A secured authentication protocol for wireless sensor networks using elliptic curves cryptography.

User authentication is a crucial service in wireless sensor networks (WSNs) that is becoming increasingly common in WSNs because wireless sensor nodes are typically deployed in an unattended environment, leaving them open to possible hostile network attack. Because wireless sensor nodes are limited in computing power, data storage and communication capabilities, any user authentication protocol must be designed to operate efficiently in a resource constrained environment. In this paper, we review several proposed WSN user authentication protocols, with a detailed review of the M.L Das protocol and a cryptanalysis of Das' protocol that shows several security weaknesses. Furthermore, this paper proposes an ECC-based user authentication protocol that resolves these weaknesses. According to our analysis of security of the ECC-based protocol, it is suitable for applications with higher security requirements. Finally, we present a comparison of security, computation, and communication costs and performances for the proposed protocols. The ECC-based protocol is shown to be suitable for higher security WSNs.

Introduction

As wireless communication technology has matured, the deployment of Wireless Sensor Networks (WSNs) has become more common. Wireless communication is a natural fit for sensor networks for the following reasons: it reduces the cost of infrastructure, allowing sensor networks to be deployed in areas that were once cost prohibitive and it allows a greater range of applications than fixed location sensor networks [1]. WSNs are now providing economical solutions in a host of diverse industries: electric utilities use WSNs for remote voltage monitoring, museums use WSNs for humidity monitoring and control, health care providers use WSNs for patient monitoring and notification, and they are in use in the military. Other applications include environment tracking and habitat monitoring, etc. [2-5].

A key requirement for WSN is user authentication [6,7]. The client devices (remote wireless sensor nodes) need to be authenticated before being allowed to join the WSN and have access to the WSN’s resources. To date, most user authentication methods have focused on protocol implementations in the network and link layers. Accordingly, we propose an efficient protocol implementation in the WSN application layer. It should be noted that, in order to limit power consumption by sensor nodes and to overcome limitations in computation capacity, user authentication in a WSN is typically done in dedicated gateway node (GW-node) [8].

Sastry and Wagner [9] proposed a security enhancement using access control lists (ACL’s) in the GW node. In addition to verifying a client’s identity and arranging the nearest sensor node, an ACL would be maintained. The ACL would be limited to 255 entries. Watro et al. [10] proposed a complex mathematical method for user authentication employing RSA and Diffie-Hellman algorithms to calculate an encrypted public key (TinyPK authentication), but this protocol is open to hostile attack by a user masquerading as a sensor node (spoofing). Wong et al. [11] proposed a less complex, light-weight, dynamic user authentication method using a hash-based protocol. Their method recommended using the security features of the IEEE 802.15.4 MAC sublayer. Das [12] and Tseng et al. [13] pointed out that both Watro’s and Wong’s user authentication methods were vulnerable to stolen-verifier, replay, and forgery attacks (made possible by allowing multiple users with a single login ID). Das [12] proposed a two factor method of user authentication. This method is designed to protect against the aforementioned stolen-verifier, replay, and forgery attacks. Tseng et al. [13] further pointed out that Wong’s method was vulnerable to stolen passwords and that Wong’s method prevented users from freely changing their password. Tseng et al. proposed an enhanced user authentication method that is design to prevent the various attacks and to reduce the vulnerability to stolen passwords. Khan et al. [14,15] and Chen et al. [16] reviewed the Das two factor method and found additional security issues. Chen et al. [16] proposed a more secure and robust two-factor user authentication in WSNs. Unfortunately, we find that the Chen et al. proposal fails to provide a secure method for updating user passwords and is vulnerable to the insider attack problem.

To address all of the issues raised in the above studies, we propose a novel user authentication protocol for wireless sensor networks, using Elliptic Curves Cryptography (ECC) and smart cards. Our proposal addresses the key security issues, while at the same time reducing computational load requirements. The remainder of this paper is organized as follows: in Section 2, we review the Das method and perform a detailed cryptanalysis of that method; next we present the ECC-based authentication protocol (EAP) for WSNs in Section 3. In Section 4, we present a security and performance analysis of the related protocols. Then, in Section 5, we provide some concluding remarks.

Related Works

Review of Das’ Scheme

This section provides a brief review of the Das method and analyzes its protocol. Before this analysis we first summarize in Table 1 the notations used throughout this paper and their corresponding definitions.

Table 1.

Notations.

Symbol	Definition
U	A user
ID	A user’s identity
PW	A user’s password
DID	A user’s dynamic login identity
GW-node	Gateway node of WSN
Sn	Nearest sensor node of WSN
h(.)	A secure one-way hash function
xa	A permanent secret parameter generated securely by the GW-node and stored in some defined sensor nodes before deploying the WSN
K	A symmetric key of GW-node which shared between the GW-node, users and the sensor nodes
||	A string concatenation operation
⊕	A string XOR operation
⇒	A secure channel
→	A public channel

Das’ protocol involves the registration phase, login phase and verification phase, and can be briefly described as follows:

(1) Registration phase:

In this phase, a user U submits his/her ID and PW to the GW-node in a secured manner. Then, the GW-node issues a license to U. The steps are described as follows:

Step 1: U ⇒ GW-node:{ID, PW}. A U enters an identity ID and a password PW and then sends {ID, PW} to the GW-node using a secure channel.

Step 2: GW-node ⇒ smart card of U :{ h(.), ID, N, h(PW), x}. The GW-node computes N = h(ID || PW) ⊕ h(K) after receiving the registration request. Then, the GW-node personalizes the smart card with parameters {h(.), ID, N, h(PW), x}. U receives the smart card information using a secure channel.

(2) Login phase:

When user U enters an ID and a PW in order to carry out some inquiry or to access data from the WSN, the smart card must confirm the validity of U according to the following steps:

Step 1: Validate U. The entered ID and PW are validated against the ID and PW stored on the user’s smart card. If U’s identification validation fails, the smart card will terminate this request.

Step 2: U’s smart card calculates DID and C.

DID = h(ID || PW)⊕h(x|| T), where T is the login system timestamp.

C = h(N || x || T).

Step 3: U→GW-node:{DID, C, T}.

{DID, C, T} is transmitted to the GW-node via public channel.

(3a) Verification phase (gateway node):

When the GW-node receives a login request {DID, C, T} at time T*, the GW-node performs the following steps to verify the identity of U:

Step 1: Validates if T*–T < ΔT.

If (T* – T) ≤ ΔT then the validity of T can be certain, and the GW-node proceeds to the next step. Otherwise, the GW-node rejects the request. Here, ΔT denotes the expected time interval for transmission delay.

Step 2: Calculates .

h(IDi || PW)* = DID⊕h(x || T)

.

Step 3: Confirms whether the .

If the , then the GW-node accepts the login request and sends a request to Sn.

Step 4: GW-node→S:{DID, A, T'}.

The GW-node calculates A = h(DID || S || x || T') and transmits a request {DID, A, T'} to S over a public channel. T' is the GW-node request timestamp. A is generated using the x parameter, thus the value of A can be used by S to ensure that the message originates from a valid GW-node.

(3b) Verification phase (sensor node):

When S receives request {DID, A, T'} at time T, S performs the following steps to verify the validity of the request:

Step 1: Validates if T – T’ < ΔT.

If (T – T’) ≤ ΔT then the validity of T' can be certain, and S proceeds to the next step.

Step 2: Recalculates A.

A = h(DID || S || x || T')

Step 3: Confirms whether the value of the locally calculated A is the same as the value of A in the GW-node request.

If the value of the locally calculated A is the same as the value of A in the GW-node request, then S responds to U’s original request. Otherwise, S rejects the request.

Cryptanalysis of Das’ Protocol

Recently, several studies have analyzed security flaws in Das’ scheme [14-16]. In this section, we also discuss the requirements of security in WSNs and describe the primary flaw of Das’ protocol (it omits mutual authentication) and several secondary security issues [14-16].

Security Requirements in Wireless Sensor Networks

Sastry and Wagner [9] noted several problems with regard to the security of user authentication provided by IEEE 802.15.4 [17]. They cited ACL management problems, loss of ACL state due to power interruptions, and key management problems. They concluded that IEEE 802.15.4 provides insufficient user authentication security and provided some solutions for the noted problems. However, above and beyond the security issues noted by Sastry and Wagner, there are two additional security issues that must be addressed:

Secure user authentication in WSNs should include, to the extent possible, methods for addressing application layer issues such as masquerade, replay, and forgery attacks.

Secure user authentication in WSNs should be based on mutual authentication.

No Mutual Authentication

Because Das’ protocol does not provide mutual authentication [14-16], a malicious user can attack a WSN that uses the Das protocol by means of eavesdropping and masquerading. The attack could be accomplished as follows:

U sends the message {DID, C, T} to the GW-node for accessing the WSN.

The GW-node sends the message {DID, A, T} to S for asking the service for U.

The attacker captures the message {DID, A, T} via eavesdropping.

The attacker provides an S which masquerades as S to get the U’s request data or hold back the request.

Since S co-works with U continuously, the U access requests will continue to fail.

With the Das method, after accepting the login request of U, the GW-node sends a message {DID, A, T’} to some nearest sensor node S. Here the value of A is computed by A = h(DID || S || x || T’), where T' is the current timestamp of GW-node. The value of A is used to assure the sensor node that the message has come from the real GW-node. The GW-node message directs the sensor node to reply to the query with the data which U has requested. However, there is no mechanism for the GW-node to be assured that the reply message was initiated from the queried sensor node. Thus, the Das-scheme only provides unilateral authentication between the GW-node and sensor node. There is no mutual authentication between the two nodes.

No Protection against Insider Attacks

Nowadays users use a single common password for accessing different applications or servers. The situation is common practice and this is done for their convenience. It relieves the user from having to remember multiple passwords. Nevertheless, if the system manager or a privileged user of the GW-node obtains the common password of U, he/she may try to impersonate U by accessing other servers where U could be a registered user. In the Das scheme [14,15], U performs registration with the GW-node by presenting a password in plain format. Thus, the Das protocol does not provide sufficient protection against an insider attack on a GW-node by a privileged user.

No Provision for Changing/Updating Passwords

The fixed password is definitely suffered from threats than an updating password. It is a widely recommended security policy, for highly secure applications, that users should update or change their passwords frequently. In the scheme [14,15], there is no provision for a user to easily change his/her password.

No Protection against Forgery Attacks

A legal user of the system can launch a forgery attack against the WSN by eavesdropping and masquerading. A forgery attack can be launched as follows [16]:

A legal user of the system U* can login to the WSN at T and T accurately.

Suppose U* has embedded a synchronized Trojan virus into legal user U’s system.

When U wants to login to the WSN at T and T, U* can eavesdrop on the messages {DID, C, T } and {DID, C, T } between the GW-node and U at T and T. To judge which message is DID or C as follows:

Step 1.U* can obtain the following messages: DID(T) = h(ID || PW)⊕h(x || T) and DID(T) = h(ID || PW)⊕h(x || T).

Step 2. And then U* can forge the dynamic login identity DID*(T) and DID*(T).

DID*(T) = h(ID* || PW*)⊕h(x || T)

DID*(T) = h(ID* || PW*)⊕h(x || T).

U* can use the login phase formula to compute DID(T), where DID(T) is calculated as DID(T) = DID(T)⊕DID*(T)⊕DID*(T) = h(ID‖PW) ⊕ ⊕ ⊕ ⊕ ⊕ h(x‖T)

After U* obtains U’s DID(T), U* sends a new session message {DID(T), C, T} within ΔT timestamp for a new login request. The timestamp T, where T = T, is made by U* for attack on the WSN.

Thus, the GW-node will verify message {DID(T), C, T } from U* with following steps: U*→GW-node:{DID(T), C, T}

Step 1. The GW-node receives {DID(T), C, T} at T* and checks for T* – T < ΔT. The GW-node passes the verification and proceeds to the next step.

(T* – T < ΔT is known and T = T was made arbitrarily by U*)

Step 2. The GW-node calculates h(ID || PW)* = DIDi(T) ⊕ h(x || T) and obtains to pass the verification and proceed to the remaining steps.

Consequently, the Das protocol does not provide sufficient protection against a forgery attack by a legal user.

ECC-Based Authentication Protocol (EAP) for WSN

This section proposes a more efficient authentication mechanism using ECC. First, we review the fundamentals of Elliptic Curves and then survey the Elliptic Curves Cryptography (ECC) which is suitable for our construction of a secured authentication protocol for wireless sensor networks. The proposed five phases will be described later. The overall handshake of the proposed protocol is illustrated in Figure 1. The GW-node, S and user use the h(x||x||x) as a session key with communication handshakes.

Figure 1.

Communication handshakes of the proposed scheme.

ECC Based Authentication Protocol

In 1985 Miller and Kobiltz proposed a secure and efficient elliptic curve cryptosystem (ECC) [17,18]. Because ECC provides a smaller key size than any other cryptosystem, it is suitable for application in smart card and wireless systems.

An elliptic curve is a cubic equation of the form: E: y2 + axy + by = x3 + cx2 + dx + e, where a,b,c, d,e are real numbers. With regard to cryptography, we focus on the finite field of ECC and aim mainly at the prime p of elliptic curve group. The mathematical equation of ECC satisfies the form: E : y2 = (x3 + ax + b) mod p, where (4a3 + 27b2) ≠ 0. Let F denote the finite field of points, where p is a large prime number and containing x, y, a,b elements. The equation points and the point at infinity compose the elliptic curve group over real numbers. We find a large prime number n such that n × P = using the elliptic curve addition algorithm. Here, × denotes an elliptic curve multiplication. The arithmetic of elliptic curve discrete logarithm problem (ECDLP) is given points Q and P, where Q, P∈ F and are both publicly known, determine the random number K, 0 < K < n-1, and compute Q as : Q =K×P is satisfies. It is hard to determine K given Q and P, namely, ECDLP is a complex mathematical problem such that the security is achieved. The analog of Diffie-Hellman key exchange uses elliptic curve characteristics to complete key exchange. The key exchange between U and U can be done as follows [18-20]:

The user U chooses a random integer r as a private key, where r < n and computes the public key Q as: Q = r × P. Then, U sends Q to the user U.

The user U selects a random integer r as a private key, where r < n and computes the public key Q as: Q = r × P.U sends Q to U.

U can compute shared key K = r × Q = r × r × P and U can compute shared key K = r × Q = r × r × P. In this manner we find K = K.

Registration Phase

This phase is invoked whenever user U performs registration with the WSN. Then, U submits {ID, PW} to the GW-node by the secured channel. Then, the GW-node performs the license to U. The following steps are performed to complete this phase:

Step 1: U ⇒ GW-node:{ID, PW}.

U chooses his/her ID and PW password and randomly chooses a large number b for computing PW = h(PW ⊕ b).

Step 2: After receiving the registration request, the GW-node computes K = qs × H(ID) ∈ G, where K is U’s authentication key and G denotes a cyclic addition group of P.

Step 3: GW-node selects a base point P with the order n over E(a, b), where n is a large number for the security considerations. Then, the GW node derives its private/public key pair (q, Q) by computing Q = q × P. (Here × denotes an elliptic curve multiplication).

Step 4: GW node computes B = h(ID⊕PW) and W = h(PW || ID)⊕K.

Step 5: GW-node ⇒ smart card of U :{B, W, h(·), b, H(.), H(.), H(.)}.

GW-node stores {B, W, h(·), H(.), H(.), H(.)} on a smart card and sends the smart card to U over a secure channel. Here H(.), H(.) and H(.) are one-way hash functions, H(.): {0, 1} →G, and .

Step 6: Upon U receiving the smart card, U stores the random number b in the smart card. Such that the smart card contains {B, W, h(·), b, H(.), H(.), H(.)}.

Login Phase

Assume that U enters in order to ask a service from the network, the smart card must perform the following steps to validate the legality of U:

Step 1: U enters his/her ID and PW to login to obtain the message for GW-node request.

Step 2: U computes PW = h(PW⊕b) and B’ = h(ID⊕PW) and checks whether B’ = B. If it holds, U computes Q = h(PW||ID) and K = W⊕Q.

When the login request has been accepted, the user proceeds with the remaining steps:

Step 1: After U obtaining his/her authentication key K, U chooses a random point R = (x , y) ∈ E (a, b), where x and y are x and y coordinating point of R.

Step 2: U computes t1 = H2 (T1), M =R + t × K and at the timestamp T.

Step 3: U→GW-node: {T, ID, M, }.

U sends message Msg(T, ID, M , ) to GW-node.

Verification Phase

After receiving the login request message Msg(T, ID, M, ) at T through the nearest sensor node (S), the GW-node executes the following steps to verify the user U:

Step 1: Compute Q and R’

GW-node performs the following computations to obtain Q = (x, y) and R’ = (x’, y’) of U.

QIDi = H1 (IDi)

t1 = H2 (T1)

R’ = M – qs× t× Q

Step 2: The GW node verifies whether . If it holds, U is authenticated by GW-node.

Step 3: GW-node→ U: {T, M, M} through S.

The GW node chooses a random point R = (x, y) ∈ E (a, b) and computes t2 = H2 (T2), M =R + t× qs× Q, session key k = H (x || x || x) and M = (k + x) × P.

GW-node sends a message Msg(T, M, M) through the public channel in order to respond to the request of S at the timestamp T.

Mutual Authentication Phase

The GW-node sends Msg(T, M, M) to the S and then S sends Msg(ACC-LOGIN) to the GW-node. The steps are described as follows:

Step 1: Compute Q and R’

After receiving Msg(T2, MS, Mk), the S execution obtains the following computation

QIDi = (x, y) and R’ = (x’, y’) of the GW-node.

Q = H (ID)

t2 = H2 (T2)

R’ = M – t2 × K

Step 2: S computes k’ = H (x|| x || x’) and M’= (k’ + x’) × P to verify whether M’ = M. If it holds, GW-node is successfully authenticated by S.

The Password-Changing Phase

When a user U enters an ID and a PW in order to request a password change, the smart card must compute a new value of to the GW-node. After receiving the password change request, the GW-node computes and .

Step 1: GW-node computes and .

Step 2: GW-node stores the new vale on smart card.

The smart card replaces the original values of B, W with the new value , and .

Security and Performance Analysis

Security Analysis

The studies we have referenced in this paper have discussed the security issues of remote user authentication. Below is a summary of those security issues, along with the reasons we believe our proposed ECC protocol can address those issues.

Resistance to insider attack: It is common practice for users to apply the same common password to access different applications. If a privileged insider has knowledge of another user U’s password, it hey may try to impersonate user U to access network applications. Our proposed protocol registers user U using cipher code PW = h(PWi⊕b) over a secure channel. This provides protection against stolen passwords. Thus, our protocol resists insider attacks.

Resistance to masquerade attack: To successfully complete a masquerade attack, an attacker must know U’s password in order to pass verification in the login phase and to be able to interpret the verification message correctly for mutual authentication. An attacker, even a legitimate user U*, cannot masquerade as a different legitimate user U without U’s password for forging the messages sent to the GW-node.

Mutual authentication: Mutual authentication is an important feature for a verification service that is resistant to server spoofing attacks. Our protocol provides a mutual authentication between the user U and the GW-node by using ECC-based public and private keys exchange.

Securely change/update password: There is provision for users to update or change their password in our proposed scheme. Namely, a user can send a new password to the GW-node and then the GW-node computes new value of , and stores them on the smart card.

We recall that the protocol [12-16] of Wong et al. does not provide for mutual authentication, and can be vulnerable to forgery and replay attacks. Besides, the proposal of Watro et al. has security weaknesses against masquerade attacks, and Das’ protocol does not provide mutual authentication with an authenticated procedure using the hash function. Further, the weaknesses of Das’ scheme are that it may suffer from an insider attack and a forgery attack. Chen et al.’s scheme is similar in Das’ scheme, and also has the insider attack problem. Besides, the referenced proposals all fail to provide a secure method for updating user passwords. Table 2 compares our proposed protocol with the other referenced protocols in terms of protection against attacks. When compared against each other, our protocol provides a solution for user authentication that is more secure than the other referenced protocols.

Table 2.

Security comparison among the referenced protocols.

Item	Proposed	Chen et al.’s	Das’	Watro et al.’s	Wong et al.’s
Avoiding insider attack	Yes	No	No	Yes	Yes
Securely change/update password	Yes	No	No	No	No
Avoiding forgery attack	Yes	Yes	No	Yes	No
Mutual authentication	Yes	Yes	No	Yes	No
Avoiding masquerade attack	Yes	Yes	Yes	No	Yes
Avoiding replay attack	Yes	Yes	Yes	Yes	No
Avoiding guessing attack	Yes	Yes	Yes	Yes	Yes

Performance Analysis

For comparing performance between our protocol and related protocols, we estimate the computation costs. In the definition of computation costs, we define the notation th as the hash computation time, tPA as the elliptic curve point addition computation time, tPM as the elliptic curve point multiplication computation time, tE as the elliptic curve polynomial computation time, tPR as the private key computation time, and tPU as the public key computation time. Note that the computation costs of tPU and tPR are considerably higher than th (tPU ≫ th and tPR ≫ th) because tPU and tPR usually need polynomial computation cost to obtain the public and private keys. Obviously, tE, tPA, tPM calculates a cubic equation at most and th calculates a linear equation or quadratic equation at most. The comparison of related protocols is illustrated in Table 3.

Table 3.

Performance comparison among related protocols.

	Proposed	Chen et al.	Das	Watro et al.	Wong et al.
Authentication (Verification and Mutual Authentication)	11 th + 4 tPA + 6 tPM + 2 tE	7 th	5th	2th+2tPR+2tPU	4th

When considering the computation cost in the authentication phase (which includes the verification and mutual authentication phases), our protocol requires only 11 th + 4 tPA + 6 tPM + 2 tE. That is, our protocol needs one point addition operation, four point multiplication operations and one polynomial operation in ECC. However, Watro et al.’s protocol needs two hash functions and four polynomial computations for private key and public key computation. It uses complex RSA and Diffie-Hellman algorithms for user authentication. The polynomial computation time calculates a prime exponential function which is considerably higher than cubic equation [12,17]. In addition, Watro et al.’s protocol needs four polynomial computations, for tPR and tPU, are more than the other referenced protocols [12-16]. Besides, our proposed protocol is computed through combination of point addition and point multiplication, point multiplication is defined by repeated addition. Considering the computation costs, ECC can generate smaller key sizes but maintain equivalent levels of security with RSA [18-20]. This is the reason the ECC-based protocol is more practical than Watro et al.’s protocol.

Lastly, when considering the communication cost, the proposed protocol has higher computation cost than other protocols, except for Watro et al.’s protocol. However, the protocol of Das does not provide mutual authentication. The method we propose solves most of the Das method problems. Furthermore, although Das’s scheme needs five hash computation operations, Wong’s needs four hash computation operations and Chen et al.’s protocol performs wireless sensor networking using seven th, their protocols suffer from security issues. Our proposed protocol addresses these issues and provides better security than the other related protocols.

Conclusions

In this paper, we have analyzed Das’ scheme for user authentication in WSNs. The Das protocol, which does not provide mutual authentication, is susceptible to insider and forgery attacks. We have also reviewed the protocols of Wong et al., which is vulnerable to forgery and replay attacks, of Watro et al., which is vulnerable to masquerade attacks, and Chen et al.’s protocol, which is susceptible to insider attacks. Additionally, a user cannot change his/her password with the former schemes. Since WSNs needs more efficient methods to perform mutual authentication in an insecure network environment, we use an ECC-based mechanism to accomplish this. The proposed protocol can prevent all the problems of the former schemes and provide mutual authentication to protect inside security and outside security. Furthermore, it not only inherits the merits of ECC-based mechanism but also enhances the WSN authentication with higher security than other protocols. Therefore, the proposed protocol is more suited to WSNs environments.