An Enhanced Lightweight Dynamic Pseudonym Identity Based Authentication and Key Agreement Scheme Using Wireless Sensor Networks for Agriculture Monitoring

Agriculture plays an important role for many countries. It provides raw materials for food and offers large employment opportunities, especially in densely populated countries. To enhance agricultural productivity, modern technology such as wireless sensor networks (WSNs) can be used to monitor important parameters in the agricultural field such as temperature, light, and soil moisture. If the monitoring process is compromised, for example by interception or modification of the measured parameters, it may lead to false decisions and damage agricultural productivity. Therefore, it is very important to develop a secure authentication and key agreement scheme for such a system. Recently, Ali et al. proposed an authentication and key agreement scheme using WSNs for agriculture monitoring. However, it fails to provide user untraceability, user anonymity, and session key security; it suffers from a sensor node impersonation attack and lacks perfect forward secrecy; and, even worse, it suffers from denial of service as a service. This study discusses these limitations and proposes a new, secure and more efficient authentication and key agreement scheme for agriculture monitoring using WSNs. The proposed scheme uses a dynamic pseudonym identity to guarantee user privacy and eliminates redundant computations to improve efficiency.


Introduction
Agriculture plays an important role for many countries around the world. In some countries, agriculture is essential not only to provide food and raw materials for its citizens, but also to provide large employment opportunities for its people. In some densely populated countries such as India [1], Nigeria [2], and Pakistan [3], agriculture has even become the economic backbone. Since agriculture is essential for life, as the world population rises the demand for agricultural products also increases, and without improvements in agricultural production people may someday face challenges in food availability.
Food availability depends on crop productivity and on many other diverse factors such as livestock, labor, sophisticated machines, etc. While factors such as livestock, labor, climate, soil, tools, and technology vary from country to country or even from farm to farm [4], the factors related to crop productivity remain broadly similar everywhere, such as whether the farms have enough water, fertilizer, temperature, light, etc. On the other hand, farmers are also facing many challenges such as

Literature Reviews
Agriculture monitoring helps farmers optimize their natural or artificial resources in their agricultural activities, which in turn influences crop productivity. Early studies on frameworks for agriculture monitoring based on WSNs [5–8] give important background on WSN utilization in agriculture, especially on how such systems can support decision making through better monitoring of the agricultural field. For example, Luis et al. [5] reviewed wireless sensor technologies for the agriculture and food industry; Jiber et al. [6] and Anurag et al. [7] presented precision agriculture monitoring frameworks using WSNs; and Panchard et al. [8] showed how wireless sensor technology can support farming decisions. However, these frameworks do not explain how the participants authenticate each other.
In recent years, more and more researchers have proposed authentication and key agreement schemes for the WSN environment [9–26]. Most of them are general-purpose schemes [9–15,17,24] and a few target specific applications [16,18–20,25,26]. For example, in 2009, Pecori and Veltri [25] proposed an alternative key agreement protocol for setting up multimedia sessions between user agents (UAs) without requiring any pre-shared key, trust relationship or PKI; it was implemented and integrated in a publicly available VoIP UA. In 2012, Pecori [26] developed a protocol for establishing a security association between two peers that want to set up a VoIP or multimedia communication through the standard SIP protocol; it is based on the MIKEY protocol and the Diffie-Hellman algorithm for key establishment and allows authentication via peer certificates without a centralized PKI. In the same year, Das et al. [9] proposed a dynamic password-based user authentication scheme for large-scale hierarchical WSNs, consisting of three entities: the user, the base station, and the cluster head. Then, in 2013, Xue et al. [10] proposed a temporal-credential-based scheme for WSNs and Shi et al. [11] proposed a new user authentication protocol for WSNs using elliptic curve cryptography. In 2015, there was even a study on group key management for WSNs [13]. Following these studies, Li et al. [12] and He et al. [15] showed weaknesses of Xue et al.'s scheme [10] and each proposed an improved scheme. In 2015, Lee [14] showed weaknesses of Li et al.'s scheme [12] and proposed an improved scheme using extended chaotic maps.
In the same year, Mesit and Brusta [24] proposed a secured node-to-node key agreement protocol whose shared key is based on a symmetric encryption algorithm, to address the resource-constrained setting. Moreover, in 2016, Kumari et al. [17] pointed out weaknesses of both Li et al.'s scheme [12] and He et al.'s scheme [15] and then proposed an improved scheme using chaotic maps.

Motivation and Contributions
The importance of using modern technology in agriculture has already been described above, together with how essential a secure and efficient user authentication and key agreement scheme is for agriculture monitoring using WSNs.
Dynamic pseudonym identity schemes [27–29], which are used by both Ali et al.'s scheme [23] and the proposed scheme, are popular and widely used in many areas of security research. A dynamic pseudonym identity means that each transaction uses an anonymous identity and that this anonymous identity changes in every new transaction. Anonymity matters in the agriculture setting because it protects the real identities of legitimate users. In this environment, sensor nodes are assumed to be deployed openly in the field and protocol messages cross a public channel. If the system does not provide anonymity, an attacker targeting a particular participant can easily tell which transactions belong to that participant and can then direct attacks at that target. For example, suppose Alice is an epidemic specialist working on a farm. An adversary who wants to damage the farm's facilities obtains Alice's identity and learns that she is responsible for monitoring the farm's temperature, humidity, and pests. The adversary may then use social engineering or dictionary attacks to obtain Alice's password or login information, log in to the monitoring system, tamper with information and damage facilities. By using a dynamic pseudonym identity, a scheme is expected to provide untraceability, privacy and user anonymity. However, Ali et al.'s scheme fails to provide user anonymity and user untraceability. It also suffers from other severe security weaknesses: an insider attack, a sensor node impersonation attack, loss of perfect forward secrecy, and loss of session key security. Moreover, Ali et al.'s scheme even suffers from denial of service, which occurs after a user/agriculture professional has successfully updated his/her password.
The rest of this study is organized as follows. Section 2 reviews Ali et al.'s scheme and discusses its security weaknesses in detail. Section 3 presents the proposed scheme. Section 4 presents the security analysis of the proposed scheme. Section 5 compares the security and performance of the proposed scheme with Ali et al.'s scheme. Finally, Section 6 draws conclusions.

Preliminary
Although this study discusses the weaknesses of Ali et al.'s scheme, it also recognizes the importance and advantages of their scheme, especially its novelty. This study follows their architecture for agriculture monitoring using WSNs and likewise uses a dynamic pseudonym identity and three-factor security (password, smart card and biometric), similar to Ali et al. The notations used in this study are listed in Table 1.

Table 1. Notations of the proposed scheme.

Symbol          Description
                Shared key between BS and U_i
X               Secret key of BS
X_{BS-GWN_j}    Secret key shared between BS and GWN_j
RI_j            Secret key shared between BS and SN_j
R_U             Random nonce generated by U_i

Ali et al. proposed a novel authentication and key agreement scheme using WSNs for agriculture monitoring. They first described how important agriculture is for economic systems and how WSN technology can be used to face many of the challenges in agriculture. They then reviewed literature related to security in the WSN environment and summarized the security requirements that a scheme needs to fulfil. Finally, they presented their scheme, its security analysis and its performance evaluation.
Compared with most existing WSN schemes, which consist of three entities, Ali et al.'s scheme consists of four entities: the user/agriculture professional, the base station BS, the sensor node, and the gateway node. The BS acts as the system administrator and is the central entity that authenticates the other entities. Without the BS, the other entities would have no basis to trust each other in the authentication and key agreement scheme.

Ali et al.'s Scheme
In 2017, Ali et al. [23] proposed a WSN-based scheme for agriculture monitoring, which consists of five phases: system setup; user/agriculture professional registration; login, authentication, and session key agreement; password update; and dynamic node addition.

System Setup Phase
To initialize the system, the system administrator SA selects a distinct identity ID_{SN_j} for each of the m sensor nodes SN_j, where 1 ≤ j ≤ m, and a distinct identity ID_{GWN_j} for each gateway node GWN_j. SA computes the shared key RI_j = h(ID_{SN_j} || X) for SN_j, where X is the secret key of the base station BS, and computes the shared key h(X_{BS-GWN_j}) for GWN_j. Finally, SA stores {RI_j, ID_{SN_j}} in SN_j's memory and {h(X_{BS-GWN_j}), ID_{GWN_j}} in GWN_j's memory. Then, SA deploys each sensor node SN_j and gateway node GWN_j in the target area. Here, SA acts as the representative of BS to initialize the identities and the shared keys of SN_j and GWN_j.

User/Agriculture Professional Registration Phase
As shown in Figure 2, a user/agriculture professional U_i needs to register with the base station BS. The following steps are executed when U_i wants to become a legitimate user of the agriculture monitoring system.
Step 1: U_i selects his/her own identity ID_i and password PW_i, imprints the biometric F_i on the sensor device, and then computes Gen(F_i) = (X_F, P_F) and RPW_i = h(PW_i || X_F), where Gen(.) is the generation function of a fuzzy extractor and X_F and P_F are, respectively, the secret key and the public helper data. Now, U_i sends {ID_i, RPW_i} to BS via a trustworthy channel.
Step 2: On receiving the registration request from U_i, BS first calculates the smartcard parameters. Afterwards, BS issues a smartcard holding {B_i, C_i, D_i, h(.)} and sends it to U_i via the same channel.
Step 3: After obtaining the smartcard from BS, U_i embeds P_F and Gen(.) in the memory of the smartcard, so that the smartcard finally holds {B_i, C_i, D_i, h(.), P_F, Gen(.)}.

Login Phase
When a user/agriculture professional U_i wants to know environmental information such as temperature, light, humidity and soil conditions, he/she has to log in to access this information. As shown in Figure 3, the following steps are executed in the login phase.
Step 1: U_i inserts his/her smartcard into the card reader, inputs ID_i and PW_i, and imprints F_i on the sensor device. Now, the card reader recomputes the verification value from these inputs and compares it with the value stored on the smartcard. If this verification holds, the system continues the process. Otherwise, the session is terminated.
Step 2: Now, U_i generates a random nonce R_U and computes

Authentication and Session Key Agreement Phase
As shown in Figure 3, after the login phase succeeds, the authentication and session key agreement phase is executed in the following steps.
Step 1: BS verifies the login request. If it holds, U_i is legal and BS goes to the next step. Otherwise, the session is rejected.
Step 2: Now, BS produces a random nonce R_BS and computes the request message {M_3, M_2, M_5} for GWN_j.
Step 3: After receiving the request message {M_3, M_2, M_5} from BS, GWN_j recomputes the corresponding values and checks whether the recomputed value equals M_5. If both verification conditions are true, it proceeds further. Otherwise, the session is terminated.
Step 4: Now, GWN_j generates a random nonce R_{GWN_j}, calculates its message to SN_j and sends it.
Step 5: Upon receiving the message from GWN_j, SN_j recomputes the corresponding values and checks them. If both checks are true, SN_j goes to the next step. Otherwise, the session is terminated.
Step 6: Now, SN_j generates a random nonce R_{SN_j}, computes M_8, SK and M_9, and sends {M_8, M_9, T_7} to GWN_j.
Step 7: After receiving the message from SN_j, GWN_j first verifies whether T_8 − T_7 ≤ ΔT holds. If true, the process continues. Otherwise, the session expires. Then, GWN_j recomputes the session key and checks whether its recomputed value equals the received M_9. If it holds, the next step proceeds. Otherwise, the session is terminated.
Step 8: GWN_j computes M_10 = E_{h(R_U || ID_i)}(RI_j || T_9 || R_{GWN_j} || R_{SN_j} || M_2) and sends {M_9, M_10} to U_i via the public channel.
Step 9: After receiving the message from GWN_j, U_i verifies whether T_10 − T_9 ≤ ΔT holds. If it holds, the next step proceeds.
Step 10: U_i decrypts M_10 with h(R_U || ID_i), computes the session key SK and checks whether its recomputed value equals M_9. If it holds, mutual authentication and session key agreement succeed.

Password Updates or Change Phase
In Ali et al.'s password update or change phase, user U_i modifies his/her password without involving the base station. As shown in Figure 4, the following steps are executed to update or change the password.
Step 1: U_i inserts his/her smartcard into the card reader, enters ID_i and PW_i, and imprints F_i on the sensor device. Now, the card reader recomputes the verification value and compares it with the stored one. If this verification holds, the process continues. Otherwise, the session is terminated.
Step 2: U_i enters a new password PW_i^new and computes RPW_i^new = h(PW_i^new || X_F).

Dynamic Node Addition Phase
This phase is used to add, replace, or drop a sensor node in the field. Let S_n be a sensor node to be added to the field. SA chooses the identity ID_n of S_n, calculates RI_n = h(ID_n || X) and stores {RI_n, ID_n} in the sensor node's memory. Finally, SA deploys S_n to the field.

Weaknesses of Ali et al.'s Scheme
This section discusses the weaknesses of Ali et al.'s scheme in detail. The weaknesses are grouped into three parts: violation of user untraceability, insider attack, and denial of service as a service. The insider attack is further divided into four sub-sections: violation of user anonymity, sensor node impersonation attack, lack of perfect forward secrecy, and violation of session key security. The details are described as follows.

Violation of User Untraceability
User traceability means the ability to tell whether transactions belong to or come from the same user. Ali et al.'s scheme tries to protect the user's real identity by using the pseudonym identity DID_i. However, the value of DID_i is constant in every transaction. By checking DID_i, an adversary can easily tell whether existing transactions were generated by the same user or not. Since transactions can be linked to one user this easily, Ali et al.'s scheme fails to provide user untraceability.

Insider Attack
An insider attack happens when a malicious but legal participant obtains key material of other participants, such as a shared key, and then uses that key to mount attacks. In Ali et al.'s scheme, each sensor node SN_j shares a key RI_j = h(ID_{SN_j} || X) with the base station BS, and RI_j should be known only to BS and SN_j. However, other legal participants such as GWN_j and U_i also obtain RI_j from a legal transaction during the authentication and session key agreement phase: GWN_j and U_i obtain RI_j when they decrypt D_{A_i}(M_1) and D_{h(R_U || ID_i)}(M_10), respectively, where M_1 = E_{A_i}(R_U || ID_{SN_j} || ID_{GWN_j} || T_1) and M_10 = E_{h(R_U || ID_i)}(RI_j || T_9 || R_{GWN_j} || R_{SN_j} || M_2). A long-term node key therefore leaves the node and the base station and is handed to every party that completes a session with that node. Once a legal GWN_j or U_i holds RI_j, it can use it to mount sensor node capture attacks, impersonation attacks, and attacks on perfect forward secrecy, as described below.

Violation of User Anonymity
User anonymity is important because it protects the real identity ID_i of a user U_i and ensures his/her privacy. In Ali et al.'s scheme, once a legal participant has obtained the shared key RI_j, he/she can capture other users' transactions {M_2, M_6, M_7} from the public channel, use RI_j to decrypt M_6, and obtain the ID_i of U_i, since D_{RI_j}(M_6) = R_BS || T_5 || R_U || R_{GWN_j} || ID_i. Therefore, Ali et al.'s scheme fails to provide user anonymity.

Sensor Node Impersonation Attack
A sensor node impersonation attack occurs when a malicious insider successfully acts as a legitimate sensor node. When a legitimate sensor node is breached or captured by an adversary, it may result in severe security breaches [30], such as eavesdropping, node malfunctioning, denial of service, node subversion, node outage, message corruption, false nodes, and node replication. In Ali et al.'s scheme, a malicious user U_adv or gateway node GWN_adv that holds the shared key RI_j can impersonate a sensor node SN_j as follows. First, it captures the request message {M_2, M_6, M_7} and decrypts M_6, as shown in the previous subsection on violation of user anonymity. Then, it generates a timestamp T_7 and a random nonce R_{SN_j} and computes M_8, SK and M_9 exactly as a legitimate SN_j would. Finally, it sends {M_8, M_9, T_7} to GWN_j, which forwards the result to the user. Since both the key and the procedure are correct, neither U_i nor GWN_j detects anything suspicious and both trust the malicious SN_j. Therefore, Ali et al.'s scheme cannot withstand a sensor node impersonation attack.

Perfect Forward Secrecy Attack
Perfect forward secrecy requires that the compromise of a long-term key does not reveal previously established session keys; a scheme fails it when an adversary who obtains such a key can recover earlier session keys. In Ali et al.'s scheme, the session key is a hash of RI_j and of nonces that travel either under RI_j or under a key derived from values that travel under RI_j, so a malicious user U_adv or gateway node GWN_adv who knows RI_j can recompute any previous session key SK from a recorded transcript. First, he/she obtains R_U and ID_i from M_6, as shown in the previous subsection on violation of user anonymity.
Then, using R_U and ID_i, he/she decrypts M_10 and obtains RI_j || T_9 || R_{GWN_j} || R_{SN_j} || M_2 = D_{h(R_U || ID_i)}(M_10).
Then, he/she calculates SK* = h(R_{GWN_j} || R_U || R_{SN_j} || RI_j || M_2) and M*_9 = h(SK* || ID_i). To verify that SK* is correct, the attacker compares M*_9 with the previously observed public value M_9 in {M_8, M_9, T_7}. If they are equal, the adversary has confirmed that SK* is the session key. Therefore, Ali et al.'s scheme cannot provide perfect forward secrecy.
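The recovery described in the three steps above, run end to end in Python as an added example (this code is not from Ali et al. or from this paper). The symmetric cipher E_k/D_k of Ali et al.'s scheme is stood in for by an HMAC-SHA256 keystream with a random 16-byte prefix; that choice, the use of SHA-256 for h(.), and the field widths (64-bit identities, nonces and timestamps, 32-byte RI_j and M_2, so that decrypted plaintexts can be parsed at fixed offsets) are assumptions of this example. The recovery does not depend on the cipher: it uses only which values M_6 and M_10 carry and the fact that SK is a hash of those values and RI_j.

```python
import hashlib
import hmac
import os

ID_LEN = NONCE_LEN = T_LEN = 8   # assumption: 64-bit identities, nonces and timestamps
KEY_LEN = 32                     # RI_j = h(ID_SN_j || X) is one SHA-256 output
PREFIX_LEN = 16                  # random prefix of the stand-in cipher


def h(*parts: bytes) -> bytes:
    """The paper's h(.) over a || b || ... ; SHA-256 is an assumption of this example."""
    return hashlib.sha256(b"".join(parts)).digest()


def _keystream(key: bytes, prefix: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, prefix + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def E(key: bytes, plaintext: bytes, prefix: bytes = b"") -> bytes:
    """Stand-in for E_k: random-prefix keystream XOR (no integrity; enough for the attack)."""
    prefix = prefix or os.urandom(PREFIX_LEN)
    return prefix + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, prefix, len(plaintext))))


def D(key: bytes, ciphertext: bytes) -> bytes:
    """Stand-in for D_k, inverse of E."""
    prefix, body = ciphertext[:PREFIX_LEN], ciphertext[PREFIX_LEN:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, prefix, len(body))))


def honest_session(ri_j, id_i, r_bs, r_u, r_gwn, r_sn, m2, t5, t9):
    """The public values an eavesdropper records, built as BS, SN_j and GWN_j build them.
    M_2 is treated as an opaque 32-byte public value (its contents are not needed)."""
    m6 = E(ri_j, r_bs + t5 + r_u + r_gwn + id_i)           # D_RI_j(M_6) = R_BS||T_5||R_U||R_GWN_j||ID_i
    sk = h(r_gwn, r_u, r_sn, ri_j, m2)                     # SK = h(R_GWN_j||R_U||R_SN_j||RI_j||M_2)
    m9 = h(sk, id_i)                                       # M_9 = h(SK||ID_i), sent in the clear
    m10 = E(h(r_u, id_i), ri_j + t9 + r_gwn + r_sn + m2)   # M_10 = E_{h(R_U||ID_i)}(RI_j||T_9||R_GWN_j||R_SN_j||M_2)
    return sk, {"M_6": m6, "M_9": m9, "M_10": m10}


def recover_session_key(ri_j, transcript):
    """What any holder of RI_j (a legal U_i/GWN_j or a node-capture adversary) gets from a
    recorded transcript: the user's real identity and the past session key, or None."""
    p6 = D(ri_j, transcript["M_6"])                        # step 1: R_U and ID_i from M_6
    r_u = p6[NONCE_LEN + T_LEN: 2 * NONCE_LEN + T_LEN]
    id_i = p6[3 * NONCE_LEN + T_LEN:]
    p10 = D(h(r_u, id_i), transcript["M_10"])              # step 2: open M_10 with h(R_U||ID_i)
    r_gwn = p10[KEY_LEN + T_LEN: KEY_LEN + T_LEN + NONCE_LEN]
    r_sn = p10[KEY_LEN + T_LEN + NONCE_LEN: KEY_LEN + T_LEN + 2 * NONCE_LEN]
    m2 = p10[KEY_LEN + T_LEN + 2 * NONCE_LEN:]
    sk_star = h(r_gwn, r_u, r_sn, ri_j, m2)                # step 3: SK* and M*_9
    if hmac.compare_digest(h(sk_star, id_i), transcript["M_9"]):
        return sk_star, id_i                               # M*_9 == M_9 confirms SK*
    return None                                            # wrong RI_j or damaged transcript


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    x = os.urandom(32)
    ri_j = h(b"sensor01", x)
    sk, transcript = honest_session(ri_j, b"user0001", os.urandom(8), os.urandom(8),
                                    os.urandom(8), os.urandom(8), os.urandom(32),
                                    (1700000000).to_bytes(8, "big"), (1700000005).to_bytes(8, "big"))
    print("recovered:", recover_session_key(ri_j, transcript) == (sk, b"user0001"))
```

The same function also covers the violation of user anonymity above: the first decryption alone yields ID_i. Nothing in the transcript is ephemeral with respect to RI_j, which is why a hash-only redesign (as in the proposed scheme) has to keep RI_j out of the messages rather than merely re-encrypting it.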

Violation of Session Key Security
A session key ensures that the communication between legal participants in each session is secure. Session key security is violated when an illegitimate participant can successfully establish a session key with legal participants. In Ali et al.'s scheme, as described in the subsection on the sensor node impersonation attack, a malicious insider can act as a legitimate sensor node and be authenticated by a legal user U_i. When the authentication and key agreement succeed, the two generate a session key and use it to communicate. Therefore, Ali et al.'s scheme fails to provide session key security.

Denial of Services as a Service in Authentication and Key Agreement Phase
Denial of service as a service (DoSaaS), as this study calls it, occurs when a service cannot continue to its next step simply because the procedures of the scheme are inconsistent with each other or because a value is computed incorrectly by the scheme itself, rather than because of an external attacker. In Ali et al.'s scheme, this happens after a user U_i successfully updates his/her password.
In the password update phase, when U_i wants to update his/her password, he/she first inserts the smart card and the current password, then enters the new password PW_i^new, and the smartcard values are updated with the new password. When U_i then tries to log in with the new password, the login process fails, so the legitimate user is denied service. The details are explained below.
As shown in the login phase in Section 2.3,

Proposed Authentication and Key-Agreement Scheme Using WSNs for Agriculture Monitoring
The proposed scheme makes several significant improvements over Ali et al.'s scheme. To overcome the violation of untraceability in Ali et al.'s scheme, the proposed scheme uses dynamic A_i and DID_i instead of static ones. The proposed scheme also eliminates the sensor node impersonation attack, the loss of perfect forward secrecy and the violation of user anonymity by keeping the shared secret key RI_j known only to BS and SN_j, whereas in Ali et al.'s scheme RI_j becomes known to all participants. To overcome denial of service as a service, the proposed scheme restructures the password update phase: to complete a password update, the user U_i sends the updated parameters to the base station BS for processing. Moreover, to significantly improve efficiency, the proposed scheme uses only hash functions in its computations, whereas Ali et al. use symmetric encryption and decryption.
The proposed scheme consists of six phases: system setup; user/agriculture professional registration; login; authentication and session key agreement; password update or change; and dynamic node addition. Since the system setup phase and the dynamic node addition phase of the proposed scheme are the same as in Ali et al.'s scheme, they are not repeated here. Only the user/agriculture professional registration, login, authentication and session key agreement, and password update or change phases are described in detail below.

User/Agriculture Professional Registration Phase
In this phase, the user/agriculture professional U_i registers with the base station BS. Each user U_i has a smart card SC that contains a pre-configured identity ID_i^pre and a random number r_0. The same pre-configured data is stored in BS's storage. The SC is delivered physically. As shown in Figure 5, the following steps are executed to complete the registration phase.
Step 1: U_i selects his/her own identity ID_i and password PW_i, imprints the biometric F_i on the sensor device, and then computes Gen(F_i) = (X_F, P_F) and RPW_i = h(PW_i || X_F), where Gen(.) is the generation function of a fuzzy extractor and X_F and P_F are, respectively, the secret key and the public helper data. Now, U_i computes REG_i = r_0 ⊕ (ID_i || RPW_i || A_i) and sends {ID_i^pre, REG_i} to BS.
Step 2: When the registration request is received from U_i, BS verifies that (ID_i^pre, r_0) is in BS's storage and has not yet been registered. If so, BS computes the response RSP_i and returns it to U_i.
Step 3: After receiving the response from BS, U_i computes (B_i || D_i) = RSP_i ⊕ h(ID_i || r_0), and embeds A_i, B_i, D_i, h(.), P_F and Gen(.) in the memory of the SC.

Login Phase
When a user/agriculture professional U_i wants to know environmental information such as temperature, light, humidity and soil conditions, he/she has to log in to access this information. As shown in Figure 6, the following steps are executed in the login phase.
Step 1: U_i inserts his/her smartcard into the card reader, inputs ID_i and PW_i, and imprints his/her biometric F_i on the sensor device. Now, the card reader recovers X_F with Rep(F_i, P_F), recomputes the verification value from ID_i, PW_i and X_F, and compares it with the value stored on the smartcard. If the verification holds, the system continues to process the request. Otherwise, the session is terminated.
Step 2: Now, U_i generates a random nonce R_U, computes DID_i = (ID_i || R_U) ⊕ h(h(A_i || X) || T_1) and M_1 = h(R_U || ID_i || T_1 || h(A_i || X)), and then sends {A_i, DID_i, T_1, M_1, ID_{SN_j}, ID_{GWN_j}} to BS via the public channel. The value h(A_i || X) is recovered from the smartcard parameters after the check in Step 1, so U_i never needs the secret X itself.

Authentication and Session Key Agreement Phase
As shown in Figure 7, after U_i has been verified in the login phase, the authentication and session key agreement phase is executed in the following steps.
Step 1: BS first checks the freshness of T_1. If this does not hold, the session expires. Otherwise, BS calculates the corresponding values from A_i, X and DID_i and verifies the login request. The request is then forwarded to GWN_j, which recomputes the corresponding values and checks whether the result equals M_4. If the condition is true, it proceeds further. Otherwise, the session is terminated.
Step 4: Now, GWN_j generates a random nonce R_{GWN_j}, calculates M_6 and the remaining values of its message, and sends them to SN_j.
Step 5: Upon obtaining the message from GWN_j, SN_j checks whether T_6 − T_5 ≤ ΔT holds. If this does not hold, the session expires. Otherwise, SN_j recomputes the corresponding values and checks whether the result equals M_7. If the condition is true, it proceeds further. Otherwise, the session is terminated.
Step 6: Now, SN_j generates a random nonce R_{SN_j}, computes M_8, SK and M_9, and sends {M_8, M_9, T_7} to GWN_j.
Step 7: Upon receiving the message from SN_j, GWN_j first verifies whether T_8 − T_7 ≤ ΔT holds. If this is not true, the session expires. Otherwise, GWN_j calculates R*_{SN_j} = M_8 ⊕ h(R_{GWN_j} || R_BS || T_7), SK* = h(R_{GWN_j} || R_U || R*_{SN_j} || R_BS || ID_i || M_1) and M*_9 = h(SK* || R_BS || R_U || M_2 || T_7), then checks whether M*_9 = M_9 holds. If the condition is true, it proceeds further. Otherwise, the session is terminated.
Step 8: GWN_j computes M_10 = h(R_U || ID_i) ⊕ (R_{GWN_j} || R*_{SN_j} || R_BS) and M_11 = h(R_U || R*_{SN_j} || M_2 || SK || T_9). Then, GWN_j sends {M_2, M_10, M_11, T_9} to U_i.
Step 9: Upon receiving the message from GWN_j, U_i first verifies whether T_10 − T_9 ≤ ΔT holds. If this does not hold, the session expires. Otherwise, U_i recovers R_{GWN_j}, R_{SN_j} and R_BS from M_10 using h(R_U || ID_i), computes SK and M*_11, and verifies whether M*_11 = M_11 holds. If the condition is true, mutual authentication and session key agreement succeed. Otherwise, the session is terminated.
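A Python sketch of the hash-only parts of the proposed scheme that the page spells out: the login message with the dynamic pseudonym DID_i (login Step 2), the BS-side check of that message, and Steps 6 to 9 above, in which SN_j, GWN_j and U_i arrive at the same SK without RI_j ever appearing in a message. This is an added example, not code from the paper. Its assumptions: SHA-256 for h(.); 64-bit identities, nonces and timestamps, chosen so that ID_i || R_U and R_{GWN_j} || R_{SN_j} || R_BS fit under one SHA-256 mask (a deployment should use wider nonces); a 60-second ΔT; that BS keeps a set of registered identities; and that SN_j already holds R_U, ID_i, M_1, R_BS and R_{GWN_j} from Steps 2 to 5, which the page does not reproduce in full.

```python
import hashlib
import hmac
import os

ID_LEN = 8       # assumption: 64-bit identities
NONCE_LEN = 8    # assumption: 64-bit nonces (three of them must fit under one SHA-256 mask)
T_LEN = 8        # timestamps as 64-bit big-endian seconds
DELTA_T = 60     # assumed freshness window in seconds


def h(*parts: bytes) -> bytes:
    """The paper's h(.) applied to a || b || ... ; SHA-256 is an assumption of this example."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor_mask(data: bytes, mask: bytes) -> bytes:
    """data XOR mask, using only the first len(data) bytes of the hash mask."""
    if len(data) > len(mask):
        raise ValueError("field too wide for the hash mask")
    return bytes(d ^ m for d, m in zip(data, mask))


def ts(t: int) -> bytes:
    return t.to_bytes(T_LEN, "big")


def fresh(t_sent: bytes, t_now: int) -> bool:
    return abs(t_now - int.from_bytes(t_sent, "big")) <= DELTA_T


# Login Step 2 (user side). k_i = h(A_i || X) is released by the smartcard after the
# password/biometric check; the user never holds X itself.
def user_login_message(id_i, a_i, k_i, r_u, t1):
    did_i = xor_mask(id_i + r_u, h(k_i, ts(t1)))   # DID_i = (ID_i||R_U) xor h(h(A_i||X)||T_1)
    m1 = h(r_u, id_i, ts(t1), k_i)                 # M_1 = h(R_U||ID_i||T_1||h(A_i||X))
    return {"A_i": a_i, "DID_i": did_i, "T_1": ts(t1), "M_1": m1}


# Authentication Step 1 (BS side): recompute h(A_i||X) from the clear A_i and the secret X,
# unmask DID_i, check the identity and M_1 in constant time. Returns (ID_i, R_U) or None.
def bs_check_login(msg, x, registered_ids, t_now):
    if not fresh(msg["T_1"], t_now):
        return None
    k_i = h(msg["A_i"], x)
    plain = xor_mask(msg["DID_i"], h(k_i, msg["T_1"]))
    id_i, r_u = plain[:ID_LEN], plain[ID_LEN:]
    if id_i not in registered_ids:                 # assumption: BS keeps registered identities
        return None
    if not hmac.compare_digest(h(r_u, id_i, msg["T_1"], k_i), msg["M_1"]):
        return None
    return id_i, r_u


# Step 6 (SN_j): mask R_SN_j under values only GWN_j and BS know, derive SK, build M_9.
def sn_step6(r_sn, r_gwn, r_bs, r_u, id_i, m1, m2, t7):
    m8 = xor_mask(r_sn, h(r_gwn, r_bs, ts(t7)))    # M_8 = R_SN_j xor h(R_GWN_j||R_BS||T_7)
    sk = h(r_gwn, r_u, r_sn, r_bs, id_i, m1)       # SK = h(R_GWN_j||R_U||R_SN_j||R_BS||ID_i||M_1)
    m9 = h(sk, r_bs, r_u, m2, ts(t7))              # M_9 = h(SK||R_BS||R_U||M_2||T_7)
    return sk, m8, m9


# Steps 7-8 (GWN_j): check T_7, unmask R_SN_j, recompute SK and M_9, build M_10/M_11 for U_i.
def gwn_step7_8(m8, m9, m2, m1, r_gwn, r_bs, r_u, id_i, t7, t8, t9):
    if not fresh(ts(t7), t8):
        return None
    r_sn = xor_mask(m8, h(r_gwn, r_bs, ts(t7)))
    sk = h(r_gwn, r_u, r_sn, r_bs, id_i, m1)
    if not hmac.compare_digest(h(sk, r_bs, r_u, m2, ts(t7)), m9):
        return None                                # M*_9 != M_9: terminate the session
    m10 = xor_mask(r_gwn + r_sn + r_bs, h(r_u, id_i))  # M_10 = h(R_U||ID_i) xor (R_GWN_j||R_SN_j||R_BS)
    m11 = h(r_u, r_sn, m2, sk, ts(t9))             # M_11 = h(R_U||R_SN_j||M_2||SK||T_9)
    return sk, {"M_2": m2, "M_10": m10, "M_11": m11, "T_9": ts(t9)}


# Step 9 (U_i): check T_9, unmask M_10 with h(R_U||ID_i), rebuild SK, confirm M_11.
def user_step9(reply, id_i, r_u, m1, t_now):
    if not fresh(reply["T_9"], t_now):
        return None
    n = xor_mask(reply["M_10"], h(r_u, id_i))
    r_gwn, r_sn, r_bs = n[:NONCE_LEN], n[NONCE_LEN:2 * NONCE_LEN], n[2 * NONCE_LEN:]
    sk = h(r_gwn, r_u, r_sn, r_bs, id_i, m1)
    if not hmac.compare_digest(h(r_u, r_sn, reply["M_2"], sk, reply["T_9"]), reply["M_11"]):
        return None
    return sk


if __name__ == "__main__":
    # Constructed sample run: two logins of the same user give two unlinkable DID_i values.
    x, a_i, id_i = os.urandom(32), os.urandom(8), b"user0001"
    first = user_login_message(id_i, a_i, h(a_i, x), os.urandom(8), 1700000000)
    second = user_login_message(id_i, a_i, h(a_i, x), os.urandom(8), 1700000001)
    print("DID_i differs across sessions:", first["DID_i"] != second["DID_i"])
    print("BS accepts:", bs_check_login(first, x, {id_i}, 1700000002) is not None)
```

Because DID_i is masked with a hash over a fresh T_1 and carries a fresh R_U, two logins of the same user are unlinkable by DID_i alone; note that A_i travels in the clear, so the untraceability claim also relies on A_i being refreshed per session as the scheme states.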

Password Updates or Change Phase
As shown in Figure 8, the following steps are executed to update or change the user's password.
Step 1: The user $U_i$ inserts his/her smart card into the card reader, enters $ID_i$ and $PW_i$, and imprints $F_i$ on the sensor device. The card reader computes $Rep(F_i, \cdot)$ and checks the resulting condition. If the condition is true, it proceeds further. Otherwise, the session is terminated.
Step 2: $U_i$ enters a new password $PW_i^{new}$ and computes $RPW_i^{new}$.

Authentication Proof of the Proposed Scheme Using BAN Logic
This section validates session key agreement and mutual authentication of the proposed scheme using BAN (Burrows-Abadi-Needham) logic [31]. The BAN includes a set of rules to verify the message source, freshness, and trustworthiness of the scheme. Table 2 lists the notations and their respective abbreviations related to the BAN logic. Table 2. BAN (Burrows-Abadi-Needham) logic notations and respective abbreviations.

$P \mid\equiv X$: the entity P believes the statement X
$P \Rightarrow X$: P has jurisdiction over the statement X
$P \mid\sim X$: P once said X
$P \lhd X$: P sees X
$\{X\}_K$: the formula X is encrypted under the key K
$P \overset{K}{\leftrightarrow} Q$: P and Q communicate via the shared key K
$P \to Q : m$: P sends the message m and Q receives it
$\#X$: the message X is freshly generated

Basic Rules of BAN Logic
Some rules or logical postulates used in the BAN logic are given as follows:
• Rule 1. Message-meaning rule: $\dfrac{P \mid\equiv P \overset{K}{\leftrightarrow} Q,\ P \lhd \{X\}_K}{P \mid\equiv Q \mid\sim X}$. If the entity P believes that the secret K is shared with Q and sees the message X encrypted under K, then P believes that Q once said X.
• Rule 2: $\dfrac{P \mid\equiv Q \Rightarrow X,\ P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$. If the entity P believes that Q has jurisdiction over X and that Q believes X, then P believes that X is true.
• Rule 3. Nonce-verification rule: $\dfrac{P \mid\equiv \#X,\ P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$. If the entity P believes that X is fresh and that the entity Q once said X, then P believes that Q believes X.
• Rule 4: $\dfrac{P \mid\equiv \#X,\ P \mid\equiv Q \mid\equiv X}{P \mid\equiv P \overset{K}{\leftrightarrow} Q}$. If the entity P believes that X is fresh and that Q believes X, then P believes the secret K shared between the entities P and Q.
• Rule 5. Freshness-conjunction rule: $\dfrac{P \mid\equiv \#X}{P \mid\equiv \#(X, Y)}$. If the entity P believes that X is fresh, then P believes the freshness of (X, Y).

Goals
The proposed scheme needs to satisfy the following goals to ensure its security under BAN logic, using the above assumptions and postulates.

Idealized Form
Initially, the message of login, authentication, and key agreement scheme in the proposed scheme can be transformed into idealized form in the following manner.

Assumptions
The following initial assumptions have been established to prove the security of the proposed scheme using BAN logic.

Verification
Verification shows the correctness of the proposed scheme confirmed by analyzing the idealized form using the above assumptions and the rules of the BAN logic.
By using Message 1: $V_3$: $BS \mid\equiv U_i \mid\equiv R_U$
Then, from $A_6$, $V_3$ and Rule 2: $V_4$: $BS \mid\equiv R_U$
According to $A_2$, $V_3$ and Rule 4:
Further, using $A_2$, $V_5$ and Rule 3:
By using Message 2: $V_{10}$: $GWN_j \mid\equiv R_{BS}$
According to $A_3$, $V_9$ and Rule 4:
Further, using $A_3$, $V_{11}$ and Rule 3:
Further, using $A_4$, $V_{17}$ and Rule 3:
By using Message 4: $V_{19}$ and Rule 1: $V_{20}$ and Rule 3: $V_{21}$: $GWN_j \mid\equiv SN_j \mid\equiv R_{SN_j}$
Then, from $A_{12}$, $V_{21}$ and Rule 2: $V_{22}$: $GWN_j \mid\equiv R_{SN_j}$
According to $A_3$, $V_{21}$ and Rule 4:
Further, using $A_4$, $V_{17}$ and Rule 3:
By using Message 5: $V_{25}$ and Rule 1: $V_{29}$: $U_i \mid\equiv R_{GWN_j}, R_{SN_j}, R_{BS}$
According to $V_{27}$, $V_{28}$ and Rule 4:
Then, using $V_{27}$, $V_{30}$ and Rule 3:

Informal Security Analysis
This section presents an informal security analysis of the proposed scheme. Table 2 summarizes the security analysis comparison between Ali et al.'s scheme [23] and the proposed scheme.

User Anonymity
When the base station BS gets a request message $\{A_i, DID_i, T_1, M_1, ID_{SN_j}, ID_{GWN_j}\}$ from user $U_i$, BS checks whether the request comes from a legitimate user $U_i$ by calculating $(ID_i \| R_U) = DID_i \oplus h(h(A_i \| X) \| T_1)$, where X is BS's secret key, known only to BS. BS then checks whether $h(R_U \| ID_i \| T_1 \| h(A_i \| X))$ equals $M_1$. If it holds, BS confirms that the request message comes from a legitimate $U_i$.
Assume an adversary tries to obtain the real identity $ID_i$ of a legitimate user $U_i$ from an existing message $\{A_i, DID_i, T_1, M_1, ID_{SN_j}, ID_{GWN_j}\}$ captured on the public channel. To recover the real $ID_i$, the adversary needs to calculate $DID_i \oplus h(h(A_i \| X) \| T_1)$. However, X is known only to the legitimate BS and is additionally protected by the hash operation, so recovering X is computationally infeasible. Without knowledge of X, the adversary cannot derive the real $ID_i$. Therefore, the proposed scheme provides user anonymity.

User Traceability
In the proposed scheme, the real identity $ID_i$ of a user is protected by the dynamic pseudonym identity $DID_i$, where $DID_i = (ID_i \| R_U) \oplus h(h(A_i \| X) \| T_1)$. $R_U$ is random and $T_1$ is a timestamp, both newly generated for each transaction, which means $DID_i$ is dynamic for every transaction. Moreover, the different values of $A_i$, $DID_i$, $T_1$ and $M_1$ in each transaction prevent an adversary from identifying which user a transaction belongs to or relating it to any specific user. Therefore, the proposed scheme provides protection against user traceability.
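An added worked example (not the paper's own code) of the login-request pseudonym from Step 2 and the BS-side check described in the two sections above: the user masks $(ID_i \| R_U)$ with $h(h(A_i \| X) \| T_1)$, BS unmasks it with X and recomputes $M_1$, and two requests from the same user carry unrelated $DID_i$ and $M_1$. SHA-256 stands in for $h(\cdot)$; X, $ID_i$, $A_i$ and the timestamps are constructed sample values.

```python
import hashlib
import hmac
import os

def h(*parts: bytes) -> bytes:
    """The scheme's one-way hash h(.) over the concatenation (||) of its inputs."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample values (hypothetical, not taken from the paper).
X = b"bs-master-secret-X"                # BS secret key X, known only to BS
ID_I = b"farmer-0007".ljust(16, b"\0")   # ID_i, fixed to 16 bytes
A_I = b"smartcard-value-A_i"             # A_i, carried in the request

def user_login_request(id_i: bytes, a_i: bytes, shared: bytes, t1: bytes) -> dict:
    """U_i, login Step 2, with shared = h(A_i || X) held on the user side:
    DID_i = (ID_i || R_U) xor h(h(A_i || X) || T_1)
    M_1   = h(R_U || ID_i || T_1 || h(A_i || X))"""
    r_u = os.urandom(16)                 # fresh nonce R_U for this transaction
    did_i = xor(id_i + r_u, h(shared, t1))
    m_1 = h(r_u, id_i, t1, shared)
    return {"A_i": a_i, "DID_i": did_i, "T_1": t1, "M_1": m_1}

def bs_verify_request(msg: dict, x: bytes):
    """BS side: recover (ID_i || R_U) with X, recompute M_1 and compare.
    Returns (True, ID_i) for a legitimate request, (False, None) otherwise."""
    shared = h(msg["A_i"], x)
    id_r = xor(msg["DID_i"], h(shared, msg["T_1"]))
    id_i, r_u = id_r[:16], id_r[16:]
    m_1_star = h(r_u, id_i, msg["T_1"], shared)
    if hmac.compare_digest(m_1_star, msg["M_1"]):
        return True, id_i
    return False, None

def linkable(msg_a: dict, msg_b: dict) -> bool:
    """Eavesdropper's view: do the dynamic fields DID_i or M_1 repeat, which
    would let two requests be tied to the same user?"""
    return msg_a["DID_i"] == msg_b["DID_i"] or msg_a["M_1"] == msg_b["M_1"]

if __name__ == "__main__":
    shared = h(A_I, X)                   # h(A_i || X), derived on the card side
    req1 = user_login_request(ID_I, A_I, shared, b"1700000000")
    req2 = user_login_request(ID_I, A_I, shared, b"1700000060")
    print("BS accepts:", bs_verify_request(req1, X)[0])
    print("wrong X accepted:", bs_verify_request(req1, b"wrong-X")[0])
    print("two sessions linkable:", linkable(req1, req2))
```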

Three-Factor Security
To provide protection in the login phase, the proposed scheme uses three-factor security, which means that only a user with the correct password, correct biometric characteristics, and correct smart card is allowed to log in to the remote server [32].
Assume an adversary has any two factors of security, which are password and smartcard, or smartcard and biometric, or password and smartcard. When he/she tries to log in to the system, the proposed scheme first checks whether $h(A_i \| RPW^*$ matches. Based on this check, the system always verifies all three security factors before allowing any request to log in successfully. This means an adversary who holds only two factors has no chance to enter the system. Therefore, the proposed scheme provides three-factor security.

Session Key Security
In the authentication and key agreement phase, the session key SK must be established and known only by the legal participants. In the proposed scheme, SK is computed from random numbers contributed by each legal participant and freshly generated in each session. Furthermore, SK also depends on $ID_i$ and $M_1$, where $M_1 = h(R_U \| ID_i \| T_1 \| h(A_i \| X))$ is protected by $h(A_i \| X)$, which is known only to $U_i$ and BS. It is also computationally infeasible to calculate the session key $SK = h(R_{GWN_j} \| R_U \| R_{SN_j} \| R_{BS}^* \| ID_i \| M_1)$ due to the characteristics of the hash operation. Therefore, the proposed scheme withstands session key computation attack.

Perfect Forward Secrecy Attack
The proposed scheme ensures the secrecy of previous session keys even if the master secret key of the server or the shared secret keys between legal participants are compromised.
In the proposed scheme, the session key is not related to the master secret key X that belongs to the base station BS. Also, the session key is not related to any shared secret key that exists between legal participants, such as the shared key $X_{BS-GWN_j}$ between BS and the gateway node or the shared key $RI_j$ between BS and the sensor node. Instead, the session key is built from the random numbers freshly generated by every legal participant in each session. Therefore, the proposed scheme provides perfect forward secrecy.

Sensor Node Impersonation Attack
Assume an adversary tries to impersonate a sensor node by sending a request message $\{M_1, M_2, M_8, M_9, T_7\}$ to a gateway node $GWN_j$. Upon receiving the request, to verify whether it comes from a legitimate sensor node $SN_j$, $GWN_j$ computes $M_9^* = h(SK^* \| R_{BS} \| R_U \| M_2 \| T_7)$ and checks whether $M_9^*$ equals $M_9$. In the proposed scheme, in order to compute a verifiable $M_9$, both $SN_j$ and $GWN_j$ need to obtain $R_{BS}^*$, where $R_{BS}$ is a random nonce belonging to the base station BS. As shown in the authentication and session key agreement phase, to obtain $R_{BS}$ both $SN_j$ and $GWN_j$ must use their own secret key shared with BS: $GWN_j$ uses $X_{BS-GWN_j}$ and $SN_j$ uses $RI_j$. Without a shared secret key, an adversary cannot obtain $R_{BS}$, and without the right $R_{BS}$, $M_9$ will never be successfully verified by $GWN_j$. By verifying $M_9$, $GWN_j$ immediately detects whether the request message comes from a legal $SN_j$. Therefore, the proposed scheme withstands sensor node impersonation attack.
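An added example (not from the paper) of the gateway's Step 7 check that the Session Key Security and Sensor Node Impersonation sections above rely on: $GWN_j$ unmasks $R_{SN_j}^*$ from $M_8$ using $R_{BS}$, rebuilds $SK^*$ and $M_9^*$, and rejects a reply whose sender lacked $R_{BS}$ or whose $T_7$ is stale. SHA-256 stands in for $h(\cdot)$, the sensor side is written as the inverse of Step 7 (Step 6 is not fully shown on the page), and the nonces, $ID_i$, $M_1$, $M_2$, the timestamps and $\Delta T = 60$ s are constructed values.

```python
import hashlib
import hmac
import os

DELTA_T = 60   # allowed clock skew in seconds, stands in for the paper's ΔT

def h(*parts: bytes) -> bytes:
    """One-way hash h(.) over the concatenation (||) of its inputs."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def ts(t: int) -> bytes:
    """Timestamp encoded as hash input."""
    return str(t).encode()

# Constructed values the legitimate parties hold after Steps 1-6 (hypothetical).
R_U, R_BS, R_GWN = os.urandom(32), os.urandom(32), os.urandom(32)
ID_I = b"farmer-0007"
M_1, M_2 = h(b"constructed-M_1"), h(b"constructed-M_2")

def sensor_reply(r_sn, r_gwn, r_bs, r_u, id_i, m_1, m_2, t_7: int) -> dict:
    """SN_j builds {M_1, M_2, M_8, M_9, T_7} as the inverse of GWN_j's Step 7:
    M_8 = R_SN_j xor h(R_GWN_j || R_BS || T_7)
    SK  = h(R_GWN_j || R_U || R_SN_j || R_BS || ID_i || M_1)
    M_9 = h(SK || R_BS || R_U || M_2 || T_7)"""
    m_8 = xor(r_sn, h(r_gwn, r_bs, ts(t_7)))
    sk = h(r_gwn, r_u, r_sn, r_bs, id_i, m_1)
    m_9 = h(sk, r_bs, r_u, m_2, ts(t_7))
    return {"M_1": m_1, "M_2": m_2, "M_8": m_8, "M_9": m_9, "T_7": t_7}

def gateway_verify(msg: dict, t_8: int, r_gwn, r_bs, r_u, id_i):
    """GWN_j, Step 7: check T_8 - T_7 <= ΔT, unmask R*_SN_j from M_8,
    rebuild SK* and M*_9, and accept only if M*_9 == M_9.
    Returns SK* on success, None otherwise."""
    if t_8 - msg["T_7"] > DELTA_T:
        return None                          # stale timestamp: treat as replay
    r_sn_star = xor(msg["M_8"], h(r_gwn, r_bs, ts(msg["T_7"])))
    sk_star = h(r_gwn, r_u, r_sn_star, r_bs, id_i, msg["M_1"])
    m_9_star = h(sk_star, r_bs, r_u, msg["M_2"], ts(msg["T_7"]))
    if hmac.compare_digest(m_9_star, msg["M_9"]):
        return sk_star
    return None

if __name__ == "__main__":
    r_sn = os.urandom(32)
    good = sensor_reply(r_sn, R_GWN, R_BS, R_U, ID_I, M_1, M_2, 1700000420)
    print("legit SN_j:", gateway_verify(good, 1700000425, R_GWN, R_BS, R_U, ID_I) is not None)
    # A sender without the BS nonce R_BS cannot produce a verifiable M_9.
    fake = sensor_reply(r_sn, R_GWN, os.urandom(32), R_U, ID_I, M_1, M_2, 1700000420)
    print("no R_BS:", gateway_verify(fake, 1700000425, R_GWN, R_BS, R_U, ID_I) is not None)
```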

Gateway Node Impersonation Attack
A gateway node impersonation attack occurs when an adversary acts as a legitimate gateway node $GWN_j$ by sending a request message to the user $U_i$ or the sensor node $SN_j$, and that request message is successfully authenticated as coming from a legitimate $GWN_j$ by $U_i$ or $SN_j$.
Assume an adversary tries to impersonate $GWN_j$ by sending a request message. To compute $M_6$, $M_7$, $M_{10}$ and $M_{11}$, the adversary needs to obtain $R_U$, $R_{BS}$ and $ID_i$ using the shared key $X_{BS-GWN_j}$, where $(R_U \| R_{BS} \| ID_i) = M_3 \oplus h(X_{BS-GWN_j} \| T_3)$. However, without knowledge of $X_{BS-GWN_j}$, it is computationally infeasible to calculate these parameters due to the characteristics of the hash operation. Without the right parameters, $U_i$ and $SN_j$ will immediately recognize that the request is not coming from a legitimate $GWN_j$. Therefore, the proposed scheme withstands a gateway node impersonation attack.

User/Agriculture Impersonation Attack
A user impersonation attack occurs when an adversary acts as a legitimate user and is successfully authenticated by the base station BS.
Assume an adversary tries to impersonate a legitimate user $U_i$ by sending a request message. However, it is impossible for the adversary to calculate $[h(A_i \| X)]^*$ without the user's biometrics, the unknown user identity $ID_i$ and the user password $PW_i$.
Upon receiving the request message from $U_i$, BS immediately recognizes whether the request message comes from a legitimate user by checking whether $h(R_U \| ID_i \| T_1 \| h(A_i \| X))$ equals $M_1$. Therefore, the proposed scheme withstands user/agriculture impersonation attack.

Offline Password Guessing Attack
An off-line password guessing attack occurs when a smart card is lost or stolen and the adversary tries to guess the password to log in to the system. Let us assume an adversary obtains the information within the smart card by using side-channel attacks. To guess the password through the parameters stored inside the smart card, the adversary needs to invert the value of $B_i$ or $D_i$. However, inverting the values of $B_i$ or $D_i$ is computationally infeasible due to the characteristics of the hash operation. Neither $ID_i$ nor $PW_i$ is ever directly revealed or exposed, so an adversary cannot guess or change the password. Therefore, the proposed scheme withstands an offline password guessing attack.

Replay Attack
A replay attack happens when an adversary tries to retransmit a previous request message as a new transaction request and it is successfully accepted as a new legitimate request by the other legal participants.
Assume an adversary tries to replay existing messages as a new transaction request. However, every message contains a timestamp $T_1$, $T_3$, $T_5$, $T_7$, or $T_9$. The other legitimate participants will immediately identify the replay attack when they check the freshness of $T_1$, $T_3$, $T_5$, $T_7$, and $T_9$. Therefore, the proposed scheme withstands replay attack.

Insider Attack
An insider attack happens when a malicious legal participant successfully captures key values of others, such as a shared key, and then uses that key to launch security violations or attacks. The proposed scheme ensures that the key shared between participants is known only by the right participants and is never leaked to other, irrelevant participants.
Assume a malicious legal participant tries to obtain a shared secret key that belongs to another legal participant. In the proposed scheme, there are three shared secret keys: $X_{BS-GWN_j}$, $RI_j$ and $h(A_i \| X)$. All of them are generated by the base station BS and contain the BS secret key X. Since the secret key of BS is known only by BS and never revealed to others, and since the shared key between participants is never revealed to other, irrelevant participants either, the proposed scheme is safe from shared secret key leakage. Therefore, the proposed scheme withstands insider attack.

Performance and Functionality Comparisons
This section analyzes and compares Ali et al.'s scheme with the proposed scheme. Security functionality comparisons and performance comparisons in the login, authentication, and key agreement phases are presented as follows. Table 3

Performance Comparisons
As WSNs have limited power capacity, the computation cost of the login, authentication, and key-agreement scheme must be kept as low as possible. Table 4 compares the login, authentication, and key agreement phases of the proposed scheme and Ali et al.'s scheme in terms of performance. Table 5 shows the hardware/software specifications and the algorithms used in our simulation environment. The proposed scheme involves a user $U_i$, a base station BS, a gateway node $GWN_j$, and a sensor node $SN_j$. $T_H$ denotes the execution time of a hash operation and $T_s$ denotes the execution time of a symmetric encryption/decryption. Ali et al.'s scheme [23] requires 19 hash function operations and nine symmetric en/decryption operations. Although the proposed scheme requires more hash function operations, it does not require the nine symmetric en/decryption operations. Therefore, the proposed scheme provides better efficiency than the previous scheme.

Conclusions
This paper reviewed Ali et al.'s scheme and demonstrated that it cannot provide user anonymity, user traceability, and session key security, and that it is insecure against insider attacks, perfect forward secrecy attacks, and sensor node impersonation attacks. Moreover, after a user successfully updates his/her password, Ali et al.'s scheme immediately suffers from Denial of Service as a Service (DoSaaS) in its authentication and key agreement phase. The proposed scheme eliminates those security weaknesses by proposing four new phases out of the six existing phases. To promote efficiency, the proposed scheme eliminates the symmetric encryption-decryption computation used in the previous scheme and utilizes only hash operations in its computation. The proposed scheme not only eliminates the weaknesses of Ali et al.'s scheme but is also 80 times more efficient compared with Ali et al.'s scheme. The efficiency, security and functionalities shown by the proposed scheme surpass those of Ali et al.'s scheme. Therefore, the proposed scheme is more suitable for agriculture monitoring using WSNs.