Fuzzy Extractor and Elliptic Curve Based Efficient User Authentication Protocol for Wireless Sensor Networks and Internet of Things

Abstract: To improve the quality of service and reduce the possibility of security attacks, a secure and efficient user authentication mechanism is required for Wireless Sensor Networks (WSNs) and the Internet of Things (IoT). Session key establishment between the sensor node and the user is also required for secure communication. In this paper, we perform the security analysis of A.K. Das's user authentication scheme (given in 2015), Choi et al.'s scheme (given in 2016), and Park et al.'s scheme (given in 2016). The security analysis shows that these schemes are vulnerable to various attacks, such as user impersonation, sensor node impersonation and attacks mounted by legitimate users. Based on the cryptanalysis of these existing protocols, we propose a secure and efficient authenticated session key establishment protocol which provides the required security features and overcomes the drawbacks of the existing protocols. The formal and informal security analysis indicates that the proposed protocol withstands the security vulnerabilities found in WSNs. Automated validation using the AVISPA and Scyther tools confirms the absence of security attacks on our scheme. Logical verification using the Burrows-Abadi-Needham (BAN) logic confirms the correctness of the proposed protocol. Finally, the comparative analysis of computational overhead and security features against other existing protocols indicates that the proposed user authentication system is secure and efficient. In the future, we intend to implement the proposed protocol in real-world applications of WSNs and IoT.


Introduction
Recent advancements in micro-electro-mechanical systems enable the production of low-cost sensor nodes with a small-scale sensing module, a radio frequency transceiver, a small processing module for limited computation, small-scale memory and a short-lived power unit. For instance, a sensor node can have temperature, pressure, humidity and light sensors with a 7.7 MHz 8-bit ATmega 128 processor, 4 KB of RAM, 128 KB of ROM, 512 KB of EEPROM, and two AA batteries. The sensing module may consist of a few sensors with analog-to-digital converters (ADCs). These sensors measure changes in physical parameters such as temperature, humidity, light and pressure. The analog signals produced by the sensor node from the measured physical parameters are transformed into digital signals by the ADC. The digital signals are then fed into the processing element, which performs the necessary calculations on the raw data, while the transceiver unit communicates with the adjacent sensor nodes. Nowadays, we find sensors in our smartphones, watches, vehicles, homes, offices, cities and industries, which connect our world more than we ever thought possible.
A WSN [1] or IoT [2] may consist of a large number of scattered sensor nodes capable of collecting data from their surroundings for specific users, communicating with the neighboring sensor nodes over a wireless medium and routing the data to a gateway node that has trusted high-performance computing resources. Some important aspects of WSNs are as follows:

•
The sensor nodes of WSNs suffer from energy constraints, memory limitations, unreliable communication, higher communication latency and unattended operation of the network.

•
The topology of WSNs can change frequently.

•
Sensor nodes can be densely deployed in the WSN area.
The IoT aims at bridging the gap between the physical world and its representation in the digital world. The term things refers to objects that have sensors attached to them and can transmit data to the Internet, where the data can be processed, analyzed and used to make decisions; one such example is a medical health care system.
An example of a medical health care system for monitoring a patient's condition and recovery by authentic medical practitioners and doctors using a wireless body area network (WBAN) is shown in Figure 1. The sensor nodes are planted in the patient's body to measure various parameters like ECG, blood pressure, temperature, visual straight, etc. The measured parameters from the different sensor nodes are transmitted to a master sensor node. The master sensor node processes the data locally and sends them to the gateway node. Only authentic medical practitioners and doctors are allowed to access the confidential, real-time data of high-profile patients from the master sensor node and the gateway, respectively. The conventional specializations of WSNs, embedded systems, control systems and automation (including smart home, smart city, industry and building automation) contribute to facilitating the IoT. Advances in IoT technology facilitate wearable devices which broadly cover health, fitness and entertainment requirements. These devices are equipped with sensors which collect sensitive data about human beings and transmit these data to a neighboring device, base station or gateway node for further processing and analysis. If the data are security sensitive, only an authentic user should be allowed to pre-process them to extract essential insights about the patient. With the rise of the IoT, where the number of sensor devices will grow many-fold, it would be infeasible for a user to secure the system using traditional authentication mechanisms.
Therefore, it is important to address this concern by devising mechanisms in which multiple advanced authentication factors and session key establishment are required to gain access to any smart device of WSNs/IoT, while keeping usability at a high level.
The members of a smart home, city or office (which has an automated system for monitoring temperature, light, air conditioners, windows, doors, refrigerators, alarms, alerts, etc.) should be given access by configuring the security system. However, to enhance the system's security, it is important to have multiple hierarchies of authentication and session key establishment. Authenticating users who connect to the sensor nodes of WSNs and IoT is the process of validating their identity (based on one or more factors such as the user's inherence, possession and knowledge) using sensor devices. The security of traditional user authentication protocols for WSNs is based on low-entropy passwords, which are easy to break through dictionary attacks. Biometric information, however, cannot be lost, forgotten, easily guessed or shared. Therefore, biometric-based user authentication schemes are more secure and reliable than traditional password-based systems.
Over the last decades, WSNs and IoT have drawn attention in many applications including health care, battlefield surveillance, smart homes, smart banking, financial offices and other secure, real-time applications where efficient user authentication and session key establishment are required. A secure and efficient user authentication scheme should provide various security features (e.g., confidentiality, integrity, freshness, etc.) and should resist various security attacks (e.g., user impersonation, sensor impersonation, stolen smart card and energy-exhausting attacks, etc.) with low computation and communication overhead on the sensor node. Traditional cryptographic algorithms cannot be implemented on resource-constrained sensor nodes for an efficient user authentication system. Therefore, we aim to design a secure and lightweight cryptographic mechanism for user authentication and session key establishment in WSNs/IoT.
The significant contributions of our work are as follows:

•
In this paper, we first discuss various security issues involved in authenticating the users of WSNs and IoT.

•
We perform the security analysis of various existing user authentication protocols for WSNs. Through this security analysis, we show that the existing protocols are vulnerable to various attacks, such as user impersonation, sensor node impersonation and attacks mounted by legitimate users.

•
We propose a secure and efficient protocol for authenticating the users of WSNs and IoT, providing mutual authentication, session key establishment, data freshness and confidentiality.

•
Through informal security analysis, we show that our proposed protocol resists the stolen smart card, sensor node compromise, gateway node compromise, man-in-the-middle and replay attacks.

•
We execute a "proof of security" using the random oracle model to ensure the correctness of the security features of our proposed protocol.

•
Subsequently, we verify the proposed protocol with the popular and robust security verification tools AVISPA and Scyther.

•
We use BAN logic to determine whether exchanged messages of the proposed protocol are trustworthy and secure against eavesdropping.

•
Finally, we present the comparative analysis of our proposed protocol with other existing protocols based on security and computational overhead.
The remaining portions of this paper are structured as follows: Section 2 appraises the security features and deficiencies of existing user authentication schemes. Section 3 explains the notations and cryptographic procedures we use in the security analysis and the proposed protocol. Section 4 reviews recent user authentication protocols and presents their cryptanalysis. Section 5 illustrates our proposed scheme. Section 6 performs the security analysis of our proposed scheme. Section 7 shows the results of the comparative study. Section 8 presents the comprehensive analysis. Section 9 concludes our research work.

Related Work
In 2002, Akyildiz et al. [1] explored many significant aspects of WSNs and discussed critical open research issues of WSNs. Afterwards, several user authentication and session key agreement mechanisms for WSNs were proposed. Unfortunately, many of them still suffer from various security vulnerabilities. In 2004, Benenson et al. [3] proposed a user authentication and access control mechanism for WSNs. Consequently, Watro et al. [4] (in 2004) developed a public-key (RSA) based user authentication scheme, TinyPK, using the Diffie-Hellman key exchange mechanism, which provides mutual authentication and withstands sensor node impersonation attacks. Subsequently (in 2005), Benenson et al. [5] designed an elliptic curve cryptography based user authentication system. In 2006, Wong et al. [6] showed that Benenson et al.'s [5] scheme does not resist denial of service and impersonation attacks. Wong et al. [6] then designed a secure hash function based authentication scheme to enhance the security features, but it does not support mutual authentication and session key establishment between the user and the sensor node. However, in 2007, Tseng et al. [7] [8] revealed that Wong et al.'s [6] scheme places more computational overhead on the sensor node than on the gateway node, and proposed an improved authentication scheme that fixes the security drawbacks of Wong et al.'s scheme with less computation overhead on the sensor node. Later, L.C. Ko [9] indicated that Tseng et al.'s scheme does not provide mutual authentication, and in 2008 L.C. Ko [9] proposed a time-stamp based user authentication scheme with mutual authentication. In 2009, Vaidya et al. [10] elaborated a mutual authentication scheme with formal verification. In 2009, Das [11] developed a secure mechanism that provides authenticity using a smart card and the user's password (two factors), but it does not establish a session key between the user and the sensor node. In 2010, Khan and Alghathbar [12] identified the gateway node bypass attack, the insider attack and the lack of a password update mechanism in Das's [11] scheme, and improved Das's scheme by including a password update and mutual authentication technique.
Two-factor authentication mechanisms based on the user's identity and password are generally not reliable because users tend to choose low-entropy passwords that can be easily cracked by simple dictionary attacks.
To improve the security of two-factor user authentication mechanisms, which are vulnerable to password guessing attacks and subject to inefficient password update procedures in WSNs, biometric-based user authentication mechanisms, combined with user passwords and smart cards, have drawn considerable attention. In 2010, Yuan et al. [13] provided a biometric-based scheme, but it is unprotected against node capture and denial of service attacks. In 2012, Yoo et al. [14] designed a scheme that provides a secure session key and mutual authentication. In 2013, Xue et al. [15] designed a mutual authentication scheme based on temporal information. However, in 2014, Jiang et al. [16] revealed that Xue et al.'s scheme is susceptible to stolen smart card and privileged insider attacks. In 2015, A.K. Das [17] proposed a fuzzy extractor based authentication scheme which resists well-known security attacks on WSNs and has more security features than Althobaiti et al.'s (2013) [18] scheme. Sharaf et al. [19] proposed (in 2016) an object authentication system that exploits device-specific data, known as fingerprints, to authenticate the objects associated with the IoT. In 2016, Alizadeh et al. [20] presented a comprehensive survey of authentication schemes for mobile cloud computing (MCC) to explain MCC authentication and differentiate it from cloud computing schemes. In this paper, however, we performed the cryptanalysis of A.K. Das's [17] scheme and found that it is susceptible to the stolen smart card attack. Similarly, we found that Choi et al.'s [21] (proposed in 2016), Park et al.'s [22] (introduced in 2016), and Moon et al.'s [23] (proposed in 2017) schemes are also insecure against various security attacks, as we illustrate in Section 4 of this paper.

Notations
Some important notations used for design and analysis of user authentication protocol for WSNs and IoT are listed in Table 1.

Assumptions
•
Sensor nodes may not be equipped with tamper-resistant hardware, and if a node is captured by an adversary, all the prominent and confidential information stored in its memory can be accessed by the adversary. Even if the sensor nodes are tamper-resistant, the adversary can learn the information stored in memory by measuring the power consumption of the captured sensor nodes.

•
The base station or the gateway node is the trusted entity, and it works both as an authentication as well as a key distribution center.

•
The adversary $\mathcal{A}$ can intercept the public communication channel, inject packets and replay previously transmitted packets.

•
The adversary $\mathcal{A}$ can capture the smart card $SC_i$ of user $U_i$ and extract the sensitive information stored in the card through simple and differential power analysis techniques [24].

•
We assume that the WSNs and IoT consist of a few users (with smart cards which can be captured or stolen by the adversary $\mathcal{A}$), hundreds of sensor nodes (which can be captured by $\mathcal{A}$) and a trusted gateway node.

•
The processed data from the sensor nodes are gathered periodically at the gateway node $GWN$. The gathered data may not always be real-time and fresh at $GWN$. Therefore, an authentic user should be allowed to access the data directly from the sensor node $SN_j$ to make quick decisions in secure, real-time applications of WSNs and IoT.

Cryptography Concepts Used
Some basic cryptographic concepts used in the security analysis of the existing protocols and in our proposed protocol are defined as follows:
Definition 1. Secure Hash Function [25]: A function $h : In \to Out$, which takes a binary string $s \in In = \{0, 1\}^*$ of arbitrary length as input and produces a binary string $d \in Out = \{0, 1\}^m$ of fixed length $m$ as output, is a secure hash function if the following condition holds: […] $\le \tau$, for any sufficiently small $\tau > 0$, where $(s, s') \leftarrow_R \mathcal{A}$ indicates that the pair $(s, s')$ is randomly chosen by $\mathcal{A}$ and $\Pr$ represents the probability of the event $(s, s') \leftarrow_R \mathcal{A}$ with execution time $t_1$.
Definition 2. Secure Encryption Scheme [25]: For any probabilistic polynomial-time adversary $\mathcal{A}$, an encryption algorithm $Enc$ is said to be IND-CPA (indistinguishable under chosen plaintext attack) secure when the advantage function of $\mathcal{A}$ is negligible, where $\tau \leftarrow_R \{0, 1\}$ denotes that the bit $\tau$ is randomly chosen from the set $\{0, 1\}$ and $t_2$ denotes the execution time.
Definition 3. Elliptic Curve Diffie-Hellman [26]: If $p > 3$ is a prime number, the elliptic curve $E_p(a, b)$ over the finite field $Z_p^*$ is represented by the solutions $(x, y) \in Z_p^* \times Z_p^*$ of the equation $y^2 = x^3 + ax + b$, together with the point at infinity $O$, where $4a^3 + 27b^2 \neq 0 \pmod p$. If $P$ is a generator (base point) of a cyclic subgroup $G$ of the elliptic curve $E_p(a, b)$ over the finite field $Z_p^*$, i.e., $G = \langle P \rangle$, the elliptic curve Diffie-Hellman (ECDH) key exchange can be described as follows. Initially, $U_i$ and $SN_j$ agree on a generator point $P$ and choose their private keys $r_{U_i}$ and $r_{SN_j}$ respectively. Afterwards, they construct and exchange their public keys $X_{U_i} = r_{U_i} \times P$ and $Y_{SN_j} = r_{SN_j} \times P$. Finally, $U_i$ and $SN_j$ calculate the common secret key as $r_{U_i} \times (r_{SN_j} \times P)$ and $r_{SN_j} \times (r_{U_i} \times P)$ respectively, where $r_{U_i} \times (r_{SN_j} \times P) = r_{SN_j} \times (r_{U_i} \times P)$, and it is intractable for an adversary $\mathcal{A}$ who knows $X_{U_i}$ and $Y_{SN_j}$ to find $r_{U_i}$ and $r_{SN_j}$. That is, the advantage of $\mathcal{A}$ in finding $r_{U_i}$ is defined by $\mathrm{Adv}^{ECDH}_{\mathcal{A}}(t_3)$, where $\mathrm{Adv}^{ECDH}_{\mathcal{A}}(t_3) \le \tau$ for any sufficiently small $\tau > 0$, and $(r_{U_i}, P) \leftarrow_R \mathcal{A}$ means that the pair $(r_{U_i}, P)$ is randomly selected by $\mathcal{A}$ with execution time $t_3$ such that $X_{U_i} = r_{U_i} \times P$.
Definition 4. Fuzzy Extractor for user authentication: A fuzzy extractor [27] is a cryptographic mechanism for securely authenticating a user with biometric credentials. Suppose a finite set $M$ is a metric space with a distance function $dis$ and an error tolerance limit $T$ calculated using error correcting codes for a particular distance metric (Hamming distance, set difference metric, edit distance metric, etc.). The fuzzy extractor consists of two randomized operations, Generator ($Gen$) and Reproduction ($Rep$), with the following characteristics:

•
The $Gen()$ operation takes a biometric credential $B_i \in M$ of user $U_i$ as input and produces two outputs, a secret string $\sigma_i \in \{0, 1\}^l$ and a public auxiliary string $\tau_i \in \{0, 1\}^*$, i.e., $Gen(B_i) = (\sigma_i, \tau_i)$.

•
The $Rep()$ operation takes a noisy biometric credential $B'_i \in M$ of user $U_i$ and the public auxiliary string $\tau_i$ as input and reproduces the secret string $\sigma_i \in \{0, 1\}^l$ as output, i.e., $Rep(B'_i, \tau_i) = \sigma_i$ if and only if $dis(B_i, B'_i) \le T$.

Review and Cryptanalysis of Various Recent Schemes of User Authentication for WSNs
In this section, we concisely review and present the security analysis of various recently proposed user authentication protocols for WSNs. The security analysis performed in this section shows that the existing protocols have various security vulnerabilities, based on logical proofs and the assumptions stated in Section 3.2 of this paper. This section provides an awareness of what needs to be fixed and how a user authentication protocol should be designed to withstand the miscellaneous attacks mounted against WSNs/IoT.

Review of A.K.Das's Scheme
A.K. Das [17] performed the security analysis of Althobaiti et al.'s [18] scheme and proposed an improved user authentication scheme using the fuzzy extractor in order to resist node capture, impersonation and man-in-the-middle attacks. A.K. Das [17] proposed a novel approach (considering the resource constraints of the sensor node) for biometric-based user authentication using the fuzzy extractor. For evaluating the security features of A.K. Das's scheme, the user registration phase of Das's scheme is described in the following Steps DR1-DR3, and the authentication and key agreement phase is summarized in Steps DA1-DA6, based on the notations of Table 1. We summarize the user registration, authentication and key agreement phases of A.K. Das's scheme in Tables 2 and 3, respectively.
Step DR1: The user $U_i$ inputs $ID_{U_i}$, $PW_{U_i}$ and $B_i$ and generates a 1024-bit random number $K$. Subsequently, $U_i$ calculates $RPW_i = h(ID_{U_i} \| K \| PW_{U_i})$ and selects a key $ek_i$. Then, $U_i$ transmits $\langle ID_{U_i}, RPW_i, ek_i \rangle$ to $GWN$ over a secure communication channel.
Step DR2: After receiving the message $\langle ID_{U_i}, RPW_i, ek_i \rangle$, the gateway node $GWN$ generates a 1024-bit key $X_s$ and evaluates […]
[Table 2: User registration phase of A.K. Das's scheme (Step 1: User $U_i$; Step 2: Gateway $GWN$; Step 3: User $U_i$). The table body is not preserved in the extracted text.]
[Table 3: Authentication and key agreement phase of A.K. Das's scheme (Step 1: User $U_i$; Step 2: Gateway $GWN$; Step 3: User $U_i$; Step 4: Gateway $GWN$; Step 5: Sensor Node $SN_j$; Step 6: User $U_i$). The table body is not preserved in the extracted text.]
Step DA1: The registered user $U_i$ inserts his/her smart card $SC_i$ into the card reader device and provides $ID_{U_i}$, the secret $PW_{U_i}$ and the biometric information $B_i$. Then, $SC_i$ evaluates […]. Otherwise, $U_i$ aborts this phase.
Step DA2: After receiving the message $\langle ID_{U_i}, req \rangle$, $GWN$ verifies the message. If $ID_{U_i}$ is valid, $GWN$ sends a random challenge $R$ to $U_i$ via the public communication channel. Otherwise, $GWN$ aborts this phase.
Step DA3: After receiving the random challenge $R$, $U_i$ evaluates $ek_i = BE_i \oplus h(ID_{U_i} \| \sigma_i)$ and finds the current time-stamp $T_1$. Then, $U_i$ transmits $Enc_{ek_i}(R, T_1, ID_{SN_j})$ to $GWN$ via the public communication channel.
Step DA4: $GWN$ recovers $R$, $T_1$ and $ID_{SN_j}$ by decrypting with the key $ek_i$ and evaluates […]. Finally, $GWN$ transmits $\langle ID_{U_i}, Y_j \rangle$ to $SN_j$ via the public communication channel. Otherwise, $GWN$ aborts this phase immediately.
Step DA5: If $T_2$ is fresh and $ID_{U_i}$ is valid, $SN_j$ finds the current time-stamp $T_3$ and evaluates the session key […]. Then, $SN_j$ sends $\langle h(SK_{ij}), T_3 \rangle$ to $U_i$ via the public communication channel and stores $SK_{ij}$ in its memory. Otherwise, $SN_j$ aborts this phase immediately.
Step DA6: If the received $h(SK_{ij})$ verifies, $U_i$ establishes the session key $SK_{ij}$ with the sensor node $SN_j$. Otherwise, $U_i$ aborts this phase immediately.

Cryptanalysis of A.K.Das's Scheme
In this section, we perform the cryptanalysis of A.K. Das's scheme and show that it is also vulnerable. The vulnerabilities involved in A.K. Das's scheme are elaborated in the following subsection:

Stolen Smart Card Attacks
The adversary $\mathcal{A}$ ascertains the values $\{\tau_i, e_i, r_i, BE_i, f^*, h(.), Gen(.), Rep(.), T\}$ from the stolen $SC_i$ by measuring the power consumption of the smart card [24]. Then, $\mathcal{A}$ computes: […]. Afterwards, the adversary $\mathcal{A}$ finds out the values of $K$ and $ek_i$ by implementing one of the following three mechanisms:

1.
Derives the values of $K$ and $ek_i$ using frequency analysis of the stream cipher outputs $BE_i$, $r_i$ and $BE_i \oplus r_i$.

2.
Eavesdrops $R$ and $E_{ek_i}(R, T, ID_{SN_j})$ and mounts a known-plaintext attack to find out the value of $ek_i$. Thereafter, $\mathcal{A}$ finds out the value of $K = ek_i \oplus (K \oplus ek_i)$.

3.
Steals the biometric information $B'_i$ of $U_i$ (where $d(B_i, B'_i) \le T$) and finds out the value of […].
$\mathcal{A}$ eavesdrops the value of $ID_{U_i}$ from the public communication channel and then evaluates the value of […]. Subsequently, $\mathcal{A}$ chooses its own identity $ID_A$, password $PW_A$ and biometric information $B_A$ and computes: […]. Finally, $\mathcal{A}$ replaces the information $\{\tau_i, e_i, r_i, BE_i, f^*, h(), Gen(.), Rep(.), T\}$ of $SC_i$ with $\{\tau_A, e_A, r_A, BE_A, f^*, h(), Gen(.), Rep(.), T\}$ respectively.
The login phase of the adversary $\mathcal{A}$ is as follows:

•
$\mathcal{A}$ inserts $SC_i$, inputs $ID_A$, $PW_A$ and imprints $B_A$. The card computes […] and $e'_A = h(ID_A \| RPW_A \| \sigma_A)$. Then, it verifies whether $e'_A = e_A$. This holds, i.e., both the password and the biometric verification succeed.

•
Afterwards, the login message $\langle ID_A, req \rangle$ is sent to $GWN$ via a public channel. However, the adversary $\mathcal{A}$ intercepts the message $\langle ID_A, req \rangle$ and replaces it with $\langle ID_{U_i}, req \rangle$.
The authentication and key agreement phase for the adversary $\mathcal{A}$ is illustrated as follows:

•
Since $ID_{U_i}$ is valid, $GWN$ generates a random challenge $R$ and sends it to $\mathcal{A}$.

•
$\mathcal{A}$ selects the login sensor node $SN_j$ and sends […]; $GWN$ decrypts it using $ek_i$ and verifies the validity of $T_1$ and $R$. Subsequently, $GWN$ computes […]

Review of Choi et al.'s Scheme
Choi et al. [21] performed the security analysis of Yoon and Kim's [28] protocol and proposed an improved user authentication protocol (considering the resource constraints of sensor nodes in WSNs) using the fuzzy extractor and biometric information. Choi et al.'s protocol addresses biometric recognition inaccuracy, user verification difficulty, lack of anonymity, perfect forward secrecy, session key revelation by the GWN, DoS attacks, and the revocation problem. In this scheme, the gateway node $GWN$ generates master keys $x$ and $y$, and allocates $h(ID_{SN_j} \| y)$ to the sensor node $SN_j$. The registration phase of this scheme is summarized in Steps CR1, CR2 and CR3. The authentication and session key establishment phase is summarized in Table 4.
Step CR1: The user $U_i$ inputs his/her identity $ID_{U_i}$ and biometric information $B_i$ and computes: […]
Step CR2: After receiving the message $\langle ID_{U_i}, A_i \rangle$, the gateway node $GWN$ generates a 1024-bit secret key $x$ and computes […]. Finally, $GWN$ sends the smart card $SC_i$ to the user $U_i$.
Step CR3: After receiving the smart card $SC_i$, the user $U_i$ stores $\tau_i$ into $SC_i$.

Cryptanalysis of Choi et al.'s Scheme
In this section, we perform the cryptanalysis of Choi et al.'s scheme and show that it is also vulnerable. The vulnerabilities involved in this scheme are elaborated in the following subsections.
[Table 4: Authentication and session key establishment phase of Choi et al.'s scheme (Step 1: User $U_i$ inputs $ID_{U_i}$, $B_i$ and computes …; Step 2: Gateway $GWN$ constructs the message … or else aborts this phase; Step 3: Sensor Node $SN_j$; Step 4: User $U_i$). The remaining table body is not preserved in the extracted text.]
In this scheme, a legitimate user $U_L$ can act as an adversary $U_A$, because $U_L$ can find out the hashed master key $h(x \| y)$ and then derive the secret information of user $U_i$ as follows: […]. If the verification succeeds, $U_A$ generates a random number $r_A$ and computes […]

User Impersonation Attack
An adversary $\mathcal{A}$ with a stolen smart card $SC_i$ can impersonate a legitimate user $U_i$ as follows: $\mathcal{A}$ extracts […]), $\tau_i$ from the smart card $SC_i$ of the user $U_i$ and computes […]. Subsequently, $\mathcal{A}$ establishes the session key $sk = h(AID_A \| r_A \times r_s \times P)$ with $SN_j$ using Steps 2-4 of the authentication and session key establishment phase of Choi et al.'s protocol.

Review of Park et al.'s Scheme
Park et al. [22] performed the security analysis of Chang et al.'s [29] scheme. Then, Park et al. proposed an improved user authentication scheme using the fuzzy extractor and biometric information in order to provide forward secrecy and an accurate password update phase, and to resist off-line password guessing attacks. In this scheme, the gateway node $GWN$ generates master keys $x$ and $y$, and allocates the key $h(ID_{SN_j} \| y)$ to the sensor node $SN_j$. Afterwards, the scheme follows the registration, login and authentication phases shown in Tables 5 and 6.

Cryptanalysis of Park et al.'s Scheme
In this section, we perform the cryptanalysis of Park et al.'s scheme and show that it is also vulnerable; it has the following security vulnerabilities.

Sensor Node Impersonation Attack
According to Park et al., to impersonate a sensor node $SN_j$ an adversary $\mathcal{A}$ needs to have the key $k_{GWN} = h(h(ID_{SN_j} \| y) \| T_{GWN})$. However, an adversary $\mathcal{A}$ can impersonate the sensor node $SN_j$ without having $k_{GWN}$, using the following steps:

•
The adversary $\mathcal{A}$ intercepts the message […]. Then, $\mathcal{A}$ generates a random number $r_A$, finds the current time-stamp $T_A$ and computes: […]. Therefore, the adversary $\mathcal{A}$ succeeds in impersonating the sensor node $SN_j$ and establishing the session key $sk$ with the user $U_i$.
[Table 5: Registration phase of Park et al.'s scheme (Step 1: User $U_i$ selects the identity $ID_{U_i}$, imprints the biometric information $B_i$ and computes …; Step 2: Gateway $GWN$ computes a 1024-bit secret key $x$ and computes …). The computed values are not preserved in the extracted text.]

User Impersonation Attack
In Park et al.'s scheme, a legitimate user $U_k$ can act as an adversary $U_A$ to impersonate the user $U_i$, because $U_k$ can find out the hashed master key $h(x \| y)$ and then derive the secret information of user $U_i$ as follows:

•
First, the adversary $\mathcal{A}$ extracts the information $V_{U_k}, N_{U_k}, C_{U_k}, h(.), P_{U_k}$ from the smart card.

•
Then, $\mathcal{A}$ imprints its biometric information $B_k$ and computes […]. Afterwards, $\mathcal{A}$ generates a random number $r_A$, selects the identity $ID_{U_i}$ and computes: […]. After receiving […], the $GWN$ finds the current time-stamp $T_{GWN}$ and computes: […]. After receiving […], $SN_j$ generates a random number $r_{SN_j}$ and computes: […]

•
Then, $SN_j$ sends $M_3 = \langle RM, Y_{U_i}, V_{SN_j}, T_{SN_j} \rangle$ to the adversary $\mathcal{A}$.

•
After receiving $M_3$, if $(T - T_{SN_j}) \le \Delta T$, the adversary $\mathcal{A}$ computes: […]
[Table 6: Login and authentication phase of Park et al.'s scheme (Step 1: User $U_i$ inserts the smart card $SC_i$, inputs $ID_{U_i}$, imprints $B_i$, computes … and constructs a message …; Step 2: Gateway $GWN$ finds the current time-stamp $T_{GWN}$, computes … and constructs the message … or else aborts this phase; Step 3: Sensor Node $SN_j$, or else aborts this phase; Step 4: User $U_i$, or else aborts this phase). The remaining table body is not preserved in the extracted text.]

Proposed Protocol
In our proposed protocol, we consider that the WSNs and IoT consist of a few users (with smart cards which can be captured or stolen by the adversary $\mathcal{A}$), hundreds of sensor nodes (which can be captured by $\mathcal{A}$) and a trusted gateway node. Considering these entities, we design a protocol which consists of four critical components: (i) set-up before the deployment of WSNs/IoT; (ii) registration of $U_i$ by the $GWN$; (iii) $U_i$'s authentication and session key establishment phase; (iv) $U_i$'s credential update phase.

Set-Up before the Deployment of WSNs/IoT
In this phase, we select a high-performance and trusted computing node as the gateway $GWN$. The $GWN$ assigns a unique identity $ID_{SN_j}$ to each sensor node $SN_j$ and loads a unique secret key $K_{GSN_j} = h(ID_{SN_j} \| K_{GWN})$ into the memory of $SN_j$.

Registration of U i by the GW N Using Secure Communication Channel
In this phase, a legitimate user $U_i$ sends hashed secret credentials to $GWN$ over a secure communication channel, and the $GWN$ provides $U_i$ with a smart card $SC_i$ (containing some secret parameters known only to the $GWN$). The steps of the proposed user registration phase are described in the following Steps R1-R3 and summarized in Table 7 (using Steps 1-3).
[Table 7: Registration phase of the proposed protocol (Step 1: User $U_i$; Step 2: Gateway $GWN$ computes a 1024-bit secret key $x$ and computes …; Step 3: User $U_i$ stores $T$, $h()$, $Gen()$, $Rep()$ and the value of $\tau_i$ into $SC_i$). The remaining table body is not preserved in the extracted text.]
Step R1: A legitimate user $U_i$ selects her identity $ID_{U_i}$ and password $PW_{U_i}$ and inputs her biometric information $B_i$ into the generator function $Gen()$, which produces secret information $\sigma_i$ and a public reproduction parameter $\tau_i$. Then, $U_i$ calculates $PB_i = h(PW_{U_i} \| \sigma_i)$ using the secure hash function $h()$ and sends $\langle ID_{U_i}, PB_i \rangle$ to the gateway node $GWN$.
Step R2: $GWN$ generates a secret key $x$, selects a generator point $P$ of $G$ with order $q$ and computes: […] (where "$\times$" is the scalar multiplication operator of the elliptic curve). Finally, the gateway node $GWN$ stores the values $P, A_{U_i}, B_{U_i}, W_{U_i}$ into the smart card $SC_i$ and sends $SC_i$ to the user $U_i$.
Step R3: After receiving $SC_i$ from $GWN$, the user $U_i$ stores the functions $h(), Gen(), Rep()$ and the values $T, \tau_i$ into $SC_i$.
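As an added illustration of Definition 4 and of the biometric part of registration Step R1 (this code is not part of the original paper or of any of the reviewed schemes), the following Python program builds a minimal fuzzy extractor from the code-offset construction with a repetition code under the Hamming metric, models $h(.)$ with SHA-256, and derives $PB_i = h(PW_{U_i} \| \sigma_i)$ as in Step R1. The login-time check, which reproduces $\sigma_i$ from a noisy reading with $Rep$ and recompares $PB_i$, is an assumed stand-in: the paper's own check compares a card-stored value $B_{U_i}$ whose formula is not preserved in the extracted text. The template length, the repetition factor, the enrolment template and the flipped bit positions are constructed for the demonstration.

```python
import hashlib
import secrets

# Constructed parameters: a biometric template is N_BITS bits, modelled as a
# K_BITS-bit message encoded with an M_REP-fold repetition code. A deployed
# fuzzy extractor would use a stronger code (e.g., BCH) and a strong extractor.
K_BITS = 16
M_REP = 5
N_BITS = K_BITS * M_REP
T = (M_REP - 1) // 2      # guaranteed Hamming-distance error tolerance of the code


def dis(x, y):
    """Hamming distance: the metric on M used in Definition 4."""
    return sum(a != b for a, b in zip(x, y))


def xor(x, y):
    return [a ^ b for a, b in zip(x, y)]


def encode(w):
    """Repetition code: every message bit is repeated M_REP times."""
    return [bit for bit in w for _ in range(M_REP)]


def decode(c):
    """Majority vote per block corrects up to T flipped bits in each block."""
    return [1 if 2 * sum(c[i:i + M_REP]) > M_REP else 0
            for i in range(0, len(c), M_REP)]


def h(*parts):
    """Secure hash h(.) of Definition 1, modelled with SHA-256; '||' is concatenation."""
    return hashlib.sha256(b"||".join(parts)).digest()


def bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")


def Gen(B):
    """Gen(B_i) = (sigma_i, tau_i): secret string and public helper string."""
    w = [secrets.randbelow(2) for _ in range(K_BITS)]   # random codeword message
    tau = xor(B, encode(w))        # code-offset helper string, safe to store on SC_i
    sigma = h(bits_to_bytes(w))    # secret string derived from w (hash used as extractor)
    return sigma, tau


def Rep(B_prime, tau):
    """Rep(B'_i, tau_i) = sigma_i whenever dis(B_i, B'_i) <= T."""
    w = decode(xor(B_prime, tau))  # B' xor tau = codeword xor (B xor B'): decoding removes the noise
    return h(bits_to_bytes(w))


def register(PW, B):
    """Step R1: U_i runs Gen on B_i and sends PB_i = h(PW_Ui || sigma_i) to GWN;
    tau_i stays with the user (stored on SC_i in Step R3)."""
    sigma, tau = Gen(B)
    return h(PW, sigma), tau


def login_check(PW, B_prime, tau, PB_registered):
    """Assumed check (the paper's card-stored B_Ui is not preserved): reproduce
    sigma_i from the noisy reading and compare the recomputed PB_i."""
    return h(PW, Rep(B_prime, tau)) == PB_registered


def flip_bits(B, positions):
    """Constructed noisy reading B'_i: flip the bits at the given positions."""
    B2 = list(B)
    for i in positions:
        B2[i] ^= 1
    return B2


if __name__ == "__main__":
    B = [(i * 7 + 3) % 5 % 2 for i in range(N_BITS)]    # constructed enrolment template
    PB, tau = register(b"correct horse", B)
    print("exact reading accepted:", login_check(b"correct horse", B, tau, PB))
    print("2 flipped bits accepted:", login_check(b"correct horse", flip_bits(B, [0, 7]), tau, PB))
    print("3 flips in one block accepted:", login_check(b"correct horse", flip_bits(B, [0, 1, 2]), tau, PB))
```

The helper string $\tau_i$ can be stored on the smart card because it is the template masked by a uniformly random codeword; what the card must never store is $\sigma_i$ itself, which is exactly the value the stolen smart card attacks of Section 4 try to recover.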

User Authentication and Session Key Establishment Phase
In this module, we use the reproduction procedure $Rep(.)$ of the fuzzy extractor to authenticate the user $U_i$ with her noisy biometric credential $B'_i$, and we use the elliptic curve Diffie-Hellman procedure to share a common session key $sk$ between the user $U_i$ and the sensor node $SN_j$. The details of this phase are given in the following Steps A1-A4 and summarized in Table 8 (using Steps 1-4).
[Table 8: Authentication and session key establishment phase of the proposed protocol (Step 1: User $U_i$; Step 2: Gateway $GWN$ constructs the message …; Step 3: Sensor Node $SN_j$; Step 4: User $U_i$). For each receiving step, the table marks the point at which a failed freshness or verification check indicates a possible replay or energy-exhausting attack and the phase is aborted. The remaining table body is not preserved in the extracted text.]
Step A1: U i inputs ID U i and PW U i , imprints her noisy biometric information B i and computes σ i = Rep(B i , τ i ) using the reproduction function of the fuzzy extractor (Definition 4). U i then recomputes the verifier B' U i from the card contents; if B' U i ≠ B U i , the protocol is aborted. Otherwise U i generates a random number r U i ∈ Z * q , reads her current time-stamp T U i , and computes X U i = r U i × P and X' U i = r U i × K U i (where "×" is elliptic-curve scalar multiplication). She encrypts (ID SN j ||T U i ) under the symmetric key X' U i to obtain α and sends M 1 = (ID U i , X U i , α) to the gateway node GW N.
Step A2: After receiving M 1 , GW N recomputes X' U i from X U i and its own secret material (Table 8) and decrypts α under X' U i to recover ID SN j and T U i . If the condition T − T U i ≤ ∆T does not hold, where T is the current time at GW N, GW N aborts the protocol.
Otherwise, GW N generates a random number r SN j ∈ Z * q and computes Y SN j = r SN j × P and the session key sk = r SN j × X U i . It then reads its current time-stamp T GW N and forms β (encrypted under X' U i , readable only by U i ) and γ (encrypted under the key K GSN j shared with SN j , and carrying sk and β); the exact contents are given in Table 8. Finally, GW N sends M 2 = γ to the sensor node SN j .
Step A3: After receiving M 2 , SN j decrypts γ with its symmetric key K GSN j , recovers sk and β, checks the freshness of T GW N , stores the session key sk, and forwards M 3 = β to U i .
Step A4: After receiving M 3 , U i decrypts β under X' U i to recover Y SN j and T GW N . If (T − T GW N ) ≤ 2∆T holds (two hops are allowed for the reply), U i computes the session key sk = r U i × Y SN j . Both sides hold the same key because r U i × Y SN j = r U i × r SN j × P = r SN j × X U i ; an eavesdropper who observes only X U i and Y SN j cannot compute sk without solving the elliptic-curve Diffie-Hellman problem.
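The registration and authentication phases above, run end to end, as an added worked example in Python (this is not code from the paper or from any implementation of it). It follows the structure just described: the fuzzy-extractor login check on the card, X U i and X' U i derived from one r U i , the ∆T and 2∆T windows, and sk computed by GW N and delivered to SN j under K GSN j . The following details are assumptions of the example, since the paper's own expressions live in Tables 7 and 8 and are not reproduced here: G is secp256k1 with generator P; Enc is a SHA-256 keystream with an HMAC tag; the fuzzy extractor is a code-offset sketch over a 3-bit repetition code; the smart card holds only P, K U i and a verifier B U i = h(PB i ||K U i ), where K U i = k U i × P and k U i = h(ID U i ||x) mod q is recomputed by GW N at login; ∆T is 5 s. The names Gateway, User, sn_step_a3 and run are invented for the example.

```python
import hashlib, hmac, os, secrets, time

P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F   # secp256k1 field prime
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141       # order q of P
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,     # generator P of G
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine addition on y^2 = x^3 + 7 over GF(P_MOD); None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P_MOD == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P_MOD) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P_MOD))
    x = (lam * lam - a[0] - b[0]) % P_MOD
    return (x, (lam * (a[0] - x) - a[1]) % P_MOD)

def ec_mul(k, pt):  # scalar multiplication k x pt (the paper's "x" operator), double-and-add
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

h = lambda *parts: hashlib.sha256(b"".join(parts)).digest()               # h(.)
pt_bytes = lambda pt: pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
rand_scalar = lambda: secrets.randbelow(Q - 1) + 1                          # r in Z_q^*
ks = lambda key, nonce, n: b"".join(h(key, nonce, i.to_bytes(4, "big")) for i in range(n // 32 + 1))

def enc(key, msg):  # Enc_k[msg]: SHA-256 keystream + HMAC tag (assumed stand-in for the paper's cipher)
    nonce = os.urandom(16)
    ct = bytes(x ^ y for x, y in zip(msg, ks(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext rejected: wrong key or tampered")
    return bytes(x ^ y for x, y in zip(ct, ks(key, nonce, len(ct))))

def gen(bio):  # Gen(B) -> (sigma, tau): code-offset sketch over a 3-bit repetition code (toy, assumed)
    secret = [secrets.randbelow(2) for _ in range(len(bio) // 3)]         # uniform sigma bits
    return h(bytes(secret)), [c ^ b for c, b in zip([s for s in secret for _ in range(3)], bio)]

def rep(bio, tau):  # Rep(B', tau): majority-decode each block; tolerates one flipped bit per block
    w = [t ^ b for t, b in zip(tau, bio)]
    return h(bytes(int(sum(w[i:i + 3]) >= 2) for i in range(0, len(w), 3)))

DT = 5                                                           # Delta_T in seconds (assumed)
now = lambda: int(time.time()).to_bytes(8, "big")
fresh = lambda t, hops=1: abs(int(time.time()) - int.from_bytes(t, "big")) <= hops * DT

class Gateway:
    def __init__(self, sensor_keys):
        self.x = secrets.randbits(1024).to_bytes(128, "big")     # long-term 1024-bit secret x
        self.kgsn = sensor_keys                                  # K_GSNj per sensor, pre-shared
    def _ku(self, uid):  # k_Ui = h(ID_Ui || x) mod q, recomputed at login and never stored (assumed)
        return int.from_bytes(h(uid, self.x), "big") % Q or 1
    def register(self, uid, pb):                                 # Step R2 (card contents assumed)
        K_U = ec_mul(self._ku(uid), P)
        return {"P": P, "K_U": K_U, "B": h(pb, pt_bytes(K_U))}   # B_Ui is the local login verifier
    def step_a2(self, uid, X_U, alpha):                          # Step A2
        key = pt_bytes(ec_mul(self._ku(uid), X_U))               # X'_Ui = k_Ui x X_Ui = r_Ui x K_Ui
        plain = dec(key, alpha)                                  # ID_SNj || T_Ui
        if not fresh(plain[4:12]):
            raise ValueError("M1 stale: replay rejected")
        r_s = rand_scalar()
        Y_S, sk, t_g = ec_mul(r_s, P), pt_bytes(ec_mul(r_s, X_U)), now()
        beta = enc(key, pt_bytes(Y_S) + t_g)                     # for U_i, under X'_Ui
        return enc(self.kgsn[plain[:4]], sk + t_g + beta)        # gamma = M2, under K_GSNj

def sn_step_a3(kgsn, gamma):                                     # Step A3 at SN_j
    plain = dec(kgsn, gamma)
    if not fresh(plain[64:72]):
        raise ValueError("M2 stale: replay rejected")
    return plain[:64], plain[72:]                                # (sk stored by SN_j, beta = M3)

class User:
    def __init__(self, uid, pw, bio, gw):                        # Steps R1 and R3
        sigma, self.tau = gen(bio)
        self.uid, self.card = uid, gw.register(uid, h(pw, sigma))
    def step_a1(self, pw, bio, sid):                             # Step A1: three-factor check, then M1
        pb = h(pw, rep(bio, self.tau))
        if h(pb, pt_bytes(self.card["K_U"])) != self.card["B"]:
            raise ValueError("B'_Ui != B_Ui: login aborted")
        self.r_u = rand_scalar()
        X_U = ec_mul(self.r_u, self.card["P"])
        self.key = pt_bytes(ec_mul(self.r_u, self.card["K_U"]))  # X'_Ui
        return self.uid, X_U, enc(self.key, sid + now())
    def step_a4(self, beta):                                     # Step A4
        plain = dec(self.key, beta)
        if not fresh(plain[64:72], hops=2):                      # reply crossed two hops: 2 Delta_T
            raise ValueError("M3 stale: replay rejected")
        Y_S = (int.from_bytes(plain[:32], "big"), int.from_bytes(plain[32:64], "big"))
        return pt_bytes(ec_mul(self.r_u, Y_S))                   # r_Ui x Y_SNj == r_SNj x X_Ui

def run(pw=b"correct horse", bio=None, login_bio=None):  # one registration and one login
    bio = bio or [1, 0, 1, 1, 0, 0] * 32                         # constructed 192-bit biometric
    kgsn = os.urandom(32)
    gw = Gateway({b"SN01": kgsn})
    u = User(b"alice", pw, bio, gw)
    sk_s, beta = sn_step_a3(kgsn, gw.step_a2(*u.step_a1(pw, login_bio or bio, b"SN01")))
    return u.step_a4(beta), sk_s                                 # (sk at U_i, sk at SN_j)
```

Calling run() returns the two copies of sk. Passing a login_bio that differs from the enrolled reading by at most one bit per 3-bit block still yields the same σ i and the same sk, while a more corrupted reading (or a wrong password) fails the local B' U i check and no message is sent. Two points the code makes explicit that the prose does not: GW N computes sk itself and hands it to SN j under K GSN j , so it is a trusted key-distribution party rather than a passive relay, and the only per-user state GW N keeps is x, because k U i is recomputed from ID U i at every login.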

User's Credential Update Phase
If a legitimate user gets authenticated using her identity ID U i , password PW U i , biometric information B i and the smart card SC i , she can update her password and biometric information using the mechanism described in Table 9.

As in Step A1, U i inserts SC i into the card reader and inputs ID U i , PW U i and B i ; the card recomputes the verifier and compares it with the stored B U i . If the check fails, U i is treated as unauthenticated and the update is aborted, so that a stolen smart card cannot be used to overwrite the credentials. Otherwise the new password and biometric information are accepted and the update proceeds as shown in Table 9.

Security Analysis
To estimate the security strength of our proposed protocol, we perform the informal and formal analysis of security features.

Informal Analysis
Our proposed protocol can withstand various known security attacks as illustrated in the following propositions.
Proposition 1. The proposed protocol is secure against the stolen smart card attack.
Proof. An adversary A who has stolen the smart card SC i can extract the stored data A U i , B U i , W U i , h(.), Rep(.), Gen(.) and τ i from SC i using side-channel attacks such as simple and differential power analysis. However, in our protocol the critical private values σ i , x and K U i are not stored in the clear. Even if A obtains A U i , A cannot separate PB i from h(ID U i ⊕ x), and σ i cannot be recovered either, because it enters the card parameters only after being hashed together with PW U i .
Proposition 2. The proposed protocol is secure against the node compromise attack.
Proof. By our assumption, the sensor node SN j is not equipped with tamper-resistant hardware, so an adversary A can capture SN j and read out the key K GSN j and the current session key sk. However, A cannot reuse sk in a later session, because every session key depends on the fresh random numbers r U i and r SN j . With K GSN j , A can establish a session key with any user who accesses SN j , but not with users of any non-compromised sensor node, because K GSN j is unique to SN j .
Proposition 3. The proposed protocol is secure against the man-in-the-middle attack.
Proof. Suppose an adversary A eavesdrops on the message M 1 during the user authentication and session key establishment phase, generates a random number r A and a current time-stamp T A . A cannot compute X' U i without the biometric information and the smart card credentials of U i , and therefore cannot decrypt or modify α. Likewise, it is computationally infeasible for A to modify γ or β without knowing K GSN j or X' U i respectively. Therefore, our scheme is secure against the man-in-the-middle attack.
Proposition 4. The proposed protocol is secure against the replay attack.
Proof. Suppose an adversary A intercepts the message M 1 on the public channel between Step 1 and Step 2 of the user authentication and session key establishment phase and, some time later, resends M 1 to the gateway node GW N. GW N will declare M 1 replayed, because the time-stamp T U i is no longer fresh and the condition T − T U i ≤ ∆T fails. Similarly, if A intercepts and replays M 2 or M 3 , the sensor node SN j and the user U i respectively will reject them after time-stamp verification. Therefore, our scheme is secure against the replay attack.
Proposition 5. The proposed protocol is resilient to the gateway node capture attack.
Proof. In the registration phase, the user U i transmits only PB i = h(PW U i ||σ i ) to the gateway node GW N, not the original biometric information B i ; here σ i is generated by the fuzzy extractor and h(.) is a secure one-way hash function. Hence an adversary A who captures GW N cannot recover the user's password PW U i or biometric information B i from it, and cannot impersonate U i in the authentication phase. Therefore, our proposed protocol is resilient to the gateway node capture attack. Note that this argument covers the user's long-term credentials only: since GW N computes sk itself in Step A2 and holds every K GSN j , a gateway compromised at run time learns the session keys it brokers, so GW N must be treated as a trusted party.

Formal Security Analysis
In this section, we first use the random oracle model for the formal security analysis of our protocol. Then we use the Scyther tool [30] to verify the security claims specified in each role. Afterwards, we validate the protocol with the AVISPA tool [31] (version 1.1) under the Dolev-Yao intruder model with the OFMC and CL-AtSe back-ends. Finally, we perform logical verification with BAN logic to confirm that the protocol works correctly and achieves the specified security features.

Formal Security Verification Using Random Oracle Model
The random oracle model (ROM), proposed by Bellare and Rogaway [32], is a robust tool for giving rigorous "proofs of security" for particular cryptographic protocols.
A random oracle is an idealized black box that answers every distinct query with a truly random response chosen uniformly from its output domain; if the same query is asked again, it returns the same response every time.
Based on random oracle model, the following Theorem 1 shows that our protocol can resist various security attacks.
Using the random oracle model, we prove that an adversary A cannot obtain a legitimate user's identity ID U i , password PW U i , biometric information B i or the session key sk. The proof is by contradiction: we assume that the random oracles of Definitions 5-7 exist.
Theorem 1. If the hash function h(), the encryption mechanism Enc and the elliptic-curve Diffie-Hellman problem (ECDH) are modelled by the random oracles Reveal1, Reveal2 and Reveal3 respectively, then the scheme prevents the adversary A from deriving the user U i 's secret parameters PW U i , σ i , K U i and X' U i .
Proof of Theorem 1. Assume that the oracles Reveal1, Reveal2 and Reveal3 exist, which return the string s from the digest d = h(s), the string s from the cipher-text Enc k [s], and the private scalar r from the public point X = r × P respectively. Then the adversary A can run the procedure EXP h−Enc−ECDH A shown in Algorithm 1, whose success probability is expressed through the advantage function defined next.

The advantage function for EXP h−Enc−ECDH A is defined from this success probability; it is parametrized by the execution time t and by the numbers of oracle queries q R 1 , q R 2 , q R 3 introduced below. According to Algorithm 1, the oracles Reveal1, Reveal2 and Reveal3 find the preimage of h(), the plain-text s from the cipher-text Enc k [s], and the private scalar r from the public point X = r × P respectively.

Algorithm 1: EXP h−Enc−ECDH A
  Extract {A U i , B U i , W U i , τ i , T, h(), Gen(), Rep()} from SC i using simple and differential power analysis attacks.
  Call the Reveal1 oracle on input B U i to retrieve its preimage.
  Call the Reveal1 oracle on input PB i to retrieve its preimage, i.e., PW U i and σ i .
  Call the Reveal2 oracle on input α (from the intercepted M 1 ) to retrieve the plain-text (ID SN j ||T U i ).
  if the recovered values are consistent (both verification conditions of the algorithm hold) then
     Accept the derived ID U i , PW U i , σ i and X' U i as the correct identity, password, secret biometric data and established secret of the user U i ; return 1 (Success)
  else
     return 0 (Failure)
Therefore, the adversary A obtains the values PW U i , σ i , K U i and X' U i . However, according to Definitions 1-3 (Section 3), the advantage of A is negligible for any probabilistic polynomial-time adversary, where q R 1 , q R 2 and q R 3 denote the numbers of queries made to the Reveal1, Reveal2 and Reveal3 oracles respectively. Hence the secure hash function h(), the encryption mechanism Enc k [s] and the ECDH problem defined in Section 3 contradict the existence of the oracles Reveal1, Reveal2 and Reveal3 assumed in Algorithm 1. This shows that our scheme prevents A from deriving the secret parameters PW U i , σ i , K U i and X' U i , and the theorem is proved.

Verification Using Scyther tool
The Scyther tool provides several notable features:
• Guaranteed termination, after which the result is either unbounded correctness, falsification, or bounded correctness.
• Efficient generation of a finite representation of an infinite set of traces in terms of patterns, also known as a complete characterization.
• State-of-the-art performance, which has made new types of protocol analysis feasible, such as multi-protocol analysis.
The proposed protocol is specified in the Security Protocol Description Language (SPDL). The specification defines the roles of U i , GW N and SN j , and every role consists of a sequence of events (send, receive, declaration and claim events). The protocol specification and the roles of U i , GW N and SN j are given in Tables 10-13 respectively. The verification result obtained with the Scyther tool is shown in Figure 2: no attack was found on any of the claims specified in our protocol.

Verification Using AVISPA Tool
In this section, we first explain the setup and some basic features of the AVISPA tool used for the formal security analysis of our protocol, then describe the implementation of the protocol in the High-Level Protocol Specification Language (HLPSL), and finally discuss the results. To simulate the proposed protocol on AVISPA v1.1 we use the Security Protocol ANimator (SPAN) version 1.6 on a computer with Ubuntu 16.04 LTS (64 bit), an Intel Core i7-6500U CPU @ 2.50 GHz × 4 and 8 GB RAM. We extract the archive avispa-package-1.1_Linux-i686.tgz, set the environment variable AVISPA_PACKAGE and place the avispa script in the execution path. We implement the protocol with the minimal number of entities involved in WSNs/IoT (one user U i , one sensor node SN j and one gateway node GW N) under the Dolev-Yao model [33] with a bounded number of sessions and the specified goals, using the On-the-Fly Model-Checker (OFMC) and Constraint-Logic-based Attack Searcher (CL-AtSe) back-ends.

Implementation of the Proposed Protocol Using HLPSL
The HLPSL specification of the protocol consists of the following sections:
1. Basic roles: A basic role describes the activity of one entity (the user U i , the gateway GW N or the sensor node SN j ) involved in the protocol.
• Each role has parameters such as U i , GW N and SN j of type agent and Kui1 and Kgsnj of type symmetric_key.
• The parameters RCV and SND denote the agent's channels for receiving and sending information.
• The attribute (dy) marks a channel as subject to the Dolev-Yao intruder model.
• The functions H, Gen, Rep, EccMul, Enc, Dec and XOR correspond to the hash function, the fuzzy extractor's generator and reproduction procedures, elliptic-curve scalar multiplication, encryption, decryption and logical XOR respectively.
• The type hash_func is used for all functions that are not easily invertible, because arbitrary non-invertible arithmetic operators are not supported in HLPSL.
• The clause "played_by Ui" states that the role User is played by Ui.
The HLPSL specifications of the roles of U i , GW N and SN j are shown in Tables 14-16 respectively.
2. Transitions: Transitions are declared in steps. Each has a trigger that fires when an event occurs: in a given State, if a message is received on channel RCV, the transition fires and assigns a new value to State.
3. Composed roles: A composed role makes one or more basic roles execute together and represents the sessions of the protocol. The operator ∧ denotes parallel execution of the roles. The HLPSL specification of the proposed protocol's session is shown in Table 17.
4. Environment: The environment consists of the global constants and the session composition, in which the adversary may also execute some role as an authorized user. The HLPSL specification of the proposed protocol's environment is shown in Table 18.
5. Security goals: This section specifies the security goals of the protocol. An important predicate used here is:
• secret({PWi,Bi,SIGi'}, sub1, Ui): the information {PWi,Bi,SIGi'} is secret to Ui, and it is referred to in the goal section by the constant identifier sub1.
The HLPSL specification of the proposed protocol's goals is shown in Table 19.
The output of the AVISPA tool describes the result obtained under various conditions after the security analysis of the protocol and consists of the following sections:
• Summary: states whether the protocol is safe, unsafe, or the analysis inconclusive.
• Details: specifies the environment and the context under which the protocol is claimed to be safe, unsafe or inconclusive.

• Protocol: the name of the protocol given as input for security verification.
• Goal: the specified security goal of the protocol.
• Backend: which of the four back-ends was used for the analysis.
The verification result of the AVISPA tool [31] is shown in Table 20: the proposed protocol is reported safe (in particular against man-in-the-middle and replay attacks) under the Dolev-Yao model [33] with a bounded number of sessions and the specified goals, for both the On-the-Fly Model-Checker (OFMC) and the Constraint-Logic-based Attack Searcher (CL-AtSe) back-ends.

Verification Using BAN Logic
In this subsection, we use BAN logic [34] to verify the freshness of the time-stamps, which prevents replay attacks, and to validate the origin of each message, which gives authenticity. The notation used for the logical verification is shown in Table 21. To achieve the intended security features, the proposed protocol should meet the goals defined in Table 22.
Table 22.Goals: The goals made to analyze the proposed scheme.

Goal 1 U
Hypotheses: Some important assumptions (as shown in Table 23) about the initial state are made to analyze the proposed scheme.Now, based on the hypothesis as described in Table 23 and the rules of the BAN logic, we validate that the proposed protocol can accomplish the intended goals and the clear explanations are as follows:

H 1: U
Derivation of user U i 's trusts on the truth of secret information K U i .
That is, if U i believes that GW N has jurisdiction over K U i then U i trusts GW N on the truth of K U i .Therefore, we achieve Goal 1.

2.
Derivation of sensor node SN j 's trusts on the truth of secret information K GSN j .
That is, if sensor node SN j believes that the gateway node GW N has jurisdiction over K GSN j then SN j trusts GW N on the truth of K GSN j .Therefore, we achieve Goal 2.

3.
Verification of freshness of user's time-stamp T U i on the gateway node GW N (using message-meaning and nonce verification rule): That is, if GW N believes that the time-stamp T U i is fresh and U i once said T U i , then GW N believes U i believes T U i .Therefore, we achieve Goal 3.

4.
Verification of freshness of gateway node's time-stamp T GW N on the sensor node SN j (using message-meaning and nonce verification rule): That is, if U i believes the secret X U i is shared with GW N and sees < Y SN j > X U i , then U i believes GW N once said Y SN j .Therefore, we achieve Goal 8.
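A worked derivation of Goal 3 (item 3 above) carried through in the notation of Table 21, added here as an example; it is not the paper's own derivation, and the two hypotheses are written in the form the assumptions of Table 23 would take (assumed):

```latex
\begin{gather*}
% Hypotheses (assumed) and the message GWN receives in Step A2
H_a:\quad GWN \mid\!\equiv\; U_i \xleftrightarrow{X'_{U_i}} GWN
  \qquad\text{(GWN believes $X'_{U_i}$ is a secret shared with $U_i$)}\\
H_b:\quad GWN \mid\!\equiv\; \#(T_{U_i})
  \qquad\text{(GWN has checked $T - T_{U_i} \le \Delta T$ in Step A2)}\\
M_1:\quad GWN \triangleleft \{ID_{SN_j},\, T_{U_i}\}_{X'_{U_i}}
  \qquad\text{($\alpha$, received in $M_1$)}\\[8pt]
% Rule 1 (message-meaning rule) applied to H_a and M_1
\frac{GWN \mid\!\equiv U_i \xleftrightarrow{X'_{U_i}} GWN,\qquad
      GWN \triangleleft \{ID_{SN_j},\, T_{U_i}\}_{X'_{U_i}}}
     {GWN \mid\!\equiv U_i \mid\!\sim (ID_{SN_j},\, T_{U_i})}\\[8pt]
% Rule 2 (nonce-verification rule) applied to H_b and the component T_{U_i}
\frac{GWN \mid\!\equiv \#(T_{U_i}),\qquad GWN \mid\!\equiv U_i \mid\!\sim T_{U_i}}
     {GWN \mid\!\equiv U_i \mid\!\equiv T_{U_i}}
  \qquad\text{(Goal 3)}
\end{gather*}
```

The first rule application yields U i |∼ (ID SN j , T U i ); BAN logic lets a principal's once-said statement be projected onto any of its components, which gives U i |∼ T U i for the second step. The freshness hypothesis H b is exactly what the check T − T U i ≤ ∆T of Step A2 provides, so a replayed α fails at H b rather than at the message-meaning step.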

Relative Security Analysis
Our comparative analysis of security features is based on the features commonly required of such protocols and on resistance to well-known attacks. Table 24 shows that our scheme resists the major attacks and provides more security features than the existing schemes.

Relative Performance Based on Computational Cost
The execution times of the different cryptographic operations performed by the user U i and the gateway node GW N, as measured in [35,36] on a computer with Windows 7, an Intel Core 2 Quad Q8300 CPU at 2.50 GHz and 2 GB RAM, are listed in Table 25. We take the time of a fuzzy extractor operation to be that of a hash function, because the fuzzy extractor [27] can be built from universal hash functions or error-correcting codes that require only lightweight operations. The computation time and energy consumed by the cryptographic operations on the sensor node SN j (a MicaZ node with an 8-bit ATmega128L Atmel processor, 4 KB RAM, 128 KB ROM, 512 KB EEPROM and 2 AA batteries, running TinyOS [37] with code written in nesC [38]) are listed in Table 26.
The comparison of user authentication protocols by computational cost is shown in Table 27. In the proposed protocol, the registration phase costs T h ≈ 0.50 ms for U i and 4T h + T e ≈ 4 × 0.50 + 50.3 = 52.30 ms for GW N; the authenticated session key establishment phase costs 3T h ≈ 1.50 ms for U i , 3T h + T e ≈ 1.50 + 50.3 = 51.80 ms for GW N and T SE ≈ 5.05 ms for SN j . The computational costs of the schemes of Das et al. [17], Choi et al. [21], Park et al. [22] and Moon et al. [23] are evaluated in the same way and compared in Table 27. The comparison shows that the execution time on the sensor node is much smaller in the proposed protocol, because the elliptic-curve point multiplication has been moved from the sensor node to the gateway node without weakening the security features.
The energy consumption of the cryptographic operations on the sensor node is computed from the per-operation figures of Table 26. The comparison of user authentication protocols by energy consumption is shown in Table 28, which illustrates that the proposed protocol consumes less energy than the other existing protocols.
For the comparative analysis of communication overhead, we assume that the identity ID U i , a request message req, a response message R/RM, an encrypted message Enc k [s], a time-stamp T U i /T GW N /T SN j , a hash value h(.) and a point on the elliptic curve take 160, 32, 32, 128, 32, 160 and 160 bits respectively. In the proposed protocol, during the authentication and session key establishment phase, the message M 1 = (ID U i , X U i , α) requires 160 + 160 + 128 = 448 bits, whereas the messages M 2 = γ and M 3 = β require 128 + 128 = 256 bits. The total communication overhead of the proposed protocol is therefore 448 + 256 = 704 bits over 3 messages. For A.K.Das's protocol [17], the login message (ID U i , req) requires 160 + 32 = 192 bits, whereas in the authentication and key agreement phase the messages R, Enc ek i (R, T 1 , ID SN j ), (ID U i , Y j ) and (h(SK ij ), T 3 ) require 32, 128, 288 and 160 + 32 = 192 bits respectively, giving a total of 832 bits. The communication overheads of the schemes of Choi et al. [21], Park et al. [22] and Moon et al. [23] are evaluated in the same way and compared in Table 29, which illustrates that the proposed protocol has less communication overhead than the other existing protocols, and so saves communication energy and bandwidth.

Comprehensive Analysis and Lessons Learnt
The security analysis of the existing user authentication protocols in the literature shows that they are vulnerable to attacks such as user impersonation, sensor node impersonation and attacks mounted by legitimate users, and the performance analysis shows that they are inefficient in computational cost. The comparative security and performance analysis indicates that our proposed protocol is secure against the stolen smart card, user impersonation, sensor node impersonation, sensor node capture, replay and man-in-the-middle attacks, and provides mutual authentication, three-factor authentication, secure password and biometric update, confidentiality, integrity and freshness. The protocol is efficient with respect to the computational cost of the resource-constrained sensor nodes and saves communication energy and bandwidth, so it is appropriate for applications built on resource-constrained ubiquitous computing devices. It can therefore be used in real-world applications of WSNs and IoT that consist of resource-constrained sensor devices and require biometric-based secure user authentication and efficient session key establishment, including smart-card-based banking and financial transactions at automated teller machines (ATMs) and point-of-sale (POS) terminals.

Conclusions and Future Work
In this paper, we have discussed the security issues of the sensor nodes of WSNs and analyzed the security of several existing user authentication protocols for WSNs. We have proposed an efficient user authentication and session key establishment protocol for WSNs and IoT based on a smart card, a fuzzy extractor and ECDH. We have given a security proof in the random oracle model and a BAN-logic verification of the protocol's security features, and have verified the protocol with the well-known AVISPA and Scyther tools. Through this analysis we have shown that the proposed protocol fulfils the desired security requirements and avoids the weaknesses found in existing user authentication protocols for WSNs. Finally, a comparative analysis with existing protocols based on security features and computational overhead shows that the proposed protocol is secure, efficient and suitable for WSNs/IoT. In future work, we intend to propose an authenticated key exchange protocol based on hyper-elliptic curve cryptography suitable for WSNs and IoT.

Definition 5. Reveal1: Given a hash value y = h(s), this oracle unconditionally outputs the string s.
Definition 6. Reveal2: Given an encrypted value Enc k [s], this oracle unconditionally outputs the string s without knowing the key k.
Definition 7. Reveal3: Given P ∈ E p (a, b) and the public parameter X = r × P ∈ E p (a, b), this oracle outputs the private key r.

Experimental Setup and the Size of the Entities Involved in WSNs/IoT for the Simulation of the Proposed Protocol Using the AVISPA Tool
specified that Watro et al.'s [4] and Wong et al.'s [6] schemes exhibit replay and forgery attack.Further, Tseng et al. improved Wong et al.'s scheme and recommended password update mechanism.In 2008, Lee

Table 2 .
User registration phase of A.K.Das's scheme.

Table 3 .
Login, authentication and key sharing phase of A.K.Das's scheme.

Table 4 .
Authentication and session key establishment phase of Choi et al. protocol.

Accept PM, where sk = h(AID i ||r i × r s × P||T s ).
• Therefore, Choi et al.'s scheme does not provide user anonymity, i.e., an adversary A can compute the user U i 's identity ID U i , although Choi et al. claimed that their protocol provides user anonymity.
• Furthermore, A intercepts the cipher-text C i = E k i (ID U i ||X i ) and derives the plain-text (ID U i ||X i ); therefore Choi et al.'s scheme is vulnerable to a known-plaintext attack.

Table 5 .
User registration phase of Park et al.'s protocol.

Table 6 .
U i 's authentication and session key sharing phase of Park et al. protocol.
accepts RM and establishes the session key sk = h(AID U i ||r U i × r SN j × P||T SN j ) with SN j .
The adversary thus establishes the session key sk = h(AID U k ||K US ||T SN j ) with the sensor node SN j ; therefore, Park et al.'s scheme is vulnerable to the user impersonation attack. A similar attack is possible on Moon et al.'s scheme [23], since the value C U i in Moon et al.'s scheme can be computed from x, y and N U i .

Table 7 .
User registration phase of proposed protocol.

Table 8 .
User authentication and session key establishment phase of the proposed protocol.

Table 9 .
User's credential update phase of proposed protocol.

Table 10 .
Specification of the proposed protocol in SPDL.

Table 11 .
Specification of the user's role in SPDL.

Table 12 .
Specification of the gateway node's role in SPDL.

Table 13 .
Specification of the sensor's role in SPDL.
• witness(Ui, GWN, gateway_user_gu, Tui', Alpha'): represents the weak authentication of Ui to GWN; Ui is the witness for the data {Tui', Alpha'}, and this goal is identified as gateway_user_gu in the goal section.

Table 14 .
Specification of U i 's role in HLPSL.

Table 15 .
Specification of GW N's role in HLPSL.

Table 16 .
Specification of SN j 's role in HLPSL.

Table 17 .
Specification of proposed protocol's session in HLPSL.

Table 19 .
Specification of proposed protocol's goal in HLPSL.

Table 20 .
Security verification result obtained using AVISPA tool.

Table 21 .
Notations used in verification using BAN logic.
P BAN , Q BAN : principals such as U i , GW N and SN j .
S: statements such as T U i , T GW N , α, β.
K: a secret key or secret information such as K GSN j , X' U i .
P BAN |≡ S: P BAN believes S, i.e., believes that S is true.
P BAN ◁ S: P BAN sees S; P BAN has received a message containing S and can read or repeat S.
P BAN |∼ S: P BAN once said S; P BAN sent a message containing S, which may be fresh or old.
P BAN ⇒ S: P BAN has jurisdiction over S, i.e., P BAN 's beliefs about S should be trusted.
#(S): S is fresh; it has not been sent before.
P BAN ←K→ Q BAN : K is a secret known only to P BAN and Q BAN , and perhaps to principals trusted by them.
< S > S1 : S combined with the secret S1; the presence of S1 proves the identity of whoever generated < S > S1 .
{S} K : S encrypted under the key K.
Rule 1 (message-meaning rule): from P BAN |≡ P BAN ←K→ Q BAN and P BAN ◁ {S} K , infer P BAN |≡ Q BAN |∼ S. That is, if P BAN believes that it shares the key K with Q BAN and sees the message S encrypted under K, then P BAN believes that Q BAN once said S.
Rule 2 (nonce-verification rule): from P BAN |≡ #(S) and P BAN |≡ Q BAN |∼ S, infer P BAN |≡ Q BAN |≡ S. That is, if P BAN believes that S is fresh and that Q BAN once said S, then P BAN believes that Q BAN believes S.
Rule 3 (jurisdiction rule): from P BAN |≡ Q BAN ⇒ S and P BAN |≡ Q BAN |≡ S, infer P BAN |≡ S. That is, if P BAN believes that Q BAN has jurisdiction over S and believes that Q BAN believes S, then P BAN believes S.

Table 23 .
Hypotheses: The assumptions made to analyze the proposed scheme.

Table 24 .
Comparison of protocols based on security features.

Table 25 .
Execution time on computer system for cryptographic operation.

Table 26 .
Execution time and energy consumption on MicaZ sensor node for cryptographic operations.

Table 28 .
Comparison of protocols based on energy consumption on sensor node SN j .

Table 29 .
Comparison of protocols based on communication overhead. A.K.