
An advanced temporal credential-based security scheme with mutual authentication and key agreement for wireless sensor networks.

Chun-Ta Li, Chi-Yao Weng, Cheng-Chi Lee.

Abstract

Wireless sensor networks (WSNs) can be quickly and randomly deployed in any harsh and unattended environment, and only authorized users are allowed to access reliable sensor nodes in WSNs with the aid of gateways (GWNs). Secure authentication models among the users, the sensor nodes and GWN are important research issues for ensuring communication security and data privacy in WSNs. In 2013, Xue et al. proposed a temporal-credential-based mutual authentication and key agreement scheme for WSNs. However, in this paper, we point out that Xue et al.'s scheme cannot resist stolen-verifier, insider, off-line password guessing, lost smart card and many logged-in users attacks, and that these security weaknesses make the scheme inapplicable to practical WSN applications. To tackle these problems, we suggest a simple countermeasure that prevents the proposed attacks while leaving the other merits of Xue et al.'s authentication scheme unchanged.

Year:  2013        PMID: 23887085      PMCID: PMC3812569          DOI: 10.3390/s130809589

Source DB:  PubMed          Journal:  Sensors (Basel)        ISSN: 1424-8220            Impact factor:   3.576


Introduction

Wireless sensor networks are innovative ad hoc networks that include a large number of sensor nodes with resource-constrained characteristics such as limited power, communication and computational capabilities [1-4]. As soon as sensor nodes are massively and randomly deployed in a target field, the basic functions of the gateway node are to collect sensitive data for authorized users [5,6]. In many cases, a WSN may be deployed in hostile environments and malicious intruders may launch possible attacks for disrupting the normal operations of a WSN (such as impersonating a legal user to abuse the network resources, injecting false messages or invalid sensors into the WSN, launching security attacks and so on). Therefore, entity authentication [7-16] plays an important role in WSNs, and logging-in users and deployed sensors should be authenticated as admissible participants by the GWN.

In the recent literature, there are a few works that detail complete secure user authentication schemes for wireless sensor networks with all their different features. In [17] Das proposed an efficient two-factor scheme of user authentication, which is based on easy-to-remember passwords and smart cards. Das' scheme needs only XOR and hashing computations, which reduces the computational complexity and makes it suitable for resource-constrained WSNs. Although Das' scheme enhances system performance, it did not make up for the security weaknesses [18-20]. Das' scheme has later attracted a lot of attention and several two-factor user authentication schemes with mutual authentication and key agreement have been proposed in Li et al. [20], Yeh et al. [21], Das et al. [22], Li et al. [23], and Xue et al. [24]. In [20], Li et al. proposed a secure billing service based on the framework of Das' scheme. In [21], Yeh et al. introduced an ECC-based user authentication scheme for preventing all the security flaws of the previous scheme [25]. However, in [23], Li et al. showed that Yeh et al.'s scheme is insecure against several security attacks and further proposed an improved version of Yeh et al.'s scheme, which covers all the identified weaknesses and is more efficient for practical WSN environments. In [24], Xue et al. suggest a lightweight temporal-credential-based mutual authentication and key agreement scheme that not only provides more functionality features with higher security, but also ensures low costs of computation, communication and storage.

We analyze the security weaknesses of one of the most recent temporal-credential-based authentication schemes for WSNs proposed by Xue et al. [24]. Xue et al. claimed that their authentication scheme is secure against various known attacks with mutual authentication and key agreement and is suitable for resource-constrained WSNs. However, we find that Xue et al.'s authentication scheme still has other security weaknesses such as disclosure of the password and failing to prevent the lost smart card problem and many logged-in users' attacks.

We propose an advanced scheme to prevent the security threats of Xue et al.'s authentication scheme and the phases in our scheme are shown to be efficient in terms of computational complexity and communication overhead. Our advanced scheme provides both mutual authentication and key agreement among the user, GWN and the sensor node in wireless sensor networks. Our three-party authentication scheme can be used to verify users and sensor nodes without revealing their passwords whenever it is deemed to be necessary. A service period feature can be used to revoke users or sensor nodes in a controlled manner and prevent abuse by an authority node GWN. Status-bit and login recording features are efficiently implemented and assist in catching misbehaving attackers trying to abuse network resources. The above-mentioned features are especially useful when non-registered attackers attempt illegal activities such as many logged-in user attacks.

Organization of the Paper

The remainder of the paper is organized as follows: Section 2 reviews Xue et al.'s authentication scheme [24], whose security weaknesses are shown in Section 3. We propose an advanced authentication scheme with higher security in Section 4, whose security and comparisons of related schemes are analyzed in Section 5 and Section 6, respectively. Section 7 concludes the paper.

A Review of Xue et al.'s Temporal-Credential-Based Authentication Scheme

In this section, we review Xue et al.'s temporal-credential-based mutual authentication scheme [24]. This scheme is mainly composed of three phases: registration, login, authentication and key agreement. Moreover, their scheme is composed of three roles: gateway node (GWN), sensor node (S) and user (U). For convenience of description, we summarize the notations used throughout this paper in Table 1.
Table 1. Notations used throughout this paper.

| Symbol | Description |
|---|---|
| Ui | User |
| Sj | Sensor node |
| GWN | Gateway node |
| IDi/PWi | Identity/Password of the user Ui |
| SIDj/PWj | Pre-configured identity/password of the sensor node Sj |
| KGWN_U/KGWN_S | Two private system parameters only known to GWN |
| TCi/TCj | A temporal credential issued by GWN to Ui/Sj |
| TS | The timestamp value |
| KEYij | The shared session key between Ui and Sj |
| TEi | The expiration time of Ui's temporal credential |
| ⊕ | The bitwise exclusive-OR operation |
| H(•) | The one-way hashing function |
| ‖ | The bitwise concatenation operation |

Registration Phase

Before registration of the user U and the sensor node S, each U has a secure password pre-shared with GWN and U's identity ID and hash value of U's password H(PW) are stored in GWN's side. Moreover, each S has a pre-configured password PW and hash value of S's password H(PW) is stored in GWN's side. This phase has two parts for U and S and we review them as follows:

(U-1) U selects ID and computes VI = H(TS1‖H(PW)) and sends {ID, TS1, VI} to GWN via an open and public channel, where TS1 is current timestamp value of U.

(U-2) After receiving the registration request from U, GWN checks if |TS1 – T*| < ΔT, where T* is the current system timestamp of GWN and ΔT is the expected time interval for the transmission delay. If it does not hold, GWN sends REJ message back to U. Otherwise, GWN retrieves its own copy of H(PW) by using the key “ID”, computes VI* = H(TS1‖H(PW)) and checks if VI* = VI. If not, GWN terminates it; otherwise, GWN computes P = H(ID‖TE), TC = H(K‖P‖TE) and PTC = TC⊕H(PW) and personalizes the smart card for U with the parameters: {H(•), ID, H(H(PW)), TE, PTC}.

Before deployment of sensor nodes in a target field, each S performs the following steps for registration:

(S-1) S computes VI = H(TS2‖H(PW)) and sends {SID, TS2} to GWN via an open and public channel, where TS2 is current timestamp value of S.

(S-2) After receiving the message from S, GWN checks if |TS – T*| < ΔT, where T* is the current system timestamp of GWN and ΔT is the expected time interval for the transmission delay. If it does not hold, GWN sends REJ message back to S. Otherwise, GWN retrieves its own copy of H(PW) by using the key “SID”, computes VI* = H(TS2‖H(PW)) and checks if VI* = VI. If not, GWN terminates it; otherwise, GWN computes TC = H(K‖SID) and REG = H(H(PW)‖TS3)⊕TC and sends {TS3, REG} to S.

(S-3) After receiving the message from GWN, S checks if |TS3 – T*| < ΔT, where T* is the current timestamp value of S. If not, S terminates it; otherwise, S computes its temporal credential TC = REG⊕H(H(PW)‖TS3) and stores it.

Login Phase

If the user U wants to access sensor data from the wireless sensor network, U inserts a smart card into a terminal and enters ID and PW. The terminal computes H(H(PW)) and checks the validity of ID and PW with the stored ID and H(H(PW)). If not, the smart card terminates this login request. Otherwise, U passes the verification and he/she can read the information stored in the smart card. U computes TC = PTC⊕H(PW).

(A-1) U computes DID = ID⊕H(TC‖TS4), C = H(H(ID‖TS4)⊕TC) and PKS = K⊕H(TC‖TS4‖“000”) and sends the mutual authentication message {DID, C, PKS, TS4, TE, P} to GWN, where TS4 is current timestamp value of U, K is a random key only known to U and the binary number “000” is used for distinguishing H(TC‖TS4‖“000”) and H(TC‖TS4).

(A-2) After receiving the message from U, GWN checks the validity of TS4. If TS4 is valid for the transmission delay, GWN computes ID = DID⊕H(H(K‖P‖TE)‖TS4), P* = H(ID‖TE), TC = H(K‖P‖TE) and C* = H(H(ID*‖TS4)⊕TC) and verifies whether C* ≠ C or P* ≠ P. If it holds, GWN rejects U's login request; otherwise, GWN computes K = PKS⊕H(TC‖TS4‖“000”) and chooses a nearby suitable sensor node S as the accessed sensor node. GWN further computes S's temporal credential TC = H(K‖SID), DID = ID⊕H(DID‖TC‖TS5), C = H(ID‖TC‖TS5) and PKS = K⊕H(TC‖TS5) and sends {TS5, DID, DID, C, PKS} to S, where TS5 is current timestamp value of GWN.

(A-3) After receiving the message from GWN, S checks the validity of TS5. If TS5 is valid for the transmission delay, S computes ID = DID⊕H(DID‖TC‖TS5) and and checks if . If not, S terminates this session. Else, S is convinced that the received message is from a legitimate GWN. Moreover, S computes K = PKS⊕H(TC‖TS5), C = H(K‖ID‖SID‖TS6) and PKS = K⊕H(K‖TS6) and sends {SID, TS6, C, PKS} to U and GWN, where K is a random key chosen by S.

(A-4) After receiving the message from S, U and GWN separately compute K = PKS⊕H(K‖TS6) and C* = H(K‖ID‖SID‖TS6). For GWN, if C* = C, S is authenticated by GWN. For the user U, if C* = C, S and GWN are authenticated by U. Finally, U and S can separately compute a common session key KEY = H(K⊕K) and U and S will use KEY for securing communications in future.

Security Analysis on Xue et al.'s Scheme

Xue et al. claimed that their authentication scheme is robust and secure against insider, password guessing and stolen smart card attacks. In fact, based on our security analysis, we observe that Xue et al.'s temporal-credential based scheme is insecure against these security requirements. The details of our attacks are as follows.

Stolen Verifier and Insider Attack

In Xue et al.'s scheme, GWN needs to maintain the verifier table and it stores each U's identity ID and hash value of U's password H(PW) in GWN's side. In a practical environment, the PW chosen by U could be short and easily human memorizable, which might be convenient for U to remember easily, and in practice many users use the same identities and passwords to access various online applications or remote servers for their convenience. Thus, we assume that an attacker U may steal the password-verifier from GWN's database and launch off-line guessing attacks on it to obtain U's real password PW. The details of the stolen verifier attack are as follows.

Step 1: U steals verifier table from GWN's database and retrieves the hash value of U's password H(PW).

Step 2: U guesses a password PW* and computes H(PW*).

Step 3: U compares the result of H(PW*) with stolen H(PW).

A match in Step 3 above indicates the correct guessing of U's easy-to-remember password and Xue et al.'s authentication scheme then cannot resist the stolen verifier attack. Moreover, if a privileged insider of GWN knows U's password PW, he/she may try to use the knowledge of U's PW and ID to access other applications or servers.

Off-Line Password Guessing Attack

In step (U-1) of registration phase of Xue et al.'s scheme, U sends {ID, TS1, VI} to GWN via an open and public environment, where TS1 is current timestamp value of U and VI = H(TS1‖H(PW)). If an attacker U eavesdrops U's registration message {ID, TS1, VI}, U can launch the off-line password guessing attack by performing the following steps:

Step 1: U guesses a password PW* and computes VI* = H(TS1‖H(PW*)).

Step 2: U compares the result of VI* with eavesdropped VI.

A match in Step 2 above indicates the correct guessing of U's easy-to-remember password and Xue et al.'s authentication scheme suffers from off-line password guessing attack in user side.

On the other hand, in step (S-1) of registration phase, S sends {SID, TS2, VI} to GWN via an open and public environment, where TS2 is the current timestamp value of S and VI = H(TS2‖H(PW)). If an attacker U eavesdrops S's registration message {SID, TS2, VI}, U can launch an off-line password guessing attack by performing the following steps:

Step 1: U guesses a password PW* and computes VI* = H(TS2‖H(PW*)).

Step 2: U compares the result of VI* with eavesdropped VI.

A match in Step 2 above indicates the correct guessing of S's password and Xue et al.'s authentication scheme is then open to an off-line password guessing attack on the sensor side. Moreover, once U has successfully guessed S's random password, U can use PW* and the eavesdropped message in step (S-2) of the registration phase to derive S's temporal credential TC by computing TC = REG⊕H(H(PW*)‖TS3) = H(K‖SID). Finally, Xue et al.'s scheme may suffer from masquerading attacks and an attacker U who knows TC can easily impersonate the sensor node S.

Lost Smart Card Problem

Let us consider the scenario of a lost smart card problem. In the case where U's smart card is lost and it is picked up by an attacker U, the stored parameters can be extracted by launching a power analysis attack [22]. As we know, the content of U's smart card is {H(•), ID, H(H(PW)), TE, PTC}. With this information, U can launch another off-line password guessing attack by performing the following steps:

Step 1: U guesses a password PW* and computes H(H(PW*)).

Step 2: U compares the result of H(H(PW*)) with extracted H(H(PW)).

If Step 2 holds, the guessed password PW* is the same as U's real password PW. Otherwise, U tries another password. Once U successfully guesses U's real password, U can use PW* and the content of U's smart card to derive U's temporal credential TC by computing TC = PTC⊕H(PW*) = H(K‖P‖TE). Thus, Xue et al.'s scheme may suffer from masquerading attacks and an attacker U who knows TC can easily impersonate a legal user U to log in to the gateway node and GWN is not aware of having caused any problem.

Many Logged-in Users' Problem

The many logged-in users attack [26,27] means that if a registered user U's smart card is massively duplicated and his/her identity ID and password PW are exposed to m non-registered users U, where a = 1, 2, …, m. Each one who has a smart card and knows ID and PW can log in to GWN at the same time and GWN is not aware of having caused any problem. In Xue et al.'s scheme, each non-registered user U generates his/her timestamp TS and random key K and sends a legal login message {DID, C, PKS, TS, TE, P} to GWN, where DID = ID⊕H(TC‖TS), C = H(H(ID‖TS)⊕TC) and PKS = K⊕H(TC‖TS‖“000”). After receiving all the login requests from U, GWN gets the same identity ID with different timestamps TS and random keys K and GWN allows them to log in and access U's account simultaneously.

Advanced Authentication Scheme

In this section, we propose an advanced scheme with strong security. Our advanced scheme consists of four phases, namely pre-registration phase, registration phase, login phase, authentication and key agreement phase. The details of each of these phases are as follows.

Pre-Registration Phase

Before registration of the user U and the sensor node S, each U has a pre-configured pair of identity and password with GWN and the unique parameter and are kept by GWN to check the validity of registration user. Moreover, each S has a pre-configured identity SID and a 160-bit random number r and the hash value of S's pre-configured identity and random number H(SID‖r) and SID are stored on the GWN's side. This phase has two parts for U and S and the details will be described as follows:

(U-1) U selects his/her own ID and password PW. Then U computes , , and sends { , TS1, VI, CI, DI} to GWN via an open and public channel, where TS1 is current timestamp value of U and r is a random number generated by U.

(U-2) After receiving the registration request from U, GWN checks if |TS1 – T*| < ΔT, where T* is the current system timestamp of GWN and ΔT is the expected time interval for the transmission delay. If it does not hold, GWN sends REJ message back to U. Otherwise, GWN retrieves its own copy of by using the parameter “ ”, computes and checks if VI* = VI. If not, GWN terminates it; otherwise, GWN computes Q = CI⊕H(ID‖PW) = H(ID‖PW‖r), ID = DI⊕H(ID‖PW), P = H(ID‖TE), TC = H(K‖P‖TE) and PTC = TC⊕Q and personalizes the smart card for U with the parameters: {H(•), H(Q), TE, PTC}. Note that GWN maintains a write-protected file as depicted in Table 2, where the Status-bit indicates the status of the user, i.e., when U is logged-in to GWN, the status-bit is set to one, otherwise it is set to zero. Finally, GWN sends H(Q) and smart card to U via a public and open environment.
Table 2. The identity table of GWN after finishing the registration phase.

| User Identity | Password-Verifier | Status-Bit | Last Login | Service Period |
|---|---|---|---|---|
| IDi | Qi | 0/1 | N/A | TEi |

(U-3) After receiving H(Q) and smart card from GWN, U checks whether the computed H(H(ID‖PW‖r)) is equal to H(Q). If they are not equal, U aborts this session and the smart card. Otherwise, GWN is authenticated by U. U enters r into his/her smart card and U's smart card contains {H(•), H(Q), TE, PTC, r}. Note that U does not need to remember r after finishing this phase. The communication handshakes of the registration phase of the user U are depicted in Figure 1.
Figure 1. Communication handshakes of the registration phase of the user U.

Before deployment of sensor nodes in a target field, each S performs the following steps for registration.

(S-1) S computes VI = H(TS2‖H(SID‖r)) and sends {SID, TS2, VI} to GWN via an open and public channel, where TS2 is current timestamp value of S.

(S-2) After receiving the message from S, GWN checks if |TS2 – T*| < ΔT, where T* is the current system timestamp of GWN and ΔT is the expected time interval for the transmission delay. If it does not hold, GWN sends REJ message back to S. Otherwise, GWN retrieves its own copy of H(SID‖r) by using the key “SID”, computes VI* = H(TS2‖H(SID‖r)) and checks if VI* = VI. If not, GWN terminates it; otherwise, GWN computes TC = H(K‖SID), Q = H(TS3‖H(SID‖r)) and REG = H(H(SID‖r)‖TS3)⊕TC and sends {TS3, Q, REG} to S.

(S-3) After receiving the message from GWN, S checks if |TS3 – T*| < ΔT, where T* is the current timestamp value of S. If not, S terminates it. Otherwise, S checks whether the computed H(TS3‖H(SID‖r)) is equal to Q. If they are equal, S computes its temporal credential TC = REG⊕H(H(SID‖r)‖TS3) and stores it. Note that S does not need to store r after finishing the phase. The communication handshakes of the registration phase of sensor node S are depicted in Figure 2.
Figure 2. Communication handshakes of the registration phase of sensor node S.
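
The sensor registration handshake (S-1) to (S-3) above, written out with both sides' messages as an added example; it is not code from the paper. It assumes SHA-256 for H(•), 8-byte big-endian timestamps, ΔT = 5 seconds, and that the K in TC = H(K‖SID) is GWN's private parameter KGWN_S from Table 1; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

DELTA_T = 5  # assumed acceptance window in seconds (the paper's ΔT)

def H(*parts: bytes) -> bytes:
    """H(.) over the concatenation (‖) of its inputs; SHA-256 is an assumption."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ts_bytes(ts: int) -> bytes:
    return ts.to_bytes(8, "big")  # assumed fixed-width timestamp encoding

def fresh(ts: int, now: int) -> bool:
    return abs(ts - now) < DELTA_T  # |TS - T*| < ΔT

class Gateway:
    def __init__(self, k_gwn_s: bytes):
        self._k = k_gwn_s          # private system parameter (assumed to be KGWN_S)
        self._preconfigured = {}   # SID -> H(SID‖r), stored before deployment

    def preconfigure(self, sid: bytes, r: bytes) -> None:
        self._preconfigured[sid] = H(sid, r)

    def credential_for(self, sid: bytes) -> bytes:
        return H(self._k, sid)     # TC = H(K‖SID)

    def s2_respond(self, sid: bytes, ts2: int, vi: bytes, now: int):
        """(S-2): return {TS3, Q, REG}, or None where the paper sends REJ or terminates."""
        stored = self._preconfigured.get(sid)
        if stored is None or not fresh(ts2, now):
            return None
        if not hmac.compare_digest(vi, H(ts_bytes(ts2), stored)):  # VI* = VI ?
            return None
        ts3 = now
        q = H(ts_bytes(ts3), stored)                                # Q = H(TS3‖H(SID‖r))
        reg = xor(H(stored, ts_bytes(ts3)), self.credential_for(sid))
        return ts3, q, reg

class Sensor:
    def __init__(self, sid: bytes, r: bytes):
        self.sid = sid
        self._r = r     # 160-bit pre-configured random number
        self.tc = None  # temporal credential, set by (S-3)

    def s1_request(self, now: int):
        """(S-1): build {SID, TS2, VI} with VI = H(TS2‖H(SID‖r))."""
        return self.sid, now, H(ts_bytes(now), H(self.sid, self._r))

    def s3_finish(self, ts3: int, q: bytes, reg: bytes, now: int) -> bool:
        """(S-3): check freshness and Q, then recover TC = REG ⊕ H(H(SID‖r)‖TS3)."""
        if self._r is None or not fresh(ts3, now):
            return False
        h_sid_r = H(self.sid, self._r)
        if not hmac.compare_digest(q, H(ts_bytes(ts3), h_sid_r)):
            return False
        self.tc = xor(reg, H(h_sid_r, ts_bytes(ts3)))
        self._r = None  # r is not needed after this phase
        return True

def run_registration() -> bool:
    """Constructed run: both sides must end with the same temporal credential."""
    sid, r = b"SID-0001", secrets.token_bytes(20)  # constructed sample values
    gwn = Gateway(secrets.token_bytes(32))
    gwn.preconfigure(sid, r)
    sensor = Sensor(sid, r)
    now = 1_700_000_000                            # constructed clock value
    reply = gwn.s2_respond(*sensor.s1_request(now), now=now + 1)
    ok = reply is not None and sensor.s3_finish(*reply, now=now + 2)
    return ok and sensor.tc == gwn.credential_for(sid)

if __name__ == "__main__":
    print("registration succeeded:", run_registration())
```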

If the user U wants to access sensor data from the wireless sensor network, U inserts a smart card into a card reader and enters ID and PW. The smart card retrieves r and computes H(H(ID‖PW‖r)); if H(H(ID‖PW‖r)) ≠ H(Q), the smart card terminates this login request. Otherwise, U passes the verification and he/she can read the information stored in the smart card. U computes TC = PTC⊕H(ID‖PW‖r). The details of the login phase are shown in Figure 3.
Figure 3. Illustration of the login phase of our advanced scheme.

(A-1) U computes DID = ID⊕H(TC‖TS4), C = H(H(H(ID‖PW‖r)‖TS4)⊕TC) and PKS = K⊕H(TC‖TS4‖“000”) and H(TC‖TS4).

(A-2) After receiving the message from U, GWN checks the validity of TS4. If TS4 is valid for the transmission delay, GWN computes TC* = H(K‖P‖TE) and ID = DID⊕H(TC*‖TS4) and retrieves U's password-verifier of Q = H(ID‖PW‖r) by using the parameter “ID”. Then, GWN further computes C* = H(H(Q‖TS4)⊕TC) and verifies whether C* = C. If it does not hold, GWN rejects U's login request; otherwise, the status-bit is set to one and TS4 is recorded in the 4th field of the identity table to demonstrate U's last login. GWN computes K = PKS⊕H(TC‖TS4‖“000”) and chooses a nearby suitable sensor node S as the accessed sensor node. GWN further computes S's temporal credential TC = H(K‖SID), DID = ID⊕H(DID‖TC‖TS5), C = H(ID‖TC‖TS5) and PKS = K⊕H(TC‖TS5) and sends {TS5, DID, DID, C, PKS} to S, where TS5 is current timestamp value of GWN.

(A-3) After receiving the message from GWN, S checks the validity of TS5. If TS5 is valid for the transmission delay, S computes ID = DID⊕H(DID‖TC‖TS5) and C* = H(ID‖TC‖TS5) and checks if C* = C. If not, S terminates this session. Else, S is convinced that the received message is from a legitimate GWN. Moreover, S computes K = PKS⊕H(TC‖TS5), C = H(K‖ID‖SID‖TS6) and PKS = K⊕H(K‖TS6) and sends {SID, TS6, C, PKS} to U and GWN.

(A-4) After receiving the message from S, U and GWN separately compute K = PKS⊕H(K‖TS6) and C* = H(K‖ID‖SID‖TS6). For GWN, if C* = C, S is authenticated by GWN. For the user U, if C* = C, S and GWN are authenticated by U. Finally, U and S can separately compute a common session key KEY = H(K⊕K) and U and S will use KEY for securing communications in future.

Authentication and Key Agreement Phase

After finishing the authentication and key agreement phase, the identity table is updated and the content of the identity table is shown in Table 3. The detailed steps of the authentication and key agreement phase are shown in Figure 4.
Table 3. The identity table of GWN after finishing the authentication and key agreement phase.

| User Identity | Password-Verifier | Status-Bit | Last Login | Service Period |
|---|---|---|---|---|
| IDi | Qi | 0/1 | TS4 | TEi |

Figure 4. Illustration of the authentication and key agreement phase of our advanced scheme.

Security Analysis on Our Advanced Authentication Scheme

In this section, for security analysis on our advanced authentication scheme, we use the threat model described in Section 3 and show that our proposed scheme can withstand the following security attacks. Let us consider the following threat scenarios.

Scenario 1: We assume that a privileged-insider of GWN can steal Ui's identity and password verifier from the GWN's identity table.

Scenario 2: We assume that an attacker can eavesdrop Ui's registration message.

Scenario 3: We assume that a legal user's smart card has been stolen or lost and the attacker can extract the secret parameters stored in the smart card.

Scenario 4: We assume that U's identity ID, password PW and login parameters {H(•), H(Q), TE, PTC, r} are leaked to more than one non-registered users.

Resistance to Stolen Verifier and Insider Attacks

In the registration phase of our advanced authentication scheme, U registers to GWN by presenting Q = H(ID‖PW‖r) instead of PW and H(PW). For the threat model in Scenario 1, we assume that a privileged-insider of GWN can steal Ui's identity and password-verifier from GWN's identity table. Note that the value of r is not revealed to GWN and the bit length of |r| is large enough. If SHA-256 is used in our advanced scheme, the attacker may attempt to derive PW and r from password-verifier Q = H(ID‖PW‖r). This is intractable under the assumption of a secure one-way hashing function, and the bit-length of r is 160 bits. Thus, the probability to guess correct r is 1/2. Moreover, the attacker must guess a correct password PW and the probability to guess a correct p character PW is approximately 1/2. Therefore, it is computationally infeasible for the attacker to derive U's password PW and random number r at the same time because the probability is approximately 1/2+. As a result, a privileged-insider still cannot derive U's real password PW by performing off-line password guessing attacks on H(ID‖PW‖r) and our advanced authentication scheme is secure against stolen verifier and insider attacks.
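
A verifier audit that contrasts the values Section 3 identifies as guessable in Xue et al.'s scheme with the password-verifier Q discussed above, as an added example that is not code from the paper. It assumes SHA-256 for H(•); the candidate list, identities, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def H(*parts: bytes) -> bytes:
    """H(.) over the concatenation (‖) of its inputs; SHA-256 is an assumption."""
    return hashlib.sha256(b"".join(parts)).digest()

# Constructed list standing in for short, easily memorizable passwords.
CANDIDATES = [b"123456", b"sensor2013", b"letmein", b"gateway!"]

def audit(observed: bytes, derive) -> "bytes | None":
    """Return the candidate that reproduces an observed value, or None."""
    for candidate in CANDIDATES:
        if hmac.compare_digest(derive(candidate), observed):
            return candidate
    return None

def review_xue(pw: bytes, ts1: bytes) -> dict:
    """Each value below depends on PW alone, so the candidate list can be tested against it."""
    observables = {
        "GWN verifier table, H(PW)": (H(pw), lambda c: H(c)),
        "registration message, VI = H(TS1‖H(PW))": (H(ts1, H(pw)), lambda c: H(ts1, H(c))),
        "smart card, H(H(PW))": (H(H(pw)), lambda c: H(H(c))),
    }
    return {name: audit(value, derive) for name, (value, derive) in observables.items()}

def review_advanced(uid: bytes, pw: bytes, r: bytes) -> dict:
    """GWN stores Q = H(ID‖PW‖r) and never learns the 160-bit r chosen by U."""
    q = H(uid, pw, r)
    # Whoever holds the identity table has ID and Q but not r, so a candidate
    # password cannot be checked against Q.
    return {"GWN identity table, Q = H(ID‖PW‖r)": audit(q, lambda c: H(uid, c))}

if __name__ == "__main__":
    ts1 = (1_700_000_000).to_bytes(8, "big")  # constructed timestamp
    for name, hit in review_xue(b"sensor2013", ts1).items():
        print(f"{name}: {'recovered ' + hit.decode() if hit else 'no match'}")
    for name, hit in review_advanced(b"user-17", b"sensor2013", secrets.token_bytes(20)).items():
        print(f"{name}: {'recovered ' + hit.decode() if hit else 'no match'}")
```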

Resistance to Off-Line Password Guessing Attacks

In step (U-1) of registration phase of our scheme, U sends { , TS1, VI, CI, DI} to GWN via an open and public environment. For the threat model in Scenario 2, if an attacker U eavesdrops U's registration message { , TS1, VI, CI, DI}. First, U cannot derive U's password-verifier H(ID‖PW‖r) from because U does not know U's unique parameter . Second, U's password-verifier H(ID‖PW‖r) is under protection of a one-way hashing function and it is computationally infeasible without knowing U's identity ID, password PW and the random number r. We assume the bit-length of ID is q characters and the probability to guess a correct m character ID approximated to 1/2. Therefore, it is computationally infeasible for the attacker to derive U's identity ID, password PW and random number r at the same time because the probability approximated to 1/2++. On the other hand, in step (S-1) of registration phase of our scheme, S registers to GWN by presenting {SID, TS2, VI = H(TS2‖H(SID‖r))} instead of PW and H(PW). Therefore the attacker cannot launch an off-line guessing attack unless he/she knows the random number r. In this case, a possible off-line password guessing attack on user or sensor side is not working in our advanced scheme.

Resistance to Smart Card Lost Problem

The smart card lost problem is an inherent limitation of remote user authentication schemes. For the threat model in Scenario 3, we assume that U's smart card has been stolen or lost and the attacker U can extract the secret parameters {H(•), H(Q), TE, PTC, r} stored in the smart card. However, in order to log in to GWN by using U's lost or stolen smart card, U needs to guess real identity ID and password PW correctly at the same time. In fact, it is computationally infeasible to guess these two parameters correctly at the same time in polynomial time since ID and PW are well-protected by a one-way hashing function. Therefore, our proposed scheme can withstand this type of attack too.

Resistance to the Many Logged-in Users Problem

For the threat model in Scenario 4, we assume that U's identity ID, password PW and parameters {H(•), H(Q), TE, PTC, r} are leaked to more than one non-registered users. However, the gateway node GWN maintains a status-bit field and a last login field in its identity table. Therefore, of all those who know ID, PW and valid parameters {H(•), H(Q), TE, PTC, r}, no two are allowed to log in to GWN at the same time. Based on the protection of GWN's identity table, the advanced scheme is secure against many logged-in users attacks.
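
One way the identity table of Tables 2 and 3 can gate concurrent logins, as an added example that is not code from the paper. It assumes SHA-256 for H(•), 8-byte timestamps, ΔT = 5 seconds, that the K in TC = H(K‖P‖TE) is KGWN_U from Table 1, that a second login is rejected while the status-bit is one, and that a logout step clears the bit; the paper does not spell out these last two rules, and all names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

DELTA_T = 5  # assumed acceptance window in seconds (the paper's ΔT)

def H(*parts: bytes) -> bytes:
    """H(.) over the concatenation (‖) of its inputs; SHA-256 is an assumption."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ts_bytes(ts: int) -> bytes:
    return ts.to_bytes(8, "big")

def login_proof(q: bytes, tc: bytes, ts4: int) -> bytes:
    """C = H(H(Q‖TS4) ⊕ TC), the value GWN recomputes as C* in step (A-2)."""
    return H(xor(H(q, ts_bytes(ts4)), tc))

@dataclass
class Row:
    q: bytes                          # password-verifier Q = H(ID‖PW‖r)
    te: int                           # service period TE
    status_bit: int = 0               # 1 while the user is logged in
    last_login: Optional[int] = None  # "N/A" until the first login

class GatewayTable:
    def __init__(self, k_gwn_u: bytes):
        self._k = k_gwn_u             # private parameter (assumed to be KGWN_U)
        self._rows = {}

    def register(self, uid: bytes, q: bytes, te: int) -> None:
        self._rows[uid] = Row(q=q, te=te)

    def temporal_credential(self, uid: bytes) -> bytes:
        te = ts_bytes(self._rows[uid].te)
        return H(self._k, H(uid, te), te)  # TC = H(K‖P‖TE) with P = H(ID‖TE)

    def login(self, uid: bytes, c: bytes, ts4: int, now: int) -> str:
        row = self._rows.get(uid)
        if row is None:
            return "reject: unknown identity"
        if abs(ts4 - now) >= DELTA_T:
            return "reject: stale timestamp"
        if ts4 > row.te:                   # assumed use of the service period
            return "reject: service period expired"
        expected = login_proof(row.q, self.temporal_credential(uid), ts4)
        if not hmac.compare_digest(c, expected):
            return "reject: bad proof"
        if row.status_bit == 1:            # assumed rule: one session per identity
            return "reject: already logged in"
        row.status_bit, row.last_login = 1, ts4
        return "accept"

    def logout(self, uid: bytes) -> None:
        self._rows[uid].status_bit = 0     # assumed logout step

def demo_cloned_card() -> list:
    """Two holders of the same leaked credentials log in with different TS4."""
    gwn = GatewayTable(k_gwn_u=b"\x01" * 32)  # constructed key
    uid = b"user-17"                          # constructed identity
    q = H(uid, b"pw", b"\x02" * 20)           # constructed PW and r
    gwn.register(uid, q, te=2_000_000_000)
    tc = gwn.temporal_credential(uid)         # what every card copy recovers as PTC ⊕ Q
    now = 1_700_000_000
    first = gwn.login(uid, login_proof(q, tc, now), now, now + 1)
    second = gwn.login(uid, login_proof(q, tc, now + 2), now + 2, now + 3)
    gwn.logout(uid)
    third = gwn.login(uid, login_proof(q, tc, now + 4), now + 4, now + 5)
    return [first, second, third]

if __name__ == "__main__":
    print(demo_cloned_card())
```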

Comparisons of Related Schemes

In this section, we will analyse the functionality and performance of our advanced scheme and compare it with Xue et al.'s scheme [24] and other related schemes [17,21]. Functionality and performance comparisons of our scheme and other related schemes [17,21,24] are shown in Table 4 and Table 5, respectively. In Table 4, we can see that our advanced scheme not only provides proper password protection and secure service billing, but also prevents many logged-in users attack and other attacks. According to the analysis results reported in [10,24], the time complexity of various operations in terms of TH and TECC are listed in Table 5. We have compared the computational complexity using both formulated results and rough quantitative analysis in Table 5 for different phases: the registration, login and authentication phases of [17,21,24], and our scheme. For example in the test environment (CPU: 2.4 GHz, RAM: 4.0 G), we have run it 100 times to get the average result. TH is about 3,000 times faster than TECC (TH is nearly 0.0002 second on average when using SHA-256 and TECC is nearly 0.6 second on average when using ECC-160). Our advanced scheme, Yeh et al. [21] and Xue et al. [24] all provide the functions of session key agreement and mutual authentication between each two of the user, GWN and the sensor node.
Table 4. Functionality comparisons of our advanced scheme and related schemes.

| Items/Schemes | Das [17] (2009) | Yeh et al. [21] (2011) | Xue et al. [24] (2013) | Our Advanced Scheme |
|---|---|---|---|---|
| Mutual authentication | No | Yes | Yes | Yes |
| Key agreement | No | Yes | Yes | Yes |
| Password protection | No | No | No | Yes |
| Provision of service billing | No | No | Yes | Yes |
| Resistant to stolen verifier attack | Yes | Yes | No | Yes |
| Resistant to insider attack | No | Yes | No | Yes |
| Resistant to lost smart card attack | No | No | No | Yes |
| Resistant to many logged-in users' attack | No | No | No | Yes |

Table 5. Performance comparisons of our advanced scheme and related schemes.

| Participant/Computations | Das [17] (2009) | Yeh et al. [21] (2011) | Xue et al. [24] (2013) | Our Advanced Scheme |
|---|---|---|---|---|
| User (Ui) | 4 TH | 1 TH + 2 TECC | 7 TH | 9 TH |
| Sensor (Sj) | 1 TH | 3 TH + 2 TECC | 5 TH | 6 TH |
| Gateway node (GWN) | 7 TH | 4 TH + 4 TECC | 10 TH | 11 TH |
| Computation costs | 12 TH | 8 TH + 8 TECC | 22 TH | 26 TH |
| Computation time | 0.0024 s | 4.8016 s | 0.0044 s | 0.0052 s |

TH: Time for SHA-256 one-way hashing computation; TECC: Time for ECC-160 encryption/decryption computation; s: Second.

Moreover, our scheme and Xue et al. [24] both provide the service billing function. Our advanced scheme requires 9 TH for the user, 6 TH for the sensor node and 11 TH for GWN. Assume TH = 0.0002 second and TECC = 0.6 second according to our simulation. Compared with the other three schemes, which cannot ensure password protection, all participants in the three phases of our advanced scheme require about 0.0052 seconds in total, which is almost negligible, so our advanced scheme does not add much computational complexity while meeting more functional requirements and preventing more security attacks.

Conclusions

In this paper, we have analyzed the vulnerability and security attacks existing in Xue et al.'s temporal-credential-based mutual authentication scheme and proposed an advanced secure authentication scheme which can satisfy mutual authentication and key agreement between the user, the gateway node and the sensor node. Compared to the existing schemes, our advanced scheme supports extra functionalities such as user password protection and login recording strategy for enhancing the system security. In addition, through the use of lightweight one-way hashing computation, our authentication scheme significantly reduces the implementation cost. Through informal security analysis, we have shown that our proposed scheme has the ability to resist various known attacks, including stolen verifier attacks, insider attacks, lost smart card problems and many logged-in users attack, etc. As a result, extra functionalities are added and its higher security along with low computational cost make our advanced scheme very appropriate for securing wireless sensor networks in practice.
  2 in total

1.  A secured authentication protocol for wireless sensor networks using elliptic curves cryptography.

Authors:  Hsiu-Lien Yeh; Tien-Ho Chen; Pin-Chuan Liu; Tai-Hoo Kim; Hsin-Wen Wei
Journal:  Sensors (Basel)       Date:  2011-05-02       Impact factor: 3.576

2.  Cryptanalysis and security improvements of 'two-factor user authentication in wireless sensor networks'.

Authors:  Muhammad Khurram Khan; Khaled Alghathbar
Journal:  Sensors (Basel)       Date:  2010-03-23       Impact factor: 3.576
