MITM- and DoS-Resistant PUF Authentication for Industrial WSNs via Sensor-Initiated Registration

Abstract

Industrial Wireless Sensor Networks (IWSNs) play a critical role in Industry 4.0 environments, enabling real-time monitoring and control of industrial processes. However, existing lightweight authentication protocols for IWSNs remain vulnerable to sophisticated security attacks because of inadequate initial authentication phases. This study presents a security analysis of Gope et al.’s PUF-based authentication protocol for IWSNs and identifies critical vulnerabilities that enable man-in-the-middle (MITM) and denial-of-service (DoS) attacks. We demonstrate that Gope et al.’s protocol is susceptible to MITM attacks during both authentication and Secure Periodical Data Collection (SPDC), allowing adversaries to derive session keys and compromise communication confidentiality. Our analysis reveals that the sensor registration phase of the protocol lacks proper authentication mechanisms, enabling attackers to perform unauthorized PUF queries and subsequently mount successful attacks. To address these vulnerabilities, we propose an enhanced authentication scheme that introduces a sensor-initiated registration process. In our improved protocol, sensor nodes generate and control PUF challenges rather than passively responding to gateway requests. This modification prevents unauthorized PUF queries while preserving the lightweight characteristics essential for resource-constrained IWSN deployments. Security analysis demonstrates that our enhanced scheme effectively mitigates the identified MITM and DoS attacks without introducing significant computational or communication overhead. The proposed modifications maintain compatibility with the existing IWSN infrastructure while strengthening the overall security posture. Comparative analysis shows that our solution addresses the security weaknesses of the original protocol while preserving its practical advantages for industrial use. The enhanced protocol provides a practical and secure solution for real-time data access in IWSNs, making it suitable for deployment in mission-critical industrial environments where both security and efficiency are paramount.

1. Introduction

1.1. Background and Motivation

Industrial Wireless Sensor Networks (IWSNs) have emerged as a cornerstone technology for Industry 4.0, enabling the seamless integration of physical processes with digital systems [1,2]. These networks facilitate the real-time monitoring and control of critical industrial operations, including manufacturing processes, power grid management, chemical plant operations, and oil refinery systems [3,4]. The widespread adoption of IWSNs in mission-critical environments has been driven by their ability to provide flexible deployment, reduced installation costs, and enhanced operational visibility compared with traditional wired sensor networks [5,6].

However, the wireless nature of IWSNs introduces significant security challenges that must be addressed to ensure safe and reliable industrial operations [7,8]. Unlike conventional wireless sensor networks used in non-critical applications, IWSNs operate in environments where security breaches can result in catastrophic consequences, including production downtime, equipment damage, environmental hazards, and safety risks to personnel [9,10]. The criticality of these applications demands robust security mechanisms that can withstand sophisticated adversarial attacks while maintaining the operational efficiency required for real-time industrial processes [11,12].

The unique characteristics of IWSN deployments pose additional security challenges. Sensor nodes are often deployed in harsh industrial environments with limited physical protection, making them susceptible to tampering and physical attacks [13,14]. Furthermore, the resource-constrained nature of sensor devices, with limitations in processing power, memory capacity, and energy availability, restricts the applicability of conventional cryptographic solutions [15,16]. These constraints necessitate the development of lightweight security protocols that can provide adequate protection without compromising the operational requirements of industrial systems [17,18].

1.2. Problem Statement

Authentication protocols for IWSNs must address several critical security requirements, including mutual authentication between communicating entities, secure session key establishment, resistance to various attack vectors, and preservation of user privacy [19,20]. However, achieving these security goals while maintaining compatibility with resource-constrained sensor devices presents significant technical challenges [21,22].

Recent research has focused on developing lightweight authentication schemes using innovative cryptographic primitives such as Physically Unclonable Functions (PUFs), which offer the advantage of generating device-unique secrets without requiring secure storage [23,24]. PUFs leverage the inherent physical variations in semiconductor devices to create unclonable digital fingerprints, making them particularly suitable for resource-constrained environments [25,26].

One notable contribution in this area is the authentication protocol proposed by Gope et al. [27], which employs PUF-based mechanisms to achieve lightweight mutual authentication in IWSNs. Their scheme claims to provide several security features, including mutual authentication, session key establishment, user anonymity, and resistance to various attacks, while maintaining low computational overhead suitable for resource-constrained sensor nodes [27].

Despite these claimed security features, a preliminary analysis of existing PUF-based authentication protocols revealed potential vulnerabilities that could compromise the security of IWSN deployments [28,29]. The challenge lies in ensuring that the initial phases of authentication protocols, particularly the registration phase, are adequately protected against adversarial manipulations [30,31]. Many existing schemes assume secure channels for the initial setup without providing sufficient justification for how such security can be practically achieved in resource-constrained environments [32,33].

1.3. Research Questions and Objectives

This study addresses the following key questions:

• RQ1: What security vulnerabilities are present in existing PUF-based authentication protocols for IWSNs, particularly focusing on the protocol phases that lack adequate protection mechanisms?
• RQ2: How can adversaries exploit weaknesses in the sensor registration phase to compromise the overall security of the authentication protocols?
• RQ3: What modifications can be implemented to strengthen existing authentication schemes while preserving their lightweight characteristics, which are essential for IWSN deployments?
• RQ4: How effective are the proposed security enhancements in mitigating the identified vulnerabilities without introducing a significant performance overhead?

Based on these research questions, the primary objectives of this study are as follows:

• Security Analysis: Conduct a systematic security analysis of Gope et al.’s PUF-based authentication protocol to identify potential vulnerabilities and attack vectors.
• Attack Development: Develop and demonstrate practical attack scenarios that exploit the identified weaknesses, focusing on man-in-the-middle (MITM) and denial-of-service (DoS) attacks.
• Protocol Enhancement: Design an improved authentication scheme that addresses the identified vulnerabilities while maintaining the lightweight properties required for IWSN applications.
• Security Validation: Provide security justification for the proposed enhancements and demonstrate their effectiveness in preventing the identified attacks.
• Performance evaluation: The computational and communication overheads introduced by the proposed modifications were assessed to ensure practical applicability in resource-constrained environments.

1.4. Contributions

The main contributions of this study are summarized as follows:

• C1: Comprehensive Security Analysis—We provide a detailed security analysis of Gope et al.’s authentication protocol, identifying critical vulnerabilities in the sensor registration phase that enable sophisticated attacks against the overall protocol security.
• C2: Attack Demonstration—We demonstrate practical MITM and DoS attacks that exploit the identified vulnerabilities, showing how adversaries can compromise session keys and disrupt network operations. The attacks are presented with detailed step-by-step procedures and an analysis of their impact on protocol security.
• C3: Enhanced Authentication Scheme—We propose an improved authentication protocol that introduces sensor-initiated registration mechanisms to prevent unauthorized PUF queries. The enhanced scheme addresses the identified vulnerabilities while preserving the lightweight characteristics that are essential for IWSN deployments.
• C4: Security Justification—We provide a comprehensive security analysis demonstrating that the proposed enhancements effectively mitigate the identified attacks. The analysis includes informal security reasoning and a comparative evaluation with the original protocol.
• C5: Practical Validation—We evaluate the practical applicability of the proposed scheme through an analysis of computational and communication overheads, demonstrating that security improvements can be achieved without significant performance penalties.

1.5. Paper Organization

The remainder of this paper is organized as follows:

Section 2 provides essential background information on Industrial Wireless Sensor Networks, Physically Unclonable Functions (PUFs), cryptographic primitives, and security requirements for industrial applications. Section 3 presents a comprehensive review of related works on PUF-based authentication protocols and lightweight authentication schemes for wireless sensor networks, identifying research gaps that motivate this study. Section 4 establishes the system architecture, adversarial model, and security goals used throughout this study, defining the evaluation framework for the protocol security analysis. Section 5 provides a detailed review of Gope et al.’s authentication protocol, examining each protocol phase, including user registration, sensor node registration, authentication, and secure periodic data collection. Section 6 presents our security analysis of the original protocol, demonstrating critical vulnerabilities and describing practical Man-in-the-Middle and Denial-of-Service attacks that exploit these weaknesses. Section 7 introduces our enhanced authentication scheme and explains the design principles behind sensor-initiated registration and the specific protocol modifications implemented to address the identified vulnerabilities. Section 8 provides a comprehensive security analysis and performance evaluation of the proposed scheme, demonstrating its resistance to the identified attacks and comparing the computational and communication overheads with those of the original protocol. Section 9 concludes the paper with a summary of the contributions, key findings, and directions for future research on secure IWSN authentication.

2. Background and Preliminaries

2.1. Industrial Wireless Sensor Networks

Industrial Wireless Sensor Networks (IWSNs) represent a specialized class of wireless sensor networks designed to meet the stringent requirements of industrial automation and monitoring systems [34]. Unlike traditional WSNs used in environmental monitoring or academic research, IWSNs must operate reliably in harsh industrial environments characterized by electromagnetic interference, temperature variations, physical vibrations, and potential security threats [35,36].

• IWSN Architecture

A typical IWSN deployment consists of three main components: sensor nodes, gateway devices, and back-end management systems [37]. Sensor nodes are responsible for collecting real-time data from industrial processes, including temperature, pressure, vibration, chemical composition, and operational status [38]. These nodes are typically battery-powered devices with limited computational capabilities and are designed for long-term deployment in industrial facilities [39].

Gateway devices serve as intermediaries between the sensor nodes and broader industrial network infrastructure. They aggregate data from multiple sensor nodes, perform initial processing, and relay the information to central management systems [40]. Gateways typically have more computational resources than individual sensor nodes and may be connected to reliable power sources [41].

Backend management systems provide centralized monitoring, control, and data analysis capabilities for the entire IWSN deployment [42]. These systems are integrated with existing industrial control systems, such as Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS), to enable comprehensive industrial automation [43].

• Security Requirements for IWSNs

The security requirements for IWSNs are more stringent than those for conventional WSNs because of the critical nature of industrial operations [44]. The primary security objectives include the following:

Confidentiality: Industrial sensor data often contain proprietary information about production processes, operational parameters, and business intelligence that must be protected from unauthorized access [45]. Data breaches in industrial environments can result in competitive disadvantages, intellectual property theft, and regulatory compliance violations [46].

Integrity: The accuracy and completeness of sensor data are crucial for industrial decision-making and safety [47]. Malicious modification of sensor readings can lead to incorrect control decisions, equipment damage, or safety hazards [48].

Availability: Industrial processes often require real-time monitoring and control, rendering system availability a critical requirement [34]. Denial-of-service attacks or system failures can result in production downtime, economic losses, and safety risks [35].

Authentication: Ensuring that only authorized devices and users can access the IWSN is essential for maintaining system security and preventing the unauthorized control of industrial processes [36].

2.2. Physically Unclonable Functions (PUFs)

Physically Unclonable Functions (PUFs) have emerged as a promising security primitive for resource-constrained devices owing to their ability to generate device-unique secrets without requiring secure storage [37]. PUFs leverage the inherent manufacturing variations in semiconductor devices to create unique digital fingerprints that are extremely difficult to clone or reproduce [38].

• PUF Fundamentals

A PUF can be formally defined as a function P: C → R that maps a challenge C to a response R based on the unique physical characteristics of a specific device [39]. The key properties of PUFs include the following:

Uniqueness: Each PUF instance produces a different response to the same challenge, making it possible to distinguish between different devices [40].

Reproducibility: A PUF should produce the same response when presented with the same challenge multiple times within acceptable error bounds [41].

Unpredictability: It should be computationally infeasible to predict the response to a new challenge based on the knowledge of previous challenge–response pairs [42].

Unclonability: The physical structure that generates PUF responses cannot be duplicated or cloned, even with detailed knowledge of the manufacturing process [43].

• PUF Implementation Technologies

Several technologies have been developed for implementing PUFs in silicon devices [44].

SRAM PUFs: These PUFs exploit the random startup states of SRAM cells, which are determined by manufacturing variations in transistor threshold voltages [45]. SRAM PUFs are particularly attractive because they utilize existing memory structures without requiring additional hardware [46].

Ring Oscillator PUFs: These designs use the frequency variations in ring oscillators caused by manufacturing process variations [47]. Multiple ring oscillators are implemented on the same chip, and their relative frequencies are used to generate unique responses [48].

Arbiter PUFs: These PUFs are based on race conditions between two identical signal paths, where manufacturing variations cause slight differences in propagation delays [34]. The arbiter determines which signal arrives first and generates a binary response bit [35].

2.3. Cryptographic Primitives for Resource-Constrained Environments

The resource limitations of IWSN devices necessitate the use of lightweight cryptographic primitives that can provide adequate security with a minimal computational overhead [36].

• Hash Functions

Cryptographic hash functions are fundamental building blocks for many security protocols because of their efficiency and security properties [37]. One-way hash functions, such as SHA-256, provide data integrity and are used in authentication protocols to generate message authentication codes and digital fingerprints [38].

For resource-constrained environments, lightweight hash functions, such as PHOTON, SPONGENT, and QUARK, have been developed to reduce computational requirements while maintaining security properties [39,40].

• Symmetric Key Cryptography

Symmetric encryption algorithms, such as the Advanced Encryption Standard (AES), provide efficient mechanisms for data confidentiality [41]. However, the computational requirements of traditional AES implementations may be prohibitive for some sensor devices [42].

Lightweight block ciphers, such as PRESENT, CLEFIA, and SIMON/SPECK, have been designed specifically for resource-constrained environments, offering reduced hardware requirements and energy consumption [43,44].

• Message Authentication Codes

Message Authentication Codes (MACs) provide data integrity and authentication by generating cryptographic tags that can be verified by authorized parties [45]. The Hash-based Message Authentication Code (HMAC) is widely used because of its security properties and efficiency [46].

Lightweight MAC algorithms, such as Chaskey and SipHash, have been developed for IoT and sensor network applications, providing strong security with minimal computational overhead [47,48].

2.4. Security Requirements and Attack Models for IWSN Authentication

Authentication protocols for IWSNs must address specific security requirements while operating within the constraints imposed by resource-limited devices and industrial environments [34].

• Mutual Authentication Requirements

Mutual authentication ensures that both communicating parties can verify each other’s identity before establishing a secure communication channel [35]. In the context of IWSNs, this typically involves authentication between the following:

• User devices and gateways: Users accessing industrial data must be authenticated to prevent unauthorized access [36].
• Sensor nodes and gateways: Sensors must verify the legitimacy of gateway devices to prevent data theft and control manipulations [37].
• Inter-gateway communication: Multiple gateways in large deployments must authenticate each other for secure data sharing [38].

• Session Key Establishment

Secure session key establishment enables the creation of temporary encryption keys to protect data transmission [39]. These keys should possess the following properties:

• Forward Secrecy: Compromise of long-term secrets should not compromise previously established session keys [40].
• Perfect Forward Secrecy: Compromise of long-term secrets should not enable decryption of past communications [41].
• Key Freshness: Each authentication session should establish a new, unique session key to prevent replay attacks [42].

• Privacy and Anonymity Requirements

Industrial applications often require the protection of user and device identities to prevent tracking and profiling attacks [43]. Privacy requirements include the following:

• User Anonymity: The identity of users accessing the system should be protected from external observers [44].
• Device Unlinkability: It is possible to link multiple communications from the same device to track device movements or usage patterns [45].
• Location Privacy: The physical location of sensor nodes should be protected when possible to prevent targeted physical attacks [46].

• Common Attack Vectors

Authentication protocols for IWSNs must resist various attack vectors commonly encountered in industrial environments [47].

• Eavesdropping: Passive monitoring of wireless communications to gather intelligence or credentials [48].
• Man-in-the-Middle (MITM): Active interception and manipulation of communications between legitimate parties [34].
• Replay Attacks: Retransmission of previously captured messages to gain unauthorized access [35].
• Denial-of-Service (DoS): Attacks designed to disrupt service availability and prevent legitimate communication [36].
• Physical Attacks: Direct access to sensor devices to extract secrets or modify functionality [37].

The design of secure authentication protocols must consider these attack vectors while maintaining the performance characteristics required for industrial applications.

3. Related Work

3.1. PUF-Based Authentication Protocols

The integration of Physically Unclonable Functions (PUFs) into authentication protocols has gained significant attention because of their ability to provide device-unique secrets without requiring secure storage [49]. Early PUF-based authentication schemes focused primarily on basic challenge–response mechanisms; however, recent developments have addressed more sophisticated security requirements for industrial and IoT applications [50].

Rührmair et al. [51] proposed one of the first comprehensive PUF-based authentication protocols, introducing the concept of using PUF responses as device fingerprints for identification and authentication. Their work demonstrated the feasibility of PUF-based security but did not address the specific requirements of resource-constrained wireless sensor networks [52].

Majzoobi et al. [53] developed a lightweight PUF-based authentication scheme specifically designed for RFID systems. Their protocol employs XOR operations and hash functions to achieve mutual authentication while minimizing computational overhead. However, subsequent analyses have revealed vulnerabilities to modeling and replay attacks in certain deployment scenarios [54].

Yu et al. [55] introduced a PUF-based protocol that incorporated noise tolerance mechanisms to address the reliability challenges associated with PUF responses. Their scheme uses fuzzy extractors and error correction codes to handle environmental variations that could affect PUF stability. Although this approach improved practical applicability, it introduced additional computational complexity that may not be suitable for all sensor network deployments [56].

Recently, several researchers have focused on developing PUF-based authentication schemes specifically for wireless sensor networks and IoT environments. Chatterjee et al. [57] proposed a protocol that combines PUF technology with elliptic curve cryptography to achieve strong security properties. However, the computational requirements of elliptic curve operations limit their applicability to resource-constrained sensor nodes [58].

Braeken [59] introduced a lightweight PUF-based authentication scheme that uses only hash functions and XOR operations, making it suitable for extremely resource-limited devices. Although computationally efficient, this protocol lacks some advanced security features, such as perfect forward secrecy and resistance to certain types of physical attacks [60].

Most recently, Gope et al. [27] proposed a comprehensive PUF-based authentication protocol specifically designed for Industrial Wireless Sensor Networks (IWSNs). Their scheme addresses the unique requirements of industrial environments by providing mutual authentication between users, gateways, and sensor nodes while maintaining lightweight computational requirements. The protocol employs a four-phase approach, including user registration, sensor node registration, authentication, and secure periodical data collection (SPDC). Gope et al. claimed that their protocol achieved several security properties, including resistance to various attacks, user anonymity, and session key security, while operating efficiently on resource-constrained sensor devices. However, the security analysis provided in their work focuses primarily on informal reasoning rather than a comprehensive vulnerability assessment under realistic adversarial conditions. This gap in rigorous security evaluations motivates the detailed analysis presented in this study.

3.2. Lightweight Authentication Schemes for Wireless Sensor Networks

The development of lightweight authentication protocols for wireless sensor networks has been driven by the need to balance security requirements with the computational and energy constraints of sensor devices [61]. Various approaches have been proposed, ranging from symmetric-key-based schemes to innovative cryptographic constructions [62].

Hash-based authentication schemes have been widely adopted because of their computational efficiency and security properties. Wong et al. [63] proposed a hash chain-based authentication protocol that enables secure communication between sensor nodes and base stations. Their scheme provides replay attack resistance and supports key renewal but requires significant memory to store hash chain values [49].

Several researchers have explored the use of biometric data for the authentication of sensor networks. Kumar et al. [50] developed a biometric-based authentication scheme that uses physiological characteristics of authorized users. Although this approach provides strong user authentication, it requires specialized hardware for biometric data capture and processing, limiting its applicability in industrial environments [51].

The integration of blockchain technology into sensor network authentication has been investigated. Zhang et al. [52] proposed a blockchain-based authentication framework that provides distributed trust management and tamper-proof audit trails. However, the computational and storage requirements of blockchain operations are generally prohibitive for resource-constrained sensor nodes [53].

Smart contract-based authentication schemes have been proposed as alternatives to traditional centralized approaches. Li et al. [54] developed a smart contract framework for IoT device authentication that provides transparency and immutability. Although innovative, these approaches require significant infrastructure changes and may not be practical for existing industrial deployments [55].

Recent studies have focused on developing authentication protocols that specifically address the requirements of Industrial Internet of Things (IIoT) applications. Srinivas et al. [56] proposed a three-factor authentication scheme that combines passwords, smart cards, and biometric data for enhanced security. Their protocol provides strong authentication but requires multiple authentication factors, which may not be practical in all industrial scenarios [57].

3.3. Research Gaps and Motivation

Despite extensive research on PUF-based and lightweight authentication protocols, several important gaps remain that limit the practical deployment of secure authentication in industrial wireless sensor networks [58].

• Security Analysis Limitations

Many existing protocols, including the recent work by Gope et al. [27], provide security analyses based primarily on informal reasoning rather than comprehensive vulnerability assessments under realistic adversarial conditions [59]. This approach may miss subtle vulnerabilities that could be exploited by sophisticated attackers in industrial environments, where the stakes are particularly high [60].

The lack of rigorous attack modeling and systematic vulnerability analysis in many existing studies means that protocols may appear secure under limited threat scenarios but fail when subjected to more comprehensive security evaluations [61]. This is particularly concerning for industrial applications, where security failures can have serious safety and economic consequences [62].

• Inadequate Consideration of Registration Phase Security

A critical observation from the literature review is that many authentication protocols focus primarily on the security of the authentication and data transmission phases while giving insufficient attention to the security of the initial registration phase [63]. The registration phase is particularly vulnerable because it often involves the exchange of sensitive cryptographic material that forms the foundation for all subsequent security operations [49].

In PUF-based protocols, the registration phase typically involves the exchange of PUF challenge–response pairs between sensor nodes and gateways [50]. If this phase is inadequately protected, adversaries may be able to perform unauthorized PUF queries, compromising the entire security foundation of the protocol [51].

• Limited Real-World Attack Scenarios

Much of the existing security analysis focuses on well-known attack categories, such as replay, impersonation, and eavesdropping attacks, but provides limited consideration of sophisticated attack scenarios that may be encountered in real-world industrial deployments [52]. Industrial environments present unique challenges, including the physical accessibility of sensor nodes, electromagnetic interference, and the potential for insider threats [53].

The combination of multiple attack vectors, such as man-in-the-middle attacks followed by denial-of-service attacks, has received limited attention in the literature despite representing realistic threat scenarios in industrial environments [54].

• Insufficient Performance Validation

While many protocols claim to be “lightweight” and suitable for resource-constrained devices, few provide a comprehensive performance analysis that includes actual implementation results and a comparison with existing schemes under realistic conditions [55]. This makes it difficult to assess the practical viability of the proposed solutions for industrial deployment [56].

These identified gaps motivate the comprehensive security analysis and protocol enhancement presented in this study, which aims to address the limitations of existing approaches through systematic vulnerability assessment and practical security improvements [57].

4. System Model and Threat Model

4.1. System Architecture

The IWSN system consists of three main entities: users (U), gateways (GW), and sensor nodes (S) [34]. Users are authorized personnel who access the sensor data through mobile devices or workstations equipped with PUF modules. Gateways serve as intermediaries with substantial computational resources that aggregate sensor data and facilitate secure communication. Sensor nodes are resource-constrained devices with PUF modules that are deployed to monitor industrial processes [35]. The system employs two communication channels: secure channels for the registration phase to protect sensitive PUF challenge–response pairs and public channels for normal operations protected by authentication protocols [36]. We assume loose time synchronization, stable PUF behavior under normal conditions, and physical protection of gateways, while sensor nodes may be physically accessible [37].

4.2. Adversarial Model

We consider a powerful adversary operating under the Dolev-Yao model with enhanced capabilities for industrial environments [38]. The adversary can control wireless communications (eavesdrop, intercept, modify, inject messages), has bounded computational power (cannot break standard cryptographic primitives), and may gain physical access to limited sensor nodes [39]. An adversary can launch passive attacks (monitoring communications), active attacks (message modification/injection), impersonation attacks, and denial-of-service attacks [40]. However, adversaries cannot clone PUF structures, break secure cryptographic primitives, or avoid the detection of physical tampering indefinitely [41].

4.3. Security Goals

The authentication protocol must achieve the following security objectives [42]:

• Primary Goals: Mutual authentication between all entities, secure session key establishment, data confidentiality and integrity, and resistance to replay attacks [43].
• Performance Requirements: Computational efficiency suitable for resource-constrained devices, minimal communication overhead, denial-of-service resistance, and scalability for large deployments [44].
• Industrial Requirements: Real-time performance for time-critical applications, integration with existing industrial infrastructure, and compliance with relevant security standards [45].

These requirements provide an evaluation framework for analyzing existing protocols and validating proposed security improvements.

5. Review of Gope et al.’s Scheme

In Gope et al.’s scheme [27], there are three main types of participants: users, gateways, and sensor nodes. Their scheme consists of four phases: user registration, sensor node registration, authentication, and secure periodic data collection (SPDC). It is assumed that a secure channel is used during the user and sensor node registration phases, and a public channel is used during the other two phases. This secure channel ensures the integrity and confidentiality of transmitted data. Each user device and sensor consists of a microcontroller attached to a Physically Unclonable Function (PUF). APUF is a one-way function P that maps a challenge C to a response R based on the unique physical microstructure of a device, i.e., $R=P(C)$. It is also assumed that sensor nodes have limited resources. The details of each phase are presented as follows and shown in Figure 1, Figure 2, Figure 3 and Figure 4.

Table 1. Notations.

Notation	Description
$Sn$	A sensor node in IWSN
U	A user in IWSN
$I{D}_u$	The unique identity of U
$TI{D}_u$	Temporary identity of U
$I{D}_{Sn}$	The unique identity of Sn
PID	Set of pseudo identities
$(C,R)$	Challenge–response pair
P	Physically unclonable function
$ps{w}_u$	Password of U
${\beta }_u$	Biometric thumb impression of U
sk, SK	Session keys
$h(.)$	A one-way cryptographic hash function

shows a list of notations used throughout the paper.

5.1. Enhanced Threat Model for Vulnerability Analysis

We assume a powerful adversary who has capabilities beyond those considered in the basic threat model. In particular, the adversary in our extended model is assumed to possess the following abilities:

• Full network control (Dolev–Yao model): The attacker can control all communication channels in the IWSN. This includes eavesdropping on transmissions, intercepting and dropping messages at will, modifying message contents, and injecting forged messages into the network. However, the adversary is computationally bounded and cannot break standard cryptographic primitives (e.g., cannot invert one-way hash functions or derive secret keys from intercepted data).
• Physical compromise of sensor nodes: The attacker may physically capture sensor devices deployed in the field. By gaining physical access, the adversary could extract confidential information (such as cryptographic keys or passwords) stored on a sensor or reset/reprogram the device. This capability means the adversary might impersonate a legitimate sensor after extracting its credentials or trigger the sensor to undergo the authentication process under adversarial timing and control.
• Exploitation of unauthenticated protocol phases: The adversary can take advantage of any step in the scheme that is not yet protected by authentication or encryption. For example, if an initial handshake or registration message is sent without verification, the attacker can intercept and manipulate it. The adversary might replay initial messages or send fraudulent initiation requests to confuse the legitimate parties, insert itself as a man-in-the-middle before authentication is finalized, or flood the gateway with spurious requests to exhaust its resources (denial-of-service).

This extended threat model captures worst-case scenarios for IWSNs in hostile environments. It provides a basis for analyzing the security of both Gope et al.’s original scheme [27] and our proposed solution under realistic attack conditions.

5.2. User Registration Phase

Each user U needs to register his/her trusted device D in the gateway before obtaining access to real-time data access in IWSN. The user registration is described as follows:

Step 1.

U transmits its identity $I{D}_u$ to the gateway.

Step 2.

The gateway generates a random challenge $C_u$ for the normal authentication process and a set of new challenges $C_u^{syn}=\left\{c_1,\dots ,c_n\right\}$ for resynchronization with the user U and sends $\left\{C_u,C_u^{syn}\right\}$ to U.

Step 3.

D extracts the PUF outputs of $\left\{C_u,C_u^{syn}\right\}$ $R_u=P_D(C_u)$, $R_u^{syn}=P_D(C_u^{syn})$ and sends $\left\{R_u,R_u^{syn}\right\}$ to the gateway.

Step 4.

The gateway randomly generates a unique temporary identity $TI{D}_u$ and a set of pseudo-identities $PID=\left\{pi{d}_1,\dots ,pi{d}_n\right\}$ and transmits $\left\{TI{D}_u,PID\right\}$ to U. The gateway stores $I{D}_u$, $TI{D}_u$, $(C_u,R_u)$, $(C_u^{syn},R_u^{syn})$, and $PID$.

Step 5.

U stores $\left\{I{D}_u,TI{D}_u\right\}$ in the device D. Next, U inputs his/her biometric thumb impression ${\beta }_u$ into the device. The device extracts ${\alpha }_u=P_D({\beta }_u)$ and then the user U selects a password $ps{w}_u$ and inputs it into the device. The device computes and stores $\delta =h({\alpha }_u||ps{w}_u)$ for user verification, where h is a one-way cryptographic hash function.

5.3. Sensor Node Registration Phase

Step 1.

The gateway generates a challenge $C_{Sn}$ for each sensor node $Sn$ and a set of new challenges $C_{Sn}^{syn}=\left\{c_1,\dots ,c_n\right\}$ for resynchronization with $Sn$, and sends $\left\{C_{Sn},C_{Sn}^{syn}\right\}$ to $Sn$.

Step 2.

$Sn$ extracts the PUF outputs of $\left\{C_{Sn},C_{Sn}^{syn}\right\}$, i.e., $R_{Sn}=P_{Sn}(C_{Sn})$, $R_{Sn}^{syn}=P_{Sn}(C_{Sn}^{syn})$. Finally, $Sn$ sends $\left\{R_{Sn},R_{Sn}^{syn}\right\}$ to the gateway.

Step 3.

The gateway generates a unique identity $I{D}_{Sn}$ for the sensor $Sn$ and stores $I{D}_{Sn}$, $(C_{Sn},R_{Sn})$, and $(C_{Sn}^{syn},R_{Sn}^{syn})$. However, $Sn$ does not require to store any secret credentials.

5.4. Authentication Phase

A user U is required to accomplish mutual authentication with the gateway and the sensor node and to establish a session key with the sensor node to obtain access to real-time data. The details of this phase are presented as follows:

Step 1.

U inputs his/her biometric thumb impression ${\beta }_u$ into the device. The device extracts ${\alpha }_u=P_D({\beta }_u)$ and then the user U inputs his password $ps{w}_u$ into the device. The device computes ${\delta }^{*}=h({\alpha }_u||ps{w}_u)$ and compares it with the stored $\delta$ to either accept or reject the user. Device D generates a nonce $N_u$ and sends $M_1:\left\{TI{D}_u,N_u\right\}$ to the gateway through a public channel.

Step 2.

The gateway selects $(C_u,R_u)$ and generates a nonce $N_g$. Next, the gateway calculates $N_g^{*}=N_g\oplus R_u$ and $V_0=h(N_g^{*}|\left|R_u\right||N_u)$. Finally, the gateway sends $M_2=\left\{C_u,N_g^{*},V_0\right\}$ to the user U.

Step 3.

The user’s device D computes $R_u=P_D(C_u)$ and verifies $V_0$. If the verification is successful, the device D calculates $N_g=N_g^{*}\oplus R_u$, $C_u^{new}=h(C_u,R_u)$, and $R_u^{new}=P_D(C_u^{new})$. The device uses $I{D}_u$ and the identity $I{D}_{Sn}$ of the accessed sensor node $Sn$ to compute the following:

• $R_u^{*}=h(I{D}_u||R_u)\oplus R_u^{new}$
• $I{D}_{Sn}^{*}==h(I{D}_u||N_g)\oplus I{D}_{Sn}$
• $V_1=h(R_u^{*}|\left|R_u\right|\left|N_g\right||I{D}_{Sn}^{*})$

Finally, the device sends $M_3:\left\{R_u^{*},I{D}_{Sn}^{*},V_1\right\}$ to the gateway.

Step 4.

The gateway verifies $V_1$ and derives $I{D}_{Sn}=h(I{D}_u||N_g)\oplus I{D}_{Sn}^{*}$ and selects $(C_{Sn},R_{Sn})$. Next, the gateway generates a random number $n_1$ and a session key SK and then computes the following:

• $n_1^{*}=n_1\oplus R_{Sn}$
• $S{K}_{Sn}^{*}=h(R_{Sn}||n_1)\oplus SK$
• $V_2=h(n_1^{*}|\left|R_{Sn}\right|\left|S{k}_{Sn}^{*}\right||TI{D}_u)$

Finally, the gateway sends the message $M_4:\left\{TI{D}_u,n_1^{*},S{K}_{Sn}^{*},C_{Sn},V_2\right\}$ to the sensor $Sn$ through a public channel.

Step 5.

The sensor $Sn$ computes the PUF output $R_{Sn}=P_{Sn}(C_{Sn})$ and verifies $V_2$. After successful verification, the sensor $Sn$ computes the following:

Step 6.

• $n_1=n_1^{*}\oplus R_{Sn}$,
• $SK=h(R_{Sn}||n_1)\oplus S{K}_{Sn}^{*}$,
• $C_{Sn}^{new}=h(C_{Sn},R_{Sn})$
• $R_{Sn}^{new}=P_{Sn}(C_{Sn}^{new})$
• $R_{Sn}^{*}=h(R_{Sn})\oplus R_{Sn}^{new}$
• $V_3=h(R_{Sn}^{*}|\left|R_{Sn}\right||n_1)$.

Finally, the sensor sends $M_5:\left\{R_{Sn}^{*},V_3\right\}$ to the gateway.

Step 7.

The gateway verifies $V_3$ and calculates the following:

• $C_{Sn}^{new}=h(C_{Sn},R_{Sn})$
• $R_{Sn}^{new}=h(R_{Sn})\oplus R_{Sn}^{*}$
• $C_u^{new}=h(C_u,R_u)$
• $R_u^{new}=h(I{D}_u||R_u)\oplus R_u^{*}$.

The gateway also generates a new temporary identity for the user U as $TI{D}_u^{new}$ and computes the following:

• $S{K}_u^{*}=h(I{D}_u|\left|R_u\right||N_g)\oplus SK$
• $TI{D}_u^{*}=h(I{D}_u|\left|R_u\right||TI{D}_u)\oplus TI{D}_u^{new}$
• $V_4=h(TI{D}_u^{*}|\left|S{K}_u^{*}\right||R_u)$.

Finally, the gateway sends $M_6:\left\{TI{D}_u^{*},S{K}_u^{*},V_4\right\}$ to the user U and stores $TI{D}_u^{new}$, $(C_u^{new},R_u^{new})$, and $(C_{Sn}^{new},R_{Sn}^{new})$.

Step 8.

The user U’s device verifies $V_4$ and computes the session key $SK=h(I{D}_u|\left|R_u\right||N_g)\oplus S{K}_u^{*}$, $TI{D}_u^{new}=h(I{D}_u|\left|R_u\right||TI{D}_u)\oplus TI{D}_u^{*}$ and stores $TI{D}_u^{new}$.

5.5. SPDC Phase

In this phase, the gateway and the sensor node mutually authenticate each other and establish a session key to securely transfer the collected data to the gateway. The details of this phase are presented as follows:

Step 1.

The gateway generates a nonce $N_g$, calculates $N_g^{*}=R_{Sn}\oplus N_g$, ${\mathrm{Res}}_{\mathrm{GW}}=h(R_{Sn}||N_g^{*})$, and sends $\left\{C_{Sn},N_g^{*},{\mathrm{Res}}_{\mathrm{GW}}\right\}$ to $Sn$.

Step 2.

The sensor $Sn$ calculates $R_{Sn}=P_{Sn}(C_{Sn})$ and then verifies ${\mathrm{Res}}_{\mathrm{GW}}$. If the verification is successful, $Sn$ generates a nonce $N_s$ and calculates the following:

• $N_g=R_{Sn}\oplus N_g^{*}$
• $C_{Sn}^{new}=h(C_{Sn},N_s)$
• $R_{Sn}^{new}=P_{Sn}(C_{Sn}^{new})$
• $x=R_{Sn}^{new}\oplus N_g$
• $N_s^{*}=N_s\oplus h(R_{Sn}||N_g)$
• ${\mathrm{Res}}_{\mathrm{Sn}}=h(N_s^{*}|\left|x\right||R_{Sn})$
• $sk=h(N_s|\left|N_g\right||R_{Sn})$

Finally, $Sn$ sends $\left\{N_s^{*},x,{\mathrm{Res}}_{\mathrm{Sn}}\right\}$ to the gateway.

Step 3.

The gateway verifies ${\mathrm{Res}}_{\mathrm{Sn}}$ and computes the following:

• $N_s=N_s^{*}\oplus h(R_{Sn}||N_g)$
• $C_{Sn}^{new}=h(C_{Sn},N_s)$
• $R_{Sn}^{new}=x\oplus N_g$
• $sk=h(N_s|\left|N_g\right||R_{Sn})$.

Finally, the gateway stores $\left\{C_{Sn}^{new},R_{Sn}^{new}\right\}$.

6. Cryptanalysis of Gope et al.’s Scheme

Our security analysis demonstrates that Gope et al.’s protocol is prone to man-in-the-middle (MITM) attacks that allow adversaries to reveal the session key SK established between user devices and sensor nodes during the authentication phase, as well as the session key sk established between gateways and sensors during the SPDC phase [28]. Furthermore, these MITM attacks can be followed by denial-of-service (DoS) attacks that prevent future communications between the entities [29].

Gope et al.’s protocol assumes that secure channels exist between communicating entities during the user and sensor node registration phases [27]. This secure channel requirement is critical because it must prevent eavesdropping on PUF outputs and their modification, as the security of the entire scheme depends on the secrecy of the PUF challenge–response pairs [30].

The secure channel between sensor nodes and gateways can theoretically be established using three different methods [31]. The symmetric encryption method requires both the sensor node and gateway to store a pre-shared symmetric secret key, which can be used to authenticate both entities during the sensor node registration phase [32]. The asymmetric encryption method relies on asymmetric encryption-based protocols (e.g., SSL/TLS) to establish secure channels between sensor nodes and gateways [33]. The physical method uses physically secured channels that are not accessible to adversaries, such as dedicated wired communication links during device commissioning [34].

A critical analysis reveals a fundamental contradiction in Gope et al.’s protocol design. The protocol’s main contributions include avoiding asymmetric encryption and eliminating the need for sensors to store sensitive information such as secret credentials [27]. These design choices are motivated by the resource constraints of sensor nodes and the security risks associated with storing secrets on potentially compromised devices [35]. However, this design philosophy creates an insurmountable security paradox: the symmetric encryption method cannot be used because it requires sensors to store pre-shared keys, violating the protocol’s goal of avoiding secret storage [36]. The asymmetric encryption method cannot be employed because sensor nodes are resource-limited devices that cannot support expensive public-key operations [37]. The physical method is the only remaining option, but it fails to provide authentication services [38].

The fundamental vulnerability stems from the protocol’s reliance on physical security alone for the registration phase. While physical channels can provide confidentiality and integrity, they cannot provide authentication between the communicating entities [39]. This limitation means that sensor nodes do not perform any authentication procedure during the registration phase and will respond to any properly formatted challenge [40].

According to the adversarial model established in Section 4.2, physically securing the communication channel does not prevent an adversary from gaining direct physical access to sensor nodes deployed in industrial environments [41]. An adversary can approach a sensor node and perform a rogue registration by sending a challenge C_adv to the sensor and retrieving the corresponding PUF output R_adv = PUF(C_adv) [42]. Crucially, the sensor node cannot distinguish between legitimate registration requests from authorized gateways and malicious requests from adversaries, as no authentication mechanism is employed during this critical phase [43].

This design flaw enables sophisticated attack vectors because adversaries can query sensor PUFs directly without detection or prevention, use the obtained PUF responses to derive session keys in subsequent protocol phases, and influence the cryptographic state stored at gateways by providing false PUF responses [44]. The combination of these factors allows adversaries to mount coordinated attacks against both the authentication and data collection phases of the protocol, as demonstrated in the following sections [45].

6.1. Attacks on the Authentication Phase

An adversary A can launch a MITM attack during the authentication phase to recover the session key SK, which allows A to obtain real-time data access to sensor nodes. This attack can be followed by a DoS attack, which prevents future communication between the user device and sensor nodes. This attack occurs after the mutual authentication between the user and the gateway is completed in Step 4 of the authentication phase in Section III.D of [27]. The details of the attack are presented as follows and are illustrated in Figure 5.

Step 4.1.

The adversary A intercepts message $M_4:\left\{TI{D}_u,n_1^{*},S{K}_{Sn}^{*},C_{Sn},V_2\right\}$ communicated from the gateway to $Sn$. Next, adversary A generates a set of challenges ${\overline{C}}_{Sn}^{syn}=\left\{{\overline{c}}_1,\dots ,{\overline{c}}_n\right\}$ and starts the sensor node registration phase by transmitting $\left\{C_{Sn},{\overline{C}}_{Sn}^{syn}\right\}$ to $Sn$.

Step 4.2.

$Sn$ extracts the PUF outputs of $\left\{C_{Sn},{\overline{C}}_{Sn}^{syn}\right\}$ $R_{Sn}=P_{Sn}(C_{Sn})$, ${\overline{R}}_{Sn}^{syn}=P_{Sn}({\overline{C}}_{Sn}^{syn})$ and sends $\left\{R_{Sn},{\overline{R}}_{Sn}^{syn}\right\}$ to adversary A, which acts as a gateway.

Step 4.3.

Next, the adversary computes $n_1=n_1^{*}\oplus R_{Sn}$ and uses it to recover the session key SK by computing $SK=h(R_{Sn}||n_1)\oplus S{K}_{Sn}^{*}$. Finally, the adversary releases the message $M_4$ to be sent to Sn to complete the authentication phase with the gateway.

Using the recovered session key SK, the adversary A can eavesdrop or modify the traffic between the user device and the sensor node. Moreover, the adversary can use the recovered session key SK to launch a DoS attack, which prevents future communications with the sensor node. The attack occurs after Step 5 of the authentication phase in Section III.D of [27] as follows:

Step 5.1.

The adversary A intercepts $M_5:\left\{R_{Sn}^{*},V_3\right\}$.

Next, A derives the PUF output $R_{Sn}^{new}=h(R_{Sn})\oplus R_{Sn}^{*}$ and generates a unique PUF output ${\overline{R}}_{Sn}^{new}$. Finally, A computes ${\overline{R}}_{Sn}^{*}=h(R_{Sn})\oplus {\overline{R}}_{Sn}^{new}$ and ${\overline{V}}_3=h({\overline{R}}_{Sn}^{*}|\left|R_{Sn}\right||n_1)$, and it sends $\overline{M_5}:\left\{{\overline{R}}_{Sn}^{*},{\overline{V}}_3\right\}$ to the gateway as a response to $M_4$.

Upon receiving the message $\overline{M_5}$ in Step 6, the gateway verifies ${\overline{V}}_3$ and calculates $C_{Sn}^{new}=h(C_{Sn},R_{Sn})$ and ${\overline{R}}_{Sn}^{new}=h(R_{Sn})\oplus {\overline{R}}_{Sn}^{*}$. Then, the gateway stores $\left\{C_{Sn}^{new},{\overline{R}}_{Sn}^{new}\right\}$ for the next interactions with the sensor node Sn. Considering Step 5 of the next authentication phase, the sensor $Sn$ receives $M_4:\left\{TI{D}_u,n_1^{*},S{K}_{Sn}^{*},C_{Sn}^{new},V_2\right\}$, computes the PUF output $R_{Sn}^{new}=P_{Sn}(C_{Sn}^{new})$, and attempts to verify $V_2=h(n_1^{*}|\left|{\overline{R}}_{Sn}^{new}\right|\left|S{k}_{Sn}^{*}\right||TI{D}_u)$ using the computed PUF output $R_{Sn}^{new}$. It is clear that this verification will fail and that the sensor $Sn$ will terminate the session due to the mismatch between $R_{Sn}^{new}$ and ${\overline{R}}_{Sn}^{new}$.

Finally, to launch a MITM attack during the next authentication phase, adversary A does not have to start the sensor node registration phase to obtain $R_{Sn}^{new}$, as this value is computed in Step 5.1 of the previous attack.

6.2. Attacks on SPDC Phase

An adversary A can launch a MITM attack during the SPDC phase to recover the session key sk, which allows A to decrypt the traffic between the sensor node and the gateway. This attack can also be followed by a DoS attack, which prevents future communications between the gateway and sensor nodes. The attack occurs after Step 1 of the SPDC phase in Section III.E of [27]. The details of the attack are presented as follows and are illustrated in Figure 6.

Step 1.1.

The adversary A intercepts message $\left\{C_{Sn},N_g^{*},{\mathrm{Res}}_{\mathrm{GW}}\right\}$ communicated from the gateway to $Sn$ in Step 1. Next, adversary A generates a set of challenges ${\overline{C}}_{Sn}^{syn}=\left\{{\overline{c}}_1,\dots ,{\overline{c}}_n\right\}$ and starts the sensor node registration phase by transmitting $\left\{C_{Sn},{\overline{C}}_{Sn}^{syn}\right\}$ to $Sn$.

Step 1.2.

$Sn$ extracts the PUF outputs of $\left\{C_{Sn},{\overline{C}}_{Sn}^{syn}\right\}$ $R_{Sn}=P_{Sn}(C_{Sn})$ and ${\overline{R}}_{Sn}^{syn}=P_{Sn}({\overline{C}}_{Sn}^{syn})$, and it sends $\left\{R_{Sn},{\overline{R}}_{Sn}^{syn}\right\}$ to adversary A, which acts as a gateway. Finally, the adversary releases the message $\left\{C_{Sn},N_g^{*},{\mathrm{Res}}_{\mathrm{GW}}\right\}$ to be sent to Sn.

Step 2.1.

After the completion of Step 2 of this phase, adversary A intercepts the message $\left\{N_s^{*},x,{\mathrm{Res}}_{\mathrm{Sn}}\right\}$. Next, the adversary computes $N_g=R_{Sn}\oplus N_g^{*}$, $R_{Sn}^{new}=x\oplus N_g$, and $N_s=N_s^{*}\oplus h(R_{Sn}||N_g)$. Finally, the adversary computes the session key $sk=h(N_s|\left|N_g\right||R_{Sn})$ and releases the message $\left\{N_s^{*},x,{\mathrm{Res}}_{\mathrm{Sn}}\right\}$ to be sent to the gateway.

Using the session key sk, adversary A can eavesdrop or modify the traffic between the gateway and the sensor node. Moreover, the adversary can use the session key sk to launch a DoS attack, which prevents future communications with the sensor node. The details of the attack are presented as follows:

Step 2.2.

The adversary generates ${\overline{R}}_{Sn}^{new}$ and computes $\overline{x}={\overline{R}}_{Sn}^{new}\oplus N_g$ and $\overline{{\mathrm{Res}}_{\mathrm{Sn}}}=h(N_s^{*}|\left|\overline{x}\right||R_{Sn})$. Finally, A sends $\left\{N_s^{*},\overline{x},\overline{{\mathrm{Res}}_{\mathrm{Sn}}}\right\}$ to the gateway instead of $\left\{N_s^{*},x,{\mathrm{Res}}_{\mathrm{Sn}}\right\}$.

Upon receiving the message, $\left\{N_s^{*},\overline{x},\overline{{\mathrm{Res}}_{\mathrm{Sn}}}\right\}$, in Step 3 of this phase [27], the gateway verifies $\overline{{\mathrm{Res}}_{\mathrm{Sn}}}$ and computes $N_s=N_s^{*}\oplus h(R_{Sn}||N_g)$, $C_{Sn}^{new}=h(C_{Sn},N_s)$, and ${\overline{R}}_{Sn}^{new}=\overline{x}\oplus N_g$. Next, the gateway stores $\left\{C_{Sn}^{new},{\overline{R}}_{Sn}^{new}\right\}$ for the subsequent interactions with the sensor node Sn. Considering Step 2 of the next SPDC phase in Section III.E of [27], the sensor $Sn$ receives $\left\{C_{Sn}^{new},N_g^{*},{\mathrm{Res}}_{\mathrm{GW}}\right\}$, computes the PUF output $R_{Sn}^{new}=P_{Sn}(C_{Sn}^{new})$, and attempts to verify ${\mathrm{Res}}_{\mathrm{GW}}=h({\overline{R}}_{Sn}^{new}||N_g^{*})$ using the computed PUF output $R_{Sn}^{new}$. This verification will fail, and the sensor $Sn$ terminates the session due to the mismatch between $R_{Sn}^{new}$ and ${\overline{R}}_{Sn}^{new}$. Finally, to launch a MITM attack during the next SPDC phase, adversary A does not have to start the sensor node registration phase to obtain $R_{Sn}^{new}$, as this value was computed in Step 2.1 of the previous attack.

6.3. Attack Feasibility and Impact Assessment

The described attacks are practically feasible in industrial environments for several reasons [42]. Industrial sensor nodes are often deployed in areas accessible to maintenance personnel or visitors, providing opportunities for physical interaction during rogue registration [43]. The attacks require only passive interception of wireless communications, which can be accomplished using standard radio equipment without detection [44]. The cryptographic operations required for the attacks involve only hash computations and XOR operations, making them computationally trivial [45].

Multiple attacks can be coordinated for enhanced effectiveness. An adversary can mount MITM attacks against multiple sensors simultaneously after performing rogue registrations or combine MITM attacks with subsequent DoS attacks to maximize disruption [46]. The attacks pose serious risks to industrial operations including data integrity violations that could mislead control systems and operators, service availability disruption through disabled sensor nodes affecting monitoring and control capabilities, and safety implications where corrupted sensor data or disabled monitoring systems could lead to hazardous conditions in safety-critical applications [47].

The attacks are difficult to detect because they maintain normal protocol message flows while compromising the underlying cryptographic security [48]. The MITM attacks appear as legitimate authentication sessions, while DoS attacks manifest as apparent sensor malfunctions rather than obvious security breaches. This comprehensive security analysis demonstrates that Gope et al.’s protocol contains fundamental vulnerabilities that enable practical attacks against both confidentiality and availability in industrial wireless sensor network deployments, motivating the enhanced authentication scheme presented in the following section [34].

7. Proposed Enhanced Authentication Protocol

7.1. Design Rationale and Core Modification

Our main observation is that the absence of an authentication mechanism during the sensor node registration phase allows an adversary to pose a challenge ${\overline{C}}_{Sn}$ to the sensor and retrieve the corresponding PUF output, which leads to MITM and DoS attacks [49]. Although the use of secure channels protects the confidentiality and integrity of the transmitted data, this secure channel does not provide an authentication service, as discussed in Section 6.1 [50].

7.2. Modified Sensor Node Registration Phase

We suggest the following modifications to Steps 1 and 2 of the sensor node registration phase, which fundamentally restructure the security dynamics of the registration process [53], as illustrated in Figure 7.

Step 1.

The gateway sends a registration request $Q_{GW}$ to the sensor node $Sn$.

Step 2.

The sensor node generates a challenge $C_{Sn}$ and a set of new challenges $C_{Sn}^{syn}=\left\{c_1,\dots ,c_n\right\}$. Next, $Sn$ extracts the PUF outputs of $\left\{C_{Sn},C_{Sn}^{syn}\right\}$, namely, $R_{Sn}=P_{Sn}(C_{Sn})$ and $R_{Sn}^{syn}=P_{Sn}(C_{Sn}^{syn})$, and sends $\left\{(C_{Sn},R_{Sn}),(C_{Sn}^{syn}{R}_{Sn}^{syn})\right\}$ to the gateway through a secure channel.

These modifications prevent an adversary from challenging the sensor node during the sensor node registration phase, as the sensor node generates the random challenges and the corresponding PUF values for the gateway, which prevents MITM and DoS attacks.

7.3. Informal Security Justification of Modified Sensor Registration Phase

We now provide an informal justification that the sensor-initiated registration design of our scheme indeed prevents the MITM and DoS attacks identified in Section 4. The core idea is that by letting the sensor take the lead in the authentication handshake and by verifying cryptographic responses at each step, the scheme leaves no opportunity for an attacker to insert themselves or to overload the participants without being detected.

Man-in-the-Middle (MITM) Attack: Consider an adversary attempting to surreptitiously position itself between the sensor node and the gateway during the authentication process. In our protocol, the sensor begins by sending an initial message (including its identity and a random challenge nonce) to the gateway. The gateway must then respond with a message that proves its knowledge of the shared secret (for example, by computing a keyed cryptographic response such as a message authentication code (MAC) that incorporates the sensor’s nonce). An attacker intercepting the sensor’s initial message cannot forge a valid response to the sensor, since the attacker does not possess the legitimate secret key shared between that sensor and the gateway. Any fake or replayed response from the attacker will fail the verification at the sensor’s side, causing the sensor to abort the handshake. Meanwhile, if the attacker tries to impersonate the sensor toward the gateway, it would need to send a correctly formed initiation message (with valid credentials or cryptographic tags) to elicit a meaningful response from the gateway. Without the sensor’s secret data, the attacker cannot meet the gateway’s expected criteria (e.g., cannot produce a valid authentication token), and thus the gateway will reject the attempt. In summary, an adversary cannot successfully deceive both communicating parties into thinking they are talking to each other. The sensor will not accept an unverifiable gateway response, and the gateway will not accept an unverifiable sensor message. This mutual checking mechanism guarantees that a MITM attack cannot proceed beyond the initial exchange.

Denial-of-Service (DoS) Attack: An attacker might attempt to either drain the sensor’s battery by repeatedly triggering the authentication process or overwhelm the gateway by flooding it with spurious registration requests. Our sensor-initiated design addresses both of these DoS vectors.

In the first scenario, the adversary tries to spoof the gateway and constantly prompt the sensor to start authenticating (forcing the sensor to perform cryptographic operations endlessly). In our scheme, this attack is thwarted because the sensor does not respond to unsolicited authentication or registration messages. The protocol is only activated when the sensor itself decides to initiate a session. Therefore, a malicious entity cannot force the sensor to engage in the handshake at will, which protects the sensor from battery drainage via protocol abuse.

In the second scenario, an adversary floods the gateway with a high volume of fake initial messages purporting to be from sensors (either non-existent nodes or by replaying old registration requests). Our scheme mitigates this by requiring a valid cryptographic credential in the very first message of the handshake. The gateway performs a light verification (e.g., checking a message authentication code or nonce signature using the sensor’s shared key) on each incoming request before proceeding. If the check fails, the gateway immediately discards the request without executing any costly operations or storing state. In this way, even a large flood of bogus requests imposes only minimal overhead on the gateway. Legitimate sensors’ requests, on the other hand, carry the correct credentials and pass the check, ensuring that genuine authentication sessions can still proceed under attack. Hence, the protocol remains available to honest nodes and is resilient against DoS attempts aimed at exhausting computational or communication resources.

7.4. Comparative Analysis and Performance Considerations

For clarity,

Table 2. Comparison of original vs. proposed authentication scheme for IWSNs.

Aspect	Gope et al. [27] (Original)	Proposed Scheme
Challenge Generation	Gateway-initiated handshake. Sensor passively responds to gateway challenges.	Sensor-initiated handshake. Sensor generates and controls its own challenges.
MITM resistance	Vulnerable. No mechanism to prevent unauthorized PUF queries during registration.	Resistant. Sensor controls challenge generation, preventing rogue registrations.
DoS resistance	Vulnerable. Attackers can exploit unverified registration requests.	Resistant. Sensor ignores unsolicited requests; gateway performs lightweight verification.
Performance Overhead	Baseline	Negligible additional overhead (same message count, minimal computation)

provides a side-by-side comparison of the key differences between Gope et al.’s original scheme and our proposed scheme, highlighting how each approach handles sensor challenge generation and the resulting security properties.

The proposed scheme maintains the lightweight characteristics of the original protocol while providing substantial security improvements [56]. The modifications introduce minimal computational overhead, as sensor nodes only need to generate random challenges using existing pseudorandom number generators [57]. The PUF evaluation operations remain identical to the original protocol, ensuring no additional cryptographic overhead [58].

From a communication perspective, the enhanced registration phase requires the same number of messages as the original scheme, with only the direction of challenge flow being modified [59]. The total communication overhead remains essentially unchanged, preserving the efficiency essential for resource-constrained IWSN deployments [60].

The enhanced protocol maintains backward compatibility with the user registration, authentication, and SPDC phases of the original scheme [61]. This ensures that the security improvements do not disrupt the overall protocol operation or require extensive modifications to existing implementations [62]. The proposed enhancements retain the original protocol’s low computation and communication overhead, ensuring compatibility with the stringent resource constraints of IWSNs [63].

PUF Noise and Environmental Considerations: Our enhanced protocol maintains the same fault-tolerance properties as the original scheme since the sensor-initiated registration does not affect PUF evaluation operations. The protocol continues to support existing noise tolerance mechanisms such as fuzzy extractors and error correction codes that handle environmental variations affecting PUF stability. Challenge generation uses standard pseudorandom number generators rather than PUF operations, eliminating additional environmental sensitivity. Enhanced security is achieved through protocol restructuring rather than modified PUF handling, preserving all existing robustness mechanisms.

8. Security Analysis and Performance Evaluation

8.1. Security Properties of the Enhanced Scheme

The proposed enhanced authentication protocol achieves the security objectives established in Section 4.3 while addressing the vulnerabilities identified in Gope et al.’s original scheme [34]. Our security analysis demonstrates that the sensor-initiated registration mechanism provides robust protection against the attack vectors presented in Section 6 [35].

• Mutual Authentication: The enhanced protocol ensures mutual authentication between all communicating entities through the sensor-controlled challenge generation process [36]. During registration, sensor nodes generate unique challenges that must be properly handled by legitimate gateways, establishing the foundation for mutual verification in subsequent protocol phases. The authentication and SPDC phases maintain their original mutual authentication properties while benefiting from the strengthened registration foundation [37].
• Session Key Security: The protocol establishes cryptographically strong session keys that remain secure against the MITM attacks demonstrated in Section 6 [38]. Since adversaries cannot obtain unauthorized PUF responses through rogue registrations, they cannot derive the session keys SK and sk used in the authentication and SPDC phases, respectively. The session keys maintain their unpredictability and uniqueness properties from the original protocol [39].
• Forward Secrecy: The enhanced scheme preserves the forward secrecy properties of the original protocol [40]. Compromise of current session keys does not enable decryption of past communications, as each authentication session establishes fresh keys based on new nonces and PUF evaluations. The sensor-initiated registration does not affect this property since registration occurs infrequently compared to authentication sessions [41].
• Anonymity and Privacy: User anonymity and device unlinkability properties are maintained in the enhanced protocol [42]. The modifications affect only the sensor registration phase and do not alter the privacy-preserving mechanisms used in the authentication and data collection phases. Temporary identities and pseudo-identities continue to protect user and device privacy from external observers [43].

8.2. Attack Resistance Analysis

The enhanced protocol demonstrates strong resistance to the specific attacks identified in our cryptanalysis of the original scheme [44].

• MITM Attack Resistance: The sensor-initiated registration prevents MITM attacks by eliminating unauthorized PUF access [45]. Adversaries cannot perform rogue registrations because sensor nodes control the challenge generation process and only respond to legitimate registration requests. Without access to valid PUF challenge–response pairs, adversaries cannot derive the session keys required for MITM attacks during the authentication and SPDC phases. The mutual verification mechanisms ensure that any attempt to insert a malicious intermediary will be detected and rejected [46].
• DoS Attack Resistance: The enhanced scheme provides comprehensive protection against DoS attacks through multiple mechanisms [47]. First, sensor nodes cannot be forced to perform unwanted cryptographic operations because they only initiate registration when receiving legitimate requests from authorized gateways. Second, the gateway can quickly reject spurious registration requests without significant computational overhead by performing lightweight verification of incoming messages. Third, the protocol prevents the injection of false PUF responses that could corrupt the cryptographic state stored at gateways, eliminating the persistent DoS attacks demonstrated against the original scheme [48].
• Physical Attack Considerations: While sensor nodes may still be physically accessible to adversaries in industrial environments, the enhanced protocol limits the impact of physical compromise [34]. An adversary gaining physical access to a sensor cannot extract long-term secrets (since none are stored) and cannot force the sensor to reveal arbitrary PUF responses. The controlled challenge generation ensures that physical access does not automatically grant the ability to compromise other network communications [35].
• Replay Attack Resistance: The protocol maintains strong resistance to replay attacks through the use of fresh nonces and timestamps in each protocol session [36]. The sensor-initiated registration does not affect these properties, as the registration phase continues to use secure channels that provide replay protection. The authentication and SPDC phases retain their original replay resistance mechanisms [37].
• Physical Attack Considerations: While sensor nodes may still be physically accessible to adversaries in industrial environments, the enhanced protocol limits the impact of physical compromise. An adversary gaining physical access to a sensor cannot extract long-term secrets (since none are stored) and cannot force the sensor to reveal arbitrary PUF responses due to controlled challenge generation. The protocol maintains forward secrecy properties—compromise of current session keys does not enable decryption of past communications since each authentication session establishes fresh keys based on new nonces and PUF evaluations. However, physical capture of multiple sensors could potentially compromise their individual communications. The sensor-initiated registration ensures that physical access does not automatically grant the ability to compromise other network communications, which represents a significant improvement over the original protocol’s vulnerabilities.

8.3. Security Requirements Validation

To provide systematic validation of our security claims, we analyze how the enhanced protocol satisfies each security requirement established in Section 4.3 under the defined threat model.

• Requirement R1 (Mutual Authentication): The enhanced protocol ensures that all communicating parties can verify each other’s identity.
• Proof sketch: During registration, sensor S generates challenge $C_{Sn}$ and sends it with response to gateway GW. Only legitimate gateways can properly utilize this information in subsequent authentication phases. In the authentication phase, mutual verification occurs through challenge–response exchanges that depend on the securely established PUF challenge–response pairs. An adversary A without access to valid PUF responses cannot complete authentication with either party.
• Requirement R2 (Session Key Security): The protocol establishes unpredictable session keys resistant to derivation by adversaries.
• Proof sketch: Session keys are derived using PUF responses that are only available to legitimate parties due to the sensor-controlled registration process. Since adversary A cannot obtain PUF responses through rogue registration (as shown in Section 6.1), A cannot compute the required hash operations to derive session keys.
• Requirement R3 (DoS Resistance): The protocol remains available under denial-of-service attacks.
• Proof sketch: The enhanced design eliminates both DoS vectors identified in Section 6.1 (1) Battery drain attacks are prevented because sensors only respond to legitimate registration triggers, not arbitrary adversarial requests. (2) Gateway flooding attacks are mitigated through lightweight verification that quickly discards invalid requests without resource expenditure.
• Requirement R4 (Forward Secrecy): Compromise of current secrets does not affect past communications.
• Proof sketch: Each authentication session uses fresh nonces and establishes new session keys independent of previous sessions. The registration phase provides PUF challenge–response pairs but does not affect the session-specific key derivation process that ensures forward secrecy.

This systematic validation demonstrates that the enhanced protocol satisfies all security requirements under our threat model while maintaining the lightweight properties essential for IWSN deployments [38].

8.4. Formal Security Verification

To provide mathematical guarantees for the security improvements achieved by our enhanced protocol, we developed a comprehensive formal model using ProVerif 2.05 (GNU General Public License), a state-of-the-art cryptographic protocol verification tool. The formal analysis validates our theoretical security claims through automated verification of critical security properties.

8.4.1. Formal Model Design

Our ProVerif model captures the essential security properties of the enhanced authentication protocol while maintaining sufficient abstraction for tractable verification. The model includes principal types representing users, gateways, and sensor nodes with device-specific PUF capabilities, cryptographic primitives including hash functions and PUF evaluations marked as private functions to prevent adversarial computation, protocol phases including enhanced sensor registration and mutual authentication, persistent storage tables linking registration data to authentication processes, and security events tracking protocol execution and potential violations.

The key innovation of sensor-controlled challenge generation is modeled through the enhanced registration process where sensors generate their own PUF challenges rather than responding to gateway-initiated challenges. This fundamental change prevents the unauthorized PUF queries that enable attacks against the original protocol.

8.4.2. Security Properties Specification

We formalized five critical security properties for automated verification. Property 1 (Session Key Secrecy) ensures that session keys established between legitimate parties remain secret from adversaries despite network control, formally specified as query secret SK. Property 2 (Authentication Ordering) requires that session key establishment follows proper authentication sequence including both user and sensor authentication, specified as event(session_key_established(u,gw,sn,sk)) ⇒ (event(user_auth_initiated(u,tid,nu)) && event(sensor_authenticated_gateway(sn,gw,resp))).

Property 3 (Registration Prerequisite) ensures authentication sessions depend on prior secure registration with sensor-controlled challenges, specified as event(session_key_established(u,u,sn,sk)) ⇒ (event(sensor_registered_securely(sn,c_sn,r_sn)) && event(user_registered_securely(u,tid,c_u,r_u))). Property 4 (Entity Legitimacy) restricts secure sessions to authorized participants only, specified as event(session_key_established(u,u,sn,sk)) ⇒ (u = legitimate_user && sn = legitimate_sensor). Property 5 (Sensor Challenge Control) ensures PUF challenges are generated exclusively by legitimate sensor nodes, specified as event(sensor_controls_challenge(sn,c)) ⇒ (sn = legitimate_sensor).

8.4.3. Verification Results and Attack Prevention Validation

The automated ProVerif analysis successfully verified all specified security properties. Session Key Secrecy returned TRUE, confirming that adversaries cannot derive session keys despite controlling all network communications, which mathematically proves that our enhanced protocol prevents the session key compromise demonstrated in Section 6. Authentication Ordering returned TRUE, ensuring session establishment requires proper authentication sequence with no security bypasses in the protocol flow. Registration Prerequisite returned TRUE, mathematically proving that all authentication sessions depend on prior secure registration with sensor-controlled challenges, validating that our enhancement prevents rogue registration attacks.

Entity Legitimacy returned TRUE, confirming that only authorized users and sensors can participate in secure sessions, preventing adversarial impersonation. Sensor Challenge Control returned TRUE, formally validating that PUF challenges are generated and controlled exclusively by legitimate sensors, proving our core protocol innovation.

The formal verification confirms that our enhanced protocol successfully prevents the attacks identified in Section 6. MITM Attack Prevention is mathematically proven through the session key secrecy property, demonstrating that adversaries cannot derive session keys through the attack vectors shown against the original protocol. DoS Attack Prevention is validated through the combination of authentication ordering and sensor challenge control properties, proving that adversaries cannot force unauthorized PUF evaluations or disrupt legitimate protocol execution.

8.4.4. Model Validation and Industrial Deployment Significance

The ProVerif model accurately represents the core security mechanisms of our enhanced protocol while operating under standard cryptographic assumptions. PUFs are modeled as private, device-specific functions that cannot be computed by adversaries. Cryptographic hash functions are assumed to be secure one-way functions, and the adversary model follows the standard Dolev-Yao capabilities with network control but bounded computational power.

The successful formal verification provides industrial system designers with mathematical confidence in the protocol’s security properties. Unlike informal security analysis that may miss subtle vulnerabilities, the automated verification ensures that no attack paths exist within the defined threat model. This mathematical certainty is particularly valuable for mission-critical industrial applications where security failures can have severe operational and safety consequences.

The verification results demonstrate that our enhanced protocol maintains the lightweight computational characteristics essential for resource-constrained sensor deployments while providing provably stronger security guarantees than existing approaches. This combination of efficiency and proven security makes the protocol suitable for large-scale industrial wireless sensor network deployments where both performance and security are paramount. The complete ProVerif model and verification scripts are provided as Supplementary Material to enable reproducibility and further research, with verification completing in under 30 s on standard computing hardware.

8.5. Computational Complexity Analysis

The enhanced protocol maintains the computational efficiency of the original scheme while providing improved security properties [38]. The modifications introduce minimal additional computational overhead that remains well within the capabilities of resource-constrained sensor nodes [39].

• Sensor Node Computation: The primary additional computation required at sensor nodes is the generation of random challenges during registration [40]. This operation can be performed using lightweight pseudorandom number generators (PRNGs) that are typically already present in sensor hardware for other protocol operations. The computational cost of PRNG operations is negligible compared to PUF evaluations, which remain unchanged from the original protocol [41].
• Gateway Computation: Gateways experience no additional computational overhead during normal operations [42]. The registration phase requires the same PUF response processing as the original protocol, with the addition of lightweight verification operations for incoming registration requests. These verification operations involve simple hash computations or message authentication code (MAC) checks that impose minimal computational burden on gateway devices [43].
• PUF Operations: The number and complexity of PUF evaluations remain identical to the original protocol [44]. Sensor nodes perform the same PUF computations during registration, and no additional PUF operations are required during authentication or data collection phases. This ensures that the most computationally expensive operations in the protocol are not affected by the security enhancements [45].
• Cryptographic Operations: The enhanced protocol uses the same lightweight cryptographic primitives as the original scheme, including hash functions and XOR operations [46]. No additional cryptographic algorithms are introduced, maintaining the protocol’s suitability for resource-constrained environments. The cryptographic complexity remains at O(1) for individual operations and O(n) for protocol sessions involving n participants [47].

8.6. Communication Overhead Evaluation

The communication efficiency of the enhanced protocol is comparable to the original scheme, with no increase in message complexity or network overhead [48].

• Message Count: The enhanced registration phase maintains the same number of messages as the original protocol [34]. Step 1 involves sending a registration request (replacing the challenge message), Step 2 involves the sensor response with challenge–response pairs, and Step 3 involves gateway acknowledgment and identity assignment. The authentication and SPDC phases are unchanged, preserving their original message complexity [35].
• Message Size: The total size of messages exchanged during registration remains essentially unchanged [36]. The registration request message (Q_GW) is typically smaller than the original challenge message, while the sensor response message maintains the same size as it carries the same cryptographic content. The overall communication overhead is therefore not increased by the security enhancements [37].
• Network Traffic: The enhanced protocol does not generate additional network traffic during normal operations [38]. The registration phase occurs infrequently (typically only during initial device deployment), so any minor changes in registration message patterns have negligible impact on overall network utilization. The authentication and data collection phases, which constitute the majority of network traffic, remain unmodified [39].
• Bandwidth Requirements: The protocol maintains the same bandwidth requirements as the original scheme [40]. Industrial wireless sensor networks typically operate under strict bandwidth constraints, and the enhanced protocol ensures that these limitations are respected. The lightweight message structure continues to support efficient operation in bandwidth-limited environments [41].
• Scalability Considerations: The enhanced protocol maintains the same storage requirements as the original scheme. Gateways store the same PUF challenge–response $\left\{(C_{Sn},R_{Sn}),(C_{Sn}^{syn}{R}_{Sn}^{syn})\right\}$ for each sensor, with storage scaling linearly O(n) for n sensors. PUF challenge–response table lookup remains unchanged since the same data structures are used, with standard hash table implementations providing O(1) average lookup time. For deployments with hundreds of sensors per gateway, the storage overhead remains manageable (typically few KB per sensor for challenge–response pairs), and lookup latency is not impacted since our modifications only change the registration phase control flow without affecting operational data access patterns.

8.7. Energy Consumption and Battery Life Analysis

Energy efficiency is critical for battery-powered sensor nodes in industrial deployments, and our enhanced protocol maintains the energy characteristics of the original scheme [42].

• Registration Phase Energy: The additional computation required for challenge generation introduces minimal energy overhead [43]. Random number generation operations consume significantly less energy than radio transmission or PUF evaluation operations. The energy cost of the enhanced registration remains dominated by wireless communication rather than computational operations [44].
• Operational Phase Energy: The authentication and SPDC phases are unmodified in the enhanced protocol, ensuring that the energy consumption patterns during normal operation remain identical to the original scheme [45]. This preservation of operational energy efficiency is crucial for maintaining the expected battery life of deployed sensor nodes [46].
• Lifetime Impact: Analysis indicates that the energy overhead introduced by the enhanced registration has negligible impact on overall sensor battery life [47]. Since registration occurs infrequently compared to authentication and data collection operations, the additional energy consumption represents a minimal fraction of total device energy usage. The enhanced security properties are therefore achieved without compromising the multi-year operational lifetimes expected from industrial sensor deployments [48].
• Comparative Analysis: When compared to alternative security enhancement approaches that might require additional cryptographic operations or increased message exchanges, our sensor-initiated registration provides superior energy efficiency [34]. The protocol modifications achieve substantial security improvements while maintaining the energy characteristics that make the original protocol suitable for resource-constrained industrial applications [35].

9. Conclusions

This paper presented a comprehensive security analysis of Gope et al.’s PUF-based authentication protocol for Industrial Wireless Sensor Networks (IWSNs), revealing critical vulnerabilities that enable Man-in-the-Middle (MITM) and Denial-of-Service (DoS) attacks [49]. We demonstrated that the absence of authentication mechanisms during sensor registration allows adversaries to perform unauthorized PUF queries, leading to session key compromise and permanent service disruption [50].

To address these vulnerabilities, we proposed an enhanced sensor-initiated registration mechanism that transfers control of challenge generation to sensor nodes themselves [51]. This modification prevents unauthorized PUF access while preserving the lightweight characteristics essential for resource-constrained IWSN deployments [52]. Security analysis confirms that the enhanced scheme satisfies all required security properties including mutual authentication, session key security, and DoS resistance [53].

Performance evaluation demonstrates that the proposed improvements introduce negligible computational and communication overhead compared to the original protocol [54]. The enhanced security properties are achieved through protocol restructuring rather than additional cryptographic operations, ensuring continued suitability for industrial sensor networks [55].

The sensor-initiated approach addresses the fundamental security paradox in PUF-based protocols where traditional secure channel methods cannot simultaneously satisfy security requirements and resource constraints [56]. Our systematic analysis provides a practical solution for protecting critical industrial infrastructure while maintaining operational efficiency required for real-time monitoring and control applications [57].

Future work will focus on implementing the protocol on real-world sensor platforms such as TelosB or STM32-based nodes to provide concrete performance measurements and validate the analytical results in practical deployments. Additionally, the approach will be extended to support hierarchical network topologies and multi-gateway architectures [58]. This research strengthens the security foundation for Industry 4.0 deployments and demonstrates that significant security improvements can be achieved through careful protocol design [59].