ARTICLE INFO

Keywords: Smart card; Sensor capture attack; Wireless sensor network; Multi-gateway; User anonymity

ABSTRACT

Wireless sensor networks (WSNs) for Internet of Things (IoT) can be deployed in a wide range of industries such as agriculture and military. However, designing a secure and reliable authentication scheme for WSNs that can be deployed in IoT remains a research and operational challenge. For example, recently in 2016, Amin and Biswas showed that Turkanović et al.'s scheme is vulnerable to smart card loss attack, user impersonation attack, etc. They then proposed a new authentication scheme for WSNs with multi-gateway. In this paper, we revisit the scheme of Amin and Biswas and reveal previously unknown vulnerabilities in the scheme (i.e. sensor capture attack, user forgery attack, gateway forgery attack, sensor forgery attack and off-line guessing attack). In addition, we demonstrate that the user in the scheme can be tracked due to the use of a constant pseudo-identity and previously established session keys can be calculated by the attacker. Rather than attempting to fix a broken scheme, we present a novel authentication scheme for multi-gateway based WSNs. We then demonstrate the security of the proposed scheme using Proverif, as well as evaluating the good performance of the scheme using NS-2 simulation.
1. Introduction

Internet of Things (IoT) is an increasingly popular concept that has been widely adopted in a wide range of applications, partly due to decreasing costs of digital devices (e.g. mobile and portable devices such as sensors) and Internet services. In a typical IoT deployment, one could obtain information sent by sensors installed in rural and remote areas as long as there is an Internet connection, for example via WiFi or a wireless sensor network (WSN). WSNs are all around us, from traffic monitoring to temperature and moisture collection, or from blood pressure detection to wildlife tracking. Initially, homogeneous sensors were used in a WSN, where every sensor within the WSN has the same capacity, power and other parameters. However, a modern day WSN generally contains different heterogeneous sensors designed to collect different kinds of information from the surroundings in real-time (i.e. sensors with different parameters), and researchers put their concentration on various usages (Xie and Wang, 2014; Shen et al., 2015b). However, due to the wireless nature of the communication channel, there are many inherent security and privacy risks (e.g. potentially vulnerable to eavesdropping, forgery attacks and off-line guessing attacks).

To solve the security disadvantages, many aspects of schemes are presented, such as key agreement (Chaudhry et al., 2016a, 2016b; Li et al., 2013a, 2013b, 2015; Chaudhry, 2015), signatures (Ren et al., 2015; Guo et al., 2014), and frames for multi-layered security (Chang et al., 2016; Chang and Ramachandran, 2016) and location privacy (Sun et al., 2016a, 2016b). In the existing WSN security literature, designing schemes that provide both mutual authentication and anonymity is one of the current interests (see Jiang et al., 2015a, 2015b, 2016; Wu et al., 2015b, 2015d; Amin et al., 2016; Shen et al., 2015a; He et al., 2015). Mutual authentication guarantees that messages received by the recipient in the session are indeed sent by the correct

* Corresponding authors.
E-mail addresses: conjurer1981@gmail.com (F. Wu), saryusiirohi@gmail.com, saru@ccsuniversity.ac.in (S. Kumari), lixiongzhq@163.com (X. Li), raymond.choo@fulbrightmail.org (K.-K.R. Choo), mohammad.wazid@research.iiit.ac.in (M. Wazid), iitkgp.akdas@gmail.com, ashok.das@iiit.ac.in (A.K. Das).
http://dx.doi.org/10.1016/j.jnca.2016.12.008
Received 14 September 2016; Received in revised form 20 November 2016; Accepted 2 December 2016
1084-8045/© 2016 Elsevier Ltd. All rights reserved.
Please cite this article as: Wu, F., Journal of Network and Computer Applications (2016), http://dx.doi.org/10.1016/j.jnca.2016.12.008
F. Wu et al. Journal of Network and Computer Applications (xxxx) xxxxxxxx
sender. Anonymity is a relatively new property proposed in recent years. Identities, especially the users', are protected if this property holds. There are also attempts to include two-factor authentication (e.g. physical possession of a smart card and knowledge of the password) to enhance the security of WSNs. In such a setting, a registered user can only successfully login to a system if the user has both items (e.g. smart card and password). Many such schemes have also been proposed in the literature (see Jiang et al., 2015a; Wu et al., 2015b, 2016b; Xu and Wu, 2015a, 2015b).

Generally, there are three types of participants in a WSN. First, sensors are deployed on or in special objects in a region. Second, a gateway is a special node with relatively strong computation power in the WSN. Third, users who wish to obtain information from particular objects can access the sensors after mutual authentication. Once the user is authenticated, a session key should be generated and will be used as the symmetric key to encrypt subsequent messages. Xue et al. (2013) listed five different authentication structures for WSNs. For example, the user contacts the gateway, who then communicates with the sensor. In the schemes presented in Turkanović et al. (2014) and Farash et al. (2016), however, the sensor is designed to be the medium sitting between a user and the server. However, Amin and Biswas (2016) explained that the setting in Turkanović et al. (2014) and Farash et al. (2016) is not suitable for WSNs due to the drain on the battery life of the sensors involved. Generally, once the sensors and the gateway nodes are placed, they are stationary. In a wireless setting, the cost of sending and receiving messages increases as the distance between the participants and the whole network increases. It is better to make only the gateway nodes have the ability to communicate with users who are relatively far away. However, high-speed data flows may collide and the performance of the WSN will slow down where there is only one gateway. So if the sensors are distributed on a large scale, more gateway nodes are needed. Thus, to cater for situations where a user needs access to sufficient sensors which may be located a fair distance away, an authentication scheme for WSNs based on multi-gateway is proposed in Amin and Biswas (2016). In their scheme, users can register with a gateway in the vicinity (referred to as the home gateway node, HGWN). Other gateways are then referred to as foreign gateway nodes (FGWNs). Through the nearby FGWNs, users have the capability to access sensors physically located at a distance away, as long as they are managed by participating FGWNs; see Fig. 1.

There have been a large number of proposed authentication and key agreement (also known as key establishment) schemes for WSNs in the literature. For example, Watro et al. and Das (2009) presented an authentication scheme for WSNs based on RSA and a two-factor authentication scheme for WSNs, respectively. Other two-factor authentication schemes designed for WSNs include those detailed in Althobaiti et al. (2013); Amin and Biswas (2016); Amin et al. (2016); Chen and Shih (2010); Choi et al. (2014); Farash et al. (2016); He et al. (2010); Jiang et al. (2015a); Khan and Alghathbar (2010); Khan and Kumari (2014); Kumar and Lee (2011) and Shi and Gong (2013). However, papers (Chen and Shih, 2010; He et al., 2010; Khan and Alghathbar, 2010) showed that weaknesses such as the lack of mutual authentication, and vulnerability to the user forgery attack, existed in the scheme of Das (2009). Similar to the history of key establishment protocols not specifically designed for WSNs (see Choo et al.; Choo, 2009; Choo et al., 2006), a number of schemes were subsequently found to be vulnerable to attacks. For example, Yoo et al. (2012) and Kumar and Lee (2011) illustrated that the schemes in Chen and Shih (2010), He et al. (2010), Khan and Alghathbar (2010) suffer from a number of security vulnerabilities. Chen et al.'s scheme (Chen and Shih, 2010) is vulnerable to replay and forgery attacks. He et al.'s scheme (He et al., 2010) does not achieve user anonymity and mutual authentication, as claimed. Similarly, Khan et al.'s scheme (Khan and Alghathbar, 2010) does not provide mutual authentication. In 2013, Xue et al. (2013) presented a lightweight and temporal-credential-based authentication scheme for WSNs. A temporal credential is a hash result containing user information such as identity and expiration time. The scheme was subsequently broken by Jiang et al. (2015a), who pointed out that the scheme is vulnerable to off-line password guessing attack, identity guessing attack, and user tracking attack. Here the user tracking attack is stronger than pure user anonymity. Generally, we consider a random string representing the user's identity in the session as the property of user anonymity. But if this string appears in every session, the attacker can track it and know that it is a specific user. This is what the user tracking attack means. To avoid this, it is better that the user employs different random strings as the pseudo-identity in different sessions. Jiang et al. then presented an enhanced scheme, and Wu et al. (2015c) pointed out that the revised scheme is vulnerable to de-synchronization and off-line guessing attacks. In 2014, Turkanović et al. (2014) presented a new two-factor authentication and key agreement scheme for WSNs. The scheme includes only two kinds of computations, namely hash functions and exclusive-or. However, subsequent research (Farash et al., 2016; Amin and Biswas, 2016) pointed out that the scheme is not able to withstand identity guessing attack, off-line password guessing attack and user impersonation attack. More recently in 2016, Amin et al. (2016) also demonstrated that the scheme in Farash et al. (2016) is vulnerable to off-line password guessing attack and user forgery attack, and presented a fix.

In this work, we revisit the scheme in Amin and Biswas (2016) and point out that the scheme is vulnerable to sensor capture, off-line guessing and de-synchronization attacks. We then present a novel and efficient authentication scheme for multi-gateway WSNs, and seek to prove its security using Proverif and a security analysis. Also, a simulation with the well-known tool NS-2 is shown to illustrate the practicality of our scheme.

The remainder of the paper is organized as follows. Background materials are presented in Section 2. We revisit the scheme of Amin and Biswas (2016) and reveal the weaknesses in Section 3. Our scheme and the security analysis are presented in Sections 4 and 5, respectively. We evaluate the performance of the scheme in Section 6 as well as using NS-2 simulation in Section 7. Finally, we conclude this paper in Section 8.

2. Background

2.1. Notations

The notations used in this paper are described in Table 1.

Table 1
Summary of notations.

Notation              Meaning
Ui, IDi, PWi          the i-th user with his identity and password
Sj, SIDj, xj          the j-th sensor with its identity and secret key
HGWN, IDhg, xhg       the home gateway node with its identity and secret key
FGWN, IDfg, xfg       the foreign gateway node with its identity and secret key
SA                    the system administrator
SKu, SKs              the session keys formed by the user and the sensor, respectively
SKhg, SKfg            the session keys formed by the home gateway and the foreign gateway, respectively
A                     the adversary
h(.)                  the hash function
T1, T2, ...           timestamps
ΔT                    the defined transmission time delay
⊕                     the exclusive-or operation
||                    the concatenation operation

2.2. Threat model

In the threat model we use to argue the security of the proposed scheme, an adversary A has the following capabilities.

Assumption 1. Data in a smart card could potentially be obtained using side-channel attacks (Kocher et al., 1999); thus, we allow A to obtain information stored on a smart card that A has physical access to (e.g. a misplaced or stolen card).

Assumption 2. In Item 3, Section 1.5 of Amin and Biswas (2016), Amin and Biswas state the hypothesis that in polynomial time A could guess either Ui's password or identity, since the two strings are drawn from two small dictionaries, respectively. But they consider that it is impossible to guess both strings simultaneously in polynomial time, and there is no explanation for this claim. That does not make sense. So we suppose that A can guess both the identity and the password in polynomial time.

Assumption 3. There are two styles of communication channel: the private channel, or the secure channel; and the public channel, or the insecure channel. A can control the public channel under the two-factor circumstance (Wu et al., 2015c, 2016b, 2016a). But A cannot get any information from the private channel, which is only used for sensor registrations.

Assumption 4. The hash function results, random numbers and secret keys cannot be guessed by A because they reach the security length l. Besides that, the hash function is secure against collision exploration in polynomial time.

Assumption 5. A is permitted to compromise some sensors in WSNs, but not the special one which communicates with Ui. This is called the sensor capture attack, for which we discuss the relation of the secret keys of sensors. In some schemes, such as Amin and Biswas (2016), the sensors are injected with a common secret string at the very beginning, and such a string may be leaked due to the wrong arrangement in the scheme. After the leakage from one sensor, other sensors are threatened by the attackers who master the string. This attack is broadly accepted by researchers and applied in research papers including Choi et al. (2014); Shi and Gong (2013); Wu et al. (2015c), which illustrate new authentication schemes for WSNs, and the review (Kumari et al., 2015). So we employ this attack for the adversary.

Assumption 6. We show the insider attack as a separate kind of attack here. It means that a malicious server administrator may get some information from the user's submitted data in the registration phase. For example, if the user's password is sent as plaintext in the registration phase, it can be easily obtained by the administrator without difficulty. Note that this assumption does not contradict Assumption 3, since the secret information is not obtained from the private channel, but on the server side.

3. Revisiting the scheme of Amin and Biswas

3.1. The scheme

There are seven phases in the scheme (Amin and Biswas, 2016), and there are similarities between the dynamic node addition phase and the sensor registration phase. The password change phase plays no role in the attacks we will be describing. Hence, we only list the remaining five phases.

3.2. System setup

The system administrator SA chooses SIDj for Sj, selects a random number rsr and computes xj = h(SIDj || rsr). SA stores (SIDj, xj, rsr) into Sj. Here rsr is known to all GWNs and secretly stored.

3.3. Sensor registration

Sj computes Aj = xj ⊕ rsr and sends {SIDj, Aj} to HGWN via a public channel. HGWN computes xj = Aj ⊕ rsr and stores (SIDj, xj) in its database. Then HGWN sends a permission to Sj. Sj finally deletes rsr.
3.4. User registration

Step 1: Ui selects IDi, PWi and a nonce r0, calculates DIDi = h(IDi || r0) and HPWi = h(PWi || r0), and sends {DIDi, HPWi} to HGWN via a secure way.
Step 2: HGWN generates a pseudo-identity TIDi for Ui and computes B1 = h(DIDi || HPWi) and B2 = h(DIDi || TIDi || xhg) ⊕ h(DIDi || HPWi).
Step 3: HGWN stores (TIDi, DIDi) in its database and issues a smart card containing (B1, B2, IDhg, TIDi) to Ui via a secure way. Finally Ui stores r0 in the card.

3.5. Login

Step 1: Ui inserts his smart card into the terminal and inputs IDi and PWi. The smart card computes DIDi = h(IDi || r0) and HPWi = h(PWi || r0), and checks B1 ?= h(DIDi || HPWi). If so, the next step will be done.
Step 2: The smart card selects SIDj, a nonce ru, and the timestamp T1, computes D0 = B2 ⊕ h(DIDi || HPWi), D1 = h(IDhg || D0 || ru || T1) and D2 = D0 ⊕ ru, and sends the message M1 = {IDhg, TIDi, SIDj, D1, D2, T1} to HGWN.

3.6. Authentication and key agreement

HGWN should check if SIDj is in its own database. If so, Case-1 is executed. Otherwise, HGWN broadcasts the message {SIDj, TIDi, IDhg} and Case-2 has to be done.

Case-1:
Step 1: HGWN picks up T2 and checks if |T2 − T1| ≤ ΔT. Then it extracts DIDi from its database according to TIDi, calculates D0 = h(DIDi || TIDi || xhg) and ru = D2 ⊕ D0, and checks D1 ?= h(IDhg || D0 || ru || T1). The session will be rejected if either check is unsuccessful.
Step 2: HGWN generates a nonce rhg, computes D3 = h(IDhg || DIDi || xj || rhg || T2), D4 = xj ⊕ rhg, D5 = ru ⊕ h(rhg) and D6 = DIDi ⊕ h(IDhg || rhg), and sends the message M2 = {D3, D4, D5, D6, T2} to Sj.
Step 3: Sj picks up T3 and checks if |T3 − T2| ≤ ΔT. Then it computes rhg = D4 ⊕ xj, ru = D5 ⊕ h(rhg) and DIDi = D6 ⊕ h(IDhg || rhg), and checks if D3 ?= h(IDhg || DIDi || xj || rhg || T2). The session will be rejected if either check is unsuccessful.
Step 4: Sj generates a nonce rs, computes D7 = h(D3 || DIDi || rs || T3) and D8 = rhg ⊕ rs, and sends the message M3 = {D7, D8, T3} to HGWN.
Step 5: HGWN picks up T4, and checks if |T4 − T3| ≤ ΔT. Then it computes rs = D8 ⊕ rhg and checks D7 ?= h(D3 || DIDi || rs || T3). The session will be rejected if either check is unsuccessful. After checking, HGWN calculates D9 = h(D3 || DIDi || rs || rhg || T4) and D10 = rs ⊕ ru, and sends the message M4 = {D3, D8, D9, D10, T4} to Ui.
Step 6: Ui picks up T5 and checks if |T5 − T4| ≤ ΔT. Then Ui computes rs = D10 ⊕ ru and rhg = D8 ⊕ rs, and checks if D9 ?= h(D3 || DIDi || rs || rhg || T4). The session will be rejected if either check is unsuccessful. At last Ui, Sj and HGWN share SKu = SKs = SKhg = h(DIDi || ru || rs || rhg).

Case-2:
Step 1: If one foreign gateway FGWN finds SIDj in its database, it searches xj according to SIDj, computes Z1 = h(TIDi || xfg) and Z2 = Z1 ⊕ rsr, and sends {Z2, IDfg} to HGWN. HGWN computes D0, Z1 = Z2 ⊕ rsr and Z3 = D0 ⊕ Z1, and sends {Z3, IDfg} to Ui.
Step 2: Ui extracts Z1 = Z3 ⊕ D0, picks up T6 and a nonce ru2, computes D11 = h(TIDi || Z1 || ru2 || T6) and D12 = Z1 ⊕ ru2, and sends the message M5 = {TIDi, D11, D12, T6} to FGWN.
Step 3: FGWN selects T7, and checks if |T7 − T6| ≤ ΔT. Then it computes Z1 = h(TIDi || xfg) and ru2 = D12 ⊕ Z1, and checks D11 ?= h(TIDi || Z1 || ru2 || T6). If both checks are right, the next step can be continued.
Step 4: FGWN generates a nonce rfg, computes D13 = h(TIDi || Z1 || rfg || xj || T7 || ru2), D14 = rfg ⊕ xj and D15 = h(xj) ⊕ Z1, and sends the message M6 = {TIDi, D12, D13, D14, D15, T7} to Sj.
Step 5: Sj selects T8 and checks if |T8 − T7| ≤ ΔT. Then it computes rfg = D14 ⊕ xj, Z1 = h(xj) ⊕ D15 and ru2 = D12 ⊕ Z1, and checks D13 ?= h(TIDi || Z1 || rfg || xj || T7 || ru2). If both checks are right, the next step will be continued.
Step 6: Sj generates rs2, computes W1 = h(SIDj || xj), D16 = h(TIDi || rs2 || W1 || T8), D17 = rs2 ⊕ W1 and D18 = Z1 ⊕ W1, and sends the message M7 = {TIDi, D16, D17, D18, T8} to FGWN. Here we should point out that D17 is missing in Amin and Biswas (2016). If FGWN cannot get D17, FGWN and Ui will not have rs2 to form the session key. So we add it.
Step 7: FGWN selects T9 and checks if |T9 − T8| ≤ ΔT. If so, FGWN computes W1 = h(SIDj || xj), rs2 = D17 ⊕ W1 and D19 = rs2 ⊕ rfg and sends the message M8 = {TIDi, D16, D18, D19, T8, T9} to Ui.
Step 8: Ui selects T10 and checks if |T10 − T9| ≤ ΔT. Then the smart card computes W1 = D18 ⊕ Z1, rs2 = D17 ⊕ W1 and rfg = D19 ⊕ rs2, and checks D16 ?= h(TIDi || rs2 || W1 || T8). Either failed check will lead to rejection. At last Ui, Sj and FGWN share the same session key SKu = SKs = SKfg = h(TIDi || SIDj || ru2 || rs2 || rfg).

3.7. Previously unpublished attacks

3.7.1. Sensor capture attack and session key leakage

From the sensor registration phase, we notice that HGWN gets all xj with a fixed secret string rsr. Note that there is no information about SIDj in HGWN's database when the system setup phase is over. So rsr is a constant for every sensor in the whole system, and A can do the following operations. A legal insider A masters a sensor Sk after system setup, and gets its stored data (SIDk, xk, rsr) before the registration. Then he can eavesdrop on all newer registration messages from other sensors. We take the message {SIDj, Aj} from Sj as an example. A can calculate xj = Aj ⊕ rsr. Also, A could get SIDj from M1 and compute the corresponding secret key xj = h(SIDj || rsr). Then A can get the session keys after eavesdropping on messages from a past session, and the two cases can be illustrated below:

For Case 1, A calculates rhg^old = D4^old ⊕ xj, ru^old = D5^old ⊕ h(rhg^old), rs^old = D8^old ⊕ rhg^old and DIDi = D6^old ⊕ h(IDhg || rhg^old).
For Case 2, A calculates rfg^old = D14^old ⊕ xj, rs2^old = D19^old ⊕ rfg^old and ru2^old = D12^old ⊕ h(xj) ⊕ D15^old.

And the session key SKu^old = SKs^old = SKhg^old = h(DIDi || ru^old || rs^old || rhg^old) can be calculated.

3.7.2. User forgery attack

After A gets rsr and DIDi in the sensor capture attack, he can use the information {IDhg, TIDi, Z2^old, Z3^old} from a historical session in which Ui communicated with some sensor Sk in a foreign WSN. Then A calculates Z1^old = Z2^old ⊕ rsr and D0 = Z3^old ⊕ Z1^old, selects a nonce rA and the timestamp T1^A, and computes D1^A = h(IDhg || D0 || rA || T1^A) and D2^A = D0 ⊕ rA. At last A selects a sensor Sj and sends the legal message M1^A = {IDhg, TIDi, SIDj, D1^A, D2^A, T1^A} to FGWN. The following operations can be divided into two cases:

1. If Sj can be found by HGWN, A can calculate rs = D10 ⊕ rA, rhg = D8 ⊕ rs and SK^A = h(DIDi || rA || rs || rhg) after receiving M4.
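To make the root cause behind Section 3.7.1 concrete, the following Python model is an added example and not code from this paper or from Amin and Biswas. It provisions two sensors with the scheme's common rsr, shows that whoever holds one captured sensor's stored state recovers a peer sensor's xj from the peer's public registration message, and then recovers an old Case 1 session key from the eavesdropped M2 and M4 exactly as the text derives it. For contrast it also provisions a sensor as in Section 4.2 of the proposed scheme, where xj = h(SIDj || xhg) and xhg never leaves the gateway, so a captured sensor holds nothing that relates to any other sensor. SHA-1 stands in for h(.) (the paper's 160-bit assumption), identities are padded to 20 bytes, and all names and values (HGWN-1, S-k, S-j, DID-i, the nonces and timestamps) are constructed for the example.

```python
import hashlib
import os

def h(*parts):                                 # SHA-1 models the paper's 160-bit h(.)
    return hashlib.sha1(b"".join(parts)).digest()

def xor(a, b):                                 # ⊕ over two 20-byte strings
    return bytes(x ^ y for x, y in zip(a, b))

def ident(name):                               # constructed identity, padded to 160 bits
    return name.encode().ljust(20, b"\0")

# Amin and Biswas, Sections 3.2 and 3.3: the same rsr is stored in every sensor.
def ab_provision_sensor(sid, rsr):
    return {"SID": sid, "x": h(sid, rsr), "rsr": rsr}       # (SIDj, xj, rsr)

def ab_registration_message(sensor):
    # Sj -> HGWN over the PUBLIC channel: {SIDj, Aj = xj ⊕ rsr}
    return sensor["SID"], xor(sensor["x"], sensor["rsr"])

def ab_peer_key_from_captured_rsr(captured, reg_msg):
    _sid_j, a_j = reg_msg
    return xor(a_j, captured["rsr"])                         # xj = Aj ⊕ rsr

def ab_case1_transcript(idhg, didi, xj, ru, rhg, rs, t2, t4):
    """Honest Case 1 run (Section 3.6): the M2 and M4 seen on the air, plus SK."""
    d3 = h(idhg, didi, xj, rhg, t2)
    m2 = {"D3": d3, "D4": xor(xj, rhg), "D5": xor(ru, h(rhg)),
          "D6": xor(didi, h(idhg, rhg)), "T2": t2}
    d8 = xor(rhg, rs)
    m4 = {"D3": d3, "D8": d8, "D9": h(d3, didi, rs, rhg, t4),
          "D10": xor(rs, ru), "T4": t4}
    return m2, m4, h(didi, ru, rs, rhg)

def ab_old_session_key(idhg, xj, m2, m4):
    """Section 3.7.1, Case 1: once xj is known, every nonce unmasks from M2 and M4."""
    rhg = xor(m2["D4"], xj)
    ru = xor(m2["D5"], h(rhg))
    rs = xor(m4["D8"], rhg)
    didi = xor(m2["D6"], h(idhg, rhg))
    return h(didi, ru, rs, rhg)

# Proposed scheme, Section 4.2: xj = h(SIDj || xhg); xhg never leaves the gateway.
def prop_provision_sensor(sid, xhg, idhg):
    return {"SID": sid, "x": h(sid, xhg), "IDhg": idhg}      # (SIDj, xj, IDhg)

def demo():
    """Constructed system: S_k is captured, S_j is never touched."""
    rsr, xhg, idhg = os.urandom(20), os.urandom(20), ident("HGWN-1")
    s_k = ab_provision_sensor(ident("S-k"), rsr)
    s_j = ab_provision_sensor(ident("S-j"), rsr)
    xj_leaked = ab_peer_key_from_captured_rsr(s_k, ab_registration_message(s_j))
    # An earlier Case 1 session between some user and S_j, observed passively.
    ru, rhg, rs = (os.urandom(20) for _ in range(3))
    m2, m4, sk_real = ab_case1_transcript(idhg, ident("DID-i"), s_j["x"],
                                          ru, rhg, rs, b"\x00\x00\x00\x10", b"\x00\x00\x00\x14")
    sk_recovered = ab_old_session_key(idhg, xj_leaked, m2, m4)
    # Same capture under the proposed provisioning: the stored state holds no
    # system-wide secret, only the sensor's own xj, so S_j's key is out of reach.
    p_k = prop_provision_sensor(ident("S-k"), xhg, idhg)
    return {"peer_key_leaked": xj_leaked == s_j["x"],
            "old_session_key_recovered": sk_recovered == sk_real,
            "proposed_state_holds_xhg_or_rsr": any(v in (xhg, rsr) for v in p_k.values())}
```

The design point the model makes is about compartmentalization: a secret shared by every sensor turns the capture of one node into the compromise of all future registrations and all past sessions, whereas a per-sensor key derived from a gateway-held master (xhg) bounds the damage to the captured node.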
So Ui's messages are perfectly forged.

3.7.3. Gateway forgery attack

After A gets rsr, xj and D0 from Sections 3.7.1 and 3.7.2, he uses the old messages M1^old and M2^old from a past session for Case 1 and calculates rhg^old = D4^old ⊕ xj, ru^old = D5^old ⊕ h(rhg^old) and DIDi = D6^old ⊕ h(IDhg || rhg^old). For Case 2, A eavesdrops on {Z2, IDfg} and computes Z1 = Z2 ⊕ rsr. Here we concentrate on a targeted FGWN as an example. So all necessary information about Ui and Sj is ready.

For Case 1, A first shields HGWN and, when receiving M1 whose target is Sj, he selects a timestamp T2^A and a nonce rA, calculates ru = D2 ⊕ D0, D3^A = h(IDhg || DIDi || xj || rA || T2^A), D4^A = xj ⊕ rA, D5^A = ru ⊕ h(rA) and D6^A = DIDi ⊕ h(IDhg || rA). So a legal M2^A = {D3^A, D4^A, D5^A, D6^A, T2^A} is produced. Moreover, after A receives M3 from Sj, he selects a timestamp T4^A and calculates rs = D8 ⊕ rA, D9^A = h(D3^A || DIDi || rs || rA || T4^A) and D10^A = rs ⊕ ru. So the second legal message M4^A = {D3^A, D8, D9^A, D10^A, T4^A} is generated and the session key SK^A = h(DIDi || ru || rs || rA) can be computed.

For Case 2, A first shields FGWN, and answers HGWN with the fixed message {Z2, IDfg}. After A receives M5, he selects a timestamp T7^A and a nonce rA and computes ru2 = D12 ⊕ Z1, D13^A = h(TIDi || Z1 || rA || xj || T7^A || ru2), D14^A = rA ⊕ xj and D15 = h(xj) ⊕ Z1. So the legal message M6^A = {TIDi, D12, D13^A, D14^A, T7^A} is generated. Then after A gets M7^A, A selects T9^A and computes W1 = h(SIDj || xj), rs2 = D17 ⊕ W1 and D19^A = rs2 ⊕ rA. So a legal message M8^A = {TIDi, D16, D18, D19^A, T8, T9^A} is produced. Also, A can calculate SK^A = h(TIDi || SIDj || ru2 || rs2 || rA) as the session key.

So the gateways are successfully impersonated.

3.7.4. Sensor forgery attack

From Section 3.7.3, A owns xj and DIDi. We suppose A shields Sj.

At first, HGWN and FGWN share a common secret key Kfh. Each pair of gateway nodes should have one key and it can be found according to the identity of the gateway node.

4.2. Registration

We divide this phase into two parts, and messages in both of them are transmitted via a secure channel. Unlike Amin and Biswas (2016), registration for sensors via a secure channel is widely accepted (Choi et al., 2014; Jiang et al., 2015a; Khan and Kumari, 2014; Shi and Gong, 2013; Wu et al., 2015a, 2015c, 2016b). Moreover, it is normal to set suitable data in a sensor and then to place it in the WSN via a secure registration process. So we use the common way, not the idea in Amin and Biswas (2016).

1. Sensor registration: SA selects SIDj for Sj, computes xj = h(SIDj || xhg) and stores (SIDj, xj, IDhg) in Sj secretly. Then Sj is placed in the WSN and SIDj is stored in the database of HGWN.
2. User registration:
Step 1: Ui selects IDi, PWi and a nonce r0, computes HPWi = h(PWi || r0) and sends {IDi, HPWi} to HGWN via a secure channel.
Step 2: SA checks if IDi is valid. If so, IDi is stored in the database for auditing. Then SA selects TIDi as the pseudo-identity for Ui, computes B1 = h(TIDi || IDhg || xhg) ⊕ h(IDi || HPWi) and B2 = h(IDi || xhg) ⊕ HPWi, stores (TIDi, B1, B2, IDhg) into a smart card and sends the smart card to Ui via a secure channel.
Step 3: Ui stores B3 = h(IDi || PWi) ⊕ r0 into the smart card.

4.3. Login

The details are shown in Fig. 2. Ui inserts his smart card and inputs IDi and PWi, selects a nonce ru, a timestamp T1 and the sensor SIDj, computes r0 = B3 ⊕ h(IDi || PWi), HPWi = h(PWi || r0), D0 = B1 ⊕ h(IDi || HPWi), D1 = D0 ⊕ ru, D2 = h(ru || TIDi || IDhg || SIDj) ⊕ IDi and
Case 1:
Step 1: HGWN selects T2 and checks if |T2 − T1| ≤ ΔT. Then HGWN computes D0 = h(TIDi || IDhg || xhg), ru = D0 ⊕ D1 and IDi = D2 ⊕ h(ru || TIDi || IDhg), and checks D3 ?= h(IDi || SIDj || ru || T1). The session will be rejected if either check is unsuccessful. If the checks are correct, HGWN generates a nonce rhg, computes xj = h(SIDj || xhg), D4 = xj ⊕ rhg, D5 = ru ⊕ h(rhg) and D6 = h(IDhg || xj || ru || rhg || SIDj || T2), and sends the message M2 = {D4, D5, D6, T2} to Sj.
Step 2: Sj picks up T3 and checks if |T3 − T2| ≤ ΔT. Then Sj computes rhg = D4 ⊕ xj and ru = D5 ⊕ h(rhg), and checks D6 ?= h(IDhg || xj || ru || rhg || SIDj || T2). The session will be rejected if either check is unsuccessful. If the checks pass, Sj generates a nonce rs, computes SKs = h(ru || rhg || rs), D7 = rhg ⊕ rs and D8 = h(IDhg || xj || SKs || SIDj || T3), and sends the message M3 = {D7, D8, T3} to HGWN.
Step 3: HGWN picks up T4 and checks if |T4 − T3| ≤ ΔT. Then it computes rs = D7 ⊕ rhg and SKhg = h(ru || rhg || rs) and checks D8 ?= h(IDhg || xj || SKhg || SIDj || T3). The session will be rejected if either check is unsuccessful. If passed, HGWN selects a new pseudo-identity TIDi^new for Ui, computes D9 = ru ⊕ rs, D10 = TIDi^new ⊕ h(ru || SIDj || T4), D0^new = h(TIDi^new || IDhg || xhg), D11 = D0^new ⊕ h(IDi || xhg) ⊕ ru and D12 = h(IDhg || SKhg || TIDi^new || D0^new || D0 || T4). HGWN sends the message M4 = {D7, D9, D10, D11, D12, T4} to Ui.
Step 4: Ui selects T5 and checks if |T5 − T4| ≤ ΔT. Then the smart card computes rs = D9 ⊕ ru, rhg = D7 ⊕ rs, SKu = h(ru || rhg || rs), TIDi^new = D10 ⊕ h(ru || SIDj || T4) and D0^new = D11 ⊕ B2 ⊕ HPWi ⊕ ru, and checks D12 ?= h(IDhg || SKu || TIDi^new || D0^new || D0 || T4). The session will be rejected if either check is unsuccessful. If passed, the smart card computes B1^new = D0^new ⊕ h(IDi || HPWi) and replaces (TIDi, B1) with (TIDi^new, B1^new).

Fig. 4. Case 2 of authentication and key agreement phase.
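The following Python model is an added example, not code from the paper: it runs one honest Case 1 session of the proposed scheme (registration as in Section 4.2, login as in Section 4.3, then the four steps above) between a user's smart card, HGWN and a sensor, performs every D-value check the way the text does, and returns the three session keys together with the pseudo-identity before and after the run, so that key agreement and the per-session rotation of TIDi can be verified, including that the rotated card still logs in on the next session. SHA-1 stands in for h(.), identities are padded to 20 bytes and timestamps are 32-bit counters. Two details are assumptions because the page does not state them: M1 is taken to be {TIDi, IDhg, SIDj, D1, D2, D3, T1} with D3 = h(IDi || SIDj || ru || T1), since the login description is cut off before D3 and M1 are listed, and HGWN unmasks IDi with the login-phase formula h(ru || TIDi || IDhg || SIDj), whereas Step 1 above omits SIDj. All party names and values are constructed.

```python
import hashlib
import os

DELTA_T = 5                                   # ΔT in seconds (constructed)
T = lambda t: t.to_bytes(4, "big")            # timestamp as a 32-bit string

def h(*parts):                                # SHA-1 models the 160-bit h(.)
    return hashlib.sha1(b"".join(parts)).digest()

def xor(a, b):                                # ⊕ over equal-width strings
    return bytes(x ^ y for x, y in zip(a, b))

def ident(name):                              # identity padded to 160 bits
    return name.encode().ljust(20, b"\0")

def fresh(t_sent, t_now):                     # reject if |T_now - T_sent| > ΔT
    if abs(int.from_bytes(t_now, "big") - int.from_bytes(t_sent, "big")) > DELTA_T:
        raise ValueError("stale timestamp")

# Section 4.2: registration, both parts over the secure channel.
def provision_sensor(gw, sid):                # (SIDj, xj = h(SIDj||xhg), IDhg)
    return {"SID": sid, "x": h(sid, gw["xhg"]), "IDhg": gw["IDhg"]}

def register_user(gw, idi, pwi):              # returns the smart card contents
    r0, tidi = os.urandom(20), os.urandom(20)
    hpwi = h(pwi, r0)                         # only {IDi, HPWi} reaches HGWN
    return {"TID": tidi, "IDhg": gw["IDhg"],
            "B1": xor(h(tidi, gw["IDhg"], gw["xhg"]), h(idi, hpwi)),
            "B2": xor(h(idi, gw["xhg"]), hpwi),
            "B3": xor(h(idi, pwi), r0)}       # Step 3, written by Ui itself

# Section 4.3 login, then Case 1 Steps 1-4.
def user_login(card, idi, pwi, sid, t1):
    r0 = xor(card["B3"], h(idi, pwi))
    hpwi, ru = h(pwi, r0), os.urandom(20)
    d0 = xor(card["B1"], h(idi, hpwi))        # = h(TIDi || IDhg || xhg)
    m1 = {"TID": card["TID"], "IDhg": card["IDhg"], "SID": sid, "T1": t1,
          "D1": xor(d0, ru), "D2": xor(h(ru, card["TID"], card["IDhg"], sid), idi),
          "D3": h(idi, sid, ru, t1)}          # D3 and the M1 layout are assumed
    return m1, {"ru": ru, "hpwi": hpwi, "d0": d0, "idi": idi, "sid": sid}

def hgwn_step1(gw, m1, t2):
    fresh(m1["T1"], t2)
    d0 = h(m1["TID"], gw["IDhg"], gw["xhg"])
    ru = xor(d0, m1["D1"])
    idi = xor(m1["D2"], h(ru, m1["TID"], gw["IDhg"], m1["SID"]))
    if m1["D3"] != h(idi, m1["SID"], ru, m1["T1"]): raise ValueError("D3 check failed")
    rhg, xj = os.urandom(20), h(m1["SID"], gw["xhg"])
    m2 = {"D4": xor(xj, rhg), "D5": xor(ru, h(rhg)), "T2": t2,
          "D6": h(gw["IDhg"], xj, ru, rhg, m1["SID"], t2)}
    return m2, {"ru": ru, "rhg": rhg, "xj": xj, "idi": idi, "d0": d0, "sid": m1["SID"]}

def sensor_step2(s, m2, t3):
    fresh(m2["T2"], t3)
    rhg = xor(m2["D4"], s["x"])
    ru = xor(m2["D5"], h(rhg))
    if m2["D6"] != h(s["IDhg"], s["x"], ru, rhg, s["SID"], m2["T2"]): raise ValueError("D6 check failed")
    rs = os.urandom(20)
    sks = h(ru, rhg, rs)
    return {"D7": xor(rhg, rs), "D8": h(s["IDhg"], s["x"], sks, s["SID"], t3), "T3": t3}, sks

def hgwn_step3(gw, st, m3, t4):
    fresh(m3["T3"], t4)
    rs = xor(m3["D7"], st["rhg"])
    skhg = h(st["ru"], st["rhg"], rs)
    if m3["D8"] != h(gw["IDhg"], st["xj"], skhg, st["sid"], m3["T3"]): raise ValueError("D8 check failed")
    tid_new = os.urandom(20)                  # fresh pseudo-identity per session
    d0_new = h(tid_new, gw["IDhg"], gw["xhg"])
    m4 = {"D7": m3["D7"], "D9": xor(st["ru"], rs), "T4": t4,
          "D10": xor(tid_new, h(st["ru"], st["sid"], t4)),
          "D11": xor(xor(d0_new, h(st["idi"], gw["xhg"])), st["ru"]),
          "D12": h(gw["IDhg"], skhg, tid_new, d0_new, st["d0"], t4)}
    return m4, skhg

def user_step4(card, st, m4, t5):
    fresh(m4["T4"], t5)
    rs = xor(m4["D9"], st["ru"])
    rhg = xor(m4["D7"], rs)
    sku = h(st["ru"], rhg, rs)
    tid_new = xor(m4["D10"], h(st["ru"], st["sid"], m4["T4"]))
    d0_new = xor(xor(xor(m4["D11"], card["B2"]), st["hpwi"]), st["ru"])  # B2 ⊕ HPWi = h(IDi||xhg)
    if m4["D12"] != h(card["IDhg"], sku, tid_new, d0_new, st["d0"], m4["T4"]): raise ValueError("D12 check failed")
    card["B1"] = xor(d0_new, h(st["idi"], st["hpwi"]))                # B1new
    card["TID"] = tid_new                                             # TIDi <- TIDi_new
    return sku

def run_case1(gw, card, sensor, idi, pwi, t0):
    tid_before = card["TID"]
    m1, ust = user_login(card, idi, pwi, sensor["SID"], T(t0))
    m2, gst = hgwn_step1(gw, m1, T(t0 + 1))
    m3, sks = sensor_step2(sensor, m2, T(t0 + 2))
    m4, skhg = hgwn_step3(gw, gst, m3, T(t0 + 3))
    sku = user_step4(card, ust, m4, T(t0 + 4))
    return {"SKu": sku, "SKs": sks, "SKhg": skhg, "TID_before": tid_before, "TID_after": card["TID"]}

def demo():                                   # two back-to-back sessions, constructed parties
    gw = {"IDhg": ident("HGWN-1"), "xhg": os.urandom(20)}
    sensor = provision_sensor(gw, ident("S-42"))
    card = register_user(gw, ident("alice"), b"correct horse")
    return [run_case1(gw, card, sensor, ident("alice"), b"correct horse", t) for t in (1000, 2000)]
```

Running demo() twice over the same card is the useful part: the second session only succeeds because HGWN's D0 = h(TIDi^new || IDhg || xhg) in Step 1 matches the B1^new the card wrote in Step 4, which is the synchronization the text relies on when it replaces (TIDi, B1).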
Fig. 5. Premises for the code.

The first column is the code for the user. There are five lines above the double-line for the registration and the rest are for the login and authentication and key agreement phases.

The top part of the second column is the code for the sensor. The registration content is the same as Case 1 and the rest is for the operations in Case 2, Section 4.4.

The bottom part of the second column and the top part of the third column are the code for HGWN. Seven lines above the first double-line are for HGWNReg, which is the content of user registration. The code from the first double-line to the second is for the operations in Case 2, Section 4.4. The last line, let HGWN = HGWNReg|HGWNAuth, illustrates the whole process of HGWN.

The last part is the code for FGWN. Three lines above the first double-line are the content of sensor registration, and the code between the first double-line and the second is for the corresponding operations in Case 2, Section 4.4. The last line, let FGWN = FGWNReg|FGWNAuth, denotes the whole process of FGWN.

Furthermore, all the processes in the two cases are executed by the command process !User | !GWN | !Sensor.

To make the variables clear to readers, we give explanations of them. For the user and sensor registration phases in both cases, all produced and received variables, along with the defined constants, which should be first used on the user and sensor side, are the same as in the protocol, such as r0, HPWi, IDi, SIDj and xj. And we use the prefixes gr- and fgr- in the HGWN and FGWN registration phases for the produced and received variables, respectively, such as grTIDi, grxj, grB1, and fgrxj. Also, the generated and received variables in user authentication, sensor authentication, HGWN authentication and FGWN authentication employ the prefixes u-, s-, g-, and fg-, respectively, such as uD0, sD6, gD0, and fgz1.

For Case 1, A gets {TIDi, B1, B2, IDhg} from Ui's smart card and (M1^old, M2^old, M3^old, M4^old) from the last session. Then A guesses the pair (ID*, PW*), and computes r0* = B3 ⊕ h(ID* || PW*) and HPW* = h(PW* || r0*). The formulas B1 ⊕ h(ID* || HPW*) = D11^old ⊕ B2 ⊕ HPW* ⊕ ru^old and ru^old = B1^old ⊕ h(ID* || HPW*) can be used by A. But B1^old has disappeared. From D5^old, D7^old and D9^old, ru^old cannot be gained, either.

For Case 2, A gets {TIDi, B1, B2, IDhg} from Ui's smart card and (Z2, Z3, Z4, Z5, Z6, IDfg, M1^old, M5^old, M6^old, M7^old, M8^old) from the last session. Like the above case, A guesses (ID*, PW*), and computes r0* and HPW*. The formulas B1 ⊕ h(ID* || HPW*) = Z5^old ⊕ B2 ⊕ HPW* ⊕ ru^old and ru^old = D0^old ⊕ D1^old can be used. But D0^old is protected in Z3 by a hash function and ru^old. A cannot get ru^old or D0^old from Z3, let alone guess the identity and the password.

So A cannot guess Ui's identity and password.

5.5.3. Resistance to user forgery attack

Every time A wants to forge Ui's message, he should master D0 = h(TIDi || IDhg || xhg) to forge D1 in M1. But xhg is the secret key of HGWN and A cannot calculate D0, let alone D1 or M1.

5.5.4. Resistance to gateway forgery attack

In Case 1, if A wants to forge M2, he should get xj = h(SIDj || xhg), which is an imperative parameter to construct D4 and D6. To forge M4, at the last step of the two cases, D12 is an imperative element for checking. They all need xhg as one of the input strings. As in Section 5.5.3, A cannot obtain xhg and this attack can be avoided. In Case 2, if A wants to forge Z2 as FGWN, he should know Kfh and xfg. To forge M6, xj is a necessary number and to forge M8, D0 is an imperative element. If A wants to forge HGWN's message, he must calculate D0 in Z6 for verification on the user side. However, it is impossible to compute the strings Kfh, xfg and xj, and from Section 5.5.3 we know D0 is hard for A to calculate.

5.5.5. Resistance to sensor forgery attack

A must calculate D8 or D19 to forge M3 or M7 in the two cases. However, D0 is needed in both of them. As analyzed in Section 5.5.3, the two messages from the sensor cannot be generated by A.
5.5.8. Resistance to session key leakage

Unlike the scheme of Amin and Biswas (2016), A has no breakthrough point like a common secret rsr which is prone to be obtained by A. Every random number used for constructing the session key is fundamentally protected by the secret strings xhg or xfg. According to our hypothesis in Section 2.2, the two strings cannot be obtained. Thus, our scheme is free from session key leakage.
6. Performance evaluation

Fig. 8. Results for the queries.

We evaluate and compare our scheme with those presented in Amin and Biswas (2016) and Das et al. (2016) for the performance, in terms of the following:
Table 2
Comparative summary: security.
Property Our scheme Das et al. (2016) Amin and Biswas (2016)
- Tm (time of one scalar multiplication on an elliptic curve) is 0.427576 ms (Wu et al., 2016a).
- TRep (time of a Rep operation for biometrics) is approximately Tm (Das, 2016).
- Ts (time of one average symmetric encryption/decryption) is 0.0214385 ms (Wu et al., 2016a).
- Th (time of a one-way hash function) is 0.0000328 ms (Wu et al., 2016a).
- The bit lengths of hash output, random nonce/number, identity and timestamp are assumed to be 160 bits (if we use the SHA-1 hash algorithm), 160 bits, 160 bits, and 32 bits, respectively. The bit length of a sensor node is assumed to be 32 bits.

The comparative summary is shown in Table 3, and described below:

- For the aspect of user time in the two cases, the time cost of our scheme is only 0.0001 ms more than (Amin and Biswas, 2016) for both cases. And it is better than (Das et al., 2016).
- For the aspect of HGWN time, our scheme is in the middle in Case 1 and costs the most in Case 2. The reason is that HGWN needs to calculate the data for Ui's next session. Such calculations are necessary for the security of our scheme.
- FGWN time only occurs in Case 2. Our scheme is the same as the scheme in Amin and Biswas (2016), and is better than the scheme in Das et al. (2016).
- In both Case 1 and Case 2, our scheme costs the least in sensor time and is much better than (Das et al., 2016).
- Considering all transmitted messages, our scheme takes more communication cost as compared to the other schemes (Amin and Biswas, 2016; Das et al., 2016). This is justifiable because the proposed scheme offers better security as compared to the other schemes.
- The storage of the smart card in our scheme is equal to the scheme in Amin and Biswas (2016) and is much better than the scheme in Das et al. (2016). The main reason is that the smart card in Das et al. (2016) must store some parameters such as the identity of FGWN and login parameters for FGWN. In our scheme and Amin and Biswas (2016), there is no storage burden like that.
- The most important index is the security. From Table 2, our scheme satisfies all requirements while the other two cannot.

So our scheme is applicable for practical deployment.

Table 3
Comparative summary: performance.
                      Our scheme                 Das et al. (2016)                       Amin and Biswas (2016)
Time for user (ms)    Case 1: 9Th = 0.0002592    Case 1: TRep + Ts + 10Th = 0.4493425    Case 1: 7Th = 0.0002296
                      Case 2: 11Th = 0.0003608   Case 2: TRep + 2Ts + 9Th = 0.4707122    Case 2: 8Th = 0.0002624
Time for HGWN (ms)    Case 1: 11Th = 0.0003608   Case 1: 2Ts + 5Th = 0.043041            Case 1: 8Th = 0.0002624
                      Case 2: 7Th = 0.0002296    Case 2: 0                               Case 2: Th = 0.0000328
Time for sensor (ms)  Case 1: 4Th = 0.0001312    Case 1: Ts + 4Th = 0.0215697            Case 1: 5Th = 0.000164
                      Case 2: 4Th = 0.0001312    Case 2: Ts + 3Th = 0.0215369            Case 2: 5Th = 0.000164

7. Practical perspective: NS2 simulation study

The proposed scheme is simulated using the widely-accepted NS2 simulator tool to provide the practical perspective.

7.1. Simulation parameters

We have simulated our scheme on a Ubuntu 14.04 LTS platform using the NS2 2.35 simulator. NS2 is widely used for the discrete event simulation of different protocols, such as TCP/UDP protocols, routing protocols (e.g., AODV), and multicast protocols over wired and wireless networks (Issariyakul and Hossain, 2011). The values of the different types of network parameters used in the simulation are given in Table 4. The simulation time is taken as 1800 s (30 min).

Table 4
Simulation parameters.
Parameter                                  Description
Platform                                   Ubuntu 14.04 LTS
Tool used                                  NS2 2.35
Deployment area                            400 m × 40 m
Number of home gateway nodes               4 (for scenarios 1, 2, 3)
Number of users                            4 (for scenarios 1, 2, 3)
Number of sensors                          20 (for Scenario 1), 40 (for Scenario 2), 60 (for Scenario 3)
Communication range of home gateway nodes  200 m
Communication range of sensors             25 m
Simulation time                            1800 s

7.2. Simulation environment

We have considered three different network simulation scenarios for Case-1 of the proposed scheme. In a similar way, Case-2 of the proposed scheme can also be simulated. In each scenario, we have four

Fig. 9. Throughput (bps) for scenario 1, scenario 2 and scenario 3.

7.3. Discussion on simulation results