Sie sind auf Seite 1von 17

This article has been accepted for publication in a future issue of this journal, but has not been

fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2673239, IEEE Access

Lightweight Three-factor Authentication and


Key Agreement Protocol for Internet-integrated
Wireless Sensor Networks
Qi Jiang, Sherali Zeadally, Jianfeng Ma, and Debiao He

applications, the integration of WSN with the Internet will have


Abstract—Wireless Sensor Networks (WSNs) will be integrated an active role in the evolution of the architecture of future
into the future Internet as one of the components of the Internet of Internet [1]-[3]. The Internet Engineering Task Force (IETF)
Things, and will become globally addressable by any entity has developed a suite of protocols and open standards for
connected to the Internet. Despite the great potential of this
integration, it also brings new threats, such as the exposure of
integrating WSN into Internet [4], such as 6LoWPAN [5] and
sensor nodes to attacks originating from the Internet. In this ROLL [6]. As illustrated in Fig. 1, sensor nodes (SNs) can be
context, lightweight authentication and key agreement protocols connected by low rate and low power wireless technologies
must be in place to enable end-to-end secure communication. such as IEEE 802.15.4, and can be further linked to the Internet
Recently, Amin et al. proposed a three-factor mutual via a 6LoWPAN gateway. Therefore, sensors will be globally
authentication protocol for WSN. However, we identified several addressable by any entity connected to the Internet thereby
flaws in their protocol. We found that their protocol suffers from
smart card loss attack where the user identity and password can
enabling the remote access of sensor data.
be guessed using offline brute force techniques. Moreover, the Despite its great potential, the integration of WSN with the
protocol suffers from known session-specific temporary Internet also brings new threats, such as the exposure of
information attack which leads to the disclosure of session keys in resource-constrained SNs and low rate wireless links in WSN
other sessions. Furthermore, the protocol is vulnerable to tracking to attacks emanating from the Internet [3], [7]-[12]. Given its
attack and fails to fulfill user untraceability. To address these sensitivity and criticality, the sensor data in transit must be
deficiencies, we present a lightweight and secure user
authentication protocol based on the Rabin cryptosystem which
protected by an end-to-end (E2E) secure channel between the
has the characteristic of computational asymmetry. We conduct a SN and the entity outside the WSN. The creation of such a
formal verification of our proposed protocol using ProVerif in channel requires authentication and key agreement
order to demonstrate that our scheme fulfills the required security mechanisms that allow two remote entities to mutually
features. We also present a comprehensive heuristic security authenticate and negotiate secret keys that are used to protect
analysis to show that our protocol is secure against all the possible the sensor data against various types of active and passive attacks
attacks and provides the desired security features. The results we
obtained show that our new protocol is a secure and lightweight
[2], [13], [14]. Note that even if the WSN itself has security
solution for authentication and key agreement for Internet- measures at a lower layer such as the link layer security
integrated WSNs. services defined by IEEE 802.15.4, the openness of the Internet
still requires authentication and key agreement protocols for
Index Terms—authentication, key management, privacy, Rabin establishing the E2E secure channel between the two
cryptosystem, smart card, wireless sensor networks communicating peers [2].
It is not possible to directly utilize current Internet-centric
security solutions because of the inherent characteristics of
I. INTRODUCTION WSN (e.g., the limited computational capabilities and power

O NE vision of future Internet is that objects and things with


sensing and actuating capabilities will be connected and
integrated making up the Internet of Things (IoTs). As Wireless
supply of sensors and mobile devices) [2]. As discussed in [15],
many attempts (for instance, IPsec [16], IKEv2 [17]) have been
made to adapt standard Internet security protocols in this
Sensor Network (WSN) is one of the core technologies scenario. However, resource limitation and the large number of
supporting the sensing capabilities required by future SNs hinder the adoption of these solutions. Therefore,

Manuscript received Jan. 31, 2017; revised xx xx, 2017; accepted xx xx, S. Zeadally is with the College of Communication and Information,
2017. This work was supported in part by National Science Foundation of China University of Kentucky, Lexington, KY 40506-0224 USA (e-mail:
(61672413, 61572379, 61501333, U1405255, 61372075, U1536202), in part by szeadally@uky.edu).
Natural Science Basic Research Plan in Shaanxi Province of China J. Ma is with School of Cyber Engineering, Xidian University, Xi’an 710071,
(2016JM6005), in part by Fundamental Research Funds for the Central China (e-mail: jfma@mail.xidian.edu.cn).
Universities (JB161501, JBG161511) D. He is with State Key Laboratory of Software Engineering, Wuhan
Q. Jiang (Corresponding author) is with School of Cyber Engineering, University, Wuhan 430072, and School of Computer and Software, Nanjing
Xidian University, Xi’an 710071, China (e-mail: jiangqixdu@gmail.com). University of Information Science and Technology, Nanjing 210044, China (e-
mail: hedebiao@163.com).

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2673239, IEEE Access

Internet

FIGURE 1. Typical architecture of Internet integrated wireless sensor networks


it is imperative to enable authentication and key establishment protocol by Turkanovic et al [32] is prone to SN spoofing
between the SN and the entity outside WSN in a secure and attack, stolen smart card attack, and stolen verifier attack, et al.
lightweight manner. However, past experiences [18]-[20] have Then they proposed two 2FA protocols P1 and P2 [37]. P1 is
shown that it is not trivial to design such security protocols. based on hash functions, while P2 employs Elliptic Curve
Cryptography (ECC).
A. Related works
Lu et al. [36] analyzed Amin-Biswas’s 2FA protocol [33] and
In the last decade, various security mechanisms [7], [21]-[25] identified several security drawbacks in their protocol. Next,
have been proposed to prevent unauthorized access to the sensor they proposed an enhanced 2FA scheme using symmetric key
data in transit. Li et al. [24] proposed a signcryption scheme to cryptography, which is claimed to be resilient to a variety of
protect the information flow between a sensor and an entity attacks. Wu et al. [37] also pointed out that the 2FA protocol of
outside the WSN, which fulfills confidentiality, integrity, Amin-Biswas [33] is insecure. Most recently, Das et al. [38]
authentication, and non-repudiation in one step. However, showed that both P1 and P2 by Chang and Le [35] are
bilinear pairing is used in the scheme, which makes it vulnerable to session specific temporary information attack and
unsuitable (because of its high computation and processing offline password guessing attack, etc. Amin et al. [39] found
overheads) for regular SNs. that the protocol of Farash et al. [34] cannot provide user
Astorga et al. [25] proposed the Ladon security protocol anonymity, or withstand SSLA, offline password guessing
which provides E2E authentication and key establishment attack, user impersonation attack, known session-specific
mechanism for resource-constrained devices. To prevent temporary information attack (KSSTIA).
potential eavesdroppers from tracking users’ access patterns, To address the vulnerabilities associated with the various
they also presented a privacy-enhanced Ladon protocol by 2FA approaches and further enhance the security strength of
integrating the original protocol with the PrivaKERB user 2FA protocols, three-factor authentication (3FA) protocols
privacy framework for Kerberos [7]. In these protocols, the long have attracted the attention of researchers [40]-[44]. In the
keys need to be securely stored and may be compromised. context of WSN, Das [45] presented a 3FA protocol based on
To improve WSN security, two-factor authentication (2FA) symmetric cryptographic primitives. Next, he also proposed
protocols [26] have been introduced in WSN. In such protocols, two other 3FA protocols [46]-[47]. Unfortunately, Wu et al. [48]
two different types of security credential are used, i.e., smart demonstrated that all the three protocols are not secure. To
card and password, to prove his/her identity. Over a dozen of address the drawbacks, they proposed an improved 3FA scheme
2FA schemes for WSNs have been proposed in recent years based on ECC. Independently, Li et al. [49] presented a novel
[18]-[20], [27]-[31]. We briefly review the ones closest to this 3FA protocol based on the concept of biohashing. However,
work. Das et al. [50] demonstrated that the protocol of Li et al. [49] is
In 2014, Turkanovic et al. [32] proposed a lightweight 2FA vulnerable to privileged insider attack, SN capture attack and
protocol based on hash function for WSNs, which is claimed cannot provide user anonymity.
to be energy efficient and secure. However, Amin and Biswas Most recently, to remedy these security loopholes in the
[33] showed that the protocol of Turkanovic et al. [32] has protocol of Farash et al. [34], Amin et al. [39] presented a new
several security weaknesses, including offline identity secure 3FA protocol, which is claimed to be secure against all
guessing attack, offline password guessing attack, the known security attacks. Additionally, to satisfy the practical
impersonation attack, etc. To address these security requirements, their protocol provides the functionalities of post
deficiencies, they proposed a 2FA protocol for multi-gateway deployment, identity update, password update, and smart card
WSN. Independently, Farash et al. [34] also revealed that the revocation. However, we observe that the protocol by Amin et
protocol of Turkanovic et al. [32] is susceptible to smart card al. still has some subtle security weaknesses.
loss attacks (SSLA), impersonation attack, session key
disclosure, et al. and proposed an improved 2FA protocol. In B. Our research contributions
the same year, Chang and Le [35] demonstrated that the 2FA Although several 3FA protocols [38] [39] [45]-[49] have

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2673239, IEEE Access

been proposed in the literature, all these protocols either fail to II. PRELIMINARY
provide adequate security protection or suffer from various
A. Biohashing
security vulnerabilities. In this paper, we use the most recent
3FA protocol of Amin et al. [39] as a case study to show the Biometric is widely used to verify the identity of a user. It
challenge of designing a lightweight authentication protocol offers several advantages over traditional authentication
suitable for Internet integrated WSN. Then we propose an methods, i.e., password and smart card. Biometric feature data
authentication protocol for Internet integrated WSN which is closely coupled with each individual and cannot be replaced.
exploits the computational asymmetry feature of Rabin As a result, the disclosure of biometric data leads to serious
cryptosystem. We summarize our main research contributions privacy risks. Numerous schemes have been proposed to
as follows: preserve the privacy of biometric template [52]-[55].
Biohashing [55], [56] is one of the mainstream privacy-
• First, we analyze the most recent 3FA protocol of Amin
et al. [39] and we present its security drawbacks. preserving biometric schemes. In the enrollment stage, a
Specifically, we found that their protocol suffers from biohash value BH ( K , B) is generated from the biometric
Type I SSLA (the secret data obtained from the smart card template B and a random secret key K . Specifically, a
is enough for an adversary to reveal user password) and preprocessing is performed on B in order to make the
Type II SSLA (the transcripts of an authentication session biometric feature invariant to small variations in the input
are needed for an attacker, in addition to the secret biometric signal. Then, the biohash value BH ( K , B) is
parameters in the user’s smart card). Specifically, the user generated by comparing the inner product of the random vector
identity and password can be exhaustively guessed in an generated from the user specific secret key K and the feature
offline manner along with the secrets stored in the stolen vector extracted against a predefined threshold. In the
smart card and the intercepted authentication messages. verification stage, by following the process used at the
Additionally, the protocol suffers from KSSTIA if the enrolment stage, a biohash value BH ( K , Bʹ) can be generated
temporal parameters in an authentication session are
from the received biometric signal B ʹ and the secret key given
disclosed. Furthermore, the protocol is prone to tracking
by the user. Afterwards, the verification is done by comparing
attack and cannot fulfill user untraceability.
BH ( K , Bʹ) with the stored value BH ( K , B) [52].
• Second, we present an efficient and secure 3FA protocol
based on the Rabin cryptosystem. Unlike other public B. Rabin cryptosystem
key-based encryption algorithms such as RSA and ECC,
The Rabin cryptosystem [57], [58] is a public key
Rabin has the characteristic of computational asymmetry.
cryptographic primitive based on integer factorization. The
In this case, the encryption is very efficient while the
scheme includes three algorithms, i.e., key generation,
decryption is relatively heavyweight. This feature is
encryption and decryption.
particular well suited for Internet integrated WSN
Key generation: We choose two large distinct primes p and
because the mobile device of users is generally resource-
constrained while the gateway has no such restriction. q such that p, q ≡ 3 (mod 4) , and computes N = pq . Then
• Third, we conducted a formal verification using ProVerif N is the public key, and ( p, q) is the private key.
[51] to demonstrate that our protocol fulfills the required Encryption: We encrypt a plaintext m by computing
security features. Furthermore, we also present c = m 2 mod N .
comprehensive heuristic security analysis to demonstrate
that our protocol is capable of withstanding all the Decryption: We decrypt a ciphertext m = c mod N .
possible active and passive attacks including the security Specifically, the receiver who knows the private keys ( p, q)
weaknesses revealed in the protocol of Amin et al., and can apply the Chinese remainder theorem to derive the four
we show how it provides the desired security features. possible plaintexts {m1 , m2 , m3 , m4 } . One common technique
Additionally, performance analysis shows that our used to identify the correct plaintext is to add some pre-defined
proposed protocol is a practical solution that can provide padding in the plaintext or requires the plaintext to conform to
authentication and key agreement for Internet integrated some pre-defined format.
WSN, while achieving both security and efficiency. If y has a square root x , i.e., there is a solution for
The remainder of this paper is organized as follows. The
preliminaries of Biohashing and Rabin cryptosystem are given y = x 2 mod N , then y is a quadratic residue mod N . The
in Section 2. We review and analyze Amin et al.’s protocol [39] quadratic residue problem is described as follows: for y ∈ QRn ,
in Section 3 and 4 respectively. In Section 5, we propose a novel where QRn is the set of all quadratic residues mod N , it is
3FA and key agreement protocol for Internet integrated WSN.
computationally infeasible to find x without knowing p and
Section 6 and Section 7 present security and efficiency analyses
of the new protocol. Section 8 concludes the paper. q due to the hardness of factoring N .

III. REVIEW OF AMIN ET AL.’S PROTOCOL


Amin et al.’s 3FA protocol [39] consists of 9 phases, i.e.,

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2673239, IEEE Access

system setup, SN registration, user registration, login, Step 1. Sj computes S1 = ID j ⊕ h( Rshrd || Ts1 ) and
authentication, post-deployment, identity update, password
S2 = h( ID j || X j || Rshrd || Ts1 ) , and then sends < S1 , S2 , Ts1 > to
change, and smartcard revocation. We use the notations listed
in Table 1 throughout this paper. GWN .
Table 1 Notations Step 2. GWN verifies whether | TGWN − Ts1 |≤ ΔT holds. If it
Notation Description is false, GWN rejects the request of S j ; otherwise it computes
U i User
IDʹj = S1 ⊕ h( Rshrd ||Ts1 ) , X ʹ = h( IDʹj || X GWN ) , and
Sj SN
S2ʹ = h( IDʹj || X ʹj || Rshrd ||Ts1 ) and checks whether S2ʹ = S2
SA System administrator
Smart card number holds. If it is not true, GWN rejects S j ; otherwise, it accepts
SCN i
GWN Gateway node S j and stores ID j into the database. Then GWN sends a
PWi U i ’s password confirmation message to S j .
IDi U i ’s identity Step 3. After receiving the confirmation message, S j deletes
ID j S j ’s identity Rshrd from its memory.
X GWN − S j : The key shared between GWN and S j
C. User registration
X GWN : GW ’s secret key
In this phase, U i executes the following procedure to
Xj S j ’s secret key
register with SA .
Ki , K j Random number chosen by U i and S j , Step 1. U i sends the selected identity IDi and personal
respectively credentials to SA through a secure channel.
T Timestamp Step 2. SA checks whether IDi exists in the database. If it
fngi : U i ’s biometric template
does, SA indicates U i to select a new identity; otherwise, SA
ΔT Time delay threshold
SK Session key established in the protocol computes di = h( IDi || X GWN ) and Li = h( SCNi || X GWN ) , then
h() One-way hash algorithm the smart card storing < di , Li , SCNi , BK () > is delivered to U i
H () Bio-hashing algorithm defined in Amin et al.’s securely. SA maintains a database storing U i ’s IDi and
protocol [52] credentials.
BK () The biometric key extraction algorithm defined
Step 3. U i inserts the card into a card reader. U i then enters
in Amin et al.’s protocol
BH (⋅, ⋅) The two-factor bio-hashing algorithm defined in < IDi , PWi > and fingerprint fngi . The card computes
the new protocol [52] Bi = BK ( H ( fngi )) , ei = h( IDi || PWi || Bi ) ,
Bi Biometric key of fngi
fi = di ⊕ h( IDi || PWi ) , and gi = Li ⊕ h( PWi ⊕ IDi ) . Then the
|| Concatenation
card stores < Bi , ei , fi , gi , SCNi , BK () > and deletes < di , Li > .
⊕ Bitwise XOR operation
D. Login
A. System setup The following procedure is performed when U i wishes to
SA selects and computes the system parameters in off-line access sensor data.
mode. Step 1. U i inserts the smart card and imprints the fingerprint
Step1. SA chooses a master secret key X GWN . fngi . Then, the card computes Bi* = BK ( H ( fngi )) and checks
Step2. SA selects an identity ID j and computes the secret whether Bi* =Bi . If Bi* ≠ Bi , the card denies U i ’s login request;
key X j = h( ID j || X GWN ) for each SN S j (1 ≤ j ≤ m ) . otherwise, U i continues to enter his/her identity IDi* and
Step 3. SA randomly generates a number Rshrd , which is password PWi * , and the card computes
shared between GWN and S j . Finally, Sj stores * * * *
e = h( ID || PWi || B ) . The card rejects U i ’s login request if
i i i
< ID j , X j , Rshrd > in its memory. ei* ≠ ei ; otherwise, the entered IDi* and PWi * are valid.
B. SN registration Step 2. The card generates a random number Ki and the
When GWN and S j (1 ≤ j ≤ m ) are deployed to form a timestamp T1 , computes di* = fi ⊕ h( IDi* || PWi* ) ,
WSN. Each S j executes the following procedure to register L*i = gi ⊕ h( PWi* ⊕ IDi* ) , M 1 = IDi* ⊕ h( L*i ||T1 ) ,
* *
with GWN . M 2 = Ki ⊕ h(d ||T1 ) i
, M 3 = h(d || Ki ||T1 )
i
and

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2673239, IEEE Access

SCTi = SCNi ⊕ h(T1 ) . M 9ʹ = h( SKGWN || X ʹj || K ʹj ||T3 ) . GWN rejects the session if


Step 3. U i selects the identity ID j of the sensor that he/she M 9* ≠ M 9 ; otherwise, it computes
wishes to access, then the card computes M 11 = h( SKGWN || IDiʹ || di || K ʹj ) . Finally, GWN sends
EID j = ID j ⊕ h( IDi || Ki ||T1 ) and sends
MSG6 =< M11 ,M10 > to U i .
MSG1 =< M 1 , M 2 , M 3 , T1 , SCTi , EID j > to GWN . Step 7. Ui computes K *j = M10 ⊕ Ki ,
E. Authentication SKi = h( IDi || ID j || Ki || K ) *
j
, and
U i , GWN , and S j mutually authenticate each other and *
M = h(SKi || IDi || di || K ) . U i *
rejects the session if
11 j
negotiates a secret key through the following steps.
M 11* ≠ M 11 ; otherwise, U i accepts that GWN and S j are
Step 1. After receiving MSG1 from U i , GWN computes
authentic. The session key SKi = SK j = SKGWN are shared
SCNi = SCTi ⊕ h(T1 ) , Liʹ = h( SCNi || X GWN ) ,
among U i , S j , and GWN .
IDiʹ = M 1 ⊕ h( Liʹ ||T1 ) , diʹ = h( IDiʹ || X GWN ) ,
Kiʹ = M 2 ⊕ h(diʹ ||T1 ) , and M 3ʹ = h(d iʹ || Kiʹ ||T1 ) . GWN F. Post-deployment
In this phase, SNs can be deployed after the installation of a
aborts the current session if M 3ʹ ≠ M 3 ; otherwise, it computes
WSN. Assume that a new SN S k is required to be deployed in
M 4 = h(IDi || d iʹ ||T1 ) and then forwards MSG1 =< M 4 > to
the target field. SA first chooses the identity IDk of S k ,
Ui .
computes X k = h( IDk || X GWN ) , and writes < IDk , X k ,Rshrd >
Step 2. U i computes M 4* = h(IDi || d i* ||T1 ) . If M 4* ≠ M 4 , into the memory of S k . Then S k executes the SN registration
U i terminates the session; otherwise, he/she calculates phase to register with GWN .
M 5 = h(d i* || IDi || Ki ||T1 ) and transmits MSG3 =< M 5 > to G. Identity update
GWN .
In this phase, a registered user securely updates his/her
Step 3. GWN calculates M 5ʹ = h(d iʹ || IDiʹ || Kiʹ ||T1 ) and identity as follows.
aborts the connection if M 5ʹ ≠ M 5 ; otherwise it proceeds to Step 1. Step 1 of the login phase is performed to verify the
execute the next procedure. legitimacy of U i . Then U i inputs a new identity IDinew , and
Step 4. GWN computes IDʹj = EID j ⊕ h( IDi || Ki ||T1 ) , then the smart card computes d i* = f i ⊕ h( IDi || PWi ) ,
X ʹj = h( IDʹj || X GWN ) , L*i = gi ⊕ h( PWi ⊕ IDi ) , Zi = h(di* || IDi ||Tid ) ,
M 6 = h( IDiʹ || IDʹj || IDGWN || X ʹj || Kiʹ || T2 ) , Wi = IDi ⊕ h( Li || Tid ) , SCTi = SCN i ⊕ h(Tid ) , and
* new
M 7 = IDiʹ ⊕ h( IDGWN || X ʹj ||T2 ) , M 8 = Kiʹ ⊕ h( IDiʹ || X ʹj ) and DD = ID ⊕ h( Li || d i ||Tid ) . The card then sends
i i

then sends MSG4 =< IDGWN ,M6 ,M7 ,M 8 ,T2 > to S j . < Zi ,Wi ,DDi ,SCTi ,Tid > to GWN .
Step 5. S j checks whether | T3 − T2 |≤ ΔT holds, where T3 is Step 2. GWN computes SCTi = SCNi ⊕ h(Tid ) ,

the current timestamp. If it is invalid, S j immediately Liʹ = h(SCNi || X GWN ) , IDiʹ = Wi ⊕ h( Liʹ ||Tid ) ,
di = h( IDi || X GWN )
ʹ and Zi = h(di || IDi ||Tid )
ʹ ʹ ʹ , and then checks
terminates the session; otherwise, it computes
IDi** = M 7 ⊕ h( IDGWN || X j ||T2 ) , Ki** = M8 ⊕ h( IDi** || X j ) , whether Ziʹ = Zi holds. If it holds, GWN believes that U i is
authentic. GWN then computes
and M6** = M7 ⊕ h( IDi** || ID j || IDGWN || X j || Ki** ||T2 ) . S j new ** new
ID i = DDi ⊕ h( Liʹ || diʹ ||Tid ) , d = h(ID
i i || X GWN ) ,
aborts the connection if M 6** ≠ M 6 ; otherwise, it accepts that ** **
Yi = d ⊕ diʹ , ZZi = h(d || Ziʹ) , and sends ZZi ,Yi to the
i i
Ui and GWN are legitimate. Next, Sj computes
smart card and updates IDinew in the database.
SK j = h( IDi** || ID j || Ki** || K j ) , M 9 = h(SK j || X j || K j ||T3 ) ,
Step 3. The smart card calculates d i** = Yi ⊕ d iʹ and
and M10 = Ki** ⊕ K j , where K j is the random number
ZZi = h(d**
i || Z i )
, and checks whether ZZ i* = ZZ i holds. If it
generated by S j . Finally, S j forwards MSG5 =< M 9 ,M10 ,T3 >
holds, the card computes einew = h( IDinew || PWi || Bi ) ,
to GWN .
Step 6. GWN checks whether | T4 − T3 |≤ ΔT holds, where f i new = dd i** ⊕ h( IDinew || PWi ) , and
new new
T4 is the current timestamp. If it is invalid, GWN aborts the g i = Li ⊕ h( ID i ⊕ PWi ) . Finally, the card updates
session, otherwise it computes K ʹj = M 10 ⊕ Kiʹ , < ei , fi , gi > with < einew , fi new , ginew > .
SKGWN = h( IDiʹ || ID j || Kiʹ || K ʹj ) , and

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2673239, IEEE Access

H. Password change authentication and session key security) and attacks (such as
In this phase, U i updates the password PWi locally as impersonation attack and SSLA).
In [39], Amin et al. claimed that their protocol can withstand
follows.
various attacks even if the smart card is stolen. However, we
Step 1. U i inserts his or her smart card into the card reader show that Amin et al.’s protocol is prone to Type I SSLA, Type
and executes Step 1 of the login phase to verify the validity of II SSLA, KSSTIA and tracking attack. Thus, Amin et al.’s
fingerprint, password, and identity. protocol is not actually suitable for practical deployment.
Step 2. U i inputs a new password PWi new , and the card
A. Type I SSLA
computes einew = h( IDi || PWi new || Bi ) , diʹ = fi ⊕ h( IDi || PWi ) , In a SSLA, A attempts to guess U i ’s identity and password
fi new = dinew ⊕ h( IDi || PWi new ) , Liʹ = gi ⊕ h( PWi || IDi ) , and after extracting information from the smart card. It is worth
g new
i = Liʹ ⊕ h( IDi ⊕ PWi new ) . noting that it is widely accepted when designing password-
Step 3. The card updates with based protocols that the space of Dpw is enumerable [64].
< ei , fi , gi >
SSLAs can be classified into eight types [61]. In this paper, we
< einew , fi new , ginew > .
focus on the attacks involving the extraction of secret
I. Smart card revocation information from a lost smart card, and classify them into two
types, type I and II. In type I SSLA, the secret data obtained
If U i ’s smart card is stolen or lost, U i can obtain a new
from U i ’s card is enough for A to reveal U i ’s password. In
smart card as follows.
type II SSLA, the transcripts of an authentication session are
Step 1. U i sends the identity IDi and his credential to SA
needed for A , in addition to the secret parameters in U i ’s
through a secure channel. SA first verifies U i ’s credential, if
smart card.
it is valid, it computes dinew = h( IDi || X GWN ) and In [39], the authors assumed that the probability of guessing
Lnew = h( SCNinew || X GWN ) , where SCN inew is the new smart IDi and PWi using ei is negligible. However, Wang et al. [59]
i
card number. Then,
the new card storing pointed out that the identity of a user can be revealed by the
new new new attacker when the user’s smart card is stolen. Thus it is more
< di , Li , SCNi , BK () > is sent to U i securely. Then, SA
prudent to take this risk into consideration.
updates the database with SCN inew . Suppose that the smart card is somehow acquired by A , and
Step 2. U i attaches the smart card into a card reader, enters then A reveals the parameters < Bi , ei , fi , gi , SCNi , BK () >
IDi and PWi , and provides fingerprint fng i at the biometric from the card.
With the secret information
capturing device. The card then computes ei = h( IDi || PWi || Bi ) and Bi , A may conduct an offline
B new
= BK ( H ( fngi )) , ei = h( IDi || PWi || Binew )
new
, password guessing attack described below [61].
i
new Step 1. A guesses a possible value IDi* of IDi and a value
fi = dinew ⊕ h( IDi || PWi ) and ginew = Lnew
i ⊕ h( IDi ⊕ PWi ) .
Finally, the smart card stores PWi * of PWi .
< Binew , einew , fi new , ginew , SCNinew , BK () > into its memory, and Step 2. A calculates ei* = h( IDi* || PWi* || B i ) and validates
deletes < dinew ,Lnew >. the correctness of IDi* and PWi * by checking whether
i
ei ? = ei* holds. If it is positive, A has found out the correct pair
IV. WEAKNESSES OF THE PROTOCOL BY AMIN ET AL. of identity and password. Otherwise, A repeats the steps (1)
Before presenting the cryptanalysis of Amin et al.’s protocol, and (2) until ei = ei* .
we first briefly present the adversarial model [59]-[61].
Let | D pw | and | Did | denote the dictionary space of Dpw
1) The adversary A may capture all messages sent or
received in the authentication session. and Did , respectively. In practice, the dictionary size is
2) A can either (i) obtain the password of a registered user, | Dpw |≤| Did |≤ 106 [61]. The time complexity of the above
or (ii) obtain a stolen or lost smart card of the user, and reveal
the secret parameters in it by side channel attacks [62], [ 63], attack is O(| Dpw | * | Did | *TH ) , where TH is the execution time
but not both at the same time. for the Hash operation. Hence, the time needed for A to carry
3) A has the capability of enumerating offline all possible out this attack is linear to | D pw | * | Did | .
candidates in the Cartesian product Did * D pw in polynomial Thus, the root cause of the above attack is that there is a
time, where Did and Dpw denote the identity space and the definite password verifier (i.e., ei ) stored in U i ’s card. As a
password space respectively. result, it can be utilized by A to offline guess U i ’s password.
4) A may somehow learn the identity IDi of the victim
B. Type II SSLA
when considering security properties (such as mutual
Besides the assumption about the smart card in Type I SSLA,

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2673239, IEEE Access

it is widely accepted that A can capture the messages (e.g., Suppose that a legal user U i interacts with GWN . A first
MSG1 =< M 1 , M 2 , M 3 , T1 , SCTi , EID j > ) exchanged between captures Ui ’s message
U i and S in the process of authentication. Then, A can MSG1 = < M1 , M 2 , M 3 , T1 ,SCTi ,EID j > , then retrieves and
exhaustively guess U i ’s password PWi as follows: stores SCNi . Then A can threaten the privacy of U i through
Step 1. A guesses a possible value IDi* of IDi and a value two ways [29]. Firstly, if A obtains U i ’s identity by accident,
PWi * of PWi . then he/she is capable of identifying the user at the instant that
U i interacts with GWN by using the value SCNi . Moreover,
Step 2. A computes L*i = gi 排h( PWi* IDi* ) and
* * * even though A cannot obtain IDi , he/she is always capable of
M 1 ID i h( L || T1 ) , where gi is revealed from U i ’s smart
i
identifying different authentication sessions of U i via the value
card, T1 is captured from the open channel.
SCNi presented in each message
Step 3. A checks whether M 1*?=M 1 . If it is positive, A has
MSG1 = < M1 , M 2 , M 3 , T1 ,SCTi ,EID j > . Then, he/she might
found the correct pair of identity and password. Otherwise, A
collect various types of sensitive information related to U i ,
repeats the steps (1) to (3) until M 1* =M 1 .
The time complexity of the above attack is such as U i ’s traveling routes, sensor access patterns, which
O(| Dpw | * | Did | *2TH ) , and the time required for A to carry may help A to violate user anonymity provided in Amin et al.’s
protocol [39]. Therefore, Amin et al.’s protocol [39] is prone to
out this attack is linear to | D pw | * | Did | . tracking attack and cannot provide untraceability.
C. Known-session specific temporary information attack
V. OUR PROPOSED AUTHENTICATION PROTOCOL
In the authentication phase, if U i is legitimate, GWN sends
We enhance Amin et al.’s protocol as follows: (1) The public
MSG4 =< IDGWN ,M6 ,M7 ,M 8 ,T2 > to Sj , where key primitive Rabin cryptosystem is employed to avoid SSLA
M 8 = Ki ⊕ h( IDiʹ || X ʹj ) , K i is a random number chosen by U i . and tracking attack. (2) The concept of fuzzy verifier [60] is
adopted to achieve local password verification. (3) The
After verifying the authenticity of GWN , S j forwards
timestamp mechanism mitigates session specific temporary
MSG5 =< M 9 ,M10 ,T3 > to GWN , where M10 = Ki** ⊕ K j , and information attack. Our new protocol also has 9 phases. SN
registration and post-deployment phase which remain
K j is the random number generated by S j . The session key
unchanged are omitted here.
between U i and S j is SK j = h( IDi** || ID j || Ki** || K j ) . If K i
A. System setup
is compromised, A can derive the value
SA selects and computes the system parameters in off-line
h( IDiʹ || X ʹj ) = Ki ⊕ M 8 , which is static and remains unchanged mode.
throughout the authentication session between U i and S j . Step1. SA first generates two large primes p and q , and
With this value, A can derive all the previous and future computes N = pq , and keeps ( p, q) as the private key. Then
session key between U i and S j . A first derives the random SA selects a master secret key X GWN and an integer
**
numbers Ki M8 h(IDi || X j ) and K j = K ⊕ M10 , and i 24 ≤ l ≤ 28 as the parameter of fuzzy verifier.
then computes SK j = h( IDi** || ID j || Ki** || K j ) . We note that Step2. SA selects an identity ID j and computes the secret
the disclosure of a random number in one authentication session key X j = h( ID j || X GWN ) for S j (1 ≤ j ≤ m ) .
will compromise all the session keys. Therefore, Amin et al.’s Step 3. SA randomly generates a number Rshrd , which is
protocol has the problem of KSSTIA.
shared between GWN and S j . Finally, Sj stores
D. Tracking attack
< ID j , X j , Rshrd > in its memory.
When U i wishes to access sensory data, U i sends the
message MSG1 = < M1 , M 2 , M 3 , T1 ,SCTi ,EID j > to initiate the B. User registration

authentication session. Although IDi is concealed to M 1 , and In this phase, U i executes the following procedure to
each field in MSG1 is dynamic, the identity of the smart card register with SA as shown in Fig. 2.
Step 1. U i sends the selected identity IDi and personal
SCNi can be derived as SCNi SCTi h(T1 ) . Generally, the
credentials to SA through a secure channel.
value of SCNi is fixed for a specific user, which is generated
Step 2. SA checks whether IDi exists in the database. If it
by SA in the registration phase, and updated only in the smart
card revocation phase. With this fixed value, an adversary A does, SA indicates U i to select a new identity; otherwise, SA
can launch tracking attack as follows. generates a random number xi , computes

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2673239, IEEE Access

di = h( IDi || X GWN || xi ) and Li = h( SCNi || X GWN ) . Then SA random number ri , Bi = BH (ri , fngi ) ,
computes
delivers the smart card storing <di , Li , SCNi , l , n, BH (,), h()> ei = h(h(IDi || PWi || Bi ) mod l ) , fi = di ⊕ h( IDi || PWi || Bi ) ,
to U i securely. SA maintains a database storing each U i ’s and gi = Li ⊕ h( IDi ⊕ PWi ⊕ Bi ) . Finally, the smart card stores
parameters <IDi , SCNi , xi ,Personal credential> . < ei , fi ,gi ,SCNi ,l , n, ri ,BH (,), h() > into its memory and
Step 3. U i attaches the card into a card reader. Then he/she deletes < di , Li > .
enters < IDi , PWi > and imprints fngi . The card selects a

FIGURE 2. User registration phase of our proposed protocol

C. Login D. Authentication
The following procedure is performed when U i wishes to To achieve mutual authentication and session key agreement
access sensor data as shown in Fig. 2. among U i , GWN , and S j , the following steps are executed as
Step 1. U i attaches the smart card and enters the identity shown in Fig. 3.
* *
ID , password PWi , and fingerprint fngi . Then, the card Step 1. After receiving MSG1 from U i , GWN decrypts
i

computes Bi* = BH (ri , fngi ) and M 1 using p and q to obtain IDiʹ, SCNiʹ, Kiʹ , and then retrieves
* * * * xi according to ID ʹ , and verifies whether SCN ʹ matches the
e = h(h( ID || PWi || B ) mod l ) . The card rejects U i ’s login
i i i
value in the entry. If the two values do not match, then GWN
request if ei* ≠ ei . rejects the request and aborts; otherwise, GWN computes
Step 2. The card generates a random number Ki and a Liʹ = h(SCNiʹ || X GWN ) , diʹ = h( IDiʹ || X GWN || xi ) ,
timestamp T1 , calculates di* = fi ⊕ h( IDi* || PWi * || Bi* ) , Kiʹ = M 2 ⊕ h(diʹ ||T1 ) , and M 2ʹ = h(diʹ || Liʹ || Kiʹ ||T1 ) . GWN
* *
L = gi ⊕ h( ID ⊕ PWi ⊕ B )
i i
* *
i
, aborts the current session if M 2ʹ ≠ M 2 ; otherwise, GWN
2
M1 = ( IDi || SCNi || Ki ) mod n , M 2 = h(d || L || K i || T1 ) . * * computes IDʹj = EID j ⊕ h( IDi || Ki ||T1 ) , X ʹj = h( IDʹj || X GWN ) ,
i i

Step 3. U i selects the identity ID j of the sensor that he/she M 3 = h( IDiʹ || IDʹj || IDGWN || X ʹj || Kiʹ || T2 ) ,
wishes to access, then the card computes M 4 = IDiʹ ⊕ h( IDGWN || X ʹj || T2 ) ,
EID j = ID j ⊕ h( IDi || Ki ||T1 ) and sends M 5 = Ki ⊕ h( IDiʹ || IDʹj || X ʹj || T2 ) and then sends
MSG1 = < M 1 ,M 2 ,T1 ,EID j > to GWN . MSG2 = < IDGWN , M 3 , M 4 , M 5 , T2 > to S j .

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2673239, IEEE Access

FIGURE 3. Authentication and key agreement of our proposed protocol

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2673239, IEEE Access

10

Step 2. S j checks whether | T3 − T2 |≤ ΔT holds, where T3 is verifies whether SCNiʹ matches the value in the entry. If the
the current timestamp. If it is invalid, S j immediately two values do not match, then GWN terminates; otherwise,
GWN computes Liʹ = h(SCNiʹ || X GWN ) ,
terminates the session; otherwise, it computes
ID **
i M4 h(IDGWN || X j || T2 ) , diʹ = h( IDiʹ || X GWN || xi ) , Ziʹ = h(di* || L*i || IDinew || Tid ) . GWN
aborts the current session if Ziʹ ≠ Zi ; otherwise, GWN
Ki** = M5 ⊕ h(IDi** || IDj || X j || T2 ) , and
** ** ** computes di** = h( IDinew || X GWN || xi ) , Yi = di** ⊕ h(diʹ || Tid ) ,
M = h(ID || IDj || IDGWN || X j || K || T2 ) . S j aborts the
3 i i
and ZZi = h(di** || diʹ || Liʹ || IDinew || Tid ) . Then GWN sends
connection if M 3** M 3 ; otherwise, it accepts that U i and
GWN are legitimate. Next, Sj computes < ZZi ,Yi > to the card and updates IDinew in the database.
Step 3. The card computes di** = Yi ⊕ h(di* ||Tid ) and
SK j = h(IDi** || IDj || Ki** || K j ) , M 6 = h( SK j || X j || K j || T3 ) ,
ZZi* = h(di** || di* || L*i || IDinew || Tid ) , and checks whether
and M 7 Ki** K j , where K j is the random number
ZZ i* = ZZi holds. If it holds, the card computes
generated by Sj . Finally, Sj forwards
new new
e = h(h( ID || PWi || Bi ) mod l ) ,
MSG3 = < M 6 , M 7 , T3 > to GWN . i i
new ** new
Step 3. GWN checks whether | T4 − T3 |≤ ΔT holds, where fi = dd ⊕ h( ID
i i || PWi || Bi ) , and
new new
T4 is the current timestamp. If it is negative, GWN aborts the g i = Li ⊕ h( ID i ⊕ PWi ⊕ Bi ) . Finally, the card replaces the
session; otherwise it computes K ʹj = M 7 ⊕ K iʹ , old information with < einew , f i new , g inew > .

SKGWN = h( IDiʹ || ID j || Kiʹ || K ʹj ) , and F. Password change


M 6ʹ = h(SKGWN || X ʹj || Kiʹ || T3 ) . GWN rejects the session if In this phase, an authorized user U i updates the password

M 6ʹ ≠ M 6 ; otherwise, it computes PWi locally.


M 8 = h( SKGWN || IDiʹ || diʹ || K ʹj ) . Finally, GWN sends Step 1. U i inserts his/her smart card into a card reader and
carry out Step 1 of the login phase to verify the validity of
MSG4 = < M 7 , M8 > to U i . fingerprint, password, and identity.
Step 4. Ui computes K*j = M 7 Ki , Step 2. U i inputs a new password PWi new , and the card
SKi = h( IDi || IDj || Ki || K *j ) , and calculates einew = h(h( IDi || PWi new || Bi ) mod l ) ,
*
M8 = h(SKi || IDi || di || K ) . U i rejects the session if
j diʹ = fi ⊕ h( IDi || PWi || Bi ) , fi new
= diʹ ⊕ h( IDi || PWi new
|| Bi ) ,
*
M 8 M 8 ; otherwise, U i accepts that GWN and S j are Liʹ = gi ⊕ h( IDi ⊕ PWi new ⊕ Bi ) , and
new new
authentic. At this point, a session key SKi = SK j = SKGWN has g i = Liʹ ⊕ h( IDi ⊕ PWi ).
been established among U i , S j , and GWN . Step 3. The card updates < ei , fi , gi > with
new new new
<e i , fi ,g i >.
E. Identity update
In this phase, a registered user securely updates the identityas G. Smart card revocation
follows. If U i ’s smart card is stolen or lost, U i obtains a new smart
Step 1. U i attaches the card and enters the identity IDi* , card as follows.
password PWi * , and fingerprints fngi . Then, the card Step 1. U i sends the identity IDi and his/her credential to
computes Bi* = BH (ri , fngi ) and SA through a secure channel. SA first verifies U i ’s credential.
*
e = h(h( IDi || PWi || Bi ) mod l ) . The card rejects U i ’s login
i
If it is valid, it computes dinew = h( IDi || X GWN || xi ) and
request if ei* ≠ ei . Then U i inputs a new identity IDinew , and Lnew
i = h( SCNinew || X GWN ) , where SCN inew is the new smart
then the card generates a timestamp Tid , computes card number. Then the new card storing
d *
fi *
h( ID || PWi || B ) , L * * *
gi h( ID *
PWi * *
B ), <dinew , Lnew
i , SCN i
new
, l , n, BH (,), h()> is sent to U i securely.
i i i i i i

DDi = ( IDi || SCNi || ID new 2


) mod n , Then, SA updates the database with SCN inew .
i
Step 2. U i inserts the smart card into a card reader, inputs
Zi = h(di* || L*i || IDinew || Tid ) . The card then sends
< Zi ,DDi ,Tid > to GWN . < IDi , PWi > and imprints fngi . The card picks up a random
Step 2. GWN decrypts DDi using p and q to obtain number ri , computes Bi = BH (ri , fngi ) ,
new
IDiʹ, SCNiʹ, IDinew , then retrieves xi according to IDiʹ , and ei = h(h( IDi || PWi || Bi ) mod l ) ,

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2673239, IEEE Access

11

fi new = dinew ⊕ h( IDi || PWi || Bi ) , and fun bit2key(bitstring): key.


(* Check timestamp fresh *)
ginew = Lnew
i ⊕ h( IDi ⊕ PWi ⊕ Bi ) . Finally, the smart card stores fun checkFresh(timestamp, bool): bool
< einew , fi new ,ginew ,SCNinew ,l , n, ri ,BH (,), h() > into its memory reduc forall t: timestamp;
and deletes < dinew , Lnew checkFresh(t, true) = true
i >.
otherwise forall t: timestamp;
checkFresh(t, false) = false
VI. SECURITY ANALYSIS The secret keys are defined as follows:
We first conduct a formal verification using ProVerif to (* Secrecy assumptions *)
demonstrate that our protocol fulfills the required security not attacker(new p).
features. Furthermore, we also present comprehensive heuristic not attacker(new q).
security analysis comparison and efficiency analysis. not attacker(new XGWNTemp).
not attacker(new XjTemp).
A. Formal verification with ProVerif
The following events and queries are defined:
ProVerif [51] is a widely used formal verification tool for event scAccept(User).
automatic security analysis of security protocols, which is used event serverAccept(User).
to prove the secrecy and authentication properties of our event sensorGen(User, Server).
proposed protocol. event serverGen(Sensor).
First we define the channels and types. c1 is the public event userGen(Server, Sensor).
channel between the user device and GWN and c2 is the public query inj-event(userGen(server, sensor))
channel between GWN and the sensor. ==> inj-event(serverGen(sensor)).
free c1:channel. query inj-event(serverGen(sensor))
free c2:channel. ==> inj-event(sensorGen(user, server)).
The basic types of variables are defined as follows: query inj-event(sensorGen(user, server))
type key. ==> inj-event(serverAccept(user)).
type nonce. query event(serverAccept(user))
type fingerprint. ==> event(scAccept(user)).
type timestamp. The process of the user is modeled as follows:
type N. let processUser(IDiEx: bitstring, PWEx: bitstring, fngEx:
type Q. fingerprint, e: bitstring, g: bitstring, f: bitstring, r: nonce, B:
type P. bitstring, SCN: bitstring, l: bitstring, IDj: bitstring, IDi: bitstring) =
type User. let BEx = BH(r, fngEx) in
type Server. let e' = Hash(Mod(Hash(Concat(Concat(IDiEx, PWEx), B)),
type Sensor. l)) in
The cryptographic functions are modeled as follows: if e' = e then
(* Hash operation *) event scAccept(user);
fun Hash(bitstring): bitstring. let dEx = XORagain(f, Hash(Concat(Concat(IDiEx, PWEx),
(* BH operation *) BEx))) in
fun BH(nonce, fingerprint): bitstring. let LEx = XORagain(g, Hash(XOR(XOR(IDiEx, PWEx),
(* Rabin cryptosystem *) BEx))) in
fun rabinEnc(bitstring, N):bitstring. new KiTemp: nonce;
reduc forall x: bitstring, p: P, q: Q, n: N; let Ki = nonce2(KiTemp) in
rabinDec(n, p, q, rabinEnc(x, n)) = x. new T1: timestamp;
(* XOR operation *) let M1 = rabinEnc(Concat(Concat(IDi, SCN), Ki), n) in
fun XOR(bitstring, bitstring): bitstring. let M2 = Hash(Concat(Concat(Concat(dEx, LEx), Ki),
reduc forall x: bitstring, y: bitstring; timestamp2(T1))) in
XORagain(XOR(x, y), y) = x. let EIDj = XOR(IDj, Hash(Concat(Concat(IDi, Ki),
(* Mod operation *) timestamp2(T1)))) in
fun Mod(bitstring, bitstring): bitstring. out(c1, (M1, M2, T1, EIDj));
(* Concat operation *) in(c1, (M7: bitstring, M8: bitstring));
fun Concat(bitstring, bitstring):bitstring. let KjEx = XOR(M7, Ki) in
reduc forall x: bitstring, y: bitstring; let SKi = bit2key(Hash(Concat(Concat(Concat(IDi, IDj), Ki),
Split(Concat(x, y)) = (x, y). KjEx))) in
(* Type convertion *) let M8Ex = Hash(Concat(Concat(Concat(key2(SKi), IDi),
fun timestamp2(timestamp): bitstring. dEx), KjEx)) in
fun nonce2(nonce): bitstring. if M8Ex = M8 then
fun key2(key): bitstring. event userGen(server, sensor).

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2673239, IEEE Access

12

The process of the gateway node is modeled as follows: IDj), KiExEx), Kj))) in
let processServer(XGWN: bitstring, x: nonce, p: P, q: Q, IDi: new T3: timestamp;
bitstring, IDGWN: bitstring, IDj: bitstring) = let M6 = Hash(Concat(Concat(Concat(key2(SKj), Xj), Kj),
in(c1, (M1: bitstring, M2: bitstring, T1: timestamp, EIDj: timestamp2(T3))) in
bitstring)); let M7 = XOR(KiExEx, Kj) in
let (temp: bitstring, Ki': bitstring) = Split(rabinDec(n, p, q, event sensorGen(user, server);
M1)) in out(c2, (M6, M7, T3, true)).
let (IDi': bitstring, SCN': bitstring) = Split(temp) in The whole protocol is modeled as follows.
let L' = Hash(Concat(SCN', XGWN)) in (* Start process *)
let d' = Hash(Concat(Concat(IDi', XGWN), nonce2(x))) in process
(* let Ki' = XORagain(M2, Hash(Concat(d', (* Constants *)
timestamp2(T1)))) in *) (* Share constants between user and server *)
let M2' = Hash(Concat(Concat(Concat(d', L'), Ki'), new SCN: bitstring;
timestamp2(T1))) in new l: bitstring;
if M2' = M2 then new IDj: bitstring;
event serverAccept(user); new IDi: bitstring;
let IDj' = XORagain(EIDj, Hash(Concat(Concat(IDi, Ki'), new PW: bitstring;
timestamp2(T1)))) in new r: nonce;
let Xj' = Hash(Concat(IDj', XGWN)) in (* User/Smartcard constants *)
new T2: timestamp; new fng: fingerprint;
let M3 = Hash(Concat(Concat(Concat(Concat(Concat(IDi', (* Server constants *)
IDj'), IDGWN), Xj'), Ki'), timestamp2(T2))) in new x: nonce;
let M4 = XOR(IDi', Hash(Concat(Concat(IDGWN, Xj'), new XGWNTemp: key;
timestamp2(T2)))) in let XGWN = key2(XGWNTemp) in
let M5 = XOR(Ki', Hash(Concat(Concat(Concat(IDi', IDj'), new IDGWN: bitstring;
Xj'), timestamp2(T2)))) in (* Sensor constants *)
out(c2, (IDGWN, M3, M4, M5, T2, true)); new XjTemp: key;
in(c2, (M6: bitstring, M7: bitstring, T3: timestamp, isFresh: let Xj = key2(XjTemp) in
bool)); (* Rabin parameters *)
new T4: timestamp; new p: P;
if checkFresh(T4, isFresh) then new q: Q;
let Kj' = XORagain(M7, Ki') in (* Constants computed *)
let SKGWN = bit2key(Hash(Concat(Concat(Concat(IDi', let d = Hash(Concat(Concat(IDi, XGWN), nonce2(x))) in
IDj), Ki'), Kj'))) in let L = Hash(Concat(SCN, XGWN)) in
let M6' = Hash(Concat(Concat(Concat(key2(SKGWN), Xj'), let B = BH(r, fng) in
Ki'), timestamp2(T3))) in let e = Hash(Mod(Hash(Concat(Concat(IDi, PW), B)), l)) in
if M6' = M6 then let f = XOR(d, Hash(Concat(Concat(IDi, PW), B))) in
event serverGen(sensor); let g = XOR(L, Hash(XOR(XOR(IDi, PW), B))) in
let M8 = Hash(Concat(Concat(Concat(key2(SKGWN), IDi'), (
d'), Kj')) in (!(processUser(IDi, PW, fng, e, g, f, r, B, SCN, l, IDj, IDi))) |
out(c1, (M7, M8)). (!processServer(XGWN, x, p, q, IDi, IDGWN, IDj)) |
The process of SNs is modeled as follows: (!processSensor(Xj, IDj))
let processSensor(Xj: bitstring, IDj: bitstring) = )
in(c2, (IDGWN: bitstring, M3: bitstring, M4: bitstring, M5: The outcome of executing the processes in ProVerif version
bitstring, T2: timestamp, isFresh: bool)); 1.96 is listed as follows, which demonstrates that our protocol
if checkFresh(T2, isFresh) then achieves session key secrecy and mutual authentication.
let IDiExEx = XORagain(M4, Hash(Concat(Concat(IDGWN, RESULT event(serverAccept(user[])) ==>
Xj), timestamp2(T2)))) in event(scAccept(user[])) is true.
let KiExEx = XORagain(M5, RESULT inj-event(sensorGen(user[],server[])) ==>
Hash(Concat(Concat(Concat(IDiExEx, IDj), Xj), inj-event(serverAccept(user[])) is true.
timestamp2(T2)))) in RESULT inj-event(serverGen(sensor[])) ==>
let M3ExEx = inj-event(sensorGen(user[],server[])) is true.
Hash(Concat(Concat(Concat(Concat(Concat(IDiExEx, IDj), RESULT inj-event(userGen(server[],sensor[])) ==>
IDGWN), Xj), KiExEx), timestamp2(T2))) in inj-event(serverGen(sensor[])) is true.
if M3ExEx = M3 then RESULT not attacker(SKj[]) is true.
new Kj: bitstring; RESULT not attacker(SKGWN[]) is true.
let SKj = bit2key(Hash(Concat(Concat(Concat(IDiExEx, RESULT not attacker(SKi[]) is true.

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2673239, IEEE Access

13

B. Analysis of security properties the ephemeral random number in other authentication sessions.
We first show that our 3FA protocol could overcome Thus our 3FA protocol is immune from KSSTIA.
weaknesses in Amin et al.’s authentication protocol, and then 4) Resisting user impersonation attack
we show that our protocol achieves all the desired security The opponent A cannot carry out user impersonation attack
features. against our protocol. Assume that A has the user U i ’s smart
1) Resisting type I SSLA card and hasextracted the data
Type I SSLA is infeasible in our protocol. We explain why < ei , fi ,gi ,SCNi ,l , n, ri ,BH (), h() > stored in it. We also
below. assume that A has intercepted the messages exchanged in the
Assume that the opponent A extracts the smart card previous authentication sessions. In our protocol, A has to
information < ei , fi ,gi ,SCNi ,l , n, ri ,BH (), h() > of the legal possess all the authentication factors, i.e., PWi , the smart card,
user Ui , Bi = BH (ri , fngi )
where , and the biometric, to produce a legal message
ei = h(h(IDi || PWi || Bi ) mod l ) , fi = di ⊕ h( IDi || PWi || Bi ) , MSG1 = < M 1 ,M 2 ,T1 ,EID j > . Specifically, the key to proving
and gi = Li ⊕ h( IDi ⊕ PWi ⊕ Bi ) . Then A can guess IDi* and the legitimacy of U i is the value M 2 = h(di* || L*i || K i || T1 ) .
PWi * , and computes ei* = h(h( IDi* || PWi* || Bi ) mod l ) , as The most critical fields of the computation of M 2 are the values
presented in Section 4.1. However, A cannot verify the di* fi h( IDi* || PWi* || Bi* ) and
correctness of IDi* and PWi * definitely because ei is a “fuzzy L *
i gi h( ID *
i PWi * *
B ) . However, without either PWi ,
i
verifier” [59] [60]. the smart card, or the biometric, A cannot calculate di* or L*i .
Therefore, our protocol is secure against type I SSLA.
5) Resisting gateway impersonation attack
2) Resisting type II SSLA
In our protocol, the opponent A is unable to impersonate as
Moreover, type II SSLA is also infeasible in our protocol.
GWN to either U i or S j . In order to impersonate as GWN to
Suppose A could also intercept the message
MSG1 = < M 1 ,M 2 ,T1 ,EID j > sent by U i in the login phase, Sj , A needs to compute a legal value

where di* fi h( IDi* || PWi* || Bi* ) , M3 = h(IDi || IDj || IDGWN || X j || Ki || T2 ) . However, without
L*i gi h( IDi* PWi* Bi* ) , knowing the value X ʹj = h( IDʹj || X GWN ) , it is infeasible for A

M1 = ( IDi || SCNi || Ki ) 2 mod n , M 2 = h(di* || L*i || K i || T1 ) . to compute M 3 . Moreover, since we use the hash algorithm and
timestamp, A cannot obtain any useful information from the
A can derive di* fi h( IDi* || PWi* || Bi* ) ,
messages from the previous authentication sessions.
* * * *
L gi h( ID PWi B ) , where gi is revealed from
i i i In contrast, to impersonate as GWN to either U i , A needs
U i ’s smart card. Due to the hardness of quadratic residue to compute a legal value M8 = h(SKGWN || IDi || di || K j ) . To do
problem, it is impossible for the adversary to compute R1 from so, A needs to have knowledge of K i to compute the value
2
the value M1 = ( IDi || SCN i || K i ) mod n . Therefore, A is SKGWN = h( IDi || ID j || Ki || K j ) . To get K i , A has to know
* * *
unable to calculate M = h(d || L || K i || T1 ) , which is a
2 i i the secret key p and q of GW . It is impossible because the
necessary to check the correctness of ID and PWi . *
i
*
secret key is carefully protected by the administrator. The other
Thus, our 3FA protocol is completely secure against type II way left for A is to decrypt the value
SSLA. M1 = ( IDi || SCNi || Ki ) 2 mod n , which is computationally
3) Resisting KSSTIA infeasible because of the hardness of quadratic residue problem.
In Amin et al.’s protocol, the static value h( IDi || X j ) is used Thus, the protocol can withstand the gateway node
impersonation attack.
to protect the ephemeral random numbers, where X j is the
6) Resisting SN impersonation attack
sensor key shared between S j and GW . As a result, the Suppose A tries to impersonate S j after capturing the
disclosure of ephemeral random number K i will lead to the messages exchanged in the previous authentication sessions. A
compromise of the static value h( IDi || X j ) , which in turn will needs to generate MSG3 = < M 6 , M 7 , T3 > to impersonate S j ,

cause the compromise of ephemeral random numbers in other where SK j = h(IDi** || IDj || Ki** || K j ) ,
authentication sessions. In our proposed protocol, we avoid this M 6 = h( SK j || X j || K j || T3 ) , and M 7 = K ⊕ K j . Thus, A **
i
risk by introducing the mechanism of timestamp and hash.
has to know Ki in order to compute
Specifically, we compute M5 Ki h(IDi || IDj || X j || T2 ) . In
M 6 = h( SK j || X j || K j || T3 ) . Similar to the analysis of gateway
this case, even though K i is compromised, the opponent can
impersonation attack, A is unable to obtain K i . Thus A
only obtain the hashed value h( IDi || IDj || X j || T2 ) , which is
cannot carry out the SN impersonation attack.
dynamic in each authentication session and will not endanger

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2673239, IEEE Access

14

7) Resisting modification attack 11) Mutual authentication


In our protocol, the opponent A is unable to modify any of An adversary cannot generate legal
the messages MSG1 = < M 1 ,M 2 ,T1 ,EID j > , * *
M 2 = h(di || Li || K i || T1 ) without knowing U i ’s private key
MSG2 = < IDGWN , M 3 , M 4 , M 5 , T2 > , di* and L*i . So GWN can authenticate U i by verifying the
MSG3 = < M 6 , M 7 , T3 > , or MSG4 = < M 7 , M8 > . Assume correctness of M 2 . Similarly, U i can authenticate GWN by
that A intercepts one of these messages, and then transmits a verifying the correctness of M 8 = h( SKGWN || IDiʹ || diʹ || K ʹj ) .
modified one. However, each message is protected by a hash
Hence, U i and GWN are mutually authenticated.
value computed with a secret value. For instance, in MSG1 , A
On the other hand, S j authenticates GWN by verifying the
cannot calculate M 2 = h(di* || L*i || K i || T1 ) , since
correctness of M 3 = h( IDiʹ || IDʹj || IDGWN || X ʹj || Kiʹ || T2 ) . At the
di* fi h( IDi* || PWi* || Bi* ) and
same time, GWN could authenticate S j by verifying the
L*i gi h( IDi* PWi* Bi* ) are secret values which cannot
correctness of M 6 = h( SK j || X j || K j || T3 ) . Hence, our 3FA
be computed without knowing either PWi , the smart card, or
protocol also achieves mutual authentication between GWN
the biometric. Any modification will be detected by the receiver
and S j .
of the message who will check the correctness of the hash value
in each message. Hence, our protocol is secure against 12) Session key agreement
modification attacks. In a successful authentication session, the session key
8) Resisting replay attack SK = h( IDi || ID j || Ki || K j ) is established between U i and S j
In our protocol, A may attempt to replay old messages sent to protect future communication. It is worth pointing out that
by the entities. However, the timestamp mechanism and the the secrecy of SK is dependent on the secrecy of the random
challenge-response mechanism are used in all the messages numbers involved. All these values are carefully protected by
involved to resist replay attacks. Specifically, the secret values shared between the participants in each
MSG1 = < M 1 ,M 2 ,T1 ,EID j > , message.
MSG2 = < IDGWN , M 3 , M 4 , M 5 , T2 > and Suppose the session key SK = h( IDi || ID j || Ki || K j ) of one
MSG3 = < M 6 , M 7 , T3 > are protected by a hash value which session is disclosed to the opponent A . However, he/she cannot
is computed with a shared secret between the sender and compute any of the past and future session keys by using SK
receiver. As a result, A cannot bypass the timestamp. If A because the session key is protected by h(⋅) and the random
would replay a previous message, it will be detected by the numbers < K i , K j > are different in each session. As a result,
receiver instantly through checking the timestamp and the hash
our 3FA protocol achieves session key agreement and known
value. key security.
On the other hand, MSG4 = < M 7 , M8 > contains a 13) User anonymity
challenge K i , which is chosen by U i . Additionally, these two Privacy is of increasing importance in the IoT and cloud
messages are also protected by a hash value computed with K i . computing era [65]-[70]. Suppose the opponent A first
captures all the messages transmitted between the participants
Thus, A cannot bypass the challenge-response mechanism.
during the protocol execution and then tries to guess the identity
Then GW and U i could discover message replay by
of the user. In our proposed protocol, U i ’s identity IDi is
validating the freshness of K i .
included in the field M 1 = ( IDi || SCN i || K i ) 2 mod n in the
Thus, our 3FA protocol could defend against replay attacks.
9) Resisting privileged insider attack first message. To get IDi , A has to know the secret key p and
In practice, users may register across different information q of GWN . It is impossible to do so because the secret key is
systems with the same password. If a privileged insider may carefully protected by the administrator. The other way left for
somehow obtain the password of the user, he/she can use it to A to obtain IDi is to decrypt the value
impersonate as this user to access the services of other systems.
M1 = ( IDi || SCNi || Ki ) 2 mod n , which is computationally
In our protocol, U i only submits IDi during the registration
infeasible due to the hardness of quadratic residue problem.
phase. As a result, an insider cannot obtain U i ’s password.
Hence, our 3FA protocol achieves user anonymity.
Hence, our protocol can withstand privileged insider attack. 14) User untraceability
10) Resisting stolen verifier attack To track a user, A captures these messages involved in
In this attack, an opponent steals the verification information different authentication sessions and checks whether they have
(e.g., plaintext or hashed passwords) stored in the server. In our the same field to learn whether the same user are involved.
protocol, the server maintains a database storing However, A cannot trace U i by capturing the authentication
<IDi , SCNi , xi ,Personal credential> , which has no information messages. Assume that A intercepts
related to the password. Thus, stolen verifier attack is not MSG1 = < M 1 ,M 2 ,T1 ,EID j > ,
possible in our protocol.

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2673239, IEEE Access

15

MSG2 = < IDGWN , M 3 , M 4 , M 5 , T2 > , bit XOR operation because it requires very limited computation.
MSG3 = < M 6 , M 7 , T3 > , and MSG4 = < M 7 , M8 > . We note TH , TS , TM , TQR , TECM denote the cost for executing the hash,
that the computation of each field involves the timestamp and a the symmetric encryption/decryption, the modular squaring, the
random number which are different in each session. As a result, computation of a square root modulo N , and ECC point
the messages of each session are also different. Therefore, our multiplication respectively. It is worth noting that the modular
protocol resists user tracking attacks and achieves user squaring is as efficient as the hash operation while the
untraceability. computation of a square root modulo N is similar to modular
15) Biometric template privacy encryption.
Biometric template privacy is preserved. First, the user Table 3 shows the results of the comparison. Our protocol is
provides no biometric templates to the server, and the server as efficient as the most efficient one of the previously
stores no information related to the user’s biometric template. proposed protocols at the mobile device and SNs. Although the
Second, the biometric information is first converted by the computation cost for the gateway of our proposed scheme is
biohashing algorithm and then protected by the hash function. higher than that of Amin et al.’s protocol and Das’s protocol,
Since these two mechanisms are both one-way operation, the generally it is not a concern, because the gateway is powerful
information stored in the smart card will not leak biometrics. and has no resource constraints. Moreover, Das’s protocol and
Therefore, biometric template privacy is achieved in our Amin et al.’s protocol [39] is prone to SSLA.
protocol.
16) Smart card and user revocation VIII. CONCLUSION
In our scheme, a database storing the user identity and smart We have analyzed the three-factor mutual authentication
card number is maintained, through which the invalid smart protocol of Amin et al. and we have shown its security
card will be detected. Thus, lost/stolen smart card can be drawbacks. The protocol of Amin et al. suffers from Type I
revoked by removing the card number from the database. SSLA and Type II SSLA. In particular, the user identity and
C. Comparison of security features password can be exhaustively guessed in an offline manner with
In Table 2, we present the comparison of our 3FA protocol the secrets stored in the stolen smart card and the intercepted
with the ones in [48] and [39]. authentication messages. Furthermore, the protocol suffers
From Table 2, we note that both Wu et al.’s protocol and from KSSTIA when the temporal parameters in an
Amin et al.’s protocol are susceptible to several attacks, e.g., authentication session are disclosed. Finally, the protocol is
SSLA. Wu et al.’s protocol cannot provide smart card prone to tracking attack and fails to fulfill user untraceability.
revocation. Amin et al.'s protocol is prone to KSSTIA and Next, we have presented a lightweight and secure three-
cannot provide user untraceability. Table 2 shows that our new factor authentication protocol based on Rabin cryptosystem.
protocol is the only one that is free from security attacks and We conducted a formal verification of the proposed protocol by
provides the required functionality. using ProVerif to demonstrate that it fulfills the required
security features. Furthermore, we also present a
VII. EFFICIENCY ANALYSIS comprehensive heuristic security analysis to demonstrate that
our protocol is capable of withstanding all the possible active
We evaluate the efficiency of our new protocol compared and passive attacks including addressing the weaknesses
with other protocols. Since SNs are constrained in terms of revealed in the protocol of Amin et al., and we further show that
critical resources such as memory, processing power and our proposed protocol support all the desired security features.
energy, special attention must be given to the computation cost A performance analysis of our proposed protocol shows that it
of security protocols for WSN [71]. can be deployed in practice for Internet-integrated WSN, while
In Table 3, we summarize the computational time of our new achieving a balance between security and efficiency.
protocol and the related ones in [45], [38], [48], [49], [39]. We
focus only on the login and authentication phase and ignore the
Table 2 Comparison of security features
Wu et al.’s Amin et al.’s
Our protocol
protocol [48] protocol [39]
Resisting type I SSLA O O P
Resisting type II SSLA O O P
Resisting KSSTIA P O P
Resisting user impersonation attack P P P
Resisting gateway impersonation attack P P P
Resisting SN impersonation attack P P P
Resisting modification attack P P P
Resisting replay attack P P P
Resisting privileged insider attack P P P
Resisting stolen-verifier attack P P P

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2673239, IEEE Access

16

Mutual authentication P P P
Secure key agreement P P P
User anonymity P P P
User untraceability P O P
Biometric template privacy P P P
Smart card revocation O P P

Table 3. Efficiency comparisons


Ui GWN Sj Total
Das’s protocol [45] 9 TH 11 TH 5 TH 25 TH
Das et al.’s protocol [38] 12 TH +2 TECM 10 TH 9 TH +2 TECM 31 TH +4 TECM
Wu et al.’s protocol [48] 11 TH +2 TECM 10 TH 3 TH +2 TECM 24 TH +4 TECM
Li et al.’s protocol [49] 6 TH +2 TS 7 TH +6 TS 5 TH +2 TS 18 TH +10 TS
Amin et al.’s protocol [39] 12 TH 15 TH 5 TH 32 TH
Our protocol 8 TH +1 TM 12 TH +1 TQR 5 TH 25 TH + TM + TQR

[18] S. Kumari, M. K. Khan, M.Atiquzzaman, “User authentication schemes


REFERENCES for wireless sensor networks: A review,” Ad Hoc Networks, vol. 27, pp.
159-194, 2015.
[1] S. Hong et al., "SNAIL: An IP-based wireless sensor network approach
[19] Q. Jiang, J. Ma, X. Lu, and Y. Tian, “An efficient two-factor user
to the internet of things", IEEE Wireless Commun., vol. 17, no. 6, pp. 34-
authentication scheme with unlinkability for wireless sensor networks,”
42, Dec. 2010.
Peer-to-Peer Netw. Appl., vol. 8, pp. 1070–1081, 2014.
[2] R. Roman, "Key Management Systems for Sensor Networks in the
[20] Debiao He, Neeraj Kumar, Naveen Chilamkurti. “A secure temporal-
Context of the Internet of Things", Computers & Electrical Eng., vol. 37,
credential-based mutual authentication and key agreement scheme with
no. 2, pp. 147-159, Mar. 2011.
pseudo identity for wireless sensor networks,” Information Sciences, vol.
[3] J. Granjal, E. Monteiro, J. S. Silva, "Security in the integration of low-
321, pp. 263-277, 2015.
power wireless sensor networks with the internet: A survey", Ad Hoc
[21] H.Xiong, “Cost-effective scalable and anonymous certificateless remote
Netw., vol. 24, pp. 264-287, Jan. 2015.
authentication protocol,” Information Forensics and Security, IEEE
[4] Z. Sheng, S. Yang, Y. Yu, A. Vasilakos, J. McCann, K. Leung, "A survey
Transactions on, vol. 9, no. 12, pp. 2327-2339, 2014.
on the IETF protocol suite for the Internet of Things: Standards challenges
[22] H. Xiong, Z.Qin, “Revocable and Scalable Certificateless Remote
and opportunities", IEEE Wireless Commun., vol. 20, no. 6, pp. 91-98,
Authentication Protocol With Anonymity for Wireless Body Area
Dec. 2013.
Networks,” IEEE Transactions on Information Forensics and Security,
[5] 6LoWPAN Working Group, http://tools.ietf.org/wg/6lowpan/
vol. 10, no. 7, pp. 1442-1455, 2015.
[6] ROLL Working Group, http://tools.ietf.org/wg/roll/.
[23] J. Shen, H Tan, S. Moh, et al. “Enhanced secure sensor association and
[7] R. Roman and J. Lopez, “Integrating wireless sensor networks and the
key management in wireless body area networks,” Journal of
Internet: A security analysis,” Internet Res., vol. 19, no. 2, pp. 246–259,
Communications and Networks, vol. 17, no. 5, pp. 453-462, 2015.
2009.
[24] F. Li, P. Xiong. "Practical secure communication for integrating wireless
[8] J. Astorga, E. Jacob, N. Toledo, et al. “Enhancing secure access to sensor
sensor networks into the internet of things," IEEE Sensors Journal, vol.
data with user privacy support,” Computer Networks, vol. 64, pp. 159-
13, no.10, pp. 3677-3684, 2013.
179, 2014.
[25] J. Astorga, E. Jacob, M. Huarte, M. Higuero, “Ladon: end-to-end
[9] J. Qi, X. Hu, Y. Ma, et al. "A Hybrid Security and Compressive Sensing-
authorisation support for resource-deprived environments,” IET Inf Secur,
Based Sensor Data Gathering Scheme," IEEE Access 3 (2015): 718-724.
vol. 6, no. 2, pp. 93–101, 2012
[10] Z. Fu et. al, "Achieving Efficient Cloud Search Services: Multi-keyword
[26] Q. Jiang, J. Ma, G. Li, X. Li, “Improvement of robust smart-card-based
Ranked Search over Encrypted Cloud Data Supporting Parallel
password authentication scheme,” International Journal of
Computing," IEICE Transactions on Communications, vol. E98-B, no. 1,
Communication Systems, vol. 28, no. 2, pp. 383-393, 2015.
pp.190-200, 2015.
[27] M. L. Das, “Two-factor user authentication in wireless sensor networks,”
[11] Z. Fu et. al, "Enabling Semantic Search based on Conceptual Graphs over
IEEE Trans. Wireless Commun., vol. 8, no. 3, pp. 1086–1090, Mar. 2009.
Encrypted Outsourced Data," IEEE Transactions on Services Computing,
[28] S. Kumari, X. Li, F. Wu, et al. “A user friendly mutual authentication and
DOI: 10.1109/TSC.2016.2622697
key agreement scheme for wireless sensor networks using chaotic maps,”
[12] H. Li, D. Liu, Y. Dai, et al. “Engineering searchable encryption of mobile
Future Generation Computer Systems, vol. 63, pp. 56-75, 2016.
cloud networks: when QoE meets QoP,” IEEE Wireless Communications,
[29] Q. Jiang, J. Ma, F. Wei, et al. “An untraceable temporal-credential based
vol. 22, no. 4, pp. 74-80, 2015.
two-factor authentication scheme using ECC for wireless sensor
[13] D. He, S. Zeadally, N. Kumar, J.-H. Lee, “Anonymous authentication for
networks,” Journal of Network and Computer Applications, vol. 76, pp.
wireless body area networks with provable security,” IEEE Systems
37-48, 2016.
Journal, DOI: 10.1109/JSYST.2016.2544805, 2016.
[30] Q. Jiang, N. Kumar, J. Ma, et al. “A privacy-aware two-factor
[14] D. He, S. Zeadally. “Authentication protocol for ambient assisted living
authentication protocol based on elliptic curve cryptography for wireless
system,” IEEE Communications Magazine, vol. 35, no. 1, pp. 71-77, 2015.
sensor networks,” International Journal of Network Management, 2016.
[15] K. T. Nguyena, M. Laurentb, N. Oualha, "Survey on secure
DOI: 10.1002/nem.1937.
communication protocols for the Internet of Things", Elsevier Ad Hoc
[31] F. Wei, J.Ma, Q. Jiang, et al. “Cryptanalysis and Improvement of an
Networks, vol. 32, pp. 17-31, September 2015.
Enhanced Two-Factor User Authentication Scheme in Wireless Sensor
[16] S. Raza, S. Duquennoy, A. Chung, D. Yazar, T. Voigt, U. Roedig,
Networks,” Information Technology And Control, vol. 45, no. 1, pp. 62-
"Securing communication in 6LoWPAN with compressed IPsec", Proc.
70, 2016.
7th Int. Conf. DCOSS, pp. 1-8, 2011-Jun.
[32] M. Turkanovic, B. Brumen, and M. Holbl, “A novel user authentication
[17] S. Ray, G. Biswas, "Establishment of ECC-based initial secrecy usable
and key agreement scheme for heterogeneous ad hoc wireless sensor
for IKE implementation", in Proceedings of the World Congress on
networks, based on the Internet of Things notion,” Ad Hoc Netw., vol. 20,
Engineering (WCE), Vol I, July 4 - 6, 2012, London, U.K pp. 1-6.
pp. 96–112, Sep. 2014.

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2673239, IEEE Access

17

[33] R. Amin, G.P Biswas, "A secure lightweight scheme for user [52] I. Natgunanathan, A. Mehmood, Y. Xiang, et al., “Protection of Privacy
authentication and key agreement in multi-gateway based wireless sensor in Biometric Data,” IEEE Access, vol. 4, pp. 880-892, 2016.
networks", Ad Hoc Networks, vol. 36, pp. 58-80, 2016. [53] Y. Dodis, L. Reyzin, and A. Smith, “Fuzzy extractors: How to generate
[34] M.S. Farash, M. Turkanovic, M. Kumari, S. Holb, "An efficient user strong keys from biometrics and other noisy data,” in EUROCRYPT, 2004,
authentication and key agreement scheme for heterogenous wireless pp. 523–540.
sensor network tailored for the internet of things environment", Ad Hoc [54] A. Juels and M. Sudan, “A fuzzy vault scheme,” in International
Network, vol. 36, pp. 152-176, 2016. Symposium on Information Theory (ISIT). IEEE Press, 2002, p. 408.
[35] C.C. Chang, H.D. Le. “A provably secure, efficient and flexible [55] A. T. B. Jin, D. N. C. Ling, and A. Goh, “BioHashing: Two factor
authentication scheme for ad hoc wireless sensor networks,” IEEE authentication featuring fingerprint data and tokenised random number,”
Transactions on Wireless Communications, vol. 15, no. 1, pp. 357–366, Pattern Recognit., vol. 37, no. 11, pp. 2245–2255, Apr. 2004.
2016. [56] R. Lumini and L. Nanni, “An improved BioHashing for human
[36] Y. Lu, L. Li, H. Peng, et al. “An Energy Efficient Mutual Authentication authentication,” Pattern Recognit., vol. 40, no. 3, pp. 1057-1065, Mar.
and Key Agreement Scheme Preserving Anonymity for Wireless Sensor 2007.
Networks,” Sensors, vol. 16, no. 6, article no. 837, 2016. [57] M. Rabin, “Digitalized Signatures and Public-Key Functions as
[37] F. Wu, L. Xu, S. Kumari, X. Li, J. Shen, K.-K. R. Choo, M. Wazid, Ashok Intractable as Factorization,” MIT Laboratory for Computer Science,
K. Das. “An efficient authentication and key agreement scheme for multi- 1979.
gateway wireless sensor networks in IoT deployment,” Journal of [58] H.-Y. Chien, “Combining Rabin cryptosystem and error correction codes
Network and Computer Applications, 2016. to facilitate anonymous authentication with un-traceability for low-end
http://dx.doi.org/10.1016/j.jnca.2016.12.008. devices,” Computer Networks, vol. 57, no. 14, pp. 2705-2717, 2013.
[38] A. K. Das, S. Kumari, V. Odelu, et al. “Provably secure user [59] D. Wang, D. He, P. Wang, C.-H. Chu, “Anonymous two-factor
authentication and key agreement scheme for wireless sensor networks,” authentication in distributed systems: certain goals are beyond attainment,”
Security and Communication Networks, vol. 9, no. 16, pp. 3670-3687, IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 4,
2016. pp. 428-442, 2015.
[39] R. Amin, SK Hafizul Islam, G.P. Biswas, M.Kh. Khan, L. Leng, N. [60] D. Wang, P. Wang, “Two Birds with One Stone: Two-Factor
Kumar, "Design of anonymity preserving three-factor authenticated key Authentication with Security Beyond Conventional Bound,” IEEE Trans.
exchange protocol for wireless sensor network", Computer Networks, vol. on Dependable and Secure Computing, 2016. Doi:
101, pp. 42-62, 2016. 10.1109/TDSC.2016.2605087.
[40] Debiao He, Ding Wang. “Robust biometrics-based authentication scheme [61] D. Wang, Q. Gu, H. Cheng, and P. Wang, “The Request for Better
for multi-server environment,” IEEE Systems Journal, vol. 9, no. 3, pp. Measurement: A Comparative Evaluation of Two-Factor Authentication
816-823, 2015. Schemes,” In Proceedings of the 11th ACM on Asia Conference on
[41] X. Li, J. Niu, Z. Wang, C. Chen, “Applying biometrics to design three- Computer and Communications Security, May 2016, pp. 475-486, ACM.
factor remote user authentication scheme with key agreement,” Security [62] P. Kocher, J. Jaffe, and B. Jun, “Differential Power Analysis,” in Proc.
and Communication Networks, vol. 7, no. 10, pp. 1488–1497, 2014. Adv. Cryptology, Santa Barbara, CA, USA, Aug. 1999, pp.388-397.
[42] Q. Jiang, F. Wei, S. Fu, J. Ma, G. Li, A. Alelaiwi, “Robust extended [63] T.S. Messerges, E.A. Dabbish, and R.H. Sloan, “Examining Smart-Card
chaotic maps-based three-factor authentication scheme preserving Security Under the Threat of Power Analysis Attack,” IEEE Trans.
biometric template privacy,” Nonlinear Dynamics, vol. 83, no. 4, pp. Comput., vol. 51, no. 5, pp.541-552, May 2002.
2085–2101, 2016. [64] M. Abdalla, F. Benhamouda, and P. MacKenzie. “Security of the j-pake
[43] Q. Jiang, M. K. Khan, X. Lu, J. Ma, D. He. “A privacy preserving three- password-authenticated key exchange protocol,” In Proceedings of IEEE
factor authentication protocol for e-health clouds,” Journal of S&P 2015, pp. 571–587.
Supercomputing, vol. 72, no. 10, pp. 3826–3849, 2016. [65] A.G. Reddy, A.K. Das, E.J. Yoon, K.Y. Yoo, “A secure anonymous
[44] Qi Jiang, Jianfeng Ma, Fushan Wei. “On the Security of a Privacy-Aware authentication protocol for mobile services on elliptic curve cryptography,”
Authentication Scheme for Distributed Mobile Cloud Computing IEEE Access, vol. 4, pp. 4394–4407, 2016.
Services,” IEEE Systems Journal, 2016. DOI: [66] Z. Fu et. al, "Towards Efficient Content-aware Search over Encrypted
10.1109/JSYST.2016.2574719. Outsourced Data in Cloud", in Proceedings of the 35th Annual IEEE
[45] A. K. Das, “A secure and robust temporal credential-based three-factor International Conference on Computer Communications (IEEE
user authentication scheme for wireless sensor networks,” Peer-to-Peer INFOCOM), San Francisco, CA, 2016, DOI:
Netw. Appl., vol. 9, no. 1, pp. 223–244, 2014. 10.1109/INFOCOM.2016.7524606
[46] A. K. Das, “A secure and effective biometric-based user authentication [67] Z. Fu et. al, "Toward Efficient Multi-keyword Fuzzy Search over
scheme forwireless sensor networks using smart card and fuzzy extractor,” Encrypted Outsourced Data with Accuracy Improvement", IEEE
Int. J. Commun. Syst., vol. 30, no. 1, 2017. doi: 10.1002/dac.2933. Transactions on Information Forensics and Security, vol. 11, no. 12, pp.
[47] A. K. Das, “A secure and efficient user anonymity-preserving three factor 2706-2716, 2016.
authentication protocol for large-scale distributed wireless sensor [68] Z. Xia et. al, "A Secure and Dynamic Multi-keyword Ranked Search
networks,” Wireless Pers. Commun., vol. 82, no. 3, pp. 1377–1404, 2015. Scheme over Encrypted Cloud Data," IEEE Transactions on Parallel and
[48] F. Wu, L. Xu, S. Kumari, et al. “An improved and provably secure three- Distributed Systems, vol. 27, no. 2, pp. 340-352, 2015.
factor user authentication scheme for wireless sensor networks,” Peer-to- [69] Z. Xia et. al, "A Privacy-preserving and Copy-deterrence Content-based
Peer Networking and Applications, 2016. DOI: 10.1007/s12083-016- Image Retrieval Scheme in Cloud Computing," IEEE Transactions on
0485-9. Information Forensics and Security, vol. 11, no. 11, pp. 2594-2608, 2016.
[49] X. Li, J. Niu, S. Kumari, J. Liao, W. Liang, M.K. Khan, “A new [70] S. Zeadally and M. Badra (Editors), Privacy in a Digital, Networked
authentication protocol for healthcare applications using wireless medical World - Technologies, Implications, and Solutions, Springer, London,
sensor networks with user anonymity,” Secur. Commun. Netw., vol. 9, no. United Kingdom, October 2015
15, pp. 2643–2655, October 2016. [71] Z. Liu, H. Seo, J. Großschädl, H.Kim, “Efficient Implementation of
[50] A K Das, A K Sutrala, V Odelu, et al. “A Secure Smartcard-Based NIST-Compliant Elliptic Curve Cryptography for 8-bit AVR-Based
Anonymous User Authentication Scheme for Healthcare Applications Sensor Nodes,” IEEE Transactions on Information Forensics and Security,
Using Wireless Medical Sensor Networks,” Wireless Personal vol.11, no. 7, pp. 1385-1397, 2016.
Communications, 2016. doi:10.1007/s11277-016-3718-6
[51] B. Blanchet, “An Efficient Cryptographic Protocol Verifier Based on
Prolog Rules,” in Proceedings of CSFW’01. IEEE Comp. Soc. Press,
2001, pp. 82–96.

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.