Improving Biometric-Based Authentication Schemes with Smart Card Revocation/Reissue for Wireless Sensor Networks

User authentication in wireless sensor networks is more difficult than in traditional networks owing to sensor network characteristics such as unreliable communication, limited resources, and unattended operation. For these reasons, various authentication schemes have been proposed to provide secure and efficient communication. In 2016, Park et al. proposed a secure biometric-based authentication scheme with smart card revocation/reissue for wireless sensor networks. However, we found that their scheme was still insecure against impersonation attack, and had a problem in the smart card revocation/reissue phase. In this paper, we show how an adversary can impersonate a legitimate user or sensor node, illegal smart card revocation/reissue and prove that Park et al.’s scheme fails to provide revocation/reissue. In addition, we propose an enhanced scheme that provides efficiency, as well as anonymity and security. Finally, we provide security and performance analysis between previous schemes and the proposed scheme, and provide formal analysis based on the random oracle model. The results prove that the proposed scheme can solve the weaknesses of impersonation attack and other security flaws in the security analysis section. Furthermore, performance analysis shows that the computational cost is lower than the previous scheme.


Introduction
Wireless Sensor Networks (WSNs) generally consist of gateways, users, and a large number of sensor nodes. The sensor node is tiny and can be easily deployed in various kinds of severe environments. However, each sensor node has limited resources, is lacking in memory, has low computational capabilities and short radio transmission range [1]. Data collected from sensor nodes in WSNs sometimes include valuable and classified information such as the environmental surrounding the wartime, a patient's personal information, monitoring information of museums, and the power company's voltage variation monitoring data. To ensure the confidentiality and reliability of deployed WSNs, only registered and legitimate users should be able to access them. In addition, establishing secure protocol actively requires a mutual authentication between the user and the sensor node. For these reasons, secure user authentication is one of the major issues in WSNs.
To support message confidentiality and secure authentication for sensor networks, various authentication schemes for WSNs have been proposed. However, a problem that occurs with respect to password-based authentication schemes is that a server must maintain a password table to legitimately verify a login user. Therefore, the server requires additional memory space to store the password table. For this reason, many researchers have proposed a new type of remote user authentication scheme whereby personal biological characteristics are used, such as a fingerprint or an iris. The main advantage biometrics is uniqueness. A smart card can be used as a tool to store biometric information. Since the smart card has its own calculation function, it can operate at more than one level. In 2004, Watro et al. [2] proposed a user authentication scheme using the RSA and DH algorithms for WSNs. After that, Wong et al. [3] proposed a hash-based dynamic user authentication scheme in 2006. However, Tseng et al. [4] found that Wong et al.'s authentication scheme was vulnerable to replay, stolen verifiers, and forgery attacks. In 2009, Das [5] proposed and claimed that his scheme can resist various real-time attacks. Unfortunately, He et al. [6] found that Das's scheme was vulnerable to insider and impersonation attacks, and proposed an improved two factor scheme to solve these security problems. In the same year, Khan and Alghathbar [7] demonstrated that Das's scheme did not provide mutual authentication, and was vulnerable to gateway bypassing and privileged insider attacks, and Chen et al. [8] also found that Das's scheme did not provide mutual authentication between the gateway and the sensor, proposed a robust mutual authentication scheme for WSNs, and claimed that their scheme provides greater security than Das's scheme. In 2010, Yuan et al. [9] proposed a biometric-based user authentication scheme. However, Yoon et al. demonstrated that Yuan et al.'s scheme was vulnerable to insiders, user impersonation, gateway node impersonation and sensor node impersonation attacks. To solve these problems, Yoon et al. [10] proposed an improved user authentication scheme. Unfortunately, He et al. [11] found that Yoon et al.'s scheme was still vulnerable to denial of service (DoS) and sensor impersonation attacks, and then proposed an improved scheme to overcome these security problems.
In 2013, Yoon and Kim [12] pointed out that He et al.'s scheme had various security vulnerabilities such as poor repairability, and was vulnerable to user and sensor node impersonation attacks. They then proposed an advanced biometrics-based user authentication scheme for WSNs. They claimed that their scheme was more effective and had stronger security than other related schemes. However, Choi et al. [13] found that Yoon and Kim's scheme [12] had various security problems, including a biometric recognition error, a user verification problem, lack of anonymity, perfect forward secrecy, session key exposure by the gateway node, vulnerability to DoS attacks, and a revocation problem. To overcome these vulnerabilities, they proposed a biometric-based user authentication scheme using a fuzzy extractor, and claimed that their scheme is more secure than other authentication schemes. Unfortunately, Park et al. [14] demonstrated that Choi et al.'s scheme [13] was still insecure against user impersonation attacks, and had security weakness in the revocation/reissue phase. They then proposed an enhanced biometric-based authentication scheme for WSNs that has improved security functions. After careful analysis, however, we found that Park et al.'s scheme [14] was still insecure against impersonation attack, and also had a problem in the smart card revocation/reissue phase.
In this paper, we show how an adversary can impersonate a legitimate user or a sensor node, and perform an illegal smart card revocation/reissue. After demonstrating these problems, we propose an improved biometric authentication scheme. Finally, we analyze our proposed scheme for security properties and computational cost. The proposed scheme is more secure and efficient than other related authentication schemes.
The rest of this paper is organized as follows. In Section 2, we briefly introduce the elliptic curve cryptosystem, threat assumptions and fuzzy extractors that we adopt in our scheme. In Sections 3 and 4, we review and analyze, respectively, Park et al.'s scheme [14]. In Section 5, we propose an improved authentication scheme for WSNs. In Section 6, we present a security analysis of the proposed scheme. Section 7 shows performance analysis comparing our scheme with previous schemes. Our conclusions are presented in Section 8.

Preliminaries
In this section, we briefly introduce the elliptic curve cryptosystem, threat assumptions, and fuzzy extractor.

Elliptic Curve Cryptosystem
The elliptic curve cryptosystem (ECC) was first proposed by Koblitz [15] and Miller [16] to design public key cryptosystems, and presently it is widely used in several cryptographic schemes to provide desired levels of security and performance. An elliptic curve E K defined over a field K of the characteristic = 2 or 3 is the set of solutions (x, y) ∈ K 2 to the equation: Cryptosystems based on GF(q) * can be translated to systems using the group E, where E is an elliptic curve defined over a GF(q). The point multiplications kP = (P + P + ... + P, k times) that means k times addition of point P. Given an elliptic curve E defined over a GF(q) and two points P, Q ∈ E, it finds an integer x such that Q = xP, if such x exists. This problem proved to be more intractable than the typically discrete logarithm problem. The details of the ECC definitions can be found in [15]. There are several computational problems based on ECC which are presented below: Definition 1. The elliptic curve discrete logarithm problem (ECDLP) is defined as: given two elements Q, R ∈ G p , find an integer k ∈ [1, n − 1] such that R = kQ.

Definition 2.
The computational Diffie-Hellman problem (CDHP) is defined as: given three elements (P, aP, bP) for any a, b ∈ [1, n − 1], computation of abP is very hard to the group G p . Definition 3. The elliptic curve factorization problem (EC FP) is defined as: given two elements P, Q ∈ G p , where Q = sP + tP and (s, t) ∈ [1, n − 1], then computation of sP and tP is impossible.

Definition 5.
The weak Diffie-Hellman problem (WDHP) is defined as: for Q ∈ G p and some k ∈ [1, n − 1] from the given three elements (P, Q, kP), computation of kQ is very hard.

Threat Assumptions
We introduce the Dolev-Yao [17] and some threat model [18,19], and consider the risk of side channel attack [20] to construct the threat assumptions, which are described as follows: 1. An adversary A can be either a user, gateway, or sensor node. Any registered user can act as an adversary. 2. An adversary A can eavesdrop every communication in a public channel, thereby capturing any message exchanged between a user and gateway or sensor node. 3. An adversary A has the ability to alter, delete or reroute the captured message. 4. Information can be extracted from the smart card by examining the power consumption of the card.

Fuzzy Extractor
In this subsection, we describe the basis for a biometric-based fuzzy extractor, which converts biometric information data into a random value. Based on [21][22][23], the fuzzy extractor is given by two procedures (Gen, Rep). The mechanism of a fuzzy extractor consists of two procedures (Gen, Rep), which is demonstrated as: The function Gen is a probabilistic generation procedure, which on biometric input BIO outputs an "extracted" string R ∈ {0, 1} l and an auxiliary string P ∈ {0, 1} * . Rep is a deterministic reproduction procedure, which recovery of R from the corresponding auxiliary string P, and any vector BIO * close to BIO. The detailed information about fuzzy extractors can be founded in the literature [24].

Review of Park et al.'s Authentication Scheme
In this section, we review Park et al.'s authentication scheme [14]. The notations used in the paper are listed in Table 1. The GW generates two master keys, x and y, and provides a long-term secret key h(SID j ||y) to the sensor S j before the scheme is executed. Their scheme involves three parties, i.e., the user U i , the gateway GW and the sensor S j , to communicate with each other to perform the following three phases: registration, login/authentication, and revocation/reissue. Table 1. Notations used in this paper.

Term Description
encryption or decryption with key k GW gateway node G 1 cyclic groups of order q h(·) hash function h(SID j ||y) long-term secret of S j generated by GW ID i actual identity of U i P generator of G 1 r i , r 1 , r 2 random number generated by U i r s random number generated by S j S j sensor node j SC i smart card of user U i SID j identity of S j T i time stamp up i i-th update phase x, y two master keys of GW RM Response to the query message concatenation operation ⊕ bitwise XOR operation

Registration Phase
In this phase, a user U i chooses an identity ID i , imprints biometric template B i , and then performs the following steps: 1. U i computes R i , P i = Gen(B i ) and A i = h(R i ). U i then sends ID i , A i to the gateway GW. 2. Upon receiving ID i , A i from U i , GW computes the authentication parameters as: 3. GW stores h(·) and the authentication parameters; GW then issues SC i to U i through a secure channel. 4. After receiving the smart card from GW, U i stores P i in the smart card.

Login and Authentication Phase
If a user U i wants to log in to the GW and S j , U i performs the login phase, and then U i , GW and S j verify each other's authenticities. Finally, U i and S j generate a session key in this phase as follows: 1. U i enters ID i and imprints biometric template B * i . SC i then computes R * i , A * i and V * i using fuzzy extraction, and compares V * i with V i as: If this holds, GW verifies the legitimacy of U i . 5. GW picks up T g and computes k g , C g and W g , GW then sends the authentication message M 2 = AID i , C g , T g , W g to S j . 6. When receiving M 2 from GW, S j retrieves T , and verifies T − T g ≤ T. If this holds, S j verifies the validity of W g by comparing it with h(h(SID j ||y)||AID i ||C g ||T g ) to check the legitimacy of GW. After that, S j computes k * g , and decrypts C g using k * g . S j then checks the validity of the received AID i by comparing AID * i as: 7. S j generates a random number r s and computes K SU , Y i and a session key sk. S j then picks up T s and computes RM, V s as: Upon receiving M 3 , U i retrieves T s , and checks the sameness of V s . U i then computes K US and sk as: Only the legitimate U i can compute K US and sk. U i then accepts RM. Finally, U i and S j can communicate securely using the common sk.

Revocation or Reissue Phase
To make up for smart card loss or long term key disclosure, the smart card should be revoked and reissued in cycles.
1. U i who wants to revoke and reissue a smart card inputs the previous identity ID i and the new identity ID * i to prevent adversaries from registering with the same identity ID i . Then, U i imprints biometric template B i and computes and checks the legitimacy of the user as: 4. If this holds, GW revokes ID i and records it on the revocation look-up table. Then, GW computes new authentication parameters V i , N i and C i as:

GW stores h(·) and the new authentication parameters;
GW then reissues SC i to U i through a secure channel. 6. U i stores P i in the smart card.

Cryptanalysis of Park et al.'s Authentication Scheme
In this section, we analyze the security problems of Park et al.'s scheme [14]. Park et al. cryptanalyzed a scheme of Choi et al. [13] and improved it to support better security functionality. However, we found that Park et al.'s scheme [14] was still insecure against impersonation attack and had a problem with smart card revocation/reissue. The following attacks are based on the threat assumptions that a malicious adversary A was completely monitored through the communication channel connecting U i , GW and S j in the login and authentication phases, and that the A obtained the information saved in their own smart card [20]. A therefore can eavesdrop, modify, insert, or delete any message transmitted over a public channel. We now reveal the details of these problems.

User Impersonation Attack
1. Let A be an active adversary who is he/she legal user and owns a smart card to extract information V a , N a , C a , h(·), P a . 2. A then imprints one's biometric template B * a and computes R * a = Rep(B * a , P a ) and A * a = h(R * a ). 3. A generates a random number r A , and selects any identity ID i . A then computes login request message M 1 as: A then sends the login request message If this holds and ID i does exist in the database, the gateway GW continues to proceed the scheme without detected. Otherwise, A selects another identity nominee and performs the same processes until he/she locates the valid identity. 5. GW picks up T g and computes k g , C g and W g : GW then sends the authentication message M 2 = AID i , C g , T g , W g to S j . 6. Upon receiving M 2 from GW, S j retrieves T and verifies T − T g ≤ T. If this holds, S j verifies the validity of W g by comparing it with h(h(SID j ||y)||AID i ||C g ||T g ) to check the legitimacy of GW. After that, S j computes k * g and decrypts C g using k * g . S j then checks the validity of the received AID i by comparing AID * i as 7. S j generates a random number r s and computes K SU , Y i and a session key sk. S j then computes RM, V s as: where T s is current timestamp. S j then sends M 3 = RM, Y i , V s , T s to A. 8. After receiving M 3 , A retrieves T s , and checks the sameness of V s . Then, A computes K US and sk as: Lastly, A and S j "successfully" agree on a session key sk. Unfortunately, the sensor S j mistakenly believes that he/she is communicating with the legitimate user U i .

Sensor Node Impersonation Attack
Park et al. [14] claimed that if A wants to masquerade as the sensor node S j , A is required to compute h(SID j ||y). This is because the symmetric key the legitimate user U i , A then can easily impersonate the sensor node S j .
1. After receiving M 2 from GW, A generates a random number r a and computes K AU , Y a , RM, V a and a session key sk as: where T a is current timestamp. A then sends M 3 = RM, Y a , V a , T a to U i . 2. Upon receiving M 3 from A, U i retrieves T a and checks the sameness of V a . Then, U i computes K U A and sk as: Lastly, U i and A "successfully" agree on a session key sk. Unfortunately, the user U i mistakenly believes that he/she is communicating with the legitimate sensor S j .

Illegal Smart Card Revocation/Reissue Attack
Park et al. [14] claimed that, although A could get the identity ID i in some way, GW checks the legitimacy of the user on the requested identity, and A cannot compute M i and the revocation/reissue request message Z i without the biometric information of U i . However, A can modify the revocation/reissue request message. This is because GW cannot distinguish whether or not the user who wishes to revoke ID i is the real user U i .

Suppose
A owns a smart card to extract information V a , N a , C a , h(·), P a and obtains the identity ID i of the legitimate user U i by using a user impersonation attack. 2. Next, A imprints the personal biometric information B a at the sensor. The sensor hence sketches B a and extracts R a , P a from Gen(B a ) → R a , P a . 3. A computes A * a = h(R a ) and Z i = ID i ⊕ N a ⊕ A * a and sends the revocation/reissue request and checks the legitimacy of the user as: 5. If this holds, GW revokes ID i and records it on the revocation look-up table. Then, GW computes new authentication parameters V i , N i and C i as: 6. GW stores the new authentication parameters V i , N i , C i , h(·) in the smart card SC i . GW then reissues SC i to A through a secure channel. 7. A stores P a in the smart card.
Adversary A can revoke the smart card of an authenticated user who does not wish the said smart card to be revoked without permission because GW has no proper process for checking the legitimacy of the user on the previous identity ID i .

The Proposed Scheme
In this section, we will propose a new biometric-based password authentication scheme using a smart card. In our scheme, there are also three participants, the user U i , the gateway GW and the sensor S j . The GW generates two master keys x and y, and sends a long-term secret key h(SID j ||y) to the sensor S j before the scheme is executed. After that, GW computes x × P where xP is the public key of the gateway. The proposed scheme consists of three phases: registration, login and authentication, and revocation/reissue.

Registration Phase
In this phase, a user U i chooses an identity ID i , imprints biometric template B i at the sensor, and then performs the following steps: 1. The sensor sketches B i , extracts R i , P i from Gen(B i ) → R i , P i , and stores P i in the memory.
U i then sends ID i , A i = h(R i ) to GW over a secure channel. 2. When receiving the registration request message ID i , A i from U i , the gateway GW computes the authentication parameters as: 3. GW stores the authentication parameters M i , N i , V i , h(·) in the smart card SC i . GW hence issues SC i to U i via a secure channel. 4. Lastly, U i stores P i in the smart card. Figure 1 illustrates the registration phase of the proposed scheme.

Login and Authentication Phase
In this phase, U i performs the login phase, and hence U i , GW and S j verify each other's authenticity. Finally, U i and S j generates a common session key in this phase as follows: 1. U i inserts his/her smart card SC i into the card reader, inputs the identity ID i , and imprints the personal biometrics B * i at the sensor. 2. The sensor then sketches B * i and extracts R i from Rep(B * i , P i ) → R i . Then, SC i computes A * i and V * i using fuzzy extraction and compares V * i with V i as: 3. SC i generates random numbers r 1 and r 2 and hence computes where T i is current timestamp. Then, U i sends the login request message AID i , X i , M 1 , M 2 , M 3 , T i to GW.

Upon receiving a login request message from U i , GW retrieves T and verifies T − T i ≤ T.
If this is true, GW computes C * i , r * 2 , ID * i and M * 2 and compares C * i with h(ID * i ||x||y) and M * 2 with M 2 as: If this holds, GW verifies the legitimacy of U i . 5. GW computes k g , C g and W g , where T g is current timestamp. GW then sends the authentication message AID i , C g , T g , W g to S j . 6. When receiving the authentication message from GW, S j retrieves T and verifies T − T g ≤ T.
If this is true, S j verifies the validity of W g by comparing it with h(h(SID j ||y)||AID i ||C g ||T g ) to check the legitimacy of GW. After that, S j computes k * g , and decrypts C g using k * g . Then, S j checks the validity of the received AID i by comparing the computed AID * i as 7. S j generates a random number r s and computes K SU , Y i , RM, V s and a session key sk as: where T s is current timestamp. S j then sends RM, Y i , V s , T s to U i . 8. After receiving response message RM, Y i , V s , T s from S j , U i computes sk and checks whether V * s is equal to V s : The legitimate user U i can only compute K US and sk. U i and S j can communicate securely using the common session key sk. User U i GW node Sensor node S j ID i , smart card x, y, xP h(SID j y) Inserts smart card Inputs ID i and biometric B *

Revocation or Reissue Phase
To make up for smart card loss or long term key disclosure, the smart card should be revoked and reissued in cycles.
1. If U i wants to revoke and reissue a smart card, he/she inserts his/her smart card SC i into the card reader, inputs the previous identity ID i and the new identity ID * i to prevent adversaries from registering with the same identity ID i , and then imprints the personal biometrics B * i at the sensor.

The sensor then sketches B *
i and extracts R i from Rep(B * i , P i ) → R i . Then, SC i computes A * i and V * i using fuzzy extraction, 3. U i computes Z i = ID i ⊕ M i and sends the revocation/reissue request message ID i , ID * i , A i , Z i to GW over a secure channel. 4. GW first checks whether ID i is the same as ID * i or not. If they are different, GW computes M * i , Z * i and checks the legitimacy of the user as:

If this is true, GW revokes ID i and records it on the revocation look-up table. Then, GW
computes new authentication parameters V i , N i and C i as:

GW stores h(·) and the new authentication parameters
GW then reissues SC i to U i through a secure channel. 7. U i stores P i in the smart card. Figure 3 illustrates the revocation/reissue phase of the proposed scheme.
Inputs P i into the smart card

Security Analysis
In this section, we demonstrate that the proposed scheme, which retains the merits of Park et al.'s scheme [14], can withstand several types of possible attacks; and we also show that the scheme supports several security properties. The security analysis of the proposed scheme was conducted with the threat assumptions made in the Preliminaries.

Formal Security Analysis
In this subsection, we have demonstrated that the proposed scheme is secure through a formal proof using the random oracle model [18,25]. At first, we specify a collision-free one-way hash function as follows.
Definition 6. The collision-resistance one-way hash function f : {0, 1} * → {0, 1} n pick up an input as a binary string x ∈ {0, 1} * that has a random length, produces a binary string h(x) ∈ {0, 1} n , and gratifies the following requirements: • Given the y ∈ Y, it is not possible to find out computationally about x ∈ X such that y = h(x).

•
Given the x ∈ X, it is not possible to find out computationally about another It is not possible to find out computationally about a pair (x , x) ∈ X × X, with x = x, such that h(x ) = h(x).

Theorem 1.
According to the assumption that if the collision-free one-way hash function h(·) closely acts like an oracle, the proposed scheme is then distinctly secure against an adversary A for the protection of the sensitive information including the identity ID i , nearly random binary string r 2 and master secret key x, y of the gateway node GW.
Accept h(C i ) , X i , r 2 , T i as the correct of user U i 5.
Call the Reveal oracle.
Accept the C i as the correct of user U i 9.
Call the Reveal oracle. Let (ID i , x , y ) ← Reveal(C i ) 10. Compute Accept x , y as the correct secret key x, y of gateway node GW 13.

Simulation for Formal Security Verification Using the AVISPA Tool
In this subsection, we simulate the proposed scheme using the widely accepted AVISPA for the formal security verification. The main purpose of the simulation is to verify whether the proposed scheme is secure to replay and man-in-the middle attacks. The AVISPA tool consists of four back-ends: (i) On-the-fly Model-Checker (OFMC); (ii) Constraint-Logic-based Attack Searcher; (iii) SAT-based Model Checker; and (iv) Tree Automata based on Automatic Approximations for the Analysis of Security Protocols. In the AVISPA, the protocol is implemented in HLPSL [26], which is based on: the basic roles for representing each participant role and composition roles for representing the scenarios of the basic roles. The basic types available in the HLPSL are [27]: • agent : The agent denotes a principal name. The intruder always has the special identifier i. • symmetric_key : The symmetric_key is the key for a symmetric-key cryptosystem. • text : The text values are often used as nonces. They can also be applied for messages. • nat : The nat is used for denoting the natural numbers in non-message contexts. • const : This type represents constants. • hash_func : The base type hash_func represents cryptographic one-way hash functions.
The role of the initiator, the user U i , is provided in Algorithm 2. The U i first receives the start signal and updates its state value from 0 to 1. The state value is maintained by the variable State. In a similar way, the roles of the gateway GW and sensor node S j of the proposed scheme are implemented and shown in Algorithm 3 and 4, respectively. The specifications in HLPSL language for the role of session, goal, and environment are specified in Algorithm 5. The simulation result for the formal security verification of the proposed scheme using CL-AtSe is shown in Algorithm 6. It is clear that the proposed scheme is secure to passive and active attacks including the replay and man-in-the middle attacks.   Table 2 compares the security features provided by the proposed scheme with other related schemes.

User Anonymity
Suppose an adversary A intercepts the login request message AID i , X i , M 1 , M 2 , M 3 , T i of a legitimate user U i . However, ID i cannot be derived from AID i without the knowledge of a random number r 2 ; furthermore, the r 2 cannot be derived from M 1 without a hash value h(C i ) = h(h(ID i ||x||y)). The U i and GW can only compute h(C i ). The proposed scheme therefore provides user anonymity.

Mutual Authentication
The proposed scheme not only guarantees secrecy as the other authentication scheme, but also U i , S j and GW authenticate each other. GW authenticates U i by checking whether M 2 is valid or not because only a legitimate user can compute a valid h(C i ) using a biometric template. Then, S j authenticates GW by checking W g , which only GW can compute using the shared long-term key h(SID j ||y) and the time stamp T g . Finally, the U i authenticates S j by checking the validity of V s because only U i and S j can compute the session key sk.

Message Confidentiality
Message confidentiality is an important security aspect that provides secrecy by limiting the adversary's access to the message. Communication messages in the public channel do not affect the disclosure of secret values, such as ID i , r 1 , r 2 , r s and sk. A cannot compute important information from AID i , X i , M 1 , M 2 , M 3 , C g , W g , Y i and V s . Furthermore, T i , T g , T s and RM are basically public information, so they do not need to be protected.

Perfect Forward Secrecy
The perfect forward secrecy means that if one long-term key is compromised, a session key that is derived from these long-term keys will not be compromised in the future [28]. In our scheme, a session key sk between user U i and sensor S j is calculated as follows: Even if the gateway GW's long-term key (x, y) is compromised, adversary A cannot retrieve r 1 and r s to generate the session keys between U i and S j . The session key of our proposed scheme is based on a elliptic curve discrete logarithm problem (ECDLP). An adversary A cannot obtain r 1 × r s × P from r 1 × P and r s × P. Our scheme therefore provides the perfect forward secrecy.

User Impersonation Attack
Suppose A owns a smart card to extract information V a , N a , C a , h(·), P a and intercepts the login request message AID i , X i , M 1 , M 2 , M 3 , T i of legitimate user U i . A can then try modifying a login request message. Even if A guesses or obtains U i 's identity ID i , GW verifies whether C * i is equal to h(ID * i ||x||y). The A cannot compute C i and h(C i ), and then fails to impersonate a legitimate user U i . The proposed scheme therefore can resist user impersonation attack. 6.3.6. Gateway or Sensor Node Impersonation Attack If A wants to masquerade as the gateway node GW or a sensor node S j , the hash value h(SID j ||y) is needed. However, it is computationally difficult to guess h(SID j ||y) or k g correctly. Furthermore, even if A obtains the login request message AID i , X i , M 1 , M 2 , M 3 , T i , A does not know r 2 . Thus, V s = h(AID i ||r 2 ||Y i ||sk||RM||T s ) cannot be computed. The proposed scheme therefore can resist gateway or sensor node impersonation attack.

Illegal Smart Card Revocation/Reissue Attack
Even if A obtains the identity ID i of a legitimate user U i , A cannot compute h(C i ) without the value A i = h(R i ). Furthermore, GW checks the legitimacy of the user on the request identity by computing C * i = h(ID i ||x||y) and Z * i = ID i ⊕ h(C * i ) ⊕ A i . Therefore, even if A sends the revocation/reissue request message ID i , ID * i , A a = h(R a ), Z a = ID i ⊕ h(C a ) ⊕ A a to GW, A fails to revoke ID i and reissue the smart card with ID i . The proposed scheme therefore can resist an illegal smart card revocation/reissue attack.

Session Key Exposure by GW
The gateway GW can intercept communication messages and obtain both X i = r 1 × P and Y i = r s × P. However, GW cannot derive r 1 and r s and therefore cannot compute the common session key sk. This is because our proposed scheme based on the elliptic curve discrete logarithm problem (ECDLP).

Denial of Service Attack
In the proposed scheme, U i , S j and GW basically check for freshness of timestamp in each authentication step. Each message for verification such as M 2 , W g and V s includes the current timestamp T. Furthermore, each entity checks whether the calculated value is equal to the received value. The proposed scheme can resist denial of service attack.

User Verification Problem
GW checks for the sameness in the identity ID i to verify the status a legitimate user U i by computing C * i = h(ID * i ||x||y). Furthermore, U i can compute constant values including A i = h(R i ) as a result of the fuzzy extractor. GW can authenticate a legal user even if the user inputs slightly different biometric information B * i . Our proposed scheme therefore can prevent user verification problems.

Stolen Verifier Attack
In the proposed scheme, GW and S j do not store any identification, password table or user biometrics. GW stores only the master secret key (x, y), and S j stores only h(SID j ||y). The proposed scheme therefore can resist stolen verifier attacks.

Replay Attack
Even if the adversary A obtains the communication message, and sends them again with the current timestamps T i , T g , and T s , A cannot compute M 2 , W g , V s using the current timestamps. The proposed scheme therefore can resist replay attacks.

Performance Analysis
In this section, we compare the computational costs of the proposed scheme with the other related schemes [13,14,29,30]. Table 3 shows a comparison of the computational costs of the proposed scheme with the other related schemes. In the comparisons, XOR operations are not considered because these also can be ignored. Compared to Park et al.'s scheme [14], the proposed scheme performs three further hash operations and two elliptic curve computations. However, we reduce three encryption/decryption operations. Additionally, the proposed scheme provides the revocation and reissue phase, and can resist well-known attacks.