Session-Dependent Token-Based Payload Enciphering Scheme for Integrity Enhancements in Wireless Networks

Abstract

Wireless networks have continued to evolve to offer connectivity between users and smart devices such as drones and wireless sensor nodes. In this environment, insecure public channels are deployed to link the users to their remote smart devices. Some of the application areas of these smart devices include military surveillance and healthcare monitoring. Since the data collected and transmitted to the users are highly sensitive and private, any leakages can have adverse effects. As such, strong entity authentication should be implemented before any access is granted in these wireless networks. Although numerous protocols have been developed for this purpose, the simultaneous attainment of robust security and privacy at low latencies, execution time and bandwidth remains a mirage. In this paper, a session-dependent token-based payload enciphering scheme for integrity enhancements in wireless networks is presented. This protocol amalgamates fuzzy extraction with extended Chebyshev chaotic maps to boost the integrity of the exchanged payload. The security analysis shows that this scheme offers entity anonymity and backward and forward key secrecy. In addition, it is demonstrated to be robust against secret ephemeral leakage, side-channeling, man-in-the-middle and impersonation attacks, among other security threats. From the performance perspective, the proposed scheme requires the least communication overheads and a relatively low execution time during the authentication process.

1. Introduction

Many wireless network technologies have been developed to facilitate data dissemination and the remote monitoring of physical phenomena. Among these technologies are Wireless Sensor Networks (WSNs), which comprise miniature and low-power devices referred to as sensor nodes [1]. These networks find applications in numerous fields such as in agriculture, disaster relief, military surveillance, transportation, industrial automation, wildlife and safety monitoring. In these environments, WSNs offer infrastructure-free data exchanges over shared network channels devoid of centralized access points [2]. A typical WSN comprises dynamic cooperating nodes that employ multi-hop information transfer [3]. According to [4], WSNs are robust networks that have self-managing and healing capabilities. As explained in [5], a WSN is basically made up of sensors, a gateway node (GWN) and the users. Compared with sensors, GWNs have high computation power, energy and memory [5,6]. Due to their ease of deployment and their self-configuring and self-healing nature, WSNs’ deployments are on the rise in multiple fields [7]. For instance, WSNs can monitor climatic conditions such as carbon dioxide, temperature, acidity, light and soil moisture [8].

Despite all the benefits that accrue from the deployment of WSNs, a number of challenges are encountered in these networks. According to [1], the provision of security during data transmission over public wireless channels is an uphill task. This problem is compounded by the fact that WSNs are typically deployed in untrusted environments [9]. As these sensors collect and transmit sensitive and private information, the privacy of users is at risk if leaked to malicious entities [10]. According to [1], attacks in WSN environments include smart card loss, sensor node capture and password guessing. However, authors in [4] identify Sybil, sinkhole and wormhole attacks as the main challenges. Authors in [11] have identified the broadcast nature of WSNs as being the source of numerous security attacks and vulnerabilities in these networks. Another challenge is that sensors in these networks are limited in terms of energy, memory, communication capabilities and processing power. As such, conventional encryption algorithms based on techniques such as Diffie and Hellman (DH) and Rivest–Shamir–Adleman (RSA) are unsuitable in WSNs due to the high overheads incurred during encryption or decryption [1,12].

It is evident that proper user authentication is required in WSN environments to offer security and privacy protection. Since the sensors are resource-constrained, these authentication schemes need to be lightweight. To offer enhanced privacy and thwart any privileged insider attacks, anonymity, untraceability and authorization must be assured during the authentication and data access process. After authentication, the users and the WSN entities must establish a session key to encipher the exchanged packets [1,13]. The specific contributions of this paper include the following:

• Fuzzy extraction is amalgamated with extended Chebyshev chaotic maps to generate authentication tokens that are shown to be session-specific for integrity enhancement.
• Symmetric encryption is deployed to generate temporary keys that are utilized during the authentication and key agreement phase to protect against backward and forward key secrecy compromise attacks.
• The mobile terminal and the gateway node negotiate a session key to encipher the payload exchanged over the public wireless channels.
• Extensive security analysis is carried out and shows that the proposed scheme offers strong mutual authentication and anonymity. In addition, our scheme is shown to be resilient against impersonation, side-channel, man-in-the-middle (MITM), secret ephemeral leakage and packet replay attacks.
• Performance evaluation is executed to show that the proposed scheme offers the best security features at relatively low execution time and communication costs.

The rest of this article is organized as follows: Section 2 presents related work regarding wireless network authentication and key agreement while Section 3 details the system model of the proposed scheme. On the other hand, Section 4 presents the comparative and evaluation results, while Section 5 concludes the paper.

2. Related Work

Numerous security and privacy-preserving techniques have been presented in the literature. However, most of these schemes still have security and privacy issues or have high overheads that render them unsuitable for WSN sensors. For instance, the remote user authentication protocol in [14] is susceptible to denial of service (DoS), off-line password guessing, sensor node capture and user impersonation attacks [15,16]. Similarly, the WSN security schemes in [17,18] cannot withstand off-line guessing attacks. On the other hand, the three-factor authentication in [19] does not offer sensor node anonymity and is vulnerable to de-synchronization attacks. The Chebyshev-chaotic-maps-based scheme is presented in [20], while cloud-centric authentication protocol is developed in [21]. Unfortunately, the scheme in [20,21] cannot withstand side-channeling attacks through power analysis. The same security challenges are inherent in the chaotic-map-based protocol presented in [22]. As such, the passwords and identities stored in the smart card can be leaked. In addition, the protocol in [21] cannot offer perfect backward and forward key secrecy.

To protect data exchanged over WSNs, authors in [23] have presented a novel authentication scheme. However, as demonstrated by [24], this protocol is vulnerable to both de-synchronization and user forgery attacks. Similarly, the authentication and key agreement protocol introduced in [25] has security flaws [26,27]. Other sets of authentication protocols are based on three factors such as smart cards (SC), passwords and biometrics. In this regard, authors in [28,29,30] have introduced three-factor authentication (3FA) for enhancing security in wireless networks. However, the protocol in [30] cannot withstand user forgery and off-line password guessing attacks [31]. On the other hand, the schemes in [28,29] fail to offer both strong forward key security and offer anonymity [31]. To address these issues, an improved lightweight 3FA protocol is developed in [32]. Unfortunately, this scheme is still vulnerable to both user tracking and off-line guessing attacks [33]. Another 3FA protocol based on bio-hashing is introduced in [15]. However, this approach cannot uphold user anonymity and is vulnerable to both privileged insider and sensor node capture attacks [28]. To address the security challenges in 3FA schemes, other protocols based on techniques such as elliptic curve cryptography (ECC), exclusive-or (XOR), hash functions and biometric and machine learning, have been introduced. For instance, an ECC-based authentication protocol is presented in [34]. However, this protocol is not resilient against ephemeral secret leakage (ESL) attacks.

Apart from security and privacy issues, most of the conventional WSN authentication techniques have high false positives, long latencies or very high communication and computation costs. For instance, the scheme developed in [35] for malicious behavior detection in WSNs generates excessive false positives. On the other hand, the schemes in [36,37] enhance security but at the expense of increased latencies. On their part, the machine-learning-based protocols in [38,39,40,41] improve anomaly detection in networks. However, these schemes have high computational overheads and hence are not suitable for WSN sensors. On the other hand, the scheme developed in [42] upholds confidentiality, non-repudiation, authentication and integrity. Unfortunately, this protocol deploys bilinear pairing operations, which makes it computationally expensive [1,43] and hence not ideal for WSN environment. On their part, authors in [44] have developed a dynamic key management and authentication protocol based on bilinear pairing operations. Although this approach boosts security in hierarchical sensor networks, the deployed pairing operations inadvertently increase its computational complexity [45].

It is clear from the discussions above that the attainment of robust security and privacy at low computation, latency and communication costs is still an open challenge. In this paper, we leverage fuzzy extraction and extended Chebyshev chaotic maps to develop a scheme that is demonstrated to achieve robust security at the lowest communication costs and relatively lower computation overheads.

3. System Model

In this section, the mathematical primitives of the proposed scheme are discussed followed by the step-by-step discussion of the proposed scheme.

3.1. Mathematical Primitives

As already alluded to above, fuzzy extraction and extended Chebyshev chaotic maps are among the main building blocks of the proposed scheme. The mathematical formulations of these two concepts are elaborated upon in the sub-sections below.

3.1.1. Fuzzy Extraction

In biometric-based authentication systems, a fuzzy extractor is commonly deployed. This extractor has two functions, which include Gen and Rep. Given biometric information βio, the operations of these two functions are as follows:

• (x₁, y₁) = Gen (β_io) implies that on receiving biometric β_io, function Gen(.) generates random string x₁ and auxiliary string y₁.
• x₁ = Rep(β_io^*, y₁) implies that on receiving a noise biometrics β_io^* that is fairly similar to β_io and auxiliary string y₁ of β_io, function Rep(.) reproduces random string x₁.

3.1.2. Chaotic Maps

The proposed scheme is hinged on an extended Chebyshev polynomial (ECP), from which two computationally complex problems are derived. This ECP is based on the extended Chebyshev chaotic map. The two problems derived from ECP include the chaotic-maps-based Diffie–Hellman problem (CMDHP) and chaotic-maps-based discrete logarithm problem (CMDLP). Taking ń as a large prime number and λ1 and λ2 as positive integers, the ECP is defined as follows:

Definition 1.

C_r(χ) = 2χ C_r−1 (χ) – C_r-2 (χ) mod ń, r ≥ 2.

Definition 2.

C₀(χ) =1, χ$\in$(−∞,+∞).

Definition 3.

C₁(χ) = χ mod ń, χ$\in$(−∞,+∞).

On the other hand, the ECP satisfies the following condition:

$$C_{{\lambda }_{\mathrm{1}}}(C_{{\lambda }_{\mathrm{2}}}(\chi ))=C_{{\lambda }_{\mathrm{2}}}(C_{{\lambda }_{\mathrm{1}}}(\chi ))\mathit{\text{mod ń}}$$

During the security analysis of the authentication protocols, the ECP’s CMDHP and CMDLP form the theoretical basis for guaranteeing the security of these protocols. These ECP problems are defined as follows:

• CMDHP: Given χ, $C_{{\lambda }_1}$(χ) mod ń and $C_{{\lambda }_2}$(χ) mod ń, it is infeasible to derive $C_{{\lambda }_1}$($C_{{\lambda }_2}(\chi$)) mod ń or $C_{{\lambda }_2}(C_{{\lambda }_1}\chi$)) using any polynomial time-bounded algorithm.
• CMDLP: Given χ and $C_{{\lambda }_1}$(χ) mod ń, it is infeasible to compute integer λ₁ using any polynomial time-bounded algorithm.

3.2. Proposed Scheme

Wireless networks make it possible for users to interact with their smart devices in order to access and process data collected from sensors. To accomplish this, mobile terminals such as smart-phones are deployed. As such, in the proposed scheme, the mobile terminal (MT), sensor node (SN), gateway node (GWN) and the trusted authority (TA) are the main components, as shown in Figure 1. The communication between the sensor nodes and their gateway nodes is assumed to be secure. In addition, during the registration phase, the communication between the gateway node and the trusted authority is assumed to be through secure transmission channels. Similarly, the communication between the mobile terminal and the trusted authority during the registration phase is thought to be through secure channels.

In this architecture, the SN perceives the physical environment and forwards the collected data to the GWN for onward transmission to the remote user. On the other hand, the TA executes the registration of all GWNs and MTs before the commencement of data exchanges.

Table 1. Deployed symbols.

Symbol	Description
ΩTA	TA’s private key
ƤTA	TA’s public key
IDOP	Operator identity
SCOP	Operator secret code
βOP	Operator biometrics
Ȓi	Random nonce
IDG	GWN identity
SCG	GWN secret code
ΩG	GWN private key
Ψ	GWN temporary key
EQ	Encryption using Q
DQ	Decryption using Q
ɸ	Session key shared between MT and GWN
h(.)	Hashing operation
||	Concatenation operation
⊕	XOR operation

presents the symbols used in this paper.

The proposed scheme executes in five main phases, which include system initialization, device registration, authentication, key agreement and data exchange. The description of these phases is presented in the sub-sections below.

3.2.1. System Initialization and Registration Phase

In this phase, the trusted authority (TA) initializes the system parameters, after which both the operator’s MT and the GWN are registered at the TA. To accomplish MT registration, the operator identity, biometrics and password are input to this terminal. Afterwards, the MT submits its pseudonym P_SN to the TA through some secure channels. The TA then validates the supplied P_SN before storing the MT’s security parameters in its database. The specific steps during initialization and registration are detailed below.

Step 1: The TA chooses a large prime number ń and random nonce Ȓ₁ as Chebyshev chaotic map parameters. Next, the trusted authority TA generates nonce ΩTA as its private key before computing its public key Ƥ_TA = $C_{{\mathsf{\Omega }}_{\mathrm{TA}}}$(Ȓ₁) mod ń, where ń is a large prime number. Taking m as the privacy message length, the TA selects two one-way hashing functions h₁: {0,1}* → {0,1}^m and h₂: {0,1}* → $Z_{\text{ń}}^{*}$ before publishing parameter set {ń, Ȓ₁, Ƥ_TA, h₁, h₂}.

Step 2: The operator inputs identity ID_OP and secret code SC_OP to the mobile terminal MT before imprinting biometrics β_OP on the MT sensor. Thereafter, the MT chooses nonce Ȓ₂$\in Z_{\text{ń}}^{*}$ as its secret key before deriving security parameters MT_S1 = $C_{{\mathrm{Ȓ}}_2}$(Ȓ₁) mod ń, MT_S2 = $C_{{\mathrm{Ȓ}}_2}$(Ƥ_TA) mod ń, A₁ = ID_OP⊕P_SN and MT_S3 = h₁(MT_S2)⊕A₁. The MT then sends registration request MReg_Req to the TA accompanied by security parameters set {MT_S3, MT_S1}.

Step 3: After receiving the MT’s registration request, the TA derives security parameters MT_S2^* = $C_{{\mathsf{\Omega }}_{\mathrm{TA}}}$(MT_S1) mod ń and A₁^* = h₁(MT_S2^*)⊕MT_S3. It then extracts the operator inputs identity ID_OP^* and P_SN^* from A₁ before validating pseudonym P_SN^* by confirming whether P_SN^* ≟ P_SN. Upon successful validation, the TA appends security set {ID_OP^*, MT_S2} to its database. Finally, it transmits a registration successful TReg_SU message to the MT, as shown in Figure 2.

Step 4: On receiving TReg_SU from the TA, the MT generates nonce Ȓ₃$\in Z_{\text{ń}}^{*}$ followed by the computation of (x₁, y₁) = Gen (β_OP), A₂ = h₂(SC_OP, x₁, Ȓ₃), A₃ = A₂⊕Ȓ₂, A₄ = Ȓ₃⊕h₂(ID_OP, SC_OP, x₁) and A₅ = h₂(ID_OP, A₂). Thereafter, it stores {A₄, A₅, A₃, y₁} to its memory.

Step 5: During GWN registration, it generates identity ID_G, secret code SC_G and nonce Ω_G as its private key. It then chooses nonce Ȓ₄$\in Z_{\text{ń}}^{*}$ before computing B₁ = $C_{{\mathrm{Ȓ}}_4}$(Ȓ₁) mod ń, B₂ = $C_{{\mathrm{Ȓ}}_4}$(Ƥ_TA) mod ń, B₃ = (ID_G||P_SN) and B₄ = h₁(B₂)⊕B₃. Finally, the GWN sends registration request GReg_Req to the TA together with parameter set {B₁, B₄}.

Step 6: On receiving GReg_Req from the GWN, the TA computes B₂^* = $C_{{\mathsf{\Omega }}_{\mathrm{TA}}}$(B₁) mod ń and B₃^* = h₁(B₂^*)⊕B₄. Next, it retrieves ID_G^* and P_SN from B₃ before verifying P_SN^* by confirming whether P_SN^* ≟ P_SN. Provided that this validation is successful, the TA stores security parameter set {ID_G^*, B₂^*} in its database. This is followed by the transmission of a registration successful GReg_SU message back to the GWN.

Step 7: After obtaining GReg_SU, the GWN chooses nonce Ȓ₅$\in Z_{\text{ń}}^{*}$ before deriving (x₂, y₂) = (Ω_G||Ȓ₅), B₅ = h₂(SC_G, x₂, Ȓ₅), B₆ = B₅⊕Ȓ₄, B₇ = Ȓ₅⊕h₂(ID_G, SC_G, x₂) and B₈ = h₂(ID_G, B₅). Lastly, the GWN stores security parameter set {y₂, B₆, B₇, B₈} in its memory.

These two phases can be summarized in the pseudo-code below:

BEGIN

1) Choose ń and Ȓ₁.

2) Generate Ω_TA and compute Ƥ_TA.

3) Select h₁ and h₂ and publish {ń, Ȓ₁, Ƥ_TA, h₁, h₂}.

4) Input ID_OP and SC_OP to the MT.

5) Imprint β_OP on the MT sensor.

6) Choose Ȓ₂ and compute MT_S1, MT_S2, A₁ and MT_S3.

7) MT → TA: {MT_S3, MT_S1}

  i) Derive MT_S2^*and A₁^*.

  ii) Extract ID_OP^* and P_SN^* from A₁.

  iii) Validate P_SN^*.

  iv) IF validation is successful, THEN:

     Append {ID_OP^*, MT_S2} to database.

    TA → MT: TReg_SU

   ELSE: terminate session.

8) Generate Ȓ₃ and compute (x₁, y₁), A₂, A₃, A₄ and A_5.

9) Store {A₄, A₅, A₃, y₁} in memory.

10) Generate ID_G, SC_G and Ω_G.

11) Choose Ȓ₄ and compute B₁, B₂, B₃ and B₄.

12) GWN → TA: {B₁, B₄}.

13) Compute B₂^*and B₃^*.

14) Retrieve ID_G^* and P_SN from B₃.

15) Verify PSN*.

16) IF verification is successful, THEN:

17)    Store {ID_G^*, B₂^*} in its database.

18)    TA → GWN: GReg_SU

19) ELSE: terminate session.

20) Choose Ȓ₅ and compute (x₂, y₂), B₅, B₆, B₇ and B₈.

21) Store {y₂, B₆, B₇, B₈} in memory.

END

3.2.2. Mutual Authentication and Key Agreement Phase

During this phase, the operator supplies the valid identity, secret code and biometrics to the MT, after which a valid signature is generated. This signature is then validated by the TA, after which it derives a temporary key for the GWN. Next, the MT and GWN utilize the TA-generated temporary key to authenticate each other, as described in the steps below.

Step 1: The operator inputs identity ID_OP and secret code SC_OP before imprinting β_OP on the MT sensor. The MT then derives x₁ = Rep (β_OP, y₁), Ȓ₃ = A₄⊕h₂(ID_OP, SC_OP, x₁) and A₂ = h₂(SC_OP, x₁, Ȓ₃). It then validates whether A₅ ≟ h₂(ID_OP, A₂). If this validation succeeds, the MT derives Ȓ₂ = A₂⊕A₃. Next, it generates Ȓ₆$\in Z_{\text{ń}}^{*}$, which it uses to compute D₁ = $C_{{\mathrm{Ȓ}}_6}$ (Ȓ₆) mod ń, D₂ = $C_{{\mathrm{Ȓ}}_6}$ (Ƥ_TA) mod ń, D₃ = h₁(D₂)⊕A₁, signature MAC_M = h₂(D₂, A₁), MT_S2^* = $C_{{\mathrm{Ȓ}}_2}$(Ƥ_TA) mod ń and D₄ = MAC_M + h₂(MT_S2, D₁). Lastly, the MT constructs authentication request MAuth_Req and transmits it to the TA together with {D₁, D₄, D₃}.

Step 2: After receiving MAuth_Req, the TA derives D₂^* = $C_{{\mathsf{\Omega }}_{\mathrm{TA}}}$(D₁) mod ń and A₁^* = h₁ (D₂^*)⊕D₃. Then the TA uses ID_OP^* to search for MT_S2 so as to validate the MT through checking whether D₄ − h₂(MT_S2^*, D₁) ≟ h₂(D₂^*, A₁^*). If this validation is successful, the TA computes D₅ = $C_{{\mathrm{Ȓ}}_7}$(Ȓ₁) mod ń, which it deploys to derive a temporary key for the GWN, Ψ = h₂(D₂^*, A₁^*, MT_S2^*, ID_G^*, D₅). It then computes D₆ = ID_OP^*⊕ P_SN^* and MAC_T = h₂(D₁, Ψ, D₆). To obscure both D₆ and Ψ, the TA derives E₁ = h₂(B₂^*, D₁)⊕( Ψ||D₆). Finally, the TA constructs authentication request GAuth_Req, which is sent to the GWN together with parameter set {MAC_T, E₁, D₁}, as shown in Figure 3.

Step 3: Upon receiving GAuthReq, the GWN derives (Ψ^*||D₆^*) = h₂(B₂, D₁)⊕E₁ followed by the confirmation of whether MAC_T ≟ h₂(D₁, Ψ^*, D₆^*). Provided that this verification is successful, the GWN generates nonce Ȓ₇$\in Z_{ń}^{*}$ which it uses to derive E₂ = $C_{{\mathrm{Ȓ}}_7}$(D₁) mod ń, E₃ = $E_{h_2\left({\mathrm{E}}_2\right)}$(A₁^*), MAC_G = h₂(A₁^*, Ψ^*, D₅). Finally, the GWN composes authentication response GAuth_Res, which it transmits directly to the MT together with parameter set {D₅, E₃, MAC_G}.

Step 4: After obtaining GAuth_Res, the MT derives E₂^* = $C_{{\mathrm{Ȓ}}_6}$(D₅) mod ń, A₁^New = $D_{h_2\left(E_2^{*}\right)}$(E₃) and Ψ^New = h₂(D₂, A₁, MT_S2, ID_G^*, D₅). It then checks whether MAC_G ≟ h₂(A₁^New, Ψ^New, D₅). If this verification is successful, the MT derives session key ɸ = h₂(E₂^*, Ψ^New) to be utilized with the GWN for traffic enciphering. Lastly, it derives MAC_New = h₂(ɸ, A₁^New) before sending it to the GWN together with authentication response message MAuth_Res.

Step 5: Once the GWN obtains MAuth_Res, it re-computes the session key ɸ^* = h₂(E₂, Ψ^* ) and confirms whether MAC_New ≟ h₂(ɸ^*, A₁^*). Provided that this verification is successful, the MT and GWN establish a secure channel between them and can now proceed to exchange network traffic. The mutual authentication and key agreement phase can be summarized in the following pseudo-code.

BEGIN

1) Input ID_OP and SC_OP.

2) Imprint β_OP to the MT.

3) Derive x₁, Ȓ₃ and A₂.

4) Validate A₅.

5) IF validation is successful, THEN:

6)   Compute Ȓ₂ and generate Ȓ₆.

7)    Derive D₁, D₂, D₃, MAC_M, MT_S2^* and D₄.

8)      MT → TA: {D₁, D₄, D₃}

9)   Derive D₂^*and A₁^*.

10)  Validate MT.

11) IF verification is successful, THEN:

12)  Compute D₅, Ψ, D₆, MAC_T and E₁.

13)   TA → GWN: {MAC_T, E₁, D₁}

14) ELSE: terminate session

15) Derive (Ψ^*||D₆^*) and validate MAC_T.

16) IF validation is successful, THEN:

17)   Generate Ȓ₇ and derive E₂, E₃ and MAC_G.

18)   GWN → MT: {D₅, E₃, MAC_G}

19) ELSE: terminate session.

20) Derive E₂^*, A₁^New and Ψ^New.

21) Validate MAC_G.

22) IF verification is successful, THEN:

23)  Derive ɸ and MAC_New.

24) MT → GWN: {MAuth_Res}

25) ELSE: terminate session.

26) Re-compute ɸ^* and authenticate MAC_New.

27) IF authentication is successful, THEN:

28)  Initiate packet transfers.

29) ELSE: terminate session.

END

3.2.3. WSN Node–MT Communication Phase

This phase is triggered whenever the operator through the MT wants to access some data from the wireless sensor network nodes. To accomplish this, the operator supplies valid identity ID_OP, secret code SC_OP and biometrics β_OP on the MT sensor. This is followed by the generation of a legitimate signature for the operator, which is then transmitted to the TA for validation. After this, the TA stores some required information in its database. The steps followed during this phase are elaborated upon below.

Step 1: The operator inputs ID_OP and SC_OP to the MT before imprinting β_OP on the MT sensor. This invokes local authentication, in which the MT derives and validates whether A₅ ≟ h₂(ID_OP, A₂), as described in Step 1 of the mutual authentication and key agreement phase. If this local authentication is successful, the MT sends service access request MServ_Req to the GWN.

Step 2: The GWN then derives x₂ = Rep (Ω_G, y₂), Ȓ₅ = B₇⊕h₂(ID_G, SC_G, x₂) and B₅ = h₂(SC_G, x₂, Ȓ₅). It then verifies whether B₈ ≟ h₂(ID_G, B₅). Provided that this validation is successful, the GWN computes Ȓ₄ = B₅⊕B₆. It then employs nonce Ȓ₇ to re-compute D₅ =$C_{{\mathrm{Ȓ}}_7}$(Ȓ₁) mod ń, F₁ = $C_{{\mathrm{Ȓ}}_7}$(Ƥ_TA) mod ń, F₂ = h₁(F₁)⊕A₁, MAC_G = h₂(F₁, A₁), B₂ = $C_{{\mathrm{Ȓ}}_4}$ (Ƥ_TA) mod ń and F₃ = MAC_G + h₂(B₂, D₅). Finally, the GWN sends access request GServ_Req to the WSN node (SN) together with parameter set {D₅, F₂, F₃}.

Step 3: Upon receiving GServ_Req, the SN derives F₁^* = $C_{{\mathsf{\Omega }}_{\mathrm{TA}}}$(D₅) mod ń and A₁^* = h₁(F₁^*)⊕F₂. It then retrieves ID_G^* from its memory and searches for B₂^*. It then checks whether F₃ − h₂(B₂^*, D₅) ≟ h₂(F₁^*, A₁^*). If this verification is successful, the SN temporarily stores parameters {A₁^*, D₅} in its memory for any subsequent verification with this particular GWN. Finally, the SN packages the requested data and enciphers it using ɸ before forwarding it to the GWN, which delivers it to the operator via the MT. This communication phase is summarized in the pseudo-code below.

BEGIN

1) Input ID_OP and SC_OP to the MT.

2) Imprint β_OP on the MT sensor.

3) Derives and validate A₅.

4) IF validation is successful, THEN:

5)     MT → GWN: {MServ_Req}

6)    Derive x₂, Ȓ₅ and B₅.

7) ELSE: terminate session.

8)     Verify B₈.

9) IF verification is successful, THEN:

10)     Compute Ȓ₄, D₅, F₁, F₂, MAC_G, B₂ and F₃.

11)      GWN → SN: {D₅, F₂, F₃}

12)      Derive F₁^*and A₁^*.

13)     Retrieve ID_G^* and search B₂^*.

14) ELSE: terminate session.

15) Validate F₃ - h₂ (B₂^*, D₅).

16) IF validation is successful, THEN:

17)     Temporarily store {A₁^*, D₅} in memory.

18)      Package and encipher requested data using ɸ.

19)   SN → GWN → MT: {Data}

20) ELSE: terminate session.

END

4. Comparative Analysis and Evaluation Results

In this section, the first part presents the security analysis of the proposed scheme. In the second part, the performance evaluation of the proposed scheme is given, together with a comparative evaluation of other related protocols.

4.1. Security Analysis

To show that the proposed scheme offers salient security and privacy features, seven hypotheses are formulated and proved as discussed below.

Hypothesis 1.

The proposed scheme offers both backward and forward key secrecy.

Proof. 

Suppose that an adversary Å has obtained the secret parameters {D₅, E₃, MAC_G} and MAC_New exchanged between the MT and GWN. Here, D₅ = $C_{{\mathrm{Ȓ}}_7}$ (Ȓ₁) mod ń, E₃ = $E_{h_2\left({\mathrm{E}}_2\right)}$(A₁^*), MAC_G = h₂(A₁^*, Ψ^*, D₅) and MAC_New = h₂(ɸ, A₁^New). The aim is to use these security parameters to compute session key ɸ = h₂(E₂^*, Ψ^New), where E₂^* = $C_{{\mathrm{Ȓ}}_6}$(D₅) mod ń and Ψ^New = h₂(D₂, A₁, MT_S2, ID_G^*, D₅). However, without a knowledge of secret parameters ID_G^*, Ȓ₆, D₂, A₁, MT_S2 and Ȓ₇, this session key can never be computed. In addition, an adversary is unable to derive ($C_{{\mathrm{Ȓ}}_7}$(Ȓ₁)) or $C_{{\mathrm{Ȓ}}_7}$((Ȓ₁)) devoid of Ȓ₆ or Ȓ₇. This is because these parameters are never transmitted over the network. □

Hypothesis 2.

Secret ephemeral leakage attacks are effectively thwarted in the proposed scheme.

Proof. 

In the proposed scheme, session key ɸ = h₂(E₂^*, Ψ^New) incorporates secret tokens Ψ and ${\mathrm{C}}_{{\mathrm{Ȓ}}_6}$ (${\mathrm{C}}_{{\mathrm{Ȓ}}_7}$(Ȓ₁)) among other parameters, where Ψ = h₂(D₂^*, A₁^*, MT_S2^*, ID_G^*, D₅). Suppose that all these parameters including Ȓ₆ and Ȓ₇ are compromised. However, the adversary still needs to derive Ψ, which requires knowledge of GWN identity ID_G^*, D₂^*, A₁^* and MT_S2^*. Since all these security parameters are never sent over the communication channels, they cannot be eavesdropped by Å and hence the leakage of ephemerals Ψ, $C_{{\mathrm{Ȓ}}_7}$(Ȓ₁) mod ń, $C_{{\mathrm{Ȓ}}_7}$(D₁) mod ń, Ȓ₆ and Ȓ₇ does not compromise the generated session key. □

Hypothesis 3.

The proposed scheme provides strong mutual authentication.

Proof. 

Upon the input of valid operator identity ID_OP, secret code SC_OP and biometrics β_OP, the MT derives private key Ȓ₂ = A₂⊕A₃, after which it generates signature MAC_M = h₂(D₂, A₁). Thereafter, the TA authenticates the MT by checking this signature. This is achieved through checking whether D₄ – h₂(MT_S2^*, D₁) ≟ h₂(D₂^*, A₁^*). Meanwhile, the TA derives a temporary key for the GWN, Ψ = h₂(D₂^*, A₁^*, MT_S2^*, ID_G^*, D₅). To securely transmit this temporary key to the GWN, the TA derives E₁ = h₂(B₂^*, D₁)⊕(Ψ||D₆). At the GWN, Ψ is deployed to generate signature MAC_G = h₂(A₁^*, Ψ^*, D₅), which is utilized by the MT to authenticate the GWN and TA. This is achieved by checking whether MAC_G ≟ h₂(A₁^New, Ψ^New, D₅). Similarly, the MT generates signature MAC_New = h₂(ɸ, A₁^New), which is employed by the GWN to authenticate the MT. This is executed by checking whether MAC_New ≟ h₂(ɸ^*, A₁^* ). Consequently, strong mutual authentication between the MT and GWN, the MT and TA and the TA and GWN is attained. □

Hypothesis 4.

Side-channeling attacks are prevented in the proposed scheme.

Proof. 

Suppose that an adversary Å manages to capture parameter set {A₄, A₅, B₆, y₁} stored in the MT through power analysis. The goal of Å is to use these security tokens to derive ID_OP, SC_OP and β_OP by performing the following: A₄ = Ȓ₃⊕h₂(ID_OP, SC_OP, x₁), A₂ = h₂(SC_OP, x₁, Ȓ₃) and A₅ = h₂(ID_OP, A₂). It is evident that all these computations require either the operator identity ID_OP, secret code SC_OP or biometric β_OP, which are unavailable in the MT’s memory. Similarly, even if an adversary Å uses power analysis to obtain {B₇, F₁, B₆, y₂} stored in GWN, all operator details cannot be obtained.  □

Hypothesis 5.

The proposed scheme establishes a session key between the GWN and MT.

Proof. 

After mutual authentication, the MT and GWN negotiate key ɸ = h₂(E₂^*, Ψ^New ) based on Ψ^New = h₂(D₂, A₁, MT_S2, ID_G^*, D₅) and ${\mathrm{C}}_{{\mathrm{Ȓ}}_6}$ (${\mathrm{C}}_{{\mathrm{Ȓ}}_7}$(Ȓ₁)). Here, D₅ = $C_{{\mathrm{Ȓ}}_7}$(Ȓ₁) mod ń, D₂ = $C_{{\mathrm{Ȓ}}_6}$(Ƥ_TA) mod ń, A₁ = ID_OP⊕ P_SN and MT_S2 = $C_{{\mathrm{Ȓ}}_2}$(Ƥ_TA) mod ń. To derive $C_{{\mathrm{Ȓ}}_6}$($C_{{\mathrm{Ȓ}}_7}$(Ȓ₁)) from D₁ and D₅ is equivalent solving the chaotic-maps-based Diffie–Hellman problem or chaotic-maps-based discrete logarithm problem. Since this is computationally infeasible, adversary Å is unable to derive the generated session key. □

Hypothesis 6.

The proposed scheme is resilient against packet replay and MITM attacks.

Proof. 

In the proposed scheme, we deploy nonces Ȓ₆ and Ȓ₇ in each session as elaborated upon in Hypothesis 5. Based on Hypothesis 3, the MT, TA and GWN execute strong mutual authentication before commencing packet exchanges. As such, adversary Å is unable to masquerade as the legitimate MT, GWN or TA so as to mount MITM attacks. □

Hypothesis 7.

The proposed scheme upholds MT anonymity.

Proof. 

In the proposed scheme, the MT identity ID_OP is masked in A₁, where A₁ = ID_OP⊕ P_SN. On the other hand, ID_OP is hashed in A_4, A₅ and Ȓ₃, where A₄ = Ȓ₃⊕h₂(ID_OP, SC_OP, x₁), A₅ = h₂(ID_OP, A₂) and Ȓ₃ = A₄⊕h₂(ID_OP, SC_OP, x₁). Since A₁ is never transmitted over the communication channels, adversary Å cannot capture it. On the other hand, the attacker needs to reverse the one-way hashing functions A_4, A₅ and Ȓ₃ to obtain this identity. Since this is computationally infeasible, the anonymity of the operator is upheld. □

4.2. Performance Analysis

In this sub-section, the cryptographic execution time, communication costs and resilience to attacks are used as the main metrics in the appraisal of the proposed scheme.

4.2.1. Execution Time

In this analysis, consideration is given to the cryptographic operations that are executed only during the mutual authentication and key agreement phase. During this phase, the fuzzy extraction T_F, elliptic curve point multiplication T_E, one-way hashing T_H and Chebyshev map T_C operations are executed. Based on the values in [46], T_E = 63.08 ms, T_C = 21.02 ms, T_F = 63.08 ms and T_H = 0.5 ms, as shown in

Table 2. Cryptographic runtimes.

Operation	Symbol	Runtime (ms)
Fuzzy extraction	TF	63.08
EC point multiplication	TE	63.08
Symmetric encryption/decryption	TED	8.70
One-way hashing	TH	0.5
Chebyshev chaotic map	TC	21.02
EC modular exponential	TEE	30
CRT	TCR	11

.

For other related schemes, symmetric encryption and decryption T_ED, the Chinese remainder theorem (CRT) T_CR and elliptic curve modular exponential T_EE operations are required. Based on [46], T_ED = 8.70 ms, the execution time for T_CR = 11 ms and for T_EE = 30 ms. During the mutual authentication and key agreement phase, the 1T_F, 6T_C and 23 T_H operations are executed.

Table 3. Execution time comparison.

Scheme	Operations	Runtime (ms)
Abbasinezhad-Mood et al. [20]	10TC + 1TED + 40TH	238.9
Li et al. [34]	1TF + 6TE + 22TH	452.56
Srinivas et al. [21]	1TEE +1TCR + 37TH	59.5
Wang et al. [22]	1TF + 6TC + 22TH	200.2
Proposed	1TF + 6TC + 23TH	200.7

gives the derivation of the execution times for the proposed scheme as well as other related schemes.

As shown in Table 3, the protocol in [34] has the highest runtime of 452.56 ms followed by the schemes in [20] with a runtime of 238.9 ms. On the other hand, the proposed scheme has the third highest execution time of 200.7 ms, while the protocol in [22] has the second lowest execution time of 200.2 ms. On the other hand, the scheme in [21] has the lowest runtime of only 59.5 ms.

Although the protocol in [21] has excellent execution time, it cannot withstand side-channeling attacks through power analysis and cannot offer both perfect backward and forward key secrecy. In addition, this scheme has extremely high communication costs. On the other hand, the scheme in [22] cannot withstand side-channeling attacks and has very high communication costs. As such, although the proposed scheme has a slightly high execution time, it offers most of the security features required in wireless networks.

4.2.2. Communication Costs

In this analysis, the size of the exchanged messages during mutual authentication and key agreement are taken into consideration. Here, the outputs of nonces, ECC, symmetric encryption and decryption, integer factorization cryptography, hashing, timestamp and Chebyshev chaotic map are 128 bits, 256 bits, 128 bits, 3072 bits, 128 bits, 32 bits and 128 bits, respectively, as shown in

Table 4. Message sizes.

Operation	Size (Bits)
Nonce	128
ECC	256
Symmetric encryption/decryption	128
One-way hashing	128
Chebyshev chaotic map	128
Timestamp	32
Integer factorization cryptography	3072

.

During the mutual authentication and key agreement phase, the following four messages are exchanged: {D₁, D₄, D₃}, {MAC_T, E₁, D₁}, {D₅, E₃, MAC_G} and MAC_New. The sizes of these messages are computed as follows:

MAuth_Req: {D₁ = D₄ = D₃ = 128} = 384 bits

GAuth_Req: {MAC_T = E₁ = D₁ = 128} = 384 bits

GAuth_Res: {D₅ = E₃ = MAC_G = 128} = 384 bits

MAuth_Res: MAC_New = 128 bits

Based on the computations above, the total size of the four exchanged messages is 1280 bits. On the other hand, the schemes in [20,21,22,34] are 2048 bits, 3200 bits, 4448 bits and 1664 bits, respectively.

Table 5. Communication Costs Comparison.

	Abbasinezhad-Mood et al. [20]	Li et al. [34]	Srinivas et al. [21]	Wang et al. [22]	Proposed
M1	768	896	3360	544	384
M2	512	768	544	416	384
M3	512	768	544	416	384
M4	256	768	-	288	128
Total	2048	3200	4448	1664	1280

presents the derivation of these message sizes for the various schemes.

As shown in Table 5, the protocol in [21] has the highest communication costs of 4448 bits, followed by the protocol in [34] with communication costs of 3200 bits. The scheme in [20] has the third highest communication costs of 2048 bits, while the protocol in [22] has the highest communication costs of 1664 bits.

On the other hand, the proposed scheme has the lowest communication costs of 1280 bits. Consequently, the proposed scheme is the most ideal for sensor nodes which are limited in terms of computation, energy, memory and communication capabilities.

4.2.3. Attacks Resilience

To show that the proposed scheme offers resilience against most of the typical attacks in wireless networks, its security and privacy features are compared against those provided by the protocols in [20,21,22,34].

Table 6. Security features comparison.

	Abbasinezhad-Mood et al. [20]	Li et al. [34]	Srinivas et al. [21]	Wang et al. [22]	Proposed
Backward and forward key secrecy	Y	Y	N	Y	Y
Secret ephemeral leakage	Y	N	Y	Y	Y
Mutual authentication	Y	Y	Y	Y	Y
Side channeling	N	Y	N	N	Y
Session key agreement	Y	Y	Y	Y	Y
Packet replay	Y	Y	Y	Y	Y
MITM	Y	Y	Y	Y	Y
Anonymity	Y	Y	Y	Y	Y
	Key Y = Security feature supported N = Security feature not supported

presents this comparison using backward and forward key secrecy, secret ephemeral leakage, mutual authentication, side-channeling, session key agreement, packet replay, MITM and anonymity as key metrics.

Based on the results in Table 6, the scheme in [21] supports the least security and privacy features, followed by the schemes in [20,22,34], which lack one security feature. On the other hand, the proposed scheme offers support for all the security and privacy features. As such, it offers robust integrity protection in wireless networks.

4.2.4. Complexity Level Comparisons

In the performance evaluation of network security protocols, computation and communication complexities are frequently utilized. Here, the computation complexities indicate the duration it takes for various cryptographic operations to be executed. On the other hand, communication complexity denotes the number or length of the messages exchanged in these protocols. In this paper, computation complexity is measured using the execution time, while communication complexity is measured using the communication costs. These complexities are then compared with those obtained in other related schemes developed in [20,21,22,34].

In terms of computation complexity, it has been shown that the proposed scheme incurs the third highest execution time of 200.7 ms. However, the proposed scheme incurs the lowest communication complexity of only 1280 bits. On the other hand, the scheme developed in [34] has the highest computation complexity of 452.56 ms. Similarly, the scheme presented in [21] has the highest communication complexity of 4448 bits. Among the related schemes, the one developed in [22] has the lowest communication complexity of 1664 bits. As such, the proposed protocol offers a 23.08% improvement in the communication complexity.

5. Conclusions

The literature reviewed has pointed to the existence of many security schemes for the protection of the information exchanged over wireless sensor networks. It has been observed that these protocols are based on techniques such as machine learning, bilinear pairing operations, elliptic curve cryptography, chaotic maps, biometrics and smart cards, among other methods. However, it has been shown that long authentication latencies and execution times, as well as high communication overheads, are major performance issues in these protocols. Although these schemes improve some aspects of WSN security and privacy, the majority of them have been shown to be weak against common attacks in typical wireless networks. To address these issues, the developed scheme incorporates biometrics and extended Chebyshev chaotic maps during the authentication and key agreement process. Thus, the proposed scheme has the lowest execution time of 200.7 milliseconds and the highest security aspect compared to the related methods. In detail, the results show that this effectively renders the developed scheme resilient against numerous attacks such as packet replays, side-channeling and entity impersonations. In terms of performance evaluation, the deployed cryptographic operations are relatively lightweight and hence the execution time as well as the communication overheads of the proposed protocol are relatively low. Compared with other related schemes, the proposed protocol offers the best security features at the lowest communication overheads and a relatively low execution time. Future work could push towards decentralization in authentication, access and authorization. This may facilitate distributed and decentralized security provisioning that could enable direct integration into client end-point devices.