Next Article in Journal
Design and Development of a Three-Component Force Sensor for Milling Process Monitoring
Next Article in Special Issue
Bluetooth Low Power Modes Applied to the Data Transportation Network in Home Automation Systems
Previous Article in Journal
Real-Time Telemetry System for Monitoring Motion of Ships Based on Inertial Sensors
Previous Article in Special Issue
Design and Implementation of an Intelligent Windowsill System Using Smart Handheld Device and Fuzzy Microcontroller
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Improving Biometric-Based Authentication Schemes with Smart Card Revocation/Reissue for Wireless Sensor Networks

1
Department of Electrical and Computer Engineering, Sungkyunkwan University, 2066 Seobu-ro, Jangan-gu, Suwon-si, Gyeonggi-do 16419, Korea
2
Department of Cyber Security, Howon University, 64 Howondae 3-gil, Impi-myeon, Gunsan-si, Jeonrabuk-do 54058, Korea
3
Department of Computer Engineering, Sungkyunkwan University, 2066 Seobu-ro, Jangan-gu, Suwon-si, Gyeonggi-do 16419, Korea
*
Author to whom correspondence should be addressed.
Sensors 2017, 17(5), 940; https://doi.org/10.3390/s17050940
Submission received: 8 March 2017 / Revised: 30 March 2017 / Accepted: 4 April 2017 / Published: 25 April 2017
(This article belongs to the Special Issue Sensors for Home Automation and Security)

Abstract

:
User authentication in wireless sensor networks is more difficult than in traditional networks owing to sensor network characteristics such as unreliable communication, limited resources, and unattended operation. For these reasons, various authentication schemes have been proposed to provide secure and efficient communication. In 2016, Park et al. proposed a secure biometric-based authentication scheme with smart card revocation/reissue for wireless sensor networks. However, we found that their scheme was still insecure against impersonation attack, and had a problem in the smart card revocation/reissue phase. In this paper, we show how an adversary can impersonate a legitimate user or sensor node, illegal smart card revocation/reissue and prove that Park et al.’s scheme fails to provide revocation/reissue. In addition, we propose an enhanced scheme that provides efficiency, as well as anonymity and security. Finally, we provide security and performance analysis between previous schemes and the proposed scheme, and provide formal analysis based on the random oracle model. The results prove that the proposed scheme can solve the weaknesses of impersonation attack and other security flaws in the security analysis section. Furthermore, performance analysis shows that the computational cost is lower than the previous scheme.

1. Introduction

Wireless Sensor Networks (WSNs) generally consist of gateways, users, and a large number of sensor nodes. The sensor node is tiny and can be easily deployed in various kinds of severe environments. However, each sensor node has limited resources, is lacking in memory, has low computational capabilities and short radio transmission range [1]. Data collected from sensor nodes in WSNs sometimes include valuable and classified information such as the environmental surrounding the wartime, a patient’s personal information, monitoring information of museums, and the power company’s voltage variation monitoring data. To ensure the confidentiality and reliability of deployed WSNs, only registered and legitimate users should be able to access them. In addition, establishing secure protocol actively requires a mutual authentication between the user and the sensor node. For these reasons, secure user authentication is one of the major issues in WSNs.
To support message confidentiality and secure authentication for sensor networks, various authentication schemes for WSNs have been proposed. However, a problem that occurs with respect to password-based authentication schemes is that a server must maintain a password table to legitimately verify a login user. Therefore, the server requires additional memory space to store the password table. For this reason, many researchers have proposed a new type of remote user authentication scheme whereby personal biological characteristics are used, such as a fingerprint or an iris. The main advantage biometrics is uniqueness. A smart card can be used as a tool to store biometric information. Since the smart card has its own calculation function, it can operate at more than one level. In 2004, Watro et al. [2] proposed a user authentication scheme using the RSA and DH algorithms for WSNs. After that, Wong et al. [3] proposed a hash-based dynamic user authentication scheme in 2006. However, Tseng et al. [4] found that Wong et al.’s authentication scheme was vulnerable to replay, stolen verifiers, and forgery attacks. In 2009, Das [5] proposed and claimed that his scheme can resist various real-time attacks. Unfortunately, He et al. [6] found that Das’s scheme was vulnerable to insider and impersonation attacks, and proposed an improved two factor scheme to solve these security problems. In the same year, Khan and Alghathbar [7] demonstrated that Das’s scheme did not provide mutual authentication, and was vulnerable to gateway bypassing and privileged insider attacks, and Chen et al. [8] also found that Das’s scheme did not provide mutual authentication between the gateway and the sensor, proposed a robust mutual authentication scheme for WSNs, and claimed that their scheme provides greater security than Das’s scheme. In 2010, Yuan et al. [9] proposed a biometric-based user authentication scheme. However, Yoon et al. demonstrated that Yuan et al.’s scheme was vulnerable to insiders, user impersonation, gateway node impersonation and sensor node impersonation attacks. To solve these problems, Yoon et al. [10] proposed an improved user authentication scheme. Unfortunately, He et al. [11] found that Yoon et al.’s scheme was still vulnerable to denial of service (DoS) and sensor impersonation attacks, and then proposed an improved scheme to overcome these security problems.
In 2013, Yoon and Kim [12] pointed out that He et al.’s scheme had various security vulnerabilities such as poor repairability, and was vulnerable to user and sensor node impersonation attacks. They then proposed an advanced biometrics-based user authentication scheme for WSNs. They claimed that their scheme was more effective and had stronger security than other related schemes. However, Choi et al. [13] found that Yoon and Kim’s scheme [12] had various security problems, including a biometric recognition error, a user verification problem, lack of anonymity, perfect forward secrecy, session key exposure by the gateway node, vulnerability to DoS attacks, and a revocation problem. To overcome these vulnerabilities, they proposed a biometric-based user authentication scheme using a fuzzy extractor, and claimed that their scheme is more secure than other authentication schemes. Unfortunately, Park et al. [14] demonstrated that Choi et al.’s scheme [13] was still insecure against user impersonation attacks, and had security weakness in the revocation/reissue phase. They then proposed an enhanced biometric-based authentication scheme for WSNs that has improved security functions. After careful analysis, however, we found that Park et al.’s scheme [14] was still insecure against impersonation attack, and also had a problem in the smart card revocation/reissue phase.
In this paper, we show how an adversary can impersonate a legitimate user or a sensor node, and perform an illegal smart card revocation/reissue. After demonstrating these problems, we propose an improved biometric authentication scheme. Finally, we analyze our proposed scheme for security properties and computational cost. The proposed scheme is more secure and efficient than other related authentication schemes.
The rest of this paper is organized as follows. In Section 2, we briefly introduce the elliptic curve cryptosystem, threat assumptions and fuzzy extractors that we adopt in our scheme. In Section 3 and Section 4, we review and analyze, respectively, Park et al.’s scheme [14]. In Section 5, we propose an improved authentication scheme for WSNs. In Section 6, we present a security analysis of the proposed scheme. Section 7 shows performance analysis comparing our scheme with previous schemes. Our conclusions are presented in Section 8.

2. Preliminaries

In this section, we briefly introduce the elliptic curve cryptosystem, threat assumptions, and fuzzy extractor.

2.1. Elliptic Curve Cryptosystem

The elliptic curve cryptosystem (ECC) was first proposed by Koblitz [15] and Miller [16] to design public key cryptosystems, and presently it is widely used in several cryptographic schemes to provide desired levels of security and performance. An elliptic curve E K defined over a field K of the characteristic ≠ 2 or 3 is the set of solutions ( x , y ) K 2 to the equation:
y 2 = x 3 + a x + b , a , b K , 4 a 3 + 27 b 2 0 .
Cryptosystems based on GF( q ) * can be translated to systems using the group E, where E is an elliptic curve defined over a GF(q). The point multiplications k P = ( P + P + . . . + P , k times) that means k times addition of point P. Given an elliptic curve E defined over a GF(q) and two points P, QE, it finds an integer x such that Q = x P , if such x exists. This problem proved to be more intractable than the typically discrete logarithm problem. The details of the ECC definitions can be found in [15]. There are several computational problems based on ECC which are presented below:
Definition 1.
The elliptic curve discrete logarithm problem ( E C D L P ) is defined as: given two elements Q, R G p , find an integer k [ 1 , n 1 ] such that R = k Q .
Definition 2.
The computational Diffie–Hellman problem ( C D H P ) is defined as: given three elements ( P , a P , b P ) for any a, b [ 1 , n 1 ] , computation of a b P is very hard to the group G p .
Definition 3.
The elliptic curve factorization problem ( E C F P ) is defined as: given two elements P Q G p , where Q = s P + t P and ( s , t ) [ 1 , n 1 ] , then computation of s P and t P is impossible.
Definition 4.
The decisional Diffie–Hellman problem ( D D H P ) is defined as: given four elements ( P a P , b P , c P ) for any ( a , b, c ) [ 1 , n 1 ] , decide whether or not c P = a b P i.e., c = a b m o d p or not.
Definition 5.
The weak Diffie–Hellman problem ( W D H P ) is defined as: for Q G p and some k [ 1 , n 1 ] from the given three elements ( P , Q, k P ) , computation of k Q is very hard.

2.2. Threat Assumptions

We introduce the Dolev–Yao [17] and some threat model [18,19], and consider the risk of side channel attack [20] to construct the threat assumptions, which are described as follows:
  • An adversary A can be either a user, gateway, or sensor node. Any registered user can act as an adversary.
  • An adversary A can eavesdrop every communication in a public channel, thereby capturing any message exchanged between a user and gateway or sensor node.
  • An adversary A has the ability to alter, delete or reroute the captured message.
  • Information can be extracted from the smart card by examining the power consumption of the card.

2.3. Fuzzy Extractor

In this subsection, we describe the basis for a biometric-based fuzzy extractor, which converts biometric information data into a random value. Based on [21,22,23], the fuzzy extractor is given by two procedures ( G e n , R e p ). The mechanism of a fuzzy extractor consists of two procedures ( G e n , R e p ), which is demonstrated as:
  • G e n ( B I O ) R , P ,
  • R e p ( B I O * , P ) = R if B I O * is reasonably close to B I O .
The function G e n is a probabilistic generation procedure, which on biometric input B I O outputs an “extracted” string R { 0 , 1 } l and an auxiliary string P { 0 , 1 } * . R e p is a deterministic reproduction procedure, which recovery of R from the corresponding auxiliary string P, and any vector B I O * close to B I O . The detailed information about fuzzy extractors can be founded in the literature [24].

3. Review of Park et al.’s Authentication Scheme

In this section, we review Park et al.’s authentication scheme [14]. The notations used in the paper are listed in Table 1. The G W generates two master keys, x and y, and provides a long-term secret key h ( S I D j | | y ) to the sensor S j before the scheme is executed. Their scheme involves three parties, i.e., the user U i , the gateway G W and the sensor S j , to communicate with each other to perform the following three phases: registration, login/authentication, and revocation/reissue.

3.1. Registration Phase

In this phase, a user U i chooses an identity I D i , imprints biometric template B i , and then performs the following steps:
  • U i computes R i , P i = G e n ( B i ) and A i = h ( R i ) . U i then sends I D i , A i to the gateway G W .
  • Upon receiving I D i , A i from U i , G W computes the authentication parameters as:
    V i = h ( I D i | | A i ) M i = h ( x | | y | | A i ) N i = M i A i C i = E x ( A i | | u p i ) .
  • G W stores h ( · ) and the authentication parameters; V i , N i , C i , h ( · ) in the smart card S C i . G W then issues S C i to U i through a secure channel.
  • After receiving the smart card from G W , U i stores P i in the smart card.

3.2. Login and Authentication Phase

If a user U i wants to log in to the G W and S j , U i performs the login phase, and then U i , G W and S j verify each other’s authenticities. Finally, U i and S j generate a session key in this phase as follows:
  • U i enters I D i and imprints biometric template B i * . S C i then computes R i * , A i * and V i * using fuzzy extraction, and compares V i * with V i as:
    R i * = R e p ( B i * , P i ) A i * = h ( R i * ) V i * = h ( I D i | | A i * ) v e r i f i e s V i = ? V i * .
  • S C i generates a random number r i and computes X i and M i as:
    X i = r i × P M i = N i A i .
  • U i picks up T i and computes A I D i and W i as:
    A I D i = I D i h ( M i | | T i ) W i = h ( M i | | I D i | | X i | | T i ) .
    U i then sends the login request message M 1 = A I D i , X i , C i , T i , W i to G W .
  • After receiving M 1 , G W retrieves T and verifies T T i T . If this holds, G W computes A i * , M i * , I D i * and W i * , and compares W i * with W i as:
    A i * | | u p i = D x ( C i ) M i * = h ( x | | y | | A i * ) I D i * = A I D i h ( M i * | | T i ) W i * = h ( M i * | | I D i * | | X i * | | T i ) v e r i f i e s W i = ? W i * .
    If this holds, G W verifies the legitimacy of U i .
  • G W picks up T g and computes k g , C g and W g ,
    k g = h ( h ( S I D j | | y ) | | T g ) C g = E k g ( A I D i | | X i ) W g = h ( h ( S I D j | | y ) | | A I D i | | C g | | T g ) .
    G W then sends the authentication message M 2 = A I D i , C g , T g , W g to S j .
  • When receiving M 2 from G W , S j retrieves T , and verifies T T g T . If this holds, S j verifies the validity of W g by comparing it with h ( h ( S I D j | | y ) | | A I D i | | C g | | T g ) to check the legitimacy of G W . After that, S j computes k g * , and decrypts C g using k g * . S j then checks the validity of the received A I D i by comparing A I D i * as:
    k g * = h ( h ( S I D j | | y ) | | T g ) D k g * = A I D i * | | X i * v e r i f i e s A I D i = ? A I D i * .
  • S j generates a random number r s and computes K S U , Y i and a session key s k . S j then picks up T s and computes R M , V s as:
    K S U = r x × X i * Y i = r s × P s k = h ( A I D i | | K S U | | T s ) R M = Response to the query of  U i V s = h ( A I D i | | X i | | Y i | | R M | | T s ) .
    S j hence sends M 3 = R M , Y i , V s , T s to U i .
  • Upon receiving M 3 , U i retrieves T s , and checks the sameness of V s . U i then computes K U S and s k as:
    V s * = h ( A I D i | | X i | | Y i | | R M | | T s ) v e r i f i e s V s * = ? V s K U S = r i × Y i s k = h ( A I D i | | K U S | | T s ) .
    Only the legitimate U i can compute K U S and s k . U i then accepts R M . Finally, U i and S j can communicate securely using the common s k .

3.3. Revocation or Reissue Phase

To make up for smart card loss or long term key disclosure, the smart card should be revoked and reissued in cycles.
  • U i who wants to revoke and reissue a smart card inputs the previous identity I D i and the new identity I D i * to prevent adversaries from registering with the same identity I D i . Then, U i imprints biometric template B i and computes R i = R e p ( B i , P i ) , A i = h ( R i ) and M i = N i A i .
  • U i computes Z i = I D i M i and sends the revocation/reissue request message I D i , I D i * , A i , Z i to G W .
  • G W computes M i * , Z i * and checks the legitimacy of the user as:
    M i * = h ( x | | y | | A i ) Z i * = I D i M i * v e r i f i e s Z i * = ? Z i .
  • If this holds, G W revokes I D i and records it on the revocation look-up table. Then, G W computes new authentication parameters V i , N i and C i as:
    V i = h ( I D i * | | A i ) N i = M i * A i C i = E x ( A i | | u p i * ) .
  • G W stores h ( · ) and the new authentication parameters; V i , N i , C i , h ( · ) in the smart card S C i . G W then reissues S C i to U i through a secure channel.
  • U i stores P i in the smart card.

4. Cryptanalysis of Park et al.’s Authentication Scheme

In this section, we analyze the security problems of Park et al.’s scheme [14]. Park et al. cryptanalyzed a scheme of Choi et al. [13] and improved it to support better security functionality. However, we found that Park et al.’s scheme [14] was still insecure against impersonation attack and had a problem with smart card revocation/reissue. The following attacks are based on the threat assumptions that a malicious adversary A was completely monitored through the communication channel connecting U i , G W and S j in the login and authentication phases, and that the A obtained the information saved in their own smart card [20]. A therefore can eavesdrop, modify, insert, or delete any message transmitted over a public channel. We now reveal the details of these problems.

4.1. User Impersonation Attack

  • Let A be an active adversary who is he/she legal user and owns a smart card to extract information V a , N a , C a , h ( · ) , P a .
  • A then imprints one’s biometric template B a * and computes R a * = R e p ( B a * , P a ) and A a * = h ( R a * ) .
  • A generates a random number r A , and selects any identity I D i . A then computes login request message M 1 as:
    X a = r a × P M a = N a A a * A I D i = I D i h ( M a | | T a ) W a = h ( M a | | I D i | | X a | | T a ) .
    A then sends the login request message M 1 = A I D i , X a , C a , T a , W a to G W .
  • When receiving M 1 , G W retrieves T and verifies T T a T . If this holds, G W computes A a * , M a * , I D i * , W a * and compares W a * with W a as:
    A a * | | u p a = D x ( C a ) M a * = h ( x | | y | | A a * ) I D i * = A I D i h ( M a * | | T a ) W a * = h ( M a * | | I D i * | | X a * | | T a ) v e r i f i e s W a = ? W a * .
    If this holds and I D i does exist in the database, the gateway G W continues to proceed the scheme without detected. Otherwise, A selects another identity nominee and performs the same processes until he/she locates the valid identity.
  • G W picks up T g and computes k g , C g and W g :
    k g = h ( h ( S I D j | | y ) | | T g ) C g = E k g ( A I D i | | X a ) W g = h ( h ( S I D j | | y ) | | A I D i | | C g | | T g ) .
    G W then sends the authentication message M 2 = A I D i , C g , T g , W g to S j .
  • Upon receiving M 2 from G W , S j retrieves T and verifies T T g T . If this holds, S j verifies the validity of W g by comparing it with h ( h ( S I D j | | y ) | | A I D i | | C g | | T g ) to check the legitimacy of G W . After that, S j computes k g * and decrypts C g using k g * . S j then checks the validity of the received A I D i by comparing A I D i * as
    k g * = h ( h ( S I D j | | y ) | | T g ) D k g * = A I D i * | | X a * v e r i f i e s A I D i = ? A I D i * .
  • S j generates a random number r s and computes K S U , Y i and a session key s k . S j then computes R M , V s as:
    K S U = r x × X a * Y i = r s × P s k = h ( A I D i | | K S U | | T s ) R M = Response to the query of  U i V s = h ( A I D i | | X a | | Y i | | R M | | T s ) ,
    where T s is current timestamp. S j then sends M 3 = R M , Y i , V s , T s to A .
  • After receiving M 3 , A retrieves T s , and checks the sameness of V s . Then, A computes K U S and s k as:
    V s * = h ( A I D i | | X a | | Y i | | R M | | T s ) v e r i f i e s V s * = ? V s K U S = r a × Y i s k = h ( A I D i | | K U S | | T s ) .
    Lastly, A and S j “successfully” agree on a session key s k . Unfortunately, the sensor S j mistakenly believes that he/she is communicating with the legitimate user U i .

4.2. Sensor Node Impersonation Attack

Park et al. [14] claimed that if A wants to masquerade as the sensor node S j , A is required to compute h ( S I D j | | y ) . This is because the symmetric key k g = h ( h ( S I D j | | y ) | | T g ) . However, if A obtains the login request message M 1 = A I D i , X i , C i , T i , W i of the legitimate user U i , A then can easily impersonate the sensor node S j .
  • After receiving M 2 from G W , A generates a random number r a and computes K A U , Y a , R M , V a and a session key s k as:
    K A U = r a × X i Y a = r a × P s k = h ( A I D i | | K A U | | T a ) R M = Any response to the query of  U i V a = h ( A I D i | | X i | | Y a | | R M | | T a ) ,
    where T a is current timestamp. A then sends M 3 = R M , Y a , V a , T a to U i .
  • Upon receiving M 3 from A , U i retrieves T a and checks the sameness of V a . Then, U i computes K U A and s k as:
    V a * = h ( A I D i | | X i | | Y a | | R M | | T a ) v e r i f i e s V a * = ? V a K U A = r i × Y a s k = h ( A I D i | | K U A | | T a ) .
    Lastly, U i and A “successfully” agree on a session key s k . Unfortunately, the user U i mistakenly believes that he/she is communicating with the legitimate sensor S j .

4.3. Illegal Smart Card Revocation/Reissue Attack

Park et al. [14] claimed that, although A could get the identity I D i in some way, G W  checks the legitimacy of the user on the requested identity, and A cannot compute M i and the revocation/reissue request message Z i without the biometric information of U i . However, A can modify the revocation/reissue request message. This is because G W cannot distinguish whether or not the user who wishes to revoke I D i is the real user U i .
  • Suppose A owns a smart card to extract information V a , N a , C a , h ( · ) , P a and obtains the identity I D i of the legitimate user U i by using a user impersonation attack.
  • Next, A imprints the personal biometric information B a at the sensor. The sensor hence sketches B a and extracts R a , P a from G e n ( B a ) R a , P a .
  • A computes A a * = h ( R a ) and Z i = I D i N a A a * and sends the revocation/reissue request message I D i , I D i * , A a * , Z i to G W .
  • G W computes M i * , Z i * , and checks the legitimacy of the user as:
    M a * = h ( x | | y | | A a * ) Z i * = I D i M a * v e r i f i e s Z i = ? Z i * .
  • If this holds, G W revokes I D i and records it on the revocation look-up table. Then, G W computes new authentication parameters V i , N i and C i as:
    V i = h ( I D i * | | A a * ) N i = M a * A a * C i = E x ( A a * | | u p i * ) .
  • G W stores the new authentication parameters V i , N i , C i , h ( · ) in the smart card S C i . G W then reissues S C i to A through a secure channel.
  • A stores P a in the smart card.
Adversary A can revoke the smart card of an authenticated user who does not wish the said smart card to be revoked without permission because G W has no proper process for checking the legitimacy of the user on the previous identity I D i .

5. The Proposed Scheme

In this section, we will propose a new biometric-based password authentication scheme using a smart card. In our scheme, there are also three participants, the user U i , the gateway G W and the sensor S j . The G W generates two master keys x and y, and sends a long-term secret key h ( S I D j | | y ) to the sensor S j before the scheme is executed. After that, G W computes x × P where x P is the public key of the gateway. The proposed scheme consists of three phases: registration, login and authentication, and revocation/reissue.

5.1. Registration Phase

In this phase, a user U i chooses an identity I D i , imprints biometric template B i at the sensor, and then performs the following steps:
  • The sensor sketches B i , extracts R i , P i from G e n ( B i ) R i , P i , and stores P i in the memory. U i then sends I D i , A i = h ( R i ) to G W over a secure channel.
  • When receiving the registration request message I D i , A i from U i , the gateway G W computes the authentication parameters as:
    C i = h ( I D i | | x | | y ) M i = h ( C i ) A i N i = x C i y V i = h ( I D i | | A i ) .
  • G W stores the authentication parameters M i , N i , V i , h ( · ) in the smart card S C i . G W hence issues S C i to U i via a secure channel.
  • Lastly, U i stores P i in the smart card.
Figure 1 illustrates the registration phase of the proposed scheme.

5.2. Login and Authentication Phase

In this phase, U i performs the login phase, and hence U i , G W and S j verify each other’s authenticity. Finally, U i and S j generates a common session key in this phase as follows:
  • U i inserts his/her smart card S C i into the card reader, inputs the identity I D i , and imprints the personal biometrics B i * at the sensor.
  • The sensor then sketches B i * and extracts R i from R e p ( B i * , P i ) R i . Then, S C i computes A i * and V i * using fuzzy extraction and compares V i * with V i as:
    R i * = R e p ( B i * , P i ) A i * = h ( R i * ) V i * = h ( I D i | | A i * ) v e r i f i e s V i = ? V i * .
  • S C i generates random numbers r 1 and r 2 and hence computes
    X i = r 1 × P h ( C i ) = M i A i * A I D i = I D i h ( r 2 ) M 1 = r 2 h ( C i ) M 2 = h ( A I D i | | h ( C i ) | | X i | | r 2 | | T i ) M 3 = N i ( r 1 × x P ) ,
    where T i is current timestamp. Then, U i sends the login request message A I D i , X i , M 1 , M 2 , M 3 , T i to G W .
  • Upon receiving a login request message from U i , G W retrieves T and verifies T T i T . If this is true, G W computes C i * , r 2 * , I D i * and M 2 * and compares C i * with h ( I D i * | | x | | y ) and M 2 * with M 2 as:
    C i * = M 3 ( x × X i ) x y r 2 * = M 1 h ( C i * ) I D i * = A I D i h ( r 2 * ) v e r i f i e s C i * = h ( I D i * | | x | | y ) M 2 * = h ( A I D i | | h ( C i * ) | | X i | | r 2 * | | T i ) v e r i f i e s M 2 = ? M 2 * .
    If this holds, G W verifies the legitimacy of U i .
  • G W computes k g , C g and W g ,
    k g = h ( h ( S I D j | | y ) | | T g ) C g = E k g ( A I D i | | r 2 | | X i ) W g = h ( h ( S I D j | | y ) | | A I D i | | C g | | T g ) ,
    where T g is current timestamp. G W then sends the authentication message A I D i , C g , T g , W g to S j .
  • When receiving the authentication message from G W , S j retrieves T and verifies T T g T . If this is true, S j verifies the validity of W g by comparing it with h ( h ( S I D j | | y ) | | A I D i | | C g | | T g ) to check the legitimacy of G W . After that, S j computes k g * , and decrypts C g using k g * . Then, S j checks the validity of the received A I D i by comparing the computed A I D i * as
    k g * = h ( h ( S I D j | | y ) | | T g ) D k g * = A I D i * | | r 2 * | | X i * v e r i f i e s A I D i = ? A I D i * .
  • S j generates a random number r s and computes K S U , Y i , R M , V s and a session key s k as:
    K S U = r s × X i * Y i = r s × P s k = h ( A I D i | | K S U | | T s ) R M = Response to the query of  U i V s = h ( A I D i | | r 2 * | | Y i | | s k | | R M | | T s ) ,
    where T s is current timestamp. S j then sends R M , Y i , V s , T s to U i .
  • After receiving response message R M , Y i , V s , T s from S j , U i computes s k and checks whether V s * is equal to V s :
    K U S = r 1 × Y i s k = h ( A I D i | | K U S | | T s ) V s * = h ( A I D i | | r 2 | | Y i | | s k | | R M | | T s ) v e r i f i e s V s * = ? V s .
    The legitimate user U i can only compute K U S and s k . U i and S j can communicate securely using the common session key s k .
Figure 2 illustrates the login and authentication phase of the proposed scheme.

5.3. Revocation or Reissue Phase

To make up for smart card loss or long term key disclosure, the smart card should be revoked and reissued in cycles.
  • If U i wants to revoke and reissue a smart card, he/she inserts his/her smart card S C i into the card reader, inputs the previous identity I D i and the new identity I D i * to prevent adversaries from registering with the same identity I D i , and then imprints the personal biometrics B i * at the sensor.
  • The sensor then sketches B i * and extracts R i from R e p ( B i * , P i ) R i . Then, S C i computes A i * and V i * using fuzzy extraction,
    R i = R e p ( B i * , P i ) A i = h ( R i ) .
  • U i computes Z i = I D i M i and sends the revocation/reissue request message I D i , I D i * , A i , Z i to G W over a secure channel.
  • G W first checks whether I D i is the same as I D i * or not. If they are different, G W computes M i * , Z i * and checks the legitimacy of the user as:
    C i * = h ( I D i | | x | | y ) Z i * = I D i h ( C i * ) A i v e r i f i e s Z i * = ? Z i .
  • If this is true, G W revokes I D i and records it on the revocation look-up table. Then, G W computes new authentication parameters V i , N i and C i as:
    C i = h ( I D i * | | x | | y ) M i = h ( C i ) A i N i = x C i y V i = h ( I D i * | | A i ) .
  • G W stores h ( · ) and the new authentication parameters M i , N i , V i , h ( · ) in the smart card S C i . G W then reissues S C i to U i through a secure channel.
  • U i stores P i in the smart card.
Figure 3 illustrates the revocation/reissue phase of the proposed scheme.

6. Security Analysis

In this section, we demonstrate that the proposed scheme, which retains the merits of Park et al.’s scheme [14], can withstand several types of possible attacks; and we also show that the scheme supports several security properties. The security analysis of the proposed scheme was conducted with the threat assumptions made in the Preliminaries.

6.1. Formal Security Analysis

In this subsection, we have demonstrated that the proposed scheme is secure through a formal proof using the random oracle model [18,25]. At first, we specify a collision-free one-way hash function as follows.
Definition 6.
The collision-resistance one-way hash function f : { 0 , 1 } * { 0 , 1 } n pick up an input as a binary string x { 0 , 1 } * that has a random length, produces a binary string h ( x ) { 0 , 1 } n , and gratifies the following requirements:
  • Given the y Y , it is not possible to find out computationally about x X such that y = h ( x ) .
  • Given the x X , it is not possible to find out computationally about another x x X , such that h ( x ) = h ( x ) .
  • It is not possible to find out computationally about a pair ( x , x ) X × X , with x x , such that h ( x ) = h ( x ) .
Theorem 1.
According to the assumption that if the collision-free one-way hash function h ( · ) closely acts like an oracle, the proposed scheme is then distinctly secure against an adversary A for the protection of the sensitive information including the identity I D i , nearly random binary string r 2 and master secret key x, y of the gateway node G W .
Proof. 
This random oracle can extract the input value x from the given hash result y = h ( x ) without fail. A now executes the experimental algorithm as shown in Algorithm 1, E X P H A S H , A J H K A S , for the proposed scheme as JHKAS, for example. Let us define the probability of success for E X P H A S H , A J H K A S as S u c c e s s H A S H , A J H K A S = | P r [ E X P H A S H , A J H K A S = 1 ] 1 | , where P r ( · ) means the probability of E X P H A S H , A J H K A S . The advantage function for this algorithm then becomes A d v H A S H , A J H K A S ( t , q R ) = m a x S u c c e s s , where the t is the execution time and q R is the number of queries. Discuss the algorithm as shown in Algorithm 1 for the A . If A has the capability to solve the hash function problem given in Definition 6, then he/she can immediately retrieve the identity I D i , nearly random binary string r 2 and master secret key x, y of the gateway node G W . In that case, the A will detect the complete connections between the U i and the G W ; however, the inversion of the input from a given hash value is not possible computationally, i.e., A d v H A S H , A J H K A S ( t ) ϵ , for all ϵ > 0 . Thus, A d v H A S H , A J H K A S ( t , q R ) ϵ , since A d v H A S H , A J H K A S ( t , q R ) depends on A d v H A S H , A J H K A S ( t ) . In conclusion, there is no way for A to detect the complete connections between the U i and the G W , and the proposed scheme is distinctly secure to an adversary A for retrieving ( I D i , r 2 , x, y). ☐
Algorithm 1 E X P H A S H , A J H K A S
1.  Eavesdrop login request message A I D i , X i , M 1 , M 2 , M 3 , T i during the login phase.
2.  Call the Reveal oracle. Let ( A I D i , h ( C i ) , X i , r 2 , T i ) Reveal( M 2 )
3.  if ( A I D i == A I D i ) then
4.   Accept h ( C i ) , X i , r 2 , T i as the correct of user U i
5.   Call the Reveal oracle. Let ( C i ) Reveal( h ( C i ) )
6.   Call the Reveal oracle. Let ( C i ) Reveal( M 1 r 2 )
7.   if ( C i == C i ) then
8.    Accept the C i as the correct of user U i
9.    Call the Reveal oracle. Let ( I D i , x , y ) Reveal( C i )
10.   Compute I D i = A I D i h ( r 2 )
11.   if ( I D i == I D i ) then
12.    Accept x , y as the correct secret key x, y of gateway node G W
13.    return 1(Success)
14.   else
15.    return 0
16.  else
17.   return 0
18.  end if
19. else
20.  return 0
21. end if

6.2. Simulation for Formal Security Verification Using the AVISPA Tool

In this subsection, we simulate the proposed scheme using the widely accepted AVISPA for the formal security verification. The main purpose of the simulation is to verify whether the proposed scheme is secure to replay and man-in-the middle attacks. The AVISPA tool consists of four back-ends: (i) On-the-fly Model-Checker (OFMC); (ii) Constraint-Logic-based Attack Searcher; (iii) SAT-based Model Checker; and (iv) Tree Automata based on Automatic Approximations for the Analysis of Security Protocols. In the AVISPA, the protocol is implemented in HLPSL [26], which is based on: the basic roles for representing each participant role and composition roles for representing the scenarios of the basic roles. The basic types available in the HLPSL are [27]:
  • agent : The agent denotes a principal name. The intruder always has the special identifier i.
  • symmetric_key : The symmetric_key is the key for a symmetric-key cryptosystem.
  • text : The text values are often used as nonces. They can also be applied for messages.
  • nat : The nat is used for denoting the natural numbers in non-message contexts.
  • const : This type represents constants.
  • hash_func : The base type hash_func represents cryptographic one-way hash functions.
The role of the initiator, the user U i , is provided in Algorithm 2. The U i first receives the start signal and updates its state value from 0 to 1. The state value is maintained by the variable State. In a similar way, the roles of the gateway G W and sensor node S j of the proposed scheme are implemented and shown in Algorithm 3 and 4, respectively. The specifications in HLPSL language for the role of session, goal, and environment are specified in Algorithm 5. The simulation result for the formal security verification of the proposed scheme using CL-AtSe is shown in Algorithm 6. It is clear that the proposed scheme is secure to passive and active attacks including the replay and man-in-the middle attacks.
Algorithm 2 Role specification for user U i
role user (Ui, GW, Sj: agent,
SKug, SKus: symmetric_key,
H, F: function,
SND, RCV: channel (dy))
 
played_by Ui def=
 
local State : nat,
IDi, Ri, P, Ai, Mi, Ni, Vi: text,
AIDi, R1, R2, Xi, Ci, Di, M1, M2, M3, Ti, Rs: text,
RM, Yi, Vs, Ts, Gx, Gy, Kus: text
 
init State := 0
 
transition
 
0. State = 0 ∧ RCV(start) =|>
State’:= 5 ∧ Ai’ := H(Ri)
∧ secret(Ri, scrt0, Ui)
∧ secret(IDi, scrt1, {Ui, GW})
∧ SND({IDi.Ai’}_SKug)
 
5. State = 2 ∧ RCV({Mi’.Ni’.Vi’}_SKug.P’) =|>
State’:= 8 ∧ R1’:=new()
∧ R2’:=new()
∧ Ti’:=new()
∧ Xi’:=F(R1’.P’)
∧ Di’:=xor(Mi’, Ai’)
∧ AIDi’:=xor(IDi, H(R2’))
∧ M1’:=xor(R2’, Di’)
∧ M2’:=H(AIDi’.Di’.Xi’.R2’.Ti’)
∧ M3’:=xor(Ni’, F(R1’.F(Gx’.P)))
∧ secret({Gx’, Gy’}, scrt2, GW)
∧ SND(AIDi’, Xi’, M1’, M2’, M3’, Ti’)
∧ witness(Ui, Sj, ui_sj_r1, R1’)
 
8. State = 8 ∧ RCV({RM’.Yi’.Vs’.Ts’}_SKug.P’) =|>
State’:= 9 ∧ Vs’:=H(AIDi’.Xi’.Yi’.RM’.Ts’)
∧ Kus’:= F(R1’.F(Rs’.P))
∧ SKus’:=H(AIDi’.Kus’.Ts’)
∧ witness(Ui, GW, ui_gw_r2, R2’)
∧ request(Sj, Ui, sj_ui_rs, Rs’)
 
end role
Algorithm 3 Role specification for gateway G W
role gateway (Ui, GW, Sj: agent,
SKug, SKgs, Kg: symmetric_key,
H, F: function,
SND, RCV: channel (dy))
 
played_by GW def=
 
local State : nat,
IDi, R1, R2, Ri, P, Ai, Mi, Ni, Vi, Rs: text,
AIDi, SIDj, Ks, Xi, Ci, Di, M1, M2, M3, Ti: text,
Cg, Tg, Wg, Gx, Gy: text
 
init State := 1
 
transition
 
1. State = 1 ∧ RCV({IDi.Ai’}_SKug) =|>
State’:= 6 ∧ Ci’:= H(IDi.Gx’.Gy’)
∧ P’:=new()
∧ Di’:=H(Ci’)
∧ Mi’:=xor(Di’, H(Ri))
∧ Ni’:=xor(Gx’, Ci’, Gy’)
∧ Vi’:=H(IDi.H(Ri))
∧ secret({Gx’, Gy’}, scrt2, GW)
∧ SND({Mi’.Ni’.Vi’}_SKug.P’)
 
3. State = 3 ∧ RCV({SIDj}_SKgs) =|>
State’:= 6 ∧ Ks’:=H(SIDj.Gy’)
∧ SND({Ks’}_SKgs.P’)
 
6. State = 6 ∧ RCV(AIDi’.Xi’.M1’.M2’.M3’.Ti’) =|>
State’:= 9 ∧ Tg’ = new()
∧ Di’:=H(xor(M3’, F(R1’.F(Gx’.P)), Gx’, Gy’))
∧ R2’:=xor(M1’, Di’)
∧ IDi’:=xor(AIDi’, H(R2’))
∧ Kg’:=H(H(SIDj’.Gy’).Tg’)
∧ Cg’:={AIDi’.R2’.Xi’}_Kg’
∧ Wg’:=H(H(SIDj’.Gy’).AIDi’.Cg’.Tg’)
∧ secret({Gx’, Gy’}, scrt2, GW)
∧ secret(H(SIDj’.Gy’), scrt4, {GW, Sj})
∧ SND(AIDi’.Cg’.Tg’.Wg’)
∧ request(Ui, Sj, ui_sj_r1, R1’)
 
end role
Algorithm 4 Role specification for sensor S j
role sensor (Ui, GW, Sj: agent,
SKgs, Kg, SKus: symmetric_key,
H, F: function,
SND, RCV: channel (dy))
 
played_by Sj def=
 
local State : nat,
IDi, Ri, P, Ai, Mi, Ni, Vi, R1, R2: text,
AIDi, SIDj, Ks, Xi, Ci, M1, M2, M3, Ti: text,
Cg, Tg, Wg: text,
RM, Yi, Vs, Ts, Gx, Gy, Rs, Kus:text
 
init State := 2
 
transition
 
2. State = 2 ∧ RCV(start) =|>
State’:= 4 ∧ SND({SIDj}_SKgs.P’)
 
4. State = 4 ∧ RCV({H(SIDj.Gy’)}_SKgs.P’) =|>
State’:= 7 ∧ secret({Gx’, Gy’}, scrt2, GW)
 
7. State = 7 ∧ RCV(AIDi’.Xi’.M1’.M2’.M3’.Ti’) =|>
State’:= 10∧ Kg’:=H(H(SIDj’.Gy’).Tg’)
∧ Kus’:=F(R1’.F(Rs’.P))
∧ Yi’:=F(Rs’.P)
∧ Ts’:=new()
∧ SKus’:=H(AIDi’.Kus’.Ts’)
∧ RM’:=new()
∧ Vs’:=H(AIDi’.Xi’.Yi’.RM’.Ts’)
∧ SND(RM’, Yi’, Vs’, Ts’)
∧ secret(H(SIDj.Gy’), scrt4, {GW, Sj})
∧ witness(Sj, Ui, sj_ui_rs, Rs’)
∧ request(Ui, Sj, ui_sj_r1, R1’)
 
end role
Algorithm 5 Role specification for session, goal and environment
role session(Ui, GW, Sj: agent, SKug, SKus, SKgs, Kg: symmetric_key, H, F: function) def=
 
local Z1, Z2, Z3, S1, S2, S3: channel (dy)
 
composition
 
user(Ui, GW, Sj, SKug, SKus, H, F, Z1, S1)
∧ gateway(Ui, GW, Sj, SKug, SKgs, Kg, H, F, Z2, S2)
∧ sensor(Ui, GW, Sj, SKgs, Kg, SKus, H, F, Z3, S3)
 
end role
 
role environment() def=
 
const ui, gw, sj : agent,
skug, skgs, skus, kg : symmetric_key,
h, f : function,
aidi, sidj, p, xi : text,
xi, m1, m2, m3, ti : text,
cg, tg, wg : text,
rm, yi, vs, ts : text,
ui_sj_r1, ui_gw_r2, sj_ui_rs : protocol_id,
scrt0, scrt1, scrt2, scrt3, scrt4 : protocol_id
 
intruder_knowledge = {ui, gw, sj, h, f, p, aidi, sidj, xi, m1, m2, m3, ti, cg, tg, wg, rm, yi, vs, ts}
 
composition
 
session(ui, gw, sj, skug, skgs, kg, skus, h, f)
 
end role
 
goal
 
secrecy_of scrt0
secrecy_of scrt1
secrecy_of scrt2
secrecy_of scrt3
secrecy_of scrt4
 
authentication_on ui_sj_r1
authentication_on ui_gw_r2
authentication_on sj_ui_rs
 
end goal
Algorithm 6 Role specification for session, goal and environment
SUMMARY
SAFE
 
DETAILS
BOUNDED_NUMBER_OF_SESSIONS
 
PROTOCOL
/home/span/span/testsuite/results/testrv.if
 
GOAL
As Specified
 
BACKEND
CL-AtSe
 
STATISTICS
 
Analysed : 1 states
Reachable : 0 states
Translations: 0.03 s
Computation: 0.00 s

6.3. Informal Security Analysis

Table 2 compares the security features provided by the proposed scheme with other related schemes.

6.3.1. User Anonymity

Suppose an adversary A intercepts the login request message A I D i , X i , M 1 , M 2 , M 3 , T i of a legitimate user U i . However, I D i cannot be derived from A I D i without the knowledge of a random number r 2 ; furthermore, the r 2 cannot be derived from M 1 without a hash value h ( C i ) = h ( h ( I D i | | x | | y ) ) . The U i and G W can only compute h ( C i ). The proposed scheme therefore provides user anonymity.

6.3.2. Mutual Authentication

The proposed scheme not only guarantees secrecy as the other authentication scheme, but also U i , S j and G W authenticate each other. G W authenticates U i by checking whether M 2 is valid or not because only a legitimate user can compute a valid h ( C i ) using a biometric template. Then, S j authenticates G W by checking W g , which only G W can compute using the shared long-term key h ( S I D j | | y ) and the time stamp T g . Finally, the U i authenticates S j by checking the validity of V s because only U i and S j can compute the session key s k .

6.3.3. Message Confidentiality

Message confidentiality is an important security aspect that provides secrecy by limiting the adversary’s access to the message. Communication messages in the public channel do not affect the disclosure of secret values, such as I D i , r 1 , r 2 , r s and s k . A cannot compute important information from A I D i , X i , M 1 , M 2 , M 3 , C g , W g , Y i and V s . Furthermore, T i , T g , T s and R M are basically public information, so they do not need to be protected.

6.3.4. Perfect Forward Secrecy

The perfect forward secrecy means that if one long-term key is compromised, a session key that is derived from these long-term keys will not be compromised in the future [28]. In our scheme, a session key s k between user U i and sensor S j is calculated as follows:
X i = r 1 × P Y i = r s × P K U S = K S U = r s × X i = r 1 × Y i s k = h ( A I D i | | K U S | | T s ) .
Even if the gateway G W ’s long-term key (x, y) is compromised, adversary A cannot retrieve r 1 and r s to generate the session keys between U i and S j . The session key of our proposed scheme is based on a elliptic curve discrete logarithm problem (ECDLP). An adversary A cannot obtain r 1 × r s × P from r 1 × P and r s × P . Our scheme therefore provides the perfect forward secrecy.

6.3.5. User Impersonation Attack

Suppose A owns a smart card to extract information V a , N a , C a , h ( · ) , P a and intercepts the login request message A I D i , X i , M 1 , M 2 , M 3 , T i of legitimate user U i . A can then try modifying a login request message. Even if A guesses or obtains U i ’s identity I D i , G W verifies whether C i * is equal to h ( I D i * | | x | | y ) . The A cannot compute C i and h ( C i ) , and then fails to impersonate a legitimate user U i . The proposed scheme therefore can resist user impersonation attack.

6.3.6. Gateway or Sensor Node Impersonation Attack

If A wants to masquerade as the gateway node G W or a sensor node S j , the hash value h ( S I D j | | y ) is needed. However, it is computationally difficult to guess h ( S I D j | | y ) or k g correctly. Furthermore, even if A obtains the login request message A I D i , X i , M 1 , M 2 , M 3 , T i , A does not know r 2 . Thus, V s = h ( A I D i | | r 2 | | Y i | | s k | | R M | | T s ) cannot be computed. The proposed scheme therefore can resist gateway or sensor node impersonation attack.

6.3.7. Illegal Smart Card Revocation/Reissue Attack

Even if A obtains the identity I D i of a legitimate user U i , A cannot compute h ( C i ) without the value A i = h ( R i ) . Furthermore, G W checks the legitimacy of the user on the request identity by computing C i * = h ( I D i | | x | | y ) and Z i * = I D i h ( C i * ) A i . Therefore, even if A sends the revocation/reissue request message I D i , I D i * , A a = h ( R a ) , Z a = I D i h ( C a ) A a to G W , A fails to revoke I D i and reissue the smart card with I D i . The proposed scheme therefore can resist an illegal smart card revocation/reissue attack.

6.3.8. Session Key Exposure by GW

The gateway G W can intercept communication messages and obtain both X i = r 1 × P and Y i = r s × P . However, G W cannot derive r 1 and r s and therefore cannot compute the common session key s k . This is because our proposed scheme based on the elliptic curve discrete logarithm problem (ECDLP).

6.3.9. Denial of Service Attack

In the proposed scheme, U i , S j and G W basically check for freshness of timestamp in each authentication step. Each message for verification such as M 2 , W g and V s includes the current timestamp T. Furthermore, each entity checks whether the calculated value is equal to the received value. The proposed scheme can resist denial of service attack.

6.3.10. User Verification Problem

G W checks for the sameness in the identity I D i to verify the status a legitimate user U i by computing C i * = h ( I D i * | | x | | y ) . Furthermore, U i can compute constant values including A i = h ( R i ) as a result of the fuzzy extractor. G W can authenticate a legal user even if the user inputs slightly different biometric information B i * . Our proposed scheme therefore can prevent user verification problems.

6.3.11. Stolen Verifier Attack

In the proposed scheme, G W and S j do not store any identification, password table or user biometrics. G W stores only the master secret key (x, y), and S j stores only h ( S I D j | | y ) . The proposed scheme therefore can resist stolen verifier attacks.

6.3.12. Replay Attack

Even if the adversary A obtains the communication message, and sends them again with the current timestamps T i , T g , and T s , A cannot compute M 2 , W g , V s using the current timestamps. The proposed scheme therefore can resist replay attacks.

7. Performance Analysis

In this section, we compare the computational costs of the proposed scheme with the other related schemes [13,14,29,30]. Table 3 shows a comparison of the computational costs of the proposed scheme with the other related schemes. In the comparisons, XOR operations are not considered because these also can be ignored. Compared to Park et al.’s scheme [14], the proposed scheme performs three further hash operations and two elliptic curve computations. However, we reduce three encryption/decryption operations. Additionally, the proposed scheme provides the revocation and reissue phase, and can resist well-known attacks.

8. Conclusions

The various authentication schemes for WSNs have been proposed. Recently, Park et al. demonstrated the security vulnerabilities of Choi et al.’s scheme and proposed an enhanced authentication scheme. However, in this paper, we have identified vulnerabilities in Park et al.’s scheme in terms of impersonation and revocation/reissue. To overcome these vulnerabilities, we proposed a new biometric-based authentication scheme with improved security. Security and performance analysis shows that our proposed scheme is more secure and efficient than other related schemes.

Acknowledgments

This work was supported by the Institute for Information & Communications Technology Promotion(IITP) grant funded by the Korea government (Ministry of Science, ICT and Future Planning) (No. R0126-15-1111, the Development of Risk-Based Authentication·Access Control Platform and Compliance Technique for Cloud Security).

Author Contributions

J.M., D.L. and Y.L. conceived and designed the experiments; J.M. performed the experiments; J.M. and D.L. analyzed the data; and J.M. and D.W. wrote the paper.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Yick, J.; Mukherjee, B.; Ghosal, D. Wireless sensor network survey. Comput. Netw. 2008, 52, 2292–2330. [Google Scholar] [CrossRef]
  2. Watro, R.; Kong, D.; Cuti, S.; Gardiner, C.; Lynn, C.; Kruus, P. TinyPK: Securing sensor networks with public key technology. In Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks, Washington, DC, USA, 25 October 2004; pp. 59–64. [Google Scholar]
  3. Wong, K.; Zheng, Y.; Cao, J.; Wang, S. A dynamic user authentication scheme for wireless sensor networks. In Proceedings of the IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing, Taichung, Taiwan, 5–7 June 2006; Volume 1, pp. 1–8. [Google Scholar]
  4. Tseng, H.; Jan, R.; Yang, W. An improved dynamic user authentication scheme for wireless sensor networks. In Proceedings of the Global Telecommunications Conference, Washington, DC, USA, 26–30 November 2007; pp. 986–990. [Google Scholar]
  5. Das, M. Two-factor user authentication in wireless sensor networks. IEEE Trans. Wirel. Commun. 2009, 8, 1086–1090. [Google Scholar] [CrossRef]
  6. He, D.; Gao, Y.; Chan, S.; Chen, C.; Bu, J. An enhanced two-factor user authentication scheme in wireless sensor networks. Ad Hoc Sens. Wirel. Netw. 2010, 10, 361–371. [Google Scholar]
  7. Khan, H.; Alghathbar, K. Cryptanalysis and security improvements of ‘two-factor user authentication in wireless sensor networks’. Sensors 2010, 10, 2450–2459. [Google Scholar] [CrossRef] [PubMed]
  8. Chen, T.; Shih, W. A robust mutual authentication protocol for wireless sensor networks. ETRI J. 2010, 32, 704–712. [Google Scholar] [CrossRef]
  9. Yuan, J.; Jiang, C.; Jiang, Z. A biometric-based user authentication for wireless sensor networks. Wuhan Univ. J. Nat. Sci. 2010, 15, 272–276. [Google Scholar] [CrossRef]
  10. Yoon, E.; Yoo, K. A new biometric-based user authentication scheme without using password for wireless sensor networks. In Proceedings of the 20th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative, Paris, France, 27–29 June 2011; pp. 279–284. [Google Scholar]
  11. He, D.; Zhang, Y.; Chen, J. Robust biometric-based user authentication scheme for wireless sensor networks. IACR Cryptol. ePrint Arch. 2012, 2012, 203–217. [Google Scholar]
  12. Yoon, E.; Kim, C. Advanced biometric-based user authentication scheme for wireless sensor networks. Sens. Lett. 2013, 11, 1836–1843. [Google Scholar] [CrossRef]
  13. Choi, Y.; Lee, Y.; Won, D. Security improvement on biometric based authentication scheme for wireless sensor networks using fuzzy extraction. Int. J. Distrib. Sens. Netw. 2016, 2016, 1–16. [Google Scholar] [CrossRef]
  14. Park, Y.; Lee, S.; Kim, C.; Park, Y. Secure biometric-based authentication scheme with smart card revocation/reissue for wireless sensor networks. Int. J. Distrib. Sens. Netw. 2016, 12, 1–11. [Google Scholar] [CrossRef]
  15. Koblitz, N. Elliptic curve cryptosystems. Math. Comput. 1987, 48, 203–209. [Google Scholar] [CrossRef]
  16. Miller, V. Use of elliptic curves in cryptography. Adv. Cryptol. 1985, 218, 417–426. [Google Scholar]
  17. Dolev, D.; Yao, A. On the security of public key protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208. [Google Scholar] [CrossRef]
  18. Moon, J.; Choi, Y.; Jung, J.; Won, D. An improvement of robust biometrics-based authentication and key agreement scheme for multi-server environments using smart cards. PLoS ONE 2015, 10, 1–15. [Google Scholar] [CrossRef] [PubMed]
  19. Choi, Y.; Lee, D.; Kim, J.; Jung, J.; Nam, J.; Won, D. Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography. Sensors 2014, 14, 10081–10106. [Google Scholar] [CrossRef] [PubMed]
  20. Kocher, P.; Jaffe, J.; Jun, B.; Rohatgi, P. Introduction to differential power analysis. J. Cryptogr. Eng. 2011, 1, 1–23. [Google Scholar] [CrossRef]
  21. Das, A. A secure and effective biometric-based user authentication scheme for wireless sensor networks using smart card and fuzzy extractor. Int. J. Commun. Syst. 2015, 2015, 1–25. [Google Scholar] [CrossRef]
  22. Wang, C.; Zhang, X.; Zheng, Z. Cryptanalysis and improvement of a biometric-based multi-server authentication and key agreement scheme. PLoS ONE 2016, 11, 1–25. [Google Scholar] [CrossRef] [PubMed]
  23. Dodis, Y.; Kanukurthi, B.; Katz, J.; Smith, A. Robust fuzzy extractors and authenticated key agreement from close secrets. IEEE Trans. Inf. Theory 2013, 58, 6207–6222. [Google Scholar] [CrossRef]
  24. Dodis, Y.; Reyzin, L.; Smith, A. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, 2–6 May 2004; pp. 523–540. [Google Scholar]
  25. Das, A. A secure and effective user authentication and privacy preserving protocol with smart cards for wireless communication. Netw. Sci. 2013, 2, 12–27. [Google Scholar] [CrossRef]
  26. Von Oheimb, D. The high-level protocol specification language hlpsl developed in the eu project avispa. In Proceedings of the Applied Semantics 2005 Workshop, Frauenchiemsee, Germany, 12–15 September 2005; pp. 1–17. [Google Scholar]
  27. Avispa Tool Documentation. Automated Validation of Internet Security Protocols and Applications. Available online: http://www.avispa-project.org/ (accessed on 28 March 2016).
  28. Zhu, H.; Hao, X. A provable authenticated key agreement protocol with privacy protection using smart card based on chaotic maps. Nonlinear Dyn. 2015, 81, 311–321. [Google Scholar] [CrossRef]
  29. Nam, J.; Kim, M.; Park, J.; Lee, Y.; Won, D. A provably-secure ECC-based authentication scheme for wireless sensor networks. Sensors 2014, 14, 21023–21044. [Google Scholar] [CrossRef] [PubMed]
  30. Park, Y.; Park, Y. Three-factor user authentication and key agreement using elliptic curve cryptosystem in wireless sensor networks. Sensors 2016, 16, 2123. [Google Scholar] [CrossRef] [PubMed]
Figure 1. Registration phase of the proposed scheme.
Figure 1. Registration phase of the proposed scheme.
Sensors 17 00940 g001
Figure 2. Login and authentication phase of the proposed scheme.
Figure 2. Login and authentication phase of the proposed scheme.
Sensors 17 00940 g002
Figure 3. Revocation/reissue phase of proposed scheme.
Figure 3. Revocation/reissue phase of proposed scheme.
Sensors 17 00940 g003
Table 1. Notations used in this paper.
Table 1. Notations used in this paper.
TermDescription
U i user i
A adversary
B i biometric template of U i
E k ( · ) / D k ( · ) encryption or decryption with key k
G W gateway node
G 1 cyclic groups of order q
h ( · ) hash function
h ( S I D j | | y ) long-term secret of S j generated by G W
I D i actual identity of U i
Pgenerator of G 1
r i , r 1 , r 2 random number generated by U i
r s random number generated by S j
S j sensor node j
S C i smart card of user U i
S I D j identity of S j
T i time stamp
u p i i-th update phase
x , y two master keys of G W
R M Response to the query message
concatenation operation
bitwise XOR operation
Table 2. Comparison of security features.
Table 2. Comparison of security features.
FeaturesYoon and KimChoi et al.Park et al.The Proposed
[12][13][14]
Provides user anonymityN/A×
Provides mutual authentication
Provides message confidentiality
Provides perfect forward secrecyN/A
Resists insider attack×
Resists impersonation attack××
Resists illegal smart card revocation/reissue attack×××
Resists biometric recognition error×
Resists session key exposure by gateway×
Resists denial of service attack×
Resists user verification problem×
Resists stolen verifier attack
Resists replay attack
Security factorTwo-factorTwo-factorTwo-factorTwo-factor
◯: scheme provides the property; ×: scheme does not provide the property; N/A: scheme does not consider the property.
Table 3. Comparison of computational costs.
Table 3. Comparison of computational costs.
PhasesChoi et al.Park et al.Nam et al.Park et al.The Proposed
[13][14][29][30]
Registration U i T H + T F T H + T F T H T H + T F T H + T F
G W N 3 T H 2 T H + T E T H + T E + T e 5 T H T e + 3 T H
S j -----
Login and authentication U i 10 T H + T F + T E + 2 T e 6 T H + T F + 2 T e 3 T H + 3 T e + T E + T M 10 T H + T F + 2 T e 6 T H + T F + 3 T e
G W N 10 T H + 2 T E 7 T H + 2 T E T H + 2 T E + T e + 3 T M 11 T H 6 T H + T e + T E
S j 6 T H + T E + 2 T e 4 T H + T E + 2 T e T H + 2 T e + 2 T M 4 T H + 2 T e 4 T H + T E + 2 T e
Revocation and reissue U i T H + T F T H + T F -- T H + T F
G W N 3 T H 2 T H + T E --5 T H
S j -----
Total cost34 T H + 3 T F 23 T H + 3 T F 7 T H + 4 T E 31 T H + 2 T F 26 T H + 3 T F
+ 4 T E + 4 T e + 5 T E + 4 T e + 7 T e + 6 T M + 4 T e + 2 T E + 6 T e
T e : computational time for elliptic curve computation; T E : computational time for encryption/decryption; T F : computational time for fuzzy extraction; T H : computational time for hash function; T M : computational time for massage authentication code.

Share and Cite

MDPI and ACS Style

Moon, J.; Lee, D.; Lee, Y.; Won, D. Improving Biometric-Based Authentication Schemes with Smart Card Revocation/Reissue for Wireless Sensor Networks. Sensors 2017, 17, 940. https://doi.org/10.3390/s17050940

AMA Style

Moon J, Lee D, Lee Y, Won D. Improving Biometric-Based Authentication Schemes with Smart Card Revocation/Reissue for Wireless Sensor Networks. Sensors. 2017; 17(5):940. https://doi.org/10.3390/s17050940

Chicago/Turabian Style

Moon, Jongho, Donghoon Lee, Youngsook Lee, and Dongho Won. 2017. "Improving Biometric-Based Authentication Schemes with Smart Card Revocation/Reissue for Wireless Sensor Networks" Sensors 17, no. 5: 940. https://doi.org/10.3390/s17050940

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop