Secure and Efficient Three-Factor Protocol for Wireless Sensor Networks

Wireless sensor networks are widely used in many applications such as environmental monitoring, health care, smart grid and surveillance. Many security protocols have been proposed and intensively studied due to the inherent nature of wireless networks. In particular, Wu et al. proposed a promising authentication scheme which is sufficiently robust against various attacks. However, according to our analysis, Wu et al.’s scheme has two serious security weaknesses against malicious outsiders. First, their scheme can lead to user impersonation attacks. Second, user anonymity is not preserved in their scheme. In this paper, we present these vulnerabilities of Wu et al.’s scheme in detail. We also propose a new scheme to complement their weaknesses. We improve and speed up the vulnerability of the Wu et al. scheme. Security analysis is analyzed by Proverif and informal analysis is performed for various attacks.


Introduction
A wireless sensor network (WSN) is a distributed network of autonomous sensors that are typically used to collect information about environmental or physical conditions. Wireless sensor networks are applicable to a variety of applications such as environmental monitoring, health care, smart grid and surveillance [1][2][3][4][5][6] because they can be easily deployed without a significant cost penalty.
In general, a WSN system consists of four entities: (1) user interface, (2) a sensor node that measures physical or environmental conditions, (3) a gateway node that forwards the information received from the sensor nodes to a central server, and (4) a central server that collects the information from the sensor nodes and analyze it. Naturally, however, the security of WSN is critical because network packets can be easily captured and modified in WSN due to the inherent characteristics of wireless networks. Therefore, we need to provide security protocols in order to ensure security properties such as confidentiality, integrity, and authenticity even when data packets on a WSN are captured and modified in an unauthorized manner.
Due to the inherent weakness of WSNs, many researchers have proposed security protocols to achieve fundamental security goals of WSNs. As one of the pioneers in this area, Watro et al. [7] proposed a security protocol using RSA (See Table A1 for details) for wireless sensor networks. To enhance the security of the authentication procedure, Das [2] extended their protocol to a two-factor user authentication protocol for WSNs where a user has to hold both a password and smartcard. Because their proposed authentication scheme provides reasonable security properties, it has been widely used for WSNs as a de-factor standard protocol [8][9][10]. However, He et al. [11] found that Das's protocol is vulnerable to several attacks such as insider attacks, impersonation attacks and lack of secure mutual authentication. They also suggested an authentication scheme by fixing the discovered problems. However, Kumar et al. [12] also discovered several security flaws such as information leakage, no session key agreement, no mutual authentication, and lack of anonymity in Das's protocol.
Recently, some researchers (e.g., [13]) have started to develop user authentication schemes for WSNs using ECC, which can provide the same security as RSA with a smaller key size. ECC is the most efficient algorithm that satisfies forward secrecy and backward secrecy among the algorithms so far. Xue et al. [14] particularly introduced a temporal-credential-based protocol to provide user anonymity. However, Jiang et al. [15] demonstrated that Xue et al.'s scheme has four critical security flaws: (1) identity guessing attacks, (2) online password guessing attacks by privileged insiders, and (3) offline password guessing attacks with a victim's smartcard. Jiang et al. also suggested a new authentication scheme to address their discovered issues.
More recently, Das [16] found that Jiang et al. [15]'s scheme has significant security issues such as the vulnerabilities to insider and de-synchronization attacks and lack of formal security proof of the proposed scheme. To address these issues, Das proposed several three-factor user authentication schemes [16][17][18] by introducing a new factor of user biometrics. Again, Wu et al. [1] found that all the Das' schemes [16][17][18] are vulnerable to de-synchronization and offline password guessing attacks. In addition, the protocols [17,18] are vulnerable to user impersonation and offline password guessing attacks. To fix such problems, Wu et al. [1] suggested a three-factor user authentication scheme using ECC for WSNs.
In this paper, however, we found that Wu et al.'s scheme [1] has two security flaws against outsider attackers. First, their scheme can lead to user impersonation attacks. Second, user anonymity is not preserved because the user identity can be revealed from an anonymous login request message. We will explain these in the reminder of this paper. Our key contributions are summarized below:

•
We discovered two security weaknesses in Wu et al.'s scheme [1], which was recently designed for user authentication using ECC in WSN systems. We demonstrated that a malicious outsider holding a smart card can extract the secret parameters from his/her smart card; the extracted secret parameters can be used to perform impersonation attacks and reveal the identity of the user from a login request message.

•
We also proposed a novel three-factor user authentication scheme for WSN by extending Wu et al.'s scheme [1]. The proposed authentication scheme not only accomplishes several important security properties but also improves the performance of the protocol in time.
The rest of the paper is structured as follows: Section 2 gives some preliminaries of the cryptographic primitives (i.e., ECC and fuzzy extractor) used in our paper and explains the threat model and assumptions. Section 3 provides a review of Wu et al.'s scheme [1]. Section 4 analyzes the security weaknesses of their scheme. Section 5 presents a novel three-factor user authentication scheme by fixing security issues in Wu et al.'s scheme. Sections 6 and 7 provide security and performance analysis results, respectively. We conclude in Section 8.

Preliminaries
In this section, we introduce elliptic curves, fuzzy extractors, and threat models to be used in this paper.

Elliptic Curve Cryptosystem
The Elliptic curve cryptosystem (ECC) is the most frequently used password system in modern passwords and has strong security characteristics. Miller [19] and Neal [20] create ECC in 1985 and 1987, respectively. ECC uses the following formula: The above equation is ECC on the F p . The following conditions must be met in order to ensure safety: This is a formula that guarantees the non-singularity of an elliptic curve. When using this elliptic curve, safety is ensured as follows: 1.

3.
Elliptic Curve Discrete Logarithm Problem (ECDLP): Given P, xP it is impossible to find x.
We hypothesized that P is the point on F p , xP is the result of calculating P times x, yP is the result of calculating P times y, and xyP is the result of calculating P times xy.

Fuzzy Extractor
The user's biometric information is very important information. In general, human biometric recognition is perceived differently each time, and the fuzzy extractor plays a role in correcting it. The fuzzy extractor can obtain a unique string using error tolerance. The fuzzy extractor is operated through two procedures (Gen, Rep), demonstrated as [17,21]: Gen is a probabilistic generation function for which the biometrics B returns a factored out string α ∈ {0, 1} k and a coadjutant string β ∈ {0, 1} * , and Rep is a function that restores β to α, and any vector B * close to B [22].

Threat Assumption
We introduce a threat model [8], and consider constructing the threat assumptions as follows: 1.
The attacker A can be a user, a gateway, or a sensor. Any registered user can act as an attacker.

2.
A can intercept or eavesdrop on all communication messages in a public channel, thereby capturing any message exchanged between a user and gateway or sensor.

3.
A has the ability to modify, reroute, or delete the intercepted message.

4.
Stored parameters can be extracted from smart cards using the side channel attack [23].

5.
An external attacker A (outsider) can also register, login and receive his/her smart card.

Review of Wu et al.'s Scheme
In this section, we perform an analysis on Wu et al.'s scheme in order to scrutinize the security weakness of their scheme in the next section. Wu et al.'s scheme consists of four phases: registration phase, login phase, authentication phase, and password change phase. In addition, it applies ECC such as the [17] schemes. To begin with, GW N creates G on E (F p ) with P as a generator and large prime n as an order. After that GW N picks a private key x under two hash functions h (·), h 1 (·) and security length l s . In their scheme, they assume that the length of all random numbers should be above l s . Other notations used in Wu et al.'s scheme are abridged in Table 1. Table 1. Notations used in this paper.

U i
The i-th user S j , SID j A j-th sensor and its identity Secret key of GW N r i Random number generated by U i h (·), h 1 (·) One-way hash function A group of points on a finite field F p elliptic curve P A point generator in F p with a large prime order n G A cyclic addition group under P as a generator sk u , sk s The session key generated by U i and S j , respectively.

Registration Phase
Registration phase is divided into two parts: user registration phase and registration phase.

1.
The user U i first decides his/her identification ID i and password PW i . With a random number r i , it imprints B i over a device for biometrics collection, and calculates Gen (B i ) = (R i , P bi ), DID i = h (ID i r i ) and HPW i = h (PW i r i R i ). He/she then requests the registration message {ID i , DID i } to the gateway node GW N over a secure channel.

2.
After the registration request message from the U i is received, GW N computes , where x is GW N's secret key, prepares a smart card for U i containing h (·), h 1 (·), P, and collects ID i in the database. The next thing is that GW N sends the smart card with B 1 to the U i securely.

3.
When receiving the smart card with B 1 from the GW N, U i computes B 1 = B 1 ⊕ HPW i and B 2 = h (ID i R i PW i ) ⊕ r i with storing B 1 , B 2 , P and P bi in the smart card.

1.
GW N determines an identity SIDj for new sensor node S j , computes hash function c j = h (SID j x), and sends {SID j , c j } to S j .

2.
S j stores P, SID j and c j , and enters the WSN.

Login Phase
The smart card produces random numbers r new i , e i and α ∈ [1, n − 1], and selects a special sensor SID j . Then, the smart card calculates DID new . The value C 4 is used to certify the integrity of the identities and the new data generated by the user side as well as to authenticate the source of the message M 1 .

3.
U i sends the login request messages

1.
After the login request messages M 1 arrives from the user U i , GW N first computes , and verifies the legitimacy of . GW N terminates the session if either verification fails. If three failures continuously occur in a certain time span as defined, U i 's account will be frozen; otherwise, GW N calculates c j = h (SID j x) and C 5 = h (c j DID j SID j C 2 ) and sends M 2 = {C 2 , C 5 , DID i } to the sensor node S j . The value C 5 is used to accredit the integrity of the strings containing c j , and the data can be used for the sensor S j to acquire the correct data for calculating the session key. This is also done for verification of the source of M 2 .

2.
S j checks the validity of C 5 , C 5 ? = h (c j DID i SID j C 2 ) with its identity SID j . If this step fails, S j will terminate the session. Otherwise, S j then chooses β ∈ [1, n − 1] and calculates The main functionality of C 7 is used for checking the integrity of the session key and C 6 , which is needed by U i to compute the session key. Both C 7 and C 8 are also used to validate the source of M 3 . In the end, S j sends M 3 = {C 6 , C 7 , C 8 } to GW N.

3.
GW N checks C 8 If the validation phase fails, GW N terminates the session; otherwise, GW N computes . The value C 10 is to check the validation of the source's message M 4 . Eventually, GW N sends the message M 4 = {C 6 , C 7 , C 9 , C 10 } to U i .

4.
U i checks C 10 ). U i then computes the session key sk u = αC 6 , and checks C 7 2 ) in each smart card separately.

1.
Same as the step 1 in the Login phase.

2.
The smart card produces random numbers r new i and e i , calculates DID new i , C 1 , C 3 , Z i and C 11 = h (ID i e i DID i DID new i ), and sends M 5 = {C 1 , C 3 , Z i , C 11 , DID i } with a password change request to GW N. The value C 11 is similar to C 4 , which is to confirm the integrity of the identities as well as to verify the source of M 5 .

3.
GW N obtains e i , ID i and DID new i as in step 1 of the authentication phase, and checks ID i ). If the verification stage fails, GW N terminates the session; otherwise, GW N computes ) and sends M 6 = {C 9 , C 12 } and a grant to U i . Here, C 12 is to verify the source of M 6 .

4.
U i checks C 12

Cryptanalysis of Wu et al.'s Scheme
We show that Wu et al.'s scheme [1] possesses certain some security vulnerabilities in this section. The following problems have been found and are described in detail below.

Extract Critical Information
1.
An attacker A who is a legitimate user and he/she can own his/her smart card. The smart card can extract the value {B 1A , B 2A , P, P bA }.

2.
A can thus obtain h (DID A x) = B 1A ⊕ HPW A , and use this variable for other attacks because this value is a critical value that be used on the user identification in the GW N.

No User Anonymity
Attacker A can extract the identity of U i from the login request message M i of U i . Assume that A eavesdrops on the login request message We also assume that attacker A has h (DID A x) through 5.1. Extract Critical Information. The details are as follows: 1.
Attacker A first generates random numbers r new A , e A , and α A ∈ [1, n − 1], and selects a special After receiving the login request message from A, GW N computes , and checks the validity of ID A and

5.
GW N tests C 8A ? = h (DID A SID j c j ). If this does not hold, GW N terminates the session; otherwise, GW N calculates This result shows that Wu et al.'s scheme does not ensure user anonymity.

User Impersonation Attack
An attacker A can impersonate any user through the identity of others and his/her own information. We assume the casualty is U i . We also assume that attacker A has h (DID A x) through Section 5.1. Extract Critical Information. The detailed method is as follows:

1.
Attacker A selects ID i who is the target of the user impersonation attack.

2.
A selects random numbers r new A , e A , and α A ∈ [1, n − 1] and selects a particular sensor SID j .
. C 4A is to check the new data produced on the user side and the integrity of the identities as well as to verify the source of M 1A .

3.
A forwards the login request message

4.
After obtaining the message from the A, GW N calculates DID A ), and checks the availability of ID i and checks . GW N continues to proceed with the scheme without detection. Unfortunately, the GW N mistakenly believes that he/she is communicating with the legitimate patient U i . Resultingly, the attacker A will be successfully confirmed as GW N by user U i . Hence, the user impersonation attack is successful.
In the next section, we discuss Wu et al.'s scheme to overcome the weakness of the scheme. Our scheme stores several variables in the database to prevent the vulnerability of Wu et al.

Proposed Scheme
We propose a new three-factor user authentication scheme for wireless sensor networks in this section. We use three participants: the user U i , the gateway node GW N and the sensor node S j . The gateway node GW N creates master keys x. The user U i and the sensor node S j computes on elliptic curve group F p .
We have defined the name of the variable as follows: Other variables do not have that special meaning. The proposed scheme is composed as follows: registration phase, login phase, authentication phase, and password/biometrics change phase.

Registration Phase
In this phase, a user U i chooses an identity ID i , imprints biometric template B i at the sensor, and then performs the following steps: 5.1.1. User Registration Phase

1.
U i selects ID i and PW i . imprints B i via a device for biometrics collection and computes Gen (B i ) = (R i , P bi ) and HPW i = h (ID i PW i R i ). Then, he/she sends ID i to GW N secretly.

2.
GW N generates a random number r i and computes GID i = h (ID i r i ).

3.
GW N computes G i = h (GID i x), prepares a smart card for U i containing h (.), h 1 (.), P, GID i and the fuzzy extractor.

4.
GW N stores ID i and GID i in its database and shares it with U i . By storing ID i and GID i in the database, Wu et al. [1]'s problems arising from existing DID i can be solved. 5.

1.
GW N selects an identity SID j for each new sensor S j , computes c j = h (SID j x) and sends {SID j , c j } to S j .

2.
S j stores P, SID j and c j and joins the WSN. Figure 1 illustrates the registration phase of the proposed scheme.

Login Phase
This allows U i to verify whether it has come in correctly.

2.
U i generates e i and α. U i computes HPW i = h (ID i PW i R i ), MU 1 = G 1 ⊕ HPW i ⊕ e i , MU 2 = αP and MU 3 = h (ID i e i GID i MU 2 SID j ).

3.
U i sends the message M 1 = {MU 1 , MU 2 , MU 3 , GID i , SID j } to GW N. Figure 2 illustrates the login and authentication phase of the proposed scheme.

1.
GW N finds ID i by using GID i from the database and computes e i = MU 1 ⊕ h (GID i x).
GW N checks the validity of MU 3 ? = h (ID i e i GID i MU 2 SID j ). If it fails, the session will be terminated. Otherwise, GW N computes c j = h (SID j x) and MG 1 = h (c j GID i SID j MU 2 ). When the operation has finished, GW N sends the message M 2 = {MU 2 , MG 1 , GID i } to S j .

2.
S j checks MG 1 ? = h (c j GID i SID j MU 2 ) with its identity SID j . If it is wrong, S j will stop the session. Otherwise, S j selects β ∈ [1, n − 1] and computes MS 1 = βP, session key sk s = βMU 2 , MS 2 = h 1 (MU 2 MS 1 sk s GID i SID j ) and MS 3 = h (GID i SID j c j ). It sends message  = h 1 (MU 2 MS 1 sk u GID i SID j ). If it is wrong, U i will stop the session.

5.
U i computes G new , P new bi ) for (G 1 , G 2 , P bi ) in the smart card, respectively.

Formal Security Analysis
The formal security analysis uses an automated analysis tool called ProVerif. ProVerif is an automated tool for analyzing cryptographic protocols that was developed by Bruno Blanchet. Digital signatures, hash functions, signature proofs, etc. are suitable for analyzing an authentication protocol. Recently, many researchers [1,4,24] have verified the authentication in the user authentication protocol using ProVerif. The formal security analysis shows the results of verifying and analyzing the security of the proposed scheme using ProVerif.
We use three channels. We provide the illustration of Table 2. cha is the channel in the registration phase and is used when the user U i and GW N exchange ID i in the registration phase. chc is the channel used by user U i and GW N to exchange messages in the login phase and chb is used when the GW N and Sensor node S j exchange messages in the login phase. Five initial variables were used: R i , ID i , ID g , SID j , and PW i . ID i and PW i are the personal information made by the user U i when registering. R i is a random string made up of the user's biometric information. ID g is the identity of the gateway and SID j is the unique string of the sensor node S j . x is defined as a secret key. P is a generator for creating a session key, which is the initial value used in ECC. The concatenate function and the xor function, including the multiplication in ECC and the hash function h and h 1 , are defined for the events that indicate the start and end of each.  (*--events--*) event beginUi(bitstring). event endUi(bitstring). event beginGWN(bitstring). event endGWN(bitstring). event beginSj(bitstring). event endSj(bitstring). Table 3 shows the registration phase of the user U i and the process of the login and authentication phase. Table 4 demonstrates the registration phase and the login and authentication phase of the GW N. Table 5 displays the authentication phase of the sensor node S j . Table 6 shows the query against the attack with the prover-sive, and Table 7 shows the result for Table 6. Table 3. U i protocol.
When the code that makes up the scheme is executed, ProVerif prints the following results: 1.
RESULT (QUERY) is false.
The first code means that the event has been verified and the authentication has been successful, while the second code means that the event has not been verified. The third code means that the query was proven and the attack was not successful. When the fourth code is displayed, the query is false, meaning that an attack is possible and the attack induction and tracking is thus displayed.
The ProVerif result of the proposed scheme is shown to be accurate for all events by simulating the result as shown in the figure (see Table 8). Therefore, the proposed scheme is safe from virtual attacker A and the virtual attack has been successfully terminated. The only value that the user sends in the registration center is the ID i . However, their ID i is used after hashing with other values at every subsequent step. It can not be used because it is used as hashed with values that are not exposed to the outside such as PW i or R i , GID i , GID new i , e i , MU 2 and SID j , MG 2 , and these values are not exposed. Therefore, it is safe from a privileged insider attack.

Outsider Attack
U i 's smart cards include h (.), h 1 (.), P, GID i , and fuzzy extractors. Information such as session key or ID i , which can be a critical value, or information such as a user's password are all hashed, or can not be extracted because the value can not be extracted from ECC. In addition, IDs and GIDs are kept in the database, and ID i information can not be extracted because ID i are not used directly in the protocol.

Offline ID Guessing Attack
PW i and ID i are not used directly in this phase. They are used through hashing by concatenating them with other variables, so ID i and PW i can not be directly obtained from public information. Therefore, ID i and PW i can not be obtained using login request messages MU 1 , MU 2 , MU 3 , GID i , and SID j . Since ID i and GID i are combined and stored in the database, it is impossible to extract the ID i from the protocol.

Online ID Guessing Attack
ID i and PW i are not directly used in the phase so the attacker can not guess the ID i s or passwords of others. It is impossible to retrieve a user's ID i in the protocol because the IDs and GIDs are stored in the database, and ID i is found by searching the database.

Session Key Disclosure Attack
The session key should be computed as β or α when knowing αP or βP with αβP. Neither β nor α are known to the user or the sensor node, so it is impossible to know the session key unless it is a user or a sensor node.

User Impersonation Attack
After the ID i is found in the database using the GID, e i = MU 1 + h (GID i ||x) is calculated in order to compare the MU 3 and h ( ID i ||e i ||GID i ||MU 2 ||SIDj ) . One can never be accepted as a specific user without knowing the ID and GID pair. Therefore, a User Impersonation Attack is impossible.

Server Impersonation Attack
The server is identified in MS 3 = h (GID i ||SID j ||c j ). c j = h (SID j ||x) and x is the secret key. Therefore, it is necessary to know the c j calculated by the secret key other than the GID i and the SID j included in the message in order to authenticate the server and c j is not used alone and and other values. In addition, the value x in the destination c j = h (SID j ||x) can not be determined because it is always used by hashing with SID j .

User Anonymity
In the login process, the user gives MU 1 , MU 2 , MU 3 , GID i , and SID j to the GW N. In this case, is continuously changed by the random number R i . Since ID i is used by hashing, one cannot guess ID i through MU 1 , MU 2 , MU 3 , GID i , and SID j .

Forward Secrecy and Backward Secrecy
Because of the nature of ECCDH, we can not find αP and βP through αβP, we can not find αβP through αP and βP, and we can not find α through P and αP.

Performance Analysis of the Proposed Scheme
Four symbols in total are used to analyze performance. T m is the time of the multiplicative operation used in ECC. This takes the most time in our scheme. T Rep assumes that it is equal to T m , the time to check for a match when recognizing the user's biometric B * i . T s means time in symmetric encryption or decryption. Finally, T h means the time it takes to use the hash function. These are listed in Table 9. The authors [26] measured the approximate execution time of each cryptographic operation under the following conditions: The proposed scheme produced the best results in time among all the three factor user authentication schemes using ECC (see Table 10).

Conclusions
Many user authentication schemes have been proposed for wireless sensor networks, but they have serious security flaws, respectively. Recently, Wu et al. also proposed a three-factor user authentication scheme, which is looking promising. However, we discovered vulnerabilities in the configuration of their scheme and proposed a new scheme to address the discovered issues. Finally, we provide security and performance analysis between the Wu et al. scheme and our proposed protocol, and provide formal analysis based on the ProVerif. The security and performance of the proposed scheme are significantly better than the existing user authentication schemes. Our scheme is not very fast yet. In the future, we will study the WSN protocol, which is safer, simpler and faster.

Conflicts of Interest:
The authors declare no conflict of interest. A probabilistic generation function for which the biometrics B returns a string α and a string β Rep A function that restore β to α and any vector B * close to B B

Appendix A
A vector with biometric information B * Any vector B * close to B GW N Gateway node ProVerif An analysis tool for protocol verification