
Enhanced Two-Factor Authentication and Key Agreement Using Dynamic Identities in Wireless Sensor Networks.

I-Pin Chang, Tian-Fu Lee, Tsung-Hung Lin, Chuan-Ming Liu.

Abstract

Key agreements that use only password authentication are convenient in communication networks, but these key agreement schemes often fail to resist possible attacks, and therefore provide poor security compared with some other authentication schemes. To increase security, many authentication and key agreement schemes use smartcard authentication in addition to passwords. Thus, two-factor authentication and key agreement schemes using smartcards and passwords are widely adopted in many applications. Vaidya et al. recently presented a two-factor authentication and key agreement scheme for wireless sensor networks (WSNs). Kim et al. observed that the Vaidya et al. scheme fails to resist gateway node bypassing and user impersonation attacks, and then proposed an improved scheme for WSNs. This study analyzes the weaknesses of the two-factor authentication and key agreement scheme of Kim et al., which include vulnerability to impersonation attacks, lost smartcard attacks and man-in-the-middle attacks, violation of session key security, and failure to protect user privacy. An efficient and secure authentication and key agreement scheme for WSNs based on the scheme of Kim et al. is then proposed. The proposed scheme not only solves the weaknesses of previous approaches, but also increases security requirements while maintaining low computational cost.


Keywords:  authentication; dynamic identity; key agreement; password; smartcard; wireless sensor networks


Year:  2015        PMID: 26633396      PMCID: PMC4721688          DOI: 10.3390/s151229767

Source DB:  PubMed          Journal:  Sensors (Basel)        ISSN: 1424-8220            Impact factor:   3.576


1. Introduction

1.1. Authentication and Key Agreement for WSNs

An authentication and key agreement scheme for WSNs comprises users, sensor nodes and a gateway node (GWN), and enables a user and sensor nodes to realize mutual authentication and to negotiate a common secret key with the help of the GWN. The legitimate user and sensor nodes then establish a secure and authenticated channel [1,2,3,4,5,6,7,8,9], as shown in Figure 1. A password-based authentication and key agreement scheme only uses a weak password for user authentication, and is the most convenient authentication method. However, these schemes tend to suffer from some possible attacks, and thus have poor security. To improve security, many authentication and key agreement schemes supplement password authentication with long-term secret keys stored in RFID tags or smartcards [1,8,9,10,11,12]. Since long-term secret keys are not easy to guess and break, two-factor authentication schemes that realize identification using passwords and smartcards may increase security, and thus are suitable for WSNs.

Figure 1. An authentication and key agreement scheme for WSNs.

Several efficient two-factor authentication and key agreement schemes for WSNs have been presented recently. For example, in 2009 Das proposed a two-factor authentication and key agreement scheme using passwords and smartcards [1]. The scheme of Das has low computational cost, and is suitable for resource-constrained WSNs. Many improved authentication and key agreement schemes [9,10,11,12,13] were proposed later to solve the security weaknesses in the Das scheme. Chen and Shih [11] in 2010 provided an improved scheme based on the Das scheme to ensure that a legal user can use a WSN in a public environment. Yeh et al. [14] in 2011 presented a user authentication scheme based on Elliptic Curves Cryptography (ECC) to overcome the perceived security weaknesses of the scheme of Chen and Shih [11]. However, the scheme of Yeh et al. [14] requires time-consuming scalar multiplications on an elliptic curve, and is still insecure against several possible types of attack, and thus fails to provide a secure and efficient solution for WSNs. Vaidya et al. [15] in 2012 showed that the Das scheme and its derivatives not only have security flaws, but also do not provide key agreement. Additionally, Kim et al. [16] pointed out in 2014 that the scheme of Vaidya et al. fails to resist gateway node bypassing and user impersonation attacks, and also proposed an improved scheme that eliminates such security weaknesses and is efficient in terms of computational and communication cost. However, their scheme still fails to withstand some possible attacks, as any legitimate user can obtain the secret keys of sensor nodes such that an adversary can perform impersonation, lost smartcard and man-in-the-middle attacks. Moreover, their scheme violates session key security, and fails to provide user privacy protection.

1.2. Our Contributions

This investigation presents an efficient and secure authentication and key agreement scheme for WSNs to address the weaknesses of the two-factor scheme of Kim et al. [16]. The proposed scheme protects user privacy by using dynamic identities, and by eliminating constant parameters in request messages. Our scheme also encrypts the communicating messages with temporary secret keys rather than constant secret keys of users and sensor nodes, and diminishes redundant variables to ensure session key security. It overcomes the weaknesses in previous schemes, increases security requirements and maintains low computational cost.

1.3. Organization of the Paper

The remainder of this investigation is organized as follows: Section 2 lists the notations and definitions adopted in this investigation, reviews the two-factor authentication and key agreement scheme for WSNs of Kim et al. [16], and analyzes its weaknesses. Section 3 presents the proposed authentication and key agreement scheme using dynamic identities for WSNs. Section 4 and Section 5 present the results of the security and performance evaluation, respectively. Finally, Section 6 draws the conclusions.

2. Preliminaries

This section lists the notations adopted in this paper, describes the underlying primitives used in this investigation, briefly reviews the two-factor authentication and key agreement scheme for WSNs of Kim et al. [16], and then addresses the weaknesses of their scheme. Assume that U denotes the ith user; S denotes the jth sensor node, and GWN denotes the gateway node in which U and S are registered. Table 1 lists the notations used throughout this paper.
Table 1. Notation.

Symbol                  Description
IDi, pwi                Identity and password pair of user Ui
SIDj                    Identity of sensor node Sj
IDs                     Identity of smart card
K                       Secret key only known to GWN
xs                      Secret value of GWN and Sj
KS                      Session key
RNi, RNj, RNG           Random numbers selected by Ui, Sj and GWN, respectively
Ti, Ti, Tj, TG, TG      The timestamp values
h(·)                    A collision-free one-way hash function
f(x, k)                 Pseudo-random function of variable x with key k
A B: M                  A sends message M to B through a common channel
A B: M                  A sends message M to B through a secure channel
                        The exclusive-or (XOR) operation
M1||M2                  Message M1 concatenates to message M2

2.1. Review of the Authentication and Key Agreement Scheme of Kim et al.

Kim et al. [16] in 2014 proposed an improved two-factor authentication and key agreement scheme for WSNs. Their improved scheme comprises registration, login, authentication and key agreement, and password change phases, which are described as follows:

2.1.1. Registration Phase

In the registration phase, U registers his/her identity and password to GWN. Then, GWN personalizes a smartcard for U. Meanwhile, S keeps (SID, X*) in its storage before being deployed, where X* = h(SID||x):

U GWN: {ID, HPW}
U selects ID, password pw, a random number RN, computes HPW = h(pw||RN) and sends {ID, HPW} to GWN via a secure channel.

GWN U: U′s smartcard
GWN computes HID = h(ID||K), X = h(HID||x), A = h(HPW||X) h(HID||K), B = h(HPW* X), C = X h(ID||HPW) and personalizes the smart card for U with the parameters: (ID, HID, h(·), A, B, C). Then, GWN sends the smartcard to U via a secure channel.

U computes XPW = h(pw) RN and inserts XPW into his/her smart card.

2.1.2. Login Phase

U inserts his/her smart card into a terminal and enters ID* and PW*. The smart card computes RN* = h(pw) XPW, HPW* = h(pw*||RN*), X* = C h(ID||HPW*), B* = h(HPW* X*) and verifies B* = ? B. If unsuccessful, the smart card aborts this request; otherwise, the smartcard computes DID = B h(X*||RN||T), M = h(A||X*||RN||T) and v = RN X*, where RN is a nonce and T is the current timestamp. Then the smartcard sends the authentication request {DID, M, v, T, HID} to GWN.

2.1.3. Authentication and Key Agreement Phase

This phase enables U and S to authenticate each other and to negotiate a secret key, and functions as follows:

GWN → S: {DID, M, T}
GWN checks the validity of T, computes X = h(HID||x), RN = v X, X* = DID h(X||RN||T), M* = h((X* h(HID||K)||X||RN||T) and checks M* = ? M. If successful, GWN computes X = h(SID||x), M = h(DID||SID||X||T) and sends {DID, M, T} to S, where S is the nearest sensor node for U and T is current timestamp.

S → GWN: {y, M, T}
S checks the validity of T, computes M* = h(DID||SID||X*||T) and checks M* = ? M. If successful, S computes y = RN X*, z = M* RN and M = h(z||X*||T), K = f((DID||RN), X*), and sends {y, M, T} to GWN, where RN is a nonce and T is current timestamp.

GWN → U: {y, w, M,, q, T′}
GWN checks the validity of T, computes RN = y X, z* = M* RN, M,G* = h(z*||X||T), and checks M* = ? M. If successful, GWN computes M = h(DID||M|| M||X||T′), w = z* X, y = RN X, q = X RN and sends {y, w, M,, q, T′} to U, where T′ is current timestamp.

The smart card checks the validity of T′ and computes RN = y X, z* = w X, M = z* RN, M* = h(DID||M*|| M||X||T′), and checks M* = ? M. If successful, U computes X = q RN and the session key K = f((DID||RN), X). Then, U and S successfully realize mutual authentication and have a common session key K.

2.1.4. Password Change Phase

This phase allows user U to change his/her password by performing the following steps: U inserts his/her smartcard and inputs his/her identity ID*, old password pw*, and a new password pw. The smart card computes RN* = h(pw*) XPW, HPW* = h(pw*||RN*), X* = C h(ID||HPW*), B* = h(HPW* X*), and checks B* = ? B. If successful, the smart card computes HPW = h(pw||RN*), A = A h(HPW*||X*) h(HPW||X*), B = h(HPW X*), C = X* h(ID||HPW), and replaces (A, B, C) with (A, B, C).

2.2. Limitations of the Authentication and Key Agreement Scheme of Kim et al.

This subsection addresses the weaknesses of the authentication and key agreement scheme of Kim et al. [16], which include: vulnerability to impersonation, lost smartcard and man-in-the-middle attacks; violation of session key security, and failure to protect user privacy.

2.2.1. Security Against Impersonation Attacks

In the scheme of Kim et al., any legitimate user can obtain the sensor node S’s secret X* after performing the login phase followed by the authentication and key agreement phase. Malicious user 𝒜 can then easily impersonate S to communicate with GWN and any user U by using the following steps: On receiving the message {DID, M, T} from GWN, 𝒜 computes y = RN X*, z = M* RN and M′ = h(z*||T), where RN is a nonce selected by 𝒜 and T is the timestamp. Then 𝒜 sends back {y, M′, T} to GWN. Next, 𝒜 is authenticated by GWN since GWN successfully checks and M′ = ? M, where RN = y X, z* = M* RN, M′* = h(z*||X||T). Then, 𝒜 computes the session key K = f((DID||RN), X) shared with U. Thus, 𝒜 successfully impersonates S to communicate with GWN and U.

2.2.2. Security against Lost Smart Card Attacks

The malicious user 𝒜 gets (ID, HID, h(·), A, B, C, XPW) from U’s smartcard. Then 𝒜 can impersonate U to communicate with GWN and any sensor node S by using the following steps: 𝒜 collects previous messages between U, GWN and S0, which include (DID0, v0, T0, HID, y0, y0, w0, q0), and has S0’s secret X0. 𝒜 computes RN0 = y0 X0, X = y0 RN0, RN0 = v0 X, DID = DID0 h(XRN0||T0) h(XRNT), M′ = h(AXRNT) and v = RN X, where RN is a nonce selected by 𝒜 and T is the current timestamp. Then 𝒜 impersonates U and sends the authentication request {DID, M′, v′, T, HID} to GWN. GWN successfully authenticates 𝒜 by checking and M* = ? M′. Next, GWN and S realize mutual authentication by validating timestamps T, T and checking M* = ? M, M* = ? M. Then GWN sends back {y, w, M, q, T} to 𝒜, where M = h(DID||M|| M||X||T), w = z* X, y = RN X, q = X RN, and is the current timestamp. The adversary 𝒜 computes RN = y X and X = q RN. Then, 𝒜 successfully has the session key K = f((DID||RN), X) shared with S.

2.2.3. Security against Man-in-the-Middle Attacks

Additionally, a legitimate user 𝒜 has S’s secret X* and can successfully perform the man-in-the-middle attack by using the following steps: User 𝒜 intercepts the communications between GWN and S. After receiving the message {DID, M, T} from GWN, 𝒜 forwards it to S. On receiving the message {y, M, T} from S, 𝒜 computes RN = y X*, y = RN X*, z = M* RN and M′ = h(z||X*||T), and sends {y, M′, T} to GWN, where RN is a nonce selected by S and RN is a nonce selected by 𝒜, respectively. GWN successfully checks T, computes RN = y X, z* = M* RN, M′* = h(z*||X||T), and checks M′* = ? M′. Then, GWN computes M′ = h(DID||M′|| M||X||T), w = z* X, y = RN X, q = X RN, and sends {y, w, M′, q, T} to U. The smart card successfully checks T and computes RN = y X, z* = w X, M,S′ = z* RN, M′* = h(DID||M′*|| M||X||T), and checks M′* = ? M′. Then U computes X = q RN and the session key K = f((DID||RN), X) shared with 𝒜. S computes the session key K = f((DID||RN), X) shared with 𝒜.

2.2.4. Violation of Session Key Security

Moreover, the legitimate 𝒜 can derive each RN by computing y X* and calculate all used session keys K = f((DID||RN), X) of U and S since 𝒜 has X* and DID. Then, 𝒜 derives all transmitted secrets between U and S. Therefore, the scheme of Kim et al. violates session key security.

2.2.5. Failure to Privacy Protection of Users

In the scheme of Kim et al., U’s identity ID is protected with GWN’s secret key K and hash function h(·), and is not revealed. However, the parameter HID = h(ID||K) in the request message {DID, M, v, T, HID} from U relies on U’s ID and is constant. An adversary can then easily distinguish whether any two request messages are from the same user using HID. Thus, the scheme of Kim et al. fails to exhibit data unlinkability, and cannot realize privacy protection of users [17].

3. Proposed Authentication and Key Agreement Scheme Using Dynamic Identities for WSNs

This section presents a secure authentication and key agreement scheme based on the scheme of Kim et al. [16] for WSNs. The proposed scheme appends a dynamic identity for the user and eliminates constant parameters from the user’s request messages such that any two request messages are independent and indistinguishable. It also encrypts the communicating messages with the temporary secret keys rather than the constant secret keys of users and sensor nodes, and diminishes redundant variables. Additionally, the proposed scheme modifies sensor nodes’ secret keys such that a sensor node cannot derive other sensor nodes’ secret keys. Consequently, an adversary cannot discover the secret keys of users and sensor nodes, and thus cannot obtain used session keys or transmitted secrets. The proposed scheme also has registration, login, authentication and key agreement, and password change phases. The password change phase is the same as that of the scheme of Kim et al., and therefore is not presented here.

3.1. Registration Phase

In the registration phase, U registers his/her identity and password to GWN. Then, GWN personalizes a smart card for U. Meanwhile, S keeps (SID, X*) in its storage before being deployed, where X* = h(SID||K):

U GWN: {ID, HPW}
U selects ID, password pw, a random number RN, computes HPW = h(pw||RN) and sends {ID, HPW} to GWN via a secure channel.

GWN U: U′s smartcard
GWN computes HID = h(ID||K), X = h(HID||K), A = h(HPW||X) HID, B = h(HPW X), C = X h(ID||HPW) and personalizes the smartcard for U with the parameters: (ID, h(·), A, B, C, TID). Then, GWN sends the smartcard to U via a secure channel. GWN also stores parameters (TID, TID°, HID) in its storage for U, where TID is the temporal identity for U’s next login and TID = RN, RN is a nonce, and TID°= "".

U computes XPW = h(pw) RN and inserts XPW into his/her smartcard.

3.2. Login Phase

In this phase, user U inserts his/her smart card, inputs his/her identity and password, and sends the service request to GWN. Figure 2 illustrates the login phase, which works as follows.
Figure 2. The login phase of the proposed scheme for WSNs.

U inserts his/her smart card into a terminal and enters ID* and pw*. The smartcard computes RN* = h(pw) XPW, HPW* = h(pw*||RN*), X* = C h(ID||HPW*), B* = h(HPW* X*) and verifies B* = ? B. If unsuccessful, the smartcard aborts this request; otherwise, the smart card computes a temporary secret key k = h(X*||T), DID = h(HPW*||X*) k, M = h(A||X*||T), where T is the current timestamp. Then the smartcard sends the authentication request {DID, M, T, TID} to GWN.

3.3. Authentication and Key Agreement Phase

This phase enables U, GWN and S to authenticate each other, and to establish a common session key of U and S. Figure 3 illustrates the authentication and key agreement phase, which works as follows:
Figure 3. The authentication and key agreement phase of the proposed scheme for WSNs.

GWN → S: {DID, M, T}
GWN checks the validity of T, retrieves U’s information HID by using TID. If TID is not found, then GWN retrieves HID by using TID°. If unsuccessful, GWN rejects this service request; otherwise, GWN computes X = h(HID||K), k = h(X||T), X* = DID k, M,* = h((X* HID)||X||T) and checks M* = ? M. If successful, GWN computes X = h(SID||K), M = h(DID||SID||X||T) and sends {DID, M, T} to S, where S is the nearest sensor node for U and T is current timestamp.

S → GWN: {M, T}
S checks the validity of T, computes M* = h(DID||SID||X*||T) and checks M* = ? M. If successful, S computes a temporary secret key k = h(X*||T), z = M* k, K = f(DID, k) and M = h(z||X*||T), and sends {M, T} to GWN, where T is current timestamp.

GWN → U: {y, M,, T′}
GWN checks the validity of T, computes k = h(X||T), z* = M* k, M* = h(z*||X||T), and checks M* = ? M. If successful, GWN computes M = h(DID||M*||k||X||T′), y = k h(k), TID = h(HID||T), and sends {y, M,, T′} to U, where T′ is current timestamp. At this time, GWN updates (TID, TID°) as (TID, TID).

The smartcard checks the validity of T′, and computes k = y h(k), M,* = h(DID||M||k||X||T′), and checks M,* = ? M,. If successful, U computes the session key K = f(DID, k). Then, U and S successfully realize mutual authentication and have a common session key K. Similarly, U also updates TID as h(HID||T).
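The user-to-gateway leg of Sections 3.1 to 3.3 (registration, login request, gateway check and TID/TID° rotation), as an added Python example that is not the authors' code. Subscripts and XOR positions are restored by assumption where this page's formulas lost them; SHA-256, the length-prefixed encoding of "||", integer timestamps with a 5-second window, and the names Gateway, SmartCard, confirm and linkable_fields are assumptions. The GWN-to-sensor leg is left out, so confirm() stands in for the card accepting the gateway's reply.

```python
import hashlib
import hmac
import os

DELTA = 5  # assumed freshness window (seconds); the page only says T is checked


def h(*parts: bytes) -> bytes:
    """h(a||b||...): SHA-256 over length-prefixed parts (assumed encoding of '||')."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")


class Gateway:
    def __init__(self):
        self.K = os.urandom(32)   # GWN secret key K
        self.table = []           # verifier table rows: TID, TID0 (= TID°), HID

    def register(self, ID: bytes, HPW: bytes) -> dict:
        HID = h(ID, self.K)
        XS = h(HID, self.K)
        IDs = os.urandom(8)       # smart card identity (constructed value)
        TID = os.urandom(32)      # first temporal identity is a nonce
        self.table.append({"TID": TID, "TID0": b"", "HID": HID})
        return {"IDs": IDs, "A": xor(h(HPW, XS), HID), "B": h(xor(HPW, XS)),
                "C": xor(XS, h(IDs, HPW)), "TID": TID}

    def verify_login(self, req: dict, now: int) -> bool:
        # An empty TID must never match the initial TID0 = "" of a fresh row.
        if len(req["TID"]) != 32 or len(req["DID"]) != 32:
            return False
        if abs(now - req["T"]) > DELTA:
            return False
        # Look up by TID first, then fall back to the previous identity TID0.
        row = (next((r for r in self.table if r["TID"] == req["TID"]), None)
               or next((r for r in self.table if r["TID0"] == req["TID"]), None))
        if row is None:
            return False
        T = ts(req["T"])
        XS = h(row["HID"], self.K)
        k_i = h(XS, T)
        A = xor(xor(req["DID"], k_i), row["HID"])   # (DID xor k_i) xor HID = A
        if not hmac.compare_digest(h(A, XS, T), req["M"]):
            return False
        # Rotate: new TID = h(HID||T). Assumption not spelled out on the page:
        # TID0 keeps the identity the user actually presented, so a user who
        # missed the last reply is still found on the next attempt.
        row["TID"], row["TID0"] = h(row["HID"], T), req["TID"]
        return True


class SmartCard:
    def __init__(self, gwn: Gateway, ID: bytes, pw: bytes):
        RNr = os.urandom(32)
        self.p = gwn.register(ID, h(pw, RNr))       # sends {ID, HPW}
        self.XPW = xor(h(pw), RNr)
        self._pending = None

    def login(self, pw: bytes, now: int):
        p = self.p
        RNr = xor(h(pw), self.XPW)
        HPW = h(pw, RNr)
        XS = xor(p["C"], h(p["IDs"], HPW))
        if not hmac.compare_digest(h(xor(HPW, XS)), p["B"]):
            return None                              # wrong password: card aborts
        T = ts(now)
        k_i = h(XS, T)                               # temporary secret key
        HID = xor(p["A"], h(HPW, XS))                # follows from A's definition
        self._pending = h(HID, T)                    # TID for the next login
        return {"DID": xor(h(HPW, XS), k_i), "M": h(p["A"], XS, T),
                "T": now, "TID": p["TID"]}

    def confirm(self):
        """Call only after the gateway's reply was received and verified."""
        self.p["TID"] = self._pending


def linkable_fields(r1: dict, r2: dict) -> list:
    """Fields with identical values in two requests (what an observer can link on)."""
    return [f for f in r1 if r1[f] == r2[f]]
```

When a reply is lost, the card reuses its previous TID, so that retry is linkable to the request before it.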

4. Security Analyses

This section analyzes the security of the proposed authentication and key agreement scheme. The proposed scheme provides mutual authentication, session key security, user privacy protection, known-key security and resistance to privileged insider, impersonation and stolen verifier attacks. Since the proposed scheme is based on the scheme of Kim et al. [16], the analyses of the resistance to possible attacks, including replay attacks, parallel session attacks, privileged insider attacks and password guessing attacks, closely resemble those for the scheme of Kim et al., and so are not presented here. The following descriptions show that the proposed scheme provides indistinguishability in the Real-or-Random model [17,18,19].

4.1. Security Definitions

4.1.1. AKE Security (Session Key Security)

This definition states that an adversary cannot effectively distinguish between two messages from a challenger. One message is computed by the real session key and the other one is computed by a random string via an unbiased coin c. The adversary selects one message and sends it to the challenger. The challenger then decides to return the message computed by the real session key if c = 1 or computed by a random string if c = 0 by flipping an unbiased coin c. The adversary aims to correctly guess the value of the hidden bit c. The advantage that an adversary violates the indistinguishability of a scheme is denoted as Adv(𝒜), and is defined as: where E denotes the event that the adversary wins this game. The scheme is AKE-secure if Adv(𝒜) is negligible [17,18,19].

4.1.2. Mutual Authentication (MA) Security

In executing a scheme, the adversary 𝒜 violates mutual authentication if 𝒜 can successfully fake the authenticator M, M, M or M. The probability of this event is denoted by Adv(𝒜). The scheme is MA-secure if Adv(𝒜) is negligible [17,18,19]. The Difference Lemma [20] is used within our sequence of games (SOG), which is described as follows: (Difference Lemma). Let A, B and F be events defined in some probability distribution, and suppose that | Pr[ The advantage that an adversary breaks the AKE security of the proposed scheme: where Adv. The proof consists of a sequence of games starting at the game G0. Each game Gi defines the probability of the event E that the adversary wins this game. The first game is the real attack against the protocol and the terminal game G2 concludes that the adversary has a negligible advantage to break the AKE security of the proposed scheme. Assume that the challenger 𝒜1 attempts to break long-term secret keys (X and X), and the adversary 𝒜ake is constructed to break the session key security. Then 𝒜ake tries to distinguish the real session key from the random string. The challenger 𝒜1 sets up the used parameters, starts simulating the scheme and returns the real session key or a random string to 𝒜ake by flipping an unbiased coin c. The adversary 𝒜ake outputs its guess bit c′ and wins if c′ = c.

4.2. Session Key Security

Game G0: This game corresponds to the real attack. By definition, we have:

Game G1: This game transforms game G0 into game G1 by replacing the long-term secret keys, X and X, with two random numbers. Thus, by using Lemma 1, we have: | Pr[

Game G2: This game transforms game G1 into game G2 by replacing k (= h(X||T)) and k (= h(X||T)) with two random numbers. Then, games G1 and G2 are indistinguishable except collisions of a hash function in G2. Thus, by using the birthday paradox and Lemma 1, we have: | Pr[

Game G3: This game transforms previous game except for replacing K with a random number. Similarly, games G2 and G3 are indistinguishable except collisions of a hash function in G3, and thus we have: | Pr[

Therefore, the probability of the event that 𝒜1 outputs 1 when the response message is obtained by using the real session key is equal to the probability of the event that 𝒜ake correctly guesses the hidden bit c in game G2. Similarly, the probability of the event that 𝒜1 outputs 1 when the response message obtained by a random string is equal to the probability of the event that 𝒜ake correctly guesses the hidden bit c in game G3. All session keys are random and independent, and no information about c is revealed. Thus, we have: Pr[ Combining Equations (1)–(5), we have: Then the proof is concluded.

Let Advma be the advantage in violating the mutual authentication of the proposed scheme. Then, Advma is negligible, and thus the proposed scheme provides mutual authentication.

The proof also consists of a sequence of games. The first game G0 is the real attack against the proposed protocol and the terminal game G3 concludes that the adversary has a negligible advantage to break mutual authentication of the proposed protocol. Assume that Adv denotes the advantage that an adversary breaks the long-term secret keys and l is a security parameter. The challenger 𝒜2 attempts to break long-term secret keys of the proposed scheme, and the adversary 𝒜ma is constructed to break mutual authentication security for the scheme. The adversary 𝒜ma wins this game if he/she successfully fakes the authenticator M, M, M or M.

4.3. Mutual Authentication

Game G0: This game corresponds to the real attack. By definition, we have:

Game G1: This game transforms game G0 into game G1 by replacing X and X with two random numbers. Thus, by using Lemma 1, we have: | Pr[

Game G2: This game transforms game G1 into game G2 by replacing k and k with two random numbers. Thus, by using the birthday paradox and Lemma 1, we have: | Pr[

Game G3: This game transforms the previous game by replacing the authenticators with random numbers. Similarly, games G2 and G3 are indistinguishable except collisions of a hash function in G3, and thus we have: | Pr[

Therefore, the probability of the event that 𝒜2 outputs 1 when the authenticator is computed by using the real secret key is equal to the probability of the event that 𝒜ma correctly guesses the hidden bit c in game G2. Similarly, the probability of the event that 𝒜2 outputs 1 when the authenticator obtained by a random string is equal to the probability of the event that 𝒜ma correctly guesses the hidden bit c in game G3. Since no information on the authenticator is leaked to the adversary, we have: Pr[ Combining Equations (6)–(10), we have the advantage that the adversary violates the mutual authentication of the proposed scheme is: and thus is negligible.

The proposed scheme provides privacy protection of users. The proposed scheme does not reveal the user’s real identity IDi; it replaces the constant temporal identity HIDi with a dynamic user identity TIDi, and eliminates constant parameters from the user’s request messages. Consequently, any two request messages are independent and indistinguishable. The proposed scheme thus exhibits user anonymity, unlinkability and data untrackability [21]. Accordingly, the proposed scheme provides users with privacy protection.

The proposed scheme provides known-key security. Since the parameters DIDi and kj are independent among scheme executions, the session keys KS = f(DIDi, kj) generated in different runs are independent where DIDi = h(HPWi||XS) h(XS||Ti) and kj = h(XS||Ti). Accordingly, the proposed scheme provides known-key security.

An adversary who tries to impersonate Ui fails to compute ki = h(XS||Ti), DIDi = h(HPWi||XS) ki, MU = h(Ai||XS||Ti), and fails to send out the correct request messages {DIDi, MU, Ti, TIDi} in the login phase without correct IDi, pwi, XS and (IDs, h(·), Ai, Bi, Ci, HPWi, TIDi) in Ui’s smart card, where RNr = h(pwi) XPWi, HPWi = h(pwi||RNr), and Ti is the current timestamp. A failed login is detected by GWN in the authentication and key agreement phase, and thus the proposed scheme withstands impersonation attacks.

The proposed scheme withstands stolen verifier attacks. In the proposed scheme, the GWN maintains (TIDi, TIDi0, HIDi) in the verifier table for each user Ui. An adversary who steals a GWN’s verifier table and copies (TIDi, TIDi0, HIDi) still fails to compute RNr = h(pwi) XPWi, HPWi = h(pwi||RNr), XS = Ci h(IDs||HPWi), ki = h(XS||Ti), DIDi = h(HPWi||XS) ki and MU = h(Ai||XS||Ti) without the knowledge of user Ui’s (IDi, pwi) and (IDs, h(·), Ai, Bi, Ci, XPWi, TIDi) in the smartcard. The adversary fails to send the authentication request {DIDi, MU, Ti, TIDi} to GWN, and a failed login is detected by GWN. Therefore, the enhanced scheme withstands stolen verifier attacks.

The proposed scheme withstands lost smart card attacks. An adversary who steals user U’s smartcard and copies the message (ID, h(·), A, B, C, XPW, TID) still fails to compute RN = h(pw) XPW, HPW = h(pw||RN), X = C h(ID||HPW), k = h(X||T), DID = h(HPW||X) k and M = h(A||X||T), and fails to send out the correct authentication request {DID, M, T, TID} without the correct ID and pw. Consequently, a failed login is detected by GWN in the authentication and key agreement phase, and thus the enhanced scheme withstands lost smartcard attacks.

The proposed scheme withstands sensor node capture attacks. The enhanced scheme eliminates the shared secret key x of all sensor nodes and GWN in the WSN, and modifies the sensor node S’s secret key as X = h(SID||K). That is, each S does not require maintaining x. Thus, an attacker 𝒜 who has captured S and obtained (SID, X) cannot derive other S’s secret key, and also cannot impersonate U, GWN or other S.

5. Performance Analyses and Functionality Comparisons

5.1. Performance Analyses

Table 2 and Table 3 compare the performance and the simulation time of the proposed scheme with Vaidya et al.’s scheme [15], Li et al.’s scheme [9] and Kim et al.’s scheme [16], where H denotes the execution time for a one-way hash function operation, and X denotes the execution time for an exclusive-or operation. Table 4 lists our simulation environment, including hardware/software specifications and used algorithms. The proposed scheme involves a user U, a sensor node S, and a gateway node GWN. The user U is simulated by using a personal computer, the sensor node S is simulated by using a mobile device and the gateway node GWN is simulated by using a powerful server, respectively.
Table 2. The comparisons of related schemes and the proposed scheme.

                        Vaidya et al. [15]   Li et al. [9]   Kim et al. [16]   Our Scheme
Computations   Ui       7H + 7X              9H + 5X         9H + 9X           11H + 5X
               Sj       2H                   6H + 4X         3H + 2X           4H + 1X
               GWN      6H + 6X              11H + 5X        8H + 8X           10H + 4X
               Total    15H + 13X            26H + 14X       20H + 29X         25H + 10X
Used random numbers     5                    4               5                 3
Table 3. The simulation comparisons of related schemes and the proposed scheme.

Simulation Time (ms)    Vaidya et al. [15]   Li et al. [9]   Kim et al. [16]   Our Scheme
Ui                      0.00140              0.00162         0.00180           0.00198
Sj                      0.00048              0.00144         0.00072           0.00100
GWN                     0.00084              0.00143         0.00104           0.00130
Total                   0.00272              0.00449         0.00356           0.00428
Table 4. Simulation environment.

Hardware/Software Specification

User Ui            Mainboard   ASUSTeK Computer INC. CM5571
                   CPU         Intel Core 2 Quad Q8300 @ 2.50 GHz 2.50 GHz
                   Memory      4.00 GB Dual-Channel DDR3 @ 533 MHz
                   OS          Windows 7 64-bit SP1
Sensor Node Sj     Mainboard   ASUSTeK Computer INC. UX303LN
                   CPU         Intel Core i3/i5/i7 4xxx @ 1.70 GHz
                   Memory      4.00 GB Single-Channel DDR3 @ 798 MHz
                   OS          Windows 8.1 64-bit
Gateway Node GWN   Mainboard   IBM 46W9191
                   CPU         Intel Xeon E3 1231 v3 @ 3.40 GHz 3.40 GHz
                   Memory      8.00 GB Dual-Channel DDR3 @ 800 MHz
                   OS          Windows Server 2008 R2 Standard 64-bit SP1

Used Programming Language and Algorithms

C/C++
Hash function: SHA-1
The first comparison item in Table 2 lists the computational cost used in login and authentication-key agreement phases. Vaidya et al. [15] requires 15 hash function and 13 exclusive-or operations; Li et al. [9] requires 11 hash function and 5 exclusive-or operations; Kim et al. [16] requires 11 hash function and 5 exclusive-or operations, and the proposed scheme requires 25 hash function and 10 exclusive-or operations, respectively. The subsequent comparison item is the number of random numbers used. The proposed scheme requires three random numbers, which is less than that required by related schemes. The comparison item in Table 3 lists the simulation time used in login and authentication-key agreement phases. Although the proposed scheme requires more computations and spends more time in simulation than related schemes, it is still computationally simple and retains low energy consumption.

5.2. Functionality Comparisons

Table 5 compares the functionality of the proposed scheme with that of comparable schemes. The comparison items include resisting possible attacks and providing security requirements. Kim et al.’s improved scheme [16] is based on Vaidya et al.’s scheme [15], and therefore has similar security problems. Accordingly, both the Vaidya et al. [15] and Kim et al. [16] schemes fail to withstand possible attacks, including impersonation, lost smartcard and man-in-the-middle attacks. They provide neither session key security nor user privacy protection. Additionally, Li et al.’s scheme [9] fails to withstand impersonation and stolen-verifier attacks, and fails to provide privacy protection. The proposed scheme appends a dynamic identity, eliminates redundant parameters, encrypts the communicating messages with the temporary secret keys, and modifies sensor nodes’ secret keys such that a sensor node cannot derive other sensor nodes’ secret keys, and thus withstands possible attacks and provides privacy protection. Therefore, the proposed scheme provides more functionalities and security properties than other examined schemes, and retains low computational cost.
Table 5. The comparisons of the related schemes and the proposed scheme.

| Comparison item | Vaidya et al. [15] | Li et al. [9] | Kim et al. [16] | Our Scheme |
|---|---|---|---|---|
| Resisting replay attacks | Yes | Yes | Yes | Yes |
| Resisting impersonation attacks | No | No | No | Yes |
| Resisting gateway node bypassing attacks | No | Yes | Yes | Yes |
| Resisting parallel session attacks | Yes | Yes | Yes | Yes |
| Resisting password guessing attacks | Yes | Yes | Yes | Yes |
| Resisting sensor node capture attacks | No | Yes | Yes | Yes |
| Resisting man-in-the-middle attacks | No | Yes | No | Yes |
| Resisting lost smartcard attacks | No | Yes | No | Yes |
| Resisting privileged-insider attacks | Yes | Yes | Yes | Yes |
| Resisting stolen-verifier attacks | Yes | No | Yes | Yes |
| Providing session key security | No | Yes | No | Yes |
| Providing privacy protection of users | No | No | No | Yes |

6. Conclusions

This study analyzes the weaknesses of the two-factor authentication and key agreement scheme of Kim et al., which include vulnerability to impersonation attacks, lost smartcard attacks and man-in-the-middle attacks, violation of session key security, and failure to protect user privacy. An efficient and secure authentication and key agreement scheme for WSNs based on the scheme of Kim et al. is proposed. The proposed scheme adopts dynamic identities rather than a constant temporary identity and conceals the user’s constant parameters in login requests, encrypts the communicating messages with temporary secret keys rather than the long-life secret keys of users and sensor nodes, and reduces redundant variables. Our scheme solves the weaknesses in previous approaches; it provides increased functionality and security properties, making it very suitable for WSNs.
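The privacy difference between a constant temporary identity and a dynamic identity is easiest to see from the eavesdropper's side of the login channel. The following is an added example, not code from the paper: it uses a generic rolling-pseudonym construction as a stand-in for the scheme's dynamic identity, and `Gateway`, `next_pseudonym`, `linkable_sessions` and the user "alice" are assumptions made for illustration. It models identifier handling only and omits the authentication and key agreement steps.

```python
import hashlib
import hmac
import secrets
from collections import Counter


class Gateway:
    """Toy GWN: resolves a one-time pseudonym to a user, then rolls it."""

    def __init__(self):
        self.table = {}  # current pseudonym -> (user_id, shared key)

    def register(self, user_id: str):
        key, pseudonym = secrets.token_bytes(32), secrets.token_bytes(16)
        self.table[pseudonym] = (user_id, key)
        return key, pseudonym  # would be written to the smartcard

    def login(self, pseudonym: bytes):
        entry = self.table.pop(pseudonym, None)  # one-time use: old ids fail
        if entry is None:
            return None
        user_id, key = entry
        self.table[next_pseudonym(key, pseudonym)] = entry
        return user_id


def next_pseudonym(key: bytes, current: bytes) -> bytes:
    """Both ends derive the next identity; an observer lacks the key."""
    return hmac.new(key, b"next-id" + current, hashlib.sha256).digest()[:16]


def linkable_sessions(observed: list[bytes]) -> int:
    """Eavesdropper's view: requests whose identifier was seen before."""
    return sum(n - 1 for n in Counter(observed).values())


def simulate(sessions: int = 5):
    gwn = Gateway()
    key, pseudonym = gwn.register("alice")   # constructed sample user
    constant_tid = secrets.token_bytes(16)   # constant temporary identity
    static_wire, dynamic_wire, resolved = [], [], []
    for _ in range(sessions):
        static_wire.append(constant_tid)     # same bytes in every request
        dynamic_wire.append(pseudonym)       # fresh bytes in every request
        resolved.append(gwn.login(pseudonym))
        pseudonym = next_pseudonym(key, pseudonym)
    replayed = gwn.login(dynamic_wire[0])    # an old identity is rejected
    return (linkable_sessions(static_wire),
            linkable_sessions(dynamic_wire), resolved, replayed)
```

With the constant identity every request after the first is linkable to the same user, while the rolling identity still resolves to the correct user at the gateway but never repeats on the wire.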