Security Analysis and Improvements of Two-Factor Mutual Authentication with Key Agreement in Wireless Sensor Networks

Abstract

User authentication and key management are two important security issues in WSNs (Wireless Sensor Networks). In WSNs, for some applications, the user needs to obtain real-time data directly from sensors and several user authentication schemes have been recently proposed for this case. We found that a two-factor mutual authentication scheme with key agreement in WSNs is vulnerable to gateway node bypassing attacks and user impersonation attacks using secret data stored in sensor nodes or an attacker's own smart card. In this paper, we propose an improved scheme to overcome these security weaknesses by storing secret data in unique ciphertext form in each node. In addition, our proposed scheme should provide not only security, but also efficiency since sensors in a WSN operate with resource constraints such as limited power, computation, and storage space. Therefore, we also analyze the performance of the proposed scheme by comparing its computation and communication costs with those of other schemes.

1. Introduction

A wireless sensor network (WSN) is composed of a number of sensors (tens to thousands) that are deployed to collect data in a target area [1,2]. The number of potential applications for WSNs is increasing in various fields, including environmental monitoring, healthcare, agriculture, manufacturing, military sensing and tracking, and disaster alert [1–5]. The design of a specific WSN is dependent on the given application and the environment under which it operates [1]. In addition, sensors in a WSN operate with resource constraints such as limited power, computation, and storage space [1,3,6–8]. In WSNs, user queries are generally transmitted to the gateway [1,3,8,9]. However, for some applications, the user needs to obtain real-time data directly from sensors [1,3,8,9]. In this case, only legitimate users should be able to access the WSN.

Several schemes for user authentication in WSNs have been proposed recently. Wong et al. [10] proposed a user authentication scheme that uses only one-way hash functions for computation efficiency on sensor nodes [10]. However, Das [3] pointed out that Wong et al.'s scheme does not prevent many logged-in users with the same login-ID threats and stolen-verifier attacks [3]. Das [3] proposed a two-factor user authentication in WSNs using a smart card and a password instead of maintaining a password/verifier table [3]. Other researchers, however, pointed out that Das' scheme still has security flaws. Chen and Shih [11] insisted that Das' scheme does not provide mutual authentication, and proposed a mutual authentication scheme between the user, the gateway, and the sensor node [11]; He et al. [9] said that Das' scheme has security weaknesses against insider attacks and impersonation attacks [9]; and Khan and Alghathbar [4] pointed out that Das' scheme is vulnerable to gateway node bypassing attacks and privileged-insider attacks [4]. In 2012, Vaidya et al. [12] pointed out that the schemes proposed by Das [3], Kan and Alghathbar [4] and Chen and Shih [11] are all insecure against stolen smart card attacks and sensor node impersonation attacks with node capture attacks and do not provide key agreement [12]. Therefore, they proposed a novel two-factor mutual authentication and key agreement scheme to prevent these attacks. In addition, they insisted that computational costs for gateway and sensor nodes in their proposed scheme are not so high. However, we found that their proposed scheme still has security flaws.

In this paper, we present that gateway node bypassing attacks and user impersonation attacks are possible using secret data stored in a sensor or an attacker's own smart card in Vaidya et al.'s scheme. Additionally, we propose an improved scheme that eliminates such security weaknesses from Vaidya et al.'s scheme. We verify that the proposed scheme is secure against possible attacks. We also analyze the performance of the proposed scheme by comparing its computation cost and communication cost with those of other schemes.

The remainder of the paper is organized as follows. Section 2 presents a review of Vaidya et al.'s scheme. Section 3 is devoted to analyzing the security of Vaidya et al.'s scheme. Section 4 proposes the improved scheme. Section 5 analyzes the security of the proposed scheme against possible attacks. Section 6 is devoted to analyzing the performance of the proposed scheme and Section 7 concludes this paper.

2. Review of Vaidya et al.'s Scheme

There are three communication parties in Vaidya et al.'s scheme [12]: a user, a gateway node, and a sensor node. This scheme is composed of four phases: registration phase, login phase, authentication-key agreement phase, and password change phase. We describe each phase in detail in Sections 2.1–2.4, and

Table 1. Notations [12].

Symbol	Description
Ui	i-th user
Sj	j-th sensor node
GW	Gateway node
IDi	Identity of
pWi	Password of
SIDj	Identity of
IDs	Identity of smart card
K	Secret key known to only
Xs	Secret value generated by and shared between only and
h(·)	One-way hash function
RNi	Random nonce of
RNj	Random nonce of
⊕	XOR operation
∥	Concatenation operation
=?, ≤?	Verification operation
Ks	Session key
f(x,k)	Pseudo-random function of variable with key k
Ti,Ti′	Current timestamp of Ui
TG,TG′	Current timestamp of GW
Tj	Current timestamp of Sj
ΔT	The maximum of transmission delay time permitted
	Secure channel
	Insecure channel

shows the notations used in the remainder of the paper.

Registration phase begins when the user sends a registration request with his/her identity and a hashed password to the gateway node. Then, the gateway node personalizes a smart card for the user and sends it to him/her as a response to the registration request. In the registration phase, all these communication messages are transmitted in secure channels.

Login phase begins when the user inserts his/her smart card into the terminal and inputs his/her identity and password. After the verification of the user's input value, the smart card computes and sends the authentication request to the gateway node. When the gateway node receives the authentication request from the user side, the authentication-key agreement phase begins. The gateway node verifies whether the authentication request comes from a legitimate user. If the verification is successful, the gateway node sends the authentication request to a sensor node which can respond to a request or a query from the user. In this phase, three authentication requests are transmitted. The first request is from the gateway node to the sensor node, the second is from the sensor node to the gateway node, and the final is from the gateway node to the user. As stated, when one party receives an authentication request, the party verifies its validity and sends a new authentication request to the other party. In login phase and authentication-key agreement phase, these request messages are transmitted in insecure channels. If all verifications are passed successfully, the user and the sensor node then share the session key for communication. The password change phase begins whenever the user wants to change his/her password. In the password change phase, the user side does not have to communicate with other parties.

2.1. Registration Phase

We describe the registration phase in this subsection. U_i selects ID_i and pw_i, computes H_PW_i=h(pw_i) and sends the registration request {ID_i,h(pw_i)} to GW. Then, GW personalizes a smart card for U_i and sends it to U_i. Figure 1 shows the registration phase of Vaidya et al.'s scheme.

R-1	Ui selects IDi and.PWi
R-2	Ui computes H_PWi=h(pwi)
	Ui sends a registration request {IDi, H_PWi} to GW in secure channels (it was not mentioned whether the registration request from Ui to GW is sent by secure channels [12], but we guess that it is sent this way).
R-3	GW computes the following when it receives the registration request from Ui.
	Ai=h(IDi∥H_PWi∥xs)⊕h(K)
	Bi=h(H_PWi⊕xs)
	Ci=xs⊕h(IDs∥H_PWi)
	GW personalizes the smart card with IDs, IDi, h(·), Ai, Bi and Ci.
	GW sends the smart card to Ui in secure channels.

Meanwhile, SID_j and a secret value x_s generated by GW are stored in S_j before it is deployed into a target field.

2.2. Login Phase

The login phase begins when U_i inserts U_i's smart card into a terminal and inputs $I{D}_i^{*}$ and $p{w}_i^{*}$. In this phase, U_i sends the authentication request to GW. Figure 2 illustrates the login phase of Vaidya et al.'s scheme.

L-1	Ui inserts Ui's smart card into a terminal and inputs $I{D}_i^{*}$ and $p{w}_i^{*}$
L-2	The smart card computes the following.
	$H\_P{W}_i^{*}=h\left(p{w}_i^{*}\right)$
	$x_s=C_i\oplus h(I{D}_s\Vert H\_P{W}_i^{*})$
	$B_i^{*}=h(H\_P{W}_i^{*}\oplus x_s)$
	The smart card compares $B_i^{*}$ with Bi. If, $B_i^{*}=B_i$, then the next step proceeds; otherwise, this phase is aborted.
L-3	The smart card generates a random nonce RNi and computes the following. Ti is the current timestamp of Ui system.
	$DI{D}_i=h(I{D}_i\Vert H\_P{W}_i^{*}\Vert x_s)h(x_s\Vert R{N}_i\Vert T_i)$
	MUi−G=h(Ai∥xs∥RNi∥Ti)
	vi=RNi⊕xs
	The smart card sends the authentication request {DIDi, MUi−G, vi, Ti} to GW.

2.3. Authentication-Key Agreement Phase

When GW receives the authentication request from U_i, the authentication-key agreement phase begins. In this phase, U_i, GW, S_j and send and receive authentication requests from one another. Figure 3 depicts the authentication-key agreement phase of Vaidya et al.'s scheme. The following describes this process in detail.

A-1	GW checks if (TG−Ti) ≤ ΔT, where TG is the current timestamp of GW system, and ΔT is the maximum permitted transmission delay time. If (TG−Ti) ≤ ΔT, then the next step proceeds; otherwise, this phase is aborted.
A-2	GW computes the following.
	RNi=vi⊕xs
	X*=DIDi⊕h(xs∥RNi∥Ti)
	MUi−G*=h((X*⊕h(K))∥xs∥RNi∥Ti)
	GW compares MUi−G* with MUi−G*. If MUi−G* =MUi−G, then the next step proceeds; otherwise, this phase is aborted.
A-3	GW computes MG−Sj=h(DIDi∥SIDj∥xs∥TG). TG is the current timestamp of GW system. Sj is the nearest sensor node that can respond to Ui's request.
	GW sends the authentication request {DIDi, MG−Sj, TG} to Sj.
A-4	GW checks if (Tj − TG) ≤ ΔT, where Tj is the current timestamp of Sj system.
	If (Tj −TG) ≤ ΔT, then the next step proceeds; otherwise, this phase is aborted.
A-5	Sj computes MG−Sj*=h(DIDi∥SIDj∥xs∥TG).
	Sj compares MG−Sj* with MG−Sj. If MG−Sj* = MG−Sj, then the next step proceeds; otherwise, this phase is aborted.
A-6	Sj generates a random nonce RNj and computes the following.
	yi = RNj⊕xs
	zi = MG−Sj*⊕RNj
	MSj−G = h(zi∥xs∥Tj)
	Sj sends the authentication request {yi, MSj−G, Tj} to GW.
A-7	GW checks if (TG′ − Tj) ≤ ΔT, where TG′ is the current timestamp of GW system.
	If (TG′−Tj) ≤ ΔT, then the next step proceeds; otherwise, this phase is aborted.
A-8	GW computes the following.
	RNj=yi ⊕ xs
	$z_i^{\ast }=M_{G-S_j}\oplus R{N}_j$
	$M_{S_j-G}*=h\left(z_i^{*}\Vert x_s\Vert T_j\right)$
	GW compares MSj−G* with MSj−G. If MSj−G* = MSj−G, then the next step proceeds; otherwise, this phase is aborted.
A-9	GW computes the following.
	MG−Ui = h(DIDi∥MG−Sj∥MUi−G∥xs∥TG′)
	$w_i=z_i^{*}{x}_s$
	GW sends the authentication request {yi, wi, MG−Ui, TG′} to Ui.
A-10	Ui checks if (Ti′ − TG′) ≤ ΔT, where Ti′ is the current timestamp of Ui system. If (Ti′ − TG′) ≤ ΔT, then the next step proceeds; otherwise, this phase is aborted.
A-11	The smart card computes the following.
	RNj = yi ⊕ xs
	$z_i^{*}=w_i\oplus x_s$
	$M_{G-S_j}=z_i^{*}\oplus R{N}_j$
	MG−Ui* = h(DIDi∥MG−Sj∥MUi−G∥xs∥TG′)
	The smart card compares MG−Ui* with MG−Ui. If MG−Ui* = MG−Ui, then mutual authentication between Ui and Sj is completed successfully; otherwise, this phase is aborted.
A-12	The smart card computes Ks = f((DIDi∥RNi),xs) to obtain a session key for communication with Sj. Meanwhile, Sj also computes KS = f((DIDi∥RNi),xs) to share a session key with Ui.

2.4. Password Change Phase

The password change phase proceeds when U_i changes U_i's existing password to a new one. In the password change phase, U_i does not communicate with GW.

P-1	Ui inserts Ui's smart card into a terminal and inputs, $I{D}_i^{*}$, $p{w}_i^{*}$, and pwni. pwni is Ui's new password.
P-2	The smart card computes the following.
	$H\_P{W}_i^{*}=h\left(p{w}_i^{*}\right)$
	$x_s=C_i\oplus h(I{D}_s\Vert H\_P{W}_i^{*})$
	$B_i^{*}=h(H\_P{W}_i^{*}\oplus x_s)$
	The smart card compares $B_i^{*}$ with Bi. If $B_i^{*}=B_i$, then the next step proceeds; otherwise, this phase is aborted.
P-3	The smart card computes the following.
	$H\_P{W}_{ni}=h(p{w}_{ni}\Vert R{N}_r^{\ast })$
	$A_{ni}=A_i\oplus h(I{D}_i\Vert H\_P{W}_i^{*}\Vert x_s)\oplus h\left(I{D}_i\Vert H\_P{W}_{ni}\Vert x_s\right)$
	Bni=h(H_PWni⊕xs)
	Cni=xs⊕h(IDs∥H_PWni)
	The smart card replaces the existing values Ai, Bi, and Ci with the new values Ani, Bni, and Cni.

3. Security Analysis of Vaidya et al.'s Scheme

In this section, we analyze the security of Vaidya et al.'s scheme. We found that gateway node bypassing attacks are possible in Vaidya et al.'s scheme if an attacker captures a sensor node and extracts secret values stored in it. Additionally, an attacker can know secret values x_s and h(K) from the attacker's own smart card and use them for user impersonation attacks or gateway node bypassing attacks.

In Sections 3.1–3.3, we describe possible attacks in Vaidya et al.'s scheme in detail. We assume that an attacker can eavesdrop on or intercept all messages sent or received between communication parties. We also assume that an attacker can read data stored in a smart card in any manner like in the related works [2,6,13–16]. In addition, we have to note that data stored in sensor nodes are not secure since an attacker can capture sensor nodes that are deployed in unattended environments and can then extract data from them.

3.1. Gateway Node Bypassing Attacks Using Secret Data Stored in a Sensor Node

In Vaidya et al.'s scheme, if an attacker extracts the secret data x_s from a sensor node, he/she can impersonate GW and communicate with U_i. These attacks proceed as explained below. U_α denotes an attacker here.

Step 1	Uα extracts xs and SIDj from a sensor node captured in the WSN.
Step 2	Login phase begins when Ui wants to access to the WSN as in Section 2.2. When Ui sends the authentication request {DIDi, MUi−G, vi, Ti} to GW, Uα eavesdrops on it.
Step 3	Uα computes the following using xs, SIDj and {DIDi, MUi−G, vi, Ti}. Tα and Tα′ denote the current timestamp of Uα system, and Tα < Tα′. Uα generates a random nonce RNα.
	yi=RNα⊕xs
	MG-Sj = h(DIDi∥SIDj ∥xs ∥Tα)
	$z_i^{*}=M_{G-S_j}\oplus R{N}_{\alpha }$
	$w_i=z_i^{*}\oplus x_s$
	MG−Ui*=h(DIDi∥MG−Sj∥MUi−G∥xs∥Tα′)
	Uα forges the authentication request sent from GW to Ui in authentication-key agreement phase using {yi, wi, MG−Ui),Tα′}.
Step 4	When Ui receives {yi, wi, MG−Ui, Tα′} from Uα, Ui checks if (TU′−Tα′) ≤ ΔT, where (TU′ is the current timestamp of Ui system. If (TU′−Tα′) ≤ ΔT, then the next step proceeds; otherwise, this phase is aborted.
Step 5	The smart card computes the following.
	RNα = yi ⊕ xs
	$z_i^{*}=w_i\oplus x_S$
	$M_{G-U_i}=h(DI{D}_i\Vert M_{G-S_j}\Vert M_{U_i-G}\Vert x_s\Vert T_{\alpha }\prime )$
	MG−Ui*=h(DIDi∥MG−Sj∥MUi−G∥xs∥Tα′)
	The smart card compares MG−Uiwith MG−Ui*. Since MG−Ui = MG−Ui*, Ui regards {yi, wi, MG−Ui,Tα′} as being transmitted from GW. Therefore, Uα can communicate with Ui using the session key Ks = f((DIDi∥RNα), xs).

3.2. User Impersonation Attacks Using an Attacker's Own Smart Card

If an attacker U_α registers with GW, U_α receives the smart card personalized with U_α's own identity and password, ID_α and pw_α. U_α can compute x_s and h(K) using ID_α, pw_α, and secret values stored in the smart card.

Step 1	As shown in the Section 2.1, Uα selects IDα and pwα.
Step 2	Uα computes H_PWα=h(pwα).
	Uα sends the registration request {IDα, h(pwα)} to GW.
Step 3	GW computes the following when it receives the registration request from Uα.
	Aα = h(IDα∥H_PWα∥xs)⊕h(K)
	Bα=h(H_PWα⊕xs)
	Cα=xs ⊕ h(IDs∥H_PWα)
	GW personalizes the smart card with IDs, IDα, h(·), Aα, Bα and Cα.
	GW sends the smart card to Uα.
Step 4	Uα reads IDs, IDα, Aα, Bα, and Cα from the smart card.
	Uα can know xs and h(K) by computing the following.
	xs= Cα ⊕ h(IDs∥H_PWα)
	h(K) = Aα ⊕ h(IDα∥H_PWα∥ xs)

U_α can impersonate a legitimate user who has registered with GW using x_s and h(K). In addition, U_α can also log in with any temporary identity that does not actually exist.

3.2.1. Logging in with Any Temporary Identity

We describe the process where U_α logs in with any temporary identity that does not actually exist using x_s and h(K).

Step 1	Uα selects any temporary identity and password IDβ and pwβ. Uα computes the authentication request as follows. Tα denotes the current timestamp of Uα system, and RNα is a random nonce generated by Uα.
	$H_P{W}_{\beta }^{*}=h(p{w}_{\beta })$
	$A_{\beta }=h(I{D}_{\beta }\Vert H\_W_{\beta }^{*}\Vert x_s)\oplus h(K)$
	$DI{D}_{\beta }=h(I{D}_{\beta }\Vert H\_P{W}_{\beta }^{*}||x_s)\oplus h(x_s\Vert R{N}_{\alpha }\Vert T_{\alpha })$
	MUβ−G=h(Aβ∥xs∥RNα∥Tα)
	vβ=RNα ⊕ xs
	Uα sends the authentication request {DIDβ, MUβ−G, vβ, Tα} to GW.
Step 2	When GW receives the authentication request, GW checks if (TG−Tα) ≤ ΔT, where TG is the current timestamp of GW system. If (TG−Tα) ≤ ΔT, then the next step proceeds; otherwise, this phase is aborted.
Step 3	GW computes the following.
	RNα=vβ⊕ xs
	X*=DIDβ ⊕ h(xs∥RNα∥Tα)
	MUβ−G* = h((X* ⊕ h(K))∥xs∥RNα∥Tα)
	GW compares MUβ−G with MUβ−G*. GW regards {DIDβ, MUβ−G, vβ, Tα} as being sent from a legitimate user because MUβ−G = MUβ−G*.

3.2.2. Logging in with the Identity of a Legitimate User

We describe when U_α impersonates a legitimate user U_i who has registered with GW using x_s and h(K).

Step 1	In the previous session, when Ui sends the authentication request {DIDi, MUi−G, vi, Ti} to GW as shown in Section 2.2, Uα eavesdrops on it.
Step 2	Uα computes the following. RNα is a random nonce generated by Uα. Tα is the current timestamp of Uα system. xs and h(K) are already known to Uα, as mentioned above.
	RNi=vi ⊕ xs
	$h\left(I{D}_i\Vert H\_P{W}_i^{*}\Vert x_s\right)=DI{D}_i\oplus h\left(x_s\left|\left|R{N}_i\right|\right|T_i\right)$
	$DI{D}_i=h(I{D}_i\Vert H\_P{W}_i^{*}\Vert x_s)\oplus h(x_s\Vert R{N}_i\Vert T_i)$
	$A_i=h(I{D}_i\Vert H\_P{W}_i^{*}\Vert x_s)\oplus h(K)$
	MUi−G = h(Ai∥xs∥RNα∥Tα)
	vi = RNα ⊕ xs
	Uα sends the authentication request {DIDi, MUi−G, vi, Tα} to GW.
Step 3	When GW receives {DIDi, MUi−G, vi, Tα}, GW checks if (TG−Tα) ≤ ΔT, where TG is the current timestamp of GW system. If (TG−Tα) ≤ ΔT, then the next step proceeds; otherwise, this phase is aborted.
Step 4	GW computes the following.
	RNα = vi ⊕ xs
	X*=DIDi ⊕ h(xs∥RNα∥Tα)
	MUi−G* = h((X* ⊕ h(K))∥xs∥RNα∥Tα)
	GW compares MUi−G with MUi−G*. GW regards {DIDi, MUi−G, vi, Tα} as being sent from a legitimate user because MUi−G=MUi−G*.

3.3. Gateway Node Bypassing Attacks Using an Attacker's Own Smart Card

As discussed in Section 3.2, if an attacker U_α obtains x_s and h(K) using data stored in his/her own smart card, he/she can impersonate GW. The following shows the attack process in detail. U_α denotes an attacker here.

Step 1	Login phase begins when Ui wants to access the WSN as described in Section 2.2.When Ui sends the authentication request {DIDi, MUi−G, vi, Ti} to GW, Uα eavesdrops on the transmission.
Step 2	Uα computes the following using xs and {DIDi, MUi−G, vi, Ti}. Tα and Tα′ denote the current timestamp of Tα system, and Tα < Tα′. Uα generates a random nonce RNα. SIDα is created by Uα.
	yi = RNα ⊕ xs
	MG−Sj = h(DIDi∥SIDα∥xs∥Tα)
	$z_i^{*}=M_{G-S_j}\oplus R{N}_{\alpha }$
	$w_i=z_i^{*}\oplus x_s$
	MG−Ui = h(DIDi∥MG−Sj∥MUi−G∥xs∥Tα′)
	Uα forges the authentication request sent from GW to Ui in authentication-key agreement phase using {yi, wi, MG−Ui, Tα′}.
Step 3	When Ui receives {yi, wi, MG−Ui, Tα′} from Uα, Ui checks if (TU′ − Tα′) ≤ ΔT, where TU′ is the current timestamp of Ui system. If (TU′ − Tα′) ≤ ΔT, then the next step proceeds; otherwise, this phase is aborted.
Step 4	The smart card computes the following.
	RNα = yi ⊕ xs
	$z_i^{*}=w_i\oplus x_s$
	$M_{G-Sj}=z_i^{*}\oplus R{N}_{\alpha }$
	MG−Ui*=h(DIDi∥MG−Sj∥MUi−G∥xs∥Tα′)
	The smart card compares MG−Uiwith MG−Ui*. Since MG−Ui=MG−Ui*, Ui regards {yi, wi, MG−Ui,Tα′} as being transmitted from GW. Therefore, Uα can communicate with Ui using the session key Ks = f((DIDi∥RNα), xs).

4. The Proposed Scheme

In this section, we propose an improved scheme that can overcome the security weaknesses presented in Section 3. The reason why Vaidya et al.'s scheme is vulnerable to sensor node capture attacks is that x_s is stored in plaintext form in S_j though it is a secret value. To make matters worse, x_s is shared between all sensor nodes in the WSN. Also, in Vaidya et al.'s scheme, an attacker can compute and use x_s and h(K) for attacks because they are stored in all users' smart cards. Therefore, the main ideas of our proposed scheme are as follows:

▪

When GW personalizes a smart card for U_i in the registration phase, GW uses Xs_i = h(H_ID_i ∥x_s) and h(H_ID_i∥K; instead of x_s and h(K) to prevent an attacker from computing x_s or h(K). Since Xs_i and h h(H_ID_i∥K; are unique for each user, an attacker cannot reuse them to impersonate a legitimate user.

▪

In the proposed scheme, $X{s}_j^{*}=h(SI{D}_j\Vert x_s)$ instead of x_s is stored in S_jto prevent an attacker from extracting x_s from S_j. Since $X{s}_j^{*}$ is unique for each sensor node, we can attenuate the effects of sensor node capture attacks as much as possible.

We describe each phase in detail in Sections 4.1 through 4.4. Before describing the proposed scheme in detail, we present the security requirements for the proposed scheme.

▪

The proposed scheme has to be secure against possible attacks such as replay, password guessing, user impersonation, gateway node bypassing and parallel session attacks.

▪

The proposed scheme has to minimize the damage caused by sensor node capture attacks. The authentication scheme cannot be a perfect solution that blocks sensor node capture attacks completely. Nevertheless, the proposed scheme should attenuate the effects of sensor node capture attacks as much as possible.

▪

We assume an attacker can obtain all data from a smart card. Therefore, our proposed scheme has to be devised considering stolen smart card attacks, lost smart card problems, and attacks that use an attacker's own smart card, as shown in Section 3.

▪

The proposed scheme must be secure against privileged-insider attacks or stolen-verifier attacks.

▪

The proposed scheme has to provide methods for mutual authentication, key agreement between U_i and S_j, and password change.

4.1. Registration Phase

In the registration phase, U_i selects ID_i and pw_i. U_i computes and sends the registration request {ID_i, h(pw_i)∥RN_r)} to the gateway node, where RN_r is a random nonce. Then, GW personalizes a smart card for U_i. Figure 4 illustrates the registration phase of the proposed scheme. Meanwhile, SID_j and $X{s}_j^{*}$ are stored in S_j, where $X{s}_j^{*}=h(SI{D}_j\Vert x_s)$

before S_j is deployed into a target field.

R-1	Ui selects IDi and pwi.
R-2	Ui generates a random nonce RNr and computes H_PWi = h(pwi∥RNr).
	Ui sends the registration request {IDi, H_PWi} to GW in secure channels.
R-3	GW computes the following when it receives a registration request from Ui.
	H_IDi = h(IDi∥K)
	Xsi = h(H_IDi∥xs)
	Ai=h(H_PWi∥Xsi) ⊕ h(H_IDi ∥K)
	Bi = h(H_PWi ⊕ Xsi)
	Ci = XSi ⊕ h(IDs∥H_PWi)
	GW personalizes the smart card with IDs, H_IDi, h(·),Ai,Biand Ci.
	GW sends the smart card to Ui in secure channels.
R-4	Ui computes X_PWi = h(pwi) ⊕ RNr and adds X_PWi to the smart card.

4.2. Login Phase

The login phase begins when U_i inserts U_i's smart card into a terminal and inputs $I{D}_i^{*}$ and $p{w}_i^{*}$. In this phase, U_i sends the authentication request to GW. Figure 5 depicts the login phase of the proposed scheme.

L-1	Ui inserts Ui's smart card into a terminal and inputs $I{D}_i^{*}$ and. $p{w}_i^{*}$
L-2	The smart card computes the following.
	$R{N}_r^{*}=h(p{w}_i^{*})\oplus X\_P{W}_i$
	$H\_P{W}_i^{*}=h(p{w}_i^{*}\Vert R{N}_r^{*})$
	$X{s}_i^{*}=C_i\oplus h\left(I{D}_s\Vert H\_P{W}_i^{*}\right)$
	$B_i^{*}=h\left(H\_P{W}_i^{*}\oplus X{s}_i^{*}\right)$
	The smart card compares $B_i^{*}$ with Bi. If $B_i^{*}=B_i$, then the next step proceeds; otherwise, this phase is aborted.
L-3	The smart card generates a random nonce RNi and computes the following. Ti is the current timestamp of Ui system.
	$DI{D}_i=h\left(H\_P{W}_i^{*}\Vert X{s}_i^{*}\right)\oplus h\left(X{s}_i^{*}\Vert R{N}_i\Vert T_i\right)$
	$M_{U_i-G}=h\left(A_i\Vert X{s}_i^{*}\Vert R{N}_i\Vert T_i\right)$
	$v_i=R{N}_i\oplus X{s}_i^{*}$
	The smart card sends the authentication request {DIDi, MUi−G, vi, Ti, H_IDi } to GW.

4.3. Authentication-Key Agreement Phase

When GW receives an authentication request from U_i, the authentication-key agreement phase begins. In this phase, U_i, GW, S_j and send and receive authentication requests from one another. Figure 6 shows the authentication-key agreement phase of the proposed scheme. The following describes this process in detail.

A-1	GW checks if (TG − Ti) ≤ ΔT, where TG is the current timestamp of GW system.
	If (TG − Ti) ≤ ΔT, then the next step proceeds; otherwise, this phase is aborted.
A-2	GW computes the following.
	XSi = h(H_IDi∥xs)
	RNi = vi ⊕ Xsi
	X* = DIDi ⊕ h(Xsi∥RNi∥Ti)
	MUi−G* = h((X* ⊕ h(H_IDi∥K))∥Xsi∥RNi∥Ti)
	GW compares MUi−G* with MUi−G. If MUi−G*=MUi−G, then the next step proceeds; otherwise, this phase is aborted.
A-3	GW computes the following. TG is the current timestamp of GW system. Sj is the nearest sensor node that can respond to Ui 's request.
	Xsj=h(SIDj∥xs)
	MG−Sj = h(DIDi∥SIDj∥Xsj∥TG)
	GW sends the authentication request {DIDi, MG−Sj, TG} to Sj.
A-4	GW checks if (T j − TG) ≤ ΔT, where Tj is the current timestamp of Sj.
	If (T j − TG) ≤ ΔT, then the next step proceeds; otherwise, this phase is aborted.
A-5	Sj computes ${M_{G-Sj}}^{*}=h\left(DI{D}_i\left|\left|SI{D}_j\right|\right|X{s}_i^{*}\Vert T_G\right).$
	Sj compares MG−Sj* with MG−Sj. If MG−Sj* = MG−Sj, then the next step proceeds; otherwise, this phase is aborted.
A-6	Sj generates a random nonce RNj and computes the following.
	$y_j=R{N}_j\oplus X{s}_j^{*}$
	zi = MG−Sj*⊕RNj
	$M_{S_j-G}=h(z_i\Vert X{s}_j^{*}\Vert T_j)$
	Sj sends the authentication request {yi, MSj−G, Tj} to GW.
A-7	GW checks if (TG′ − Tj) ≤ ΔT, where TG′ is the current timestamp of GW.
	If (TG′ − Tj) ≤ ΔT, then the next step proceeds; otherwise, this phase is aborted
A-8	GW computes the following.
	RNj = yj ⊕ Xsi
	$z_i^{*}=M_{G-S_j}\oplus R{N}_j$
	${M_{S_j-G}}^{*}=h\left(z_i^{*}\Vert X{s}_j\Vert T_j\right)$
	GW compares MSj−G* with MSj−G. If MSj−G = MSj−G, then the next step proceeds; otherwise, this phase is aborted.
A-9	GW computes the following:
	MG−Ui = h(DIDi ∥MG−Sj∥MUi−G∥Xsi∥TG′)
	$w_i=z_i^{*}\oplus X{s}_i$
	yi=RNj ⊕ Xsi
	qj=Xsj ⊕ RNj
	GW sends the authentication request {yi, wi, MG−Ui, qj, TG′)} to Ui.
A-10	Ui checks if (Ti′−TG′) ≤ ΔT, where Ti′ is the current timestamp of Ui. If (Ti′−TG′) ≤ ΔT, then the next step proceeds; otherwise, this phase is aborted.
A-11	The smart card computes the following:
	RNj =yi ⊕Xsi
	$z_i^{*}=w_i\oplus X{s}_i$
	$M_{G-S_j}^{*}=z_i^{*}\oplus R{N}_j$
	${M_{G-U_i}}^{*}=h\left(DI{D}_i\Vert M_{G-S_j}^{*}\Vert M_{U_i-G}\Vert X{s}_i\Vert T_G\prime \right)$
	The smart card compares MG−Ui* with MG−Ui. If MG−Ui* =MG−Ui, then mutual authentication between Ui and SNj is completed successfully; otherwise, this phase is aborted.
A-12	The smart card computes the following to get a session key for communication with Sj. Meanwhile, Sj also computes KS = f((DIDi ∥RNi), Xsj to share a session key with Ui.
	Xsj = qj ⊕ RNj
	Ks = f((DIDi∥RNj), Xsj)

4.4. Password Change Phase

The password change phase proceeds when U_i changes U_i 's existing password to a new one. In the password change phase, U_i does not have to communicate with GW.

P-1	Ui inserts its smart card into a terminal and inputs, $I{D}_i^{*}$, $p{w}_i^{*}$ and pwni. is Ui's new password.
P-2	The smart card computes the following.
	$R{N}_r^{*}=h(p{w}_i^{*})\oplus X\_P{W}_i$
	$H\_P{W}_i^{*}=h(p{w}_i^{*}\Vert R{N}_r^{*})$
	$X{s}_i^{*}=C_i\oplus h\left(I{D}_s\Vert H\_P{W}_i^{*}\right)$
	$B_i^{*}=h\left(H\_P{W}_i^{*}\oplus X{s}_i^{*}\right)$
	The smart card compares $B_i^{*}$ with Bi. If $B_i^{*}=B_i$, then the next step proceeds; otherwise, this phase is aborted.
P-3	The smart card computes the following.
	$H\_P{W}_{ni}=h(p{w}_{ni}\Vert R{N}_r^{*})$
	$A_{ni}=A_i\oplus h\left(H\_P{W}_i^{*}\Vert X{s}_i^{*}\right)\oplus h\left(H\_P{W}_{ni}\Vert X{s}_i^{*}\right)$
	$B_{ni}=h\left(H\_P{W}_{ni}\oplus X{s}_i^{*}\right)$
	$C_{ni}=X{s}_i^{*}\oplus h(I{D}_s\Vert H\_P{W}_{ni})$
	The smart card replaces the existing values Ai, Bi and Ci with the new values Ani, Bni and Cni.

5. Security Analysis of the Proposed Scheme

This section is devoted to the security analysis of our proposed scheme. We discuss the security of our proposed scheme in terms of the security requirements presented in Section 4.

Table 2. Security comparison of the proposed scheme.

Security Features	Das' Scheme [3]	Khan and Alghathbar's Scheme [4]	Vaidya et al.'s Scheme [12]	The Proposed Scheme
Replay attacks	Yes	Yes	Yes	Yes
User impersonation attacks	No	No	No	Yes
Gateway node bypassing attacks	No	No	No	Yes
Parallel session attacks	No	No	Yes	Yes
Password guessing attacks	No	No	Yes	Yes
Sensor node capture attacks	No	No	No	Yes
Stolen smart card attacks	No	No	Yes	Yes
Lost smart card problems	No	No	Yes	Yes
Privileged-insider attacks	No	Yes	Yes	Yes
Stolen-verifier attacks	Yes	Yes	Yes	Yes
Mutual authentication	No	No	Yes	Yes
Key agreement	No	No	Yes	Yes
Password change phase	No	Yes	Yes	Yes

(Yes: The scheme resists the attacks or provides the functionality; No: The scheme does not resist the attacks or provide the functionality).

shows a security comparison of the proposed scheme.

▪

Replay attacks: The proposed scheme resists replay attacks because all authentication requests include current timestamps, such as T_i of {DID_i, M_Ui−G, v_i, T_i, H_ID_i}.

▪

User impersonation attacks and gateway node bypassing attacks: In the proposed scheme, an attacker cannot create valid authentication requests {DID_i, M_Ui−G, v_i, T_i, H_{_}ID_i} and {y_i, w_i, M_G−Ui,q_j,T_G′} because he/she cannot compute the secret data x_s and h(K). Therefore, user impersonation attacks and gateway node bypassing attacks are impossible.

▪

Parallel session attacks: The proposed scheme is secure against parallel session attacks because all authentication requests include random nonces such as DID_i, and v_i of {DID_i, M_Ui−G, v_i, T_i, H_{_}ID_i}.

▪

Password guessing attacks: pw_i cannot be guessed by an attacker because it is transmitted as the results which are concatenated with some secret values and one-way hashed. Even a privileged-insider cannot guess U_i's password from the registration request {ID_i,H_PW_i} because RN_r in H_PW_i = h(pw_i∥RN_r) is a unknown value to him/her.

▪

Sensor node capture attacks: Though an attacker captures a sensor node and obtains secret data SID_j and $X{s}_j^{*}$ from it, the attacker cannot impersonate U_i, GW, or other sensor nodes. Since is the unique secret data only for S_j, an attacker cannot compute Xs_j for U_i or x_s for GW. In addition, he/she cannot compute the secret data of other sensor nodes except S_j.

▪

Stolen smart card attacks and lost smart card problems: Though an attacker extracts ID_s, H_{_}ID_i, h(·), A_i, B_i, C_i, and X_PW_i from U_i's smart card, he/she cannot compute any secret data h(K)or x_s for attacks. Therefore, the proposed scheme is secure against stolen smart card attacks or lost smart card problems. In addition, though an attacker extracts, ID_s, H_iD_α, h(·), A_α, B_α, C_α, and X_PW_α from his/her own smart card, he/she cannot compute any secret data h(K) or x_s for attacks. Therefore, the proposed scheme prevents attacks using an attacker's own smart card.

▪

Privileged-insider attacks: The proposed scheme resists privileged-insider attacks because pw_i is transmitted as a digest of some other secret components.

▪

Stolen-verifier attacks: The proposed scheme is secure against stolen-verifier attacks, since does not maintain a verifier table.

▪

Mutual authentication, key agreement, and password change phase: The proposed scheme provides mutual authentication, key agreement between U_i and S_j, and password change phase.

6. Performance Analysis of the Proposed Scheme

Table 3. Computation cost comparison of the proposed scheme.

Phases		Das' Scheme [3]	Khan and Alghathbar's Scheme [4]	Vaidya et al.'s Scheme [12]	The Proposed Scheme
Registration phase	Ui	0	1H	1H	2H + 1X
	GW	3H + 1X	2H + 1X	4H + 3X	6H + 3X
	Sj	0	0	0	0
Login phase	Ui	3H + 1X	3H + 1X	6H + 4X	7H + 5X
	GW	0	0	0	0
	Sj	0	0	0	0
Authentication and key agreement phase	Ui	0	0	1H + 3X	1H + 4X
	GW	4H + 2X	5H + 2X	6H + 6X	8H + 8X
	Sj	1H	2H	2H + 2X	2H + 2X
Password change phase	Ui	-	3H + 2X	8H + 6X	9H + 7X
	GW	-	0	0	0
	Sj	-	0	0	0
Total		11H + 4X	16H + 6X	28H + 24X	35H + 30X

(H: The number of hash operations; X: The number of XOR operations).

shows the computation cost comparison of the proposed scheme. Das' scheme [3], Khan and Alghathbar's scheme [4], Vaidya et al.'s scheme [12], and the proposed scheme use only hash and XOR operations. We compare these schemes in terms of the number of hash and XOR operations. The proposed scheme needs seven hash operations more than Vaidya's et al.'s [12]. Nevertheless, one of our main concerns is the computation cost of a sensor node rather than that of the entire scheme, because sensor nodes are resource-constrained. The computation cost of in the proposed scheme is the same as that of Vaidya et al.'s [12]. This means that the computation cost increase of the entire scheme is negligible considering the enhanced security. Meanwhile, with respect to communication cost, the number of messages transmitted in the proposed scheme is four, which is the same as that of Vaidya et al.'s scheme.

7. Conclusions

We have proposed an improved mutual authentication and key agreement scheme to overcome the security weaknesses of Vaidya et al.'s scheme. The proposed scheme resists user impersonation attacks and gateway node bypassing attacks using secret data stored in an attacker's own smart card or a sensor. In addition, the proposed scheme prevents possible attacks such as replay attacks, parallel session attacks, password guessing attacks, sensor node capture attacks, stolen smart card attacks, lost smart card problems, privileged-insider attacks, and stolen-verifier attacks. The proposed scheme is also efficient in terms of computation and communication cost considering the limited resources of sensors.