A Temporal Credential-Based Mutual Authentication with Multiple-Password Scheme for Wireless Sensor Networks.

Wireless sensor networks (WSNs), which consist of a large number of sensor nodes, have become among the most important technologies in numerous fields, such as environmental monitoring, military surveillance, control systems in nuclear reactors, vehicle safety systems, and medical monitoring. The most serious drawback for the widespread application of WSNs is the lack of security. Given the resource limitation of WSNs, traditional security schemes are unsuitable. Approaches toward withstanding related attacks with small overhead have thus recently been studied by many researchers. Numerous studies have focused on the authentication scheme for WSNs, but most of these works cannot achieve the security performance and overhead perfectly. Nam et al. proposed a two-factor authentication scheme with lightweight sensor computation for WSNs. In this paper, we review this scheme, emphasize its drawbacks, and propose a temporal credential-based mutual authentication with a multiple-password scheme for WSNs. Our scheme uses multiple passwords to achieve three-factor security performance and generate a session key between user and sensor nodes. The security analysis phase shows that our scheme can withstand related attacks, including a lost password threat, and the comparison phase shows that our scheme involves a relatively small overhead. In the comparison of the overhead phase, the result indicates that more than 95% of the overhead is composed of communication and not computation overhead. Therefore, the result motivates us to pay further attention to communication overhead than computation overhead in future research.

Introduction

With the development of microelectronic, computer, and wireless communication techniques, multifunctional sensor nodes with small consumption have rapidly developed [1]. As a result, the Internet of Things has become increasingly popular. Wireless sensor networks (WSNs), which consist of a large number of sensor nodes (SNs), are widely used in various application fields, such as, environmental monitoring, military surveillance, nuclear-reactor control systems, vehicle safety systems, and medical monitoring [2, 3]. Although WSNs perform important functions in numerous application fields, the drawbacks of the network are evident. First, WSNs are often deployed in unattended environments [4] or enemy-controlled environments. Therefore, the networks are easily manipulated. Second, given their characteristics, WSNs consist of numerous resource-constrained nodes. The main limitation points are as follows [5]:

Given the low data-transfer rate, the short communication distance, and the harsh environment deployment, the transmission of WSNs is unreliable and has a higher energy costs.

Owing to the small size of SNs, each node is supplied with a small battery. WSNs are, however, always deployed in unattended environments or enemy environments; therefore, energy supplementation is impracticable.

As SNs use embedded processor and memory, only base computation capacity is available for processing. Therefore, the technology is limited by low computation and storage capacity.

The security of WSNs is related to sensitive data and safety of patients, and it can even escalate to national security. Compared with traditional networks, however, WSNs are vulnerable to various related attacks. Unfortunately, the information transmitted in WSNs is highly important and sensitive, so adversaries can destroy WSNs or obtain confidential information from such networks. Therefore, the challenge and priority is to secure the performance of WSNs with small overhead, and this topic has recently been studied by many researchers. Authentication schemes have become the most important concern in the security of WSNs. In the last five years, numerous mutual-authentication and key agreement schemes have been published by researchers around the world and are discussed in the following subsection.

Related Work

The authentication scheme for WSNs has recently been studied by many professors, and several investigations have surveyed the security of WSNs [3, 6–13]. These studies have analyzed the main problems faced by WSN security research and classified authentication schemes into two types: scheme-based asymmetric encryption and scheme-based symmetric encryption. The majority of the schemes aim to achieve improved security performance with small overhead. Nam et al. [14] proposed an anonymous scheme with lightweight computation. The group used elliptic curve cryptography for better security and focused on user anonymity. Watro et al. [15] proposed a security scheme of mutual authentication with RSA cryptosystem and Diffie—Hellman key agreement. Wong et al. [16] proposed another password-based authentication scheme that only uses hash functions. The scheme proposed by Wong et al. is therefore more efficient than Watro et al.’s schemes. However, their scheme is vulnerable to numerous attacks, as proven by M. L. Das et al. [17], who proposed a two-factor scheme with a password and a smart card (SC). Although vulnerable to numerous attacks, the scheme prompted other researchers to improve the two-factor authentication for WSNs. Xue et al. [18] proposed temporal credential authentication for WSNs. This scheme allows the gateway nodes (GW) to issue a temporal credential to users and SNs for mutual authentication. The scheme is efficient because it only uses the hash function and XOR operation. Jiang et al. [19] concluded that Xue et al.’s scheme cannot withstand the privileged insider, weak stolen smart card, identity guessing, and tracking attacks. Then, Jiang et al. proposed a two-factor user authentication scheme with unlinkability for WSNs. Despite presenting an improvement on the weakness of Xue et al.’s approach, Jiang et al.’s scheme is also vulnerable to privileged insider attacks and presents several drawbacks, as proven by A. K. Das [20]. The scheme proposed by A. K. Das used biometrics as the third factor for user authentication and improved the weakness of the scheme by Xue et al. He et al. [21] also found drawbacks in Xue et al.’s scheme. Through their analysis, the team found that Xue et al.’s scheme is vulnerable to offline password guessing, user impersonation, and modification attacks. Thereafter, He et al. proposed a temporal credential authentication with pseudo identity for WSNs. The scheme proposed by Khan and Alghathbar [22] indicated that M. L. Das’s scheme cannot withstand bypassing attacks and is vulnerable to privileged insider attacks. Sun et al. [23] concluded that Khan and Alghathbar’s scheme is vulnerable to GW impersonation and other related attacks. Sun et al. proposed a scheme to improve the weakness of Khan and Alghathbar’s scheme and determined that their scheme had low overhead cost.

Key establishment is the central problem in authentication schemes [24]. Diffie and Hellman proposed the revolutionary introduction of the key establishment protocol [25] and Bellare and Rogaway proposed a model of authentication and key distribution that is widely accepted [26-28]. Choo et al. discovered that all secure key distribution protocols should use partnering definitions based on session identifiers [29] and that session identifiers should also be included within the protocol specification [30]; the secure protocols should construct the session keys using the identities of participants, unique session identifiers and ephemeral-long-term shared secrets [31]; and any entity authentication and key establishment protocol should provide rigorous proof of security based on their meticulous research [32]. They also carefully researched the subtle differences between the well-known models and contributed a better understanding of proof models for key establishment protocols [33]. Based on the careful study, Choo and Hitchcock proposed that the proof models allow different options for the key-sharing requirement in formulation [34]. Numerous researchers have worked on fulfilling this requirement, so listing these works in our paper is unnecessary.

Our Contribution

In this paper, we propose a temporal credential-based mutual authentication with a multiple-password scheme for WSNs. Comparison with other related works shows that our proposed scheme exhibits improved security performance with low overhead. The major contributions are described as follows.

We perform user authentication without any GW consumption which presents better efficiency and security performance, as proven by A. K. Das and Amin et al.’ s research [20, 35], they bind U with IDSC so that the scheme can reliably withstand D-DOS attacks that are launched by inputting wrong passwords [20] as well as withstand same-login ID attacks [22, 36].

We use multiple passwords to authenticate the legality of the user identity. We select all user-inputting passwords, the sequence of passwords, and the number of passwords n as the factors to verify the identity of the user. This innovation not only presents the same security performance as the three-factor authentication based on biometrics but also exhibits a more efficient performance than biometric authentication. This approach overcomes several weaknesses of biometric authentication, which is unsuitable for WSNs. These disadvantages include high noise data rate, false non-match rate, false match rate, intraclass variations, non-universality, spoof attacks [37], high biometric error rate, stolen biometric features attacks [38], and high consumption [20, 39].

Through detailed comparison, we found that communication overhead accounts for the majority of the overhead. Most of the related studies, which were concerned only with computation overhead, are not comprehensive. Therefore, more attention should be paid to communication overhead than to computation overhead to evaluate the performance of any scheme in future research.

Notations in This Paper

The notations used in this paper are described as follows.

GW: a gateway node

U: the user

SN: the sensor node

SC: the smart card of U

: the adversary

IDU: the identity of U

IDGW: the identity of GW

IDSC: the identity of SC

IDSN: the identity of SN

PWU: the password of U

n: the number of passwords

ki, kGW, ki: the secret number for U,GW,SN respectively

ei, PKGW, PKj: the protected information for the secret number of U,GW,SN, respectively

Vi: the verification information of U

DIDSC, PIDj: the pseudonym of SC,SN, respectively

TU, TGW, TS: the current timestamp

RPWi: the protected information for the multiple password

PTCi, PTCj: the protected temporal credential of U, SN, respectively

SK: the session key in the future

σU, σGW: the HMAC output with secret keys kUG, kGS, respectively

(Mac, Ver): a keyed-hashing for message authentication codes

(Enc, Dec): symmetric encryption/decryption functions

H(·): hash function

∥: bitwise concatenation operation

Review of Nam et al.’s Scheme

In this section, we review Nam et al.’s scheme in detail. The scheme consists of three phases: the registration phase, the login phase, and the authentication and key exchange phase [14]. Nam et al.’s scheme stores an elliptical curve group G with generator P of prime order q; MAC function ∑ = (Mac, Ver) [40, 41]; symmetric encryption and decryption functions Δ = (Enc, Dec); and three hash functions, H, J, and I in each entity (we use only H to represent the hash function in this paper). After finishing these tasks, GW selects two random numbers, and, z ∈ {0, 1}k, computes Y = yP with kGS = h(IDSN ∥ z) as the public key and shares a secret key with SN.

Registration phase

A user U registers his identity IDU and password PWU through the following steps.

A user U registers the identity IDU and password PWU and submits IDU to the GW.

GW computes EIDU = Encz(IDU ∥ IDGW) with the key z and sends {EIDU, Y, IDGW, G, P, ∑, Δ, H} to U. U stores these messages in the SC.

U computes XEIDU = EIDU ⊕ h(IDU ∥ PWU) to replace EIDU.

Login, authentication, and key exchange phase

In these phases, U, GW, and SN authenticate each other through the following, and the session key SK is generated. The details of these phases are described as follows:

U inserts his SC and inputs the identity IDU and password PWU. Then, SC retrieves the current timestamp TU and gets two random numbers , kUS ∈ {0, 1}k. SC performs a series of calculations as follows. KUG = xY, X = xP, kUG = h(TU ∥ X ∥ Y ∥ KUG), EIDU = XEIDU ⊕ h(IDU ∥ PWU), and . Finally, U sends (TU, IDSN, X, CU, σU) to GW.

Upon receiving these message, GW checks the freshness of TU, if TU is not fresh, GW discards the session. Otherwise, GW checks whether is equal to 1, where kUG = h(TU ∥ X ∥ Y ∥ KUG) and KUG = yX. If it is not equal, GW discards the session. Otherwise, GW uses the key kUG to decrypt CU to get IDU and EIDU. GW uses the key z to decrypt EIDU to get . Then, GW checks whether IDU is equal to . If they are equal, GW computes and , where TGW is the current TS. Finally, GW sends (IDGW, TGW, TU, CGW, σGW) to SN.

Upon receiving these messages, SN first checks the freshness of TGW. If TGW is not fresh, SN aborts the session. Otherwise, SN checks whether is equal to 1. If it is not equal, SN aborts the session. Otherwise, SN decrypts CGW with the key kGS to get kUS. Then, SN computes SK = h(kUS ∥ TU ∥ IDSN) and ρSN = h(kUS ∥ TU ∥ IDSN). Finally, SN sends ρSN to the user U.

Upon receiving messages, the user checks whether ρSN is equal to h(kUS ∥ IDSN ∥ TU). If they are not equal, U aborts the session. Otherwise, U computes SK = h(kUS ∥ TU ∥ IDSN) as the SK.

Password update phase

In this phase, Nam et al. have designed an interactive password update phase as follows:

U inserts his SC and inputs IDU, PWU, and new password .

SC completes a series of calculations with the random and timestamp TU as follows. kUG = xY, X = xP, kUG = h(TU ∥ X ∥ Y ∥ KUG), EIDU = XEIDU ⊕ h(IDU ∥ PWU) . Then, SC sends (TU, CU, X) to the GW.

Upon receiving these messages, GW rejects the request if TU is not fresh. Otherwise, GW computes kUG = h(TU ∥ X ∥ Y ∥ KUG) and KUG = yX. Then, GW uses the key kUG to decrypt CU to get IDU and EIDU. GW decrypts EIDU with the key z to get another . GW checks whether IDU is equal to . If they are equal, GW computes ρGW = h(kUG ∥ X ∥ IDU ∥ IDGW) and sends ρGW to SC.

SC checks whether ρGW is equal to h(kUG ∥ X ∥ IDU ∥ IDGW). If they are not equal, SC aborts the session. Otherwise, SC computes and finishes the password update phase.

Security Analysis of Nam et al.’s Scheme

In this section, we comprehensively analyze the security performance of Nam et al.’s scheme. During the analysis, several weaknesses of the scheme were identified. Nam et al.’s scheme ensures user anonymity and uses the elliptical curve computational Diffie—Hellman (ECCDH) protocol and authenticated key exchange (AKE) to fulfill the security function. However, further analysis shows that the scheme is vulnerable to the following threats.

D-DOS attacks

In the authentication and key exchange phase or password update phase of Nam et al.’s scheme, SC and GW need to execute numerous complex computations to verify the identity of U. To fulfill this task, SC and GW have to execute the hash function three times, encryption once, decryption twice, and MAC calculation and Ver calculation twice. Following several studies [3, 20, 42], we assume that an adversary would start a D-DOS attack that is launched by persistently inputting a wrong IDU or wrong PWU. According to Nam et al. [14] and the reference basis that is analyzed in this paper, each verification needs approximately 9.5 hash calculations, wasting 0.00304 s and costing 0.073 mJ of WSNs. would not be suspended until the energy of GW is depleted [42].

Based on the preceding discussion, Nam et al.’s scheme is vulnerable to D-DOS attacks, and adversary can easily drain the batteries in the login phase.

Online guessing attacks

In the authentication and key exchange phase, we assume that eavesdrops on the communication channel [43]. can obtain the secret key kUS and compute the SK with an online guessing attack through the following steps:

obtains TU, IDSN, and ρSN by intercepting channels U → GW, GW → SN, and SN → U.

guesses the kUS from the directory.

verifies whether h(kUS ∥ IDSN ∥ TU) is equal to ρSN. If both numbers are the same, obtains kUS. Otherwise, repeats steps 2 and 3 until the correct kUS is guessed.

After obtaining kUS, computes SK = h(kUS ∥ TU ∥ IDSN) to obtain the SK.

According to the preceding discussion, we conclude that can obtain the secret key kUS and compute the SK by online guessing attacks. These findings prove that Nam et al.’s scheme is vulnerable to online guessing attacks.

Lost password threat

Numerous approaches, such as the hit library attack and social engineering [44, 45], can be used to obtain user passwords. The lost password threat is currently popular and is a deadly threat to any one-password-based authentication, including WSNs. If the adversary obtains the commonly used passwords of U by other methods, we can see that the authentication scheme encounters a considerable threat.

Replay attacks

In the authentication and key exchange phase, we assume that an adversary intercepts the message ρSN. Then, sends ρSN to U. As U does not check the freshness of T, U cannot realize that has already obtained the ρSN, therefore proving that Nam et al.’s scheme is vulnerable to replay attacks.

Impersonation attacks

In the authentication and key exchange phase, SN authentication verifies whether the identity of GW is invalid. Furthermore, U does not authenticate the validity of SN. can start the impersonation attack by forging GW and SN as in the following steps:

intercepts IDGW, TGW, TU, CGW, and σGW from the communication channel GW → SN.

sends IDGW, TGW, TU, CGW, and σGW to SN.

passes the MAC, and is believed to be the real GW.

According to the preceding discussion, as U does not check the freshness of T, we can safely conclude that Nam et al.’s scheme is vulnerable to impersonation attacks. The detailed security analysis is described in Table 1.

Table 1

The security comparison with other schemes.

	SSCA	NCA	PIA	MA	UA	ONGA	OFPGA	RA	MITMA	LPT	DDA	MSNA	TFS	IOM	IGA	SKA	PUP	DNAP
D.B.He	yes	no	no	yes	yes	no	yes	yes	yes	no	no	n/a	no	yes	yes	yes	no	no
A.K.Das	yes	no	yes	yes	yes	yes	yes	yes	yes	no	yes	no	yes	no	yes	yes	yes	yes
J.H.Nam	no	yes	yes	no	yes	no	no	no	no	no	no	n/a	no	yes	no	yes	yes	no
K.XUE	no	no	no	yes	no	yes	no	yes	yes	no	no	n/a	no	no	no	yes	yes	no
Q.Jiang	no	no	no	no	yes	no	yes	yes	yes	no	no	n/a	no	yes	no	yes	no	no
M.L.Das	no	no	no	yes	no	no	yes	yes	yes	no	no	n/a	no	no	no	no	no	no
Ours	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes

SSCA: Stolen smart card attack; NCA: Nodes captured attack; PIA: Privileged insider attack; MA: mutual authentication; UA: Anonymity; ONGA: Online guessing attack OFPGA: Off-line password guessing attack; RA: Replay attack; MITMA: Man-in-the-middle attack; LPT: Lost password threat; DDA: D-Dos attack; MSNA: Malicious sensor node attacks; TFS: Three-factor security; IOM: Integrity of message; IGA: identity guessing attack; SKA: session key agreement; SKA: session key agreement; PUP: password updated phase; DNAP: dynamic node addition phase

Our Proposed Scheme

In this section, we propose a temporal credential-based mutual authentication with multiple-password scheme for WSNs. The temporary SK has many advantages relative to using long-term keys according to Choo’s research [46]. Our scheme not only inherits the excellent properties of Nam et al.’s scheme but also improves upon the weaknesses of their scheme. As our scheme uses multiple passwords to replace Tate-pairing computation and the fuzzy extractor function, our scheme can achieve the same security performance with smaller overhead [47].

Unlike Nam et al.’s scheme, our proposed scheme consists of five phases: registration phase, login phase, authentication and key exchange phase, password update phase, and dynamic-node addition phase. These phases are described in detail as follows.

In this phase, we register a legal user, U, and sensor nodes, SN. This concept has already been presented in other studies [18, 21]. The registration phase is executed in a rigorously secure environment prior to the deployment of WSNs. Before registration, GW assigns the unique identities, namely, IDSN, IDSC, and IDGW, to SNs, SC, and the GW respectively. Then, GW randomly generates a secret number, kGW. Finally, the hash function-H(∙); message authentication check scheme MAC(∙); and Ver(∙) are stored in SC, GW, and SN. The registration phase is described in detail as follows.

Registration phase for legal user

In this phase, we register the legal user U through the following steps.

U inserts his SC and inputs his multiple-password PW1, PW2 ⋯PWn. U generates a random secret number Ki and gets the unique identifier IDSC. U computes RPWi = H(IDSC ∥ PW1 ∥ PW2 ∥ ⋯∥PWn ∥ n ∥ ki) and retrieves the timestamp TS1. Finally, U sends (RPWi, TS1, IDSC) to GW.

Upon receiving the message, GW checks the freshness of TS1. If TS1 is not fresh, GW rejects the request. Otherwise, GW gets the unique identifier IDGW. Then, GW computes TCi = H(kGW ∥ IDGW ∥ IDSC), PTCi = TCi ⊕RPWi, and PKGW = PTCi⊕kGW. Then, GW retrieves the current timestamp TS2. Finally, GW stores the tuple (IDGW, IDSC, PKGW) in the verification table and sends (PTCi, TS2, IDGW) to U.

Upon receiving the message, U checks the freshness of TS2. If TS2 is not fresh, U rejects the request. Otherwise, U computes ei = ki⨁H(n ∥ PW1 ∥ PW2 ∥⋯∥ PWn), Vi = H(ei ∥ RPWi ∥ IDSC ∥ ki ∥ n). Finally, U stores (ei, Vi, PTCi, IDSC, IDGW) in the SC.

In this phase, adversary cannot restore the sensitive number because of the property of the hash function [48-50] and the confidentiality property of the XOR operation [51-53], as well as the information stored in GW and SC. The random secret numbers ki and kGW are not stored in GW. This phase is shown in Fig 1.

Fig 1

The registration phase for user of our scheme.

Registration for sensor node

In our scheme, each legal SN is required to register in GW so that we can verify the legal SN and add the new SN to WSNs in the future. Before SN registration, the legality of U should be verified. The steps are as follows.

SN generates a random secret number kj and gets the unique identifier IDSN. Then, SN computes PIDj = H(IDSN ∥ kj), PKj = PIDj⊕kj and replaces IDSN with PIDj. Finally, SN retrieves timestamp TS3 and sends (PIDj, TS3) to GW.

Upon receiving the message, GW checks the freshness of TS3. If TS3 is not fresh, GW rejects the request. Otherwise, GW computes TCj = H(kGW ∥ PIDj), PTCj = TCj⊕PIDj. Then, GW retrieves the timestamp TS4 and stores PIDj. Finally, GW sends (TS4, PTCj) to SN.

Upon receiving the message, SN checks the freshness of TS4. If TS4 is not fresh, GW rejects the request. Otherwise, SN stores (PKj, PTCj).

In this phase, different SNs possess different PIDj and PKj, and the random secret number Kj is not stored in SN. Therefore, our scheme can withstand node capture attacks, as analyzed in the security analysis section. This phase is shown in Fig 2. After finishing the entire registration scheme, GW deletes kGW, SC deletes Ki, and SN deletes Kj before the deployment of WSNs.

Fig 2

The registration phase of sensor node of our scheme.

Login phase

The login phase procedure is described in detail as follows. If U attempts to login to WSNs and obtains data from SN, the following steps are executed. This phase is shown in Fig 3.

Fig 3

The login, authentication and key exchange phase of our scheme.

U inserts his SC and inputs the registered multiple-password PW1, PW2 ⋯PWn.

SC gets the unique identifier IDSC and computes ki = ei⨁H(n ∥ PW1 ∥ PW2 ∥⋯∥ PWn), RPWi = H(IDSC ∥ PW1 ∥ PW2 ∥ ⋯∥PWn ∥ n ∥ ki).

SC checks whether H(ei ∥ RPWi ∥ ki ∥ n ∥ IDSC) is equal to Vi. If it is not equal, SC rejects the request. Otherwise, SC retrieves timestamp TS1 and computes TCi = PTCi⊕RPWi, PKSi = ki⊕H(TCi ∥ TS1), , DIDSC = IDSC⊕H(TS1 ∥ IDGW).

Finally, U sends (PTCi, Cj, PKSi, TS1, DIDSC) to GW.

Authentication and key exchange phase

In this phase, we describe the authentication mechanism through U, GW, and SC. The mechanism achieves mutual authentication and generates the SK, for future use. The details are presented as follows.

Upon receiving the message, GW checks the freshness of TS1. If it is not fresh, GW aborts the session. Otherwise, GW retrieves the unique identity IDGW and computes IDSC = DIDSC⨁H(TS1 ∥ IDGW), GW obtains the PKGW corresponding to IDSC in the verification table. Then, GW computes kGW = PKGW⨁PTCi, TCi = H(kGW ∥IDGW), RPWi = PTCi⨁TCi, and ki = PKSi⨁ (TCi ∥ TS1). GW checks whether Verki(TCi ∥ TS1 ∥ RPWi, Ci) is equal to 1. If it is not equal, GW aborts the session. Otherwise, GW retrieves timestamp TS2 and computes TCj = H(kGW ∥PIDj), PKSGW = ki⨁H(TCj ∥ TS2),. Finally, GW sends (PIDj, CGW, PKSGW, TS2) to SN.

Upon receiving the message, SN checks the freshness of TS2. If it is not fresh, SN aborts the session. Otherwise, SN computes TCj = PTCj⨁PIDj, ki = PKSGW⨁H(TCj ∥TS2). Then, SN checks whether is equal to 1. If it is not equal, SN aborts the session. Otherwise, SN retrieves timestamp TS3 and computes ki = PKi⨁PIDj, PKSj = kj⨁H(ki ∥TS3), and SK = H(ki⨁kj) as the SK. Finally, SN sends (Cj, PKSj, TS3) to U.

Upon receiving the message, U checks the freshness of TS3. If it is not fresh, U aborts the session. Otherwise, the SC of U computes kj = PKSj⨁H(ki ∥TS3). Then SC checks whether is equal to 1? If it is not equal, SC aborts the session. Otherwise, SC computes SK = H(ki⨁kj) as the SK for the future.

In this phase, our proposed scheme not only achieves mutual authentication and key establishment but also checks the integrity of the message. Each message authentication check function in U, SN, and GW uses different secret encryption keys for secure communication [3]. The detailed security performance of our scheme is discussed in the security analysis section, and the authentication and key exchange phase is shown in Fig 3.

Password updated phase

For security reasons, U needs to change his/her password periodically. In this phase, we propose the password-updating phase to change the password of U and U can change the sequence of passwords and the number of passwords as the new identity characteristics with minimal consumption. The details of this phase are described as follows.

U inserts his SC and inputs the older multiple-password PW1, PW2 ⋯PWn.

SC gets the unique identifier IDSC and computes ki = ei⨁H(n ∥ PW1 ∥ PW2 ∥⋯∥ PWn), RPWi = H(IDSC ∥ PW1 ∥ PW2 ∥ ⋯∥PWn ∥ n ∥ ki).

SC checks whether H(ei ∥ RPWi ∥ ki ∥ n ∥IDSC) is equal to Vi. If it is not equal, SC rejects the request. Otherwise, SC computes TCi = PTCi⨁RPWi. Then, U inputs his new multiple-password .

After inputting the new multiple-password, SC computes , , . U sends PTCi, , and current TS to GW. Finally, SC replaces (ei, Vi, PTCi) with().

Upon receiving , GW checks the freshness of TS. If it is not fresh, GW rejects the request. Otherwise, GW computes kGW = PKGW⨁PTCi, . Then, GW replaces PKGW with .

Dynamic node addition phase

New node deployment is inevitable in WSNs because nodes may be lost, exhausted, or destroyed [54]. In this phase, our proposed scheme allows U to add new SN to WSNs after deployment. Our scheme strictly requires that the dynamic node addition phase must be executed by the legal user. Thus, our scheme must initially verify the legality of U. We assume that a new sensor node SNnew is going to join the WSNs, and the following steps must be executed.

U inserts his SC and inputs the registered multiple-password PW1, PW2 ⋯PWn.

SC gets the unique identifier IDSC and computes ki = ei⊕H(n ∥ PW1 ∥ PW2 ∥⋯∥ PWn) and RPWi = H(IDSC ∥ PW1 ∥ PW2 ∥ ⋯∥PWn ∥ n ∥ ki).

SC checks whether H(ei ∥ RPWi ∥ ki ∥ n ∥IDSC) is equal to Vi. If it is not equal, SC rejects the request. Otherwise, SC sends PTCi and the current TS to GW.

GW checks the freshness of TS. If it is not fresh, GW rejects the request. Otherwise, GW computes kGW = PKGW⨁PTCi and assigns the new unique identifier to SNnew via a secure channel.

Finally, SNnew executes the registration phase for the sensor node.

Note that in this phase, the dynamic addition phase must be executed by a legal U that is authenticated by SC. This mechanism is able to withstand malicious sensor node attacks.

Security Analysis

In this section, we analyze the security performance of our proposed scheme by both formal and informal analyses. We assume that threatens the security of WSNs. Based on the existing defined models of adversary capabilities that are widely accepted [26, 27, 55, 56], and we conclude that possesses the following hacking capabilities: (1) intercept the transmitted message via the channel [3, 6]; (2) use power analysis attacks to obtain the information stored in SC [57, 58] and use sensor node capture attack to obtain the information stored in SN [59-61]; (3)use dictionary attacks to guess numbers [43]; (4) posses the right to access the gateway station because he/she is a privileged user [40]; and (5) obtain the used passwords of U through other methods. We assume that sensitive information (PW1, PW2 ⋯PWn, n, ki, kj, kGW, TCj, TCi, SK) is attractive to . Our goal is to prevent the sensitive information from being extracted by . Thus we carefully analyzed the security performance of our proposed scheme using BAN-logic [62], which is popularly used to ensure the security of communication and session key agreement. The details of our analysis are described as follows.

Formal analysis based on BAN-logic

In this section, we use BAN-logic to analyze the security of our proposed scheme. The notations of BAN-logic are defined as follows, where P denotes the principal as well as, X and Y denote the statements.

P |≡X: P believes X

P ⊲ X: P sees X

P | ∼ X: P once said X

P ⇒ X: P has jurisdiction over X

#(X): X is fresh

(X, Y): The formulae X or Y is one part of the formulae (X, Y)

< X >Y: X combined with Y

{X}K: X is encrypted under the key K

(X)K: X is hashed with the key K

: P and Q communicate via shared key K

SK: The session key between U and SN

: The formulae X is known only to P and Q

Some main logical postulates of the BAN-logic are as follows:

The Message-meaning rule: ,

The nonce-verification rule:

The jurisdiction rule:

The belief rule:

The freshness rule:

The session key rule:

In order to prove the security of proposed scheme, the follow goals of BAN-logic must be satisfied.

First, the initial status of our scheme is made according to the following assumptions:

A1: U |≡⋕(TS1)

A2: U |≡⋕(TS3)

A3:

A4:

A5:

A6:

A7:

A8: GW|≡⋕(TS1)

A9: GW|≡⋕(TS2)

A10:

A11:

A12:

A13:

A14: SN |≡⋕(TS2)

A15: SN |≡⋕(TS3)

A16:

A17:

A18:

A19:

A20:

A21:

Second, our scheme is transformed to the idealized form.

M1:

M2:

M3:

Third, the idealized form of our scheme is analyzed based on BAN-logic and the assumptions. The main steps are described as follows:

By M1 and the seeing rule, we get:

S1:

By A10, S1 and the message-meaning rule, we get:

S2:

By A8, S2, freshness rule and nonce-verification, we get:

S3:

By M2 and the seeing rule, we get:

S4:

By A16, S4 and the message-meaning rule, we get:

S5:

By A14, S5, freshness rule and nonce-verification, we get:

S6:

By A19, S6 and the jurisdiction rule, we get:

S7:

By A21, S7 and the jurisdiction rule, we get:

S8:

By S7 and session key rule which ki is the necessary parameters of SK, we get:

S9:

By A20, S9 and the jurisdiction rule, we get:

S10:

By M3 and the seeing rule, we get:

S11:

By A10, S11 and the message-meaning rule, we get:

S12:

By A15, S12 freshness rule and nonce-verification, we get:

S13:

By S13 and the belief rule, we get:

S14:

S15:

By A6, S14 and the jurisdiction rule, we get:

S16:

By S15 and the session key rule which kj is the necessary parameters of SK, we get:

S17:

By A5, S17 and the jurisdiction rule, we get:

S18:

From the above discussion, our scheme satisfies (Goal 1), (Goal 2), (Goal 3), (Goal 4), (Goal 5), (Goal 6), (Goal 7) and (Goal 8). Therefore, U, GW and SN perform the mutual authentication and session key exchange securely.

Informal analysis

In this section, we prove our scheme could withstand other attacks. The detailed analysis is described as follows.

Stolen smart card attacks

We know that could use a power analysis attack to extract the information stored in the SC. We assume that obtains information (ei, Vi, PTCi, IDSC). These messages are operated after a one-way hash function. The multiple passwords and the secret number Ki from the SC are impossible to obtain. Because meets the property of the one-way hash function [48-50], our scheme can withstand the stolen SC attacks.

Nodes captured attacks

After WSNs are deployed in the target field, can easily capture a legitimate sensor node [59-61]. Although there are some important studies that focus on the key revocation protocols [63, 64], we believe the confidentiality of stored key/data is as important as key revocation. We assume that could obtain (PTCj, PKj) from SN. Owing to the properties of the one-way hash function and XOR operation [51-53], the secret number kj or TCj are impossible to obtain from SN. Given that IDSN is replaced with PIDj in the registration phase, cannot extract IDSN. The secret number, kj, is impossible to guess because of the two unknown numbers. To obtain TCj, can compute TCj = PTCj⨁PIDj. However, PIDj is not stored in SN. Therefore, cannot obtain TCj. According to the preceding discussion, we can conclude that our proposed scheme can withstand the nodes captured attack.

Privileged insider attacks

We assume that the adversary is a privileged insider of WSNs. Therefore, can access GW to obtain others’ sensitive information. In our scheme, GW does not store the passwords of U and other sensitive information. Therefore, cannot extract the passwords of U. We assume that can obtain (PKGW, PIDj) from GW. Given the properties of the one-way hash function and XOR operation, deriving kGW and TCi is an almost impossible task for . We assume that intends to compute kGW = PTCi⨁PKGW. However, since PTCi is stored in the SC of U, cannot obtain kGW. The preceding discussion shows that our proposed scheme can withstand privileged insider attacks.

Impersonation attacks/ mutual authentication

The adversary can impersonate the GW to send/receive the message or install any program to take over the entire network [65]. In our scheme, each receiver must authenticate the identity of the sender by MAC and Ver functions with the sender’s own secret key. GW verifies the identity of U by computing = 1? with Ki. SN verifies the identity of GW by = 1? with TCj. U verifies the identity of SN by = 1? with Kj. cannot impersonate any legitimate entity without knowing the secret numbers, such as Ki, TCj, and kj. Accordingly our proposed scheme can withstand an impersonation attack and achieve mutual authentication.

User anonymity

According to Choo et al.’ research [66], there is a mechanical approach to derive identity-based schemes from existing Diffie-Hellman-based schemes. After a careful study of this work, our scheme is designed to withstand this method for protecting user’s anonymity. In the login phase, our proposed scheme uses IDSC as the only identity of U. However, a serious problem with user privacy exists. User anonymity is necessary to resist tracing attacks. Our scheme hides IDSC in RPWi = H(IDSC ∥ PW1 ∥ PW2 ∥ ⋯∥PWn ∥ n ∥ ki), Vi = H(ei ∥ RPWi ∥ IDSC ∥ ki ∥n) and DIDSC = IDSC⊕H(TS1 ∥ IDGW). The transmitted pseudo identity DIDSC is the dynamic name. Given the hash function property, cannot extract IDSC without IDGW. Consequently, our scheme achieves the goal of anonymity and can withstand tracing attacks.

Online guessing attacks

In our scheme, the registration phase is executed strictly in a secure environment before deployment. We assume that intercepts message transmission in the channel during the login, authentication and key exchange, password updating, and dynamic-node addition phases. can obtain the messages (PTCi, Ci, PKSi, TS1), (PIDj, CGW, PKSGW, TS2), and (Cj, PKSj, TS3), (). Notably, the intercepted message, excluding the TS, is entirely encrypted by hash function and XOR operation. In addition, each hash function includes a minimum of two unknown numbers. Therefore, cannot use online guessing attacks to guess the inputs of the hash function. In CGW and calculation, although only one unknown input is in the function, cannot guess the inputs from the dictionary without the secret key, TCj. Therefore, our scheme can resist online guessing attacks.

Offline password guessing attacks

Offline password guessing attacks have always been a major security concern in designing password-based schemes. There are some outstanding studies trying to solve this problem, and our scheme strictly observes the rules that are described in Nam et al.’s research [67]. In this attack analysis section, can use the power analysis attack to extract the information stored in the SC. Therefore, obtains (ei, Vi, PTCi, IDSC) from SC. All messages extracted by are operated by hash function and XOR operation. Therefore, cannot derive the sensitive information from these messages. Each message includes a minimum of two unknown inputs, as well as multiple passwords encrypted by the hash function. Therefore, cannot use offline password-guessing attacks to derive the multiple passwords and the number of passwords n from the SC.

Replay attacks

We assume that intercepts the messages transmitted in the communication channel and replays these messages to the receiver without any modification. A replay attack cannot work in our scheme because each entity initially checks the freshness of the TS. If the TS is not fresh, then the receiver rejects the request. Therefore, our scheme can resist replay attacks.

Man-in-the-middle attacks

Choo et al. proposed that the unknown key share attack(man-in-the-middle attack) is the most fatal security problem for any protocol [68]. We assume that intercepts the messages transmitted in the communication channel and replays these messages to the receiver with a particular modification of the message. The purpose of this action of is to make the receiver believe that is the legitimate sender. can intercept the transmitted messages via the channel. To pass authentication, must compute Ci, CGW, and Cj and is unable to obtain (TCi, RPWi, ki, TCj, kj) without knowing the secret number or the temporal credential of each entity. Therefore, cannot obtain the right (Ci, CGW, Cj) and pass authentication. Therefore, our scheme can resist man-in-the-middle attacks.

Lost password threat

According to other studies [69-71], passwords are currently not safe and are therefore vulnerable to any identity authentication. can obtain the used passwords of U through numerous methods. For example, can obtain user passwords from a low-security level database or by using social engineer [44, 45]. Then, can use these lost passwords to pass the authentication of WSNs with the stolen SC. Once the password is lost, the scheme for WSNs encounters a considerable threat. In our scheme, multiple passwords are used to replace the unique password, which means that the legitimate user needs to input several passwords at will. The passwords, their sequence, and their number are used as key factors to authenticate the user’s identity. Although obtains the used passwords, he/she does not know other security factors, such as the sequence of passwords, their combination, and their number. In other schemes, if obtains m passwords of the user, the probability of obtaining the correct password is described as follows: where we assume that the probability of using the old password is Ph. In our scheme, U adopts n passwords as login passwords. The probability of obtaining the correct password is

If the lost passwords do not consist of all the multiple passwords, the probability is smaller than Pmultiple. According to the preceding discussion, Pmultiple is smaller than Pone, and cannot obtain the correct multiple passwords. Therefore, our scheme can prevent the lost password threat.

D-DOS attacks

Because of the energy limitation of WSNs, D-DOS attack is one of the most detrimental threats to WSNs [3, 42, 59], this attack includes the hello flood, inputting the wrong password, and resource depletion attacks. The goal of these attacks is to deplete the resource, especially the energy of WSNs. Numerous related schemes verify the user identity in GW with several complex computations, including numerous hash functions and other operations. This authentication method costs considerable energy of WSNs if starts a D-DOS attack, which is launched by persistently inputting wrong passwords persistently. Our scheme verifies the user identity by the SC without any consumption of GW. This idea can cut the spare overhead off and can validly resist the D-DOS attacks that are launched by inputting wrong passwords in the login phase.

Malicious sensor-node attack

In the dynamic-node addition phase, U can add his/her new SNs to the WSNs. If the SNnew is the malicious sensor node that is employed by , then SNnew can obtain information from other legitimate SNs and start malicious sensor-node attacks on WSNs, including Sybil, wormhole, sink hole, rushing, routing loop, and other types of attacks [1, 40]. To protect WSNs from malicious sensor-node attacks, our scheme requires the procedure of the dynamic node addition phase to be executed under the legitimate user. If someone wants to add any new SN to the WSN, the validity of the user identity must be verified. If the identity is not legitimate, the request is rejected. Therefore, our scheme can withstand malicious sensor-node attacks.

Three-factor security

Numerous related schemes adopting three security factors [20, 72, 73] usually adopt SC, password, and biometric characteristics as authenticating factors. However, biometrics present several drawbacks that are unsuitable for WSNs. Therefore, our scheme uses multiple passwords to replace the biometric characteristic. Several passwords, their sequence, and the number of passwords are used as the most important factors for verification.

Integrity of message

In our scheme, the MAC and Ver functions are used to achieve the goal of confidentiality and integrity, which are the most important properties of security [74, 75]. Upon receiving messages, the receiver verifies whether the output of the Ver function is equal to 1. If it is not equal, the receiver aborts the session and rejects the request from the sender. Therefore, if modifies the message and sends it to the next entity, then the message is denied. Therefore, our scheme checks the integrity of the message.

Security performance comparison

In this section, we compare our proposed scheme with other schemes from the security aspect. The comparison shows that our scheme exhibits superior security performance to other schemes. The detailed comparison is presented in Table 1. Yes and No in this table denote that the scheme could withstand the attack or could not withstand the attack, respectively, and n/a denotes the scheme is not applicable in this comparison. The abbreviations below Table 1 denote the compared security properties [76].

Performance Analysis

In this section, we compare our proposed scheme with other schemes that are listed in Table 1. As introduced in other studies [6, 72], the overhead of several base operations, such as XOR operation, TS, and random number generation are ignored. These types of operations entail approximately no cost in comparison with the one-way hash computation and other complex computations. We believe that the communication overhead and storage overhead are of equal importance to the computational overhead. As introduced in Amin et al.’s research [76], the communication and storage overheads are analyzed in detail. Therefore, we analyze our scheme in three terms.

Reference basis

In this section, we enumerate the reference basis of WSN performance that is adopted in this paper. As described in several studies [14, 17–21, 23, 35, 73, 77–83], all protocols are compared by the number of main computations. To show the result intuitively, we unified the hash function to represent all protocol overheads. The basis of comparison is described as follows:

According to Nam et al.’s research [14] and Crypto++ 5.6.0 benchmarks, we know that SHA-1 takes 11.4 cycles per byte, HMAC takes 11.9 cycles per byte, and AES takes 16.9 cycles per byte under Windows Vista and Intel Core 2. Therefore, one HMAC is equal to 1.04 hash functions and one AES is almost equal to 1.5 hash functions.

As introduced in other studies [72, 84], one asymmetric encryption/decryption is equal to 100 symmetric encryptions/decryptions. In addition, a symmetric encryption/decryption is at least 60 times faster than a one-exponential operation.

According to other studies [20, 39, 72], the time to execute a fuzzy extractor is the same as for an elliptic curve point multiplication. The time for a one-way hashing operation is 0.00032 s, for a symmetric encryption/decryption operation is 0.0056 s, for a modular exponentiation operation is 0.0192 s, and for an elliptic curve point relative multiplication operation or a fuzzy extractor is 0.0171 s.

According to Ma’s study [85], we assume one WSN that adopts MICA2 and, integrates an 8 bit 8 MHz ATmega128L processor with the voltage is 3 V, the computational electric current is 8 mA, the received electric current is 10 mA, the transmitted electric current is 27 mA, and the transmission rate is 12.4 kb/s. Therefore, the executed 0.00032 s computation needs 3 V × 8 mA × 0.00032 s = 0.00768 mJ.

In agreement to [6, 20], we assume that the hash output is 160 bits [86], one prime factor is 160 bits minimum, the elliptical curve output is 320 bits, and the secret parameter is at least 160 bits [87]. The TS has 32 bits; expiration time for TE, is 32 bits; the user identity ID, pseudo ID, and random nonce are 160 bits; sensor node identity IDSN, GW IDGW, and pseudo IDSN are 16 bits; encryption/decryption output is 128 bits; MAC output is 128 bits; and key setup is 128 bits.

Therefore, we can conclude all main computations in several aspects. The overhead of these main computations is described in Table 2.

Table 2

The comparison with main computations.

	cycles per byte	hash function	the time(s)	consumption(mJ)
TH	11.4	1 TH	0.00032	0.00768
TA	1140	about 150 TH	0.048	1.152
TE	16.9	about 1.5 TH	0.00048	0.01152
TM	11.9	about 1 TH	0.00032	0.00768
TME	684	about 60 TH	0.0192	0.4608
TEx	1026	about 90 TH	0.336	8.064
TEC/TF	609	about 53 TH	0.0171	0.4104

The notations in this section are as follows:

T: hash function operation;T: asymmetric encryption/decryption; T: symmetric encryption/decryption;T: MAC generation/verification;T: modular exponentiation operation;T: one-exponential operation; T: elliptic curve point multiplication;T: fuzzy extractor.

Comparison with other schemes

In this section, we compare our proposed scheme with the schemes proposed by Nam et al. [14], A. K. Das [20], He et al. [21], Jiang et al. [19], M. L. Das [17], and Xue et al. [18] in terms of computational, communication, and storage overheads. Comparison details are described as follows.

Computational overhead

In this section, we compare the computational overhead of all schemes in several aspects. The details of the comparison of computational overhead are shown in Table 3. Notation: the numbers shown in Table 3 is a rough number that retains three decimal places.

Table 3

Comparison of computational overhead.

Phase	Login		Authentication and key agreement			Total	hash	time(s)	enegy (mJ)
	U	GW	U	GW	SN
Nam et al.	2TEC + 2TH + 1TE + 1TM	1TEC + 1TH + 2TE + 1TM	2TH	1TE + 1TM	1TM + 2TH + 1TE	3TEC + 7TH + 5TE + 4TM	177.5TH	0.0568	1.363
A.K.Das	1TF + 3TH	0	6TH	11TH	5TH	1TF + 25TH	78TH	0.0251	0.602
He et al.	5TH	4TH	3TH	5TH	6TH	23TH	23TH	0.00736	0.177
Jiang et al.	3TH	2TH	4TH	7TH	5TH	21TH	21TH	0.00672	0.161
M.L.Das	4TH	0	0	4TH	1TH	9TH	9TH	0.00288	0.054
XUE etal.	2TH	0	8TH	11TH	6TH	27TH	27TH	0.00864	0.207
Ours	3TH	0	4TH + 2TM	5TH + 2TM	3TH + 2TM	15TH + 6TM	21TH	0.00672	0.161

Communication overhead

As introduced by the study [6], the transmission overhead is considerably larger than the computational overhead. The proportion of all overheads is listed as follows: 71% data transmission, 20% MAC transmission, 7% nonce transmission (for freshness), and 2% MAC and encryption computation. Therefore, analyzing the communication overhead is crucial. We assume that the receiving electric current of WSNs is 10 mA, the transmitting electric current is 27 mA, and the rate of transmission is 12.4 kb/s. According to Ma’s study [85], we assume that 1-byte transmission consumption is 3 V × 27 mA × 8 b/12400 b/s = 0.052mJ and a received byte consumption is 3 V × 10 mA × 8 b/12400 b/s = 0.019 mJ.

The details of the communication overhead of all schemes are presented in Table 4. The hello and successful signals are ignored. Notation: the number shown in Table 4 is a rough number that retains three decimal places.

Table 4

Comparison of communication overhead.

schemes	Total bits	Rough consumption(mJ)
		U	GW	SN	total
Nam et al.	1264	4.463	4.645	2.206	11.314
A.K.Das	1952	4.7	9.132	3.643	17.475
He et al.	1744	5.489	6.093	4.03	15.612
Jiang et al.	1920	4.622	8.923	3.643	17.188
M.L.Das	704	2.299	3.151	0.852	6.302
XUE et al.	1744	5.489	6.093	4.03	15.612
Ours	1440	4.955	4.683	3.251	12.899

Storage overhead analysis

In this section, we compare the size of stored messages with other schemes. According to the reference basis, we compute the size of stored messages in U, GW, and SN, respectively. The detailed comparison of storage overhead is presented in Table 5.

Table 5

Comparison of storage overhead.

schemes	The storage overhead
	U/SC	GW	SN	Total (bit)
Nam et al.	P, XEIDU, Y, IDGW	y, EIDU, Y, IDGW, kGS	IDSN, kGS	1648
A.K.Das	ri*,f_i,e_i,TID_i,TE_i,PTC_i	TIDi, XS, KGWN−S, TEi, IDi, IDSN	TCj, IDSN	3424
He et al.	ri, PIDi, TEi, PTCi	SIDj, H(PWj), KGWN−S, KGWN−U	TCj, IDSN	1184
Jiang et al.	r, TIDi, TEi, PTCi	TIDi, TEi, IDi, KGWN−S, IDSN	TCj, IDSN	2080
M.L.Das	IDi, H(PWi), Ni, xa	IDi, K, Ni, xa, SN	SN, xa	1472
XUE et al.	IDi, H(H(PWi)), TEi, PTCi	KGWN−S, KGWN−U, IDSN	TCj, IDSN	1024
Ours	PTCi, Vi, ei, IDGW,	PKGW, PIDj, IDGW, IDSC	PTCJ, PKj	1328

Comparison of total overhead

In this section, we compare the total overhead of schemes, including communication and computation overheads. We compare the overhead of each entity in Table 6 and compute the total overhead of all schemes. The result shows that the communication consumption is markedly larger than the computation consumption and the percentage is almost above 95% of the total overhead, and the result is the same as that in Perrig et al.’s study [6] and in common agreement with other research. Future security schemes developed will be compared based on computation overhead and communication overhead. Owing to the property of WSNs [85], the gateway station presents larger energy, higher computation performance, and larger storage performance than SN. If we want to improve the overhead of the research scheme, the most important point is improving the communication overhead of SN instead of computational overhead. Notation: the number shown in Table 6 is a rough number that retains three decimal places. The notations in this section are denoted as follows: CC: communication costs; PC: computation costs; Tot: total overhead %: the communication costs’ percentage of total overhead.

Table 6

Comparison of total consumption.

schemes	Rough total consumption(mJ)
	U			GW			SN			total	%
	CC	PC	Tot	CC	PC	Tot	CC	PC	Tot
Nam et al.	4.463	0.864	5.327	4.645	0.465	5.11	2.206	0.035	2.241	12.678	89.24
A.K.Das	4.7	0.476	5.176	9.132	0.084	9.216	3.643	0.038	3.681	18.073	96.69
He et al.	5.489	0.061	5.55	6.093	0.069	6.162	4.03	0.046	4.076	15.788	98.89
Jiang et al.	4.622	0.054	4.676	8.923	0.069	8.992	3.643	0.038	3.681	17.349	99.07
M.L.Das	2.299	0.03	2.329	3.151	0.03	3.181	0.852	0.008	0.86	6.37	98.93
XUE et al.	5.489	0.077	5.566	6.093	0.084	6.177	4.03	0.046	4.076	15.819	98.69
Ours	4.955	0.069	5.024	4.883	0.054	4.937	3.251	0.038	3.289	13.25	98.41

Conclusion

In this paper, we designed a temporal credential-based mutual authentication with a multiple-password scheme for WSNs. Through comparison with other schemes, we have proven that our scheme exhibits better security performance than the other schemes. Moreover, our scheme can withstand related attacks, including the lost password threat. The discussion in this paper proves that our scheme entails relatively small consumption. The analysis shows that the communication consumption’s percentage of total overhead is almost above 95% and it is markedly larger than the computational consumption. Therefore, we will compare future security schemes based on computational overhead and communication overhead.

This table illustrates the security comparison with other schemes. The comparison show that our scheme has better security performance than others.

(DOCX)

Click here for additional data file.

This table illustrates the main computations in the authentication scheme for wireless sensor networks.

(DOCX)

Click here for additional data file.

This table illustrates the computational overhead comparison with other schemes. The comparison shows that our scheme has better performance than others in computational overhead.

(DOCX)

Click here for additional data file.

This table illustrates the communication overhead comparison with other schemes. The comparison shows that our scheme has better performance than others in communication overhead.

(DOCX)

Click here for additional data file.

This table illustrates the storage overhead comparison with other schemes. The comparison shows thatour scheme has better performance than others in storage overhead.

(DOCX)

Click here for additional data file.

This table illustrates the comparison with other schemes. The detailed comparison shows that the communication overhead accounts for the majority of total overhead.

(DOCX)

Click here for additional data file.