1 Introduction

A wireless sensor network consists of low-cost, low-power sensor nodes deployed over a geographical area for controlling physical events like temperature, humidity, vibrations, seismic, and so on [2, 35]. WSNs are powerful in that they are amenable to support a lot of very different real world applications (e.g., disaster relief, environment control and biodiversity mapping, intelligent buildings, medicine and healthcare, machine surveillance and preventive maintenance) [30]. Some of these applications are critical scenarios including battlefield and security applications [18]. It is obvious that there should have great needs to access the real time data in these critical scenarios. The data are to be accessed directly by the external users as and when demanded, so authentication of the user must be ensured before allowing the user to access data [14]. The gateway node (GW) plays a crucial role in the WSNs as all data transmitted to the outside network must pass through it. Generally, registered users regularly log in to and query a WSN via GW. However, it is impractical or inconvenient to access real time data from the sensor nodes through GW only. In these networks, users need to have direct access to the sensor nodes to acquire data from them whenever required. Because of this reason, the user authentication problem is a very important research topic in WSN security which has received considerable research attention in WSN security study in the recent years [8, 9]. In general, there are two approaches in authenticating users in WSN:

  • A user is authenticated by the GW before accessing nodes.

  • A user directly contacts a sensor node and performs authentication with it [7].

Since nodes are limited in terms of computation and communication capabilities, lightweight authentication and key agreement protocols are prefered. In this direction, a number of two-factor user authentication schemes have been proposed in the literature [8, 14, 20, 25, 27, 31, 36, 37, 40, 43]. However, most of them have been demonstrated either insecure against different known attacks or lack of some important features. Recently, Gope et al. proposed a realistic lightweight anonymous authentication scheme for WSN and claimed that their scheme is secure against all known attacks [24]. However, in this paper, we analyze this scheme and show that their scheme is vulnerable to session key disclosure. In order to remedy this vulnerability, we improve the Gope et al.’s scheme and enhance its security features using three-factor user authentication along with access control property. In our scheme, we use a user’s personal biometric as the third factor. In recent years, the research shows that biometric based user authentication schemes are more secure and reliable. There are the following major advantages of using biometric key over traditional passwords [33]:

  • Biometric keys can not be guessed easily;

  • Biometric keys are very difficult to copy or share;

  • Biometric keys can not be lost or forgotten;

  • Biometric keys are extremely hard to forge or distribute;

  • Someone’s biometrics is not easy to break than others.

Moreover, in this paper, we propose a new user access control to allow authorized users with the relevant groups to access the real-time information from the WSN for which they are permitted. For example in the battlefield scenario, a commander should be able to access all types of data for the purpose of overall coordinating, but a soldier may only need to access the type of data relevant to his/her mission. Considering this point, the importance of user access control in WSNs for any applications becomes an important research field.

1.1 Our contribution

  • We first analyze the security of the recently proposed Gope et al.’s scheme [24], and find that their scheme has a vulnerability.

  • In order to remedy the vulnerability found in Gope et al.’s scheme, we improve the scheme and enhance its security features as follow:

    • Our scheme makes use of three factors, namely user’s password and biometric along with the non-tamper resistant smart card.

    • Our scheme makes use of access control which lets users from different groups access permitted sensor’s information.

  • We analyze the efficiency of our proposed scheme, and show our scheme is also efficient as compared to other schemes.

  • Our scheme is shown to be secure against relevant known attacks through both informal and formal security analysis.

2 Related work

Watro et al. [46] proposed a user authentication in WSNs which is known as TinyPK. Their schemes employed RSA [39] and Diffie-Hellman [15] algorithms to calculate an encrypted public key. TinyPK has a security flow as pointed out in [14]. Wong et al. [47] proposed a hash-based user authentication scheme, but some researchers found that is vulnerable to stolen-verifier, replay and forgery attacks [14]. Authors in [14] introduced a two-factor method of user authentication, which uses password and smart card of a user. However, that scheme cannot resist denial of service attack and node compromise attack [13]. Many researchers proposed several improvements [8, 32, 36, 38, 49] which inspired from [14].

Fan et al. [19] observed that two-factor authentication schemes [14, 49] have various defeats overlooked for real time data access and they proposed an efficient and denial of service resistant user authentication scheme which only employs lightweight cryptographic operations, such as hash functions and exclusive-OR. More recently, Vaidya et al. [42] identified some security weakness in [8, 14, 31]. These weaknesses are under the assumption that an adversary can extract parameters from the smart card or a smart card is lost or stolen. He et al. [25] proposed an improvement on Das’s scheme [14]. Chen and shih [8] showed that Das’s scheme [14] fails to mutual authentication so they proposed a lightweight authentication scheme, but their protocol is vulnerable to attacks such as forgery attack and replay attack [36]. Additionally, Amin et al. [1] proposed a three-factor user authentication protocol for WSNs using password, smart card and biometric. Later, in [3] the authors proved that Amin et al. protocol is vulnerable to replay and Denial-of-Service (DoS) attacks.

Xue et al.in [48] proposed a temporal credential-based mutual authentication which is based on hash function. However, their scheme is vulnerable to privileged-insider attack, tracking attack, stolen smart card attack and so on [29, 45]. Jiang et al. [29] and K Das et al. [11] used a temporary identity which helps the GW to comprehend exactly who is the user, but their schemes are vulnerable to DoS attack [22, 44]. Das et al. [10] proposed an efficient user anonymity authentication scheme, however in this scheme the GW needs to perform an exhaustive search operation for finding the user’s identity. This scheme also is vulnerable to DoS attack [24]. Gope et al. demonstrated the schemes proposed in [10, 11, 29, 48, 49] support session key agreement between the user and the sensor node, however none of the scheme can ensure perfect forward secrecy (PFC) [24].

Gope et al. [24] proposed a realistic lightweight anonymous authentication protocol. This scheme provides kinds of important properties such as user anonymity, PFC, etc.The author claimed that their scheme is secure against known attacks. However in this paper we analyze the Gope’s scheme and demonstrate that unfortunately their scheme is vulnerable to session key disclosure which is the goal of this user authentication scheme. The details are discussed in Section 5.

Paper organization

The remainder of this paper is organized as follows. The next section introduces the preliminary of fuzzy extractor briefly. Section 4 reviews Gope et al.’s scheme. Section 5 elaborates the drawback of their scheme. Section 6 presents the improved authentication and key agreement scheme. In Sections 7 and 8, the informal and formal security and efficiency of the proposed scheme are discussed. Finally, in Section 9, we conclude the paper.

3 Preliminaries and notations

3.1 Notations

In this section we describe the notations used in this paper (Table 1).

Table 1 Notations
Full size table

3.2 Preliminaries

Given biometric input B, a fuzzy extractor capables of extracting an almost random string R S from the biometric template B in an error-tolerant way, which means the fuzzy extractor could output the same random string when the input changes with the help of an auxiliary string P. The fuzzy extractor is composed of the following two algorithms, called G e n and R e p:

  1. 1.

    G e n is a probabilistic algorithm. Upon receiving biometric input B, the algorithm will output a secret data key R S and a random auxiliary string P as follows: G e n(B) = (R S,P).

  2. 2.

    R e p is a deterministic algorithm which takes a noisy biometric B and the corresponding random auxiliary P, and then recovers the biometric secret data key R S as follows: R e p(B ,P) = R S.

4 Review of Gope’s scheme

In this section, we review Gope’s authentication protocol [24] based on XOR and hash functions, which is composed of four phases, i.e., registration, anonymous authentication and key exchange, password renewal, and dynamic node addition phase.

4.1 Registration phase

U performs the following steps with GW through a secure channel, as is shown in Fig. 1.

Step 1.:

U submits his identity I D u to the GW.

Step 2.:

GW generates the random number (n g ) and computes K u g = h(I D u n g ) ⊕ I D G and also generates a set of unlinkable shadow-IDs and a set of emergency keys S I D = {s i d 1,s i d 2, . . . } and \(KEM_{ug}=\{KEM_{ug_{1}}, KEM_{ug_{2}},~.~.~.~\}\), respectively. Hereafter, the GW generates a sequence number of 64-bit T s u g . This sequence number will be computed based on the number of requests (m) handled by the GW, including the present request of the current user, then GW sets T s u g = m. This parameter is used by GW to speed up the authentication process, where by comparing it with the stored value of its database, the GW can define exactly who is the user. In the case of the user and the GW have been asynchronized, the user will send a pair of shadow-ID s i d j and the emergency key \(KEM_{ug_{j}}\) to the GW. The pair of \((sid_{j},KEM_{ug_{j}})\) must be deleted from the list by both the U and GW.

Step 3.:

The GW issues a smart card with {K u g ,(S I D ,K E M u g ),T s u g ,h(.)} to U. The GW uses its secret id I D G , the secret key w(stored in secure ROM-BIOS of the GW) and other parameters to encode I D u , K g s , K u g and K E M u g as depicted in lines 9 to 12 of Fig. 1 and stores \({ID^{\sharp }_{u}}\), \(K^{\sharp }_{ug}\), \(K^{\sharp }_{gs}\), \((SID,KEM^{\sharp }_{ug})\), and T s u g in its database.

Step 4.:

U chooses a password P S W u and computes \({K}_{ug}^{\ast }\), \({f}_{u}^{\ast }\), S I D and \({KEM}_{ug}^{\ast }\) (lines 17-20). Finally the smart card contains the tuple shown in line 21.

Fig. 1
figure 1

User registration phase of Gope et al.’s scheme [24]

Full size image

4.2 Anonymous authentication and key exchange phase

In this phase, U and S N are mutually authenticated. At the end of this phase, a session key is established between the user U and the sensor node S N i d . The following steps are performed as follows shown in Fig. 2.

Step 1.:

U inserts his smart card to a terminal, and enters his identity I D u and password P S W u . The smart card computes K u g , f u as depicted in lines 2 to 3 of Fig. 2 and checks whether the condition \(f_{u}=f^{\star }_{u}\) holds or not. If it holds, the smart card generates a random number N u and computes one-time alias identity A I D u , N x , and V 1 (lines 4-6). Finally, the user forms a request message \(M_{A_{1}}:U\rightarrow GW: \{AID_{u}, N_{x}, Ts_{ug}(if req), SN_{id}, V_{1} \}\). Note: In case of loss of synchronization between user and GW, the user need not to send any transaction sequence number T s u g in \(M_{A_{1}}\). In that case, the user needs to choose one of the unused pair of \((sid^{\ast }_{j},KEM^{\ast }_{ug_{j}})\) from \((SID^{\ast },{KEM}_{ug}^{\ast })\) and then submits his I D u and P S W u and computes s i d j and \(KEM_{ug_{j}}\) as depicted in lines 8 to 10, then user U assigns the s i d j as A I D u and \(KEM_{ug_{j}}\) as K u g .

Step 2.:

Upon receiving the message \(M_{A_{1}}\) from user, the GW checks whether T s u g is valid or not. Since the GW maintains the most recent transaction sequence number for each user, when the GW finds T s u g in its database then it selects that tuple and uses its secret id I D G and the secret key w to decode the identity I D u and K u g of the user. Hence, the GW can identify exactly who is the user. Then the GW checks the validity of V 1. If so, the GW first computes N u = K u g N x , and then checks A I D u , if the verification of A I D u is not successful the GW terminates the connection, otherwise GW generates a session key S K and a timestamp T randomly. Then, the GW computes S K , V 2 as represented in lines 15 to 16 and sends message \(M_{A_{2}}:GW \rightarrow SN:\{AID_{u}, SK^{\prime }, T, V_{2} \}\) to the sensor node S N i d . Note: If the GW cannot find the T s u g provided by the user in \(M_{A_{1}}\) in its database, it terminates the connection.

Step 3.:

After receiving the message \(M_{A_{2}}\), S N i d checks the T and V 2 (lines 17-18). If both of them are valid, S N i d computes S K = h(K g s ) ⊕ S K , generates a timestamp T and computes V 3 (lines 19-22). Hereafter, S N i d forms message \(M_{A_{3}}:SN \rightarrow GW:\{ T^{\prime }, SN_{id}, V_{3}\}\) and sends it to the GW. Finally the sensor node computes \(K_{gs_{new}}\) and updates its shared secret key as \(K_{gs}= K_{gs_{new}}\) (lines 24-25). Note: In case of loss of synchronization between S N i d and GW, the sensor node needs to ask GW for the new secret shared key, i.e, \(K_{gs_{new}}\), which will be securely sent to the sensor node.

Step 4.:

Upon receiving the message \(M_{A_{3}}\), the GW checks T , computes V 3 and checks whether it holds or not (lines 26). If so, then the GW checks the latest value of the transaction sequence number m and computes mm + 1 (line 27). Then GW saves \(Ts_{ug_{new}}\) in its database and computes T s , V 4 and S K as depicted in lines 28 to 30. Then, the GW forms message \(M_{A_{4}}:GW\rightarrow U:\{SK^{\prime \prime }, V_{4}, T_{s}, x(if req) \}\). Finally the GW computes \(K_{ug_{new}}\) and \(K_{gs_{new}}\) (lines 32-33). Note: If the GW cannot find any T s u g in \(M_{A_{1}}\), then the GW will try to recognize the s i d j in A I D u by comparing with the entries in its database. If GW can find s i d j , it retrieves \(KEM_{ug_{j}}\) associated with s i d j , and then validates V 1. And at the end, GW randomly generates a new shared key \(K_{ug_{new}}\), and encodes it by \(KEM_{ug_{j}}\) and the user identity I D u as depicted in line 35 and computes V 4 = h(S K N u T s x), then GW sends x and V 4 with other parameters in \(M_{A_{4}}\) to U. When the user receives the message \(M_{A_{4}}\), the terminal computes V 4 and verifies if it holds or not (line 37). If so, the smart card computes \(Ts_{ug_{new}}\) and \(K_{ug_{new}}\) as depicted in lines 40 to 41 and then saves \(K_{ug}=K_{ug_{new}}\) and \(Ts_{ug}=Ts_{ug_{new}}\) for further communication (lines 42-43).

Fig. 2
figure 2

Authentication and key agreement phase of Gope et al.’s scheme [24]

Full size image

4.3 Password update phase

In this phase, U executes the following steps to update the password. The user needs to enter his identity I D u , old password P S W u , and the new password \({PSW}_{u}^{\ast }\) to the smart card. The smart card will retrieve K u g ,K E M u g and S I D as follows.

  • \(K_{ug}={K}_{ug}^{\ast }\oplus h(h(ID_{u})\oplus h(PSW_{u}))\);

  • \(KEM_{ug}={KEM}_{ug}^{\ast }\oplus h(h(ID_{u})\oplus h(PSW_{u}))\);

  • S I D = S I D h(h(I D u ) ⊕ h(P S W u )).

It then computes \({K}_{ug}^{\ast \ast }, SID^{\ast \ast }\) and S I D ∗∗ as bellow.

  • \({K}_{ug}^{\ast \ast }=K_{ug}\oplus h(h(ID_{u})\oplus h({PSW}_{u}^{\ast }))\);

  • \(SID^{\ast \ast }= SID \oplus h(h(ID_{u})\oplus h({PSW}_{u}^{\ast }))\);

  • \({KEM}_{ug}^{\ast \ast }=KEM_{ug}\oplus h(h(ID_{u})\oplus h({PSW}_{u}^{\ast }))\).

Finally, the smart card will replace K u g with \({K}_{ug}^{\ast \ast }\), S I D with S I D ∗∗, and K E M u g with \({KEM}_{ug}^{\ast \ast }\).

4.4 Dynamic node addition phase

In this phase, a fresh sensor node will be deployed to the target field in order to continue the services in WSN. The GW generates an identity \(SN^{new}_{id_{i}}\) and a key \(K^{new}_{gs_{i}}\) for \(SN^{new}_{i}\). Then the GW saves these parameters in the memory of \(SN^{new}_{i}\). Hereafter, the GW computes \(K^{new\ast }_{gs_{i}}=K^{new}_{gs_{i}} \oplus h(ID_{G}\|w\|SN^{new}_{id_{i}})\) and saves both \(SN^{new}_{id_{i}}\) and \(K^{new\ast }_{gs_{i}}\) in its database.

5 Security analysis of the Gope et al.’s protocol

Before analyzing the security of Gope et al.’s scheme [24], we should define the threat model which is based on the Dolev-Yao model [17]. Under this model, an adversary can intercept all messages transmitted through the channel and adversary can modify, delete or change the contents of the transmitted messages. The adversary has the ability to obtain the secret information stored in the smart card by side channel attacks. If an attacker captures a sensor node then he/she can know all the security parameters stored in the sensor’s node memory.

In Gope et al.’s protocol, an adversary A can reveal the session key between the user U and the sensor node S N through the following scenario.

Step 1.:

A eavesdrops the message \(M_{A_{1}}:U \rightarrow GW:\{AID_{u},N_{x},Ts_{ug}(if req),SN_{id},V_{1} \}\) sent by U, then he extracts the T s u g value from \(M_{A_{1}}\) which is equal to m.

Step 2.:

A eavesdrops the message \(M_{A_{4}}:GW\rightarrow U:\{SK^{\prime \prime },V_{4},T_{s},x(if req) \}\) and then extracts the T s value which is equal to \(T_{s}=h(K_{ug}\|ID_{u}\|N_{u}) \oplus Ts_{ug_{new}}\). As mentioned in Step 4 of authentication and key exchange phase of this paper, the GW checks the last value of the transaction sequence parameter m and computes mm + 1. Then GW stores \(Ts_{ug_{new}}=m\) and computes \(T_{s}=h(K_{ug}\|ID_{u}\|N_{u}) \oplus Ts_{ug_{new}}\).

Step 3.:

A can compute the \(Ts_{ug_{new}}\) value just by incrementing the T s u g value obtained from Step 1 as: \(Ts_{ug_{new}}=Ts_{ug} + 1\). Then A computes h(K u g I D u N u ) using T s in \(M_{A_{4}}\) message and \(Ts_{ug_{new}}\) obtained from previous step as: \(h(K_{ug}\|ID_{u}\|N_{u})=Ts \oplus Ts_{ug_{new}}\).

Step 4.:

Finally adversary can reveal the session key S K using the S K in \(M_{A_{4}}\) message and h(K u g I D u N u ) value obtained from Step 3 by using equation S K = S K h(K u g I D u N u ).

Thus, Gope et al.’s protocol is vulnerable against session key disclosure attack.

6 Our proposed protocol

In this section, we describe an improvement of Gope et al.’s scheme in order to withstand the drawback found in their scheme. Our proposed scheme is a three-factor authentication scheme, which uses a user’s personal biometric as compared to Gope et al.’s two-factor authentication scheme. Unfortunately, in two-factor authentication, smart cards may be lost or stolen, and the data stored in the smart card can be extracted or passwords are vulnerable to off-line guessing attack, phishing, etc [28, 50]. Recently, biometric-based user authentication schemes along with passwords have drawn considerable attention in research [12, 33, 34]. Moreover, we add access control feature to allow legitimate users from different groups to access data they have privilege. So, we improve Gope’s scheme in the following aspects.

  1. 1.

    We revise the authentication and key agreement phase to resist session key disclosure attack.

  2. 2.

    In our scheme, we use three-factor authentication and access control to strengthen the security and add features which are not provided by Gope et al.’s scheme. Our scheme keeps the original merits of Gope et al.’s scheme.

Like Gope’s scheme, our scheme also consists of four phases: registration phase, anonymous authentication and key exchange phase, password and biometric update phase and dynamic node addition phase.

6.1 Registration phase

To register to the GW(a trusted entity in the network) in WSN by a legal user U the following steps need to be executed through a secure channel, as is shown in Fig. 3.

Step 1.:

U sends his identity I D u to the GW.

Step 2.:

GW generates the random number n g and computes K u g = h(I D u n g ) ⊕ I D G and also generates a set of shadow-IDs S I D = {s i d 1,s i d 2, . . . }, and a set of emergency keys \(KEM_{ug}=\{KEM_{ug_{1}}, KEM_{ug_{2}},~.~.~.~\}\), where s i d j = h(I D u r j K u g ) and \(KEM_{ug_{j}}=h(ID_{u}\|sid_{j}\|r^{\prime }_{j})\). Then, the GW generates a random sequence number of 64-bit T s u g . This parameter is used by GW to define exactly who is the user. Depending on the probable user query, the GW prepares a user access list pool. The access list defines the user’s access privilege. A typical access list is composed of I D u ,G j and user access privilege mask A P M j as is shown in Fig. 4. G j is a unique random number used to identify a particular access group. Multiple users who have similar task and access privilege can be organized in to the same group. A user can be member of one or more groups. User access privilege mask is a number of binary bit represents a specific information or service. Then, GW generates a set of group-IDs G = {G 1,G 2, . . . }, and a set of access privilege masks A P M = {A P M 1,A P M 2, . . . }, where G j G is a 128-bit random number and A P M j A P M is a 128-bit random number except first 16-bits (high order) which each bit defines different task or service. It is also to be noted that each A P M j A P M corresponds to a particular G j G.

Step 3.:

The GW will encode K u g , K g s , K E M u g , I D u , G and A P M as depicted in lines 13 to 20 of Fig. 3 and then stores these values in its database. Hereafter, the GW issues a smart card with {K u g ,(S I D,K E M u g ),T s u g ,G,h(.)} to U.

Step 4.:

After receiving smart card S C, U chooses a password P S W u and imprints the biometric B u . U applies the fuzzy extractor function G e n(.) to generate secret data key R S u and a random auxiliary parameter P u as G e n(B u ) = (R S u ,P u ). U then computes: \({K}_{ug}^{\ast }\), \({KEM}_{ug}^{\ast }\), S I D , G and \({f}_{u}^{\ast }\) as represented in lines 28 to 32. U stores fuzzy extractor G e n(.), R e p(.), P u and h(.) in the smart card. Further, U replaces K u g with \({K}_{ug}^{\ast }\), K E M u g with \({KEM}_{ug}^{\ast }\), S I D with S I D , G with G and f u with \({f}_{u}^{\ast }\). Finally, S C of U contains the information shown in line 33.

Fig. 3
figure 3

Registration phase of our scheme

Full size image
Fig. 4
figure 4

An example of user access list. A P M is a bitmap, for example, if the first bit of A P M represents the ‘temperature’ parameter, an ‘1’ in this bit indicates that the ‘temperature’ parameter is available for all members of this group

Full size image

6.2 Anonymous authentication and key exchange phase

In this phase, U and S N mutually authenticate each other and finally, both U and S N establish a common session key between them, as is shown in Fig. 5.

Step 1.:

U first inserts his smart card S C to a terminal and then enters his identity I D u , password P S W u and imprints the biometric information B u . S C computes R S u = R e p(B u ,P u ) using B u , and the parameter P u stored in its memory. S C further computes K u g , f u as depicted in lines 3 to 4 of Fig. 5, and then checks if \({f}_{u}^{\ast }= f_{u}\) holds or not. If it does not hold, this ensures that U does not pass verifications, otherwise, S C generates a random number N u and computes N x , G as represented in lines 5 to 6, then user U choose a group-ID G j from G and encode it as \({G}_{j}^{\prime }=G_{j}\oplus N_{u}\) (line 7). Then U computes A I D u , and V 1 (lines 7-8). In case of loss of synchronization between U and G W, the user needs to choose one of the unused pair of \((sid^{\ast }_{j},KEM^{\ast }_{ug_{j}})\) from \((SID^{\ast },{KEM}_{ug}^{\ast })\) and then submits his I D u , P S W u , B u and computes s i d j and \(KEM_{ug_{j}}\) (lines 10-11). Then user U assigns the s i d j as A I D u and \(KEM_{ug_{j}}\) as K u g . Finally, the user forms a request message \(M_{A_{1}}:U\rightarrow GW:\{AID_{u}, {G}_{j}^{\prime }, N_{x}, Ts_{ug}(if req), SN_{id}, V_{1} \}\).

Step 2.:

After receiving the message in Step 2, the GW checks the validity of T s u g . If the GW cannot find the T s u g provided by the user in \(M_{A_{1}}\) in its database, it terminates the connection, otherwise, the GW selects the related tuple to the user via T s u g value. Then, the GW decodes the user’s identity I D u as \(ID_{u}=ID^{\sharp }_{u}\oplus h(ID_{G}\|w\|Ts_{ug})\), K u g as \(K_{ug}=K_{ug}^{\sharp }\oplus h(ID_{G}\|ID_{u}\|w)\), respectively. Therefore, the GW exactly can identify who is the user, then the GW checks the validity of V 1. If so, the GW computes N u and G j as N u = K u g N x and \(G_{j}= {G}_{j}^{\prime }\oplus N_{u}\), respectively (line 14). Then GW checks A I D u , if the verification of A I D u is successful then GW will find the user group’s G j related A P M j and encode it as \(APM^{\prime }_{j}= h(K_{gs})\oplus APM_{j}\) (line 18), otherwise the GW terminates the connection. Then, GW generates a session key S K and encodes it as S K = h(K g s ) ⊕ S K. Subsequently, GW generates a time stamp T and finally computes V 2 as depicted in line 19 and sends message \(M_{A_{2}}:GW \rightarrow SN:\{AID_{u}, APM^{\prime }_{j}, SK^{\prime }, T, V_{2} \}\) to S N i d .

Step 3.:

Upon receiving the message \(M_{A_{2}}\), S N checks the validity of timestamp T and V 2 (lines 20-21). If so, S N decodes \(APM^{\prime }_{j}\) and S K , respectively as \(APM_{j}= APM^{\prime }_{j}\oplus h(K_{gs})\) and S K = h(K g s ) ⊕ S K (lines 22-24). Hereafter S N updates its shared secret key as \(K_{gs}= K_{gs_{new}}\), where \(K_{gs_{new}}=h(K_{gs}\|SN_{id})\) (line 26-27).

Step 4.:

After receiving message \(M_{A_{3}}\), the GW checks the validity of V 3 (line 28). If so, the GW generates a 64 bits of random m and updates \(Ts_{ug_{new}}\) as \(Ts_{ug_{new}}= m\) (line 29). Hereafter, GW encodes \(Ts_{ug_{new}}\) and S K, respectively as represented in lines 30 to 31. Finally, the GW forms message \(M_{A_{4}}:GW\rightarrow U:\{SK^{\prime \prime }, V_{4}, T_{s}, x(if req) \}\) . The continue of this step (lines 38-42) is the same as step 4 of section 4.2 (lines 37-43).

Step 5.:

Both the user U and the sensor node S N will communicate securely using the session key S K. S N responds to the query of the user U depending upon the access privilege mask A P M j stored for user U using the session key S K. Finally, at the end of this phase, S N deletes A P M j from its memory for security reasons.

Fig. 5
figure 5

Authentication and key agreement phase of our scheme

Full size image

6.3 Password and biometric update phase

For security reasons, a user U should be allowed to update his/her password as well as personal biometrics without any help of the GW. When the user wants to update the old password P S W u and old biometric B u , the following steps are executed:

Step 1.:

U first inserts his smart card into the terminal. U then inserts his identity I D u , old password P S W u , old biometric B u , the new password \({PSW}_{u}^{\ast }\) and the new biometric \({B}_{u}^{\ast }\).

Step 2.:

Smart card computes R S u = R e p(B u ,P u ) , and then will retrieve K u g ,K E M u g ,S I D,G and f u as follows.

  • \(K_{ug}={K}_{ug}^{\ast }\oplus h(h(ID_{u})\oplus h(PSW_{u})\oplus h(RS_{u}))\);

  • \(KEM_{ug}={KEM}_{ug}^{\ast }\oplus h(h(ID_{u})\oplus h(PSW_{u})\oplus h(RS_{u}))\);

  • S I D = S I D h(h(I D u ) ⊕ h(P S W u ) ⊕ h(R S u ));

  • G = G h(h(I D u ) ⊕ h(P S W u ) ⊕ h(R S u ));

  • \(f_{u} = {f}_{u}^{\ast }\oplus h(h(K_{ug})\oplus h(PSW_{u})\oplus h(ID_{u})\oplus h(RS_{u}))\).

Step 3.:

Smart card computes \(Gen({B}_{u}^{\ast }), {K}_{ug}^{\ast \ast }\), \(SID^{\ast \ast }, {KEM}_{ug}^{\ast \ast }\), G ∗∗ and \({f}_{u}^{\ast \ast }\) as bellow.

  • \(Gen({B}_{u}^{\ast })=({RS}_{u}^{\ast }, {P}_{u}^{\ast })\);

  • \({K}_{ug}^{\ast \ast }=K_{ug}\oplus h(h(ID_{u})\oplus h({PSW}_{u}^{\ast })\oplus h({RS}_{u}^{\ast }))\);

  • \(SID^{\ast \ast }= SID \oplus h(h(ID_{u})\oplus h({PSW}_{u}^{\ast })\oplus h({RS}_{u}^{\ast }))\);

  • \({KEM}_{ug}^{\ast \ast }=KEM_{ug}\oplus h(h(ID_{u})\oplus h({PSW}_{u}^{\ast })\oplus h({RS}_{u}^{\ast }))\);

  • \(G^{\ast \ast }=G\oplus h(h(ID_{u})\oplus h({PSW}_{u}^{\ast })\oplus h({RS}_{u}^{\ast }))\);

  • \({f}_{u}^{\ast \ast }= h(h(K_{ug})\oplus h({PSW}_{u}^{\ast })\oplus h(ID_{u})\oplus h({RS}_{u}^{\ast }))\).

Step 4.:

Finally, smart card will replace \({K}_{ug}^{\ast }\) with \({K}_{ug}^{\ast \ast }\), S I D with S I D ∗∗, \({KEM}_{ug}^{\ast }\) with \({KEM}_{ug}^{\ast \ast }\), G with G ∗∗, \({f}_{u}^{\ast }\) with \({f}_{u}^{\ast \ast }\), and P u with \({P}_{u}^{\ast }\).

6.4 Dynamic node addition phase

In this phase, a fresh sensor node will be deployed to the target field in order to continue the services in WSN. This phase is similar to Gope et al.’s scheme.

7 Security analysis of the proposed scheme

In this section, through both informal and formal security analysis, we show that our scheme has the ability to withstand relevant attacks.

In the informal security analysis, we argue the security and soundness of the proposed protocol against the known attacks, beside the point the informal security consists of trial and error methods to find security flaws in the protocol. However, the formal method analyzes the cryptographic protocols based on mathematics and logic. There are a number of logic tools such as BAN-logic [6], GNY-logic [21], Proverif tool [5] and AVISPA tool [4]. In this paper, we use BAN-logic to prove the security correctness of our scheme.

7.1 Informal security analysis

The following subsections show that our scheme has the ability to withstand relevant known attacks.

7.1.1 Stolen smart card attack

In our proposed scheme, if the smart card is lost or stolen, the attacker can easily extract all the sensitive information \({K}_{ug}^{\ast }\), \({KEM}_{ug}^{\ast }\), S I D , G and \({f}_{u}^{\ast }\) from the lost/stolen smart card, since the smart card in our scheme is not tamper-resistant. Note that I D u , P S W u and R S u are unknown to the attacker, and without knowing these parameters, the attacker cannot compute \(K_{ug}={K}_{ug}^{\ast }\oplus h(h(ID_{u})\oplus h(PSW_{u})\oplus h(RS_{u}))\) and f u = h(h(K u g ) ⊕ h(P S W u ) ⊕ h(I D u ) ⊕ h(R S u )), since it is computationally infeasible to derive the I D u , P S W u and the biometric secret data key R S u of the user U due to collision-resistant property of the one-way hash function. Thus, our scheme has the capability to prevent the stolen smart card attack.

7.1.2 Stolen-verifier attack

In stolen-verifier attack, an attacker steals or modifies the verification data (e.g., plaintext passwords, hashed passwords, biometric data, hashed biometric data) stored in the GW. In our protocol, the GW maintains a table consists of \(<{{ID}_{u}^{\sharp }}\), \({K}_{ug}^{\sharp }\), \({K}_{gs}^{\sharp }\), G , A P M , \((SID,{KEM}_{ug}^{\sharp })\), T s u g >, which contains no information related to the password, so an adversary cannot steal or modify any information from GW. Therefore, our scheme is secure against stolen-verifier attack.

7.1.3 Privileged insider attack

During the user registration in our protocol, U only submits I D u as a registration message and all the public messages are independent of U’s password. Therefore, the insider person has no way to get U’s password. Thus, our scheme protects the privileged insider attack.

7.1.4 Identity guessing attack

It is noted that the real identity I D u of a user U is only known to that user and the GW, which stores encode of I D u in its database. However, I D u is never transmitted over the public channel for authentication purpose. Instead of that, the one-time alias identity A I D u or the random shadow-ID s i d j is used in the public communications. The attacker has no way to obtain any useful information related to I D u for verifying his guessing. Therefore, our scheme is secure against identity guessing attack.

7.1.5 Three-factor security

In the three-factor security model, the main goals of an adversary A are to impersonate a legal user even if he/she has any two factors of the triple (S C,P S W u ,B u ) [41]. We just need to show that A cannot generate a legal request message \(M_{A_{1}}:U\rightarrow GW:\{AID_{u},{G}_{j}^{\prime }, N_{x},Ts_{ug}(if req),SN_{id},V_{1} \}\). Since A I D u = h(I D u K u g N u T s u g ) or A I D u = s i d j , then we just need to show A cannot compute K u g or s i d j without three factors.

Case 1.:

A has user’s password and smart card: Upon getting the smart card, A could extract the secret value \({K}_{ug}^{\ast }\), \({KEM}_{ug}^{\ast }\), S I D , G and \({f}_{u}^{\ast }\) stored in the smart card, where \(K_{ug}= {K}_{ug}^{\ast }\oplus h(h(ID_{u})\oplus h(PSW_{u})\oplus h(RS_{u}))\), and S I D = S I D h(h(I D u ) ⊕ h(P S W u ) ⊕ h(R S u )). If A wants to impersonate the user, he has to compute K u g from \({K}_{ug}^{\ast }\) or s i d j from S I D . However, A cannot recover R S u from P u since he does not have biometrics of the user. Then, A has no ability to generate A I D u .

Case 2.:

A has user’s biometrics and a smart card: A could extract the secret value \({K}_{ug}^{\ast }\), \({KEM}_{ug}^{\ast }\), S I D , G and \({f}_{u}^{\ast }\) stored in the smart card, where \(K_{ug}= {K}_{ug}^{\ast }\oplus h(h(ID_{u})\oplus h(PSW_{u})\oplus h(RS_{u}))\), and S I D = S I D h(h(I D u ) ⊕ h(P S W u ) ⊕ h(R S u )). A could recover R S u from P u since he has the user’s biometric. A may guess password P S W u , I D u and computes \(K_{ug}= {K}_{ug}^{\ast }\oplus h(h(ID_{u})\oplus h(PSW_{u})\oplus h(RS_{u}))\). However, A cannot verify if P S W u and I D u is correct. Then, A has no ability to generate correct A I D u .

Case 3.:

A has user’s password and biometrics: For the same reason, A could recover R S u from P u since he has the user’s biometric. A may guess I D u and computes \(K_{ug}= {K}_{ug}^{\ast }\oplus h(h(ID_{u})\oplus h(PSW_{u})\oplus h(RS_{u}))\). However, A cannot verify if I D u is correct. Therefore, A cannot impersonate the user. From the given discussion, we know that the adversary A cannot generate a legal message \(M_{A_{1}}:U\rightarrow GW:\{AID_{u},{G}_{j}^{\prime }, N_{x},Ts_{ug}(if req),SN_{id},V_{1} \}\) with only two factors. Therefore, our proposed scheme could provide three-factor scheme.

7.1.6 Password and biometric change attack

In order to change the password and biometric of a user U, an attacker needs to pass three-factor (I D u ,P S W u ,B u ). Without these information, it is computationally infeasible to compute \(K_{ug}={K}_{ug}^{\ast }\oplus h(h(ID_{u})\oplus h(PSW_{u})\oplus h(RS_{u}))\), S I D = S I D h(h(I D u ) ⊕ h(P S W u ) ⊕ h(R S u )), \(KEM_{ug}={KEM}_{ug}^{\ast }\oplus h(h(ID_{u})\oplus h(PSW_{u})\oplus h(RS_{u}))\), G = G h(h(I D u ) ⊕ h(P S W u ) ⊕ h(R S u )) and \(f_{u}={f}_{u}^{\ast }\oplus h(h(K_{ug})\oplus h(PSW_{u})\oplus h(ID_{u})\oplus h(RS_{u}))\) where R S u = R e p(B u ,P u ). Because an attacker does not know the K u g , K E M u g and S I D, so he/she cannot compute \({K}_{ug}^{\ast \ast }=K_{ug}\oplus h(h(ID_{u})\oplus h({PSW}_{u}^{\ast })\oplus h({RS}_{u}^{\ast }))\), \(SID^{\ast \ast }= SID \oplus h(h(ID_{u})\oplus h({PSW}_{u}^{\ast })\oplus h({RS}_{u}^{\ast }))\), \({KEM}_{ug}^{\ast \ast }=KEM_{ug}\oplus h(h(ID_{u})\oplus h({PSW}_{u}^{\ast })\oplus h({RS}_{u}^{\ast }))\), \(G^{\ast \ast }=G\oplus h(h(ID_{u})\oplus h({PSW}_{u}^{\ast })\oplus h({RS}_{u}^{\ast }))\), and \({f}_{u}^{\ast \ast }= h(h(K_{ug})\oplus h({PSW}_{u}^{\ast })\oplus h(ID_{u})\oplus h({RS}_{u}^{\ast }))\), where \(({RS}_{u}^{\ast }, {P}_{u}^{\ast })=Gen({B}_{u}^{\ast })\). Our scheme is thus secure against the password and biometric change attack.

7.1.7 Resistant to forgery attack

We consider the following cases:

  1. 1.

    User impersonation attack: An adversary A may eavesdrop the message \(M_{A_{1}}:U \rightarrow GW:\{AID_{u},{G}_{j}^{\prime }, N_{x},Ts_{ug}(if req),SN_{id},V_{1} \}\) of the previous sessions. Then A can forge a forged message and send it to the GW. After receiving the forged message, the GW can verify the legitimacy of the user U by verifying the A I D u = h(I D u K u g N u T s u g ). A has to posses I D u and K u g to forge A I D u . However, without the knowledge of the correct I D, password, biometric key and the possession of smart card, A cannot compute a valid A I D u . Therefore, our scheme could resist user impersonation attack.

  2. 2.

    GW impersonation attack: To forge the message \(M_{A_{2}}:GW \rightarrow SN:\{AID_{u}, APM^{\prime }_{j}, SK^{\prime }, T, V_{2} \}\) in Step 2, the adversary A needs to compute V 2 = h(A I D u S K TK g s ). However, A cannot compute V 2 without knowing K g s which is the shared key between user U and sensor node S N. Hence, the adversary A cannot forge the message. Thus, our scheme resist GW forgery attack.

  3. 3.

    Sensor impersonation attack: For the same reason, to forge the message \(M_{A_{3}}:SN \rightarrow GW:\{ T^{\prime }, SN_{id}, V_{3}\}\) in Step 3, the adversary A needs to compute V 3 = h(S KK g s S N i d T ). However, A cannot compute V 3 without the knowledge of the correct K g s . Therefore, our scheme is secure against S N forgery attack.

7.1.8 Session key security

Suppose an attacker eavesdrops the messages \(M_{A_{2}}:GW \rightarrow SN:\{AID_{u}, APM^{\prime }_{j}, SK^{\prime },T,V_{2} \}\) and \(M_{A_{4}}:GW \rightarrow U: \{SK^{\prime \prime },V_{4},T_{s},x(if req) \}\) during the authentication and key agreement phase. The secret session key S K = h(K g s ) ⊕ S K and S K = S Kh(K u g I D u N u ) is protected by the one-way hash function h(.). In order to compute S K, an adversary needs to know K g s to reveal S K as S K = S K h(K g s ) or he/she needs to know K u g , I D U and N u to derive S K as S K = S K h(K u g I D u N u ). Due to the collision-resistant one-way property of h(.), it is a computationally infeasible problem for the attacker to derive S K. Thus, our scheme provides the session key security.

7.1.9 Protection of user anonymity

In our scheme a user U’s real identity I D u is never transmitted over an insecure channel. Instead of that, the one-time alias identity A I D u = h(I D u K u g N u T s u g ) with random transaction sequence number T s or the random shadow-ID s i d j with emergency key pair is used in the public communications. Due to the collision-resistant one-way property of h(.), it is a computationally infeasible problem for the attacker to derive I D u from A I D u . Therefor, our scheme achieves user anonymity.

7.1.10 Protection of user untraceability

User untraceability means that the adversary can neither figure out who the user is nor tell apart whether two sessions are originated by the same(unknown) user. In our scheme, there is not relationship between the one-time alias identity A I D u , T s and shadow-ID s i d j . Besides, it can also be noticed that during the execution of our authentication protocol all the parameters in the message \(M_{A_{1}}\) are random. Therefor, the attacker is unable to tell whether two protocol runs have the same user involved, and our scheme achieves user untraceability.

7.1.11 Perfect forward secrecy

Perfect forward secrecy means that previously established session key remains secure even when the long-term keys of the server and the user are disclosed [16]. In our scheme, U and S N can compute the session key S K as S K = S K h(K u g I D u N u ) and S K = S K h(K g s ), respectively, which will be used to secure the data communication between U and S N. The session key S K is a random number which is different for each session and is unknown to other parties except U, S N and G W. That is, the session key S K is generated independently for each login session. Hence, even if some session keys are revealed, the previous session keys are still secure.

7.1.12 Replay attack

An attacker could replay the eavesdropped messages, such as U’s request \(M_{A_{1}}\) or \(M_{A_{2}}\), \(M_{A_{3}}\) and \(M_{A_{4}}\). However, the T s u g value in \(M_{A_{1}}\) and the V 4 value in \(M_{A_{4}}\) prevents any replay attempt from any attacker. The valid period of messages \(M_{A_{2}}\) and \(M_{A_{3}}\) is limited by the timestamp T and T , respectively, so a replay attack can be easily detected by checking the freshness of the timestamp. Therefor, replay attack cannot succeed in our scheme.

7.1.13 Resilience against node capture attack

The resilience against node capture attack of a user authentication scheme in WSN is measured by estimating the fraction of total secure communications that are compromised by a capture of c nodes not including the communication in which the compromised nodes are directly involved [13]. Since the sensor nodes are not equipped with tamper-resistant hardware, the adversary can easily compromise all the secret information including the captured sensor node’s secret key \(K_{gs_{i}}\) and session key S K i j established between the user U j and node \(S_{n_{i}}\). The session key is generated by the GW using the random number, and thus each established session key between a user and a sensor node is distinct throughout the network. Hence, the compromise of a sensor node does not reveal any other information about other sensor nodes and users in order to compromise any other secure communication between the users and the non-compromised nodes in the network, since the adversary has the ability to compromise the secret key of that captured sensor node only. Therefore, other non-captured sensor nodes have the ability to communicate with 100% secrecy with the actual real-time data to the legitimate users. Hence, our scheme is unconditionally secure against node capture attack.

7.2 Formal security analysis of our proposed scheme

We conduct security analysis of our proposed scheme using BAN-logic [6]. The BAN-logic notations used in the proof are shown in Table 2. The rules that we use in our analysis are as follows:

R1 (Shared key rule)

\(\frac {P \mid \equiv P \stackrel {k}{\longleftrightarrow } Q, P \triangleleft [X]_{k}}{P \mid \equiv Q \mid \sim X}\), if P believes that he/she shared the key K with Q, and P received the message [X] k , then P believes that Q has sent X.

R2 (Belief rule)

\(\frac {P \mid \equiv Q \mid \sim (X,Y)}{P \mid \equiv Q \mid \sim X}\), if P believes Q sends the message set (X,Y ), then P believes Q sends the message X.

Table 2 BAN-logic notations
Full size table

Our formal security analysis involves the following steps:

Step 1. Messages of the protocol

PM1: :

\(AID_{u}, {G}_{j}^{\prime }, N_{x}, Ts_{ug}, SN_{id}, V_{1}\)

PM2: :

\(AID_{u}, APM^{\prime }_{j}, SK^{\prime }, T, V_{2}\)

PM3: :

T ,S N i d ,V 3

PM4: :

S K ,V 4,T s,x

Step 2. Idealizing the messages of the protocol

This step converts the messages of the protocol to the idealized form of the messages according to the BAN-logic notations.

IM1 ( U G W ): :

\(GW \triangleleft (AID_{U}, {G}_{j}^{\prime }, N_{x}, SN_{id})_ {K_{ug}}\)

IM2 ( U G W ): :

\(GW \triangleleft (ID_{U}, N_{U}, Ts_{ug})_ {K_{ug}}\)

IM3 ( U G W ): :

\(GW \triangleleft \{N_{U}\}_ {K_{ug}}\)

IM4 ( U G W ): :

\(GW \triangleleft \{G_{j}\}_ {N_{U}}\)

IM5 ( G W S N ): :

\(SN \triangleleft (AID_{U}, APM^{\prime }_{j}, SK^{\prime }, T)_ {K_{gs}}\)

IM6 ( G W S N ): :

\(SN \triangleleft \{APM_{j}\}_ {K_{gs}}\)

IM7 ( G W S N ): :

\(SN \triangleleft \{SK\}_ {K_{gs}}\)

IM8 ( S N G W ): :

\(GW \triangleleft (SK, SN_{id}, T^{\prime })_ {K_{gs}}\)

IM9 ( G W U ): :

\(U \triangleleft (SK^{\prime \prime }, N_{u}, Ts)_ {K_{ug}}\)

IM10 ( G W U ): :

\(U \triangleleft \{SK\}_ {K_{ug},ID_{U}, N_{u}}\)

Step 3. Explicit assumptions

Initial explicit assumptions of the protocol are given below:

A1: :

U∣ ≡ (N u )

A2: :

G W∣ ≡ (S K,T,m)

A3: :

S N∣ ≡ (T )

A4: :

\(U \mid \equiv U \stackrel {K_{ug}}{\longleftrightarrow } GW\)

A5: :

\(GW \mid \equiv GW \stackrel {K_{ug}}{\longleftrightarrow } U\)

A6: :

\(GW \mid \equiv GW \stackrel {K_{gs}}{\longleftrightarrow } SN\)

A7: :

\(SN \mid \equiv SN \stackrel {K_{gs}}{\longleftrightarrow } GW\)

A8: :

\(U \mid \equiv U \stackrel {ID_{U}}{\rightleftharpoons } GW\)

Step 4. Security goals of the protocol

According to analytic procedures of BAN logic and the requirement of authentication protocol for WSNs, our protocol should satisfy the following goals:

G1: :

G W∣ ≡ U∣ ∼ N x

G2: :

G W∣ ≡ U∣ ∼ A I D u

G3: :

G W∣ ≡ U∣ ∼ N u

G4: :

G W∣ ≡ U∣ ∼ G j

G5: :

S N∣ ≡ G W∣ ∼ T

G6: :

S N∣ ≡ G W∣ ∼ A I D u

G7: :

S N∣ ≡ G W∣ ∼ A P M j

G8: :

S N∣ ≡ G W∣ ∼ S K

G9: :

G W∣ ≡ S N∣ ∼ T

G10: :

G W∣ ≡ S N∣ ∼ S N i d

G11: :

U∣ ≡ G W∣ ∼ T s

G12: :

U∣ ≡ G W∣ ∼ S K

Step 5. Deducing the security goals of the protocol

In this step, by applying logical rules to the idealized messages and the initial premises mentioned in the previous steps, we analyze the security of the protocol as follows:

According to IM1, A5, and R1:

Result1: :

\(GW\mid \equiv U \mid \sim (AID_{U}, {G}_{j}^{\prime }, N_{x}, SN_{id})\)

By Result1 and R2, we have:

Result2: :

G W∣ ≡ U∣ ∼ N x (satisfy G1);

Result3: :

G W∣ ≡ U∣ ∼ A I D U (satisfy G2);

According to IM3, A5, and R1:

Result4: :

G W∣ ≡ U∣ ∼ N u (satisfy G3);

By Result4 and IM4, we have:

Result5: :

G W∣ ≡ U∣ ∼ G j (satisfy G4);

According to IM5, A7, and R1:

Result6: :

\(SN\mid \equiv GW \mid \sim (AID_{U}, APM^{\prime }_{j}, SK^{\prime }, T)\)

By Result6 and R2, we have:

Result7: :

S N∣ ≡ G W∣ ∼ T (satisfy G5);

Result8: :

S N∣ ≡ G W∣ ∼ A I D U (satisfy G6);

According to IM6, A7, and R1:

Result9: :

S N∣ ≡ G W∣ ∼ A P M j (satisfy G7);

According to IM7, A7, and R1:

Result10: :

S N∣ ≡ G W∣ ∼ S K (satisfy G8);

According to IM8, A6, and R1:

Result11: :

G W∣ ≡ S N∣ ∼ (S K,S N i d ,T )

By Result11 and R2, we have:

Result12: :

G W∣ ≡ S N∣ ∼ T (satisfy G9);

Result13: :

G W∣ ≡ S N∣ ∼ S N i d (satisfy G10);

According to IM9, A4, and R1:

Result14: :

U∣ ≡ G W∣ ∼ (S K ,N u ,T s)

By Result6 and R2, we have:

Result15: :

U∣ ≡ G W∣ ∼ T s (satisfy G11);

According to IM10, A1, A4, A8 and R1:

Result16: :

U∣ ≡ G W∣ ∼ S K (satisfy G12);

It is clear that we can satisfy all the goals respectively. So, our proposal is secure.

8 Performance comparison

In this section, we compare the features, computational overhead and communication overhead of our proposed scheme with other related schemes, such as Yeh et al.’s scheme [49], Xue et al.’s scheme [48], Das et al.’s scheme [10], Jiang et al.’s scheme [29], Das et al.’s scheme [11] and Gope et al.’s scheme [24].

8.1 Feature comparison

In Table 3, we have presented a number of security attacks as well as functionality requirement to compare the proposed protocol with other similar protocols. In Table 3, the symbol ‘yes’ represents that the scheme prevents attack or satisfies the attribute, and the symbol ‘No’ represents that the scheme does not resist attack or failed to satisfy that attribute. We have found in Table 3 that the protocols in [10, 11, 29, 48, 49] suffers from the DoS attack, and also cannot ensure the perfect forward secrecy property, which is highly imperative for any session-key based authentication protocol [23]. Protocols in [24, 29, 48, 49] does not support three-factor authentication. From this table, it is clear that our scheme provides better security features and higher security level. Thus, our scheme is superior in terms of features as compared to those for other schemes.

Table 3 Feature comparison
Full size table

8.2 Overall Computational overhead comparison

In WSNs, energy is a constraint and thus, the user authentication protocol must be lightweight in terms of computation. Our protocol used the hash function, and the fuzzy extractor function (G e n(.),R e p(.)), which are efficient. According to experiments results executed in [24], each modular exponential operation in ECC-160 algorithm takes 1.2 Ws energy and 11.69 ms execution time. The approximate running time and energy consumption of symmetric key encryption/decryption (128 bit AES-CBC) and hash function (SHA-256) are t s y m = 4.62 ms with .72 Ws and t H a s h = 1.06 ms with 0.27 Ws, respectively. This experiments is performed using the modular sensor board MSB-430 with the TI MSP430 micro controller [24]. Also, as in [26], we assume that the time t f for executing a fuzzy extractor is about 17.1 ms. In Table 3, we have summarized the computational cost of the proposed protocol and existing protocols in [10, 11, 24, 29, 48, 49], for user, GW and sensor node, where our proposed scheme requires only 20 ∗ t H a s h + t f operations. Although our proposed scheme requires a few more operations in the authentication phase than [24, 29, 48] schemes, the extra operations are justifiable considering that our protocol remedies their security vulnerabilities and also provides more security features that are absent in [24, 29, 48] schemes like three-factor user authentication, which is essential for the successful deployment of a secure WSN. As shown in Table 4, it can be stated that, the computational overhead of the proposed scheme is significantly less from previous three-factor user authentication scheme [11].

Table 4 Overall Computational overhead comparison
Full size table

8.3 Computational and communicational cost of the sensor node

As WSNs is energy constraint environment and the battery power of sensor nodes are very low than the gateway node, the computation and communication costs of the sensor nodes should be as minimum as possible for achieving better efficiency. In Table 3, we have compared the computational overhead sensor node of the proposed protocol and existing protocols [10, 11, 29, 48, 49] for the sensor node. Table 5 shows that, for Yeh et al.’s scheme [49], Xue et al.’s scheme [48], Das et al.’s scheme [10], Jiang et al.’s scheme [29], Das et al.’s scheme [11] and Gope et al.’s scheme [24] and our scheme, a sensor node S N requires the computational cost during the authentication phase as 2t E x p + 3t H a s h (26.56 m s), 5t H a s h (5.3 m s), t S y m + 3t H a s h (7.8 m s), 5t H a s h (5.3 m s), 6t H a s h (6.36 m s), 3t H a s h (3.18 m s) and 3t H a s h (3.18 m s), respectively. Thus our scheme is much less than the other schemes. Finally, in Table 5, we have compared the communicational cost of our scheme with other schemes for the authentication phase. We assume that, the length of the identity of the sensor node is 128 − b i t, and the length of the timestamp value is 24 − b i t. Then, the length of the message sends by each sensor node in our proposed scheme and [10] is 35 − b y t e, which is significantly smaller than [11, 29, 48, 49] schemes. Therefore, our scheme is much suited for the resource-constrained sensor node due to computational and communicational cost.

Table 5 Computational and communicational cost of the sensor node
Full size table

9 Conclusion

In this paper, we have analyzed a recent user authentication scheme proposed by Gope et al. for wireless sensor networks, and showed how their scheme is vulnerable to session key disclosure attack. In order to withstand the vulnerability found in Gope et al.’s scheme, we have proposed an improved scheme. We also have enhanced Gope et al.’s scheme security features using three-factor user authentication and access control while retaining the original merits of Gope et al.’s scheme. We have demonstrated that our scheme provides more security features and high security level, which is evident through both informal and formal security analysis. The performance analysis showed that our protocol is efficient than existing protocols from the aspects of energy consumption of the sensor node, communication cost and running time, which make our scheme very suited for resource constrained sensor nodes. Overall, higher security along with low communication and computation costs make our scheme appropriate for WSN applications.