
Efficient and secure three-party mutual authentication key agreement protocol for WSNs in IoT environments.

Chi-Tung Chen (1), Cheng-Chi Lee (2,3), Iuon-Chang Lin (3,4).

Abstract

In the Internet of Things (IoT), numerous devices can interact with each other over the Internet. A wide range of IoT applications have already been deployed, such as transportation systems, healthcare systems, smart buildings, smart factories, and smart cities. Wireless sensor networks (WSNs) play crucial roles in these IoT applications. Researchers have published effective (but not entirely secure) approaches for merging WSNs into IoT environments. In IoT environments, the security effectiveness of remote user authentication is crucial for information transmission. Computational efficiency and energy consumption are crucial because the energy available to any WSN is limited. This paper proposes a notably efficient and secure authentication scheme based on temporal credential and dynamic ID for WSNs in IoT environments. The Burrows-Abadi-Needham (BAN) logic method was used to validate our scheme. Cryptanalysis revealed that our scheme can overcome the security weaknesses of previously published schemes. The security functionalities and performance efficiency of our scheme are compared with those of previous related schemes. The result demonstrates that our scheme's security functionalities are quantitatively and qualitatively superior to those of comparable schemes. Our scheme can improve the effectiveness of authentication in IoT environments. Notably, our scheme has superior performance efficiency, low computational cost, frugal energy consumption, and low communication cost.


Year: 2020    PMID: 32353049    PMCID: PMC7192470    DOI: 10.1371/journal.pone.0232277

Source DB: PubMed    Journal: PLoS One    ISSN: 1932-6203    Impact factor: 3.240


1. Introduction

Internet of Things (IoT) is an emerging technology, which is the extension of Internet connectivity into various devices such as sensors, vehicles, and mobile phones. These devices can interact with each other over the Internet [1]. A wide range of applications connecting objects that can communicate with each other have been deployed; applications include transportation systems, healthcare systems, smart buildings, smart factories, and smart cities [1, 2]. Wireless sensor networks (WSNs) are crucial in these IoT applications [2, 3]. WSNs have become increasingly used in providing services for monitoring environments and activities because of their low cost, flexibility, ease of deployment, and wide range of applications (Fig 1) [4]. As illustrated in Fig 1, WSNs comprise numerous sensor nodes scattered arbitrarily over a certain region. Sensor nodes can sense, process, and transmit information (e.g., temperature and traffic information). Remote users are required to reach a specific sensor node via the gateway node (GWN) [5, 6]. Each scattered sensor node can collect data and route data back to the GWN. Remote users may communicate with a GWN through the Internet. When data from WSNs are made available to users, the legitimacy of each user must be verified before the system can grant access to the data, and the sensor nodes reserved for access must be confirmed to be legitimate. Hence, remote user authentication is necessary and critical for secure information transmission in WSNs [2, 5, 7, 8]. The following basic design criteria must be considered when designing a remote user authentication scheme for WSNs [2, 5, 8]:
Fig 1. Wireless sensor networks.

Mutual authentication. Users and sensor nodes must mutually authenticate each other. After they have authenticated each other, they must arrange a session key for information transmission.

Masquerade attack resistance. An adversary cannot impersonate a legal user to log in to WSNs. In addition, the adversary cannot masquerade as a sensor node to spoof the user.

Replay attack resistance. The adversary cannot replay previously intercepted messages to spoof the GWN.

Guessing attack resistance. The adversary cannot obtain useful information to devise an offline check of the correctness of guessed passwords.

1.1. Preliminaries and technical background

In this subsection, we introduce some preliminaries and the principal technologies that our scheme is based on, namely temporal credentials [7] and dynamic IDs [9, 10]. A temporal credential is an impermanent attestation of authority issued by a third party. The GWN can issue a temporal credential to each user and sensor node [7]. The expiration time of a user’s temporal credential is regulated by the GWN. A user’s temporal credential is bound to the user’s identity and can be securely stored in a smart card. The temporal credential of a sensor node is likewise bound to its identity and written confidentially into its storage. Based on the issuing and signing of temporal credentials, mutual authentication between the user and the GWN is achieved by verifying the user’s temporal credential, and mutual authentication between the sensor node and the GWN is achieved by verifying the sensor node’s temporal credential. Each dynamic ID is temporarily assigned by the system and mapped to a specific user [9]. A dynamic ID is a combination of its user’s information and a random nonce. The random nonce is an arbitrary number that is used only once during the communication. In the authentication process, the login message of user i contains a dynamic ID, called DID. The login message therefore differs for each login. For all i, the parameter DID is associated with nonce N and changes dynamically for each login. Using a dynamic ID in each login message avoids the risk of ID theft [10]. Our scheme introduces dynamic IDs to anonymize users.

1.2. Motivation and contribution

Typical IoT installations allow remote users to access data from sensor nodes in WSNs through the Internet. Researchers have been developing effective approaches for merging WSNs into IoT environments [2, 11–16]. Because of the resource constraints of sensor nodes, designing an efficient and secure authentication scheme for WSNs in IoT environments is a nontrivial challenge. In IoT environments, the security effectiveness of remote user authentication is crucial for trustworthy information transmission [2, 3]. Computational efficiency and energy consumption are crucial because of the limited energy resources of WSNs [2, 3]. Moreover, time synchronization is a critical and challenging problem for WSNs; the system must provide a synchronized logical clock for all devices and objects in IoT environments [3, 17–19]. Any adversary and any malicious node in IoT environments can attack clock synchronization [3, 17]. Communication errors, frequent topological changes, low-cost clocks, and the limited energy of IoT nodes are other factors that can affect time synchronization [18, 19]. A timestamp-based authentication scheme requires trustworthy timestamps and synchronized clocks to verify any device’s legitimacy. When a system has a serious time synchronization problem, no device can be synchronized with any other device, and thus the system cannot verify any device’s legitimacy. Therefore, any serious time synchronization failure causes mutual authentication to fail. The time synchronization problem must be considered when designing a remote user authentication scheme for WSNs in IoT environments [3, 17–19]. Moreover, when a given user’s ID is revealed, an adversary can determine any information concerning the user's identity and monitor the user’s activities. An exposed user ID is also useful to the adversary because it provides login information [10]. Therefore, anonymous access should be required for each login.
Although several previously published studies have proposed diverse remote user authentication schemes, they have been neither sufficiently secure nor sufficiently efficient to satisfy the requirements of WSNs in IoT environments (see the related work in Section 2). This paper proposes a more efficient and secure authentication scheme for WSNs in IoT environments to ameliorate these security weaknesses. The major contributions of our work are as follows:

We propose a new three-party scheme on the basis of temporal credentials [7] and dynamic IDs [9, 10] for WSNs in IoT environments to achieve security, mutual authentication, and session key agreement.

Cryptanalysis revealed that the security functionalities of the proposed scheme are qualitatively and quantitatively superior to those of previous schemes; the proposed scheme can advance the field of authentication schemes.

The Burrows–Abadi–Needham (BAN) logic method [3, 20–24] was used to validate our scheme.

The proposed scheme performs efficiently in IoT environments, with low computational cost, frugal energy consumption, and little communication cost.

Our scheme uses temporal credentials and random nonces instead of timestamps to verify mutual authentication among U, the GWN, and S. Therefore, our scheme avoids the time synchronization problem for WSNs in IoT environments [3, 9, 17, 25].

Moreover, dynamic ID technology [9, 10] is applied in our scheme. User identities are consequently anonymous and can be confirmed only by the service provider.

1.3. Organization of the paper

The remainder of this paper is organized as follows: Section 2 introduces a brief review of the related work in WSNs and explains the security weaknesses of the Ostad-Sharif et al. scheme [2] for WSNs in IoT environments; Section 3 details the proposed efficient secure authentication scheme for WSNs in IoT environments; Section 4 presents the security analysis of the proposed scheme; Section 5 discusses the effectiveness and efficiency of the proposed scheme; and finally, Section 6 presents the study’s conclusion.

2. Related work in WSNs

To satisfy the security requirements of WSNs, many remote user authentication schemes have been proposed. In 2004, Benenson et al. [26] described the security issues of user authentication in WSNs and proposed a protocol for them, in which the user can achieve successful authentication with any subset of sensors from a set of n sensors (n being the average number of sensors within a broadcast distance of the user). Watro et al. [27] proposed the TinyPK authentication protocol, built on the Rivest-Shamir-Adleman (RSA) public key cryptosystem [28] and the Diffie-Hellman key agreement algorithm [29]. However, this protocol is vulnerable to masquerade attacks, in which an adversary can masquerade as a sensor node to spoof the user [5]. Wong et al. [30] proposed a less complex, lightweight user authentication protocol for WSNs that uses only hash function operations. However, the scheme cannot protect against stolen-verifier, replay, and forgery attacks [5, 31]. Moreover, the passwords in the scheme can easily be revealed by any of the sensor nodes, and users cannot change their passwords freely. In 2009, to eliminate the weaknesses of the Wong et al. scheme, Das [5] proposed a two-factor user authentication scheme for WSNs. The scheme implements password-based authentication with the assistance of a GWN to access resource-constrained sensor nodes. However, this scheme is vulnerable to insider, masquerade, offline password-guessing, stolen smart card, and GWN bypassing attacks [7, 8, 32]. The scheme does not provide mutual authentication, key agreement, or a password change phase for users to change or update their password [7, 8, 32]. Khan et al. [32], Chen et al. [33], and Yeh et al. [8] subsequently proposed new schemes to remedy the inherent security weaknesses of the Das scheme. Khan et al. [32] proposed a user authentication scheme that rectifies the susceptibilities of the Das scheme and achieves more secure user authentication in WSNs.
Afterward, Chen et al. [33] provided a secrecy-improved mutual user authentication scheme for WSNs by applying hash functions. Yeh et al. [8] proposed a new mutual user authentication protocol for WSNs using elliptic curve cryptography (ECC) and smart cards. Xue et al. [7] showed that the Khan et al. scheme is vulnerable to stolen smart card and GWN bypassing attacks. In addition, the Chen et al. scheme is vulnerable to insider, masquerade, stolen smart card, and GWN bypassing attacks [7]. By contrast, the Yeh et al. scheme is vulnerable to stolen smart card and replay attacks [7]. Xue et al. [7] proposed a temporal-credential-based mutual authentication scheme for users, GWNs, and sensor nodes. With the assistance of password-based authentication, the GWN in the Xue et al. scheme can issue a temporal credential to each user and sensor node. However, the Xue et al. scheme is vulnerable to insider attacks and stolen smart card attacks [34], and it does not offer password protection [34]. In 2016, Chang et al. [35] proposed a flexible authentication scheme for WSNs that operates in two modes. The first mode provides a lightweight authentication scheme, and the second mode is an advanced protocol based on ECC. In 2018, Amin et al. [34] demonstrated that the Chang et al. scheme is insecure against stolen smart card attacks and cannot provide password protection. Amin et al. [34] then proposed a robust authentication scheme using smart cards for WSNs. However, the Amin et al. scheme has higher energy consumption, computational costs, and communication costs than previously published schemes (Section 5) [34]. For healthcare applications, Challa et al. [36] proposed a secure user authentication scheme for wireless healthcare sensor networks. Their three-factor authentication scheme is designed with ECC and offers several functionality features, including dynamic sensor node addition, password updates, biometrics updates, and smart card revocation for WSNs.
On the basis of ECC, Li et al. [3] also proposed an anonymous authentication scheme for WSNs in IoT environments. In the scheme, they used a fuzzy commitment scheme [3] to handle user biometric information. In 2019, Harbi et al. [37] proposed an ECC-based mutual authentication scheme to secure communication in IoT-enabled WSNs. The sensor network in their system is arranged into clusters to diminish the energy consumption of sensors; each cluster has a cluster head, which is a leader sensor node. However, the Challa et al., Li et al., and Harbi et al. schemes are all ECC-based. ECC is a public key cryptography approach based on elliptic curves. According to related studies, the time cost of an ECC point multiplication is much larger than that of hash function operations [2, 3, 7, 34, 35], and the energy consumed by executing an asymmetric ECC cryptosystem is much higher than that consumed by executing a hash function [38, 39]. Currently, researchers are designing effective remote user authentication schemes for WSNs in IoT environments. In 2019, Ostad-Sharif et al. [2] proposed an efficient user authentication scheme and claimed that their scheme is appropriate for WSNs in IoT environments. However, in this section, we argue that the login and authentication phase of the Ostad-Sharif et al. scheme has design faults. Moreover, the password change phase of their scheme cannot actually change or update a password. Their scheme also has the time synchronization problem [3, 17–19]. The details are presented as follows.

2.1. Authentication design faults of the Ostad-Sharif et al. scheme in IoT environments

Design faults exist in the login and authentication phase of the Ostad-Sharif et al. scheme [2]. We illustrate this security weakness in the following passages. When a registered user U wants to access the information of sensor node S, the login and authentication phase of the Ostad-Sharif et al. scheme must be executed first. A registered user U inserts a smart card into the smart card reader and imprints his/her fingerprint B on the sensor device. The smart card contains the secret parameters {D, C, E, SCN, BK()}, in which SCN denotes the unique smart card number and BK() denotes the biometric key generation/extraction function. The smart card reader first extracts the masked biometric C from the smart card and computes RN′ = BK(h(B))⊕C′. After finding C′, the smart card reader must validate whether C′ and C are equal. If C′ ≠ C, then the smart card reader terminates the request. However, in the equation above, the smart card reader knows neither the random number RN′ nor the masked biometric C′; the equation has two unknowns, so neither RN′ nor C′ can be obtained from it. Consequently, a legitimately registered user U cannot pass the verification to access the system. This problem affects all legitimately registered users. The Ostad-Sharif et al. scheme thus has design faults in its login and authentication phase.

2.2. Failure to provide password change capability in the Ostad-Sharif et al. scheme

The Ostad-Sharif et al. scheme [2] cannot provide password change capability. We demonstrate this weakness in the following passages. When a registered user U wants to update the password PW, the password change phase in the scheme must be executed. U first inserts a smart card into the smart card reader. He or she then inputs identity ID and password PW. The smart card contains the secret parameters {D, C, E, SCN, BK()}. After the legitimacy of U is verified, U enters a new password . The smart card computes the following equations:

= h(IDi∥ ∥RNi), in which RNi denotes a random number.

A′ = D⊕RPW = ⊕ RPW

L′ = E ⊕ RPW = L′i ⊕ RPW

After and have been found, the smart card replaces the secret parameters {D, E} in the smart card with the new parameters {, }. The smart card finally contains the parameters {, C, , BK()}. However, in (3), the smart card does not know ; hence, it cannot obtain the new parameter from (3). Moreover, from (4) and (5), we obtain the following results: Finally, the value of the new parameter is the same as the value of the parameter E, and the new parameter cannot be acquired from the equations. Therefore, a registered user U cannot update his/her password. The Ostad-Sharif et al. scheme fails to provide password change capability.

2.3. Time synchronization and authentication problem of the Ostad-Sharif et al. scheme in IoT environments

The Ostad-Sharif et al. scheme uses a timestamp T to verify mutual authentication among U, the GWN, and S for WSNs in IoT environments. Therefore, the Ostad-Sharif et al. scheme must provide synchronized clocks to all devices in IoT environments so that timestamps can be compared [3, 17, 18]. However, as mentioned, both adversaries and malicious nodes can attack time synchronization [17]. Frequent topological changes, low-cost clocks, and the limited energy of the sensor nodes in IoT environments can also affect time synchronization [18, 19]. Synchronizing all WSN devices in IoT environments is a nontrivial challenge in itself [3, 17–19]. When a serious time synchronization problem arises in the Ostad-Sharif et al. scheme, the GWN, U, and S cannot be synchronized with each other, and then the legitimacy of the GWN, U, and S cannot be verified. Hence, the Ostad-Sharif et al. scheme may enter a state in which mutual authentication among the GWN, U, and S cannot be achieved [3, 17, 18].
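The following Python sketch is an added illustration of the point made in this subsection; it is not code from the paper or from either scheme. It contrasts a timestamp-window freshness check, which fails for an honest sensor whose clock has drifted, with a challenge-nonce check of the kind the proposed scheme uses, which needs no clock and also rejects a replayed reply. The clock values, the 5-second window and the 40-second drift are constructed for the demonstration.

```python
import os

# Constructed tolerance: a receiver accepts a timestamp only if it lies within
# this many seconds of its own clock (the window is our choice, not the paper's).
SKEW_WINDOW = 5.0


def timestamp_fresh(ts_in_message, receiver_clock, window=SKEW_WINDOW):
    """Timestamp-based freshness: only works if sender and receiver clocks agree."""
    return abs(receiver_clock - ts_in_message) <= window


class NonceVerifier:
    """Challenge-nonce freshness: the verifier remembers the nonces it issued and
    accepts each of them exactly once, so no clock is needed and a replayed or
    never-issued nonce is rejected."""

    def __init__(self):
        self.outstanding = set()

    def issue(self):
        n = os.urandom(16)
        self.outstanding.add(n)
        return n

    def accept(self, nonce_in_reply):
        if nonce_in_reply not in self.outstanding:
            return False  # never issued, or already consumed (replay)
        self.outstanding.remove(nonce_in_reply)
        return True


def demo():
    """Constructed scenario: an honest sensor whose clock is 40 s behind the GWN."""
    gwn_clock = 1_000_040.0
    sensor_clock = 1_000_000.0
    verifier = NonceVerifier()
    n = verifier.issue()
    return {
        "timestamp_in_sync": timestamp_fresh(gwn_clock - 1.0, gwn_clock),  # True
        "timestamp_drifted": timestamp_fresh(sensor_clock, gwn_clock),    # False: honest message rejected
        "nonce_first_reply": verifier.accept(n),                          # True
        "nonce_replayed": verifier.accept(n),                             # False
        "nonce_forged": verifier.accept(os.urandom(16)),                  # False
    }
```

The drifted sensor is rejected by the timestamp check even though it is legitimate, which is exactly the mutual-authentication failure described above; the nonce verifier accepts the same sensor because freshness is tied to the challenge it issued rather than to clock agreement.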

3. Proposed scheme

In this section, we propose an efficient and secure authentication scheme for WSNs in IoT environments. The WSN environment contains three participants: the user (U), the sensor node (S), and the gateway node (GWN). The scheme applies dynamic IDs to achieve security and user anonymity (identity protection) [9, 10]. The scheme applies temporal credentials to achieve mutual authentication and session key agreement [7]. Temporal credentials are securely protected and stored in smart cards. The scheme withstands stolen smart card attacks (Section 4.2). The system protects passwords against offline password guessing attacks (Section 4.2). The system need not maintain any password or verification table; therefore it resists stolen verifier attacks and insider attacks [9, 40, 41]. The scheme withstands masquerade attacks, replay attacks, GWN bypassing attacks, and GWN spoofing attacks (Sections 4.4 and 4.8). Before registration, users are not obliged to share their IDs and passwords with the GWN; hence, the scheme conveniently supports adding new users (Section 4.6). To solve the password-changing problem of previous schemes, we also introduce a new password change phase to update the password. In the new password change phase, U can freely select and update the password without communicating with any other participant (the GWN or S), which avoids additional communication message overhead (Fig 5) [42]. Our scheme relies on hash function operations for security and computational efficiency. Table 1 lists the definitions of the notations in our scheme. The GWN chooses the private keys KGWN-U and KGWN-S, and only the GWN knows them. The proposed scheme consists of four phases: (1) registration phase, (2) login phase, (3) authentication and key agreement phase, and (4) password change phase. They are described as follows:
Fig 5. Password change phase in the proposed scheme (U can update the password without communicating with the GWN and S).

Table 1. Notation definitions.

Notation: Definition
Ui: The ith user
Sj: The jth sensor node
GWN: The gateway node
IDi: The identification of Ui
IDGWN: The identification of the GWN
SIDj: The identification of Sj
DIDi: The dynamic ID of Ui
DIDGWN: The dynamic ID of the GWN
PWi: The password of Ui
PWj: The password of Sj
BK: Biometric key generation/extraction function
Bi: Biometric of Ui
SCNi: Unique smart card number
KGWN-U: Private key only known to the GWN
KGWN-S: Private key only known to the GWN
KEYij: Shared session key between Ui and Sj
TCi: Temporal credential issued by the GWN to Ui
TCj: Temporal credential issued by the GWN to Sj
TEi: Expiration time of a user’s temporal credential
TS: Timestamp value
||: String concatenation manipulation
→: Common channel (a)
⊕: Exclusive-or manipulation
⇒: Secure channel (b)
h(•): One-way hash function (c)

a A common channel is a channel allocated in common to participants.

b A secure channel is a channel of delivering messages that can withstand tampering and overhearing.

c A hash function has a one-way property that it is computationally infeasible to find a data object to map to a hash result [43].


3.1. Registration phase

The registration phase comprises two parts, one for users and the other for sensor nodes. We first describe the registration phase for users. In this phase, when a new user U undertakes to register, he or she selects the identification ID and password PW. Subsequently, U generates a random number r and sends ID and h(r⊕PW) to the GWN for registration through a secure channel. After receiving the messages from U, the GWN selects the expiration time TE of the temporal credential of U. The GWN computes the temporal credential TC and verification information R for U. The GWN then issues a smart card with the temporal credential TC, expiration time TE, and verification information R to U through a secure channel. The steps are detailed as follows (Fig 2):
Fig 2. Registration phase for users in the proposed scheme.

Step U1. U freely chooses identification ID and password PW.

Step U2. U generates a random number r and calculates h(r⊕PW).

Step U3. U ⇒ GWN: {h(r⊕PW), ID}. U transmits h(r⊕PW) and ID to the GWN through a secure channel.

Step U4. GWN ⇒ U: {ID, PTC, TE, B, R, h(.)}. After receiving the message from U, the GWN selects the expiration time TE of the temporal credential of U and computes the following equations to issue the temporal credential TC for U:
P = h(ID∥ID∥TE), TC = h(P∥K∥TE), PTC = TC⊕h(r⊕PW), Q = h(ID∥K), B = Q⊕h(ID∥h(r⊕PW)), and R = h(Q).
The GWN then issues a smart card with the secret parameters {ID, PTC, TE, B, R, h(.)} to U through a secure channel.

Step U5. U stores r in the smart card, after which the smart card holds the parameters {ID, PTC, TE, B, R, r, h(.)}.

We now describe the registration phase for sensor nodes. In this phase, each sensor node S is pre-configured with SID. After deployment, the sensor node S generates a random number r and then sends SID and h(r⊕SID) to the GWN for registration through a secure channel. After receiving the messages from S, the GWN issues a temporal credential TC to S through a secure channel. The steps are detailed as follows (Fig 3):
Fig 3. Registration phase for sensor nodes in the proposed scheme.

Step S1. S is pre-configured with SID.

Step S2. S generates a random number r and computes h(r⊕SID).

Step S3. S ⇒ GWN: {SID, h(r⊕SID)}. S sends SID and h(r⊕SID) to the GWN through a secure channel.

Step S4. GWN ⇒ S: {RTC}. After receiving the message from S, the GWN computes TC = h(K∥SID) to issue the temporal credential TC for S and then calculates RTC = TC⊕h(h(r⊕SID)∥SID). The GWN sends RTC to S through a secure channel.

Step S5. After receiving the message from the GWN, S computes TC = RTC⊕h(h(r⊕SID)∥SID) to find its temporal credential TC and then stores it.

3.2. Login phase

U first inserts a smart card into the smart card reader to log in to the system. U then gives (ID, PW) that correspond to the smart card. The smart card of U computes verification information and then verifies it with the stored R in the smart card. After passing verification, the legitimacy of U is ensured. Afterward, U can read the information stored in the smart card and find its temporal credential TC. The steps are detailed as follows (Fig 4):
Fig 4. Login phase; authentication and key agreement phase.

Step L1. User U inserts a smart card into the smart card reader and provides keys (ID, PW). The smart card of user U then computes Q = B⊕h(ID∥h(r⊕PW)) and = h(Q). The smart card validates whether and the stored R in the smart card are equal. If the values are unequal, the smart card rejects the login request. Otherwise, the legitimacy of U is ensured, and U can read the information stored in the smart card.

Step L2. U computes TC = PTC⊕h(r⊕PW) to find its temporal credential TC.

3.3. Authentication and key agreement phase

After ensuring the legitimacy of U and finding the temporal credential TC, the system must complete mutual authentication among U, the GWN, and S. The first step of the mutual authentication phase involves identity verification for U, which is conducted by the GWN. Afterward, the second step entails identity verification of the GWN, which is conducted by S. The third step involves identity verification for S, which is conducted by U as well as the GWN. Finally, a session key KEY is negotiated between U and S to conduct encryption during data transmission later on. The steps are detailed as follows (Fig 4):

Step V1. U → GWN: {DID, q1, PKS, TE, P, N}. U generates a nonce N and computes P = h(ID∥ID∥TE), DID = ID⊕h(TC∥ID∥N), and q1 = h(ID∥TC∥N). Afterward, U randomly chooses a secret sharing key K and computes PKS = K⊕h(TC∥N). After computation, U sends the login request message m = {DID, q1, PKS, TE, P, N} to the GWN.

Step V2. GWN → S: {DID, DID, q2, PKS, ID, N, N}. After obtaining message m, the GWN computes TC = h(P∥K∥TE), ID = DID⊕h(TC∥ID∥N), and = h(ID∥TC∥N). The GWN then verifies whether and q1 are equal. If ≠ q1, then the GWN terminates the request and sends a reject message to U. Otherwise, the legitimacy of U is ensured, and the GWN accepts the login request. The GWN then records the login status of U to indicate that Ui is logging in to the system. The GWN computes K = PKS⊕h(TC∥N). At this point, the GWN selects a proper sensor node S with identification SID and calculates its temporal credential TC = h(K∥SID). The GWN then generates a nonce N and computes DID = ID⊕h(TC∥DID∥N), q2 = h(ID∥TC∥N), and PKS = K⊕h(TC∥N). After computation, the GWN sends the message m = {DID, DID, q2, PKS, ID, N, N} to S.

Step V3. S → U, GWN: {SID, q3, PKS, N, N}. After receiving message m, S assesses ID to verify whether the GWN is a participant. If verification is true, S computes ID = DID⊕h(TC∥DID∥N) and = h(ID∥TC∥N). S then verifies whether and q2 are equal. If ≠ q2, then S terminates the request and returns a reject message. Otherwise, the legitimacy of the GWN is ensured, and S accepts the request. S computes K = PKS⊕h(TC∥N). Afterward, S randomly selects a secret sharing key K. S computes q3 = h(ID∥SID∥K∥N∥N) and PKS = K⊕h(K∥N∥N). After computation, S sends the message m = {SID, q3, PKS, N, N} to U and the GWN.

Step V4. After receiving the message m, U and the GWN separately compute = h(ID∥SID∥K∥N∥N). After computation, the GWN verifies whether and q3 are equal. If = q3, then the GWN can verify the legitimacy of S. User U also verifies whether and q3 are equal. If = q3, then U can verify the legitimacy of S and the GWN. Afterward, U and the GWN separately compute K = PKS⊕h(K∥N∥N). Finally, after ending the mutual authentication phase, U, the GWN, and S separately generate the shared session key KEY by computing KEY = h(K∥K∥N∥N∥SID).

3.4. Password change phase

To update or change the password, a user U must insert his/her smart card into the smart card reader. Afterward, U gives ID and PW, which correspond to the smart card. In the first step of the password change phase, the smart card of U computes verification information and then verifies it with the stored R in the smart card. After passing verification, the legitimacy of U is ensured. U can then read the information stored in the smart card. The second step involves finding the updated value of the parameters {, , }. Finally, the smart card replaces the old value of the parameters {PTC, B, r} in the smart card with the updated value of the parameters {, , }. The steps are detailed as follows (Fig 5):

Step P1. A user U inserts a smart card into the smart card reader and gives (ID, PW). The smart card of U calculates Q = B⊕h(ID∥h(r⊕PW)) and = h(Q) and then verifies whether and the stored R in the smart card are equal. If the values are unequal, the smart card rejects the login request. Otherwise, the legitimacy of U is ensured, and U can read the information stored in the smart card.

Step P2. The user U selects a new password , and then U generates a random number . Then, the smart card calculates = Q⊕h(ID∥h(⊕)), = PTC⊕h(r⊕PW)⊕h(⊕).

Step P3. The parameters {PTC, B, r} in the smart card are replaced with new parameters {, , }. Finally, the smart card contains {ID, , TE, , R, , h(.)}.
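The following Python model is an added worked example of Sections 3.1 through 3.4 as one end-to-end run; it is not the authors' code or an implementation they provide. The subscripts that the extracted text dropped are restored from Table 1 according to our reading of the steps, and several points the text leaves ambiguous are our assumptions, marked ASSUMPTION in the comments: h(·) is SHA-256, ⊕ on operands of unequal length pads the shorter with zero bytes, Q_i = h(ID_i ∥ K) uses K_GWN-U, DID_GWN in message m2 carries ID_i masked under TC_j (so that S_j can compute q3, which contains ID_i), and the re-masked PKS in m2 uses N_GWN. All identifiers, passwords, nonces and the expiration time TE_i are constructed sample values. The GWN derives KEY_ij as well, as Step V4 states.

```python
import hashlib
import os


def h(*parts):  # h(a || b || ...): SHA-256 over the concatenation (ASSUMPTION: hash choice)
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a, b):  # bitwise XOR; the shorter operand is right-padded with zero bytes (ASSUMPTION)
    n = max(len(a), len(b))
    return bytes(x ^ y for x, y in zip(a.ljust(n, b"\0"), b.ljust(n, b"\0")))


class Gateway:
    def __init__(self, gwn_id):
        self.id = gwn_id  # ID_GWN
        self.k_u, self.k_s = os.urandom(32), os.urandom(32)  # K_GWN-U, K_GWN-S: known only to the GWN
        self.login_status = set()  # users currently logged in (recorded in Step V2)

    def register_user(self, uid, hrpw, te):  # Step U4: issue TC_i and the card parameters
        p = h(uid, self.id, te)  # P_i = h(ID_i || ID_GWN || TE_i)
        tc = h(p, self.k_u, te)  # TC_i = h(P_i || K_GWN-U || TE_i)
        q = h(uid, self.k_u)  # Q_i = h(ID_i || K); ASSUMPTION: K is K_GWN-U
        return {"ID": uid, "PTC": xor(tc, hrpw), "TE": te, "B": xor(q, h(uid, hrpw)), "R": h(q)}

    def register_sensor(self, sid, hrsid):  # Step S4: RTC_j = TC_j xor h(h(r_j xor SID_j) || SID_j)
        return xor(h(self.k_s, sid), h(hrsid, sid))

    def authenticate(self, m1, sid):  # Step V2: verify U_i from m1, then build m2 for sensor S_j
        tc = h(m1["P"], self.k_u, m1["TE"])  # recompute TC_i without any stored table
        uid = xor(m1["DID"], h(tc, self.id, m1["N"])).rstrip(b"\0")  # unmask ID_i from DID_i
        if h(uid, tc, m1["N"]) != m1["q1"]:
            raise ValueError("GWN rejects the login request")
        self.login_status.add(uid)
        k_u = xor(m1["PKS"], h(tc, m1["N"]))  # U_i's secret sharing key
        tc_j, n_g = h(self.k_s, sid), os.urandom(16)  # TC_j and nonce N_GWN
        m2 = {"DID_i": m1["DID"], "ID_GWN": self.id, "N_i": m1["N"], "N_GWN": n_g,
              "DID_GWN": xor(uid, h(tc_j, m1["DID"], n_g)),  # ASSUMPTION: ID_i hidden under TC_j
              "q2": h(uid, tc_j, n_g),
              "PKS": xor(k_u, h(tc_j, n_g))}  # ASSUMPTION: re-masked with N_GWN
        return m2, (uid, k_u)  # state the GWN keeps for Step V4


def user_register(gwn, uid, pw, te):  # Steps U1-U5; the card holds {ID, PTC, TE, B, R, r, h()}
    r = os.urandom(32)
    return dict(gwn.register_user(uid, h(xor(r, pw)), te), r=r)


def sensor_register(gwn, sid):  # Steps S1-S5: the sensor unmasks RTC_j and keeps TC_j
    hrsid = h(xor(os.urandom(32), sid))
    return xor(gwn.register_sensor(sid, hrsid), h(hrsid, sid))


def card_check(card, uid, pw):  # Steps L1 and P1: verify (ID, PW) against R; returns Q_i and h(r xor PW)
    hrpw = h(xor(card["r"], pw))
    q = xor(card["B"], h(uid, hrpw))
    if h(q) != card["R"]:
        raise ValueError("smart card rejects (ID, PW)")
    return q, hrpw


def login(card, uid, pw):  # Step L2: recover TC_i after the local check
    return xor(card["PTC"], card_check(card, uid, pw)[1])


def login_request(card, uid, tc, gwn_id):  # Step V1: m1 = {DID_i, q1, PKS, TE_i, P_i, N_i}
    n_i, k_u = os.urandom(16), os.urandom(32)  # fresh nonce and secret sharing key
    m1 = {"DID": xor(uid, h(tc, gwn_id, n_i)), "q1": h(uid, tc, n_i), "PKS": xor(k_u, h(tc, n_i)),
          "TE": card["TE"], "P": h(uid, gwn_id, card["TE"]), "N": n_i}
    return m1, k_u


def sensor_respond(m2, sid, tc_j, gwn_id):  # Step V3: authenticate the GWN, answer with q3 and masked K_s
    if m2["ID_GWN"] != gwn_id:
        raise ValueError("unknown gateway")
    uid = xor(m2["DID_GWN"], h(tc_j, m2["DID_i"], m2["N_GWN"])).rstrip(b"\0")
    if h(uid, tc_j, m2["N_GWN"]) != m2["q2"]:
        raise ValueError("sensor rejects the request")
    k_u, k_s = xor(m2["PKS"], h(tc_j, m2["N_GWN"])), os.urandom(32)
    m3 = {"SID": sid, "N_i": m2["N_i"], "N_GWN": m2["N_GWN"],
          "q3": h(uid, sid, k_u, m2["N_i"], m2["N_GWN"]),
          "PKS": xor(k_s, h(k_u, m2["N_i"], m2["N_GWN"]))}
    return m3, h(k_u, k_s, m2["N_i"], m2["N_GWN"], sid)  # KEY_ij as computed by S_j


def finish(m3, uid, k_u):  # Step V4, run by U_i and by the GWN: check q3, unmask K_s, derive KEY_ij
    if h(uid, m3["SID"], k_u, m3["N_i"], m3["N_GWN"]) != m3["q3"]:
        raise ValueError("sensor not authenticated")
    k_s = xor(m3["PKS"], h(k_u, m3["N_i"], m3["N_GWN"]))
    return h(k_u, k_s, m3["N_i"], m3["N_GWN"], m3["SID"])


def change_password(card, uid, pw, new_pw):  # Steps P1-P3: replace {PTC, B, r}; TC_i and R unchanged
    q, hrpw = card_check(card, uid, pw)
    r_new = os.urandom(32)
    hrpw_new = h(xor(r_new, new_pw))
    card["B"], card["r"] = xor(q, h(uid, hrpw_new)), r_new
    card["PTC"] = xor(xor(card["PTC"], hrpw), hrpw_new)  # equals TC_i xor h(r_new xor PW_new)


def run_protocol(uid=b"alice", pw=b"old secret", new_pw=b"new secret", sid=b"S-07"):
    """Constructed run: register both parties, change the password offline, log in, agree KEY_ij.
    Returns the key as seen by U_i, by the GWN and by S_j; all three must match."""
    gwn = Gateway(b"GWN-1")
    card = user_register(gwn, uid, pw, b"2030-12-31")  # TE_i is a constructed value
    tc_j = sensor_register(gwn, sid)
    change_password(card, uid, pw, new_pw)  # no message to the GWN or S is needed
    m1, k_u = login_request(card, uid, login(card, uid, new_pw), gwn.id)
    m2, (uid_g, k_u_g) = gwn.authenticate(m1, sid)
    m3, key_s = sensor_respond(m2, sid, tc_j, gwn.id)
    return finish(m3, uid, k_u), finish(m3, uid_g, k_u_g), key_s
```

Two properties worth checking when running this: two login requests from the same card carry different DID values because N_i changes, and after change_password the old card parameters still lead to the same TC_i, so the GWN needs no notification. Each verification step is a hash comparison; no table of passwords or credentials is kept at the GWN, matching the design goal stated at the start of Section 3.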

4. Security analysis

This section presents the security analysis of the proposed scheme and proves its security strength. Our scheme can overcome the weaknesses of previous schemes. Our proposed scheme has the following main security features.

4.1. Mutual authentication and session key agreement

Mutual authentication is a critical feature for verifying mutual validity among the GWN, U, and S in WSNs. Because encryption and a message authentication code (MAC) are required to protect data transmission between U and S, a session key must be negotiated in advance between these two participants [7]. In this section, we first illustrate the mutual authentication analysis of the proposed scheme and then present the formal proofs. In the authentication and key agreement phase of the proposed scheme, mutual authentication between the GWN and S is accomplished by computing the verification values q2 and q3. In Step V3, S verifies the legitimacy of the GWN by checking that the received q2 equals its locally recomputed value, where q2 = h(ID∥TC∥N). The temporal credential TC is bound into q2, so only a party holding TC can produce it; this is how the sensor node S authenticates the GWN. In Step V4, the GWN verifies the legitimacy of S by checking that the received q3 equals its locally recomputed value, where q3 = h(ID∥SID∥K∥N∥N). The secret sharing key K is bound into q3; this is how the GWN authenticates S. Mutual authentication between U and the GWN is accomplished by computing the verification values q1 and q3. In Step V2, the GWN verifies the legitimacy of U by checking that the received q1 equals its locally recomputed value, where q1 = h(ID∥TC∥N); because TC is bound into q1, the GWN authenticates the user U. In Step V4, U verifies the legitimacy of S by checking that the received q3 equals its locally recomputed value, where q3 = h(ID∥SID∥K∥N∥N); because K is bound into q3, the user U authenticates the sensor node S. In addition, because S has already authenticated the GWN, U authenticates the GWN transitively. Note that U's assurance about the GWN is therefore indirect: U checks no value computed under a GWN-held secret and relies on S having checked q2, which is also what the proof of Lemma 3 (step S19) relies on.
Therefore, on the basis of the temporal credential and the secret sharing key, U, S, and the GWN mutually authenticate each other in the proposed protocol. In Step V4, after mutual authentication is complete, U, the GWN, and S separately compute the shared session key KEY = h(K∥K∥N∥N∥SID), where the two secret sharing keys K and K are selected randomly by U and by S, respectively. Thus U, S, and the GWN share a common session key after finishing the mutual authentication phase, and the key is validated by all three parties. This illustrates that our scheme provides session key agreement and mutual authentication. The formal proofs are given in the following lemmas and in Proposition 1. We use BAN logic [3, 21–24] to formally validate the mutual authentication and session key agreement of our scheme. BAN logic is widely used to validate authentication and key-establishment protocols [3, 21–24]: it provides a logic of authentication in which a protocol's beliefs are derived step by step. The notation of BAN logic is presented in Table 2, in which the symbols X and Y range over statements and P and Q are principals [20–22, 42].
Table 2. Notations of BAN logic.

Notation     Definition
P ◁ X        P sees X: P can receive and read X (possibly after doing some decryption).
P |~ X       P said X: P once sent a message including the statement X.
P |⇒ X       P controls X: P has jurisdiction over X.
P |≡ X       P believes X: P is entitled to believe X.
#(X)         fresh(X): X is regarded as a fresh statement.
⟨X⟩_Y        X is combined with Y; Y is a secret.
(X, Y)       X and Y are said simultaneously.
P ↔^K Q      P and Q share a common key K.
P ⇌^Y Q      The statement Y is known only to P and Q.
The essential logical postulates of BAN logic are as follows [20–22, 42]:

Freshness-propagation rule: if P is entitled to believe that one part of a formula (X, Y) is fresh, then P is also entitled to believe that the entire formula (X, Y) is fresh.
Receiving rule: if a principal P can receive and read a formula (X, Y) or a formula ⟨X⟩_Y, then P can also receive and read its component X.
Nonce-verification rule: if P is entitled to believe that X is a fresh statement and that Q once said X, then P believes that Q believes X.
Jurisdiction rule: if P believes that Q has jurisdiction over X and that Q believes X, then P believes X.
Message-meaning rule: if P is entitled to believe that the key Y is shared with Q, and P sees X encrypted under Y, then P is entitled to believe that Q once said X.
Session-key rule, where the statement X is an element of the combined session key K [21, 44]: if P is entitled to believe that K is fresh and that Q believes X, then P believes that P and Q share the common key K.

To validate the proposed protocol, we first summarize our scheme in generic form [20, 21, 42]:

Message m1. U → GWN: {DID, q1, PKS, TE, P, N} = {ID ⊕ h(TC∥ID∥N), h(ID∥TC∥N), K ⊕ h(TC∥N), TE, h(ID∥ID∥TE), N}.
Message m2. GWN → S: {DID, DID, q2, PKS, ID, N, N} = {ID ⊕ h(TC∥ID∥N), ID ⊕ h(TC∥DID∥N), h(ID∥TC∥N), K ⊕ h(TC∥N), ID, N, N}.
Message m3. S → GWN: {SID, q3, PKS, N, N} = {SID, h(ID∥SID∥K∥N∥N), K ⊕ h(K∥N∥N), N, N}.
Message m4. S → U: {SID, q3, PKS, N, N} = {SID, h(ID∥SID∥K∥N∥N), K ⊕ h(K∥N∥N), N, N}.

Subsequently, we transform the generic form into the idealized form:

I1. U → GWN: , ,
I2. GWN → S: , , ,
I3. S → GWN: ,
I4. S → U: ,

To analyze our scheme, we use the following assumptions:

A1.   A2.   A3.   A4.
A5. GWN |≡ #(N)            A6. S |≡ #(N)
A7. U |≡ #(N, N)           A8. GWN |≡ #(N, N)
A9. GWN |≡ U |⇒ N          A10. S |≡ GWN |⇒ N
A11. GWN |≡ S |⇒ (N, N)    A12. U |≡ S |⇒ (N, N)

Lemma 1. The GWN in our scheme can authenticate U, and S can authenticate the GWN.

Proof. In our scheme, U produces a nonce N and transmits it to the GWN. After obtaining N, the GWN generates its own nonce N and sends the nonce pair (N, N) to S. To prove that the GWN can authenticate U, the following belief must be established:
B1. GWN |≡ N
To prove that S can authenticate the GWN, the following belief must be established:
B2. S |≡ N

Steps for proving B1:
S1. GWN sees the components of I1. (Apply the Receiving rule and I1.)
S2. GWN |≡ U |~ N. (Apply the Message-meaning rule, A1, and S1.)
S3. GWN |≡ U |≡ N. (Apply the Nonce-verification rule, A5, and S2.)
S4. GWN |≡ N, that is, B1 holds. (Apply the Jurisdiction rule, A9, and S3.)
Consequently, the GWN authenticates U. Similarly, the steps for proving B2:
S5. S sees the components of I2. (Apply the Receiving rule and I2.)
S6. S |≡ GWN |~ N. (Apply the Message-meaning rule, A3, and S5.)
S7. S |≡ GWN |≡ N. (Apply the Nonce-verification rule, A6, and S6.)
S8. S |≡ N, that is, B2 holds. (Apply the Jurisdiction rule, A10, and S7.)

Lemma 2. The GWN in our scheme can authenticate S, and U can also authenticate S.

Proof. In our scheme, after receiving the nonces (N, N), S returns (N, N) to the GWN and to U. To prove that the GWN can authenticate S, the following belief must be established:
B3. GWN |≡ (N, N)
To prove that U can authenticate S, the following belief must be established:
B4. U |≡ (N, N)

Steps for proving B3:
S9. GWN sees the components of I3. (Apply the Receiving rule and I3.)
S10. GWN |≡ S |~ (N, N). (Apply the Message-meaning rule, A2, and S9.)
S11. GWN |≡ S |≡ (N, N). (Apply the Nonce-verification rule, A8, and S10.)
S12. GWN |≡ (N, N), that is, B3 holds. (Apply the Jurisdiction rule, A11, and S11.)
Consequently, the GWN can authenticate S. Similarly, the steps for proving B4:
S13. U sees the components of I4. (Apply the Receiving rule and I4.)
S14. U |≡ S |~ (N, N). (Apply the Message-meaning rule, A4, and S13.)
S15. U |≡ S |≡ (N, N). (Apply the Nonce-verification rule, A7, and S14.)
S16. U |≡ (N, N), that is, B4 holds. (Apply the Jurisdiction rule, A12, and S15.)

Lemma 3. In our scheme, the GWN, U, and S can agree on the common session key KEY.

Proof. To prove that U, the GWN, and S share the session key KEY = h(K∥K∥N∥N∥SID), the following beliefs must be established:
B5. U |≡ U ↔^KEY GWN        B6. GWN |≡ GWN ↔^KEY U
B7. S |≡ S ↔^KEY GWN        B8. GWN |≡ GWN ↔^KEY S

Steps for proving B5:
S17. U |≡ S |≡ (N, N). (Apply S15.)
S18. S |≡ GWN |≡ N. (Apply S7.)
S19. U |≡ GWN |≡ N. (Apply Lemma 1, Lemma 2, S17, and S18.)
S20. U |≡ #(N, N). (Apply A7.)
S21. U |≡ #(KEY). (Apply S20 and the Freshness-propagation rule.)
S22. U |≡ U ↔^KEY GWN, that is, B5 holds. (Apply the Session-key rule, S19, and S21.)
Consequently, U believes that it shares the session key KEY with the GWN. Similarly, the steps for proving B6:
S23. GWN |≡ U |≡ N. (Apply S3.)
S24. GWN |≡ #(N). (Apply A5.)
S25. GWN |≡ #(KEY). (Apply S24 and the Freshness-propagation rule.)
S26. GWN |≡ GWN ↔^KEY U, that is, B6 holds. (Apply S23, S25, and the Session-key rule.)
Consequently, the GWN believes that it shares the session key KEY with U. The steps for proving B7:
S27. S |≡ GWN |≡ N. (Apply S7.)
S28. S |≡ #(N). (Apply A6.)
S29. S |≡ #(KEY). (Apply the Freshness-propagation rule and S28.)
S30. S |≡ S ↔^KEY GWN, that is, B7 holds. (Apply the Session-key rule, S27, and S29.)
Consequently, S believes that it shares the session key KEY with the GWN. Similarly, the steps for proving B8:
S31. GWN |≡ S |≡ (N, N). (Apply S11.)
S32. GWN |≡ #(N). (Apply A5.)
S33. GWN |≡ #(KEY). (Apply S32 and the Freshness-propagation rule.)
S34. GWN |≡ GWN ↔^KEY S, that is, B8 holds. (Apply S31, S33, and the Session-key rule.)
Consequently, the GWN believes that it shares the session key KEY with S.

Proposition 1. U, the GWN, and S in our scheme can mutually authenticate each other and can share a common session key.

Proof. From Lemma 2, U in our scheme can authenticate S. In addition, S can authenticate the GWN (Lemma 1); thus U can further authenticate the GWN as well. Conversely, the GWN can authenticate U (Lemma 1). Consequently, the GWN and U in our scheme can mutually authenticate each other. The GWN can authenticate S (Lemma 2).
Conversely, S can authenticate the GWN (Lemma 1). Consequently, the GWN and S in our scheme can mutually authenticate each other, and mutual authentication is provided in our scheme. After finishing the mutual authentication, U, the GWN, and S can share the session key KEY = h(K∥K∥N∥N∥SID) (Lemma 3). Session key agreement is therefore also provided in our scheme.
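The three-party exchange analysed in this section, as an added runnable example that is not part of the paper and is not the authors' code. It models messages m1–m4, the verifiers q1–q3, the credential derivation TC_i = h(P_i∥K_GWN-U∥TE_i) with P_i = h(ID_i∥ID_GWN∥TE_i), and KEY = h(K_i∥K_S∥N_i∥N_GWN∥SID) as given in the text (N_GWN and K_S are this example's labels for the GWN's nonce and the sensor's secret sharing key). Everything else is an assumption of this example: the sensor credential TC_S = h(SID∥K_GWN-S) shared between the GWN and S, 32-byte fields, SHA-256 with length-prefixed concatenation in place of the paper's h(.), the GWN's check that P_i is bound to the recovered ID_i, and a GWN cache of accepted (ID_i, N_i) pairs. The paper argues replay resistance from the adversary's inability to derive KEY, not from rejection at the GWN; the cache is the defence-in-depth a deployment would add.

```python
# Added example, not the paper's code: a runnable model of the Section 4.1 exchange.
# m1..m4, q1..q3, TC_i = h(P_i||K_GWN-U||TE_i), P_i = h(ID_i||ID_GWN||TE_i) and
# KEY = h(K_i||K_S||N_i||N_GWN||SID) follow the text.  Assumptions of this example only:
# TC_S = h(SID||K_GWN-S), 32-byte fields, SHA-256 with length-prefixed concatenation,
# the P_i binding check at the GWN, and the GWN's cache of accepted (ID_i, N_i) pairs.
import hashlib, hmac, os

FIELD = 32  # byte width of identities, keys and nonces (assumption)

def h(*parts):
    """Stand-in for the paper's h(.): SHA-256 over length-prefixed fields."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad(s):
    return s.encode().ljust(FIELD, b"\0")

def derive_key(msg, id_gwn, k_i, n_i, n_gwn):
    """Step V4 at U or the GWN: verify q3 under K_i, unmask K_S, compute KEY."""
    sid, q3, pks3, n_i_rx, n_gwn_rx = msg
    if (n_i_rx, n_gwn_rx) != (n_i, n_gwn):
        return None                                   # nonces belong to another session
    if not hmac.compare_digest(q3, h(id_gwn, sid, k_i, n_i, n_gwn)):
        return None                                   # sender does not hold K_i
    k_s = xor(pks3, h(k_i, n_i, n_gwn))
    return h(k_i, k_s, n_i, n_gwn, sid)

class Gateway:
    def __init__(self, id_gwn):
        self.id, self.k_gwn_u = pad(id_gwn), os.urandom(FIELD)  # K_GWN-U: known to the GWN only
        self.k_gwn_s, self.seen = {}, set()  # per-sensor secrets; accepted (ID_i, N_i) pairs

    def register_user(self, id_i, te_i):
        return h(h(pad(id_i), self.id, te_i), self.k_gwn_u, te_i)  # TC_i = h(P_i||K_GWN-U||TE_i)

    def register_sensor(self, sid):
        self.k_gwn_s[pad(sid)] = os.urandom(FIELD)
        return h(pad(sid), self.k_gwn_s[pad(sid)])  # TC_S (assumption)

    def on_m1(self, m1, sid):
        """Step V2: recover TC_i, unmask ID_i and K_i, verify q1 and P_i, emit m2."""
        did, q1, pks, te_i, p_i, n_i = m1
        tc_i = h(p_i, self.k_gwn_u, te_i)
        id_i = xor(did, h(tc_i, self.id, n_i))
        if not hmac.compare_digest(q1, h(id_i, tc_i, n_i)):
            return None                               # U did not prove knowledge of TC_i
        if not hmac.compare_digest(p_i, h(id_i, self.id, te_i)):
            return None                               # P_i is not bound to the recovered ID_i
        if (id_i, n_i) in self.seen:
            return None                               # replayed login request
        self.seen.add((id_i, n_i))
        k_i, n_gwn = xor(pks, h(tc_i, n_i)), os.urandom(FIELD)
        tc_s = h(pad(sid), self.k_gwn_s[pad(sid)])
        self.session = (k_i, n_i, n_gwn)              # state for Step V4; keyed per session in practice
        return (h(self.id, tc_s, n_gwn), xor(k_i, h(tc_s, n_gwn)), self.id, n_i, n_gwn)

class Sensor:
    def __init__(self, sid, tc_s):
        self.sid, self.tc_s, self.key = pad(sid), tc_s, None

    def on_m2(self, m2):
        """Step V3: verify q2 under TC_S, unmask K_i, choose K_S, emit m3 (same content as m4)."""
        q2, pks2, id_gwn, n_i, n_gwn = m2
        if not hmac.compare_digest(q2, h(id_gwn, self.tc_s, n_gwn)):
            return None                               # sender does not hold TC_S
        k_i, k_s = xor(pks2, h(self.tc_s, n_gwn)), os.urandom(FIELD)
        self.key = h(k_i, k_s, n_i, n_gwn, self.sid)
        q3 = h(id_gwn, self.sid, k_i, n_i, n_gwn)
        return (self.sid, q3, xor(k_s, h(k_i, n_i, n_gwn)), n_i, n_gwn)

class User:
    def __init__(self, id_i, id_gwn, tc_i, te_i):
        self.id, self.id_gwn, self.tc, self.te = pad(id_i), pad(id_gwn), tc_i, te_i

    def login(self):
        """Login phase: m1 = {DID, q1, PKS, TE_i, P_i, N_i} with fresh N_i and K_i."""
        self.n_i, self.k_i = os.urandom(FIELD), os.urandom(FIELD)
        did = xor(self.id, h(self.tc, self.id_gwn, self.n_i))
        q1 = h(self.id, self.tc, self.n_i)
        pks = xor(self.k_i, h(self.tc, self.n_i))
        return (did, q1, pks, self.te, h(self.id, self.id_gwn, self.te), self.n_i)

    def on_m4(self, m4):
        return derive_key(m4, self.id_gwn, self.k_i, self.n_i, m4[4])

def demo():
    """Honest run, then a replayed m1, then a forged m1 from a party that lacks TC_i."""
    gwn, te_i = Gateway("GWN-1"), os.urandom(FIELD)
    user = User("alice", "GWN-1", gwn.register_user("alice", te_i), te_i)
    sensor = Sensor("S-7", gwn.register_sensor("S-7"))
    m1 = user.login()
    m3 = sensor.on_m2(gwn.on_m1(m1, "S-7"))
    keys = (user.on_m4(m3), derive_key(m3, gwn.id, *gwn.session), sensor.key)
    replay = gwn.on_m1(m1, "S-7")                     # same (ID_i, N_i) again: refused
    did, _, pks, te, p_i, _ = m1                      # eavesdropper reuses DID, PKS, P_i
    n_fake, tc_guess = os.urandom(FIELD), os.urandom(FIELD)
    forged = gwn.on_m1((did, h(user.id, tc_guess, n_fake), pks, te, p_i, n_fake), "S-7")
    return keys, replay, forged
```

Running `demo()` shows the three properties the section argues: after an honest run U, the GWN, and S hold the same KEY; a replayed m1 is refused because its (ID_i, N_i) pair has already been accepted; and an eavesdropper who has m1 but not TC_i cannot produce a q1 that the GWN accepts under a fresh nonce, since the GWN recomputes TC_i from P_i and K_GWN-U rather than trusting the sender. The length-prefixed hash and the P_i binding check are not in the paper; both close ambiguities (field boundaries inside h(a∥b), and which ID_i a given P_i was issued for) that a hash-and-XOR scheme otherwise leaves to the implementer.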

4.2. Password protection, guessing attack resistance, and stolen smart card attack resistance

When a user's smart card is stolen or lost, an adversary can extract the information stored on it and then attempt to masquerade as the authorized user to access the GWN. Password protection prevents the leakage of password information, so that the adversary obtains nothing useful for an off-line password guessing attack. Proposition 2. The proposed scheme can provide password protection, guessing attack resistance, and stolen smart card attack resistance. Proof: In our scheme, the password appears only in the form h(r⊕PW), in which both PW and r are hidden, and h(r⊕PW) is not stored on the smart card, at the GWN, or on any other device. Thus, the adversary cannot recover PW by performing an off-line password guessing attack against h(r⊕PW) [45]. Therefore, the proposed scheme provides password protection and guessing attack resistance. Moreover, smart card secrets can be extracted by monitoring power consumption or by analysing leaked information [25, 42, 46]; an adversary holding a card lost by its legitimate owner can therefore obtain the secret parameters stored on it. We now show that the proposed scheme also resists stolen smart card attacks, that is, that an adversary who has obtained a legitimate user's smart card cannot masquerade as that user to log in to the GWN. Suppose that the smart card of user U is stolen or lost and the adversary obtains it. The adversary then learns the secret parameters {ID, PTC, TE, B, R, r, h(.)} stored on the card. To impersonate a legitimate user, the adversary must produce a new nonce, randomly choose an imitative secret sharing key, and create an imitative login request message {, , , TE, P, } for the GWN.
The imitative parameters {, , , P} are computed from the following equations: = IDi ⊕ h(TCi∥IDGWN∥), = h(IDi∥TCi∥), = ⊕ h(TCi∥), Pi = h(IDi∥IDGWN∥TEi). Therefore, to obtain the imitative parameters {, , , P}, the adversary must first obtain TC and ID from the equations TCi = h(Pi∥KGWN-U∥TEi), TC = PTC⊕h(r⊕PW), and ID = DID⊕h(TC∥ID∥N). The adversary cannot obtain TC and ID, however, because he/she possesses neither KGWN-U nor PW: only the GWN knows the private key KGWN-U, and, as shown above, the scheme provides password protection, so PW cannot be recovered by an off-line password guessing attack. Therefore, the imitative parameter set {, , , P} of a login request message cannot be produced, and the adversary cannot masquerade as an authorized user with the smart card alone.

4.3. Two-factor security

By involving both a smart card and a password in the login phase, our scheme achieves two-factor security [9, 37, 47, 48]. Proposition 3. Two-factor security can be provided in our scheme. Proof: First, assume that the adversary has only the smart card of Ui, and even that the adversary can intercept the login request message m1 = {DID, q1, PKS, TE, P, N}. As noted in Proposition 2, the adversary can obtain the secret parameters {ID, PTC, TE, B, R, r, h(.)} from the smart card. To impersonate a legitimate user, the adversary must produce a new nonce, randomly choose a new sharing key, and create an imitative login request message {, , , TEi, Pi, } for the GWN, where = IDi ⊕ h(TCi∥IDGWN∥), = h(IDi∥TCi∥), and = ⊕ h(TCi∥). Consequently, to obtain the parameter set {, , }, the adversary must acquire TCi and IDi from the equations TCi = h(Pi∥KGWN-U∥TEi), TCi = PTCi ⊕ h(ri⊕PWi), and IDi = DIDi ⊕ h(TCi∥IDGWN∥Ni). The adversary cannot acquire TCi and IDi, however, because he/she possesses neither KGWN-U nor PWi: only the GWN knows the private key KGWN-U, and we have shown that the scheme provides password protection against leakage of PWi (Section 4.2). Therefore, the parameter set {, , } of the login request message cannot be produced, and the adversary cannot masquerade as an authorized user with the smart card alone. Second, assume that the adversary has only the password PWi and identity IDi of Ui. In this case the adversary still cannot obtain TCi to compute the parameters {, , }, because he/she knows neither KGWN-U (held only by the GWN) nor PTCi (held only on the smart card, which the adversary does not possess). Therefore, the adversary cannot impersonate an authorized user with either the contents of the smart card or the pair {IDi, PWi} alone. Our scheme withstands this type of masquerade attack and provides two-factor security.

4.4. Masquerade attack resistance and replay attack resistance

Protection against masquerade attacks is a principal security feature of any remote user authentication scheme. Replay attack resistance means that an adversary cannot replay a previously intercepted message to spoof the GWN. Proposition 4. Our scheme can provide masquerade attack resistance and replay attack resistance. Proof: Proposition 3 has shown that our scheme protects against masquerade attacks based on either the loss of a smart card or the disclosure of the identity and password pair {ID, PW}. It remains to show that the scheme resists other masquerade attacks. We may even assume that the adversary is a legitimate user L who attempts to impersonate another user U. Adversary L may intercept the login request message m1 = {DID, q1, PKS, TE, P, N}. Adversary L knows his/her own {ID, PW} and can extract {ID, PTC, TE, B, R, r, h(.)} from his/her own smart card, being a registered user. Adversary L generates a new nonce, randomly chooses an imitative secret sharing key, and creates an imitative login request message {, , , TE, P, } for the GWN, where = ID ⊕ h(TC∥ID∥), = h(ID∥TC∥), and = ⊕ h(TC∥). Nevertheless, adversary L still cannot obtain U's TC and ID to compute the parameters {, , }, because he/she possesses neither KGWN-U nor U's PW (Proposition 2). In addition, adversary L cannot compute the shared session key KEY = h(K∥K∥N∥N∥SID), because he/she does not know the two secret sharing keys K and K that enter KEY. Thus, adversary L cannot impersonate any other legitimate user, and our scheme protects against masquerade attacks in which an adversary impersonates another legitimate user. Adversary L may also replay the intercepted message {DID, q1, PKS, TE, P, N} to the GWN. However, after receiving the resulting message m4 = {SID, q3, PKS, N, N}, adversary L cannot compute the shared session key KEY = h(K∥K∥N∥N∥SID), because he/she cannot obtain K and K. Consequently, resistance to replay attacks is guaranteed as well. Note that this argument shows that a replayed m1 yields the adversary no usable session key; it does not rely on the GWN detecting the replay, so a deployment that wants replayed requests rejected outright must additionally keep a short-lived record of the nonces it has accepted.
Next, we show that an adversary cannot masquerade as a sensor node to spoof the user. Suppose that adversary L has intercepted message m2 = {DID, DID, q2, PKS, ID, N, N} as the GWN sends it to S. To masquerade as a sensor node and spoof the user, the adversary must randomly choose an imitative secret sharing key and send an imitative response message {SID, q3, , N, N} to the GWN, where q3 = h(ID∥SID∥K∥N∥N) and = ⊕ h(K∥N∥N). To compute the parameters {q3, }, the adversary must first know K, which can be obtained only from K = PKS ⊕ h(TC∥N). Nevertheless, the adversary cannot obtain K because he/she does not possess the temporal credential TC. Therefore, the parameters {q3, } cannot be produced, and the adversary cannot send an imitative response message {SID, q3, , N, N} to the GWN. Consequently, our scheme protects against masquerade attacks in which an adversary poses as a sensor node to spoof the user.

4.5. Stolen verifier attack resistance and insider attack resistance

In a stolen verifier attack, the adversary steals the verification table from the GWN or S. In an insider attack, a privileged insider of the GWN deliberately obtains a user's password, which undermines the remote user authentication scheme [41, 49]. Proposition 5. Our scheme can protect against stolen verifier attacks and insider attacks. Proof: The GWN and S in our scheme retain no verification table for checking the legitimacy of registered users or sensor nodes. Therefore, the adversary can find no verifiable information at the GWN or S with which to impersonate a legitimate user, and our scheme protects against stolen verifier attacks [9, 40]. Moreover, U presents only h(r⊕PW) when registering with the GWN, so r and PW are hidden from the GWN, and the GWN does not store the verifier h(r⊕PW) either. A privileged insider of the GWN therefore cannot recover PW by an off-line password guessing attack [45]. Consequently, our scheme resists insider attacks [41].

4.6. Password updating, adding new user functionality, and time synchronization avoidance

In our scheme, users are not obliged to share their IDs and passwords with the GWN before registration. During registration, a new user U can freely choose an identity string ID and a password PW without assistance from the GWN, and any new legitimate user can be added to the system after registration. The proposed scheme therefore provides a convenient means of adding new users. Moreover, as noted above, security policy strongly recommends that users update or change their passwords frequently to protect against compromise [32]. In the password change phase of our scheme, a legitimate user U can freely choose a new password and update it without exchanging any additional messages with the GWN (Fig 5). Consequently, our scheme provides freely chosen passwords and efficient password updating. Finally, our scheme is nonce-based and requires no timestamp to verify mutual authentication among U, the GWN, and S. Consequently, our scheme does not require synchronized clocks on all devices [3, 17, 18] and avoids the time-synchronization problem for WSNs in IoT environments [3, 17, 25].

4.7. User anonymity (identity protection)

User anonymity (identity protection) means that the identity of any user is disclosed only to the service providers [9]. Proposition 6. Our scheme can provide user anonymity to protect user identity. Proof: The adversary can intercept message m1 = {DID, q1, PKS, TE, P, N} in an attempt to learn the identity string of U. The parameters DID, q1, PKS, and P are computed as follows: DID = ID ⊕ h(TC∥ID∥N), q1 = h(ID∥TC∥N), PKS = K ⊕ h(TC∥N), P = h(ID∥ID∥TE). However, Proposition 2 shows that the adversary cannot obtain ID and TC because he/she knows neither KGWN-U nor PW, and the identity string ID cannot be derived from the equations above either. Therefore, an adversary cannot obtain ID to identify the user U, and our scheme provides user anonymity to protect user identity.

4.8. GWN bypassing attack resistance and GWN spoofing attack resistance

A GWN bypassing attack occurs when an adversary bypasses the GWN and forges a verification message directly to the sensor node S without passing the GWN login [7]. A GWN spoofing attack occurs when an adversary impersonates the GWN to obtain the private login information of U. Proposition 7. Our scheme can protect against GWN bypassing attacks and GWN spoofing attacks. Proof: To bypass the GWN, an adversary must send an imitative verification message m2 = {DID, DID, q2, PKS, ID, N, N} directly to S, where q2 = h(ID∥TC∥N). However, the adversary cannot compute q2 to forge m2 because he/she does not know the temporal credential TC; thus, the adversary cannot bypass the GWN by forging m2 to S, and without m2 S responds with nothing. Consequently, our scheme prevents GWN bypassing attacks. To pose as the GWN, the adversary may intercept a login request message m1 = {DID, q1, PKS, TE, P, N} and respond to U with an imitative message m4 = {SID, q3, PKS, N, N}, where q3 = h(ID∥SID∥K∥N∥N). The verification value q3 includes the secret sharing key K. However, as shown in Proposition 4, the adversary cannot obtain K because he/she does not know the temporal credential TC. Therefore, the adversary cannot compute q3 and cannot send an imitative message m4 = {SID, q3, PKS, N, N} in response to U, so the adversary cannot convince U that he/she is a legitimate GWN. Consequently, our scheme protects against GWN spoofing attacks.

5. Performance evaluation and functionality comparison

Performance and functionality evaluations are critical to establish validity for practical deployment. In this section, the performance and functionality of our scheme are evaluated. The performance efficiency and functional effectiveness of our authentication scheme are demonstrated.

5.1. Functionality comparison

Table 3 presents a functionality comparison of our scheme with previous related schemes. In Table 3, Yes denotes that the scheme has a security feature and No denotes the contrary. The weaknesses of the previous related schemes for WSNs are discussed in Section 2 and summarized in Table 3. We present a practical scenario to show that the proposed scheme provides secure and effective functionality for WSNs in IoT environments. Suppose that an adversary, Eve, attempts to break our scheme with the following attacks: guessing attack, stolen smart card attack, masquerade attack, replay attack, stolen verifier attack, insider attack, user anonymity attack, or GWN bypassing attack. Section 4 has shown that our scheme has the following properties. Eve cannot directly obtain a user's password by a password guessing attack. When Eve steals a user's smart card, she cannot impersonate the authorized user to access the system. Even when Eve is a legitimate user who pretends to be a different legitimate user, our scheme protects against this masquerade attack. Eve may replay an intercepted message to the GWN, but our scheme resists replay attacks. Eve cannot breach the system by stealing a verification table, and even as an insider she cannot recover a password by a password guessing attack. Eve may intercept a login request message from the user to learn the user's identity, but the identity cannot be derived from it. Finally, Eve cannot forge a message and send it directly to the sensor node to bypass the GWN. Moreover, our scheme offers further functionality: password updating, freely chosen passwords, adding new users, and time synchronization avoidance. Our scheme provides a secure common session key and mutual authentication and thus protects against all of the listed attacks from Eve.
Table 3. Functionality comparison of our scheme with other related schemes.

Columns: Ours; [2] Ostad-Sharif et al. (2019); [34] Amin et al. (2018); [35] Chang et al. (2016); [7] Xue et al. (2013); [8] Yeh et al. (2011); [32] Khan et al. (2010); [33] Chen et al. (2010); [5] Das (2009). Yes: the scheme has the security feature; No: it does not.

Security feature                      Ours  [2]   [34]  [35]  [7]   [8]   [32]  [33]  [5]
Password protection                   Yes   Yes   Yes   No    No    Yes   Yes   No    No
Stolen smart card attack resistance   Yes   Yes   Yes   No    No    No    No    No    No
Masquerade attack resistance          Yes   Yes   Yes   No    Yes   Yes   Yes   No    No
Replay attack resistance              Yes   Yes   Yes   No    Yes   No    Yes   Yes   Yes
Insider attack resistance             Yes   Yes   Yes   Yes   No    Yes   Yes   No    No
Password updating/changing            Yes   No    Yes   Yes   No    No    Yes   No    No
Time synchronization avoidance        Yes   No    No    No    No    Yes   No    No    No
Mutual authentication                 Yes   No    Yes   Yes   Yes   Yes   Yes   Yes   No
Session key agreement                 Yes   Yes   Yes   Yes   Yes   Yes   No    No    No
User anonymity                        Yes   Yes   Yes   No    Yes   No    Yes   Yes   Yes
GWN bypassing attack resistance       Yes   Yes   Yes   Yes   Yes   Yes   No    No    No

5.2. Performance evaluation

The proposed scheme comprises four phases: the registration phase, the login phase, the authentication and key agreement phase, and the password change phase. In a WSN environment, the performance of an authentication scheme is determined mainly by the authentication and key agreement phase [2, 7, 34, 35], which is the core of the scheme and what chiefly distinguishes the various authentication schemes for WSNs from one another [2, 7, 34, 35]. We therefore focus the performance comparison on the authentication and key agreement phase. Performance is usually compared in terms of communication costs and computational costs [2, 7, 34, 35, 42]. The computational cost is the time spent by the user and the service provider in the process [2, 7, 34, 35, 42]; the communication cost is the number of messages dispatched by the user and the service provider in the process [9, 42]. Table 4 compares our scheme with previous related schemes: it lists the computational and communication costs of the authentication and key agreement phase of each scheme for one run, without considering interference or packet loss [2, 7, 21, 34, 35]. The notation Th denotes the time complexity of one hash operation, and Tecc denotes the time complexity of one encryption/decryption operation in an elliptic curve cryptography (ECC) algorithm [7]. The cost of the exclusive-or operation is usually neglected because it is negligible compared with these operations [2, 7, 34, 35]. We first analyze the computational cost of the authentication and key agreement phase of each scheme as follows:
Table 4. Performance comparison of our scheme with other related schemes (authentication and key agreement phase of one run; Th = one hash operation, Tecc = one ECC encryption/decryption operation).

Columns: Ours; [2] Ostad-Sharif et al. (2019); [34] Amin et al. (2018); [35] Chang et al. (2016); [7] Xue et al. (2013); [8] Yeh et al. (2011); [32] Khan et al. (2010); [33] Chen et al. (2010); [5] Das (2009).

                                Ours   [2]    [34]   [35]   [7]    [8]         [32]   [33]   [5]
Computational cost
  Authentication phase
    User                        4Th    10Th   13Th   3Th    5Th    2Tecc+1Th   3Th    4Th    3Th
    GWN                         8Th    14Th   14Th   5Th    11Th   4Tecc+3Th   5Th    5Th    4Th
    Sensor node                 3Th    3Th    2Th    1Th    3Th    2Tecc+2Th   2Th    2Th    1Th
  Key agreement phase
    User                        3Th    2Th    1Th    3Th    3Th    1Th         -*     -*     -*
    GWN                         3Th    3Th    3Th    3Th    3Th    1Th         -*     -*     -*
    Sensor node                 3Th    2Th    2Th    4Th    3Th    1Th         -*     -*     -*
  Total                         24Th   34Th   35Th   19Th   28Th   8Tecc+9Th
Communication cost
  Transmitted messages          4      6      6      4      4      3           4      4      3

* The Khan et al., Chen et al., and Das schemes do not provide a key agreement phase for session key agreement.

In the authentication phase of the Ostad-Sharif et al. scheme [2], the user requires 10Th to compute the parameters of the login request message and the response message. The GWN must spend 14Th to compute the parameters in a response message for the user and a request message for the sensor node. The sensor node must expend 3Th to confirm whether the verification equations hold. In addition, the user, GWN, and sensor node must expend 2Th, 3Th, and 2Th separately to negotiate the shared session key in the key agreement phase. Accordingly, the total computational costs for the user, GWN, and sensor node are 12Th, 17Th, and 5Th, respectively [2]. In the authentication phase of the Amin et al. scheme [34], the user requires 13Th to compute the parameters of the login request message and the response message. The GWN must spend 14Th to compute the parameters in a request message for the sensor node and a response message for the user. The sensor node must expend 2Th to confirm whether the verification equations hold. In addition, the user, GWN, and sensor node must expend 1Th, 3Th, and 2Th separately to negotiate the shared session key in the key agreement phase. Accordingly, the total computational costs for the user, GWN, and sensor node are 14Th, 17Th, and 4Th, respectively [34]. In the authentication phase of the Chang et al. scheme [35], the user requires 3Th to compute the parameters of the login request message. The sensor node must expend 1Th to compute the parameters in a message for the GWN. The GWN must spend 5Th to verify the login request. In addition, the user, GWN, and sensor node must expend 3Th, 3Th, and 4Th separately to negotiate the shared session key in the key agreement phase. Accordingly, the total computational costs for the user, GWN, and sensor node are 6Th, 8Th, and 5Th, respectively [35]. In the authentication phase of the Xue et al. scheme [7], the user requires 5Th to compute the parameters of the login request message. 
The GWN must spend 11Th to verify the login request message and compute the parameters of the request message for the sensor node. The sensor node must expend 3Th to confirm whether the verification equations hold. Moreover, the user, GWN, and sensor node must expend 3Th, 3Th, and 3Th separately to negotiate the shared session key in the key agreement phase. Accordingly, the total computational costs for the user, GWN, and sensor node are 8Th, 14Th, and 6Th, respectively [7]. In the Khan et al. scheme [32], the user must expend 3Th to generate a login request message. The GWN must expend 5Th to confirm whether the verification equations hold and to calculate the parameters of the request message for the sensor node. The sensor node requires 2Th to confirm whether the verification equations hold and to generate a response message for the GWN. However, the Khan et al. scheme does not provide the key agreement phase for the session key agreement. In the Chen et al. scheme [33], the user must expend 4Th to produce a login request message and to validate a response message. The GWN requires 5Th to validate a login request message and to respond to a user’s request. The sensor node must expend 2Th to verify the request message from the GWN and to generate a response message for the user. However, the Chen et al. scheme also does not provide any key agreement phase. In the Das scheme [5], the user requires 3Th to generate the login request message. The GWN must expend 4Th to confirm whether the verification equations hold and to calculate the parameters of the request message for the sensor node. The sensor node requires 1Th to confirm whether the verification equations hold and to generate a response message for the user. The Das scheme [5] does not provide the key agreement phase as well. The Yeh et al. scheme [8] uses elliptic curve cryptography (ECC) to provide both the authentication phase and session key agreement phase. 
That scheme requires the user, GWN, and sensor node to expend 2Tecc + 1Th, 4Tecc + 3Th, and 2Tecc + 2Th, respectively, to complete the authentication phase [7]. Moreover, the user, GWN, and sensor node must each expend 1Th to compute the shared session key in the key agreement phase [7]. Accordingly, the total computational costs of the user, GWN, and sensor node are 2Tecc + 2Th, 4Tecc + 4Th, and 2Tecc + 3Th, respectively [7]. Our proposed scheme provides both the authentication phase and the key agreement phase. In the authentication phase of our scheme, the user requires only 4Th to compute the parameters of the login request message. The GWN expends only 8Th to verify the login request and to compute the parameters of the request message for the sensor node. The sensor node requires only 3Th to confirm that the verification equations hold. In the key agreement phase, the user, GWN, and sensor node expend 3Th each to negotiate the shared session key. Accordingly, the total computational costs for the user, GWN, and sensor node are 7Th, 11Th, and 6Th, respectively. Our proposed scheme uses only hash and XOR operations to build a simple authentication and key agreement scheme, whereas the Yeh et al. scheme [8] builds its authentication and key agreement on an asymmetric algorithm (specifically, ECC). According to the experimental findings of related studies, a one-way hash function is computationally efficient, and its time complexity is lower than that of an asymmetric ECC encryption operation [2, 3, 7, 34, 35].
The following is a practical example of the computational costs. On a 3.2 GHz CPU with 3.0 GB of RAM, one SHA-1 hash operation takes 0.02 ms on average and one asymmetric ECC-160 operation takes 0.45 ms on average [7]; the figures below are obtained by multiplying the operation counts in Table 4 by these unit costs. For the user in one scheme run, the Yeh et al. scheme requires 0.94 ms for 2Tecc + 2Th, the Amin et al. scheme 0.28 ms for 14Th, and the Ostad-Sharif et al. scheme 0.24 ms for 12Th, whereas our scheme completes the run in only 0.14 ms for 7Th. The user's computational load in the proposed scheme is therefore 14.89% of that in the Yeh et al. scheme and 58.33% of that in the Ostad-Sharif et al. scheme. For the GWN, the Yeh et al. scheme requires 1.88 ms for 4Tecc + 4Th, the Amin et al. scheme 0.34 ms for 17Th, and the Ostad-Sharif et al. scheme 0.34 ms for 17Th, whereas our scheme requires only 0.22 ms for 11Th. The GWN's computational load in the proposed scheme is therefore 11.7% of that in the Yeh et al. scheme and 64.7% of that in the Ostad-Sharif et al. scheme. For the sensor node, the Yeh et al. scheme requires 0.96 ms for 2Tecc + 3Th, the Amin et al. scheme 0.08 ms for 4Th, and the Ostad-Sharif et al. scheme 0.1 ms for 5Th, whereas our scheme requires 0.12 ms for 6Th. The sensor node's computational load in the proposed scheme is therefore 12.5% of that in the Yeh et al. scheme; it is slightly higher than the 0.08 ms and 0.1 ms of the Amin et al. and Ostad-Sharif et al. schemes (6Th versus 4Th and 5Th). Note that SHA-1 serves here only as the unit of hash cost; it is no longer recommended for new designs, and a SHA-256 operation on a constrained sensor microcontroller costs more than 0.02 ms, but because every compared scheme except that of Yeh et al. consists solely of hash operations, the ordering among the hash-only schemes does not depend on the hash unit cost chosen.

In Table 4, the total computational costs of the schemes of Yeh et al., Xue et al., Chang et al., Amin et al., Ostad-Sharif et al., and ours are 8Tecc + 9Th, 28Th, 19Th, 35Th, 34Th, and 24Th, respectively. The total running times are therefore 3.78, 0.56, 0.38, 0.7, 0.68, and 0.48 ms, respectively (Fig 6), so the total running time of our scheme is 12.7%, 85.7%, 68.6%, and 70.6% of that of the schemes of Yeh et al., Xue et al., Amin et al., and Ostad-Sharif et al., respectively. Although the total running time of our scheme (0.48 ms) is slightly greater than that of the Chang et al. scheme (0.38 ms), our scheme overcomes the security weaknesses of the previous related schemes and provides greater security functionality (Table 3).
Fig 6

Comparison of running time.

The energy consumption of the Yeh et al. scheme [8] is dominated by the asymmetric ECC operations, with the hash functions contributing a small remainder; by contrast, the energy consumption of our scheme is attributable entirely to hash functions. As mentioned, executing a hash function consumes far less energy than executing an asymmetric ECC operation [38, 39]. A practical example follows: computing a SHA-1 hash over a 1-byte data packet requires 0.76 μJ [43, 38, 39], whereas one operation of a 163-bit ECC asymmetric cryptosystem requires 134.2 mJ [38, 39]. In the comparison below, each hash operation is charged this 1-byte figure. The hash inputs in such schemes are multi-byte concatenations, so the absolute hash-side figures are lower bounds; because the hash-only schemes all scale by the same constant, their relative ordering is unaffected. As previously discussed, the total computational costs of the schemes of Yeh et al., Xue et al., Chang et al., Amin et al., Ostad-Sharif et al., and ours are 8Tecc + 9Th, 28Th, 19Th, 35Th, 34Th, and 24Th, respectively (Table 4). Consequently, the total energy consumption of the schemes of Yeh et al., Xue et al., Chang et al., Amin et al., Ostad-Sharif et al., and ours is 1073606.8 (about 1.07 J), 21.3, 14.4, 26.6, 25.8, and 18.2 μJ, respectively. In each scheme run, the total energy consumed by our scheme is thus 0.0017%, 85.4%, 68.4%, and 70.5% of that consumed by the schemes of Yeh et al., Xue et al., Amin et al., and Ostad-Sharif et al., respectively (Fig 7). Because the total energy consumption of the Yeh et al. scheme is several orders of magnitude larger than that of the other schemes, it is omitted from Fig 7. Although the total energy consumption of our scheme (18.2 μJ) is slightly greater than that of the Chang et al. scheme (14.4 μJ), our scheme provides superior security functionality and overcomes the weaknesses of previous schemes (Table 3).
Fig 7

Comparison of energy consumption.

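The running-time and energy figures above (Table 4, Figs 6 and 7) follow from a linear cost model: each party's operation count multiplied by the unit cost of a hash (Th) or an ECC operation (Tecc). The script below is an added worked example, not code from the paper. It encodes the counts and unit costs quoted in the text, reproduces the totals and the ratios relative to the proposed scheme, and shows how to replace the SHA-1 unit time with a figure measured on the reader's own hardware. The scheme labels (including "Proposed"), the per-hash charging of the 1-byte SHA-1 energy figure, and the 64-byte benchmark input are this example's own assumptions; the ECC unit cost cannot be measured with the Python standard library and is kept at the quoted value.

```python
"""Cost model behind Table 4, Fig 6 and Fig 7 (added example, not the paper's code).

Re-derives running time and energy per scheme from the per-party operation
counts and the unit costs quoted in the text, and lets the hash unit time be
replaced with a local measurement.  Assumption carried over from the text:
each hash invocation is charged the SHA-1 energy for a 1-byte input.
"""
from dataclasses import dataclass
import hashlib
import time


@dataclass(frozen=True)
class OpCount:
    ecc: int = 0     # ECC point operations (Tecc)
    hashes: int = 0  # one-way hash operations (Th)

    def __add__(self, other: "OpCount") -> "OpCount":
        return OpCount(self.ecc + other.ecc, self.hashes + other.hashes)

    def __str__(self) -> str:
        parts = []
        if self.ecc:
            parts.append(f"{self.ecc}Tecc")
        if self.hashes:
            parts.append(f"{self.hashes}Th")
        return " + ".join(parts) or "0"


@dataclass(frozen=True)
class UnitCost:
    hash_ms: float  # time per hash operation (ms)
    ecc_ms: float   # time per ECC operation (ms)
    hash_uj: float  # energy per hash operation (micro-joules)
    ecc_uj: float   # energy per ECC operation (micro-joules)


# Unit costs quoted in the text: SHA-1 and ECC-160 timings on a 3.2 GHz CPU,
# 0.76 uJ for SHA-1 over one byte, 134.2 mJ for a 163-bit ECC operation.
PAPER_PLATFORM = UnitCost(hash_ms=0.02, ecc_ms=0.45, hash_uj=0.76, ecc_uj=134.2e3)

# Per-party counts for authentication + key agreement as given in the text.
# Chang et al. is only reported as a total (19Th) in this section.
SCHEMES = {
    "Yeh et al.":          {"user": OpCount(2, 2),  "gwn": OpCount(4, 4),  "sensor": OpCount(2, 3)},
    "Xue et al.":          {"user": OpCount(0, 8),  "gwn": OpCount(0, 14), "sensor": OpCount(0, 6)},
    "Chang et al.":        {"total": OpCount(0, 19)},
    "Amin et al.":         {"user": OpCount(0, 14), "gwn": OpCount(0, 17), "sensor": OpCount(0, 4)},
    "Ostad-Sharif et al.": {"user": OpCount(0, 12), "gwn": OpCount(0, 17), "sensor": OpCount(0, 5)},
    "Proposed":            {"user": OpCount(0, 7),  "gwn": OpCount(0, 11), "sensor": OpCount(0, 6)},
}


def total_ops(scheme: str) -> OpCount:
    """Sum the per-party counts of one scheme."""
    return sum(SCHEMES[scheme].values(), OpCount())


def running_time_ms(ops: OpCount, cost: UnitCost = PAPER_PLATFORM) -> float:
    return ops.ecc * cost.ecc_ms + ops.hashes * cost.hash_ms


def energy_uj(ops: OpCount, cost: UnitCost = PAPER_PLATFORM) -> float:
    return ops.ecc * cost.ecc_uj + ops.hashes * cost.hash_uj


def compare(cost: UnitCost = PAPER_PLATFORM, baseline: str = "Proposed") -> dict:
    """Per-scheme totals plus the baseline's share of each (the Fig 6 / Fig 7 ratios)."""
    base_ms = running_time_ms(total_ops(baseline), cost)
    base_uj = energy_uj(total_ops(baseline), cost)
    table = {}
    for name in SCHEMES:
        ops = total_ops(name)
        ms, uj = running_time_ms(ops, cost), energy_uj(ops, cost)
        table[name] = {"ops": str(ops), "ms": ms, "uj": uj,
                       "time_ratio": base_ms / ms, "energy_ratio": base_uj / uj}
    return table


def measure_hash_ms(algo: str = "sha256", msg_len: int = 64, iters: int = 20000) -> float:
    """Time one hash of a msg_len-byte constructed input on this machine (ms per call).

    Hash inputs in these schemes are concatenations of several fields, so a
    64-byte input is closer to reality than the 1-byte packet of the energy figure.
    """
    msg = (bytes(range(256)) * (msg_len // 256 + 1))[:msg_len]
    start = time.perf_counter()
    for _ in range(iters):
        hashlib.new(algo, msg).digest()
    return (time.perf_counter() - start) * 1e3 / iters


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:20s} {row['ops']:>12s} {row['ms']:10.2f} ms "
              f"{row['uj']:14.2f} uJ  proposed/this = {row['time_ratio'] * 100:6.1f}%")
    # Re-run with a locally measured hash time; ECC cost kept from the paper.
    local = UnitCost(hash_ms=measure_hash_ms(), ecc_ms=PAPER_PLATFORM.ecc_ms,
                     hash_uj=PAPER_PLATFORM.hash_uj, ecc_uj=PAPER_PLATFORM.ecc_uj)
    print(f"measured SHA-256: {local.hash_ms:.5f} ms/hash -> "
          f"proposed scheme {running_time_ms(total_ops('Proposed'), local):.4f} ms")
```

Run as a script it prints the six rows of Table 4 with the derived times, energies and ratios, then repeats the proposed scheme's total with the hash time measured locally. Substituting a `UnitCost` built from measurements on the target sensor platform gives the practitioner's answer to the caveat above: a slower hash moves every hash-only scheme by the same factor and leaves their ordering intact.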
As mentioned, the communication cost is measured by the number of transmitted messages; fewer messages mean lower message overhead [9, 42]. To complete the authentication and key agreement phase, the schemes of Ostad-Sharif et al., Amin et al., Chang et al., Xue et al., Yeh et al., and ours transmit 6, 6, 4, 4, 3, and 4 messages, respectively (Table 4). Although the communication cost of the proposed scheme (4 transmitted messages) is slightly greater than that of the Yeh et al. scheme (3 transmitted messages), the Yeh et al. scheme incurs a high computational cost (3.78 ms, Fig 6) and large energy consumption (1073606.8 μJ) because of its use of ECC. In this subsection, we have shown that our scheme is highly efficient: low computational cost (0.14 ms for the user, 0.22 ms for the GWN, and 0.12 ms for the sensor node), low energy consumption (18.2 μJ for the authentication and key agreement phase), and low communication cost (4 transmitted messages for the authentication and key agreement phase and none for the password change phase).

6. Conclusions

This paper analyzes the security weaknesses of related authentication schemes and proposes a more efficient and secure authentication scheme for WSNs in IoT environments. The BAN logic method is used to verify our scheme. Finally, we compare the functional effectiveness and performance efficiency of our scheme with those of previously published schemes. Cryptanalysis revealed that our scheme overcomes the security weaknesses of the previously published schemes, and our scheme also satisfies the basic design criteria for an authentication scheme. Consequently, our scheme can enhance security effectiveness in real-world IoT environments and provides additional security functionalities compared with the other schemes discussed. Moreover, performance analysis revealed that our scheme is highly efficient. Our future work and challenges include identifying security risks in heterogeneous IoT environments, whose diverse applications pose serious challenges for securing networks. Future studies will further evaluate the reliability and scalability of the proposed scheme in heterogeneous IoT environments. We are also studying highly secure machine learning-based authentication schemes for WSNs in intelligent IoT environments; integrating Big Data with intelligent IoT networks will be challenging because of the limited resources of WSNs.
References indexed in PubMed (2 in total)

1. Hsiu-Lien Yeh; Tien-Ho Chen; Pin-Chuan Liu; Tai-Hoo Kim; Hsin-Wen Wei. A secured authentication protocol for wireless sensor networks using elliptic curves cryptography. Sensors (Basel), 2011-05-02.
2. Muhammad Khurram Khan; Khaled Alghathbar. Cryptanalysis and security improvements of 'two-factor user authentication in wireless sensor networks'. Sensors (Basel), 2010-03-23.

Cited by (3 in total)

1. Omar A Alzubi. Quantum readout and gradient deep learning model for secure and sustainable data access in IWSN. PeerJ Comput Sci, 2022-06-06.
2. Chi-Tung Chen; Cheng-Chi Lee; Iuon-Chang Lin. Correction: Efficient and secure three-party mutual authentication key agreement protocol for WSNs in IoT environments. PLoS One, 2020-06-12.
3. Mamoona Majid; Shaista Habib; Abdul Rehman Javed; Muhammad Rizwan; Gautam Srivastava; Thippa Reddy Gadekallu; Jerry Chun-Wei Lin. Applications of Wireless Sensor Networks and Internet of Things Frameworks in the Industry Revolution 4.0: A Systematic Literature Review (Review). Sensors (Basel), 2022-03-08.
