Efficient and Security Enhanced Anonymous Authentication with Key Agreement Scheme in Wireless Sensor Networks

At present, users can utilize an authenticated key agreement protocol in a Wireless Sensor Network (WSN) to securely obtain desired information, and numerous studies have investigated authentication techniques to construct efficient, robust WSNs. Chang et al. recently presented an authenticated key agreement mechanism for WSNs and claimed that it both prevents various types of attacks and preserves the required security properties. However, we have discovered that Chang et al.'s method possesses several security weaknesses. First, their mechanism cannot guarantee protection against a password guessing attack, a user impersonation attack or session key compromise. Second, the mechanism places a high load on the gateway node because the gateway node must always maintain verifier tables. Third, there is no session key verification process in the authentication phase. To this end, we describe how the previously stated weaknesses occur and propose a security-enhanced version for WSNs. We present a detailed analysis of the security and performance of our authenticated key agreement mechanism, which not only enhances security compared to related schemes, but also takes efficiency into consideration.


Introduction
Wireless Sensor Networks (WSNs) are distributed networks composed of tiny autonomous sensors capable of collecting information about the environment or physical conditions of a target region [1]. WSNs can be deployed in various use cases, including military battlefields, healthcare services and smart grid networks, to provide convenience to users [2]. Figure 1 illustrates the WSN system architecture. As shown in Figure 1, a WSN system comprises three parties: the user, the gateway node and the sensor nodes [1,2]. A WSN is made of sensor nodes that are wirelessly connected to a gateway, which in turn is connected to the user. In some WSNs, the sensor nodes can also be connected to each other to form a multi-hop wireless mesh network.
Although users enjoy the simplicity and efficiency of WSNs, security has emerged as a major issue in both academia and industry [3]. Specifically, confidential information, including the user's identity and password, should not be exposed even if an unauthorized party eavesdrops on data packets transmitted in the WSN [4]. To guarantee reliability among the communicating parties, an authentication mechanism can provide confidentiality and integrity when users access WSNs [3,4]. To design a secure authentication mechanism for WSNs, the following security requirements should be considered [5][6][7][8][9][10][11][12][13].
• User anonymity: Even if an attacker extracts the information stored in the user's smart card or eavesdrops on the messages transmitted in the communication group, the user's identity should be protected.
• Mutual authentication: An authentication mechanism should execute several steps to achieve mutual authentication, that is, every transmitted message is checked so that its legitimacy can be judged.
• Session key agreement: After the mutual authentication process has completed, the session key should be securely established between the communicating parties on the network.
• Password verification process: If a user mistakenly enters an incorrect password in the login phase, the error should be detected promptly, before the authentication phase is performed.
• User friendliness: An authentication mechanism should provide a password change procedure with which a user can freely update their password without communicating with the gateway node.
• Robustness: User authenticated key agreement schemes should withstand different types of attacks, such as off-line password guessing attacks, replay attacks, insider attacks and impersonation attacks.
Furthermore, efficiency must be considered when applying an authentication mechanism to the WSN environment because the sensor nodes are limited in computing resources and power [5]. In other words, when constructing an authentication mechanism for WSNs, a hash-function-based method is recommended, since it requires less computation than public-key cryptosystems such as RSA, elliptic curve cryptography (ECC) and ElGamal, all of which have a high computational overhead [6,7]. Therefore, an authentication protocol implemented for WSNs should be simple and efficient while still meeting the required security.

Related Studies
In 2006, Wong et al. [8] first presented a lightweight user authentication protocol for WSNs. Their protocol improved efficiency by employing only a one-way hash function and the exclusive-OR operation. However, Das [9] pointed out that Wong et al.'s scheme [8] could not withstand attacks in which many users are logged in with the same login identity, nor stolen-verifier attacks. Das [9] then suggested an improved version that solved the flaws present in Wong et al.'s method. Unfortunately, Khan and Alghathbar [10] demonstrated in 2010 that Das's scheme [9] could not withstand a privileged-insider attack or a gateway node bypass attack, and proposed an enhanced strategy. In the same year, Chen and Shih [11] also demonstrated that Das's scheme [9] overlooks parallel session attacks and cannot support mutual authentication; Chen and Shih [11] then proposed an enhanced version. In 2012, Vaidya et al. [12] pointed out that Das's scheme [9], Khan and Alghathbar's scheme [10] and Chen and Shih's scheme [11] share the same vulnerabilities to a lost smart card attack and a sensor node impersonation attack. To compensate for these defects, Vaidya et al. [12] suggested their own authentication scheme, arguing that it can withstand various attack types. However, Kim et al. [13] proved in 2014 that Vaidya et al.'s scheme [12] has weaknesses, such as to user impersonation attacks and gateway node bypass attacks, and proposed an upgraded scheme. In 2015, Chang et al. [14] demonstrated that Kim et al.'s scheme [13] could not prevent an impersonation attack, a lost smart card attack or a man-in-the-middle attack, and did not provide session key security. Chang et al. [14] then proposed an improved scheme. However, Park and Park [15] recently pointed out that Chang et al.'s scheme [14] still had weaknesses, such as an off-line password guessing attack, a perfect forward secrecy problem and an incorrect password change procedure, and proposed an enhanced version.
Various cryptographic techniques have also been employed in such protocols to improve the security of WSNs. Lee [16] and Kumari et al. [17] apply a chaotic map technique in their authentication mechanisms. In 2015, Cheng et al. [18] presented an RSA-based authentication method for WSNs. In addition, Yeh et al. [19] proposed an authentication protocol for WSNs based on elliptic curve cryptography (ECC). However, Han [20] pointed out that Yeh et al.'s scheme [19] could not achieve perfect forward secrecy and fails to provide mutual authentication. To address these weaknesses, Shi and Gong [21] presented a new ECC-based authentication mechanism for WSNs. However, Choi et al. [22] demonstrated that Shi and Gong's mechanism [21] does not satisfy the security requirements, because it is unsafe against lost smart card attacks and does not provide session key security.

Motivations and Contributions
In 2015, Chang et al. [14] presented a two-factor user authenticated key agreement scheme for WSNs. They claimed that their scheme could resist an off-line password guessing attack and an impersonation attack, as well as provide session key security. However, we have discovered that Chang et al.'s scheme [14] contains critical security weaknesses. Their scheme (i) still cannot guarantee protection against an off-line password guessing attack or a user impersonation attack, (ii) fails to provide session key security, (iii) faces a scalability problem because the gateway nodes must always maintain verifier tables and (iv) provides no session key verification process.
Our main contributions in this study are as follows. First, we concretely explain the weaknesses in Chang et al.'s scheme. Second, we propose an improved authentication protocol for WSNs. Third, we show that the proposed mechanism satisfies the various security requirements. Finally, we demonstrate that the proposed protocol performs better than related schemes in terms of computation cost and time consumption.

Preliminaries
In this subsection, we first introduce the biohash function [23], which is used in our proposed scheme. Then, we list the notations of Chang et al.'s scheme [14] and of our proposed scheme in Table 1. A user's biometric information is very sensitive data. Thus, when user identification is carried out using biometric data, a secure and sophisticated matching technique is required. To address this concern, in 2004, Jin et al. [23] presented a fingerprint-based function to verify a user's legitimacy. The biohash technique projects each user's biometric feature vector onto a set of tokenized pseudo-random numbers and quantizes the result into a binary string. Figure 2 describes the user recognition mechanism that employs the user's biometric information and the biohashing technique. When a device captures the user's biometric template T, it transforms T into a feature vector and passes it to the transform function H(·). The transform function H(·) creates the transformed template H(T, K) from the captured template T and a random key K. The device also creates the biohash code H(Q, K) from the random key K and the stored biometric query Q, and compares it with the new value H(T, K) to decide whether the user is registered. The biohashing technique is also applied in our scheme, as described in Section 4. For convenience, and like other authentication schemes [24][25][26][27], we use a single input value Bio that combines the user's biometric information and the random key. The biohash function H(·) is a one-way function with the additional property that it reduces the probability of denial of service, that is, of a legitimate user being rejected. In other words, identical biometric information produces the identical value H(Bio), and it is infeasible to compute the input value Bio from the output value H(Bio). Many authentication studies [24][25][26][27] have been conducted based on the biohashing technique.
Our proposed scheme also adopts the user's biometric information by applying biohashing; the details are given in Section 4.
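The recognition mechanism described above, as an added example that is not part of the original paper or of Jin et al.'s implementation: a toy BioHash in Python. The feature vector is an assumed plain list of 64 floats (constructed sample data, not real fingerprint data), the token K seeds a pseudo-random orthonormal projection of 32 vectors, and the binarisation threshold is 0 after centring the features. The code lengths, the threshold and the accept distance `max_dist` are assumptions; the structure (token-seeded random projection followed by quantisation to bits) is the one the paragraph describes.

```python
"""Toy BioHash in the style of Jin et al. [23]: added example, not the paper's code."""
import hashlib
import random
from typing import List

FEATURE_DIM = 64   # length n of the feature vector extracted from a template (assumed)
CODE_BITS = 32     # length m <= n of the BioHash code H(T, K) (assumed)


def projection_basis(token: bytes, m: int = CODE_BITS, n: int = FEATURE_DIM) -> List[List[float]]:
    """Derive m orthonormal n-dimensional vectors from the user's token K.

    The token is hashed so that any byte string can seed the generator; a different
    token gives an unrelated basis, which is what makes a BioHash code revocable.
    """
    assert m <= n, "at most n orthonormal vectors exist in n dimensions"
    rng = random.Random(int.from_bytes(hashlib.sha256(token).digest(), "big"))
    ortho: List[List[float]] = []
    for _ in range(m):
        w = [rng.gauss(0.0, 1.0) for _ in range(n)]
        for u in ortho:                                # Gram-Schmidt step
            dot = sum(a * b for a, b in zip(w, u))
            w = [a - dot * b for a, b in zip(w, u)]
        norm = sum(a * a for a in w) ** 0.5
        ortho.append([a / norm for a in w])
    return ortho


def biohash(features: List[float], token: bytes) -> List[int]:
    """H(T, K): centre T, project it onto the token-derived basis, binarise at 0."""
    mean = sum(features) / len(features)
    centred = [f - mean for f in features]
    return [1 if sum(a * b for a, b in zip(centred, w)) > 0 else 0
            for w in projection_basis(token)]


def hamming(a: List[int], b: List[int]) -> int:
    return sum(x != y for x, y in zip(a, b))


def verify(query: List[float], token: bytes, enrolled: List[int], max_dist: int = 6) -> bool:
    """Compare H(Q, K) against the enrolled H(T, K); accept when within max_dist bits."""
    return hamming(biohash(query, token), enrolled) <= max_dist


def demo() -> dict:
    """Constructed feature vectors standing in for fingerprint scans."""
    rng = random.Random(7)
    template = [rng.random() for _ in range(FEATURE_DIM)]       # enrolment scan T
    requery = [t + rng.uniform(-0.01, 0.01) for t in template]  # same finger, fresh scan Q
    impostor = [rng.random() for _ in range(FEATURE_DIM)]       # another person's finger
    token = b"tokenised-random-number-for-user-i"
    enrolled = biohash(template, token)
    return {
        "genuine": verify(requery, token, enrolled),
        "impostor": verify(impostor, token, enrolled),
        "stolen_template_wrong_token": verify(template, b"other-token", enrolled),
    }


if __name__ == "__main__":
    print(demo())
```

The third case is the practical point of tokenisation: even a captured template produces a useless code without the user's token, and a compromised code can be revoked by issuing a new token. The one-way property the paper relies on comes from the quantisation step, which discards most of the information in the projected vector.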

Scalability and Practicability in Terms of Authentication Using Biometric Information
Three-factor authentication protocols, which complement the two-factor (identity and password) protocol by adding biometric information, have been frequently employed in recent years. Basically, an authentication mechanism using biometric information requires a terminal capable of reading a smart card and a device capable of capturing the user's biometric (fingerprint) information. To reduce this inconvenience, Baratelli [28] and Kozlay [29] devised smart-card-based fingerprint identification technology by embedding a fingerprint sensor in the smart card, and Clancy [30] proposed a self-contained fingerprint authentication technique using a smart card. In other words, devices that combine a smart card terminal and a fingerprint reader have already been developed. Accordingly, authentication research does not regard the fingerprint terminal as an inconvenience and assumes that devices able to read both smart cards and fingerprints are used. In addition, a number of three-factor authentication protocols [24][25][26][27] already apply the user's biometric information.
First of all, the most important reason for using biometric information in an authentication mechanism is to increase the security of the protocol by preventing identity and password guessing attacks. For this reason, our proposed scheme also uses the user's biometric information, and we show that the proposed scheme resists these attacks. A detailed description of the protocol can be found in Section 4, and the security analysis in Section 5.

Notations
The notations used in this paper are listed in Table 1.

Organization of the Paper
The remainder of this paper is structured as follows. In Section 2, we briefly explain Chang et al.'s authentication scheme. Section 3 demonstrates the vulnerabilities in Chang et al.'s scheme. A detailed explanation of our proposed scheme is provided in Section 4. In Section 5, we evaluate whether our proposed scheme can withstand various attacks. Further, we conduct a formal security proof using the random oracle model in Section 6. In Section 7, we analyze the performance of the proposed scheme, and in Section 8, we provide the conclusion to the paper.

Review of Chang et al.'s Scheme
In this section, we briefly review Chang et al.'s authenticated key agreement scheme [14] before cryptanalyzing it. It is composed of four phases: registration, login, authentication and password change. In Chang et al.'s scheme [14], there are three communicating parties: a user U_i, a gateway node GWN and a sensor node S_j. We describe each phase in detail, and Table 1 shows the notations used in Chang et al.'s scheme.

Registration Phase
(1) U_i selects ID_i and PW_i, and then generates a random number RN_r. U_i computes HPW_i = h(PW_i || RN_r) and sends the registration request ⟨ID_i, HPW_i⟩ to GWN through a secure channel.
(2) GWN chooses a smart card and writes {ID_s, A_i, B_i, C_i, TID_i, h(·)} into the smart card's memory. Then, GWN sends the smart card to U_i through a secure channel.
(3) U_i computes XPW_i = h(PW_i) ⊕ RN_r and stores XPW_i in the smart card's memory. Finally, the smart card contains the information {ID_s, A_i, B_i, C_i, TID_i, h(·), XPW_i}.

Login Phase
(1) U_i inserts the smart card into a terminal and inputs ID_i and PW_i. The smart card computes B*_i and compares it with the stored value B_i. If they match, the smart card acknowledges the legitimacy of U_i and proceeds with the next step. Otherwise, it terminates this phase.
(2) The smart card computes

Authentication Phase
(1) GWN first checks the validity of the time stamp, |T_1' − T_1| < ΔT, and retrieves the HID_i corresponding to TID_i from its database. If GWN cannot find TID_i, it retrieves HID_i via the other stored temporary identity TID_i• instead (see Section 3.4). GWN then computes M*_{U_i,G} and compares it with the received M_{U_i,G}. If this condition is satisfied, GWN acknowledges the legitimacy of U_i and proceeds with the next step. Otherwise, it terminates this phase.
(2) S_j verifies the message received from GWN. If this condition is satisfied, S_j believes that the GWN is authentic. Otherwise, it terminates this phase.
(3) S_j computes M_{S_j,G} = h(z_i || X*_{S_j} || T_3) and then sends the message ⟨M_{S_j,G}, T_3⟩ to GWN through a public channel.
(4) GWN computes M*_{S_j,G} and compares it with the received value M_{S_j,G}. If true, GWN believes that S_j is authentic and sends the message ⟨y_i, M_{G,U_i}, T_4⟩ to U_i. Otherwise, GWN terminates this phase.
(5) U_i computes M*_{G,U_i} and compares it with the received value M_{G,U_i}. If the verification does not hold, this phase is terminated. Otherwise, U_i believes that the GWN is authentic and computes the shared session key K_S = f(DID_i, k_j). Lastly, U_i updates TID_i as h(HID_i || T_1) and successfully ends the authentication phase.

Password Change Phase
(1) U_i inserts the smart card into a card reader and inputs ID_i, the old password PW_i and the new password PW_i^new. The smart card computes B*_i and compares it with the stored value B_i. If this condition is not satisfied, it terminates this phase. Otherwise, the smart card proceeds with the next step.
(2) The smart card computes HPW_i^new

Security Weaknesses of Chang et al.'s Scheme
In this section, we show that Chang et al.'s scheme [14] possesses a number of security vulnerabilities. The following vulnerabilities rest on two assumptions:
• An attacker can extract all parameters stored in the smart card by physically monitoring its power consumption [31].
• An attacker can eavesdrop on or modify any message in the public channel [32,33].
Under these two assumptions, the following problems have been found, and their detailed descriptions are given below.

Off-Line Password Guessing Attack
This attack tries candidate passwords until the correct one is found; it is practical because many users choose short, simple passwords for convenience. For this reason, every password-based authentication mechanism should be designed to resist guessing attacks. Chang et al.'s scheme [14] is weak in this respect, and we describe an off-line password guessing scenario in detail:
Step 1. An attacker extracts {ID_s, A_i, B_i, C_i, TID_i, h(·), XPW_i} from U_i's stolen smart card by physically monitoring its power consumption [31].
Step 2. The attacker collects a valid login request ⟨DID_i, M_{U_i,G}, T_1, TID_i⟩ from a previous session [32,33].
Step 3. The attacker selects a password candidate PW*_i.
Step 4. The attacker computes RN*_r = XPW_i ⊕ h(PW*_i) and HPW*_i = h(PW*_i || RN*_r).
Step 5. The attacker then computes the verifier B*_i from HPW*_i and the values obtained in Steps 1 and 2.
Step 6. The attacker repeats Steps 3 to 5 until the computed B*_i equals the breached secret B_i.
Step 7. When they match, PW*_i is the correct password; otherwise, the attacker continues with the next candidate. Therefore, Chang et al.'s scheme [14] is vulnerable to an off-line password guessing attack.
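The guessing loop above, as an added example that is neither Chang et al.'s code nor this paper's: a Python model of a Chang-style card and the dictionary attack against it, with the three-factor verifier of the proposed scheme (Section 5, off-line password guessing) beside it for contrast. The model keeps only what the page states: the card stores XPW_i = h(PW_i) ⊕ RN_r and the verifier B_i is derived from HPW_i = h(PW_i || RN_r). The exact formula for B_i is not given on the page; B_i = h(HPW_i || ID_s) is an assumption chosen so that B_i depends on nothing the attacker lacks, which is all the attack needs. SHA-256 stands in for h(·), the word list is constructed, and in the three-factor case the attacker is even handed HID_i to show that H(Bio_i) alone stops the loop.

```python
"""Off-line password guessing: Chang-style card vs. three-factor card (added example)."""
import hashlib
import os
from typing import Dict, Iterable, Optional


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) with '||' modelled as byte concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- Chang-style card (Section 3.1) -----------------------------------------
def issue_chang_card(id_s: bytes, pw: bytes) -> Dict[str, bytes]:
    """Registration as on the page: RN_r random, HPW_i = h(PW_i || RN_r),
    XPW_i = h(PW_i) XOR RN_r stored on the card.  B_i = h(HPW_i || ID_s) is an
    assumption standing in for Chang et al.'s verifier."""
    rn_r = os.urandom(32)
    hpw = h(pw, rn_r)
    return {"ID_s": id_s, "B_i": h(hpw, id_s), "XPW_i": xor(h(pw), rn_r)}


def guess_chang(card: Dict[str, bytes], dictionary: Iterable[bytes]) -> Optional[bytes]:
    """Steps 3-7: unmask RN_r with each candidate, recompute HPW_i and B_i, compare."""
    for cand in dictionary:
        rn_star = xor(card["XPW_i"], h(cand))      # RN*_r = XPW_i XOR h(PW*_i)
        hpw_star = h(cand, rn_star)                # HPW*_i = h(PW*_i || RN*_r)
        if h(hpw_star, card["ID_s"]) == card["B_i"]:
            return cand                            # B*_i == B_i: password found
    return None


# ---- Three-factor card (proposed scheme) ------------------------------------
def issue_three_factor_card(pw: bytes, h_bio: bytes, hid: bytes) -> Dict[str, bytes]:
    """HPW_i = h(PW_i || H(Bio_i)) and B_i = h(HPW_i || HID_i) as in Section 5.
    h_bio is the user's biohash output and is never written to the card."""
    return {"B_i": h(h(pw, h_bio), hid), "HID_i": hid}


def guess_three_factor(card: Dict[str, bytes], dictionary: Iterable[bytes],
                       h_bio_guess: bytes) -> Optional[bytes]:
    """Same loop; the attacker must also supply H(Bio_i), which the card does not hold."""
    for cand in dictionary:
        if h(h(cand, h_bio_guess), card["HID_i"]) == card["B_i"]:
            return cand
    return None


DICTIONARY = [b"123456", b"password", b"qwerty", b"letmein", b"sensor2017"]  # constructed


def demo() -> Dict[str, Optional[bytes]]:
    pw = b"letmein"
    chang = issue_chang_card(b"ID_s-on-card", pw)
    h_bio = h(b"minutiae-feature-vector")          # stand-in for the biohash H(Bio_i)
    three = issue_three_factor_card(pw, h_bio, hid=os.urandom(32))
    return {
        "chang_recovered": guess_chang(chang, DICTIONARY),
        "three_factor_without_bio": guess_three_factor(three, DICTIONARY, h(b"wrong")),
        "three_factor_with_bio": guess_three_factor(three, DICTIONARY, h_bio),
    }


if __name__ == "__main__":
    print(demo())
```

The lesson is structural rather than specific to Chang et al.: masking a salt as h(PW_i) ⊕ RN_r does not hide it from anyone who can enumerate PW_i, so a verifier on the card must mix in a secret the card does not carry. In the proposed scheme that secret is H(Bio_i); as the last call shows, an attacker who somehow obtains it is back to a plain dictionary attack, which is why the biometric, not the card, is the factor that must stay private.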

User Impersonation Attack
The security of a password-based authentication mechanism relies on the secrecy of the password. Thus, if an attacker obtains the password, the attacker can pretend to be a legal user. Unfortunately, Chang et al.'s scheme [14] allows an attacker to impersonate a legal user once the attacker has obtained the user's password PW_i through a guessing attack. The following is a detailed description of this scenario:
Step 1. An attacker extracts {ID_s, A_i, B_i, C_i, TID_i, h(·), XPW_i} from U_i's stolen smart card [31].
Step 2. The attacker collects a valid login request ⟨DID_i, M_{U_i,G}, T_1, TID_i⟩ from a previous session.
Step 3. The attacker obtains the user's PW_i through the off-line password guessing attack of Section 3.1.
Step 4. The attacker, using the stolen smart card, computes:
Step 5. The attacker then sends a counterfeit login request ⟨DID*_i, M*_{U_i,G}, T_1, TID_i⟩ to GWN through a public channel.
Step 6. After receiving the login request, GWN runs its verification. GWN successfully finishes the verification process because M*_{U_i,G}, computed by the attacker, is equal to the M_{U_i,G} computed by GWN.
Through the steps above, the attacker passes the checking process and is accepted as a legal user under Chang et al.'s scheme [14].

Session Key Compromise
In Chang et al.'s scheme [14], if an attacker knows U_i's password PW_i, obtained as in Section 3.1, the attacker can establish the session key. With the combined values {y_i, C_i, ID_s, PW_i, XPW_i, T_1}, the attacker can construct K_S = f(DID_i, k_j).

Scalability Problem
For convenience, Chang et al. [14] let the GWN maintain a verifier table in its database to store information such as the user's temporary identities (TID_i, TID_i•) and the value HID_i = h(ID_i || K). Accordingly, the GWN must always retain a verifier entry for every user. The amount of user information that must be retained grows with the number of users, placing an increasing burden on the GWN. Moreover, the verifier table is inefficient in terms of computation time, since the values that change in each phase must be written back to the table.

Absence of a Session Key Verification Process
According to [34,35], an authenticated key agreement mechanism should include a verification step confirming that the communicating parties have generated the same session key. In the authentication phase of Chang et al.'s scheme [14], U_i generates its own session key K_S after verifying the message ⟨y_i, M_{G,U_i}, T_4⟩ through M*_{G,U_i} ?= M_{G,U_i}. However, because M_{S_j,G} = h(z_i || X*_{S_j} || T_3) carries no information about the session key generated by S_j, U_i cannot be sure whether its newly generated session key K_S is exactly the same as S_j's session key. Therefore, the following procedure [34] is required to ensure that a session key is correctly distributed between U_i and S_j: (1) after generating a session key, S_j sends a message that includes information about the generated session key; (2) U_i verifies the received message and thereby confirms that its session key agrees with S_j's.

The Proposed Scheme
In this section, we propose an improved authenticated key agreement mechanism for WSNs that resolves the weaknesses of Chang et al.'s scheme [14]. To guarantee protection against the off-line password guessing attack, we employ biometric information with the biohashing technique H(·) [23], as mentioned in Section 1.3. By preventing the off-line password guessing attack, our scheme also guards against the impersonation attack and against session key compromise. In addition, we remove the verifier table stored in GWN to increase efficiency. Our proposed scheme also consists of four phases: registration, login, authentication and password change. We describe each phase in detail, and Figures 3-5 depict our scheme. The notation used in the proposed scheme is listed in Table 1.

Registration Phase
The registration phase begins when U_i sends a registration request to GWN through a secure channel. GWN then issues a smart card containing some information and sends it to U_i. Meanwhile, S_j stores the pre-defined values SID_j and X*_{S_j} in its memory, where X*_{S_j} = h(SID_j || K). The following describes this process in detail, and Figure 3 illustrates the registration phase of our proposed scheme.
(1) U_i selects ID_i and PW_i, and then imprints his/her biometric Bio_i. U_i computes HPW_i = h(PW_i || H(Bio_i)), generates a random number u and computes TID_i = h(ID_i || u). U_i sends the registration request ⟨TID_i, HPW_i⟩ to GWN through a secure channel.

Login Phase
The login phase is executed whenever U_i wants to gain access to the WSN using his/her ID_i, PW_i and smart card. In this phase, U_i sends the login request to GWN. Figure 4 illustrates the login and authentication phases of our proposed scheme. The following describes this process in detail.
(1) U_i inserts the smart card into a terminal, inputs ID_i and PW_i and imprints the biometric Bio_i. The smart card computes HPW*_i, HID*_i and B*_i, and compares B*_i with the stored value B_i. If this condition is satisfied, the smart card acknowledges the legitimacy of U_i and proceeds to the next step. Otherwise, it terminates this phase.
(2) The smart card computes DID_i = TID_i ⊕ HID*_i and M_{U_i,G} = h(TID_i || HPW*_i || HID*_i || T_1).
(3) Finally, U_i sends the login request ⟨DID_i, M_{U_i,G}, C_i, T_1⟩ to GWN through a public channel.

Authentication Phase
The authentication phase begins when GWN receives the login request from U_i. This phase performs several steps to achieve mutual authentication, as well as session key agreement, between U_i, GWN and S_j within the WSN. The following describes this process in detail.
(1) GWN first checks the validity of the time stamp, |T_1' − T_1| < ΔT, and computes TID*_i = DID_i ⊕ C_i ⊕ K, HID_i = C_i ⊕ K and HPW*_i = HID_i ⊕ h(TID*_i || K). GWN further computes M*_{U_i,G} = h(TID*_i || HPW*_i || HID_i || T_1) and compares it with the received value M_{U_i,G}. If this condition is satisfied, GWN acknowledges the legitimacy of U_i and proceeds with the next step. Otherwise, it terminates this phase.
(2) GWN generates a random number R and computes X_{S_j} = h(SID_j || K), M_j = R ⊕ X_{S_j}, K_S = f(DID_i, R) and M_{G,S_j} = h(DID_i || SID_j || X_{S_j} || K_S || T_2). GWN then sends the message ⟨DID_i, M_{G,S_j}, M_j, T_2⟩ to S_j through a public channel.
(3) S_j checks whether |T_2' − T_2| < ΔT and computes R* = M_j ⊕ X*_{S_j} and K*_S = f(DID_i, R*). S_j further computes M*_{G,S_j} = h(DID_i || SID_j || X*_{S_j} || K*_S || T_2) and compares it with the received value M_{G,S_j}. If this condition is satisfied, S_j believes that the GWN is authentic. Otherwise, it terminates this phase.
(4) S_j computes k_j = h(X*_{S_j} || T_3) and M_{S_j,G} = h(k_j || X*_{S_j} || K*_S || T_3). S_j then sends the message ⟨M_{S_j,G}, T_3⟩ to GWN through a public channel.
(5) GWN computes k_j = h(X_{S_j} || T_3) and M*_{S_j,G} = h(k_j || X_{S_j} || K_S || T_3), and compares M*_{S_j,G} with the received value M_{S_j,G}. If true, GWN believes that S_j is authentic. Otherwise, GWN terminates this phase.
(6) GWN computes k_i = R ⊕ h(TID*_i || K) and M_{G,U_i} = h(K_S || k_i || T_4), and sends the message ⟨k_i, M_{G,U_i}, T_4⟩ to U_i through a public channel.
(7) U_i computes M*_{G,U_i} and compares it with the received value M_{G,U_i}. If this condition is not satisfied, this phase is terminated. Otherwise, U_i believes that the GWN is authentic and successfully ends the authentication phase.
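The registration, login and authentication phases as one end-to-end exchange, written as an added example (not the paper's code or figures) in Python, which also exercises the session key verification of Section 5. Everything the page fixes is used as stated (TID_i, HPW_i, HID_i, C_i, D_i, DID_i, M_{U_i,G}, M_{G,S_j}, M_j, M_{S_j,G}, k_i, M_{G,U_i}). The following are assumptions where the page is silent: h is SHA-256; H(Bio_i) is SHA-256 of a feature string standing in for the biohash; f(DID_i, R) = h(DID_i || R); A_i = HID_i ⊕ h(TID_i || HPW_i) so that the card can recover HID_i in the login phase; U_i recovers R from k_i using h(TID_i || K) = HID_i ⊕ HPW_i, which follows from HID_i = HPW_i ⊕ h(TID_i || K); and the timestamp check |T' − T| < ΔT is applied to every message, not only T_1 and T_2. All identities, passwords and the sensor id are constructed sample values.

```python
"""Proposed scheme, simulated end to end (added example, not the paper's code)."""
import hashlib
import os
import time


def h(*parts: bytes) -> bytes:             # h(.) with '||' as concatenation (assumed SHA-256)
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ts() -> bytes:                         # current time stamp T as bytes
    return str(int(time.time())).encode()


def fresh(t: bytes, delta: int = 5) -> bool:   # |T' - T| < ΔT
    return abs(int(time.time()) - int(t)) < delta


class Gateway:
    def __init__(self) -> None:
        self.K = os.urandom(32)            # long-term secret K; no verifier table is kept

    def register(self, tid: bytes, hpw: bytes) -> dict:   # registration, GWN side
        hid = xor(hpw, h(tid, self.K))     # HID_i = HPW_i XOR h(TID_i || K)
        return {"A_i": xor(hid, h(tid, hpw)),             # A_i: assumed form
                "B_i": h(hpw, hid),                       # B_i = h(HPW_i || HID_i)
                "C_i": xor(hid, self.K)}                  # C_i = HID_i XOR K

    def auth_user(self, did, m_ug, c_i, t1) -> None:      # authentication step (1)
        hid = xor(c_i, self.K)
        tid = xor(xor(did, c_i), self.K)   # TID*_i = DID_i XOR C_i XOR K
        hpw = xor(hid, h(tid, self.K))     # HPW*_i = HID_i XOR h(TID*_i || K)
        if not fresh(t1) or h(tid, hpw, hid, t1) != m_ug:
            raise ValueError("login rejected")
        self.tid = tid

    def to_sensor(self, did, sid):                        # step (2)
        self.R = os.urandom(32)            # per-session randomness, held only for this run
        x, t2 = h(sid, self.K), ts()       # X_Sj = h(SID_j || K)
        return did, h(did, sid, x, h(did, self.R), t2), xor(self.R, x), t2

    def check_sensor(self, did, sid, m_sg, t3):           # steps (5) and (6)
        x, ks = h(sid, self.K), h(did, self.R)
        if not fresh(t3) or h(h(x, t3), x, ks, t3) != m_sg:
            raise ValueError("sensor rejected")
        k_i, t4 = xor(self.R, h(self.tid, self.K)), ts()  # k_i = R XOR h(TID*_i || K)
        return k_i, h(ks, k_i, t4), t4     # M_{G,Ui} = h(K_S || k_i || T_4)


class Sensor:
    def __init__(self, sid: bytes, K: bytes) -> None:
        self.sid, self.x = sid, h(sid, K)  # pre-loaded X*_Sj = h(SID_j || K)

    def respond(self, did, m_gs, m_j, t2):                # steps (3) and (4)
        self.ks = h(did, xor(m_j, self.x))  # R* = M_j XOR X*_Sj; K*_S = f(DID_i, R*)
        if not fresh(t2) or h(did, self.sid, self.x, self.ks, t2) != m_gs:
            raise ValueError("gateway rejected")
        t3 = ts()
        return h(h(self.x, t3), self.x, self.ks, t3), t3  # M_{Sj,G} with k_j = h(X*_Sj || T_3)


class User:
    def __init__(self, gw: Gateway, ident: bytes, pw: bytes, bio: bytes) -> None:
        hbio, u = h(bio), os.urandom(32)
        tid = h(ident, u)                  # TID_i = h(ID_i || u)
        self.card = gw.register(tid, h(pw, hbio))         # HPW_i = h(PW_i || H(Bio_i))
        self.card["D_i"] = xor(u, hbio)    # D_i = u XOR H(Bio_i)

    def login(self, ident, pw, bio):                      # login steps (1)-(3)
        hbio = h(bio)
        hpw = h(pw, hbio)
        tid = h(ident, xor(self.card["D_i"], hbio))
        hid = xor(self.card["A_i"], h(tid, hpw))
        if h(hpw, hid) != self.card["B_i"]:               # password verification process
            raise ValueError("wrong password or biometric")
        self.hpw, self.hid, self.did = hpw, hid, xor(tid, hid)
        t1 = ts()
        return self.did, h(tid, hpw, hid, t1), self.card["C_i"], t1

    def finish(self, k_i, m_gu, t4) -> bytes:             # step (7) plus key recovery
        r = xor(k_i, xor(self.hid, self.hpw))             # h(TID_i || K) = HID_i XOR HPW_i
        ks = h(self.did, r)
        if not fresh(t4) or h(ks, k_i, t4) != m_gu:       # session key verification
            raise ValueError("gateway rejected")
        return ks


def run(ident=b"alice", pw=b"correct-horse", bio=b"minutiae-vector", sid=b"S-7") -> bool:
    """Full exchange; True when U_i and S_j end up holding the same K_S."""
    gw = Gateway()
    sensor, user = Sensor(sid, gw.K), User(gw, ident, pw, bio)
    did, m_ug, c_i, t1 = user.login(ident, pw, bio)
    gw.auth_user(did, m_ug, c_i, t1)
    m_sg, t3 = sensor.respond(*gw.to_sensor(did, sid))
    k_i, m_gu, t4 = gw.check_sensor(did, sid, m_sg, t3)
    return user.finish(k_i, m_gu, t4) == sensor.ks


def wrong_factor_rejected(pw=b"correct-horse", bio=b"minutiae-vector") -> bool:
    """Right password with someone else's biometric never reaches the network."""
    user = User(Gateway(), b"alice", pw, bio)
    try:
        user.login(b"alice", pw, b"someone-elses-finger")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run(), wrong_factor_rejected())
```

Two design points are visible in the code. GWN reconstructs TID_i, HID_i and HPW_i from the login request and K alone, so no per-user state survives between sessions; the only transient state is R, which GWN needs until it has answered S_j and U_i. And M_{G,U_i} binds K_S, so a U_i whose recovered R does not match the one GWN used, or whose k_i was tampered with in transit, fails the final comparison instead of silently holding a different key from S_j.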

Password Change Phase
The password change phase begins when U_i intends to change the original password PW_i to a new password PW_i^new. Figure 5 illustrates the password change phase of our proposed scheme. The following describes this process in detail.
(1) U_i inserts the smart card into a terminal, inputs ID_i, PW_i and PW_i^new and then imprints the biometric Bio_i. The smart card computes B*_i and compares it with the stored value B_i. If this condition is not satisfied, it terminates this phase. Otherwise, the smart card proceeds with the next step.

Security Analysis and Proof of the Proposed Scheme
In this section, we first show that the proposed scheme withstands various attacks and satisfies the basic requirements. Moreover, we adopt Burrows-Abadi-Needham (BAN) logic [36] to prove that a session key is correctly generated between U_i and S_j. The results are as follows.
• The proposed scheme preserves user anonymity: User anonymity is a valuable property of a user authentication protocol because exposure of a user's identity allows an unauthorized party to track the user's login pattern. Suppose that the attacker has intercepted U_i's login request ⟨DID_i, M_{U_i,G}, C_i, T_1⟩ and extracted the information {A_i, B_i, C_i, D_i, h(·), H(·)} from a stolen smart card [31]. The attacker may then try to compute ID_i through h(ID_i || u) = DID_i ⊕ HID_i. However, HID_i cannot be obtained, since HID_i = C_i ⊕ K and the secret key K is known only to GWN. In addition, u is masked with H(Bio_i), which is known only to U_i. Therefore, the attacker cannot acquire the user's ID_i.
• The proposed scheme achieves mutual authentication: In the authentication phase of our scheme, U_i, GWN and S_j authenticate each other through a series of checks. In detail, GWN first verifies the login request ⟨DID_i, M_{U_i,G}, C_i, T_1⟩ by checking whether M*_{U_i,G} = M_{U_i,G}. S_j then verifies the message ⟨DID_i, M_{G,S_j}, M_j, T_2⟩ by checking whether M*_{G,S_j} = M_{G,S_j}. In addition, GWN and U_i verify the messages ⟨M_{S_j,G}, T_3⟩ and ⟨k_i, M_{G,U_i}, T_4⟩ by checking M*_{S_j,G} ?= M_{S_j,G} and M*_{G,U_i} ?= M_{G,U_i}, respectively. Thus, every transmitted message in our scheme is verified, and our scheme achieves mutual authentication.
• The proposed scheme withstands stolen smart card attacks: In our scheme, even if an attacker extracts the secret values {A_i, B_i, C_i, D_i, h(·), H(·)} stored in a stolen smart card through the power consumption technique [31], the extracted values cannot lead to further attacks. To obtain ID_i, the attacker has to know the secret key K and H(Bio_i), neither of which is available to the attacker. Since the attacker does not know the user's ID_i, the attacker cannot impersonate the legitimate user. Thus, our proposed scheme withstands a stolen smart card attack.
• The proposed scheme withstands replay attacks: In our scheme, every transmitted message includes a current time stamp, T_1, T_2, T_3 or T_4. Therefore, even if an attacker intercepts the login request message and replays it to GWN, the attacker cannot pass the time stamp check during the authentication phase. Thus, our proposed scheme withstands a replay attack.

• The proposed scheme withstands off-line password guessing attacks: An off-line password guessing attack occurs when an attacker guesses passwords in an off-line environment until the user's actual password is found. It exploits the tendency of many users to create short, simple passwords for convenience, which lets the attacker recover the password by guessing without any time limit [37]. For these reasons, password-based authentication schemes should be designed to prevent guessing attacks.
In our scheme, the attacker can obtain {A_i, B_i, C_i, D_i, h(·), H(·)} from the stolen smart card [31] and can intercept the login request ⟨DID_i, M_{U_i,G}, C_i, T_1⟩. Using these values, the attacker may try to guess the correct identity ID_i and password PW_i. However, without knowing Bio_i, the attacker cannot verify a guess of PW_i, because every value derived from the password also depends on H(Bio_i). H(Bio_i) is hashed biometric information that is known only to U_i. Therefore, our proposed scheme is secure against off-line password guessing attacks.
• The proposed scheme withstands user impersonation attacks: To impersonate a legitimate U_i, the attacker has to forge the login request ⟨DID_i, M_{U_i,G}, C_i, T_1⟩, which requires the value of ID_i. However, as mentioned above, it is infeasible for an attacker to obtain ID_i. Thus, the attacker cannot compute DID_i = TID_i ⊕ HID_i and cannot generate a valid login request to deceive GWN. Therefore, our proposed scheme withstands a user impersonation attack.
• The proposed scheme withstands sensor node impersonation attacks with node capture: Suppose that the attacker captures the sensor node S_j and extracts the information (SID_j, X*_{S_j}) [13]. The attacker then tries to modify the message ⟨M_{S_j,G}, T_3⟩ to impersonate a legitimate S_j. However, the attacker cannot generate a valid message for another sensor node because X*_{S_j} = h(SID_j || K), and it is infeasible to obtain K. Therefore, the attacker cannot impersonate a valid sensor node.
• The proposed scheme provides a password verification process: A user may enter an incorrect password by mistake. Without a password verification step, the incorrect password would be detected only after the authentication phase has been performed. Our scheme avoids this inefficiency by verifying the correctness of the password PW_i through the value B_i at the beginning of the login phase.
• The proposed scheme provides a session key verification process: In our scheme, after generating the session key K*_S = f(DID_i, R*), S_j computes M_{S_j,G} = h(k_j || X*_{S_j} || K*_S || T_3) and sends the message ⟨M_{S_j,G}, T_3⟩ to GWN. GWN then computes k_i = R ⊕ h(TID*_i || K) and M_{G,U_i} = h(K_S || k_i || T_4), and sends the message ⟨k_i, M_{G,U_i}, T_4⟩ to U_i. After receiving the message, U_i computes M*_{G,U_i} and compares it with the received value M_{G,U_i}. Since M_{G,U_i} includes the session key K_S, U_i can be sure that the K_S generated by S_j and GWN agrees with its own when the comparison M*_{G,U_i} = M_{G,U_i} succeeds. Therefore, our scheme provides a session key verification process.

•
The proposed scheme withstands privileged-insider attacks: An insider attack means that an insider can directly obtain the user's password from the server and can then access the user's account in another server by using the same password. During the registration phase of our scheme, PW i is transmitted not as a revealed condition, but as a form of HPW i = h(PW i ||H(Bio i )) when U i sends a registration request TID i , HPW i to GWN. Accordingly, the insider attacker in GWN cannot identify the U i 's PW i . Thus, our scheme can withstand an insider attack.

• The proposed scheme provides session key security: In our scheme, in order to compromise the session key $K_S = f(DID_i, R)$, the attacker must know the random number $R$. The attacker may therefore try to obtain $R$ through $R = M_j \oplus h(SID_j \| K)$. However, the attacker cannot compute $R$ because the attacker cannot obtain $K$, which is known only to GWN. Thus, our authentication scheme ensures session key security.

• The proposed scheme provides an efficient password change phase: In general, when a password change occurs, it is encouraged that the verification process be carried out without any assistance from the GWN, to ensure user friendliness and efficiency [24]. Our proposed scheme checks the existing password in a self-verification process within the smart card. After checking the process through

• The proposed scheme withstands gateway node bypass attacks: During the authentication phase of our scheme, the attacker may try to construct the message $\langle DID_i, M_{G,S_j}, M_j, T_2 \rangle$ using the parameters $\{A_i, B_i, C_i, D_i, h(\cdot), H(\cdot)\}$ stored in a stolen smart card [31] in order to impersonate a legitimate GWN. However, the attacker cannot compute $X_{S_j} = h(SID_j \| K)$ because $K$ is not public information. Thus, the attacker cannot construct a message sufficient to deceive $S_j$. Consequently, the attacker cannot impersonate a valid GWN.

• The proposed scheme withstands off-line identity guessing attacks: Suppose that the attacker extracts all of the secret information $\{A_i, B_i, C_i, D_i, h(\cdot), H(\cdot)\}$ from the smart card and intercepts $U_i$'s login request $\langle DID_i, M_{U_i,G}, C_i, T_1 \rangle$. Using these values, the attacker may try to guess the correct identity $ID_i$ by computing $TID_i = h(ID_i \| u)$, $HID_i = DID_i \oplus TID_i$, $K' = C_i \oplus HID_i$, $HPW_i = HID_i \oplus h(TID_i \| K')$ and $B_i = h(DID_i \oplus TID_i \oplus h(TID_i \| K') \,\|\, DID_i \oplus TID_i)$. However, in order to successfully guess $ID_i$, the attacker must know the random number $u$. Even though the attacker knows $D_i$, the attacker fails to compute $u = D_i \oplus H(Bio_i)$ because $H(Bio_i)$ is not public information. Therefore, our proposed scheme can withstand an off-line identity guessing attack.
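As an added illustration of the session key verification process described above (example code, not part of the paper), the following Python models the GWN-to-user leg: GWN sends $\langle k_i, M_{G,U_i}, T_4 \rangle$, and $U_i$ recovers $R$ from $k_i \oplus HPW_i \oplus HID_i$, rebuilds $K_S$ and checks $M^*_{G,U_i}$ before accepting the key. SHA-256 stands in for $h(\cdot)$, $f(DID_i, R)$ is modelled as a hash of both inputs, and all key and identity values are constructed sample data; these are assumptions, not the paper's instantiation.

```python
import hashlib
import secrets
from typing import Optional, Tuple

def h(*parts: bytes) -> bytes:
    """h(a||b||...): SHA-256 stands in for the paper's one-way hash h(.)."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample values (not from the paper). K is the GWN's secret key;
# TID_i, DID_i and HID_i are the user's temporary/dynamic/hidden identities, and
# HPW_i is chosen so that HPW_i = HID_i xor h(TID_i||K), as the scheme requires.
K = h(b"constructed-gwn-secret-key")
TID_i = h(b"constructed-TID_i")
DID_i = h(b"constructed-DID_i")
HID_i = h(b"constructed-HID_i")
HPW_i = xor(HID_i, h(TID_i, K))

def session_key(R: bytes) -> bytes:
    """K_S = f(DID_i, R); f is modelled as a hash of both inputs (assumption)."""
    return h(DID_i, R)

def gwn_reply(R: bytes, T4: bytes) -> Tuple[bytes, bytes]:
    """GWN side: k_i = R xor h(TID_i||K) and M_{G,Ui} = h(K_S||k_i||T4)."""
    k_i = xor(R, h(TID_i, K))
    return k_i, h(session_key(R), k_i, T4)

def user_verify(k_i: bytes, M_G_Ui: bytes, T4: bytes) -> Optional[bytes]:
    """U_i side: recover R, rebuild K_S and M*_{G,Ui}; accept K_S only on a match."""
    R = xor(xor(k_i, HPW_i), HID_i)      # k_i xor HPW_i xor HID_i = R
    K_S = session_key(R)
    M_star = h(K_S, k_i, T4)
    if not secrets.compare_digest(M_star, M_G_Ui):
        return None                      # verifier mismatch: reject the session key
    return K_S

def demo() -> bool:
    """Honest run is accepted; a tampered k_i or a replayed T4 is rejected."""
    R, T4 = secrets.token_bytes(32), b"T4:constructed-timestamp"
    k_i, M = gwn_reply(R, T4)
    accepted = user_verify(k_i, M, T4) == session_key(R)
    forged_k = bytes([k_i[0] ^ 1]) + k_i[1:]
    rejected = (user_verify(forged_k, M, T4) is None
                and user_verify(k_i, M, b"T4:replayed") is None)
    return accepted and rejected
```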

Authentication Proof Using BAN Logic
In this subsection, we use BAN logic to verify the legitimacy of the session keys distributed to the participants who communicate in the proposed scheme. BAN logic [36] is a well-known formal logic for analyzing the security of cryptographic protocols. The basic notation of BAN logic is as follows.
• $U \triangleleft C$: U sees condition C.
• $U \mid\equiv C$: Condition C is believed by U.
• $\#(C)$: C is fresh.
• $U \mid\sim C$: U once said (expresses) condition C.
• $U \xleftrightarrow{K} S$: U and S share a secret key K.
• $U \Rightarrow C$: Condition C is handled by U, i.e., U has jurisdiction over C.
• $(C)_K$: Perform the hash operation on C using K.
BAN logic also offers five logic rules as follows.
• Rule 1. Message-meaning rule: if U trusts that the key K is shared with S, and U sees C combined with K, then U trusts that S once said C.
• Rule 2. Nonce-verification rule:

$$\frac{U \mid\equiv \#(C),\ U \mid\equiv S \mid\sim C}{U \mid\equiv S \mid\equiv C}$$

if U trusts the freshness of C and U trusts that S once said C, then U trusts that S trusts C.
• Rule 3. Jurisdiction rule: if U trusts that S has jurisdiction over C, and U trusts that S trusts condition C, then U also trusts C.
Through our analysis, we intend to satisfy the following four goals.

• Goal 1:
Next, all transmitted messages can be transformed into an idealized form as follows.
In order to analyze our authentication mechanism, we define some assumptions as follows.
Now, we describe our main proof as follows. In describing the proof, we use the predefined information, including the five logic rules, four messages and ten assumptions.

• According to Message 1, we could derive the following:
• Based on V4, V8 and the session key $K_S = f(DID_i, k_i \oplus HPW_i \oplus HID_i)$, we derive:
• Based on Assumption A9, V17 and Rule 5, we derive:
• Based on Assumption A10, V18 and Rule 5, we derive:
The above description clearly shows that $U_i$, GWN and $S_j$ achieve the mutual authentication property. In addition, based on Goal 1, Goal 2, Goal 3 and Goal 4, we can be assured that the session key $K_S$ is securely shared between them.

Formal Security Proof of the Proposed Scheme
In this section, we demonstrate that the proposed scheme is secure through a formal proof in the random oracle model. First, we specify a cryptographic one-way hash function as follows.

Definition 1.
A hash function $f: \{0,1\}^* \to \{0,1\}^n$ is a one-way function [38,39] that takes an input $x \in \{0,1\}^*$ of arbitrary length and outputs a fixed-length bit string $f(x) \in \{0,1\}^n$, which is referred to as the "message digest" or "hash value". When using cryptographic hash functions, the following three common levels of security must be considered:

• Preimage resistance: given the hash value $y = h(x)$ and the hash function $h(\cdot)$, it is computationally infeasible to recover the input $x$.
• Second-preimage resistance: given an input $x$, it is computationally infeasible to find another input $x' \neq x$ with $f(x') = f(x)$.
• Collision resistance: it is computationally infeasible to find a pair of inputs $(x, x')$ with $x \neq x'$ such that $f(x) = f(x')$.
The proof uses the following random oracle.
• Reveal: Given the hash result $y = h(x)$, this random oracle unconditionally outputs the input $x$.
Theorem 1. A one-way hash function $h(\cdot)$ is assumed to operate like an oracle. Under this assumption, our proposed mechanism is provably secure against an attacker $\mathcal{A}$ in protecting $U_i$'s personal information, such as the identity $ID_i$, password $PW_i$, biometrics $Bio_i$ and the GWN's secret key $K$.

Based on the total cost results in Table 3, we performed an experiment on the execution time to obtain an objective comparison between our scheme and other related schemes [10,12–15]. The following methods are generally used to measure the execution time of an authentication protocol: (i) determine the computational overhead; (ii) measure the execution time of the cryptographic operations used in the protocol; and (iii) substitute the measured time obtained in (ii) into (i). We measured the execution times using these methods, and the results are shown in the execution time field of Table 3.
The results of the simulations in Li et al.'s and Wazid et al.'s research [40,41] show that the actual execution times for the cryptographic one-way hash function $T_H$ and the ECC multiplication $T_E$ are 0.0005 s and 0.063 s, respectively. In addition, according to [41], the execution time of the fuzzy extractor operation $T_F$ is almost the same as that of the ECC multiplication operation $T_E$, so we assumed that the time consumption of these two operations is the same. On the other hand, the XOR operation $T_X$ is not considered in our measurement because its execution time is extremely short. Based on $T_H \approx 0.0005$ s, $T_E \approx 0.063$ s, $T_F \approx 0.063$ s and the total computation cost, we finally analyze the execution time. As shown in Table 3, the execution time of our proposed scheme is only 0.017 s ($34T_H \approx 34 \times 0.0005$ s), so its overhead can be considered negligible. In contrast, the execution times of Kim et al.'s scheme [13], Chang et al.'s scheme [14] and Park and Park's scheme [15] are 0.0185 s ($37T_H \approx 37 \times 0.0005$ s), 0.0185 s ($37T_H \approx 37 \times 0.0005$ s) and 0.4605 s ($39T_H + 3T_F + 4T_E \approx 39 \times 0.0005$ s $+ 7 \times 0.063$ s), respectively. Therefore, our scheme turns out to be slightly more efficient than these schemes [13–15]. Although our scheme requires slightly more computation time than Khan and Alghathbar's scheme [10] and Vaidya et al.'s scheme [12], this is acceptable because our scheme offers more effective security features and a higher security level, as shown in Table 2.

Conclusions
In this paper, we have demonstrated that Chang et al.'s scheme has a number of critical weaknesses, and we have proposed an authentication mechanism with enhanced security to overcome them. Our proposed scheme has been thoroughly verified with respect to a variety of security features, and the proof results demonstrate that our scheme can guarantee protection against various types of attacks, even if the smart card is stolen by an attacker. In addition, a performance comparison between the proposed scheme and the schemes proposed in other studies was carried out, and we consider that our proposed scheme has sufficient efficiency for WSNs.