
Security analysis and improvements of two-factor mutual authentication with key agreement in wireless sensor networks.

Jiye Kim, Donghoon Lee, Woongryul Jeon, Youngsook Lee, Dongho Won.

Abstract

User authentication and key management are two important security issues in WSNs (Wireless Sensor Networks). In WSNs, for some applications, the user needs to obtain real-time data directly from sensors and several user authentication schemes have been recently proposed for this case. We found that a two-factor mutual authentication scheme with key agreement in WSNs is vulnerable to gateway node bypassing attacks and user impersonation attacks using secret data stored in sensor nodes or an attacker's own smart card. In this paper, we propose an improved scheme to overcome these security weaknesses by storing secret data in unique ciphertext form in each node. In addition, our proposed scheme should provide not only security, but also efficiency since sensors in a WSN operate with resource constraints such as limited power, computation, and storage space. Therefore, we also analyze the performance of the proposed scheme by comparing its computation and communication costs with those of other schemes.

Year:  2014        PMID: 24721764      PMCID: PMC4029696          DOI: 10.3390/s140406443

Source DB:  PubMed          Journal:  Sensors (Basel)        ISSN: 1424-8220            Impact factor:   3.576


Introduction

A wireless sensor network (WSN) is composed of a number of sensors (tens to thousands) that are deployed to collect data in a target area [1,2]. The number of potential applications for WSNs is increasing in various fields, including environmental monitoring, healthcare, agriculture, manufacturing, military sensing and tracking, and disaster alert [1-5]. The design of a specific WSN is dependent on the given application and the environment under which it operates [1]. In addition, sensors in a WSN operate with resource constraints such as limited power, computation, and storage space [1,3,6-8]. In WSNs, user queries are generally transmitted to the gateway [1,3,8,9]. However, for some applications, the user needs to obtain real-time data directly from sensors [1,3,8,9]. In this case, only legitimate users should be able to access the WSN.

Several schemes for user authentication in WSNs have been proposed recently. Wong et al. [10] proposed a user authentication scheme that uses only one-way hash functions for computation efficiency on sensor nodes [10]. However, Das [3] pointed out that Wong et al.'s scheme does not prevent many logged-in users with the same login-ID threats and stolen-verifier attacks [3]. Das [3] proposed a two-factor user authentication in WSNs using a smart card and a password instead of maintaining a password/verifier table [3]. Other researchers, however, pointed out that Das' scheme still has security flaws. Chen and Shih [11] insisted that Das' scheme does not provide mutual authentication, and proposed a mutual authentication scheme between the user, the gateway, and the sensor node [11]; He et al. [9] said that Das' scheme has security weaknesses against insider attacks and impersonation attacks [9]; and Khan and Alghathbar [4] pointed out that Das' scheme is vulnerable to gateway node bypassing attacks and privileged-insider attacks [4].

In 2012, Vaidya et al. [12] pointed out that the schemes proposed by Das [3], Khan and Alghathbar [4] and Chen and Shih [11] are all insecure against stolen smart card attacks and sensor node impersonation attacks with node capture attacks and do not provide key agreement [12]. Therefore, they proposed a novel two-factor mutual authentication and key agreement scheme to prevent these attacks. In addition, they insisted that computational costs for gateway and sensor nodes in their proposed scheme are not so high. However, we found that their proposed scheme still has security flaws. In this paper, we show that gateway node bypassing attacks and user impersonation attacks are possible in Vaidya et al.'s scheme using secret data stored in a sensor or an attacker's own smart card. Additionally, we propose an improved scheme that eliminates such security weaknesses from Vaidya et al.'s scheme. We verify that the proposed scheme is secure against possible attacks. We also analyze the performance of the proposed scheme by comparing its computation cost and communication cost with those of other schemes.

The remainder of the paper is organized as follows. Section 2 presents a review of Vaidya et al.'s scheme. Section 3 is devoted to analyzing the security of Vaidya et al.'s scheme. Section 4 proposes the improved scheme. Section 5 analyzes the security of the proposed scheme against possible attacks. Section 6 is devoted to analyzing the performance of the proposed scheme and Section 7 concludes this paper.

Review of Vaidya et al.'s Scheme

There are three communication parties in Vaidya et al.'s scheme [12]: a user, a gateway node, and a sensor node. This scheme is composed of four phases: registration phase, login phase, authentication-key agreement phase, and password change phase. We describe each phase in detail in Sections 2.1–2.4, and Table 1 shows the notations used in the remainder of the paper.
Table 1. Notations [12].

| Symbol | Description |
|---|---|
| U_i | i-th user |
| S_j | j-th sensor node |
| GW | Gateway node |
| ID_i | Identity of U_i |
| pw_i | Password of U_i |
| SID_j | Identity of S_j |
| ID_s | Identity of smart card |
| K | Secret key known to only GW |
| X_s | Secret value generated by GW and shared between only GW and S_j |
| h(·) | One-way hash function |
| RN_i | Random nonce of U_i |
| RN_j | Random nonce of S_j |
| ⊕ | XOR operation |
| ∥ | Concatenation operation |
| =?, ≤? | Verification operation |
| K_s | Session key |
| f(x,k) | Pseudo-random function of variable x with key k |
| T_i, T_i′ | Current timestamp of U_i |
| T_G, T_G′ | Current timestamp of GW |
| T_j | Current timestamp of S_j |
| ΔT | The maximum of transmission delay time permitted |
|  | Secure channel |
|  | Insecure channel |

Registration phase begins when the user sends a registration request with his/her identity and a hashed password to the gateway node. Then, the gateway node personalizes a smart card for the user and sends it to him/her as a response to the registration request. In the registration phase, all these communication messages are transmitted in secure channels. Login phase begins when the user inserts his/her smart card into the terminal and inputs his/her identity and password. After the verification of the user's input value, the smart card computes and sends the authentication request to the gateway node. When the gateway node receives the authentication request from the user side, the authentication-key agreement phase begins. The gateway node verifies whether the authentication request comes from a legitimate user. If the verification is successful, the gateway node sends the authentication request to a sensor node which can respond to a request or a query from the user. In this phase, three authentication requests are transmitted. The first request is from the gateway node to the sensor node, the second is from the sensor node to the gateway node, and the final is from the gateway node to the user. As stated, when one party receives an authentication request, the party verifies its validity and sends a new authentication request to the other party. In login phase and authentication-key agreement phase, these request messages are transmitted in insecure channels. If all verifications are passed successfully, the user and the sensor node then share the session key for communication. The password change phase begins whenever the user wants to change his/her password. In the password change phase, the user side does not have to communicate with other parties.

Registration Phase

We describe the registration phase in this subsection. U selects ID and pw, computes H_PW = h(pw), and sends the registration request {ID, H_PW} to GW. Then, GW personalizes a smart card for U and sends it to U. Figure 1 shows the registration phase of Vaidya et al.'s scheme.
Figure 1. Registration phase of Vaidya et al.'s scheme [12].

Meanwhile, SID and a secret value x generated by GW are stored in S before it is deployed into a target field.

Login Phase

The login phase begins when U inserts U's smart card into a terminal and inputs ID and pw. In this phase, U sends the authentication request to GW. Figure 2 illustrates the login phase of Vaidya et al.'s scheme.
Figure 2. Login phase of Vaidya et al.'s scheme [12].

Authentication-Key Agreement Phase

When GW receives the authentication request from U, the authentication-key agreement phase begins. In this phase, U, GW, and S send and receive authentication requests from one another. Figure 3 depicts the authentication-key agreement phase of Vaidya et al.'s scheme. The following describes this process in detail.
Figure 3. Authentication-key agreement phase of Vaidya et al.'s scheme [12].

Password Change Phase

The password change phase proceeds when U changes U's existing password to a new one. In the password change phase, U does not communicate with GW.

Security Analysis of Vaidya et al.'s Scheme

In this section, we analyze the security of Vaidya et al.'s scheme. We found that gateway node bypassing attacks are possible in Vaidya et al.'s scheme if an attacker captures a sensor node and extracts secret values stored in it. Additionally, an attacker can learn the secret values x and h(K) from the attacker's own smart card and use them for user impersonation attacks or gateway node bypassing attacks. In Sections 3.1–3.3, we describe possible attacks in Vaidya et al.'s scheme in detail. We assume that an attacker can eavesdrop on or intercept all messages sent or received between communication parties. We also assume that an attacker can read data stored in a smart card by some means, as in the related works [2,6,13-16]. In addition, note that data stored in sensor nodes are not secure, since an attacker can capture sensor nodes that are deployed in unattended environments and can then extract data from them.

Gateway Node Bypassing Attacks Using Secret Data Stored in a Sensor Node

In Vaidya et al.'s scheme, if an attacker extracts the secret data x from a sensor node, he/she can impersonate GW and communicate with U. These attacks proceed as explained below. U denotes an attacker here.

User Impersonation Attacks Using an Attacker's Own Smart Card

If an attacker U registers with GW, U receives the smart card personalized with U's own identity and password, ID and pw. U can compute x and h(K) using ID, pw, and secret values stored in the smart card. U can impersonate a legitimate user who has registered with GW using x and h(K). In addition, U can also log in with any temporary identity that does not actually exist.

Logging in with Any Temporary Identity

We describe the process where U logs in with any temporary identity that does not actually exist using x and h(K).

Logging in with the Identity of a Legitimate User

We describe when U impersonates a legitimate user U who has registered with GW using x and h(K).

Gateway Node Bypassing Attacks Using an Attacker's Own Smart Card

As discussed in Section 3.2, if an attacker U obtains x and h(K) using data stored in his/her own smart card, he/she can impersonate GW. The following shows the attack process in detail. U denotes an attacker here.

The Proposed Scheme

In this section, we propose an improved scheme that can overcome the security weaknesses presented in Section 3. Vaidya et al.'s scheme is vulnerable to sensor node capture attacks because x is stored in plaintext form in S even though it is a secret value. To make matters worse, x is shared between all sensor nodes in the WSN. Also, in Vaidya et al.'s scheme, an attacker can compute and use x and h(K) for attacks because they are stored in all users' smart cards. Therefore, the main ideas of our proposed scheme are as follows:

When GW personalizes a smart card for U in the registration phase, GW uses Xs = h(H_ID∥x) and h(H_ID∥K) instead of x and h(K) to prevent an attacker from computing x or h(K). Since Xs and h(H_ID∥K) are unique for each user, an attacker cannot reuse them to impersonate a legitimate user.

In the proposed scheme, instead of x is stored in S to prevent an attacker from extracting x from S. Since is unique for each sensor node, we can attenuate the effects of sensor node capture attacks as much as possible.

We describe each phase in detail in Sections 4.1 through 4.4. Before describing the proposed scheme in detail, we present the security requirements for the proposed scheme:

The proposed scheme has to be secure against possible attacks such as replay, password guessing, user impersonation, gateway node bypassing and parallel session attacks.

The proposed scheme has to minimize the damage caused by sensor node capture attacks. The authentication scheme cannot be a perfect solution that blocks sensor node capture attacks completely. Nevertheless, the proposed scheme should attenuate the effects of sensor node capture attacks as much as possible.

We assume an attacker can obtain all data from a smart card. Therefore, our proposed scheme has to be devised considering stolen smart card attacks, lost smart card problems, and attacks that use an attacker's own smart card, as shown in Section 3.

The proposed scheme must be secure against privileged-insider attacks or stolen-verifier attacks.

The proposed scheme has to provide methods for mutual authentication, key agreement between U and S, and password change.

In the registration phase, U selects ID and pw. U computes and sends the registration request {ID, h(pw∥RN)} to the gateway node, where RN is a random nonce. Then, GW personalizes a smart card for U. Figure 4 illustrates the registration phase of the proposed scheme. Meanwhile, SID and are stored in S, where before S is deployed into a target field.

Figure 4. Registration phase of the proposed scheme.

The login phase begins when U inserts U's smart card into a terminal and inputs ID and pw. In this phase, U sends the authentication request to GW. Figure 5 depicts the login phase of the proposed scheme.
Figure 5. Login phase of the proposed scheme.

When GW receives an authentication request from U, the authentication-key agreement phase begins. In this phase, U, GW, and S send and receive authentication requests from one another. Figure 6 shows the authentication-key agreement phase of the proposed scheme. The following describes this process in detail.
Figure 6. Authentication-key agreement phase of the proposed scheme.

The password change phase proceeds when U changes U's existing password to a new one. In the password change phase, U does not have to communicate with GW.
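
The main idea of the proposed scheme, binding the card values to one user as h(H_ID∥x) and h(H_ID∥K) instead of exposing the shared x and h(K), is illustrated by the following added example, which is not code from the paper. SHA-256 stands in for h(·), H_ID is assumed to be h(ID), and the Gateway class, its method names and the accepts check are hypothetical simplifications; the "shared" design models the observation in Section 3 that any card owner can recover the same x and h(K).

```python
import hashlib
import hmac
import secrets


def h(*parts: bytes) -> bytes:
    """h(a ∥ b ∥ ...): SHA-256 over length-prefixed parts (example choice)."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big"))
        digest.update(part)
    return digest.digest()


class Gateway:
    """Hypothetical GW holding the long-term secrets x and K."""

    def __init__(self) -> None:
        self.x = secrets.token_bytes(32)
        self.K = secrets.token_bytes(32)

    def card_secrets_shared(self) -> dict:
        # Weak design: every card owner can recover the same x and h(K).
        return {"x": self.x, "hK": h(self.K)}

    def card_secrets_unique(self, h_id: bytes) -> dict:
        # Proposed design: values bound to one user's H_ID.
        return {"Xs": h(h_id, self.x), "hK_id": h(h_id, self.K)}

    def accepts(self, h_id: bytes, xs: bytes) -> bool:
        # GW recomputes h(H_ID ∥ x) itself and compares in constant time.
        return hmac.compare_digest(h(h_id, self.x), xs)


def compare_designs() -> dict:
    gw = Gateway()
    # Constructed sample identities; H_ID = h(ID) is an assumption here.
    h_id_alice = h(b"alice")
    h_id_mallory = h(b"mallory")

    shared_a = gw.card_secrets_shared()
    shared_m = gw.card_secrets_shared()
    uniq_a = gw.card_secrets_unique(h_id_alice)
    uniq_m = gw.card_secrets_unique(h_id_mallory)

    return {
        # One card's secrets are every card's secrets in the weak design.
        "shared_values_identical": shared_a == shared_m,
        # Per-user binding gives each card different values.
        "unique_values_differ": (uniq_a["Xs"] != uniq_m["Xs"]
                                 and uniq_a["hK_id"] != uniq_m["hK_id"]),
        "own_value_accepted": gw.accepts(h_id_mallory, uniq_m["Xs"]),
        # A value taken from one card does not verify under another H_ID.
        "reuse_for_other_user_rejected": not gw.accepts(h_id_alice, uniq_m["Xs"]),
        # The raw x never appears among the per-user card values.
        "x_not_on_unique_card": gw.x not in uniq_m.values(),
    }


if __name__ == "__main__":
    for name, value in compare_designs().items():
        print(f"{name}: {value}")
```
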

Security Analysis of the Proposed Scheme

This section is devoted to the security analysis of our proposed scheme. We discuss the security of our proposed scheme in terms of the security requirements presented in Section 4. Table 2 shows a security comparison of the proposed scheme.
Table 2. Security comparison of the proposed scheme.

| Security Features | Das' Scheme [3] | Khan and Alghathbar's Scheme [4] | Vaidya et al.'s Scheme [12] | The Proposed Scheme |
|---|---|---|---|---|
| Replay attacks | Yes | Yes | Yes | Yes |
| User impersonation attacks | No | No | No | Yes |
| Gateway node bypassing attacks | No | No | No | Yes |
| Parallel session attacks | No | No | Yes | Yes |
| Password guessing attacks | No | No | Yes | Yes |
| Sensor node capture attacks | No | No | No | Yes |
| Stolen smart card attacks | No | No | Yes | Yes |
| Lost smart card problems | No | No | Yes | Yes |
| Privileged-insider attacks | No | Yes | Yes | Yes |
| Stolen-verifier attacks | Yes | Yes | Yes | Yes |
| Mutual authentication | No | No | Yes | Yes |
| Key agreement | No | No | Yes | Yes |
| Password change phase | No | Yes | Yes | Yes |

(Yes: The scheme resists the attacks or provides the functionality; No: The scheme does not resist the attacks or provide the functionality).

Replay attacks: The proposed scheme resists replay attacks because all authentication requests include current timestamps, such as T of {DID, M−, v, T, H_ID}.

User impersonation attacks and gateway node bypassing attacks: In the proposed scheme, an attacker cannot create valid authentication requests {DID, M−, v, T, H_ID} and {y, w, M−, q, T′} because he/she cannot compute the secret data x and h(K). Therefore, user impersonation attacks and gateway node bypassing attacks are impossible.

Parallel session attacks: The proposed scheme is secure against parallel session attacks because all authentication requests include random nonces such as DID and v of {DID, M−, v, T, H_ID}.

Password guessing attacks: pw cannot be guessed by an attacker because it is only transmitted in values that are concatenated with some secret values and one-way hashed. Even a privileged insider cannot guess U's password from the registration request {ID, H_PW} because RN in H_PW = h(pw∥RN) is an unknown value to him/her.

Sensor node capture attacks: Though an attacker captures a sensor node and obtains secret data SID and from it, the attacker cannot impersonate U, GW, or other sensor nodes. Since is the unique secret data only for S, an attacker cannot compute Xs for U or x for GW. In addition, he/she cannot compute the secret data of other sensor nodes except S.

Stolen smart card attacks and lost smart card problems: Though an attacker extracts ID, H_ID, h(·), A, B, C, and X_PW from U's smart card, he/she cannot compute any secret data h(K) or x for attacks. Therefore, the proposed scheme is secure against stolen smart card attacks or lost smart card problems. In addition, though an attacker extracts ID, H, h(·), A, B, C, and X_PW from his/her own smart card, he/she cannot compute any secret data h(K) or x for attacks. Therefore, the proposed scheme prevents attacks using an attacker's own smart card.

Privileged-insider attacks: The proposed scheme resists privileged-insider attacks because pw is transmitted as a digest of some other secret components.

Stolen-verifier attacks: The proposed scheme is secure against stolen-verifier attacks, since GW does not maintain a verifier table.

Mutual authentication, key agreement, and password change phase: The proposed scheme provides mutual authentication, key agreement between U and S, and password change phase.

Performance Analysis of the Proposed Scheme

Table 3 shows the computation cost comparison of the proposed scheme. Das' scheme [3], Khan and Alghathbar's scheme [4], Vaidya et al.'s scheme [12], and the proposed scheme use only hash and XOR operations. We compare these schemes in terms of the number of hash and XOR operations. The proposed scheme needs seven more hash operations than Vaidya et al.'s [12]. Nevertheless, one of our main concerns is the computation cost of a sensor node rather than that of the entire scheme, because sensor nodes are resource-constrained. The computation cost of S in the proposed scheme is the same as that of Vaidya et al.'s [12]. This means that the computation cost increase of the entire scheme is negligible considering the enhanced security. Meanwhile, with respect to communication cost, the number of messages transmitted in the proposed scheme is four, which is the same as that of Vaidya et al.'s scheme.
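Table 3. Computation cost comparison of the proposed scheme.

| Phases | Party | Das' Scheme [3] | Khan and Alghathbar's Scheme [4] | Vaidya et al.'s Scheme [12] | The Proposed Scheme |
|---|---|---|---|---|---|
| Registration phase | Ui | 0 | 1H | 1H | 2H + 1X |
| | GW | 3H + 1X | 2H + 1X | 4H + 3X | 6H + 3X |
| | Sj | 0 | 0 | 0 | 0 |
| Login phase | Ui | 3H + 1X | 3H + 1X | 6H + 4X | 7H + 5X |
| | GW | 0 | 0 | 0 | 0 |
| | Sj | 0 | 0 | 0 | 0 |
| Authentication and key agreement phase | Ui | 0 | 0 | 1H + 3X | 1H + 4X |
| | GW | 4H + 2X | 5H + 2X | 6H + 6X | 8H + 8X |
| | Sj | 1H | 2H | 2H + 2X | 2H + 2X |
| Password change phase | Ui | - | 3H + 2X | 8H + 6X | 9H + 7X |
| | GW | - | 0 | 0 | 0 |
| | Sj | - | 0 | 0 | 0 |
| Total | | 11H + 4X | 16H + 6X | 28H + 24X | 35H + 30X |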

(H: The number of hash operations; X: The number of XOR operations).

Conclusions

We have proposed an improved mutual authentication and key agreement scheme to overcome the security weaknesses of Vaidya et al.'s scheme. The proposed scheme resists user impersonation attacks and gateway node bypassing attacks using secret data stored in an attacker's own smart card or a sensor. In addition, the proposed scheme prevents possible attacks such as replay attacks, parallel session attacks, password guessing attacks, sensor node capture attacks, stolen smart card attacks, lost smart card problems, privileged-insider attacks, and stolen-verifier attacks. The proposed scheme is also efficient in terms of computation and communication cost considering the limited resources of sensors.