Cryptanalysis and Improvement of a Privacy-Preserving Three-Factor Authentication Protocol for Wireless Sensor Networks

Wireless sensor networks (WSNs) are of prominent use in unmanned surveillance applications. This peculiar trait of WSNs is actually the underlying technology of various applications of the Internet of Things (IoT) such as smart homes, smart cities, smart shopping complexes, smart traffic, smart health, and much more. Over time, WSNs have evolved as a strong base for laying the foundations of IoT infrastructure. In order to address the scenario in which a user wants to access the real-time data directly from the sensor node in wireless sensor networks (WSNs), Das recently proposed an anonymity-preserving three-factor authentication protocol. Das’s protocol is suitable for resource-constrained sensor nodes because it only uses lightweight cryptographic primitives such as hash functions and symmetric encryption schemes as building blocks. Das’s protocol is claimed to be secure against different known attacks by providing formal security proof and security verification using the Automated Validation of Internet Security Protocols and Applications tool. However, we find that Das’s protocol has the following security loopholes: (1) By using a captured sensor node, an adversary can impersonate a legal user to the gateway node, impersonate other sensor nodes to deceive the user, and the adversary can also decrypt all the cipher-texts of the user; (2) the gateway node has a heavy computational cost due to user anonymity and thus the protocol is vulnerable to denial of service (DoS) attacks. We overcome the shortcomings of Das’s protocol and propose an improved protocol. We also prove the security of the proposed protocol in the random oracle model. Compared with the other related protocols, the improved protocol enjoys better functionality without much enhancement in the computation and communication costs. Consequently, it is more suitable for applications in WSNs


Introduction
Wireless sensor networks (WSNs) play a pivotal role in the origin and propagation of the IoT, the notion that each object (virtual or physical) can be sensed, identified, accessed and interconnected via the Internet within a dynamic ubiquitous network. Wireless sensor networks (WSNs) are networks composed of a large number of randomly distributed sensor nodes. These sensor nodes jointly perceive environmental information and transmit the perceived information to the gateway node through a self-organizing multi-hop network. WSNs are widely used in battlefield situational awareness, The remaining sections of this article are arranged as follows: the second section summarizes the symbols used in this paper and reviews the Das's protocol; Section 3 shows our attack on Das's protocol. Section 4 describes our improved protocol; Section 5 gives the formal security proof of the improved protocol. The computational efficiency and communication efficiency of the improved protocol are compared in Section 6. Finally, the article is summarized in Section 7.

Review of Das's Protocol
In this section, we first summarize the symbols used in the paper and their corresponding meanings in Table 1, and then briefly review the multi-factor authentication protocol with anonymity designed by Das [18]. Das designed a multi-factor authentication protocol including registration phase, login phase, authentication and key establishment phase, password & biological information update phase, and sensor node dynamic join phase. We focus on the first three core phases of the protocol. For more details of the protocol, readers may refer to [18]. Table 1. The symbols and definitions used in this paper.

U i
The i th user ID i The identity information of user U i PW i The password of user U i B i The biological sample of user U i K The high entropy key of user U i GW The gateway node SN j The j th sensor node in the WSN ID SN j Identity information of the j th sensor node MK SN j The master key of the j th sensor node h(·) Anti-collision cryptographic one-way hash function X S Master key of the gateway node GW E k (m) Encrypt the plain-text m with a key k using an encryption algorithm D k (m) Using a decryption algorithm to decrypt a cipher text m using a key k RN X Participant X generated random number T i Current timestamp of the system ∆T Maximum transmission delay allowed in within WSNs ⊕ Bit XOR operation || Data cascading operation

Registration Phase
During the registration phase, a legitimate user U i registers with the gateway node GW over a secure channel. The registration phase includes the following steps: StepR1: The user U i selects his or her identity ID i , password PW i and samples its biometric template B i , and then randomly generates a 1024-bit key K. The user U i computes user Gen(B i ) = (σ i , τ i ) through the biometric key generation algorithm Gen(•) in the fuzzy extractor [21], where is the bio-key, and τ i is the public information for recovering σ i .
StepR2: The user U i calculates the masked password information RPW i = h(ID i K PW i ) and sends the message (ID i , RPW i ) to the gateway node GW over the secure channel.
StepR3: After receiving the registration request, the gateway node GW generates a 1024-bit key X S and calculates r i = h(ID i X S ) ; the gateway node GW issues a smart card SC i to the user U i through the secure channel, where the smart card contains information r i , h(•) .
StepsR4: After receiving the smart card SC i , the user U i calculates e i = h(ID i σ i ) ⊕ K , f i = h(ID i RPW i σ i ) , and r * i = r i ⊕ h(ID i K) ,. Finally, the user U i replaces r * i with r i and save the information and e i , f i , τ i , Gen(•), Rep(•) to the smart card.

Login Phase
If a user U i wants to pass the authentication of the gateway node GW and obtain real-time information from the sensor node, the user needs to perform the following steps: StepL1: The user U i first inserts his smart card SC i into the card reader, then enters his or her identity ID i , password PW i , and samples its biometric template B * i . StepL2: The smart card SC i uses the fuzzy key extractor's bio-key recovery algorithm to calculate, , the smart card SC i verifies whether f * i is equal to the stored f i . If they are equal, the smart card SC i passes the verification of the user's password and biometric information; otherwise the smart card refuses to run rest of the protocol.
StepL3: The smart card SC i calculates M 1 = r * i ⊕ h(ID i K * ) and generates a random number RN U i . Suppose the user U i wants to get the information collected by the sensor node SN j , then the where T 1 is the current timestamp of the system. The smart card SC i finally sends a message (ID SN j , M 2 , M 3 , T 1 ), to the gateway node GW.

Authentication and Key Establishment Phase
After receiving the authentication request information (ID SN j , M 2 , M 3 , T 1 ) of the user, the gateway node GW performs the following steps: StepA1: The gateway node GW first verifies the validity of the timestamp T 1 , that is, suppose the message is received at the time T 2 , and verifies whether |T 2 − T 1 |≤ ∆T is valid, where ∆T is the maximum delay allowed for the message transmission in the sensor network. If the above verification is passed, the gateway node GW further calculate The gateway node GW verifies whether M 6 = M 3 is valid. If so, the user identity is legal; otherwise, the gateway node GW terminates the protocol. StepA2: The gateway node GW calculates the encrypted cipher-text where MK SN j is the master key shared by the gateway node GW and the sensor node SN j and T 3 is the current timestamp of the system. The last gateway node GW sends a message (ID SN j , M 7 ) to the sensor node SN j .
StepA3: When the sensor node SN j receives the message (ID SN j , M 7 ) at the time T 4 , it first decrypts the message M 7 with its master key MK SN j , and then verifies whether the decrypted identity information ID SN j is correct and further verifies whether |T 4 − T 3 |≤ ∆T is established. If it is established, the message is legal, otherwise the sensor node SN j terminates the protocol operation.
StepA4: When the sensor node SN j generates a random number RN SN j , calculates the session key shared with the user, where T 5 is the current timestamp of the system; in addition, the sensor node SN j calculates M 8 = h(SK ij ) and M 9 = M 5 ⊕ RN SN j ⊕ ID i finally SN j sends (M 8 , M 9 , T 5 ) to the user U i .
StepA5: When the user U i receives the message (M 8 , M 9 , T 5 ) at the time T 6 , first verifies whether , through their smart cards SC i , as well. Finally, the user U i verifies whether M 11 = M 8 is true. If true, the user U i accepts the protocol operation and uses the session key SK ij and the sensor node SN j to perform confidential data transmission in subsequent communication.

Security Analysis of Das's Protocol
In this section we present a security analysis of the Das's protocol. We found that the Das's protocol has serious security vulnerabilities and security cannot be guaranteed.

Node Capture Attack
Since sensor nodes are typically deployed in unmanned or hostile areas, it is easy for an attacker to capture sensor nodes. It is usually required that sensor nodes are captured without affecting the remaining nodes and users in the network. However, in the Das's protocol, if an attacker captures a sensor node SN j , the master key MK SN j of the node can be obtained, and then the attacker can perform the following two types of attacks.

User Phishing Attack
After an attacker captures a sensor node SN j , any user U i can send a data request to the node SN j through the gateway node GW, and the attacker can obtain the private key of user U i through the authenticated message and can spoof the user to the gateway node GW. After obtaining the message (ID SN j , M 7 ) sent by the gateway node GW, the attacker decrypts M 7 with master key MK SN j and obtains ID i , ID SN j , M 5 , h(M 4 ), T 1 , T 3 . Note that M 5 = RN U i is a random number selected by the user U i and authentication request message ID SN j , M 2 , M 3 , T 1 .can be found by the attacker according to the timestamp T 1 . The value h(ID i X S ) can be recovered using M 2 = h(ID i X S ) ⊕ RN U i . Where, h(ID i X S ) is the secret value which is used by user U i to prove identity to the server. An attacker can obtain data of all nodes of the whole sensor network by imitating users. Specifically, an attacker only needs to select a random number RN U * i , then is the current timestamp of the system. Finally, the attacker sends a message (ID SN k , M * 2 , M * 3 , T * 1 ) to the gateway node GW, where,ID SN k is any sensor node that the attacker wants to get information. Obviously, the message (ID SN k , M * 2 , M * 3 , T * 1 ) will be validated by the gateway node GW. Through the above attack, the attacker can obtain the data of all nodes in the whole network by imitating the user after capturing a sensor node.

Sensor Node Phishing Attack
Similar to the above attack, the attacker can capture the sensor node SN j and can imitate the remaining sensor nodes to send false information to trick the user U i . When the attacker intercepts the message sent by the user U i , it only needs to use h(ID U i X S ) ⊕ M 2 to recover the random number selected by the user U i , and then impersonate the sensor node ID SN k to select the random number and return the message according to the description of the protocol. The attacker knows the user's secret information h(ID U i X S ) , so the attacker can successfully imitate the remaining sensor nodes to trick the user U i . Since sensor networks often involve sensitive military applications, false information can be sent to users through the above attacks, so node counterfeiting attacks can bring huge losses to the users.
It can be seen from the above two attacks that after the attacker captures a sensor node, not only the user's secret information can be obtained, but the other sensor nodes of the network can be misused to send false information to the user, which brings huge security threat to the protocol.

Denial of Service Attack
Das's protocol claims to implement anonymous protection for users, so the authentication information (ID SN j , M 2 , M 3 , T 1 ) of the user U i is not included in the user's authentication information. When receiving a message, the gateway node GW needs to verify the validity of the authentication information without knowing the identity of the user. The protocol description does not explain how the gateway node GW knows the identity of the user. Therefore, according to the implementation of the protocol, only the exhaustive method can be used to verify the user's authentication information, that is, for each possible identity ID, the gateway node GW calculates and further verifies whether M 6 = M 3 is true. The above process will consume a large amount of computing resources from the gateway node GW. If the attacker impersonates the user to send an authentication request, the gateway node GW will not discover that the authentication request is invalid until traverse all registered users. Therefore, Das's protocol cannot resist denial of service attacks due to user anonymity. Hence, Das' protocol does not offer user anonymity due to errors in protocol design.

Improved Protocol
In view of the security vulnerabilities of Das's protocol, we find that the root cause of node capture attack is that the user's secret information is exposed to the sensor node incorrectly in the protocol design. In fact, in the authentication process, the sensor node and the gateway node authenticate through the shared key, and the sensor node should not get any secret information of the user. The essential reason is that the protocol does not realize user anonymity, which is a protocol design error. Based on the above analysis, this section presents our improved protocol.

Registration Phase
In the registration phase, a legitimate user U i registers with the gateway node GW through a secure channel. The registration stage includes the following steps: StepR1: Users U i select their identity ID i , password PW i and sample their bio-template B i , and then calculate Gen(B i ) = (σ i , τ i ) using the bio-key generation algorithm Gen(•) in the fuzzy extractor, where σ i is the bio-key, and τ i the public information for recovering σ i .
StepR2: The user U i calculates the secret value RPW i = h(ID i σ i PW i ) and sends the message (ID i , RPW i ) to the gateway node GW through the secure channel.
StepR3: After receiving the registration request, the gateway node GW generates a 1024-bit key X S and chooses a random identity DID i for the user, then calculates r i = h(ID i DID i X S ) the gateway node GW issues a smart card SC i containing information r * i = r i ⊕ RPW i , DID i , h(•) to the user U i through the secure channel. GW adds record (DID i , ID i ) to its database and protects the database with its master key X S .
StepR4: After receiving the smart card SC i , the user U i deposits the information τ i , Gen(•), Rep(•) into the smart card.

Login Phase
If a user U i wants to authenticate the gateway node GW and obtain real-time information from the sensor node SN j , the user needs to perform the following steps: StepL1: The user U i first inserts his smart card SC i into the reader, then enters his identity ID i , password PW i and sampled his biological template B * i . StepsL2: Smart cards SC i computes σ * i = Rep(B * i , τ i ) using the bio-key recovery algorithm of the fuzzy extractor; then smart cards SC i computes, and generates a random number RN U i , where,T 1 is the current timestamp of the system. If the user U i wants to get the information SN j collected by the sensor node SN j , the smart card SC i calculates the ciphertext The smart card SC i finally sends a message (DID i , ID SN j , C 1 , T 1 ) to the gateway node GW.

Authentication and Key Establishment Phase
After receiving the authentication request information (ID SN j , M 2 , M 3 , T 1 ) of the user, the gateway node GW performs the following steps: StepA1: Gateway node GW first verifies the validity of the timestamp T 1 , that is, assuming that the message is received at time T 2 , verifies whether |T 2 − T 1 |≤ ∆T is valid, where, ∆T is the maximum allowable delay of message transmission in sensor network. If the above authentication passes, the gateway node GW further searches for the corresponding user's real identity ID i according to DID i . If the database contains the above records, the gateway node GW calculates K * 1 = h(h(ID i DID i X S ), T 1 ) and decrypts the cipher-text C 1 using the temporary key. If the decrypted message contains the correct DID i and T 1 , the user's identity is legitimate; otherwise, the gateway node GW terminates the operation of the protocol. StepA2: The gateway node GW calculates the encrypted cipher text where, MK SN j is the master key shared by the gateway node GW and the sensor node SN j , RN U i is the random number obtained by decryption, and T 3 is the current timestamp of the system. Finally, the gateway node GW sends a message (ID SN j , C 2 ) to the sensor node SN j .
StepA3: When the sensor node SN j receives the message (ID SN j , C 2 ) at the time T 4 , it first decrypts the message C 2 with its master key MK SN j , then verifies whether the decrypted identity ID SN j information is correct and further verifies whether |T 4 − T 3 |≤ ∆T is valid. If it is true, the message is legitimate; otherwise the sensor node SN j terminates the protocol.
StepA4: When the sensor node SN j generates a random number RN SN j calculates the session where T 5 is the current timestamp of the system; in addition, the sensor node SN j calculates StepA5: When the user U i receives the message (Auth 1 , C 3 , T 5 ) at the time T 6 , first verifies whether |T 6 − T 5 |≤ ∆T is valid. If true, the user U i calculates the temporary key K 2 = h(ID i , ID SN j , RN U i ), and decrypts the cipher-text C 3 . If the decrypted message contains the correct ID i , ID SN j then the user where, RN SN j is the random number which is decrypted from C 3 . Finally, the user U i verifies the validity of the protocol. If it is validated, the user accepts the protocol to run and in the subsequent communication the session key SK * ij is used to transmit confidential data with the sensor node SN j .

Password and Biological Template Update Phase
Assuming the user wants to update the current password, he performs the following steps: Step U1: The user U i inserts his/her smart card SC i into the card reader, then enters his/her identity ID i , original password PW i , new password PW * i , and samples his/her biometric template B * i . Steps U2: The smart card SC i uses the biological key recovery algorithm Rep(•) of fuzzy extractor to calculate σ * i = Rep(B * i , τ i ). The smart card SC i then calculates RPW i = h(ID i σ * i PW i ) and RPW * i = h(ID i σ * i PW * i ) . Finally, calculates r * i ⊕ RPW i ⊕ RPW * i and replaces the original r * i with that value.
Similarly, the user U i can take similar steps to update the biological template.

Security Certificate
In this section, we formalize the security proof of our improved protocol. Firstly, we briefly review the two-factor protocol security model in [8] and extend it to the application environment of multi-factor protocol. Then we prove the security of our improved protocol under the extended model.

Formal Security Analysis of the Improved Protocol Using Random Oracle Model
The participants of the protocol include user U, gateway node GW and sensor node SN. To be simple, it is usually assumed that the gateway node GW is unique in the wireless sensor network. Each user can activate and run multiple session instances simultaneously. We use key Π x P to represent the x th session instance of the protocol participant P, which can be a user, gateway node, or sensor node. Since the session key is shared by the user and sensor nodes, the session id sid x P defining the user instance or sensor node instance Π x P is a cascade of all messages (except the last one) that the instance sends and receives during the execution of the protocol. The partner id pid x P defining the user instance or sensor node instance Π x P is identified as the intended communicator with which the instance Π x P wants to establish the session key. Each user U i has three kinds of secret information, password PW i , smart card SC i , and biological template B i , after the registration stage. Among them PW i is the low-entropy password, randomly selected from the password dictionary space. The gateway node GW has a long-term key X S and holds a list of records about user authentication information, where each record corresponds to a user; in addition, GW shares a high-entropy symmetric key MK SN j with each sensor node SN j . Each sensor node SN j stores a symmetric key MK SN j shared with the gateway node. It is usually assumed that the sensor node is easily captured by the attacker, and the attacker can recover its master key MK SN j .
We call a user instance Π x U and a sensor node instance Π y SN partners if (1) both instances accept the protocol and generate a shared session key; (2) sid x U = sid y SN ,(3) pid x U = SN and pid y SN = U. A as the attacker of the protocol, is a probabilistic polynomial time attacker and controls the communication network of the whole protocol. That is, the attacker can intercept, eavesdrop, delete, delay, modify and forge messages. In addition, according to the security definition of multifactor protocol, an attacker A can capture arbitrary sensor nodes and recover their stored keys, and can also arbitrarily obtain two types of authentication factors of user's three types of authentication factors. It should be noted that attacker A are not allowed to corrupt gateway nodes, because once the gateway nodes are corrupted, any such protocol cannot guarantee session key security. We describe A's ability by following instructions and inquiries: Send(Π x P , m): This instruction describes A's ability to attack instance Π x P actively. Attacker A impersonates a protocol participant to send a message m to an instance Π x P and gets the message returned by the instance Π x P after receiving the message m according to the protocol description. Reveal(Π x P ): This instruction can only be used for user instances or sensor node instances to characterize known key attacks. With this query, the attacker A will get the session key generated by the instance Π x P ; if the instance Π x P does not generate the session key, the query will be returned to denote invalidity.
Corrupt (SN j ): This instruction simulates capture attacks on sensor nodes. The attacker A will get the private key MK SN j of the sensor node SN j and control the sensor node completely. If the attacker inquiries, the sensor node is said to be completely corrupted.
Corrupt (U i ): There are three types of corrupt inquiries about user U i : Corrupt (U i , 1): The attacker A will get the password of user U i through this corrupt inquiry. Corrupt (U i , 2): The attacker A will get an effective biological template for the user through this corrupt inquiry.
Corrupt(U i , 3): The attacker A will get the smart card SC i held by the user U i through this corrupt inquiry and recover all stored information in the smart card through reverse engineering.
If attacker A makes three kinds of corrupt queries to the user U i , the user U i is said to be completely corrupted. In addition, if an attacker A makes queries (Corrupt(U i , 2) and Corrupt(U i , 3)) to the user U i , the attacker A can recover the export order through an offline dictionary attack, so in this case we also call the user U i completely corrupted. We will explain this further in the next section.
Test(Π x P ): This instruction can only be used for user instance or sensor node instance. It does not describe the attacker's real attack ability but is used to measure the semantic security of protocol session key. To answer this instruction, a uniform coin toss is needed. Assuming that the participant instance Π x P has accepted the protocol and generated the session key, if the coin toss result is 1, the real session key of the instance is returned, and if the coin toss result is 0, a random number equal to the session key is returned. The attacker's goal is to guess the result of a coin toss when simulation Test inquiry. If the attacker succeeds in guessing the result of the coin toss, A is regarded as successful, and we record this event Succ.
In the above attack games, we need to define session freshness to exclude the situation where an attacker A can easily win the attack game. We limit that the attacker can implement Test inquiry to only new session instances. Defining user instances or sensor node instances is new if (1) Participants or their partners are not completely corrupted before the instance runs the protocol; (2) Attackers have not implement Reveal inquiry to the instance or its partner instances (if they exist).
Given a multifactor protocol P, the advantage of an attacker A to destroy the session key security of the protocol is defined as Adv m f ake P.D (A) = 2.Pr[Succ] − 1. If for an attacker A with arbitrary probabilistic polynomial time, the advantage Adv m f ake P.D (A) of destroying the session key security of the protocol P is negligible, it is said that the multifactor protocol P satisfies the session key security.

Security Proof
Theorem 1. P is the multifactor protocol proposed in Section 4, and A is a probabilistic polynomial time attacker. Assuming that the symmetric encryption algorithm E used in the protocol is indistinguishably secure against selective message attacks h(•) is a random predictive function, and the fuzzy extractor used in P is robust, the advantage of the session key to attack the security of the multi-factor protocol is a negligible function concerning security parameters. That is to say Adv m f ake Proof. We prove the security of the multifactor protocol in Section 4 by means of mixed game. We start with a real attack game and then gradually modify the simulated rules until the attacker has no advantage in differentiating session keys. For each attack experiment Exp i , we use Succ i to represent the attacker's attack advantage in this experiment; moreover, we use ∆ i to represent the difference between the experiment Exp i and the experiment Exp i+1 .
Exp0: This experiment simulates the attack game under the real protocol running conditions. From the definition of attacker advantage, we can know Exp1: In this experiment, we simulated random oracle function h by maintaining hash listsˆh. Specifically, for a random oracle function h query, assume that the input is h, the simulator first queries whether there is a record corresponding to m in the Hash listˆh and returns the corresponding output directly if it exists; otherwise, the simulator randomly selects a value from the range of the random oracle function as the output of the query and returns it to the attacker, and adds the corresponding record to the hash Listˆh * . In addition, we use similar rules to simulate a private random oracle function h * and maintain the corresponding hash listˆh * . As can be seen from the above rules, the random oracle function is perfectly simulated, so we have Exp2: In this experiment, we modify the simulation rules of the passive conversation conducted by the attacker, that is, to modify the simulation of the Execute inquiry. Specifically, when an attacker implement Execute inquiry, all simulations are performed according to the real protocol description, but when calculating the session key SK ij , we use the private random oracle function h * to calculate, and do not input the random number of users and sensor nodes, that is, we calculate SK ij = h * (ID i ID SN j T 1 T 5 ) . Correspondingly, when the user receives the last message, the input SK ij , is calculated in the above way when validating the validity of Auth 1 .
According to the randomness of random predictive function, experiment Exp2 and experiment Exp1 are indistinguishable unless the attacker implements (ID i ID SN j RN U i RN SN j T 1 T 5 ) inquiry to the random predictive function h. Because RN U i is randomly chosen by users and transmitted by symmetric encryption algorithm in passive session, assuming that the attacker can get RN U i , the simulator can use the attacker's decryption ability to attack the indistinguishable security of symmetric encryption algorithm. The simulator can use the challenge cipher-text of symmetric encryption algorithm as the cipher-text C 1 sent by users in the protocol. As the above-mentioned statute process is more intuitive, we will not elaborate on it for the sake of simplicity. From the above analysis, we can know: Exp3: In this experiment, we began to modify the simulation rules of active conversations with attackers, that is, to modify the simulation of Send inquiries. For queries , if sensor nodes SN j are not corrupted by attackers, the simulator makes user instances Π x U i refuse to run the protocol without authentication. If the sensor node SN j is corrupted, the simulation is performed according to the protocol description, and the simulation rules are unchanged. Experiment Exp3 and experiment Exp2 are indistinguishable unless the attacker succeeds in obtaining the random number RN U i chosen by the user and performs corresponding operations according to the protocol description to generate message (Auth 1 , C 3 , T 5 ). Since sensor node SN j are not corrupted by attackers, attackers can only obtain random number RN U i 's information through encrypted cipher text. Similar to the analysis of the previous experiment, if an attacker can get information about random numbers, we can use the attacker's decryption ability to attack the indistinguishable security of symmetric encryption algorithm. So, we have: Exp4: In this experiment, we continue to modify the simulation rules for active conversations with attackers. For the Send(Π z SN j , (ID MN j , C 2 )) queries received by the sensor node instance Π z SN j , if the message C 2 is not generated by the gateway in the corresponding session, we make the sensor node instance Π y SN j reject and terminate the protocol operation directly. Because sensor nodes SN j are not corrupted by attackers, attackers cannot use their master key MK SN j to encrypt a fresh timestamp. Otherwise, we can choose two identical messages like (ID i , ID SN j , RN U i , T 1 , * ) inquiry in the attack game against symmetric encryption algorithm. The last one of the messages chooses the current timestamp of the system and the other one chooses the previous timestamp. The simulator chooses one of them. Encryption as a challenge cipher text. In this way, the indistinguishable security of symmetric encryption algorithm for selective message attacks can be destroyed by attackers' attacks on protocols. So, we have: Exp5: In this experiment, we continue to modify the simulation rules for active conversations with attackers. When the gateway instance Π y GW receives Send(Π y GW , (DID i , ID SN j , C 1 , T 1 )) from the attacker, it first queries the identity ID i of the real user which the attacker counterfeit with DID i . If the user has been corrupted completely by the attacker, then the simulation rules are carried out according to the description of the protocol without any change. If the user's password and biological template are corrupted by the attacker, the simulator makes the gateway instance refuse directly and terminate the protocol operation. Experiment Exp5 and experiment Exp4 are indistinguishable unless the attacker can recover h(ID i DID i X S ) without getting the information in the smart card. For the high entropy of X S and the randomness of the random predictive function, the probability of the attacker's recovery h(ID i DID i X S ) without the data in the smart card is negligible. So, we have: Exp6: In this experiment, we last modified the simulation of an attacker's active conversation. Similar to the experiment Exp5, when the gateway instance Π y GW receives the message Send(Π y GW , (DID i , ID SN j , C 1 , T 1 )) from the attacker, it first queries the identity ID i of the real user which the attacker counterfeit with DID i . If the user has been completely corrupted by the attacker, then the simulation rules are carried out according to the description of the protocol without any change. If the user's password and smart card are corrupted by the attacker, the simulator makes the gateway instance refuse directly and terminate the protocol operation. Experiment Exp6, and experiment Exp5 are indistinguishable unless an attacker can recover h(ID i DID i X S ) without an effective biological template. Because what is stored in the smart card is h(ID i DID i X S ) ⊕ RPW i , the attacker must restore the biological key σ i to calculate RPW i , and then the attacker can restore h(ID i DID i X S ) . From the security of the fuzzy extractor, it can be seen that under the condition of only public information τ i , the uniform distribution of the biological key σ i and the range of the fuzzy extractor is statistically indistinguishable. So, we have: In the above experiments, the session keys in all passive sessions are randomly selected after constant modification of protocol simulation rules. In all active attack sessions conducted by an attacker, if the attacker's counterfeited participants are not completely corrupted, the active session will be rejected according to simulation rules (when the attacker's counterfeited participants are completely corrupted, the session is not new). Fresh, so the security of session key cannot be guaranteed. Therefore, in Exp5, the attacker's advantage in distinguishing session key from random number is 0.
Combining the conclusions of all the above mixed experiments, Theorem 1 is proved.
Note: When defining a user's complete corruption in the security model, we define that the user is also completely corrupted when the attacker gets the user's biological template and smart card. Correspondingly, in the proof of Theorem 1, we do not consider the counterfeit attack when the attacker gets the biological template and smart card, because the attacker can guess the password offline and verify the password guess by the message (DID i , ID SN j , C 1 , T 1 ). In the above attack scenario, the attacker can recover the user password through offline dictionary attack. As pointed out in document [22], any multifactor protocol without public key cryptosystem cannot resist the attack mentioned above. The above-mentioned problem is still an open and difficult one. In our improved protocol, we bind the user's real identity and password. Attackers need to guess the identity information and password at the same time. Usually, the identity information and password are 32 bits, respectively. Therefore, the ability of the protocol to resist dictionary attacks is enhanced to a certain extent.

Performance Analysis
In this section, we compare the computational cost, communication costs and the functionality features of the improved protocol with those of other similar protocols [3,6,8,10,18]. Since each user registers once, we focus on the login, authentication & key establishment phases for comparison of computational/communication cost. We are using T H , T sym , T f , T epm and T pub to denote the time complexity of the output of a hash operation, a symmetric encryption/decryption operation, a fuzzy extractor operation, an elliptic curve point multiplication operation, and a public key encryption/decryption operation respectively. The time complexity of a fuzzy extractor operation is higher than the time complexity of a hash operation. Comparison of computational costs is shown in Table 2.
For communication cost, we compare the number of rounds and bandwidth. We assume that a random number, a point on an elliptic curve group, and an output of hash function be 160 bits long; the identity and the password be 32 bits long; and the timestamp be 64 bits long. The cipher-text length of the symmetric encryption algorithm is the same as that of the plain-text, while the cipher-text length of the public key encryption algorithm is set twice that of the plain-text.

Compared Protocols Users Gateway Nodes Sensor Nodes
Reference [3] 4T H 4T H T H Reference [6] 5T H 5T H T H Reference [8] 2T H 5T H 2T H Reference [10] 8T H +T pub 8T H +T pub 2T H Reference [12] T Table 2, we can see that the computational cost of our improved protocol is comparable to that of the protocol in [18], higher than that in [3,6,8], but significantly better than that of the protocols in [10,12]. However, the protocol in [3,6] only achieves authentication and does not establish session keys for users and sensor nodes. The computational cost of the protocol in [3,6] will be comparable to our improved protocol after increasing computational complexity to achieve key generation.
As can be seen from Table 3, the number of communication rounds of our improved protocol has reached the optimum level, which is slightly higher in bandwidth than that of the protocols in [3,6,8]. The protocols in [3,6] save some communication bandwidth because it does not establish session key between the user and the sensor. However, the protocol in [8] uses the "challenge-response" mechanism, which leads to the high number of communication rounds. In wireless networks, reducing the number of communication rounds is far more important than reducing the computational cost and communication bandwidth and this feature is achieved by the proposed protocol. Next, we focus on the communication bandwidth on sensor-node (SN) as apparent from Table 3. For this specific comparison, we have considered incoming as well as outgoing messages on SN because when a SN receives any message it also exhausts its memory as well as battery power. We observe from Table 3 that the total communication bandwidth on sensor-node (SN), is least in the protocols in [3,6], highest in the protocol in [18], and it is same for our improved protocol & the protocol in [12]. However, if we consider the communication bandwidth in the context of the messages communicated by SN then, it is nil in the protocols in [3,6]; it is least in the protocol in [10]; and it is highest in the protocol in [12].
Besides, the average communication costs between the user and a sensor is given by 384 bits and 448 bits communication bandwidth in the protocol in [18] and the proposed protocol respectively; and it is nil in the remaining protocols [3,6,8,10] because the protocols in [3,6,8,10] do not allow the user to access the real time data directly from the SN. Table 4 compares the functionality features of the proposed protocol with the protocols in [3,6,8,10,18]. The protocol in [10] is said to provide only partial three-factor security because it uses simple hash function for handling the biometrics of the user which does not offer correct biometrics-matching. Further, it is noticeable that the protocol in [10] provides formal security analysis using BAN-Logic instead of using random oracle model or the standard model.