
Journal of Network and Computer Applications 103 (2018) 194–204


A three-factor anonymous authentication scheme for wireless sensor networks in internet of things environments

Xiong Li a,b,⁎, Jianwei Niu b,⁎⁎, Saru Kumari c, Fan Wu d, Arun Kumar Sangaiah e, Kim-Kwang Raymond Choo f

a School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan 411201, China
b State Key Laboratory of Virtual Reality Technology and Systems, School of Computer Science and Engineering, Beihang University, Beijing 100191, China
c Department of Mathematics, Ch. Charan Singh University, Meerut, Uttar Pradesh, India
d Department of Computer Science and Engineering, Xiamen Institute of Technology, Xiamen 361021, China
e School of Computing Science and Engineering, VIT University, Vellore, Tamilnadu 632014, India
f Department of Information Systems and Cyber Security, University of Texas at San Antonio, San Antonio TX 78249, USA

ARTICLE INFO

Keywords: Internet of Things; Anonymous; Authentication; Wireless Sensor Networks; Biometrics

ABSTRACT

The Internet of Things (IoT) is an emerging technology that makes remote sensing and control across heterogeneous networks a reality, and it has good prospects in industrial applications. As an important infrastructure, Wireless Sensor Networks (WSNs) play a crucial role in the industrial IoT. Because sensor nodes are resource constrained, designing an authentication scheme for WSNs that balances security and efficiency is a big challenge in IoT applications. First, a two-factor authentication scheme for WSNs proposed by Jiang et al. is reviewed, and the functional and security flaws of their scheme are analyzed. Then, we propose a three-factor anonymous authentication scheme for WSNs in Internet of Things environments, in which a fuzzy commitment scheme is adopted to handle the user's biometric information. Analysis and comparison results show that the proposed scheme keeps computational efficiency while achieving more security and functional features. Compared with other related work, the proposed scheme is more suitable for Internet of Things environments.

1. Introduction

The Internet of Things (IoT) (Atzori et al., 2010) is a burgeoning paradigm of modern wireless telecommunications, which makes remote sensing and control across heterogeneous networks a reality for specific goals by using Radio Frequency IDentification (RFID) and Wireless Sensor Networks (WSNs). Combined with cloud computing (Xia et al., 2016a, 2016b; Fu et al., 2017; Kong et al., 2017; Shen et al., 2017a, 2017b), various smart environments such as the smart grid, smart healthcare and intelligent transportation systems can be built using the IoT. The core of "smart" is the use of smart sensors to collect environmental information. A WSN is composed of many sensor nodes, each of which connects to other sensors via a wireless communication channel. WSNs are used in many industrial and consumer applications, such as industrial process monitoring and management, and machine health monitoring and fault diagnosis, to collect the corresponding environmental information automatically. Therefore, WSNs (Akyildiz et al., 2002) play a crucial role in the industrial Internet of Things, and they are essential for establishing the aforementioned smart environments (IoT applications). Generally, a WSN is composed of a large number of sensor nodes with limited power, storage space and computational capacity. WSNs are often deployed unattended in the target area, so extending the lifetime of a WSN is a big challenge. Heinzelman et al. (2002) pointed out that the energy consumption of a sensor node is proportional to the distance between the sensor node and its communication partner, so in order to extend the lifetime of sensor nodes, a gateway node is usually adopted as a bridge between the user and the sensor nodes. Due to the resource limitations of sensor nodes and the open nature of the wireless channel, security is a big challenge in the application of WSNs. With the development of WSNs, a user can access sensory data from anywhere, and authentication (Wang et al., 2015a, 2015b; Shen et al., 2016; Jiang et al., 2015; Li et al., 2013a, 2013b, 2015a) is a vital issue in the security of WSNs.

In 2009, Das (2009) presented a pioneering work on user authentication for WSNs using smart cards, and it spawned many subsequent


⁎ Corresponding author at: School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan 411201, China.
⁎⁎ Corresponding author.
E-mail addresses: lixiongzhq@163.com (X. Li), niujianwei2008@gmail.com (J. Niu).

http://dx.doi.org/10.1016/j.jnca.2017.07.001
Received 1 February 2017; Received in revised form 8 May 2017; Accepted 4 July 2017
Available online 11 July 2017
1084-8045/ © 2017 Elsevier Ltd. All rights reserved.

work. He et al. (2010), Khan and Alghathbar (2010) and Yeh et al. (2011) found weaknesses in the scheme of Das (2009): it lacks mutual authentication, key agreement and user anonymity, and it suffers from attacks such as gateway bypassing, password guessing, sensor node capture and denial of service. In 2011, Yeh et al. (2011) presented a two-factor authentication protocol for WSNs using elliptic curve cryptography (ECC), which provides better security at a lower computational cost than traditional public-key cryptosystems. However, their scheme does not achieve the mutual authentication they claim, and it supports neither user anonymity nor key agreement. In 2013, based on the scheme of Yeh et al. (2011), Shi and Gong (2013) proposed an improved ECC-based authentication scheme for WSNs, which is efficient and provides more features than the protocol of Yeh et al. (2011). Unfortunately, Choi et al. (2014) pointed out that the protocol of Shi and Gong (2013) suffers from the unknown key-share attack and the stolen smart card attack, and they presented an enhanced protocol for WSNs. Xue et al. (2013) designed a user authentication scheme for WSNs using temporal credentials; it is highly efficient because only hash and XOR operations are used. However, He et al. (2015) found that off-line password guessing, impersonation and modification attacks apply to the scheme of Xue et al. (2013), and they proposed an improved scheme to remove these weaknesses. The scheme of He et al. (2015) was in turn found to be vulnerable to stolen smart card, user impersonation and tracking attacks. Based on the scheme of He et al. (2015), Jiang et al. (2016) proposed an untraceable user authentication scheme using ECC, in which the ECC point multiplications are performed by the user and the gateway node, while the sensor node only needs hash operations. However, we find some common flaws in the schemes of Xue et al. (2013), He et al. (2015) and Jiang et al. (2016): (1) all of them lack wrong password detection and password change mechanisms; (2) they are not suitable for Internet of Things environments, since the user exchanges messages directly with the sensor nodes; (3) they are all vulnerable to the known session-specific temporary information attack and to the clock synchronization problem.

Based on this previous work, this paper presents a three-factor anonymous authentication scheme for WSNs in IoT environments using biometrics, where a fuzzy commitment scheme and error-correcting codes are adopted to handle the user's biometric information. Analysis and comparison results show that the new scheme keeps computational efficiency while achieving more security and functional features. Compared with other related schemes, our scheme is more suitable for Internet of Things environments.

The remainder of this paper is organized as follows: Section 2 introduces the preliminaries used in this paper; the review of and comments on the scheme of Jiang et al. (2016) are given in Section 3; the proposed scheme is described in Section 4; Sections 5 and 6 give the BAN logic analysis and the other security analysis of the proposed scheme, respectively; Section 7 compares our scheme with other related schemes; finally, Section 8 concludes the paper.

2. Preliminaries

In this part, we introduce the preliminaries used later: error-correcting codes and the fuzzy commitment scheme built on them.

2.1. Error-correcting codes

Error-correcting codes play a significant role in the fuzzy commitment scheme; they enable messages to be transmitted correctly over a noisy communication channel. For a message set M = {0, 1}^k, an error-correcting code consists of a set of codewords C ⊆ {0, 1}^n. A message m ∈ M is mapped to an element of C before it is transmitted, and n > k is required to provide redundancy. An error-correcting code comprises two functions, a translation function g: M → C and a decoding function f: {0, 1}^n → C ∪ {ϕ}. If successful, f maps an n-bit string x to the nearest codeword in C in terms of Hamming distance; otherwise f outputs ϕ. As an example, given an f with correction threshold t, for a codeword c ∈ C and any error term e ∈ {0, 1}^n with Hamming weight ∥e∥ ≤ t, we have f(c ⊕ e) = c. More information about error-correcting codes can be found in Juels and Wattenberg (1999).

2.2. Fuzzy commitment scheme

Suppose h: {0, 1}^n → {0, 1}^l is a secure hash function. F: ({0, 1}^n, {0, 1}^n) → ({0, 1}^l, {0, 1}^n) is a fuzzy commitment scheme that commits a codeword c ∈ C using an n-bit witness y as F(c, y) = (α, δ), where α = h(c) and δ = y ⊕ c. The commitment F(c, y) = (α, δ) can be opened using a witness y′ that is close to y but need not be identical to it. To open the commitment using y′, the receiver computes c′ = f(y′ ⊕ δ) = f(c ⊕ (y′ ⊕ y)) and checks whether α = h(c′). If they are equal, the commitment is opened successfully; otherwise the witness y′ is not valid. Note that the opening succeeds only if y′ ⊕ y has Hamming weight at most the correction threshold t of f. Because biometric readings are noisy, i.e. the input biometric is never exactly the same as the stored template, the fuzzy commitment scheme suits them: the biometric template serves as the witness y, and c can be opened by a fresh biometric reading y′ that is close to y. For more details about the fuzzy commitment scheme, please refer to Juels and Wattenberg (1999).

3. Review and comment on Jiang et al.'s protocol

In this section we first review Jiang et al.'s authentication protocol for wireless sensor networks (Jiang et al., 2016), and then point out some security and functional flaws of their scheme. The notations used throughout the article are listed in Table 1.

3.1. Review of Jiang et al.'s protocol

Their scheme contains three phases: user registration, sensor registration, and login and authentication. Before the protocol runs, GWN generates some parameters. First, GWN selects an additive group G on an elliptic curve over a finite field Fp, with generator P of large prime order n. Then GWN picks a random number x ∈ Z_n^* as its private key and computes the corresponding public key X = xP. Finally, x is kept secret and the parameters {E(Fp), G, P, X} are published by GWN.

Table 1
Notations description.

Ui, GWN and Sj: the ith user, the gateway node and the jth sensor node
IDi and SIDj: identity of user Ui and of sensor Sj
PWi: password of user Ui
bi: biometric of user Ui
SC: Ui's smart card
DIDi, DIDGWN: dynamic identity of Ui and of GWN
Ki and Kj: keys generated by Ui and Sj
SK: session key
h(·): a secure hash function
C ⊆ {0, 1}^n: a set of codewords
F(·, ·): a fuzzy commitment scheme
f(·): a decoding function
ri, rg and rj: random numbers generated by Ui, GWN and Sj, respectively
TS: timestamp
TEi: expiration time of Ui's temporal credential
∥: concatenation
⊕: XOR
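Before stepping through Jiang et al.'s phases, here is a worked instance of the constructions of Sections 2.1 and 2.2. It is an added illustration, not code from the paper: a repetition code supplies g and f, the commitment F(c, y) = (h(c), y ⊕ c) is opened with noisy witnesses, and the decoder's threshold t decides which readings open it. The repetition factor R, the message length K, SHA-256 as h, and the sample bit flips are choices of this example; the "template" y is a random bit string standing in for a biometric.

```python
import hashlib
import secrets

R = 5   # repetition factor: each message bit is sent R times; corrects t = (R - 1) // 2 errors per block
K = 16  # message length k (bits); codeword length n = K * R = 80 bits
N = K * R

def g(m: int) -> int:
    """Translation function g: M -> C, replicating each of the K message bits R times."""
    c = 0
    for i in range(K):
        if (m >> i) & 1:
            c |= ((1 << R) - 1) << (i * R)      # R consecutive one-bits for message bit i
    return c

def f(x: int):
    """Decoding function f: {0,1}^n -> C u {phi}. Majority vote per block returns the
    codeword nearest to x in Hamming distance; phi (None) only for malformed input,
    because a repetition code decodes every n-bit string."""
    if x < 0 or x >> N:
        return None
    m = 0
    for i in range(K):
        block = (x >> (i * R)) & ((1 << R) - 1)
        if bin(block).count("1") > R // 2:
            m |= 1 << i
    return g(m)

def h(c: int) -> bytes:
    """h: {0,1}^n -> {0,1}^l, instantiated with SHA-256 (choice of this example)."""
    return hashlib.sha256(c.to_bytes((N + 7) // 8, "big")).digest()

def commit(c: int, y: int):
    """F(c, y) = (alpha, delta) with alpha = h(c) and delta = y xor c."""
    return h(c), y ^ c

def open_commitment(alpha: bytes, delta: int, y_prime: int):
    """Recover c' = f(y' xor delta) = f(c xor (y' xor y)); accept iff h(c') == alpha."""
    c_prime = f(y_prime ^ delta)
    if c_prime is None or h(c_prime) != alpha:
        return None
    return c_prime

def flip_bits(x: int, positions) -> int:
    for p in positions:
        x ^= 1 << p
    return x

def demo():
    """Enrol a constructed template y, then open with three readings.
    Returns (opened with spread noise, opened with clustered noise, opened with exact y)."""
    c = g(secrets.randbits(K))          # codeword chosen at registration (GWN's ci)
    y = secrets.randbits(N)             # enrolled template (constructed sample, not a real biometric)
    alpha, delta = commit(c, y)
    spread = flip_bits(y, [0, 7, 20])   # one error in each of blocks 0, 1 and 4: within t = 2 per block
    clustered = flip_bits(y, [0, 1, 2]) # three errors inside block 0: exceeds t, decodes to another codeword
    return (open_commitment(alpha, delta, spread) == c,
            open_commitment(alpha, delta, clustered) == c,
            open_commitment(alpha, delta, y) == c)

if __name__ == "__main__":
    print(demo())
```

The clustered reading shows why the check against α matters: f still returns a valid codeword, just not c, and only h(c′) ≠ α reveals that the witness was too far from the template. The correction capacity of the chosen code therefore fixes how much biometric noise the login phase tolerates.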


3.1.1. User registration

At first, a password PWi is assumed to be shared between Ui and GWN, and {IDi, h(PWi)} is maintained secretly by GWN (it is used by GWN in step 2 below). To register as a user, the following steps are performed between Ui and GWN.

1. Ui generates random numbers a, ri ∈ Z_n^*, and calculates A = aP, A′ = aX = axP, VIi = h(TS1 ∥ h(PWi) ∥ A ∥ A′ ∥ h(PWi^new ∥ IDi ∥ ri)) and TPWi = h(PWi^new ∥ IDi ∥ ri) ⊕ h(TS1 ∥ h(PWi) ∥ A ∥ A′), where PWi^new is Ui's new password and TS1 is the current timestamp. Then the registration message {IDi, TS1, VIi, TPWi, A} is submitted to GWN by Ui.

2. On receiving the registration message, GWN checks whether timestamp TS1 is valid. If it is beyond the predetermined interval, the request is rejected by GWN. Otherwise, GWN calculates A″ = xA = axP and h(PWi^new ∥ IDi ∥ ri) = TPWi ⊕ h(TS1 ∥ h(PWi) ∥ A ∥ A″), and checks whether h(TS1 ∥ h(PWi) ∥ A ∥ A″ ∥ h(PWi^new ∥ IDi ∥ ri)) equals VIi. The session is terminated if they are not equal. Otherwise, GWN calculates TCi = h(KGWN−U ∥ IDi ∥ TEi) and PTCi = TCi ⊕ h(PWi^new ∥ IDi ∥ ri), where TEi is the expiration time of Ui's temporal credential. Then GWN updates Ui's identity information in its database as {IDi, TEi}. Finally, GWN stores {h(·), TEi, PTCi} into a SC and distributes it to Ui.

3. At last, Ui stores ri into the SC.

3.1.2. Sensor node registration

Before the sensor network is deployed, the password of sensor node Sj is pre-shared between Sj and GWN, and the pair {SIDj, h(PWj)} is maintained by GWN. The details of this phase are as follows.

1. Sj selects a random number b ∈ Z_n^*, and calculates B = bP, B′ = bX = bxP and VIj = h(TS2 ∥ h(PWj) ∥ B ∥ B′), where TS2 is the current timestamp. Then Sj forwards {SIDj, TS2, VIj, B} to GWN in a secure way.

2. On receiving the message, GWN checks whether TS2 is within the normal interval. If not, GWN rejects the request. Otherwise, GWN retrieves the h(PWj) corresponding to SIDj and calculates B″ = xB. GWN then checks whether h(TS2 ∥ h(PWj) ∥ B ∥ B″) equals VIj; the session is rejected if they are not equal. Otherwise, GWN calculates TCj = h(KGWN−S ∥ SIDj), REGj = TCj ⊕ h(TS3 ∥ h(PWj) ∥ B ∥ B″) and VIGWN = h(TCj ∥ h(TS3 ∥ h(PWj) ∥ B ∥ B″)). At last, GWN responds to Sj with the message {TS3, REGj, VIGWN}.

3. On receiving the message, Sj checks whether TS3 is within the allowed interval. The session is terminated by Sj if it is beyond the predetermined interval. Otherwise, Sj calculates TCj = REGj ⊕ h(TS3 ∥ h(PWj) ∥ B ∥ B′) and checks whether h(TCj ∥ h(TS3 ∥ h(PWj) ∥ B ∥ B′)) equals VIGWN. The session is terminated if they are not equal. Otherwise, TCj is stored in Sj.

3.1.3. Login and authentication

When Ui wants to access the sensory data of Sj, the following login and authentication procedure is performed among Ui, GWN and Sj.

1. Ui inserts the SC into a reader and keys in IDi and PWi. Ui chooses a nonce c ∈ Z_n^* and a random key Ki. Then the SC calculates TCi = PTCi ⊕ h(PWi ∥ IDi ∥ ri), Ci = cP, Di = cX = cxP, DIDi = IDi ⊕ h(Ci ∥ Di), PKSi = Ki ⊕ h(TCi ∥ TS4 ∥ Di) and Ei = h(h(IDi ∥ TS4) ⊕ Di ⊕ PKSi ⊕ TCi), where TS4 is the current time. At last, Ui forwards the login request {DIDi, Ci, PKSi, TS4, Ei} to GWN.

2. On receiving the login request, GWN first checks whether TS4 is within the normal interval. If it is beyond the predetermined interval, the request is rejected by GWN. Otherwise, GWN calculates D′i = xCi = xcP and ID′i = DIDi ⊕ h(Ci ∥ D′i), and retrieves TEi according to ID′i. Then GWN calculates TC′i = h(KGWN−U ∥ ID′i ∥ TEi) and checks whether h(h(ID′i ∥ TS4) ⊕ D′i ⊕ PKSi ⊕ TC′i) equals Ei. The session is terminated if they are not equal. Otherwise, GWN calculates Ki = PKSi ⊕ h(TCi ∥ TS4 ∥ D′i). Then GWN chooses the target sensor node Sj, gets the current time TS5, and calculates TCj = h(KGWN−S ∥ SIDj), DIDGWN = IDi ⊕ h(DIDi ∥ TCj ∥ TS5), CGWN = h(IDi ∥ TCj ∥ TS5) and PKSGWN = Ki ⊕ h(TCj ∥ TS5). At last, GWN submits the message {TS5, DIDi, DIDGWN, CGWN, PKSGWN} to Sj.

3. On receiving the message from GWN, Sj checks whether TS5 is within the normal interval. If not, the session is rejected by Sj. Otherwise, Sj calculates IDi = DIDGWN ⊕ h(DIDi ∥ TCj ∥ TS5) and checks whether h(IDi ∥ TCj ∥ TS5) equals CGWN. The session is terminated if they are not equal. Otherwise, Sj generates a random key Kj and calculates Ki = PKSGWN ⊕ h(TCj ∥ TS5) and SKij = h(Ki ⊕ Kj). Then Sj takes the current time TS6 and calculates Cj = h(Kj ∥ IDi ∥ SIDj ∥ TS6) and PKSj = Kj ⊕ h(Ki ∥ TS6). At last, Sj returns the message {SIDj, TS6, Cj, PKSj} to user Ui.

4. On receiving the message from Sj, Ui first checks whether the timestamp TS6 is within the normal interval. The session is rejected if it is beyond the predetermined interval. Otherwise, Ui calculates Kj = PKSj ⊕ h(Ki ∥ TS6) and checks whether h(Kj ∥ IDi ∥ SIDj ∥ TS6) equals Cj. The session is aborted if they are not equal. Otherwise, Sj and GWN are authenticated by Ui. Finally, Ui calculates the shared session key SKij = h(Ki ⊕ Kj), with which Ui can access the sensory data of Sj confidentially.

3.2. Functional and security flaws of Jiang et al.'s protocol

In this section, some functional and security flaws of Jiang et al.'s scheme (Jiang et al., 2016) are analysed. Their scheme lacks user friendliness, since the user cannot change the password at will. In addition, there is no detection mechanism for unauthorized login, which not only wastes computation and communication cost before a wrong login is detected, but also requires additional operations if the user wants to update the password. Besides, their scheme is not suitable for IoT environments since the sensor contacts the user directly. Furthermore, the known session-specific temporary information attack applies to their scheme.

3.2.1. Lack of user friendliness

Password authentication is the easiest identity authentication method to implement, since the validity of a user can be checked by the server against the stored password information. In real life, users tend to choose easy-to-remember passwords from a small dictionary, so password based authentication schemes are vulnerable to password related attacks. For security, freely choosing and changing the password are two desirable functions of a password authentication scheme. However, the scheme in Jiang et al. (2016) does not allow users to change their passwords, so it lacks user friendliness.

3.2.2. No detection mechanism for unauthorized login

In real life, a user is usually involved in many applications and has to manage a different identity and password pair for each of them. Therefore, a wrong identity or password may be entered unintentionally in the login phase, since the user may not remember the pair for a particular application. A detection mechanism for unauthorized login is therefore essential for a password based authentication scheme: a login with a wrong password can be rejected immediately at the beginning of the login phase, avoiding unnecessary computation and communication cost. The scheme in Jiang et al. (2016) lacks this mechanism, and an unauthorized login is only detected and rejected by GWN after an exchange between Ui and GWN. We illustrate this situation below.

1. When Ui wants to access the sensory data of Sj, he/she inserts the SC


into a reader and inputs IDi and a wrong password PWi* (≠ PWi). Ui chooses a nonce c ∈ Z_n^* and a random key Ki. Then the SC calculates TCi* = PTCi ⊕ h(PWi* ∥ IDi ∥ ri) = TCi ⊕ h(PWi^new ∥ IDi ∥ ri) ⊕ h(PWi* ∥ IDi ∥ ri) (≠ h(KGWN−U ∥ IDi ∥ TEi) = TCi), Ci = cP, Di = cX = cxP, DIDi = IDi ⊕ h(Ci ∥ Di), PKSi* = Ki ⊕ h(TCi* ∥ TS4 ∥ Di) and Ei* = h(h(IDi ∥ TS4) ⊕ Di ⊕ PKSi* ⊕ TCi*), where TS4 is the current time. At last, Ui forwards the login request {DIDi, Ci, PKSi*, TS4, Ei*} to GWN.

2. On receiving the message, GWN first checks whether TS4 is within the normal interval. If it is valid, GWN calculates D′i = xCi = xcP and ID′i = DIDi ⊕ h(Ci ∥ D′i), and retrieves TEi according to ID′i. Then GWN calculates TC′i = h(KGWN−U ∥ ID′i ∥ TEi) ≠ TCi*, and the session is rejected because GWN finds h(h(ID′i ∥ TS4) ⊕ D′i ⊕ PKSi* ⊕ TC′i) ≠ Ei*.

Only at this point is the wrong-password login detected and rejected by GWN, after unnecessary computation and communication cost has been spent.

3.2.3. Inapplicable to IoT environments

A WSN is composed of sensor nodes with a low power supply and a short transmission range, which play an important role in the Internet of Things by collecting information from specific regions. WSNs are usually deployed in unattended areas, such as forests or industrial environments with intense radiation, and energy conservation of sensor nodes is an important issue for WSNs. In order to prolong the life cycle of sensor nodes, the communication cost, such as the total number of bits sent by a sensor node, should be low, and the power consumption of the sensor node should be as low as possible. Heinzelman et al. (2002) have shown that the power consumption of a sensor node is proportional to the distance between the sensor node and its communication partner. Therefore, in most situations it is best for a user to access the sensory data via the gateway node GWN rather than directly from the sensor nodes. However, in the scheme of Jiang et al. (2016) the sensor node exchanges information with and transmits data directly to the user. The distance between user and sensor node may well exceed the communication radius of the sensor node, so the communication model of the scheme in Jiang et al. (2016) is not suitable for IoT environments.

3.2.4. Known session-specific temporary information (KSSTI) attack

For a user authentication scheme with key agreement, if the session key remains secure even when the session-specific temporary information (SSTI), such as the random numbers generated by the user and the server for the session key, is compromised, the scheme is said to be secure against the KSSTI attack. In Jiang et al.'s scheme (Jiang et al., 2016), the session key is SKij = h(Ki ⊕ Kj), where Ki and Kj are two temporary keys generated by Ui and Sj respectively. If the SSTI Ki and Kj are revealed to an adversary, he/she can directly compute the session key SKij = h(Ki ⊕ Kj). Therefore, Jiang et al.'s scheme (Jiang et al., 2016) is vulnerable to the KSSTI attack.

3.2.5. Clock synchronization problem

Replay is a common attack in network security, in which an adversary tries to impersonate a protocol participant by replaying previously used messages. Generally, two mechanisms are used to counter it, random numbers and timestamps, and the primary idea of both is to guarantee the freshness of the communicated messages. In wireless sensor networks, the communication between the user and GWN may be over a wired or a wireless channel, and GWN communicates with the sensor nodes over a wireless channel. Therefore, clock synchronization among these three parties is a big challenge in itself. The scheme in Jiang et al. (2016) adopts both random numbers and timestamps, and it may therefore encounter clock synchronization problems.

4. Proposed protocol

Fingerprint identification is a mature biometric technology that is widely used as an identity authentication mechanism in daily life, for instance on mobile devices. In this section, a fingerprint based three-factor user authentication scheme for WSNs in IoT environments is proposed, in which the fuzzy commitment scheme is adopted to verify the validity of the fingerprint information. The proposed scheme not only keeps the merits of the scheme in Jiang et al. (2016), but also removes the functional and security flaws of their scheme. Our scheme also has three parties, Ui, GWN and Sj, where GWN is assumed to be a trusted participant and acts as the bridge for information exchange between Ui and Sj. First, GWN chooses the parameters {E(Fp), G, P, x, X} as in Jiang et al.'s scheme (Jiang et al., 2016). Besides, GWN chooses a master secret key KGWN. GWN keeps x and KGWN secret and publishes {E(Fp), G, P, X}. The proposed scheme contains four phases: sensor registration, user registration, login and authentication, and password change. We describe these phases below.

4.1. Sensor registration

Some information must be stored in the memory of the sensors before they are deployed in a particular area. GWN selects an identity SIDj for each sensor and computes the secret key KGWN−S = h(SIDj ∥ KGWN) for SIDj. Then GWN stores {SIDj, KGWN−S} in the memory of the sensor, and deploys the sensors in the target area to form a wireless sensor network.

4.2. User registration

When a user wants to acquire the sensory data of the sensor nodes in a specific area, he/she needs to register with the GWN. This phase is described below and is also shown in Fig. 2.

1. User Ui chooses an identity IDi and a password PWi, generates a nonce ai and calculates RPWi = h(PWi ∥ ai). Then Ui imprints the biometric on a specific device and obtains the biometric information bi. At last, Ui submits the registration request {IDi, RPWi, bi} to GWN in a secure manner.

2. On receiving the registration request, GWN chooses a random codeword ci ∈ C for Ui and calculates F(ci, bi) = (α, δ), where α = h(ci) and δ = ci ⊕ bi. Then GWN calculates Ai = h(IDi ∥ RPWi ∥ ci) and Bi = h(IDi ∥ KGWN) ⊕ h(RPWi ∥ ci). After that, GWN stores {α, δ, Ai, Bi, X, f(·)} into a SC and distributes it to Ui via a secure channel. Finally, GWN stores IDi in its database and deletes the other information.

3. On receiving the SC, Ui stores ai into it, so that the SC contains the parameters {α, δ, Ai, Bi, X, f(·), ai}.

4.3. Login and authentication

When Ui wants to access the sensory data of sensor SIDj, he/she must first be authenticated by the GWN, and the following steps are performed among Ui, GWN and SIDj. This phase is also shown in Fig. 3.

1. Ui inserts the SC into a card reader and imprints the biometric b′i on a special device. Then the SC calculates c′i = f(δ ⊕ b′i) = f(ci ⊕ (bi ⊕ b′i)) and checks whether h(c′i) = α = h(ci). The session is terminated by the SC if they are not equal. Otherwise, Ui passes the biometric verification and inputs identity IDi and password PWi. The SC calculates A′i = h(IDi ∥ h(PWi ∥ ai) ∥ c′i) and checks whether A′i = Ai. The session is rejected by the SC if they are not equal. Otherwise, the user's identity and password are verified by the


Fig. 1. Login and authentication phase of Jiang et al.'s protocol.

SC. The SC then chooses a random number ri and a random s ∈ Z_n^*, and calculates M1 = Bi ⊕ h(h(PWi ∥ ai) ∥ c′i), M2 = sP, M3 = sX = sxP, M4 = IDi ⊕ M3, M5 = M1 ⊕ ri, M6 = h(IDi ∥ ri) ⊕ SIDj and M7 = h(M1 ∥ SIDj ∥ M3 ∥ ri). At last, Ui submits the login request {M2, M4, M5, M6, M7} to GWN.

2. On receiving the login request, GWN calculates M′3 = xM2 = xsP and ID′i = M4 ⊕ M′3, and checks whether ID′i is in its database. If not, the request is terminated by GWN. Otherwise, GWN calculates M′1 = h(ID′i ∥ KGWN), r′i = M5 ⊕ M′1, SID′j = M6 ⊕ h(ID′i ∥ r′i) and M′7 = h(M′1 ∥ SID′j ∥ M′3 ∥ r′i), and checks whether M′7 = M7. The session is rejected by GWN if they are not equal. Otherwise, GWN generates a random number rg and calculates K′GWN−S = h(SID′j ∥ KGWN), M8 = ID′i ⊕ K′GWN−S, M9 = rg ⊕ h(ID′i ∥ K′GWN−S), M10 = rg ⊕ r′i and M11 = h(ID′i ∥ SID′j ∥ K′GWN−S ∥ r′i ∥ rg). At last, GWN submits the message {M8, M9, M10, M11} to SIDj.

3. On receiving the message, Sj calculates ID″i = M8 ⊕ KGWN−S, r′g = h(ID″i ∥ KGWN−S) ⊕ M9, r″i = r′g ⊕ M10 and M′11 = h(ID″i ∥ SIDj ∥ KGWN−S ∥ r″i ∥ r′g), and checks whether M′11 = M11. The session is rejected by Sj if the equation does not hold. Otherwise, Sj generates a random number rj and calculates M12 = rj ⊕ KGWN−S, SKj = h(ID″i ∥ SIDj ∥ r″i ∥ r′g ∥ rj) and M13 = h(KGWN−S ∥ SKj ∥ rj). Finally, Sj responds with the message {M12, M13} to GWN.

Fig. 2. Registration phase of the proposed protocol.


Fig. 3. Login and authentication phase of the proposed protocol.

4. On receiving the message from Sj, GWN calculates r′j = M12 ⊕ K′GWN−S, SKGWN = h(ID′i ∥ SID′j ∥ r′i ∥ rg ∥ r′j) and M′13 = h(K′GWN−S ∥ SKGWN ∥ r′j), and checks whether M′13 = M13. The session is rejected if they are not equal. Otherwise, GWN calculates M14 = M′1 ⊕ rg, M15 = r′i ⊕ r′j and M16 = h(ID′i ∥ SKGWN ∥ rg ∥ r′j). Finally, GWN submits the message {M14, M15, M16} to Ui.

5. On receiving the message from GWN, Ui calculates r″g = M14 ⊕ M1, r″j = M15 ⊕ ri, SKi = h(IDi ∥ SIDj ∥ ri ∥ r″g ∥ r″j) and M′16 = h(IDi ∥ SKi ∥ r″g ∥ r″j), and checks whether M′16 = M16. The session is rejected if they are not equal. Otherwise, the authentication process is completed.

Finally, Ui can access the sensory data of Sj via GWN, and a session key SKi (= SKGWN = SKj) is shared among Ui, GWN and Sj.

Note: The login and authentication phases of Jiang et al.'s scheme (Jiang et al., 2016) and of our scheme are shown in Figs. 1 and 3, respectively, and three differences between them are easy to see. First, our scheme is a three-factor authentication scheme, while Jiang et al.'s scheme is a two-factor scheme. Second, Jiang et al.'s scheme relies on timestamps, whereas our scheme avoids them. Third, our scheme is more suitable for IoT applications since the sensor node reaches the user through the gateway; in Jiang et al.'s scheme the sensor node connects to the user directly, which may shorten the life cycle of the sensor node if the user is far away from it.

4.4. Password change

This phase allows a user to change the password at will without communicating with GWN. The procedure is as follows. When Ui wants to update the password, he/she inserts the SC into a reader and imprints the biometric b′i on a special device. Then the SC calculates c′i = f(δ ⊕ b′i) = f(ci ⊕ (bi ⊕ b′i)) and checks whether h(c′i) = α = h(ci). The request is rejected by the SC if the equation does not hold. Otherwise, Ui passes the biometric verification and inputs identity IDi and password PWi. The SC calculates A′i = h(IDi ∥ h(PWi ∥ ai) ∥ c′i) and checks whether A′i = Ai. If they are not equal, the request is declined by the SC. Otherwise, a new password PWi* may be entered. The SC calculates Ai* = h(IDi ∥ h(PWi* ∥ ai) ∥ c′i) and Bi* = Bi ⊕ h(h(PWi ∥ ai) ∥ c′i) ⊕ h(h(PWi* ∥ ai) ∥ c′i). Finally, the SC replaces Ai and Bi with Ai* and Bi*, respectively, which completes the password change.

5. Formal verification using BAN logic

In this section, we formally analyze the security goals of our scheme using the Burrows-Abadi-Needham logic (BAN logic) (Burrows et al., 1989; Li et al., 2015b). The notations used in the BAN logic analysis are as follows:

P |≡ X: P believes X.
P ◃ X: P sees X, i.e. P has received message X and may read it.


P |∼ X: P once said X, i.e. P has sent message X.
P ⇒ X: P has jurisdiction over X.
♯(X): X is fresh.
(X, Y): X or Y is a part of message (X, Y).
〈X〉Y: X is encrypted with Y.
(X, Y)K: X or Y is hashed with the key K.
P ⟷[K] Q: P and Q can communicate with the shared key K (the key is written in brackets on the arrow).
Next we introduce the BAN logic rules used below, written as (premises) / (conclusion):
Rule 1. Message meaning rule: (P |≡ P ⟷[K] Q, P ◃ 〈X〉K) / (P |≡ Q |∼ X)
Rule 2. Nonce verification rule: (P |≡ ♯(X), P |≡ Q |∼ X) / (P |≡ Q |≡ X)
Rule 3. Jurisdiction rule: (P |≡ Q ⇒ X, P |≡ Q |≡ X) / (P |≡ X)
Rule 4. Freshness conjuncatenation rule: (P |≡ ♯(X)) / (P |≡ ♯(X, Y))
Rule 5. Belief rule: (P |≡ (X), P |≡ (Y)) / (P |≡ (X, Y))
Rule 6. Session keys rule: (P |≡ ♯(X), P |≡ Q |≡ X) / (P |≡ P ⟷[K] Q)

The proposed protocol needs to satisfy the following goals to ensure its security under BAN logic, using the above assumptions and postulates.
Goal 1: Sj |≡ Sj ⟷[SKj] Ui
Goal 2: Sj |≡ Ui |≡ Sj ⟷[SKj] Ui
Goal 3: Ui |≡ Sj ⟷[SKi] Ui
Goal 4: Ui |≡ Sj |≡ Sj ⟷[SKi] Ui
Goal 5: GWN |≡ GWN ⟷[SKGWN] Ui
Goal 6: GWN |≡ Ui |≡ GWN ⟷[SKGWN] Ui
Goal 7: GWN |≡ GWN ⟷[SKGWN] Sj
Goal 8: GWN |≡ Sj |≡ GWN ⟷[SKGWN] Sj

First, we transform the communication messages of our scheme into idealized form as follows.
Msg1: Ui → GWN: {M2, M4, M5, M6, M7}: {sP, 〈IDi〉sX, 〈ri〉h(IDi ∥ KGWN), 〈SIDj〉h(IDi ∥ ri), (SIDj ∥ ri)sX, h(IDi ∥ KGWN)}
Msg2: GWN → Sj: {M8, M9, M10, M11}: {〈ID′i〉KGWN−S, 〈rg〉h(ID′i ∥ K′GWN−S), 〈ri〉rg, (IDi ∥ SIDj)(ri, rg, K′GWN−S)}
Msg3: Sj → GWN: {M12, M13}: {〈rj〉KGWN−S, (rj)(SKj, K′GWN−S)}
Msg4: GWN → Ui: {M14, M15, M16}: {〈rg〉h(IDi ∥ KGWN), 〈r′j〉r′i, (ID′i)(rg, r′j, SKGWN)}

Secondly, the following premises are given to prove the security of the proposed protocol.
P1: Ui |≡ ♯ri
P2: GWN |≡ ♯rg
P3: Sj |≡ ♯rj
P4: Ui |≡ Ui ⟷[xsP] GWN
P5: Ui |≡ Ui ⟷[SKj] Sj
P6: GWN |≡ GWN ⟷[sxP] Ui
P7: GWN |≡ GWN ⟷[KGWN−S] Sj
P8: Sj |≡ Sj ⟷[SKj] Ui
P9: Sj |≡ Sj ⟷[KGWN−S] GWN
P10: Ui |≡ Sj ⇒ rj, SKj
P11: Ui |≡ GWN ⇒ rg, SKGWN
P12: GWN |≡ Ui ⇒ ri, SKi, xsP
P13: GWN |≡ Sj ⇒ rj ⊕ KGWN−S
P14: Sj |≡ GWN ⇒ rg ⊕ h(IDi ∥ KGWN−S)
P15: Sj |≡ Ui ⇒ ri, SKi
Then, based on the idealized form of the messages and the assumptions, we prove that our scheme achieves the security goals using the BAN logic rules.
Considering the idealized form of Msg1:
Msg1: Ui → GWN: {M2, M4, M5, M6, M7}: {sP, 〈IDi〉sX, 〈ri〉h(IDi ∥ KGWN), 〈SIDj〉h(IDi ∥ ri), (SIDj ∥ ri)sX, h(IDi ∥ KGWN)}
By applying the seeing rule to Msg1, we get
D1: GWN ◃ {sP, 〈IDi〉sX, 〈ri〉h(IDi ∥ KGWN), 〈SIDj〉h(IDi ∥ ri), (SIDj ∥ ri)sX, h(IDi ∥ KGWN)}
According to D1, P6 and the message meaning rule, we get
D2: GWN |≡ Ui |∼ {sP, 〈IDi〉sX, 〈ri〉h(IDi ∥ KGWN), 〈SIDj〉h(IDi ∥ ri), (SIDj ∥ ri)sX, h(IDi ∥ KGWN)}
According to D2, P1, the freshness conjuncatenation and nonce verification rules, we get
D3: GWN |≡ Ui |≡ {sP, 〈IDi〉sX, 〈ri〉h(IDi ∥ KGWN), 〈SIDj〉h(IDi ∥ ri), (SIDj ∥ ri)sX, h(IDi ∥ KGWN)}
According to D3, P6, P12 and the jurisdiction rule, we get
D4: GWN |≡ {sP, 〈IDi〉sX, 〈ri〉h(IDi ∥ KGWN), 〈SIDj〉h(IDi ∥ ri), (SIDj ∥ ri)sX, h(IDi ∥ KGWN)}
According to D4 and the session key rule, we get
D5: GWN |≡ GWN ⟷[SKGWN] Ui (Goal 5)
Using D5, P12 and the nonce verification rule, we get
D6: GWN |≡ Ui |≡ GWN ⟷[SKGWN] Ui (Goal 6)
Considering the idealized forms of Msg2 and Msg4:
Msg2: GWN → Sj: {〈ID′i〉KGWN−S, 〈rg〉h(ID′i ∥ K′GWN−S), 〈ri〉rg, (IDi ∥ SIDj)(ri, rg, K′GWN−S)}
Msg4: GWN → Ui: {〈rg〉h(IDi ∥ KGWN), 〈r′j〉r′i, (ID′i)(rg, r′j, SKGWN)}
By applying the seeing rule to Msg2 and Msg4, we get
D7: Sj ◃ {〈ID′i〉KGWN−S, 〈rg〉h(ID′i ∥ K′GWN−S), 〈ri〉rg, (IDi ∥ SIDj)(ri, rg, K′GWN−S)}
D8: Ui ◃ {〈rg〉h(IDi ∥ KGWN), 〈r′j〉r′i, (ID′i)(rg, r′j, SKGWN)}
Using D7, P9 and the message meaning rule, we get
D9: Sj |≡ GWN |∼ {〈ID′i〉KGWN−S, 〈rg〉h(ID′i ∥ K′GWN−S), 〈ri〉rg, (IDi ∥ SIDj)(ri, rg, K′GWN−S)}
Using D8, P4 and the message meaning rule, we get
D10: Ui |≡ GWN |∼ {〈rg〉h(IDi ∥ KGWN), 〈r′j〉r′i, (ID′i)(rg, r′j, SKGWN)}
According to D9, P2, P14, the freshness conjuncatenation and nonce verification rules, we get
D11: Sj |≡ GWN |≡ {〈ID′i〉KGWN−S, 〈rg〉h(ID′i ∥ K′GWN−S), 〈ri〉rg, (IDi ∥ SIDj)(ri, rg, K′GWN−S)}
According to D10, P2, P11, the freshness conjuncatenation and nonce verification rules, we get
D12: Ui |≡ GWN |≡ {〈nk〉Kj, 〈Ji, SIDj, R2, R3〉zi, 〈Gi〉h(zi ∥ R2), 〈R1, R3, nk〉Kj}
From D12, P11 and the jurisdiction rule, we get
D14: Ui |≡ {〈nk〉Kj, 〈Ji, SIDj, R2, R3〉zi, 〈Gi〉h(zi ∥ R2), 〈R1, R3, nk〉Kj}
According to D13, we apply the session key rule as
D15: Sj |≡ Sj ⟷[SKj] GWN
Hence, Sj |≡ Sj ⟷[SKj] Ui (Goal 1)
According to D13 and P14, we apply the session key rule as
D16: Sj |≡ GWN |≡ Sj ⟷[SKj] GWN
Thus, Sj |≡ Ui |≡ Sj ⟷[SKj] Ui (Goal 2)
According to D14, we apply the session key rule as
D17: Ui |≡ Ui ⟷[SKi] GWN
Hence, Ui |≡ Sj ⟷[SKi] Ui (Goal 3)
According to D14, P11 and P5, we apply the session key rule as
D18: Ui |≡ GWN |≡ Ui ⟷[SKi] GWN
Hence, Ui |≡ Sj |≡ Sj ⟷[SKi] Ui (Goal 4)
Next, considering the idealized form of Msg3:
Msg3: Sj → GWN: {〈rj〉KGWN−S, (rj)(SKj, K′GWN−S)}
By applying the seeing rule to Msg3, we get
D19: GWN ◃ {〈rj〉KGWN−S, (rj)(SKj, K′GWN−S)}
Using D19, P7 and the message meaning rule, we get
D20: GWN |≡ Sj |∼ {〈rj〉KGWN−S, (rj)(SKj, K′GWN−S)}
According to D20, P3, the freshness conjuncatenation and nonce verification rules, we get
D21: GWN |≡ Sj |≡ {〈rj〉KGWN−S, (rj)(SKj, K′GWN−S)}
From D21, P7, P13 and the jurisdiction rule, we get
D22: GWN |≡ {〈rj〉KGWN−S, (rj)(SKj, K′GWN−S)}
According to D22 and P8, we apply the session key rule as

D23: GWN |≡ Sj ⟷[SKGWN] GWN (Goal 7)
According to D22, P13 and P15, we apply the session key rule as
D24: GWN |≡ Sj |≡ Sj ⟷[SKGWN] GWN (Goal 8)
Hence, the above logic proves that the contributed scheme achieves mutual authentication, and the session key SKi = SKj = SKGWN is mutually established between Ui and Sj with the assistance of GWN.

6. Security analysis

This section discusses the security and functional features of our scheme: our scheme resists most known attacks and achieves some ideal functional features.

6.1. Resist replay attack without using timestamp

Since clock synchronization is a big challenge in wireless sensor networks, the proposed scheme adopts the random number method to ensure the freshness of the exchanged messages and avoids using timestamps. In each session of the proposed scheme, the random numbers ri and s, rg, and rj are generated by Ui, GWN, and Sj, respectively, and the communication messages of each session are calculated from these random numbers. These random numbers ensure the freshness of the exchanged messages of a session, and the messages are valid only for the current session. Therefore, our scheme is free from the replay attack and does not need to face the clock synchronization problem.

6.2. User anonymity and untraceability

User anonymity means that the user's real identity is shielded from any adversary; it is an ideal feature for a user authentication scheme, especially in environments with high privacy protection requirements, such as online finance and remote healthcare. In the proposed scheme, the plaintext of the user's real identity IDi is not contained in any message, and an adversary cannot get the user's real identity from the communication messages directly. Instead, Ui's real identity IDi is implied in messages M4 and M8. When receiving the login request message {M2, M4, M5, M6, M7} from Ui, GWN, knowing the master secret key x, can recover Ui's real identity by calculating M′3 = xM2 = xsP and ID′i = M4 ⊕ M′3. When receiving {M8, M9, M10, M11} from GWN, Sj recovers ID″i = M8 ⊕ KGWN−S by using KGWN−S. Without knowing x and KGWN−S, an adversary cannot reveal Ui's real identity from the communication messages.
Untraceability means that an adversary cannot trace the different sessions of a particular user from the messages exchanged over the public channel. In our scheme, the random numbers ri and s are generated by Ui for each session, which makes the login request message {M2, M4, M5, M6, M7} of one session different from those of other sessions. Therefore, our scheme achieves the feature of untraceability.

6.3. Sensor node anonymity

In our scheme, sensor node Sj's real identity SIDj is not contained in any of the communication messages. Therefore, an adversary cannot get the identity of Sj from the exchanged messages directly. Besides, without GWN's secret keys x and KGWN, an adversary cannot retrieve SIDj from the login request message {M2, M4, M5, M6, M7}. Furthermore, the different random numbers ri, rg and rj of each session ensure that the communication messages change dynamically across sessions, and no adversary can trace the different sessions of a specific sensor node. Therefore, our scheme provides the anonymity feature for the sensor node.

6.4. Resist stolen smart card attack

Some references (Kocher et al., 1999; Messerges et al., 2002) have pointed out that the information in an SC can be retrieved using side-channel attacks such as the power analysis attack; therefore, the stolen smart card attack should be taken into consideration when designing an authentication scheme using smart cards. In our scheme, Ui's SC contains the parameters {α, δ, Ai, Bi, X, f(·), ai}, where α = h(ci), δ = ci ⊕ bi, Ai = h(IDi ∥ h(PWi ∥ ai) ∥ ci), Bi = h(IDi ∥ KGWN) ⊕ h(h(PWi ∥ ai) ∥ ci), and ci and ai are a codeword and a random number chosen by GWN and Ui, respectively. If Ui's SC is stolen by an adversary and the information {α, δ, Ai, Bi, X, f(·), ai} in it is retrieved by the adversary, the adversary cannot guess IDi and PWi from Ai without knowing ci, and also cannot guess this key information from Bi since he/she does not know ci and KGWN. Without Ui's identity and password information, the adversary cannot impersonate the user. Therefore, our scheme is robust even if the smart card is stolen.

6.5. Resist forgery attack

The forgery attack is a common attack in network-based applications, where an adversary may want to impersonate any party involved in the scheme by using available information such as the communication messages collected from the public channel, the user's smart card information, and so on. In the proposed scheme, IDi and M1 = h(IDi ∥ KGWN) are necessary information to generate Ui's login request message {M2, M4, M5, M6, M7}. However, as shown in Section 6.2, an adversary cannot reveal Ui's real identity from the public channel. Meanwhile, the adversary cannot get the required information M1 = h(IDi ∥ KGWN) since it is shielded by PWi, ai and ci. Besides, as shown in Section 6.4, an adversary cannot impersonate a user even if he/she gets the user's smart card information. Therefore, the user forgery attack can be avoided.
Besides, in our scheme, the secret keys x and KGWN are essential information for GWN to generate the communication messages. Therefore, an adversary cannot impersonate GWN since he/she has no information about x and KGWN, and our scheme avoids the gateway node forgery attack. For a similar reason, without knowing Sj's secret key KGWN−S = h(SIDj ∥ KGWN), an adversary cannot impersonate a sensor node.

6.6. Mutual authentication and key agreement

In our scheme, GWN is a trusted party and a bridge of communication between Ui and Sj, and mutual authentication among the three parties is achieved explicitly or implicitly. Particularly, when receiving the user's login request message {M2, M4, M5, M6, M7}, GWN first restores ID′i using the secret key x and checks whether ID′i is in the database. Then, GWN retrieves M′1, r′i, SID′j, M′7, and can verify the validity of Ui by checking whether M′7 = M7. In step 3 of Section 4.3, when receiving the message {M8, M9, M10, M11} from GWN, Sj first retrieves ID″i, r′g, r″i = r′g ⊕ M10, M′11 by using KGWN−S, and verifies the validity of the message by checking whether M′11 = M11. In step 4 of Section 4.3, when getting the response message {M12, M13} from Sj, GWN restores r′j using K′GWN−S, then calculates SKGWN and M′13, and authenticates Sj by checking whether M′13 = M13. Similarly, when obtaining the message {M14, M15, M16} from GWN, Ui retrieves r″g, r″j and calculates SKi and M′16. Finally, the validity of the message can be affirmed by Ui if M′16 = M16.

6.7. Resist KSSTI attack

In our scheme, a session key SK = h(IDi ∥ SIDj ∥ ri ∥ rg ∥ rj) is generated among Ui, GWN and Sj, which is calculated based on the random numbers ri, rg and rj, and the anonymous identities IDi and

SIDj. From the analysis of Sections 6.2 and 6.3, we can see that no adversary can retrieve IDi and SIDj from the messages exchanged among Ui, GWN and Sj. Consequently, even if the random numbers ri, rg and rj are compromised by an adversary, he/she cannot calculate the session key without knowing IDi and SIDj, and our scheme is free from the KSSTI attack.

6.8. Resist insider attack

In an insider attack, a privileged insider such as a system administrator obtains the users' registration information and then impersonates the victim at other systems where the victim has registered using the same information. When Ui registers with GWN in our scheme, Ui submits the registration request message {IDi, RPWi, bi} to GWN. An adversary cannot get Ui's password PWi from RPWi since it is shielded by the random number ai, so the insider attack on our scheme is avoided.

6.9. Efficient detection mechanism for unauthorized login

A detection mechanism for unauthorized login is essential for a password-based authentication scheme: it not only saves unnecessary communication and computation cost if a wrong password is input by the user in the login phase, but also makes the password change readily achievable. Our scheme is based on three factors and adopts the fuzzy commitment scheme to verify the validity of the user's biometric information. In the login phase of our scheme, Ui inserts the SC into a reader and imprints the biometric b′i on a special device. Then, the SC calculates c′i = f(δ ⊕ b′i) = f(ci ⊕ (bi ⊕ b′i)) and can verify whether the biometric is valid by checking h(c′i) = α = h(ci). Biometric verification is an important factor of our scheme, and only when the validity of the biometric has been verified is the user allowed to input the identity and password. After the biometric, identity and password have all been verified, the user can access the system. The process of these verifications can be found in Section 4.3. Therefore, our scheme can detect unauthorized login quickly at the beginning of the login and authentication phase when the user inputs wrong information.

6.10. Efficient password change

Due to the existence of the detection mechanism for unauthorized login, our scheme allows the user to update the password freely without communicating with GWN, as can be seen in Section 4.4.

6.11. Suitable for IoT environments

The communication cost of a sensor node is proportional to the distance between the communicating party and the sensor node; therefore the schemes in He et al. (2015) and Jiang et al. (2016) are inapplicable to IoT environments since the sensor node communicates with the user directly. However, in our scheme, the exchange of information between Ui and Sj is achieved through the trusted party GWN. This architecture allows a user to access the sensory data of a sensor node remotely, and extends the lifecycle of the sensor node as much as possible. Therefore, our scheme is fit for IoT environments.

7. Comparisons with other related schemes

In this section, the security and functional features of our scheme and of the schemes in Choi et al. (2014), He et al. (2015), and Jiang et al. (2016) are compared first. Then the comparisons of computational costs and communication costs of the schemes are presented, respectively.

7.1. Comparison of security and functional features

The comparison of security and functional features of our scheme and the schemes in Choi et al. (2014), He et al. (2015), and Jiang et al. (2016) is shown in Table 2. From Table 2 we can see that all the schemes in Choi et al. (2014), He et al. (2015), and Jiang et al. (2016) face the clock synchronization problem, and all of them are vulnerable to the session-specific temporary information attack. Meanwhile, since the sensor node contacts the user directly, all the schemes in Choi et al. (2014), He et al. (2015), and Jiang et al. (2016) are not suitable for IoT environments. Besides, the scheme in Choi et al. (2014) lacks the features of user anonymity and untraceability, and is vulnerable to the stolen smart card attack. Both schemes in He et al. (2015) and Jiang et al. (2016) lack the detection mechanism for unauthorized login and do not support free password change. Furthermore, the scheme in He et al. (2015) does not provide the features of mutual authentication and untraceability, and is vulnerable to the user impersonation attack. Compared with the related schemes, our scheme achieves more ideal functional features and resists most attacks.

Table 2
Comparison of security and functional features.

| Security properties | Choi et al. (2014) | He et al. (2015) | Jiang et al. (2016) | Ours |
| Mutual authentication | Yes | No | Yes | Yes |
| Session key agreement | Yes | Yes | Yes | Yes |
| User anonymity | No | Yes | Yes | Yes |
| Untraceability | No | No | Yes | Yes |
| Freely password change | Yes | No | No | Yes |
| Detection mechanism for unauthorized login | Yes | No | No | Yes |
| Suitable for IoT environments | No | No | No | Yes |
| Resistant to replay attack | Yes | Yes | Yes | Yes |
| Resistant to stolen smart card attack | No | No | Yes | Yes |
| Resistant to session-specific temporary information attack | No | No | No | Yes |
| Resistant to user impersonation attack | Yes | No | Yes | Yes |
| Resistant to GWN impersonation attack | Yes | Yes | Yes | Yes |
| Resistant to sensor node impersonation attack | Yes | Yes | Yes | Yes |
| Avoid of clock synchronization problem | No | No | No | Yes |

7.2. Comparison of computational costs

Table 3
Computational costs comparison of our scheme with other related schemes.

| Scheme | Ui's cost | GWN's cost | Sj's cost | Total cost |
| Choi et al. (2014) | 3TE + 9Th | 1TE + 5Th | 2TE + 6Th | 6TE + 20Th = 2.566112 ms |
| He et al. (2015) | 8Th | 9Th | 6Th | 23Th = 0.0007544 ms |
| Jiang et al. (2016) | 2TE + 8Th | TE + 9Th | 6Th | 3TE + 23Th = 1.2834824 ms |
| Our scheme | 2TE + 8Th | TE + 9Th | 4Th | 3TE + 21Th = 1.2834168 ms |

To facilitate the evaluation of computation costs, TE and Th are defined as the time cost of an ECC point multiplication and of a hash function operation, respectively. Generally TE is much larger than Th, and according to the reference (Wu et al., 2016), TE and Th are 0.427576 ms and 0.0000328 ms, respectively. Table 3 shows the performance comparison of our scheme and the schemes in Choi et al. (2014), He et al. (2015), and Jiang et al. (2016). It can be seen from

Table 3 that our scheme needs almost the same computation costs as the scheme in Jiang et al. (2016), and is more efficient than the scheme in Choi et al. (2014). The scheme in He et al. (2015) is the most efficient one since it does not need ECC point multiplication operations, but it lacks some functional features and is vulnerable to some attacks, as can be seen in Table 2. Compared with other public-key cryptosystems, ECC is suitable for low-power devices such as smart cards. Besides, in our scheme, the sensor node does not need to perform ECC point multiplication operations. Overall, our scheme not only keeps computational efficiency, but also achieves well-known functional and security features.

7.3. Comparison of communication costs

In order to facilitate the analysis of communication costs, we assume that the lengths of a random number, a timestamp, the output of a one-way hash function, a secret key, an identity and a password are 128 bits, and the length of an ECC point multiplication is 160 bits. Table 4 lists the comparison result of communication costs among our scheme and the schemes in Choi et al. (2014), He et al. (2015), and Jiang et al. (2016). The total communication costs of the scheme in Choi et al. (2014), the scheme in He et al. (2015), the scheme in Jiang et al. (2016) and our scheme are 3072 bits, 2048 bits, 1856 bits, and 1856 bits, respectively. Our scheme has the same communication efficiency as the scheme in Jiang et al. (2016), and is more efficient in the communication aspect than the schemes in Choi et al. (2014) and He et al. (2015).

Table 4
Communication costs comparison of our scheme with other related schemes.

| Direction | Choi et al. (2014) | He et al. (2015) | Jiang et al. (2016) | Our scheme |
| User to Gateway | – | 6*128 = 768 bits | 2*160+3*128 = 704 bits | 2*160+3*128 = 704 bits |
| User to Sensor | 5*128+160 = 800 bits | – | – | – |
| Gateway to Sensor | 3*128 = 384 bits | 6*128 = 768 bits | 5*128 = 640 bits | 4*128 = 512 bits |
| Sensor to Gateway | 7*128+2*160 = 1216 bits | – | – | 2*128 = 256 bits |
| Sensor to User | 4*128+160 = 672 bits | 4*128 = 512 bits | 4*128 = 512 bits | – |
| Gateway to User | – | – | – | 3*128 = 384 bits |
| Total costs | 3072 bits | 2048 bits | 1856 bits | 1856 bits |

8. Conclusion

In this paper, we first reviewed a recently proposed two-factor authentication scheme for WSNs. Then the functional and security flaws of their scheme were pointed out: their scheme lacks the functions of password change and detection of wrong password login. Besides, their scheme suffers from the known session-specific temporary information attack, faces the clock synchronization problem, and is not applicable to IoT applications. Then, we designed a three-factor anonymous authentication scheme for WSNs in IoT environments, where the fuzzy commitment scheme is used to handle the user's biometric information. The analysis results show that our scheme can resist most known attacks and achieves some ideal functions, such as free password change and quick detection of unauthorized login. Compared with other related schemes, our scheme fulfills most security and functional features and also keeps computational efficiency at the same time. Therefore, our scheme is applicable to WSNs in IoT environments. In the future, we will do some simulation work using the NS-2 tool to evaluate the efficiency of our scheme. Besides, since WSNs play an important role in a series of smart environments such as the smart grid, smart healthcare and intelligent transportation systems, we will study security schemes for these IoT applications.

Acknowledgements

This work was supported by the National Natural Science Foundation of China under Grant Nos. 61300220 & 61572013 & 61572188, the Scientific Research Fund of Hunan Provincial Education Department under Grant No. 16B089, the General and Special Financial Grant from China Postdoctoral Science Foundation under Grant Nos. 2014M550590 & 2015T80035, Fujian Education and Scientific Research Program for Young and Middle-aged Teachers under Grant No. JA14369, University Distinguished Young Research Talent Training Program of Fujian Province (Year 2016). Saru Kumari is sponsored by the University Grants Commission, India through UGC-BSR Start-up grant under Grant no. 3(A)(60)31.

References

Akyildiz, I.F., Su, W., Sankarasubramaniam, Y., Cayirci, E., 2002. Wireless sensor networks: a survey. Comput. Netw. 38, 393–422.
Atzori, L., Iera, A., Morabito, G., 2010. The internet of things: a survey. Comput. Netw. 54, 2787–2805.
Burrows, M., Abadi, M., Needham, R.M., 1989. A logic of authentication. In: Proceedings of the Royal Society of London A: Mathematical, Physical and Engineering Sciences, volume 426, The Royal Society, pp. 233–271.
Choi, Y., Lee, D., Kim, J., Jung, J., Nam, J., Won, D., 2014. Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography. Sensors 14, 10081–10106.
Das, M.L., 2009. Two-factor user authentication in wireless sensor networks. IEEE Trans. Wirel. Commun. 8, 1086–1090.
Fu, Z., Huang, F., Ren, K., Weng, J., Wang, C., 2017. Privacy-preserving smart semantic search based on conceptual graphs over encrypted outsourced data. IEEE Trans. Inf. Forensics Secur. 12, 1874–1884.
He, D., Gao, Y., Chan, S., Chen, C., Bu, J., 2010. An enhanced two-factor user authentication scheme in wireless sensor networks. Ad hoc Sens. Wirel. Netw. 10, 361–371.
He, D., Kumar, N., Chilamkurti, N., 2015. A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Inf. Sci. 321, 263–277.
Heinzelman, W.B., Chandrakasan, A.P., Balakrishnan, H., 2002. An application-specific protocol architecture for wireless microsensor networks. IEEE Trans. Wirel. Commun. 1, 660–670.
Jiang, Q., Ma, J., Lu, X., Tian, Y., 2015. An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks. Peer-to-Peer Netw. Appl. 8, 1070–1081.
Jiang, Q., Ma, J., Wei, F., Tian, Y., Shen, J., Yang, Y., 2016. An untraceable temporal-credential-based two-factor authentication scheme using ECC for wireless sensor networks. J. Netw. Comput. Appl. 76, 37–48.
Juels, A., Wattenberg, M., 1999. A fuzzy commitment scheme. In: Proceedings of the 6th ACM Conference on Computer and Communications Security. ACM, pp. 28–36.
Khan, M.K., Alghathbar, K., 2010. Cryptanalysis and security improvements of two-factor user authentication in wireless sensor networks. Sensors 10, 2450–2459.
Kocher, P., Jaffe, J., Jun, B., 1999. Differential power analysis. In: Annual International Cryptology Conference, Springer, pp. 388–397.
Kong, Y., Zhang, M., Ye, D., 2017. A belief propagation-based method for task allocation in open and dynamic cloud environments. Knowl.-Based Syst. 115, 123–132.
Li, X., Niu, J., Khan, M.K., Liao, J., 2013a. An enhanced smart card based remote user password authentication scheme. J. Netw. Comput. Appl. 36, 1365–1371.
Li, X., Ma, J., Wang, W., Xiong, Y., Zhang, J., 2013b. A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. Math. Comput. Model. 58, 85–95.
Li, X., Niu, J., Liao, J., Liang, W., 2015a. Cryptanalysis of a dynamic identity-based remote user authentication scheme with verifiable password update. Int. J. Commun. Syst. 28, 374–382.

Li, X., Niu, J., Kumari, S., Liao, J., Liang, W., 2015b. An enhancement of a smart card authentication scheme for multi-server architecture. Wirel. Personal. Commun. 80, 175–192.
Messerges, T.S., Dabbish, E.A., Sloan, R.H., 2002. Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51, 541–552.
Shen, J., Chang, S., Shen, J., Liu, Q., Sun, X., 2016. A lightweight multi-layer authentication protocol for wireless body area networks. Future Gener. Comput. Syst. http://dx.doi.org/10.1016/j.future.2016.11.033.
Shen, J., Shen, J., Chen, X., Huang, X., Susilo, W., 2017a. An efficient public auditing protocol with novel dynamic structure for cloud data. IEEE Trans. Inf. Forensics Secur. http://dx.doi.org/10.1109/TIFS.2017.2705620.
Shen, J., Liu, D., Shen, J., Liu, Q., Sun, X., 2017b. A secure cloud-assisted urban data sharing framework for ubiquitous-cities. Pervasive Mob. Comput. http://dx.doi.org/10.1016/j.pmcj.2017.03.013.
Shi, W., Gong, P., 2013. A new user authentication protocol for wireless sensor networks using elliptic curves cryptography. Int. J. Distrib. Sens. Netw.
Wang, D., He, D., Wang, P., Chu, C.-H., 2015a. Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans. Dependable Secur. Comput. 12, 428–442.
Wang, D., Wang, N., Wang, P., Qing, S., 2015b. Preserving privacy for free: efficient and provably secure two-factor authentication scheme with user anonymity. Inf. Sci. 321, 162–178.
Wu, F., Xu, L., Kumari, S., Li, X., Das, A.K., Khan, M.K., Karuppiah, M., Baliyan, R., 2016. A novel and provably secure authentication and key agreement scheme with user anonymity for global mobility networks. Secur. Commun. Netw. 9, 3527–3542.
Xia, Z., Wang, X., Zhang, L., Qin, Z., Sun, X., Ren, K., 2016a. A privacy-preserving and copy-deterrence content-based image retrieval scheme in cloud computing. IEEE Trans. Inf. Forensics Secur. 11, 2594–2608.
Xia, Z., Wang, X., Sun, X., Wang, Q., 2016b. A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data. IEEE Trans. Parallel Distrib. Syst. 27, 340–352.
Xue, K., Ma, C., Hong, P., Ding, R., 2013. A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks. J. Netw. Comput. Appl. 36, 316–323.
Yeh, H.-L., Chen, T.-H., Liu, P.-C., Kim, T.-H., Wei, H.-W., 2011. A secured authentication protocol for wireless sensor networks using elliptic curves cryptography. Sensors 11, 4767–4779.
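Added worked example (not the paper's code) of the smart-card-side checks of Section 6.9 and the local password change of Section 4.4: the fuzzy-commitment decoder f(·) is instantiated as a 3-fold repetition code, RPWi is assumed to be h(PWi ∥ ai), h is SHA-256, and every identity, password, key and biometric template is a constructed placeholder.

```python
import hashlib
import secrets

REP = 3          # repetition factor of the error-correcting code f(.) (assumed)
INFO_BITS = 16   # information bits per codeword c_i (toy size, constructed)


def h(*parts: bytes) -> bytes:
    """h(a ∥ b ∥ ...): SHA-256 over a length-prefixed concatenation."""
    buf = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hashlib.sha256(buf).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def random_codeword() -> bytes:
    """GWN's codeword c_i: each information bit repeated REP times (one bit per byte)."""
    info = [secrets.randbelow(2) for _ in range(INFO_BITS)]
    return bytes(bit for bit in info for _ in range(REP))


def f(word: bytes) -> bytes:
    """Decode to the nearest codeword by majority vote inside each REP-block.
    Corrects up to (REP - 1) // 2 flipped bits per block, i.e. one bit here."""
    out = bytearray()
    for k in range(0, len(word), REP):
        block = word[k:k + REP]
        out.extend([1 if 2 * sum(block) > len(block) else 0] * len(block))
    return bytes(out)


def register(IDi: bytes, PWi: bytes, bi: bytes, K_GWN: bytes) -> dict:
    """Card personalisation: Ui picks a_i and sends {IDi, RPWi, bi} with RPWi = h(PWi ∥ ai)
    (assumed form); GWN picks c_i and writes {alpha, delta, Ai, Bi, ai} to the SC."""
    ai = secrets.token_bytes(16)
    RPWi = h(PWi, ai)
    ci = random_codeword()
    return {
        "alpha": h(ci),                          # alpha = h(ci)
        "delta": xor(ci, bi),                    # delta = ci ⊕ bi
        "Ai": h(IDi, RPWi, ci),                  # Ai = h(IDi ∥ h(PWi ∥ ai) ∥ ci)
        "Bi": xor(h(IDi, K_GWN), h(RPWi, ci)),   # Bi = h(IDi ∥ KGWN) ⊕ h(h(PWi ∥ ai) ∥ ci)
        "ai": ai,
    }


def sc_check(sc: dict, bi_prime: bytes, IDi: bytes, PWi: bytes):
    """Local three-factor check (Section 6.9). Returns (status, M1); M1 = h(IDi ∥ KGWN)
    is unmasked from Bi only once biometric, identity and password all pass."""
    ci_prime = f(xor(sc["delta"], bi_prime))       # f(ci ⊕ (bi ⊕ bi'))
    if h(ci_prime) != sc["alpha"]:                  # h(ci') =? alpha
        return "biometric rejected", None
    RPWi = h(PWi, sc["ai"])
    if h(IDi, RPWi, ci_prime) != sc["Ai"]:          # Ai' =? Ai
        return "identity/password rejected", None
    return "ok", xor(sc["Bi"], h(RPWi, ci_prime))   # Bi ⊕ h(h(PWi ∥ ai) ∥ ci')


def change_password(sc: dict, bi_prime: bytes, IDi: bytes, PWi: bytes, PWi_new: bytes) -> bool:
    """Password change (Section 4.4): re-run the checks, then rewrite Ai and re-mask Bi
    without contacting GWN. Returns False when the SC declines the request."""
    status, _ = sc_check(sc, bi_prime, IDi, PWi)
    if status != "ok":
        return False
    ci_prime = f(xor(sc["delta"], bi_prime))
    RPW_old, RPW_new = h(PWi, sc["ai"]), h(PWi_new, sc["ai"])
    sc["Ai"] = h(IDi, RPW_new, ci_prime)            # Ai* = h(IDi ∥ h(PWi* ∥ ai) ∥ ci')
    # Bi* = Bi ⊕ h(h(PWi ∥ ai) ∥ ci') ⊕ h(h(PWi* ∥ ai) ∥ ci'): strip old mask, apply new
    sc["Bi"] = xor(xor(sc["Bi"], h(RPW_old, ci_prime)), h(RPW_new, ci_prime))
    return True


def flip(bits: bytes, positions) -> bytes:
    """Constructed noisy biometric sample: flip the given bit positions of bi."""
    out = bytearray(bits)
    for p in positions:
        out[p] ^= 1
    return bytes(out)


def demo() -> dict:
    """Walk through enrolment, noisy logins, a wrong password and a password change."""
    IDi, PWi, K_GWN = b"user-placeholder", b"old-password", secrets.token_bytes(32)
    bi = bytes(secrets.randbelow(2) for _ in range(INFO_BITS * REP))  # enrolled template
    sc = register(IDi, PWi, bi, K_GWN)
    r = {}
    noisy_ok = flip(bi, [0, 4, 8])        # one flip per 3-bit block: within f's capacity
    r["noisy_bio"] = sc_check(sc, noisy_ok, IDi, PWi)[0]
    r["too_noisy_bio"] = sc_check(sc, flip(bi, [0, 1]), IDi, PWi)[0]  # two flips, one block
    r["wrong_pw"] = sc_check(sc, bi, IDi, b"guess")[0]
    r["changed"] = change_password(sc, noisy_ok, IDi, PWi, b"new-password")
    r["old_pw_after_change"] = sc_check(sc, bi, IDi, PWi)[0]
    status, M1 = sc_check(sc, bi, IDi, b"new-password")
    r["new_pw_after_change"] = status
    r["M1_preserved"] = M1 == h(IDi, K_GWN)   # re-masked Bi still hides the same M1
    return r
```

The last check is the point of the Bi* update: the card never stores h(IDi ∥ KGWN) in the clear, yet a password change keeps it recoverable under the new password only.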
