An Enhanced User Authentication and Key Agreement Scheme for Wireless Sensor Networks Tailored for IoT

A security protocol for wireless transmission is essential to defend sensitive information from malicious adversaries by providing facilities such as privacy of the user's information, a secure session key, mutual authentication, and user revocation when a user's credentials are disclosed. Singh et al. proposed an improved user authentication and key agreement scheme for wireless sensor networks (WSNs). The authors claim that their protocol is secure against various attacks. Here, we find several security pitfalls in their scheme, such as an offline password-guessing attack, failure to protect the session key, and a man-in-the-middle attack. To remove the identified pitfalls in Singh et al.'s scheme, we design an enhanced authentication scheme for WSNs tailored for IoT. We prove the security of our proposed protocol using the real-or-random (RoR) model. We also compare the proposed scheme with related schemes and show its superior efficiency compared to its counterparts.


Introduction
A wireless sensor network (WSN) consists of sensors or sensor nodes and plays a vital role in Internet of Things (IoT) applications. The sensor nodes can be deployed at sensitive places in a planned or unplanned way. These nodes have the capacity to collect data from their surroundings, after which they send the data to nearby base stations (BSs), which process the received data for decision-making. Sensor nodes communicate with each other via wireless radio. In WSNs, the BS (referred to as the gateway node, or GW-node) is the most powerful node, whereas sensors are the least powerful nodes in regard to battery power, memory space, and computational ability.
WSNs can be utilized in different unattended fields, such as military, climate, medical, and agricultural applications, for target monitoring, battlefield surveillance, and intruder detection. WSNs can also be deployed in various IoT applications such as smart homes, smart supply chain management, smart cities, smart grids, smart traffic management, and the industrial Internet. Because sensor nodes are deployed unattended, an adversary can physically capture a sensor node from the target area and extract all of the data from its memory, as nodes are usually not tamper-resistant because of their low cost.
The requirement to protect the data stored in WSNs is a crucial issue. Here we discuss some scenarios which necessitate a user verification protocol in WSNs. In WSNs, an intruder can plant a bug in the network and can modify or block the transmitted messages. Numerous crucial operations in WSNs, along with the utilization of the battleground

• We analyze an authentication and key agreement scheme for WSNs and point out its flaws.
• As an enhancement of the analyzed scheme, we propose an authentication and key agreement scheme for WSNs tailored for the IoT.
• We have tried to achieve the maximum possible security features while keeping the computational load as low as possible.

Related Work
In 2009, Das [1] proposed a two-factor user authentication scheme for WSNs. The author claims that the proposed scheme resists many attacks in WSNs, but it suffers from denial-of-service and node compromise attacks. In 2011, Yeh et al. [2] worked on Das's scheme and proposed an authentication protocol for WSNs using elliptic curve cryptography. Mutual authentication is important to prove the legitimacy of each party, and Yeh et al. [2] found that the scheme in [1] does not provide mutual authentication; they also found that the protocol in [1] suffers from insider attacks and user impersonation attacks and has no provision for updating passwords.
In 2013, Xue et al. [3] proposed a temporal credential-based mutual authentication scheme for WSNs. In 2014, Turkanovic et al. [4] suggested a user-mutual authentication key agreement protocol for heterogeneous ad hoc WSNs. This scheme concentrates on the Internet of Things (IoT) notion. In 2015, Jiang et al. [5] found some security flaws in the protocol [3] and proposed an improvement of [3]. Jiang et al. found that the scheme in [3] suffers from insider attacks, weak stolen smart card attacks, identity guessing attacks, and tracking attacks. In 2015, He et al. [6] proposed a mutual authentication and key agreement protocol for WSNs. He et al. [6] found that the scheme in [3] does not meet its claimed security requirements: protocol [3] suffers from offline password guessing attacks, user impersonation attacks, and sensor node impersonation attacks, and it cannot guarantee the legitimacy of the user.
In 2016, Kumari et al. [7] pointed out that the scheme in [6] has many disadvantages. Kumari et al. [7] showed that protocol [6] suffers from offline password-guessing attacks and session-specific temporary information attacks, lacks a password-changing facility and unauthorized login detection, and does not guarantee the legitimacy of the user. Kumari et al. [7] proposed a mutual authentication and key agreement scheme for WSNs using chaotic maps. In 2016, Jiang et al. [8] worked on the scheme in [6], and after analysis, they showed that the scheme in [6] fails to provide anonymity for the user. Jiang et al. [8] found that in the protocol [6], an adversary can easily track the user, and also that this scheme cannot withstand stolen smart card attacks. Jiang et al. [8] proposed an untraceable temporal-credential-based authentication scheme for WSNs. In 2016, Farash et al. [9] noticed that the protocol in [4] does not resist man-in-the-middle attacks, the disclosure of the session key, sensor node impersonation attacks, and the disclosure of secret parameters. Farash et al. [9] also showed that the scheme in [4] does not provide sensor node anonymity, and any adversary who wants to track the user can easily do so. To remove these weaknesses, Farash et al. [9] proposed an enhanced scheme. In 2016, Amin and Biswas [10] found that the protocol in [4] suffers from offline password-guessing attacks, offline identity-guessing attacks, smart card theft attacks, user impersonation attacks, sensor-node impersonation attacks, and an inefficient authentication phase. Amin and Biswas [10] also gave an authentication method after removing the weaknesses of the scheme in [4], and they claimed the enhanced security of their scheme over the protocol in [4]. Amin and Biswas used BAN logic for the formal security analysis of the proposed protocol.
In 2016, Amin et al. [11] showed that the scheme in [9] is vulnerable to stolen smart card attacks, offline password-guessing attacks, new smart card issue attacks, user impersonation attacks, and known session-specific temporary information attacks. Amin et al. [11] found that the protocol in [9] does not provide user anonymity, and also that the secret key of the gateway node is not safe in this protocol. To overcome the disadvantages of the scheme in [9], Amin et al. [11] put forward an improved scheme for WSNs. In 2016, Chang and Le [12] showed that the protocol in [4] is vulnerable to impersonation attacks with node capture, stolen smart card attacks, sensor node spoofing attacks, and stolen verifier attacks, and that it fails to ensure backward secrecy. To remove these security issues, Chang and Le [12] proposed an advanced scheme.
In 2017, Wu et al. [13] revealed that the scheme in [10] suffers from sensor capture attacks, session key leakage attacks, user forgery attacks, gateway forgery attacks, and sensor forgery attacks. Wu et al. [13] showed that in the scheme [10], the adversary can track the user easily, and that it does not provide mutual authentication between parties. To remove the disadvantages in [10], Wu et al. [13] proposed an authentication scheme for multi-gateway-based WSNs. In 2017, Wu et al. [14] found that the scheme in [5] has many security pitfalls, such as offline password-guessing attacks, user forgery attacks, desynchronization attacks, and a lack of strong forward security. Wu et al. [14] recommended an improved version of the protocol in [5]. They claimed their protocol to be secure. In 2017, Dhillon and Kalra [15] proposed a multi-factor remote user authentication and key agreement scheme for IoT environments. They claimed that their proposal defends against all anticipated threats.
In 2018, Amin et al. [16] designed a robust patient monitoring system using wireless medical sensor networks. They assert that their protocol is secure against obvious violations. They used BAN logic to confirm the mutual authentication feature of their suggested protocol. In 2018, Jangirala et al. [17] designed an authentication and key agreement protocol for the industrial Internet of Things. In the scheme of [17], they used the fuzzy extractor method for biometric authentication by the user's smart card. In 2018, Li et al. [18] pointed out that the protocol in [8] cannot resist known session-specific temporary information attacks, relies on clock synchronization, and is not applicable to IoT environments. To improve the scheme in [8], Li et al. [18] suggested a three-factor anonymous authentication scheme for WSNs. In 2018, He et al. [19] found that the scheme in [12] suffers from sensor capture attacks. They gave an improved version of [12].
In 2019, Gupta et al. [20] designed an anonymous user authentication and key-establishment scheme for wearable devices. They used BAN logic to justify mutual verification between the gateway/cellular terminal and the wearable sensor device. In 2019, Ghani et al. [21] proposed an IoT-based scheme for WSNs using a symmetric key. In 2020, Lee et al. [22] discovered that the protocol in [15] is vulnerable to a stolen mobile device attack and a user impersonation attack, and that it lacks a provision for the agreement of the session key. In 2021, Mall et al. [23] proposed a physically unclonable function (PUF) based authentication protocol for drone-enabled WSNs. This protocol conducts communication between devices and the cloud by means of a relocatable drone. In 2021, Chen et al. [24] suggested a group key agreement protocol for IoT. In this scheme, they introduce an entity known as the device manager. Device managers connect IoT devices with blockchain networks. In 2021, Chen and Liu [25] suggested a three-factor scheme for the IoT that uses biometric information. They proved their protocol in both a formal and an informal manner. In 2021, Ali et al. [26] designed an ECC-based protocol for vehicle-to-vehicle communication in VANETs. In 2021, Sadri and Asaar [27] showed that the scheme in [21] has many security pitfalls, such as user impersonation attacks, malicious gateway attacks, and traceability attacks. To remove the weaknesses found in [21], Sadri and Asaar [27] suggested a hash-based scheme for WSNs in IoT with forward secrecy. They analyzed their protocol with both formal and informal methods. In 2021, Rangwani et al. [28] proposed a three-factor scheme for the Industrial Internet of Things (IIoT). They also verified their scheme in both formal and informal ways. In 2021, Nashwan [29] designed a scheme for healthcare IoT. In this scheme, mutual authentication between all nodes is verified using BAN logic.
In 2022, Tanveer et al. [30] suggested a resource-efficient scheme for the Industrial Internet of Things (IIoT). The authors claimed that their scheme is suitable for resource-constrained smart devices. In 2022, Kumar et al. [31] designed an RFID-based scheme using PUF for vehicular cloud computing. In 2022, Wu et al. [32] suggested a scheme that depends on a symmetric encryption algorithm and fog computing in the Internet of Vehicles. In 2022, Li et al. [33] proposed a protocol for the fog-enabled Social Internet of Vehicles.
In 2016, Singh et al. [34] proposed a scheme to resolve the weaknesses of the protocol in [4]. Singh et al. claimed their scheme to be more secure and efficient for a real application environment. However, we show that the protocol in [34] has many security issues. The scheme in [34] suffers from many attacks, such as offline password-guessing attacks, man-in-the-middle attacks, and attacks on the session key.

Organization
In Section 3, we review Singh et al.'s scheme. The cryptanalysis of Singh et al.'s scheme is shown in Section 4. Section 5 describes our enhanced scheme. Section 6 explains the security analysis of the proposed scheme in both a formal and informal manner. Section 7 contains a comparison of the proposed scheme with some related schemes. The conclusion is in Section 8.

Review of Singh et al.'s Scheme
Firstly, we write the notations and their explanations used in this paper in Figure 1.

Registration Phase
The registration process begins after the placement of sensor nodes in the application space. The registration phase is split into two sub-phases. Phase one is between a user and the gateway, and phase two is between the sensor node and the gateway. Figure 2 illustrates both stages.

Registration Between User and Gateway
Identity (IDi) and secure password (PWi) are provided to every user. User identity and password hash value are saved in the gateway node. At first, the gateway selects a random key KGW-U. With this key, GW can communicate with the user. The gateway further selects a different key KGW-S. With this particular key, GW can communicate with sensor nodes. The procedure for this phase is as follows:
Step-1: User Ui selects a random number ri and computes Pi = h(ri||h(PWi)).
Step-2: User generates time stamp Ts1 and sends {Pi, IDi, Ts1} to GW through a protected channel.
Step-3: Following the received message, the gateway verifies the legitimacy of the time stamp.
Step-4: Gateway customizes SC with {h(.), bi, ci, IDi} and conveys it to the user through a protected channel.

Registration Between Sensor Node and Gateway
Every sensor node has an identity (IDsj) and a protected password (PWsj). The identity and the hash value of the password for sensor node Sj are also saved in the gateway. The phase consists of the following steps:
Step-1: Sensor node Sj computes Psj = h(IDsj||h(PWsj)||Ts2) with its IDsj and PWsj.
Step-2: Sensor node dispatches the message {Psj, IDsj, Ts2} to the gateway.
Step-3: When the message is received, the gateway confirms the validity of the time stamp. If |Ts2 − Tc| < ∆T, then it moves ahead; otherwise it sends a non-acceptance message to the sensor node.
Step-4: With secret key KGW-S, GW calculates bsj and csj.
Step-5: GW sends {bsj, csj, Ts3} to the sensor node through a non-private channel.
Step-6: After receiving the data, the sensor node verifies the legitimacy of the time stamp. If |Ts3 − Tc| < ∆T, then it moves ahead to the succeeding step; otherwise it delivers a non-acceptance message to GW.
Step-7: Sensor node calculates βj = bsj ⊕ h(IDsj||h(PWsj)) and checks whether csj* = h(βj||h(PWsj)||IDsj||Ts3) is equal to csj; if so, it saves βj into its memory, otherwise it sends a failure message to GW.

Login Phase
After the registration phase, the connection is established between the user and Sj via the GW node. Figure 3 describes the work-flow of the login phase. The steps are as follows:
Step-1: User Ui inserts his/her card into the card reader and enters his/her IDi* and password PWi*.
Step-2: SC calculates ri.
Step-3: Then, SC calculates αi* = bi ⊕ h(Pi||MPi*).
Step-4: SC calculates ci* = h(αi*||MPi*||IDi*) once more and verifies whether the stored ci and the computed ci* are the same. If they are not equal, the login process is terminated.
Step-5: If the entered password is correct, the user selects an arbitrary number ki and calculates M1 = ki ⊕ h(αi||h(PWi)) and M2 = h(αi||h(PWi)||ki||T1).
Step-6: User sends {M1, M2, IDi, T1} to GW through an open channel.

Authentication and Key Agreement Phase
Mutual confirmation among all parties is made after the success of the login phase. This procedure is performed in the authentication and key agreement phase. It takes three steps. The first one is the user's authority confirmation by GW. The second one is the GW's legitimacy confirmation by the user and the sensor node. The third one is the user's verification of the sensor node's authenticity. The focus of this phase is providing a session key between the user and the sensor node. This phase is illustrated in Figure 4. The whole authentication and key agreement phase is discussed in the following steps.
Step-1: As the gateway obtains the message {M1, M2, IDi, T1} from the user Ui, the gateway verifies the time stamp's validity by checking |T1 − Tc| < ∆T. If it is valid, GW proceeds to the next step; otherwise it sends a failure message to Ui.
Step-2: With the help of h(PWi), looked up by the received IDi, the gateway calculates ki* = M1 ⊕ h(αi||h(PWi)) and then calculates its own version M2* = h(αi||h(PWi)||ki*||T1) and compares it with the received M2. If they are the same, GW validates the user Ui; otherwise it sends a failure message to the user.
Step-3: Once the validation of the user is completed, GW calculates M3 and M4 and sends {M3, M4, IDi, T2} to the user.
Step-4: After obtaining {M3, M4, IDi, T2}, the user verifies whether |T2 − Tc| < ∆T and then calculates its own version M4*. The user checks whether M4 =? M4*. If both are the same, the gateway is authenticated by the user Ui. If not, the user discontinues the procedure by sending a failure message to GW.
Step-5: At time T2, when the message is sent to user Ui, GW also calculates M5, M6, and M7 and sends {M5, M6, M7, IDi, IDsj, T3} to Sj.
Step-6: When the message is received from GW, Sj verifies whether |T3 − Tc| < ∆T and then calculates its own version ki* = M5 ⊕ h(βj||IDsj) using the saved βj, followed by γij = βj ⊕ M6 and M7* = h(γij||ki*||IDsj||T3), and compares M7* with M7. If both are equal, GW is verified by Sj; otherwise Sj transmits a failure message to GW.
Step-7: When authentication of GW is complete, Sj chooses a random number kj and calculates the session key SK = h(ki ⊕ kj).
Step-8: Finally, the sensor node Sj calculates M8 = kj ⊕ γij and M9 = h(kj||IDsj||T4) and transmits {M8, M9, IDi, IDsj, T4} to user Ui.
Step-9: When the message is received from sensor node Sj, the user verifies the validity of the time stamp |T4 − Tc| < ∆T and verifies Sj by calculating its own version kj = M8 ⊕ γij and M9* = h(kj||IDsj||T4) and comparing M9* with the received M9. If both are the same, the user calculates the session key SK = h(ki ⊕ kj), which successfully ends the authentication phase.

Insider Attack
Suppose an insider at GW can obtain a user's smart card and access the information stored in it. In the registration phase, when Ui submits {Pi, IDi}, the insider guesses the password PWi and finds ri in the following way: after that, the insider calculates Pi# = h(ri||h(PWi)) and checks whether Pi =? Pi#. The insider keeps guessing the password until he/she obtains the correct password.

Offline Password Guessing Attack
The secret parameters saved in the smart card are {h(.), bi, ci, di, IDi}. An adversary Ua can guess PWi# for the password and compute ri# = di ⊕ h(IDi||PWi#). Then, the adversary finds Pi# = h(ri#||h(PWi#)) and computes the corresponding value αi#. Then, the adversary computes ci# = h(αi#||h(PWi#)||IDi) and checks whether ci# =? ci. If it holds, the adversary has obtained the exact password PWi. Otherwise, the adversary repeats the process.

Man-In-The-Middle Attack
During the attack, an adversary U a tries to know the actual session key.

1. When the user Ui transmits the login message {M1, M2, IDi, T1} to GW via a public channel, the adversary Ua intercepts the message and plunders the smart card; Ua can then guess the secret parameters and find the value of αi. Ua finds ki = M1 ⊕ h(αi||MPi).
2. Ua selects a random nonce ki# and modifies the parameters M1 and M2 to M1# and M2#.
3. After receiving the modified message {M1#, M2#, IDi, T1#}, the gateway computes ki#* = M1# ⊕ h(αi||h(PWi)) and then M2* = h(αi||h(PWi)||ki#*||T1#) and checks whether M2* =? M2#. If it holds, the gateway authenticates the user Ui; if not, it sends a rejection message to the user.
4. Adversary Ua intercepts the message {M3, M4, IDi, T2}, computes the value γij = M3 ⊕ αi, and changes the gateway's time stamp and the parameter M4 to M4#.
5. The user verifies the received M4#. If it holds, GW verification by the user holds; otherwise, the user aborts the process.
6. When the message is sent at time T2 to the user Ui, GW immediately computes the message for the sensor node.
7. The adversary Ua intercepts the message {M5, M6, M7, IDi, IDsj, T3}. Ua changes the time stamp and the parameter M7 to M7#.
8. When the message is received from the gateway, Sj confirms whether |T3# − Tc| < ∆T and checks whether M7* =? M7#. If it holds, the gateway is authenticated by the sensor node; if not, the sensor node sends a failure message to the gateway.
9. Once the gateway verification is completed, the sensor node Sj picks a random number kj and calculates the session key SK = h(ki# ⊕ kj).
10. Sj transmits {M8, M9, IDi, IDsj, T4} to the user Ui.
11. The adversary intercepts the message {M8, M9, IDi, IDsj, T4}. Ua computes kj = M8 ⊕ γij and M9* = h(kj||IDsj||T4) and checks whether M9 =? M9*. The adversary Ua computes the session key SK = h(ki# ⊕ kj). Now Ua chooses a random number kj# and forwards a modified message to the user.
12. Once the message is received from the sensor node Sj, the user confirms the legality of the time stamp |T4# − Tc| < ∆T. The user examines the sensor node by computing its own version of kj and confirms whether M9# =? M9#*. If it holds, the user calculates the session key.
Two session keys are established here: one between the user and the adversary, and the other between the sensor node and the adversary. The adversary fools both the user and the sensor node by acting as a middleman.

Proposed Scheme
Here, we propose an enhanced user authentication and key agreement scheme for WSNs tailored for IoT. This protocol is divided into four phases: registration, login, authentication and key agreement, and password change. Our scheme sorts out all the identified failures of Singh et al.'s scheme. The architecture of the sensors-enabled IoT network is shown in Figure 5. It depicts that the gateway node facilitates the establishment of a secure communication channel between the user and the sensor node.

Registration
Here we split the phase into two sub-phases.

Sensor Registration
Each sensor node Sj has its identity IDsj. This sub-phase is performed by the GW offline, before the sensor nodes are deployed in the target area. It contains the following steps:
• For each sensor node Sj, the GW chooses a unique identity IDsj;
• The gateway node computes a common secret key between GW and Sj:
KGW-Sj = h(IDsj||KGW)
Ultimately, every sensor node Sj deployed in the target area is preloaded with the information {IDsj, KGW-Sj}, and GW also stores IDsj in its database. This phase is shown in Figure 6.

User Registration
In this section, a lawful user Ui wishes to register with the GW. To register with the GW, the user Ui executes the steps given below and shown in Table 6.
Step-1: User Ui selects IDi, PWi, and a random number r1. Ui calculates RIDi = h(IDi||r1) and RPWi = h(IDi||PWi||r1). Now Ui forwards the registration request message {RPWi, RIDi} to GW via a safe channel.
Step-2: GW investigates whether RIDi exists in the database. If it exists, then GW forwards a rejection notification to Ui. If not, GW saves RIDi in the database and computes A1 = h(GIDj||KGW||RIDi) ⊕ RPWi, A2 = h(RIDi||KGW) ⊕ h(RIDi||RPWi), and A3 = h(A2||RPWi||RIDi). GW stores {A1, A2, A3, GIDj} into SC and sends SC to Ui by a private channel.

Login Phase
Subsequent to the completion of the registration phase, the user can contact a sensor node through the GW. The detailed steps are given below.
Step-1: User Ui inserts its smart card into the terminal and enters IDi and PWi.
Step-4: If the password entered by the user is correct, then SC selects a random number ru and the required sensor identity IDsj and computes B2 = B1 ⊕ ru and B3 = h(GIDj||IDsj||B1||RIDi||ru||T1). Finally, the message M1 = {B2, B3, GIDj, RIDi, IDsj, T1} is sent to GW, where T1 is the current time stamp.

Authentication and Key Agreement Phase
After the GW accepts the login request message from Ui, the following steps are performed for mutual authentication and key establishment. The login and authentication phases are shown in Figure 8.
Step-1: Firstly, GW checks whether GIDj is correct. After that, GW verifies the validity of the time stamp. If |T1 − Tc| < ∆T holds, then GW proceeds; otherwise, it aborts the process. GW computes B1 and ru* and then checks B3* = h(GIDj||IDsj||B1||RIDi||ru*||T1) =? B3. If this does not hold, the user account RIDi is locked. Otherwise, GW searches for IDsj in the database, chooses a random number rg, and calculates B4, B5, and B6. GW sends the message M2 = {IDsj, B4, B5, B6, T2} to Sj, where T2 is GW's current time stamp.
Step-2: After receiving the message, Sj first checks whether IDsj is correct; after that, Sj verifies the validity of the time stamp. If |T2 − Tc| < ∆T holds, then Sj proceeds; otherwise, it sends a rejection message to GW. Sj calculates ru* and rg* = B5 ⊕ h(ru*) and verifies B6* = h(KGW-Sj||ru*||rg*||T2) =? B6. If the equation holds, Sj selects rs, computes its response message, and sends it to GW.
Step-3: After receiving the message from Sj, GW verifies the validity of the time stamp. If |T3 − Tc| < ∆T holds, then GW proceeds; if not, it aborts the process.
Step-4: After receiving the message from GW, Ui verifies the validity of the time stamp. If |T4 − Tc| < ∆T holds, then Ui proceeds; otherwise, it stops the process.
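As an added example that is not part of the paper, the following Python sketch carries the user registration, the login phase and the GW-side B3 check of the proposed scheme through with the formulas the paper gives for RIDi, RPWi, A1..A4, B1..B3, including the account lock on a failed check and the time stamp window. Assumptions not stated by the paper: h(.) is SHA-256, random values are 32 bytes, the card recovers B1 as A1 ⊕ RPWi and checks IDi/PWi locally against A3, the GW recovers ru as B2 ⊕ B1, and time stamps are integer seconds with an assumed window DELTA_T; the sensor-side steps are left out because the paper does not give B4.

```python
import hashlib
import secrets
from typing import Optional

# Added example, not the paper's own code. It walks through user registration, the
# login phase and the GW's B3 check of the proposed scheme with the paper's formulas.
# Assumed because the paper elides them: h() is SHA-256, random values are 32 bytes so
# XOR lines up with digests, the card recovers B1 as A1 XOR RPWi, the GW recovers ru
# as B2 XOR B1, and time stamps are integer seconds with a freshness window DELTA_T.

DELTA_T = 5  # assumed freshness window in seconds


def h(*parts: bytes) -> bytes:
    """h(a||b||...) as SHA-256 over the concatenation, standing in for the paper's h(.)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == 32
    return bytes(x ^ y for x, y in zip(a, b))


class Gateway:
    def __init__(self, gid: bytes) -> None:
        self.gid = gid                        # GIDj
        self.k_gw = secrets.token_bytes(32)   # KGW, known only to the gateway
        self.rid_db: set = set()              # registered RIDi values
        self.locked: set = set()              # RIDi values locked after a failed B3 check

    def register_user(self, rpw: bytes, rid: bytes) -> Optional[dict]:
        """Step-2 of user registration: the card contents, or None if RIDi already exists."""
        if rid in self.rid_db:
            return None
        self.rid_db.add(rid)
        a1 = xor(h(self.gid, self.k_gw, rid), rpw)   # A1 = h(GIDj||KGW||RIDi) XOR RPWi
        a2 = xor(h(rid, self.k_gw), h(rid, rpw))     # A2 = h(RIDi||KGW) XOR h(RIDi||RPWi)
        a3 = h(a2, rpw, rid)                         # A3 = h(A2||RPWi||RIDi)
        return {"A1": a1, "A2": a2, "A3": a3, "GID": self.gid}

    def verify_login(self, m1: dict, t_c: int) -> Optional[bytes]:
        """Step-1 of authentication: the recovered ru on success, None on any failure."""
        rid = m1["RID"]
        if m1["GID"] != self.gid or rid not in self.rid_db or rid in self.locked:
            return None
        if abs(m1["T1"] - t_c) >= DELTA_T:        # |T1 - Tc| < dT must hold
            return None
        b1 = h(self.gid, self.k_gw, rid)          # B1 = h(GIDj||KGW||RIDi)
        ru = xor(m1["B2"], b1)                    # assumed: ru* = B2 XOR B1
        b3 = h(self.gid, m1["IDsj"], b1, rid, ru, m1["T1"].to_bytes(8, "big"))
        if b3 != m1["B3"]:                        # B3* =? B3
            self.locked.add(rid)                  # the paper locks RIDi on a failed check
            return None
        return ru


def user_register(id_i: bytes, pw_i: bytes, gw: Gateway) -> Optional[dict]:
    """Step-1 and Step-3 of user registration; returns the smart card contents."""
    r1 = secrets.token_bytes(32)
    rid = h(id_i, r1)                 # RIDi = h(IDi||r1)
    rpw = h(id_i, pw_i, r1)           # RPWi = h(IDi||PWi||r1)
    sc = gw.register_user(rpw, rid)   # {RPWi, RIDi} travels over the secure channel
    if sc is not None:
        sc["A4"] = xor(h(id_i, pw_i), r1)   # A4 = h(IDi||PWi) XOR r1, kept on the card
    return sc


def user_login(sc: dict, id_i: bytes, pw_i: bytes, id_sj: bytes, t1: int):
    """Login phase on the card: local IDi/PWi check, then M1. Returns (M1, ru) or None."""
    r1 = xor(sc["A4"], h(id_i, pw_i))
    rid, rpw = h(id_i, r1), h(id_i, pw_i, r1)
    # Assumed local check: A3 = h(A2||RPWi||RIDi) only matches for the right IDi and PWi.
    if h(sc["A2"], rpw, rid) != sc["A3"]:
        return None
    b1 = xor(sc["A1"], rpw)           # assumed: A1 XOR RPWi = h(GIDj||KGW||RIDi)
    ru = secrets.token_bytes(32)
    b2 = xor(b1, ru)                  # B2 = B1 XOR ru
    b3 = h(sc["GID"], id_sj, b1, rid, ru, t1.to_bytes(8, "big"))  # B3 = h(GIDj||IDsj||B1||RIDi||ru||T1)
    return {"B2": b2, "B3": b3, "GID": sc["GID"], "RID": rid, "IDsj": id_sj, "T1": t1}, ru


def demo() -> dict:
    """Runs the flow on constructed sample values and records the outcome of each check."""
    gw, pw = Gateway(b"GW-01"), b"correct horse battery"
    sc = user_register(b"alice", pw, gw)
    out = {}
    m1, ru = user_login(sc, b"alice", pw, b"S-07", t1=1000)
    out["honest_login_ok"] = gw.verify_login(m1, t_c=1002) == ru
    out["wrong_pw_stopped_on_card"] = user_login(sc, b"alice", b"wrong", b"S-07", 1000) is None
    m1, _ = user_login(sc, b"alice", pw, b"S-07", t1=1000)
    out["stale_t1_rejected"] = gw.verify_login(m1, t_c=1000 + DELTA_T) is None
    m1, _ = user_login(sc, b"alice", pw, b"S-07", t1=2000)
    m1["B2"] = xor(m1["B2"], b"\x01" * 32)        # B2 tampered on the open channel
    out["tampered_b2_rejected"] = gw.verify_login(m1, t_c=2000) is None
    out["account_locked_after_tamper"] = m1["RID"] in gw.locked
    m1, _ = user_login(sc, b"alice", pw, b"S-07", t1=2001)
    out["locked_account_refused"] = gw.verify_login(m1, t_c=2001) is None
    return out
```

Running demo() shows that a wrong password never leaves the card, and that a stale T1 is refused before the B3 check, so only a forged or tampered message locks the RIDi.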

Password Change Phase
Step-1: User Ui inserts its SC into the terminal and inputs his/her IDi and PWi.
Step-3: After receiving M6, SC checks the validity of the time stamp and checks B15 =? h(RIDi||GIDj||B14||T6). If so, Ui inputs a new password PWinew, and the SC generates an arbitrary number r1new and calculates the updated card parameters.

Security Analysis
Here, we discuss the security of our scheme formally as well as informally.

Insider Attack Resistance
When a user sends the registration request message {RPWi, RIDi} to GW, an insider of GW obtains these secret values. Moreover, suppose the insider obtains the parameters {A1, A2, A3, A4, GIDj} stored in SC. To find the random number r1, the adversary needs to guess IDi* and PWi* simultaneously, because A4 = h(IDi||PWi) ⊕ r1. However, the probability of guessing IDi* and PWi* simultaneously is negligible. Since the adversary can neither find the random number r1 nor guess IDi* and PWi*, the adversary cannot verify whether RPWi =? RPWi*, where RPWi = h(IDi||PWi||r1). Hence, an insider cannot guess the user's password.

Offline Password Guessing Resistance
The adversary obtains the SC and the parameters {A 1 , A 2 , A 3 , A 4 , GID j } stored in it. From A 4 = h(ID i ||PW i ) ⊕ r 1 , the adversary knows only A 4 . To find the random number r 1 , the adversary needs to guess ID i * and PW i * simultaneously. However, the probability of guessing ID i * and PW i * simultaneously is negligible. In the other equations, A 1 = h(GID j ||K GW ||RID i ) ⊕ RPW i , A 2 = h(RID i ||K GW ) ⊕ h(RID i ||RPW i ), and A 3 = h(A 2 ||RPW i ||RID i ), the password is used only implicitly. To guess the password PW i from these equations, the adversary would need to know ID i and the random number r 1 ; however, r 1 does not appear directly in any of them, and ID i appears only implicitly. The adversary therefore cannot guess the password from these equations. Thus the proposed scheme is safe against offline password-guessing attacks.

Identity Guessing Resistance
The correct value of the user identity (ID i ) is known only to U i , and the gateway node saves RID i = h(ID i ||r 1 ), in which ID i is concatenated with the random number r 1 . The user does not use his/her identity for login or for authentication. In the whole scheme, the user identity is used only inside A 4 = h(ID i ||PW i ) ⊕ r 1 . It is not possible for the adversary to find the random number r 1 , and the adversary would need to guess PW i and ID i correctly at the same time, which is not possible. Hence, our scheme does not suffer from identity-guessing attacks.

User Forgery Resistance
If the adversary wants to forge the user, then the adversary needs to forge M 1 = {B 2 , B 3 , GID j , RID i , ID sj , T 1 }; that is, the adversary must calculate B 2 and B 3 . However, the calculation of B 2 = B 1 ⊕ r u and B 3 = h(GID j ||ID sj ||B 1 ||RID i ||r u ||T 1 ) requires B 1 = h(GID j ||K GW ||RID i ), and the calculation of B 1 requires the gateway node's secret key K GW . Thus it is not feasible for an adversary to forge a user, and our scheme is secure against user forgery attacks.

Sensor Capture Resistance
If the adversary captures some sensors other than S j , which communicates with U i , the adversary cannot forge M 3 = {B 7 , B 8 , B 9 , T 3 }, since K GW-Sj is used to construct B 7 = h(K GW-Sj ||r g ) ⊕ r s . The sensors captured by the adversary have no association with K GW-Sj . So, even though other sensors are seized, U a cannot execute this attack successfully.

Gateway Forgery Attack
To apply this attack, the adversary wants to forge M 2 or M 4 , where M 2 = {ID sj , B 4 , B 5 , B 6 , T 2 } and M 4 = {B 10 , B 11 , B 12 , T 4 }. To forge the message M 2 , the adversary must calculate B 4 , B 5 , and B 6 , where B 4 = h(K GW-Sj ||ID sj ||GID j ) ⊕ r u , B 5 = h(r u ) ⊕ r g , and B 6 = h(K GW-Sj ||r u ||r g ||T 2 ). However, the calculation of B 4 and B 6 requires K GW-Sj , the secret key shared between GW and the sensor node. To forge the message M 4 , he/she must calculate B 10 , B 11 , and B 12 , where B 10 = h(r u ||RID i ) ⊕ r g , B 11 = h(r u ||r g ) ⊕ r s , and B 12 = h(SK g ||RID i ||r g ||r s ||T 4 ). However, it is not possible to calculate B 10 , B 11 , and B 12 because the random numbers and the session key are required. It is therefore not possible to forge a gateway node. Hence, the proposed scheme is safe against gateway forgery attacks.

De-synchronization Resistance
De-synchronization is a very big security issue in WSNs. Our scheme includes a random number mechanism to assure the originality of interchanged messages and also uses a timestamp mechanism. In each session of our scheme, random numbers r u , r g , and r s are generated by U i , GW, and S j, respectively. Hence, our scheme is free from de-synchronization problems.

No Adversarial Session Key Agreement
To change the session key, the adversary needs to change any of the random numbers r u , r g , and r s .
When the message M 1 = {B 2 , B 3 , GID j , RID i , ID sj , T 1 } is sent to GW, if the adversary wants to agree on the session key with GW and S j , then U a selects a random number r u . Now, the adversary needs to calculate B 2 and B 3 , where B 2 = B 1 ⊕ r u and B 1 = A 1 ⊕ RPW i = h(GID j ||K GW ||RID i ). U a cannot calculate B 1 from B 1 = A 1 ⊕ RPW i because, as shown in Section 5.2, the adversary cannot guess the user's password. In B 1 = h(GID j ||K GW ||RID i ), K GW is GW's secret key, which is known only to GW, so the adversary cannot calculate B 1 this way either. To calculate B 3 = h(GID j ||ID sj ||B 1 ||RID i ||r u ||T 1 ), he/she must know B 1 and the random number r u . As discussed above, U a cannot calculate B 1 and therefore cannot calculate B 3 . In message M 1 , the adversary cannot make any change.
When message M 2 = {ID sj , B 4 , B 5 , B 6 , T 2 } is sent to S j , if the adversary wants to change the session key, then U a selects a random number r g * . Now, the adversary needs to calculate B 5 and B 6 , where B 5 = h(r u ) ⊕ r g . U a does not know the random number r u selected by U i , so he/she cannot calculate B 5 . In B 6 = h(K GW-Sj ||r u ||r g ||T 2 ), K GW-Sj is a secret key shared between GW and S j , so the adversary cannot calculate B 6 . In message M 2 , the adversary cannot make any change.
When message M 3 = {B 7 , B 8 , B 9 , T 3 } is sent to GW, if U a wants to change the session key, then U a selects a random number r s * . Now, the adversary needs to calculate B 7 , B 8 , and B 9 . The adversary needs to know K GW-Sj and r g to calculate B 7 = h(K GW-Sj ||r g ) ⊕ r s , but K GW-Sj is a secret key shared only between GW and S j , so the adversary cannot calculate B 7 . To calculate B 8 = ID sj ⊕ h(r s ||B 7 ), U a needs to know B 7 ; since U a cannot calculate B 7 , the adversary cannot calculate B 8 . U a needs to know SK s in order to calculate B 9 = h(SK s ||ID sj ||GID j ||r s ||T 3 ), where SK s = h(r u ||r g ||r s ). U a does not know the random numbers r u and r g , so the adversary cannot calculate B 9 .
Hence, our proposed scheme is safe from adversarial session key agreement.

Man-In-The-Middle Attack
To apply a man-in-the-middle attack, the adversary works as a middleman between the user and the sensor node. In this attack, one session key is conducted between the user and adversary, and another session key is established between the adversary and sensor node. Both the user and the sensor node believe they are communicating with each other, but in this attack, both are communicating with the adversary.
When message M 1 = {B 2 , B 3 , GID j , RID i , ID sj , T 1 } is sent to GW, the adversary intercepts it and tries to find the random number r u , where r u = B 2 ⊕ B 1 and B 1 = A 1 ⊕ RPW i = h(GID j ||K GW ||RID i ). The adversary knows neither RPW i nor K GW . As a result, he/she cannot find r u and cannot apply this attack at this end.
Similarly, when the sensor node sends message M 3 = {B 7 , B 8 , B 9 , T 3 } to GW, the adversary needs to know the random number r s = B 7 ⊕ h(K GW-Sj ||r g ). However, the adversary knows neither K GW-Sj nor r g , so he/she cannot find the random number r s .
Hence, our proposed scheme is safe from a man-in-the-middle attack.

Stolen Smart Card Resistance
Suppose the SC of the user has been lost; then an adversary obtains all the information stored in the SC. In our proposed scheme, the SC holds the parameters {A 1 , A 2 , A 3 , A 4 , GID j }. However, without knowing (ID i , r 1 ), U a cannot obtain the user's password. An adversary cannot obtain any secret information from it. Hence our proposed protocol resists stolen smart card attacks.

User Anonymity Provision
Our scheme protects ID i with h(ID i ||r 1 ). It also protects PW i with h(ID i ||PW i ||r 1 ). Thus, in order to obtain ID i , the random number r 1 is needed, and to obtain U i 's password, U i 's identity and the random number r 1 need to be known. Moreover, even if the adversary obtains a stolen smart card, U a cannot obtain ID i from A 4 = h(ID i ||PW i ) ⊕ r 1 , since ID i is protected by h(ID i ||PW i ) ⊕ r 1 . The adversary cannot find the identity and password of the user. This shows that our suggested protocol provides user anonymity.

Mutual Authentication Provision
GW checks B 4 = h(K GW-Sj ||ID sj ||GID j ) ⊕ r u to verify U i , and B 9 = h(SK g ||ID sj ||GID j ||r s ||T 3 ) to verify S j . S j checks ID sj and B 6 = h(K GW-Sj ||r u ||r g ||T 2 ) to authenticate GW directly and U i indirectly. U i checks B 12 = h(SK g ||RID i ||r g ||r s ||T 4 ) to authenticate GW directly and S j indirectly. So, each pair of parties achieves mutual authentication.

Password Updating/Changing Provision
Suppose a legitimate user's smart card has been stolen and the adversary has extracted the information saved in the SC. To change the password, the adversary must know the existing password PW i for verification. Moreover, it is not possible to find the old password because the password is protected by RPW i = h(ID i ||PW i ||r 1 ). In this way, an adversary needs to know the existing password before updating it to another one.

Formal Security Analysis
Here, we do a formal security analysis of our scheme with the help of a random oracle model. In this section, we use the Real or Random (RoR) [35] model to prove that the proposed protocol is secure. In the RoR model, the attacker is given the right to query and uses interactive questions and answers with a random oracle to verify the security of the proposed scheme. There are two participants in the proposed protocol: Π m I and Π n S represent the m-th IoT device instance and the n-th trusted server instance, respectively. In addition, for the formal security analysis, we define the following query model for the attacker A.
Here, q h refers to the number of times the hash is executed and q p refers to the number of times the PUF is executed. Hash and PUF denote the range spaces of the hash function H(·) and the PUF function PUF(·). Adv Ω A (ε) represents the advantage of A in breaking the symmetric cipher Ω; for a sufficiently small number γ, Adv Ω A (ε) < γ.
Proof. We define five rounds of the game GM 0 − GM 4 to simulate the attack process of A. In the proof, Succ GM i A (ε) represents the probability that A wins game GM i , and Adv P A (ε) denotes the advantage of A in breaking the protocol. The proof steps are as follows:
GM 0 : In the RoR model, GM 0 is a real attack by A on the proposed authenticated key exchange protocol, and A flips the coin c at the beginning of the game. Therefore, we obtain the following result:
GM 1 : GM 1 differs from GM 0 in that A executes the Execute query and can intercept the messages h(ID A ), Auth req on the public channel. Then, A performs a Test query to calculate the session key h(K A,i ), but the messages intercepted on the public channel cannot help A calculate SK. Therefore, the probability of A winning GM 1 by eavesdropping does not increase, and we obtain:
GM 2 : Different from GM 1 , GM 2 adds the Hash query and the Send query. In the in- ) are based on the one-way hash function. In addition, h(K A,i ) is different in each communication, so the hash function will not collide. Therefore, according to the birthday paradox [36], we obtain:
GM 3 : The difference between GM 3 and GM 2 is that GM 3 adds the PUF query. A executes Send and PUF queries. Because the physical function PUF has security attributes, we obtain:
GM 4 : In this game, A tries to crack the encrypted message (R A,i+1 ) h(K A,i ) . The security model in Section 3.2 defines that the attacker cannot crack the memory of the server, so A cannot obtain h(K A,i ) and therefore cannot calculate R A,i+1 . According to the security of the symmetric encryption algorithm Ω, we obtain:
Because the probabilities of success and failure of A are equal, the probability that A can guess the session key is:
According to the above formulas, we obtain:
Therefore, the probability that A can crack the protocol is:

Comparison of Security and Functionality Features
All the schemes [15,19,21,22,27,34] used in the comparison suffer from security problems. The scheme in [34] suffers from insider attacks, offline password-guessing attacks, user forgery attacks, and session key disclosure attacks, and it does not provide user anonymity. The scheme in [15] suffers from user forgery attacks and stolen smart card attacks. The scheme in [19] does not provide user anonymity. The scheme in [21] suffers from insider attacks, user forgery attacks, and gateway forgery attacks, and it lacks sensor capture resistance and a password-changing provision. The schemes in [22,27] suffer from insider attacks. Our proposed scheme resists all the security attacks mentioned in Figure 9. Our scheme provides functional features which cannot be seen in the related schemes [15,19,21,22,27,34].
Table 9 defines the cryptographic functions and their running times used for the comparison of computation cost. Table 9 and Figure 2 together show the comparison of the computation cost of our scheme with the schemes in [15,19,21,22,27,34]. On the user side, the scheme in [19] has the highest computation cost, while the scheme in [21] has the lowest. Protocols [22] and [34] have equal computation cost. Our proposed scheme and the scheme in [27] have the second-highest computation cost. At the gateway node side, the scheme in [21] has the lowest computation cost, while the schemes in [15,19,22] share the third-lowest computation cost. Our proposed scheme has the highest computation cost at the gateway node side. On the sensor node side, the scheme in [19] has the highest computation cost, while the scheme in [21] has the lowest. The computation cost of our suggested scheme is slightly greater than that of the scheme in [22]. Figure 12 shows that the total computation cost of our scheme is slightly greater than the total computation cost of [22]; the scheme in [19] has the highest total computation cost, and the scheme in [21] the lowest. Our proposed scheme can be a little bit more costly than other related schemes, but it has passed various hurdles in security checks, which makes it user-friendly.

Our scheme neither uses complex cryptographic operations nor adds much computational load when compared to its counterparts. Moreover, the running time of an operation is directly proportional to the power consumption required to run that operation. Therefore, the proposed scheme is a power-efficient protocol.

Comparison of Communication Cost
To compare the communication cost of the suggested protocol with the relevant protocols, we take the length of the output of the elliptic curve scalar-point multiplication function and of the random number to be 160 bits. We suppose the length of the identities, such as ID i and ID sj , and of every coordinate of a point output by the elliptic curve scalar-point multiplication function, to be 80 bits. Let the output of the message authentication code be 160 bits. We suppose that each element of the elliptic curve group is 160 bits. The hash function h(.) is SHA2-256, with an output length of 256 bits. We take the length of the timestamp as 32 bits. In Figures 13 and 14, we show the communication costs of the three entities in our proposed scheme and in the related schemes [15,19,21,22,27,34].

From Figures 13 and 14, we see that, on the user side, the communication cost of the protocol in [34] is 624 bits, which is the minimum, and Dhillon and Kalra's scheme has the highest communication cost of 1312 bits. Our suggested scheme has the second-highest communication cost of 960 bits. At the gateway node side, our proposed scheme has the highest communication cost of 1680 bits, and the scheme in [19] has the lowest communication cost of 800 bits. At the sensor node side, our suggested scheme has a communication cost of 800 bits, while the protocol in [21] has the lowest communication cost of 368 bits. Dhillon and Kalra's scheme has the highest communication cost of 2320 bits. The total communication cost of Dhillon and Kalra's scheme is the highest, and that of the proposed scheme is the third-highest. The scheme in [21] has the lowest total communication cost.

Conclusions
We have analyzed Singh et al.'s authentication and key agreement scheme for WSNs and found some security pitfalls in it. Then we developed an improved authentication and key agreement scheme for WSNs tailored for IoT. The informal analysis of the proposed scheme indicates its resistance to various sorts of adversarial activities. The formal security of the proposed scheme with the RoR model further supports its security. In the end, we have compared the performance of our scheme with that of the related schemes. For the proposed scheme, we have tried to control the cost along with maintaining security.