A Secure and Anonymous Authentication Protocol Based on Three-Factor Wireless Medical Sensor Networks

Abstract

Wireless medical sensor networks (WMSNs), a type of wireless sensor network (WSN), have enabled medical professionals to identify patients’ health information in real time to identify and diagnose their conditions. However, since wireless communication is performed through an open channel, an attacker can steal or manipulate the transmitted and received information. Because these attacks are directly related to the patients’ lives, it is necessary to prevent these attacks upfront by providing the security of WMSN communication. Although authentication protocols are continuously developed to establish the security of WMSN communication, they are still vulnerable to attacks. Recently, Yuanbing et al. proposed a secure authentication scheme for WMSN. They emphasized that their protocol is able to resist various attacks and can ensure mutual authentication. Unfortunately, this paper demonstrates that Yuanbing et al.’s protocol is vulnerable to smart card stolen attacks, ID/password guessing attacks, and sensor node capture attacks. In order to overcome the weaknesses and effectiveness of existing studies and to ensure secure communication and user anonymity of WMSN, we propose a secure and anonymous authentication protocol. The proposed protocol can prevent sensor capture, guessing, and man-in-the-middle attacks. To demonstrate the security of the proposed protocol, we perform various formal and informal analyses using AVISPA tools, ROR models, and BAN logic. Additionally, we compare the security aspects with related protocols to prove that the proposed protocol has excellent security. We also prove the effectiveness of our proposed protocol compared with related protocols in computation and communication costs. Our protocol has low or comparable computation and communication costs compared to related protocols. Thus, our protocol can provide services in the WMSN environment.

1. Introduction

With the development of wireless internet technology, the Internet of Things (IoT) has experienced rapid expansion, with a large number of sensors being deployed in IoT devices. Wireless Sensor Network (WSN) is an essential IoT technology that enables data collection, monitoring, and exchange in diverse environments, e.g., smart grid monitoring and smart healthcare using WSN [1,2,3]. Applying WSN to a smart healthcare environment and using it for medical monitoring is called Wireless Medical Sensor Networks (WMSNs).

Based on WMSN, medical personnel, such as doctors and nurses, can continuously monitor the health of patients. These healthcare systems collect various medical factors, such as pulse, blood pressure, ECG, and body temperature by medical sensors attached to the patient [4]. By continuously monitoring this information, medical personnel can quickly diagnose a patient. WMSNs, similar to typical WSNs, comprise of users, gateways, and medical sensor nodes. The user (medical professional) and the medical sensor node register their respective information in the gateway node, and the users is able to obtain the patient’s bio-information through the medical sensor node. However, since devices equipped with medical sensors have limited capabilities (e.g, transmission range, calculation, and storage capabilities), protocols that use heavy computations may cause communication failure of the system [4]. In addition, because WMSN exchanges information through wireless open channels vulnerable to attack, if an attacker obtains the information shared on the wireless channel, the attacker can obtain the patient’s medical information or deliver incorrect medical information to the user [5]. Thus, a communication failure of the system and manipulation of medical information by an attacker may result in a situation in which the patient’s condition cannot be determined. Since this is directly related to the patients’ lives, lightweight authentication among users, gateways, and sensor nodes based on a predetermined session key is essential for secure information exchange.

Therefore, in order to provide secure services using WMSN, researchers have proposed two-factor authentication protocols by adopting passwords and smart cards. However, the typical two-factor authentication protocol is not secure against guessing attacks and smartcard stolen attacks. Additionally, some researchers have argued that it is possible for attackers to guess ID/password pairs since users generate easy-to-remember ID/password pairs for their convenience [6,7,8].

In 2021, Yuanbing et al. [9] proposed an authentication scheme for smart healthcare by applying a WMSN. They argued that their protocol can resist against smartcard stolen, off-line guessing, and man-in-the-middle (MITM) attacks. They also said that their scheme can ensure mutual authentication and session key security. Unfortunately, we figure out that Yuanbing et al.’s scheme is not secure against off-line guessing, impersonation, sensor node capture, and MITM attacks. Furthermore, we discover that their scheme cannot provide session key security and mutual authentication. Our research contributions, motivations, and methodologies are discussed in Section 1.1.

1.1. Research Contributions, Motivations, and Methodology

Yuanbing et al. [9] analyzed Farash et al.’s protocol for secure authentication in smart healthcare systems and suggested an enhanced protocol. However, we identify security vulnerabilities in Yuanbing et al.’s protocol. Their protocol is vulnerable to offline ID/password pair guessing, impersonation, sensor capture, sensor impersonation, and MITM attacks over an WMSN, and does not guarantee essential security features. In addition, their protocol adopts elliptic curve cryptography (ECC), so the computation cost is high.

To overcome these problems, we propose a secure authentication protocol for smart healthcare based on WMSN. We adopt three-factor using the user’s biometrics, as well as smart card adoption to defend against ID/password pair guessing attacks. We also introduce Physical Unclonable Function (PUF) [10] technology to defend against sensor node physical capture attacks.

To prove the security of our protocol, we conduct formal and informal (non-mathematical) security analysis. We use the widely adopted Real-Or-Random (ROR) model [11] and Burrows Abadi Needham (BAN) logic [12] to perform formal analysis. Furthermore, we use the AVISPA [13] for proving that the proposed protocol can be secure against replay and MITM attacks. By comparing the proposed protocol with other authentication protocols, the efficiency is analyzed in terms of security, communication costs, and computational costs.

1.2. Organization of the Paper

The rest of this paper is structured as follows: In Section 2, we review diverse authentication protocols using WMSN. We briefly describe the protocol’s system model, adversary model, PUF, and fuzzy extraction in Section 3. We review the protocol of Yuanbing et al. in Section 4. We present a cryptographic analysis of the protocol in Section 5. Section 6 explains our proposed protocol and there is a security analysis in Section 7. We analyze the computation and communication costs of the protocol in Section 8. Finally, the work is summarized in Section 9.

2. Related Works

Research on authentication protocol for the WSN environment has been continued since Lamport [14] proposed a password-based authentication protocol for various network environments in 1981. We briefly review authentication protocols related to WMSN and wearable devices in the WSN environment. In 2012, Kumar et al. [15] suggested a new authentication protocol in the WMSN environment. They explained that the proposed protocol using only symmetric encryption and hash functions is effective to protect communication security. However, He et al. [6] found that the scheme of Kumar et al. was not secure against offline password guessing attacks, which could lead to guessing the user’s identity. To overcome this security vulnerability, He et al. proposed an improved authentication protocol for resource-limited sensors. Unfortunately, Li et al. [16] pointed out that He et al.’s protocol is wrong in the protocol in the authentication and session key agreement phase. Li et al. proposed an authentication scheme using biometrics. Das et al. [17] found that Li et al.’s scheme is vulnerable to privileged insider attacks, smart device physical capture attacks, and fails to maintain the anonymity of users and smart devices. In 2018, Amin et al. [18] suggested a lightweight two-factor authentication protocol for protecting data transmitted in the WMSN environment. However, Jiang et al. [19] discovered that their protocol is vulnerable to mobile device loss attacks due to failed delivery, sensor key exposure, and desynchronization attacks. Jan et al. [20] also found that security flaws of Amin et al.’s protocol. Then, Jan et al. introduced a two-factor-based authentication scheme for WMSN. In 2020, Fotouhi et al. [21] proposed a lightweight two-factor-based authentication protocol for healthcare monitoring systems. However, Nashwan [22] figured out that Fotouhi et al.’s scheme cannot support full mutual authentication. In 2021, Masud et al. [23] designed a lightweight and privacy-protected authentication protocol for IoT-based healthcare using the sensors of an IoT device carried out by a patient. However, Masud et al.’s protocol is also insecure against offline password guessing, user impersonation, and privileged insider attacks, and do not provide user anonymity [24].

Moreover, some researchers have pointed out that these traditional two-factor authentication protocols are vulnerable to ID/password simultaneous guess attacks [6,7,8]. Accordingly, a three-factor authentication protocol was proposed using the user’s biometric information.

In 2018, Ali et al. [25] discovered the problems of the protocol of Amin et al. [18] and introduced an authentication protocol based on three factors to solve the problem. However, their proposed protocol also cannot protect against desynchronization attacks or achieve full forward secrecy [26]. Shuai et al.’s protocol [26] uses a pseudonymous identification method to ensure forward secrecy, provide user anonymity, and resist desynchronization attacks. However, Nashwan [22] discovered that Shuai et al.’s protocol is not able to support the sensor node’s anonymous service and cannot protect against sensor node impersonation attacks. Mo et al. [27] also found that Shuai et al.’s protocol has a flaw at the password change phase. Then, Mo et al. proposed an enhanced protocol for WMSN. Li et al. [28] suggested an authentication scheme that guarantees perfect forward secrecy in the WMSN environment by using a three-factor method. However, their protocol also cannot guarantee the security of the sensor node and is vulnerable to sensor node spoofing attacks [29].

Since the three-factor-based authentication protocol for the WMSN-based medical system is also vulnerable to sensor node vulnerabilities and sensor node spoofing attacks, an improved system is designed according to a new technology called PUF. In 2018, Gope and Sikdar [30] designed a two-factor authentication scheme using PUF technology in the IoT environment. However, their protocol cannot resist ephemeral secret leakage (ESL) attacks and desynchronization attacks [31].

Authentication protocols using technologies such as multi-factor and PUF have been continuously proposed for the WMSN environment, but security vulnerabilities still exist. When security vulnerabilities occur in the WMSN environment, the patient’s medical information can be manipulated or leaked by a malicious attacker. The recently proposed protocol of Yuanbing et al. [9] is not safe against ID/password pair guessing attacks and spoofing attacks, and the security of sensor nodes cannot be guaranteed either. In this paper, we not only analyze the security vulnerabilities of Yuanbing et al.’s protocol, but also the proposed protocol, which can solve the security vulnerabilities that can occur even when using three-factor and PUF technology.

3. Preliminaries

We introduce the system model of the proposed protocol and the adversary model for protocol security analysis. In addition, the security technologies adopted by the proposed protocol, PUF, and fuzzy extraction will be briefly described. The symbols used in this paper are given in Abbreviations.

3.1. System Model of Our Protocol

The proposed system model is shown in Figure 1. Our proposed protocol consists of the following entities:

• User (Medical Professional): The user obtains the patient’s sensor node information by requesting communication to the gateway. To this end, users register their information with the gateway and agree on a session key with the sensor node. In the future, only registered users can request communication to the gateway and use secure services through the session key.
• Sensor node (patient): The sensor node that the patient is equipped with collects various health information of the patient (e.g., body temperature, blood pressure, pulse, and ECG). The patient’s sensor nodes transmit the collected information to the user through the session key. Through this, the user can identify and diagnose the patient’s condition. Sensor nodes are resource-limited devices.
• Gateway node: A gateway is a trusted entity that performs registration and authentication processes, and regulates the authentication of users and sensor nodes. All users and sensor nodes must be registered with the gateway to acquire session keys and to communicate.
• Access point: The access point is a wireless connection between the patient’s sensor node and the gateway and between the user and the gateway. The communication between each access point and each entity is considered securely authenticated.

Sensor nodes and users must first register through the gateway. When sensor nodes and users request registration, the gateway stores their related registration information and controls communication between the users and sensor nodes. The users and relevant sensor nodes agree on a session key through the gateway, and secure communication can be achieved later through the agreed session key. The proposed protocol is composed of registration, login and authentication, and password and biometric update phases. At the registration phase, sensor nodes and users register their information through the gateway. Users, gateways, and sensor nodes perform mutual authentication at the login and authentication phase, and they agree on a session key for communication. At this time, our protocol uses the user’s biometric information to defend against malicious attacker’s ID/password pair guessing attack. In addition, the sensor node has a built-in PUF technology that guarantees security against physical capture attacks. Later, the user is able to safely collect the sensor node information by using the session key, and can manage the patient’s health based on this. At the password and biometric update phase, users are able to update passwords and biometrics.

3.2. Physical Unclonable Function

To securely store secret values and identity information in sensor nodes, we adopt PUF technology. PUF is able to be portrayed as “the representation of the instance-specific functionality, non-replicable, and unique of a physical entity” [10]. The uncertainty and randomity of the integrated circuit manufacturing are less likely to generate a duplicate value, so the PUF attracts more attention. A PUF receives challenge C and then obtains the response R through the physical properties of integrated chip and C. The allowed C and the generated R can be represented by the string of the bit. This operation can be expressed as Equation (1).

$$R=PUF(C)$$

(1)

and this is like the nature of a one-way function. Ideally, there is a one-to-one correspondence between the PUF and the C/R pair. Furthermore, if the same PUF is challenged multiple times, responses will be the same, but the responses obtained for different PUFs will be different when given the same challenge. Additional characteristics of PUF are:

• It is not possible to clone a PUF to generate the same sensors or devices [32].
• If an attacker tries to change the sensor or device that the PUF is mounted on, the sensor or device will change the behavior of the PUF and destroy the PUF [33].
• In practical circuit manufacturing, the differences in input and output function mapping are fixed and unpredictable [34].

However, in a realistic situation, due to environmental and circuit noise, it is difficult for a PUF to always return the same R because of the small margin of error of C. To solve this, PUF has been applied together with fuzzy extraction technology [35].

3.3. Fuzzy Extraction

Fuzzy extraction [35] can be used to solve noise problems that may occur in biometric inputs. Furthermore, fuzzy extraction can also help with noisy PUF. The fuzzy extractor can get the same value by removing the noise through the $Gen$ function and the $Rep$ algorithm.

The $Gen$ algorithm generates key information that can respond to input values such as C of PUF or $BIO$ of biometric information. In other words, if the data $D_i$ is used as an input to the $Gen$ algorithm, the secret key data $R_i$ is output, and it is a uniform random string. At the same time that $R_i$ is output, the fuzzy extractor outputs the $P_i$ to help recover the key values and remove noise. This algorithm could be presented as Equation (2).

$$Gen(D_i)=<R_i,P_i>$$

(2)

The $Rep$ algorithm can restore the secret key $R_i$ from $P_i$ and the entered C and $BIO$ values. First, input data $D_i$ such as C or $BIO$ and $P_i$ helper strings are input to the $Rep$ algorithm. This can cause noise in data $D_i$. In this case, $P_i$ helps remove noise and restore data to output the correct $R_i$. The metric spatial distance between $D_i$ and $D_i^{{}^{\prime }}$ must be within the specified tolerance for the fuzzy extractor to recover a matching $R_i$. This algorithm could be presented as Equation (3).

$$Rep(D_i,P_i)=R_i$$

(3)

3.4. Adversary Model

We use the “Dolev–Yao (DY) adversary model [36]” to conduct the security analysis of the protocol proposed by Yuanbing et al. To this end, we first discuss the attack potential of attackers according to the DY model.

• According to the DY model, attackers have full control and learning of the messages exchanged on open wireless channels that are vulnerable to attack. They can then modify, remove, or insert legitimate messages.
• Attackers can obtain or steal users’ legitimate smart cards. After that, they can obtain the secret information stored on the smartcard by performing power analysis attacks [37,38].
• After obtaining the secret information of the smart card or sensor node, the attacker can try potential attacks such as offline identity guessing attacks, impersonation, and so on [39,40].
• Attackers can guess a user’s identity and password pairs in polynomial time.

In addition to the DY model, we also adopt the “Canetti–Krawczyk (CK) adversary model” [41]. The CK model is a more practical attacker model compared to the DY model. According to the CK model, for the consensus session key to be secure, the key exchange protocol must minimize the impact of long-term or short-term secret leaks.

4. Review of Yuanbing et al.’s Protocol

This section briefly presents the Yuanbing et al.’s authentication protocol for a smart healthcare system based on WMSN.

4.1. Pre-Deployment Phase

In this phase, a system administrator adopts $X_{GWN}$ that only the $GWN$ knows in offline mode, and predefined $SI{D}_j$, which is the ID of each sensor node $S{N}_j$. The system administrator also sets a pre-shared key $X_{GWN-S{N}_j}$ for each $S{N}_j$ with the associated $GWN$. The protocol of Yuanbing et al. uses the shared key $X_{GWN-S{N}_j}$ at the sensor node registration phase. It is important to note the password $X_{GWN-S{N}_j}$ is deleted from $S{N}_j$’s memory once $S{N}_j$ is successfully registered.

4.2. Sensor Node Registration Phase

$S{N}_j$ registers its information in $GWN$ at this phase. The detailed steps are as follows.

Step 1: $S{N}_j$ chooses a random nonce $r_j$, and calculates $M{P}_j=h(X_{GWN-S{N}_j}$$\left|\right|r_j\left|\right|SI{D}_j\left|\right|T_1)$ and $M{N}_j=r_j\oplus X_{GWN-S{N}_j}$. After that, $S{N}_j$ transmits $\{SI{D}_j,M{N}_j,$$M{P}_j,$$T_1\}$ to the gateway.

Step 2: $GWN$ checks the timestamp. If the condition holds, $GWN$ calculates $r_j^{{}^{\prime }}=M{N}_j\oplus X_{GWN-S{N}_j}$. Then, $GWN$ computes $M{P}_j^{{}^{\prime }}=h(X_{GWN-S{N}_j}\left|\right|$$r_j^{{}^{\prime }}\left|\right|SI{D}_j\left|\right|T_1)$ and checks if $M{P}_j=M{P}_j^{{}^{\prime }}$. If it is the same, $GWN$ computes $x_j=h(SI{D}_j\left|\right|X_{GWN})$, $e_j=x_j\oplus X_{GWN-S{N}_j}$, $d_j=h(X_{GWN}\left|\right|1)\oplus h(X_{GWN-S{N}_j}\left|\right|T_2)$, and $f_j=h(x_j\left|\right|d_j\left|\right|X_{GWN-S{N}_j}\left|\right|T_2)$. Then, $GWN$ sends $\{d_j,f_j,e_j,T_2\}$ to $S{N}_j$.

Step 3: $S{N}_j$ checks the timestamp. If the condition is correct, $S{N}_j$ calculates $x_j=e_j\oplus X_{GWN-S{N}_j}$ and checks if $f_j=h(x_j\left|\right|d_j\left|\right|X_{GWN-S{N}_j}\left|\right|T_2)$. If it is correct, $S{N}_j$ computes $h(X_{GWN}\left|\right|1)=d_j\oplus h(X_{GWN-S{N}_j}\left|\right|T_2)$. $S{N}_j$ stores $\{x_j,h(X_{GWN}\left|\right|1)\}$ in its memory. Then, $S{N}_j$ deletes the $X_{GWN-S{N}_j}$ and sends a respond message to $GWN$.

Step 4: Upon receiving the response message, $GWN$ removes $\{SI{D}_j,X_{GWN-S{N}_j}\}$.

4.3. User Registration Phase

Users (such as nurses and doctors) must first register with the $GWN$ when they want to obtain the patient’s medical data at this phase. The detailed steps are as follows.

Step 1: The user $U_i$ selects their $I{D}_i$ and $P{W}_i$, $r_i$. Then, $U_i$ calculates $MI{D}_i=h(r_i\left|\right|I{D}_i)$, $M{P}_i=h(r_i\left|\right|P{W}_i)$, and $RS{P}_i=h(I{D}_i\left|\right|M{P}_i)$. After that, $U_i$ sends $\{RS{P}_i,MI{D}_i\}$ to $GWN$.

Step 2: $GWN$ calculates $e_i=h(RS{P}_i\left|\right|MI{D}_i)$, $d_i=h(MI{D}_i\left|\right|X_{GWN})$, $g_i=h(X_{GWN})\oplus h(RS{P}_i\left|\right|d_i)$, and $f_i=d_i\oplus h(RS{P}_i\left|\right|e_i)$. Then, $GWN$ stores $\{e_i,f_i,g_i\}$ into $SC$ and issues it to $U_i$.

Step 3: $U_i$ computes $r_i^{*}=h(I{D}_i\left|\right|P{W}_i)\oplus r_i$ and stores $r_i^{*}$ into $SC$.

4.4. Login and Authentication Phase

At this phase, $U_i$ agrees on a session key by conducting mutual authentication with $S{N}_j$ before accessing the patient’s medical information. The detailed steps are shown in Figure 2 and described below.

Step 1: The user $U_i$ inserts $SC$, and inputs $I{D}_i$ and $P{W}_i$. $SC$ computes $r_i^{{}^{\prime }}=r_i^{*}\oplus h(I{D}_i\left|\right|P{W}_i)$, $MI{D}_i^{{}^{\prime }}=h(r_i^{{}^{\prime }}\left|\right|I{D}_i)$, $M{P}_i^{{}^{\prime }}=h(r_i^{{}^{\prime }}\left|\right|P{W}_i)$, and $RS{P}_i^{{}^{\prime }}=h(I{D}_i\left|\right|M{P}_i^{{}^{\prime }})$. Then, $U_i$ checks if $e_i=?h(RS{P}_i^{{}^{\prime }}\left|\right|MI{D}_i^{{}^{\prime }})$. If it corrects, $SC$ generates random nonce a and c, and computes $d_i=f_i\oplus h(RS{P}_i^{{}^{\prime }}\left|\right|e_i)$, $h(X_{GWN})=g_i\oplus h(RS{P}_i^{{}^{\prime }}\left|\right|d_i)$. $SC$ also calculates $R_1=aP$, $MI{D}_1=h(c||I{D}_i)$, $x_i=h(MI{D}_1\left|\right|h(X_{GWN}))$, $M_1=MI{D}_1\oplus h(h(X_{GWN})\left|\right|T_1)$, and $M_2=h(M_1\left|\right|x_i\left|\right|R_1\left|\right|T_1)$. Then, $U_i$ sends $\{M_1,M_2,R_1,$$T_1\}$ to $S{N}_j$ through an open channel.

Step 2: $S{N}_j$ checks $|T_1-T_c|<\Delta T?$. If this condition holds, $S{N}_j$ generates timestamp $T_2$ and random nonce b. $S{N}_j$ computes $ESI{D}_j=SI{D}_j\oplus h(h(X_{GWN})\left|\right|1)||T_2)$, $R_2=bP$, $R_3=b{R}_1$ and $M_3=h(SI{D}_j\left|\right|x_j\left|\right|R_2\left|\right|T_1\left|\right|T_2)$. After that, $S{N}_j$ transmits $\{M_1,M_2,M_3,T_1,T_2,$$ESI{D}_j,R_1,$$R_2\}$ to $GWN$ through an open channel.

Step 3: After receiving the message, $GWN$ checks $|T_2-T_c|<\Delta T?$. If this condition holds, $GWN$ computes $SI{D}_j^{{}^{\prime }}=ESI{D}_j\oplus h(h(X_{GWN}\left|\right|1)||T_2)$ and $x_j^{{}^{\prime }}=h(SI{D}_j^{{}^{\prime }}\left|\right|X_{GWN})$. Then, $GWN$ checks $M_3=?h(SI{D}_j^{{}^{\prime }}\left|\right|x_j^{{}^{\prime }}$$\left|\right|R_2\left|\right|T_1\left|\right|T_2)$. If it holds, $GWN$ computes $MI{D}_1^{{}^{\prime }}=M_1\oplus h(h(X_{GWN})\left|\right|T_1)$ and $x_i^{{}^{\prime }}=h(MI{D}_1^{{}^{\prime }}\left|\right|h(X_{GWN}))$. $GWN$ checks $M_2=?h(M_1\left|\right|x_i^{{}^{\prime }}\left|\right|R_1\left|\right|T_1)$. If it is correct, $GWN$ computes $M_4=h(x_i^{{}^{\prime }}\left|\right|R_2\left|\right|T_3)$, $M_5=h(x_j^{{}^{\prime }}\left|\right|R_1\left|\right|T_3)$, and $M_6=MI{D}_1^{{}^{\prime }}\oplus h(x_j^{{}^{\prime }}\left|\right|T_3)$. Then, $GWN$ sends $\{M_4,M_5,M_6,R_1,T_3\}$ to $S{N}_j$.

Step 4: Upon receiving the message, $S{N}_j$ checks $|T_3-T_c|<\Delta T?$. If this condition holds, $S{N}_j$ checks $M_5=?h(x_j\left|\right|R_1\left|\right|T_3)$. If these values are the same, $S{N}_j$ computes $MI{D}_1^{{}^{\prime }}=M_6\oplus h(x_j\left|\right|T_3)$, $SK=h(MI{D}_1^{{}^{\prime }}|\left|SI{D}_j\right|\left|R_3\right||$$T_3\left|\right|T_4)$, and $M_7=h(SK||M_4\left|\right|T_3\left|\right|T_4)$. Finally, $S{N}_j$ sends $\{M_4,M_7,$$R_2,T_3,T_4\}$ to $U_i$.

Step 5: Upon receiving the message, $U_i$ checks $|T_4-T_c|<\Delta T?$. If this condition holds, $U_i$ computes $M_4=h(x_i\left|\right|R_2\left|\right|T_3)$, $R_4=a{R}_2$, and $SK=h(MI{D}_1|\left|SI{D}_j\right||R_4$$\left|\right|T_3\left|\right|T_4)$. After that, $U_i$ checks $M_7=?h(SK||M_4\left|\right|T_3\left|\right|T_4)$. If it corrects, $U_i$ and $S{N}_j$ shares the same $SK$ at the end.

5. Security Analysis of Yuanbing et al.’s Protocol

We conduct the security analysis proposed by Yuanbing et al. [9] in this section. Yuanbing et al. demonstrated the ability of their protocol to resist diverse types of attacks. They also claimed that it is capable of providing anonymity. However, we contend that their protocol is vulnerable to smartcard theft, impersonation, sensor node capture attacks, and so on. Further, we prove that it fails to provide user anonymity in some cases.

5.1. Off-Line Guessing Attacks

A malicious attacker $ATT$ is able to acquire secret credentials stored in the smartcard, as discussed at Section 3.4. Furthermore, $ATT$ can also obtain transmitted messages over insecure channels. Finally, $ATT$ is able to guess the ID and password pair. The detailed steps are as follows:

Step 1: $ATT$ can obtain the stored values $\{e_i,f_i,g_i,r_i^{*}\}$ from the smartcard through power analysis attacks, and $ATT$ selects the guessing ID/password pair $I{D}_{att}/P{W}_{att}$.

Step 2: $ATT$ computes $r_{att}^{{}^{\prime }}=r_i^{*}\oplus h(I{D}_{att}\left|\right|P{W}_{att})$, $MI{D}_{att}^{{}^{\prime }}=h(r_{att}^{{}^{\prime }}\left|\right|I{D}_{att})$, $M{P}_{att}^{{}^{\prime }}=h(r_{att}^{{}^{\prime }}\left|\right|P{W}_{att})$, and $RS{P}_{att}^{{}^{\prime }}=h(I{D}_{att}\left|\right|M{P}_{att}^{{}^{\prime }})$. Then, $ATT$ checks if $e_i=h(RS{P}_{att}^{{}^{\prime }}\left|\right|MI{D}_{att}^{{}^{\prime }})?$.

Step 3: If these values match, $ATT$ is considered to have successfully guessed the legitimate user’s ID and password pair. If they do not match, $ATT$ repeats Step 1 and 2 again to guess $I{D}_i/P{W}_i$.

5.2. Impersonation Attacks

If $ATT$ can successfully guess the legitimate identity and password pair of a user through Section 5.1, $ATT$ computes a valid $RS{P}_i$ to perform user impersonation attacks. The detailed steps of user impersonation attacks are as follows.

Step 1: If $ATT$ succeeds in guessing the ID/password pair of $U_i$, then $ATT$ can compute a valid $RS{P}_i$. Then, $ATT$ can calculate $d_i=f_i\oplus h(RS{P}_i\left|\right|e_i)$ using the values $e_i$ and $f_i$ stored in the $U_i$’s smartcard. $ATT$ can also compute $h(X_{GWN})=g_i\oplus h(RS{P}_i\left|\right|d_i)$ using $g_i$ stored values in the smartcard.

Step 2: After that, $ATT$ chooses random nonces $a_{att}$ and $c_{att}$ and timestamp $T_{att}$. Subsequently, $ATT$ can compute $R_{1att}=a_{att}P$, $MI{D}_{1att}=h(c_{att}\left|\right|I{D}_i)$, $x_i=h(MI{D}_1\left|\right|h(X_{GWN}))$, $M_{1att}=MI{D}_{1att}\oplus h(h(X_{GWN})\left|\right|T_{att})$, and $M_{2att}=h(M_{1att}\left|\right|x_i\left|\right|R_1\left|\right|T_{att})$. Thus, $ATT$ can compute the login request message $\{M_{1att},M_{2att},R_{1att},T_{att}\}$. Therefore, $ATT$ can conduct successful impersonation attacks.

5.3. Sensor Node Impersonation Attacks

$ATT$ can obtain the $\{SI{D}_j,x_j,h(X_{GWN}\left|\right|1)\}$ stored in $S{N}_j$ through sensor node capture attacks. $ATT$ can then use the obtained values to compute a valid message and impersonate it as a valid $S{N}_j$. After the sensor node capture attacks, $ATT$ can perform sensor node impersonation attacks as follows:

Step 1: $ATT$ can acquire the values stored $\{SI{D}_j,x_j,$$h(X_{GWN}||1)\}$ in $S{N}_j$ through the sensor node capture attack. Then, $ATT$ chooses random nonces $b_{att}$ and $T_{att}$. Subsequently, $ATT$ calculates $ESI{D}_{att}=SI{D}_j\oplus h(h(X_{GWN}$$\left|\right|1)||T_{att})$.

Step 2: $ATT$ can obtain the values $\{M_1,M_2,R_1,T_1\}$ through the message sent to insecure channels. $ATT$ can calculate $R_{2att}=b_{att}P$, $R_{3att}=b_{att}{R}_1$, $M_{3att}=h(SI{D}_j\left|\right|x_j$$\left|\right|R_{2att}\left|\right|T_1\left|\right|$$T_{att})$. $ATT$ chooses a random nonce $b_{att}$ and timestamp $T_{att}$. Subsequently, $ATT$ can compute $R_{2att}=b_{att}P$, $R_{3att}=b_{att}{R}_1$, $M_{3att}=h(SI{D}_j\left|\right|x_j\left|\right|$$R_{2att}\left|\right|T_1\left|\right|T_{att})$. Then, $ATT$ sends the message $\{M_1,M_2,M_{3att},T_1,T_{2att},$$ESI{D}_j,R_1,$$R_{2att}\}$ to $GWN$. Thus, we can say that $ATT$ can impersonate the sensor node.

5.4. MITM Attacks

After sensor node impersonation attacks, $ATT$ can conduct MITM attacks using $R_{3att}$. The detailed steps are as follows:

Step 1: When $ATT$ receives the message $\{M_4,M_5,M_6,$$R_1,T_3\}$, $ATT$ computes $MI{D}_1^{{}^{\prime }}=M_6\oplus h(x_j\left|\right|T_3)$ using $x_j$ obtained through sensor node capture attacks.

Step 2: Then, $ATT$ can compute the fake session key $S{K}_{att}=h(MI{D}_1^{{}^{\prime }}\left|\right|SI{D}_j\left|\right|R_{3att}\left|\right|T_3\left|\right|T_4)$. $ATT$ also computes $M_{7att}=h(S{K}_{att}\left|\right|M_4\left|\right|T_3\left|\right|T_4)$. Finally, $ATT$ sends the message $\{M_4,M_{7att},R_2,T_3,T_4\}$ to $U_i$.

5.5. Fail to Ensure Anonymity and Mutual Authentication

Yuanbing et al. argued that the proposed protocol guarantees anonymity and provides mutual authentication. However, according to Section 5.1, $ATT$ is able to obtain the legitimate user’s real ID $I{D}_i$. Furthermore, according to Section 5.2 and Section 5.3, $ATT$ can impersonate the user or sensor node. In particular, according to Section 5.4, $ATT$ can interfere with mutual authentication by performing a man-in-the-middle attack. Therefore, Yuanbing et al.’s protocol fails to ensure user anonymity and mutual authentication.

6. Proposed Protocol

We propose a secure authentication protocol to overcome the problems of Yuanbing et al.’s proposed protocol. It utilizes the user’s biometrics to prevent off-line guessing attacks of ID/password pairs. We also introduce PUF technology to prevent capture attacks of sensor nodes. Therefore, the proposed protocol is found to be secure against various attacks. Additionally, the proposed protocol is a lightweight protocol to take into account the resource limitations of sensor nodes.

6.1. User Registration Phase

A user $U_i$ who wants to communicate with a specific $SN$ must register with $GWN$. The detailed steps are shown in Figure 3 and explained below.

Step URP1: User $U_i$ chooses identity $I{D}_i$ and password $P{W}_i$, and imprints their biometrics $BI{O}_i$. $U_i$ generates a random nonce $R{N}_u$. Then, $U_i$ computes $Gen(BI{O}_i)=<U{R}_i,P_i>$, $HI{D}_i=h(U{R}_i\left|\right|I{D}_i)$, $HP{W}_i=h(R{N}_u\left|\right|U{R}_i\left|\right|$$I{D}_i\left|\right|P{W}_i)$, and $RS{P}_i=h(I{D}_i\left|\right|HP{W}_i)$. Subsequently, $U_i$ sends $\{HI{D}_i,RS{P}_i,HP{W}_i\}$ to $GWN$ through a secure channel.

Step URP2: Upon receiving the message $\{HI{D}_i,RS{P}_i,$$HP{W}_i\}$, $GWN$ checks if $HI{D}_i$ is in its database. If not, $GWN$ creates a random nonce $R{N}_{gw}$. $GWN$ calculates ${\alpha }_i=h(HI{D}_i\left|\right|X_{GWN}\left|\right|R{N}_{gw})$, ${\beta }_i={\alpha }_i\oplus HP{W}_i$, and ${\gamma }_i=h(HI{D}_i\left|\right|RS{P}_i\left|\right|{\alpha }_i)$. Subsequently, $GWN$ saves $\{HI{D}_i,R_{gw}\}$ in its database and also stores $\{{\beta }_i,{\gamma }_i\}$ in $SC$. Then, $GWN$ issues $SC$ to $U_i$ via a closed channel.

Step URP3: After receiving $SC$ from $GWN$, $U_i$ computes $L_i=h(U{R}_i\left|\right|P{W}_i)\oplus R{N}_u$ and stores $L_i$ and $U{P}_i$ in $SC$. Finally, $SC$ stores $\{{\beta }_i,{\gamma }_i,L_i,U{P}_i\}$.

6.2. Sensor Node Registration Phase

$S{N}_j$ is assigned an ID $SI{D}_j$ by the system administrator before being deployed. To register in $GWN$, $S{N}_j$ selects the PUF’s challenge and computes $R_j$ and the registration request message. After $GWN$ receives the registration request message, $GWW$ calculates and sends the values required for authentication to $S{N}_j$. The proposed protocol considers the data load for sensor nodes with limited capabilities. The sensor node stores only $\{SI{D}_j,PSI{D}_j,K_j,SN{P}_j\}$. Assuming that the ID and hash values are 160 bits, the value stored by the sensor node is only 640 bits. The sensor node registration steps are as follows and shown in Figure 3.

Step SRP1: $S{N}_j$ chooses challenge value $C_j$, and generates random nonces $R{N}_{sn}$. Then, $S{N}_j$ computes the response value $R_j=PUF(C_j)$. Furthermore, $S{N}_j$ computes $Gen(R_j)=$$<SN{R}_j,SN{P}_j>$, $Re{q}_j=SI{D}_j\oplus h(R{N}_{SN})$, and $H{S}_j=h(SI{D}_j\left|\right|SN{R}_j)$. $S{N}_j$ sends $\{Re{q}_j,R{N}_{sn},$$C_j,H{S}_j\}$ to $GWN$ via a closed channel.

Step SPR2: When $GWN$ receives the message $\{Re{q}_j,$$R{N}_{sn},$$C_j,H{S}_j\}$, $GWN$ computes $SI{D}_j=Re{q}_j\oplus h(R{N}_{sn})$. $GWN$ creates a random secret key $y_{GWN}$, and calculates $PSI{D}_j=h(SI{D}_j\left|\right|R{N}_{sn})$ and $K_j=h(PSI{D}_j\left|\right|$$X_{GWN}\left|\right|y_{GWN})$. $GWN$ stores $\{PSI{D}_j,y_{GWN},H{S}_j,C_j\}$ in its database and sends $\{PSI{D}_j,K_j\}$ to $S{N}_j$.

Step SPR3: Upon receiving the message $\{PSI{D}_j,y_{GWN},$$H{S}_j,C_j\}$, $S{N}_j$ stores $\{SI{D}_j,$$PSI{D}_j,K_j\}$ in its secure memory.

6.3. Login and Authentication Phase

In the login and authentication phase, a session key is generated for $U_i$ to communicate with a specific $S{N}_j$. All entities perform mutual authentication through message verification, and when mutual authentication is successful, a session key $SK$ for future communication is agreed upon. In the proposed protocol, the user manually selects a new pseudo ID $HI{D}_{inew}$. When authentication is complete, the user updates the ${\beta }_{inew}$ and ${\gamma }_{inew}$ values associated with $HI{D}_{inew}$. It is assumed that the IEEE 802.15.4 protocol is used for communication between the sensor node and the $GWN$, and the IEEE 802.11 protocol is used for communication between the $GWN$ and the user [42]. The detailed steps are shown in Figure 4 and are described in detail below.

Step AP1: $U_i$ inserts $SC$ and inputs $I{D}_i,P{W}_i,BI{O}_i$. $SC$ computes $Rep(BI{O}_i,U{P}_i)=U{R}_i$, $R{N}_u=L_i\oplus h(U{R}_i\left|\right|P{W}_i)$, $HI{D}_i=h(U{R}_i\left|\right|I{D}_i)$, $HP{W}_i=h(R{N}_u\left|\right|$$U{R}_i\left|\right|I{D}_i\left|\right|P{W}_i)$, ${\alpha }_i={\beta }_i\oplus HP{W}_i$, and ${\gamma }_i^{*}=h(HI{D}_i\left|\right|$$h(I{D}_i\left|\right|HP{W}_i)||A_i)$. Then, $SC$ checks ${\gamma }_i^{*}\stackrel{?}{=}{\gamma }_i$. If it holds, $U_i$ generates a random nonce $N_u$ and timestamp $T_1$. $U_i$ computes $M_1=h(N_u\left|\right|A_i)\oplus h(T_1\left|\right|A_i\left|\right|PSI{D}_j)$ and $M_2=h(HI{D}_i\left|\right|$$h(N_u\left|\right|{\alpha }_i)||PSI{D}_j)$. $U_i$ picks new pseudo identity $HI{D}_{inew}=h(U{R}_i\left|\right|I{D}_i\left|\right|N_u)$ and computes $M_3=HI{D}_{inew}\oplus h(h(N_u\left|\right|{\alpha }_i)||T_1)$. Then, $U_i$ sends $\{HI{D}_i,PSI{D}_j,M_1,M_2,M_3,T_1\}$ to $GWN$ through insecure channels.

Step AP2: Upon receiving the message $\{HI{D}_i,PSI{D}_j,$$M_1,M_2,M_3,T_1\}$, $GWN$ checks $|T_1-T_c|<\Delta T?$. If it holds, $GWN$ retrieves $R_{gw}$ from its database and calculates ${\alpha }_i^{{}^{\prime }}=h(HI{D}_i\left|\right|X_{GWN}\left|\right|R_{gw})$, $h(N_u\left|\right|{\alpha }_i^{{}^{\prime }})=h(T_1\left|\right|{\alpha }_i$$\left|\right|PSI{D}_j)\oplus M_1$, and $M_2^{*}=h(HI{D}_i\left|\right|h(N_u\left|\right|{\alpha }_i^{{}^{\prime }})$$\left|\right|PSI{D}_j)$. $GWN$ checks $M_2^{*}\stackrel{?}{=}{M}_2$. If it is not correct, then $GWN$ terminates the session. Otherwise, $GWN$ calculates $HI{D}_{inew}=M_3\oplus h(h(N_u\left|\right|{\alpha }_i)||T_1)$. Then, $GWN$ fetches $(C_j,y_{GWN})$ corresponding to $PSI{D}_j$. $GWN$ generates a random nonce $N_g$ and timestamp $T_2$. $GWN$ computes $K_j=h(PSI{D}_j$$\left|\right|X_{GWN}\left|\right|y_{GWN})$, $M_4=C_j\oplus h(PSI{D}_j\left|\right|K_j)$, $M_5=h(h(N_u\left|\right|{\alpha }_i)||N_g)\oplus h(PSI{D}_j\left|\right|H{S}_j\left|\right|K_j)$, and $M_6=h(h(h(N_u$$\left|\right|{\alpha }_i)||N_g)||T_2\left|\right|H{S}_j)$. After that, $GWN$ sends $\{M_4,M_5,M_6,T_2\}$ to $S{N}_j$ through an open channel.

Step AP3: After receiving the message $\{M_4,M_5,M_6,T_2\}$ from $GWN$, $S{N}_j$ checks $|T_2-T_c|<\Delta T?$. If it holds, $S{N}_j$ computes $C_j=M_4\oplus h(PSI{D}_j\left|\right|K_j)$, $PUF(C_j)=R_j$, $Rep(R_j,SN{P}_j)=SN{R}_j$, $H{S}_j=h(SI{D}_j\left|\right|SN{R}_j)$, $h(h(N_u\left|\right|{\alpha }_i)||N_g)=M_5\oplus h(PSI{D}_j\left|\right|H{S}_j\left|\right|K_j)$, and $M_6^{*}=h(h(h(N_u\left|\right|{\alpha }_i)||N_g)||T_2\left|\right|H{S}_j)$. $S{N}_j$ checks $M_6^{*}\stackrel{?}{=}{M}_6$. If it corrects, $S{N}_j$ generates a timestamp $T_3$ and calculates $SK=h(PSI{D}_j\left|\right|h(h(N_u\left|\right|{\alpha }_i)||N_g)||K_j)$. $S{N}_j$ computes $M_7=h(SK$$\left|\right|T_3\left|\right|K_j\left|\right|H{S}_j)$ and sends $\{M_7,T_3\}$ to $GWN$.

Step AP4: When $GWN$ receives the message $\{M_7,T_3\}$, $GWN$ checks $|T_3-T_c|<\Delta T?$. If it holds, $GWN$ computes the session key $SK=h(PSI{D}_j\left|\right|h(h(N_u\left|\right|{\alpha }_i)||N_g)||K_j)$, and computes $M_7^{*}=h(SK||T_3\left|\right|K_j\left|\right|H{S}_j)$. Then, $GWN$ checks $M_7^{*}\stackrel{?}{=}{M}_7$. If they are same, $GWN$ computes ${\alpha }_{inew}=h(HI{D}_{inew}\left|\right|X_{GWN}\left|\right|N_g)$, $M_8=SK\oplus h(N_u\left|\right|{\alpha }_i)$, $M_9={\alpha }_{inew}\oplus h(HI{D}_{inew}\left|\right|HI{D}_i\left|\right|h(N_u\left|\right|{\alpha }_i))$, and $M_{10}=h({\alpha }_{inew}\left|\right|SK\left|\right|HI{D}_{inew})$. $GWN$ sends the message $\{M_8,$$M_9,M_{10}\}$. If session key agreement is successful, $GWN$ updates $\{HI{D}_i,R_{gw}\}$ to $\{HI{D}_{inew},N_g\}$. Otherwise, $GWN$ keeps $HI{D}_i$.

Step AP5: When $U_i$ receives the message $\{M_8,M_9,M_{10}\}$, $U_i$ calculates $SK=M_8\oplus h(N_u\left|\right|{\alpha }_i)$, and computes ${\alpha }_{inew}=M_9\oplus h(HI{D}_{inew}\left|\right|HI{D}_i\left|\right|h(N_u\left|\right|{\alpha }_i))$, and $M_{10}^{*}=h({\alpha }_{inew}$$\left|\right|SK\left|\right|HI{D}_{inew})$. $U_i$ checks $M_{10}^{*}\stackrel{?}{=}{M}_{10}$. If they are same, $U_i$ computes ${\beta }_{inew}={\alpha }_{inew}\oplus HP{W}_i$ and ${\gamma }_{inew}=h(HI{D}_{inew}\left|\right|h(I{D}_i\left|\right|HP{W}_i)||{\alpha }_{inew})$. Then, $U_i$ updates ${\beta }_{inew},{\gamma }_{inew}$ and $HI{D}_{inew}$. Finally, $U_i$, $GWN$, and $S{N}_j$ agrees the same session key $SK$.

6.4. User’s Password and Biometrics Update Phase

$U_i$ may want to change their password and biometrics. To reduce computation and communication costs, we propose this phase to be executed locally without additional connections with $GWN$.

Step 1: $U_i$ inserts their $SC$ and inputs $I{D}_i$, $P{W}_i$, and biometrics $BI{O}_i$. Then, $SC$ computes $Rep(BI{O}_i,U{P}_i)=U{R}_i$, $R{N}_u=L_i\oplus h(U{R}_i\left|\right|P{W}_i)$, $HI{D}_i=h(U{R}_i\left|\right|I{D}_i)$, $HP{W}_i=h(R{N}_u\left|\right|U{R}_i\left|\right|I{D}_i\left|\right|P{W}_i)$, ${\alpha }_i={\beta }_i\oplus HP{W}_i$, and ${\gamma }_i^{*}=h(HI{D}_i\left|\right|h(I{D}_i\left|\right|HP{W}_i)||{\alpha }_i)$. $SC$ checks ${\gamma }_i={\gamma }_i^{*}$. If it corrects, $SC$ asks $U_i$ to input a new biometrics $BI{O}_{inew}$ and a new password $P{W}_{inew}$.

Step 2: $U_i$ inputs a new biometrics $BI{O}_{inew}$ and a new password $P{W}_{inew}$. $SC$ proceeds to compute parameters $Gen(BI{O}_{inew})=(U{R}_{inew},U{P}_{inew})$, $HP{W}_{inew}=h(R{N}_u\left|\right|U{R}_{inew}\left|\right|I{D}_i$$\left|\right|P{W}_{inew})$, $L_{inew}=$$h(U{R}_{inew}$$\left|\right|$$P{W}_{inew})$$\oplus R{N}_u$, $RS{P}_{inew}=h(I{D}_i\left|\right|HP{W}_{inew})$, ${\beta }_{inew}={\alpha }_i\oplus HP{W}_i\oplus HP{W}_{inew}$, and ${\gamma }_{inew}=h(HI{D}_i\left|\right|RS{P}_{inew}\left|\right|{\alpha }_i)$. Then, $SC$ replaces ${\beta }_i,{\gamma }_i,L_i,U{P}_i$ with ${\beta }_{inew},$${\gamma }_{inew},L_{inew},$$U{P}_{inew}$.

7. Security Analysis

This section analyzes the security of the proposed protocol. We prove that session key agreement and mutual authentication of our protocol can be securely achieved through the commonly used ROR model and BAN logic. Through AVISPA simulation tools, we show that the protocol is secure against replay and MITM attacks. At last, through informal security analysis, we demonstrate that the proposed protocol is secure against a variety of attacks.

7.1. ROR Model

Thorugh the ROR model, we demonstrate the session key security of the proposed protocol [43,44,45]. We present the brief explanation of the ROR model. In the ROR model of our protocol, there are three participants ${\mathcal{P}}^t$, which are user node ${\mathcal{P}}_{U_i}^{t_1}$, gateway node ${\mathcal{P}}_{GWN}^{t_2}$, and sensor node ${\mathcal{P}}_{S{N}_j}^{t_3}$. $t_1$, $t_2$, and $t_3$ are the instances for $U_i$, $GWN$, and $S{N}_j$, respectively. We assume that $\mathcal{A}$ can intercept, eavesdrop, delete, or modify messages exchanged via an open wireless channel. Additionally, $\mathcal{A}$ can conduct security attacks through various queries, such as $Execute$, $CorruptSC$, $Reveal$, $Send$, and $Test$. Detailed descriptions of these queries are as follows.

• $Execute({\mathcal{P}}_{U_i}^{t_1},{\mathcal{P}}_{GWN}^{t_2},{\mathcal{P}}_{S{N}_j}^{t_3})$: $\mathcal{A}$ can conduct this query for obtaining transmitted messages via public channels between ${\mathcal{P}}_{U_i}^{t_1}$, ${\mathcal{P}}_{GWN}^{t_2}$, and ${\mathcal{P}}_{S{N}_j}^{t_3}$.
• $CorruptSC({\mathcal{P}}_{U_i}^{t_1})$: $CorruptSC$ indicates that the adversary can extract secret data stored in $SC$ of ${\mathcal{P}}_{U_i}^{t_1}$.
• $Reveal({\mathcal{P}}^t)$: $\mathcal{A}$ is able to reveal the current session key $SK$ between ${\mathcal{P}}_{U_i}^{t_1}$, ${\mathcal{P}}_{GWN}^{t_2}$, and ${\mathcal{P}}_{S{N}_j}^{t_3}$ by executing this query. $SK$ is safe if $\mathcal{A}$ fails to reveal $SK$ using this query.
• $Send({\mathcal{P}}^t,M)$: Using the $Send$ query, an adversary is able to send a message to participants and receive response messages.
• $Test({\mathcal{P}}^t)$: An unbiased coin $uc$ is flipped to start the game, and the result is only known to $\mathcal{A}$. $\mathcal{A}$ uses this result to determine the $Test$. When $\mathcal{A}$ runs the $Test$ query, ${\mathcal{P}}^t$ returns $SK$ for $uc$ = 1 or a random number for $uc$ = 0. Otherwise, it returns a null (⊥).

$\mathcal{A}$ must distinguish the result value after $\mathcal{A}$ conducts $Test$ query over ${\mathcal{P}}^t$. $\mathcal{A}$ checks the consistency of the random bit $uc$ using results of the $Test$ query. $\mathcal{A}$ is able to win the game if the guessed bit $u{c}^{\prime }$ equals $uc$. Additionally, ${\mathcal{P}}^t$ has access to the collision-resistant cryptographic one-way hash function $h(·)$, which is modeled as a random oracle, $Hash$.

Security Proof

Theorem 1. 

An adversary $\mathcal{A}$ attempts to calculate $SK$ in polynomial time. Let $Ad{v}_{\mathcal{A}}^{our}$ be the advantage that $\mathcal{A}$ can break the session key security of the proposed protocol. Then, we obtain the following.

$$Ad{v}_{\mathcal{A}}^{our}\le {\displaystyle \frac{q_{hash}^2}{\left|Hash\right|}}+{\displaystyle \frac{q_{puf}^2}{\left|PUF\right|}}+2max\{C·q_{send}^s,{\displaystyle \frac{q_{send}}{2^{l_D}}}\}$$

$\left|PUF\right|$ and $\left|Hash\right|$ indicate that they are the span spaces of the $PUF$ function $PUF(·)$ and the hash function $h(·)$, respectively. $q_{send}$, $q_{hash}$, and $q_{puf}$ are the number of $Send$, $Hash$, and $PUF$ queries, respectively. In addition, $l_D$ is the number of bits in biometric $BI{O}_i$ of $U_i$, and C and s denote Zipf’s parameters.

Proof. 

The five games, $G{M}_i$, where $i\in [0,4]$, are conducted to prove the security of $SK$ of the proposed protocol. $Suc{c}_{\mathcal{A},i}$ indicates the event in which $\mathcal{A}$ wins $G{M}_i$ by guessing the random bit $uc$ correctly. We represent the probability that $\mathcal{A}$ wins the game $G{M}_i$ as $Pr\left[Suc{c}_{\mathcal{A},G{M}_i}\right]$. This is followed by the description of each game.

• $G{M}_0$: $\mathcal{A}$ executes a real attack to our protocol. $\mathcal{A}$ chooses a random bit $uc$ at the beginning of $G{M}_0$. The following advantage of $\mathcal{A}$ is about this game.

  $$Ad{v}_{\mathcal{A}}^{our}=|2Pr\left[Suc{c}_{\mathcal{A},G{M}_0}\right]-1|$$

  (4)
• $G{M}_1$: $\mathcal{A}$ executes the $Execute({\mathcal{P}}_{U_i}^{t_1},{\mathcal{P}}_{GWN}^{t_2},{\mathcal{P}}_{S{N}_j}^{t_3})$ query and eavesdrops messages $<HI{D}_i,$$PSI{D}_j,M_1,M_2,M_3,T_1>$, $<M_4,M_5,M_6,T_2>$, $<M_7,T_3>$, and $<M_8,M_9,M_{10}>$. After that, $\mathcal{A}$ performs $Reveal$ and $Test$ queries to verify whether the derived $SK$ is real. In the proposed protocol, $SK=h(PSI{D}_j\left|\right|h(h(N_u\left|\right|{\alpha }_i)||N_g)||K_j)$ is made up of long-term and short-term secrets. To derive $SK$, $\mathcal{A}$ needs to know the identities and random nonces of $U_i$, $GWN$, and $S{N}_j$. As a result, $\mathcal{A}$ cannot increase the winning probability of $G{M}_1$. Therefore, the probabilities of $G{M}_0$ and $G{M}_1$ are indistinguishable.

  $$Pr\left[Suc{c}_{\mathcal{A},G{M}_1}\right]=Pr\left[Suc{c}_{\mathcal{A},G{M}_0}\right]$$

  (5)
• $G{M}_2$: In this game, $\mathcal{A}$ executes $Hash$ and $Send$ queries to obtain the session key. $\mathcal{A}$ attempts to attack by modifying the exchanged message. However, all messages are masked with one-way hash function $h(·)$, random nonces, and secret credentials. $\mathcal{A}$ cannot derive any information due to a computationally infeasible problem of $h(·)$. Hence, using the birthday paradox, we can get the following equation.

  $$|Pr\left[Suc{c}_{\mathcal{A},G{M}_2}\right]-Pr\left[Suc{c}_{\mathcal{A},G{M}_1}\right]|\le {\displaystyle \frac{q_{hash}^2}{2\left|Hash\right|}}$$

  (6)
• $G{M}_3$: This game is performed in analogy as described in $G{M}_2$. $\mathcal{A}$ executes $Send$ and $PUF$ queries. However, the probability obtained by the $PUF$ query is similar with the $Hash$ query since the physical function $PUF(·)$ has security properties mentioned in Section 3.2. Therefore, we are able to acquire the following equation.

  $$|Pr\left[Suc{c}_{\mathcal{A},G{M}_3}\right]-Pr\left[Suc{c}_{\mathcal{A},G{M}_2}\right]|\le {\displaystyle \frac{q_{puf}^2}{2\left|PUF\right|}}$$

  (7)
• $G{M}_4$: In the final game $G{M}_4$, $\mathcal{A}$ tries to get $SK$ with the $CorruptSC$ query. With $CorruptSC$ query, $\mathcal{A}$ is able to extract sensitive values $\{{\beta }_i,{\gamma }_i,L_i,U{P}_i\}$ stored in the smart card of $U_i$, which are expressed as ${\beta }_i={\alpha }_i\oplus HP{W}_i$, ${\gamma }_i=h(HI{D}_i\left|\right|RS{P}_i\left|\right|{\alpha }_i)$, and $L_i=h(U{R}_i\left|\right|P{W}_i)\oplus R{N}_u$. For computing $SK=h(PSI{D}_j\left|\right|h(h(N_u\left|\right|{\alpha }_i)||N_g)||K_j)$, $\mathcal{A}$ should guess these parameters from the extracted values since $\mathcal{A}$ has no knowledge of identity $I{D}_i$, password $P{W}_i$, and biometric $BI{O}_i$. However, it is a computationally infeasible task for $\mathcal{A}$ to guess $I{D}_i$, $P{W}_i$, and $BI{O}_i$ simultaneously. In conclusion, $G{M}_3$ and $G{M}_4$ are indistinguishable. We can derive the following result by utilizing Zipf’s law.

  $$|Pr\left[Suc{c}_{\mathcal{A},G{M}_4}\right]-Pr\left[Suc{c}_{\mathcal{A},G{M}_3}\right]|\le max\{C·q_{send}^s,{\displaystyle \frac{q_{send}}{2^{l_D}}}\}$$

  (8)

After all games are completed, $\mathcal{A}$ must guess the $uc$ to win the game. Therefore, we obtain the following equation.

$$Pr\left[Suc{c}_{\mathcal{A},G{M}_4}\right]=\frac{1}{2}$$

(9)

By combining (4)–(9), we obtain the result using the triangular inequality as follows.

$$\begin{array}{cc}\hfill \frac{1}{2}Ad{v}_{\mathcal{A}}^{our}& =|Pr[Suc{c}_{\mathcal{A},G{M}_0}-\frac{1}{2}]|=|Pr[Suc{c}_{\mathcal{A},G{M}_1}-\frac{1}{2}]|\hfill \\ \hfill & =|Pr\left[Suc{c}_{\mathcal{A},G{M}_1}\right]-Pr\left[Suc{c}_{\mathcal{A},G{M}_4}\right]|\hfill \\ \hfill & =|Pr\left[Suc{c}_{\mathcal{A},G{M}_1}\right]-Pr\left[Suc{c}_{\mathcal{A},G{M}_4}\right]|\hfill \\ \hfill & \le |Pr\left[Suc{c}_{\mathcal{A},G{M}_1}\right]-Pr\left[Suc{c}_{\mathcal{A},G{M}_3}\right]|\hfill \\ \hfill & +|Pr\left[Suc{c}_{\mathcal{A},G{M}_3}\right]-Pr\left[Suc{c}_{\mathcal{A},G{M}_4}\right]|\hfill \\ \hfill & \le |Pr\left[Suc{c}_{\mathcal{A},G{M}_1}\right]-Pr\left[Suc{c}_{\mathcal{A},G{M}_2}\right]|\hfill \\ \hfill & +|Pr\left[Suc{c}_{\mathcal{A},G{M}_2}\right]-Pr\left[Suc{c}_{\mathcal{A},G{M}_3}\right]|\hfill \\ \hfill & +|Pr\left[Suc{c}_{\mathcal{A},G{M}_3}\right]-Pr\left[Suc{c}_{\mathcal{A},G{M}_4}\right]|\hfill \\ \hfill & \le \frac{q_{hash}^2}{2\left|Hash\right|}+{\displaystyle \frac{q_{puf}^2}{2\left|PUF\right|}}+max\{C·q_{send}^s,{\displaystyle \frac{q_{send}}{2^{l_D}}}\}\hfill \end{array}$$

(10)

Finally, the desired result can be obtained by multiplying both sides of Equation (10) by two.

$$Ad{v}_{\mathcal{A}}^{our}\le \frac{q_{hash}^2}{\left|Hash\right|}+{\displaystyle \frac{q_{puf}^2}{\left|PUF\right|}}+2max\{C·q_{send}^s,{\displaystyle \frac{q_{send}}{2^{l_D}}}\}$$

(11)

Therefore, we prove Theorem 1. □

7.2. BAN Logic

BAN logic is a widely used mathematical proof method for demonstrating mutual authentication in security schemes [46,47]. With BAN logic, we prove that the proposed protocol can ensure mutual authentication. The notations of BAN logic are described in

Table 1. BAN Logic Notation.

Notation	Description
$Skey$	Secret key
$E|\equiv T$	E believes statement T
$\#T$	Statement T is fresh
$E◃T$	E receives statement T
$E|\sim T$	E once said T
$E\Rightarrow T$	E controls statement T
$<T{>}_S$	Statement T is combined with secret statement S
${\{T\}}_{Skey}$	Statement T is masked by $Skey$
$E\stackrel{Skey}{⟷}K$	E and K share $Skey$ to communicate with each other

.

7.2.1. Rules

The rules used in BAN logic are as follows.

• Nonce verification rule ($NVR$):

  $$\frac{E|\equiv \#(T),E|\equiv K|\sim T}{E|\equiv K|\equiv T}$$
• Message meaning rule ($MMR$):

  $$\frac{E|\equiv E\stackrel{Skey}{⟷}K,E◃{\{T\}}_{Skey}}{E|\equiv K|\sim T}$$
• Jurisdiction rule ($JR$):

  $$\frac{E|\equiv K|\Rightarrow T,E|\equiv K|\equiv T}{E|\equiv T}$$
• Freshness rule ($FR$):

  $$\frac{E|\equiv \#(T)}{E|\equiv \#(T,S)}$$
• Belief rule ($BR$):

  $$\frac{E|\equiv (T,S)}{E|\equiv T}$$

7.2.2. Goals for Mutual Authentication

To prove that the proposed protocol provides mutual authentication, we present the following goals.

Goal 1: 

$U_i|\equiv (U_i\stackrel{SK}{⟷}GWN)$

Goal 2: 

$U_i|\equiv GWN|\equiv (U_i\stackrel{SK}{⟷}GWN)$

Goal 3: 

$GWN|\equiv (U_i\stackrel{SK}{⟷}GWN)$

Goal 4: 

$GWN|\equiv U_i|\equiv (U_i\stackrel{SK}{⟷}GWN)$

Goal 5: 

$S{N}_j|\equiv (S{N}_j\stackrel{SK}{⟷}GW)$

Goal 6: 

$S{N}_j|\equiv GWN|\equiv (S{N}_j\stackrel{SK}{⟷}GWN)$

Goal 7: 

$GWN|\equiv (S{N}_j\stackrel{SK}{⟷}GWN)$

Goal 8: 

$GWN|\equiv S{N}_j|\equiv (S{N}_j\stackrel{SK}{⟷}GWN)$

7.2.3. Idealized Form of Exchanged Messages

We describe the idealized form of BAN logic as the message exchanged in the authentication phase as follows.

$M_1$:

$U_i\to GWN:\{PSI{D}_j,h(N_u\left|\right|{\alpha }_i{)\}}_{{\alpha }_i}$

$M_2$:

$GWN\to S{N}_j:\{h(h(N_u\left|\right|{\alpha }_i)||h(N_g){)\}}_{K_j}$

$M_3$:

$S{N}_j\to GWN:{\{SK,T_3\}}_{K_j}$

$M_4$:

$GWN\to U_i:{\{SK\}}_{h(N_u||{\alpha }_i)}$

7.2.4. BAN Logic Initial State Assumptions

We construct all the considered assumptions as follows.

$A_1$:

$GWN|\equiv U_i\stackrel{{\alpha }_i}{⟷}GW$

$A_2$:

$GWN|\equiv \#(N_u)$

$A_3$:

$S{N}_j|\equiv GWN\stackrel{K_j}{⟷}S{N}_j$

$A_4$:

$S{N}_j|\equiv \#(N_g)$

$A_5$:

$GWN|\equiv GWN\stackrel{K_j}{⟷}S{N}_j$

$A_6$:

$GWN|\equiv \#(T_3)$

$A_7$:

$U_i|\equiv U_i\stackrel{h(N_u||{\alpha }_i)}{⟷}GWN$

$A_8$:

$U_i|\equiv \#(N_g)$

$A_9$:

$U_i|\equiv GWN|\Rightarrow (U_i\stackrel{SK}{⟷}GWN)$

$A_{10}$:

$GWN|\equiv U_i|\Rightarrow (U_i\stackrel{SK}{⟷}GWN)$

$A_{11}$:

$S{N}_j|\equiv GWN|\Rightarrow (S{N}_j\stackrel{SK}{⟷}GWN)$

$A_{12}$:

$GWN|\equiv S{N}_j|\Rightarrow (S{N}_j\stackrel{SK}{⟷}GWN)$

7.2.5. Proof of Providing Mutual Authentication

We will now prove that our protocol can guarantee mutual authentication with an idealized form, predefined BAN logic rules, and assumptions. The proof process is as follows.

Step 1: 

$S_1$ is obtained from $M_1$.

$$S_1:GWN◃\{PSI{D}_j,h(N_u\left|\right|{\alpha }_i{)\}}_{{\alpha }_i}$$

Step 2: 

$S_2$ is obtained from the $MMR$ using $S_1$ and $A_1$.

$$S_2:GWN|\equiv U_i|\sim \{PSI{D}_j,h(N_u\left|\right|{\alpha }_i{)\}}_{{\alpha }_i}$$

Step 3: 

$S_3$ can be gained from the $FR$ with $S_2$ and $A_2$.

$$S_3:GWN|\equiv \#(PSI{D}_j,h(N_u\left|\right|{\alpha }_i))$$

Step 4: 

$S_4$ can be acquired by applying the $NVR$ with $S_2$ and $S_3$.

$$S_4:GWN|\equiv U_i|\equiv (PSI{D}_j,h(N_u\left|\right|{\alpha }_i))$$

Step 5: 

$S_5$ is obtained from $M_2$.

$$S_5:S{N}_j◃\{h(h(N_u\left|\right|{\alpha }_i)||h(N_g){)\}}_{K_j}$$

Step 6: 

$S_6$ is gained from $MMR$ using $S_5$ and $A_3$.

$$S_6:S{N}_j|\equiv GWN|\sim \{h(h(N_u\left|\right|{\alpha }_i)||h(N_g){)\}}_{K_j}$$

Step 7: 

$S_7$ can be obtained by applying $FR$ with $S_6$ and $A_4$.

$$S_7:S{N}_j|\equiv \#(h(h(N_u\left|\right|{\alpha }_i)||h(N_g)))$$

Step 8: 

$S_8$ can be obtained from $NVR$ with $S_6$ and $S_7$.

$$S_8:S{N}_j|\equiv GWN|\equiv (h(h(N_u\left|\right|{\alpha }_i)||h(N_g)))$$

Step 9: 

From $M_3$, $S_9$ is obtained.

$$S_9:GWN◃{\{SK,T_3\}}_{K_j}$$

Step 10: 

$S_{10}$ is gained from $MMR$ with $S_9$ and $A_5$.

$$S_{10}:GWN|\equiv S{N}_j|\sim {\{SK,T_3\}}_{K_j}$$

Step 11: 

$S_{11}$ can be obtained by applying $FR$ with $S_{10}$ and $A_6$, since $SK=h(PSI{D}_j\left|\right|h(h(N_u\left|\right|{\alpha }_i)||N_g)||K_j)$.

$$S_{11}:GWN|\equiv \#(SK,T_3)$$

Step 12: 

$S_{12}$ can be obtained from $NVR$ with $S_{10}$ and $S_{11}$.

$$S_{12}:GWN|\equiv S{N}_j|\equiv (SK,T_3)$$

Step 13: 

$S_{13}$ is obtained from $M_4$.

$$S_{13}:U_i◃{\{SK\}}_{h(N_u||{\alpha }_i)}$$

Step 14: 

$S_{14}$ is obtained from $MMR$ with $S_{13}$ and $A_7$.

$$S_{14}:U_i|\equiv GWN|\sim {\{SK\}}_{h(N_u||{\alpha }_i)}$$

Step 15: 

$S_{15}$ can be obtained from $FR$ with $S_{14}$ and $A_8$, since $SK=h(PSI{D}_j\left|\right|h(h(N_u\left|\right|{\alpha }_i)||N_g)||K_j)$.

$$S_{15}:U_i|\equiv \#(SK)$$

Step 16: 

$S_{16}$ can be obtained by using $NVR$ on $S_{14}$ and $S_{15}$.

$$S_{16}:U_i|\equiv GWN|\equiv (SK)$$

Step 17: 

$S_{17}$ and $S_{18}$ can be obtained from $S_8$ and $S_{12}$ since $SK=h(PSI{D}_j\left|\right|h(h(N_u\left|\right|{\alpha }_i)||N_g)||K_j)$.

$$S_{17}:S{N}_j|\equiv GWN|\equiv (S{N}_j\stackrel{SK}{⟷}GWN)(\mathbf{Goal}\mathbf{6})$$

$$S_{18}:GWN|\equiv S{N}_j|\equiv (S{N}_j\stackrel{SK}{⟷}GWN)(\mathbf{Goal}\mathbf{8})$$

Step 18: 

$S_{19}$ and $S_{20}$ can be obtained from $JR$ with $S_{17}$, $S_{18}$, $A_{11}$, and $A_{12}$.

$$S_{19}:S{N}_j|\equiv (S{N}_j\stackrel{SK}{⟷}GWN)(\mathbf{Goal}\mathbf{5})$$

$$S_{20}:GWN|\equiv (S{N}_j\stackrel{SK}{⟷}GWN)(\mathbf{Goal}\mathbf{7})$$

Step 19: 

$S_{21}$ and $S_{22}$ can be obtained from $S_4$ and $S_{16}$ since $SK=h(PSI{D}_j\left|\right|h(h(N_u\left|\right|$${\alpha }_i)||N_g)||K_j)$.

$$S_{21}:U_i|\equiv GWN|\equiv (U_i\stackrel{SK}{⟷}GWN)(\mathbf{Goal}\mathbf{2})$$

$$S_{22}:GWN|\equiv U_i|\equiv (U_i\stackrel{SK}{⟷}GWN)(\mathbf{Goal}\mathbf{4})$$

Step 20: 

$S_{23}$ and $S_{24}$ can be obtained by applying $JR$ from $S_{21}$, $S_{22}$, $A_9$, and $A_{10}$.

$$S_{23}:U_i|\equiv (U_i\stackrel{SK}{⟷}GWN)(\mathbf{Goal}\mathbf{1})$$

$$S_{24}:GWN|\equiv (U_i\stackrel{SK}{⟷}GWN)(\mathbf{Goal}\mathbf{3})$$

We prove that the proposed scheme meets all the goals in Section 7.2.2. Therefore, the proposed protocol ensures secure mutual authentication.

7.3. AVISPA Simulation Analysis

We use the “AVISPA Simulation Tool” [13] in this section to validate our proposed system security against man-in-the-middle and replay attacks.

In AVISPA, there are four backends: “Tree Automata based on Automatic Approximations for “Tree Automata based on Automatic Approximations for Analysis of Security Protocols (TA4SP)”, “SAT based model checker (SATMC)”, “On-the-fly-mode-checker (OFMC)”, and “Const- raint-logic-based Attack Searcher” (CL-AtSe)”. Among these, SATMC and TA4SP backends can not aid “bitwise exclusive OR (XOR)”. However, since our system has an XOR operation, two backends are not suitable for analysis. Therefore, we adopt two backends, OFMC and CL-AtSe, which support XOR operations, and use them for analysis. In the proposed system, “High-Level Protocol Specification Language (HLPSL)”, a language supported by AVISPA, is used to implement the basic roles of $U_i$, $GWN$ and $S{N}_j$. Figure 5 shows the HLPSL implementation of the role user.

At transition 1, $U_i$ sends the request message $\{HI{D}_i,$$RS{P}_i,HP{W}_i\}$ to $GWN$ using the $SND$ operation and $SKuaga$, which means the secure channel. The declaration $secret(\{PWi,$$URi\},sp1,\{UA\})$ means that the password $P{W}_i$ and biometrics $U{R}_i$ is only known to $U_i$. The declaration $secret(\{HPWi\},sp2,\{UA,GA\})$ means that $HP{W}_i$ is only known to $U_i$ and $GWN$.

At transition 2, $U_i$ receives the smartcard. In login and authentication phase, $U_i$ sends the message $\{HI{D}_i,PSI{D}_j,$$M_1,M_2,M_3,T_1\}$ to $GWN$ through insecure channels. The declaration $witness(UA,GA,ua\_ga\_ni,N{u}^{\prime })$ means that $U_i$ generates a random nonce $N_u$ for $GWN$.

At transition 3, $U_i$ receives the message $\{M_8,M_9,M_{10}\}$ from $GWN$. The declaration $request(GA,UA,ga\_ua\_ng,$$N{g}^{\prime })$ specifies the $GWN$ request to the $U_i$ for checking the value of $N_g$.

The HLPSL of the gateway node and sensor node is implemented similarly to the user’s HLPSL. In addition, it implements the “composite roles and goals for sessions and environment” of the proposed system through HLPSL. In the sessions and environment, it specifies whether secret maintenance and authentication of each value are successfully performed through $secret$, $witness$, and $request$ declared in the HLPSL of each entity. AVISPA used in this section is a security validation simulation based on the DY model [37].

Figure 6 is a screen showing the intruder simulation step-by-step according to the HLPSL configured in the CL-AtSe mode. It is a simulation in which knowledge is leaked to the intruder one-by-one for each step. In addition, the intruder knows the message transmitted through the wireless channel. Although this information is leaked to the intruder, we can see that our protocol is safe, as shown in Figure 7. Therefore, for replay attack inspection, AVIPA backends (such as OFMC and CL-AtSe) first verify that a legitimate agent can execute a specific protocol. It then provides the intruder’s knowledge of some legitimate sessions between legitimate agents. In addition, the DY model ensures that OFMC and CL-AtSe backends are capable of MITM attacks by intruders. Figure 7 gives the analysis results performed on the CL-ATse and OFMC backends. The results are shown in Figure 7 show that the proposed protocol is “safe” on the backends, which proves that our protocol is secure against replay and MITM attacks.

7.4. Informal Security Analysis

We demonstrate through informal security analysis that the proposed protocol can provide various security features are secure against various attacks.

7.4.1. Offline Guessing Attack

Adversary $ATT$ attempts to guess the user’s identity or password from the values contained in the user’s smartcard or messages on public channels. $ATT$ can obtain sensitive information through the guessed ID/password. However, our protocol is secure against offline guessing attacks. $ATT$ is able to obtain $\{{\beta }_i,{\gamma }_i,L_i,U{P}_i\}$ stored in $SC$ through smartcard stolen attack. $ATT$ needs to compute ${\gamma }_i^{*}$ to guess the ID/password of a valid $U_i$. However, ${\gamma }_i^{*}$ consists of $HI{D}_i$ and $HP{W}_i$. In order for $ATT$ to calculate $HI{D}_i$, it needs to know the user’s biometric key $U{R}_i$ and the user’s ID. Furthermore, in order for $ATT$ to figure out $HP{W}_i$, $ATT$ must have the biometric key $U{R}_i$, as well as valid $I{D}_i$, $P{W}_i$ and random nonce $R{N}_u$. Therefore, $ATT$ cannot compute the user’s $HI{D}_i$ and $HP{W}_i$ according to the “computational infeasible problem”. Therefore, since $ATT$ cannot guess the user’s ID and password, the proposed protocol can guarantee the resilience of offline guessing attacks.

7.4.2. Privacy Preserving and Anonymity

$ATT$ may trace the use of services of $U_i$ through an identity or pseudonymous ID or intercept personal information. However, our protocol guarantees privacy by preserving $U_i$ and can provide anonymity. $ATT$ tries to obtain $U_i$’s real identity information through $SC$’s information or transmitted messages. However, $ATT$ cannot obtain the real identity or pseudo identity because these values are hidden in the hash function and $U{R}_i$. Although pseudo identity $HI{D}_i$ is transmitted via an open channel, $HI{D}_{inew}$ is updated when the authentication and key agree. Moreover, $HI{D}_{inew}$ is masked by $N_u$. Therefore, $HI{D}_i$ is always updated in every session. Therefore, the proposed protocol can preserve $U_i$’s privacy and anonymity property.

7.4.3. Impersonation Attack

$ATT$ attempts to impersonate $U_i$, $GWN$, and $S{N}_j$ to obtain valid information. To obatin valid information, $ATT$ must be able to calculate messages sent via wireless channels. However, messages sent to the public channel change every session due to the $N_u$, $N_g$, and timestamp values. Furthermore, $ATT$ cannot compute a valid message because $HI{D}_i$ is also updated to $HI{D}_{inew}$ upon successful authentication. Therefore, our protocol is security from impersonation attacks.

7.4.4. Sensor Node Physical Capture Attack

$ATT$ performs sensor node physical attack to acquire $\{SI{D}_j,PSI{D}_j,K_j,SN{P}_j\}$ stored in $S{N}_j$. However, $ATT$ cannot compute the correct session key even if it gets the stored values. For $ATT$ to compute the session key, $h(h(N_u\left|\right|{\alpha }_i)||N_g)=M_5\oplus h(PSI{D}_j\left|\right|H{S}_j\left|\right|K_j)$ needs to be calculated. However, in the sensor node registration phase, the valid $R_j$ and $SN{R}_j$ cannot be obtained because the sensor randomly generates $C_j$, which is different from the value of each sensor. Because $R_j$ is a value that $PUF$ generates, it cannot be physically replicated. Furthermore, the compromise in $S{N}_j$ does not help compute the session key between $U_i$ and any other uncompromised medical sensor. Therefore, the proposed protocol is used to secure the sensor node’s physical capture attack.

7.4.5. Replay and MITM Attack

$ATT$ is able to obtain the information stored in $S{N}_j$ and $SC$ of valid $U_i$ and can acquire messages sent to the public channel. However, $Adv$ cannot count valid messages generated by $U_i$ and $S{N}_j$, as mentioned in Section 7.4.3 and Section 7.4.4. In addition, every message changes every session because of the $N_u,N_g$ and timestamp values. Therefore, it can be said that our protocol is safe to replay MITM attacks.

7.4.6. Desynchronization Attack

An attacker could delay the updating of $HI{D}_{inew}$, thereby interrupting the entity from being authenticated. These attacks are called desynchronization attacks. In our protocol, $U_i$ picks up a new $HI{D}_{inew}$ during the login and authentication phase and passes it to the $GWN$. After that, $GWN$ updates $HI{D}_i$ and $R{N}_{gw}$ with $HI{D}_{inew}$ and $N_g$ upon successful authentication, and transmits the related values to $U_i$. At this time, $GWN$ maintains $\{HI{D}_i,R{N}_{gw}\}$ if authentication is not successful. Moreover, if $U_i$ does not succeed in authentication, the existing $HI{D}_i$ is kept, and the login and authentication phase is performed again. Therefore, even if the login and authentication phase is blocked by $ATT$, $U_i$ and $GWN$ can keep the original $HI{D}_i$. Therefore, the proposed technique can resist desynchronization attacks.

7.4.7. Stolen Verifier Attack

Even if the information in the verfier table stored in the gateway is leaked to $ATT$, $ATT$ must not be able to impersonate the user and sensor, and $ATT$ must also be unable to calculate the session key. Assume that $ATT$ obtains $GWN$’s verification tables $\{HI{D}_i,R{N}_{gw}\}$ and $\{PSI{D}_j,H{S}_j,$$y_{gwn},C_j\}$ to perform impersonation attacks or compute the $SK$. However, $ATT$ cannot compute ${\alpha }_i=h(HI{D}_i\left|\right|X_{GWN}\left|\right|R{N}_{gw})$ and $K_j=h(PSI{D}_j\left|\right|X_{GWN}$$\left|\right|y_{GWN})$ without $GWN$’s secret key $X_{GWN}$. Furthermore, owing to the nature of the $PUF$, $ATT$ could not calculate $R_j=PUF(C_j)$. Thus, $ATT$ cannot perform impersonation attack and compute $SK$. Therefore, the proposed protocol can be said to be resistant against a stolen verifier attack.

7.4.8. Perfect Forward Secrecy

Even if the private key of $GWN$ is leaked to $ATT$, $ATT$ should not be able to compute the session key of the previous session. Assuming that the private key $X_{GWN}$ of $GWN$ is leaked by $ATT$, $ATT$ attempts to calculate a valid $SK$ using the obtained $X_{GWN}$. However, in the registration phase of $U_i$ and $S{N}_j$, ${\alpha }_i$ and $K_j$ are masked with $R{N}_{gw}$ and $y_{GWN}$ is randomly generated by $GWN$. Therefore, $ATT$ cannot compute valid ${\alpha }_i$ and $K_j$, so it is impossible to compute valid $SK$. Therefore, our protocol can guarantee complete forward secrecy.

7.4.9. Session-Specific Random Number Leakage Attack

Assume that $N_u,N_g$, a random nonce generated in the session, is leaked to $ATT$. Using this value, $ATT$ will help compute $SK$. However, $ATT$ is not able to calculate the valid $SK=h(PSI{D}_j\left|\right|h(h(N_u\left|\right|{\alpha }_i)||N_g)||K_j)$. To calculate a valid $SK$, $ATT$ needs to calculate ${\alpha }_i$ and $K_j$. In order to calculate ${\alpha }_i$ and $K_j$, $ATT$ need to compute or obtain the values of $X_{GWN}$, $y_{GWN}$, and $HP{W}_i$, but it is impossible. Therefore, the proposed protocol is secure against session-specific random number leak attacks.

7.4.10. Ephmeral Secret Leakage Attack

According to the CK attack model, when long-term or short-term secrets are leaked to $ATT$, $ATT$ can calculate a valid session key. In our protocol, $ATT$ has acquired long-term secrets (e.g., $X_{gwn}$ and $y_{GWN}$). In this way, the session key $SK=h(PSI{D}_j\left|\right|h(h(N_u\left|\right|{\alpha }_i)||N_g)$$\left|\right|K_j)$= $h(PSI{D}_j\left|\right|h(h(N_u\left|\right|h(HI{D}_i\left|\right|X_{GWN}\left|\right|R{N}_{gw}))\left|\right|$$N_g)$$\left|\right|$$h(PSI{D}_j|\left|X_{GWN}\right||y_{GWN}))$ includes $X_{gwn}$ and $y_{GWN}$ as well as $N_u,R{N}_{gw},N_g$ is also included. $ATT$ cannot calculate the correct $SK$ without knowing these values. Furthermore, according to Section 7.4.9, even if a short-term secret value is leaked, $ATT$ cannot compute $SK$. Therefore, our method is resistant to ESL attacks.

7.4.11. Session Key Security and Mutual Authentication

$ATT$ computes $SK$ to obtain sensitive information or attempts mutual authentication by disguising itself as a valid entity. However, as discussed in Section 7.4.7–Section 7.4.10, $ATT$ cannot compute a valid $SK$ because of a “computationally infeasible problem”. Additionally, in our proposed protocol, all entities verify each message and mutually authenticate each other. At this time, messages are changed every session due to random number and timestamp and are encrypted with long-term key and short-term key. Therefore, an attacker cannot impersonate a valid entity. Therefore, the proposed protocol guarantees secure session key security and mutual authentication.

8. Efficiency Analysis

We compare communication and computation costs, and security aspect with related protocols for showing the efficiency of our proposed protocol.

8.1. Functionality and Security Features Comparison

This section compares the proposed protocol to related protocols in replay and MITM, guessing, impersonation, device or sensor capture, and desynchronization attacks. We also compare the provision of security features such as forward secrecy and anonymity.

Table 2. Security and functional properties comparison.

Security Properties	Our Protocol	Yuanbing et al. [9]	Ali et al. [25]	Li et al. [28]	Masud et al. [23]
Replay attack	o	o	o	o	o
MITM attack	o	x	o	o	o
Guessing attack	o	x	o	o	x
Impersonation attack	o	x	o	x	x
Smart card stolen attack	o	x	o	o	-
Device or sensor capture attack	o	x	x	x	x
Desynchronization attack	o	-	x	-	-
Anonymity	o	x	o	x	x
Perfect forward secrecy	o	o	x	o	o
Using three factors	o	x	o	o	x
Using PUF	o	x	x	x	x
Secure mutual authentication	o	x	o	x	o

x: insecure against an attack; o: secure against an attack; -: not considered.

indicates that the proposed protocol meets all essential security for communication in a WMSN, whereas existing protocols do not satisfy all security requirements.

8.2. Computation Costs Comparison

The cryptographic computation costs in [30,48] are used for comparative analysis of the computational costs. For the computation cost of cryptographic functions, except PUF and fuzzy extractor, the PBC library (version 0.5.12) built in the GMP library is used on a personal computer environment with Intel Pentium Dual CPU E2200 2.20 GHz processor, 2048 MB RAM, and Ubuntu 12.04.1 LTS 32-bit operating system [48]. The computational costs of PUF and fuzzy functions are obtained in the environment of a single-core 798 MHz CPU with 256 MB RAM, adopting a code offset mechanism using BCH, assuming a 128-bit arbiter PUF [30]. Accordingly, we assumed the times for the notation of the cryptographic function and the computational cost of the function as follows: $T_{hash}$, $T_{pm}$, $T_{enc}$, $T_{dec}$, $T_{fuzzy}$, $T_{puf}$, and $T_{rg}$ denote hash function, point multiplication, encryption, decryption, fuzzy extraction, PUF function, and random nonce generation. The execution time for $T_{hash}$, $T_{pm}$, $T_{enc}$, $T_{dec}$, $T_{fuzzy}$, $T_{puf}$, and $T_{rg}$ are 0.23 ms, 2.226 ms, 3.85 ms, 3.85 ms, 2.68 ms, 12 ms, and 53.9 ms.

Table 3. Computation costs at login and authentication phase.

Protocol	User	Gateway/Sever	Sensor Node	Total Cost
Ali et al. [25]	10$T_{hash}+1T_{enc}+1T_{dec}+1T_{rg}$	$13T_{hash}+2T_{enc}+1T_{dec}$	$5T_{hash}+1T_{dec}$	$28T_{hash}+T_{rg}+3T_{enc}+3T_{dec}(83.44ms)$
Li et al. [28]	8$T_{hash}+3T_{pm}+1T_{rg}$	$8T_{hash}+1T_{pm}+1T_{rg}$	$5T_{hash}+1T_{pm}+1T_{rg}$	$20T_{hash}+6T_{pm}+3T_{rg}(179.656ms)$
Masud et al. [23]	3$T_{hash}+1T_{rg}$	$4T_{hash}+2T_{rg}$	$2T_{hash}+1T_{rg}$	$9T_{hash}+4T_{rg}(217.67ms)$
Yuanbing et al. [9]	$14T_{hash}+2T_{pm}+2T_{rg}$	$10T_{hash}$	$6T_{hash}+2T_{pm}+1T_{rg}$	$30T_{hash}+4T_{pm}+3T_{rg}(177.504ms)$
Ours	$13T_{hash}+1T_{rg}+1T_{fuzzy}$	$15T_h+1T_{rg}$	$6T_h+1T_{puf}+1T_{fuzzy}$	$34T_h+2T_{rg}+1T_{puf}+2T_{fuzzy}(132.98ms)$

provides an overview of the comparison results.

8.3. Communication Costs Comparison

In this secion, we compare the communication costs of our protocol and related protocols at the login and authentication phases. For comparison, assume that the hash value, entity ID, random nonce, and symmetric encryption value are 160 bits and the ECC value is 320 bits at the 160 bit security level of Fp, AES, and SHA1 [49]. We also assume that the timestamp value is 32 bits [50]. Based on these assumptions, the communication cost of our protocol is analyzed. Message $\{HI{D}_i,PSI{D}_j,M_1,M_2,M_3,T_1\}$, $\{M_4,M_5,M_6,T_2\}$, $\{M_7,T_3\}$, and $\{M_8,M_9,M_{10}\}$ have (160 + 160 + 160 + 160 + 160 + 32 = 832), (160 + 160 + 160 + 32 = 512), (160 + 32 = 192), and (160 + 160 + 160 = 480) bits are required. The total communication cost is $832+512+192+480=2016$ bits.

Table 4. Communication costs at login and authentication phase.

Protocol	Total Communication Costs
Ali et al. [25]	1952 bits
Li et al. [28]	2720 bits
Masud et al. [23]	2560 bits
Yuanbing et al. [9]	3552 bits
Ours	2016 bits

shows an analysis of communication costs of related protocols.

8.4. Results of Comparative Analysis

The results of the comparative analysis of the proposed protocol and other studies are as follows. Our proposed protocol has higher computation and communication costs than Ali et al.’s protocol [25]. However, in terms of security, Ali et al.’s protocol is vulnerable to sensor capture and desynchronization attacks and does not guarantee perfect forward secrecy, but the proposed protocol is safe against various attacks and guarantees perfect forward secrecy. In addition, our protocol has a computation cost of 132.98 ms, which is lighter than other papers except for the protocol of Ali et al. Furthermore, the communication cost of our protocol is 2016 bits, which is higher than that of Ali et al., 1952 bits, but there is no big difference. In other papers, the communication cost of the proposed protocol is low. Moreover, from a security perspective, our proposed protocol is secure to replay, MITM, impersonation, smartcard stolen, and desynchronization attacks. PUF and three-factor can be used to provide security against ID/password pair guessing and sensor node capture attacks. Therefore, the proposed protocol can provide secure services to users in a WMSN environment and is a lightweight protocol that considers the resource limitations of sensor nodes.

9. Conclusions

With the development of WSN, patient status identification and medical diagnostic services using WMSNs, a type of WSN, have become common. However, since WMSN exchanges information through an open channel, it is vulnerable to attacks by attackers, and this vulnerability is an important security problem directly related to the patient’s life. Therefore, in order to provide a secure WMSN service, an authentication protocol is required. In this study, we identify the problems of various authentication protocols using two-factor, three-factor, and PUF, and analyze the security vulnerabilities of Yuanbing et al.’s protocol in 2021. To address security vulnerabilities in these protocols, in this paper, we propose a secure authentication protocol applied with three-factor and PUF technology. To prove that the proposed protocol is secure against various attacks and provides security functions, formal verification and informal verification were performed through the ROR model, BAN logic, and AVISPA tool. In addition, through a comparative analysis of protocols, it was found that the calculation and communication costs were lower than those of the related protocols, and provide a more secure service in WMSN environments. Therefore, our proposed protocol can be secure against guessing, replay, MITM, impersonation, and sensor capture attacks and can provide anonymity, perfect forward secrecy, and secure mutual authentication. Our protocol also solves the problem of the sensor node, which has resource limitation, and ultimately can be applied to the actual WMSN environment. In the future, we plan to develop a better protocol by constructing and applying the proposed protocol to a practical testbed.