Improvement of Wu et al.’s Three-Factor User Authentication Scheme for Wireless Sensor Networks

(1)

Improvement of Wu et al.’s Three-Factor User

Authentication Scheme for Wireless Sensor Networks

Jihyeon Ryu1, Hakjun Lee2, Hyoungshick Kim3and Dongho Won3,*

1 _{Department of Platform Software, Sungkyunkwan University, Sungkyunkwan University, 2066 Seobu-ro,}

Jangan-gu, Suwon-si, Gyeonggi-do 16419, Korea; [email protected];

2 _{Department of Electrical and Computer Engineering, Sungkyunkwan University, 2066 Seobu-ro, Jangan-gu,}

Suwon-si, Gyeonggi-do 16419, Korea; [email protected];

3 _{Department of Computer Engineering, Sungkyunkwan University, 2066 Seobu-ro, Jangan-gu, Suwon-si,}

Gyeonggi-do 16419, Korea; [email protected](H.K.); [email protected](D.W.);

* Correspondence: [email protected]; Tel.: +82-31-290-7107

Version November 9, 2018 submitted to Preprints

Abstract: Wireless sensor networks are widely used in many applications such as environmental 1

monitoring, health care, smart grid and surveillance. Many security protocols have been proposed and 2

intensively studied due to the inherent nature of wireless networks. In particular, Wu et al. proposed 3

a promising authentication scheme which is sufficiently robust against various attacks. However, 4

according to our analysis, Wu et al.’s scheme has two serious security weaknesses against malicious 5

outsiders. First, their scheme can lead to user impersonation attacks. Second, user anonymity is not 6

preserved in their scheme. In this paper, we present these vulnerabilities of Wu et al.’s scheme in 7

detail. We also propose a new scheme by fixing such vulnerabilities and improving the performance 8

of the protocol. 9

Keywords:wireless sensor networks; user authentication; biometric; smart card 10

1. Introduction 11

A wireless sensor network (WSN) is a distributed network of autonomous sensors that are 12

typically used to collect information about environmental or physical conditions. Wireless sensor 13

networks are applicable to a variety of applications such as environmental monitoring, health care, 14

smart grid and surveillance [1–4] because they can be easily deployed without a significant cost penalty. 15

In general, a WSN system consists of four entities: (1) user interface, (2) sensor node that measures 16

physical or environmental conditions, (3) gateway node that forwards the information received 17

from the sensor nodes to a central server, (4) central server that collects the information from the 18

sensor nodes and analyze it. Naturally, however, the security of WSN is critical because network 19

packets can be easily captured and modified in WSN due to the inherent characteristics of wireless 20

networks. Therefore, we need to provide security protocols in order to ensure security properties 21

such as confidentiality, integrity, and authenticity even when data packets on a WSN are captured and 22

modified in au unauthorized manner. 23

Recently, Wu et al. [1] proposed a promising user authentication scheme using elliptic curve

24

cryptography (ECC) [5,6] which was designed for WSN. In this paper, however, we found that Wu

25

et al.’s scheme [1] has two security flaws against outsider attackers. First, their scheme can lead to 26

user impersonation attacks. Second, user anonymity is not preserved because the user identity can 27

be revealed from an anonymous login request message. We will explain these in the reminder of this 28

paper. Our key contributions are summarized below: 29

• We discovered two security weaknesses in Wu et al.’s scheme [1] which was recently designed

30

for user authentication using ECC on WSN systems. We demonstrated that a malicious outsider 31

holding a smart card can extract the secret parameters from his/her smart card; the extracted 32

(2)

secret parameters can be used to perform impersonation attacks and reveal the identity of the 33

user from a login request message. 34

• We also proposed a novel three-factor user authentication scheme for WSN by extending Wu et

35

al.’s scheme [1]. The proposed authentication scheme not only accomplishes several important

36

security properties but also improves the performance of the protocol in time. 37

The rest of the paper is structured as follows: Section2summarizes the related work. Section 3

38

gives some preliminaries of the cryptographic primitives (i.e., ECC and fuzzy extractor) used in our 39

paper and explains the threat model and assumptions. Section4provides a review of Wu et al.’s

40

scheme [1]. Section5analyze the security weaknesses of their scheme. Section6presents a novel

41

three-factor user authentication scheme by fixing security issues in Wu et al.’s scheme. Section7and8

42

provide security and performance analysis results, respectively. We conclude in Section9. 43

2. Related work 44

Due to the inherent weakness of WSNs, many researchers have proposed security protocols to 45

achieve fundamental security goals of WSNs. As one of the pioneers in this area, Watro et al. [7]

46

proposed a security protocol using RSA for wireless sensor networks. To enhance the security of 47

the authentication procedure, Das [2] extended their protocol to a two-factor user authentication

48

protocol for WSNs where a user has to hold both of password and smartcard. Because their proposed 49

authentication scheme provides reasonable security properties, it had been widely used for WSNs as a 50

de-factor standard protocol [8–10]. However, He et al. [11] found that Das’s protocol is vulnerable to 51

several attacks such as insider attacks, impersonation attacks and lack of secure mutual authentication. 52

They also suggested an authentication scheme by fixing the discovered problems. However, Kumar et 53

al. [12] also discovered several security flaws such as information leakage, no session key agreement, 54

no mutual authentication, and lack of anonymity in Das’s protocol. 55

Recently, some researchers (e.g., [13]) have started to develop user authentication schemes for 56

WSNs using ECC which can provide the same security as RSA with a smaller key size. ECC is the most 57

efficient algorithm that satisfies forward secrecy and backward secrecy among the algorithms so far. 58

Xue et al. [14] particularly introduced a temporal-credential-based protocol to provide user anonymity. 59

However, Jiang et al. [15] demonstrated that Xue et al.’s scheme has four critical security flaws: (1) 60

identity guessing attacks, (2) on-line password guessing attacks by privileged insiders, and (3) off-line 61

password guessing attacks with a victim’s smartcard. Jiang et al. also suggested a new authentication 62

scheme to address their discovered issues. 63

More recently, Das [16] found that Jiang et al. [15]’s scheme has significant security issues such 64

as the vulnerabilities to insider and de-synchronization attacks and lack of formal security proof of 65

the proposed scheme. To address these issues, Das proposed several three-factor user authentication 66

schemes [16–18] by introducing a new factor of user biometrics. Again, Wu et al. [1] found that all the 67

Das’ schemes [16–18] are vulnerable to de-synchronization and off-line password guessing attacks. 68

Also, the protocols [17,18] are vulnerable to user impersonation and off-line password guessing attacks. 69

To fix such problems, Wu et al. [1] suggested a three-factor user authentication scheme using ECC for 70

WSNs. 71

In this paper, however, we found that Wu et al.’s scheme [1] is vulnerable to user impersonation 72

attacks and cannot provide user anonymity. We also propose a new three-factor user authentication 73

scheme to fix the discovered security flaws in Wu et al.’s scheme. In the following sections, we will 74

explain how the proposed scheme can solve the security problems of Wu et al.’s scheme. 75

3. Preliminaries 76

In this section, we introduce elliptic curves, fuzzy extractors, and threat models to be used in this 77

(3)

3.1. Elliptic curve cryptosystem 79

The Elliptic curve cryptosystem (ECC) is the most frequently used password system in modern passwords and has strong security characteristics. Miller [6] and Neal [5] create ECC in 1985 and 1987, respectively. ECC uses the following formula:

y2=x3+ax+b mod p a,b∈Fp (1)

The above equation is ECC on theFp. The following conditions must be met in order to ensure

safety.

4a3+27b26=0 mod p (2)

This is a formula that guarantees the non-singularity of an elliptic curve. When using this elliptic 80

curve, safety is ensured as follows : 81

1. Elliptic Curve Computational Diffie-Hellman Problem (ECCDHP):GivenxyP, it is impossible to find 82

xP,yP. 83

2. Elliptic Curve Decisional Diffie-Hellman Problem (ECDDHP):GivenxP,yPit is impossible to find 84

xyP. 85

3. Elliptic Curve Discrete Logarithm Problem (ECDLP):GivenP,xPit is impossible to findx. 86

We hypothesized thatPis the point onFp,xPis the result of calculatingPtimesx,yPis the result

87

of calculatingPtimesy, andxyPis the result of calculatingPtimesxy. 88

3.2. Fuzzy extractor 89

The user’s biometric information is very important information. In general, human biometric 90

recognition is perceived differently each time, and the fuzzy extractor plays a role in correcting it. 91

The fuzzy extractor can obtain a unique string using error tolerance. The fuzzy extractor is operated 92

through two procedures (Gen,Rep), demonstrated as [19,20] : 93

Gen(B)→ hα,βi (3)

Rep(B∗,β) =α (4)

Genis a function that biometricsBsends a factored out stringα∈ {0, 1}kand a coadjutant string

94

β∈ {0, 1}∗.Repis function thatGenis a probabilistic generation function for which the biometricsB

95

returns a factored out stringα∈ {0, 1}kand a coadjutant stringβ∈ {0, 1}∗, andRepis a function that

96

restoreβtoα, and any vectorBIO∗close toBIO[21].

97

3.3. Threat assumption 98

We introduce a threat model [8], and consider constructing the threat assumptions as follows: 99

1. The attackerAcan be a user, a gateway, or a sensor. Any registered user can act as an attacker. 100

2. A can intercept or eavesdrop on all communication messages in a public channel, thereby

101

capturing any message exchanged between a user and gateway or sensor. 102

3. Ahas the ability to modify, reroute, or delete the intercepted message. 103

4. Stored parameters can be extracted from smart cards using the side channel attack [22]. 104

5. An external attackerA(outsider) can also register, login and receive his/her smart card. 105

4. Review of Wu et al.’s scheme 106

In this section, We perform an analysis on Wu et al.’s scheme in order to scrutinize the security 107

weakness of their scheme in next section. Wu et al.’s scheme consists of four phases: registration phase, 108

login phase, authentication phase, and password change phase. In addition, it applies ECC such as 109

the [19] schemes. To begin with,GW NcreatesGonE(Fp)withPas a generator and large primen

(4)

as an order. After thatGW Npicks a private keyxunder two hash functionsh(·),h1(·)and security

111

lengthls. In their scheme, they assume that the length of all random numbers should abovels. Other

112

notations used in Wu et al.’s scheme are abridged in Table1. 113

Table 1.Notations used in this paper.

Notations Description

Ui Thei-th user

Sj,SIDj Aj-th sensor and its identity

IDi Ui’s identification

PWi Password ofUi

Bi Ui’s Biometric information summarized

A An evil-minded attacker

x Secret key ofGW N

ri Random number generated byUi

h(·),h1(·) One-way hash function

X||Y Concatenation operator

⊕ Bitwise XOR operator

E(Fp) A group of points on a finite fieldFpelliptic curve

P A point generator inFpwith a large prime ordern G A cyclic addition group underPas a generator

sku,sks The session key generated byUiandSjrespectively.

4.1. Registration Phase 114

Registration phase is divided in to two parts: user registration phase and registration phase. 115

4.1.1. User registration 116

1. The userUifirst decides his/her identificationIDiand passwordPWi. With a random numberri,

117

imprintsBiover a device for biometrics collection, and calculatesGen(Bi) = (Ri,Pbi),DIDi =h

118

(IDikri)andHPWi =h(PWi kri kRi). He/she then requests the registration message{IDi,

119

DIDi}to the gateway nodeGW Nover a secure channel.

120

2. After the registration request message from theUiis received,GW NcomputesB10 =h(DIDi kx)

121

wherexisGW N’s secret key, prepares a smart card forUicontainingh(·),h1(·),P, and collects

122

IDiin database. The next thing is thatGW Nsends the smart card withB10 to theUisecurely.

123

3. When receiving the smart card withB₁0 from the GW N,UicomputesB1 = B01 ⊕ HPWiand

124

B2=h(IDi kRikPWi) ⊕ riwith storingB1,B2,PandPbiinto the smart card.

125

4.1.2. Sensor registration 126

1. GW N determines an identitySIDjfor new sensor nodeSj, computes hash functioncj = h

127

(SIDjkx), and sends{SIDj,cj}toSj.

128

2. SjstoresP,SIDjandcj, and enters the WSN.

129

4.2. Login Phase 130

1. UientersIDi,PWiandBi0. And then, the smart card computesRep(Bi0,Pbi) =Ri,ri =B2 ⊕ h

131

(IDi kRikPWi),HPWi=h(PWikri kRi)andDIDi =h(IDikri).

132

2. The smart card produces random numbersr_inew,eiandα∈[1,n−1], and selects a special sensor

133

SIDj. Then, The smart card calculateDIDnewi =h(IDikrinew),C1=B1 ⊕ HPWi ⊕ ei,C2=αP,

134

C3=h(ei) ⊕ DIDnew_i ,Zi =IDi ⊕ h(ei kDIDi)andC4=h(IDikei kDIDi kDID_inewkC2k

135

SIDj). The valueC4is used to certify the integrity of the identities and the new data generated

136

by the user side as well as to authenticate the source of the messageM1.

137

3. Uisends the login request messagesM1={C1,C2,C3,C4,Zi,DIDi,SIDj}toGW N.

(5)

4.3. Authentication Phase 139

1. Being arrived the login request messagesM1from the userUi,GW Nfirst computesei=C1 ⊕ h

140

(DIDi k x),DIDinew = C3 ⊕ h(ei)andIDi = Zi⊕h (ei k DIDi), and verify the legitimacy

141

of IDi andC4 ?

= h (IDi k ei k DIDi k DIDnewi k C2 k SIDj). GW N terminates the session

142

if either verification is failed. If three failures continuously occur in a certain time span as 143

defined,Ui’s account will be frozen; otherwise,GW Ncalculatescj =h(SIDj kx)andC5=h

144

(cjkDIDjkSIDjkC2)and sendsM2={C2,C5,DIDi}to the sensor nodeSj. The valueC5is

145

used to accredit the integrity of the strings containingcj, and the data can be used for the sensor

146

Sjto acquire the correct data for calculating the session key. This is also done for verification of

147

the source ofM2.

148

2. Sjchecks the validity ofC5,C5=? h(cj k DIDi kSIDj kC2)with its identitySIDj. If this step

149

is failed,Sjwill terminate the session. Otherwise,Sjthen choosesβ∈[1,n−1]and calculates

150

C6=βP,sks =βC2,C7=h1(C2kC6ksks kDIDi kSIDj)andC8=h(DIDikSIDj kcj). The

151

main functionality ofC7is used for checking the integrity of the session key andC6, which is

152

needed byUito compute the session key. BothC7andC8are also used to validate the source of

153

M3. In the end,SjsendsM3={C6,C7,C8}toGW N.

154

3. GW N checks C8 =? h (DIDi k SIDj k cj). If validation phase is failed, GW N terminates

155

the session; otherwise, GW N computesC9 = h (DIDnew_i k x)⊕h (DIDi k ei) andC10 = h

156

(IDi kSIDjkDIDikDIDinewkei kC9). The valueC10is to check the validation of the source’s

157

messageM4. Eventually,GW Nsends the messageM4={C6,C7,C9,C10}toUi.

158

4. UichecksC10 =? h(IDi kSIDj kDIDi kDIDnew_i kei kC9). Uithen computes the session key

159

sku =αC6, and checksC7 =? h1(C2 kC6 ksku kDIDi kSIDj).Uiterminates the session ifUi

160

fails verification phase. Otherwise,UicomputesHPW_inew=h(PWi krnew_i kRi),Bnew1 =C9 ⊕ h

161

(DIDi k ei) ⊕ HPWinewandB2new = h(IDi k Ri k PWi) ⊕ rinew, and replaces(B1, B2)with

162

(Bnew

1 ,B2new)in each smart card separately.

163

4.4. Password and Biometrics Change Phase 164

1. Same as the step 1 in the Login phase. 165

2. The smart card produces random numbersrnew_i andei, calculatesDIDnewi ,C1,C3,ZiandC11 =h

166

(IDikei kDIDikDID_inew), and sendsM5={C1,C3,Zi,C11,DIDi}with a password change

167

request toGW N. The valueC11is similar toC4which is to confirm the integrity of the identities

168

as well as to verify the source ofM5.

169

3. GW N obtains ei, IDi and DIDinew as in step 1 of the authentication phase, and checks IDi

170

and C11 =? h (IDi k ei k DIDi k DIDinew). If verification stage is failed, GW N terminates

171

the session; otherwise, GW N computesC9 = h(DIDnewi k x) ⊕ h(DIDi k ei)andC12 = h

172

(IDi kDIDi kDIDnewi kei kC9)and sendsM6 ={C9,C12}and a grant toUi. HereC12 is to

173

verify the source ofM6.

174

4. Ui checksC12 =? h (IDi k DIDi k DIDinew k ei k C9). If two values are not equal, thenUi

175

terminates this session; otherwise, Ui inputs a new password PWinew and a new biometric

176

information Bnew_i . Next thing is that the smart card computes Gen (Bnew_i ) = (Rnew_i , P_binew), 177

HPW_inew2=h(PW_inewkrnew_i kRnew_i ),B1new2=C9 ⊕ h(DIDikei) ⊕ HPW_inew2andBnew2 2=h

178

(IDi kRnewi kPWinew) ⊕ rnewi . Finally,Uisubstitutes(B1new2,B2new2,Pbinew2)for(B1,B2,Pbi)in the

179

smart card respectively. 180

5. Cryptanalysis of Wu et al.’s scheme 181

We show that Wu et al.’s scheme [1] possesses certain some security vulnerabilities in this section. 182

(6)

5.1. Extract critical information 184

1. An attackerAwho is a legitimate user and he/she can own his/her smart card. Smart card can

185

be extracted the value{B1A,B2A,P,PbA}. 186

2. A can thus obtainh (DID_A k x) = B1A ⊕ HPWA, and use this variable for other attacks,

187

because this value is an critical value that be used on the user identification in theGW N. 188

5.2. No user anonymity 189

AttackerAcan extract the identity ofUifrom the login request messageMiofUi. Assume thatA

190

eavesdrops on the login request messageM1={C1,C2,C3,C4,Zi,DIDi,SIDj}ofUi. We also assume

191

that attackerAhash(DID_A kx)through 5.1. Extract Critical Information. The details are as follows. 192

1. AttackerAfirst generates random numbersrnew_A ,e_A, andα_A ∈[1,n−1], and selects a special

193

sensorSIDj.C1A=B1A ⊕ HPWA ⊕ eA,C2A=α_AP,C3A=h(eA) ⊕ DIDi,ZA =IDA ⊕ h 194

(e_A kDID_A)andC4A =h(IDA keA kDIDA kDIDi kC2AkSIDj).

195

2. Aforwards the login request messageM1A = {C1A,C2A,C3A,C4A,ZA,DIDA,SIDj}to the

196

gateway nodeGW N.

197

3. After receiving the login request message fromA,GW Ncomputese_A=C1A ⊕ h(DIDAkx), 198

DIDi =C3A ⊕ h(eA)andIDA =ZA ⊕ h(eA k DIDA), and checks the validity ofIDAand 199

C4A =? h(IDAkeAkDIDAkDIDikC2A kSIDj).GW Nthen computescj=h(SIDjkx)and

200

C5A =h(cjkDIDjkSIDj kC2A)and sendsM2A ={C2A,C5A,DIDA}toSj.

201

4. Sj checksC5A =? h(cj k DIDA kSIDj kC2A)with its identitySIDj. If this does not hold,Sj

202

terminates the session.Sjthen selectsβ_A ∈[1,n−1]and computesC6A=β_AP,sks =β_AC2A, 203

C7A = h1 (C2A k C6A k sks k DID_A k SIDj)and C8A = h (DIDA k SIDj k cj). Sj sends

204

M3A ={C6A,C7A,C8A}toGW N. 205

5. GW N testsC8A =? h(DIDA kSIDj kcj). If this does not hold,GW Nterminates the session;

206

otherwise,GW NcalculatesC9A =h(DIDikx) ⊕ h(DIDA keA)andC10A =h(IDA kSIDjk

207

DID_AkDIDi keA kC9A). FinallyGW Nsends the messageM4A ={C6A,C7A,C9A,C10A}to 208

attackerA. 209

6. A calculates h (DIDi k x) = h (DIDA k eA) ⊕ C9A. Now A can computeei = C1 ⊕ h

210

(DIDikx). Eventually,Acan findIDi=h(ei kDIDi) ⊕ Zi.

211

This result shows that Wu et al.’s scheme does not ensure user anonymity. 212

5.3. User impersonation attack 213

An attacker A can impersonate any user through the identity of others and his/her own

214

information. We assume the casualty is Ui. We also assume that attackerA has h (DIDA k x)

215

through 5.1. Extract Critical Information. The detailed method is as follows. 216

1. AttackerAselectsIDiwho is the target of the user impersonation attack.

217

2. Aselects random numbersrnew_A ,e_A, andα_A ∈[1,n−1]and selects a particular sensorSIDj. And

218

thenAcalculatesDIDnew

A =h(IDA krAnew),C1A =B1A ⊕ HPWA ⊕ eA,C2A =α_AP,C3A =h 219

(e_A) ⊕ DID_Anew,Z_A = IDi ⊕ h (eA k DIDA)andC4A = h (IDi k eA k DIDA k DIDAnew k 220

C2A kSIDj).C4A is to check the new data produced on the user side and the integrity of the 221

identities as well as to verify the source ofM1A. 222

3. Aforwards the login request messageM1A ={C1A,C2A,C3A,C4A,ZA,DIDA,SIDj}toGW N.

223

4. After obtaining the message from theA,GW Ncalculatese_A =C1A ⊕ h(DIDAkx),DIDnew_A = 224

C3A ⊕ h(eA)andIDi =ZA ⊕ h(eA kDIDA), and checks the availability ofIDiand checks

225

C4A =? h (IDi k eA k DIDA k DIDnew_A k C2A k SIDj). GW N continues to proceed with

226

the scheme without detection. Unfortunately, the GW N mistakenly believes that he/she is

227

communicating with the legitimate patientUi.

(7)

Resultingly, the attackerAwill be successfully confirmed asGW Nby userUi. Hence, the user

229

impersonation attack is successful. 230

In the next section, we discuss Wu et al.’s scheme to overcome the weakness of the scheme. Our 231

scheme stores several variables in the database to prevent the vulnerability of Wu et al. 232

6. Proposed scheme 233

We propose a new three-factor user authentication scheme for wireless sensor networks in this 234

section. We use three participants : the userUi, the gateway nodeGW Nand the sensor nodeSj. The

235

gateway nodeGW Ncreates master keysx. The userUiand the sensor nodeSjcomputes on elliptic

236

curve groupFp.

237

The proposed scheme composed as follows : registration phase, login phase, authentication phase, 238

and password/biometrics change phase. 239

6.1. Registration phase 240

In this phase, a userUichooses an identityIDi, imprints biometric templateBiat the sensor, then

241

performs the following steps: 242

6.1.1. User registration phase 243

1. UiselectsIDiandPWi. imprintsBivia a device for biometrics collection and computesGen(Bi)

244

=(Ri,Pbi) andHPWi=h(IDi kPWikRi). Then he/she sendsIDitoGW Nsecretly.

245

2. GW Ngenerates a random numberriand computesGIDi=h(IDi kri).

246

3. GW NcomputesG0_i =h(GIDi kx), prepares a smart card forUicontainingh(.),h1(.),P,GIDi

247

and the fuzzy extractor. 248

4. GW NstoresIDiandGIDiin its database and shares it withUi. By storingIDiandGIDiin the

249

database, Wu et al. [1]’s problems arising from existingDIDican be solved.

250

5. UicomputesG1=G10 ⊕ HPWi,G2= h(IDi kRi kPWi) ⊕ GIDiandG3=h(IDi kGIDi).

251

{G1,G2,G3,h(.),h1(.)P}are stored in the smart card.

252

6.1.2. Sensor registration phase 253

1. GW N selects an identitySIDjfor each new sensorSj, computescj = h(SIDj kx) and sends

254

{SIDj,cj} toSj.

255

2. SjstoresP,SIDjandcjand joins the WSN.

256

Figure1illustrates the registration phase of the proposed scheme. 257

6.2. Login phase 258

1. Ui inputs IDi,PWi andB_i0. The smart card executesRep(B0_i, Pbi) = Ri andGIDi = G2 ⊕ h

259

(IDi kRikPWi).Uichecksh(IDi kGIDi)=? G3. This allowsUito verify whether it has come in

260

correctly. 261

2. Uigeneratesei andα. Ui computesHPWi = h(IDi k PWi k Ri),MU1 = G1 ⊕ HPWi ⊕ ei,

262

MU2=αPandMU3=h(IDi keikGIDikMU2kSIDj).

263

3. Uisends the messageM1={MU1,MU2,MU3,GIDi,SIDj} toGW N.

264

Figure2illustrates the login and authentication phase of the proposed scheme. 265

6.3. Authentication phase 266

1. GW N finds IDi by usingGIDi from the database and computesei = MU1 ⊕ h (GIDi k x).

267

GW Nchecks the validity ofMU3=? h(IDi kei kGIDi kMU2kSIDj). If it fails, the session will

268

be terminated. Otherwise,GW Ncomputescj=h(SIDjkx) andMG1=h(cj kGIDi kSIDjk

269

MU2). When the operation has finished,GW Nsends the messageM2={MU2,MG1,GIDi}to

270

Sj.

(8)

User

U

i

GW node

h

ID

i

, P W

i

,

smart card

i

h

x

i

Select ID

i

, P W

i

Gen

(

B

i

) = (

R

i

, P

bi

)

HP W

i

=

h

(

ID

i

||

P W

i

||

R

i)

Generate r

i

GID

i

=

h

(

ID

i

||

r

i

)

G

′₁

=

h

(

GID

i

||

x

)

ID

i

, GID

i

are stored in database

G1

=

G

′₁

⊕

HP W

i

G2

=

h

(

ID

i

||

R

i

||

P W

i)

⊕

GID

i

G

3

=

h

(

ID

i

||

GID

i

)

h

ID

i

h

(

.

)

, h

1

(

.

)

, P, G

′1

, GID

i

Figure 1.Registration phase of the proposed scheme.

2. Sj checks MG1 =? h(cj k GIDi k SIDj k MU2) with its identitySIDj. If it is wrong,Sj will

272

stop the session. Otherwise, Sj selectsβ ∈ [1, n−1] and computes MS1 = βP, session key

273

sks =βMU2,MS2=h1(MU2k MS1 ksks kGIDikSIDj) andMS3=h(GIDi kSIDj kcj). it

274

sends messageM3={MS1,MS2,MS3}when all operations have finished.

275

3. GW NchecksMS3=? h(GIDi kSIDjkcj). If it is wrong, the session will be stopped. Otherwise,

276

GW N generatesrnew_i and calculates GIDnew_i = h (IDi k rnew_i ), MG2 = h (GIDnew_i k x) ⊕h

277

(GIDi kei), MG3= h(IDi kSIDj kGIDi k GIDnewi kei k MG2) andMG4= h(ei)⊕GIDinew.

278

FinallyGW Nsends the messageM4={MS1,MS2,MG2,MG3,MG4}toUi.

279

4. UicomputesGIDnewi =MG4 ⊕ h(ei) and checksMG3=? h(IDikSIDj kGIDi kGIDinewkeik

280

MG2). If not, the session will be stopped.Uicomputessku=αMS1=αβPand checksMS2=? h1

281

(MU2kMS1ksku kGIDi kSIDj). If it is wrong,Uiwill stop the session.

282

5. UicomputesG1new= MG2 ⊕ h(GIDikei)⊕HPWi,G2new=G2 ⊕GIDi ⊕ GIDnewi andG3new=h

283

(IDi k GIDnewi ). Finally,Ui substitutes (G1new,G2new,G3new) for (G1,G2,G3) in the smart card

284

respectively. 285

6.4. Password and biometrics change phase 286

1. Uiinputs IDi, PWi andBi0. The smart card executesRep (Bi0, Pbi) = Ri andGIDi = G2 ⊕ h

287

(IDi kRikPWi).Uichecksh(IDi kGIDi)

?

=G3. This allowsUito verify whether it has come in

288

correctly. 289

2. Uiis asked to input a new passwordPWinewand a new biometric informationBnewi . The following

290

data are computed: Gen(B_inew) =(Rnew_i ,P_binew),HPW_inew2 =h(IDi kPW_inew kRnew_i ),G1new2 =

291

G1 ⊕HPWi ⊕HPWinew2,G2new2=G2 ⊕ h(IDi kRikPWi) ⊕ h(IDi kRi kPWinew2). Finally,

292

Uisubstitutes (Gnew1 2,Gnew2 2,Pbinew) for (G1,G2,Pbi) in the smart card respectively.

(9)

UserUi GW node Sensor nodeSj

hIDi, P Wi,smart cardi hxi hh(SIDj||x)i

Inserts smart card

InputsIDi, P Wi,and biometricBi∗ R∗

i=Rep(Bi∗, Pi), GIDi=G2⊕h(IDi||Ri||P Wi) h(IDi||GIDi)=?G3

Generate ei, α

HP Wi=h(IDi||P Wi||Ri) M U1=G1⊕HP Wi⊕ei M U2=αP

M U3=h(IDi||ei||GIDi||M U2||SIDj)

ei=M U1⊕h(GIDi||x) M U3=?h(IDi||ei||GIDi||M U2||SIDj)

cj=h(SIDj||x) M G1=h(cj||GIDi||SIDj||M U2)

M G1=? h(cj||GIDi||SIDj||M U2) Generate β M S1=βP sks=βM U2=αβP M S2=h1(M U2||M S1||sks||GIDi||SIDj) M S3=h(GIDi||SIDj||cj)

M S3=? h(GIDi||SIDj||cj) Generate rnew

i GIDnew

i =h(IDi||rnewi ) M G2=h(GIDnewi ||x)⊕h(GIDi||ei) M G3=h(IDi||SIDj||GIDi||GIDinew||ei||M G2)

M G4=h(ei)⊕GIDnewi GIDnew

i stores in database

GIDnew

i =M G4⊕h(ei)

M G3=?h(IDi||SIDj||GIDi||GIDnewi ||ei||M G2) sku=αM S1=αβP

M S2=?h1(M U2||M S1||sku||GIDi||SIDj) Gnew

1 =M G2⊕h(GIDi||ei)⊕HP Wi Gnew

2 =G2⊕GIDi⊕GIDinew Gnew

3 =h(IDi||GIDinew)

Replace(G1, G2, G3)with(Gnew1 , Gnew2 , Gnew3 ) Accepts RM

hM U1, M U2, M U3, GIDi, SIDji

hM U2, M G1, GIDii

hM S1, M S2, M S3i

hM S1, M S2, M G2, M G3, M G4i

Sharedsk=αβP

(10)

7. Security analysis of the proposed scheme 294

7.1. Formal security analysis 295

The formal security analysis uses an automated analysis tool called ProVerif. ProVerif is an 296

automated tool for analyzing cryptographic protocols that was developed by Bruno Blanchet. Digital 297

signatures, hash functions, signature proofs, etc. are suitable for analyzing an authentication protocol. 298

Recently, many researchers [1,4?] have verified the authentication in the user authentication protocol 299

using ProVerif. The formal security analysis shows the results of verifying and analyzing the security 300

of the proposed scheme using ProVerif. 301

We use three channels. We provide the illustration of Table2.chais the channel in the registration 302

phase and is used when the userUi andGW N exchange IDi in the registration phase. chcis the

303

channel used by userUiandGW N to exchange messages in the login phase andchbis used when

304

theGW Nand Sensor nodeSjexchange messages in the login phase. Five initial variables were used:

305

Ri,IDi,IDg,SIDj, andPWi. IDi andPWi are the personal information made by the userUiwhen

306

registering.Riis a random string made up of the user’s biometric information. IDgis the identity of

307

the gateway andSIDjis the unique string of the sensor nodeSj. xis defined as a secret key. Pis a

308

generator for creating a session key, which is the initial value used in ECC. The concatenate function 309

and thexorfunction, including the multiplication in ECC and the hash functionhandh1, are defined

310

for the events that indicate the start and end of each. 311

Table3shows the registration phase of the userUiand the process of the login and authentication

312

phase. Table4demonstrates the registration phase and the login and authentication phase of theGW N. 313

Table5displays the authentication phase of the sensor nodeSj. Table6shows the query against the

314

attack with the prover- sive, and Table7shows the result for Table6. 315

When the code that makes up the scheme is executed, ProVerif prints the following results: 316

1. RESULT inj-event(EVENT) ==> inj-event(EVENT) is true. 317

2. RESULT inj-event(EVENT) ==> inj-event(EVENT) is false. 318

3. RESULT (QUERY) is true. 319

4. RESULT (QUERY) is false. 320

The first code means that the event has been verified and the authentication has been successful, 321

while the second code means that the event has not been verified. The third code means that the query 322

was proven and the attack was not successful. When the fourth code is displayed, the query is false 323

meaning that an attack is possible and the attack induction and tracking thus displayed. 324

The ProVerif result of the proposed scheme is shown to be accurate for all events by simulating 325

the result as shown in the figure. Therefore, the proposed scheme is safe from virtual attacker A and 326

the virtual attack has been successfully terminated. 327

7.2. Informal security analysis 328

7.2.1. Privileged insider attack 329

The only value that the user sends in the registration center is theIDi. However, their IDiis

330

used after hashing with other values at every subsequent step. It can not be used because it is used as 331

hashed with values that are not exposed to the outside such asPWiorRi,GIDi,GID_inew,ei,MU2and

332

SIDj,MG2, and these values are not exposed. Therefore, it is safe from a privileged insider attack.

333

7.2.2. Outsider attack 334

Ui’s smart cards includeh(.),h1(.),P,GIDi, and fuzzy extractors. Information such as session

335

key orIDi, which can be a critical value, or information such as a user’s password are all hashed, or

336

(11)

Table 2.Define values and functions

(*—-channels—-*) free cha:channel [private]. free chb:channel.

free chc:channel.

(*—-constants—-*) free Ri:bitstring [private]. free IDi:bitstring [private]. free IDg:bitstring.

free SIDj:bitstring.

free PWi:bitstring [private].

(*—-secret key—-*) free x:bitstring [private].

(*—-shared key—-*) free P:bitstring [private].

(*—-functions—-*)

fun concat(bitstring, bitstring) : bitstring. fun xor(bitstring, bitstring) : bitstring. fun h(bitstring) : bitstring.

fun h1(bitstring) : bitstring.

fun mult(bitstring, bitstring) : bitstring.

equation forall a:bitstring, b:bitstring; mult(a,b) = mult(b,a). equation forall a:bitstring, b:bitstring; xor(xor(a, b), b) = a.

(*—-events—-*)

event beginUi(bitstring). event endUi(bitstring). event beginGWN(bitstring). event endGWN(bitstring). event beginSj(bitstring). event endSj(bitstring).

kept in the database, andIDiinformation can not be extracted becauseIDiare not used directly in the

338

protocol. 339

7.2.3. Off-line ID guessing attack 340

PWiandIDiare not used directly in this phase. They are used through hashing by concatenating

341

them with other variables, so IDi andPWi can not be directly obtained from public information.

342

Therefore,IDiandPWican not be obtained using login request messagesMU1,MU2,MU3,GIDi, and

343

SIDj. SinceIDiandGIDiare combined and stored in the database, it is impossible to extract theIDi

344

from the protocol. 345

7.2.4. On-line ID guessing attack 346

IDiandPWiare not directly used in the phase so the attacker can not guess theIDis or passwords

347

of others. It is impossible to retrieve a user’sIDiin the protocol because theIDs andGIDs are stored

348

in the database, andIDiis found by searching the database.

(12)

Table 3.Uiprotocol

(*—-Ui process—-*) let Ui =

let HPWi = h(concat(concat(IDi, PWi), Ri)) in out(cha,(IDi));

in(cha,(XGIDi:bitstring)); let G1’ = h(concat(XGIDi, x)) in let G1 = xor(G1’, HPWi) in

let G2 = xor(h(concat(concat(IDi, Ri), PWi)), XGIDi) in let G3 = h(concat(IDi, XGIDi)) in

event beginUi(IDi); new ei:bitstring; new alpha:bitstring;

let GIDi = xor(G2, h(concat(concat(IDi, Ri), PWi))) in if h(concat(IDi, XGIDi)) = G3 then

let HPWi = h(concat(concat(IDi, PWi), Ri)) in let MU1 = xor(xor(G1, HPWi), ei) in

let MU2 = mult(alpha, P) in

let MU3 = h(concat(concat(IDi, ei), concat(concat(XGIDi, MU2), SIDj))) in out(chc,(MU1, MU2, MU3, GIDi, SIDj));

in(chc,(XXMS1:bitstring, XXMS2:bitstring,

XMG2:bitstring, XMG3:bitstring, XMG4:bitstring)); let GIDinew = xor(XMG4, h(ei)) in

if XMG3 = h(concat(concat(IDi, SIDj),

concat(concat(GIDi, GIDinew), concat(ei, XMG2)))) then let sku = mult(alpha, XXMS1) in

if XXMS2 = h1(concat(concat(MU2, XXMS1), concat(concat(sku, GIDi), SIDj))) then

let G1new = xor(XMG2, xor(h(concat(GIDi, ei)), HPWi)) in let G2new = xor(G2, xor(GIDi, GIDinew)) in

let G1 = G1new in let G2 = G2new in event endUi(IDi).

7.2.5. Session key disclosure attack 350

The session key should be computed asβorαwhen knowingαPorβPwithαβP. Neitherβnorα

351

are not known to the user or the sensor node, so it is impossible to know the session key unless it is a 352

user or a sensor node. 353

7.2.6. User impersonation attack 354

After theIDiis found in the database using theGID,ei = MU1+h(GIDi||x)is calculated in

355

order to compare theMU3andh(IDi||ei||GIDi||MU2||SIDj). One can never be accepted as a specific 356

user without knowing theIDandGIDpair. Therefore, a User Impersonation Attack is impossible.

357

7.2.7. Server impersonation attack 358

The server is identified in MS3=h (GIDi||SIDj||cj). cj = h (SIDj||x)andx is the secret key.

359

Therefore, it is necessary to know thecj calculated by the secret key other than theGIDi and the

360

SIDjincluded in the message in order to authenticate the server andcjis not used alone andMG1=

(13)

Table 4.GW Nprotocol

(*—-GWN process—-*) let GWN =

in(cha, (XIDi:bitstring)); new ri:bitstring;

let GIDi = h(concat(XIDi, ri)) in let G1’ = h(concat(GIDi, x)) in out(cha, (GIDi));

in(chc, (XMU1:bitstring, XMU2:bitstring, XMU3:bitstring, XGIDi:bitstring, XSIDj:bitstring)); event beginGWN(IDg);

let ei = xor(XMU1,h(concat(XGIDi, x))) in if XMU3 = h(concat(concat(XIDi, ei), concat(concat(XGIDi, XMU2), XSIDj))) then let cj = h(concat(XSIDj, x)) in

let MG1 = h(concat(concat(cj, XGIDi), concat(XSIDj, XMU2))) in out(chb, (XMU2, MG1, XGIDi));

in(chb, (XMS1:bitstring, XMS2:bitstring, XMS3:bitstring));

if XMS3 = h(concat(concat(XGIDi, XSIDj), cj)) then new rinew:bitstring;

let GIDinew = h(concat(XIDi, rinew)) in

let MG2 = xor(h(concat(GIDinew, x)), h(concat(XGIDi, ei))) in

let MG3 = h(concat(concat(XIDi, XSIDj), concat(concat(XGIDi, GIDinew), concat(ei, MG2)))) in let MG4 = xor(h(ei), GIDinew) in

out(chc, (XMS1, XMS2, MG2, MG3, MG4)); event endGWN(IDg).

Table 5.Sjprotocol

(*—-Sj process—-*) let Sj =

in(chb, (XXMU2:bitstring, XMG1:bitstring, XXGIDi:bitstring)); event beginSj(SIDj);

let scj = h(concat(SIDj, x)) in

if XMG1 = h(concat(concat(scj, XXGIDi), concat(SIDj, XXMU2))) then new beta:bitstring;

let MS1 = mult(beta, P) in let sks = mult(beta, XXMU2) in

let MS2 = h1(concat(concat(XXMU2, MS1), concat(concat(sks, XXGIDi), SIDj))) in let MS3 = h(concat(concat(XXGIDi, SIDj), scj)) in

out(chb, (MS1, MS2, MS3)); event endSj(SIDj).

h(cj||GIDi||SIDj||MU2),MS3=h(GIDi||SIDj||cj)and other values. In addition, the valuexin the

362

destinationcj=h(SIDj||x)can not be determined because it is always used by hashing withSIDj.

(14)

Table 6.Queries

(*—-queries—-*)

query attacker(P).

query id:bitstring; inj-event(endUi(id)) ==> inj-event(beginUi(id)). query id:bitstring; inj-event(endGWN(id)) ==> inj-event(beginGWN(id)). query id:bitstring; inj-event(endSj(id)) ==> inj-event(beginSj(id)).

process

((!Ui)|(!GWN)|(!Sj))

Table 7.Output of queries

RESULT inj-event(endSj(id)) ==> inj-event(beginSj(id) is true.

RESULT inj-event(endGWN(id_12209)) ==> inj-event(beginGWN(id_12209) is true. RESULT inj-event(endUi(id_25655)) ==> inj-event(beginUi(id_25655) is true. RESULT not attacker(P[]) is true.

Table 8.Performance comparison

Features Wu et al. [1] Park et al. [3] Park et al. [?] Ours

Defence of privileged insider attack O O O O

Defence of outsider attack X X X O

Defence of off-line ID guessing attack O O O O

Defence of on-line ID guessing attack X X X O

Defence of session key disclosure attack O O O O

Defence of user impersonation attack X X O O

Defence of server impersonation attack O X O O

User anonymity X O X O

Forward secrecy and backward secrecy O O O O

7.2.8. User anonymity 364

In the login process, the user givesMU1,MU2,MU3,GIDi, andSIDjto theGW N. In this case,

365

GIDi=G2+h(IDi||Ri||PWi) is continuously changed by the random numberRi. SinceIDiis used by

366

hashing, one cannot guessIDithroughMU1,MU2,MU3,GIDi, andSIDj.

367

7.2.9. Forward secrecy and backward secrecy 368

Because of the nature of ECCDH, we can not findαPandβPthroughαβPwe can not findαβP

369

throughαPandβP, and we can not findαthroughPandαP.

(15)

8. Performance analysis of the proposed scheme 371

Four symbols in total are used to analyze performance. Tm is the time of the multiplicative

372

operation used in ECC. This takes the most time in our scheme.TRepassumes that it is equal toTm,

373

the time to check for a match when recognizing the user’s biometricB_i∗.Tsmeans time in symmetric

374

encryption or decryption. Finally,Thmeans the time it takes to use the hash function. These are listed

375

in Table9. 376

Table 9.Notations of time symbol

Symbol Meaning Time (ms)

Tm time of multiplication in Field 7.3529 [23]

TRep time ofRep =Tm[24]

Ts time of symmetric encryption or decryption 0.1303 [23]

Th time of hash operation 0.0004 [23]

The proposed scheme produced the best results in time among all the three factor user 377

authentication schemes using ECC (see Table10).

378

Table 10.Performance comparison

Wu et al. [1] Park et al. [3] Park et al. [?] Ours

UserUi 10Th+ 1TRep+ 2Tm 6Th+ 1TRep+ 2Tm 10Th+ 1TRep+ 2Tm 8Th+ 1TRep+ 2Tm

GW N 10Th 7Th+ 2Te 11Th 10Th

Sensor nodeSj 2Th+ 2Tm 6Th+ 2Tm+ 1Te 4Th+ 2Tm 3Th+ 2Tm

Total costs 22Th+ 4Tm+ 1TRep 19Th+ 4Tm+ 3Te+ 1TRep 25Th+ 4Tm+ 1TRep 21Th+ 4Tm+ 1TRep

Total costs (ms) 36.7733 37.163 36.7745 36.7729

9. Conclusions 379

Many user authentication schemes have been proposed for Wireless sensor networks, but they 380

have serious security flaws, respectively. Recently, Wu et al. also proposed a three factor user 381

authentication scheme which is looking promising. However, we discovered vulnerabilities in the 382

configuration of their scheme and proposed a new scheme to address the discovered issues. Moreover, 383

the security and performance of the proposed scheme are significantly better than the existing user 384

authentication schemes. 385

Conflicts of Interest:The authors declare no conflict of interest.

386

References 387

1. Wu, F., Xu, L., Kumari, S., Li, X.: An Improved and Provably Secure Three-Factor User Authentication

388

Scheme for Wireless Sensor Networks.Peer-to-Peer Networking and Applications.2018, 11(1), 1–20.

389

2. Das, M.: Two-Factor User Authentication in Wireless Sensor Networks.IEEE transactions on wireless 390

communications.2009, 8(3), 1086—1090.

391

3. Park, Y.; Lee, S.; Kim, C.; Park, Y. Secure biometric-based authentication scheme with smart card

392

revocation/reissue for wireless sensor networks.Int. J. Distrib. Sens. Netw.2016, 12, 1—11.

393

4. Kumari, S., Chaudhry, S. A., Wu, F., Li, X., Farash, M. S., Khan, M. K. An improved smart card based

394

authentication scheme for session initiation protocol.Peer-to-Peer Networking and Applications.2017, 10(1),

395

92–105.

396

5. Koblitz, N.: Elliptic curve cryptosystems.Mathematics of computation.1987, 48, 203–209.

397

6. Miller, V.: Uses of Elliptic Curves in Cryptography.In: Advances in Cryptology Crypto.1986, 218, 417–426.

(16)

7. Watro, R., Kong, D., Cuti, Sf., Gardiner, C., Lynn, C., Kruus, P.: Tinypk: Securing Sensor Networks with

399

Public Key Technology.In: Proceedings of the 2nd ACM workshop on Security of ad hoc and sensor networks. ACM.

400

2004, 59–64.

401

8. Moon, J., Choi, Y., Jung, J., Won, D.: An Improvement of Robust Biometrics-based Authentication and Key

402

Agreement Scheme for Multi-Server Environments using Smart Cards.PLoS One.2015, 10, 1–15.

403

9. Choo, K. K. R., Nam, J., Won, D.: A mechanical approach to derive identity-based protocols from

404

Diffie–Hellman-based protocols.Information Sciences.2014, 281, 182–200.

405

10. Moon, J., Choi, Y., Kim, J., Won, D.: An improvement of robust and efficient biometrics based password

406

authentication scheme for telecare medicine information systems using extended chaotic maps.Journal of 407

medical systems.2016, 40(3), 70.

408

11. He, D., Gao, Y., Chan, S., Chen, C., Bu, J.: An enhanced two-factor user authentication scheme in wireless

409

sensor networks.Ad hoc and Sensor wireless network.2010, 10(4), 361–371.

410

12. Kumar, P., Lee, H. J.: Cryptanalysis on two user authentication protocols using smart card for wireless sensor

411

networks.IEEE Wireless advanced (WiAd).2011, 241—245.

412

13. Yeh, H. L., Chen, T. H., Liu, P. C., Kim, T. H., Wei, H. W.: A secured authentication protocol for wireless

413

sensor networks using elliptic curves cryptography.Sensors.2011, 11(5), 4767–4779.

414

14. Xue, K., Ma, C., Hong, P., Ding, R.: A temporal-credential-based mutual authentication and key agreement

415

scheme for wireless sensor networks.Journal of Network and Computer Applications.2013, 36(1), 316–323.

416

15. Jiang, Q., Ma, J., Lu, X., Tian, Y.: An efficient two-factor user authentication scheme with unlinkability for

417

wireless sensor networks.Peer-to-peer Networking and Applications.2015, 8(6), 1070–1081.

418

16. Das, A. K.: A secure and robust temporal credential-based three-factor user authentication scheme for

419

wireless sensor networks. Peer-to-peer Networking and Applications,2016, 9(1), 223–244.

420

17. Das, A. K.: A secure and effective biometricbased user authentication scheme for wireless sensor networks

421

using smart card and fuzzy extractor.International Journal of Communication Systems.2017, 30(1), e2933.

422

18. Das, A. K.: A secure and efficient user anonymity-preserving three-factor authentication protocol for

423

large-scale distributed wireless sensor networks.Wireless Personal Communications.2015, 82(3), 1377–1404.

424

19. Das, A.: A Secure and Effective Biometric-based User Authentication Scheme for Wireless Sensor Networks

425

using Smart Card and Fuzzy Extractor.International Journal of Communication Systems.2015, 1–25.

426

20. Dodis, Y., Kanukurthi, B., Katz, J., Smith, A.: Robust fuzzy extractors and authenticated key agreement from

427

close secrets.IEEE Transactions on Information Theory 58.2013, 6207–6222.

428

21. Dodis, Y., Reyzin, L., Smith, A.: Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other

429

Noisy Data. In: Proceedings on the International Conference on the Theory and Applications of Cryptographic 430

Techniques.2004, 523–540.

431

22. Messerges, T. S., Dabbish, E. A., Sloan, R. H.: Examining smart-card security under the threat of power

432

analysis attacks.IEEE transactions on computers.2002, 51(5), 541-552.

433

23. Xu, L., Wu, F.: Cryptanalysis and improvement of a user authentication scheme preserving uniqueness and

434

anonymity for connected health care.Journal of medical systems.2015, 39(2), 10.

435

24. Das, A. K.: A secure and robust temporal credential-based three-factor user authentication scheme for

436

wireless sensor networks.Peer-to-peer Networking and Applications.2016, 9(1), 223-244.