1 Introduction

With the advancement of wireless communication and sensor technologies, wireless sensor networks (WSN) [1] are widely used in many fields. Application fields of WSN include, but are not limited to, habitat monitoring [2], health environment monitoring [3, 4], military applications [5], indoor sensor networks [6], industrial and consumer applications [7] and preventing chemical, biological, or nuclear threats in an area [8,9,10]. In a WSN, several dozens to thousands of highly resource-constrained sensor nodes are randomly deployed in a target field. The data collected by these sensor nodes can be made accessible to external users. As a result, authentication and key agreement become an essential security mechanism in this environment, ensuring that only authorized users can access the data when they request it. After adequate progress in link layer security [11] and network layer security [12], application layer security in WSN also attracted the attention of many researchers, and many user authentication schemes were proposed for WSN. He et al. [13] proposed a lightweight two-factor authenticated key agreement scheme for WSN in which sensor nodes need not register with the gateway node. To protect the user’s identity, they also proposed an access control scheme for WSN using a ring signature [14].

As network technology has matured, user identity protection has, on the one hand, gradually received much attention as a desirable security property, since a user is most likely unwilling to have his identity linked to the content he requests. This security attribute has led to the recent and increasing popularity of privacy-preserving schemes for different applications, such as cloud computing [15, 16], GSM systems [17], wearable health monitoring systems [18], road networks [19,20,21], global mobility networks [22], location based service systems [23,24,25], and so on. On the other hand, Das [26] gave a new direction to the application layer in WSN by incorporating the two-factor authentication concept, namely the smart card and the password. This concept addresses the potential threats that arise when the server side must keep a password table for each user. Two-factor security means the proposed scheme should remain secure when either the password or the smart card is stolen, but not both. This hot topic, combined with user anonymity, has attracted many researchers’ attention, and several two-factor authentication schemes with user privacy support have been proposed [27]. Wang et al. [28] disclosed the relationships among several security attributes by analyzing two representative two-factor authentication schemes in 2015, and they proposed an ideal two-factor authentication scheme which satisfies 12 independent criteria under a formal proof [29].

Although the scheme of Das [26] proposed a solution that avoids the stolen-verifier attack, a series of cryptanalyses of his scheme followed. Nyang-Lee [30] identified that Das’s scheme was vulnerable to off-line password guessing and node capture attacks. To conquer these security pitfalls, Nyang-Lee [30] proposed an improvement based on Das’s scheme without sacrificing any efficiency or usability. Also, Khan-Alghathbar [31] showed that Das’s scheme [26] could not withstand the insider and GWN bypassing attacks. As a countermeasure, Khan-Alghathbar [31] proposed security patches and improvements. They claimed that their enhanced scheme could withstand the insider attack and the GW-node bypassing attack and provide mutual authentication. However, Yuan [32] found some security problems in Khan-Alghathbar’s scheme, such as no resistance to the lost smart card breach attack, failure to provide non-repudiation, and failure to achieve mutual authentication between the user and the GW-node. Yuan [32] then modified Khan-Alghathbar’s scheme [31] to rectify its drawbacks and improve its security, at the cost of increased computation overhead. Subsequently, a number of authenticated key agreement schemes [33, 34] for WSN were proposed to deal with security vulnerabilities of two-factor anonymous authentication. Sun et al. [35] proposed a two-factor user authentication scheme to defeat the GW-node impersonation attack, the GW-node bypassing attack and the privileged-insider attack. Turkanović et al. [36] proposed a scheme that enables a remote user to securely negotiate a session key with a general sensor node, using a lightweight key agreement protocol.

With the widespread adoption of basic pattern recognition systems, more and more biometrics-based authentication schemes have been proposed [37, 38]. For example, Xie et al. [39] proposed an improved ECC-based three-factor authentication protocol for mobile networks which uses the user’s biometrics to transmit the user’s identity and the authentication message in a confidential manner. Besides, they used a random nonce to encrypt and decrypt messages without using the server’s public key, reducing computation cost and avoiding the key management problem. Das [40] proposed a novel three-factor user authentication scheme suited for distributed WSN which efficiently supports a password and biometric change phase without contacting the BS, as well as a dynamic node addition phase. Biometric methods include fingerprint scanning [41], facial recognition, hand geometry recognition or retinal scans, which can be used as proof of the user’s identity. Compared to traditional password keys [42], biometric keys have many advantages, as follows [43]:

  1. it is difficult to lose or forget biometric keys;

  2. it is difficult to copy or share biometric keys;

  3. it is difficult to forge or distribute biometrics;

  4. it is difficult to guess biometric keys;

  5. it is more difficult to break biometric keys.

Generally, the user’s biometric should be preprocessed using biohashing [44] and a fuzzy extractor [45], since it is easily affected by the surrounding environment. Due to its excellent advantages compared with passwords, biometrics-based authenticated key agreement schemes have been presented successively. He-Wang [46] proposed an anonymous ECC-based authentication and key agreement scheme for multi-server environments, but at the cost of slightly higher computation overhead. Li et al. [47] also proposed a fingerprint-information-based authentication scheme for IoT environments, where the fuzzy commitment scheme is utilized to check the legitimacy of the fingerprint.

Recently, Das [48] also proposed a three-factor authentication scheme employing only hash functions. Undoubtedly, Das’s scheme performs well compared to authentication based on public-key cryptographic techniques. However, we point out that Das’s scheme has several security pitfalls, such as no user anonymity, no three-factor security and vulnerability to the user impersonation attack. Such security weaknesses mean the scheme cannot be applied in a practical environment. Motivated by this, we present an anonymous three-factor key agreement scheme using elliptic curve cryptography to mitigate all the problems of Das’s scheme. We use BAN logic to show that the proposed scheme achieves mutual authentication. The formal security analysis and software verification demonstrate that the proposed scheme is secure against many attacks. In addition, we also compare its performance with related works.

The remainder of this paper is organized as follows: Sect. 2 gives the preliminaries. Section 3 reviews Das’s scheme. Section 4 presents a thorough cryptanalysis of Das’s user authentication scheme for WSN. Section 5 presents an improvement based on Das’s scheme. Section 6 gives the security analysis of our scheme. Section 7 shows the performance comparison of our scheme with previous schemes. Finally, the paper is concluded in Sect. 8.

2 Preliminaries

Given a biometric input Bio, a fuzzy extractor extracts a random string \(\mu _i\). One important property of the fuzzy extractor is that it outputs the same random string even when the input changes, provided the new input remains close to the original. To recover \(\mu _i\) from a new biometric input Bio, a uniformly random auxiliary string \(\nu _i\) is generated at enrollment and used in the reproduction operation. The fuzzy extractor is formally defined as follows [45].

Fuzzy extractor A fuzzy extractor is given by two procedures (Gen, Rep).

\(Gen(B_i)=(\mu _i,\nu _i)\) : The probabilistic generation procedure Gen on input \(B_i\) outputs a random string \(\mu _i\) and a random auxiliary string \(\nu _i\);

\(Rep(B'_i,\nu _i)=\mu _i\): The deterministic reproduction procedure Rep takes as input \(B'_i\), which is reasonably close to \(B_i\), and the corresponding random auxiliary string \(\nu _i\), and recovers \(\mu _i\).
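The Gen/Rep pair above, as an added runnable example that is not part of the paper: a code-offset fuzzy extractor in which the biometric template is a list of bits, the error-correcting code is a repetition code (an assumption; any linear code works), and the strong extractor is replaced by SHA-256 over the recovered code message and a public salt.

```python
import hashlib
import secrets

R = 7             # repetition length: each block of R template bits carries one secret bit
T = (R - 1) // 2  # up to T bit flips per block are corrected by majority vote
K = 32            # secret bits per template, so a template is K * R = 224 bits

def _encode(msg_bits):
    """Repetition code: write each message bit R times (this is the codeword c)."""
    return [b for b in msg_bits for _ in range(R)]

def _decode(code_bits):
    """Majority vote on every block of R bits; undoes up to T flips per block."""
    return [int(sum(code_bits[i:i + R]) > T) for i in range(0, len(code_bits), R)]

def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def _extract(msg_bits, salt):
    """Strong-extractor stand-in: hash the recovered message bits together with the public salt."""
    return hashlib.sha256(salt + bytes(msg_bits)).hexdigest()

def Gen(bio):
    """Gen(B_i) = (mu_i, nu_i). nu_i = (sketch, salt) is public helper data.
    The sketch B_i xor c reveals at most the K*R - K parity bits of B_i, because c is a
    uniformly random codeword; the K message bits stay hidden and feed the key mu_i."""
    assert len(bio) == K * R
    msg = [secrets.randbelow(2) for _ in range(K)]
    sketch = _xor(bio, _encode(msg))           # code-offset construction
    salt = secrets.token_bytes(16)
    return _extract(msg, salt), (sketch, salt)

def Rep(bio_prime, nu):
    """Rep(B'_i, nu_i) = mu_i whenever B'_i differs from B_i in at most T bits per block."""
    sketch, salt = nu
    msg = _decode(_xor(bio_prime, sketch))     # = decode(c xor (B_i xor B'_i))
    return _extract(msg, salt)

def noisy_copy(bio, flip_positions):
    """A re-reading of the biometric with the given bit positions flipped."""
    out = list(bio)
    for i in flip_positions:
        out[i] ^= 1
    return out

# Constructed sample template (not real biometric data): a fixed 224-bit pattern.
SAMPLE_BIO = [(i * i + 3 * i) // 2 % 2 for i in range(K * R)]

def demo():
    """Returns (clean_ok, noisy_ok, too_noisy_ok): Rep succeeds for a clean and a slightly
    noisy reading, and fails when a single block carries more than T flips."""
    mu, nu = Gen(SAMPLE_BIO)
    clean = Rep(SAMPLE_BIO, nu) == mu
    noisy = Rep(noisy_copy(SAMPLE_BIO, [0, 1, 9, 15, 16, 17, 223]), nu) == mu   # <= 3 flips per block
    too_noisy = Rep(noisy_copy(SAMPLE_BIO, [0, 1, 2, 3]), nu) == mu           # 4 flips in block 0
    return clean, noisy, too_noisy
```

The last case is the failure mode a deployment must plan for: a reading outside the code's error radius yields a different \(\mu _i\), so the scheme's check \(h(Id_i, h(pw_i, \mu _i)) = f_i\) fails and the user must re-scan rather than the card leaking anything.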

3 Review of Das’s scheme

This section reviews Das’s user authentication scheme for WSN, which is based on one-way hash functions.

3.1 Pre-deployment

The gateway node GWN chooses a unique identity \(SID_j\) for every deployed sensor \(S_j\). Then, GWN selects a master key \(MK_{S_j}\) and computes a secret key \(K_j=h(SID_j, MK_{S_j})\) for each \(S_j\). Finally, the GWN stores the pair \(\{SID_j, K_j \}\) in its database and then deletes \(MK_{S_j}\).

3.2 User registration

\(UR_1\): \(U_i\) submits his identity \(Id_i\), password \(pw_i\), and then imprints biometric \(Bio_i\) on the specific device.

\(UR_2\): \(U_i\) computes \(RPW_i=h(Id_i, pw_i, K)\) and sends the registration message \(\{Id_i, RPW_i, ek_i\}\) to the GWN via a secure channel, where K is a nonce and \(ek_i\) is a symmetric key shared with the GWN.

\(UR_3\): The GWN computes \(f_i=h(Id_i, X_s)\) and issues a smart card which contains \(\{f_i, h(), Gen(), Rep(), \mathcal {T}\}\) and sends it securely to \(U_i\), where \(X_s\) is a 1024-bit nonce.

\(UR_4\): \(U_i\) computes \(Gen(Bio_i)=(\sigma _i, \tau _i), f_i^{*}=f_i \oplus h(Id_i, \sigma _i, K), e_i=h(Id_i, RPW_i, \sigma _i), r_i= h(Id_i, \sigma _i)\oplus K, BE_i= h(Id_i,\sigma _i)\oplus ek_i\). \(U_i\) then replaces \(f_i\) with \(f_i^{*}\) in the smart card and stores the information \(\{\tau _i, e_i, r_i, BE_i\}\) in the smart card. Thus, the smart card finally contains the information \(\{\tau _i, e_i, r_i, BE_i, f_i^{*}, h(), Gen(), Rep(), \mathcal {T}\}\).

3.3 Login

\(U_i\) inserts his smart card into a smart card reader and imprints biometric \(Bio_i\). \(U_i\) then keys in his \(Id_i\) and \(pw_i\). The smart card computes \(\sigma '_i=Rep(Bio_i,\tau _i)\), \(K'=r_i\oplus h(Id_i,\sigma '_i)\), \(RPW'_i=h(Id_i,pw_i,K')\) and \(e'_i=h(Id_i,RPW'_i, \sigma '_i)\). The smart card checks the condition \(e_i{\mathop {=}\limits ^{?}}e'_i\). If it is true, the smart card sends the login message \(\{Id_i, req\}\) to the GWN via a public channel, where req is a request.

3.4 Authentication and key agreement

\(AK_1\): When the login message is received, GWN checks \(Id_i\). If it is valid, the GWN sends the message \(\{R\}\) to \(U_i\), where R is a nonce.

\(AK_2\): The smart card computes \(ek_i=BE_i\oplus h(Id_i,\sigma _i)\) and sends the message \(\{E_{ek_i}(R, T_1, SID_j)\}\) to the GWN, where \(T_1\) is the current timestamp.

\(AK_3\): The GWN decrypts \(E_{ek_i}(R, T_1, SID_j)\) to retrieve \((R, T_1, SID_j)\) using the key \(ek_i\) stored in its database. The GWN then verifies whether \(T_1\) is within the tolerable time interval. If it is true, the GWN further checks the validness of the decrypted R.

\(AK_4\): The GWN computes \(f_i^{*}=h(Id_i,h(X_s)), f_i^{**}=h(SID_j, f_i^{*})\) and \(Y_j=E_{K_j}(Id_i, SID_j, T_1, T_2, f_i^{**})\), where \(T_2\) is the current timestamp of GWN side. The GWN then sends the message \(\{Id_i, Y_j\}\) to \(S_j\).

\(AK_5\): \(S_j\) decrypts \(Y_j\) to retrieve \((Id_i, SID_j, T_1, T_2, f_i^{**})\) using its secret key \(K_j\). \(S_j\) then checks the validity of the timestamp \(T_2\) and \((Id_i, SID_j)\). If they are valid, \(S_j\) computes a session key as \(sk_{ij}=h(f_i^{**}, Id_i, SID_j, T_1, T_3)\) and sends the message \(\{h(sk_{ij}), T_3\}\) back to \(U_i\), where \(T_3\) is the current timestamp of \(S_j\).

\(AK_6\): \(U_i\) checks the validity of the timestamp \(T_3\) by the condition \(T_3-T_3^{*} < {\Delta }T\), where \(T_3^{*}\) is the current timestamp of \(U_i\). \(U_i\) computes \(f'_i=f_i^{*}\oplus h(\sigma '_i, Id_i, K), f_i^{''}=h(SID_j,f'_i)\) and \(sk'_{ij}=h(f_i^{''}, Id_i, SID_j, T_1, T_3)\). \(U_i\) then checks whether \(h(sk'_{ij}){\mathop =\limits ^{?}}h(sk_{ij})\). If it holds, \(U_i\) confirms the session key \(sk_{ij}\) with \(S_j\) and uses it to secure subsequent communications.

3.5 Password change

\(P_1\): \(U_i\) inserts his smart card into a smart card reader and imprints biometric \(Bio_i\). \(U_i\) then keys in his \(Id_i\) and \(pw_i\). The smart card computes \(\sigma '_i=Rep(Bio_i,\tau _i)\), \(K'=r_i\oplus h(Id_i,\sigma '_i)\), \(RPW'_i=h(Id_i,pw_i,K')\) and \(e'_i=h(Id_i,RPW'_i, \sigma '_i)\). The smart card checks the condition \(e_i{\mathop {=}\limits ^{?}}e'_i\). If it is true, \(U_i\) inputs a new password \(pw_i^{New}\) and imprints new biometrics \(Bio_i^{New}\). The smart card computes \(RPW_i^{New}=h(Id_i, pw_i^{New}, K^{New}), Gen(Bio_i^{New})=(\sigma _i^{New},\tau _i^{New}), e_i^{New}=h(Id_i, RPW_i^{New}, \sigma _i^{New}), r_i^{New}=h(Id_i,\sigma _i^{New})\oplus K^{New}, BE_i^{New}=h(Id_i, \sigma _i^{New})\oplus ek_i,f_i^{New}= h(Id_i\oplus h(X_s))\oplus h(\sigma _i^{New},Id_i, K^{New})\). Finally, \(U_i\) replaces \(\tau _i, e_i, r_i, BE_i\) and \(f_i^{*}\) with \(\tau _i^{New}, e_i^{New}, r_i^{New}, BE_i^{New}\) and \(f_i^{New}\), respectively.

4 Security analysis of Das’s scheme

This section highlights the security risks in Das’s scheme if an unauthorized malicious user \(\mathbb {E}\) has the ability to intercept, alter, delete, block, or insert any messages exchanged in the channel [49]. The possible attacks are described as follows.

4.1 No provision of user anonymity

Since authentication of a user is done via an insecure open channel, an ideal scheme should ensure user anonymity, thus preventing any private information leakage if \(\mathbb {E}\) eavesdrops on the communication. However, Das’s scheme fails to do this, which facilitates the attack described in the next subsection.

4.2 Three-factor security violation attack along with user impersonation attack

Three-factor security prevents \(\mathbb {E}\), who has learned at most two components of the triple (password, smart card, biometric), from mounting a masquerading attack. Unfortunately, in Das’s scheme, a breach of the smart card and the biometric not only leads to the leakage of the shared symmetric key \(ek_i\) but also enables an impersonation attack. \(\mathbb {E}\) executes the attack with the following operations.

\(A_1\). \(\mathbb {E}\) could extract the secrets \(\{ \tau _i, e_i, r_i, BE_i , f_i^{*} , h(), Gen(), Rep(), \mathcal {T}\}\) through a differential power attack [50] and recover \(\sigma _i\) from \(\tau _i\) with the user’s biometrics. Owing to the exposure of the user’s identity in the channel, \(\mathbb {E}\) could derive \(ek_i\) as \(BE_i\oplus h(Id_i,\sigma _i)\) and K as \(r_i\oplus h(Id_i, \sigma _i)\).

\(A_2\). \(\mathbb {E}\) guesses a password \(pw'_i\) and verifies whether \(h(Id_i,h(Id_i,pw'_i,K), \sigma _i)\) is equal to \(e_i\). If it is true, \(\mathbb {E}\) finds the correct password; otherwise, \(\mathbb {E}\) repeats steps \(A_1\) and \(A_2\) until the correct password is found.

With the correct password and the data \((Id_i,ek_i)\), \(\mathbb {E}\) can impersonate \(U_i\) as follows.

\(A_3\). \(\mathbb {E}\) sends \(\{Id_i, request\}\) to GWN, and GWN sends a random challenge R to \(U_i\) in response to the query;

\(A_4\). \(\mathbb {E}\) sends \((SID_j,T_1, R)\), encrypted with the shared symmetric key \(ek_i\), to GWN;

\(A_5\). The message passes GWN’s verification, which checks the validity of \(T_1\). GWN then proceeds to the next step and sends \(\{Id_i,Y_j\}\) to the nearest sensor node;

\(A_6\). \(S_j\) now decrypts \(Y_j\) and checks the validity of \(T_2\), \(Id_i\) and \(SID_j\). If they are valid, the session key is computed as \(sk_{ij}=h(Id_i,f^{''},SID_j,T_3,T_1)\) and its hash is sent back along with \(T_3\) in response to \(\mathbb {E}\)’s query;

\(A_7\). After checking the correctness of the session key, \(\mathbb {E}\), who is not a legitimate user of the sensor network system, enjoys its resources as an authorized user without being a member of the system.

In this regard, the three-factor security violation attack is effective and poses a real threat to Das’s scheme.

5 Proposed scheme

This section presents an authentication and key agreement scheme for WSN using ECC. We employ ECC because the results in [51] indicate that ECC provides advantages with respect to memory and computing cost, and hence is suitable for WSNs. The purpose of this part is to remove the security risks found in Das’s scheme. Before the system is executed, GWN is assumed to be a trusted third party that holds a master key \(K_j\) shared with each \(S_j\).

5.1 Pre-deployment

GWN stores the corresponding secret password-key \(K_j=h(SID_j,X_{GWN})\) shared with each sensor node, where \(X_{GWN}\) is a randomly-generated highly secure password-key and is known only to the GWN and is secretly stored in the memory of the GWN. Finally, GWN deletes \(X_{GWN}\).

5.2 User registration

\(RU_1\). \(U_i\) first inputs his chosen identity \(Id_i\) and password \(pw_i\), and then imprints the biometrics \(Bio_i\) at the sensor of a specific device. \(U_i\) sends the registration request \(\{Id_i, h(pw_i,\mu _i)\}\) to GWN via a secure channel, where \(\mu _i\) is computed by \(Gen(Bio_i)=(\mu _i,\nu _i)\);

\(RU_2\). GWN computes \(RPW_i=h(Id_i)h(Id_i,h(K))\) and sends it back to \(U_i\) to be stored in the smart card, where K is a nonce;

\(RU_3\). \(U_i\) stores \(f_i=h(Id_i, h(pw_i, \mu _i))\) and \(RPW_i\) in the smart card, so that all the related values \(\{RPW_i, f_i, \nu _i, Gen(), Rep(), h()\}\) are stored in the smart card. Figure 1 depicts the processes of this phase.

Fig. 1 User registration

5.3 Sensor node registration

\(RS_1\). \(S_j\) sends its identity \(SID_j\) to GWN;

\(RS_2\). GWN returns \(h(SId_j,K_j)\) to \(S_j\) via a secure channel;

\(RS_3\). \(S_j\) stores \(h(SId_j,K_j)\oplus N_j\) into its database.

5.4 Login

\(U_i\) inserts the smart card into the terminal device, inputs his identity \(Id_i\) and password \(pw_i\), and imprints his biometrics \(Bio_i^{*}\) at the sensor. Next, the smart card derives \(\mu _i\) with \(Rep(Bio_i^{*}, \nu _i)=\mu _i\) and verifies whether \(h(Id_i, h(pw_i, \mu _i)){\mathop {=}\limits ^{?}}f_i\). If the check passes, the smart card computes \(A_i=\alpha _iP, B_i=Id_i\oplus \alpha _i X_{Pub}, V_i=h(Id_i, h(Id_i,h(K)), \alpha _iP,T_1)\) and sends \(\{A_i,RPW_i,B_i,V_i, T_1\}\) to GWN, where \(\alpha _i\) is a nonce and \(X_{Pub}\) is the public key of GWN.

5.5 Authentication and key agreement

\(AK_1\). On receiving the request, GWN derives \(Id_i\) by computing \(X_sA_i\oplus B_i\), where \(X_s\) is the private key of GWN. After that, GWN computes \(h(Id_i, h(Id_i,h(K)), \alpha _iP,T_1)\) and checks whether it is equal to the received \(V_i\). If it holds, GWN computes \(RPW_i^{*}= h(Id_i)h(Id_i,h(K^{*})), V_j=E_{h(SId_j,K_j)}(Id_i,\alpha _iP,T_2)\) and sends them with \(T_2\) to \(S_j\), where \(K^{*}\) is a new nonce;

\(AK_2\). On receiving \(\{V_j, RPW_i^{*},T_2\}\), \(S_j\) decrypts \(V_j\) to get \((Id_i,\alpha _iP, T_2)\) and checks the validity of \(T_2\). If it is valid, \(S_j\) further derives \(h(Id_i,h(K^{*}))\) by computing \(h(Id_i)^{-1}RPW_i^{*}\), computes \(sk=h(\alpha _i\beta _jP)\) and then \(C_{i}=E_{h(Id_i,h(K^{*}))}(Id_i,\beta _jP,sk,T_3)\), where \(\beta _j\) is a nonce of \(S_j\). Subsequently, \(S_j\) sends \(\{C_{i},RPW_i^{*},T_3\}\) to \(U_i\);

\(AK_3\). After receiving the message, \(U_i\) derives \(h(Id_i,h(K^{*}))\) by computing \(h(Id_i)^{-1}RPW_i^{*}\) and replaces the old temporary identity \(RPW_i\) with the new temporary identity \(RPW_i^{*}\) in the smart card. Then, \(U_i\) decrypts \(C_{i}\) using \(h(Id_i,h(K^{*}))\) to derive \((Id_i,\beta _jP,sk,T_3)\). Next, \(U_i\) computes \(sk=h(\alpha _i\beta _jP)\) and checks whether it is equal to the decrypted sk. If it is, \(U_i\) accepts the communication request from \(S_j\) and agrees on sk as their shared session key. Figure 2 depicts the processes of this phase.

Fig. 2 Authentication and key agreement

5.6 Password change

The user has the ability to freely choose and if desired change his/her password in the proposed scheme. The following steps are required for a user to change his password:

\(P_1\). \(U_i\) inserts the smart card into the device and provides his identity \(Id_i\), old password \(pw_i\) and imprints his biometrics \(Bio_i^{*}\).

\(P_2\). The smart card derives \(\mu _i\) with \(Rep(Bio_i^{*}, \nu _i)=\mu _i\) and checks whether \(h(Id_i, h(pw_i, \mu _i)){\mathop {=}\limits ^{?}}f_i\). If it holds, \(U_i\) keys in his new password \(pw_i^{new}\), and the smart card stores \(f_i^{new}=h(Id_i, h(pw_i^{new}, \mu _i))\) before deleting \(f_i\).

5.7 Dynamic sensor node addition

If some sensor nodes expire or new ones are to be added to the network, GWN updates its password-key \(X_{GWN}\) to a new \(X_{GWN}^{new}\), stores \(K_j^{new}=h(SID_j^{new}, X_{GWN}^{new})\) in its database and deletes the old information.

6 Security analysis

In this section, the security of the proposed scheme for WSN is analyzed. The BAN-logic [52] is used to show the scheme is valid and practical. Detailed analysis also shows the proposed scheme could withstand various attacks and satisfy security requirements in WSNs. Also, the formal security analysis and simulation are performed to demonstrate the proposed scheme can achieve high level security.

6.1 Authentication proof with BAN logic

To apply the BAN logic, we first introduce the basic notations listed in Table 1, where M and N denote participants and X denotes a formula.

Table 1 Notations

We establish the following goals that the proposed scheme should satisfy according to the analytic procedures of BAN logic.

\(G_1\): \(GWN|\equiv U_i|\equiv Id_i\)

\(G_2\): \(GWN|\equiv Id_i\)

\(G_3\): \(S_j|\equiv U_i{\mathop {\longleftrightarrow }\limits ^{sk}}S_j\)

\(G_4\): \(U_i|\equiv S_j|\equiv U_i{\mathop {\longleftrightarrow }\limits ^{sk}}S_j\)

\(G_5\): \(U_i|\equiv U_i{\mathop {\longleftrightarrow }\limits ^{sk}}S_j\)

\(G_6\): \(S_j|\equiv U_i|\equiv U_i{\mathop {\longleftrightarrow }\limits ^{sk}}S_j\)

The transmitted messages of authenticated key agreement in the idealized form are as follows:

\(U_i\rightarrow GWN\): \(\alpha _iP, <Id_i>_{\alpha _iX_{Pub}}, (Id_i, \alpha _iP,T_1)_{h(Id_i,h(K))}, h(Id_i)_{h(Id_i,h(K))}\);

\(GWN\rightarrow S_j\): \((Id_i,\alpha _iP,T_2)_{h(SId_j,K_j)}\);

\(S_j\rightarrow U_i\): \((Id_i,\beta _jP,sk,T_3)_{h(Id_i, h(K^{*}))}, h(Id_i)_{h(Id_i,h(K^{*}))}\)

We then make the following assumptions to analyze the proposed scheme:

\(A_1\): \(U_i|\equiv \alpha _i\)

\(A_2\): \(U_i|\equiv T_1\)

\(A_3\): \(U_i|\equiv Id_i\)

\(A_4\): \(GWN|\equiv K_j\)

\(A_5\): \(GWN|\equiv X_s\)

\(A_6\): \(GWN|\equiv T_1\)

\(A_7\): \(GWN|\equiv U_i\Rightarrow Id_i\)

\(A_8\): \(U_i|\equiv T_2\)

\(A_9\): \(S_j|\equiv \beta _i\)

\(A_{10}\): \(S_j|\equiv T_3\)

\(A_{11}\): \(S_j|\equiv K_j\)

\(A_{12}\): \(S_j|\equiv T_2\)

\(A_{13}\): \(S_j|\equiv GWN\Rightarrow \alpha _iP\)

\(A_{14}\): \(U_i|\equiv U_i{\mathop{\longleftrightarrow}\limits^{{h(Id_i,h(K))}}} GWN\)

\(A_{15}\): \(GWN|\equiv U_i{\mathop{\longleftrightarrow}\limits^{{h(Id_i,h(K))}}} GWN\)

\(A_{16}\): \(U_i|\equiv U_i{\mathop{\longleftrightarrow}\limits^{{h(Id_i,h(K^{*}))}}} GWN\)

\(A_{17}\): \(GWN|\equiv U_i{\mathop{\longleftrightarrow}\limits^{{h(Id_i,h(K^{*}))}}} GWN\)

\(A_{18}\): \(S_j|\equiv S_j{\mathop{\longleftrightarrow}\limits^{{h(SId_j,h(K_j))}}} GWN\)

\(A_{19}\): \(GWN|\equiv S_j{\mathop{\longleftrightarrow}\limits^{{h(SId_j,h(K_j))}}} GWN\)

\(A_{20}\): \(U_i|\equiv S_j\Rightarrow (U_i{\mathop {\longleftrightarrow }\limits ^{sk}}S_j)\)

We now use BAN logic to analyze the proposed scheme:

\(S_1\): Since \(GWN\triangleleft (Id_i, \alpha _iP,T_1)_{h(Id_i,h(K))}\), \(A_{15}\) and the message-meaning rule, we could draw a conclusion: \(GWN|\equiv U_i|\sim <Id_i, \alpha _iP,T_1>\)

\(S_2\): Since \(S_1\), \(A_6\) and the fresh conjuncatenation rule, we could draw a conclusion: \(GWN|\equiv U_i|\equiv <Id_i, \alpha _iP>\)

\(G_1\): Since \(S_2\) and the belief rule, we could draw a conclusion: \(GWN|\equiv U_i|\equiv Id_i\)

\(G_2\): Since \(A_7\), \(G_1\) and the jurisdiction rule, we could draw a conclusion: \(GWN|\equiv Id_i\)

\(S_3\): Since \(S_j\triangleleft (Id_i,\alpha _iP,T_2)_{h(SId_j,K_j)}\), \(A_{18}\) and the message-meaning rule, we could draw a conclusion: \(S_j|\equiv GWN|\sim <Id_i,\alpha _iP,T_2>\)

\(S_4\): Since \(A_{12}\), \(S_3\) and the fresh conjuncatenation rule, we could draw a conclusion: \(S_j|\equiv GWN|\equiv <Id_i,\alpha _iP,T_2>\)

\(S_5\): Since \(S_4\), \(A_{12}\) and the belief rule, we could draw a conclusion: \(S_j|\equiv GWN|\equiv <\alpha _iP, Id_i>\)

\(S_6\): Since \(S_5\), \(A_{13}\) and the jurisdiction rule, we could draw a conclusion: \(S_j|\equiv \alpha _iP,S_j|\equiv Id_i\)

According to \(sk=h(\alpha _i\beta _jP)\), we could draw a conclusion:

\(G_3\): \(S_j|\equiv U_i{\mathop {\longleftrightarrow }\limits ^{sk}}S_j\)

\(S_7\): Since \(U_i\triangleleft (Id_i,\beta _jP,sk,T_3)_{h(Id_i, h(K^{*}))}\), \(A_{16}\) and the message-meaning rule, we could draw a conclusion: \(U_i|\equiv S_j|\sim <Id_i,\beta _jP,U_i{\mathop {\longleftrightarrow }\limits ^{sk}}S_j,T_3>\)

\(S_8\): Since \(S_7\), \(A_3\) and the fresh conjuncatenation rule, we could draw a conclusion: \(U_i|\equiv S_j|\equiv <Id_i,\beta _jP,U_i{\mathop {\longleftrightarrow }\limits ^{sk}}S_j,T_3>\)

\(G_4\): Since \(S_8\) and the belief rule, we could draw a conclusion: \(U_i|\equiv S_j|\equiv U_i{\mathop {\longleftrightarrow }\limits ^{sk}}S_j\)

\(G_5\): Since \(A_{20}\), \(G_4\) and the jurisdiction rule, we could draw a conclusion: \(U_i|\equiv U_i{\mathop {\longleftrightarrow }\limits ^{sk}}S_j\)

\(G_6\): Since \(S_2\), \(S_5\) and \(sk=h(\alpha _i\beta _jP)\), we could draw a conclusion: \(S_j|\equiv U_i|\equiv U_i{\mathop {\longleftrightarrow }\limits ^{sk}}S_j\)

6.2 Discussion

This subsection shows that the proposed scheme resolves the security pitfalls found in Das’s authentication scheme. Besides, the proposed scheme possesses other security features.

6.2.1 Resilience against trace attack

In the proposed scheme, \(U_i\)’s real identity is concealed in \(B_i=Id_i\oplus \alpha _i X_{Pub}\), \(V_i=h(Id_i, h(Id_i,h(K)), \alpha _iP,T_1)\) and \(RPW_i=h(Id_i)h(Id_i,h(K))\). If an adversary tries to learn \(Id_i\) from these authentic messages, he must know K or the private key \(X_s\) of GWN. Without knowledge of the private key \(X_s\) or the nonce K, it is impossible for an adversary to obtain the user identity. Therefore, the presented scheme can withstand the trace attack.

6.2.2 Three-factor security

This topic is discussed from three sides: smart card and password, biometric and password, smart card and biometric.

a. Assume that an adversary has the user’s smart card and password.

Undoubtedly, the adversary could extract the secrets \(\{RPW_i, f_i, \nu _i, Gen(), Rep(), h()\}\) by a side-channel attack [39]. However, the adversary cannot derive the identity \(Id_i\) from the information he holds, since he lacks the nonce K and the user’s biometric. Therefore, the adversary cannot impersonate the user.

b. Assume that an adversary has the user’s biometric and password.

The adversary could intercept the login message \(\{A_i,RPW_i,B_i,V_i, T_1\}\) and attempt to derive \(Id_i\) from \(B_i=Id_i\oplus \alpha _iX_{Pub}\). Unfortunately for him, the adversary cannot achieve this without knowledge of the private key of GWN or the auxiliary string \(\nu _i\) stored in the smart card. Therefore, the adversary cannot derive \(\mu _i\).

c. Assume that an adversary has the user’s smart card and biometric.

The adversary also reads the information stored in the smart card [50]. Obviously, he could retrieve \(\mu _i\) by computing \(Rep(Bio_i,\nu _i)\). At most, he could derive \(Id_i\) and \(pw_i\) by checking \(h(Id_i,h(pw_i^{*},\mu _i^{*})){\mathop =\limits ^{?}}f_i\). However, he cannot impersonate a legal user without knowledge of the nonce K. Once the value \(V_i=h(Id_i,h(Id_i,h(K)),\alpha _iP,T_1)\) is modified, the GWN will detect the attack from the user side.

6.2.3 Resilience against insider attack

The insider attack is addressed by having the user submit \(\{Id_i, h(pw_i,\mu _i)\}\) rather than the password itself. The proposed scheme does not suffer from the insider attack, since an insider of GWN cannot guess \(pw_i\) of \(U_i\) without \(\mu _i\). Therefore, the proposed scheme is secure against the insider attack.

6.2.4 Resilience against node capture attack

Assume that an adversary could eavesdrop on the communication messages \(\{V_j, RPW_i^{*},T_2\}\) and \(\{C_{i},RPW_i^{*},T_3\}\) and steal the stored information \(h(SId_j,K_j)\oplus N_j\). However, it is useless to try to impersonate a sensor node using these messages, owing to the lack of important secrets such as \(K_j\), \(N_j\) and \(X_s\). For example, if the adversary does not know \(N_j\), he cannot derive \(h(SId_j,K_j)\), which is the verification value between GWN and \(S_j\). In other words, the adversary cannot be authenticated by \(S_j\) without knowledge of \(N_j\) even if he has obtained the information \(h(SId_j,K_j)\oplus N_j\). Therefore, it is hard for an adversary to launch the node capture attack against the proposed scheme.

6.2.5 Session key security

Even though an adversary could intercept all the communication messages \(\{A_i,RPW_i,B_i,V_i, T_1\}\), \(\{V_j, RPW_i^{*},T_2\}\) and \(\{C_{i},RPW_i^{*},T_3\}\), he cannot compromise the session key \(sk=h(\alpha _i\beta _jP)\). To derive \(\beta _jP\) from \(C_i=E_{h(Id_i,h(K^{*}))}(Id_i,\beta _jP,sk, T_3)\), the adversary needs to know the user’s identity \(Id_i\) and the sensor node’s nonce \(K^{*}\). Moreover, even if the adversary has obtained \(\alpha _iP\) and \(\beta _jP\), he still cannot compute sk without knowing \(\alpha _i\) and \(\beta _j\). Therefore, the proposed scheme achieves session key security.

6.2.6 Resilience against replay attack

Suppose the adversary intercepts the login request \(\{A_i,RPW_i,B_i,V_i, T_1\}\) during the login phase, where \(A_i=\alpha _iP, B_i=Id_i\oplus \alpha _i X_{Pub}, V_i=h(Id_i, h(Id_i,h(K)), \alpha _iP,T_1), RPW_i=h(Id_i)h(Id_i,h(K))\). If the adversary attempts to replay this login request, GWN will easily detect the attack by checking the validity of \(T_1\). Further, if the adversary generates a new timestamp, he can be detected by checking the correctness of \(V_i\), because \(T_1\) is included in \(V_i\). As a result, the proposed scheme can prevent the replay attack.

6.2.7 Resilience against man-in-the-middle attack

Assume that an adversary intercepts the login request \(\{A_i,RPW_i,B_i,V_i, T_1\}\). It is futile for the adversary to send a forged message by changing certain parameters. Once the GWN verifies the validity of \(V_i=h(Id'_i,h(Id_i,h(K))',\alpha '_iP,T'_1)\), it will immediately find the attack, because the value \(h(Id'_i,h(Id_i,h(K)),\alpha '_iP,T'_1)\) computed by GWN is not equal to the received \(V_i\), where \(Id'_i\), \(\alpha '_i\) and \(T'_1\) are the forged values and \(h(Id_i,h(K))\) is the original value known only to the user and the gateway node. Similarly, \(h(SId_j,K_j)\) is known only to the gateway node and the sensor node, so any modified message \(V_j\) from GWN to \(S_j\) can be detected by \(S_j\). Therefore, the proposed scheme is secure against the man-in-the-middle attack.

6.2.8 Resilience against many logged-in users with the same login-ID attack

Even if two users have the same identity and password, the proposed scheme resists this attack, since the two hash values \(h(Id_i,h(pw_i,\mu _i))\) and \(h(Id_i,h(pw_i,\mu '_i))\) are different, where \(\mu _i\) and \(\mu '_i\) are produced by the fuzzy extractor from each user's biometrics.

6.3 Formal security analysis

In this section, an extended security model for authentication and key agreement is defined to capture three-factor security. Specifically, we extend the Corrupt query. Three-factor security means that the adversary may obtain the user's smart card and password, or the user's biometric and password, or the user's smart card and biometric, but not all three.

6.3.1 Participant and partner

In our proposed scheme, there are three types of protocol participants: the user set \({ \vee _{User}}\), the server set \({ \vee _{Server}}\), and the gateway node (GWN), which is a trusted third party. The user and server sets each contain multiple instances, which can execute the protocol concurrently. Two instances \({U_i} \in { \vee _{User}}\) and \({S_j} \in { \vee _{Server}}\) are called partners if they meet the following conditions: (1) both \({U_i}\) and \({S_j}\) are in the accepted state, which means each has computed a session key; (2) both \({U_i}\) and \({S_j}\) have the same session identifier sid, which is the concatenation of all messages received and sent by the instance \({U_i}\) or \({S_j}\); (3) \({U_i}\) and \({S_j}\) are each other's partners.

Among these participants, every user instance \({U_i}\) has its own password, chosen from a uniformly distributed dictionary D, and the gateway node (GWN) has a public key \({X_{Pub}}\) and a private key \({X_s}\). When a user registers with the GWN, GWN computes \(RP{W_i}\) and sends it back to \({U_i}\), where it is stored in the smart card. When a server registers with the GWN, GWN returns \(h(SI{d_j},{K_j})\) to \({S_j}\), and \({S_j}\) stores \(h(SI{d_j},{K_j}) \oplus {N_j}\) in its database.

6.3.2 Query

We define the following five queries, which the adversary sends to the protocol participants \({U_i}\) and \({S_j}\); the participants must answer every query from the adversary.

(1) \(Send({U_i}/{S_j}/GWN,m)\): This query simulates an active attack. When the adversary sends the message m to the instance \({U_i}\), \({S_j}\) or GWN through this query, the instance answers with the corresponding response message.

(2) \(Execute({U_i},{S_j})\): This query simulates a passive attack. When the adversary issues this query, the messages exchanged during an honest execution of the proposed protocol between \({U_i}\) and \({S_j}\) are returned to the adversary.

(3) \(Reveal({U_i})\): This query simulates the known-key attack. It returns the session key of \({U_i}\) to the adversary.

(4) \(Corrupt({U_i},a)\): This query models three-factor security. Specifically, the adversary can obtain the user's smart card and password, or the user's biometric and password, or the user's smart card and biometric, depending on the value of a:

  1. If a = 1, this query answers with the values \(\{RP{W_i},{f_i},{v_i}, Gen(),Rep(),h()\}\) stored in the smart card of \({U_i}\) and the password \(p{w_i}\) of \({U_i}\).

  2. If a = 2, this query answers with the biometric \(Bi{o_i}\) and the password \(p{w_i}\) of \({U_i}\).

  3. If a = 3, this query answers with the values \(\{ RP{W_i},{f_i},{v_i},Gen(),Rep(),h()\}\) stored in the smart card of \({U_i}\) and the biometric \(Bi{o_i}\) of \({U_i}\).

(5) \(Test({U_i})\): This query tests the authenticated key exchange security of the session key of \({U_i}\). A random bit \(b \in \{ 0,1\}\) is flipped. If b = 1, the session key of \({U_i}\) is returned to the adversary; otherwise (b = 0), the adversary receives a random value of the same length as the session key. The adversary may ask this query at most once.

6.3.3 Semantic security

After issuing the above queries, the adversary guesses the value of b used in the query \(Test({U_i})\), where the instance \({U_i}\) must be fresh and its session key must be defined. Let Corr denote the event that the adversary guesses the bit b correctly, and let D denote the uniformly distributed password dictionary of \({U_i}\). The advantage of the adversary A against the semantic security of the proposed protocol P is defined as \(Ad{v_{P,D}}(A) = 2\Pr [Corr] - 1\), so that a blind guess, with \(\Pr [Corr] = 1/2\), has advantage 0.

An instance is fresh if it meets the following conditions: (1) the instance \({U_i}\) has computed a session key; (2) neither the user instance \({U_i}\) nor its partner has been the subject of a Reveal-query; (3) the adversary may query \(Corrupt({U_i},1)\) or \(Corrupt({U_i},2)\), but not both.

6.3.4 The security proof of our scheme

In this section, we carry out the formal security analysis of the proposed protocol for WSN through a game between the adversary and the protocol participants, which shows that the proposed scheme is secure and practical.

Theorem 1

\(Ad{v_{tps,D}}(A)\) denotes the advantage of an adversary against the proposed scheme under a uniformly distributed dictionary. The proposed scheme is secure as long as the following inequality holds, i.e. the probability \(Ad{v_{tps,D}}(A)\) is small enough:

$$\begin{aligned} Ad{v_{tps,D}}(A) \le Adv_{{E_h}}^{sym}(t) + \frac{{q_h^2 + {{({q_{send}} + {q_{exe}})}^2}}}{p} + \frac{{2{q_{send}}}}{p} + \frac{{2{q_{send}}}}{{|D|}} + 2{q_h}Adv_G^{CDH}(t + ({q_{send}} + {q_{exe}} + 1) \cdot {\tau _G}), \end{aligned}$$

where tps, D, A, |D|, G, t and \({\tau _G}\) denote the proposed scheme, a uniformly distributed dictionary, an adversary against the proposed scheme, the number of elements in the dictionary D, a finite cyclic group, the time bound within which the adversary runs against the proposed scheme, and the time of one scalar multiplication in G, respectively. \(Adv_{{E_h}}^{sym}(t)\) and \(Adv_G^{CDH}\) denote the advantage of an adversary against the symmetric encryption keyed with a hash output and the advantage of an adversary in solving the CDH problem in G, respectively. \({q_{send}}\), \({q_{exe}}\) and \({q_h}\) denote the numbers of Send-queries, Execute-queries and Hash-queries, respectively.

Proof

We first define six hybrid experiments \({\exp _0}\) to \({\exp _5}\), each corresponding to a different situation. Let \(Succes{s_i}\) denote the event that the adversary correctly guesses the bit b of the Test-query in \({\exp _i}\), where \(i = 0,1,\ldots ,5\). We use \({{\Delta }_i}\) to denote the distance \(|\Pr [Succes{s_i}] - \Pr [Succes{s_{i + 1}}]|\) between \({\exp _i}\) and \({\exp _{i + 1}}\).

\({\exp _0}\): It is the first experiment corresponding to the actual attack, so in this experiment, we can get the following inequality holds by the above definition:

$$\begin{aligned} Ad{v_{tps,D}}(A)&= 2\Pr [Succes{s_0}] - 1\\&= 2\Pr [Succes{s_4}] - 1 + 2(\Pr [Succes{s_0}] - \Pr [Succes{s_4}])\\&\le 2\Pr [Succes{s_4}] - 1 + 2\sum \limits _{i = 0}^{3} {{{\Delta }_i}} \end{aligned}$$

\({\exp _1}\): In this experiment, we simulate the queries: two hash-queries h(m) and \({h}'(m)\), the Send-query, the Execute-query, the Reveal-query and the Test-query, where \({h}'(m)\) is used in \({\exp _4}\). The simulation of these queries is given in (1), (2) and (3) below. The identity of the user is protected by \({V_j}\) and \({C_i}\) during transmission; an adversary who can distinguish the plaintext \(I{d_i}\) in the ciphertext \({V_j}\) or \({C_i}\) breaks the symmetric encryption \({E_h}\), so \({{\Delta }_0} \le Adv_{{E_h}}^{sym}(t)\).

\({\exp _2}\): In this experiment, we simulate the queries exactly as in \({\exp _1}\), but the simulation halts whenever a collision occurs in the transcript of messages \((({A_i},RP{W_i},{B_i},{V_i},{T_1}),({V_j},RPW_i^*,{T_2}),({C_i},RPW_i^*,{T_3}))\). Both the outputs of the hash queries and the transcripts of the transmitted messages may collide. By the birthday paradox, the collision probability of the hash queries is at most \(\frac{{q_h^2}}{{2p}}\), and by the same argument the collision probability of the transcripts is at most \(\frac{{{{({q_{send}} + {q_{exe}})}^2}}}{{2p}}\). Therefore, \({{\Delta }_1} \le \frac{{q_h^2 + {{({q_{send}} + {q_{exe}})}^2}}}{{2p}}\).

\({\exp _3}\): In this experiment, the simulation halts if the adversary correctly guesses the authentication values \({f_i}\), \({V_i}\) or sk. The two experiments \({\exp _2}\) and \({\exp _3}\) are indistinguishable unless the user or server rejects a valid authentication value, so \({{\Delta }_2} \le \frac{{{q_{send}}}}{p}\).

\({\exp _4}\): In this experiment, we introduce a new hash-query \(h'\) and evaluate it on \({\alpha _i}P\) or \({\beta _j}P\) instead of using the hash-query h on \({\alpha _i}{\beta _j}P\) to derive the session key, so the session key sk becomes completely independent of h and \({\alpha _i}{\beta _j}P\). Specifically, the Execute-query yields \(sk = h'({\alpha _i}P)\) or \(sk=h'({\beta _j}P)\). Let \(Query{H_{in - 4}}\) denote the event that the adversary makes a hash-query h on \({\alpha _i}{\beta _j}P\) in \({\exp _4}\). The experiments \({\exp _3}\) and \({\exp _4}\) are indistinguishable unless the event \(Query{H_{in - 4}}\) occurs, so \({{\Delta }_3} \le \Pr [Query{H_{in - 4}}]\). Moreover, the bit b of the Test-query is now random and independent of all session executions, so \(\Pr [Succes{s_4}] = \frac{1}{2}\) holds.

\({\exp _5}\): In this experiment, we similarly let \(Query{H_{in - 5}}\) denote the event that the adversary makes a hash-query h on \({\alpha _i}{\beta _j}P\) in \({\exp _5}\), exactly as \(Query{H_{in - 4}}\) in \({\exp _4}\), so \(\Pr [Query{H_{in - 4}}] = \Pr [Query{H_{in - 5}}]\). We then use the random self-reducibility of the Diffie-Hellman problem to simulate the executions. Specifically, given a CDH instance (A, B), we choose two random numbers \(\alpha ,\beta\) and compute \({A_i} = \alpha A\) and \({B_j} = \beta B\). Thus \({\alpha _i}{\beta _j}P = CDH({A_i},{B_j}) = CDH(\alpha \cdot A,\beta \cdot B) = \alpha \cdot \beta \cdot CDH(A,B)\), where \(CDH({A_i},{B_j})\) or CDH(A, B) is the solution of the CDH instance \(({A_i},{B_j})\) or (A, B). Furthermore, an adversary who has obtained all the information in the user's smart card and the biometric \(Bi{o_i}\) of \({U_i}\) is not allowed to obtain the user's password: once the adversary has queried \(Corrupt({U_i},3)\), he/she cannot query \(Corrupt({U_i},1)\) or \(Corrupt({U_i},2)\), so in each transcript the adversary can test only one password. Therefore, \(\Pr [Query{H_{in - 5}}] \le \frac{{{q_{send}}}}{{|D|}} + {q_h}Adv_G^{CDH}(t + ({q_{send}} + {q_{exe}} + 1) \cdot {\tau _G})\).
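Collecting the bounds of \({\exp _0}\) to \({\exp _5}\) into the statement of Theorem 1, as an added worked step that is not part of the original proof (the symbols are the paper's own), and using \(\Pr [Succes{s_4}] = \frac{1}{2}\) together with \({{\Delta }_3} \le \Pr [Query{H_{in - 4}}] = \Pr [Query{H_{in - 5}}]\):

$$\begin{aligned} Ad{v_{tps,D}}(A) &\le 2\Pr [Succes{s_4}] - 1 + 2\sum \limits _{i = 0}^{3} {{{\Delta }_i}} = 2\left( {{\Delta }_0} + {{\Delta }_1} + {{\Delta }_2} + {{\Delta }_3}\right) \\ &\le 2Adv_{{E_h}}^{sym}(t) + \frac{{q_h^2 + {{({q_{send}} + {q_{exe}})}^2}}}{p} + \frac{{2{q_{send}}}}{p} + \frac{{2{q_{send}}}}{{|D|}} + 2{q_h}Adv_G^{CDH}(t + ({q_{send}} + {q_{exe}} + 1) \cdot {\tau _G}). \end{aligned}$$

Summing the experiment bounds gives \(2Adv_{{E_h}}^{sym}(t)\) as the first term where Theorem 1 writes \(Adv_{{E_h}}^{sym}(t)\); the constant factor does not affect the conclusion, since the bound is negligible whenever each of its terms is.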

(1) Simulation of hash-queries h() and \(h'()\)

  • On a hash-query h(m), if a record (m, result) exists in the list \({{\varLambda }_h}\), return the value of result; otherwise, choose a random value result, add the record (m, result) to the list \({{\varLambda }_h}\), and return result.

  • On a hash-query \({h}'({m}')\), if a record \(({m}',result')\) exists in the list \({{\varLambda }_{{h}'}}\), return the value of \(result'\); otherwise, choose a random value \(result'\), add the record \(({m}',result')\) to the list \({{\varLambda }_{{h}'}}\), and return \(result'\).

(2) Simulation of Send-query

  • On a Send-query \(Send({U_i},start)\), assuming \({U_i}\) is in the correct state, we carry out the following steps: derive \({\mu _i}\) with \(Rep\left( {Bio_i^*,{\nu _i}} \right) = {\mu _i}\) and verify whether \(h\left( {I{d_i},h\left( {p{w_i},{\mu _i}} \right) } \right) \mathop = \limits^{?}{f_i}\). If this check fails, the user terminates without accepting; otherwise, choose a nonce \({\alpha _i}\) and compute \({A_i} = {\alpha _i}P\), \({B_i} = I{d_i} \oplus {\alpha _i}{X_{Pub}}\) and \({V_i} = h\left( {I{d_i},h\left( {I{d_i},h\left( K \right) } \right) , {\alpha _i}P,{T_1}} \right)\). This query is answered with \(\left\{ {{A_i},RP{W_i},{B_i},{V_i},{T_1}} \right\}\).

  • On a Send-query \(Send(GWN,({A_i},RP{W_i},{B_i},{V_i},{T_1}))\), assuming GWN is in the correct state, we carry out the following steps: derive \(I{d_i} = {X_s}{A_i} \oplus {B_i}\) and verify whether \(h(Id_{i},h(Id_{i},h(K)),\alpha _{i}P,T_{1}) \mathop = \limits^{?} V_{i}\) holds. If this check fails, the GWN terminates without accepting; otherwise, compute \(RPW_i^* = h\left( {I{d_i}} \right) h\left( {I{d_i},h\left( {{K^*}} \right) } \right)\) and \({V_j} = {E_{h\left( {SI{d_j},{K_j}} \right) }}\left( {I{d_i},{\alpha _i}P,{T_2}} \right)\). This query is answered with \(\left\{ {{V_j},RPW_i^*,{T_2}} \right\}\).

  • On a Send-query \(Send({S_j},({V_j},RPW_i^*,{T_2}))\), assuming \({S_j}\) is in the correct state, we carry out the following steps: decrypt \(\left( {I{d_i},{\alpha _i}P,{T_2}} \right) = {D_{h\left( {SI{d_j},{K_j}} \right) }}\left( {{V_j}} \right)\) and check the validity of \({T_2}\). If this check fails, the server terminates without accepting; otherwise, derive \(h\left( {I{d_i},h\left( {{K^*}} \right) } \right) = h{\left( {I{d_i}} \right) ^{ - 1}}RPW_i^*\), compute \(sk = h\left( {{\alpha _i}{\beta _j}P} \right)\) and then \({C_i} = {E_{h\left( {I{d_i},h\left( {{K^*}} \right) } \right) }}\left( {I{d_i},{\beta _j}P,sk,{T_3}} \right)\). This query is answered with \(\left\{ {{C_i},RPW_i^*,{T_3}} \right\}\).

  • On a Send-query \(Send({U_i},({C_i},RPW_i^*,{T_3}))\), assuming \({U_i}\) is in the correct state, we carry out the following steps: derive \(h\left( {I{d_i},h\left( {{K^*}} \right) } \right) = h{\left( {I{d_i}} \right) ^{ - 1}}RPW_i^*\), replace \(RP{W_i}\) with \(RPW_i^*\), decrypt \(\left( {I{d_i},{\beta _j}P,sk,{T_3}} \right) = {D_{h\left( {I{d_i},h\left( {{K^*}} \right) } \right) }}\left( {{C_i}} \right)\), compute \(sk = h\left( {{\alpha _i}{\beta _j}P} \right)\) and check whether it equals the decrypted sk. If this check fails, the user terminates without accepting.

(3) Simulation of Execute-query, Reveal-query, Corrupt-query \(Corrupt({U_i},a)\) and Test-query

  • On an Execute-query \(Execute({U_i},{S_j})\), we carry out the following steps:

    $$\begin{aligned}&({A_i},RP{W_i},{B_i},{V_i},{T_1}) \leftarrow Send({U_i},start)\\&({V_j},RPW_i^*,{T_2}) \leftarrow Send(GWN,({A_i},RP{W_i},{B_i},{V_i},{T_1}))\\&({C_i},RPW_i^*,{T_3}) \leftarrow Send({S_j},({V_j},RPW_i^*,{T_2}))\\ \end{aligned}$$

    The transcript \((({A_i},RP{W_i},{B_i},{V_i},{T_1}),({V_j},RPW_i^*,{T_2}),({C_i},RPW_i^*,{T_3}))\) is returned to the adversary.

  • On a Reveal-query \(Reveal({U_i})\), we carry out the following step: if the user \({U_i}\) has accepted, the session key sk is returned to the adversary.

  • On a Corrupt-query \(Corrupt({U_i},a)\), we carry out the following steps:

    a. If a = 1, the values \(\{ RP{W_i},{f_i},{v_i},Gen(),Rep(),h()\}\) stored in the smart card of \({U_i}\) and the password \(p{w_i}\) of \({U_i}\) are returned to the adversary.

    b. If a = 2, the biometric \(Bi{o_i}\) and the password \(p{w_i}\) of \({U_i}\) are returned to the adversary.

    c. If a = 3, the values \(\{ RP{W_i},{f_i},{v_i},Gen(),Rep(),h()\}\) stored in the smart card of \({U_i}\) and the biometric \(Bi{o_i}\) of \({U_i}\) are returned to the adversary.

  • On a Test-query \(Test({U_i})\), we carry out the following steps: flip a coin \(b \in \{ 0,1\}\). If b = 1, we return the session key sk of the user, obtained from the \(Reveal({U_i})\) query; otherwise, we return a random value of the same length as the session key sk.
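The exchange described in the Send-query simulation above, together with the replay and modification checks of Sections 6.2.6 and 6.2.7 and the local three-factor check \(f_i\) of Section 6.2.8, as an added runnable model. This is constructed example code, not the paper's or any project's implementation. It assumes a multiplicative group modulo a Mersenne prime in place of the elliptic-curve group, SHA-256 for h(), a SHA-256 keystream XOR in place of the symmetric cipher \(E/D\), a fixed per-user secret in place of the fuzzy-extractor output \(\mu _i\), that the GWN keeps the latest nonce K for each registered user, that the target sensor identity is passed to the GWN alongside the login request, and a freshness window DELTA for the timestamp checks; the user identity, password and sensor name are constructed sample values.

```python
"""Added toy model of the login/authentication/key-agreement exchange (not the paper's code).
Stand-ins: a multiplicative group mod a Mersenne prime for the EC group (alpha*P is
GEN**alpha), SHA-256 for h(), a SHA-256 keystream XOR for E/D, and a fixed per-user secret
for the fuzzy-extractor output mu_i. Assumed: GWN stores the latest nonce K per user and is
told the target sensor SId_j; every party checks timestamps against a window DELTA."""
import hashlib, json, secrets

P_MOD, GEN = 2**127 - 1, 3   # constructed toy group: prime modulus and generator (base point P)
Q_HASH = 2**61 - 1           # prime field in which RPW_i = h(Id_i) * h(Id_i, h(K)) is formed
DELTA = 2.0                  # timestamp freshness window in seconds (assumed)

def h(*parts):               # h(): SHA-256 over a '|'-joined encoding of the inputs, as an int
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

def mul(scalar, point=GEN): return pow(point, scalar, P_MOD)   # scalar*point in the toy group
def rand_scalar(): return secrets.randbelow(P_MOD - 2) + 1
def stale(t, now): return abs(now - t) > DELTA
def hk(id_i, k): return h(id_i, h(k)) % Q_HASH                  # h(Id_i, h(K)) reduced into Z_Q
def rpw(id_i, k): return (h(id_i) % Q_HASH) * hk(id_i, k) % Q_HASH   # RPW_i = h(Id_i)*h(Id_i,h(K))
def unmask(id_i, rpw_value):                                    # h(Id_i, h(K)) = h(Id_i)^-1 * RPW_i
    return pow(h(id_i) % Q_HASH, -1, Q_HASH) * rpw_value % Q_HASH

def _xor_stream(key, data):  # toy keystream cipher (no integrity) used for both E_key() and D_key()
    ks = b"".join(hashlib.sha256(f"{key}|{i}".encode()).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def E(key, obj): return _xor_stream(key, json.dumps(obj).encode())
def D(key, ct): return json.loads(_xor_stream(key, ct))

class Gateway:
    def __init__(self):
        self.x_s = rand_scalar()             # private key X_s
        self.x_pub = mul(self.x_s)           # public key X_Pub = X_s P
        self.users, self.sensors = {}, {}    # Id_i -> current K, SId_j -> K_j

    def register_user(self, id_i):          # returns RPW_i for the smart card
        self.users[id_i] = secrets.randbelow(2**64)
        return rpw(id_i, self.users[id_i])

    def handle_login(self, msg, sid_j, now): # Send(GWN, (A_i, RPW_i, B_i, V_i, T_1))
        a_i, rpw_i, b_i, v_i, t_1 = msg
        if stale(t_1, now): return None      # replayed request: stale T_1
        id_i = mul(self.x_s, a_i) ^ b_i      # Id_i = X_s A_i xor B_i
        k = self.users.get(id_i)
        if k is None or h(id_i, hk(id_i, k), a_i, t_1) != v_i:
            return None                      # forged or modified request: V_i mismatch
        self.users[id_i] = k_star = secrets.randbelow(2**64)   # fresh nonce K*
        v_j = E(h(sid_j, self.sensors[sid_j]), [id_i, a_i, now])
        return v_j, rpw(id_i, k_star), now   # {V_j, RPW_i*, T_2}

class Sensor:
    def __init__(self, sid_j, secret):      # secret = h(SId_j, K_j) from registration
        self.sid_j, self.secret, self.sk = sid_j, secret, None

    def handle(self, msg, now):              # Send(S_j, (V_j, RPW_i*, T_2))
        v_j, rpw_star, t_2 = msg
        id_i, a_i, t_2_in = D(self.secret, v_j)
        if t_2_in != t_2 or stale(t_2, now): return None
        beta_j = rand_scalar()
        self.sk = h(mul(beta_j, a_i))        # sk = h(alpha_i beta_j P)
        c_i = E(unmask(id_i, rpw_star), [id_i, mul(beta_j), self.sk, now])
        return c_i, rpw_star, now            # {C_i, RPW_i*, T_3}

class User:
    def __init__(self, id_i, pw, mu, rpw_i, x_pub):
        self.id_i, self.x_pub, self.alpha = id_i, x_pub, None
        self.card = {"RPW": rpw_i, "f": h(id_i, h(pw, mu))}   # smart-card contents

    def login(self, pw, mu, now):            # Send(U_i, start): local three-factor check f_i first
        if h(self.id_i, h(pw, mu)) != self.card["f"]: return None
        self.alpha = rand_scalar()
        a_i, b_i = mul(self.alpha), self.id_i ^ mul(self.alpha, self.x_pub)
        v_i = h(self.id_i, unmask(self.id_i, self.card["RPW"]), a_i, now)
        return a_i, self.card["RPW"], b_i, v_i, now   # {A_i, RPW_i, B_i, V_i, T_1}

    def finish(self, msg, now):              # Send(U_i, (C_i, RPW_i*, T_3))
        c_i, rpw_star, t_3 = msg
        id_i, beta_p, sk_in, t_3_in = D(unmask(self.id_i, rpw_star), c_i)
        sk = h(mul(self.alpha, beta_p))
        if id_i != self.id_i or t_3_in != t_3 or stale(t_3, now) or sk != sk_in: return None
        self.card["RPW"] = rpw_star          # replace RPW_i with RPW_i*
        return sk

def setup():                                 # constructed sample user and sensor
    gwn = Gateway()
    gwn.sensors["sensor-7"] = k_j = secrets.randbelow(2**64)
    sensor = Sensor("sensor-7", h("sensor-7", k_j))
    id_i, pw, mu = 0x1234ABCD, "correct horse", 0xFEED
    return User(id_i, pw, mu, gwn.register_user(id_i), gwn.x_pub), gwn, sensor, pw, mu

def run_session(user, gwn, sensor, pw, mu, now):   # honest run -> (user_sk, sensor_sk) or None
    m1 = user.login(pw, mu, now)
    m2 = m1 and gwn.handle_login(m1, sensor.sid_j, now)
    m3 = m2 and sensor.handle(m2, now)
    sk = m3 and user.finish(m3, now)
    return (sk, sensor.sk) if sk else None

def attacks_rejected(user, gwn, sensor, pw, mu, t0=1.7e9):   # -> (replay rejected, tamper rejected)
    msg = user.login(pw, mu, t0)
    forged = (mul(5), msg[1], msg[2], msg[3], t0 + 0.5)      # new A_i and fresh T_1, V_i unchanged
    replayed = gwn.handle_login(msg, sensor.sid_j, t0 + 60) is None   # resent outside DELTA
    return replayed, gwn.handle_login(forged, sensor.sid_j, t0 + 0.5) is None
```

The honest run yields the same sk on both sides and rotates \(RPW_i\) to \(RPW_i^*\), so a second session still succeeds; a request replayed outside the window is refused on \(T_1\) before any cryptography runs, and a request with \(A_i\) replaced and a fresh \(T_1\) but the old \(V_i\) is refused because the recomputed \(V_i\) no longer matches. The toy cipher carries no integrity tag, so in this model a damaged \(V_j\) or \(C_i\) is caught only by the timestamp and session-key comparisons that follow decryption.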

6.4 Simulation results using AVISPA tool

AVISPA (Automated Validation of Internet Security Protocols and Applications) is a push-button tool used to verify the robustness and efficiency of a cryptographic protocol. It provides a modular, role-based, expressive formal language, HLPSL (High Level Protocol Specification Language), for specifying security protocols. An HLPSL specification is translated into the Intermediate Format (IF) by the HLPSL2IF translator, and the IF specification is then fed to the back-ends of the AVISPA tool, which analyze whether the security goals are satisfied. The AVISPA tool comprises four back-ends: On-the-fly Model-Checker (OFMC), Constraint-Logic-based Attack Searcher (CL-AtSe), SAT-based Model-Checker (SATMC) and Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP).

To evaluate the security of the proposed scheme with the AVISPA tool, the roles of the user \(U_i\), the sensor node \(S_j\) and the gateway node GWN, together with the session, goal and environment roles, have been specified in HLPSL. The proposed scheme is simulated under the OFMC and CL-AtSe back-ends using SPAN, a security protocol animator for AVISPA. The designed goals, namely that GWN authenticates \(U_i\) through \(Id_i\), that \(S_j\) authenticates \(U_i\) through \(Id_i\), and the secrecy of the session key, the user's identity and the password, are all achieved. In the OFMC back-end, as illustrated in Fig. 3, the total number of visited nodes is 9657 and the depth of search is 13, requiring 51.42 seconds. In the CL-AtSe back-end, as shown in Fig. 4, 8621 states were analyzed and 1573 states were reachable; CL-AtSe took 0.53 seconds for translation and 0.91 seconds for computation. The simulation results report the proposed scheme as SAFE.

Fig. 3 The result of OFMC backend

Fig. 4 The result of CL-AtSe backend

7 Performance comparison

This section compares the performance of the proposed scheme with four other biometrics-based schemes using elliptic curve cryptography.

Table 2 compares the security features of the proposed scheme with those of the other biometrics-based schemes: He and Wang's scheme [46], Xie et al.'s scheme [39], Jiang et al.'s scheme [44] and Li et al.'s scheme [47]. It is clear that none of these schemes can resist the many logged-in users with the same login-ID attack. He and Wang's scheme [46] cannot even provide session key security. Besides, Xie et al.'s scheme [39], Jiang et al.'s scheme [44] and Li et al.'s scheme [47] fail to provide three-factor security, and the two schemes [44, 47] are vulnerable to the man-in-the-middle attack. From the table, it can be seen that the proposed scheme provides the desired security features and resists the existing attacks.

Table 3 compares the computation cost of the proposed scheme with the four other schemes during the registration, login and authentication, and key agreement phases, using the following notation: H: hash computation, S: symmetric key operation, E: elliptic curve scalar multiplication. According to Table 3, the proposed scheme needs a slightly higher computation cost than the schemes [39] and [47] but a lower cost than the schemes [44] and [47]. For a clearer comparison, Fig. 5 plots the computation cost of the login and authentication (LAA) phases and the total cost (TC). Here, the running time of each primitive operation is the arithmetic mean over one thousand executions, measured with the jPBC library 2.0.0 [53] on a Windows 10 machine with a Pentium 3.20 GHz CPU and 4.0 GB RAM: H takes 0.0359 ms, E takes 10.5129 ms and S takes 0.1755 ms.

Generally speaking, the security of a scheme is the primary concern. We therefore consider that the proposed scheme strikes a balance between efficiency and security properties.

Table 2 Security features comparison

Table 3 Computational cost comparison

Fig. 5 Performance comparison

8 Conclusion

This paper has shown that Das's mutual authentication scheme for WSN has several security pitfalls and may suffer from some attacks. Das's scheme provides no user anonymity, and it is susceptible to the user impersonation attack because it fails to achieve three-factor security. This paper therefore provides improvements that fix these two loopholes, so that the proposed scheme is secure enough to be used in WSNs.