ECC-based three-factor authentication and key agreement scheme for wireless sensor networks

Abstract

In wireless sensor networks (WSNs), protocols with authentication and key agreement functions can enhance the security of the interaction between users and sensor nodes, guaranteeing the security of user access and sensor node information. Existing schemes have various security vulnerabilities and are susceptible to security attacks (e.g., masquerading user, password guessing, internal privilege, and MITT attacks), so they cannot meet the anonymity requirements or achieve forward security. To effectively improve the security performance of WSNs, an elliptic curve cryptography (ECC)-based three-factor authentication and key agreement scheme for WSNs is proposed. The scheme is based on the ECC protocol and combines biometrics, smart card and password authentication technology; uses a challenge/response mechanism to complete the authentication between users, gateways, and sensors; and negotiates a secure session key. The Burrows, Abadi and Needham logic for formal security analysis proves the correctness and security of the scheme, and the informal analysis of multiple known attacks proves that the scheme can resist various attacks and has high security characteristics. The feasibility of the scheme has been analysed and verified with the ProVerif tool. The efficiency analysis results show that the scheme is suitable for resource-constrained WSNs.

Introduction

As wireless sensor networks (WSNs) are widely used in various application areas, securing their communication has become one of the focuses of researchers. The confidentiality of information communication is a major challenge, and protecting the privacy of data from unauthorized access by attackers is a major problem facing Internet of Things (IoT) WSNs¹. Current schemes suffer from various security vulnerabilities in authentication and key agreement functions and are susceptible to security attacks such as masquerading users, password guessing, insider privileges, and MITM (Man-in-the-Middle), so they cannot satisfy anonymity requirements or achieve forward security. In IoT WSNs, establishing user authentication protocols with session keys is an approach that is widely used to solve the above problems. In this context, this study aims to address the security vulnerabilities in existing WSNs, especially in the interaction between users and sensor nodes, to ensure the security of user access and sensor node information.

The significance of this research lies in the following points: (1) Safeguarding communication security: WSNs are widely used in environmental monitoring, health care, intelligent transportation, etc., which include data communication that often involves personal privacy and important information. By improving the security of authentication and key agreement, this study helps to secure user access and sensor node information against potential attack risks. (2) Filling existing security holes: In this study, it is found that there are various vulnerabilities in the current security protocols in WSNs, which may be subject to attacks such as camouflage and password guessing. By combining elliptic curve cryptography and multifactor authentication techniques, this scheme is expected to fill these loopholes and improve the overall security of WSNs. (3) Promotion of the development of security in the field of WSNs: With the evolution of the IoT, the range of applications of WSNs is expanding. Research on communication schemes with high security is crucial for the healthy development of WSNs. This study aims to offer fresh insights and approaches for enhancing security in WSNs. (4) Positive impact on practical applications: Not only is the correctness and security of the scheme verified through formal BAN logic and the ProVerif tool, but its ability to fight against a wide range of attacks through informal analysis is also verified. This makes the scheme more likely to succeed in practical applications and provides strong technical support for real-world deployments. (5) Suitable for resource-constrained environments: The results of the efficiency analysis show that the scheme is suitable for resource-constrained WSNs. This is a substantial advantage for sensor nodes that have limited computational and storage resources and is expected to have a positive impact in the real world.

To effectively enhance the security performance of WSNs, this study proposes a three-factor authentication and key agreement scheme based on elliptic curve cryptography (ECC). The scheme is based on the ECC protocol, combines biometric, smart card and cryptographic authentication techniques, uses a challenge/response mechanism to complete the authentication between the user, the gateway and the sensor, and negotiates a secure session key. The correctness and security of the scheme are validated through formal security analysis using BAN logic. In addition, the scheme is verified as highly secure against various attacks through informal analysis of a variety of known attacks. To ensure the feasibility of the research, the paper also provides an exhaustive analysis and validation of the scheme using the ProVerif tool. The final efficiency analysis results show that the scheme is suitable for resource-constrained WSNs and provides a feasible and efficient solution for secure communication in WSNs. The purpose of this study is to promote the development of security in the field of WSNs and to provide a more reliable protection mechanism for wireless sensor networks in practical applications.

Related works

In 2015, Lee et al.² proposed a nontamper smart card authentication key protocol scheme based on anonymous passwords. In 2017, Wu et al.³ noted that the scheme of Lee et al.² is not resistant to smart card loss, spoofed users, spoofed server attacks, and so forth. Wu et al. proposed an enhanced anonymous password authentication key agreement scheme. In 2016, Jiang et al.⁴ proposed a two-factor authentication scheme based on ellipse curve cryptography (ECC) for untraceable time vouchers in WSNs. In 2018, Li et al.⁵ found flaws in the work of Jiang et al.⁴, such as the lack of a password detection and change mechanism and a clock synchronization problem. Thus, Li et al. proposed a three-factor anonymous authentication scheme for WSNs in the IoT environment, using a fuzzy commitment scheme and error correction code to process user biometric information; however, the scheme proved to be unable to resist smart card loss attacks and achieve forward security. In 2022, Meriam et al.⁶ performed an informal security analysis of the protocol of Li et al.⁵, and the results showed that it cannot achieve anonymity and cannot resist session key leakage, internal, and other attacks. Thus, Meriam et al. proposed a three-factor mutual authentication and key agreement protocol for IoT WSNs based on lightweight ECC, using physically unclonable functions (PUFs) and ECC to improve security and effectively solve the security problem of Li et al.’s proposal⁵.

In 2017, Wu et al.⁷ proposed a user authentication scheme for WSNs based on the Internet of Things(IoT) and, in the same year, an efficient authentication and key agreement scheme for multigateway WSNs in the deployment of the IoT⁸. In 2019, Bayat et al.⁹ noted that the scheme of Wu et al.⁷ could not withstand certain security attacks. Thus, Bayat et al. proposed an analysis and improvement of the user authentication scheme of the IoT based on ECC. In 2019, Guo et al.¹⁰ found that the scheme of Wu et al.⁸ was inefficient and instead proposed a secure and efficient three-factor multigateway authentication protocol for WSNs; however, this scheme proved to be unable to resist offline password guessing and other attacks. In 2017, Jung et al.¹¹ proposed an efficient and secure anonymous authentication scheme based on key agreement in WSNs. In the same year, Sravani et al.¹² proposed an authentication key establishment scheme based on a secure signature for future IoT applications. However, the scheme was not resistant to man-in-the-middle attacks and was too complex and inefficient¹³.

In 2021, Azrour et al.¹⁴ proposed a new, enhanced IoT authentication protocol based on the literature^2,5, and⁹, that could resist replay, internal, and other attacks. In 2021, Vinoth et al.¹⁵ proposed a multifactor authentication key protocol scheme for industrial IoT security; however, this scheme could not deal with certain types of attacks, such as sensor node capture and replay attacks. In 2021, Xue et al.¹⁶ proposed a lightweight three-factor authentication and key agreement scheme for multigateway WSNs in the IoT based on a ummary of the literature^10,14, and ¹⁵ and proved the correctness and security of the proposed scheme through the BAN logic and BPR model. However, the scheme could not guarantee the security of the user's private key or negotiate a secure session key.

Motivation, contributions and road-map

Motivation

The motivation of this paper is to improve the security of wireless sensor networks (WSNs), especially to enhance the authentication and key agreement features in the interaction between users and sensor nodes. Currently existing schemes suffer from various security vulnerabilities and are susceptible to security attacks such as masquerading users, password guessing, internal privileges, and man-in-the-middle attacks. These vulnerabilities make it difficult for existing schemes to meet anonymity requirements and achieve forward security. In this article, they propose an integrated authentication and key agreement scheme based on the ECC protocol is proposed, combining multiple authentication techniques to improve the security performance of WSNs, and demonstrate its feasibility and high level of security through formal and informal security analysis.

Their contribution

1. 1)

   This paper proposes a three-factor authentication and key agreement scheme based on ECC for WSNs¹⁷. The new scheme is based on the ECC key agreement mechanism and introduces the challenge/response mechanism to establish authentication and key agreement mechanisms among users and gateways and sensors of WSNs. The security of the scheme is guaranteed by the security characteristics of biometrics, the elliptic curve discrete logarithm problem, and the one-way characteristics of the hash function.

2. 2)

   After the authentication and key agreement between the user and the sensor is completed, a password update and smart card logout scheme is proposed to assist users in better managing smart cards and enhance the security of the scheme.

3. 3)

   The proposed scheme is validated in several forms. The scheme's security is assessed through a formal analysis employing BAN logic. In addition, the nonformal security analysis proves the security performance of the scheme and its resistance to various attacks. Furthermore, simulations using the ProVerif tool validate the feasibility of the proposed scheme. Finally, the performance analysis shows that the scheme improves security without increasing energy consumption.

The road-map of the paper is as follows

In Section “Mathematical preliminaries”, they reviewed some of the basics of math and information security and defined the notations and descriptions and threat model used by the scheme. In Section “Safety analysis of existing schemes”, the advantages and some security vulnerabilities in the work of Xue et al.¹⁶ are discussed. Sections “The proposed scheme” and “Security analysis” present the proposed scheme and the corresponding security analysis, respectively. In Section “Efficiency analysis”, the performance of the proposed scheme is evaluated, and finally, the whole paper is concluded in Section “Conclusions”.

Mathematical preliminaries

Cryptanalysis

Cryptanalysis, a subset of cryptography, is the process of deciphering or breaking cryptographic systems. It utilizes techniques such as mathematics, computer science, and engineering to unveil encrypted data. The primary objective of cryptanalysis is to achieve unauthorized access to encrypted information by scrutinizing weaknesses in encryption algorithms, key management, and security mechanisms. This involves activities such as password guessing, analysing the mathematical aspects of encryption algorithms, identifying vulnerabilities in encryption keys, and exploiting errors in implementation. The efficacy of cryptanalysis hinges on the intricacy and robustness of the cryptosystem. This field plays a pivotal role in information security, contributing to the evaluation and enhancement of cryptographic system strength.

ECC and ECDH¹⁸

Elliptic Curve Cryptography (ECC) is a public key encryption algorithm that is widely used in the field of cryptography. The security of ECC is based on the discrete logarithmic problem on elliptic curves, which is considered to be difficult to solve; thus, encryption algorithms based on this mathematical puzzle provide a high level of security. Compared to traditional RSA algorithms based on the integer factorization problem, ECC can use shorter key lengths while providing the same level of security, thus reducing the computational and storage requirements. Overall, elliptic curve cryptography is an important part of the modern field of cryptography and provides a powerful tool for secure communication.

The elliptic Curve Diffie-Hellman key exchange (ECDH) is mainly used to establish secure shared encryption data in an insecure channel, generally exchanging private keys, which are generally used as "symmetric encryption" keys by both parties for subsequent data transmission. ECDH is based on the premise that given a point P on an elliptic curve and an integer k, it is easy to solve for Q = KP, but it is difficult to solve for K via Q, P.

BAN logic

BAN logic is a formal method for analysing and verifying cryptographic schemes, proposed by Burrows, Abadi, and Needham (BAN) in 1989¹⁹. The basic idea of BAN logic is to convert messages in a cryptographic scheme into a logical language representation and then use inference rules to derive the beliefs and goals of the participants in the scheme. BAN logic can be used to find vulnerabilities in a scheme to improve its security and efficiency.

Table 1 shows the notations used by BAN logic²⁰ and descriptions of these notations. The BAN logic rules used include: message meaning rule R1: \(\frac{{P| \equiv P\mathop \leftrightarrow \limits^{SK} Q,P \triangleleft \left\{ H \right\}_{SK} }}{{P\left| { \equiv Q} \right|{\sim }H}}\), random number verification rule R2: \(\frac{{P\left| { \equiv \# \left( H \right),P} \right| \equiv Q|{\sim }H}}{{P\left| { \equiv Q} \right| \equiv H}}\), arbitration rule R3: \(\frac{{P\left| { \equiv Q} \right| \equiv H,P\left| { \equiv Q} \right| \Rightarrow H}}{P| \equiv H}\), freshness rule R4: \(\frac{P| \equiv \# \left( H \right)}{{P| \equiv \# \left( {H,G} \right)}}\), belief rule R5: \(\frac{{P| \equiv \left( {H,G} \right)}}{P| \equiv G}\), and session secret key rule R6: \(\frac{{P\left| { \equiv \# \left( H \right),P} \right| \equiv Q| \equiv H}}{{P| \equiv P\mathop \leftrightarrow \limits^{SK} Q}}\).

Table 1 Notations used by BAN logic and descriptions of these notations.

Random oracle model

In 1993, Bellare and Rogaway formally proposed the Random Oracle Model (ROM) methodology, with which the past purely theoretical research of provable security methodology quickly made significant progress in the field of practical applications. A large number of fast and effective security programs have been proposed, and at the same time, they also produced the "concrete security or exact security", which means that they no longer only satisfy the asymptotic degree of security but can exactly obtain a more accurate security measure. Practical-oriented provable security theory has been widely accepted by academia and industry.

Inside cryptography, a random oracle is a prediction machine (simply put, like a black box for the theory) that returns a truly uniformly random output for any input, and for the same input, this prediction machine outputs the same output in the same way every time (i.e., if the query is repeated, it responds in the same way every time the query is submitted). In other words, a randomized prediction machine is a function that randomly maps all possible inputs to outputs.

The stochastic prediction machine model is usually an idealized stand-in for the real hash function and has its origins in the idea of viewing hash functions as pseudorandom. The stochastic prediction machine model has the following properties:

1. 1)

   Consistency: Inputs that are the same should produce matching outputs.

2. 2)

   Computability: the output can be calculated within a polynomial time frame.

3. 3)

   Uniform Distributability: The prediction machine's output is evenly spread across the value space without any overlaps.

4. 4)

   In the stochastic prediction machine model, it is assumed that the adversary will not exploit the weakness of the hash function to attack the cryptographic scheme.

Notations and descriptions

Table 2 shows the notations used in this paper and descriptions of these notations.

Table 2 Notations used in this paper and descriptions of these notations.

Threat model¹⁸

In this article, the following threat models are used:

1. 1)

   Communication conducted over a public channel is susceptible to eavesdropping, providing attackers with an advantage.

2. 2)

   Threats to any system can come from external entities or even legitimate users who may act as attackers.

3. 3)

   Attackers have the capability to manipulate, erase, redirect, and replay intercepted messages, compromising the integrity of the communication.

4. 4)

   The attacker is assumed to possess knowledge of the protocol used in the authentication system.

Safety analysis of existing schemes¹⁶

Scheme¹⁶ proposed an authentication and key agreement scheme for multigateway environments. In the scheme, biometrics, a crucial element, is extracted and authenticated using a fuzzy extractor. The program consists of the following six processes:

1. 1)

   System initialization. The SA assigns identity ID_hg, ID_fg and private keys x_hg, x_fg to HGWN and FGWN and establishes a shared key K_hf. The HGWN and FGWN independently choose three random numbers, denoted as R_h, R_f and R_fh, respectively.

2. 2)

   Registration. This stage comprises sensor registration and user registration. Both sensor nodes and users are needed to register their fundamental details with the nearest HGWN gateway. After the registration, U_i saves B₁ = h(α_i‖ID_i‖PW_i) ⊕ r_i, B₂ = h(HPW_i‖α_i‖ID_i‖r_i)mod n₀ to SC, HGWN saves SID_j, and S_j saves x_j.

3. 3)

   Login. U_i inputs ID_i, PW_i, and BIO_i, SC verifies the identity of U_i by calculating B₂ = h(HPW_i‖α_i‖ID_i‖r_i)mod n₀, if the verification passes, U_i sends M₁ = {TID_i, ID_hg, SID_j, D₀, D₁, D₂, D₃, T₁} over the public channel to HGWN.

4. 4)

   Authentication and key agreement.After receiving the communication request between U_i and SID_j, HGWN initially verifies if the designated sensor S_j is within its communication range. If HGWN can retrieve SID_j from its local database, it can proceed following Case 1, and the three parties, U_i, HGWN, and SID_j, perform authentication and key agreement; otherwise, it operates according to Case 2, and the four parties, U_i, HGWN, FGWN, and SID_j, perform authentication and key agreement.

5. 5)

   Password update. User enters his or her ID_i, PW_i, and BIO_i, and SC verifies. If the verification passes, the user enters new password PW_i', SC computes new B₁^′, B₂^′, and e_i^′ and saves.

6. 6)

   Smart card logout. The user enters his or her ID_i, PW_i, and BIO_i and SC verifies it. If the verification passes, U_i sends M₀ = {TID_i, β_i, R₀, T₁} over the public channel to HGWN. HGWN verifies that K_i' is equal to K_i by computation. if the verification passes it deletes U_i's information {ID_i, K_i, honey_list}.

The existing scheme¹⁶ has some advantages in resisting password guessing, replay, and other attacks to achieve two-way authentication and key agreement; however, there are also security vulnerabilities, such as the inability to guarantee anonymity and the potential to suffer from MITT attacks. In this section, the advantages of the scheme and the existence of security vulnerabilities are presented²¹.

Advantages of the scheme¹⁶

The advantages of the schemes¹⁶ include the following:

1. 1)

   The use of biometric-based fuzzy extraction technology effectively enhances the security of user login via the three-factor authentication mechanism.

2. 2)

   Security of the authentication process is ensured through use of the challenge/response mechanism²².

3. 3)

   The user’s secret x_i and the sensor’s secret x_j are calculated using the hash function, and they are not transmitted in the public channel, which can prevent the secret from being cracked and ensure its forward security.

4. 4)

   The honey list technique, which can prevent password guessing attacks by setting the number of logins and avoid smart card loss attacks and offline guessing attacks, is adopted.

5. 5)

   Replay attacks are avoided by setting the timestamp T.

6. 6)

   Two-way authentication and key agreement are achieved as the negotiated session key SK contains a random number of users, gateways, and sensors to improve the security of the negotiated key²³.

Security vulnerabilities of the scheme¹⁶

The scheme’¹⁶ security vulnerabilities include the following:

1. 1)

   Unable to meet the anonymity requirement: During the registration process, U_i sends ID_i to HGWN, Sj sends SID_j to HGWN, and HGWN sends ID_hg to U_i. Attackers intercept ID_i, ID_hg, and SID_j in the public channel to easily obtain the identity ID_s of the user, gateway, and node. Therefore, the scheme cannot guarantee anonymity.

2. 2)

   Unable to secure user parameters²⁴: During the registration process, U_i sends {ID_i, HPW_i, β_i} to the HGWN. The attacker intercepts ID_i in the public channel. During the login process, U_i sends M₁ = {TID_i, ID_hg, SID_j, D₀, D₁, D₂, D₃, T₁} to the HGWN. The attacker intercepts D₂ in the public channel and calculates:

   $$h(r_{u} ||x_{i} ) = ID_{i} \oplus D_{2}$$

   (1)

   The attacker intercepts D₀ and calculates:

   $$\beta_{i} = D_{0} \oplus h(x_{i} ||r_{u} )$$

   (2)
   $$K_{i} = h(ID_{i} ||\beta_{i} )$$

   (3)
   $$e_{i} = HPW_{i} \oplus K_{i} \oplus x_{i}$$

   (4)

   The attacker obtains all the parameters of the user login.

3. 3)

   Unable to secure user secrets x_i and sensor secrets x_j: During the registration process, U_i sends {ID_i, HPW_i, β_i} to HGWN and HGWN sends {TID_i, β_i, e_i, ID_hg} to U_i. The attacker intercepts HPW_i, ID_i, β_i, and e_i in the public channel and calculates:

   $$K_{i} = h(ID_{i} ||\beta_{i} )$$

   (5)
   $$x_{i} = HPW_{i} \oplus K_{i} \oplus e_{i}$$

   (6)

   The user secret x_i is cracked. Attackers directly obtain sensor secret x_j in the public channel.

4. 4)

   Unable to secure user private key r_u: During the login process, U_i sends M₁{TID_i, ID_hg, SID_j, D₀, D₁, D₂, D₃, T₁} to HGWN, and the attacker intercepts D₁ in the public channel and can crack x_i by point (3) above and calculates:

   $$r_{u} = D_{1} \oplus x_{i}$$

   (7)

   The user private key r_u is cracked.

5. 5)

   Unable to secure gateway private key r_hg and sensor private key r_s: During the registration process, HGWN sends {x_j} to S_j. The attacker intercepts x_j in the public channel. During the authentication process, the HGWN sends M₂ = {D₀, D₄, D₅, D₆, T₂} to S_j and S_j sends M₃ = {D₇, D₈, T₃} to the HGWN. The attacker intercepts D₄, D₇, T₂, T₄ in the public channel and can crack²⁵:

   $$r_{hg} = D_{4} \oplus h(x_{j} ||T_{2} )$$

   (8)

   The attacker crack:

   $$r_{s} = D_{7} \oplus h(x_{j} ||r_{hg} ||T_{4} )$$

   (9)
6. 6)

   Unable to achieve secure two-way authentication: According to Points (2), (3), and (4) above, the attacker cracks x_i, r_u, K_i, During the registration process, U_i sends {ID_i, HPW_i, β_i} to the HGWN, and during the login process, U_i sends M₁ = {TID_i, ID_hg, SID_j, D₀, D₁, D₂, D₃, T₁} to the HGWN. The attacker intercepts TID_i, ID_i, SID_j, T₁ in the public channel, and by calculating D₃ = h(TID_i‖ID_i‖SID_j‖r_u‖x_i‖K_i‖T₁) can crack D₃, so the gateway authentication user algorithm is cracked. During registration, HGWN sends {x_j} to S_j, during login, U_i sends M₁ = {TID_i, ID_hg, SID_j, D₀, D₁, D₂, D₃, T₁} to HGWN, and during authentication, HGWN sends M₂ = {D₀, D₄, D₅, D₆, T₂} to S_j. According to Points (4) and (5) above, the attacker cracks r_u, r_hg and intercepts SID_j, ID_hg, x_j, T₂ in the public channel; D₆ can be cracked by calculating:

   $$D_{6} = h(SID_{j} ||ID_{hg} ||r_{u} ||r_{hg} ||x_{j} ||T_{2} )$$

   (10)

   The sensor authentication gateway algorithm is cracked.

7. 7)

   Unable to negotiate a secure session key: The negotiated key is SK_s = h(r_u‖r_hg‖r_s‖ID_hg). During the login process, U_i sends M₁ = {TID_i, ID_hg, SID_j, D₀, D₁, D₂, D₃, T₁} to HGWN. According to Points (4) and (5) above, the attacker breaks r_u, r_hg, r_s and intercepts ID_hg in the public channel, which can crack:

   $$SK_{s} = h(r_{u} ||r_{hg} ||r_{s} ||ID_{hg} )$$

   (11)

   The scheme cannot negotiate a secure session key, and it has forward security problems.

8. 8)

   Unable to resist MITT attacks: The attacker records all M₁ = {TID_i, ID_hg, SID_j, D₀, D₁, D₂, D₃, T₁} sent to the GWN, all M₂ = {D₄, D₅, D₆, T₂} sent to S_j, and all x_j sent to S_j by the gateway, and then calculates:

   $$r_{hg}^{*} = D_{4} \oplus h(x_{j}^{*} ||T_{2} )$$

   (12)
   $$r_{u}^{*} = D_{5} \oplus h(r_{hg}^{*} ||x_{j}^{*} ||T_{2} )$$

   (13)

For each group M₁, the attacker calculates:

$$x_{i}^{*} = r_{u}^{*} \oplus D_{1}$$

(14)

$$\beta_{i}^{*} = D_{0} \oplus h(x_{i}^{*} ||r_{u}^{*} )$$

(15)

$$ID_{i}^{*} = D_{2} \oplus h(r_{u}^{*} ||x_{i}^{*} )$$

(16)

$$K_{i}^{*} = h(ID_{i}^{*} ||\beta_{i}^{*} )$$

(17)

Whether D₃^* = h(TID_i‖ID_i^*‖SID_j‖r_u^*‖x_i^*‖K_i^*‖T₁) is equal to D₃ is verified. If equal, the attacker can determine user U_i with its corresponding S_j and obtain the values of the parameters r_u, x_i, and so on. The attacker starts a new session with user U_i, selects r_hg, r_s, and TID_i^′, and calculates:

$$SK_{hg} = h(r_{u} ||r_{hg} ||r_{s} ||ID_{hg} )$$

(18)

$$D_{9} = r_{s} \oplus h(x_{i} ||r_{u} )$$

(19)

$$D_{10} = \, r_{hg} \oplus h(r_{u} ||x_{i} )$$

(20)

$$x_{i}^{{\prime }} = h(TID_{i}^{{\prime }} ||x_{hg} ) \oplus R_{h}$$

(21)

$$D_{11} = TID_{i}^{{\prime }} \oplus h(x_{i} ||ID_{i} ||r_{u} )$$

(22)

$$D_{12} = x_{i}^{{\prime }} \oplus h(TID_{i}^{{\prime }} ||x_{i} )$$

(23)

$$D_{13} = \, h(SK_{hg} ||x_{i}^{{\prime }} ||TID_{i}^{{\prime }} ||K_{i} ||T_{4} )$$

(24)

The attacker sends M₄ = {D₉, D₁₀, D₁₁, D₁₂, D₁₃, T₄} to U_i. U_i calculates:

$$r_{s}^{*} = D_{9} \oplus h(x_{i} ||r_{u} )$$

(25)

$$r_{hg}^{*} = \, D_{10} \oplus h(r_{u} ||x_{i} )$$

(26)

$$SK_{u}^{*} = h(r_{u} ||r_{hg}^{*} ||r_{s}^{*} ||ID_{hg} )$$

(27)

$$TID_{i}^{{{\prime * }}} = D_{11} \oplus h(x_{i} ||ID_{i} ||r_{u} )$$

(28)

$$x_{i}^{{{\prime }*}} = D_{12} \oplus h(TID_{i}^{{{\prime }*}} ||x_{i} )$$

(29)

U_i verifies whether D₁₃^* = h(SK_hg^*‖x^′*‖TID_i^′*‖K_i‖T₄) is equal to D₁₃. If equal, according to the rule, the user accepts this SK as the agreement key and the attacker successfully implements the MITT attack.

The proposed scheme

In this section, an ECC-based three-factor authentication and key agreement scheme for WSNs is proposed, the improvement measures of the scheme are introduced, and then a specific implementation scheme, including system initialization, node registration, user registration, two-way authentication and key agreement, password update, and smart card logout, is proposed¹⁷. The proposed scheme operates under the following security assumptions:

1. 1)

   The gateway is securely impenetrable and has unlimited computation, storage, and communication capabilities.

2. 2)

   The WSN network is a bidirectional channel, and nodes can communicate normally.

3. 3)

   The WSN network employs asymmetric encryption, meaning it utilizes both public and private keys.

4. 4)

   Upon successful completion of the key agreement in the WSN network, the user and the sensor node can establish communication using the session key.

Scheme improvement measures

1. 1)

   The authentication scheme is designed using an ECC key agreement protocol to ensure the forward security of the scheme.

2. 2)

   The user ID is replaced by the user identifier TID after the hashing operation, all IDs are forbidden to be sent explicitly, and no direct XOR calculation can be performed to ensure the anonymity of the scheme.

3. 3)

   Random numbers r_u and r_s are forbidden to be sent in clear text, and no direct XOR calculation can be performed to ensure secure two-way authentication and key agreement and resist MITT attacks²⁶.

4. 4)

   More complex parameters are selected to improve the security of the session key.

5. 5)

   The relevant parameters in the SC card are updated after two-way authentication and key agreement to ensure that the scheme is resistant to internal attacks²⁷.

Specific implementation plan

1. 1)

   System Initialization

   At the very beginning, the system needs to be initialized. GWN selects E(F_p), P, h(.) and the secret value K_G, publicly release E(F_p), P, h(.), save K_G.

2. 2)

   Node Registration

   After the system is initialized, the node can start registering. Node S_j applies for registration to the GWN, which selects the unique SID_j of the node, calculates x_j = h(SID_j‖K_G), and writes {SID_j, x_j} to node S_j.

3. 3)

   User Registration

   After the system is initialized, the user can start registering. The user registration process is shown in Fig. 1.

   • Step R1: User U_i inputs ID_i, PW_i, BIO_i, chooses random number r_i ∈ Z_p^*, calculates R_i = r_i·P, Gen(BIO_i) = (α_i, β_i), TID_i = h(ID_i‖α_i‖r_i), HPW_i = h(PW_i‖α_i), and U_i sends {TID_i, HPW_i, R_i} to GWN.

   • Step R2: The gateway GWN chooses a random number r_g ∈ Z_p^* and calculates R_g = r_g·P. After the GWN receives the U_i message, it calculates x_i = h(TID_i‖K_G), K_i = h(TID_i‖HPW_i), R_ig = r_g·R_i, e_i = x_i ⊕ R_ig ⊕ K_i, sets the number of logins List = 0, saves {TID_i, HPW_i, List = 0}. Write {R_g, e_i} to smart card SC_i and issue to U_i.

   • Step R3: User U_i receives the smart card SC_i, calculates K_i = h(TID_i‖HPW_i), R_ig = r_i·R_g, x_i = e_i ⊕ R_ig ⊕ K_i, B₁ = h(ID_i‖α_i‖PW_i) ⊕ r_i, B₂ = h(HPW_i‖ID_i‖α_i‖r_i)mod n₀, and writes {B₁, B₂, β_i} to the smart card SC_i.

4. 4)

   Authentication and Key Agreement

   After node and user registration is complete, the user, GWN, and node can start authentication and key agreement. Figures 2 and 3 shows the authentication and key agreement phase.

   • Step A1: User U_i inputs ID_i, PW_i, BIO_i, smart card SC_i calculates α_i^* = Rep(BIO_i, β_i), r_i^* = B₁ ⊕ h(ID_i‖α_i^*‖PW_i), HPW_i^* = h(PW_i‖α_i^*), B₂^* = h(HPW_i^*‖ID_i‖α_i^*‖r_i^*)mod n₀, SC_i verifies whether B₂^* is equal to B₂ and continues it is; otherwise, terminate. User U_i chooses a random number r_u ∈ Z_p^* and calculates R_u = r_u·P, R_ig = r_i·R_g, K_i = h(TID_i‖HPW_i), x_i = e_i ⊕ R_ig ⊕ K_i, TID_i^′ = h(ID_i‖α_i‖r_u), C_u = h(R_u‖x_i^′), D₀ = r_u·R_g, D₁ = h(D₀‖TID_i‖HPW_i), D₂ = TID_i^′ ⊕ (D₁‖x_i), choose time T₁, calculate D₃ = h(TID_i^′‖D₀‖x_i‖K_i‖T₁). U_i sends {R_u, D₂, D₃, TID_i, T₁} to the GWN.

   • Step A2: The gateway GWN receives the message and selects T₂, verifies whether |T₂ − T₁| is less than or equal to △T and continues if it is, otherwise terminates. The GWN calculates D₀^* = r_g·R_u, x_i = h(TID_i‖K_G), D₁^* = h(D₀^*‖TID_i‖HPW_i), TID_i^′* = D₂ ⊕ (D₁^*‖x_i), K_i = h(TID_i‖HPW_i), D₃^* = h(TID_i^′*‖D₀^*‖x_i‖K_i‖T₁), verifies whether D₃^* is equal to D₃ and continues if it is, List plus one; otherwise, it is terminated. GWN calculates x_i^′* = h(TID_i^′*‖K_G), C_u^* = h(R_u‖x_i^′*), D₄ = r_g ⊕ h(SID_j‖x_j‖T₂), D₅ = C_u ⊕ h(r_g‖x_j), D₆ = TID_i^′ ⊕ h(SID_j‖r_g), D₇ = h(TID_i^′‖SID_j‖C_u‖r_g‖x_j‖T₂), and the GWN sends {R_u, R_g, D₄, D₅, D₆, D₇, T₂} to S_j.

   • Step A3: The sensor S_j receives the message and selects T₃, verifies whether |T₃ − T₂| is less than or equal to △T and continues it is; otherwise, it is terminated. S_j selects a random number r_s ∈ Z_p^*, calculates R_s = r_s·P, r_g^* = D₄ ⊕ h(SID_j‖x_j‖T₂), C_u^* = D₅ ⊕ h(r_g^*‖x_j), TID_i^’* = D₆ ⊕ h(SID_j‖r_g^*), D₇^* = h(TID_i^′*‖SID_j‖C_u^*‖r_g^*‖x_j‖T₂), verifies whether D₇^* is equal to D₇ and continues if it is; otherwise, it is terminated. C_s = h(R_s‖x_j), R_su = r_s·R_u, SK_s = h(SID_j‖r_g‖R_su‖C_u‖C_s‖TID_i^′), D₈ = r_s·R_g, D₉ = h(SID_j‖r_g‖D₈‖x_j‖C_s‖T₃), D₁₀ = h(SID_j‖SK_s‖r_g‖TID_i^′) is calculated, and S_j sends {R_s, D₉, D₁₀, T₃} to the GWN.

   • Step A4: The gateway GWN receives the message and selects T₄, verifies whether |T₄ − T₃| is less than or equal to △T and continues if it is; otherwise, it is terminated. The GWN calculates C_s^* = h(R_s‖x_j), D₈^* = r_g·R_s, D₉^* = h(SID_j‖r_g‖D₈^*‖x_j‖C_s^*‖T₃), verifies whether D₉^* is equal to D₉ and continues if it is; otherwise, it is terminated. D₁₁ = r_g ⊕ h(D₀‖x_i^′‖T₄), D₁₂ = C_s ⊕ h(x_i^′‖r_g), D₁₃ = SID_j ⊕ h(D₁₂‖x_i^′‖r_g), K_i^′ = h(TID_i^′‖HPW_i), e_i^′ = x_i^′ ⊕ R_ug ⊕ K_i^′, D₁₄ = h(TID_i^′‖x_i^′‖K_i^′‖r_g‖C_s‖SID_j‖D₀‖T₄) is calculated and {TID_i^′, K_i^′, List} is updated, and the GWN sends {R_s, e_i^′, D₁₀, D₁₁, D₁₂, D₁₃, D₁₄, T₄} to U_i.

   • Step A5: User U_i receives the message and selects T₅, verifies whether |T₅ − T₄| is less than or equal to △T and continues it is; otherwise, it is terminated. U_i calculates K_i^′ = h(TID_i^′‖HPW_i), x_i^′* = e_i^′ ⊕ R_ug ⊕ K_i^′, C_u^* = h(R_u‖x_i^′*), r_g^* = D₁₁ ⊕ h(D₀‖x_i^′*‖T₄), C_s^* = D₁₂ ⊕ h(x_i^′*‖r_g^*), SID_j^* = D₁₃ ⊕ h(D₁₂‖x_i^′*‖r_g^*), D₁₄^* = h(TID_i^′‖x_i^′*‖K_i^′‖r_g^*‖C_s^*‖SID_j^*‖D₀‖T₄), verifies whether D₁₄^* is equal to D₁₄ and continues if equal; otherwise, it is terminated. R_us = r_u·R_s, SK_u = h(SID_j‖r_g‖R_us‖C_u‖C_s‖TID_i^′), D₁₀^* = h(SID_j‖SK_u‖r_g‖TID_i^′) is calculated, whether D₁₀^* is equal to D₁₀ is verified, and it continues if it is; otherwise, it is terminated. This completes the two-way authentication and negotiates the session key SK for user U_i and sensor S_j. Finally, U_i calculates B₁^′ = h(ID_i‖α_i‖PW_i) ⊕ r_u, B₂^′ = h(HPW_i‖ID_i‖α_i‖r_u)mod n₀ with B₁^′, B₂^′, e_i^′ replacing B₁, B₂, e_i within the smart card SC_i.

5. 5)

   Password Update.

   Users can also perform a password update at any time after completing the authentication and key agreement. The password update process is shown in Fig. 4.

   • Step P1: User U_i inputs ID_i, PW_i, BIO_i, smart card SC_i calculates α_i^* = Rep(BIO_i,β_i), r_u^* = B₁ ⊕ h(ID_i‖α_i^*‖PW_i), HPW_i^* = h(PW_i‖α_i^*), B₂^* = h(HPW_i^*‖ID_i^*‖α_i^*‖r_u^*)mod n₀, verifies whether B₂^* is equal to B₂ and continues if it is; otherwise, it is terminated. SC_i calculates TID_i = h(ID_i‖α_i‖r_u), K_i = h(TID_i‖HPW_i), R_ug = r_u·R_g, x_i = e_i ⊕ R_ug ⊕ K_i.

   • Step P2: User U_i enters the new password PW_i^new, smart card SC_i calculates HPW_i^new = h(PW_i^new‖α_i), K_i^new = h(TID_i‖HPW_i^new), e_i^new = R_ug ⊕ K_i^new ⊕ x_i, B₁^new = h(ID_i‖α_i‖PW_i^new) ⊕ r_u, B₂^new = h(HPW_i^new‖ID_i‖α_i‖r_u)mod n₀, replacing B₁,B₂,e_i in smart card SC_i with B₁^new, B₂^new, e_i^new, and the password update is completed.

6. 6)

   Smart Card Logout

   Smart Card Logout can be performed when the user's Smart Card is no longer in use. The smart card logout process is shown in Fig. 5.

   • Step S1: User U_i inputs ID_i, PW_i, BIO_i, calculates α_i^* = Rep(BIO_i,β_i), r_u^* = B₁ ⊕ h(ID_i‖α_i^*‖PW_i), HPW_i^* = h(PW_i‖α_i^*), B₂^* = h(HPW_i^*‖ID_i‖α_i^*‖r_u^*)mod n₀, verifies whether B₂^* is equal to B₂ and continues if it is; otherwise, it is terminated. K_i = h(TID_i‖HPW_i), R_ug = r_u·R_g, x_i = e_i ⊕ R_ug ⊕ K_i is calculated, time T₁ is chosen, L_o = x_i ⊕ h(K_i‖T₁) is calculated, and U_i sends {TID_i, L_o, T₁} to the GWN.

   • Step S2: The gateway GWN receives the message and selects T₂, verifies whether |T₂ − T₁| is less than or equal to △T and continues if it is; otherwise, it is terminated. The GWN calculates K_i^′ = h(TID_i‖HPW_i), x_i^* = L_o ⊕ h(K_i^′‖T₁), x_i = h(TID_i‖K_G), verifies whether x_i^* is equal to x_i and continues if it is; otherwise, it is terminated. Finally, the messages associated with U_i{TID_i, HPW_i, List} are deleted, and smart card revocation is completed.

Figure 1

Registration phase.

Figure 2

The authentication and key agreement phase 1.

Figure 3

The authentication and key agreement phase 2.

Figure 4

Password update.

Figure 5

Smart card logout.

Security analysis

This section provides a formal security analysis of the scheme using BAN logic. The informal security analysis is performed through Propositions 1 to 11 for a variety of known attacks. The security analysis proves the correctness of the scheme; it can resist various security attacks and has high security characteristics²⁸.

Formal analysis based on BAN logic

Next, BAN logic is used to demonstrate the security of the scheme.

1. 1)

   Goals

   G1: \(S_{j} | \equiv U_{i} \mathop \leftrightarrow \limits^{SK} S_{j}\) G2: \(S_{j} \left| { \equiv U_{i} } \right| \equiv U_{i} \mathop \leftrightarrow \limits^{SK} S_{j}\)

   G3: \(U_{i} | \equiv S_{j} \mathop \leftrightarrow \limits^{SK} U_{i}\) G4: \(U_{i} \left| { \equiv S_{j} } \right| \equiv S_{j} \mathop \leftrightarrow \limits^{SK} U_{i}\)

2. 2)

   Idealized Forms

   M1: \(U_{i} \to GWN:R_{u} ,D_{2} ,T_{1} ,TID_{i} , < TID_{i}^{{\prime }} ,D_{0} ,k_{i} >_{{x_{i} }}\)

   M2: \(GWN \to S_{j} :R_{u} ,R_{g} ,D_{4} ,D_{5} ,D_{6} ,T_{2} , < TID_{i}^{{\prime }} ,U_{i} | \equiv C_{u} ,r_{g} >_{{x_{j} }}\)

   M3: \(S_{j} \to GWN:R_{s} ,D_{10} ,T_{3} , < D_{8} ,r_{g} ,S_{j} | \equiv C_{s} >_{{x_{j} }}\)

   M4: \(GWN \to U_{i} :e_{i}^{{\prime }} ,R_{s} ,D_{10} ,D_{11} ,D_{12} ,D_{13} ,T_{4} , < TID_{i}^{{\prime }} ,x_{i}^{{\prime }} ,D_{0} ,r_{g} ,S_{j} | \equiv C_{s} >_{{k_{i}^{{\prime }} }}\)

3. 3)

   Assumptions

   A1: \(GWN| \equiv U_{i} \mathop \leftrightarrow \limits^{{x_{i} }} GWN\) A2: \(S_{j} | \equiv GWN\mathop \leftrightarrow \limits^{{x_{j} }} S_{j}\)

   A3: \(GWN| \equiv S_{j} \mathop \leftrightarrow \limits^{{x_{j} }} GWN\) A4: \(U_{i} | \equiv GWN\mathop \leftrightarrow \limits^{{k_{i}^{{\prime }} }} U_{i}\)

   A5: \(GWN| \equiv \# \left( {C_{u} } \right)\) A6: \(S_{j} | \equiv \# \left( {r_{g} } \right)\)

   A7: \(GWN| \equiv \# \left( {C_{s} } \right)\) A8: \(U_{i} | \equiv \# \left( {r_{g} } \right)\)

   A9: \(GWN\left| { \equiv U_{i} } \right| \Rightarrow < D_{3} >\) A10: \(S_{j} \left| { \equiv GWN} \right| \Rightarrow < D_{7} >\)

   A11: \(GWN\left| { \equiv S_{j} } \right| \Rightarrow < D_{9} >\) A12: \(U_{i} \left| { \equiv GWN} \right| \Rightarrow < D_{14} >\)

   A13: \(S_{j} | \equiv \# (C_{u} )\) A14: \(U_{i} | \equiv \# (C_{s} )\)

   A15: \(S_{j} \left| { \equiv U_{i} } \right|\sim U_{i} \mathop \leftrightarrow \limits^{SK} S_{j}\) A16: \(U_{i} \left| { \equiv S_{j} } \right|{\sim }U_{i} \mathop \leftrightarrow \limits^{SK} S_{j}\)

4. 4)

   Main Proofs

   From M1, they can get S1: \(GWN \triangleleft < D_{3} >_{{x_{i} }}\).

   From S1, A1, R1, they can get S2: \(GWN\left| { \equiv U_{i} } \right|\sim < D_{3} >\).

   From A5, R4, they can get S3: \(GWN| \equiv \# ( < D_{3} > )\).

   From S2, S3, R2, they can get S4: \(GWN\left| { \equiv U_{i} } \right| \equiv < D_{3} >\).

   From S4, A9, R3, they can get S5: \(GWN| \equiv < D_{3} >\).

   From M2, they can get S6: \(S_{j} \triangleleft < D_{7} >_{{x_{j} }}\).

   From S6, A2, R1, they can get S7: \(S_{j} \left| { \equiv GWN} \right|{\sim } < D_{7} >\).

   From A6, R4, they can get S8: \(S_{j} | \equiv \# ( < D_{7} > )\).

   From S7, S8, R2, they can get S9: \(S_{j} \left| { \equiv GWN} \right| \equiv < D_{7} >\).

   From S9, A10, R3, they can get S10: \(S_{j} | \equiv < D_{7} >\).

   From S10, R5, they can get S11: \(S_{j} \left| { \equiv U_{i} } \right| \equiv C_{u}\).

   $$SK = h\left( {SID_{j} ||r_{g} ||R_{su} ||C_{u} ||C_{s} ||TID_{i}^{{\prime }} } \right).$$

   From S11, A13, SK, R6, they can get S12: \(S_{j} | \equiv U_{i} \mathop \leftrightarrow \limits^{SK} S_{j}\), they have achieved G1.

   From S12, A13, A15, R2, R4, they can get S13: \(S_{j} \left| { \equiv U_{i} } \right| \equiv U_{i} \mathop \leftrightarrow \limits^{SK} S_{j}\), they have achieved G2.

   From M3, they can get S14: \(GWN \triangleleft < D_{9} >_{{x_{j} }}\).

   From S14, A3, R1, they can get S15: \(GWN\left| { \equiv S_{j} } \right|{\sim } < D_{9} >\).

   From A7, R4, they can get S16: \(GWN| \equiv \# ( < D_{9} > )\).

   From S15, S16, R2, they can get S17: \(GWN\left| { \equiv S_{j} } \right| \equiv < D_{9} >\).

   From S17, A11, R3, they can get S18: \(GWN| \equiv < D_{9} >\).

   From M4, they can get S19: \(U_{i} \triangleleft < D_{14} >_{{k_{i}^{{\prime }} }}\).

   From S19, A4, R1, they can get S20: \(U_{i} \left| { \equiv GWN} \right|{\sim } < D_{14} >\).

   From A8, R4, they can get S21: \(U_{i} | \equiv \# ( < D_{14} > )\).

   From S20, S21, R2, they can get S22: \(U_{i} \left| { \equiv GWN} \right| \equiv < D_{14} >\).

   From S22, A12, R3, they can get S23: \(U_{i} | \equiv < D_{14} >\).

   From S23, R5, they can get S24: \(U_{i} \left| { \equiv S_{j} } \right| \equiv C_{s}\).

   $$SK = h\left( {SID_{j} ||r_{g} ||R_{us} ||C_{u} ||C_{s} ||TID_{i}^{{\prime }} } \right).$$

   From S24, A14, SK, R6, they can get S25: \({U}_{i}|\equiv {S}_{j}\stackrel{SK}{\leftrightarrow }{U}_{i}\), they have achieved G3.

   From S25, A14, A16, R2, R4, they can get S26: \({U}_{i} |\equiv {S}_{j}|\equiv {S}_{j}\stackrel{SK}{\leftrightarrow }{U}_{i}\), they have achieved G4.

In summary, according to the BAN logic rules, the security objectives G1 to G4 of this scheme have been achieved, and the security of the scheme has been proven.

Formal analysis based on the random oracle model

Theorem 1

In a scenario where an adversary attacker (A) operates within probabilistic polynomial time (PPT) against a protocol (P) in a random oracle, A is allowed to make up to q_s Send (\(\mathop \prod \limits_{I}^{*} , m\)) queries, q_e Execute (\(\mathop \prod \limits_{U}^{i} , \mathop \prod \limits_{GWN}^{k} , \mathop \prod \limits_{S}^{j}\)) queries, and q_h oracle queries. Let D denote the password space, which follows a Zipf distribution with parameters C^′ and s^′16. Additionally, l represents the output length of the hash function and AKE represents authenticated key agreement. In the context of the random oracle model, the probability P of A successfully compromising the protocol in PPT is defined as follows:

$${\text{Adv}}_{{\text{P}}}^{{{\text{AKE}}}} \left( {\text{A}} \right) = 2\left| {{\text{Pr}}\left[ {{\text{S}}_{4} \left] { - {\text{Pr}}} \right[{\text{S}}_{0} } \right]} \right| \le {\text{max}}\left\{ {\frac{{{\text{q}}_{{\text{s}}} }}{{2^{{{\text{l}}_{{\upalpha }} - 1}} }},2{\text{C}}^{{\prime }} {\text{q}}_{{\text{s}}}^{{{\text{s}}{\prime }}} ,\frac{{{\text{q}}_{{\text{s}}} }}{{2^{{{\text{l}} - 1}} }}} \right\} + \frac{{{\text{q}}_{{\text{s}}} }}{{2^{{{\text{l}} - 1}} }} + \frac{{{\text{q}}_{{\text{h}}}^{2} }}{{2^{{\text{l}}} }} + \frac{{\left( {{\text{q}}_{{\text{s}}} + {\text{q}}_{{\text{e}}} } \right)^{2} }}{{{\text{p}} - 1}}$$

(30)

Proof: The scheme is divided into five games, labelled G_i(i = 1, 2, 3, 4, 5). In each game, there is a condition denoted as S_i, indicating that A successfully predicts a bit b before advancing in the game.

G₀: It mimics a real attack in the random oracle model, where A has full access to all oracles. Hence,

$${{\text{Adv}}}_{{\text{P}}}^{{\text{AKE}}}({\text{A}})=2{\text{Pr}}[{{\text{S}}}_{0}]-1$$

(31)

G₁: In G₁, A conducts a passive attack, intercepting messages through the Excute(*) query and attempting to guess the output of the Test (\({\prod }_{S}^{j})\) query. However, the impossibility of deducing SK = h(SID_j‖r_g‖R_us‖C_u‖C_s‖TID_i^′) means that A's advantage in a successful attack does not increase. Hence,

$${\text{Pr}}[{{\text{S}}}_{1}]={\text{Pr}}[{{\text{S}}}_{0}]$$

(32)

G₂: A is allowed to make Send (\({\prod }_{I}^{*}, m\)) and H queries to persuade the legitimate communicator with forged messages. The simulation concludes only if A manages to discover collisions and successfully constructs convincing messages. The probabilities of their occurrence, based on the birthday paradox²⁹, are (\({q}_{h}^{2}\)/\({2}^{l+1}\)) and ((q_s + q_e)²/2(p-1)). Hence,

$$|{\text{Pr}}[{{\text{S}}}_{2}]-{\text{Pr}}[{{\text{S}}}_{1}]|\le \frac{{{\text{q}}}_{{\text{h}}}^{2}}{{2}^{{\text{l}}+1}}+\frac{{({{\text{q}}}_{{\text{s}}}+{{\text{q}}}_{{\text{e}}})}^{2}}{2({\text{p}}-1)}$$

(33)

G₃: This game is distinct from the earlier games because if A successfully guesses the correct authentication Factors D₃, D₇, D₉, and D₁₄. The simulation concludes if H queries are not utilized. It is identical to the previous games in all aspects, except for situations where correct authentication is refused. Hence,

$$|{\text{Pr}}[{{\text{S}}}_{3}]-{\text{Pr}}[{{\text{S}}}_{2}]|\le \frac{{{\text{q}}}_{{\text{s}}}}{{2}^{{\text{l}}}}$$

(34)

G₄: In this game, A can acquire more information through the Corrupt (\({\prod }_{U}^{i}, a\)) query. A successfully guesses α_i with a length of l_α, with a probability of (q_s/2^l_α). Additionally, A successfully guesses the victim's password with a probability of C^′\(q_{s}^{{s{\prime }}}\). The likelihood of A guessing the correct x_i is (q_s/2^l). Hence,

$$|{\text{Pr}}[{{\text{S}}}_{4}]-{\text{Pr}}[{{\text{S}}}_{3}]|\le {\text{max}}\left\{\frac{{{\text{q}}}_{{\text{s}}}}{{2}^{{{\text{l}}}_{\mathrm{\alpha }}}},\mathrm{C{\prime}}{{\text{q}}}_{{\text{s}}}^{\mathrm{s{\prime}}},\frac{{{\text{q}}}_{{\text{s}}}}{{2}^{{\text{l}}}}\right\}$$

(35)

$${\text{Pr}}[{{\text{S}}}_{4}]=\frac{1}{2}$$

(36)

Based on Eqs. (31) to (36), they can infer either Conclusion (30) or Conclusion (37):

$${\text{Adv}}_{{\text{P}}}^{{{\text{AKE}}}} \left( {\text{A}} \right) = 2\left| {{\text{Pr}}\left[ {{\text{S}}_{4} \left] { - {\text{Pr}}} \right[{\text{S}}_{0} } \right]} \right| \le {\text{max}}\left\{ {\frac{{{\text{q}}_{{\text{s}}} }}{{2^{{{\text{l}}_{{\upalpha }} - 1}} }},2{\text{C}}^{{\prime }} {\text{q}}_{{\text{s}}}^{{{\text{s}}{\prime }}} ,\frac{{{\text{q}}_{{\text{s}}} }}{{2^{{{\text{l}} - 1}} }}} \right\} + \frac{{{\text{q}}_{{\text{s}}} }}{{2^{{{\text{l}} - 1}} }} + \frac{{{\text{q}}_{{\text{h}}}^{2} }}{{2^{{\text{l}}} }} + \frac{{\left( {{\text{q}}_{{\text{s}}} + {\text{q}}_{{\text{e}}} } \right)^{2} }}{{{\text{p}} - 1}}$$

(37)

Formal security verification via ProVerif³⁰

This section presents the formal security verification of the proposed scheme by using the Pi calculus-based simulation tool ProVerif. To date, ProVerif has been used to verify many protocols and demonstrate their correctness and robust properties, so ProVerif is used in this study to rectify the secrecy and authentication properties of the focal protocol.

The channels, variables, constants, operations and events are defined as shown in Fig. 6:

Figure 6

Define the channels, variables, constants, operations and events.

According to the proposed scheme execution, they define the process of U_i as shown in Fig. 7:

Figure 7

The process of U_i.

The process of GWN is modeled as shown in Fig. 8:

Figure 8

The process of GWN.

The process of S_j is modeled as shown in Fig. 9:

Figure 9

The process of S_j.

The queries are defined and the whole scheme is simulated as executing in parallel as shown in Fig. 10:

Figure 10

Define the queries and simulate the scheme.

The outputs of the ProVerif verification is shown in Fig. 11:

Figure 11

Outputs of the Proverif verification.

Results (1) and (2) indicate the secrecy of the proposed scheme because of the failing query attack on session keys SK_S and SK_U. Moreover, Results (3) and (4) confirm the successful mutual authentication between U_i and S_j. In other words, the proposed scheme not only provides the secrecy of the session key, but also achieves the authentication property by verifying the correspondence assertions in the Dolev-Yao model.

Informal analysis

This scheme can resist many common attacks and effectively address the shortcomings of existing schemes. The proof of this is as follows:

Proposition 1

The scheme has anonymity.

Proof

All identity ID in the scheme are not transmitted in clear text in the public channel, and the identity identifiers TID_i = h(ID_i‖α_i‖r_i) and TID_i^′ = h(ID_i‖α_i‖r_u) are used to replace the ID for transmission¹⁷. Assuming that the attacker intercepts TID_i, according to the one-way property of the hash function, the attacker cannot resolve ID_i³¹. In addition, even if the attacker intercepts both TID_i and TID_i^′, it is impossible to determine whether the two parameters come from the same ID; hence, the scheme has anonymity.

Proposition 2

The scheme is resistant to registered legitimate user attacks.

Proof

Suppose attacker U_a registers legitimate user ID_a and calculates TID_a = h(ID_a‖α_a‖r_a). U_a registers with gateway GWN, which calculates x_a = h(TID_a‖K_G), K_a = h(TID_a‖HPW_a). The TID_a generated by the attacker based on ID_a is different from the TID_s of other legitimate users, and the x and K generated by registering to GWN through TID_a are also different. Therefore, the scheme can resist registered legitimate user attacks by generating new identity information TID_s, and the attacker cannot obtain messages to any other legitimate user by registering a legitimate user.

Proposition 3

The scheme is resistant to smart card loss attacks and offline guessing attacks¹⁷.

Proof

Suppose that a user’s smart card is lost or stolen, and the attacker obtains the card and the information it contains, B₁ = h(ID_i‖α_i‖PW_i) ⊕ r_i, B₂ = h(HPW_i‖ID_i‖α_i‖r_i)mod n₀, by differential energy attack, because B₁ and B₂ are hash functions with one-way security. However, the attacker is unable to extract the password PW_i of user U_i from it. Second, if the attacker wishes to obtain the user's password PW_i through offline password guessing, he or she needs to have the biometric trait α_i and the private key r_i, however, the attacker is not in possession of α_i and r_i, and therefore, the attacker is unable to carry out an offline password guessing attack³². Again, B₂ = h(HPW_i‖ID_i‖α_i‖r_i)mod n₀, when n₀ is taken large enough, the number of password guesses grows exponentially and it is not feasible to obtain the password by offline guessing. Finally, the gateway records the number of user authentication List, and it is impossible for an attacker to complete an offline guessing attack within a limited number of guesses. Therefore, the scheme resists smart card loss attacks and offline guessing attacks by means of hash functions, biometrics, modulo arithmetic, and recording the number of authentication times, which are infeasible regardless of whether the attacker tries to extract the password from the smart card or crack the password through offline guessing.

Proposition 4

The scheme is resistant to spoofed user attacks.

Proof

To disguise a user login gateway, the attacker needs to send {R_u, D₂, D₃, TID_i, T₁} to the gateway, where R_u = r_u·P, TID_i^′ = h(ID_i‖α_i‖r_u), C_u = h(R_u‖x_i^′), D₀ = r_u·R_g, D₁ = h(D₀‖TID_i‖HPW_i), D₂ = TID_i^′ ⊕ (D₁‖x_i), D₃ = h(TID_i^′‖D₀‖C_u‖x_i‖K_i‖T₁); the attacker needs to master the user’s private key r_u, identifier TID_i, password PW_i, biometric α_i, secret x_i, key parameters K_i, and so on, so it is clear that the attacker cannot master the above parameters at the same time and cannot make a spoofed user attack. Therefore, the scheme can resist spoofed user attacks by setting various parameters.

Proposition 5

The scheme is resistant to internal attacks.

Proof

There is a possibility that insiders leak user information at the gateway. In the user registration stage, the user’s registered password PW_i is protected by HPW_i = h(PW_i‖α_i), and the insider may obtain HPW_i. Based on the unidirectional nature of the hash function, the insider is unable to compute PW_i by HPW_i = h(PW_i‖α_i)³³. In addition, HPW_i also contains the user’s biometric α_i, and the insider cannot obtain α_i to guess the correct PW_i by offline guessing. Therefore, the scheme can resist internal attacks by setting HPW_i.

Proposition 6

The scheme is resistant to tampering attacks.

Proof

Suppose the attacker tampers with the message sent by the user to the gateway, and the gateway receives the message and needs to verify whether D₃^* = h(TID_i^′‖D₀^*‖C_u‖x_i‖K_i‖T₁) is equal to D₃. To crack D₃, the attacker needs to have both the user's private key r_u, identifier ID_i, password PW_i, secret x_i, and key parameter K_i³⁴, etc. The above parameters are not propagated in plaintext over the public channel, and the attacker cannot verify them through the gateway. Therefore, the scheme makes it impossible for an attacker to authenticate D₃ by setting multiple parameters. The scheme is resistant to tampering attacks.

Proposition 7

The scheme is resistant to replay attacks.

Proof

A replay attack occurs when an attacker sends a packet that has been received by the target for the purpose of spoofing the system. All the messages sent in the two-way authentication process contain the timestamp T, and all parties need to verify whether the time difference is less than △T after receiving the message. If the attacker carries out replay attacks, the replayed message can be recognized by verifying the timestamp. The scheme resists replay attacks by adding timestamps.

Proposition 8

The scheme is resistant to MITT attacks.

Proof

According to the challenge/response mechanism, both the user and the gateway or the sensor and the gateway need to verify each other’s identity. According to Propositions 4 and 6, which have already been proven, the attacker cannot disguise the user or tamper with the message, so the attacker cannot launch a MITT attack disguised as an intermediary. The same can be proven for the communication between sensors and gateways. In addition, timestamps and random numbers are fresh and cannot be forged by an MITT attack³⁵. Therefore, an attacker cannot disguise him- or herself as an MITT to launch an attack. The scheme makes it impossible for the attacker to accomplish MITT attacks by authenticating the user, gateway, and sensor.

Proposition 9

The scheme is resistant to Denning-Sacco attacks³⁶.

Proof

Suppose the attacker steals the agreement key SK = h(SID_j‖r_g‖R_su‖C_u‖C_s‖TID_i^′). SK is the hash function’s hash value³⁷, and according to its one-way property, the attacker cannot obtain the parameters in SK. In addition, the parameters in SK such as user private key r_u, gateway private key r_g, sensor private key r_s, C_u, and C_s are not transmitted in the public channel, and the attacker cannot complete the Denning-Sacco attack.Therefore, the scheme resists Denning-Sacco attacks by performing hash transformations on the session key SK and by making SK have more complex parameters.

Proposition 10

The scheme has forward security.

Proof

Assuming that the attacker intercepts the public keys R_u and R_s of the user and the sensor, the calculation of SK also requires r_u, r_g, r_s, C_u, and C_s. None of these parameters are transmitted in the public channel, and they cannot be obtained by the attacker. An attacker trying to calculate r_s and r_u by R_s = r_s*P and R_u = r_s*P, or r_s*R_u and R_s*r_u by R_s*R_u cannot do so because the above computations involve ECCDLP mathematical puzzles. Therefore, the scheme is forward-safe.

Proposition 11

The scheme enables both two-way authentication and key agreement.

Proof

The scheme through D₃ = h(TID_i^′‖D₀‖C_u‖x_i‖K_i‖T₁) and D₁₄ = h(TID_i^′‖x_i^′‖K_i^′‖r_g‖C_s‖SID_j‖D₀‖T₄) achieves two-way authentication of the user and the gateway and through D₇ = h(TID_i^′‖SID_j‖C_u‖r_g‖x_j‖T₂) and D₉ = h(SID_j‖r_g‖D₈‖x_j‖C_s‖T₃) achieves two-way authentication of the gateway and the sensor, while the session key SK_s = h(SID_j‖r_g‖R_su‖C_u‖C_s‖TID_i^′) = h(SID_j‖r_g‖R_us‖C_u‖C_s‖TID_i^′) = SK_u is negotiated during the authentication process.

Table 3 shows the security comparison of each scheme. It can be seen that this scheme has better security.

Table 3 Comparison of security features.

Efficiency analysis

The sensor nodes of WSNs have the characteristics of limited resources and low computation. In this section, they analyze the performance of scheme in analysed from two aspects—computation overhead and communication overhead—and the scheme is proven to be suitable for resource-constrained WSNs through comparisons with other schemes³⁸.

Computational overhead

The computational overhead is mainly considered for recovering biometric features, point multiplication, modular exponentiation, symmetric encryption/decryption, hashing, and so forth. The computational overhead of XOR and concatenation is very small and negligible compared to other operations. Referring to the literature¹⁵, the computational elapsed time is shown in Table 4; the comparison of computational overheads of each scheme is shown in Table 5.

Table 4 The notations, descriptions, and time consuming required for computational time.

Table 5 Comparison of computational overhead.

From the computational time consumption in Table 4, it can be seen that the T_FE and T_ecm time consumption is high, and the T_FE of each scheme is similar, so the focus is on the point multiplication operation T_ecm. This scheme uses the ECC-based key agreement scheme, and the point multiplication operation overhead is higher than that of other schemes, but it has higher security compared to other schemes that only use hash computation or symmetric encryption and decryption schemes. WSNs focus on the computational overhead of resource-constrained sensor nodes. The computational overhead of the sensor nodes is increased only once compared to schemes^6,39, and⁴⁰, which also have point multiplication operations. This scheme does not put too much pressure on sensor computation. Although the other schemes have less computational overhead, the present scheme is more effective in dealing with various security threats and is more suitable for high security systems.

Communication overhead

The communication overhead is mainly for the data lengths of identity, hash value, fuzzy extractor public data, random numbers, timestamp, points of elliptic curve (public key), and symmetric encryption/decryption data. To facilitate the comparison, each data length in this scheme is set uniformly. The specific values are shown in Table 6, the comparison of communication overheads of each scheme is shown in Table 7, and the specific communication overhead quantization diagrams are shown in Figs. 12 and 13⁴¹.

Table 6 The notations, descriptions, and lengths required for communication data.

Table 7 Communication overhead comparison.

Figure 12

Total communication overhead comparison.

Figure 13

Comparison of node communication overhead.

This scheme is based on ECC, and as the communication process needs to send each party’s public key several times, the communication overhead is slightly higher than with other schemes. For the communication overhead of resource-constrained sensor nodes, this scheme is the same as scheme³⁹ and slightly higher than schemes^6,16 and⁴⁰, but still within the tolerance range of sensor nodes and suitable for WSNs.

Conclusions

This paper examines multifactor authentication for WSNs. First, related schemes from recent years are introduced, and based on this, the scheme of Xue et al.¹⁶ is examined, with a focus on its advantages and security vulnerabilities. Then, a three-factor authentication and key agreement scheme based on ECC is proposed for WSNs. The security of the scheme is demonstrated by the BAN logical and informal analysis, and efficiency analysis shows that the scheme is used for resource-constrained WSNs. Overall, the proposed scheme effectively improves the security performance of WSNs based on efficiency and has good application value. Due to the use of ECC dot-multiplication operations, the computational energy consumption of the scheme is still higher compared to the scheme with only hash operations; therefore, in the next step of this research, the efficiency of the scheme needs to be further improved to guarantee security.