An Enhanced User Authentication and Key Agreement Scheme for Wireless Sensor Networks Tailored for IoT

Abstract

A security protocol for wireless transmission is essential to defend sensitive information from malicious enemies by providing a variety of facilities such as privacy of the user’s information, secure session key, associated authentication, and user-repeal facility when a person’s authorizations are suddenly disclosed. Singh et al. proposed an improved user authentication and key agreement system for wireless sensor networks (WSNs). Authors are sure that their protocol is secure from various attacks. Here, we find several security pitfalls in their scheme, such as an offline password-guessing attack, failure to protect the session key, and a man-in-the-middle attack. To remove the identified pitfalls found in Singh et al.’s scheme, we design an enhanced authentication scheme for WSNs tailored for IoT. We prove the reliability of our proposed protocol using the real or random (RoR) model. We also evaluate the proposed scheme with the associated schemes and show its superior efficacy as compared to its counterparts.

1. Introduction

A wireless Sensor Network (WSN) consists of sensors or sensor nodes and plays a vital role in the Internet of Things (IoT) applications. The sensor nodes can be used at sensitive places in an unplanned or planned way. These kinds of nodes have the capacity to collect data from their neighboring fields, after which they send the data to nearby base stations (BSs), which process the received data for decision-making. Sensor nodes can communicate with each other via wireless radio communications. In WSNs, the BS (referred to as the gateway node (or GW-node)) is the most effective node, whereas sensors are the least effective nodes in regard to battery power, memory space, and computational ability.

WSNs can be utilized in different unattended fields, such as the army, climatic, medical, and agriculture, for goal monitoring, battleground vigilance, and invader identification. WSNs can also be deployed in various IoT applications such as smart homes, smart supply-chain management, smart cities, smart grids, smart traffic management, and industrial Internet. Due to the unattended surroundings of sensor nodes, an adversary has the ability to immediately capture a sensor node from the goal-tracking area. For this reason, an adversary has a possibility to at once seize a sensor node from the goal field and extract all of the data from its reminiscence, as nodes are not usually tamper-resistant because of their low cost.

The requirement to protect the data stored in WSNs is a crucial issue. Here we discuss some scenarios which necessitate a user verification protocol in WSNs. In WSNs, an intruder can create a bug in the network and can disturb or discontinue the commuted texts. Numerous crucial operations in WSNs, along with the utilization of the battleground surveillance and e-health services, rely on actual data to obtain which the users establish a direct connection with the sensor nodes with the help of the base station. Thus, in applications requiring actual data, the user’s authenticity is verified by the sensor nodes and the BS, which requires setting up a secret session key among the users and the accessed nodes so that no intruder can obtain the crucial data from the sensor nodes. Due to this motive, user authentication and key agreement protocols in WSNs are important research fields.

Motivation and Contribution

WSNs’ environment is challenging due to their resource-constrained nature and security requirements. The same is true for any IoT application due to its dependency on WSNs. Authentication and key agreement schemes are utilized to handle the application layer in WSNs/IoT. In these schemes, balancing efficiency and security is a big challenge. In this regard, research on establishing authentication and key agreement is in the developing stage. While reviewing some literature on authentication and key agreement scheme for WSN, we came across an article in which we felt scope for improvement. The contributions of this article are as follows:

• We analyze an authentication and key agreement scheme for WSNs and point out its flaws.
• As an enhancement of the analyzed scheme, we propose an authentication and key agreement scheme for WSNs tailored for the IoT.
• We have tried to achieve the maximum possible security features while keeping the minimum possible computational load.

2. Related Work

In 2009, Das [1] proposed two-factor user authentications in WSNs. The author claims that the proposed scheme resists many attacks in WSNs, but it suffers from denial-of-service and node compromise attacks. In 2011, Yeh et al. [2] worked on Das’s scheme and proposed an authentication protocol for WSNs using elliptic curve cryptography. Mutual authentication is important to prove the legitimacy of each party, and Yeh et al. [2] found that the scheme in [1] does not provide mutual authentication; they also found that the protocol in [1] suffers from insider attacks, user impersonation attacks, and no provision for changing updating passwords.

In 2013, Xue et al. [3] proposed a temporal credential-based mutual authentication scheme for WSNs. In 2014, Turkanovic et al. [4] suggested a user-mutual authentication key agreement protocol for heterogeneous ad hoc WSNs. This scheme concentrates on the Internet of things (IoT) notion. In 2015, Jiang et al. [5] found some security flaws in the protocol [3] and proposed an improvement of [3]. Jiang et al. found that the scheme in [3] suffers from insider attacks, weak stolen smart card attacks, identity guessing attacks, and tracking attacks. In 2015, He et al. [6] proposed mutual authentication and key agreement protocol for WSNs. He et al. [6] found that the scheme in [3] cannot withstand the security parameters, and protocol [3] suffers from offline password guessing attacks, user impersonation attacks, and sensor node impersonation attacks. He et al. [6] found that the scheme in [3] cannot provide legitimacy of the user.

In 2016, Kumari et al. [7] pointed out that the scheme in [6] has many disadvantages. Kumari et al. [7] showed that protocol [6] suffers from offline password-guessing attacks, session-specific temporary information attacks, the absence of password-changing facilities, and the absence of unauthorized login detection, and it does not provide legitimacy to the user. Kumari et al. [7] proposed a mutual authentication and key agreement scheme for WSNs using chaotic maps. In 2016, Jiang et al. [8] worked on the scheme in [6], and after analysis, they showed that the scheme in [6] fails to provide anonymity for the user. Jiang et al. [8] found that in the protocol [6], an adversary can easily track the user, and also, this scheme cannot stand with stolen smart card attacks. Jiang et al. [8] proposed an untraceable temporal-credential-based authentication scheme for WSNs.

In 2016, Farash et al. [9] noticed that the protocol in [4] does not resist man-in-the-middle attacks, the disclosure of the session key, sensor node impersonation attacks, and the disclosure of secret parameters. Farash et al. [9] also showed that the scheme in [4] does not provide sensor node anonymity, and any adversary who wants to track the user can easily do so. To remove the weakness, Farash et al. [9] proposed an enhanced scheme. In 2016, Amin and Biswas [10] found that the protocol in [4] undergoes offline password-guessing attacks, offline identity-guessing attacks, smart card theft attacks, user impersonation attacks, sensor-node impersonation attacks, and inefficient authentication phase. Amin and Biswas [10] also gave an authentication method after removing the weakness of the scheme in [4], and they claimed the enhanced security of their scheme over protocol in [4]. Amin and Biswas used BAN logic for formal security analysis of the proposed protocol.

In 2016, Amin et al. [11] showed that the scheme in [9] is vulnerable to smart card stolen attacks, offline password-guessing attacks, new smart issue attacks, user impersonation attacks, and known session-specific temporary information attacks. Amin et al. [11] found that the protocol in [9] does not provide user anonymity, and also the secret key of the gateway node is not safe in this protocol. To overcome the disadvantages of the scheme in [9], Amin et al. [11] put forward an improved version of WSNs. In 2016, Chang and Le [12] showed that protocol in [4] is vulnerable to impersonation attacks with node capture, stolen smart card attacks, sensor node spoofing attacks, and stolen verifier attacks, and it fails to ensure backward secrecy. To remove these security issues, Chang and Le [12] proposed an advanced scheme.

In 2017, Wu et al. [13] revealed that the scheme in [10] suffers from sensor capture attacks, session key leakage attacks, user forgery attacks, gateway forgery attacks, and sensor forgery attacks. Wu et al. [13] showed that in the scheme [10], the adversary could track the user easily, and this does not provide mutual authentication between parties. To remove the disadvantages in [10], Wu et al. [13] proposed an authentication scheme for multi-gateway-based WSNs. In 2017, Wu et al. [14] found that the scheme in [5] has many security pitfalls, such as offline password-guessing attacks, user forgery attacks, de-synchronization attacks, and a lack of strong forward security. Wu et al. [14] recommended a stepped-forward version of the protocol in [5]. They claimed their protocol to be secure. In 2017, Dhillon and Kalra [15] proposed multi-factor remote user authentication and key agreement scheme for IoT environments. They said that their proposal is to be defendable against all prospected threats.

In 2018, Amin et al. [16] designed a robust patient monitoring system using wireless medical sensor networks. They are sure that their protocol is secured against obvious violations. They used BAN logic to confirm the mutual authentication feature for their suggested protocol. In 2018, Jangirala et al. [17] designed an authentication and key agreement protocol for the industrial Internet of things. In the scheme of [17], they used the fuzzy extractor method for biometric authentication by the user’s smart card. In 2018, Li et al. [18] pointed out that the protocol in [8] cannot resist known session-specific temporary information attacks and clock synchronization, and this scheme is not applicable to IoT environments. To improve the scheme in [8], Li et al. [18] suggested a three-factor anonymous authentication scheme for WSNs. In 2018, He et al. [19] found that the scheme in [12] suffers from sensor capture attacks. They gave an improved version of [12].

In 2019, Gupta et al. [20] designed an anonymous user authentication and key-establishment scheme for wearable devices. They used BAN logic to justify mutual verification among the gateway/cellular terminal and the wearable gadget of the sensor. In 2019, Ghani et al. [21] proposed an IoT-based scheme for WSNs using a symmetric key. In 2020, Lee et al. [22] discovered that the protocol in [15] is vulnerable to a stolen mobile device attack and a user impersonation attack, and it lacks a provision for the agreement of the session key. In 2021, Mall et al. [23] proposed a physically unclonable function (PUF) based authentication protocol for drone-enabled WSNs. This protocol conducts communication among devices and the cloud by the relocatable drone.

In 2021, Chen et al. [24] suggested a group key agreement protocol for IoT. In this scheme, they introduce an entity known as the device manager. Device managers connect IoT devices with blockchain networks. In 2021, Chen and Liu [25] suggested a three-factor scheme for the IoT that used biological information. They proved their protocol in both a formal and informal manner. In 2021, Ali et al. [26] designed an ECC-based protocol for vehicle-to-vehicle communication in VANETs. In 2021, Sadri and Asaar [27] showed that the scheme in [21] has many security pitfalls, such as user impersonation attacks, malicious gateway attacks, and traceability attacks. To remove weaknesses found in [21], Sadri and Asaar [27] suggested a hash-based scheme for WSNs in IoT with forward secrecy. They analyzed their protocol with both formal and informal methods. In 2021, Rangwani et al. [28] proposed a three-factor scheme for the Industrial Internet of Things (IIoT). They also verified their scheme in both formal and informal ways. In 2021, Nashwan [29] designed a scheme for healthcare IoT. In this scheme, mutual authentication between all nodes is verified using BAN logic.

In 2022, Tanveer et al. [30] suggested a resource-capable scheme for the Industrial Internet of Things (IIoT). The authors claimed that their scheme is suitable for resource-constrained smart devices. In 2022, Kumar et al. [31] designed an RFID-based scheme using PUF for vehicular cloud computing. In 2022, Wu et al. [32] suggested a scheme that depends on a symmetric encryption algorithm and fog computing in the Internet of vehicles. In 2022, Li et al. [33] proposed a protocol for fog-enabled social internet of vehicles.

In 2016, Singh et al. [34] proposed a scheme to resolve the weaknesses of the protocol in [4]. Singh et al. claimed their scheme to be more secure and efficient for a real application environment. However, we show that the protocol in [34] has many security issues. The scheme in [34] suffers from many attacks like offline password-guessing attacks, man-in-the-middle attacks, and attacks on the session key.

Organization

In Section 3, we review Singh et al.’s scheme. The cryptanalysis of Singh et al.’s scheme is shown in Section 4. Section 5 describes our enhanced scheme. Section 6 explains the security analysis of the proposed scheme in both a formal and informal manner. Section 7 contains a comparison of the proposed scheme with some related schemes. The conclusion is in Section 8.

3. Review of Singh et al.’s Scheme

Firstly, we write the notations and their explanations used in this paper in Figure 1.

Figure 1. Notations and description.

3.1. Registration Phase

The system of registration begins after the placement of sensor nodes in the application space. The registration phase is split into two sub-phases. Phase one is between a user and the gateway, and phase two is between the sensor node and the gateway. Figure 2 illustrates all two stages.

Figure 2. Registration phase of Singh et al.’s scheme [34].

3.1.1. Registration Between User and Gateway

Identity (ID_i) and secure password (PW_i) are provided to every user. User identity and password hash value are saved in the gateway node. At first, the gateway selects a random key K_GW-U. With this key, GW can communicate with the user. The gateway further selects a different key K_GW-S. With this particular key, GW can communicate with sensor nodes. The procedure for this phase is as follows:

Step-1: User U_i selects a random number r_i and computes P_i = h(r_i||h(PW_i)).

Step-2: User generates time stamp T_s1 and sends {P_i, ID_i, T_s1} to GW through a protected channel.

Step-3: Following the received message, the gateway verifies the legitimacy of a time stamp.

If |T_S1 − T_c| < ∆T exists, then gateway calculates.

• α_i = h(K_GW-U ||ID_i);
• b_i = α_i ⨁ h(P_i ||h(PW_i));
• c_i = h(α_i||h(PW_i)||ID_i);

Step-4: Gateway customizes SC with {h(.), b_i, c_i, ID_i} and conveys to the user through a protected channel.

Step-5: User adds d_i = r_i ⨁ h(ID_i||PW_i) into SC. Now SC contains {h(.), b_i, c_i, d_i, ID_i}.

3.1.2. Registration Between Sensor node and gateway

Every sensor node has an identity (ID_sj) and a protected password (PW_sj). The identity and the hash value of the password for sensor node S_j are also saved in the gateway. The phase consists of the following steps:

Step-1: Sensor node S_j computes P_sj = h(ID_sj||h(PW_sj)||Ts₂) with its ID_sj and PW_sj.

Step-2: Sensor node dispatch message {P_sj, ID_sj, Ts₂} to the gateway.

Step-3: When information is received, the gateway confirms the validation of a time stamp. If |Ts₂ − T_c| < ∆T, then it moves ahead or else sends non-acceptance text to the sensor node.

Step-4: With secret key K_GW-S, GW calculates the following values:

• β_j = h(K_GW-S||ID_sj);
• b_sj = β_j ⨁ h(ID_sj||h(PW_sj));
• c_sj = h(β_j||h(PW_sj)||ID_sj||Ts₃);

Step-5: GW sends {b_sj, c_sj, Ts₃} to the sensor node through a non-private channel.

Step-6: After confirmation of obtaining the data, the sensor node verifies the legitimacy of a time stamp. If |Ts₃ − T_c| < ∆T, then move ahead to the succeeding step or else deliver a non-acceptance message to GW.

Step-7: Sensor node calculates β_j = b_sj ⨁ h(ID_sj||h(PW_sj)) and checks c_sj^* = h(β_j||h(PW_sj)||ID_sj||Ts₃) is equal to c_sj; after that, saves β_j into its memory or else sends a failure message to GW.

3.2. Login Phase

After the registration phase, the connection is established between the user and S_j via the GW node. Figure 3 describes the work-flow of the login phase. The steps are as follows:

Figure 3. Login phase of Singh et al.’s scheme [34].

Step-1: User U_i inserts his/her card into the insertion area and enters his/her ID_i^* and password PW_i^*.

Step-2: SC calculates r_i^* = d_i ⨁ h(ID_i^*||PW_i^*) with the saved value of d_i. Then it calculates MP_i^* = h(PW_i^*) and P_i = h(r_i^*||MP_i^*).

Step-3: Then, smartcard calculates α_i^* = b_i ⨁ h(P_i||MP_i^*).

Step-4: SC calculates one more time c_i^* = h(α_i^*||MP_i^*||ID_i^*) and verifies whether the original c_i or computed c_i^* are the same. If it is not equal, then the login progress will be terminated.

Step-5: If the entered password is exactly the same, the user selects an arbitrary number k_i and calculates M₁ = k_i ⨁ h(α_i||MP_i ) and M₂ = h(α_i||MP_i||k_i||T₁).

Step-6: User sends {M₁, M₂, ID_i, T₁} to GW through an open channel.

3.3. Authentication and Key Agreement Phase

Mutual confirmation among all groups is made after the success of the login phase. This procedure is performed in the authentication and key agreement phase. It takes three steps. The first one is for the user’s authority confirmation through GW. The second one represents the GW’s lawfulness confirmation by the user and the sensor node. Moreover, the third one is for the user to verify the authentication of the sensor node. The focus of this phase is providing a session key between the user and the sensor node. This phase is illustrated in Figure 4. The whole authentication and key agreement phase is discussed in the following steps.

Figure 4. Authentication phase of Singh et al.’s scheme [34].

Step-1: As the gateway obtains a message {M₁, M₂, ID_i, T₁} from the user U_i, the gateway verifies the time stamp’s validity by calculating |T₁ − T_c| < ∆T. If it is found valid, GW again calculates the upcoming step or else sends a failure message to U_i.

Step-2: With the help of h(PW_i), as per the accepted ID_i, the gateway calculates k_i^* = M₁ ⨁ h(α_i||h(PW_i)) and after that calculates its own version of M₂^* = h(α_i||h(PW_i)||k_i^*||T₁) and compares it with the received M₂. In case these are the same, then GW validates the user U_i or else sends a failure text to the user.

Step-3: Once the validation of the user is completed, GW calculates ϒ_ij = h(α_i||β_j||ID_i||ID_sj), M₃ = α_i ⨁ ϒ_ij, and M₄ = h(ϒ_ij||M₃||ID_i||T₂) and sends {M₃, M₄, ID_i, T₂} to the user; here, T₂ represents GW’s time stamp.

Step-4: After obtaining {M₃, M₄, ID_i, T₂}, the user verifies whether |T₂ − T_c| < ∆T and after that calculates its own version of ϒ_ij = α_i ⨁ M₃ and M₄^* = h(ϒ_ij||M₃||ID_i||T₂). The user checks whether M₄ =? M₄^*. If both are the same, then gateway authorization by the user U_i holds. If not, the user discontinues the procedure by sending a failure message to GW.

Step-5: At time T₂ when message is sent to user U_i, GW calculates M₅ = k_i ⨁ h(β_j||ID_sj), M₆ = β_j ⨁ ϒ_ij, and M₇ = h(ϒ_ij||k_i||ID_sj||T₃) after that forwards {M₅, M₆, M₇, ID_i, ID_sj, T₃} to sensor node S_j.

Step-6: When a message is received from GW, now S_j verifies if |T₃ − T_c| < ∆T then further calculates owned version of k_i^* = M₅ ⨁ h(β_j||ID_sj) by using saved β_j and after this calculates its own version of ϒ_ij = β_j ⨁ M₆ and M₇^* = h(ϒ_ij||k_i^*||ID_sj||T₃) and compares M₇^* with M₇. It checks the values; if both are equal, then GW is verified by S_j, or else S_j transmits a failure text to GW.

Step-7: When authentication of GW is complete, S_j chooses a random number k_j and calculates the session key, which is SK = h(k_i ⨁ k_j).

Step-8: In the end, thesensor node S_j calculates M₈ = k_j ⨁ϒ_ij and M₉ = h(k_j||ID_sj||T₄) and transmits {M₈, M₉, ID_i, ID_sj, T₄} to user U_i.

Step-9: When the text is received from sensor node S_j, the user verifies the legality of the time stamp |T₄ − T_c| < ∆Ta and verifies the validity of S_j by calculating its own version of k_j = M₈ ⨁ϒ_ij and M₉^* = h(k_j||ID_sj||T₄) and after that analyzes M₉^* with the accepted M₉. It checks if both are the same and furthermore calculates the session key as SK = h(k_i ⨁ k_j), then, as a result, efficiently ends the authentication phase.

4. Cryptanalysis of Singh et al.’s Scheme

4.1. Insider Attack

Suppose an insider at GW can obtain a user smart card and access the information saved in SC {h(.), b_i, c_i, d_i, ID_i}. In the registration phase, when U_i submits {P_i, ID_i}, the insider guesses the password PW_i and finds r_i in the following way:

r_i = d_i ⨁ h(ID_i||h(PW_i))

after that calculates P_i^# = h(r_i||h(PW_i)) and checks whether P_i = ? P_i^#

The insider guesses the password till he/she achieves the correct password.

4.2. Offline Password Guessing Attack

Secret parameters saved into smart card are {h(.), b_i, c_i, d_i, ID_i}

An adversary U_a can do guesswork PW_i^* for the password, and now computes r_i^# = d_i ⨁h(ID_i||PW_i^#)

Then, the adversary finds the value of P_i^# from P_i^# = h(r_i^#||h(PW_i^#)). The adversary computes the value

α_i^# = b_i ⨁ h(P_i^#||h(PW_i^#)). Then, the adversary computes c_i^# = h(α_i^#||h(PW_i^#)||ID_i) and checks whether c_i^# =? c_i. If it holds, the adversary obtains an exact password PW_i. In any other case, the adversary repeats the process.

4.3. Lack of User Anonymity

In Singh et al.’s scheme, messages {M₁, M₂, ID_i, T₁}, {M₃, M₄, ID_i, T₂}, and {M₈, M₉, ID_i, ID_sj,T₄} directly involve the identity ID_i of a valid user U_i in plain text. By spy monitoring the messages, an adversary recognizes ID_i. Subsequently, Singh et al.’s scheme does not hold the user anonymity property.

4.4. Man-In-The-Middle Attack

During the attack, an adversary U_a tries to know the actual session key.

• When the user U_i transmits the login message {M₁, M₂, ID_i, T₁} to GW via a pubic channel, the adversary U_a intercepts the message and plunders the smart card, then U_a can guess the secret keywords and find the value of α_i. U_a finds k_i = M₁⨁h(α_i||MP_i). Let U_a select random nonce k_i^# then modify the parameter M₁ and M₂ as M₁^# = k_i^# ⨁ h(α_i||MP_i) and M₂^# = h(α_i||MP_i||k_i^#||T₁^#). After that, U_a sends the modified message {M₁^#, M₂^#, ID_i, T₁^#} to GW.
• By gateway, after receiving the message {M₁^#, M₂^#, ID_i, T₁^#}, the gateway examines the legality of the time stamp by figuring out|T₁^# − T_c| < ∆T. If the legality stays, then there are further attempts to figure out the subsequent steps; if not, a rejection message drops to the user U_i.
• The gateway computes k_i^#* = M₁^# ⨁ h(α_i||h(PW_i)) and then computes M₂^* = h (α_i||h(PW_i)||k_i^#*||T₁^#) and checks whether M₂^* = ? M₂^#. If it holds, then the gateway authenticates the user U_i; if not, it sends a rejection message to the user.
• GW computes ϒ_ij = h(α_i||β_j||ID_i||ID_sj), M₃ = α_i ⨁ ϒ_ij, and M₄ = h(ϒ_ij||M₃||ID_i||T₂) and sends {M₃, M₄, ID_i,T₂} to the user.
• Adversary U_a intercepts the message {M₃, M₄, ID_i, T₂} and computes the value ϒ_ij = M₃ ⨁ α_i and changes the gateway’s time stamp and parameter M₄ as M₄^#.

• Now U_a delivers {M₃, M₄^#, ID_i, T₂^#} to the user U_i. After receiving {M₃, M₄^#, ID_i, T₂^#}, the user checks whether |T₂^# − T_c| < ∆T and then computes ϒ_ij = α_i ⨁ M₃ and M₄^* = h(ϒ_ij||M₃||ID_i||T₂^#) and checks whether M₄^* =? M₄^#. If it holds, then GW verification by the user holds; otherwise, abort the process.

6.

When a message is sent at time T₂ to the user U_i, GW immediately computes M₅ = k_i^# ⨁ h(β_j||ID_sj), M₆ = β_j ⨁ ϒ_ij, and M₇ = h(ϒ_ij||k_i^#||ID_sj||T₃), then sends { M₅, M₆, M₇, ID_i, ID_sj, T₃} to S_j.

7.

The adversary U_a intercepts the message {M₅, M₆, M₇, ID_i, ID_sj,T₃}. U_a changes the time stamp and parameter as M₇^# = h(ϒ_ij||k_i^#||ID_sj||T₃^#). Now the adversary U_a sends the message {M₅, M₆, M₇^#, ID_i, ID_sj, T₃^#} to S_j.

8.

When a message is received from the gateway, S_j confirms whether |T₃^# − T_c| < ∆T and then computes k_i^# = M₅ ⨁ h(β_j||ID_sj), ϒ_ij = β_j ⨁ M₆, and M₇^* = h(ϒ_ij||k_i^#||ID_Sj||T₃) and checks whether M₇^* =? M₇^#. If it holds, then the gateway is certified through the sensor node; if not, the sensor node sends a failure text to the gateway.

9.

Once the gateway verification is completed, S_j sensor node picks a random number k_j and calculates the session key as SK = h(k_i^# ⨁ k_j).

10.

S_j computes M₈ = k_j ⨁ ϒ_ij and M₉ = h(k_j||ID_Sj||T₄) then transmits {M₈, M₉, ID_i, ID_sj, T₄} to the user U_i.

11.

The adversary intercepts the message {M₈, M₉, ID_i, ID_sj, T₄}. U_a computes k_j = M₈ ⨁ ϒ_ij, M₉^* = h(k_j||ID_Sj||T₄) and checks whether M₉ = ? M₉^*. The adversary U_a computes the session key SK = h(k_i^# ⨁ k_j). Now U_a chooses random number k_j^# and computes M₈^# = k_j^# ⨁ ϒ_ij and M₉^# = h(k_j^#||ID_Sj||T₄^#). U_a transmits the message {M₈^#, M₉^#, ID_i,ID_sj,T₄^#} to the user U_i.

12.

Once the message is received from sensor node S_j, the user confirms the legality of the stamp |T₄^# − T_c| < ∆T. The user examines the effectiveness of the sensor node by figuring out its own version of k_j^#* = M₈^# ⨁ϒ_ij and M₉^#* = h(k_j^#*||ID_Sj||T₄^#) and confirms whether M₉^# = ? M₉^#*. If it holds, then it calculates the session key as SK = h(k_i ⨁ k_j^#).

Two session keys are established here: one is between the user and adversary SK = h(k_i ⨁ k_j^#). The second is SK = h(k_i^# ⨁ k_j), which is between the sensor node and the adversary. The adversary makes a fool of both the user and the sensor node by behaving like a middleman.

5. Proposed Scheme

Here, we propose an enhanced user authentication and key agreement scheme for WSNs tailored for IoT. This protocol is divided into four phases: registration, login, authentication and key agreement, and password change. Our scheme sorts out all the identified failures of Singh et al.’s scheme. The architecture of the sensors-enabled IoT network is shown in Figure 5. It depicts that the gateway node facilitates the establishment of a secure communication channel between the user and the sensor node.

Figure 5. Sensors Enabled IoT Network.

5.1. Registration

Here we split the phase into two sub-phases.

5.1.1. Sensor Registration

Each sensor node S_j has its identity ID_sj. This section is performed by the GW offline before the use of sensor nodes in the target area. It contains the following steps:

• For each sensor node S_j, the GW chooses an uncommon identity ID_sj;
• The gateway node computes a common secret key between GW and S_j

K_GW-Sj = h(ID_sj||K_GW)

Ultimately, every sensor node S_j which is used in the target area is preloaded with the information {ID_sj, K_GW-Sj}, and GW also stores ID_sj in its database. This phase is shown in Figure 6.

Figure 6. Sensor node pre-deployment phase.

5.1.2. User Registration

In this section, a lawful user U_i wishes to register with the GW. As a way to register to the GW, the user U_i wishes to execute the steps which are given below and shown in Figure 7.

Figure 7. Registration phase between U_i and GW.

Step-1: User U_i selects ID_i, PW_i, and random number r₁. U_i calculates

RPW_i = h(ID_i||PW_i||r₁)

RID_i = h(ID_i||r₁)

Now U_i forwards the registration request message {RPW_i, RID_i} to GW via a safe channel.

Step-2: GW investigates whether RID_i exists in the database. If it exists, then GW forwards a rejection notification to U_i. If not, GW saves RID_i in the database and computes.

A₁= h(GID_j||K_GW||RID_i) ⨁ RPW_i

A₂= h(RID_i||K_GW) ⨁ h(RID_i||RPW_i)

A₃= h(A₂||RPW_i||RID_i)

GW stores {A₁, A₂, A₃, GID_j} into SC and sends SC to U_i by a private channel.

Step-3: U_i computes A₄ = h(ID_i||PW_i) ⨁ r₁ and stores A₄ into SC {A₁, A₂, A₃, A₄, GID_j}.

5.2. Login Phase

Subsequent to the completion of the registration phase, the user can contact a sensor node by the GW. Comprehensive steps are given underneath.

Step-1: User U_i enters its smart card into the terminal and loads ID_i and PW_i.

Step-2: SC computes r₁ = A₄ ⨁ h(ID_i||PW_i);

And RPW_i = h(ID_i||PW_i||r₁), RID_i = h(ID_i||r₁);

And checks A₃ = ? h(A₂||RPW_i||RID_i);

Step-3: If they do not match, then the login process will be canceled.

Step-4: If the password entered by the user was correct, then it selects the random number r_u and required sensor ID_sj and computes

B₁ = A₁ ⨁ RPW_i = h(GID_j||K_GW||RID_i)

B₂ = B₁ ⨁ r_u

B₃ = h(GID_j||ID_sj||B₁||RID_i||r_u||T₁)

Finally, the message M₁ = {B₂, B₃, GID_j, RID_i, ID_sj, T₁} is sent to GW, where T₁ is an ongoing time stamp.

5.3. Authentication and Key Agreement Phase

Subsequent to accepting the login request message by the GW from U_i, subsequent steps are accomplished for mutual authentication and key establishment. The login and authentication phases are shown in Figure 8.

Figure 8. Authentication and key agreement phase.

Step-1: Firstly, GW checks if GID_j is right. After that, GW verifies the validity of the timestamp. If |T₁ − T_c| < ∆T holds, then GW proceeds to further steps; otherwise, abort the process. GW computes

B₁ = h(GID_j||K_GW||RID_i)

r_u^* = B₁ ⨁ B₂

Then checks B₃^* = h(GID_j||ID_sj||B₁||RID_i||r_u^*||T₁) = ? B₃

If this does not hold, the user account RID_i will be locked. Otherwise, GW searches for ID_sj from the database, chooses a random number r_g, and calculates

K_GW-Sj = h(ID_sj||K_GW)

B₄ = h(K_GW-Sj||ID_sj||GID_j) ⨁ r_u

B₅= h(r_u) ⨁ r_g

B₆ = h(K_GW-Sj||r_u||r_g||T₂)

GW sends the message M₂ = {ID_sj, B₄, B₅, B₆, T₂} to S_j, where T₂ is GW ongoing time stamp.

Step-2: Subsequent to accepting the message, S_j first checks if ID_sj is correct; after that, S_j verifies the legality of the time stamp. If |T₂ − T_c| <∆T holds, then S_j proceeds to further steps; otherwise, it sends a rejection message to GW.

S_j calculates r_u^* = B₄ ⨁ h(K_GW-Sj||ID_sj||GID_j)

and r_g^* = B₅ ⨁ h(r_u)

and verifies B₆^* = h(K_GW-Sj||r_u^*||r_g^*||T₂) = ? B₆

If the equation is right, S_j selects r_s and computes

SK_s = h(r_u||r_g||r_s)

B₇ = h(K_GW-Sj||r_g) ⨁ r_s

B₈ = ID_sj ⨁ h(r_s||B₇)

B₉ = h(SKs||ID_sj||GID_j||r_s||T₃)

Now S_j sends M₃ = {B₇, B₈, B₉, T₃} to GW

Step-3: Subsequent to accepting the message, GW verifies the legality of the time stamp. If |T₃ − T_c| < ∆T holds, then GW goes ahead to further steps; if not, abort the process.

GW computes r_s^* = B₇ ⨁ h(K_GW-Sj||r_g)

ID_sj^* = B₈ ⨁ h(r_s^*||B₇)

Then investigates ID_sj^* in the database. If it does not occur, then GW stops the process; otherwise, GW checks B₉^* = h(SK_g||ID_sj^*||GID_j||r_s^*||T₃) =? B₉

GW computes SK_g = h(r_u||r_g||r_s)

B₁₀ = h(r_u||RID_i) ⨁ r_g

B₁₁ = h(r_u||r_g) ⨁ r_s

B₁₂ = h(SK_g||RID_i||r_g||r_s||T₄)

GW sends the message M₄ = {B₁₀, B₁₁, B₁₂, T₄} to U_i.

Step-4: Subsequent to accepting the message, U_i investigates the legality of the time stamp. If |T₄ − T_c| < ∆T holds, then U_i proceeds to further steps; otherwise, it stops the process.

U_i computes r_g^* = B₁₀ ⨁ h(r_u||RID_i)

r_s^* = B₁₁ ⨁ h(r_u||r_g)

SK_u^* = h(r_u||r_g^*||r_s^*)

Then checks B₁₂^* = h(SK_u^*||RID_i||r_g^*||r_s^*||T₄) = ? B₁₂

Hence, Session key SK_u = h(r_u||r_g||r_s)

5.4. Password Change Phase

Step-1: User U_i inserts its SC into the terminal and inputs his/her ID_i and PW_i.

SC computes r₁ = A₄ ⨁ h(ID_i||PW_i)

RPW_i = h(ID_i||PW_i||r₁) and RID_i = h(ID_i||r₁)

Chooses a random number r_u and calculates B₁, B₂, and B₁₃ = h(GID_j||B₁||RID_i||r_u||T₅). Finally, it sends M₅ = {GID_j, RID_i, B₂, B₁₃, T₅} with to GW.

Step-2: GW investigates legality of time stamp T₅ after that calculates B₁, r_u, and checks B₁₃ =? h(GID_j||B₁||RID_i||r_u||T₅)

GW computes B₁₄ = h(GID_j||K_GW||RID_i) ⨁ h(r_u||RID_i)

B₁₅ = h(RID_i||GID_j||B₁₄||T₆)

Finally, it sends M₆ = {B₁₄, B₁₅} to U_i.

Step-3: After receiving M₆, SC checks the validity of time stamp and checks B₁₅ = ? h(RID_i||GID_j||B₁₄||T₆). If so, U_i inputs a new password PW_i^new, and the SC generates an arbitrary number r₁^new, and calculates

RPW_i^new = h(RID_i||PW_i^new||r₁^new)

A₁^new = B₁₄ ⨁ h(r_u||RID_i) ⨁ h(ID_i||PW_i^new||r₁)

A₂^new= A₂ ⨁ h(RID_i||RPW_i) ⨁ h(RID_i||RPW_i^new)

A₃^new = h(A₂^new||RPW_i^new||RID_i)

Finally, the SC replaces {A₁, A₂, A₃} with {A₁^new, A₂^new, A₃^new}.

6. Security Analysis

Here, we discuss the security of our scheme formally as well as informally.

6.1. Informal Security Analysis

6.1.1. Insider Attack Resistance

When a user sends a registration request message {RPW_i, RID_i} to GW, an insider of GW obtains these secret values. Moreover, the insider obtains the parameters stored in SC {A₁, A₂, A₃, A₄, GID_j}. To find the random number r₁, the adversary needs to guess ID_i^* and PW_i^* simultaneously because A₄ = h(ID_i||PW_i) ⨁ r₁. However, the probability of guessing ID_i^* and PW_i^* simultaneously is negligible. The adversary cannot find the random number r₁ and cannot guess ID_i^* and PW_i^*. The adversary cannot verify whether RPW_i =? RPW_i^* where RPW_i = h(ID_i||PW_i||r₁). Hence, an insider cannot guess the user’s password.

6.1.2. Offline Password Guessing Resistance

The adversary obtains the SC {A₁, A₂, A₃, A₄, GID_j} and obtains the parameter stored in it. From A₄ = h(ID_i||PW_i) ⨁ r₁, the adversary knows only A₄. To find the random number r₁, the adversary needs to guess ID_i^* and PW_i^* simultaneously. However, the probability of guessing ID_i^* and PW_i^* simultaneously is negligible. In other equations, A₁ = h(GID_j||K_GW||RID_i) ⨁ RPW_i, A₂ = h(RID_i||K_GW) ⨁ h(RID_i||RPW_i), and A₃ = h(A₂||RPW_i||RID_i) the password is used implicitly. From these equations, if the adversary wants to guess the password PW_i then he/she needs to know ID_i and the random number r₁. In these equations, the random number is not used in any of the equations, and ID_i is used implicitly. The adversary cannot guess the password from these equations. Thus the proposed scheme is safe against offline password-guessing attacks.

6.1.3. Identity Guessing Resistance

The correct value of the user identity (ID_i) is only known to U_i, and the gateway node saves RID_i = h(ID_i||r₁), in which ID_i concatenates with the random number r₁. The user does not use his/her identity for login or for authentication. In the whole scheme, the user identity is used only inside A₄ = h(ID_i||PW_i) ⨁ r₁. It is not possible for the adversary to find the random number r₁, and it can be easily seen that the adversary needs to accurately guess the PW_i and ID_i simultaneously, but at the same time, it is not possible. Hence, our scheme does not suffer from identity-guessing attacks.

6.1.4. User Forgery Resistance

If the adversary wants to forge the user, then the adversary needs to forge M₁ = {B₂, B₃, GID_j, RID_i, ID_sj, T₁}; the adversary must calculate B₂, B₃. However, in the calculation of B₂ = B₁ ⨁ r_u and B₃ = h(GID_j||ID_sj||B₁||RID_i||r_u||T₁), B₁= h(GID_j||K_GW||RID_i) is required. In the calculation of B₁, gateway node secret key K_GW is required. Thus it is not desirable for an adversary to forge a user. The user U_i and our scheme are secure against user forgery attacks.

6.1.5. Sensor Capture Resistance

If the adversary captured some sensors, other than S_j, which communicate with U_i, the adversary could not forge M₃ = {B₇, B₈, B₉, T₃} since K_GW-Sj is used to construct B₇ = h(K_GW-Sj||r_g) ⨁ r_s. The sensors are captured by the adversary and have no association with K_GW-Sj. So, even though other sensors are seized, U_a cannot execute this attack successfully.

6.1.6. Gateway Forgery Attack

To apply this attack, the adversary wants to forge M₂ or M₄, where M₂ = {ID_sj, B₄, B₅, B₆, T₂} and M₄ = {B₁₀, B₁₁, B₁₂, T₄}. To forge the message M₂, adversary must calculate B₄, B₅, and B₆ where B₄ = h(K_GW-Sj||ID_sj||GID_j) ⨁ r_u, B₅ = h(r_u) ⨁ r_g, and B₆ = h(K_GW-Sj||r_u||r_g||T₂). However, in the calculation of B₄ and B₆, K_GW-Sj shared secret key between GW and sensor node is required. To forge the message M₄, he/she must calculate B₁₀, B₁₁, and B₁₂ where B₁₀ = h(r_u||RID_i) ⨁ r_g, B₁₁ = h(r_u||r_g) ⨁ r_s, and B₁₂ = h(SK_g||RID_i||r_g||r_s||T₄). However, it is not possible to calculate B₁₀, B₁₁, and B₁₂ because random numbers and session keys are required. It is not possible to forge a gateway node. Hence, the proposed scheme is safe against gateway forgery attacks.

6.1.7. De-synchronization Resistance

De-synchronization is a very big security issue in WSNs. Our scheme includes a random number mechanism to assure the originality of interchanged messages and also uses a timestamp mechanism. In each session of our scheme, random numbers r_u, r_g, and r_s are generated by U_i, GW, and S_j, respectively. Hence, our scheme is free from de-synchronization problems.

6.1.8. No Adversarial Session Key Agreement

To change the session key, the adversary needs to change any of the random numbers r_u, r_g, and r_s.

When the message M₁ = {B₂, B₃, GID_j, RID_i, ID_sj, T₁} is sent to GW, if the adversary wants to agree on the session key with GW and S_j, then U_a selects a random number r_u. Now, the adversary needs to calculate B₂ and B₃. B₂ = B₁ ⨁ r_u and B₁ = A₁ ⨁ RPW_i = h(GID_j||K_GW||RID_i). In B₁ = A₁ ⨁ RPW_i, U_a cannot calculate B₁ from this because, in Section 5.2, the adversary cannot guess the user’s password. In B₁ = h(GID_j||K_GW||RID_i), K_GW is GW’s secret key which is only known by GW. The adversary cannot calculate B₁ with this. In the calculation of B₃ = h(GID_j||ID_sj||B₁||RID_i||r_u||T₁), he/she must know B₁ and random number r_u. As discussed above, we conclude that U_a cannot calculate B₁ and U_a also cannot calculate B₃. In message M₁, the adversary cannot make any type of changes.

When message M₂ = {ID_sj, B₄, B₅, B₆, T₂} is sent to S_j, If the adversary wants to change the session key, then U_a selects a random number r_g^*. Now, the adversary needs to calculate B₅ and B₆ where B₅ = h(r_u) ⨁ r_g. U_a does not know the random number r_u selected by U_i, then he/she cannot calculate B₅. In B₆ = h(K_GW-Sj||r_u||r_g||T₂), K_GW-Sj is a shared secret key between GW and S_j. The adversary cannot calculate B₆. In message M₂, the adversary cannot make any type of change.

When message M₃ = {B₇, B₈, B₉, T₃} is sent to GW, if U_a wants to change the session key, then U_a selects a random number r_s^*. Now, the adversary needs to calculate B₇, B₈, and B₉. The adversary needs to know K_GW-Sj and r_g to calculate B₇ = h(K_GW-Sj||r_g) ⨁ r_s, but K_GW-Sj shares the secret key only between GW and S_j, so the adversary cannot calculate B₇. To calculate B₈ = ID_sj ⨁ h(r_s||B₇), U_a needs to know B₇. Above, we conclude that U_a cannot calculate B₇ and the adversary cannot calculate B₈. U_a needs to know SKs in order to calculate B₉ = h(SKs||ID_sj||GID_j||r_s||T₃) where SKs = h(r_u||r_g||r_s). U_a does not know the random numbers r_u and r_g, and the adversary cannot calculate B₉.

Hence, our proposed scheme is safe from adversarial session key agreement.

6.1.9. Man-In-The-Middle Attack

To apply a man-in-the-middle attack, the adversary works as a middleman between the user and the sensor node. In this attack, one session key is conducted between the user and adversary, and another session key is established between the adversary and sensor node. Both the user and the sensor node believe they are communicating with each other, but in this attack, both are communicating with the adversary.

When message M₁ = {B₂, B₃, GID_j, RID_i, ID_sj, T₁} is sent to GW, then the adversary intercepts it and tries to find random number r_u where r_u = B₂ ⨁ B₁ and B₁ = A₁ ⨁ RPW_i = h(GID_j||K_GW||RID_i). The adversary does not know RPW_i and K_GW. As a result, he/she cannot find r_u and cannot able to apply this attack at this end.

Similarly, when the sensor node sends message M₃ = {B₇, B₈, B₉, T₃} to GW, then the adversary needs to know the random number r_s = B₇ ⨁ h(K_GW-Sj||r_g). However, the adversary does not know K_GW-Sj and r_g. So he/she cannot be able to find the random number r_s.

Hence, our proposed scheme is safe from a man-in-the-middle attack.

6.1.10. Stolen Smart Card Resistance

Suppose SC of the user has been lost, then all the information stored in SC obtains by an adversary. In our proposed scheme SC has the parameters {A₁, A₂, A₃, A₄, GID_j} where A₁ = h(GID_j||K_GW||RID_i) ⨁ RPW_i, A₂ = h(RID_i||K_GW) ⨁ h(RID_i||RPW_i), A₃ = h(A₂||RPW_i||RID_i), and A₄ = h(ID_i||PW_i) ⨁ r₁. However, without knowing (ID_i, r₁), U_a cannot obtain the user’s password. An adversary cannot obtain any secret information from it. Hence our proposed protocol resists stolen smart card attacks.

6.1.11. User Anonymity Provision

Our scheme protects ID_i with h(ID_i||r₁). It also protects PW_i with h(ID_i||PW_i||r₁). Thus in order to obtain ID_i, a random number r₁ is needed, and to obtain U_i^’s password U_i^’s identity and random number r₁ need to be known. Moreover, even if a stolen smart card is obtained by the adversary, U_a cannot obtain ID_i from A₄ = h(ID_i||PW_i) ⨁ r₁ since ID_i is protected by h(ID_i||PW_i) ⨁ r₁. The adversary cannot find the identity and password of the user. This proves that our suggested protocol provides user anonymity.

6.1.12. Mutual Authentication Provision

GW checks B₄ = h(K_GW-Sj||ID_sj||GID_j) ⨁ r_u to verify U_i, and B₉ = h(SK_g||ID_sj||GID_j||r_s||T₃) to verify S_j, S_j checks ID_Sj and B₆ = h(K_GW-Sj||r_u||r_g||T₂) to authenticate GW directly and U_i indirectly. U_i checks B₁₂ = h(SK_g||RID_i||r_g||r_s||T₄) to justify GW directly and S_j indirectly. So, either pair of parties achieves mutual authentication.

6.1.13. Password Updating/Changing Provision

Suppose a legitimate user has his/her smart card stolen. Suppose the information is acquired by the adversary who saves in SC. Suppose the adversary revealed the information which is saved in SC. To change the password, it is necessary for the adversary to know the existing password PW_i verification. Moreover, it is not possible to find the old password because the password is protected with RPW_i = h(ID_i||PW_i||r₁). In this way, an adversary needs to reckon the existing password before updating another password.

6.2. Formal Security Analysis

Here, we do a formal security analysis of our scheme with the help of a random oracle model. In this section, we use the Real or Random (RoR) [35] model to prove that the proposed protocol is secure. In the RoR model, the attacker is given the right to query and uses the interactive question and answer with a random oracle to verify the security of the proposed scheme. There are two participants in the proposed protocol: ${\mathsf{\Pi }}_I^m$ and ${\mathsf{\Pi }}_S^n$ represent the m-thIoT device instance and the n-th trusted server instance respectively. In addition, for formal security analysis, we define the following query model for attacker $A$.

$Execute\left(O\right): A$ by executing this query, he can intercept the messages transmitted by IoT devices and trusted server servers on the public channel, where $O=\left\{{\mathsf{\Pi }}_I^m,{\mathsf{\Pi }}_S^n\right\}$.

$Send\left(O, M\right):$By executing the query, $A$ can send message $M$ to $O$ and receive a response from $O$.

$Hash\left(string\right):$By executing the query, $A$ can enter a string and return its hash value.

$Test\left(O\right):A$ flips a coin $c$ by executing this query. If $c=1$, $A$ can obtain the correct session key. If $c=0$, $A$ can obtain a random string with the same length as the session key.

Theorem 1. 

In the R.O.R model, suppose $A$can execute the queries of $Execute\left(O\right)$, $Send\left(O, M\right), Hash\left(string\right)$, and $Test\left(Z\right)$, the probability $P$of A breaking the protocol in polynomial time is: $Ad{v}_A^P\left(\epsilon \right)\le \frac{q_h^2}{\left|Hash\right|}+\frac{q_P^2}{\left|PUF\right|}+2Ad{v}_A^{\Omega }\left(\epsilon \right)$. Here, $q_h$refers to the number of times the hash is executed, $q_p$refers to the number of times $PUF$is executed. $Hash$and $PUF$refer to scope space of hash function$H(·)$and $PUF$function $PUF(·)$. $Ad{v}_A^{\Omega }\left(\epsilon \right)$represents the advantage of $A$cracking the symmetric cipher $\Omega$, for a sufficiently small number $\gamma$, then $Ad{v}_A^{\Omega }\left(\epsilon \right)<\gamma$.

Proof. 

We defined five rounds of the game $G{M}_0-G{M}_4$ to simulate the attack process of $A$. In the process of proving, $Suc{c}_A^{G{M}_i}\left(\epsilon \right)$ represents the probability that $A$ can win multiple rounds of the game, $Ad{v}_A^P\left(\epsilon \right)$ means that $A$ can break the advantage of protocol. The proof steps are as follows:

$G{M}_0:$ In the ROR model, $G{M}_0$ game is a real attack on the authentication key exchange protocol proposed by $A$, and $A$ flips the coin $c$ at the beginning of the game. Therefore, we obtain the following results:

$$Ad{v}_A^P\left(\epsilon \right)=\left|2\mathit{Pr}\left[Suc{c}_A^{G{M}_0}\left(\epsilon \right)\right]-1\right|$$

$G{M}_1$: With $G{M}_0$ being different from $G{M}_1$ by executing the $Execute$ query, $A$ can intercept the messages $\{h(I{D}_A),Aut{h}_{req},T{S}_1,h(I{D}_A,T{S}_1)\}$,$\{C_{A,i},P_{A,i},T{S}_2,h(h(I{D}_A),C_{A,i},P_{A,i}),h(K_{A,i})\}$, and $\{P_{A,i},T{S}_3,h(h(I{D}_A),T{S}_3,K_{A,i},R_{A,i+1}),(R_{A,i+1}),{(R_{A,i+1})}_{h(K_{A,i})}\}$transmitted on the public channel. Then, $A$ will perform a $Test$ query to calculate the session key $h(K_{A,i})$, but the message intercepted on the public channel cannot help $A$ calculate $SK$. Therefore, the probability of $A$ winning $G{M}_1$ by eavesdropping information will not increase. So we obtain:

$$\mathit{Pr}\left[Suc{c}_A^{G{M}_1}\left(\epsilon \right)\right]=\mathit{Pr}\left[Suc{c}_A^{G{M}_0}\left(\epsilon \right)\right]$$

$G{M}_2:$Different from $G{M}_1$, $G{M}_2$ adds $Hash$ query and $Send$ query. In the intercepted messages$\{C_{A,i},P_{A,i},T{S}_2,h(h(I{D}_A),C_{A,i}),h(K_{A,i})\}$ and $\{P_{A,i},T{S}_3,h(h(I{D}_A),T{S}_3,R_{A,i+1}),(R_{A,i+1}),{(R_{A,i+1})}_{h(K_{A,i})}\}$, the parameters $h(h(I{D}_A),C_{A,i}),h(K_{A,i})$,$h(K_{A,i})$and $\{h(h(I{D}_A),T{S}_3,K_{A,i},R_{A,i+1})$ are based on the one-way hash function. In addition, $h(K_{A,i})$is different in each communication; the hash function will not collide. Therefore, according to the birthday paradox [36], we can obtain

$$\left|\mathit{Pr}\left[Suc{c}_A^{G{M}_2}\left(\epsilon \right)\right]-\mathit{Pr}\left[Suc{c}_A^{G{M}_1}\left(\epsilon \right)\right]\right|\le \frac{q_h^2}{2\left|Hash\right|}$$

$G{M}_3:$The difference between $G{M}_3$ and $G{M}_2$ is that $G{M}_3$ adds $PUF$ query. $A$ executes $Send$ and $PUF$ queries. Because the physical function $PUF$ has security attributes. Therefore, we can obtain

$$|\mathit{Pr}\left[Suc{c}_A^{G{M}_3}\left(\epsilon \right)\right]-\mathit{Pr}\left[Suc{c}_A^{G{M}_2}\left(\epsilon \right)\right]|\le \frac{q_P^2}{2\left|PUF\right|}$$

$G{M}_4:$In this game, $A$ tries to crack the encrypted message ${(R_{A,i+1})}_{h(K_{A,i})}$, In the security model in Section 3.2, it is defined that the attacker cannot crack the memory of the server, $A$ cannot obtain $h(K_{A,i})$, so $A$ cannot calculate $(R_{A,i+1})$. According to the security of $\Omega$ symmetric encryption algorithm, we can obtain

$$|\mathit{Pr}\left[Suc{c}_A^{G{M}_4}\left(\epsilon \right)\right]-\mathit{Pr}\left[Suc{c}_A^{G{M}_3}\left(\epsilon \right)\right]|\le Ad{v}_A^{\Omega }\left(\epsilon \right)$$

Because the probability of success and failure of $A$ is equal, so the probability that $A$ can guess the session key is

$$\mathit{Pr}\left[Suc{c}_A^{G{M}_4}\left(\epsilon \right)\right]=1/2.$$

According to the above formula, we can obtain

$$\frac{1}{2}Ad{v}_A^P\left(\epsilon \right)=\left|\mathit{Pr}\left[Suc{c}_A^{G{M}_0}\left(\epsilon \right)\right]-\frac{1}{2}\right|$$

$$=\left|\mathit{Pr}\left[Suc{c}_A^{G{M}_0}\left(\epsilon \right)\right]-\mathit{Pr}\left[Suc{c}_A^{G{M}_4}\left(\epsilon \right)\right]\right|$$

$$\le {\displaystyle \sum }_{i=0}^3\left|\mathit{Pr}\left[Suc{c}_A^{G{M}_{i+1}}\left(\epsilon \right)\right]-\mathit{Pr}\left[Suc{c}_A^{G{M}_i}\left(\epsilon \right)\right]\right|$$

$$=\frac{q_h^2}{2\left|Hash\right|}+\frac{q_P^2}{2\left|PUF\right|}+Ad{v}_A^{\Omega }\left(\epsilon \right)$$

Therefore, the probability that $A$ can crack the protocol is:

$$Ad{v}_A^P\left(\epsilon \right)\le \frac{q_h^2}{\left|Hash\right|}+\frac{q_P^2}{\left|PUF\right|}+2Ad{v}_A^{\Omega }\left(\epsilon \right)$$

7. Comparisons with other Related Schemes

7.1. Comparison of Security and Functionality Features

All the schemes [15,19,21,22,27,34] which are used in comparison suffer from security problems. The scheme in [34] suffers from insider attacks, offline password-guessing attacks, user forgery attacks, and session key disclosure attacks. This scheme does not provide user anonymity. The scheme in [15] suffers from user forgery attacks and stolen smart card attacks. The scheme in [19] does not provide user anonymity. The scheme in [21] suffers from insider attacks, user forgery attacks, sensor capture resistance, gateway forgery attacks, and password-changing provision. The scheme in [22,27] suffers from an insider attacks. Our proposed scheme resists all the security attacks which are mentioned in Figure 9. Our scheme provides functional features which cannot be seen in the related schemes [15,19,21,22,27,34].

Figure 9. Comparison of security and functional features [15,19,21,22,27,34].

7.2. Comparison of Computation Cost

Figure 10 defines cryptographic functions and their running time for comparison of computation cost. Figure 10 and Figure 11 together show the comparison of the computation cost of our scheme with schemes in [15,19,21,22,27,34].

Figure 10. Cryptographic function and their description for computation cost.

Figure 11. Comparison of computation cost.

On the user side, the scheme in [19] has the highest computation cost, while the scheme in [21] has the lowest computation cost. Protocol [22] and protocol [34] has equal computation cost. Our proposed scheme and the scheme in [27] have the second-highest computation cost. At the gateway node side, the scheme in [21] has the lowest computation cost, while the scheme in [15,19,22] has the same third-lowest computation cost. Our proposed scheme has the highest computation cost from the gateway node side. On the sensor node side, the scheme in [19] has the highest computation cost, while the scheme in [21] has the lowest computation cost. Our suggested scheme computation cost is slightly greater than the scheme in [22]. It is depicted in Figure 12 that the total computation cost of our scheme is slightly greater than the total computation cost of [22]. The scheme in [19] has the highest computation cost. The scheme in [21] has the lowest computation cost.

Figure 12. Comparison of computation cost [15,19,21,22,27].

Our proposed scheme can be a little bit more costly than other related schemes, but our scheme has passed various hurdles in security checks which makes it user-friendly. Our scheme neither uses complex cryptographic operations nor does it add much computational load when compared to its counterparts. Moreover, the running time of an operation is directly proportional to the power consumption required to run that operation. Therefore, the proposed scheme is a power-efficient protocol.

7.3. Comparison of Communication Cost

In pursuance of comparing the communication cost of the suggested protocol with the relevant protocols, we consider the length of the elliptic curve scalar-point multiplication function, and the random number is 160 bits. We suppose the length of the identities, such as ID_i and ID_sj, and every coordinate point from the output of the elliptic curve scalar-point multiplication function is 80 bits. Let the output of the message authentication code be 160 bits. We suppose that each element is 160 bits in the elliptic curve group. Here, we have the hash (h(.)) function SHA2-256 with the output of length 256 bits. We consider the length of the timestamp as 32 bits. In Figure 13 and in Figure 14, we show the communication costs of the three entities in our proposed scheme and the related schemes [15,19,21,22,27,34].

Figure 13. Comparison of communication cost [15,19,21,22,27,34].

Figure 14. Comparison of communication cost.

From Figure 13 and Figure 14, we see that, on the user side, the communication cost of the protocol [34] is 624 bits which is the minimum, and Dhillon and Kalra’s scheme has the highest communication cost of 1312 bits. Our suggested scheme has the second-highest communication cost of 960 bits. At the gateway node side, our proposed scheme has the highest communication cost of 1680 bits, and the scheme in [19] has the lowest communication cost of 800 bits. At the sensor node aspect, our suggested scheme has a communication cost of 800 bits, while the protocol in [21] has the lowest communication cost of 368 bits. Dhillon and Kalra’s scheme has the highest communication cost of 2320 bits. The total communication cost of Dhillon and Kalra’s scheme is the highest, and in the proposed scheme, it is the third-highest. The scheme in [21] has the lowest communication cost.

8. Conclusions

We have analyzed Singh et al.’s authentication and key agreement scheme for WSNs and found some security pitfalls in it. Then we developed an improved authentication and key agreement scheme for WSNs tailored for IoT. The informal analysis of the proposed scheme indicates its resistance to various sorts of adversarial activities. The formal security of the proposed scheme with the RoR model further supports its security. In the end, we have compared the performance of our scheme with that of the related schemes. For the proposed scheme, we have tried to control the cost along with maintaining security.