*Article* **A Light and Anonymous Three-Factor Authentication Protocol for Wireless Sensor Networks**

**Lianghong Zhu 1,†, Huaikun Xiang 1,† and Kai Zhang 2,\***


† These authors contributed equally to this work.

**Abstract:** Recently, wireless sensor networks (*WSNs*) have been widely used in a variety of fields, and make people's lives more convenient and efficient. However, *WSNs* are usually deployed in a harsh and insecure environment. Furthermore, sensors with limited hardware resources have a low capacity for data processing and communication. For these reasons, research on efficient and secure real-time authentication and key agreement protocols based on the characteristics of *WSNs* has gradually attracted the attention of academics. Although many schemes have been proposed, most of them cannot achieve all known security features with satisfactory performance, among which anonymity, N-Factor security, and forward secrecy are the most vulnerable. In order to solve these shortcomings, we propose a new lightweight and anonymous three-factor authentication scheme based on symmetric cryptographic primitives for *WSNs*. By using the automated security verification tool *ProVerif*, *BAN*-logic verification, and an informal security analysis, we prove that our proposed scheme is secure and realizes all known security features in *WSNs*. Moreover, we show that our proposed scheme is practical and efficient through the comparison of security features and performance.

**Keywords:** authentication and key agreement; symmetric cryptographic primitives; three-factor; security analysis; wireless sensor networks

#### **1. Introduction**

A wireless sensor network (*WSN*) is a distributed and self-organizing sensor network, which is composed of a large number of sensor nodes that can perceive and understand the external world. In *WSNs*, sensor nodes cooperate to sense, collect, and process information in the network coverage area and send it to the gateway node. In recent years, *WSNs* have been widely used in various practical applications in industrial and agricultural fields [1–4], such as temperature monitoring in agriculture, power consumption monitoring in smart grids, and human health monitoring in medical care. In these application environments, many scattered users, various randomly distributed sensor nodes, and one or more relatively powerful gateway nodes form a powerful network system. For example, in the field of health care, the sensors deployed on the patient's body can monitor and obtain the patient's body data, and the medical staff can directly and remotely obtain the patient's current body temperature, blood pressure, pulse times, and other information in real-time through the wireless sensor network, so as to improve the health status of healthy patients. Figure 1 shows the network architecture of *WSNs*.

However, when sensor nodes are active in an unattended or hostile wireless network environment, attackers can easily intercept, delete, and modify transmission messages and launch various attacks [5]. Therefore, the network security and privacy of these sensors become very critical. In order to ensure that only authorized legitimate users can access sensors and protect the communication security of real-time sensing data, it is extremely

**Citation:** Zhu, L.; Xiang, H.; Zhang, K. A Light and Anonymous Three-Factor Authentication Protocol for Wireless Sensor Networks. *Symmetry* **2022**, *14*, 46. https:// doi.org/10.3390/sym14010046

Academic Editors: Alexander Zaslavski, Yi Fang, Long Shi and Pingping Chen

Received: 19 October 2021 Accepted: 27 December 2021 Published: 30 December 2021

**Publisher's Note:** MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

**Copyright:** © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https:// creativecommons.org/licenses/by/ 4.0/).

necessary for users and sensors to authenticate each other directly. Moreover, they also need to be able to establish a session key to ensure the security of future communication. Authentication and key agreement protocols are effective ways to achieve these goals. However, due to the limited resources of sensor nodes, an authentication protocol based on complex asymmetric cryptographic primitives is difficult to apply to wireless sensor networks. Therefore, the balance between security and performance is highly significant for the design of identity authentication protocols in the wireless sensor network environment.

**Figure 1.** Network model of wireless sensor networks.

Lamport proposed the first password-based authentication and key agreement protocol in 1980 [6], and, since then, research on authentication protocols has been a hot topic. In recent years, research on authentication and key agreement protocols in *WSNs* has been conducted [7–18]. In 2006, Wong et al. [19] proposed a lightweight password-based authentication scheme for *WSNs*. However, Das et al. point out that Wong et al.'s scheme cannot resist replay attacks and stolen-verifier attacks [20]. Furthermore, Das et al. put forward an improved scheme. Unfortunately, there are also many security flaws in Das et al.'s scheme [21,22]. Based on Farash et al.'s scheme [23], Amin et al. provided an anonymity three-factor authentication scheme [24] for *WSNs* in 2016. However, Jiang et al. found that the scheme could not resist smart card stolen attacks and known session-specific temporary information attacks [25]. Although many schemes have been proposed, most of them cannot achieve all known security features with satisfactory performance.

In 2019, Shin et al. proposed a lightweight three-factor authentication and key agreement protocol for *WSNs* [26] and claimed that the protocol can achieve all known security features with satisfactory performance. This article analyzes Shin et al.'s scheme. It is found that their scheme is vulnerable to de-synchronization attacks and cannot achieve forward secrecy and three-factor security.

Our crucial contributions are as follows:


The rest of this paper is organized as follows. We introduce the relevant preliminaries in Section 2 and review the scheme of Shin et al. in Section 3. In Section 4, the scheme of Shin et al. is subjected to cryptanalysis and the attack method is given. The new scheme is proposed in Section 5, and the security analysis and performance analysis of the new scheme are carried out in Sections 6 and 7, respectively. Section 8 summarizes the paper.

#### **2. Preliminaries**

#### *2.1. Fuzzy Extractor*

At different times, there may be subtle differences in the biometrics extracted by the same user. The fuzzy extractor can eliminate these subtle differences. In other words, the fuzzy extractor can produce the same output even if the inputs are slightly different. Fuzzy logic is widely used in supply chains and healthcare logistics [27–29]. The fuzzy extractor consists of two parts:


#### *2.2. Adversary Model*

In this paper, we adopt the most rigorous (but practical) adversary model proposed by Wang et al. [30] and Huang et al. [31]. Table 1 shows the capabilities of the adversary, *A*.


**Table 1.** The capabilities of the adversary.

#### *2.3. Notations*

The notations used thereinafter are listed in Table 2.

#### **Table 2.** Notations.



#### **3. Revisiting of Shin et al.'s Scheme**

In 2019, Sooyeon Shin et al. proposed a lightweight anonymous three-factor authentication protocol for micro-sensors in wireless sensor networks [26]. Taking their protocol as an example, we analyze and point out the security defects of such authentication protocols.

Shin et al.'s protocol consists of four phases: the initialization phase, registration phase, authentication phase, and password update phase. The system completes the selection of parameters and encryption algorithm in the initialization phase. The registration phase realizes user registration and the distribution of smart cards. The authentication phase completes the mutual authentication and session key agreement between the user and the sensor. It should be noted that the communication channel in the authentication phase is public and insecure.

The specific process of the agreement is as follows:

#### *3.1. Initialization Phase*

Step 1: The *GWN* selects *KU*, *KS* as master secrets and stores them safely.

Step 2: For sensor *Sj*, the *GWN* chooses *SIDj* as the identity of *Sj* and calculates *XSj* = *h*(*SID <sup>j</sup>* ||*KS*).

Step 3: The sensor *Sj* stores *XSj* secretly.

#### *3.2. User Registration Phase*

Step 1: The user *Ui*. selects his identity *IDi* and password *PWi* and imprints *Bioi*. Then, *Ui* chooses a random number *ui* and calculates *GEN*(*Bio <sup>i</sup>* ) = (*b <sup>i</sup>* , *pairi* ), *HPWi* = *h*(*PW <sup>i</sup>* ||*bi*), and *TIDi* = *h*(*IDi* ||*ui*). Further, *Ui* sends the registration request {*TIDi* , *HPWi*} towards the *GWN* via a private secure channel.

Step 2: The *GWN* receives {*TIDi* , *HPWi*} and freely chooses *PID*<sup>1</sup> *<sup>i</sup>* . as a pseudonym. Then, the *GWN* calculates *HIDi* = *h*(*TIDi* ||*KU*), *Ai* = *h*(*HPW <sup>i</sup>* ||*TIDi*) - *HIDi*, *Bi* = *h*(*HPW <sup>i</sup>* ||*HIDi*), and *<sup>C</sup>*<sup>1</sup> *<sup>i</sup>* = *h*(*TIDi* ||*HIDi*) - *PID*<sup>1</sup> *<sup>i</sup>* . Then, the *GWN* writes {*Ai* , *Bi*, *C*<sup>1</sup> *i* into *SCi*. and stores (*PID*<sup>1</sup> *<sup>i</sup>* , *TIDi*). Finally, the *GWN* transmits *SCi* towards *Ui* via a private, secure channel.

Step 3: *Ui* receives *SCi* and calculates *Di* = *ui h*(*IDi* ||*bi*). Finally, *Ui* write {*Di* , *pairi* } into *SCi*.

The process of the User registration phase is shown in Figure 2.

#### *3.3. Authentication Phase*

Step 1: *Ui* inserts *SCi*, inputs *IDi* and *PWi*, and imprints *Bioi*. *SCi* calculates *bi* = *REP*(*Bio <sup>i</sup>* , *pairi* ), *ui* = *Di h*(*IDi* ||*bi*), *TIDi* = *h*(*IDi* ||*ui*), *HPW*<sup>∗</sup> *<sup>i</sup>* = *h*(*PW <sup>i</sup>* ||*bi*), *HID*∗ *<sup>i</sup>* = *Ai h*(*HPW* ∗ *<sup>i</sup>* ||*TIDi*), and *B*<sup>∗</sup> *<sup>i</sup>* = *h*(*HPW* <sup>∗</sup> *<sup>i</sup>* ||*HID*<sup>∗</sup> *<sup>i</sup>* ) and verifies the equality check for *Bi* ? = *B*<sup>∗</sup> *<sup>i</sup>* . If it does not hold true, *SCi* rejects the login request. Otherwise, *SCi* generates a random number *ri* and the current timestamp *T*1, and calculates *PID*<sup>1</sup> *<sup>i</sup>* = *<sup>C</sup>*<sup>1</sup> *i h*(*TIDi* ||*HID*<sup>∗</sup> *<sup>i</sup>* ), *Ri* = *h*(*TIDi* ||*PID*<sup>1</sup> *<sup>i</sup>* ||*ri*), *Mi* = *ri h*(*TIDi* ||*HID*<sup>∗</sup> *<sup>i</sup>* ||*T*1), and *MUG* = *h*(*TIDi* ||*HID*<sup>∗</sup> *<sup>i</sup>* ||*PID*<sup>1</sup> *<sup>i</sup>* ||*Ri*||*T*1). Finally, *SCi* transmits the login request {*PID*<sup>1</sup> *<sup>i</sup>* , *Mi*, *MUG*, *T*<sup>1</sup> towards the *GWN*.


**Figure 2.** User registration phase of Shin et al.'s scheme.

Step 2: The *GWN* receives {*PID*<sup>1</sup> *<sup>i</sup>* , *Mi*, *MUG*, *T*<sup>1</sup> and checks the validity of *T*1. Then, the *GWN* searches (*PID*<sup>1</sup> *<sup>i</sup>* , *TIDi*) in memory using *PID*<sup>1</sup> *<sup>i</sup>* and calculates *HID*<sup>∗</sup> *<sup>i</sup>* = *h*(*TIDi* ||*KU*), *r*∗ *<sup>i</sup>* = *Mi h*(*TIDi* ||*HID*<sup>∗</sup> *<sup>i</sup>* ||*T*1), *R*<sup>∗</sup> *<sup>i</sup>* = *h*(*TIDi* ||*PID*<sup>1</sup> *<sup>i</sup>* ||*r*<sup>∗</sup> *<sup>i</sup>* ), and *M*<sup>∗</sup> *UG* = *h*(*TIDi* ||*HID*<sup>∗</sup> *i* || *PID*<sup>1</sup> *<sup>i</sup>* ||*R*<sup>∗</sup> *<sup>i</sup>* ||*T*1). Further, the *GWN* checks the equality of *M*<sup>∗</sup> *UG* ? = *MUG*. If it does not hold true, the *GWN* rejects the login request. Otherwise, the *GWN* selects *SIDj*, generates the current timestamp *T*2, and calculates *XSj* = *h*(*SID <sup>j</sup>* ||*KS*), *MG* = *R*<sup>∗</sup> *i h*(*X Sj* ||*T*2), and

*M*GS = *h*(*PID*<sup>1</sup> *<sup>i</sup>* ||*SIDj*||*XSj* ||*R*<sup>∗</sup> *<sup>i</sup>* ||*T*2). Finally, the *GWN* transmits {*PID*<sup>1</sup> *<sup>i</sup>* , *MG*, *M*GS, *T*<sup>2</sup> towards *Sj*.

Step 3: Upon the reception of {*PID*<sup>1</sup> *<sup>i</sup>* , *MG*, *M*GS, *T*<sup>2</sup> from the *GWN*, *Sj* checks whether *T*<sup>2</sup> is a valid timestamp. Then, *Sj* calculates *R*<sup>∗</sup> *<sup>i</sup>* = *MG h*(*X Sj* ||*T*2) and *M*∗ GS <sup>=</sup> *<sup>h</sup>*(*PID*<sup>1</sup> *<sup>i</sup>* ||*SIDj*||*XSj* ||*R*<sup>∗</sup> *<sup>i</sup>* ||*T*2) and verifies the equality check *M*<sup>∗</sup> GS ? = *M*GS. If the verification fails, *Sj* aborts the session. Otherwise, *Sj* generates a random number *rj* and the current timestamp *T*3, and calculates *Rj* = *h*(*SID <sup>j</sup>* ||*rj*), *Mj* = *rj h*(*X Sj* ||*T*3), *SKij* = *h*(*R*<sup>∗</sup> *<sup>i</sup>* ||*Rj*), *M*SG = *h*(*PID*<sup>1</sup> *<sup>i</sup>* ||*SIDj*||*XSj* ||*Rj*||*SKij*||*T*3). Finally, *Sj* sends {*M <sup>j</sup>* , *M*SG, *T*<sup>3</sup> back to the *GWN*.

Step 4: The *GWN* receives {*M <sup>j</sup>* , *M*SG, *T*<sup>3</sup> and checks the validity of *T*3. Then, the *GWN* calculates *r*∗ *<sup>j</sup>* = *Mj h*(*X Sj* ||*T*3), *R*<sup>∗</sup> *<sup>j</sup>* = *h*(*SID <sup>j</sup>* ||*r*<sup>∗</sup> *<sup>j</sup>* ),*SK*<sup>∗</sup> *ij* = *h*(*R*<sup>∗</sup> *<sup>i</sup>* ||*R*<sup>∗</sup> *<sup>j</sup>* ), and *M*∗ SG <sup>=</sup> *<sup>h</sup>*(*PID*<sup>1</sup> *<sup>i</sup>* ||*SIDj*||*XSj* ||*R*<sup>∗</sup> *<sup>j</sup>* ||*SK*<sup>∗</sup> *ij*||*T*3) and verifies the equality check *M*<sup>∗</sup> SG ? = *M*SG. If the verification fails, the *GWN* aborts the session. Otherwise, the *GWN* generates the current timestamp *T*<sup>4</sup> and a new pseudonym *PID*<sup>2</sup> *<sup>i</sup>* , and calculates *C*<sup>2</sup> *<sup>i</sup>* = *h*(*TIDi* ||*HID*<sup>∗</sup> *i* ) - *PID*<sup>2</sup> *i* , *p*2 *<sup>i</sup>* <sup>=</sup> *<sup>C</sup>*<sup>2</sup> *i h*(*HID*∗ *<sup>i</sup>* ||*T*4), *M*- *<sup>G</sup>* = *R*<sup>∗</sup> *j h*(*PID*<sup>1</sup> *<sup>i</sup>* ||*HID*<sup>∗</sup> *<sup>i</sup>* ), and *<sup>M</sup>*GU <sup>=</sup> *<sup>h</sup>*(*PID*<sup>1</sup> *<sup>i</sup>* ||*HID*<sup>∗</sup> *<sup>i</sup>* ||*C*<sup>2</sup> *<sup>i</sup>* ||*R*<sup>∗</sup> *j* || *SK*∗ *ij*||*T*4). Finally, the *GWN* sends {*<sup>p</sup>* <sup>2</sup> *<sup>i</sup>* , *M*- *<sup>G</sup>*, *M*GU, *T*<sup>4</sup> back to *Ui*. and replaces *PID*<sup>1</sup> *<sup>i</sup>* with *PID*<sup>2</sup> *<sup>i</sup>* in memory.

Step 5: *Ui* receives {*<sup>p</sup>* <sup>2</sup> *<sup>i</sup>* , *M*- *<sup>G</sup>*, *M*GU, *T*<sup>4</sup> and checks whether *T*<sup>4</sup> is a valid timestamp. Then, *Ui* calculates *R*<sup>∗</sup> *<sup>j</sup>* = *M*- *G h*(*PID*<sup>1</sup> *<sup>i</sup>* ||*HID*<sup>∗</sup> *<sup>i</sup>* ), *SK*<sup>∗</sup> *ij* = *h*(*Ri* ||*R*<sup>∗</sup> *<sup>j</sup>* ), *<sup>C</sup>*<sup>2</sup> *<sup>i</sup>* = *<sup>p</sup>*<sup>2</sup> *i h*(*HID*∗ *<sup>i</sup>* ||*T*4), and *M*∗ GU <sup>=</sup> *<sup>h</sup>*(*PID*<sup>1</sup> *<sup>i</sup>* ||*HID*<sup>∗</sup> *<sup>i</sup>* ||*C*<sup>2</sup> *<sup>i</sup>* ||*R*<sup>∗</sup> *<sup>j</sup>* ||*SK*<sup>∗</sup> *ij*||*T*4) and checks the equality of *M*<sup>∗</sup> GU ? = *M*GU. If it holds true, *Ui* replaces *C*<sup>1</sup> *<sup>i</sup>* with *<sup>C</sup>*<sup>2</sup> *<sup>i</sup>* in *SCi*.

The process of the authentication phase is shown in Figure 3.

**Figure 3.** Authentication phase of Shin et al.'s scheme.

*3.4. Password Update Phase*

Step 1: *Ui* inserts *SCi* to the reader, inputs *IDi* and *PWi*, and imprints *Bioi*. Step 2: *SCi* calculates *bi* = *REP*(*Bio <sup>i</sup>* , *pairi* ), *ui* = *Di h*(*IDi* ||*bi*), *TIDi* = *h*(*IDi* ||*ui*), *HPW*∗ *<sup>i</sup>* = *h*(*PW <sup>i</sup>* ||*bi*), *HID*<sup>∗</sup> *<sup>i</sup>* = *Ai h*(*HPW* ∗ *<sup>i</sup>* ||*TIDi*), and *B*<sup>∗</sup> *<sup>i</sup>* = *h*(*HPW* <sup>∗</sup> *<sup>i</sup>* ||*HID*<sup>∗</sup> *<sup>i</sup>* ) and verifies the equality check for *Bi* ? = *B*<sup>∗</sup> *<sup>i</sup>* . If it does not hold true, *SCi* rejects the request. Otherwise, *Ui* inputs a new password *PWnew <sup>i</sup>* .

Step 3: *SCi* calculates *HPWnew <sup>i</sup>* <sup>=</sup> *<sup>h</sup>*(*PWnew <sup>i</sup>* ||*bi*), *<sup>A</sup>new <sup>i</sup>* <sup>=</sup> *<sup>h</sup>*(*HPWnew <sup>i</sup>* ||*TIDi*) - *HID*∗ *<sup>i</sup>* , and *Bnew <sup>i</sup>* <sup>=</sup> *<sup>h</sup>*(*HPWnew <sup>i</sup>* ||*HID*<sup>∗</sup> *<sup>i</sup>* ). At last, *SCi* replaces *Ai* and *Bi* with *Anew <sup>i</sup>* and *<sup>B</sup>new <sup>i</sup>* , respectively.

#### **4. Cryptanalysis of Shin et al.'s Scheme**

We show that Shin et al.'s scheme is vulnerable to de-synchronization attacks and can not achieve forward secrecy and three-factor security in this section.

#### *4.1. De-Synchronization Attack*

Suppose that an adversary blocks {*<sup>p</sup>* <sup>2</sup> *<sup>i</sup>* , *M*- *<sup>G</sup>*, *M*GU, *T*<sup>4</sup> , which is sent from the *GWN* to *Ui*. On the side of the *GWN*, the pseudonym of *Ui* is *PID*<sup>2</sup> *<sup>i</sup>* at this point. However, *Ui* is unable to obtain *C*<sup>2</sup> *<sup>i</sup>* without {*<sup>p</sup>* <sup>2</sup> *<sup>i</sup>* , *M*- *<sup>G</sup>*, *M*GU, *T*<sup>4</sup> . Thus, the pseudonyms on the side of *Ui* and the *GWN* become out of synchronization. When *Ui* wants to access a sensor node through the *GWN* in the next session, the *GWN* will reject *Ui*'s login request. Therefore, Shin et al.'s scheme is vulnerable to de-synchronization attacks.

#### *4.2. Forward Secrecy*

Suppose that an adversary occasionally obtains *XSj* , which is the long-term private key of *Sj*. Furthermore, the adversary intercepted {*PID*<sup>1</sup> *<sup>i</sup>* , *MG*, *M*GS, *T*<sup>2</sup> and {*M <sup>j</sup>* , *M*SG, *T*<sup>3</sup> in the previous session of *Ui* and *Sj*. The adversary could obtain the previous session key of *Ui* and *Sj* via following steps.

Step 1: The adversary calculates *R*∗ *<sup>i</sup>* = *MG h*(*X Sj* ||*T*2), *r*<sup>∗</sup> *<sup>j</sup>* = *Mj h*(*X Sj* ||*T*3), and *R*∗ *<sup>j</sup>* = *h*(*SID <sup>j</sup>* ||*r*<sup>∗</sup> *j* ).

Step 2: The adversary obtains the previous session key of *Ui* and *Sj*, *SKij* = *h*(*R*<sup>∗</sup> *<sup>i</sup>* ||*R*<sup>∗</sup> *j* ). Therefore, Shin et al.'s scheme can not achieve forward secrecy.

#### *4.3. Three-Factor Security*

For a three-factor authentication scheme, when two of the authentication factors are captured by an adversary, it is necessary to ensure that the remaining authentication factor is still secure. Suppose that an adversary captures *Ui*'s smart card *SCi* and biometric *Bioi* simultaneously. The adversary is able to obtain the password of *Ui* via the following steps.

Step 1: The adversary extracts {*Ai* , *Bi*, *C*<sup>1</sup> *<sup>i</sup>* , *Di*, *pairi* from *SCi* using side-channel technology and calculates *bi* = *REP*(*Bioi*, *pairi* ).

Step 2: The adversary guesses a candidate identity *ID*∗ *<sup>i</sup>* and a candidate password *PW*∗ *<sup>i</sup>* from *Did* and *Dpw*, where *Did* and *Dpw* are user identity space and password space, respectively.

Step 3: The adversary calculates *u*∗ *<sup>i</sup>* = *Di h*(*ID*∗ *<sup>i</sup>* ||*bi*), *TID*<sup>∗</sup> *<sup>i</sup>* = *h*(*ID*<sup>∗</sup> *<sup>i</sup>* ||*u*<sup>∗</sup> *i* ), *HPW*∗ *<sup>i</sup>* = *h*(*PW* <sup>∗</sup> *<sup>i</sup>* ||*bi*), *HID*<sup>∗</sup> *<sup>i</sup>* = *Ai h*(*HPW* ∗ *<sup>i</sup>* ||*TID*<sup>∗</sup> *<sup>i</sup>* ), and *B*<sup>∗</sup> *<sup>i</sup>* = *h*(*HPW* <sup>∗</sup> *<sup>i</sup>* ||*HID*<sup>∗</sup> *i* ).

Step 4: The adversary checks whether *Bi* ? = *B*<sup>∗</sup> *<sup>i</sup>* holds. If not, the adversary repeats Steps 2–4 until he acquires the true password. Otherwise, the adversary succeeds in obtaining the true password of *Ui*.

The computational overhead of this attack is (5*T <sup>h</sup>* + 2*Txor*) ∗ |*Did*|∗|*Dpw*|, where *Th* is the running time of the one-way hash function, *Txor* is the running time of the *XOR* operation, and *Did* and *Dpw* are the spaces of user identity and password, respectively. According to the literature [20], we know that |*Did*|≤|*Dpw*| ≤ 106. According to the experimental data from the literature [32], *Th* ≈ 0.591μs, *Txor* ≈ 0.006 μs. The adversary can break the password of *Ui* in 35 days. If you use a high-performance cloud computing platform, the password will be cracked within a few hours.

#### **5. The Proposed Scheme**

The proposed protocol includes the following phases: initialization phase, user registration phase, sensor node registration phase, authentication phase, password, and biometric update phase.

The detailed description of the agreement is as follows:

#### *5.1. Initialization Phase*

The gateway node *GWN* creates two information tables in its memory (*UserInfoTable* and *SensorInfoTable*), which is used to store relevant information of users and sensors. Then, the *GWN* freely chooses two master keys, *Ku* and *Ks*, and two secure hash functions, *<sup>h</sup>* : {0, 1}<sup>∗</sup> -{0, 1}<sup>128</sup> and *<sup>H</sup>* : {0, 1}<sup>∗</sup> -{0, 1}256.

#### *5.2. Sensor Registration Phase*

The sensor registration phase is completed by the gateway node *GWN*. The *GWN* selects a unique identity *SIDj* for each sensor node and calculates *XSj* = *h*(*SID <sup>j</sup>* ||*Ks*). Furthermore, *GWN* selects two random integers, *nj* and *c*, defines and sets *Nj* = *NGj* = *c*. Then, the *GWN* inserts the {*SID <sup>j</sup>* , *NGj*, *XSj* , *nj* into *SensorInfoTable* in its memory. Before *Sj* is deployed, the *GWN* stores {*SID <sup>j</sup>* , *Nj*, *XSj* , *nj*} into *Sj*.

#### *5.3. User Registration Phase*

Step 1: *Ui* chooses *IDi* and *PWi* freely, imprints *Bioi*. Then *Ui* calculates *GEN*(*Bio <sup>i</sup>* ) = (*b <sup>i</sup>* , *pairi* ), *HPWi* = *h*(*PW <sup>i</sup>* ||*bi* ), and *TIDi* = *h*(*IDi* ). Finally, *Ui* sends the registration request {*TIDi* , *HPWi*} towards the *GWN* via a private secure channel.

Step 2: The *GWN* receives {*TIDi* , *HPWi*} and checks if *UserInfoTable*() contains the element (*TIDi* , ∗, ∗, ∗, ∗). If yes, the *GWN* rejects the registration request of *Ui*. Otherwise, the *GWN* chooses *a*, *b* randomly, and sets *NCi* = *a*, *PIDi* = *PIDnew <sup>i</sup>* = *<sup>b</sup>*, *PIDold <sup>i</sup>* = *Null*. Then, the *GWN* calculates *HIDi* = *h*(*TIDi* ||*Ku*), *Ai* = *h*(*HPW <sup>i</sup>* ||*TIDi*) - *HIDi*, *Bi* = *h*(*HPW <sup>i</sup>* ||*HIDi*) *mod n*, and *Ci* = *h*(*TIDi* ||*HIDi*) - *PIDi*, where 2<sup>4</sup> ≤ *<sup>n</sup>* ≤ 28 is an integer to determine the size of (*ID*, *PW*), and inserts the element (*PIDnew <sup>i</sup>* , *PIDold <sup>i</sup>* , *TIDi*, *NCi*) into table *UserInfoTable*. Further, the *GWN* writes {*Ai* , *bi*, *Ci*, *NCi*, *h*( · ), *H*( · )} into *SCi*, and transmits *SCi* towards *Ui* via a private secure channel.

Step 3: *Ui* receives *SCi*, and defines and sets *flag* = 0. Finally, *Ui* writes {*pairi* , *flag*, *GEN*(·), *REP*(·)} into *SCi*.

**Figure 4.** User registration phase of the proposed scheme.

#### *5.4. Authentication Phase*

Step 1: *Ui* inserts *SCi*, inputs *IDi* and *PWi*, and imprints *Bioi*. *SCi* calculates *bi* = *REP*(*Bio <sup>i</sup>* , *pairi* ), *TIDi* = *h*(*IDi* ), *HPW*∗ *<sup>i</sup>* = *h*(*PW <sup>i</sup>* ||*bi* ), *HID*∗ *<sup>i</sup>* = *Ai h*(*HPW* ∗ *<sup>i</sup>* ||*TIDi*), and *B*∗ *<sup>i</sup>* = *h*(*HPW* <sup>∗</sup> *<sup>i</sup>* ||*HID*<sup>∗</sup> *<sup>i</sup>* ) *mod n* and verifies the equality check for *B*<sup>∗</sup> *<sup>i</sup>* ? = *Bi*. If it does not hold true, *SCi* rejects the login request. Otherwise, *SCi* checks if *flag* ? = 0 holds. If yes, *SCi* updates *NCi* = *h*(*NCi* ), *flag* = 1. Then, *SCi* generates the current timestamp *T*<sup>1</sup> and a random number *ri*, chooses *SIDj* which he wants to access and calculates *PIDi* = *Ci h*(*TIDi* ||*HID*<sup>∗</sup> *<sup>i</sup>* ), *Ri* = *h*(*TIDi* ||*PIDi*||*NCi*||*ri*), *M*<sup>1</sup> = (*ri* ||*SIDj*) - *H*(*TIDi* || *HID*∗ *<sup>i</sup>* ||*NCi*||*T*1), and *MUG* = *h*(*TIDi* ||*HID*<sup>∗</sup> *<sup>i</sup>* ||*PIDi*||*Ri*||*T*1). Finally, *SCi* transmits the login request {*PIDi* , *M*1, *MUG*, *T*1} towards the *GWN*.

Step 2: The *GWN* receives {*PIDi* , *M*1, *MUG*, *T*1} and checks the validity of *T*1. Then, the *GWN* searches (*PIDnew <sup>i</sup>* , *PIDold <sup>i</sup>* , *TIDi*, *NCi*) in *UserInfoTable* using *PIDi* and operates as below.

Case 1: If there exists an element (*PIDnew <sup>i</sup>* , *PIDold <sup>i</sup>* , *TIDi*, *NCi*) of *UserInfoTable* which satisfies *PIDi* = *PIDnew <sup>i</sup>* , then the *GWN* calculates *NC*- *<sup>i</sup>* = *h*(*NCi* ), *HID*∗ *<sup>i</sup>* = *h*(*TIDi* ||*Ku*), *Ki* = *H*(*TIDi* ||*HID*<sup>∗</sup> *<sup>i</sup>* ||*NC*- *<sup>i</sup>*||*T*1), (*r* <sup>∗</sup> *<sup>i</sup>* ||*SIDj*) = *Ki* - *M*1, *R*∗ *<sup>i</sup>* = *h*(*TIDi* ||*PIDnew <sup>i</sup>* ||*NC*- *i*||*r*<sup>∗</sup> *<sup>i</sup>* ), and *M*∗ *UG* = *h*(*TIDi* ||*HID*<sup>∗</sup> *<sup>i</sup>* ||*PIDnew <sup>i</sup>* ||*R*<sup>∗</sup> *<sup>i</sup>* ||*T*1). The *GWN* verifies the equality check *M*<sup>∗</sup> *UG* ? = *MUG*. If the verification fails, the *GWN* rejects the login request. Otherwise, the *GWN* chooses a new *tPIDnew <sup>i</sup>* randomly, and sets *PIDold <sup>i</sup>* = *PIDnew <sup>i</sup>* , *PIDnew <sup>i</sup>* = *tPIDnew <sup>i</sup>* , *NCi* = *NC*- *i* .

Case 2: If there exists an element (*PIDnew <sup>i</sup>* , *PIDold <sup>i</sup>* , *TIDi*, *NCi*) of *UserInfoTable* which satisfies *PIDi* = *PIDold <sup>i</sup>* , then the *GWN* calculates *HID*<sup>∗</sup> *<sup>i</sup>* = *h*(*TIDi* ||*Ku*), *Ki* = *H*(*TIDi* ||*HID*<sup>∗</sup> *i* ||*NCi*||*T*1), (*r* <sup>∗</sup> *<sup>i</sup>* ||*SIDj*) = *Ki* - *M*1, *R*<sup>∗</sup> *<sup>i</sup>* = *h*(*TIDi* ||*PIDold <sup>i</sup>* ||*NCi*||*r*<sup>∗</sup> *<sup>i</sup>* ), and *M*<sup>∗</sup> *UG* = *h*(*TIDi* ||*HID*<sup>∗</sup> *<sup>i</sup>* ||*PIDold <sup>i</sup>* ||*R*<sup>∗</sup> *<sup>i</sup>* ||*T*1). The *GWN* verifies the equality check *M*<sup>∗</sup> *UG* ? = *MUG*. If the verification fails, the *GWN* rejects the login request. Otherwise, the *GWN* chooses a new *tPIDnew i* randomly, and sets *PIDnew <sup>i</sup>* = *tPIDnew <sup>i</sup>* .

Case 3: If the above two cases do not exist, the *GWN* rejects the login request.

Further, the *GWN* generates the current timestamp *T*2, searches {*SID <sup>j</sup>* , *NGj*, *XSj* , *nj* in *SensorInfoTable* using *SIDj*, and updates *NGj* = *NGj* + *nj*, *XSj* = *h*(*SID <sup>j</sup>* ||*XSj* ). Then, the *GWN* calculates *M*<sup>2</sup> = (*R*<sup>∗</sup> *<sup>i</sup>* ||*PIDold <sup>i</sup>* ) - *H*(*X Sj* ||*T*2) and *<sup>M</sup>*GS <sup>=</sup> *<sup>h</sup>*(*PIDold <sup>i</sup>* ||*SIDj*||*XSj* ||*R*<sup>∗</sup> *<sup>i</sup>* ||*T*2). Finally, the *GWN* transmits {*M*2, *M*GS, *NGj*, *T*<sup>2</sup> towards *Sj*.

Step 3: Upon the reception of {*M*2, *M*GS, *NGj*, *T*<sup>2</sup> from the *GWN*, *Sj* checks whether *T*<sup>2</sup> is a valid timestamp. Then, *Sj* calculates *N*- = *NGj* − *NSj*/*nj* and checks if 1 ≤ *N*- ≤ *N* holds, where *N* is the initial threshold for preserving the computing resources of sensors. If it holds true, *Sj* sets *X*- *Sj* = *XSj* and calculates *<sup>N</sup>* times *X*- *Sj* <sup>=</sup> *<sup>h</sup>*(*<sup>X</sup>* - *Sj* ||*SIDj*). Further, *Sj* calculates (*R*∗ *<sup>i</sup>* ||*PIDold <sup>i</sup>* ) = *M*<sup>2</sup> - *H*(*X* - *Sj* ||*T*2) and *M*<sup>∗</sup> GS <sup>=</sup> *<sup>h</sup>*(*PIDold <sup>i</sup>* ||*SIDj*||*X*- *Sj* ||*R*<sup>∗</sup> *<sup>i</sup>* ||*T*2) and verifies the equality check *M*∗ GS ? = *M*GS. If the verification fails, *Sj* aborts the session. Otherwise, *Sj* generates the current timestamp *T*<sup>3</sup> and a random number *rj* and calculates *Rj* = *h*(*SID <sup>j</sup>* ||*rj*), *M*<sup>3</sup> = (*R <sup>j</sup>* ||*PIDold <sup>i</sup>* ) - *H*(*X* - *Sj* ||*T*3), *SKji* = *h*(*R*<sup>∗</sup> *<sup>i</sup>* ||*Rj*), and *<sup>M</sup>*SG <sup>=</sup> *<sup>h</sup>*(*PIDold i* ||*SIDj*||*X*- *Sj* ||*R*<sup>∗</sup> *<sup>i</sup>* ||*Rj*||*T*3). *Sj* updates *XSj* = *X*- *Sj* , *Nj* = *NGj*. Finally, *Sj* sends {*SIDj*, *M*3, *M*SG, *T*3} back to the *GWN*.

Step 4: The *GWN* receives {*SID <sup>j</sup>* , *M*3, *M*SG, *T*<sup>3</sup> and checks the validity of *T*3. Then, the *GWN* searches {*SID <sup>j</sup>* , *NGj*, *XSj* , *nj* in *SensorInfoTable* using *SIDj* and calculates (*R <sup>j</sup>* ||*PIDold <sup>i</sup>* ) = *M*<sup>3</sup> - *H*(*X Sj* ||*T*3), and *M*<sup>∗</sup> SG <sup>=</sup> *<sup>h</sup>*(*PIDold <sup>i</sup>* ||*SIDj*||*XSj* ||*R*<sup>∗</sup> *<sup>i</sup>* ||*R*<sup>∗</sup> *<sup>j</sup>* ||*T*3). The *GWN* verifies the equality check *M*∗ SG ? = *M*SG. If the verification fails, the *GWN* aborts the session. Otherwise, the *GWN* generates the current timestamp *T*<sup>4</sup> and searches (*PIDnew <sup>i</sup>* , *PIDold <sup>i</sup>* , *TIDi*, *NCi*) in *UserInfoTable* using *PIDold <sup>i</sup>* . Further, the *GWN* calculates *Cnew <sup>i</sup>* = *h*(*TIDi* ||*HID*<sup>∗</sup> *i* ) - *PIDnew <sup>i</sup>* , *<sup>p</sup>new <sup>i</sup>* <sup>=</sup> *<sup>C</sup>new i* - *HID*∗ *i* - *T*4, *M*<sup>4</sup> = *R*<sup>∗</sup> *j* - *Ki*, and *M*GU = *h*(*PIDold <sup>i</sup>* ||*HID*<sup>∗</sup> *<sup>i</sup>* ||*Cnew <sup>i</sup>* ||*R*<sup>∗</sup> *<sup>i</sup>* ||*R*<sup>∗</sup> *<sup>j</sup>* ||*T*4). Finally, the *GWN* sends {*<sup>p</sup> new <sup>i</sup>* , *M*4, *M*GU, *T*<sup>4</sup> to *Ui*.

Step 5: Upon the reception of {*<sup>p</sup> new <sup>i</sup>* , *M*4, *M*GU, *T*<sup>4</sup> from the *GWN*, *Ui* checks whether *T*<sup>4</sup> is a valid timestamp. Then, *Ui* calculates *R*<sup>∗</sup> *<sup>j</sup>* = *M*<sup>4</sup> - *H*(*TIDi* ||*HID*<sup>∗</sup> *<sup>i</sup>* ||*NCi*||*T*1), *SKij* = *h*(*Ri* ||*R*<sup>∗</sup> *<sup>j</sup>* ), *<sup>C</sup>new <sup>i</sup>* = *<sup>p</sup>new i* - *HID*∗ *i* - *T*4, and *M*∗ GU = *h*(*PIDi* ||*HID*<sup>∗</sup> *<sup>i</sup>* ||*Cnew <sup>i</sup>* ||*Ri*||*R*<sup>∗</sup> *<sup>j</sup>* ||*T*4). Then, *Ui* verifies the equality check *M*<sup>∗</sup> GU ? = *M*GU. If the verification fails, *Ui* aborts the session. Otherwise, *Ui* updates *Ci* = *Cnew <sup>i</sup>* , *flag* = 0.

The process of the authentication phase is shown in Figure 5.

*5.5. Password and Biometric Update Phase*

Step 1: *Ui* inserts *SCi*, inputs *IDi* and *PWi*, and imprints *Bioi*. *SCi* calculates *bi* = *REP*(*Bio <sup>i</sup>* , *pairi* ), *TIDi* = *h*(*IDi* ), *HPW*∗ *<sup>i</sup>* = *h*(*PW <sup>i</sup>* ||*bi* ), *HID*∗ *<sup>i</sup>* = *Ai h*(*HPW* ∗ *<sup>i</sup>* ||*TIDi*), and *B*∗ *<sup>i</sup>* = *h*(*HPW* <sup>∗</sup> *<sup>i</sup>* ||*HID*<sup>∗</sup> *<sup>i</sup>* ) *mod n* and verifies the equality check for *B*<sup>∗</sup> *<sup>i</sup>* ? = *Bi*. If it does not hold true, *SCi* rejects the request. Otherwise, *Ui* inputs a new password *PWnew <sup>i</sup>* and imprints a new biometric *Bionew <sup>i</sup>* .

Step 2: *SCi* calculates *GEN*(*Bio new <sup>i</sup>* ) = (*<sup>b</sup> new <sup>i</sup>* , *pairnew <sup>i</sup>* ), *HPWnew <sup>i</sup>* <sup>=</sup> *<sup>h</sup>*(*PWnew <sup>i</sup>* ||*b new <sup>i</sup>* ), *Anew <sup>i</sup>* = *HID*<sup>∗</sup> *i h*(*HPWnew <sup>i</sup>* ||*TIDi*), and *<sup>B</sup>new <sup>i</sup>* <sup>=</sup> *<sup>h</sup>*(*HPWnew <sup>i</sup>* ||*HID*<sup>∗</sup> *<sup>i</sup>* ) *mod n*. At last, *SCi* replaces *pairi* , *Ai* and *Bi*, with *pairnew <sup>i</sup>* , *<sup>A</sup>new <sup>i</sup>* and *<sup>B</sup>new <sup>i</sup>* , respectively.

#### **6. Security Analysis**

*6.1. Security Verification Using ProVerif*

*ProVerif* [33] is one of the widely accepted automated security verification tools for communication protocols. ProVerif supports main cryptographic primitives including hash function, encryption, digital signatures, etc. In this section, we use ProVerif to check the mutual authentication and session key secrecy of the proposed scheme.

First, we define two insecure channels, c1 for communication between users and the *GWN* and c2 for communication between the *GWN* and sensors.

(\*–Two public channel–\*)

free c1: channel. (\*–The channel between users and GWN–\*) free c2: channel. (\*–The channel between sensors and GWN–\*) Then, we define the parameters and constructors as follows: (\*–The basic variables–\*) free user, GWN, SN: bitstring. (\*—three participants–\*) free PID: bitstring. (\*—the pseudonym identity shared by user and GWN–\*) free Ku: bitstring[private]. (\*—the masterkey of GWN–\*) free Ks: bitstring[private]. (\*—the masterkey of GWN–\*) free XSj: bitstring[private]. (\*—the shared key between GWN and sensor–\*) table Table\_user\_info( bitstring, bitstring, bitstring). (\*—the user's info table—\*) table Table\_sensor\_info(bitstring, bitstring). (\*—the sensor's info table—\*) (\*–Encryption operation–\*) fun encrypt(bitstring, bitstring): bitstring. fun decrypt(bitstring, bitstring): bitstring. equation forall x: bitstring, y: bitstring; decrypt(encrypt(x, y), y) = x. (\*–Hash operation–\*) fun h1(bitstring): bitstring. fun h2 (bitstring, bitstring): bitstring. fun h4 (bitstring, bitstring, bitstring, bitstring):bitstring. fun h5 (bitstring, bitstring, bitstring, bitstring, bitstring): bitstring. fun h6 (bitstring, bitstring, bitstring, bitstring, bitstring, bitstring): bitstring. (\*–XOR operation–\*) fun XOR (bitstring, bitstring): bitstring. equation forall x: bitstring, y: bitstring; XOR(XOR(x, y), y) = x. (\*–Concat and Divide operation–\*) fun Concat (bitstring, bitstring): bitstring. fun Div1 (bitstring):bitstring. fun Div2 (bitstring):bitstring. equation forall x: bitstring, y: bitstring; Div1(Concat(x, y)) = x. equation forall x: bitstring, y: bitstring; Div2(Concat(x, y)) = y. (\*–Check the Freshness of timestamp operation–\*) fun isFresh (bitstring, bool): bool reduc forall T: bitstring; isFresh (T, true) = true. In order to check the mutual authentication and session key secrecy, we define the

following eight events and two secrets:

(\*–Mutual authentication queries–\*) event beginUG(bitstring). event endUG(bitstring). event beginGU(bitstring). event endGU(bitstring). event beginGS(bitstring). event endGS(bitstring). event beginSG(bitstring). event endSG(bitstring). query x: bitstring; inj-event(endUG(x)) ==> inj-event(beginUG(x)). query x: bitstring; inj-event(endGU(x)) ==> inj-event(beginGU(x)). query x: bitstring; inj-event(endGS(x)) ==> inj-event(beginGS(x)). query x: bitstring; inj-event(endSG(x)) ==> inj-event(beginSG(x)). (\*–Session key secrecy queries–\*) free secretA, secretB: bitstring [private]. query attacker(secretA); attacker(secretB). Three distinct processes *processUser*, *processSensor*, and *processGWN* are declared to model *Ui*, *Sj* and *GWN*, respectively. (\*—————-User Ui———————\*) let processUser(IDi: bitstring, PWi: bitstring, bi: bitstring, Ai: bitstring, Bi: bitstring, Ci: bitstring, NCi: bitstring, SIDj: bitstring) = let TIDi = h1(IDi) in let HPWi' = h2(PWi, bi) in let HIDi' = XOR(Ai, h2(HPWi', TIDi)) in let Bi' = h2(HPWi',HIDi') in if Bi'=Bi then event beginGU(GWN); new ri: bitstring; new T1: bitstring; let PIDi = XOR(Ci, h2(TIDi, HIDi')) in let Ri = h4(TIDi, PIDi, NCi, ri) in let M1 = XOR(Concat(ri, SIDj), h4 TIDi, HIDi', NCi, T1)) in let MUG = h5 (TIDi, HIDi', PIDi, Ri, T1) in out (c1, (PIDi, M1, MUG, T1)); in (c1, (M4:bitstring, MGU:bitstring, T4:bitstring)); if isFresh (T4, true) = true then let Rj' = XOR(M4,h4(TIDi, HIDi',NCi, T1)) in let SKij' = h2(Ri, Rj') in let MGU' = h5(PIDi, HIDi', Ri, Rj', T4) in if MGU' =MGU then event endUG(user); out(c1, encrypt(secretA, SKij')). (\*—————-GWN———————\*) let processGWN() = in(c1, (PIDi: bitstring, M1: bitstring, MUG: bitstring, T1:bitstring)); if isFresh(T1, true) = true then get Table\_user\_info(=PIDi, TIDi, NCi) in let HIDi' = h2(TIDi, Ku) in let Ki = h4(TIDi, HIDi', NCi, T1) in let ri' = Div1(XOR(M1,Ki)) in let SIDj = Div2(XOR(M1,Ki)) in let Ri' = h4(TIDi, PIDi, NCi, ri') in event beginUG(user);

```
let MUG' = h5(TIDi, HIDi', PIDi, Ri', T1) in
    if MUG' =MUG then
    event beginSG(SN);
    new T2: bitstring;
    get Table_sensor_info(=SIDj, XSj) in
    let M2 = XOR(Concat(Ri', PIDi),h2(XSj, T2)) in
    let MGS = h5(PIDi, SIDj, XSj, Ri', T2) in
    out(c2, (M2, MGS, T2));
    in(c2,(SIDj:bitstring, M3:bitstring, MSG:bitstring, T3: bitstring));
    if isFresh(T3, true) = true then
    let Rj' = Div1(XOR(M3,h2(XSj, T3))) in
    let PIDi = Div2(XOR(M3, h2(XSj, T3))) in
    let MSG' = h6(PIDi, SIDj, XSj, Ri',Rj', T3) in
    if MSG' = MSG then
    new T4: bitstring;
    event endGS(GWN);
    let M4 = XOR(Rj',Ki) in
    let MGU = h5(PIDi, HIDi', Ri', Rj', T4) in
    out(c1, (M4, MGU, T4));
    event endGU(GWN);
    0.
    (*—————-Sensor Sj———————*)
    let processSensor(SIDj:bitstring, XSj:bitstring) =
    in(c2, (MG:bitstring, MGS:bitstring, T2:bitstring));
    event beginGS(GWN);
    let Ri' =Div1(XOR(MG, h2(XSj, T2))) in
    let PIDi =Div2(XOR(MG, h2(XSj, T2))) in
    let MGS' = h5(PIDi, SIDj, XSj, Ri', T2) in
    if MGS'=MGS then
    new T3: bitstring;
    new rj: bitstring;
    let Rj = h2(SIDj, rj) in
    let Mj = XOR(Concat(rj, PIDi),h2(XSj, T3)) in
    let SKij = h2(Ri', Rj) in
    let MSG = h6(PIDi, SIDj, XSj, Ri', Rj, T3) in
    out(c2, (SIDj, Mj, MSG, T3));
    event endSG(SN);
    out(c2, encrypt(secretB, SKij)).
    We simulate the unbounded parallel execution of processes processUser, processSensor,
and processGWN as follows:
    (*–Start process–*)
    process
    new IDi: bitstring;
    new PWi: bitstring;
    new bi: bitstring;
    new PIDi: bitstring;
    new SIDj: bitstring;
    new NCi: bitstring;
    let HPWi = h2(PWi, bi) in
    let TIDi = h1(IDi) in
    let HIDi = h2(TIDi, Ku) in
    let Ai = XOR(h2(HPWi, TIDi), HIDi) in
    let Bi = h2(HPWi, HIDi) in
    let Ci = XOR(h2(TIDi, HIDi),PIDi) in
```
let XSj = h2(SIDj, Ks) in insert Table\_user\_info(PIDi, TIDi, NCi); insert Table\_sensor\_info(SIDj, XSj); ( (\*– Launch an unbounded number of sessions of the user –\*) (!processUser(IDi, PWi, bi, Ai, Bi, Ci, NCi, SIDj)) | (\*– Launch an unbounded number of, sessions of the GWN–\*) (!processGWN()) | (\*– Launch an unbounded number of sessions of the sensor–\*) (!processSensor(SIDj, XSj)) ) The simulation results are shown as follows: Query inj-event(endUG(x)) ==> inj-event(beginUG(x)) is true. Query inj-event(endGU(x)) ==> inj-event(beginGU(x)) is true. Query inj-event(endGS(x)) ==> inj-event(beginGS(x)) is true. Query inj-event(endSG(x)) ==> inj-event(beginSG(x)) is true. Query not attacker(secretA[]) is true. Query not attacker(secretB[]) is true. The results mean that the proposed scheme is able to achieve mutual authentication. Meanwhile, the session key *SKij* generated by the user *Ui* and the sensor *Sj* is secure.

#### *6.2. BAN-Logic*

Burrows–Abadi–Needham logic (*BAN*-logic) [34] is a widely used tool for the formal analysis of authentication schemes which was proposed by Burrows et al. In this section, we use *BAN*-logic to prove the session key agreement between the user *Ui* and the sensor node *Sj* after the execution of the proposed scheme. Table 3 introduces the notations for the *BAN*-logic analysis and some basic rules for *BAN*-logic are described in Table 4.

**Table 3.** *BAN*-logic notations.


**Table 4.** Basic logical postulates of *BAN*-logic.


(1) The idealized form of the proposed scheme: Message 1: *Ui* → *GWN* : (*ri* , *SIDj*)

Message 2: *GWN* → *Sj* : (*Ri* , *PIDold <sup>i</sup>* ) *GWN XSj* ↔ *Sj* Message 3: *Sj* → *GWN* : (*R <sup>j</sup>* , *PIDold <sup>i</sup>* ) *Sj XSj* ↔ *GWN* Message 4: *GWN* → *Ui* : (*R <sup>j</sup>* ) *GWN*(*HIDi*, *NCi*) <sup>↔</sup> *Ui* (2) Verification goals: Goal 1: *Ui*| ≡ (*U <sup>i</sup> SK* ↔ *Sj*). Goal 2: *Ui*| ≡ *Sj*| ≡ (*U <sup>i</sup> SK* ↔ *Sj*). Goal 3: *Sj*| ≡ (*U <sup>i</sup> SK* ↔ *Sj*). Goal 4: *Sj*| ≡ *Ui*| ≡ (*U <sup>i</sup> SK* ↔ *Sj*). (3) Assumptions about the initial state: A1: *Ui*| ≡ (*ri* , *rj*). A2: *Sj*| ≡ (*ri* , *rj*). A3: *GWN*| ≡ (*ri* , *rj*). A4: *Ui*| ≡ (*U <sup>i</sup>* (*PIDi*, *HIDi*, *NCi*) <sup>↔</sup> *GWN*). A5: *GWN*| ≡ (*U <sup>i</sup>* (*PIDi*, *HIDi*, *NCi*) <sup>↔</sup> *GWN*). A6: *GWN*| ≡ (*GWN XSj* ↔ *Sj*). A7: *Sj*| ≡ (*GWN XSj* ↔ *Sj*). A8: *Ui*| ≡ *Sj* ⇒ (*U <sup>i</sup> SK* ↔ *Sj*). A9: *Sj*| ≡ *Ui* ⇒ (*U <sup>i</sup> SK* ↔ *Sj*) (4) Proofs: Step 1: From Message 1, we can get: *GWN* - (*ri* Step 2: According to Step 1, A5, and the message meaning rule, it can be inferred that: *GWN*| ≡ *Ui*|~(*ri* , *SIDj*) *Ui* (*HIDi*, *NCi*) <sup>↔</sup> *GWN* . Step 3: According to Step 2, A3, and the nonce verification rule, we obtain: *GWN*| ≡

*Ui*| ≡ (*ri* , *SIDj*) *Ui* (*HIDi*, *NCi*) <sup>↔</sup> *GWN* .

*GWN*

Step 4: From Message 2, we understand that: *Sj* - (*Ri* , *PIDold <sup>i</sup>* ) *GWN XSj*

↔ *Sj* Step 5: According to A7 and the message meaning rule, we obtain: *Sj*| ≡ *GWN*|~(*Ri* , *PIDold <sup>i</sup>* ) *XSj* .

, *SIDj*) *Ui*

(*HIDi*, *NCi*) <sup>↔</sup> *GWN*

.

.

.

↔ *Sj* Step 6: According to A2, *Ri* = *h*(*TIDi* ||*PIDi*||*NCi*||*ri*), and the freshness conjuncatenation rule, we can get: *Sj*| ≡ (*Ri* ).

Step 7: According to Step 5, Step 6, and the nonce verification rule, we get: *Sj*| ≡ *GWN*| ≡ (*Ri* , *PIDold <sup>i</sup>* ) *XSj* .

↔ *Sj* Step 8: According to Step 3, Step 7, *SKij* = *h*(*Ri* ||*Rj*), and *Ri* = *h*(*TIDi* ||*PIDi*||*NCi*||*ri*), we prove: *Sj*| ≡ *Ui*| ≡ (*U <sup>i</sup> SK* ↔ *Sj*) (**Goal 4**).

Step 9: According to Step 8, A9, and the jurisdiction rule, we prove: *Sj*| ≡ (*U <sup>i</sup> SK* ↔ *Sj*) (**Goal 3**).

Step 10: According to Message 3, we get: *GWN* - (*R <sup>j</sup>* , *PIDold <sup>i</sup>* ) *XSj*

*Sj* ↔ *GWN* Step 11: According to Step10, A6, and the message meaning rule, it can be inferred that: *GWN*| ≡ *Sj*|~(*R <sup>j</sup>* , *PIDold <sup>i</sup>* ) *Sj XSj* ↔ *GWN* .

*GWN*

Step 12: According to Step 11, A3, *Rj* = *h*(*SID <sup>j</sup>* ||*rj*), and the nonce verification rule, we obtain: *GWN*| ≡ *Sj*| ≡ (*R <sup>j</sup>* , *PIDold <sup>i</sup>* ) *XSj* .

*Sj* ↔ *GWN* Step 13: From Message 4, we obtain: *Ui* - (*R <sup>j</sup>* ) *GWN*(*HIDi*, *NCi*) <sup>↔</sup> *Ui*

Step 14: According to Step 13, A4, and the message meaning rule, we obtain: *Ui*| ≡ *GWN*|~(*R <sup>j</sup>* ) *GWN*(*HIDi*, *NCi*) <sup>↔</sup> *Ui* .

.

Step 15 According to Step 14, A1, *Rj* = *h*(*SID <sup>j</sup>* ||*rj*), and the nonce verification rule, we get: *Ui*| ≡ *Sj*| ≡ (*U <sup>i</sup> SK* ↔ *Sj*). (**Goal 2**).

Step 16: According to Step 15, A8, and the jurisdiction rule, we prove: *Ui*| ≡ (*U <sup>i</sup> SK* ↔ *Sj*) (**Goal 1**).

From the proof results obtained from the above process, **Goal 1**–**4**, *Ui*, and *Sj* believe that they have completed the key agreement and generated the shared session key *SKij* = *SKjiji*.

#### *6.3. Informal Security Analysis*

(1) Anonymity and un-traceability

Suppose an adversary intercepted the information transmitted to a public channel from *Ui*, *GWN*, and *Sj*. Obviously, the adversary cannot obtain the user's actual identity *IDi*, because of the security of the one-way *hash* function. In addition, the pseudonym identity *PIDi* changes after each authentication, and *ri* and *rj* are randomly generated in each session. The adversary cannot determine whether two sessions are launched by the same user.

(2) Perfect forward secrecy

Suppose an adversary accidentally captured *Ui*'s private key *NCi*, *Sj*'s private key (*XSj* , *Nj*), and the *GWN*'s master key (*Ku*, *Ks*), and intercepted the information propagated in the public channel. The adversary cannot obtain the previous session key because *NCi*, *XSj* , *Nj* changes after each authentication, and the adversary cannot get the *NCi*, *XSj* , *Nj* in a previous session because of the security of the one-way *hash* function. Therefore, the proposed scheme can achieve perfect forward secrecy.

(3) Mutual authentication

In Section 6.1, we define eight events—event *beginUGparam*(bitstring), event *endUGparam*(bitstring), event *beginGUparam*(bitstring), event *endGUparam*(bitstring), event *beginGSparam*(bitstring), event *endGSparam*(bitstring), event *beginSGparam*(bitstring), and event *endSGparam*(bitstring)—to verify the mutual authentication of *Ui*, *GWN*, and *Sj*. The results show that our proposed scheme could achieve mutual authentication.

(4) Session key agreement

The user *Ui* and the sensor *Sj* reach a session key *SKij* = *h*2(*Ri*||*Rj*) for future communication after authentication. Since *Ri* and *Rj* are generated by *Ui* and *Sj*, respectively, both *Ui* and *Sj* have an influence on the outcome of the session key *SKij* = *h*(*Ri* ||*Rj*) = *SKji*.

(5) Three-factor security

Suppose an adversary captured the smart card *SCi* of *Ui* and obtained the biometrics *Bioi*. The adversary can extract the values {*Ai* , *bi*, *Ci*, *NCi*, *pairi* , *flag*} in *SCi*. Further, the adversary guesses *ID*- *i* , *PW*- *i* ) and calculates *bi* = *REP*(*Bio <sup>i</sup>* , *pairi* ), *TID*- *<sup>i</sup>* = *h*(*ID*- *i* ), *HPW*∗ *<sup>i</sup>* = *h*(*PW* - *i* ||*bi* ), *HID*∗ *<sup>i</sup>* = *Ai h*(*HPW* ∗ *<sup>i</sup>* ||*TID*- *i* ), and *b*∗ *<sup>i</sup>* = *h*(*HPW* <sup>∗</sup> *<sup>i</sup>* ||*HID*<sup>∗</sup> *<sup>i</sup>* ) *mod n*. However, the adversary does not know the correctness of (*ID*- *i* , *PW*- *i* ) because *Bi* ? = *h*(*HPW* <sup>∗</sup> *<sup>i</sup>* ||*HID*<sup>∗</sup> *<sup>i</sup>* ) *mod n*. is a fuzzy verification process.

(6) Resistance of other known attacks

Insider attack: An insider adversary can obtain the user's registration information {*TIDi* = *h*(*IDi* ), *HPWi* = *h*(*PW <sup>i</sup>* ||*bi*)}. Because of the security of the one-way hash function and ignorance about *bi*, the adversary cannot capture *PWi*. Therefore, no effective insider attack can be launched.

Stolen verifier table attack: There is no password-related or biometric-related information stored inside the *GWN*. Therefore, the stolen verifier table attack is infeasible in our proposed scheme.

User impersonation attack: For generating valid login request information, the adversary needs to know *HIDi*. While we know *bi* = *REP*(*Bio <sup>i</sup>* , *pairi* ), *TIDi* = *h*(*IDi* ), *HPWi* = *h*(*PW <sup>i</sup>* ||*bi* ), and *HIDi* = *Ai h*(*HPW <sup>i</sup>* ||*TIDi*), where *Ai* and *pairi* are stored in *SCi*. Therefore, the adversary cannot forge *Ui* without getting *IDi*, *PWi*, *Bioi* and *SCi*. Thus our proposed scheme could resist user impersonation attacks.

Sensor Spoofing Attack: An adversary cannot forge a sensor node *Sj* without getting the secrets of *Sj* (NS*<sup>j</sup>* and *XSj* ). Therefore, no effective sensor spoofing attack can be launched.

Known session-specific temporary information attack: In our proposed scheme, the user *Ui* and the micro-sensor *Sj* reach a session key *SKij* = *h*(*Ri* ||*Rj*) = *h*(*h*(*TID <sup>i</sup>* ||*PIDi* ||*NCi*||*ri*)||*h*(*SID <sup>j</sup>* ||*rj*)). Even if an adversary captured the session-specific temporary information, *ri* and *rj*, he cannot launch a known session-specific temporary information attack without *NCi*. As a result, our proposed scheme can resist known session-specific temporary information attacks.

De-synchronization attack: We analyze five possible cases of de-synchronization attacks, shown in Figure 6.

**Figure 6.** Possible de-synchronization attack on our proposed protocol.

Case 1: Suppose an adversary blocked *C*1 : {*PIDi* , *M*1, *MUG*, *T*1}. Since none of the participants updated the information table, the attack is infeasible.

Case 2: Suppose an adversary blocked *C*2 : {*M*2, *M*GS, *NGj*, *T*<sup>2</sup> , the information stored on the *GWN* side and sensor side would be out of synchronization. However, by calculating

, it can be known how many times the communications between *Sj* and the *GWN* are blocked. The information on two sides would be resynchronized by calculating *N* times *X*- *Sj* <sup>=</sup> *<sup>h</sup>*(*<sup>X</sup>* - *Sj* ||*SIDj*) and updating *XSj* = *X*- *Sj* , *Nj* = *NGj*.

Case 3: If an adversary blocks *C*3 : {*SID <sup>j</sup>* , *M*3, *M*SG, *T*<sup>3</sup> . Both the *GWN* and *Sj* have updated the *XSj* and *NGj*/*Nj*. The synchronization between *Ui* and the *GWN* is the same as Case 4.

Case 4: If an adversary blocks *<sup>C</sup>*4 : {*<sup>p</sup> new <sup>i</sup>* , *M*4, *M*GU, *T*<sup>4</sup> . The communications between the *GWN* and *Sj* are in synchronization, while the communications between *Ui* and the *GWN* are out of synchronization. In this case, the *GWN* has completed the update of *PIDi*, and *PIDold <sup>i</sup>* records the previous *PIDi*. Since *<sup>C</sup>*4 : {*<sup>p</sup> new <sup>i</sup>* , *M*4, *M*GU, *T*<sup>4</sup> is not received, the user *Ui* does not update *Ci*, and the *PIDi* calculated in the next session is not updated. However, when *Ui* initiates the session request again, the *GWN* finds that the *PIDi* sent by *Ui* is the same as the *PIDold <sup>i</sup>* recorded in its memory. The *GWN* can identify the de-synchronization attack initiated by the adversary and synchronize the information according to Step 2 of the authentication phase. Therefore, the proposed new protocol can also resist the attacks of Case 3 and Case 4 of de-synchronization attacks.

In summary, our proposed scheme can resist de-synchronization attacks. On the other hand, we have shown that our proposed scheme can achieve forward secrecy in previous part of this section. Therefore, our proposed scheme can resist offline password-guessing attacks and stolen smart card attacks.

#### **7. Performance Analysis**

This section will compare and analyze the performance of the proposed new protocol with other similar protocols, including a computing cost comparison and communication cost comparison. Since the registration phase of users and sensors occurs only once, and users do not change their passwords and biometrics frequently, this section only discusses the performance comparison between authentication phases.

#### *7.1. Comparison of Computing Costs*

According to the experimental data in the literature [35], *Th* ≈ 0.32ms, the computing cost comparison between our proposed scheme and other similar schemes, is shown in Table 5. From the results, the proposed protocol has a lower computation cost than the other four similar protocols.


**Table 5.** Comparison of computing costs (milliseconds).

#### *7.2. Comparison of Communication Costs*

We assume that the length of identification, random number, timestamp, and other parameters involved in the proposed protocol and other similar protocols is 128 bits, and the length of the timestamp is 32 bits. *Hash* functions *<sup>h</sup>* : {0, 1}<sup>∗</sup> -{0, 1}<sup>128</sup> and *<sup>H</sup>* : {0, 1}<sup>∗</sup> -{0, 1}<sup>256</sup> have 128-bit and 256-bit outputs, respectively. Other related protocols use hash functions (such as *MD*5) with an output length of 128 bits.

In the authentication phase of the newly proposed protocol, there are four transmission messages: {*PIDi* , *M*1, *MUG*, *T*1}, {*M*2, *M*GS, *NGj*, *T*<sup>2</sup> , {*SID <sup>j</sup>* , *M*3, *M*SG, *T*<sup>3</sup> , and {*<sup>p</sup> new <sup>i</sup>* , *M*4, *M*GU, *T*<sup>4</sup> . The total length of the transmitted message is (128 + 256 + 128 + 32) + (256 + 128 + 128 + 32) + (128 + 256 + 128 + 32) + (128 + 128 + 128 + 32) = 2048 bits.

Table 6 shows the comparison of the communication costs between the proposed new protocol and other similar schemes. From the comparison results, our new proposed scheme is also at a good level in terms of communication costs.


**Table 6.** Comparison of communication costs.

#### **8. Conclusions**

Due to the insecurity of wireless sensor networks, abundant research on authentication and key agreement protocols for *WSN*s has been put forward. In 2019, Shin et al. proposed a lightweight three-factor authentication and key agreement protocol based on symmetric cryptographic primitives for *WSN*s, which looked promising. However, we found that there are some security risks in their protocol. To solve the shortcomings, we proposed a new lightweight and anonymous three-factor authentication scheme for *WSN*s. Furthermore, we proved that our proposed scheme is secure using the automated security verification tool *ProVerif*, *BAN*-logic verification, and an informal security analysis. Through a performance comparison and analysis, our new scheme shows a good level of computing and communication overhead and has high practicability. In future research, we will focus on finding a lighter mathematical model to realize the strong security of identity authentication in wireless sensor networks and apply the scheme to the actual environment.

**Author Contributions:** Conceptualization, L.Z.; Formal analysis, H.X.; Investigation, H.X.; Methodology, L.Z.; Supervision, H.X. and K.Z.; Validation, K.Z.; Writing—original draft, L.Z. All authors have read and agreed to the published version of the manuscript.

**Funding:** This research was supported by the Project of Educational Commission of Guangdong Province (No.6019210033S), Shenzhen Fundamental Research Project (No.JCYJ20180305163701198), Shenzhen Bureau of Education (No.zdzz20002).

**Institutional Review Board Statement:** Not applicable.

**Informed Consent Statement:** Not applicable.

**Data Availability Statement:** Not applicable.

**Conflicts of Interest:** The authors declare no conflict of interest.

#### **References**

