Secure and Efficient Three-Factor Protocol for Wireless Sensor Networks.

Jihyeon Ryu, Hakjun Lee, Hyoungshick Kim, Dongho Won.

Abstract

Wireless sensor networks are widely used in many applications such as environmental monitoring, health care, smart grid and surveillance. Many security protocols have been proposed and intensively studied due to the inherent nature of wireless networks. In particular, Wu et al. proposed a promising authentication scheme which is sufficiently robust against various attacks. However, according to our analysis, Wu et al.'s scheme has two serious security weaknesses against malicious outsiders. First, their scheme can lead to user impersonation attacks. Second, user anonymity is not preserved in their scheme. In this paper, we present these vulnerabilities of Wu et al.'s scheme in detail. We also propose a new scheme to complement their weaknesses. The proposed scheme addresses the vulnerabilities of Wu et al.'s scheme and is faster. We analyze its security formally with ProVerif and informally against various attacks.

Keywords:  biometric; smart card; user authentication; wireless sensor networks

Year:  2018        PMID: 30567374      PMCID: PMC6308603          DOI: 10.3390/s18124481

Source DB:  PubMed          Journal:  Sensors (Basel)        ISSN: 1424-8220            Impact factor:   3.576


1. Introduction

A wireless sensor network (WSN) is a distributed network of autonomous sensors that are typically used to collect information about environmental or physical conditions. Wireless sensor networks are applicable to a variety of applications such as environmental monitoring, health care, smart grid and surveillance [1,2,3,4,5,6] because they can be easily deployed without a significant cost penalty. In general, a WSN system consists of four entities: (1) a user interface, (2) a sensor node that measures physical or environmental conditions, (3) a gateway node that forwards the information received from the sensor nodes to a central server, and (4) a central server that collects the information from the sensor nodes and analyzes it. However, the security of WSNs is critical because network packets can be easily captured and modified due to the inherent characteristics of wireless networks. Therefore, security protocols are needed to ensure properties such as confidentiality, integrity, and authenticity even when data packets on a WSN are captured and modified in an unauthorized manner. Due to this inherent weakness, many researchers have proposed security protocols to achieve the fundamental security goals of WSNs. As one of the pioneers in this area, Watro et al. [7] proposed a security protocol using RSA (see Table A1 for details) for wireless sensor networks. To enhance the security of the authentication procedure, Das [2] extended their protocol to a two-factor user authentication protocol for WSNs where a user has to hold both a password and a smart card. Because this authentication scheme provides reasonable security properties, it has been widely used for WSNs as a de facto standard protocol [8,9,10]. However, He et al. [11] found that Das’s protocol is vulnerable to several attacks, such as insider attacks and impersonation attacks, and lacks secure mutual authentication. They also suggested an authentication scheme that fixes the discovered problems. However, Kumar et al. [12] also discovered several security flaws such as information leakage, no session key agreement, no mutual authentication, and lack of anonymity in Das’s protocol.

Table A1. Explanation of each abbreviation.

| Notations | Description |
| --- | --- |
| WSN | Wireless sensor network |
| RSA | A public-key encryption technology developed by Ron Rivest, Adi Shamir, and Leonard Adleman |
| ECC | Elliptic curve cryptosystem created by Victor S. Miller and Neal Koblitz |
| Gen | A probabilistic generation function for which the biometrics B returns a string α and a string β |
| Rep | A function that restores β to α and any vector B close to B |
| B | A vector with biometric information |
| B | Any vector B close to B |
| GWN | Gateway node |
| ProVerif | An analysis tool for protocol verification |

Recently, some researchers (e.g., [13]) have started to develop user authentication schemes for WSNs using ECC, which can provide the same security as RSA with a smaller key size. ECC is the most efficient algorithm that satisfies forward secrecy and backward secrecy among the algorithms so far. Xue et al. [14] particularly introduced a temporal-credential-based protocol to provide user anonymity. However, Jiang et al. [15] demonstrated that Xue et al.’s scheme has four critical security flaws: (1) identity guessing attacks, (2) online password guessing attacks by privileged insiders, and (3) offline password guessing attacks with a victim’s smartcard. Jiang et al. also suggested a new authentication scheme to address the issues they discovered. More recently, Das [16] found that Jiang et al.’s scheme [15] has significant security issues, such as vulnerability to insider and de-synchronization attacks and the lack of a formal security proof. To address these issues, Das proposed several three-factor user authentication schemes [16,17,18] by introducing user biometrics as a new factor. Again, Wu et al. [1] found that all of Das’s schemes [16,17,18] are vulnerable to de-synchronization and offline password guessing attacks. In addition, the protocols [17,18] are vulnerable to user impersonation and offline password guessing attacks. To fix such problems, Wu et al. [1] suggested a three-factor user authentication scheme using ECC for WSNs. In this paper, however, we found that Wu et al.’s scheme [1] has two security flaws against outsider attackers. First, their scheme can lead to user impersonation attacks. Second, user anonymity is not preserved because the user identity can be revealed from an anonymous login request message. We will explain these in the remainder of this paper.
Our key contributions are summarized below:

We discovered two security weaknesses in Wu et al.’s scheme [1], which was recently designed for user authentication using ECC in WSN systems. We demonstrated that a malicious outsider holding a smart card can extract the secret parameters from his/her smart card; the extracted secret parameters can be used to perform impersonation attacks and reveal the identity of the user from a login request message.

We also proposed a novel three-factor user authentication scheme for WSN by extending Wu et al.’s scheme [1]. The proposed authentication scheme not only accomplishes several important security properties but also improves the performance of the protocol in time.

The rest of the paper is structured as follows: Section 2 gives some preliminaries of the cryptographic primitives (i.e., ECC and fuzzy extractor) used in our paper and explains the threat model and assumptions. Section 3 provides a review of Wu et al.’s scheme [1]. Section 4 analyzes the security weaknesses of their scheme. Section 5 presents a novel three-factor user authentication scheme by fixing security issues in Wu et al.’s scheme. Section 6 and Section 7 provide security and performance analysis results, respectively. We conclude in Section 8.

2. Preliminaries

In this section, we introduce elliptic curves, fuzzy extractors, and threat models to be used in this paper.

2.1. Elliptic Curve Cryptosystem

The elliptic curve cryptosystem (ECC) is the most frequently used cryptosystem in modern cryptography and has strong security characteristics. Miller [19] and Neal [20] created ECC in 1985 and 1987, respectively. ECC uses the following formula: The above equation is ECC on the . The following conditions must be met in order to ensure security: This is a formula that guarantees the non-singularity of an elliptic curve. When using this elliptic curve, security rests on the following problems: Elliptic Curve Computational Diffie–Hellman Problem (ECCDHP): Given , it is computationally infeasible to find , . Elliptic Curve Decisional Diffie–Hellman Problem (ECDDHP): Given , it is computationally infeasible to find . Elliptic Curve Discrete Logarithm Problem (ECDLP): Given P, it is computationally infeasible to find x. Here we assume that P is the point on , is the result of calculating P times x, is the result of calculating P times y, and is the result of calculating P times .

2.2. Fuzzy Extractor

The user’s biometric information is very important information. In general, human biometric recognition is perceived differently each time, and the fuzzy extractor plays a role in correcting it. The fuzzy extractor can obtain a unique string using error tolerance. The fuzzy extractor is operated through two procedures (, ), demonstrated as [17,21]: is a probabilistic generation function for which the biometrics B returns a factored out string and a coadjutant string , and is a function that restores to , and any vector close to B [22].
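
An added example, not from the paper: a minimal Gen/Rep pair built with the code-offset construction over a repetition code, showing how a noisy re-reading of B still yields the same string α. The paper does not state which construction it uses, so the construction, the 5-fold repetition and the SHA-256 extraction step are assumptions.

```python
import hashlib
import secrets

REP = 5         # repetition factor: majority vote corrects up to 2 flips per block
KEY_BITS = 32   # toy key length; a reading B holds KEY_BITS * REP bits


def _alpha(key_bits):
    # Hash the recovered key bits into the extracted string alpha.
    return hashlib.sha256(bytes(key_bits)).hexdigest()


def gen(b):
    """Gen(B) -> (alpha, beta); beta is public helper data."""
    if len(b) != KEY_BITS * REP:
        raise ValueError("unexpected template length")
    key = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    codeword = [bit for bit in key for _ in range(REP)]   # repetition encoding
    beta = [c ^ x for c, x in zip(codeword, b)]           # code offset
    return _alpha(key), beta


def rep(b_close, beta):
    """Rep(B', beta) -> alpha when B' is close enough to the enrolled B."""
    noisy = [h ^ x for h, x in zip(beta, b_close)]        # codeword plus errors
    key = [int(sum(noisy[i:i + REP]) > REP // 2)
           for i in range(0, len(noisy), REP)]            # majority decode
    return _alpha(key)


def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (sensor noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def demo():
    # Constructed sample template; a real B comes from a biometric sensor.
    enrolled = [secrets.randbelow(2) for _ in range(KEY_BITS * REP)]
    alpha, beta = gen(enrolled)
    close = flip(enrolled, [0, 1, 7, 40, 41, 159])   # at most 2 flips per block
    far = flip(enrolled, [0, 1, 2])                  # 3 flips inside block 0
    return alpha, rep(close, beta), rep(far, beta)
```

The helper string beta is public, and with a repetition code it exposes the XOR of any two template bits that share a block, so this toy code illustrates error tolerance only.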

2.3. Threat Assumption

We introduce a threat model [8], and consider constructing the threat assumptions as follows: The attacker can be a user, a gateway, or a sensor. Any registered user can act as an attacker. can intercept or eavesdrop on all communication messages in a public channel, thereby capturing any message exchanged between a user and gateway or sensor. has the ability to modify, reroute, or delete the intercepted message. Stored parameters can be extracted from smart cards using the side channel attack [23]. An external attacker (outsider) can also register, login and receive his/her smart card.

3. Review of Wu et al.’s Scheme

In this section, we perform an analysis on Wu et al.’s scheme in order to scrutinize the security weakness of their scheme in the next section. Wu et al.’s scheme consists of four phases: registration phase, login phase, authentication phase, and password change phase. In addition, it applies ECC such as the [17] schemes. To begin with, creates G on E with P as a generator and large prime n as an order. After that picks a private key x under two hash functions h , and security length . In their scheme, they assume that the length of all random numbers should be above . Other notations used in Wu et al.’s scheme are abridged in Table 1.

Table 1. Notations used in this paper.

| Notations | Description |
| --- | --- |
| Ui | The i-th user |
| Sj, SIDj | A j-th sensor and its identity |
| IDi | Ui’s identification |
| PWi | Password of Ui |
| Bi | Ui’s biometric information summarized |
| A | An evil-minded attacker |
| x | Secret key of GWN |
| ri | Random number generated by Ui |
| h (·), h1 (·) | One-way hash function |
| XY | Concatenation operator |
| | Bitwise XOR operator |
| E (Fp) | A group of points on a finite field Fp elliptic curve |
| P | A point generator in Fp with a large prime order n |
| G | A cyclic addition group under P as a generator |
| sku, sks | The session key generated by Ui and Sj, respectively. |

3.1. Registration Phase

Registration phase is divided into two parts: user registration phase and registration phase.

3.1.1. User Registration

The user first decides his/her identification and password . With a random number , it imprints over a device for biometrics collection, and calculates , , and . He/she then requests the registration message , to the gateway node over a secure channel. After the registration request message from the is received, computes where x is ’s secret key, prepares a smart card for containing h , , P, and collects in the database. The next thing is that sends the smart card with to the securely. When receiving the smart card with from the , computes and with storing , , P and in the smart card.

3.1.2. Sensor Registration

determines an identity for new sensor node , computes hash function , and sends to . stores P, and , and enters the WSN.

3.2. Login Phase

enters , and . Then, the smart card computes , , , and . The smart card produces random numbers , and , , and selects a special sensor . Then, the smart card calculates , , , , and . The value is used to certify the integrity of the identities and the new data generated by the user side as well as to authenticate the source of the message . sends the login request messages , , , , , , to .

3.3. Authentication Phase

After the login request messages arrives from the user , first computes , and , and verifies the legitimacy of and . terminates the session if either verification fails. If three failures continuously occur in a certain time span as defined, ’s account will be frozen; otherwise, calculates and and sends , , to the sensor node . The value is used to accredit the integrity of the strings containing , and the data can be used for the sensor to acquire the correct data for calculating the session key. This is also done for verification of the source of . checks the validity of , with its identity . If this step fails, will terminate the session. Otherwise, then chooses , and calculates , , and . The main functionality of is used for checking the integrity of the session key and , which is needed by to compute the session key. Both and are also used to validate the source of . In the end, sends , , to . checks . If the validation phase fails, terminates the session; otherwise, computes and . The value is to check the validation of the source’s message . Eventually, sends the message , , , to . checks . then computes the session key , and checks . terminates the session if fails the verification phase. Otherwise, computes , and , and replaces , with , in each smart card separately.

3.4. Password and Biometrics Change Phase

Same as the step 1 in the Login phase. The smart card produces random numbers and , calculates , , , and , and sends , , , , with a password change request to . The value is similar to , which is to confirm the integrity of the identities as well as to verify the source of . obtains , and as in step 1 of the authentication phase, and checks and (. If the verification stage fails, terminates the session; otherwise, computes ( ( and ( and sends , and a grant to . Here, is to verify the source of . checks (. If two values are not equal, then terminates this session; otherwise, inputs a new password and a new biometric information . The next thing is that the smart card computes (, , (, ( and (. Finally, substitutes , , for , , in the smart card, respectively.

4. Cryptanalysis of Wu et al.’s Scheme

In this section, we show that Wu et al.’s scheme [1] has certain security vulnerabilities. The following problems have been found and are described in detail below.

4.1. Extract Critical Information

An attacker who is a legitimate user and he/she can own his/her smart card. The smart card can extract the value , , P, . can thus obtain h (, and use this variable for other attacks because this value is a critical value that is used for user identification in the .

4.2. No User Anonymity

Attacker can extract the identity of from the login request message of . Assume that eavesdrops on the login request message , , , , , , of . We also assume that attacker has h ( through 5.1. Extract Critical Information. The details are as follows: Attacker first generates random numbers , , and , , and selects a special sensor . , , (, ( and (. A forwards the login request message , , , , , , to the gateway node . After receiving the login request message from , computes (, ( and (, and checks the validity of and (. then computes ( and ( and sends , , to . checks ( with its identity . If this does not hold, terminates the session. then selects , and computes , , ( and (. sends , , to . tests (. If this does not hold, terminates the session; otherwise, calculates ( ( and (. Finally, sends the message , , , to attacker . calculates h ( (. Now, can compute (. Eventually, can find (. This result shows that Wu et al.’s scheme does not ensure user anonymity.

4.3. User Impersonation Attack

An attacker can impersonate any user through the identity of others and his/her own information. We assume the casualty is . We also assume that attacker has h ( through Section 5.1. Extract Critical Information. The detailed method is as follows: Attacker selects who is the target of the user impersonation attack. selects random numbers , , and , and selects a particular sensor . Then, calculates (, , , (, ( and (. is to check the new data produced on the user side and the integrity of the identities as well as to verify the source of . A forwards the login request message , , , , , , to . After obtaining the message from the , calculates (, ( and (, and checks the availability of and checks (. continues to proceed with the scheme without detection. Unfortunately, the mistakenly believes that he/she is communicating with the legitimate patient . As a result, the attacker A will be successfully confirmed as by user . Hence, the user impersonation attack is successful. In the next section, we discuss Wu et al.’s scheme to overcome the weakness of the scheme. Our scheme stores several variables in the database to prevent the vulnerability of Wu et al.

5. Proposed Scheme

We propose a new three-factor user authentication scheme for wireless sensor networks in this section. We use three participants: the user , the gateway node and the sensor node . The gateway node creates master keys x. The user and the sensor node computes on elliptic curve group . We have defined the name of the variable as follows: : Generator of smart card, : message sent by user, : message sent by gateway node, : message sent by the server node. Other variables do not have that special meaning. The proposed scheme is composed as follows: registration phase, login phase, authentication phase, and password/biometrics change phase.

5.1. Registration Phase

In this phase, a user chooses an identity , imprints biometric template at the sensor, and then performs the following steps:

5.1.1. User Registration Phase

selects and . imprints via a device for biometrics collection and computes () = (, ) and (). Then, he/she sends to secretly. generates a random number and computes (). computes (), prepares a smart card for containing h (·), (·), P, and the fuzzy extractor. stores and in its database and shares it with . By storing and in the database, Wu et al. [1]’s problems arising from existing can be solved. computes , () and (). (·), (·), are stored in the smart card.

5.1.2. Sensor Registration Phase

selects an identity for each new sensor , computes () and sends {, } to . stores P, and and joins the WSN. Figure 1 illustrates the registration phase of the proposed scheme.

Figure 1. Registration phase of the proposed scheme.

5.2. Login Phase

inputs , and . The smart card executes (, ) = and (). checks h () . This allows to verify whether it has come in correctly. generates and . computes (), , and (). sends the message , , , , } to . Figure 2 illustrates the login and authentication phase of the proposed scheme.

Figure 2. Login and authentication phase of the proposed scheme.

5.3. Authentication Phase

finds by using from the database and computes (). checks the validity of (). If it fails, the session will be terminated. Otherwise, computes () and (). When the operation has finished, sends the message , , to . checks () with its identity . If it is wrong, will stop the session. Otherwise, selects , and computes , session key , () and (). It sends message , , when all operations have finished. checks (). If it is wrong, the session will be stopped. Otherwise, generates and calculates (), () (), () and () . Finally, sends the message , , , , to . computes () and checks (). If not, the session will be stopped. computes and checks (). If it is wrong, will stop the session. computes (), and . Finally, substitutes (, , ) for (, , ) in the smart card, respectively.
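
The login and authentication exchange of this section, written out as an added Python example that is not the authors' code: each value follows the ProVerif model in Tables 3 to 5 further down the page. Assumptions: modular exponentiation over a toy prime replaces the ECC multiplication, SHA-256 replaces h and h1, and the gateway's database update and the G3 refresh are inferred so that a second login works.

```python
import hashlib
import secrets
from hmac import compare_digest as same   # constant-time comparison

# Assumption: exponentiation modulo a toy prime stands in for ECC mult(a, P).
P_MOD = 2**127 - 1
P = (3).to_bytes(16, "big")

def _digest(tag, parts):
    m = hashlib.sha256(tag)
    for part in parts:
        m.update(len(part).to_bytes(4, "big") + part)   # unambiguous concat
    return m.digest()

def h(*parts): return _digest(b"h", parts)
def h1(*parts): return _digest(b"h1", parts)
def xor(a, b): return bytes(i ^ j for i, j in zip(a, b))
def mult(k, pt): return pow(int.from_bytes(pt, "big"), k, P_MOD).to_bytes(16, "big")
def rand_scalar(): return secrets.randbelow(P_MOD - 2) + 1

def require(ok, what):
    if not ok:
        raise ValueError(what + " check failed")

class Gateway:
    def __init__(self):
        self.x, self.db = secrets.token_bytes(32), {}   # secret x; GIDi -> IDi
    def register_user(self, uid):
        gid = h(uid, secrets.token_bytes(32))     # GIDi = h(IDi || ri)
        self.db[gid] = uid
        return gid, h(gid, self.x)                # G1' = h(GIDi || x)
    def register_sensor(self, sid):
        return h(sid, self.x)                     # cj = h(SIDj || x)
    def on_login(self, mu1, mu2, mu3, gid, sid):
        uid = self.db.get(gid)                    # identity is looked up, never sent
        require(uid is not None, "pseudonym")
        ei = xor(mu1, h(gid, self.x))
        require(same(mu3, h(uid, ei, gid, mu2, sid)), "MU3")
        cj = h(sid, self.x)
        self.session = (uid, gid, sid, ei, cj)
        return mu2, h(cj, gid, sid, mu2), gid     # MU2, MG1, GIDi
    def on_sensor_reply(self, ms1, ms2, ms3):
        uid, gid, sid, ei, cj = self.session
        require(same(ms3, h(gid, sid, cj)), "MS3")
        gid_new = h(uid, secrets.token_bytes(32))
        mg2 = xor(h(gid_new, self.x), h(gid, ei))
        mg3 = h(uid, sid, gid, gid_new, ei, mg2)
        mg4 = xor(h(ei), gid_new)
        self.db[gid_new] = self.db.pop(gid)       # assumption: DB follows rotation
        return ms1, ms2, mg2, mg3, mg4

class Sensor:
    def __init__(self, sid, cj):
        self.sid, self.cj, self.sk = sid, cj, None
    def on_request(self, mu2, mg1, gid):
        require(same(mg1, h(self.cj, gid, self.sid, mu2)), "MG1")
        beta = rand_scalar()
        ms1, self.sk = mult(beta, P), mult(beta, mu2)   # MS1 and sks
        ms2 = h1(mu2, ms1, self.sk, gid, self.sid)
        return ms1, ms2, h(gid, self.sid, self.cj)      # MS1, MS2, MS3

class SmartCard:
    def __init__(self, uid, pw, ri, gid, g1p):
        self.g1 = xor(g1p, h(uid, pw, ri))        # G1 = G1' xor HPWi
        self.g2 = xor(h(uid, ri, pw), gid)
        self.g3 = h(uid, gid)
    def login(self, uid, pw, ri, sid):
        gid = xor(self.g2, h(uid, ri, pw))
        require(same(h(uid, gid), self.g3), "local credential")
        hpw, ei, alpha = h(uid, pw, ri), secrets.token_bytes(32), rand_scalar()
        mu1, mu2 = xor(xor(self.g1, hpw), ei), mult(alpha, P)
        self.session = (uid, hpw, gid, sid, ei, alpha, mu2)
        return mu1, mu2, h(uid, ei, gid, mu2, sid), gid, sid
    def finish(self, ms1, ms2, mg2, mg3, mg4):
        uid, hpw, gid, sid, ei, alpha, mu2 = self.session
        gid_new = xor(mg4, h(ei))
        require(same(mg3, h(uid, sid, gid, gid_new, ei, mg2)), "MG3")
        sk = mult(alpha, ms1)                     # sku
        require(same(ms2, h1(mu2, ms1, sk, gid, sid)), "MS2")
        self.g1 = xor(mg2, xor(h(gid, ei), hpw))
        self.g2 = xor(self.g2, xor(gid, gid_new))
        self.g3 = h(uid, gid_new)                 # assumption: G3 rotates too
        return sk

def setup():
    gw = Gateway()
    cred = (b"alice", b"pw-example", b"alpha-from-Rep")   # constructed values
    card = SmartCard(*cred, *gw.register_user(cred[0]))
    sensor = Sensor(b"S-17", gw.register_sensor(b"S-17"))
    return gw, card, sensor, cred

def run_session(gw, card, sensor, cred):
    request = card.login(*cred, sensor.sid)
    reply = sensor.on_request(*gw.on_login(*request))
    sku = card.finish(*gw.on_sensor_reply(*reply))
    return request, sku, sensor.sk
```

A login request captured on the public channel is rejected if replayed after the session completes, because the gateway no longer holds the old pseudonym GIDi.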

5.4. Password and Biometrics Change Phase

inputs , and . The smart card executes (, ) = and (). checks h () . This allows to verify whether it has come in correctly. is asked to input a new password and new biometric information . The following data are computed: ( (, , (, , ( (. Finally, substitutes (, , ) for (, , ) in the smart card, respectively.

6. Security Analysis of the Proposed Scheme

6.1. Formal Security Analysis

The formal security analysis uses an automated analysis tool called ProVerif. ProVerif is an automated tool for analyzing cryptographic protocols that was developed by Bruno Blanchet. Digital signatures, hash functions, signature proofs, etc. are suitable for analyzing an authentication protocol. Recently, many researchers [1,4,24] have verified the authentication in the user authentication protocol using ProVerif. The formal security analysis shows the results of verifying and analyzing the security of the proposed scheme using ProVerif. We use three channels. We provide the illustration of Table 2. is the channel in the registration phase and is used when the user and exchange in the registration phase. is the channel used by user and to exchange messages in the login phase and is used when the and Sensor node exchange messages in the login phase. Five initial variables were used: , , , , and . and are the personal information made by the user when registering. is a random string made up of the user’s biometric information. is the identity of the gateway and is the unique string of the sensor node . x is defined as a secret key. P is a generator for creating a session key, which is the initial value used in ECC. The concatenate function and the function, including the multiplication in ECC and the hash function h and , are defined for the events that indicate the start and end of each.
Table 2

Define values and functions.

(*----channels----*)
free cha:channel [private].
free chb:channel.
free chc:channel.
(*----constants----*)
free Ri:bitstring [private].
free IDi:bitstring [private].
free IDg:bitstring.
free SIDj:bitstring.
free PWi:bitstring [private].
(*----secret key----*)
free x:bitstring [private].
(*----shared key----*)
free P:bitstring [private].
(*----functions----*)
fun concat(bitstring, bitstring):bitstring.
fun xor(bitstring, bitstring):bitstring.
fun h(bitstring):bitstring.
fun h1(bitstring):bitstring.
fun mult(bitstring, bitstring):bitstring.
equation forall a:bitstring, b:bitstring; mult(a, b) = mult(b, a).
equation forall a:bitstring, b:bitstring; xor(xor(a, b), b) = a.
(*----events----*)
event beginUi(bitstring).
event endUi(bitstring).
event beginGWN(bitstring).
event endGWN(bitstring).
event beginSj(bitstring).
event endSj(bitstring).
Table 3 shows the registration phase of the user and the process of the login and authentication phase. Table 4 demonstrates the registration phase and the login and authentication phase of the . Table 5 displays the authentication phase of the sensor node . Table 6 shows the query against the attack with the prover- sive, and Table 7 shows the result for Table 6.
Table 3

protocol.

(*----Ui process----*)
let Ui =
let HPWi = h(concat(concat(IDi, PWi), Ri)) in
out(cha,(IDi));
in(cha,(XGIDi:bitstring));
let G1' = h(concat(XGIDi, x)) in
let G1 = xor(G1', HPWi) in
let G2 = xor(h(concat(concat(IDi, Ri), PWi)), XGIDi) in
let G3 = h(concat(IDi, XGIDi)) in
event beginUi(IDi);
new ei:bitstring;
new alpha:bitstring;
let GIDi = xor(G2, h(concat(concat(IDi, Ri), PWi))) in
if h(concat(IDi, XGIDi)) = G3 then
let HPWi = h(concat(concat(IDi, PWi), Ri)) in
let MU1 = xor(xor(G1, HPWi), ei) in
let MU2 = mult(alpha, P) in
let MU3 = h(concat(concat(IDi, ei), concat(concat(XGIDi, MU2), SIDj))) in
out(chc,(MU1, MU2, MU3, GIDi, SIDj));
in(chc,(XXMS1:bitstring, XXMS2:bitstring,
XMG2:bitstring, XMG3:bitstring, XMG4:bitstring));
let GIDinew = xor(XMG4, h(ei)) in
if XMG3 = h(concat(concat(IDi, SIDj),
concat(concat(GIDi, GIDinew), concat(ei, XMG2)))) then
let sku = mult(alpha, XXMS1) in
if XXMS2 = h1(concat(concat(MU2, XXMS1),
concat(concat(sku, GIDi), SIDj))) then
let G1new = xor(XMG2, xor(h(concat(GIDi, ei)), HPWi)) in
let G2new = xor(G2, xor(GIDi, GIDinew)) in
let G1 = G1new in
let G2 = G2new in
event endUi(IDi).
Table 4

protocol.

(*----GWN process----*)
let GWN =
in(cha, (XIDi:bitstring));
new ri:bitstring;
let GIDi = h(concat(XIDi, ri)) in
let G1' = h(concat(GIDi, x)) in
out(cha, (GIDi));
in(chc, (XMU1:bitstring, XMU2:bitstring, XMU3:bitstring, XGIDi:bitstring, XSIDj:bitstring));
event beginGWN(IDg);
let ei = xor(XMU1,h(concat(XGIDi, x))) in
if XMU3 = h(concat(concat(XIDi, ei),
concat(concat(XGIDi, XMU2), XSIDj))) then
let cj = h(concat(XSIDj, x)) in
let MG1 = h(concat(concat(cj, XGIDi), concat(XSIDj, XMU2))) in
out(chb, (XMU2, MG1, XGIDi));
in(chb, (XMS1:bitstring, XMS2:bitstring,
XMS3:bitstring));
if XMS3 = h(concat(concat(XGIDi, XSIDj), cj)) then
new rinew:bitstring;
let GIDinew = h(concat(XIDi, rinew)) in
let MG2 = xor(h(concat(GIDinew, x)), h(concat(XGIDi, ei))) in
let MG3 = h(concat(concat(XIDi, XSIDj), concat(concat(XGIDi, GIDinew), concat(ei, MG2)))) in
let MG4 = xor(h(ei), GIDinew) in
out(chc, (XMS1, XMS2, MG2, MG3, MG4));
event endGWN(IDg).
Table 5

protocol.

(*----Sj process----*)
let Sj =
in(chb, (XXMU2:bitstring, XMG1:bitstring, XXGIDi:bitstring));
event beginSj(SIDj);
let scj = h(concat(SIDj, x)) in
if XMG1 = h(concat(concat(scj, XXGIDi), concat(SIDj, XXMU2))) then
new beta:bitstring;
let MS1 = mult(beta, P) in
let sks = mult(beta, XXMU2) in
let MS2 = h1(concat(concat(XXMU2, MS1), concat(concat(sks, XXGIDi), SIDj))) in
let MS3 = h(concat(concat(XXGIDi, SIDj), scj)) in
out(chb, (MS1, MS2, MS3));
event endSj(SIDj).
Table 6

Queries.

(*----queries----*)
query attacker(P).
query id:bitstring; inj-event(endUi(id)) ==> inj-event(beginUi(id)).
query id:bitstring; inj-event(endGWN(id)) ==> inj-event(beginGWN(id)).
query id:bitstring; inj-event(endSj(id)) ==> inj-event(beginSj(id)).
process
((!Ui)|(!GWN)|(!Sj))
Table 7

Output of queries.

RESULT inj-event(endSj(id)) ==> inj-event(beginSj(id) is true.
RESULT inj-event(endGWN(id_12209)) ==> inj-event(beginGWN(id_12209) is true.
RESULT inj-event(endUi(id_25655)) ==> inj-event(beginUi(id_25655) is true.
RESULT not attacker(P[]) is true.
When the code that makes up the scheme is executed, ProVerif prints the following results: RESULT inj-event(EVENT) ==> inj-event(EVENT) is true. RESULT inj-event(EVENT) ==> inj-event(EVENT) is false. RESULT (QUERY) is true. RESULT (QUERY) is false. The first code means that the event has been verified and the authentication has been successful, while the second code means that the event has not been verified. The third code means that the query was proven and the attack was not successful. When the fourth code is displayed, the query is false, meaning that an attack is possible and the attack induction and tracking is thus displayed. The ProVerif result of the proposed scheme is shown to be accurate for all events by simulating the result as shown in the figure (see Table 8). Therefore, the proposed scheme is safe from virtual attacker A and the virtual attack has been successfully terminated.

Table 8. Performance comparison.

| Features | Wu et al. [1] | Park et al. [3] | Park et al. [25] | Ours |
| --- | --- | --- | --- | --- |
| Defence of privileged insider attack | O | O | O | O |
| Defence of outsider attack | X | X | X | O |
| Defence of offline ID guessing attack | O | O | O | O |
| Defence of online ID guessing attack | X | X | X | O |
| Defence of session key disclosure attack | O | O | O | O |
| Defence of user impersonation attack | X | X | O | O |
| Defence of server impersonation attack | O | X | O | O |
| User anonymity | X | O | X | O |
| Forward secrecy and backward secrecy | O | O | O | O |

6.2. Informal Security Analysis

6.2.1. Privileged Insider Attack

The only value that the user sends in the registration center is the . However, their is used after hashing with other values at every subsequent step. It can not be used because it is used as hashed with values that are not exposed to the outside such as or , , , , and , , and these values are not exposed. Therefore, it is safe from a privileged insider attack.

6.2.2. Outsider Attack

’s smart cards include h (·), (·), P, , and fuzzy extractors. Information such as session key or , which can be a critical value, or information such as a user’s password are all hashed, or can not be extracted because the value can not be extracted from ECC. In addition, s and s are kept in the database, and information can not be extracted because are not used directly in the protocol.

6.2.3. Offline ID Guessing Attack

and are not used directly in this phase. They are used through hashing by concatenating them with other variables, so and can not be directly obtained from public information. Therefore, and can not be obtained using login request messages , , , , and . Since and are combined and stored in the database, it is impossible to extract the from the protocol.

6.2.4. Online ID Guessing Attack

and are not directly used in the phase so the attacker can not guess the s or passwords of others. It is impossible to retrieve a user’s in the protocol because the s and s are stored in the database, and is found by searching the database.

6.2.5. Session Key Disclosure Attack

The session key should be computed as or when knowing or with . Neither nor are known to the user or the sensor node, so it is impossible to know the session key unless it is a user or a sensor node.

6.2.6. User Impersonation Attack

After the is found in the database using the , ( is calculated in order to compare the and h ( . One can never be accepted as a specific user without knowing the and pair. Therefore, a User Impersonation Attack is impossible.

6.2.7. Server Impersonation Attack

The server is identified in = h (. ( and x is the secret key. Therefore, it is necessary to know the calculated by the secret key other than the and the included in the message in order to authenticate the server and is not used alone and = h (, ( and other values. In addition, the value x in the destination ( can not be determined because it is always used by hashing with .

6.2.8. User Anonymity

In the login process, the user gives , , , , and to the . In this case, = () is continuously changed by the random number . Since is used by hashing, one cannot guess through , , , , and .

6.2.9. Forward Secrecy and Backward Secrecy

Because of the nature of ECCDH, we can not find and through , we can not find through and , and we can not find through P and .

7. Performance Analysis of the Proposed Scheme

Four symbols in total are used to analyze performance. is the time of the multiplicative operation used in ECC. This takes the most time in our scheme. assumes that it is equal to , the time to check for a match when recognizing the user’s biometric . means time in symmetric encryption or decryption. Finally, means the time it takes to use the hash function. These are listed in Table 9.

Table 9. Notations of time symbol.

| Symbol | Meaning | Time (ms) |
| --- | --- | --- |
| Tm | time of multiplication in Field | 7.3529 [26] |
| TRep | time of Rep | = Tm [16] |
| Ts | time of symmetric encryption or decryption | 0.1303 [26] |
| Th | time of hash operation | 0.0004 [26] |

The authors [26] measured the approximate execution time of each cryptographic operation under the following conditions: CPU: Intel(R) Core(TM)2T6570 2.1 GHz, Memory: 4 G, OS: Win7 32-bit, Software: Visual C++ 2008, MIRACL C/C++ Library, Security level: 160-bit point in , 1024-bit in a cyclic group, AES and SHA-1. The proposed scheme produced the best results in time among all the three factor user authentication schemes using ECC (see Table 10).

Table 10. Performance comparison.

| | Wu et al. [1] | Park et al. [3] | Park et al. [25] | Ours |
| --- | --- | --- | --- | --- |
| User Ui | 10Th + 1TRep + 2Tm | 6Th + 1TRep + 2Tm | 10Th + 1TRep + 2Tm | 8Th + 1TRep + 2Tm |
| (ms) | 22.0627 | 22.0611 | 22.0627 | 22.0619 |
| GWN | 10Th | 7Th + 2Te | 11Th | 10Th |
| (ms) | 0.004 | 0.2634 | 0.0044 | 0.004 |
| Sensor node Sj | 2Th + 2Tm | 6Th + 2Tm + 1Te | 4Th + 2Tm | 3Th + 2Tm |
| (ms) | 14.7066 | 14.8385 | 14.7074 | 14.707 |
| Total costs | 22Th + 4Tm + 1TRep | 19Th + 4Tm + 3Te + 1TRep | 25Th + 4Tm + 1TRep | 21Th + 4Tm + 1TRep |
| (ms) | 36.7733 | 37.163 | 36.7745 | 36.7729 |

8. Conclusions

Many user authentication schemes have been proposed for wireless sensor networks, but each of them has serious security flaws. Recently, Wu et al. also proposed a three-factor user authentication scheme, which looks promising. However, we discovered vulnerabilities in the configuration of their scheme and proposed a new scheme to address the discovered issues. Finally, we provide a security and performance comparison between Wu et al.'s scheme and our proposed protocol, and provide a formal analysis based on ProVerif. The security and performance of the proposed scheme are significantly better than those of the existing user authentication schemes. Our scheme is not very fast yet. In the future, we will study a WSN protocol that is safer, simpler and faster.