
SLUA-WSN: Secure and Lightweight Three-Factor-Based User Authentication Protocol for Wireless Sensor Networks.

SungJin Yu, YoungHo Park.

Abstract

Wireless sensor networks (WSN) are composed of multiple sensor nodes with limited storage, computation, power, and communication capabilities and are widely used in various fields such as banks, hospitals, institutes to national defense, research, and so on. However, useful services are susceptible to security threats because sensitive data in various fields are exchanged via a public channel. Thus, secure authentication protocols are indispensable to provide various services in WSN. In 2019, Mo and Chen presented a lightweight secure user authentication scheme in WSN. We discover that Mo and Chen's scheme suffers from various security flaws, such as session key exposure and masquerade attacks, and does not provide anonymity, untraceability, and mutual authentication. To resolve the security weaknesses of Mo and Chen's scheme, we propose a secure and lightweight three-factor-based user authentication protocol for WSN, called SLUA-WSN. The proposed SLUA-WSN can prevent security threats and ensure anonymity, untraceability, and mutual authentication. We analyze the security of SLUA-WSN through the informal and formal analysis, including Burrows-Abadi-Needham (BAN) logic, Real-or-Random (ROR) model, and Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation. Moreover, we compare the performance of SLUA-WSN with some existing schemes. The proposed SLUA-WSN better ensures the security and efficiency than previous proposed scheme and is suitable for practical WSN applications.


Keywords:  AVISPA simulation; BAN logic; ROR model; authentication; wireless sensor networks

Year:  2020        PMID: 32722503      PMCID: PMC7436245          DOI: 10.3390/s20154143

Source DB:  PubMed          Journal:  Sensors (Basel)        ISSN: 1424-8220            Impact factor:   3.576


1. Introduction

Wireless sensor networks (WSN) are widely exploited in terms of enormous applicability [1] and have been used in various fields such as smart homes, smart factories, healthcare, and environmental monitoring [2,3,4,5,6,7,8]. Generally, WSN consist of a gateway node (GWN), a user, and a sensor node (SN) which are resource-limited in smart devices (things, sensors, etc.) [9]. SNs are deployed in various fields and collect a large amount of real-time data. GWN manages data collected by deployed SNs to provide services for legitimate users. One of the application areas of WSN is a smart home with sensor devices, which provides a better daily life for users [10,11]. A smart home provides various services for users such as automatic checking of the temperature and humidity of the house and controlling light bulbs. However, it may cause serious privacy problems [12,13] because the data collected by SNs are exchanged through a public channel. If data collected by SNs is exposed, a malicious adversary can obtain the private information of users such as daily routines and habits in the house, and also can use the information for criminal purposes. Furthermore, in these application scenarios, smart devices are resource-constrained in terms of computation, communication, and storage overheads, and it is not suitable to apply asymmetric cryptosystems that generate high computational overheads [14]. Therefore, secure and lightweight authentication and key agreement protocols are indispensable to provide secure services for legal users in WSN environments.

The secure and lightweight authentication and key agreement protocols must consider the following security requirements.

Three-factor security: The protocol must meet the three-factor security to protect the legitimate user’s privacy.

Preventing well-known attacks: The protocol for WSN must be secure against potential attacks, including smart card stolen, masquerade, privileged insider, man-in-the-middle (MITM) attacks, and so on.

Preventing sensor node capture attack: Even if some sensors are captured by a malicious adversary, it is hard for an adversary to pretend to be other sensors.

Preventing offline password guessing attack: The protocol must prevent the guessing of the legitimate user’s real password if a malicious adversary either intercepts the transmitted messages or accesses smart card contents.

Preventing smart card stolen attack: In this attack it is assumed that a malicious adversary can attain the stored secret parameters on the smart card, thus the knowledge of attained parameters should not be enough for the malicious adversary to attain useful information to masquerade as a legal user.

Preventing privileged insider attack: The protocol must be secure against privileged insider attacks where the insider having privileges in the database may access the secret credentials and misuse the contents.

Anonymity and untraceability: A malicious adversary cannot reveal and trace the real identity of a legitimate user.

User authentication and key agreement: The protocol must mutually authenticate among entities and successfully establish a secure session key.

Confidentiality: All transmitted messages communicated between the participants must be safely transmitted using a secret credential so that only legal participants can verify the message.

In 2019, Mo and Chen [15] proposed an elliptic curve cryptosystem (ECC)-based user authentication scheme for WSN. Mo and Chen claimed that their scheme prevents various attacks and provides user anonymity, untraceability, and authentication. However, we prove that their scheme suffers from many drawbacks, including masquerade and replay and session key exposure attacks, and does not provide user anonymity, untraceability, and mutual authentication. In addition, their scheme is not suitable for WSN environments because it requires high communication and computation costs. Consequently, we propose a secure and lightweight three-factor authentication protocol for WSN (SLUA-WSN), considering the efficiency of smart devices and improving the security level of Mo and Chen’s scheme [15].

1.1. Contributions and Motivations

The main contributions of our paper can be summarized as follows.

We propose a secure and lightweight authentication protocol for WSN to resolve the security problems of Mo and Chen’s scheme utilizing secret parameters and biometrics.

We perform the Burrows–Abadi–Needham (BAN) logic analysis [16] to evaluate that SLUA-WSN ensures secure mutual authentication. We also perform formal security analysis utilizing the Real-or-Random (ROR) model [17] to prove session key security of SLUA-WSN.

We carry out the simulation analysis using the automated verification of internet security protocols and applications (AVISPA) [18,19] to evaluate that SLUA-WSN protects against replay and MITM attacks.

According to the security and performance analysis, we show that the proposed SLUA-WSN achieves better security along with more features, and provides efficient computational, communication, and storage overheads as compared with related schemes.

The motivations of our paper can be summarized as follows.

Authentication and key agreement protocols for WSN are susceptible to well-known attacks, including sensor node capture, masquerade, and replay attacks.

Authentication and key agreement protocols for WSN should provide useful convenience for legitimate users and take into account the security requirements.

Secure and efficient user authentication protocols are essential in WSN, which take into account limitations for resource-constrained smart devices in terms of memory and battery capacity.

We propose a secure and lightweight three-factor authentication protocol for WSN to resolve the security weaknesses of Mo and Chen’s scheme [15]. The proposed SLUA-WSN presents several advantages compared with existing authentication schemes: SLUA-WSN prevents potential attacks, including sensor node capture, replay, privileged insider, and masquerade attacks, and also ensures secure untraceability, user anonymity, and mutual authentication. SLUA-WSN also uses the fuzzy extractor technique to improve the security level of the two-factor-based protocol. Even if two of the three factors are exposed, SLUA-WSN is still secure. Furthermore, SLUA-WSN provides more efficient computation and communication costs than existing schemes because it only uses the hash and XOR operations. Thus, SLUA-WSN is suitable for practical WSN environments because it is more secure and efficient than related schemes.

1.2. Organization

The rest of this article is organized as follows. We introduce the related works for WSN environments in Section 2, and present the preliminaries of this paper in Section 3. Section 4 reviews Mo and Chen’s scheme and then Section 5 proves the security shortcomings of Mo and Chen’s scheme. Section 6 presents a secure and lightweight user authentication protocol for WSN environments to enhance the security shortcomings of Mo and Chen’s scheme. Section 7 evaluates the security analysis of SLUA-WSN by performing informal and formal analysis, including BAN logic, ROR model, and AVISPA simulation. Section 8 presents the results of the performance analysis of the SLUA-WSN compared with those of the related schemes. Finally, we conclude the paper in Section 9.

2. Related Works

In the last few decades, numerous authentication protocols have been proposed to provide user privacy in the WSN environment [20,21,22,23,24,25]. In 1981, Lamport [26] presented the password-based authentication protocol using a single factor to provide user privacy and anonymity. However, Lamport’s scheme [26] was fragile to offline password guessing attacks because it relied solely on the security of the password. To improve these security problems, Das [27] presented a two-factor authentication scheme using smartcard and password. Das [27] claimed that their scheme is secure and efficient because it uses only hash functions and prevents various attacks. However, some researchers [28,29] pointed out that Das’s scheme [27] has various security drawbacks. Nyang and Lee [28] showed that Das’s scheme [27] is fragile to the sensor node capture and offline password guessing attacks. Nyang and Lee [28] presented a secure authentication scheme in WSN to enhance the security problems of Das’s scheme. In 2010, He et al. [29] proposed a two-factor user authentication scheme for WSN. However, in 2011, Kumar and Lee [30] discovered that He et al.’s scheme [29] cannot provide mutual authentication and generate a session key between each entity. Therefore, these smartcard-based two-factor authentication protocols [27,28,29] were fragile to various attacks. Numerous biometric-based three-factor authentication protocols have been proposed [31,32,33] to resolve the above-mentioned security issues. Compared with the existing two-factor authentication schemes using a password and smartcard, biometrics (palms, irises, and fingerprints) cannot be stolen or lost because they are very difficult to forget or lose, copy, distribute, guess, break, and forge. Thus, biometric-based three-factor authentication has a higher security level than two-factor authentication. 
In recent years, many three-factor authenticated key agreement protocols have been proposed to provide various services in WSN environments [34,35,36]. In 2018, Wu et al. [37] presented a secure three-factor user authentication scheme for WSN. However, in 2019, Mo and Chen [15] demonstrated that if the user inputs an incorrect password at the login process in Wu et al.’s scheme [37], the smartcard does not check whether the password is verified, and the protocol will proceed until GWN finds that the login request of the user was invalid, so GWN performs unnecessary computational resources. In 2017, Wang et al. [38] presented an enhanced three-factor user authentication scheme using ECC for WSN. Unfortunately, Wang et al.’s scheme [38] is susceptible to insider attack because the random nonce for the legitimate user is stored in the database of GWN, and the insider can access and modify it so user login can result in failure. In 2018, Li et al. [39] presented a three-factor-based authentication scheme for WSN in Internet of Things (IoT) environments with adoption of fuzzy extractor to provide high security level. However, Mo and Chen [15] pointed out that Li et al.’s scheme [39] cannot provide three-factor security if the stolen/lost smartcard is obtained by the adversary. In addition, their scheme [39] is not as secure as they claimed because the biometric of the user is collected by the adversary without the awareness of the legitimate user. In 2019, Li et al. [40] presented a secure three-factor-based user authentication protocol for wireless medical sensor networks. However, Mo and Chen [15] demonstrated that their scheme [40] is vulnerable to replay attacks. In 2019, Lu et al. [41] proposed a three-factor authenticated key agreement for WSN using ECC. 
However, Mo and Chen [15] proved that Lu et al.’s protocol [41] cannot withstand known session-specific temporary information (KSSTI) attacks and cannot provide three-factor security along with session key security. To improve the security drawbacks of Lu et al.’s scheme, Mo and Chen [15] presented a lightweight secure user authenticated key agreement scheme for WSN using ECC. Mo and Chen [15] claimed that their scheme can prevent potential attacks and can ensure anonymity, untraceability, and authentication. However, we analyze that Mo and Chen’s scheme suffers from various security threats, such as session key exposure and masquerade attacks, and cannot ensure anonymity, untraceability, and mutual authentication. In addition, Mo and Chen’s scheme is not practical for WSN because ECC makes the computation and communication overheads burden very heavy. Therefore, we propose a secure and lightweight three-factor user authentication protocol in WSN, considering the efficiency of smart devices and improving security shortcomings of Mo and Chen’s scheme.

3. Preliminaries

This section introduces the preliminaries to improve the readability of this paper.

3.1. Fuzzy Extractor

This section briefly discusses the concepts of a fuzzy extractor [42]. The fuzzy extractor is a cryptographic method utilizing biometrics to perform secure authentication and it comprises two operations—the generator () and reproduction ()—which are presented below. : After users imprint the biometric input , generates a consistent random string and a random auxiliary string , which is a probabilistic function. : When a noisy biometric is imprinted, reproduces using value , where is public reproduction value related with .
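The generator/reproduction pair described above can be illustrated with a code-offset construction. This is an added example, not code from the paper: the function names `gen` and `rep`, the 5-fold repetition code, the 160-bit template length, and the use of SHA-256 are all assumptions chosen for a compact demonstration.

```python
import hashlib
import secrets

REP = 5                # repetition factor: corrects up to 2 bit flips per group
KEY_BITS = 32          # random bits hidden inside the public helper string
N = REP * KEY_BITS     # assumed fixed length of the biometric template, in bits


def encode(bits):
    """Repetition-code encoder: every bit is repeated REP times."""
    return [b for b in bits for _ in range(REP)]


def decode(bits):
    """Majority-vote decoder for the repetition code."""
    return [int(sum(bits[i:i + REP]) > REP // 2) for i in range(0, len(bits), REP)]


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def gen(bio):
    """Generator: probabilistic; returns (secret string, public helper data)."""
    if len(bio) != N:
        raise ValueError("template must be %d bits" % N)
    k = [secrets.randbits(1) for _ in range(KEY_BITS)]
    sketch = xor_bits(bio, encode(k))          # code-offset: bio XOR codeword
    salt = secrets.token_bytes(16)
    secret = hashlib.sha256(salt + bytes(bio)).hexdigest()
    return secret, (sketch, salt)


def rep(noisy_bio, helper):
    """Reproduction: rebuilds the secret from a noisy reading plus helper data."""
    sketch, salt = helper
    # noisy_bio XOR sketch = codeword XOR error; majority vote removes the error
    k = decode(xor_bits(noisy_bio, sketch))
    bio = xor_bits(sketch, encode(k))          # recovered enrolment template
    return hashlib.sha256(salt + bytes(bio)).hexdigest()


def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (sensor noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


# Constructed sample template (not real biometric data).
SAMPLE_BIO = [(i * i + i // 3) % 2 for i in range(N)]

if __name__ == "__main__":
    secret, helper = gen(SAMPLE_BIO)
    print(rep(flip(SAMPLE_BIO, [0, 7, 13, 14]), helper) == secret)  # tolerable noise
    print(rep(flip(SAMPLE_BIO, [0, 1, 2]), helper) == secret)       # too much noise
```

A repetition code keeps the demonstration short; it is far weaker than the error-correcting codes used in deployed fuzzy extractors, and the helper data reveals structure of a non-uniform template.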

3.2. Attacker Model

We present the well-known Dolev–Yao (DY) threat model [43] to examine the security of SLUA-WSN. In the DY model, the capabilities of the attacker are as follows. Referring to the DY model [43], an attacker can inject, delete, intercept, and eavesdrop the data exchanged over wireless networks. A malicious attacker can steal the smart card of legal users and can extract secret credentials stored in memory utilizing power-analysis [44]. After obtaining the secret credentials of smart card, a malicious attacker may attempt various attacks, including the masquerade, offline password guessing, privileged insider, forward secrecy attacks, and so on [45,46].

3.3. System Model

In 2013, Xue et al. [47] introduced five basic authentication mechanism models for WSN. We adopt the first authentication mechanism model presented by Xue et al. [47]. This authentication model for WSN consists of three entities: the user, the SN, and the GWN, as shown in Figure 1. Initially, the user contacts GWN to initiate the key agreement between them and the SN. In contrast, the SN checks whether the user is legitimate and performs mutual authentication through a GWN. As a result, this model enables mutual authentication between all entities and establishes key agreement between users and corresponding sensor nodes.
Figure 1

Authentication model in wireless sensor network.

4. Review of Mo and Chen’s Scheme

Mo and Chen’s scheme [15] presented a secure authentication protocol to provide useful services in WSN. This protocol comprises three entities: the user, the SN, and the GWN. Mo and Chen’s scheme has four processes: pre-deployment, user registration, authentication, and password update. In the pre-deployment process, the gateway node () selects a unique identity for each sensor () and computes . Then, sends to through a secure channel. Finally, stores in memory. During the user registration process, the issues a smartcard to the legal user who wants to request registration through a secure channel and then helps the agreement of the session key between the and the user. They presented a password update process to maintain a high level of security. Figure 2 shows the registration process of Mo and Chen’s scheme, and also the detailed steps involved in the authentication and key agreement process of Mo and Chen’s scheme are as shown in Figure 3. Furthermore, the password update process is described in the following subsections. Table 1 presents the notations used in this paper.
Figure 2

Registration process of Mo and Chen’s scheme.

Figure 3

Authentication process of Mo and Chen’s scheme.

Table 1

Notations.

Notation  Description
Ui User
GWN Gateway node
Sj Sensor node
IDi Ui’s identity
PWi Ui’s password
SIDj Sj’s identity
KGWN Master key of GWN
Xpub Public key of GWN
Xj Secret key of Sj
E/Fp Elliptic curve E defined on the finite field Fp with order p
G A group for an elliptic curve
P The generator of G
Ek/Dk Symmetric key encryption/decryption
SK Session key
Ti Timestamp
BIO Biometric of Ui
h(·) Hash function
XOR operation
|| Concatenation operation

Password Update Process

If the authorized user requests a new password, Mo and Chen’s scheme can update the password from the gateway as follows. inputs and the old and imprints , and inserts the smartcard () in the reader. After that, the calculates , , and mod t and checks whether holds. If the condition is false, the communication is aborted. inputs a new , computes mod t, , and replaces () with ().

5. Security Flaws of Mo and Chen’s Scheme

We discuss the security flaws of Mo and Chen’s scheme, including session key exposure and masquerade attacks. Furthermore, we discover that Mo and Chen’s scheme cannot ensure user anonymity, untraceability, and mutual authentication.

5.1. Masquerade Attack

In this attack, a malicious attacker () may attempt to impersonate legal users through a stolen smartcard. According to Section 3.2, we assume that is able to extract the secret credentials stored in the smart card. Furthermore, can intercept the messages exchanged over the wireless network. Therefore, can perform the masquerade attack as shown in the following detailed steps. A first calculates , , , and . After that, the generates the two random numbers , and computes , , , and . The sends to the over wireless networks. Upon getting the , the verifies the validity of . If it is equal, the computes , , , and . Then, the checks . If it is correct, the computes , and . Next, the sends to the . After getting the , the verifies the . If it is equal, the calculates and decrypts to get (). After that, the calculates and then checks . If the condition is equal, the selects a random number and timestamp . Then, computes , , and . Finally, sends to the . Upon getting the , the verifies the validity of . If the condition is equal, the calculates and verifies . If the condition is valid, the selects and calculates and . Finally, sends to the . After getting the , the checks the and calculates and checks . If it is equal, the computes and . As a result, Mo and Chen’s scheme cannot prevent the masquerade attack because the can impersonate a legitimate user successfully.

5.2. Session Key Exposure Attack

Mo and Chen claimed that their scheme could prevent session key exposure attacks because a could not obtain the secret credentials. However, according to Section 5.1, we prove that is able to impersonate legal users and calculate the session key as follows. Referring to Section 3.2, the can extract secret credentials stored in the smartcard. Then, the is able to intercept the exchanged messages between , , and via wireless networks. If so, the can calculate , and . After that, the selects random numbers and can successfully generate new messages by utilizing and . Consequently, the can successfully perform the session key exposure attack by calculating and disguise as legitimate users.

5.3. Anonymity and Untraceability

Referring to Section 5.1, the can trace a legitimate user and can obtain the real identities of and . The computes utilizing secret credentials stored in the smart card. After that, the can compute , , and successfully. Thus, Mo and Chen’s scheme does not ensure user anonymity and untraceability.

5.4. Mutual Authentication

Mo and Chen’s scheme asserted that their scheme provides secure mutual authentication among the , , and . However, referring to Section 5.1, the can generate authentication request message , response message , and then can calculate session key . As a result, we prove that their scheme cannot provide correct mutual authentication among , , and .

6. Proposed Scheme

We present a secure and lightweight user authentication protocol in WSN to improve the security flaws of [15]. The proposed SLUA-WSN comprises the same processes as Mo and Chen’s scheme. The details of the four processes are shown below.

6.1. Pre-Deployment Process

This process is similar to the pre-deployment process given in Mo and Chen’s scheme [15]. In Figure 4, we show the pre-deployment process of SLUA-WSN and the detailed steps are below.
Figure 4

Pre-deployment process of the proposed scheme.

selects a unique identity for sensors and computes . Finally, sends to the over a secure communication. Upon receiving the messages, the stores them in secure memory.

6.2. User Registration Process

The must register within to access various services. In Figure 5, we show the user registration process of SLUA-WSN and the detailed steps are below.
Figure 5

User registration process of our scheme.

inputs the and and imprints biometric . Then, the computes = and , and sends to the over a secure communication. After reception of messages, the generates a random nonce and calculates , , and , and then stores in secure database. After that, the stores in the smart card and issues it to the .

6.3. Authentication Process

After performing the registration process, the registered requests authentication to the in order to establish the session key. In Figure 6, we show the authentication process of SLUA-WSN and the detailed steps are below.
Figure 6

Authentication process of our scheme.

first inserts the smart card and inputs and . Then, the imprints and computes =, , , and , and then checks . If the condition is valid, the generates a random nonce and a timestamp . The computes , , and , and sends to the over an insecure channel. Upon reception of messages, the checks the validity of and calculates , , and and then, checks . If the condition is correct, the calculates and , and sends to the . After reception of messages, the checks the validity of and computes and and checks . If it is valid, the generates a random nonce and timestamp and calculates , , , and , and then sends to the over an insecure channel. Upon reception of messages, the checks the validity of and calculates and , and checks . If it is valid, the generates a timestamp and computes , , , and and sends to the . After reception of messages, the checks the validity of and computes and , and then checks . If the condition is valid, the computes and , and checks . If the condition is correct, the computes , and and replaces with . Consequently, the , the and are mutually authenticated successfully.

6.4. Password Change Process

In SLUA-WSN, an authorized can freely update their password. The detailed steps of the password change process are below. inputs and and imprints biometric . After that, the computes = and and then sends to the over a secure communication. Upon reception of messages, the calculates and and sends authentication message to the . After reception of messages, the chooses a new and imprints a new . Then, the calculates = and and sends to the over a secure channel. Upon reception of messages, the calculates and and then replaces with successfully.

7. Security Analysis

This section assesses the security of SLUA-WSN by using informal and formal security analysis such as BAN logic, ROR model, and AVISPA simulation, which are widely known security models.

7.1. Informal Security Analysis

The security of SLUA-WSN is assessed by performing an informal security analysis. We show that SLUA-WSN can resist potential security threats, including masquerade, sensor node capture, replay, and privileged insider attacks, and ensure secure authentication and anonymity.

7.1.1. Masquerade Attack

In this attack, the attempts to masquerade a legitimate user by intercepting messages transmitted over an insecure channel. However, the cannot generate the request messages in the proposed SLUA-WSN correctly. The cannot compute the request messages because cannot get ’s real identity , the biometric , and the random nonce . As a result, SLUA-WSN resists masquerade attacks.

7.1.2. Replay Attack

Assuming that the attempts the replay attack utilizing previously exchanged data over an insecure channel, even if the intercepts the request message in the previous session, the proposed SLUA-WSN verifies the freshness of the timestamp. In addition, the request messages are protected with secret parameter and random nonce . Thus, SLUA-WSN prevents replay attacks.
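The gateway-side checks behind this argument (timestamp freshness, plus a hash verifier bound to a secret and a per-session nonce) are sketched below using only hash and XOR operations. This is an added example, not the SLUA-WSN message format: the field names, the `DELTA_T` window, the message layout, and the in-window replay cache are assumptions.

```python
import hashlib
import hmac
import secrets

DELTA_T = 5  # assumed maximum accepted age/skew of a timestamp, in seconds


def h(*parts):
    """SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def build_request(pid, key, now):
    """User side: mask a fresh nonce and bind pseudonym, secret, nonce, timestamp."""
    r = secrets.token_bytes(32)
    t = now.to_bytes(8, "big")
    return {
        "pid": pid,
        "masked": xor(r, h(key, t)),        # nonce hidden under hash of the secret
        "verifier": h(pid, key, r, t),      # binds all fields to this session
        "t": now,
    }


class Gateway:
    def __init__(self, keys):
        self.keys = keys    # pseudonym -> shared secret (hypothetical store)
        self.seen = {}      # verifier -> timestamp, for replays inside the window

    def verify(self, msg, now):
        if abs(now - msg["t"]) > DELTA_T:
            return "stale timestamp"
        key = self.keys.get(msg["pid"])
        if key is None:
            return "unknown identity"
        t = msg["t"].to_bytes(8, "big")
        r = xor(msg["masked"], h(key, t))
        if not hmac.compare_digest(h(msg["pid"], key, r, t), msg["verifier"]):
            return "bad verifier"
        # Drop cache entries that the freshness check would reject anyway.
        self.seen = {v: ts for v, ts in self.seen.items() if abs(now - ts) <= DELTA_T}
        if msg["verifier"] in self.seen:
            return "replayed inside window"
        self.seen[msg["verifier"]] = msg["t"]
        return "ok"


def run_demo():
    """Constructed scenario: one genuine request, then three replay attempts."""
    key = b"constructed-shared-secret"
    gw = Gateway({b"PID-1": key})
    msg = build_request(b"PID-1", key, now=1000)
    return [
        gw.verify(msg, now=1002),                 # genuine, fresh
        gw.verify(msg, now=1003),                 # replay while still fresh
        gw.verify(msg, now=1060),                 # replay after the window
        gw.verify(dict(msg, t=1060), now=1060),   # replay with rewritten timestamp
    ]


if __name__ == "__main__":
    print(run_demo())
```

The timestamp check alone rejects only replays older than the window; the cache covers replays that arrive while the original timestamp is still fresh.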

7.1.3. Sensor Node Capture Attack

As sensor nodes are typically placed in unmanned or hostile areas, the can easily capture sensor nodes. However, each has a unique and a secret parameter . Even if some sensor nodes are captured by the , it is difficult to impersonate that the is another sensor. Therefore, the does not have any ability to compromise other established between the and non-compromised . Thus, SLUA-WSN prevents sensor node capture attacks.

7.1.4. Privileged Insider Attack

In this attack, the privileged insider is able to access the password of the user stored in and disguises the user to log in to other systems. However, the user in the proposed SLUA-WSN only sends to the during the registration process. Consequently, SLUA-WSN prevents privileged insider attacks because the privileged insider cannot obtain the real password of the legitimate user.

7.1.5. Anonymity and Untraceability

We assume that the can extract secret credentials stored in a smartcard and is able to eavesdrop the message exchanged in each session. However, the cannot trace a legal user because all exchanged messages are updated every session, and also messages in the proposed SLUA-WSN update with . Moreover, the cannot obtain the real of because it is masked with XOR and hash functions. Thus, SLUA-WSN provides anonymity and untraceability because the cannot retrieve without knowing a secret parameter and a random nonce .

7.1.6. Mutual Authentication

In SLUA-WSN, each entity performs mutual authentication successfully. Upon getting the authentication request messages from the , the verifies . If the condition is correct, the authenticates the . After getting the messages from the , the checks . If it is valid, the authenticates the . After receiving the messages from the , the verifies . If the condition is correct, the authenticates the . After obtaining the response messages from the , the authenticates the . As a result, the , the and the are mutually authenticated because the cannot generate exchanged messages successfully.

7.2. Security Properties

We present the security properties of SLUA-WSN compared to those of the existing schemes [15,37,38,39,40,41]. Table 2 tabulates the security and functionality features of the proposed SLUA-WSN and other existing schemes. According to Table 2, previous schemes [15,37,38,39,40,41] suffer from various attacks, and also their schemes cannot ensure anonymity, untraceability, and mutual authentication. In contrast, SLUA-WSN ensures mutual authentication, anonymity, and untraceability and prevents various attacks. Thus, the proposed SLUA-WSN offers superior security and more functionality features compared with existing schemes.
Table 2

Security property comparison.

Security Properties | Wu et al. [37] | Wang et al. [38] | Li et al. [39] | Li et al. [40] | Lu et al. [41] | Mo and Chen [15] | Ours
Three-factor security×××
Masquerade attack×××××
Replay attack×××
Privileged insider attack××
Sensor node capture attack
Man-in-the-middle attack××
User anonymity×
Untraceability×
Mutual authentication×

∘: it supports security properties; ×: it does not support security properties.

7.3. Formal Security Analysis Using BAN Logic

We perform the BAN logic to demonstrate the mutual authentication of SLUA-WSN. We present notations utilized for BAN logic in Table 3.
Table 3

Notations used for BAN logic.

Notation  Description
N|M N believes M
#M M is updated and fresh
NM N sees M
N|M N once said M
NM N controls M
<M>W M is combined with W
{M}K M is encrypted utilizing symmetric key K
NKP N and P share a shared secret key K
SK Session key used in communication session

7.3.1. Rules of BAN Logic

In the following, the rules of BAN logic are summarized. Message meaning rule: Nonce verification rule: Jurisdiction rule: Freshness rule: Belief rule:

7.3.2. Goals

We define the following security goals to prove that the proposed SLUA-WSN is capable of performing secure mutual authentication.

7.3.3. Idealized Forms

The idealized form messages of SLUA-WSN are as below. : : : :

7.3.4. Assumptions

In the following, the assumptions used in BAN logic are summarized.

7.3.5. Proof Using BAN Logic

The BAN logic proof then proceeds as below. According to , we could get the following, Using and with “message meaning rule”, the following is obtained, Using and with “freshness rule”, the following is obtained, From and with “nonce verification rule”, we could get According to , we could get Using the and with “message meaning rule”, the following is obtained, Now, using and with “freshness rule”, we could get Utilizing and with “nonce verification rule”, the following is obtained, According to , we could get the following, Using and with “message meaning rule”, the following is obtained, Using and with “freshness rule”, the following is obtained, From and with “nonce verification rule”, we could get According to , we could get the following, Using and with “message meaning rule”, the following is obtained, Using and with “freshness rule”, the following is obtained, From and with “nonce verification rule”, we could get Because , according to and , the following is obtained, Because , according to and , we could get From and , the following is obtained, Using and , the following is obtained, According to Goals 1–4, we prove that the proposed SLUA-WSN ensures secure mutual authentication among , , and .

7.4. Formal Security Analysis Using ROR Model

We perform the ROR model [17] to evaluate the session key (SK) security of SLUA-WSN from the malicious attacker . Initially, we introduce the ROR model [17] before performing the analysis of SK security for SLUA-WSN. In the ROR model, the malicious attacker interacts with the , the instance of the executing participant. Furthermore, there are three participants—the user , gateway , and sensor —where , , and are instances of , of , and of , respectively. In Table 4, we define various queries for ROR model to evaluate security analysis such as , , , , and . Furthermore, a one-way hash function is modeled as a random oracle . We utilize Zipf’s law [48] to evaluate SK security of SLUA-WSN.

Table 4. Queries of the Real-or-Random (ROR) model.

| Query | Description |
|---|---|
| $Execute(P_{U_i}^{t_1}, P_{GWN}^{t_2}, P_{S_j}^{t_3})$ | Execute denotes that the MA performs a passive attack by eavesdropping on messages transmitted between legitimate participants over an insecure channel. |
| $CorruptSC(P_{U_i}^{t_1})$ | CorruptSC models the smartcard stolen attack, in which the MA can extract the secret credentials stored in the smartcard. |
| $Send(P^t, M)$ | Using this query, the MA can transmit a message $M$ to the instance $P^t$ and receive the corresponding response. |
| $Test(P^t)$ | Test corresponds to the semantic security of the SK between $U_i$ and $S_j$, following the indistinguishability style of the ROR model [17]. An unbiased coin $c$ is flipped before the experiment starts. If the MA issues the Test query and the corresponding SK is fresh, $P^t$ returns the SK when $c = 1$ or a random number when $c = 0$; otherwise, it returns a null value (⊥). |
| $Reveal(P^t)$ | Using this query, the current SK generated by its partner is revealed to the MA. |

If where

We define the following four games, namely, (). We indicate that is the probability of winning the . All are described in detail as shown below.

Game: The first game is considered as a passive attack executed from the in the proposed protocol P, as the bit C is guessed randomly at the beginning of . According to this game, the following is obtained.

Game: This considers the scenario where simulates the eavesdropping attack in which the transmitted messages are intercepted during the authentication process using the query. After eavesdropping transmitted messages, the performs the and queries to verify whether it is the SK or a random number. The needs the secret parameters, such as , , , and , to derive . Thus, the does not at all help in increasing the ’s winning probability by eavesdropping on the transmitted messages. According to this game, the following is obtained.

Game: is modeled as an active attack, where the simulations of the and oracles are included. In , the can eavesdrop all exchanged messages , , , and during the authentication and key agreement process. However, all exchanged messages are safeguarded using the hash function . Furthermore, the random numbers and are not derived from the intercepted exchanged messages because the random numbers are protected by hash function . By applying the birthday paradox [49], we can derive the following.

Game: is simulated using query. In this game, the is able to extract the secret credentials from a smartcard’s memory using the power analysis attack. Generally, a user utilizes the low-entropy password. Using ’s stored secret credentials , the may try to extract the password by performing a password guessing attack. However, in the proposed protocol, the cannot obtain password of the legitimate user correctly through the query without ’s master key and secret parameter . Furthermore, the probability of guessing the biometric secret key of bits by the is approximately . Thus, the and are indistinguishable if biometric/password guessing attacks are not present. Consequently, by applying Zipf’s law [48], the following is obtained.

When all the games are executed, the should guess the correct bit c. Consequently, we can obtain the following result. By applying Equations (1), (2), and (5), the following result is obtained. By applying Equations (4)–(6), the following result is obtained, utilizing the triangular inequality. As a result, multiplying both sides of Equation (7) by a factor of two, the following result is obtained. □

7.5. AVISPA Simulation

We use the AVISPA simulation tool [18,19] to prove the security of SLUA-WSN against MITM and replay attacks. To run the AVISPA simulation, the environment and session of the protocol must be specified in the High-Level Protocols Specification Language (HLPSL) [50].

7.5.1. HLPSL Specification

Referring to HLPSL, we consider three roles: the , the , and the . We present the environment and session using HLPSL in Figure 7, which consists of the security goals.

Figure 7. High-Level Protocols Specification Language (HLPSL) syntax for session and environment.

In Figure 8, the initially receives the message and updates the state value from 1 to 2. After that, transmits the registration request message to over a secure channel. Then, receives the from and changes the state value from 1 to 2. In the authentication process, the should send an authentication request message to over a public channel. Thus, the declares from the , and then changes the state value from 2 to 3. Then, receives the authentication response messages from the . Finally, checks and . If it is correct, the , , and are mutually authenticated successfully. In addition, the HLPSL specification roles of and are similarly defined. Figure 9 and Figure 10 show the role specification of the and .

Figure 8. HLPSL syntax for .

Figure 9. HLPSL syntax for .

Figure 10. HLPSL syntax for .

7.5.2. AVISPA Simulation Result

We present the AVISPA simulation result to demonstrate the security of the SLUA-WSN utilizing On-the-Fly Model Checker (OFMC) and Constraint-Logic-based ATtack SEarcher (CL-AtSe) back-ends. The OFMC and CL-AtSe back-ends verify whether a legitimate entity is able to execute the protocol by searching for a passive attacker. In addition, CL-AtSe and OFMC back-ends check that the SLUA-WSN is secure against the replay and MITM attacks based on the DY model. According to Figure 11, the proposed SLUA-WSN is secure against MITM and replay attacks. Moreover, the result of OFMC validation shows that the search time was 4.11 s for visiting 520 nodes, and the result of the CL-AtSe validation analyzed three states and the translation time was 0.10 s. We provide similar AVISPA simulation results as adopted in [51,52,53,54,55].

Figure 11. AVISPA simulation results using On-the-Fly Model Checker (OFMC) and Constraint-Logic-based ATtack SEarcher (CL-AtSe).

8. Performance Analysis

We evaluate the performance of SLUA-WSN in terms of the computation, communication, and storage overheads. We also compare SLUA-WSN with other existing schemes [15,37,38,39,40,41].

8.1. Computation Overheads

This section compares the computation overhead of SLUA-WSN with those of related schemes [15,37,38,39,40,41] during the authentication process. We use the following parameters to evaluate the computation overhead. Referring to the work in [15], , , , and denote the execution time for point multiplication , rep operation , symmetric encryption/decryption , and hash function , respectively. The execution time of the XOR operation is not included because it is negligible. Table 5 shows the results of the computation overhead comparison. Consequently, SLUA-WSN provides a more efficient computation cost compared with the other existing schemes [15,37,38,39,40,41].

Table 5. Computation overheads comparison.

| Schemes | User | Gateway | Sensor node | Total | Computation overhead |
|---|---|---|---|---|---|
| Wu et al. [37] | 11Th+TR+2Tm | 10Th | 3Th+2Tm | 24Th+TR+4Tm | 36.77 ms |
| Wang et al. [38] | 10Th+TR+3Tm | 13Th+Tm | 6Th+2Tm | 29Th+TR+6Tm | 51.48 ms |
| Li et al. [39] | 8Th+TR+2Tm | 9Th+Tm | 4Th | 21Th+TR+3Tm | 29.42 ms |
| Li et al. [40] | 12Th+3Tm | 8Th+Tm | 4Th+2Tm | 24Th+6Tm | 44.13 ms |
| Lu et al. [41] | 7Th+TR+3Tm+TS | 6Th+Tm+TS | 2Th+2Tm+2TS | 15Th+TR+6Tm+4TS | 51.99 ms |
| Mo and Chen [15] | 12Th+TR+2Tm | 10Th+TS | 5Th+2Tm+TS | 27Th+TR+4Tm+2TS | 37.03 ms |
| Ours | 11Th+TR | 11Th | 6Th | 28Th+TR | 7.36 ms |

8.2. Communication Overheads

We compare the communication cost with the related schemes [15,37,38,39,40,41]. Referring to the work in [15], we assume that the hash function, a timestamp, an identity, a random nonce, and a prime p are 160 bits, 32 bits, 32 bits, 128 bits, and 160 bits, respectively. In addition, we consider that an ECC of 160 bits has a security level equivalent to that of the 1024-bit RSA [56]. The block size of plaintext/ciphertext for the AES algorithm is 128 bits [57]. In the authentication process of SLUA-WSN, the exchanged messages , , , and require (160 + 160 + 160 + 160 + 32 = 672 bits), (160 + 160 + 160 + 32 = 512 bits), (160 + 160 + 160 + 32 = 512 bits), and (160 + 160 + 160 + 32 = 512 bits), respectively. In Table 6, we present the results of the communication overhead comparison. Thus, SLUA-WSN has a more efficient communication cost compared with other related schemes [15,37,38,39,40,41].

Table 6. Communication overheads comparison.

| Schemes | Communication Overhead | Number of Messages |
|---|---|---|
| Wu et al. [37] | 3072 bits | 4 messages |
| Wang et al. [38] | 2368 bits | 4 messages |
| Li et al. [39] | 2496 bits | 4 messages |
| Li et al. [40] | 2880 bits | 4 messages |
| Lu et al. [41] | 2880 bits | 3 messages |
| Mo and Chen [15] | 3328 bits | 4 messages |
| Ours | 2208 bits | 4 messages |

8.3. Storage Overheads

We compare the storage costs with the related schemes [15,37,38,39,40,41]. We first define that the hash, identity, timestamp, random nonce, ECC algorithm, RSA algorithm, and AES algorithm are 20, 4, 4, 16, 20, 128, and 16 bytes, respectively, and the prime p in is 20 bytes. In the proposed SLUA-WSN, stored messages and require (20 + 20 + 20 = 60 bytes) and (20 bytes), respectively. Although the storage costs of the proposed SLUA-WSN are somewhat higher than Mo and Chen’s scheme [15], it provides better security and efficiency than the other related schemes [15,37,38,39,40,41]. Table 7 shows the analysis results of storage overhead compared to related schemes.

Table 7. Storage overheads comparison.

| Schemes | Stored Message (Smart Card/Mobile Device) | Size | Stored Message (Gateway Node) | Size |
|---|---|---|---|---|
| Wu et al. [37] | B1, B2, Pbi | 56 bytes | IDi | 4 bytes |
| Wang et al. [38] | Ai, Bi, n0, Y, P | 100 bytes | IDi, ri | 20 bytes |
| Li et al. [39] | α, δ, Ai, Bi, X | 92 bytes | IDi | 4 bytes |
| Li et al. [40] | Ai, Bi, Ei, X, f, n0, r | 108 bytes | IDi, ki | 20 bytes |
| Lu et al. [41] | RPWi, fi, vi | 56 bytes | Kj | 20 bytes |
| Mo and Chen [15] | RIDi, fi, τ | 56 bytes | Kj | 20 bytes |
| Ours | Qi, Wi, MIDi | 60 bytes | rg | 20 bytes |

9. Conclusions

In this paper, we proved that Mo and Chen’s scheme suffers from various security flaws, such as session key exposure and masquerade attacks, and does not provide anonymity, untraceability, and authentication. We proposed a secure and lightweight user authentication protocol in WSN environments utilizing biometric and secret parameters to resolve the security drawbacks of Mo and Chen’s protocol. SLUA-WSN prevents various attacks, including sensor node capture, masquerade, and privileged insider attacks. We demonstrated that the proposed SLUA-WSN ensures secure mutual authentication between , , and by performing BAN logic. We also proved the security of SLUA-WSN through formal security analysis using the ROR model and AVISPA simulation. We compared the performance of SLUA-WSN in terms of computation, communication, and storage overheads with existing schemes. Consequently, the proposed SLUA-WSN provided a great improvement in terms of the security level compared with three-factor-based related schemes and also preserved the low computation and communication overheads using only hash and XOR operations. Therefore, the proposed SLUA-WSN provides better security and efficiency than related schemes and is suitable for practical WSN environments.