
Efficient and Secure Temporal Credential-Based Authenticated Key Agreement Using Extended Chaotic Maps for Wireless Sensor Networks.

Tian-Fu Lee

Abstract

A secure temporal credential-based authenticated key agreement scheme for Wireless Sensor Networks (WSNs) enables a user, a sensor node and a gateway node to realize mutual authentication using temporal credentials. The user and the sensor node then negotiate a common secret key with the help of the gateway node, and establish a secure and authenticated channel using this common secret key. To increase efficiency, recent temporal credential-based authenticated key agreement schemes for WSNs have been designed to involve few computational operations, such as hash and exclusive-or operations. However, these schemes cannot protect the privacy of users and withstand possible attacks. This work develops a novel temporal credential-based authenticated key agreement scheme for WSNs using extended chaotic maps, in which operations are more efficient than modular exponential computations and scalar multiplications on an elliptic curve. The proposed scheme not only provides higher security and efficiency than related schemes, but also resolves their weaknesses.

Keywords:  authentication; chaotic maps; key agreement; privacy protection; temporal credential; wireless sensor networks

Year:  2015        PMID: 26121612      PMCID: PMC4541817          DOI: 10.3390/s150714960

Source DB:  PubMed          Journal:  Sensors (Basel)        ISSN: 1424-8220            Impact factor:   3.576


1. Introduction

Wireless sensor networks (WSNs) comprise a large number of sensor nodes, and are utilized in many environments, such as dangerous areas in which humans must be medically monitored, military environments in which reconnaissance and communication must be carried out, and others. Owing to their hardware limitations, sensor nodes in WSNs cannot support heavy computation loads, extensive communications or extensive storage. Thus, developing a lightweight and secure authenticated key agreement scheme is very important for WSNs. Temporal credential-based authenticated key agreements enable communicating entities to authenticate each other and to establish a secure and authenticated channel by confirming their temporal credentials. A temporal credential-based authenticated key agreement scheme for WSNs is composed of three classes of entity—users, sensor nodes and a gateway node (GWN)—and has registration, login, authentication and key agreement, and password change phases. In the registration phase, users and sensor nodes register their secret keys with the GWN. Then the GWN issues one temporal credential to each user and sensor node for authentication. In the login, authentication and key agreement phases, the user, the sensor node and the GWN authenticate each other using these temporal credentials. Additionally, the user and each sensor node negotiate a common secret key with the help of the GWN to establish a secure and authenticated channel in the WSN. Finally, the password change phase enables users to update their passwords for increased security [1,2,3,4,5,6,7,8,9]. Recently, Xue et al. [8] presented the concept of temporal credentials and developed a lightweight temporal credential-based authenticated key agreement scheme for WSNs. The scheme of Xue et al. has a lower computational burden, less extensive communication needs and requires less storage than previous approaches, and tries to provide more functionality and higher security [10,11,12,13,14,15,16,17].
Later, Li et al. [9] noted that the scheme of Xue et al. fails to withstand stolen-verifier attacks, password guessing attacks, insider attacks and lost smartcard attacks, and so proposed an advanced temporal credential-based scheme for WSNs as an alternative. However, in the scheme of Li et al., an adversary can derive users' identities, temporal credentials, verification values in the GWN's verifier table and expiration times from revealed messages, allowing the adversary to perform successful impersonation attacks and stolen verifier attacks and to easily discover the hidden identity of the sender of a request message. Moreover, the adversary can derive all previous session keys of users and sensor nodes, and thus access all transmitted secrets. Accordingly, these temporal credential-based schemes for WSNs fail to resist possible attacks and to protect the privacy of users.

1.1. Our Contributions

This work addresses the weaknesses of the scheme of Li et al. and proposes an efficient and secure temporal credential-based authenticated key agreement scheme for WSNs that uses extended chaotic maps, and involves operations that are more efficient than modular exponential computations and scalar multiplications on an elliptic curve [18,19,20]. The proposed scheme protects a user's identity using a temporary secret key of the user and the gateway node, whose security is based on the extended chaotic maps-based Diffie-Hellman problem [21,22,23,24,25,26,27], and reduces the number of parameters concerning each user's identity and password such that an adversary cannot impersonate any user or communicate with the gateway node or the sensor nodes, even if the adversary has stolen the verifier table and obtained the user's private information. Additionally, the ephemeral parameters are randomly selected and independent among executions of the scheme. Thus, the adversary cannot derive any previous session key of the user and the sensor node. The proposed scheme avoids the weaknesses of previous schemes, and has higher security and a lower computational cost.

1.2. Enhanced Chebyshev Polynomial and Extended Chaotic Maps

Recent investigations have demonstrated that cryptosystems that use chaotic map operations are more efficient than those that use modular exponential computations and scalar multiplications on elliptic curves. Additionally, enhanced Chebyshev polynomials exhibit the semi-group property and the commutative property, and they are subject to the discrete logarithm problem and the Diffie-Hellman problem [21,22,23,24,25,26,27], which are described as follows.

1.2.1. Enhanced Chebyshev Polynomial

The enhanced Chebyshev polynomial T(x) is a polynomial in x of degree n, defined by the following recurrence relation: where and p is a large prime number. The enhanced Chebyshev polynomials satisfy the semi-group property and are commutative under composition. Then: holds.

1.2.2. Extended Chaotic Map-Based Discrete Logarithm Problem

Given x, y and p, it is computationally infeasible to find the integer r satisfying:

1.2.3. Extended Chaotic Map-Based Diffie-Hellman Problem

Given T(x), T(x), T(.), x and p, where u, v ≥ 2, x∈(−∞, +∞) and p is a large prime number, it is computationally infeasible to calculate:

1.3. Organization of the Paper

The rest of this paper is organized as follows: Section 2 reviews the temporal credential-based scheme of Li et al. for WSNs and elucidates its weaknesses. Section 3 presents the proposed efficient and secure temporal credential-based authenticated key agreement scheme for WSNs using extended chaotic maps. Section 4 and Section 5 present the results of evaluations of the security and performance of the scheme, respectively. Finally, Section 6 draws conclusions.

2. The Temporal Credential-Based Scheme of Li et al. and Its Weaknesses

This section presents the notation used in this study, briefly reviews the advanced temporal credential-based scheme for wireless sensor networks proposed by Li et al. [9], and finally states its weaknesses. Assume that Ui denotes the i-th user of the WSN; Sj denotes the j-th sensor node; and GWN denotes the gateway node with which Ui and Sj are registered. Table 1 lists the notations which are used throughout this paper.
Table 1. Notation.

IDi, PWi            Identity and password pair of user Ui
SIDj                Pre-configured identity of the sensor node Sj
KGWN_U, KGWN_S      The long-term secret keys known only to GWN
p                   A large prime number
TCRi, TCRj          A temporal credential issued by GWN to Ui / Sj
Ei                  The expiration time of Ui's temporal credential
t1, t2, ..., t6     The timestamp values
Δt                  The expected time interval for the transmission delay
h(.)                A collision-free one-way hash function [28]
A → B: M            A sends message M to B through a common channel
⨁                   The exclusive-or (XOR) operation
M1||M2              Message M1 concatenated with message M2

2.1. Review of the Temporal Credential-Based Scheme of Li et al.

In 2013, Li et al. [9] proposed an advanced temporal credential-based scheme for WSNs, consisting of pre-registration, registration, login, and authentication and key agreement phases, which are described as follows.

2.1.1. Pre-Registration Phase

Each user U has a pair of identity ID and password PW. GWN stores h(ID||PW) and ID in its storage. Similarly, each sensor node S is pre-configured with its identity SID and a random number r and the hash value h(SID||r). Then r and SID are stored in the GWN's storage.

Registration phase for users

U → GWN: {ID, t1, VI, CI, DI}. U selects his/her ID, password PW, and a random number r, computes and sends {ID, t1, VI, CI, DI} to GWN, where VI = h(t1||h(ID||PW)), CI = h(ID||PW) ⨁ h(ID||PW||r), DI = ID ⨁ h(ID||PW) and t1 is the current timestamp.

GWN → U: {h(Q), smartcard}. GWN checks the validity of t1, retrieves h(ID||PW) by using ID, computes VI = h(t1||h(ID||PW)) and checks VI =? VI. Then GWN computes Q = CI ⨁ h(ID||PW) = h(ID||PW||r), DI = ID ⨁ h(ID||PW), P = h(ID||E), TCR = h(K||P||E) and PTC = TCR ⨁ Q, and personalizes the smart card for U with the parameters {h(.), h(Q), E, PTC}. GWN maintains a write-protected file, where the status-bit indicates the status of the user, i.e., when U is logged in to GWN, the status-bit is 1, otherwise it is 0. Finally, GWN sends h(Q) and the smart card to U. U authenticates GWN by checking h(h(ID||PW||r)) =? h(Q) and enters r into his/her smart card. Then the smart card contains {h(.), h(Q), E, PTC, r}.

Registration phase for sensor nodes

S → GWN: {SID, t2, VI}. S computes VI = h(t2||h(SID||r)) and sends {SID, t2, VI} to GWN, where t2 is the current timestamp.

GWN → S: {t3, Q, REG}. GWN checks the validity of t2, retrieves h(SID||r) by using SID, computes VI = h(t2||h(SID||r)), checks VI =? VI, computes TCR = h(K||SID), Q = h(t3||h(SID||r)) and REG = h(h(SID||r)||t3) ⨁ TCR, and sends {t3, Q, REG} to S, where t3 is the current system timestamp. S checks the validity of t3 and h(t3||h(SID||r)) =? Q, computes its temporal credential TCR = REG ⨁ h(h(SID||r)||t3) and stores it.

Login phase

U inserts his/her smart card into a card reader and enters ID and PW. The smart card retrieves r, computes Q' = h(ID||PW||r) and checks h(Q') =? h(Q). If successful, U passes the verification, is allowed to read the information stored in the smart card, and computes TCR = PTC ⨁ Q'.

Authentication and key agreement phase

U → GWN: {DID, C, PKS, t4, E, P}. U computes DID = ID ⨁ h(TCR||t4), C = h(h(ID||PW||r)||t4) ⨁ TCR and PKS = K ⨁ h(TCR||t4||"000"), and sends {DID, C, PKS, t4, E, P} to GWN, where t4 is the current timestamp.

GWN → S: {t5, DID, DID, C, PKS}. GWN checks the validity of t4, computes TCR* = h(K||P||E) and ID = DID ⨁ h(TCR*||t4), and retrieves U's password-verifier Q = h(ID||PW||r) by using ID. Then, GWN further computes C* = h(Q||t4) ⨁ TCR*, verifies C* =? C, sets the status-bit to "1" and records t4 in the 4th field of the identity table. GWN computes K = PKS ⨁ h(TCR*||t4||"000") and chooses a nearby suitable sensor node S as the accessed sensor node. GWN further computes S's temporal credential TCR(K), DID = ID ⨁ h(DID||TCR||t5), C = h(ID||TCR||t5) and PKS = K ⨁ h(TCR||t5), and sends {t5, DID, DID, C, PKS} to S, where t5 is the current timestamp of GWN.

S → GWN, U: {SID, t6, C, PKS}. S checks the validity of t5, computes ID = DID ⨁ h(DID||TCR||t5) and C = h(ID||TCR||t5), and checks C =? C. If unsuccessful, S terminates this session; otherwise, S is convinced that the received message is from the legitimate GWN. Moreover, S computes K = PKS ⨁ h(TCR||t5), C = h(K||ID||SID||t6) and PKS = K ⨁ h(K||t6), and sends {SID, t6, C, PKS} to GWN and U, where t6 is the current timestamp of S.

U and GWN separately compute K = PKS ⨁ h(K||t6) and C* = h(K6). GWN authenticates S by checking C* =? C. U authenticates S and GWN by checking C* =? C. Finally, U and S compute a common session key K = h(K||K) for later securing communications.

2.2. Weaknesses of Temporal Credential-Based Scheme of Li et al.

This subsection elucidates the weaknesses of the temporal credential-based scheme of Li et al., which include vulnerability to impersonation and stolen verifier attacks, and failure to protect the privacy of users.

2.2.1. Vulnerability to Impersonation Attacks

In the registration phase of the scheme of Li et al., since (ID, t1, VI, CI, DI) and (h(.), h(Q), E, PTC) are public, where VI = h(t1||h(ID||PW)), CI = h(ID||PW) ⨁ h(ID||PW||r), DI = ID ⨁ h(ID||PW) and t1 is the current timestamp, an adversary A can obtain the correct PW by repeatedly guessing a password PW and checking VI =? h(t1||h(ID||PW)). Next, the adversary can derive ID, Q (= h(ID||PW||r)) and TCR by computing DI ⨁ h(ID||PW), h(ID||PW) ⨁ CI and PTC ⨁ Q, respectively. A can subsequently impersonate U and compromise U's privacy based on knowledge of (ID, Q, TCR, E). By the following steps, A can successfully impersonate U, be authenticated, and communicate with GWN and S. First, the adversary A retrieves P using E. In the authentication and key agreement phase, A can compute DID = ID ⨁ h(TCR||t4), C = h(h(Q||t4)⨁TCR) and PKS = K ⨁ h(TCR||t4||"000"), where t4 is the current timestamp. Then, A successfully impersonates U and sends {DID, C, PKS, t4, E, P} to GWN. GWN checks t4, computes TCR = h(K||P||E), ID = DID ⨁ h(TCR||t4) and C = h(h(Q||t4)⨁TCR), and verifies C =? C. Then, GWN computes K = PKS ⨁ h(TCR||t4||"000"), TCR = h(K||SID), DID = ID ⨁ h(DID||TCR||t5), C = h(ID||TCR||t5) and PKS = K ⨁ h(TCR||t5), and sends {t5, DID, DID, C, PKS} to S, where t5 is the current timestamp of GWN. S checks t5, computes ID = DID ⨁ h(DID||TCR||t5), C = h(ID||TCR||t5), K = PKS ⨁ h(TCR||t5) and C = h(K||ID||SID||t6), verifies C =? C, and responds by sending {SID, t6, C, PKS} to GWN and A, where PKS = K ⨁ h(K||t6). Finally, A computes K = PKS ⨁ h(K||t6) and shares the common session key K = h(K||K) with S. However, if the password PW is sufficiently long, the credential-based key agreement scheme of Li et al. can resist the impersonation attacks.

2.2.2. Failure to Protect the Privacy of Users

In the scheme of Li et al., upon receiving the request message {DID, C, PKS, t4, E, P} that is sent by U, whose identity is ID, the adversary A easily determines that the request message belongs to U because A has the knowledge of (ID, Q, TCR, E). Thus, the scheme of Li et al. fails to support user anonymity, data unlinkability, or untrackability [29]. Accordingly, the scheme of Li et al. cannot protect the privacy of users.

2.2.3. Vulnerability to Stolen Verifier Attacks

Assume that an adversary A steals the verifier table and obtains (ID, Q, E). The adversary A can derive TCR using PTC ⨁ Q, since (h(.), h(Q), E, PTC) is public in the registration phase:

A → GWN: {DID**, C**, PKS, t4**, E, P}. A randomly selects K**, computes DID** = ID ⨁ h(TCR||t4**), C** = h(Q||t4**) ⨁ TCR and PKS** = K** ⨁ h(TCR||t4**||"000"), where t4** is the current timestamp, and sends {DID**, C**, PKS, t4**, E, P} to GWN.

GWN → S: {t5, DID**, DID, C, PKS}. GWN validates t4**, computes TCR* = h(K||P||E) and ID = DID** ⨁ h(TCR*||t4**), and retrieves Q = h(ID||PW||r). Then, GWN verifies h(Q||t4**) ⨁ TCR* = C**, computes K = PKS ⨁ h(TCR*||t4**||"000"), TCR(K), DID = ID ⨁ h(DID**||TCR||t5), C = h(ID||TCR||t5) and PKS = K ⨁ h(TCR||t5), and sends {t5, DID**, DID, C, PKS} to S, where t5 is the current timestamp of GWN.

S → GWN, U: {SID, t6, C, PKS}. S validates t5. If successful, S computes ID = DID ⨁ h(DID**||TCR||t5) and C* = h(ID||TCR||t5) and checks C* =? C, computes K** = PKS ⨁ h(TCR||t5), C = h(K||ID||SID||t6) and PKS = K ⨁ h(K**||t6), and sends out {SID, t6, C, PKS}.

Upon receiving {SID, t6, C, PKS}, A computes K = PKS ⨁ h(K**||t6) and a common session key K = h(K||K) that is shared with S. Hence, the adversary A can impersonate U, be authenticated, and communicate with GWN and S. Additionally, A has TCR and the messages (PKS, t4) and (PKS, t6), which were previously sent out by user U. A can therefore derive the previous secrets K and K by computing PKS ⨁ h(TCR||t4||"000") and PKS ⨁ h(K||t6), respectively. A can calculate all session keys that have been used by U and S, and thereby derive all transmitted secrets. Therefore, the authenticated key agreement scheme of Li et al. fails to resist stolen verifier attacks.

3. Proposed Temporal Credential-Based Scheme Using Chaotic Maps for WSNs

This section describes the use of chaotic maps in a new temporal credential-based authenticated key agreement scheme for WSNs. The novel scheme does not reveal the user's private parameters in the registration phase, and it protects the user's identity with a temporary secret key of the user and the gateway node. The security of this temporary secret key is based on the extended chaotic map-based Diffie-Hellman problem. The proposed approach also reduces the redundant parameters associated with the user's identity and password, which are stored in the GWN's verifier table, preventing an adversary from impersonating a user and communicating with the gateway node and sensor nodes, even if the adversary has stolen the verifier table and obtained the user's private information. The session key security is based on the extended chaotic map-based Diffie-Hellman problem, so the adversary cannot derive any previous session key of the user and the sensor node. In the proposed scheme, the user does not know which node it can access and communicate with, so GWN must choose a nearby suitable sensor node as the accessed sensor node. The proposed scheme involves parameter generation, pre-registration, registration, login and authentication, and password change phases, which are described below.

3.1. Parameter Generation Phase

The gateway node GWN randomly selects K as its master secret key. GWN computes PK = T(x) mod p, where x is a random number, p is a large prime number and (PK, T(.), x, p) are public parameters.

3.2. Pre-Registration Phase

Each user U has a pre-configured identity ID, which is stored in the GWN's storage. Similarly, each sensor node S is pre-configured with its identity SID and a random number r and the hash value h(SID║r). Then h(SID║r) and SID are stored in the GWN's storage. The pre-configured data is transferred by physical delivery.

3.3. Registration Phase

Registration phase for users

U → GWN: {X0, X1, REG, t1}. U chooses his/her identity ID, password PW, random numbers r and r, and computes K = T(PK) mod p, X0 = T(x) mod p, REG = K ⨁ (ID║ID║h(ID║PW║r)), and X1 = h(K║h(ID║PW║r)║t1), where t1 is the current timestamp. Then U sends {X0, X1, REG, t1} to GWN.

GWN → U: {Y0, Y1}. Upon receiving the registration message from U, GWN checks the validity of t1, computes K = T(X0) mod p and ID║ID║h(ID║PW║r) = REG ⨁ K, and extracts (ID, ID, h(ID║PW║r)). If GWN successfully checks h(K║h(ID║PW║r)║t1) =? X1 and verifies that ID is in GWN's storage and has not been registered, then GWN generates an expiration time E, and computes U's temporal credential TCR = h(K||ID||E), D1 = TCR ⨁ h(ID║PW║r), Y0 = D1 ⨁ h(K║t1) and Y1 = h(D1║K║t1). Then, GWN sends {Y0, Y1} to U. GWN also stores (h(ID), E) in its storage and maintains a status-bit b and a last-login field to indicate the status of the user. If U is logged in to GWN, b = 1; otherwise b = 0. After receiving the response message from GWN, U computes D1 = Y0 ⨁ h(K║t1) and checks h(D1║K║t1) =? Y1. If successful, U inserts (D1, PK, T(.), x, p, h(.), r) into a smart card and finishes the registration.

Registration phase for sensor nodes

S → GWN: {SID, Z0, t2}. S computes REG = h(SID║r) and Z0 = h(REG║t2), and sends {SID, Z0, t2} to GWN, where t2 is the current timestamp.

GWN → S: {SID, Y2, Y3}. Upon receiving {SID, Z0, t2}, GWN checks the validity of t2 and h(REG||t2) =? Z0 and verifies that SID has not been registered. If successful, GWN computes S's temporal credential TCR = h(K║REG), Q = TCR ⨁ REG, Y2 = TCR ⨁ h(t2║REG) and Y3 = h(TCR║REG║t2), stores (SID, Q) in its storage, and sends {SID, Y2, Y3} to S. S computes its temporal credential TCR = Y2 ⨁ h(t2║REG), checks h(TCR║REG║t2) =? Y3, and stores (SID, TCR, REG, T(.), x, p, h(.)) in its storage.

3.4. Login and Authentication Phase

In this phase, as shown in Figure 1, U and GWN authenticate each other by performing the following steps:
Figure 1

The login and authentication phase of the proposed scheme for WSNs.

Step 1. U → GWN: M1 = {DID, X2, X3, t3}. U inserts his/her smart card, inputs ID and PW, computes TCR = D1 ⨁ h(ID║PW║r), generates a random number u, calculates K1 = T(PK) mod p, DID = ID ⨁ K1, X2 = T(x) mod p and X3 = h(ID║K1║TCR║t3), where t3 is the current timestamp, and sends M1 = {DID, X2, X3, t3} to GWN.

Step 2. GWN → S: M2 = {DID, X2, Y4, t4}. Upon receiving M1, GWN checks the validity of t3. If unsuccessful, GWN rejects this service request; otherwise GWN computes K1' = T(X2) mod p and ID' = DID ⨁ K1', retrieves E using h(ID'), computes TCR = h(K||ID'||E), and checks the status-bit and X3 =? h(ID'║K1'║TCR║t3). If unsuccessful, GWN rejects this service request; otherwise GWN updates the status-bit, chooses a nearby and suitable sensor node S as the accessed sensor node, computes K2 = h(Q║t4), DID = ID ⨁ K2 and Y4 = h(Q║ID║X2║t4), where t4 is the current timestamp, and sends M2 = {DID, X2, Y4, t4} to S.

Step 3. S → GWN: M3 = {Z1, Z2, Z3, t5}. Upon receiving M2, S checks the validity of t4. If unsuccessful, S aborts this service request; otherwise S computes Q = TCR ⨁ REG, K2' = h(Q║t4) and ID = DID ⨁ K2', and checks Y4 =? h(Q║ID║X2║t4). If unsuccessful, S aborts this service request; otherwise, S generates a random number v, calculates Z1 = T(x) mod p, sk = T(X2) mod p, Z2 = h(K2'║ID║SID║t5) and Z3 = h(sk║ID║SID║t5), where t5 is the current timestamp, and sends M3 = {Z1, Z2, Z3, t5} to GWN.

Step 4. GWN → U: M4 = {SID, Z1, Z3, t5}. Upon receiving M3, GWN checks the validity of t5. If unsuccessful, GWN rejects this request; otherwise, GWN authenticates S by checking Z2 =? h(K2║ID║SID║t5), and sends M4 = {SID, Z1, Z3, t5} to U.

Step 5. Upon receiving M4, U checks the validity of t5. If unsuccessful, U aborts this request; otherwise, U computes sk' = T(Z1) mod p and authenticates GWN and S by checking Z3 =? h(sk'║ID║SID║t5). Finally, U and S obtain a common session key sk = T(x) mod p for later securing communications.
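The Chebyshev-map operations of Section 1.2 and the five steps of this phase, carried through end to end as an added example; this code is not from the paper and is not an implementation by its author. It assumes the standard enhanced Chebyshev recurrence T_n(x) = 2x*T_{n-1}(x) - T_{n-2}(x) mod p with T_0 = 1 and T_1 = x, takes p = 2^255 - 19 so that field elements, SHA-256 digests (standing in for h) and zero-padded identities are all 32 bytes, and names the private degree behind PK (whose subscript is not visible in the extracted text) s. The function names (chebyshev, semigroup_holds, make_parties, login), the dictionary layout of the three parties and all sample values are constructed for the example. make_parties builds the state the registration phase would leave behind rather than replaying that exchange; login returns the two parties' session keys, or None at the first failed timestamp or authenticator check.

```python
import hashlib
import secrets
import time

# The paper only calls p "a large prime"; 2^255 - 19 is an assumption so every XOR operand is 32 bytes.
P = 2**255 - 19
DELTA_T = 5  # accepted transmission delay in seconds (constructed value)


def chebyshev(n: int, x: int, p: int) -> int:
    """T_n(x) mod p by a (T_k, T_k+1) ladder: O(log n) multiplications instead of n. Assumes the
    standard recurrence, which gives T_2k = 2 T_k^2 - 1 and T_2k+1 = 2 T_k T_k+1 - x."""
    a, b = 1 % p, x % p  # (T_0, T_1)
    for bit in bin(n)[2:]:
        if bit == "1":
            a, b = (2 * a * b - x) % p, (2 * b * b - 1) % p  # (T_k, T_k+1) -> (T_2k+1, T_2k+2)
        else:
            a, b = (2 * a * a - 1) % p, (2 * a * b - x) % p  # (T_k, T_k+1) -> (T_2k, T_2k+1)
    return a


def semigroup_holds(r: int, s: int, x: int, p: int = P) -> bool:
    """T_r(T_s(x)) = T_rs(x) = T_s(T_r(x)) mod p: the commutative property the key agreement uses."""
    lhs = chebyshev(r, chebyshev(s, x, p), p)
    return lhs == chebyshev(r * s, x, p) == chebyshev(s, chebyshev(r, x, p), p)


def h(*parts: bytes) -> bytes:
    """h(a || b || ...) as SHA-256 over the concatenation (the hash choice is an assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes(32, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(a, b))


def fresh(t: int, now: int) -> bool:
    return abs(now - t) <= DELTA_T


def make_parties(x, s, k_u, k_s, pw, r_i, r_j):
    """Constructed post-registration state. s is the private degree behind PK = T_s(x) (the name
    is an assumption); k_u and k_s play K_GWN_U and K_GWN_S."""
    id_u = b"user-001".ljust(32, b"\x00")    # ID_i, zero-padded (constructed)
    sid_j = b"sensor-07".ljust(32, b"\x00")  # SID_j (constructed)
    e_i = b"2016-12-31"                      # E_i, expiration time (constructed)
    pk = chebyshev(s, x, P)                  # PK = T_s(x) mod p, public
    tcr_i = h(k_u, id_u, e_i)                # TCR_i = h(K_GWN_U || ID_i || E_i)
    reg_j = h(sid_j, r_j)                    # REG_j = h(SID_j || r_j)
    tcr_j = h(k_s, reg_j)                    # TCR_j = h(K_GWN_S || REG_j)
    user = {"id": id_u, "pw": pw, "r": r_i, "d1": xor(tcr_i, h(id_u, pw, r_i)), "pk": pk, "x": x}
    gwn = {"s": s, "k_u": k_u, "users": {h(id_u): e_i}, "sensors": {sid_j: xor(tcr_j, reg_j)}}
    sensor = {"sid": sid_j, "tcr": tcr_j, "reg": reg_j, "x": x}
    return user, gwn, sensor


def login(user, gwn, sensor, now=None):
    """Steps 1-5 of the login and authentication phase; (sk_user, sk_sensor) or None on any failed check."""
    now = int(time.time()) if now is None else now
    # Step 1, U -> GWN: M1 = {DID, X2, X3, t3}
    tcr_i = xor(user["d1"], h(user["id"], user["pw"], user["r"]))  # TCR_i = D1 xor h(ID||PW||r)
    u = secrets.randbelow(P - 2) + 2
    k1 = i2b(chebyshev(u, user["pk"], P))                           # K1 = T_u(PK) mod p
    t3 = now
    m1 = {"DID": xor(user["id"], k1), "X2": chebyshev(u, user["x"], P),
          "X3": h(user["id"], k1, tcr_i, i2b(t3)), "t3": t3}
    # Step 2, GWN -> S: M2 = {DID_j, X2, Y4, t4}; a wrong password is caught here (X3 mismatch)
    k1p = i2b(chebyshev(gwn["s"], m1["X2"], P))  # K1' = T_s(T_u(x)) = K1 by the semigroup property
    id_p = xor(m1["DID"], k1p)                    # ID' = DID xor K1'
    e_i = gwn["users"].get(h(id_p))               # E_i is looked up through h(ID')
    if not fresh(m1["t3"], now) or e_i is None or \
            m1["X3"] != h(id_p, k1p, h(gwn["k_u"], id_p, e_i), i2b(m1["t3"])):
        return None
    t4 = now
    q_j = gwn["sensors"][sensor["sid"]]           # GWN chooses the nearby sensor S_j and loads Q_j
    k2 = h(q_j, i2b(t4))
    m2 = {"DIDj": xor(id_p, k2), "X2": m1["X2"], "Y4": h(q_j, id_p, i2b(m1["X2"]), i2b(t4)), "t4": t4}
    # Step 3, S -> GWN: M3 = {Z1, Z2, Z3, t5}
    q = xor(sensor["tcr"], sensor["reg"])         # Q_j = TCR_j xor REG_j
    k2p = h(q, i2b(m2["t4"]))
    id_s = xor(m2["DIDj"], k2p)
    if not fresh(m2["t4"], now) or m2["Y4"] != h(q, id_s, i2b(m2["X2"]), i2b(m2["t4"])):
        return None
    v, t5 = secrets.randbelow(P - 2) + 2, now
    z1, sk_s = chebyshev(v, sensor["x"], P), chebyshev(v, m2["X2"], P)  # Z1 = T_v(x), sk = T_v(X2)
    m3 = {"Z1": z1, "Z2": h(k2p, id_s, sensor["sid"], i2b(t5)),
          "Z3": h(i2b(sk_s), id_s, sensor["sid"], i2b(t5)), "t5": t5}
    # Step 4, GWN -> U: M4 = {SID, Z1, Z3, t5}, after authenticating S through Z2
    if not fresh(m3["t5"], now) or m3["Z2"] != h(k2, id_p, sensor["sid"], i2b(m3["t5"])):
        return None
    m4 = {"SID": sensor["sid"], "Z1": m3["Z1"], "Z3": m3["Z3"], "t5": m3["t5"]}
    # Step 5, U: sk' = T_u(Z1) = T_uv(x); Z3 authenticates GWN and S
    sk_u = chebyshev(u, m4["Z1"], P)
    if not fresh(m4["t5"], now) or m4["Z3"] != h(i2b(sk_u), user["id"], m4["SID"], i2b(m4["t5"])):
        return None
    return sk_u, sk_s
```

Calling login(*make_parties(x=12345, s=..., k_u=..., k_s=..., pw=..., r_i=..., r_j=...)) with the registered password returns two equal keys, because T_u(T_v(x)) = T_v(T_u(x)) = T_uv(x) mod p; with a wrong password it returns None from Step 2, which is the failed login that the GWN detects. The ladder in chebyshev is one pass over the bits of the degree, the same shape as square-and-multiply, which is what makes degrees of 255 bits usable; evaluating the recurrence n times would not be.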

3.5. Password Change Phase

A user U changes his/her password by performing the following steps: U inserts his/her smart card and inputs his/her identity ID, old password PW, and a new password PW'. The smart card computes Q = h(ID║PW║r), Q' = h(ID║PW'║r) and D1' = D1 ⨁ Q ⨁ Q'. Then the smart card replaces D1 with D1'.

4. Security Analyses

This section analyzes the security of the proposed authenticated key agreement scheme, which provides mutual authentication, session key security and privacy protection for users, and resists potential attacks, including privileged insider attacks, password guessing attacks, impersonation attacks, stolen verifier attacks and many-logged-in-users attacks. The details are described below.

4.1. Communication Model

4.1.1. Communicating Participants

The proposed scheme involves a user U, a sensor node S, and a gateway node GWN. U and S authenticate each other and establish a common session key sk with the help of the GWN. A participant may be involved in several instances, called oracles, of distinct concurrent executions of the proposed scheme P. The instance m of participant V is denoted as Π.

4.1.2. Oracle Queries

Oracle queries model the capabilities of adversary A, and are described below:

Send(Π, M): This query models the capacity of an adversary A to control all communications in P. A sends a message M to oracle Π; then Π sends back a response message using P. A can initiate the execution of P by sending a query Send(Π, "start") to a user oracle Π.

Corrupt(V): This query models the perfect forward secrecy of P, meaning that a compromised long-lived key does not endanger previous session keys. The adversary A sends a Corrupt query to a participant V, and V's long-lived key is returned.

Hash(M): This query models adversary A's reception of hash results by sending queries to a random oracle Ω. Upon receiving a query, Ω checks whether a record (M, r) has been queried and recorded in the H-table. If (M, r) is in the H-table, then Ω replies r to A; otherwise it returns a nonce r', and keeps (M, r') in the H-table.

Reveal(Π): This query models the known key security of P: a compromised session key does not reveal other session keys. It is only available if oracle Π has accepted.

Test(Π): This query models session key security, i.e., the indistinguishability of the real session key from a random string. During the execution of scheme P, adversary A sends queries to the oracle, including a single Test query at any time. Then, Π flips an unbiased coin c. If c equals 1, then Π returns the real session key sk; otherwise, it returns a random string to A. Π and Π directly exchange message flows and only Π and Π have the same session key sk. Π or Π has accepted a session key sk, and Π and Π have not been sent a Reveal query.

4.2. Security Definitions

4.2.3. Session Key Security (AKE Security):

This definition allows an adversary to generate many Test queries. If a Test query is generated concerning a client instance that has not accepted, then the invalid symbol ⊥ is returned. If a Test query is generated concerning an instance of an honest participant whose intended partner is dishonest, or an instance of a dishonest participant, then the Test oracle replies with the real session key. Otherwise, the reply to the Test query provides either the real session key or a random string, as determined by flipping an unbiased coin c. The adversary seeks to correctly guess the value of the hidden bit c that is used by the Test oracle. The ake-advantage of the event that an adversary violates the indistinguishability of scheme P is denoted as Adv(A). The scheme P is AKE-secure if Adv(A) is negligible [30,31,32].

4.2.4. Mutual Authentication (MA Security)

In the execution of P, the adversary A violates mutual authentication if A can fake the authenticator. The probability of this event is denoted by Adv(A). The scheme P is MA-secure if Adv(A) is negligible [33].

4.3. Providing Session Key Security (AKE Security)

The following lemma describes the Difference Lemma, which is used within our sequence of games [34].

Lemma 1 (Difference Lemma). Let A, B and F be events defined in some probability distribution, and suppose that A∧¬F⟺ B∧¬F. Then |

The following theorem shows that the proposed scheme involving U.

Theorem 1. Let Adv within time t' and t' ≤ t +4(q+q)τ, where q

Proof of Theorem 1. Each game G defines the probability of the event E that the adversary wins this game. The first game G0 is the real attack against the proposed scheme and the final game G2 concludes that the adversary has a negligible advantage in breaking the AKE security of the proposed scheme.

Game G0: This game corresponds to the real attack. By definition, we have

Game G1: This game simulates all oracles as in the previous game except for modifying the simulation of the queries referring to the flows containing T(x) mod p and T(x) mod p of the proposed scheme, and the simulation of the Test(Π) oracle, to avoid relying on the knowledge of u, v and w used to compute the answers to these queries. Assume that (X, Y, Z) = (T(x) mod p, T(x) mod p, T(x) mod p) is a random extended chaotic map-based Diffie-Hellman triple. A simulator Σ simulates the oracles for all sessions by using this triple (X, Y, Z) and the classical random self-reducibility of the extended chaotic map-based Diffie-Hellman problem. Next, Σ sets up all parameters and secret keys of the scheme, picks a random number m ∈ [1, q] and answers the oracle queries according to the proposed scheme. Σ thus can correctly return the Test queries. Additionally, the random variables in G0 are replaced by other random variables in G1. Then we have that G0 and G1 are equivalent, and thus: Pr[

Game G2: This game simulates all oracles as in the previous game except that all rules are computed using a triple (X, Y, Z) from a random distribution (T(x) mod p, T(x) mod p, T(x) mod p), instead of an extended chaotic map-based Diffie-Hellman triple. Let a challenger Aecmdh try to violate the indistinguishability of the extended chaotic map-based Diffie-Hellman problem, and let an adversary Aake be constructed to break the session key security. Aecmdh returns the real session key sk (if c = 1) or a random string (otherwise) to Aake by flipping an unbiased coin c ∈ {0,1}. Then Aake wins the game if its output bit c' equals c. Aecmdh is asked Send, Corrupt or Test queries, and returns the responses by using the previous experiment except for (X, Y, Z), which it had received as input. If Aake outputs c, then Aecmdh outputs 1; otherwise, Aecmdh outputs 0. If (X, Y, Z) is a real extended chaotic map-based Diffie-Hellman triple, then Aecmdh runs Aake in G1 and thus the probability of the event that Aecmdh outputs 1 equals the probability of E1. If (X, Y, Z) is a random triple, Aecmdh runs Aake in G2 and thus the probability of the event that Aecmdh outputs 1 equals the probability of E2. Therefore, we have: |Pr[

Since the coin bit c and all session keys are random and independent, we have Pr[

By combining Equations (5)–(8) and using Lemma 1, we have:

Then the proof is concluded.

4.4. Providing Mutual Authentication

The following theorem shows that the proposed scheme has MA security if the hash function used is secure and the proposed scheme has AKE security.

Theorem 2. Let Adv within time t" and t" ≤ t' + (q+ q)⋅t + 2⋅τ, where q

Proof of Theorem 2. The starting game G0 is the real attack against the proposed scheme and the final game G2 concludes that the adversary has a negligible advantage in breaking the MA security of the proposed scheme. The challenger A1 attempts to break the AKE security of the proposed scheme and the adversary Ama is constructed to break the MA security of the proposed scheme. The adversary Ama wins this game if he successfully fakes the authenticator.

Game G0: This game corresponds to the real attack. By definition, we have:

Game G1: This game simulates all oracles as in the previous game except for using a table list H to simulate Hash queries involving U and GWN, and involving GWN and S. Then, games G0 and G1 are indistinguishable except for collisions in the H-table in G1. By using the birthday paradox and Lemma 1, we have: |Pr[

where Ama makes q queries involving U and GWN, and involving GWN and S.

Game G2: This game simulates all oracles as in the previous game except for replacing the session key sk with a random number. Then, Ama is used for building an adversary A1 against the AKE security of the proposed scheme. Next, A1 arranges the parameters, simulates the proposed scheme and replies to the oracle queries made by Ama using the following scenarios. When receiving or queries involving U and GWN, and involving GWN and S, A1 replies with the results of executing the proposed scheme. When receiving queries involving U and S, A1 replies with the corresponding authenticators to Ama by making the same queries to the oracle Hash involving U and S. When receiving queries, A1 replies to these queries by using the coin bit c that it has previously selected and the computed session keys. Therefore, the probability of the event that A1 outputs 1 when the authenticator is obtained from the real session key equals the probability of the event that Ama correctly guesses the hidden bit c in game G1. Similarly, the probability that A1 outputs 1 when the authenticator is obtained from a random string equals the probability that Ama correctly guesses the hidden bit c in game G2. Thus, by Lemma 1, we have: |Pr[

Since no information on the authenticator is leaked to the adversary, we have Pr[

Combining Equations (9)–(12) and using Lemma 1, we have

Then the proof is concluded.

4.5. Protecting Privacy of Users

Theorem 3. The proposed scheme protects the privacy of users. Proof of Theorem 3. The proposed scheme protects user U’s identity ID using the temporary secret key K1 shared by the user and the gateway node, so that any two request messages M1 = {DID, X2, X3, t3} and M1' = {DID', X2', X3', t3'} from user U are independent and difficult to distinguish from each other, where K1 = T_u(PK) mod p, DID = ID ⨁ K1, X2 = T_u(x) mod p, X3 = h(ID║K1║TCR║t3), u is a random number and t3 is a timestamp; and K1' = T_{u'}(PK) mod p, DID' = ID ⨁ K1', X2' = T_{u'}(x) mod p, X3' = h(ID║K1'║TCR║t3'), u' is a random number and t3' is a timestamp. Because u and u' are chosen independently for each request, every transmitted field changes from one login to the next. The proposed scheme therefore provides user anonymity and data unlinkability, and thus exhibits untrackability [29]. Accordingly, the privacy of users is protected.

4.6. Resistance to Privileged Insider Attacks

Theorem 4. The proposed scheme withstands privileged insider attacks. Proof of Theorem 4. In the registration phase, the user sends REG rather than (ID, PW) to the GWN, where REG = K ⨁ (ID║ID║h(ID║PW║r)), and U’s identity ID and password PW are protected by the random number r. Therefore, a privileged insider who sees REG still fails to obtain (ID, PW) from it, and so fails to correctly compute TCR = D1 ⨁ h(ID║PW║r) (or h(K║ID║E)); thus the proposed scheme withstands the privileged insider attack.

4.7. Resistance to Impersonation Attacks

Theorem 5. The proposed scheme withstands impersonation attacks. Proof of Theorem 5. An adversary who tries to impersonate U fails to compute TCR = D1 ⨁ h(ID║PW║r) and X3 = h(ID║K1║TCR║t3), and cannot send out the correct request messages M1 = {DID, X2, X3, t3} in the login and authentication phase without the correct ID, PW and (D1, r) in U’s smart card, where t3 is the timestamp. A failed login is detected by the GWN in Step 2 of the login and authentication phase, so the proposed scheme withstands impersonation attacks.

4.8. Resistance to Off-Line Password Guessing Attacks

Theorem 6. The proposed scheme withstands off-line password guessing attacks. Proof of Theorem 6. In the proposed scheme, the transmitted messages M1 = {DID, X2, X3, t3}, M2 = {DID, X2, Y4, t4}, M3 = {Z1, Z2, Z3, t5} and M4 = {SID, Z1, Z3, t5} carry no information about the user’s password PW, so an adversary cannot use M1, M2, M3 and M4 to confirm whether a guessed password is correct, where DID = ID ⨁ K1, K1 = T(PK) mod p, X2 = T(x) mod p, X3 = h(ID║K1║TCR║t3) and TCR = h(K║ID║E); DID = ID ⨁ K2, K2 = h(Q║t4) and Y4 = h(Q║ID║X2║t4); and Z1 = T(x) mod p, Z2 = h(K2'║ID║SID║t5), Z3 = h(sk║ID║SID║t5) and sk = T(X2) mod p. Thus, off-line password guessing attacks are ineffective against the proposed scheme.

4.9. Resistance to Undetectable On-Line Password Guessing Attacks

Theorem 7. The proposed scheme withstands undetectable on-line password guessing attacks. Proof of Theorem 7. Again, the transmitted messages M1, M2, M3 and M4 carry no information about a user’s password PW, so a guessed password can only be tested by submitting a login request, and a failed login is detected by the GWN in Step 2 of the login and authentication phase. Accordingly, an attacker cannot test guesses in an on-line transaction without being detected, and the scheme thus resists undetectable on-line password guessing attacks.

4.10. Resistance to Stolen Verifier Attacks

Theorem 8. The proposed scheme withstands stolen verifier attacks. Proof of Theorem 8. In the proposed scheme, the GWN keeps (h(ID), E) in its verifier table for each user U. An adversary who steals the GWN’s verifier table and copies (h(ID), E) still fails to compute TCR = D1 ⨁ h(ID║PW║r), DID = ID ⨁ K1 and X3 = h(ID║K1║TCR║t3) without knowledge of user U’s ID, PW, r and D1, where u is a random number, K1 = T_u(PK) mod p, X2 = T_u(x) mod p and t3 is the timestamp. The adversary therefore cannot send out a valid M1 = {DID, X2, X3, t3} in Step 1, and the failed login is detected by the GWN. Therefore, the proposed scheme resists stolen verifier attacks.
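The following is an added worked example, not code from the paper: it builds the user's request M1 = {DID, X2, X3, t3} from the formulas in the proofs of Theorems 3, 5 and 8 (K1 = T_u(PK) mod p, X2 = T_u(x) mod p, DID = ID ⨁ K1, X3 = h(ID║K1║TCR║t3)) and shows the GWN check that detects a failed login in Step 2 while holding only (h(ID), E) and deriving TCR = h(K║ID║E). Everything not stated in the paper is an assumption made here: h is SHA-256 over length-prefixed fields, p is the Mersenne prime 2^89 − 1 with a fixed public seed x, the GWN holds a private key s with PK = T_s(x) mod p and recovers K1 as T_s(X2) = T_{su}(x) = T_u(PK) by the semigroup property of Chebyshev polynomials, identities are at most 8 bytes, and timestamps are accepted within a 60 s window.

```python
"""Added example (not the paper's code): user request M1 and GWN-side verification
for a chaotic-map temporal-credential login.  Assumed here: h = SHA-256 with
length-prefixed fields, p = 2^89-1, fixed public seed x, GWN key s with
PK = T_s(x) mod p, 8-byte identities, 60 s timestamp window."""
import hashlib
import hmac
import secrets
from typing import Optional

P = (1 << 89) - 1             # assumed prime modulus p (Mersenne prime)
X = 0x123456789ABCDEF0        # assumed public seed x, 1 < x < p
ID_LEN = 8                    # assumed fixed identity length in bytes
DELTA_T = 60                  # assumed accepted clock skew for t3, in seconds


def cheb(n: int, x: int, p: int) -> int:
    """Chebyshev polynomial T_n(x) mod p by left-to-right doubling, using
    T_{2k} = 2*T_k^2 - 1 and T_{2k+1} = 2*T_k*T_{k+1} - x; O(log n) multiplications."""
    a, b = 1 % p, x % p                       # (T_0, T_1)
    for bit in bin(n)[2:]:
        if bit == "0":
            a, b = (2 * a * a - 1) % p, (2 * a * b - x) % p
        else:
            a, b = (2 * a * b - x) % p, (2 * b * b - 1) % p
    return a


def h(*parts) -> bytes:
    """h(a||b||...) as SHA-256; each field is length-prefixed so the
    concatenation cannot be re-split ambiguously (assumed encoding)."""
    m = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes(16, "big")   # all ints here are < 2^89
        m.update(len(part).to_bytes(2, "big") + part)
    return m.digest()


def _pad(ident: bytes) -> bytes:
    # An ID longer than the XOR mask would leak its excess bytes in clear.
    if len(ident) > ID_LEN:
        raise ValueError("identity longer than ID_LEN would leak past the XOR mask")
    return ident.rjust(ID_LEN, b"\0")


def user_request(ident: bytes, tcr: bytes, pk: int, t3: int,
                 u: Optional[int] = None) -> dict:
    """Step 1 of login: fresh u, K1 = T_u(PK), X2 = T_u(x), DID = ID xor K1,
    X3 = h(ID||K1||TCR||t3).  A fresh u per request makes requests unlinkable."""
    if u is None:
        u = secrets.randbelow(P - 2) + 2
    ident = _pad(ident)
    k1 = cheb(u, pk, P)
    x2 = cheb(u, X, P)
    did = int.from_bytes(ident, "big") ^ k1
    x3 = h(ident, k1, tcr, t3)
    return {"DID": did, "X2": x2, "X3": x3, "t3": t3}


class Gateway:
    """GWN side: stores (h(ID), E) per user, never ID or PW, and derives
    TCR = h(K_GWN||ID||E) on demand."""

    def __init__(self, s: int, k_gwn: bytes):
        self.s = s                              # private key; PK = T_s(x) is public
        self.k = k_gwn
        self.pk = cheb(s, X, P)
        self.table = {}                         # h(ID) -> E

    def register(self, ident: bytes) -> bytes:
        ident = _pad(ident)
        e = secrets.token_bytes(16)
        self.table[h(ident)] = e
        return h(self.k, ident, e)              # TCR issued to the user

    def verify(self, msg: dict, now: int) -> Optional[bytes]:
        """Step 2: reject stale t3, recover K1 = T_s(X2) = T_u(PK), unmask ID,
        recompute X3 and compare in constant time.  None means failed login."""
        if abs(now - msg["t3"]) > DELTA_T:
            return None
        k1 = cheb(self.s, msg["X2"], P)
        raw = msg["DID"] ^ k1
        if raw.bit_length() > 8 * ID_LEN:
            return None                         # not a well-formed identity
        ident = raw.to_bytes(ID_LEN, "big")
        e = self.table.get(h(ident))
        if e is None:
            return None                         # unknown user
        tcr = h(self.k, ident, e)
        if not hmac.compare_digest(msg["X3"], h(ident, k1, tcr, msg["t3"])):
            return None                         # wrong TCR: wrong ID/PW or forgery
        return ident.lstrip(b"\0")


def unlinkable(m_a: dict, m_b: dict) -> bool:
    """True if two requests from one user share none of DID, X2, X3."""
    return all(m_a[f] != m_b[f] for f in ("DID", "X2", "X3"))


if __name__ == "__main__":
    gw = Gateway(s=secrets.randbelow(P - 2) + 2, k_gwn=secrets.token_bytes(32))
    tcr = gw.register(b"alice")
    m1 = user_request(b"alice", tcr, gw.pk, t3=1_700_000_000)
    m2 = user_request(b"alice", tcr, gw.pk, t3=1_700_000_000)
    print(gw.verify(m1, now=1_700_000_005), unlinkable(m1, m2))
```

Two points a practitioner should take from this: the GWN never needs the user's ID or password on disk, since it recomputes TCR from its own key and the stored (h(ID), E) only after unmasking ID from the request; and every wrong guess of ID, PW or TCR terminates in the X3 comparison, which is the detection step the proofs of Theorems 5, 8 and 9 rely on.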

4.11. Resistance to Lost Smartcard Attacks

Theorem 9. The proposed scheme withstands lost smartcard attacks. Proof of Theorem 9. An adversary who steals user U’s smartcard and copies its contents (D1, PK, T(.), x, p, h(.), r) still fails to compute TCR = D1 ⨁ h(ID║PW║r) and X3 = h(ID║K1║TCR║t3), where t3 is the timestamp, and so cannot send out a correct message M1 = {DID, X2, X3, t3} in Step 1 of the login and authentication phase without the correct ID and PW. The GWN detects the failed login in Step 2 of the login and authentication phase, so the proposed scheme withstands lost smartcard attacks.

4.12. Resistance to Many Logged-in Users Attacks

Theorem 10. The proposed scheme withstands many-logged-in-users attacks. Proof of Theorem 10. Assume that U’s login information (ID, PW, T(.), x, p, h(.), r) is leaked to more than one non-registered user. The GWN maintains a status-bit field and a last-login field in its verifier table, so it can detect and reject simultaneous duplicate logins under the same identity. Therefore, the proposed scheme withstands many-logged-in-users attacks.

5. Performance Analyses and Functionality Comparisons

5.1. Performance Analyses

Table 2 compares the performance of the proposed scheme with those of the schemes developed by Yeh et al. [16], Xue et al. [8], Li et al. [9] and Kim et al. [35], where T_h is the execution time of a one-way hash operation, T_c is the execution time of a Chebyshev chaotic map operation, and T_e is the execution time of a scalar multiplication on an elliptic curve.

Table 2. The performance comparisons of the related schemes and the proposed scheme.

Computations   Yeh et al. [16]   Xue et al. [8]   Li et al. [9]   Kim et al. [35]   Our Scheme
U_i            2 T_e + 1 T_h     7 T_h            9 T_h           8 T_h             3 T_c + 3 T_h
S_j            2 T_e + 3 T_h     5 T_h            6 T_h           2 T_h             2 T_c + 4 T_h
GWN            4 T_e + 4 T_h     10 T_h           11 T_h          8 T_h             1 T_c + 6 T_h
Total          8 T_e + 8 T_h     22 T_h           26 T_h          18 T_h            6 T_c + 13 T_h

The first comparison concerns the computational cost for user U, sensor node S and the gateway node GWN. The scheme of Yeh et al. [16] employs encryptions and decryptions on an elliptic curve, and so has a greater computational cost than the related schemes [8,9,35], which use only hash operations. Since T_c is comparable to T_h, where T_h is measured using the hash functions SHA-1 and MD5 [36,37,38], the proposed scheme requires six chaotic map operations and 13 hash operations in total and so has a low computational burden.

5.2. Functionality Comparisons

Table 3 compares the proposed scheme and related schemes in terms of functionality, and specifically the meeting of security requirements and resistance to possible attacks. The schemes that were developed by Yeh et al., Xue et al., Li et al. and Kim et al. all fail to protect users’ privacy. Additionally, the scheme of Yeh et al. fails to withstand password guessing, lost smart card and many-logged-in-users attacks. The scheme of Xue et al. fails to withstand privileged insider, password guessing, stolen verifier, lost smart card and many-logged-in-users attacks. The scheme of Li et al. fails to withstand impersonation and stolen verifier attacks. Only the proposed scheme withstands all possible attacks and protects privacy. Thus, the proposed scheme provides greater functionality; exhibits more favorable security-related properties, and has a lower computational cost than the other schemes.
Table 3. The functionality comparisons of the related schemes and the proposed scheme.

Property                                 Yeh et al. [16]   Xue et al. [8]   Li et al. [9]   Kim et al. [35]   Our Scheme
Providing mutual authentication          Yes               Yes              Yes             Yes               Yes
Providing session key security           Yes               Yes              Yes             Yes               Yes
Providing privacy protection             No                No               No              No                Yes
Resisting privileged insider attacks     Yes               No               Yes             Yes               Yes
Resisting impersonation attacks          Yes               Yes              No              Yes               Yes
Resisting password guessing attacks      No                No               Yes             Yes               Yes
Resisting stolen verifier attacks        Yes               No               No              Yes               Yes
Resisting lost smartcard attacks         No                No               Yes             Yes               Yes
Resisting many logged-in users attacks   No                No               Yes             Yes               Yes

6. Conclusions

This study addresses the weaknesses of the temporal credential-based authenticated key agreement scheme developed by Li et al., which allow an adversary to impersonate legitimate users, to perform a stolen verifier attack that recovers all used session keys and transmitted secrets of users and sensor nodes, and to reveal users’ identities. A new temporal credential-based authenticated key agreement scheme that uses extended chaotic maps is developed for WSNs. The proposed scheme protects each user’s identity with a temporary secret key, conceals each user’s private parameters, and reduces the number of redundant parameters concerning the user’s identity and password in the verifier table of the GWN. Therefore, the proposed scheme has none of the weaknesses of the previous schemes. Additionally, session key security rests on the extended chaotic maps-based Diffie-Hellman problem, so the proposed scheme exhibits perfect forward secrecy and known-key security. The proposed scheme not only eliminates the weaknesses of previous approaches, but also increases security and efficiency.
References

1.  Lee T-F. An efficient chaotic maps-based authentication and key agreement scheme using smartcards for telecare medicine information systems. J Med Syst, 2013.

2.  Wu S, Chen K. An efficient key-management scheme for hierarchical access control in e-medicine system. J Med Syst, 2011.

3.  Lee T-F. Verifier-based three-party authentication schemes using extended chaotic maps for data exchange in telecare medicine information systems. Comput Methods Programs Biomed, 2014.

4.  Lou D-C, Lee T-F, Lin T-H. Efficient biometric authenticated key agreements based on extended chaotic maps for telecare medicine information systems. J Med Syst, 2015.

5.  Yeh H-L, Chen T-H, Liu P-C, Kim T-H, Wei H-W. A secured authentication protocol for wireless sensor networks using elliptic curves cryptography. Sensors (Basel), 2011.

6.  Khan MK, Alghathbar K. Cryptanalysis and security improvements of 'two-factor user authentication in wireless sensor networks'. Sensors (Basel), 2010.

7.  Li C-T, Weng C-Y, Lee C-C. An advanced temporal credential-based security scheme with mutual authentication and key agreement for wireless sensor networks. Sensors (Basel), 2013.

8.  Kim J, Lee D, Jeon W, Lee Y, Won D. Security analysis and improvements of two-factor mutual authentication with key agreement in wireless sensor networks. Sensors (Basel), 2014.