A Light and Anonymous Three-Factor Authentication Protocol for Wireless Sensor Networks

Abstract

Recently, wireless sensor networks (WSNs) have been widely used in a variety of fields, and make people’s lives more convenient and efficient. However, WSNs are usually deployed in a harsh and insecure environment. Furthermore, sensors with limited hardware resources have a low capacity for data processing and communication. For these reasons, research on efficient and secure real-time authentication and key agreement protocols based on the characteristics of WSNs has gradually attracted the attention of academics. Although many schemes have been proposed, most of them cannot achieve all known security features with satisfactory performance, among which anonymity, N-Factor security, and forward secrecy are the most vulnerable. In order to solve these shortcomings, we propose a new lightweight and anonymous three-factor authentication scheme based on symmetric cryptographic primitives for WSNs. By using the automated security verification tool ProVerif, BAN-logic verification, and an informal security analysis, we prove that our proposed scheme is secure and realizes all known security features in WSNs. Moreover, we show that our proposed scheme is practical and efficient through the comparison of security features and performance.

1. Introduction

A wireless sensor network (WSN) is a distributed and self-organizing sensor network, which is composed of a large number of sensor nodes that can perceive and understand the external world. In WSNs, sensor nodes cooperate to sense, collect, and process information in the network coverage area and send it to the gateway node. In recent years, WSNs have been widely used in various practical applications in industrial and agricultural fields [1,2,3,4], such as temperature monitoring in agriculture, power consumption monitoring in smart grids, and human health monitoring in medical care. In these application environments, many scattered users, various randomly distributed sensor nodes, and one or more relatively powerful gateway nodes form a powerful network system. For example, in the field of health care, the sensors deployed on the patient’s body can monitor and obtain the patient’s body data, and the medical staff can directly and remotely obtain the patient’s current body temperature, blood pressure, pulse times, and other information in real-time through the wireless sensor network, so as to improve the health status of healthy patients. Figure 1 shows the network architecture of WSNs.

Figure 1. Network model of wireless sensor networks.

However, when sensor nodes are active in an unattended or hostile wireless network environment, attackers can easily intercept, delete, and modify transmission messages and launch various attacks [5]. Therefore, the network security and privacy of these sensors become very critical. In order to ensure that only authorized legitimate users can access sensors and protect the communication security of real-time sensing data, it is extremely necessary for users and sensors to authenticate each other directly. Moreover, they also need to be able to establish a session key to ensure the security of future communication. Authentication and key agreement protocols are effective ways to achieve these goals. However, due to the limited resources of sensor nodes, an authentication protocol based on complex asymmetric cryptographic primitives is difficult to apply to wireless sensor networks. Therefore, the balance between security and performance is highly significant for the design of identity authentication protocols in the wireless sensor network environment.

Lamport proposed the first password-based authentication and key agreement protocol in 1980 [6], and, since then, research on authentication protocols has been a hot topic. In recent years, research on authentication and key agreement protocols in WSNs has been conducted [7,8,9,10,11,12,13,14,15,16,17,18]. In 2006, Wong et al. [19] proposed a lightweight password-based authentication scheme for WSNs. However, Das et al. point out that Wong et al.’s scheme cannot resist replay attacks and stolen-verifier attacks [20]. Furthermore, Das et al. put forward an improved scheme. Unfortunately, there are also many security flaws in Das et al.’s scheme [21,22]. Based on Farash et al.’s scheme [23], Amin et al. provided an anonymity three-factor authentication scheme [24] for WSNs in 2016. However, Jiang et al. found that the scheme could not resist smart card stolen attacks and known session-specific temporary information attacks [25]. Although many schemes have been proposed, most of them cannot achieve all known security features with satisfactory performance.

In 2019, Shin et al. proposed a lightweight three-factor authentication and key agreement protocol for WSNs [26] and claimed that the protocol can achieve all known security features with satisfactory performance. This article analyzes Shin et al.’s scheme. It is found that their scheme is vulnerable to de-synchronization attacks and cannot achieve forward secrecy and three-factor security.

Our crucial contributions are as follows:

• We review and analyze Shin et al.’s three-factor authentication scheme for WSNs. Further, we show that their scheme is vulnerable to de-synchronization attacks and cannot achieve forward secrecy and three-factor security.
• We present a new, lightweight anonymous three-factor authentication with perfect forward secrecy in WSNs. The operation of the scheme is based on a symmetric cryptosystem, so the computational overhead of the scheme is lightweight and the scheme is suitable for WSNs. The new scheme can achieve all known strong security functions with satisfactory performance, including anonymity, perfect forward secrecy, n-factor security, and so on.
• By using the automated security verification tool ProVerif and BAN-logic, we prove that our proposed scheme is secure and realizes the mutual authentication of communication participants in WSNs.
• Through the comparison of security features and performance, it can be found that our proposed scheme is practical.

The rest of this paper is organized as follows. We introduce the relevant preliminaries in Section 2 and review the scheme of Shin et al. in Section 3. In Section 4, the scheme of Shin et al. is subjected to cryptanalysis and the attack method is given. The new scheme is proposed in Section 5, and the security analysis and performance analysis of the new scheme are carried out in Section 6 and Section 7, respectively. Section 8 summarizes the paper.

2. Preliminaries

2.1. Fuzzy Extractor

At different times, there may be subtle differences in the biometrics extracted by the same user. The fuzzy extractor can eliminate these subtle differences. In other words, the fuzzy extractor can produce the same output even if the inputs are slightly different. Fuzzy logic is widely used in supply chains and healthcare logistics [27,28,29]. The fuzzy extractor consists of two parts:

• ${\mathit{GEN}(\mathit{Bio}}_i{)=(b}_i{,\mathit{pair}}_i)$, with ${\mathit{Bio}}_i$. as input, the probability generation mechanism $\mathit{GEN}$ outputs a random string $b_i$ and a random helper string ${\mathit{pair}}_i$.
• ${\mathit{REP}(\mathit{Bio}}_i^{\prime }{,\mathit{pair}}_i{)=b}_i$, with ${\mathit{Bio}}_i^{\prime }$ and ${\mathit{pair}}_i$ as inputs, the deterministic mechanism $\mathit{REP}$ can regenerate $b_i$, where ${\mathit{dis}(\mathit{Bio}}_i^{\prime }{,\mathit{Bio}}_i)\le \Delta t$.

2.2. Adversary Model

In this paper, we adopt the most rigorous (but practical) adversary model proposed by Wang et al. [30] and Huang et al. [31]. Table 1 shows the capabilities of the adversary, $A$.

Table 1. The capabilities of the adversary.

Symbol	Description
C1	$A$ can enumerate every possibility of user identity and password.
C2	$A$ can eavesdrop, intercept, insert, delete, or block messages transmitted in the public channel.
C3	For a three-factor protocol (password, smart card, and biometric), $A$ can capture two of the authentication factors simultaneously.
C4	Expired session keys can be captured.
C5	$A$ can obtain the long-term private keys of users, GWNs, or sensors (only when evaluating forward secrecy).

2.3. Notations

The notations used thereinafter are listed in Table 2.

Table 2. Notations.

Symbol	Description
GWN	Gateway Node
$U_i$	User
${\mathit{ID}}_i$	Identification of $U_i$
${\mathit{PW}}_i$	Password of $U_i$
${\mathit{SC}}_i$	Smart card of $U_i$
${\mathit{Bio}}_i$	Biometric of $U_i$
$b_i$	Random string generated by a fuzzy extractor
${\mathit{pair}}_i$	Random helper string generated by a fuzzy extractor
${\mathit{PID}}_i$	Pseudo identification of $U_i$
$S_j$	Sensor Node
${\mathit{SID}}_j$	Identification of $S_j$
${\mathit{SK}}_{\mathit{ij}}$	Session Key of $U_i$ and $S_j$
$T_1{,T}_2{,T}_3{,T}_4$	Timestamp
$⨁$	XOR Operation
H(*)/h(*)	Hash Function
$||$	Concatenation operation

3. Revisiting of Shin et al.’s Scheme

In 2019, Sooyeon Shin et al. proposed a lightweight anonymous three-factor authentication protocol for micro-sensors in wireless sensor networks [26]. Taking their protocol as an example, we analyze and point out the security defects of such authentication protocols.

Shin et al.’s protocol consists of four phases: the initialization phase, registration phase, authentication phase, and password update phase. The system completes the selection of parameters and encryption algorithm in the initialization phase. The registration phase realizes user registration and the distribution of smart cards. The authentication phase completes the mutual authentication and session key agreement between the user and the sensor. It should be noted that the communication channel in the authentication phase is public and insecure.

The specific process of the agreement is as follows:

3.1. Initialization Phase

Step 1: The GWN selects $K_U{,K}_S$ as master secrets and stores them safely.

Step 2: For sensor $S_j$, the GWN chooses ${\mathit{SID}}_j$ as the identity of $S_j$ and calculates $X_{S_j}{=h(\mathit{SID}}_j||K_S)$.

Step 3: The sensor $S_j$ stores $X_{S_j}$ secretly.

3.2. User Registration Phase

Step 1: The user $U_i$. selects his identity ${\mathit{ID}}_i$ and password ${\mathit{PW}}_i$ and imprints ${\mathit{Bio}}_i$. Then, $U_i$ chooses a random number $u_i$ and calculates ${\mathit{GEN}(\mathit{Bio}}_i{)=(b}_i{,\mathit{pair}}_i)$, ${\mathit{HPW}}_i{=h(\mathit{PW}}_i||b_i)$, and ${\mathit{TID}}_i{=h(\mathit{ID}}_i||u_i)$. Further, $U_i$ sends the registration request ${\{\mathit{TID}}_i{,\mathit{HPW}}_i\}$ towards the GWN via a private secure channel.

Step 2: The GWN receives ${\{\mathit{TID}}_i{,\mathit{HPW}}_i\}$ and freely chooses ${\mathit{PID}}_i^1$. as a pseudonym. Then, the GWN calculates ${\mathit{HID}}_i{=h(\mathit{TID}}_i||K_U)$, $A_i{ =h(\mathit{HPW}}_i||{\mathit{TID}}_i)⨁{\mathit{HID}}_i$, $B_i{ =h(\mathit{HPW}}_i||{\mathit{HID}}_i)$, and $C_i^1{ =h(\mathit{TID}}_i||{\mathit{HID}}_i)⨁{\mathit{PID}}_i^1$. Then, the GWN writes ${\{A}_i{,B}_i{,C}_i^1\}$ into ${\mathit{SC}}_i$. and stores ${(\mathit{PID}}_i^1{,\mathit{TID}}_i)$. Finally, the GWN transmits ${\mathit{SC}}_i$ towards $U_i$ via a private, secure channel.

Step 3: $U_i$ receives ${\mathit{SC}}_i$ and calculates $D_i{=u}_i⨁{h(\mathit{ID}}_i||b_i)$. Finally, $U_i$ write ${\{D}_i{,\mathit{pair}}_i\}$ into ${\mathit{SC}}_i$.

The process of the User registration phase is shown in Figure 2.

Figure 2. User registration phase of Shin et al.’s scheme.

3.3. Authentication Phase

Step 1: $U_i$ inserts ${\mathit{SC}}_i$, inputs ${\mathit{ID}}_i$ and ${\mathit{PW}}_i$, and imprints ${\mathit{Bio}}_i$. ${\mathit{SC}}_i$ calculates $b_i{=\mathit{REP}(\mathit{Bio}}_i{,\mathit{pair}}_i)$, $u_i{=D}_i⨁{h(\mathit{ID}}_i||b_i)$, ${\mathit{TID}}_i{=h(\mathit{ID}}_i||u_i)$, ${\mathit{HPW}}_i^{\ast }{=h(\mathit{PW}}_i||b_i)$, ${\mathit{HID}}_i^{\ast }{=A}_i⨁{h(\mathit{HPW}}_i^{\ast }||{\mathit{TID}}_i)$, and $B_i^{\ast }{=h(\mathit{HPW}}_i^{\ast }||{\mathit{HID}}_i^{\ast })$ and verifies the equality check for $B_i{?=B}_i^{\ast }$. If it does not hold true, ${\mathit{SC}}_i$ rejects the login request. Otherwise, ${\mathit{SC}}_i$ generates a random number $r_i$ and the current timestamp $T_1$, and calculates ${\mathit{PID}}_i^1{=C}_i^1⨁{h(\mathit{TID}}_i||{\mathit{HID}}_i^{\ast })$, $R_i{=h(\mathit{TID}}_i||{\mathit{PID}}_i^1||r_i)$, $M_i{=r}_i⨁{h(\mathit{TID}}_i||{\mathit{HID}}_i^{\ast }||T_1)$, and $M_{\mathit{UG}}{=h(\mathit{TID}}_i||{\mathit{HID}}_i^{\ast }||{\mathit{PID}}_i^1||R_i||T_1)$. Finally, ${\mathit{SC}}_i$ transmits the login request ${\{\mathit{PID}}_i^1{,M}_i{,M}_{\mathit{UG}},T_1\}$ towards the GWN.

Step 2: The GWN receives ${\{\mathit{PID}}_i^1{,M}_i{,M}_{\mathit{UG}},T_1\}$ and checks the validity of $T_1$. Then, the GWN searches ${(\mathit{PID}}_i^1{,\mathit{TID}}_i)$ in memory using ${\mathit{PID}}_i^1$ and calculates ${\mathit{HID}}_i^{\ast }{=h(\mathit{TID}}_i||K_U)$, $r_i^{\ast }{=M}_i⨁{h(\mathit{TID}}_i||{\mathit{HID}}_i^{\ast }||T_1)$, $R_i^{\ast }{=h(\mathit{TID}}_i||{\mathit{PID}}_i^1||r_i^{\ast })$, and $M_{\mathit{UG}}^{\ast }{=h(\mathit{TID}}_i||{\mathit{HID}}_i^{\ast }||{\mathit{PID}}_i^1||R_i^{\ast }||T_1)$. Further, the GWN checks the equality of $M_{\mathit{UG}}^{\ast }{?=M}_{\mathit{UG}}$. If it does not hold true, the GWN rejects the login request. Otherwise, the GWN selects ${\mathit{SID}}_j$, generates the current timestamp $T_2$, and calculates $X_{S_j}{=h(\mathit{SID}}_j||K_S)$, $M_G{=R}_i^{\ast }⨁{h(X}_{S_j}||T_2)$, and $M_{\mathrm{GS}}{=h(\mathit{PID}}_i^1||{\mathit{SID}}_j||X_{S_j}||R_i^{\ast }||T_2)$. Finally, the GWN transmits ${\{\mathit{PID}}_i^1{,M}_G{,M}_{\mathrm{GS}}{,T}_2\}$ towards $S_j$.

Step 3: Upon the reception of ${\{\mathit{PID}}_i^1{,M}_G{,M}_{\mathrm{GS}}{,T}_2\}$ from the GWN, $S_j$ checks whether $T_2$ is a valid timestamp. Then, $S_j$ calculates $R_i^{\ast }{=M}_G⨁{h(X}_{S_j}||T_2)$ and $M_{\mathrm{GS}}^{\ast }{=h(\mathit{PID}}_i^1||{\mathit{SID}}_j||X_{S_j}||R_i^{\ast }||T_2)$ and verifies the equality check $M_{\mathrm{GS}}^{\ast }{?=M}_{\mathrm{GS}}$. If the verification fails, $S_j$ aborts the session. Otherwise, $S_j$ generates a random number $r_j$ and the current timestamp $T_3$, and calculates $R_j{=h(\mathit{SID}}_j||r_j)$, $M_j{=r}_j⨁{h(X}_{S_j}||T_3)$, ${\mathit{SK}}_{\mathit{ij}}{=h(R}_i^{\ast }||R_j)$, $M_{\mathrm{SG}}{=h(\mathit{PID}}_i^1||{\mathit{SID}}_j||X_{S_j}||R_j||{\mathit{SK}}_{\mathit{ij}}||T_3)$. Finally, $S_j$ sends ${\{M}_j{,M}_{\mathrm{SG}}{,T}_3\}$ back to the GWN.

Step 4: The GWN receives ${\{M}_j{,M}_{\mathrm{SG}}{,T}_3\}$ and checks the validity of $T_3$. Then, the GWN calculates $r_j^{\ast }{=M}_j⨁{h(X}_{S_j}||T_3)$, $R_j^{\ast }{=h(\mathit{SID}}_j||r_j^{\ast })$,${\mathit{SK}}_{\mathit{ij}}^{\ast }{=h(R}_i^{\ast }||R_j^{\ast })$, and $M_{\mathrm{SG}}^{\ast }{=h(\mathit{PID}}_i^1||{\mathit{SID}}_j||X_{S_j}||R_j^{\ast }||{\mathit{SK}}_{\mathit{ij}}^{\ast }||T_3)$ and verifies the equality check $M_{\mathrm{SG}}^{\ast }{?=M}_{\mathrm{SG}}$. If the verification fails, the GWN aborts the session. Otherwise, the GWN generates the current timestamp $T_4$ and a new pseudonym ${\mathit{PID}}_i^2$, and calculates $C_i^2{=h(\mathit{TID}}_i||{\mathit{HID}}_i^{\ast })⨁{\mathit{PID}}_i^2$, $p_i^2{=C}_i^2⨁{h(\mathit{HID}}_i^{\ast }||T_4)$, $M_G^{\prime }{=R}_j^{\ast }⨁{h(\mathit{PID}}_i^1||{\mathit{HID}}_i^{\ast })$, and $M_{\mathrm{GU}}{=h(\mathit{PID}}_i^1||{\mathit{HID}}_i^{\ast }||C_i^2||R_j^{\ast }||{\mathit{SK}}_{\mathit{ij}}^{\ast }||T_4)$. Finally, the GWN sends ${\{p}_i^2{,M}_G^{\prime }{,M}_{\mathrm{GU}}{,T}_4\}$ back to $U_i$. and replaces ${\mathit{PID}}_i^1$ with ${\mathit{PID}}_i^2$ in memory.

Step 5: $U_i$ receives ${\{p}_i^2{,M}_G^{\prime }{,M}_{\mathrm{GU}}{,T}_4\}$ and checks whether $T_4$ is a valid timestamp. Then, $U_i$ calculates $R_j^{\ast }{=M}_G^{\prime }⨁{h(\mathit{PID}}_i^1||{\mathit{HID}}_i^{\ast })$, ${\mathit{SK}}_{\mathit{ij}}^{\ast }{=h(R}_i||R_j^{\ast })$, $C_i^2{=p}_i^2⨁{h(\mathit{HID}}_i^{\ast }||T_4)$, and $M_{\mathrm{GU}}^{\ast }{=h(\mathit{PID}}_i^1||{\mathit{HID}}_i^{\ast }||C_i^2||R_j^{\ast }||{\mathit{SK}}_{\mathit{ij}}^{\ast }||T_4)$ and checks the equality of $M_{\mathrm{GU}}^{\ast }{?=M}_{\mathrm{GU}}$. If it holds true, $U_i$ replaces $C_i^1$ with $C_i^2$ in ${\mathit{SC}}_i$.

The process of the authentication phase is shown in Figure 3.

Figure 3. Authentication phase of Shin et al.’s scheme.

3.4. Password Update Phase

Step 1: $U_i$ inserts ${\mathit{SC}}_i$ to the reader, inputs ${\mathit{ID}}_i$ and ${\mathit{PW}}_i$, and imprints ${\mathit{Bio}}_i$.

Step 2: ${\mathit{SC}}_i$ calculates $b_i{=\mathit{REP}(\mathit{Bio}}_i {,\mathit{pair}}_i)$, $u_i{=D}_i⨁{h(\mathit{ID}}_i||b_i)$, ${\mathit{TID}}_i{=h(\mathit{ID}}_i||u_i)$, ${\mathit{HPW}}_i^{\ast }{=h(\mathit{PW}}_i||b_i)$, ${\mathit{HID}}_i^{\ast }{=A}_i⨁{h(\mathit{HPW}}_i^{\ast }||{\mathit{TID}}_i)$, and $B_i^{\ast }{=h(\mathit{HPW}}_i^{\ast }||{\mathit{HID}}_i^{\ast })$ and verifies the equality check for $B_i{?=B}_i^{\ast }$. If it does not hold true, ${\mathit{SC}}_i$ rejects the request. Otherwise, $U_i$ inputs a new password ${\mathit{PW}}_i^{\mathit{new}}$.

Step 3: ${\mathit{SC}}_i$ calculates ${\mathit{HPW}}_i^{\mathit{new}}{=h(\mathit{PW}}_i^{\mathit{new}}||b_i)$, $A_i^{\mathit{new}}{=h(\mathit{HPW}}_i^{\mathit{new}}||{\mathit{TID}}_i)⨁{\mathit{HID}}_i^{\ast }$, and $B_i^{\mathit{new}}{=h(\mathit{HPW}}_i^{\mathit{new}}||{\mathit{HID}}_i^{\ast })$. At last, ${\mathit{SC}}_i$ replaces $A_i$ and $B_i$ with $A_i^{\mathit{new}}$ and $B_i^{\mathit{new}}$, respectively.

4. Cryptanalysis of Shin et al.’s Scheme

We show that Shin et al.’s scheme is vulnerable to de-synchronization attacks and can not achieve forward secrecy and three-factor security in this section.

4.1. De-Synchronization Attack

Suppose that an adversary blocks ${\{p}_i^2{,M}_G^{\prime }{,M}_{\mathrm{GU}}{,T}_4\}$, which is sent from the GWN to $U_i$. On the side of the GWN, the pseudonym of $U_i$ is ${\mathit{PID}}_i^2$ at this point. However, $U_i$ is unable to obtain $C_i^2$ without ${\{p}_i^2{,M}_G^{\prime }{,M}_{\mathrm{GU}}{,T}_4\}$. Thus, the pseudonyms on the side of $U_i$ and the GWN become out of synchronization. When $U_i$ wants to access a sensor node through the GWN in the next session, the GWN will reject $U_i$’s login request. Therefore, Shin et al.’s scheme is vulnerable to de-synchronization attacks.

4.2. Forward Secrecy

Suppose that an adversary occasionally obtains $X_{S_j}$, which is the long-term private key of $S_j$. Furthermore, the adversary intercepted ${\{\mathit{PID}}_i^1{,M}_G{,M}_{\mathrm{GS}}{,T}_2\}$ and ${\{M}_j{,M}_{\mathrm{SG}}{,T}_3\}$ in the previous session of $U_i$ and $S_j$. The adversary could obtain the previous session key of $U_i$ and $S_j$ via following steps.

Step 1: The adversary calculates $R_i^{\ast }{=M}_G⨁{h(X}_{S_j}||T_2)$, $r_j^{\ast }{=M}_j⨁{h(X}_{S_j}||T_3)$, and $R_j^{\ast }{=h(\mathit{SID}}_j||r_j^{\ast })$.

Step 2: The adversary obtains the previous session key of $U_i$ and $S_j$, ${\mathit{SK}}_{\mathit{ij}}{=h(R}_i^{\ast }||R_j^{\ast })$.

Therefore, Shin et al.’s scheme can not achieve forward secrecy.

4.3. Three-Factor Security

For a three-factor authentication scheme, when two of the authentication factors are captured by an adversary, it is necessary to ensure that the remaining authentication factor is still secure. Suppose that an adversary captures $U_i$’s smart card ${\mathit{SC}}_i$ and biometric ${\mathit{Bio}}_i$ simultaneously. The adversary is able to obtain the password of $U_i$ via the following steps.

Step 1: The adversary extracts ${\{A}_i{,B}_i{,C}_i^1{,D}_i{,\mathit{pair}}_i\}$ from ${\mathit{SC}}_i$ using side-channel technology and calculates $b_i=\mathit{REP}({\mathit{Bio}}_i{,\mathit{pair}}_i)$.

Step 2: The adversary guesses a candidate identity ${\mathit{ID}}_i^{\ast }$ and a candidate password ${\mathit{PW}}_i^{\ast }$ from $D_{\mathit{id}}$ and $D_{\mathit{pw}}$, where $D_{\mathit{id}}$ and $D_{\mathit{pw}}$ are user identity space and password space, respectively.

Step 3: The adversary calculates $u_i^{\ast }{=D}_i⨁{h(\mathit{ID}}_i^{\ast }||b_i)$, ${\mathit{TID}}_i^{\ast }{=h(\mathit{ID}}_i^{\ast }||u_i^{\ast })$, ${\mathit{HPW}}_i^{\ast }{=h(\mathit{PW}}_i^{\ast }||b_i)$, ${\mathit{HID}}_i^{\ast }{=A}_i⨁{h(\mathit{HPW}}_i^{\ast }||{\mathit{TID}}_i^{\ast })$, and $B_i^{\ast }{=h(\mathit{HPW}}_i^{\ast }||{\mathit{HID}}_i^{\ast })$.

Step 4: The adversary checks whether $B_i{?=B}_i^{\ast }$ holds. If not, the adversary repeats Steps 2–4 until he acquires the true password. Otherwise, the adversary succeeds in obtaining the true password of $U_i$.

The computational overhead of this attack is ${(5T}_h+{2T}_{\mathit{xor}})\ast |D_{\mathit{id}}|\ast |D_{\mathit{pw}}|$, where $T_h$ is the running time of the one-way hash function, $T_{\mathit{xor}}$ is the running time of the XOR operation, and $D_{\mathit{id}}$ and $D_{\mathit{pw}}$ are the spaces of user identity and password, respectively. According to the literature [20], we know that $|D_{\mathit{id}}|\le |D_{\mathit{pw}}|\le {10}^6$. According to the experimental data from the literature [32], $T_h\approx 0.591\mathsf{\mu }\mathrm{s}$, $T_{\mathit{xor}}\approx 0.006\mathsf{\mu }\mathrm{s}$. The adversary can break the password of $U_i$ in 35 days. If you use a high-performance cloud computing platform, the password will be cracked within a few hours.

5. The Proposed Scheme

The proposed protocol includes the following phases: initialization phase, user registration phase, sensor node registration phase, authentication phase, password, and biometric update phase.

The detailed description of the agreement is as follows:

5.1. Initialization Phase

The gateway node GWN creates two information tables in its memory (UserInfoTable and SensorInfoTable), which is used to store relevant information of users and sensors. Then, the GWN freely chooses two master keys, $K_u$ and $K_s$, and two secure hash functions, ${h:\{0,1\}}^{\ast }⨁{\{0,1\}}^{128}$ and ${H:\{0,1\}}^{\ast }⨁{\{0,1\}}^{256}$.

5.2. Sensor Registration Phase

The sensor registration phase is completed by the gateway node GWN. The GWN selects a unique identity ${\mathit{SID}}_j$ for each sensor node and calculates $X_{S_j}{=h(\mathit{SID}}_j||K_s)$. Furthermore, GWN selects two random integers, $n_j$ and c, defines and sets $N_j{=\mathit{NG}}_j=c$. Then, the GWN inserts the ${\{\mathit{SID}}_j{,\mathit{NG}}_j{,X}_{S_j}{,n}_j\}$ into SensorInfoTable in its memory. Before $S_j$ is deployed, the GWN stores ${\{\mathit{SID}}_j{,N}_j{,X}_{S_j}{,n}_j\}$ into $S_j$.

5.3. User Registration Phase

Step 1: $U_i$ chooses ${\mathit{ID}}_i$ and ${\mathit{PW}}_i$ freely, imprints ${\mathit{Bio}}_i$. Then $U_i$ calculates ${\mathit{GEN}(\mathit{Bio}}_i) {=(b}_i{,\mathit{pair}}_i)$, ${\mathit{HPW}}_i{=h(\mathit{PW}}_i{||b}_i)$, and ${\mathit{TID}}_i{=h(\mathit{ID}}_i)$. Finally, $U_i$ sends the registration request ${\{\mathit{TID}}_i{,\mathit{HPW}}_i\}$ towards the GWN via a private secure channel.

Step 2: The GWN receives ${\{\mathit{TID}}_i{,\mathit{HPW}}_i\}$ and checks if UserInfoTable() contains the element ${(\mathit{TID}}_i, \ast , \ast , \ast , \ast )$. If yes, the GWN rejects the registration request of $U_i$. Otherwise, the GWN chooses $a,b$ randomly, and sets ${\mathit{NC}}_i=a$, ${\mathit{PID}}_i{=\mathit{PID}}_i^{\mathit{new}}=b$, ${\mathit{PID}}_i^{\mathit{old}}=\mathit{Null}$. Then, the GWN calculates ${\mathit{HID}}_i{=h(\mathit{TID}}_i||K_u)$, $A_i{=h(\mathit{HPW}}_i||{\mathit{TID}}_i)⨁{\mathit{HID}}_i$, $B_i{=h(\mathit{HPW}}_i||{\mathit{HID}}_i)\mathit{mod}n$, and $C_i{=h(\mathit{TID}}_i||{\mathit{HID}}_i)⨁{\mathit{PID}}_i$, where $2^4\le n\le 2^8$ is an integer to determine the size of $(\mathit{ID},\mathit{PW})$, and inserts the element ${(\mathit{PID}}_i^{\mathit{new}}, {\mathit{PID}}_i^{\mathit{old}}{,\mathit{TID}}_i{,\mathit{NC}}_i)$ into table UserInfoTable. Further, the GWN writes ${\{A}_i{,b}_i{,C}_i{,\mathit{NC}}_i,h(\cdot ),H(\cdot )\}$ into ${\mathit{SC}}_i$, and transmits ${\mathit{SC}}_i$ towards $U_i$ via a private secure channel.

Step 3: $U_i$ receives ${\mathit{SC}}_i$, and defines and sets $\mathit{flag}=0$. Finally, $U_i$ writes ${\{\mathit{pair}}_i,\mathit{flag},\mathit{GEN}(\cdot ),\mathit{REP}(\cdot )\}$ into ${\mathit{SC}}_i$.

The process of the user registration phase is shown in Figure 4.

Figure 4. User registration phase of the proposed scheme.

5.4. Authentication Phase

Step 1: $U_i$ inserts ${\mathit{SC}}_i$, inputs ${\mathit{ID}}_i$ and ${\mathit{PW}}_i$, and imprints ${\mathit{Bio}}_i$. ${\mathit{SC}}_i$ calculates $b_i{=\mathit{REP}(\mathit{Bio}}_i{,\mathit{pair}}_i)$, ${\mathit{TID}}_i{=h(\mathit{ID}}_i)$, ${\mathit{HPW}}_i^{\ast }{=h(\mathit{PW}}_i{||b}_i)$, ${\mathit{HID}}_i^{\ast }{=A}_i⨁{h(\mathit{HPW}}_i^{\ast }||{\mathit{TID}}_i)$, and $B_i^{\ast }{=h(\mathit{HPW}}_i^{\ast }||{\mathit{HID}}_i^{\ast })\mathit{mod}n$ and verifies the equality check for $B_i^{\ast }{?=B}_i$. If it does not hold true, ${\mathit{SC}}_i$ rejects the login request. Otherwise, ${\mathit{SC}}_i$ checks if $\mathit{flag}?=0$ holds. If yes, ${\mathit{SC}}_i$ updates ${\mathit{NC}}_i{=h(\mathit{NC}}_i)$, $\mathit{flag}=1$. Then, ${\mathit{SC}}_i$ generates the current timestamp $T_1$ and a random number $r_i$, chooses ${\mathit{SID}}_j$ which he wants to access and calculates ${\mathit{PID}}_i{=C}_i⨁{h(\mathit{TID}}_i||{\mathit{HID}}_i^{\ast })$, $R_i{=h(\mathit{TID}}_i||{\mathit{PID}}_i||{\mathit{NC}}_i||r_i)$, $M_1{=(r}_i||{\mathit{SID}}_j)⨁{H(\mathit{TID}}_i||{\mathit{HID}}_i^{\ast }||{\mathit{NC}}_i||T_1)$, and $M_{\mathit{UG}}{=h(\mathit{TID}}_i||{\mathit{HID}}_i^{\ast }||{\mathit{PID}}_i||R_i||T_1)$. Finally, ${\mathit{SC}}_i$ transmits the login request ${\{\mathit{PID}}_i{,M}_1{,M}_{\mathit{UG}}{,T}_1\}$ towards the GWN.

Step 2: The GWN receives ${\{\mathit{PID}}_i{,M}_1{,M}_{\mathit{UG}}{,T}_1\}$ and checks the validity of $T_1$. Then, the GWN searches ${(\mathit{PID}}_i^{\mathit{new}}{,\mathit{PID}}_i^{\mathit{old}}{,\mathit{TID}}_i{,\mathit{NC}}_i)$ in UserInfoTable using ${\mathit{PID}}_i$ and operates as below.

Case 1: If there exists an element ${(\mathit{PID}}_i^{\mathit{new}}{,\mathit{PID}}_i^{\mathit{old}}{,\mathit{TID}}_i{,\mathit{NC}}_i)$ of UserInfoTable which satisfies ${\mathit{PID}}_i{=\mathit{PID}}_i^{\mathit{new}}$, then the GWN calculates ${\mathit{NC}}_i^{\prime }{=h(\mathit{NC}}_i)$, ${\mathit{HID}}_i^{\ast }{=h(\mathit{TID}}_i||K_u)$, $K_i{=H(\mathit{TID}}_i||{\mathit{HID}}_i^{\ast }||{\mathit{NC}}_i^{\prime }||T_1)$, ${(r}_i^{\ast }||{\mathit{SID}}_j{)=K}_i⨁M_1$, $R_i^{\ast }{=h(\mathit{TID}}_i||{\mathit{PID}}_i^{\mathit{new}}||{\mathit{NC}}_i^{\prime }||r_i^{\ast })$, and $M_{\mathit{UG}}^{\ast }{=h(\mathit{TID}}_i||{\mathit{HID}}_i^{\ast }||{\mathit{PID}}_i^{\mathit{new}}||R_i^{\ast }||T_1)$. The GWN verifies the equality check $M_{\mathit{UG}}^{\ast } {?=M}_{\mathit{UG}}$. If the verification fails, the GWN rejects the login request. Otherwise, the GWN chooses a new ${\mathit{tPID}}_i^{\mathit{new}}$ randomly, and sets ${\mathit{PID}}_i^{\mathit{old}}{=\mathit{PID}}_i^{\mathit{new}}$, ${\mathit{PID}}_i^{\mathit{new}}{=\mathit{tPID}}_i^{\mathit{new}}$, ${\mathit{NC}}_i{=\mathit{NC}}_i^{\prime }$.

Case 2: If there exists an element ${(\mathit{PID}}_i^{\mathit{new}}{,\mathit{PID}}_i^{\mathit{old}}{,\mathit{TID}}_i{,\mathit{NC}}_i)$ of UserInfoTable which satisfies ${\mathit{PID}}_i{=\mathit{PID}}_i^{\mathit{old}}$, then the GWN calculates ${\mathit{HID}}_i^{\ast }{=h(\mathit{TID}}_i||K_u)$, $K_i{=H(\mathit{TID}}_i||{\mathit{HID}}_i^{\ast }||{\mathit{NC}}_i||T_1)$, ${(r}_i^{\ast }||{\mathit{SID}}_j{)=K}_i⨁M_1$, $R_i^{\ast }{=h(\mathit{TID}}_i||{\mathit{PID}}_i^{\mathit{old}}||{\mathit{NC}}_i||r_i^{\ast })$, and $M_{\mathit{UG}}^{\ast }{=h(\mathit{TID}}_i||{\mathit{HID}}_i^{\ast }||{\mathit{PID}}_i^{\mathit{old}}||R_i^{\ast }||T_1)$. The GWN verifies the equality check $M_{\mathit{UG}}^{\ast } {?=M}_{\mathit{UG}}$. If the verification fails, the GWN rejects the login request. Otherwise, the GWN chooses a new ${\mathit{tPID}}_i^{\mathit{new}}$ randomly, and sets ${\mathit{PID}}_i^{\mathit{new}}{=\mathit{tPID}}_i^{\mathit{new}}$.

Case 3: If the above two cases do not exist, the GWN rejects the login request.

Further, the GWN generates the current timestamp $T_2$, searches ${\{\mathit{SID}}_j{,\mathit{NG}}_j{,X}_{S_j}{,n}_j\}$ in SensorInfoTable using ${\mathit{SID}}_j$, and updates ${\mathit{NG}}_j{=\mathit{NG}}_j+n_j$, $X_{S_j}{=h(\mathit{SID}}_j||X_{S_j})$. Then, the GWN calculates $M_2{=(R}_i^{\ast }||{\mathit{PID}}_i^{\mathit{old}})⨁{H(X}_{S_j}||T_2)$ and $M_{\mathrm{GS}}{=h(\mathit{PID}}_i^{\mathit{old}}||{\mathit{SID}}_j||X_{S_j}||R_i^{\ast }||T_2)$. Finally, the GWN transmits ${\{M}_2{,M}_{\mathrm{GS}}{,\mathit{NG}}_j{,T}_2\}$ towards $S_j$.

Step 3: Upon the reception of ${\{M}_2{,M}_{\mathrm{GS}}{,\mathit{NG}}_j{,T}_2\}$ from the GWN, $S_j$ checks whether $T_2$ is a valid timestamp. Then, $S_j$ calculates $N^{\prime }={\mathit{NG}}_j-{\mathit{NS}}_j/n_j$ and checks if $1\le N^{\prime }\le N$ holds, where $N$ is the initial threshold for preserving the computing resources of sensors. If it holds true, $S_j$ sets $X_{S_j}^{\prime }{=X}_{S_j}$ and calculates $N^{\prime }$ times $X_{S_j}^{\prime }{=h(X}_{S_j}^{\prime }||{\mathit{SID}}_j)$. Further, $S_j$ calculates ${(R}_i^{\ast }||{\mathit{PID}}_i^{\mathit{old}}{)=M}_2⨁{H(X}_{S_j}^{\prime }||T_2)$ and $M_{\mathrm{GS}}^{\ast }{=h(\mathit{PID}}_i^{\mathit{old}}||{\mathit{SID}}_j||X_{S_j}^{\prime }||R_i^{\ast }||T_2)$ and verifies the equality check $M_{\mathrm{GS}}^{\ast }{?=M}_{\mathrm{GS}}$. If the verification fails, $S_j$ aborts the session. Otherwise, $S_j$ generates the current timestamp $T_3$ and a random number $r_j$ and calculates $R_j{=h(\mathit{SID}}_j||r_j)$, $M_3{=(R}_j{||\mathit{PID}}_i^{\mathit{old}})⨁{H(X}_{S_j}^{\prime }||T_3)$, ${\mathit{SK}}_{\mathit{ji}}{=h(R}_i^{\ast }||R_j)$, and $M_{\mathrm{SG}}{=h(\mathit{PID}}_i^{\mathit{old}}||{\mathit{SID}}_j||X_{S_j}^{\prime }||R_i^{\ast }||R_j||T_3)$. $S_j$ updates $X_{S_j}{=X}_{S_j}^{\prime }$, $N_j{=\mathit{NG}}_j$. Finally, $S_j$ sends ${\{\mathit{SID}}_j{,M}_3{,M}_{\mathrm{SG}}{,T}_3\}$ back to the GWN.

Step 4: The GWN receives ${\{\mathit{SID}}_j{,M}_3{,M}_{\mathrm{SG}}{,T}_3\}$ and checks the validity of $T_3$. Then, the GWN searches ${\{\mathit{SID}}_j{,\mathit{NG}}_j{,X}_{S_j}{,n}_j\}$ in SensorInfoTable using ${\mathit{SID}}_j$ and calculates ${(R}_j{||\mathit{PID}}_i^{\mathit{old}}{)=M}_3⨁{H(X}_{S_j}||T_3)$, and $M_{\mathrm{SG}}^{\ast }{=h(\mathit{PID}}_i^{\mathit{old}}||{\mathit{SID}}_j||X_{S_j}||R_i^{\ast }||R_j^{\ast }||T_3)$. The GWN verifies the equality check $M_{\mathrm{SG}}^{\ast }{?=M}_{\mathrm{SG}}$. If the verification fails, the GWN aborts the session. Otherwise, the GWN generates the current timestamp $T_4$ and searches ${(\mathit{PID}}_i^{\mathit{new}}{,\mathit{PID}}_i^{\mathit{old}}{,\mathit{TID}}_i{,\mathit{NC}}_i)$ in UserInfoTable using ${\mathit{PID}}_i^{\mathit{old}}$. Further, the GWN calculates $C_i^{\mathit{new}}{=h(\mathit{TID}}_i||{\mathit{HID}}_i^{\ast })⨁{\mathit{PID}}_i^{\mathit{new}}$, $p_i^{\mathit{new}}{=C}_i^{\mathit{new}}⨁{\mathit{HID}}_i^{\ast }⨁T_4$, $M_4{=R}_j^{\ast }⨁K_i$, and $M_{\mathrm{GU}}{=h(\mathit{PID}}_i^{\mathit{old}}||{\mathit{HID}}_i^{\ast }||C_i^{\mathit{new}}||R_i^{\ast }||R_j^{\ast }||T_4)$. Finally, the GWN sends ${\{p}_i^{\mathit{new}}{,M}_4{,M}_{\mathrm{GU}}{,T}_4\}$ to $U_i$.

Step 5: Upon the reception of ${\{p}_i^{\mathit{new}}{,M}_4{,M}_{\mathrm{GU}}{,T}_4\}$ from the GWN, $U_i$ checks whether $T_4$ is a valid timestamp. Then, $U_i$ calculates $R_j^{\ast }{=M}_4⨁{H(\mathit{TID}}_i||{\mathit{HID}}_i^{\ast }||{\mathit{NC}}_i||T_1)$, ${\mathit{SK}}_{\mathit{ij}}{=h(R}_i||R_j^{\ast })$, $C_i^{\mathit{new}}{=p}_i^{\mathit{new}}⨁{\mathit{HID}}_i^{\ast }⨁T_4$, and $M_{\mathrm{GU}}^{\ast }{=h(\mathit{PID}}_i||{\mathit{HID}}_i^{\ast }||C_i^{\mathit{new}}||R_i||R_j^{\ast }||T_4)$. Then, $U_i$ verifies the equality check $M_{\mathrm{GU}}^{\ast }{?=M}_{\mathrm{GU}}$. If the verification fails, $U_i$ aborts the session. Otherwise, $U_i$ updates $C_i{=C}_i^{\mathit{new}}$, $\mathit{flag}=0$.

The process of the authentication phase is shown in Figure 5.

Figure 5. Authentication phase of the proposed scheme.

5.5. Password and Biometric Update Phase

Step 1: $U_i$ inserts ${\mathit{SC}}_i$, inputs ${\mathit{ID}}_i$ and ${\mathit{PW}}_i$, and imprints ${\mathit{Bio}}_i$. ${\mathit{SC}}_i$ calculates $b_i{=\mathit{REP}(\mathit{Bio}}_i{,\mathit{pair}}_i)$, ${\mathit{TID}}_i{=h(\mathit{ID}}_i)$, ${\mathit{HPW}}_i^{\ast }{=h(\mathit{PW}}_i{||b}_i)$, ${\mathit{HID}}_i^{\ast }{=A}_i⨁{h(\mathit{HPW}}_i^{\ast }||{\mathit{TID}}_i)$, and $B_i^{\ast }{=h(\mathit{HPW}}_i^{\ast }||{\mathit{HID}}_i^{\ast })\mathit{mod}n$ and verifies the equality check for $B_i^{\ast }{?=B}_i$. If it does not hold true, ${\mathit{SC}}_i$ rejects the request. Otherwise, $U_i$ inputs a new password ${\mathit{PW}}_i^{\mathit{new}}$ and imprints a new biometric ${\mathit{Bio}}_i^{\mathit{new}}$.

Step 2: ${\mathit{SC}}_i$ calculates ${\mathit{GEN}(\mathit{Bio}}_i^{\mathit{new}}) {=(b}_i^{\mathit{new}}{,\mathit{pair}}_i^{\mathit{new}})$, ${\mathit{HPW}}_i^{\mathit{new}}{=h(\mathit{PW}}_i^{\mathit{new}}{||b}_i^{\mathit{new}})$, $A_i^{\mathit{new}}{=\mathit{HID}}_i^{\ast }⨁{h(\mathit{HPW}}_i^{\mathit{new}}||{\mathit{TID}}_i)$, and $B_i^{\mathit{new}}{=h(\mathit{HPW}}_i^{\mathit{new}}||{\mathit{HID}}_i^{\ast })\mathit{mod}n$. At last, ${\mathit{SC}}_i$ replaces ${\mathit{pair}}_i$, $A_i$ and $B_i$, with ${\mathit{pair}}_i^{\mathit{new}}$, $A_i^{\mathit{new}}$ and $B_i^{\mathit{new}}$, respectively.

6. Security Analysis

6.1. Security Verification Using ProVerif

ProVerif [33] is one of the widely accepted automated security verification tools for communication protocols. ProVerif supports main cryptographic primitives including hash function, encryption, digital signatures, etc. In this section, we use ProVerif to check the mutual authentication and session key secrecy of the proposed scheme.

First, we define two insecure channels, c1 for communication between users and the GWN and c2 for communication between the GWN and sensors.

(*--Two public channel--*)

free c1: channel. (*--The channel between users and GWN--*)

free c2: channel. (*--The channel between sensors and GWN--*)

Then, we define the parameters and constructors as follows:

(*--The basic variables--*)

free user, GWN, SN: bitstring. (*---three participants--*)

free PID: bitstring. (*---the pseudonym identity shared by user and GWN--*)

free Ku: bitstring[private]. (*---the masterkey of GWN--*)

free Ks: bitstring[private]. (*---the masterkey of GWN--*)

free XSj: bitstring[private]. (*---the shared key between GWN and sensor--*)

table Table_user_info( bitstring, bitstring, bitstring). (*---the user’s info table---*)

table Table_sensor_info(bitstring, bitstring). (*---the sensor’s info table---*)

(*--Encryption operation--*)

fun encrypt(bitstring, bitstring): bitstring.

fun decrypt(bitstring, bitstring): bitstring.

equation forall x: bitstring, y: bitstring; decrypt(encrypt(x, y), y) = x.

(*--Hash operation--*)

fun h1(bitstring): bitstring.

fun h2 (bitstring, bitstring): bitstring.

fun h4 (bitstring, bitstring, bitstring, bitstring):bitstring.

fun h5 (bitstring, bitstring, bitstring, bitstring, bitstring): bitstring.

fun h6 (bitstring, bitstring, bitstring, bitstring, bitstring, bitstring): bitstring.

(*--XOR operation--*)

fun XOR (bitstring, bitstring): bitstring.

equation forall x: bitstring, y: bitstring; XOR(XOR(x, y), y) = x.

(*--Concat and Divide operation--*)

fun Concat (bitstring, bitstring): bitstring.

fun Div1 (bitstring):bitstring.

fun Div2 (bitstring):bitstring.

equation forall x: bitstring, y: bitstring; Div1(Concat(x, y)) = x.

equation forall x: bitstring, y: bitstring; Div2(Concat(x, y)) = y.

(*--Check the Freshness of timestamp operation--*)

fun isFresh (bitstring, bool): bool

reduc forall T: bitstring; isFresh (T, true) = true.

In order to check the mutual authentication and session key secrecy, we define the following eight events and two secrets:

(*--Mutual authentication queries--*)

event beginUG(bitstring).

event endUG(bitstring).

event beginGU(bitstring).

event endGU(bitstring).

event beginGS(bitstring).

event endGS(bitstring).

event beginSG(bitstring).

event endSG(bitstring).

query x: bitstring; inj-event(endUG(x)) ==> inj-event(beginUG(x)).

query x: bitstring; inj-event(endGU(x)) ==> inj-event(beginGU(x)).

query x: bitstring; inj-event(endGS(x)) ==> inj-event(beginGS(x)).

query x: bitstring; inj-event(endSG(x)) ==> inj-event(beginSG(x)).

(*--Session key secrecy queries--*)

free secretA, secretB: bitstring [private].

query attacker(secretA);

attacker(secretB).

Three distinct processes processUser, processSensor, and processGWN are declared to model $U_i$, $S_j$ and GWN, respectively.

(*----------------User Ui---------------------*)

let processUser(IDi: bitstring, PWi: bitstring, bi: bitstring, Ai: bitstring, Bi: bitstring, Ci: bitstring, NCi: bitstring, SIDj: bitstring) =

let TIDi = h1(IDi) in

let HPWi’ = h2(PWi, bi) in

let HIDi’ = XOR(Ai, h2(HPWi’, TIDi)) in

let Bi’ = h2(HPWi’,HIDi’) in

if Bi’=Bi then

event beginGU(GWN);

new ri: bitstring;

new T1: bitstring;

let PIDi = XOR(Ci, h2(TIDi, HIDi’)) in

let Ri = h4(TIDi, PIDi, NCi, ri) in

let M1 = XOR(Concat(ri, SIDj), h4 TIDi, HIDi’, NCi, T1)) in

let MUG = h5 (TIDi, HIDi’, PIDi, Ri, T1) in

out (c1, (PIDi, M1, MUG, T1));

in (c1, (M4:bitstring, MGU:bitstring, T4:bitstring));

if isFresh (T4, true) = true then

let Rj’ = XOR(M4,h4(TIDi, HIDi’,NCi, T1)) in

let SKij’ = h2(Ri, Rj’) in

let MGU’ = h5(PIDi, HIDi’, Ri, Rj’, T4) in

if MGU’ =MGU then

event endUG(user);

out(c1, encrypt(secretA, SKij’)).

(*----------------GWN---------------------*)

let processGWN() =

in(c1, (PIDi: bitstring, M1: bitstring, MUG: bitstring, T1:bitstring));

if isFresh(T1, true) = true then

get Table_user_info(=PIDi, TIDi, NCi) in

let HIDi’ = h2(TIDi, Ku) in

let Ki = h4(TIDi, HIDi’, NCi, T1) in

let ri’ = Div1(XOR(M1,Ki)) in

let SIDj = Div2(XOR(M1,Ki)) in

let Ri’ = h4(TIDi, PIDi, NCi, ri’) in

event beginUG(user);

let MUG’ = h5(TIDi, HIDi’, PIDi, Ri’, T1) in

if MUG’ =MUG then

event beginSG(SN);

new T2: bitstring;

get Table_sensor_info(=SIDj, XSj) in

let M2 = XOR(Concat(Ri’, PIDi),h2(XSj, T2)) in

let MGS = h5(PIDi, SIDj, XSj, Ri’, T2) in

out(c2, (M2, MGS, T2));

in(c2,(SIDj:bitstring, M3:bitstring, MSG:bitstring, T3: bitstring));

if isFresh(T3, true) = true then

let Rj’ = Div1(XOR(M3,h2(XSj, T3))) in

let PIDi = Div2(XOR(M3, h2(XSj, T3))) in

let MSG’ = h6(PIDi, SIDj, XSj, Ri’,Rj’, T3) in

if MSG’ = MSG then

new T4: bitstring;

event endGS(GWN);

let M4 = XOR(Rj’,Ki) in

let MGU = h5(PIDi, HIDi’, Ri’, Rj’, T4) in

out(c1, (M4, MGU, T4));

event endGU(GWN);

0.

(*----------------Sensor Sj---------------------*)

let processSensor(SIDj:bitstring, XSj:bitstring) =

in(c2, (MG:bitstring, MGS:bitstring, T2:bitstring));

event beginGS(GWN);

let Ri’ =Div1(XOR(MG, h2(XSj, T2))) in

let PIDi =Div2(XOR(MG, h2(XSj, T2))) in

let MGS’ = h5(PIDi, SIDj, XSj, Ri’, T2) in

if MGS’=MGS then

new T3: bitstring;

new rj: bitstring;

let Rj = h2(SIDj, rj) in

let Mj = XOR(Concat(rj, PIDi),h2(XSj, T3)) in

let SKij = h2(Ri’, Rj) in

let MSG = h6(PIDi, SIDj, XSj, Ri’, Rj, T3) in

out(c2, (SIDj, Mj, MSG, T3));

event endSG(SN);

out(c2, encrypt(secretB, SKij)).

We simulate the unbounded parallel execution of processes processUser, processSensor, and processGWN as follows:

(*--Start process--*)

process

new IDi: bitstring;

new PWi: bitstring;

new bi: bitstring;

new PIDi: bitstring;

new SIDj: bitstring;

new NCi: bitstring;

let HPWi = h2(PWi, bi) in

let TIDi = h1(IDi) in

let HIDi = h2(TIDi, Ku) in

let Ai = XOR(h2(HPWi, TIDi), HIDi) in

let Bi = h2(HPWi, HIDi) in

let Ci = XOR(h2(TIDi, HIDi),PIDi) in

let XSj = h2(SIDj, Ks) in

insert Table_user_info(PIDi, TIDi, NCi);

insert Table_sensor_info(SIDj, XSj);

(

(*-- Launch an unbounded number of sessions of the user --*)

(!processUser(IDi, PWi, bi, Ai, Bi, Ci, NCi, SIDj)) |

(*-- Launch an unbounded number of, sessions of the GWN--*)

(!processGWN()) |

(*-- Launch an unbounded number of sessions of the sensor--*)

(!processSensor(SIDj, XSj))

)

The simulation results are shown as follows:

Query inj-event(endUG(x)) ==> inj-event(beginUG(x)) is true.

Query inj-event(endGU(x)) ==> inj-event(beginGU(x)) is true.

Query inj-event(endGS(x)) ==> inj-event(beginGS(x)) is true.

Query inj-event(endSG(x)) ==> inj-event(beginSG(x)) is true.

Query not attacker(secretA[]) is true.

Query not attacker(secretB[]) is true.

The results mean that the proposed scheme is able to achieve mutual authentication. Meanwhile, the session key SKij generated by the user $U_i$ and the sensor $S_j$ is secure.

6.2. BAN-Logic

Burrows–Abadi–Needham logic (BAN-logic) [34] is a widely used tool for the formal analysis of authentication schemes which was proposed by Burrows et al. In this section, we use BAN-logic to prove the session key agreement between the user $U_i$ and the sensor node $S_j$ after the execution of the proposed scheme. Table 3 introduces the notations for the BAN-logic analysis and some basic rules for BAN-logic are described in Table 4.

Table 3. BAN-logic notations.

Symbol	Description
$P|\equiv X$	$P$ believes $X$.
$P⊲X$	$P$ sees $X$.
$P|\text{~}X$	$P$ sends $X$.
$P\Rightarrow X$	$P$ has jurisdiction over $X$.
$⋕(X)$	$X$ is fresh.
$(X,Y)$	$X$ or $Y$ is part of $(X,Y)$.
${(X)}_K$	Use the key $K$ to compute $X$.
$P\stackrel{\mathit{SK}}{\leftrightarrow }Q$	$P$ and $Q$ achieve the shared key $\mathit{SK}$ for communication.

Table 4. Basic logical postulates of BAN-logic.

Symbol	Description
Message meaning rule	$\frac{P|\equiv (P\stackrel{K}{\leftrightarrow }Q),P◁{(X)}_K}{P|\equiv Q|\text{~}X}$
Freshness conjuncatenation rule	$\frac{P|\equiv ⋕(X)}{P|\equiv ⋕(X,Y)}$
Nonce verification rule	$\frac{P|\equiv ⋕(X), P|\equiv Q|\text{~}X}{P|\equiv Q|\equiv X}$
Jurisdiction rule	$\frac{P|\equiv Q|\Rightarrow X,P|\equiv Q|\equiv X}{P|\equiv X}$
Believe rule	$\frac{P|\equiv Q|\equiv (X,Y)}{P|\equiv Q|\equiv X}, \frac{P|\equiv X,P|\equiv Y}{P|\equiv (X,Y)}$

(1)

The idealized form of the proposed scheme:

Message 1: $U_i\to \mathit{GWN}: {{(r}_i{,\mathit{SID}}_j)}_{U_i\stackrel{{(\mathit{HID}}_i, {\mathit{NC}}_i)}{\leftrightarrow }\mathit{GWN}}$

Message 2: $\mathit{GWN}\to S_j:{{(R}_i{,\mathit{PID}}_i^{\mathit{old}})}_{\mathit{GWN}\stackrel{X_{S_j}}{\leftrightarrow }{S}_j}$

Message 3: $S_j\to \mathit{GWN}:{{(R}_j{,\mathit{PID}}_i^{\mathit{old}})}_{S_j\stackrel{X_{S_j}}{\leftrightarrow }\mathit{GWN}}$

Message 4: $\mathit{GWN}\to U_i:{{(R}_j)}_{\mathit{GWN}\stackrel{{(\mathit{HID}}_i, {\mathit{NC}}_i)}{\leftrightarrow }{U}_i}$

(2)

Verification goals:

Goal 1: $U_i|\equiv {(U}_i\stackrel{\mathit{SK}}{\leftrightarrow }{S}_j)$.

Goal 2: $U_i|\equiv S_j|\equiv {(U}_i\stackrel{\mathit{SK}}{\leftrightarrow }{S}_j)$.

Goal 3: $S_j|\equiv {(U}_i\stackrel{\mathit{SK}}{\leftrightarrow }{S}_j)$.

Goal 4: $S_j|\equiv U_i|\equiv {(U}_i\stackrel{\mathit{SK}}{\leftrightarrow }{S}_j)$.

(3)

Assumptions about the initial state:

A1: $U_i|\equiv ⋕{(r}_i{,r}_j)$.

A2: $S_j|\equiv ⋕{(r}_i{,r}_j)$.

A3: $\mathit{GWN}|\equiv ⋕{(r}_i{,r}_j)$.

A4: $U_i|\equiv {(U}_i\stackrel{({\mathit{PID}}_i, {\mathit{HID}}_i, {\mathit{NC}}_i)}{\leftrightarrow }\mathit{GWN})$.

A5: $\mathit{GWN}|\equiv {(U}_i\stackrel{({\mathit{PID}}_i, {\mathit{HID}}_i, {\mathit{NC}}_i)}{\leftrightarrow }\mathit{GWN})$.

A6: $\mathit{GWN}|\equiv (\mathit{GWN}\stackrel{X_{S_j}}{\leftrightarrow }{S}_j)$.

A7: $S_j|\equiv (\mathit{GWN}\stackrel{X_{S_j}}{\leftrightarrow }{S}_j)$.

A8: $U_i|\equiv S_j\Rightarrow {(U}_i\stackrel{\mathit{SK}}{\leftrightarrow }{S}_j)$.

A9: $S_j|\equiv U_i\Rightarrow {(U}_i\stackrel{\mathit{SK}}{\leftrightarrow }{S}_j)$

(4)

Proofs:

Step 1: From Message 1, we can get: $\mathit{GWN}◁{{(r}_i,{\mathit{SID}}_j)}_{U_i\stackrel{{(\mathit{HID}}_i, {\mathit{NC}}_i)}{\leftrightarrow }\mathit{GWN}}$.

Step 2: According to Step 1, A5, and the message meaning rule, it can be inferred that: $\mathit{GWN}|\equiv U_i{|\text{~}(r}_i,{\mathit{SID}}_j{)}_{U_i\stackrel{{(\mathit{HID}}_i, {\mathit{NC}}_i)}{\leftrightarrow }\mathit{GWN}}$.

Step 3: According to Step 2, A3, and the nonce verification rule, we obtain: $\mathit{GWN}|\equiv U_i|\equiv {{(r}_i,{\mathit{SID}}_j)}_{U_i\stackrel{{(\mathit{HID}}_i, {\mathit{NC}}_i)}{\leftrightarrow }\mathit{GWN}}$.

Step 4: From Message 2, we understand that: $S_j◁{{(R}_i{,\mathit{PID}}_i^{\mathit{old}})}_{\mathit{GWN}\stackrel{X_{S_j}}{\leftrightarrow }{S}_j}$.

Step 5: According to A7 and the message meaning rule, we obtain: $S_j|\equiv {\mathit{GWN}|\text{~}(R}_i{,\mathit{PID}}_i^{\mathit{old}}{)}_{\mathit{GWN}\stackrel{X_{S_j}}{\leftrightarrow }{S}_j}$.

Step 6: According to A2, $R_i{=h(\mathit{TID}}_i||{\mathit{PID}}_i||{\mathit{NC}}_i||r_i)$, and the freshness conjuncatenation rule, we can get: $S_j|\equiv ⋕{(R}_i)$.

Step 7: According to Step 5, Step 6, and the nonce verification rule, we get: $S_j|\equiv \mathit{GWN}|\equiv {{(R}_i{,\mathit{PID}}_i^{\mathit{old}})}_{\mathit{GWN}\stackrel{X_{S_j}}{\leftrightarrow }{S}_j}$.

Step 8: According to Step 3, Step 7, ${\mathit{SK}}_{\mathit{ij}}{=h(R}_i||R_j)$, and $R_i{=h(\mathit{TID}}_i||{\mathit{PID}}_i||{\mathit{NC}}_i||r_i)$, we prove: $S_j|\equiv U_i|\equiv {(U}_i\stackrel{\mathit{SK}}{\leftrightarrow }{S}_j)$ (Goal 4).

Step 9: According to Step 8, A9, and the jurisdiction rule, we prove: $S_j|\equiv {(U}_i\stackrel{\mathit{SK}}{\leftrightarrow }{S}_j)$ (Goal 3).

Step 10: According to Message 3, we get: $\mathit{GWN}◁{{(R}_j{,\mathit{PID}}_i^{\mathit{old}})}_{S_j\stackrel{X_{S_j}}{\leftrightarrow }\mathit{GWN}}$.

Step 11: According to Step10, A6, and the message meaning rule, it can be inferred that: $\mathit{GWN}|\equiv S_j{|\text{~}(R}_j{,\mathit{PID}}_i^{\mathit{old}}{)}_{S_j\stackrel{X_{S_j}}{\leftrightarrow }\mathit{GWN}}$.

Step 12: According to Step 11, A3, $R_j{=h(\mathit{SID}}_j||r_j)$, and the nonce verification rule, we obtain: $\mathit{GWN}|\equiv S_j|\equiv {{(R}_j{,\mathit{PID}}_i^{\mathit{old}})}_{S_j\stackrel{X_{S_j}}{\leftrightarrow }\mathit{GWN}}$.

Step 13: From Message 4, we obtain: $U_i◁{{(R}_j)}_{\mathit{GWN}\stackrel{{(\mathit{HID}}_i, {\mathit{NC}}_i)}{\leftrightarrow }{U}_i}$.

Step 14: According to Step 13, A4, and the message meaning rule, we obtain: $U_i|\equiv {\mathit{GWN}|\text{~}(R}_j{)}_{\mathit{GWN}\stackrel{{(\mathit{HID}}_i, {\mathit{NC}}_i)}{\leftrightarrow }{U}_i}$.

Step 15 According to Step 14, A1, $R_j{=h(\mathit{SID}}_j||r_j)$, and the nonce verification rule, we get: $U_i|\equiv S_j|\equiv {(U}_i\stackrel{\mathit{SK}}{\leftrightarrow }{S}_j)$. (Goal 2).

Step 16: According to Step 15, A8, and the jurisdiction rule, we prove: $U_i|\equiv {(U}_i\stackrel{\mathit{SK}}{\leftrightarrow }{S}_j)$ (Goal 1).

From the proof results obtained from the above process, Goal 1–4, $U_i$, and $S_j$ believe that they have completed the key agreement and generated the shared session key ${\mathit{SK}}_{\mathit{ij}}{=\mathit{SK}}_{\mathit{ji}\mathit{ji}}$.

6.3. Informal Security Analysis

(1) Anonymity and un-traceability

Suppose an adversary intercepted the information transmitted to a public channel from $U_i$, $\mathit{GWN}$, and $S_j$. Obviously, the adversary cannot obtain the user’s actual identity ${\mathit{ID}}_i$, because of the security of the one-way hash function. In addition, the pseudonym identity ${\mathit{PID}}_i$ changes after each authentication, and $r_i$ and $r_j$ are randomly generated in each session. The adversary cannot determine whether two sessions are launched by the same user.

(2) Perfect forward secrecy

Suppose an adversary accidentally captured $U_i$’s private key ${\mathit{NC}}_i$, $S_j$’s private key ($X_{S_j}$, $N_j$), and the GWN’s master key ($K_u$, $K_s$), and intercepted the information propagated in the public channel. The adversary cannot obtain the previous session key because ${\mathit{NC}}_i{,X}_{S_j}{,N}_j$ changes after each authentication, and the adversary cannot get the ${\mathit{NC}}_i{,X}_{S_j}{,N}_j$ in a previous session because of the security of the one-way hash function. Therefore, the proposed scheme can achieve perfect forward secrecy.

(3) Mutual authentication

In Section 6.1, we define eight events—event beginUGparam(bitstring), event endUGparam(bitstring), event beginGUparam(bitstring), event endGUparam(bitstring), event beginGSparam(bitstring), event endGSparam(bitstring), event beginSGparam(bitstring), and event endSGparam(bitstring)—to verify the mutual authentication of $U_i$, $\mathit{GWN}$, and $S_j$. The results show that our proposed scheme could achieve mutual authentication.

(4) Session key agreement

The user $U_i$ and the sensor $S_j$ reach a session key ${\mathit{SK}}_{\mathit{ij}}{=h}_2(R_i||R_j)$ for future communication after authentication. Since $R_i$ and $R_j$ are generated by $U_i$ and $S_j$, respectively, both $U_i$ and $S_j$ have an influence on the outcome of the session key ${\mathit{SK}}_{\mathit{ij}}{=h(R}_i||R_j{)=\mathit{SK}}_{\mathit{ji}}$.

(5) Three-factor security

Suppose an adversary captured the smart card ${\mathit{SC}}_i$ of $U_i$ and obtained the biometrics ${\mathit{Bio}}_i$. The adversary can extract the values ${\{A}_i{,b}_i{,C}_i{,\mathit{NC}}_i{,\mathit{pair}}_i,\mathit{flag}\}$ in ${\mathit{SC}}_i$. Further, the adversary guesses $({\mathit{ID}}_i^{\prime },{\mathit{PW}}_i^{\prime })$ and calculates $b_i{=\mathit{REP}(\mathit{Bio}}_i{,\mathit{pair}}_i)$, ${\mathit{TID}}_i^{\prime }{=h(\mathit{ID}}_i^{\prime })$, ${\mathit{HPW}}_i^{\ast }{=h(\mathit{PW}}_i^{\prime }{||b}_i)$, ${\mathit{HID}}_i^{\ast }{=A}_i⨁{h(\mathit{HPW}}_i^{\ast }||{\mathit{TID}}_i^{\prime })$, and $b_i^{\ast }{=h(\mathit{HPW}}_i^{\ast }||{\mathit{HID}}_i^{\ast })\mathit{mod}n$. However, the adversary does not know the correctness of ${(\mathit{ID}}_i^{\prime },{\mathit{PW}}_i^{\prime })$ because $B_i{?=h(\mathit{HPW}}_i^{\ast }||{\mathit{HID}}_i^{\ast })\mathit{mod}n$. is a fuzzy verification process.

(6) Resistance of other known attacks

Insider attack: An insider adversary can obtain the user’s registration information ${\{\mathit{TID}}_i{=h(\mathit{ID}}_i{),\mathit{HPW}}_i{=h(\mathit{PW}}_i{||b}_i)\}$. Because of the security of the one-way hash function and ignorance about $b_i$, the adversary cannot capture ${\mathit{PW}}_i$. Therefore, no effective insider attack can be launched.

Stolen verifier table attack: There is no password-related or biometric-related information stored inside the GWN. Therefore, the stolen verifier table attack is infeasible in our proposed scheme.

User impersonation attack: For generating valid login request information, the adversary needs to know ${\mathit{HID}}_i$. While we know $b_i{=\mathit{REP}(\mathit{Bio}}_i{,\mathit{pair}}_i)$, ${\mathit{TID}}_i{=h(\mathit{ID}}_i)$, ${\mathit{HPW}}_i{=h(\mathit{PW}}_i{||b}_i)$, and ${\mathit{HID}}_i{=A}_i⨁{h(\mathit{HPW}}_i||{\mathit{TID}}_i)$, where $A_i$ and ${\mathit{pair}}_i$ are stored in ${\mathit{SC}}_i$. Therefore, the adversary cannot forge $U_i$ without getting ${\mathit{ID}}_i$, ${\mathit{PW}}_i$, ${\mathit{Bio}}_i$ and ${\mathit{SC}}_i$. Thus our proposed scheme could resist user impersonation attacks.

Sensor Spoofing Attack: An adversary cannot forge a sensor node $S_j$ without getting the secrets of $S_j$ (${\mathrm{NS}}_j$ and $X_{S_j}$). Therefore, no effective sensor spoofing attack can be launched.

Known session-specific temporary information attack: In our proposed scheme, the user $U_i$ and the micro-sensor $S_j$ reach a session key ${\mathit{SK}}_{\mathit{ij}}{=h(R}_i||R_j{)=h(h(\mathit{TID}}_i||{\mathit{PID}}_i||{\mathit{NC}}_i||r_i)||{h(\mathit{SID}}_j||r_j))$. Even if an adversary captured the session-specific temporary information, $r_i$ and $r_j$, he cannot launch a known session-specific temporary information attack without ${\mathit{NC}}_i$. As a result, our proposed scheme can resist known session-specific temporary information attacks.

De-synchronization attack: We analyze five possible cases of de-synchronization attacks, shown in Figure 6.

Figure 6. Possible de-synchronization attack on our proposed protocol.

Case 1: Suppose an adversary blocked ${C1:\{\mathit{PID}}_i{,M}_1{,M}_{\mathit{UG}}{,T}_1\}$. Since none of the participants updated the information table, the attack is infeasible.

Case 2: Suppose an adversary blocked ${C2:\{M}_2{,M}_{\mathrm{GS}}{,\mathit{NG}}_j{,T}_2\}$, the information stored on the GWN side and sensor side would be out of synchronization. However, by calculating

, it can be known how many times the communications between $S_j$ and the GWN are blocked. The information on two sides would be resynchronized by calculating $N_{\prime }$ times $X_{S_j}^{\prime }{=h(X}_{S_j}^{\prime }||{\mathit{SID}}_j)$ and updating $X_{S_j}{=X}_{S_j}^{\prime }$, $N_j{=\mathit{NG}}_j$.

Case 3: If an adversary blocks ${C3:\{\mathit{SID}}_j{,M}_3{,M}_{\mathrm{SG}}{,T}_3\}$. Both the GWN and $S_j$ have updated the $X_{S_j}$ and ${\mathit{NG}}_j/N_j$. The synchronization between $U_i$ and the GWN is the same as Case 4.

Case 4: If an adversary blocks ${C4:\{p}_i^{\mathit{new}}{,M}_4{,M}_{\mathrm{GU}}{,T}_4\}$. The communications between the GWN and $S_j$ are in synchronization, while the communications between $U_i$ and the GWN are out of synchronization. In this case, the GWN has completed the update of ${\mathit{PID}}_i$, and ${\mathit{PID}}_i^{\mathit{old}}$ records the previous ${\mathit{PID}}_i$. Since ${C4:\{p}_i^{\mathit{new}}{,M}_4{,M}_{\mathrm{GU}}{,T}_4\}$ is not received, the user $U_i$ does not update $C_i$, and the ${\mathit{PID}}_i$ calculated in the next session is not updated. However, when $U_i$ initiates the session request again, the GWN finds that the ${\mathit{PID}}_i$ sent by $U_i$ is the same as the ${\mathit{PID}}_i^{\mathit{old}}$ recorded in its memory. The GWN can identify the de-synchronization attack initiated by the adversary and synchronize the information according to Step 2 of the authentication phase. Therefore, the proposed new protocol can also resist the attacks of Case 3 and Case 4 of de-synchronization attacks.

In summary, our proposed scheme can resist de-synchronization attacks. On the other hand, we have shown that our proposed scheme can achieve forward secrecy in previous part of this section. Therefore, our proposed scheme can resist offline password-guessing attacks and stolen smart card attacks.

7. Performance Analysis

This section will compare and analyze the performance of the proposed new protocol with other similar protocols, including a computing cost comparison and communication cost comparison. Since the registration phase of users and sensors occurs only once, and users do not change their passwords and biometrics frequently, this section only discusses the performance comparison between authentication phases.

7.1. Comparison of Computing Costs

According to the experimental data in the literature [35], $T_h\approx 0.32\mathrm{ms}$, the computing cost comparison between our proposed scheme and other similar schemes, is shown in Table 5. From the results, the proposed protocol has a lower computation cost than the other four similar protocols.

Table 5. Comparison of computing costs (milliseconds).

Protocol	User	GWN	Sensor	Total
Shin et al. [26]	${13T}_h\approx 4.16$	${15T}_h\approx 4.8$	${6T}_h\approx 1.92$	${34T}_h\approx 10.88$
Ostad et al. [36]	${11T}_h\approx 3.52$	${17T}_h\approx 5.44$	${5T}_h\approx 1.6$	${33T}_h\approx 10.56$
Wu et al. [13]	${10T}_h\approx 3.2$	${15T}_h\approx 4.8$	${5T}_h\approx 1.6$	${31T}_h\approx 9.92$
Amin et al. [24]	${12T}_h\approx 3.84$	${15T}_h\approx 3.2$	${5T}_h\approx 1.6$	${32T}_h\approx 10.24$
Proposed	${11T}_h\approx 3.52$	${10T}_h\approx 3.2$	${6T}_h\approx 1.92$	${27T}_h\approx 8.64$

7.2. Comparison of Communication Costs

We assume that the length of identification, random number, timestamp, and other parameters involved in the proposed protocol and other similar protocols is 128 bits, and the length of the timestamp is 32 bits. Hash functions ${h:\{0,1\}}^{\ast }⨁{\{0,1\}}^{128}$ and ${H:\{0,1\}}^{\ast }⨁{\{0,1\}}^{256}$ have 128-bit and 256-bit outputs, respectively. Other related protocols use hash functions (such as MD5) with an output length of 128 bits.

In the authentication phase of the newly proposed protocol, there are four transmission messages: ${\{\mathit{PID}}_i{,M}_1{,M}_{\mathit{UG}}{,T}_1\}$, ${\{M}_2{,M}_{\mathrm{GS}}{,\mathit{NG}}_j{,T}_2\}$, ${\{\mathit{SID}}_j{,M}_3{,M}_{\mathrm{SG}}{,T}_3\}$, and ${\{p}_i^{\mathit{new}}{,M}_4{,M}_{\mathrm{GU}}{,T}_4\}$. The total length of the transmitted message is (128 + 256 + 128 + 32) + (256 + 128 + 128 + 32) + (128 + 256 + 128 + 32) + (128 + 128 + 128 + 32) = 2048 bits.

Table 6 shows the comparison of the communication costs between the proposed new protocol and other similar schemes. From the comparison results, our new proposed scheme is also at a good level in terms of communication costs.

Table 6. Comparison of communication costs.

Protocol	Number of Messages	Length of Interactive Information
Shin et al. [26]	4 Messages	1664 bits
Ostad et al. [36]	6 Messages	2208 bits
Wu et al. [13]	4 Messages	2176 bits
Amin et al. [24]	6 Messages	2016 bits
Proposed	4 Messages	2048 bits

8. Conclusions

Due to the insecurity of wireless sensor networks, abundant research on authentication and key agreement protocols for WSNs has been put forward. In 2019, Shin et al. proposed a lightweight three-factor authentication and key agreement protocol based on symmetric cryptographic primitives for WSNs, which looked promising. However, we found that there are some security risks in their protocol. To solve the shortcomings, we proposed a new lightweight and anonymous three-factor authentication scheme for WSNs. Furthermore, we proved that our proposed scheme is secure using the automated security verification tool ProVerif, BAN-logic verification, and an informal security analysis. Through a performance comparison and analysis, our new scheme shows a good level of computing and communication overhead and has high practicability. In future research, we will focus on finding a lighter mathematical model to realize the strong security of identity authentication in wireless sensor networks and apply the scheme to the actual environment.