Securing Heterogeneous Wireless Sensor Networks: Breaking and Fixing a Three-Factor Authentication Protocol

Heterogeneous wireless sensor networks (HWSNs) are employed in many real-time applications, such as the Internet of sensors (IoS), the Internet of vehicles (IoV), healthcare monitoring, and so on. As wireless sensor nodes have constrained computing, storage and communication capabilities, designing energy-efficient authentication protocols is a very important issue in wireless sensor network security. Recently, Amin et al. presented an untraceable and anonymous three-factor authentication (3FA) scheme for HWSNs and argued that their protocol is efficient and can withstand the common security threats in this sort of network. In this article, we show that their protocol is not immune to user impersonation, de-synchronization and traceability attacks. In addition, an adversary can disclose the session key under the typical assumption that sensors are not tamper-resistant. To overcome these drawbacks, we improve Amin et al.'s protocol. First, we informally show that our improved scheme is secure against the most common attacks in HWSNs, among them the attacks against Amin et al.'s protocol. Moreover, we formally verify the proposed protocol using the BAN logic. Compared with Amin et al.'s scheme, the proposed protocol is both more efficient and more secure, which renders it suitable for HWSNs.


Introduction
In wireless sensor networks (WSNs), many sensor nodes are scattered over a defined area [1]. These networks can be categorized into two important classes: homogeneous and heterogeneous sensor networks. On the one hand, in homogeneous sensor networks, all the sensor nodes are equal in terms of energy and hardware complexity. On the other hand, heterogeneous sensor networks (HWSNs) include various types of wireless sensor nodes with different capabilities and functions. In HWSNs, the sensors share their functions and increase the reliability of the network without increasing the cost of implementation [2][3][4][5]. Some of these sensors are low-cost and low-power and consequently have constrained computational power, transmission range, storage capacity and battery life [6]. There is therefore a clear need to design energy-efficient protocols for such networks. In an HWSN, users communicate with the sensor nodes to acquire the data of their interest. Therefore, user and sensor node authentication is an important line of research in HWSN security which has recently attracted interest from the network security research community. In an HWSN, the gateway node (GWN) plays an essential part in the authorization procedure, since this element is the connection (input/output) with all the elements outside the network. As shown in Figure 1, there are five models for authenticating users and sensor nodes in HWSNs [7]. In these five schemes, a user, a gateway node and a sensor node implement the authentication protocol by exchanging four messages (e.g., Figure 1(a.1-a.4)). In each scheme, there are four steps: (1) the gateway node authenticates the user (e.g., Figure 1(a.1)); (2) the sensor node authenticates the legitimate user and the gateway node (e.g., Figure 1(a.2)); (3) the sensor node verifies the legitimacy of the gateway node (e.g., Figure 1(a.3)); and finally, (4) in the last step, the user authenticates the legitimate sensor node (e.g., Figure 1(a.4)).
Since HWSN nodes face many limitations in power consumption and communication range, models in which a user and a sensor are a long way apart are not practical (Figure 1e,b,d) [8,9]. To tackle the security challenges of HWSNs, we need schemes that are both lightweight enough and secure. In the literature, authentication protocols are the most commonly adopted solution [7,10,11,12,13,14]. Unfortunately, most of them do not provide the required security, present important security pitfalls, or are not energy-efficient. In this vein, Amin et al. recently presented an untraceable and anonymous 3FA scheme for HWSNs. They used the model depicted in Figure 1a to design their protocol and asserted that their protocol can resist all common attacks known in the context of HWSNs [15]. Nevertheless, in this article, we cryptanalyze this protocol and show that it is vulnerable to user impersonation, de-synchronization and session key disclosure attacks, and also that the adversary can trace the user. In order to hinder these attacks, we improve Amin et al.'s protocol.

Our Contribution
The contributions of this article are summarized as follows:
• First, we present several serious security attacks against Amin et al.'s scheme [15]. Our proposed attacks include de-synchronization, user impersonation, user traceability and session key disclosure attacks.
• In order to increase the security level offered by Amin et al.'s protocol, we remedy the security faults found in their scheme.
• The security of the proposed scheme has been scrutinized from both a formal and an informal point of view. The attacks found in Amin et al.'s protocol and other common security attacks have been considered in the design of the new protocol.
• The efficiency of our proposal is higher than that offered by Amin et al.'s scheme. Therefore, our scheme can be used for resource-constrained sensors such as those employed in HWSNs.

Paper Organization
The organization of the article is as follows. In Section 2, some related work is presented. Section 3 introduces the required preliminaries and notation. We review Amin et al.'s protocol in Section 4. Section 5 shows the security pitfalls of this scheme. We propose the improved scheme in Section 6. Then, we discuss the security of the proposed protocol informally in Section 7, while, in Section 8, a formal analysis is presented. Finally, we draw some conclusions in Section 9.

Related Work
In a wireless sensor network, to allow a legitimate user to obtain information from a target sensor, the system needs to verify the validity of the user by running an authentication protocol. In this section, we briefly discuss some existing schemes that aim to increase the security level of these networks.
Two-factor Authentication Schemes: Several two-factor authentication (2FA) schemes have been proposed for WSN, where the login phase of these protocols is based on passwords and smartcards.
In 2006, Wong et al. [16] presented a 2FA protocol based on a hash function for wireless sensor networks, but the authors of [11] found that the protocol suffers from serious security pitfalls (i.e., replay, stolen-verifier and forgery attacks). To overcome these important weaknesses, the authors of [11] proposed a new 2FA protocol based on passwords and smartcards. However, this protocol is also not immune to denial-of-service attacks, and its nodes can be compromised [17].
In 2010, to improve the protocol of [11], Chen et al. [10] presented a bilateral authentication protocol in which three entities are involved (i.e., users, sensor nodes and the gateway node). In the same year, Khan et al. [12] showed that [11] fails in the authentication and in the key updating mechanism and presented a new protocol that they claimed hinders the mentioned attacks. Later, Vaidya et al. [18] introduced several security vulnerabilities in [10][11][12] under the stolen smartcard assumption. In 2013, Xue et al. presented a mutual authentication protocol based on temporal credentials, which relies mainly on hash functions [7]. Nevertheless, He et al. [19] showed that the protocol of [7] is not resistant to user node and sensor node impersonation attacks and proposed a new temporal-credential-based protocol to overcome these weaknesses. In addition, Mir et al. [20] compromised the security of the healthcare system designed by He et al. [21], uncovering impersonation and password disclosure attacks. Turkanovic et al. [22] presented another bilateral authentication scheme in the context of HWSNs. However, Amin and Biswas [23] examined the Turkanovic et al. scheme, identified certain security problems (e.g., offline identity and password guessing attacks) and claimed to remove these security pitfalls in an efficient protocol. In the same year, Farash et al. [6] also showed some security shortcomings in [22] and proposed a new lightweight protocol. In the context of lightweight cryptography, Gope et al. [24] presented a 2FA protocol with special security features, including user anonymity and forward/backward secrecy. Soon after, the authors of [25] analyzed Gope et al.'s protocol and presented a session key disclosure attack against it.
Three-Factor Authentication Schemes: In 2016, Amin et al. [26] pointed out that the Farash et al. protocol is susceptible to a number of attacks and proposed a new mechanism which was claimed to be resistant to these attacks. To fix the security flaws of 2FA protocols, Amin et al. proposed a three-factor authentication (3FA) scheme based on a password, a smartcard and a biometric trait linked to the legitimate user. However, Arasteh et al. [27] proposed replay and denial-of-service (DoS) attacks against Amin et al.'s scheme. In 2017, the authors of [28] presented a smartcard loss attack against Amin et al.'s 3FA protocol [26]. They also showed that the attacker can reveal the session keys of other sessions of the protocol. To overcome the security flaws of this protocol, they proposed an enhanced scheme based on Rabin's cryptosystem. In the same year, Jiang et al. [29] presented a solution to enhance the security of another 3FA protocol [30] that suffers from important security faults, including traceability, identity guessing, offline password guessing, user impersonation and server impersonation attacks.
Chang et al. [31] found several vulnerabilities in the Turkanovic et al. 2FA protocol [22] and presented an enhanced scheme, but that scheme was shown to be vulnerable to a wide set of attacks such as traceability, information disclosure and session key attacks [15]. Eventually, Amin et al. [15] presented a new untraceable and anonymous 3FA scheme for HWSNs, which was argued to be an improved version of the Chang et al. scheme. Nevertheless, in this article, we scrutinize the security of this 3FA protocol and show that it is vulnerable to user impersonation, de-synchronization and session key disclosure attacks, and also that the adversary can trace the user. To prevent these attacks, we upgrade Amin et al.'s protocol and analyze its security from both a formal and an informal perspective.
Privacy Schemes: In some of the protocols mentioned, the authors have stated that their schemes can preserve the user's privacy. To do this, the user's identifier is encoded using a dynamic identity. This anonymous identifier is used when the user communicates with the gateway node, and this information is useless for the attacker to reveal the user's identity [24]. In detail, in schemes [7,32,33], the authors claim that their proposals preserve users' privacy. Unfortunately, all of them fail in this purpose [24].
Threat Model: Our threat model mainly follows the Dolev-Yao model [34]. Therefore, the adversary can intercept, modify, delete and change any of the messages transmitted over the insecure communication channel. The adversary can also execute side-channel attacks and thereby obtain the secrets stored on the smartcard. In addition, the adversary can capture sensors and reveal the private information stored in their memory, as these devices have no tamper-protection mechanisms [24].

Preliminaries and Notations
This section first presents the notation used in this paper and then reviews the fuzzy extractor function used to extract the biometric parameters required for the third factor of the authentication procedure.

Notations
The notation used throughout this article is summarized in Table 1.

Fuzzy Extractor
The fact that biometric tokens cannot be easily guessed, are difficult to copy, share or forge, and are not lost or forgotten makes biometric-based authentication preferable to traditional password-based authentication [35,36].
A fuzzy extractor can generate cryptographic keys from noisy data; in other words, it is error tolerant. In detail, it is composed of two processes, a probabilistic algorithm GEN and a deterministic algorithm REP, as described below:
1. The generation procedure (GEN): given a biometric input B_i, this probabilistic algorithm generates a secret key ψ_i and a non-secret string θ_i, i.e., GEN(B_i) = (ψ_i, θ_i).
2. The reproduction procedure (REP): given the noisy input B*_i and the corresponding auxiliary string θ_i, this algorithm recovers the same key ψ_i as in the generation process, i.e., ψ_i = REP(B*_i, θ_i).

Table 1. Notation.
U_i                 The i-th user
GWN                 The gateway node
SC_i                The smartcard of U_i
S_j                 The j-th sensor node
Z*_q                Multiplicative group, where q is a large prime
f_i                 Secret key linked to U_i
f_j                 Secret key linked to S_j
PW_i                Password linked to U_i
B_i                 Biometric trait linked to U_i
K_i                 Nonce generated by U_i
K_j                 Nonce generated by S_j
SK_i, SK_j, SK_G    Session key
REP(·), GEN(·)      Fuzzy extractor operations
h(·)                One-way hash function
⊕                   Bitwise XOR operation
∥                   Concatenation operation

Pre-Deployment Phase
Firstly, the gateway node GWN chooses X_GWN as a long-term secret key and assigns identities SID_j to the sensor nodes S_j (1 ≤ j ≤ m, for a population of m sensor nodes in the network). Then, the GWN calculates f_j = h(SID_j ∥ X_GWN) and stores SID_j, f_j in the memory of S_j.

User Registration Phase
Using a secure channel, the user U_i executes the following steps in conjunction with the GWN.
Step 1. U_i chooses an identity ID_i, attaches to it a personal credential (e.g., social security number), and submits both values to the GWN.
Step 2. If the GWN does not find ID_i in the database, it generates r_i ∈_R Z*_q and calculates MI_i = h(ID_i ∥ r_i) and f_i = h(MI_i ∥ X_GWN). Both values (MI_i, f_i) are stored in a new smartcard SC_i and the device is handed over to U_i.
Step 3. Once the smartcard is received, U_i chooses a password PW_i, then uses a sensor device to obtain his biometric information B_i, and finally writes PW_i, ID_i, B_i to SC_i.
Step 4. SC_i uses the fuzzy extractor technique to calculate (ψ_i, Finally, the smartcard contains the tuple

Login Phase
The user U_i follows these steps to access the data collected by sensor S_j.
Step 1. U_i inserts SC_i into the terminal, enters ID_i and PW_i, and uses the sensor device to imprint his biometric information B_i.

Authentication and Session Key Agreement Phase
Two goals are achieved in this phase (see Figure 2): (1) U_i and S_j are authenticated through the GWN; and (2) U_i and S_j set up a session key. In particular, the following five steps are executed.
Step 1. After receiving the message If the condition is not fulfilled, the GWN aborts the connection. Otherwise, it calculates and checks the validity of the received N_i. If it is valid, the GWN identifies U_i as an authorized user. If not, it aborts the connection.
Step 3. Upon receiving the message (N_j, SS_j, V_j, T_2), S_j checks the validity of the timestamp and verifies the validity of the received N_j. If it is invalid, S_j aborts the session. Otherwise, it generates K_j ∈_R Z*_q and computes SK_j = h(h(ID_i) ∥ SID_j ∥ K_i ∥ K_j) as the session key, and then computes W_j = h(SK_j ∥ T_3) and K_ij = K_i ⊕ K_j. Then, S_j sends the tuple (W_j, K_ij, T_3) to the GWN.
Step 4. Once the message (W_j, K_ij, T_3) is received, the GWN verifies the freshness of T_3.
If |T_3 − T_4| > ∆T, the GWN aborts the connection. Otherwise, it decodes K_j = K_ij ⊕ K_i and calculates the session key to verify the correctness of the received W_j. If the above verification fails, the GWN discontinues the session. Otherwise, it calculates M_1 = h(SK_G ∥ K_j ∥ T_4) and forwards the message to verify the correctness of the received M_1. Now the entities are mutually authenticated and a session key SK_i = SK_G = SK_j has been negotiated.

Update Phase
In this phase, in order to achieve user untraceability, U_i updates MI_i, C_i as follows:
Step 1. U_i computes M_2 = ID_i ⊕ h(SK_i ∥ K_i) and sends it to the GWN as a confirmation message. After receiving the message, the GWN decodes

Post-Deployment Phase
A new sensor node S_k is used in this phase to replace a damaged sensor node S_j. The GWN generates a new identity SID_k, calculates f_k = h(SID_k ∥ X_GWN) and stores SID_k, f_k in S_k's memory.

Password Recovery Phase
U_i executes this phase when he forgets his password. U_i needs to insert SC_i in the card reader and enter his identity and sends the recovered password to the user.

Password Change Phase
The password of the user U_i can be updated by executing the updating procedure with SC_i and without the intervention of the GWN. In detail, the following steps show how the user replaces the old password PW_i with a new one, PW_i^new.
Step 1. U_i inserts SC_i into the terminal and enters ID_i and PW_i along with the biometric information B_i.
Step 2. SC_i uses the fuzzy extractor technique to calculate (ψ_i, θ_i) = GEN(B_i); it then computes

Smartcard Revocation Phase
Generally, smartcards can be lost, stolen or damaged. Thus, the smartcard revocation phase is very important. This phase is executed as described below:
Step 1. U_i submits ID_i and a personal credential (e.g., social security number) to the smartcard issuer.
Step 2. If the smartcard issuer can find ID_i in the database, it generates r_i ∈_R Z*_q and calculates MI_i^new

Security Analysis of Amin et al.'s Protocol
In [15], the authors claimed that the adversary/attacker A cannot trace or identify the user U_i using the transmitted messages. Moreover, they claimed that the attacker cannot impersonate the user using eavesdropped login messages from previous sessions.
Unfortunately, we show that Amin et al.'s protocol is not immune to user impersonation and de-synchronization attacks. The user can also be tracked by an attacker who eavesdrops on only one protocol session. In addition, we provide evidence of how an adversary can easily obtain the session key under the assumption that sensors are not tamper-resistant.

User Impersonation Attack
In this attack, we point out how an adversary A is authenticated by both the gateway node GWN and the sensor node S_j. The attack is described below:
• A eavesdrops on the message (MI_i, N_i, P_i, Q_i, L_i, T_1) sent by U_i to the GWN, and then replaces the value Q_i with a modified one.
• After receiving the message (MI_i, N_i, P_i, Q_i, L_i, T_1) in the login phase, the GWN checks two conditions: (1) the timestamp condition |T_1 − T_2| ≤ ∆T, and (2) the validity of the received N_i, which does not depend on Q_i. Thus, the GWN accepts both conditions and computes h(ID_i) = Q_i ⊕ h(K_i ∥ T_1) and SID_j. It then calculates N_i. Now, the GWN believes that A is an authorized user.
• Then, the GWN calculates f_j and then computes N_j S_j checks the correctness of the timestamp and computes h( and checks the validity of the received N_j. It generates K_j ∈_R Z*_q and computes SK_j = h(h(ID_i) ∥ SID_j ∥ K_i ∥ K_j) as the session key, and then computes W_j and K_ij. Now, S_j also believes that A is an authorized user and sends the tuple (W_j, K_ij, T_3) to the GWN.
• The GWN checks the validity of T_3. It decodes K_j and computes the session key SK_G = h(h(ID_i) ∥ SID_j ∥ K_i ∥ K_j). It then computes W_j = h(SK_G ∥ T_3), checks the validity of the received W_j, computes M_1 = h(SK_G ∥ K_j ∥ T_4) and sends the message (M_1, K_ij, T_4) to U_i, which is the adversary. At this point, the adversary sends a random number M_2 to the GWN as a confirmation message. After receiving the message, the GWN uses it to obtain ID_i, which is therefore a random number. Due to the absence of any checking process, it employs this value to compute M_3, M_4 and M_5 and then sends the tuple (M_3, M_4, M_5) to the adversary.
Following this attack, the adversary cheats the GWN and S_j and passes the protocol with success probability 1. Moreover, the GWN and S_j establish a wrong session key, derived from the wrong h(ID_i).

De-Synchronization Attack
In Amin et al.'s authentication phase, an adversary A who eavesdrops on only one session can reveal h(ID_i) of the user U_i and use it to bring the user into a de-synchronized state, as follows. Note that, in the proposed attack, the superscript j indicates the parameters of the j-th run of the protocol, j = 1, 2. In addition, in the Amin et al. scheme, the value h(ID_i) of the user U_i is constant. In detail, the attack is executed following the steps described below: A eavesdrops on the message MI_i^2 from session 2; Following this attack, the adversary compels U_i to store the wrong MI_i, C_i in SC_i's memory. Now, U_i cannot use SC_i to log in.

User Traceability Attack
Following the privacy model proposed by Ouafi and Phan [37], the attacker can perform the following phases to mount a traceability attack.
Step 1. In round n, A sends an Execute query(GWN, U_0, n) and eavesdrops on messages MI
Step 2. The adversary A selects two users U_0 and U_1 and sends a Test query(U_1, U_0, n + 1) and, depending on the random bit b ∈ {0, 1}, the adversary A receives
Step 3. A sends an Execute query(GWN, U_b, n + 1) and eavesdrops on messages MI^{n+1} with a probability higher than a random coin flip, following the procedure described below.
Step 5. We have,

Session Key Disclosure Attack
As described in Section 5.2, A can extract h(ID_i) belonging to U_i. Thus, if we assume that the sensor S_j is not tamper-resistant, A obtains SID_j, f_j from the sensor's memory (note that the adversary does not require f_j to execute the proposed attack). Then, it executes the session key disclosure attack as follows:
• A eavesdrops on messages T_1 and A computes the session key SK_j using SK_j = h(h(ID_i) ∥ SID_j ∥ K_i ∥ K_j).
Therefore, an adversary can disclose the session key in Amin et al.'s protocol.
Finally, we would like to highlight that all our proposed attacks exploit the fact that the bitwise XOR operation is a source of vulnerability against passive and active attacks [38][39][40].

Our Proposed Protocol
We present an enhanced version of Amin et al.'s protocol to remedy its security pitfalls. The scheme, like the original proposal, is split into nine phases: (1) pre-deployment; (2) user registration; (3) login; (4) authentication and key agreement; (5) update; (6) post-deployment; (7) password recovery; (8) password change; and (9) smartcard revocation. As we only enhanced phases (3), (4) and (5), these are the ones that we describe. In summary, the enhanced authentication and key agreement phase and update phase of the proposed scheme, as shown in the blue boxes in Figure 3, have five important changes. To prevent the user impersonation attack, the user makes use of Q_i in the message N_i. Subsequently, the gateway node GWN verifies this value to authenticate the legitimate user (boxes 1 and 2). To overcome the de-synchronization attack, we change the format of message M_3 as well as the equation the user employs to update MI_i. Therefore, the attacker cannot obtain h(ID_i) by XORing these two values (boxes 4 and 5). To avoid the replay attack, the gateway node GWN checks the validity of M_2 by verifying the value of h(ID_i) (box 3).

Login Phase
In this phase, we include Q_i in N_i to guarantee the integrity of Q_i. U_i performs the following steps to log in when it wishes to access data collected by S_j:
Step 1. U_i inserts SC_i into the terminal, enters ID_i and PW_i, and uses the sensor device to imprint his biometric information B_i.
After this, SC_i forwards the tuple (MI_i, N_i, P_i, Q_i, L_i, T_1) to the GWN over a public communication channel.

Authentication and Session Key Agreement Phase
At this point, U_i and S_j are authenticated through the GWN and a session key is set up between both entities. In addition, we modify the message M_3 to thwart an attacker who tries to obtain h(ID_i) in the next session. Figure 3 summarizes the details of this phase:
Step 1. Once the message (MI_i, N_i, P_i, Q_i, L_i, T_1) is received in the login phase, the GWN checks whether the timestamp condition |T_1 − T_2| ≤ ∆T holds. If the condition does not hold, the GWN terminates the connection. Otherwise, it calculates f_i = h(MI_i ∥ X_GWN) and then decodes K_i = L_i ⊕ h(MI_i ∥ f_i ∥ T_1) and SID_j = P_i ⊕ h(f_i ∥ T_1). It then calculates N_i = h(MI_i ∥ K_i ∥ f_i ∥ T_1 ∥ SID_j ∥ Q_i) and checks the validity of the received N_i. If it is valid, the GWN identifies U_i as an authorized user. If not, it terminates the connection.
Step 2. Then, the GWN obtains h(ID_i) = Q_i ⊕ h(K_i ∥ T_1) and calculates f_j = h(SID_j ∥ X_GWN) and then , T_2 being the current timestamp. The GWN then forwards the tuple (N_j, SS_j, V_j, T_2) to S_j.
Step 3. Once the message (N_j, SS_j, V_j, T_2) is received, S_j checks the validity of the timestamp and the validity of the received N_j. If the verification fails, S_j aborts the session. Otherwise, it generates K_j ∈_R Z*_q and computes SK_j = h(h(ID_i) ∥ SID_j ∥ K_i ∥ K_j) as the session key, and then computes W_j = h(SK_j ∥ T_3) and K_ij = K_i ⊕ K_j. Finally, S_j sends the tuple (W_j, K_ij, T_3) to the GWN.
Step 4. Once the message (W_j, K_ij, T_3) is received, the GWN verifies the freshness of T_3. If |T_3 − T_4| > ∆T, the GWN aborts the connection. Otherwise, it decodes K_j = K_ij ⊕ K_i and computes the session key SK_G = h(h(ID_i) ∥ SID_j ∥ K_i ∥ K_j). It then computes W_j = h(SK_G ∥ T_3) and checks the validity of the received W_j. If this verification fails, the GWN discontinues the session. Otherwise, it calculates M_1 = h(SK_G ∥ K_j ∥ T_4) and forwards the message (M_1, K_ij, T_4) to U_i.
Step 5. Once the message (M_1, K_ij, T_4) is received, U_i checks whether the condition |T_4 − T_5| ≤ ∆T is satisfied. If it is not, U_i ends the session. Otherwise, it calculates K_j = K_ij ⊕ K_i, SK_i = h(h(ID_i) ∥ SID_j ∥ K_i ∥ K_j) and M_1 = h(SK_i ∥ K_j ∥ T_4) and checks the validity of M_1. At this point, the entities are mutually authenticated and a session key SK_i = SK_G = SK_j has been negotiated.

Update Phase
In this phase, U_i updates MI_i, C_i in order to achieve user untraceability, as described in the next steps and depicted in Figure 3:
Step 1. U_i computes M_2 = ID_i ⊕ h(SK_i ∥ K_i) and sends it to the GWN as a confirmation message.
After receiving the message, the GWN decodes ID_i = M_2 ⊕ h(SK_G ∥ K_i) and checks whether the condition h(ID_i) = Q_i ⊕ h(K_i ∥ T_1) holds. If the verification fails, the GWN aborts the session. Otherwise, it updates MI_i = h(ID_i ∥ r_i) and
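The gateway-side checks of the improved scheme (the N_i verification of Step 1 of the authentication phase and the h(ID_i) check on M_2 in the update phase above), as an added Python example that is not part of the paper. It assumes h(·) is SHA-256, every protocol value is 32 bytes, timestamps are hashed as 8-byte integers, and the original Amin et al. check is modelled simply as N_i computed without Q_i (the page states only that it does not depend on Q_i); the run shows that an altered Q_i is rejected once Q_i is bound into N_i, while the unbound check accepts it and derives a wrong h(ID_i).

```python
import hashlib
import os

# Constructed model of the GWN checks; not the paper's or any project's code.
SIZE = 32        # all protocol values are 32 bytes in this model (assumption)
DELTA_T = 5      # freshness window in seconds (assumed value)


def h(*parts: bytes) -> bytes:
    """One-way hash h(a || b || ...), modelled as SHA-256 over the concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == SIZE
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    """Timestamp encoding used inside the hashes (assumed: 8-byte big-endian)."""
    return t.to_bytes(8, "big")


def build_login_message(ID_i, MI_i, f_i, SID_j, K_i, T_1, bind_Q):
    """Smartcard side of the login phase: the tuple <MI_i, N_i, P_i, Q_i, L_i, T_1>.
    bind_Q=True puts Q_i inside N_i (improved scheme); False models the original check."""
    P_i = xor(SID_j, h(f_i, ts(T_1)))                 # SID_j xor h(f_i || T_1)
    Q_i = xor(h(ID_i), h(K_i, ts(T_1)))               # h(ID_i) xor h(K_i || T_1)
    L_i = xor(K_i, h(MI_i, f_i, ts(T_1)))             # K_i xor h(MI_i || f_i || T_1)
    tail = (Q_i,) if bind_Q else ()
    N_i = h(MI_i, K_i, f_i, ts(T_1), SID_j, *tail)
    return {"MI": MI_i, "N": N_i, "P": P_i, "Q": Q_i, "L": L_i, "T1": T_1}


def gateway_verify_login(msg, X_GWN, now, bind_Q):
    """Authentication Step 1 at the GWN. Returns (K_i, SID_j, h(ID_i)) or None if rejected."""
    if abs(msg["T1"] - now) > DELTA_T:                # stale timestamp: abort
        return None
    T_1 = ts(msg["T1"])
    f_i = h(msg["MI"], X_GWN)                         # f_i = h(MI_i || X_GWN)
    K_i = xor(msg["L"], h(msg["MI"], f_i, T_1))       # K_i = L_i xor h(MI_i || f_i || T_1)
    SID_j = xor(msg["P"], h(f_i, T_1))                # SID_j = P_i xor h(f_i || T_1)
    tail = (msg["Q"],) if bind_Q else ()
    if h(msg["MI"], K_i, f_i, T_1, SID_j, *tail) != msg["N"]:
        return None                                   # N_i mismatch: not an authorized user
    hID = xor(msg["Q"], h(K_i, T_1))                  # h(ID_i) = Q_i xor h(K_i || T_1)
    return K_i, SID_j, hID


def session_key(hID, SID_j, K_i, K_j):
    """SK = h(h(ID_i) || SID_j || K_i || K_j), shared by U_i, GWN and S_j."""
    return h(hID, SID_j, K_i, K_j)


def gateway_verify_confirmation(M_2, SK_G, K_i, hID_from_Q):
    """Update phase: decode ID_i = M_2 xor h(SK_G || K_i) and require h(ID_i) to equal
    the value the GWN derived from Q_i; a random M_2 (as in the impersonation attack) fails."""
    ID_i = xor(M_2, h(SK_G, K_i))
    return ID_i if h(ID_i) == hID_from_Q else None


def login_outcome(bind_Q, tamper_Q):
    """One login with constructed values; optionally flip bits of Q_i in transit."""
    X_GWN = h(b"constructed gateway secret")
    ID_i = b"user-0001".ljust(SIZE, b"\0")
    r_i = os.urandom(SIZE)
    MI_i = h(ID_i, r_i)                               # registration: MI_i = h(ID_i || r_i)
    f_i = h(MI_i, X_GWN)                              # f_i = h(MI_i || X_GWN)
    SID_j, K_i = os.urandom(SIZE), os.urandom(SIZE)
    T_1 = 1_700_000_000
    msg = build_login_message(ID_i, MI_i, f_i, SID_j, K_i, T_1, bind_Q)
    if tamper_Q:
        msg["Q"] = xor(msg["Q"], b"\x01" * SIZE)      # active adversary alters Q_i only
    res = gateway_verify_login(msg, X_GWN, now=T_1 + 1, bind_Q=bind_Q)
    if res is None:
        return "rejected"
    return "accepted" if res[2] == h(ID_i) else "accepted-with-wrong-hID"


def confirmation_outcome(honest):
    """Honest M_2 decodes ID_i; a random M_2 is caught by the added h(ID_i) check."""
    ID_i = b"user-0001".ljust(SIZE, b"\0")
    SID_j, K_i, K_j = (os.urandom(SIZE) for _ in range(3))
    SK = session_key(h(ID_i), SID_j, K_i, K_j)
    M_2 = xor(ID_i, h(SK, K_i)) if honest else os.urandom(SIZE)
    return gateway_verify_confirmation(M_2, SK, K_i, h(ID_i)) == ID_i


if __name__ == "__main__":
    for bind_Q in (False, True):
        for tamper_Q in (False, True):
            print(f"Q_i bound into N_i={bind_Q}, Q_i tampered={tamper_Q}: "
                  f"{login_outcome(bind_Q, tamper_Q)}")
    print("honest M_2 accepted:", confirmation_outcome(True))
    print("random M_2 accepted:", confirmation_outcome(False))
```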

Security Analysis of the Proposed Protocol
The proposed protocol is analyzed from an informal and formal point of view. This analysis shows how the proposed scheme withstands relevant and common security attacks.
An informal security analysis of a scheme discusses its robustness against the common attacks known in its context, whereas formal security analysis methods employ mathematical or logical tools such as BAN logic [41], AVISPA [42] or ProVerif [43] to scrutinize the security of a cryptographic protocol. In this article, we employ BAN logic to formally verify our proposed protocol.

Informal Security Analysis
In this section, we point out how our proposed protocol withstands against relevant and well-known attacks.

Stolen Smartcard Attack
In our proposal, if the smartcard SC_i is stolen or lost, the adversary can access its memory and obtain all the information MI_i, A_i, E_i, C_i, REC and REG_i stored in the smartcard. Note that, in our protocol, the smartcard is not tamper-resistant. Since some values (ID_i, PW_i and B_i) are unknown to the adversary, s/he cannot compute without having any information about these parameters. Furthermore, it is also computationally infeasible for the attacker to disclose ID_i, PW_i and the secret biometric information B_i of the user U_i, thanks to the collision-resistance property of the one-way hash function. Thus, the proposed protocol is secure against the stolen smartcard attack.

Offline Password Guessing Attack
In our scheme, the password PW_i of the user U_i is involved in the values A_i, E_i, C_i and REC, which are stored in the smartcard. As discussed above, the adversary A cannot use any of these stored items to obtain the password. In addition, using the messages transmitted by the user U_i, the attacker cannot relate these messages to the items stored on the smartcard to find useful information to verify her/his guess about PW_i. Therefore, our proposed scheme is robust against the offline password guessing attack.

Privileged Insider Attack
In this kind of attack, an insider attacker tries to impersonate the legitimate user by using this user's password. However, in the user registration phase of our scheme, U_i only submits ID_i as a registration request. In addition, all the messages transmitted via the public channel are independent of ID_i. Thus, by no means can an insider of the GWN obtain U_i's password. That is, our proposed protocol is resistant to the privileged insider attack.

Offline Identity Guessing Attack
On this occasion, the adversary tries to obtain knowledge about the real identity ID_i of a user U_i (the user and the GWN are the only entities who know this information). In our proposal, the adversary cannot derive ID_i from the information obtained from the smartcard. In addition, ID_i is never passed over the public communication channel. As a consequence of using the one-way hash function h(·), the adversary cannot find any useful information related to ID_i to verify her/his guess. Therefore, our proposed scheme is robust against the identity guessing attack.

User Impersonation Attack
In this attack, the adversary aims to cheat the GWN by attempting to take the place of a legitimate user in the login phase. S/he may use the eavesdropped login message (MI_i, N_i, P_i, Q_i, L_i, T_1) of previous sessions to conduct her/his attack. We show how our scheme is resistant to this attack. Once the eavesdropped message is received, the GWN checks the legitimacy of the user U_i by validating N_i = h(MI_i ∥ K_i ∥ f_i ∥ T_1 ∥ SID_j ∥ Q_i). A has to possess f_i and h(ID_i) to forge N_i. However, without any knowledge of the password, ID_i, the biometric key and the SID_j of the smartcard, the adversary A cannot calculate a valid N_i. Therefore, our proposed scheme is secure against the user impersonation attack.

Gateway Node Impersonation Attack
To impersonate the gateway node, the adversary has to forge the message (N_j, SS_j, V_j, T_2). Thus, the adversary A needs to know f_j, K_i and h(ID_i) to compute N_j = h(h(ID_i) ∥ f_j ∥ T_2 ∥ K_i), which is impossible. Thus, A cannot forge the aforementioned message. In addition, A cannot compute M_1 = h(SK_G ∥ K_j ∥ T_4) and K_ij = K_i ⊕ K_j, which are created by the GWN. Therefore, our proposed scheme resists the GWN impersonation attack.

Sensor Node Impersonation Attack
In the authentication phase, the sensor node S_j computes W_j = h(SK_j ∥ T_3) and K_ij = K_i ⊕ K_j and sends these values along with T_3 to the gateway node GWN. To forge the messages W_j and K_ij, the adversary A must compute SK_j = h(h(ID_i) ∥ SID_j ∥ K_i ∥ K_j) and must know K_i and K_j. Moreover, A cannot compute SK_j without knowing h(ID_i) and SID_j. Therefore, A cannot compute S_j's messages to execute a sensor node impersonation attack.

Session Key Security
In the authentication and session key agreement phase, the attacker can eavesdrop on the messages W_j = h(SK_j ∥ T_3) and M_1 = h(SK_G ∥ K_j ∥ T_4).
Nevertheless, the session key SK_j = SK_G = h(h(ID_i) ∥ SID_j ∥ K_i ∥ K_j) is protected by the one-way hash function h(·). Hence, it is computationally infeasible for the adversary to derive the key in use. Thus, our proposed scheme provides session key security.

User Anonymity
In our proposed protocol, the identity $ID_i$ of user $U_i$ is never sent in plain text over an insecure communication channel; only $h(ID_i)$ is transmitted in the public messages. Due to the collision-resistant property of the one-way hash function $h(\cdot)$, deriving $ID_i$ from $h(ID_i)$ is computationally impossible for the attacker. Therefore, our proposed scheme preserves user anonymity.

Preserving User Untraceability
In this attack, an adversary A aims to determine whether two messages were generated by the same (unknown) user. In our proposal, the attacker cannot find any relationship between $Q_i$, $M_2$ and the user's identity $ID_i$. Furthermore, all the parameters used in the message $\langle MI_i, N_i, P_i, Q_i, L_i, T_1 \rangle$ are random. Moreover, when the update phase of the protocol is executed, $U_i$ updates $MI_i$ and $C_i$ for the next session. Therefore, A cannot determine whether two protocol sessions belong to the same user, and users cannot be tracked in our proposed protocol.

Replay Attack
In the replay attack, the adversary forwards eavesdropped messages from previous protocol sessions to try to deceive legitimate entities. The timestamps and random numbers used in all messages of the protocol prevent any such attempt: a replayed message is identified by verifying the freshness of its timestamp and random numbers. Therefore, the replay attack does not work against our scheme.
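The following Python snippet is an added example, not code from the paper, modelling the gateway-side checks discussed in the user impersonation, session key security and replay attack paragraphs above: the GWN recomputes $N_i$ and rejects a message whose timestamp is stale or whose $N_i$ was built without $f_i$, and both sides derive the same $SK$ and confirm it through $W_j$. It assumes SHA-256 for $h(\cdot)$, byte-string concatenation for $\|$, a fixed clock-skew window for freshness, and constructed sample values for every secret.

```python
import hashlib
import hmac

def h(*parts: bytes) -> bytes:
    """One-way hash h(.) over the concatenation of its inputs (SHA-256 assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()

# Constructed sample values; the real protocol derives them in its registration
# and login phases, which are not modelled here.
ID_i, SID_j, MI_i = b"user-42", b"sensor-07", b"masked-id-0001"
f_i, f_j = bytes.fromhex("a1" * 32), bytes.fromhex("b2" * 32)  # hypothetical secrets
K_i, K_j, Q_i = bytes.fromhex("c3" * 32), bytes.fromhex("d4" * 32), bytes.fromhex("e5" * 32)
MAX_SKEW = 5  # seconds of tolerated clock skew (assumed freshness window)

def make_N_i(MI_i, K_i, f_i, T_1, SID_j, Q_i):
    """N_i = h(MI_i || K_i || f_i || T_1 || SID_j || Q_i), computed by U_i."""
    return h(MI_i, K_i, f_i, str(T_1).encode(), SID_j, Q_i)

def gwn_check_login(msg, now, f_i, K_i):
    """GWN side: reject a stale T_1 (replay) or an N_i that does not verify
    (a forger lacking f_i cannot produce a matching value)."""
    if abs(now - msg["T_1"]) > MAX_SKEW:
        return False
    expected = make_N_i(msg["MI_i"], K_i, f_i, msg["T_1"], SID_j, msg["Q_i"])
    return hmac.compare_digest(expected, msg["N_i"])

def session_key(hID_i, SID_j, K_i, K_j):
    """SK_j = SK_G = h(h(ID_i) || SID_j || K_i || K_j)."""
    return h(hID_i, SID_j, K_i, K_j)

def W_j(SK_j, T_3):
    """Sensor's key confirmation W_j = h(SK_j || T_3)."""
    return h(SK_j, str(T_3).encode())

def demo(now=1_700_000_000):
    """Run the checks and return which messages the GWN accepts."""
    login = {"MI_i": MI_i, "Q_i": Q_i, "T_1": now,
             "N_i": make_N_i(MI_i, K_i, f_i, now, SID_j, Q_i)}
    forged = dict(login, N_i=make_N_i(MI_i, K_i, b"wrong-f_i", now, SID_j, Q_i))
    SK_G = session_key(h(ID_i), SID_j, K_i, K_j)   # computed at the GWN
    SK_j = session_key(h(ID_i), SID_j, K_i, K_j)   # computed at S_j
    return {
        "genuine_login_ok": gwn_check_login(login, now, f_i, K_i),
        "replayed_login_ok": gwn_check_login(login, now + 3600, f_i, K_i),
        "forged_login_ok": gwn_check_login(forged, now, f_i, K_i),
        # GWN verifies W_j with its own SK_G; a match proves S_j holds the same key
        "W_j_ok": hmac.compare_digest(W_j(SK_j, now + 1), W_j(SK_G, now + 1)),
    }
```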

Formal Security Analysis
We use BAN logic [41] to conduct the security analysis of the authentication and key agreement phase of our proposal. Table 2 summarizes the notation used. Next, we introduce the two main rules applied in our analysis.

R1 (Shared key rule).
$$\frac{P \mid\equiv P \xleftrightarrow{k} Q,\; P \triangleleft [X]_k}{P \mid\equiv Q \mid\sim X}$$
If P believes that it shares the key $k$ with Q, and P receives the message $[X]_k$, then P believes that Q sent X.

R2 (Belief rule).
$$\frac{P \mid\equiv Q \mid\sim (X, Y)}{P \mid\equiv Q \mid\sim X}$$
If P believes Q sent the message set (X, Y), then P believes Q sent the message X.
Our formal security analysis is split into the following steps:

Step 1. Protocol messages. PM1:

Step 2. Idealizing the protocol messages. At this point, the protocol messages are converted into the idealized format based on the BAN-logic notation. The results are denoted by IM1, ..., IM9 as below:

Step 3. Explicit assumptions. The seven assumptions on the proposed scheme are described by A1, ..., A7 as below:

Step 4. Security goals. The nine security goals which are expected to be verified after analyzing the protocol by BAN logic are listed by G1, ..., G9 as below. For instance, the goal G1 states that the gateway node must believe that the user $U_i$ has sent the key $K_i$:

Step 5. Deriving the security goals. Finally, to show that the above-mentioned goals are achieved, we apply the logical rules of BAN logic to the idealized messages and initial premises as described below.

Table 2. Notation used in the BAN-logic analysis.

Notation                          Description
$P \mid\equiv X$                  P believes a proposition X
$P \triangleleft X$               P receives a message X
$P \mid\sim X$                    P sent a message X
$P \xleftrightarrow{k} X$         P and X share the secret key $k$, and only these two entities can use $k$ to prove their identity to each other
$\#(X)$                           X is fresh
$\{X\}_k$                         Encryption of X using the secret $k$
$(X)_k$                           Hash computation of X using the secret $k$
$P \rightleftharpoons^{k} Q$      P and Q share a secret $k$
$P \Rightarrow Q$                 If P then Q

Given the above steps, it can easily be concluded that the protocol meets all the preset goals. Therefore, we can state that our proposed scheme is secure.

Performance Comparison
In this work, we propose a new 3FA protocol to overcome the security weaknesses of the Amin et al. [15] scheme. We show how our enhanced protocol is not only secure but also efficient enough to be used in HWSNs. The discussion about the security features, computational overhead and computational cost offered by our proposed scheme and other related schemes, such as Amin et al. [15], Yeh et al. [32], Xue et al. [7], Das et al. [44], Jiang et al. [33], Das et al. [45] and Gope et al. [24] is presented in this section.

Security Features' Comparison
In Table 3, we sum up the security features offered by our proposed protocol and other similar ones. The symbol "Yes" indicates that the scheme is secure against the related attack and the symbol "No" indicates the contrary. From this, we can conclude that our proposal satisfies all the security features required and offers a higher security level than its predecessors. In addition, protocols [7,24,32,33] do not provide three-factor authentication while our scheme does.

Overall Computational Overhead Comparison
In HWSNs, sensors have limited energy, so any authentication protocol designed for these networks should be lightweight and energy efficient. We use the model represented in Figure 1a to design our scheme. In our scheme, we use only the hash and fuzzy extractor functions, which are both efficient. In fact, using low-power cryptographic functions rather than very demanding ones reduces energy consumption [46]. According to the experimental results presented in [24], each modular exponentiation in the ECC-160 algorithm consumes 1.2 Ws of energy and takes $t_{Exp} = 11.69$ ms of execution time. For symmetric key encryption/decryption (128-bit AES-CBC), the running time and energy consumption are approximately $t_{sym} = 4.62$ ms and 0.72 Ws, and for the hash function (SHA-256) these two values are approximately $t_{Hash} = 1.06$ ms and 0.27 Ws, respectively. These results were obtained on MSB-430 sensor boards with the TI MSP430 microcontroller [24]. Moreover, the time taken by the fuzzy extractor, $t_f$, is about 17.1 ms [47]. In Table 4, previous works [7,15,24,32,33,44,45] and our proposed scheme are compared in terms of computational cost. As shown in this table, the total computational cost of our proposal is only $25 \times t_{Hash} + t_f$. Although our proposed scheme takes slightly more time than some proposals [7,24,33], this extra time is due to the additional operations needed to secure the scheme (fixing the security pitfalls of its predecessors) and to the three-factor capability, which is critical for secure HWSN networks. Finally, it is worth noting that our cost is similar to that of [15,45], but we offer a higher security level.

Table 4. Overall computational overhead of the authentication phase. (Columns: Scheme, User, GW, Sensor Node, Total Cost; the table rows are not reproduced here.)

Computational Cost and Execution Time
To achieve better efficiency, and taking into account the energy restrictions of sensor nodes, the computation cost on the sensors should be kept as low as possible. In Table 5, we summarize both the computational cost and the execution time of our proposal and its predecessors [7,15,32,33,44,45]. From this, it is clear that our proposal is among the most efficient in terms of energy and execution time, so it is suitable for resource-limited sensor nodes.

Conclusions
In heterogeneous wireless sensor networks (HWSNs), sensors with different capabilities and functionalities are dispersed within a defined area. Generally, their capabilities, such as computation and energy, are very limited. Securing these devices is pivotal and challenging because of their constrained resources. In this vein, we propose a secure and efficient three-factor authentication (3FA) scheme that is suitable for HWSNs and enhances the security of a recently proposed protocol [15]. We showed that [15] is not resistant to user impersonation and de-synchronization attacks, and that an attacker can track a user by eavesdropping on only one session. In addition, an adversary can disclose the session key under the common assumption that the sensor hardware is not tamper-resistant. To scrutinize the security of our proposal, we analyzed it both informally and formally and showed that our protocol guarantees all the required security features and provides the highest security level in comparison with its predecessors. Moreover, in terms of performance, our scheme takes only a few milliseconds and is very efficient in energy consumption. All of this makes our scheme adequate for HWSNs, in which sensors generally have very limited resources. As future work, we aim to propose a new scheme supporting user access control, so that authorized users can access only the information they are allowed to in HWSNs.