However, the GWN clearly cannot correctly decrypt D_k(A*_i), since k* is not equal to k. Therefore, the GWN only belatedly realizes that the entered password PW*_i is incorrect, and then terminates the procedure.

The Proposed Scheme
In this section, we propose an anonymous two-factor user authentication and key agreement scheme based on a symmetric cryptosystem in WSNs that addresses the security vulnerabilities in Chen et al.'s scheme [28]. Our proposed scheme also consists of the following four phases: registration, login, verification, and password change. We describe each phase in detail, and also describe the information on the sizes of all transmitted messages in the login and the verification phases. Table 1 summarizes the notation for the proposed scheme.

Registration Phase
The user registration phase begins when U_i sends a registration request containing his/her identity and a hashed password to the GWN. The GWN then issues a smart card that stores some information, and sends it to U_i in response to the registration request. The following describes this process in detail, and Figure 4 illustrates the registration phase of our proposed scheme.
(1) U_i selects ID_i and PW_i, and then generates a random nonce b that is known only to U_i. U_i computes the masked password PW_i = h(PW_i||b) and sends the registration request message (ID_i, PW_i) to the GWN through a secure channel.
[Figure 4: registration phase of the proposed scheme. U_i chooses ID_i and PW_i and selects a random nonce b.]

Login Phase
The login phase is executed whenever U_i wants to gain access to the WSN. In this phase, U_i sends the login request to the GWN. Figure 5 illustrates the login and verification phases of our proposed scheme. In detail, this process is:
(1) U_i inserts U_i's smart card into a terminal and inputs ID_i and PW_i. The smart card computes the masked password h(PW_i||b), derives v* = N_i ⊕ h(ID_i||h(PW_i||b)), and compares h(h(PW_i||b)||v*) with the stored value M_i (see Proposition 7). If this condition is satisfied, the smart card acknowledges the legitimacy of U_i and proceeds with the next step. Otherwise, it terminates this phase.
(2) The smart card chooses a random nonce R_1 ∈ {0,1}^l, and computes DID_i = h(ID_i||R_1). The smart card then computes k = h(DID_i||v*||T_1) and A_i = E_k(DID_i||R_1||T_1) (see Proposition 14).
From the above description, in the login phase of our proposed scheme, the message size of the login request DID_i, A_i, T_1 can be computed as (8 + 20 + 19) = 47 bytes.

Verification Phase
This phase executes several steps to achieve mutual authentication, in which every transmitted message is checked in order to judge the legitimacy of U_i, the GWN and the sensor node, as well as session key agreement among all parties involved in the network. The verification phase begins when the GWN receives the login request message from U_i. The following describes this process in detail.
(1) GW N first checks the validity of the time-stamp |T 1 − T 1 | < ∆T. GW N computes k = h(DID i ||h(x a )||T 1 ) and decrypts D k (A i ) = {DID i , R 1 , T 1 }. GW N then compares DID i and T 1 with the received values. If this condition is satisfied, GW N acknowledges the legitimacy of the U i and proceeds with the next step. Otherwise, it terminates this phase.
, and then sends the message M i , DID i , B i , T 2 to S n through a public channel. (3) S n first checks whether |T 2 − T 2 | < ∆T. If this condition does not hold, this phase is terminated. Otherwise and compares it with the received value B i . If this condition is satisfied, S n believes that the GW N is authentic. Otherwise, it terminates this phase.
, and then sends the message C i , T 3 to GW N through a public channel.
, and compares it with the received value C i . If true, GW N believes that the S n is authentic. Otherwise, it terminates this phase.
If the relationship does not hold, it terminates this phase.
Otherwise, it computes D k (D i ) = {DID i , SID n , SK, R 1 , T 4 }, and compares DID i , R 1 and T 4 with the previous values. If the verification does not hold, it terminates this phase. Otherwise, the U i believes that GW N is authentic, and successfully ends the verification phase.
From the above descriptions, in verification phase of our proposed scheme, the message size

Password Change Phase
The password change phase is invoked whenever the U i wants to change his or her old password to a new password. In the password change phase of our proposed scheme, U i communicates without any assistance from the GW N. Figure 6 illustrates the password change phase for our proposed scheme. We now describe this process in further detail:

Security Analysis and Proof of the Proposed Scheme
In this section, we present a security analysis of our proposed scheme. We first examine whether our proposed scheme is safe, and we also consider its ability to resist various known attacks as described in Section 1.4. Then we adopt Burrows-Abadi-Needham (BAN) logic [41] to prove that a session key can be correctly generated between U i , GW N and S n .

Security Analysis of the Proposed Scheme
In this subsection, we scrutinize whether our proposed scheme not only withstands various attacks but also satisfies the basic requirements that a security scheme should meet. Moreover, we conduct a comparative analysis with the related schemes [13-20,28], which is summarized in Table 2. Details of the results are given below.

Proposition 1. The proposed scheme preserves user anonymity
Proof. Suppose that the attacker has intercepted U i 's login request message DID i , A i , T 1 . The attacker may then try to analyze the login request message by retrieving any static parameters from this message. However, it is not feasible to derive ID i from the login request message because the login request message includes DID i instead of ID i . Thus the use of DID i ensures that the attacker cannot acquire any information related to the user identity.

Proposition 2. The proposed scheme achieves mutual authentication
Proof. In our proposed scheme, the GWN can authenticate the user by checking whether the login request message is correct, and S_n can authenticate the GWN by checking whether the message M_i, DID_i, B_i, T_2 is correct. To authenticate S_n, the GWN verifies whether the message C_i, T_3 received from S_n is valid. Also, U_i can authenticate the GWN by checking whether the message D_i, T_4 is correct. If all of these verification processes finish successfully, mutual authentication has been carried out properly.

Proposition 3. The proposed scheme provides the session key agreement
Proof. In our proposed scheme, the user and the sensor node can share the session key after the verification procedure. As a result of the randomness and independence of the generation of R 2 in all sessions, the shared session key SK = h(DID i ||h(x s ||SID n )||R 2 ||T 2 ) differs for each session. Therefore, it is difficult for the attacker to compute the session key from the intercepted messages.

Proposition 4. The proposed scheme withstands smart card loss attacks
Proof. Suppose the smart card of U_i is stolen by the attacker, who extracts the secret values {N_i, M_i, h(·), b} using the technique of [38]. Even if the attacker obtains {N_i, M_i, h(·), b}, the attacker cannot learn the user's ID_i, because our proposed scheme does not store ID_i in the smart card. In addition, since the ID is no longer held in the smart card, our proposed scheme uses a password-based checking process instead of the vulnerable ID-based checking process.

Proposition 5. The proposed scheme withstands off-line password guessing attacks
Proof. Suppose that the attacker extracts all of the secret information from the smart card. To successfully carry out a password guessing attack, the attacker has to know the U i 's identity ID i . However, in our proposed scheme, it is impossible for the attacker to obtain the ID i . Furthermore, the guessing of two secret parameters (e.g., password, identity) is computationally infeasible in polynomial time. Thus, our proposed scheme is secure against off-line password guessing attacks.

Proposition 6. The proposed scheme withstands user impersonation attacks
Proof. An attacker tries to impersonate a legal user U i in order to deceive other parties. To start a new session, the attacker has to modify the login request message DID i , A i , T 1 . In order to change these values, the attacker has to know the ID i . However, there is no way to obtain the user's ID i . Therefore, our proposed scheme is secure against user impersonation attacks.

Proposition 7. The proposed scheme quickly detects the incorrect password
Proof. In our proposed scheme, when the user inputs an incorrect password PW_a, the smart card calculates the masked password h(PW_a||b) and v_a = N_i ⊕ h(ID_i||h(PW_a||b)). The smart card further computes M_a = h(h(PW_a||b)||v_a) and compares it with the stored value M_i. The password is accepted only if M_a equals M_i; since PW_a is incorrect, M_a is clearly not equal to M_i, so the card knows that the user has entered an incorrect password. Therefore, unlike Chen et al.'s scheme, the smart card can promptly detect the incorrect password at the beginning of the login phase.
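The following is an added example, not code from the paper, that walks through the smart-card password check of the login phase and Proposition 7 together with the GWN's verification step (1). It assumes SHA-256 for h(·), assumes that registration sets N_i = h(x_a) ⊕ h(ID_i||h(PW_i||b)) and M_i = h(h(PW_i||b)||h(x_a)) (inferred from k = h(DID_i||h(x_a)||T_1) and Proposition 7), and uses a hash-keystream XOR as a stand-in for the symmetric cipher E_k.

```python
import hashlib
import os

# Field sizes of this sketch (constructed, not the paper's 20-byte sizes):
# hash output, random nonce R_1, and timestamp, all in bytes.
HLEN, RLEN, TLEN = 32, 16, 8


def h(*parts: bytes) -> bytes:
    """One-way hash h(X||Y||...). The paper leaves h unspecified; SHA-256 is
    assumed here, with length-prefixed fields so that X||Y is unambiguous."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(k: bytes, msg: bytes) -> bytes:
    """Stand-in for the symmetric cipher E_k (assumption): XOR with a keystream
    derived from k. A deployment would use a real block cipher instead."""
    blocks = len(msg) // HLEN + 1
    stream = b"".join(h(k, i.to_bytes(4, "big")) for i in range(blocks))
    return xor(msg, stream[: len(msg)])


D = E  # for this XOR keystream, D_k is the same operation as E_k


def ts(t: int) -> bytes:
    """Encode a timestamp T as fixed-width bytes for hashing/encryption."""
    return t.to_bytes(TLEN, "big")


def register(ID: bytes, PW: bytes, b: bytes, x_a: bytes) -> dict:
    """Registration over the secure channel. The issued smart card stores
    {N_i, M_i, h(.), b}; the user's ID_i is deliberately not stored."""
    PWm = h(PW, b)              # masked password h(PW_i || b)
    v = h(x_a)                  # value the GWN later recomputes as h(x_a)
    N = xor(v, h(ID, PWm))      # N_i = h(x_a) XOR h(ID_i || PW'_i)   (assumption)
    M = h(PWm, v)               # M_i = h(PW'_i || v)                 (Proposition 7)
    return {"N": N, "M": M, "b": b}


def card_check(card: dict, ID: bytes, PW: bytes):
    """Local check at the start of login / password change: recover v from
    the entered ID_i and PW_i and compare h(PW'_i || v) against M_i."""
    PWm = h(PW, card["b"])
    v = xor(card["N"], h(ID, PWm))
    return h(PWm, v) == card["M"], v


def login(card: dict, ID: bytes, PW: bytes, T1: int):
    """Build the login request <DID_i, A_i, T_1>, or return None when the
    password check fails, so nothing reaches the GWN in that case."""
    ok, v = card_check(card, ID, PW)
    if not ok:
        return None
    R1 = os.urandom(RLEN)
    DID = h(ID, R1)                   # dynamic identity DID_i = h(ID_i || R_1)
    k = h(DID, v, ts(T1))             # k = h(DID_i || v* || T_1)
    A = E(k, DID + R1 + ts(T1))       # A_i = E_k(DID_i || R_1 || T_1)
    return DID, A, T1


def gwn_verify(msg, x_a: bytes, now: int, delta: int):
    """GWN side of verification step (1): check |T_1' - T_1| < delta_T, then
    decrypt A_i with k = h(DID_i || h(x_a) || T_1) and compare DID_i and T_1
    with the received values. Returns R_1 on success, None otherwise."""
    DID, A, T1 = msg
    if abs(now - T1) >= delta:
        return None
    pt = D(h(DID, h(x_a), ts(T1)), A)
    DID2, R1, T1b = pt[:HLEN], pt[HLEN:HLEN + RLEN], pt[HLEN + RLEN:]
    if DID2 != DID or T1b != ts(T1):
        return None
    return R1


def demo() -> dict:
    """Constructed scenario: a correct login, a mistyped password, a stolen
    card used with a guessed ID (Proposition 4), and a replayed stale request."""
    x_a = os.urandom(32)
    card = register(b"alice", b"correct horse", os.urandom(16), x_a)
    good = login(card, b"alice", b"correct horse", 1000)
    return {
        "accepted": gwn_verify(good, x_a, 1001, 5) is not None,
        "wrong_pw_sent": login(card, b"alice", b"wr0ng", 1000) is not None,
        "guessed_id_sent": login(card, b"mallory", b"correct horse", 1000) is not None,
        "stale_accepted": gwn_verify(good, x_a, 1100, 5) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Because the card holds neither ID_i nor a plaintext password, a wrong password or a guessed ID fails at `card_check` and no login request is ever transmitted, which is the efficiency gain Proposition 7 claims over Chen et al.'s ID-comparison check.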

Proposition 8. The proposed scheme withstands replay attacks
Proof. An attacker can intercept data packets to make use of the data that is contained in some manner and can then try to login to the sensor node by using the intercepted packets that were transmitted between all parties involved. However, all messages transmitted in our proposed scheme include a current timestamp, such as T 1 , T 2 , T 3 or T 4 . Hence, our proposed scheme can defend against replay attacks.

Proposition 9. The proposed scheme withstands privileged-insider attacks
Proof. There is a possibility that a privileged insider can directly acquire the user's password from the GW N to then access the user's account in other systems by using the same password. This attack is a result of the disclosure of the user's password during the registration phase. In our proposed scheme, the U i submits the password information to the GW N in the form of PW i = h(PW i ||b), instead of the form PW i . Accordingly, the privileged insider cannot acquire the user's password as an attacker.

Proposition 10. The proposed scheme withstands denial of service attacks
Proof. Suppose that the attacker obtains the user's smart card and extracts all of the information from it. The attacker then tries to modify the password in order to mount a denial of service attack. However, the attacker cannot change the password, because our proposed scheme uses a secure verification method at the beginning of the password change phase. To pass this verification procedure, the attacker has to know both the user's ID_i and PW_i. Therefore, our proposed scheme is secure against denial of service attacks.

Proposition 11. The proposed scheme withstands stolen-verifier attacks
Proof. In a stolen-verifier attack, an attacker acquires a password-verifier from the gateway node in order to immediately impersonate an authenticated user. To succeed, the attacker needs to know the user's password. However, no verification table is stored in our proposed scheme, so there is no verifier for the attacker to steal.

Proposition 12. The proposed scheme withstands off-line identity guessing attacks
Proof. Suppose that the attacker extracts all of the secret information from the smart card. To successfully carry out an off-line identity guessing attack, the attacker has to know the user's password PW_i. However, in our proposed scheme, the attacker cannot acquire the user's password. Moreover, it is not feasible to obtain ID_i from the login request, because the login request carries DID_i instead of ID_i. Therefore, the attacker cannot learn the user's identity in our proposed scheme.

Proposition 13. The proposed scheme provides a friendly and efficient password change phase
Proof. The ideal user authentication scheme allows the user to freely change his/her password, and this should be carried out without any assistance from other parties to ensure user friendliness and efficiency. In our proposed scheme, when the user wants to change an old password, the smart card first checks the validity of the old password

Proposition 14. The proposed scheme withstands GW-node impersonation attacks
Proof. Suppose that the attacker obtains all of the transmitted messages, such as ⟨DID_i, A_i, T_1⟩ and ⟨M_i, DID_i, B_i, T_2⟩, and tries to impersonate a legal gateway node. However, it is not feasible to decrypt A_i = E_k(DID_i||R_1||T_1) without the symmetric key k. Therefore, the attacker cannot impersonate a valid gateway node.

Authentication Proof with BAN Logic
We prove that a session key is correctly generated between the communicating parties during the authentication process using a well-known formal logic, BAN logic [41]; BAN logic is a formal method that is widely used to analyze the security of cryptographic protocols. The basic notation used in the BAN logic proof is as follows.
• A ◁ S: A sees the statement S.
• Jurisdiction rule: if A establishes that B has jurisdiction over S, and A trusts that B trusts a statement S, then A also trusts S.
Our analysis based on BAN logic will fulfill the following goals:
Our messages can be transformed into the idealized form as follows:
We define some assumptions as follows; these assumptions will be used in the proof below.
Using the BAN logic rules, the idealized form and the pre-defined assumptions, we carry out our proof as follows:
Based on Message 1, we can derive:
According to the assumption A11 and the message meaning rule, we obtain:
According to the assumption A1 and the freshness conjuncatenation rule, we obtain:
According to S2, S3 and the nonce verification rule, we obtain:
According to S4 and the believe rule, we obtain:
According to the assumption A15 and the jurisdiction rule, we obtain:
According to Message 2, we obtain:
According to S7, assumption A11 and the message meaning rule, we obtain:
According to the assumptions A1, A6 and the freshness conjuncatenation rule, we obtain:
According to S8, S9 and the nonce verification rule, we obtain:
According to S5, S6, S10 and the believe rule, we obtain:
According to the assumption A16 and the jurisdiction rule, we obtain:
According to Message 3, we obtain:
S13: S_n ◁ (SID_n, T_2, GWN ←SID_n→ S_n)_h(x_s||SID_n)
According to S13, assumption A12 and the message meaning rule, we obtain:
S14: S_n |≡ GWN |∼ (SID_n, T_2, GWN ←SID_n→ S_n)
According to the assumption A2 and the freshness conjuncatenation rule, we obtain:
S15: S_n |≡ #(SID_n, T_2, GWN ←SID_n→ S_n)
According to S14, S15 and the nonce verification rule, we obtain:
S16: S_n |≡ GWN |≡ (SID_n, T_2, GWN ←SID_n→ S_n)
According to S16 and the believe rule, we obtain:
S17: S_n |≡ GWN |≡ (GWN ←SID_n→ S_n)
According to the assumption A17 and the jurisdiction rule, we obtain:
S18: S_n |≡ (GWN ←SID_n→ S_n)
According to Message 4, we obtain:
According to S19, assumption A12 and the message meaning rule, we obtain:
According to the assumptions A2, A7 and the freshness conjuncatenation rule, we obtain:
According to S20, S21 and the nonce verification rule, we obtain:
According to S17, S18, S21 and the believe rule, we obtain:
According to the assumption A18 and the jurisdiction rule, we obtain:
According to Message 5, we obtain:
According to S25, assumption A14 and the message meaning rule, we obtain:
According to the assumption A3 and the freshness conjuncatenation rule, we obtain:
According to S26, S27 and the nonce verification rule, we obtain:
According to S17, S18, S28 and the believe rule, we obtain:
According to the assumption A19 and the jurisdiction rule, we obtain:
According to Message 6, we obtain:
According to S31, assumption A13 and the message meaning rule, we obtain:
According to the assumptions A3, A8 and the freshness conjuncatenation rule, we obtain:
According to S32, S33 and the nonce verification rule, we obtain:
According to S17, S18, S29, S34 and the believe rule, we obtain:
According to the assumption A21 and the jurisdiction rule, we obtain:
S36: GWN |≡ (U_i ←SK→ GWN)   (Goal 3)
According to Message 7, we obtain:
According to S37, assumption A10 and the message meaning rule, we obtain:
According to the assumptions A4, A9 and the freshness conjuncatenation rule, we obtain:
According to S38, S39 and the nonce verification rule, we obtain:
According to S5, S6, S39 and the believe rule, we obtain:
According to the assumption A20, S41 and the jurisdiction rule, we obtain:
According to Message 8, we obtain:
According to S43, assumption A10 and the message meaning rule, we obtain:
According to the assumptions A5, A9 and the freshness conjuncatenation rule, we obtain:
According to S44, S45 and the nonce verification rule, we obtain:
According to S5, S6, S41, S46 and the believe rule, we obtain:
According to the assumption A22 and the jurisdiction rule, we obtain:
Based on Goals 1 to 4, we can assure that our proposed scheme provides mutual authentication and agreement on the session key SK, which is correctly shared between U_i and GWN.

Performance Analysis of the Proposed Scheme
In this section, we summarize the performance analysis of our proposed scheme in terms of computation and communication complexity. These two factors are the most important when measuring the performance of any user authentication and key agreement protocol for WSNs, and a scheme is more efficient when its complexities are lower than those of existing schemes. We therefore present a performance evaluation that compares our proposed scheme with other related schemes [13–20,28].

Computational Performance Analysis
In this subsection, we present a comparison of the computational costs and measure the execution time. The computational analysis of an authentication protocol is generally conducted by focusing on the operations performed by each party within the protocol. Therefore, for the analysis of the computational costs, we concentrate on the operations that are carried out by the parties in a WSN: namely a user, a gateway node, a sensor node, and a base station. A base station is used to gather the information detected by the sensor nodes or the gateway node. We also analyze the messages that are delivered between the communicating parties within the protocol; this analysis of the message size is relevant to the communication cost, and details are given in Section 6.2. To facilitate the analysis of the computational costs, we define the following notation.
• T_H: the time to execute a one-way hash operation
• T_E/D: the time to compute a symmetric-key encryption/decryption
• T_ECC: the time to compute an encryption/decryption operation in the ECC-160 algorithm
In addition, to obtain accurate measurements, we performed an experiment using the Crypto++ Library [42] on a system running the 64-bit Windows 7 operating system with a 3.2 GHz processor and 4 GB of memory, using Visual C++ 2013, the SHA-1 hash function, the AES symmetric encryption/decryption function, and the ECC-160 function. According to our experiment, T_H is about 0.0002 s on average, T_E/D is about 0.0087 s on average and T_ECC is about 0.6 s on average. Table 3 compiles a comparative analysis of the computational cost among the related schemes [13–20,28]. As an example of how the computational costs are calculated, the computation cost of the sensor node in our proposed scheme is 3T_H in Table 3: it is the sum of the three hash operations SK = h(DID_i||h(x_s||SID_n)||R_2||T_2), B_i* = h(DID_i||SK||h(x_s||SID_n)||SID_n||T_2), and C_i = h(h(x_s||SID_n)||SK||DID_i||SID_n||T_3) in the login and verification phase. The value h(x_s||SID_n) is not counted, since it is already stored in the sensor node. Using this method, we compare the computational load of the schemes during the login and verification phases. Table 3 shows that Yeh et al.'s scheme [18] imposes the highest computational load, because it uses ECC operations. Compared with Chen et al.'s scheme [28], the proposed scheme uses only three more hash operations in total; there is almost no difference between them in terms of computational complexity, because the hash function is an extremely lightweight operation.
In addition, even though our proposed scheme is somewhat more computationally costly than some of the other schemes, this should be easily tolerated, because our proposed scheme assures higher security and resists most well-known attacks while providing additional functionality.
Table 3. Comparison of the computational cost between our proposed scheme and other related schemes.
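As an added illustration that is not part of the paper, the following Python code implements the sensor node's share of the login and verification phase using exactly the three hash operations counted above, together with the timestamp freshness check on which the replay-attack argument (Proposition 8) relies. It assumes SHA-256 as h(·), byte concatenation for ||, that R_2 has already been recovered from M_i, a 19-byte "YYYY-MM-DD HH:MM:SS" timestamp format and a replay window ΔT; none of these details are specified in this section.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Added example (not the paper's code): the sensor node S_n's computations in
# the login and verification phase, as counted in Table 3:
#   SK   = h(DID_i || h(x_s||SID_n) || R_2 || T_2)
#   B_i* = h(DID_i || SK || h(x_s||SID_n) || SID_n || T_2)
#   C_i  = h(h(x_s||SID_n) || SK || DID_i || SID_n || T_3)
# Assumptions (labelled, not from the paper): h is SHA-256, '||' is byte
# concatenation, R_2 is already recovered from M_i, timestamps are 19-byte
# "YYYY-MM-DD HH:MM:SS" strings, and the freshness window is DELTA_T.

DELTA_T = timedelta(seconds=5)   # assumed replay window
TS_FMT = "%Y-%m-%d %H:%M:%S"     # 19-byte timestamp, matching the size used in Section 6.2

def h(*parts: bytes) -> bytes:
    """One-way hash of the concatenation of the parts."""
    return hashlib.sha256(b"".join(parts)).digest()

def is_fresh(ts: str, now: str) -> bool:
    """Replay check: accept a timestamp only inside the DELTA_T window."""
    t = datetime.strptime(ts, TS_FMT)
    n = datetime.strptime(now, TS_FMT)
    return abs(n - t) <= DELTA_T

class SensorNode:
    def __init__(self, sid_n: bytes, x_s: bytes):
        self.sid_n = sid_n
        # h(x_s||SID_n) is pre-stored in the node, so it is not counted as an operation.
        self.k_n = h(x_s, sid_n)

    def verify(self, did_i: bytes, r2: bytes, b_i: bytes, t2: str, t3: str, now: str):
        """Return (SK, C_i) on success, or None for a stale or forged request."""
        if not is_fresh(t2, now):                                  # replay defence
            return None
        sk = h(did_i, self.k_n, r2, t2.encode())                   # 1st hash: SK
        b_star = h(did_i, sk, self.k_n, self.sid_n, t2.encode())   # 2nd hash: B_i*
        if not hmac.compare_digest(b_star, b_i):                   # constant-time compare
            return None
        c_i = h(self.k_n, sk, did_i, self.sid_n, t3.encode())      # 3rd hash: C_i
        return sk, c_i

def gateway_side(did_i: bytes, sid_n: bytes, x_s: bytes, r2: bytes, t2: str):
    """Constructed helper producing the gateway's SK and B_i, used only to build inputs."""
    k_n = h(x_s, sid_n)
    sk = h(did_i, k_n, r2, t2.encode())
    return sk, h(did_i, sk, k_n, sid_n, t2.encode())
```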

Communication Performance Analysis
In this subsection, we analyze the messages that are delivered to each party within the protocols. This analysis of the message size is relevant to the communication cost. We compare the number of messages and the total number of bytes of all messages transmitted during the login and verification phases. Table 5 shows the communication cost of our proposed scheme and the other schemes [13–20,28]. We have analyzed all the schemes listed in Table 5, and the algorithms of the related works [13–20] are described in Appendices A–H. Based on [23], we assume that both the block size of the symmetric encryption and the output of the one-way hash function h(·) are 20 bytes long, the identity ID_i and password PW_i are 8 bytes, the random numbers b, R_1 and R_2 are 16 bytes, the timestamps T_1 to T_4 are 19 bytes, and an ECC function value is 15 bytes long. As Table 5 shows, in Chen et al.'s scheme [28] the login request message ⟨ID_i, A_i, T_1⟩ requires (8 + 20 + 19) = 47 bytes and the authentication message ⟨ID_i, B_i, T_2⟩ requires (8 + 20 + 19) = 47 bytes. The last two authentication messages ⟨C_i, T_3⟩ and ⟨D_i, T_4⟩ require (20 + 19) = 39 bytes each. Thus, their scheme requires a total of 172 bytes.
Table 5. Comparison of the communication cost between our proposed scheme and other related schemes.

Schemes                    Total Number of Messages Required   Total Number of Bytes Required
Proposed scheme            4 Messages                          216 Bytes
Chen et al. [28]           4 Messages                          172 Bytes
Xue et al. [20]            6 Messages                          284 Bytes
Das et al. [19]            4 Messages                          253 Bytes
Yeh et al. [18]            3 Messages                          118 Bytes
Fan et al. [17]            3 Messages                          126 Bytes
Chen and Shih [16]         4 Messages                          170 Bytes
Vaidya et al. [15]         5 Messages                          157 Bytes
Khan and Alghathbar [14]   4 Messages                          157 Bytes
Das et al. [13]            3 Messages

Table 5 shows that our proposed scheme requires slightly more communication cost than Chen et al.'s scheme [28]. However, our scheme corrects the flaws of Chen et al.'s scheme, such as the smart card loss attack and the denial of service attack. Also, even though our scheme requires slightly more communication cost than some of the other schemes, we consider this acceptable, because our proposed scheme assures security and provides additional functionalities, as Table 2 shows.

Conclusions
In this study, we analyze the security weaknesses of Chen et al.'s scheme and show that their scheme is susceptible to smart card loss attack and denial of service attack. In addition, we show that Chen et al.'s scheme cannot preserve user anonymity and cannot quickly detect an incorrect password during the login phase. We therefore propose a security-enhanced user authentication and key agreement scheme using a symmetric cryptosystem for WSNs. The proposed scheme not only preserves the merits of Chen et al.'s scheme, but also fixes its security flaws. Our security and performance comparison shows that our protocol achieves both stronger security and higher efficiency. Therefore, we believe that our proposed scheme is more suitable for applications in WSNs.
Author Contributions: J.J., J.K. and Y.C. conceived and designed the experiments; J.J. performed the experiments; J.J. and Y.C. analyzed the data; J.J. and D.W. wrote the paper.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. Das et al.'s Authentication Scheme [13]
Das et al.'s authentication scheme is shown in Figures A1 and A2.

Appendix B. Khan and Alghathbar's Authentication Scheme [14]
Khan and Alghathbar's authentication scheme is shown in Figures B1 and B2.
Figure B1. Registration phase for Khan and Alghathbar's scheme [14].

Figure B2. Login and verification phase for Khan and Alghathbar's scheme [14].

Appendix C. Vaidya et al.'s Authentication Scheme [15]
Vaidya et al.'s authentication scheme is shown in Figures C1 and C2.

Appendix D. Chen and Shih's Authentication Scheme [16]
Chen and Shih's authentication scheme is shown in Figures D1 and D2.
Figure D1. Registration phase for Chen and Shih's scheme [16].

Figure D2. Login and verification phase for Chen and Shih's scheme [16].

Appendix E. Fan et al.'s Authentication Scheme [17]
Fan et al.'s authentication scheme is shown in Figures E1 and E2.

Appendix F. Yeh et al.'s Authentication Scheme [18]
Yeh et al.'s authentication scheme is shown in Figures F1 and F2.
Figure F1. Registration phase for Yeh et al.'s scheme [18].

Appendix G. Das et al.'s Authentication Scheme [19]
Das et al.'s authentication scheme is shown in Figures G1 and G2.


Appendix H. Xue et al.'s Authentication Scheme [20]
Xue et al.'s authentication scheme is shown in Figures H1 and H2.