A privacy-preserving and provable user authentication scheme for wireless sensor networks based on Internet of Things security

Abstract

The notion Internet of Things (IoT) means all things in the global network can be interconnected and accessed. Wireless sensor network (WSN) is one of the most important applications of the notion and is widely used in nearly all scopes. In 2014, Hsieh et al. presented an improved authentication scheme for WSNs. But it has several weaknesses, including no session key, lack of mutual authentication and under the insider attack, the off-line guessing attack, the user forgery attack and the sensor capture attack. To avoid the weaknesses, we present a new authentication scheme which is also for WSNs. Then we employ the random oracle model to show the formal proof, and use the protocol analyzing tool Proverif to list the formal verification process. Compared with some recent schemes for WSNs via the aspects of security properties, the proposed scheme overcomes the common problems and fits for the security properties of IoT.

1 Introduction

Internet of Things (IoT) is a popular notion by which we are surrounded in our lives. With a technical view, IoT means the interconnection of every embedded computing device with a unique identity in the Internet covering many sorts of domains, protocols and applications. It satisfies the needs between the development of market, user and information. The appearance of Internet, wireless network and micro-electromechanical systems makes this notion be true and widely applied.

Wireless sensor network (WSN) is one of the most important parts of IoT. The early research focused on the WSNs including a lot of immobile and homogeneous wireless sensors used in a special way. But such description does not meet the development. Nowadays, sensor networks are built with many kinds of sensor nodes which have their own abilities. That is to say, the WSN with heterogeneity is a widespread view in life and it is widely used in many fields, like industrial work monitoring and control, remote health care for patients and alarm for guarding or fire. The wireless sensor network includes three basic parts: the users, the gateway and the sensors. The gateway is the most important core device which is responsible for the security of the wireless sensor network. The users and the sensors must register on it. The gateway can reach and communicate with all the sensors. Users who want the data collected by the sensors should contact the gateway. Using an encryption key in the session is a usual method. The main question is how to establish a common session key between the user and the sensor which the user wants to access. If anyone wants to get data from one particular sensor of a WSN, he should first be authenticated to make the access legally. The common way is to do mutual authentication between the user and the special sensor. Researchers have done much work for it in the application layer.

1.1 Related work

As a method to guarantee the security in communication, authentication is usually employed by the researchers, like signatures (Guo et al. 2014; Ren et al. 2015; Wu and Xu 2015) and key agreement (Li et al. 2013a, b; Xu and Wu 2015a, b; Wu et al. 2015b, c). In the recent decade, many authentication schemes for WSN have been proposed (Watro et al. 2004; Das 2009; Khan and Alghathbar 2010; Vaidya et al. 2010; Chen and Shih 2010; Yeh et al. 2011; Yoo et al. 2012; Xue et al. 2013; Choi et al. 2014; Shi and Gong 2013; Hsieh and Leu 2014; Turkanović et al. 2014; Farash et al. 2015; Chang and Le 2015; Wu et al. 2015a). In 2004, (Watro et al. 2004) presented a user authentication scheme for WSN, which was based on RSA and with a name TinyPK. But in 2009, (Das 2009) showed that sensor forgery attacks could be done on the scheme in Watro et al. (2004), and he also proposed an efficient authentication scheme using smart cards. Only hash functions are employed in the scheme. But in 2010, it was criticized by Chen and Shih (2010), He et al. (2010), Khan and Alghathbar (2010) and Vaidya et al. (2010), respectively, due to some security flaws, such as destitute of mutual authentication, and under the impersonation attack and the insider attack. Moreover, (Vaidya et al. 2010) also pointed out that the scheme in (Khan and Alghathbar 2010) was vulnerable to the stolen smart card attack and the sensor node capture attack. Then they presented an enhanced scheme. Kumar and Lee (2011) showed that the scheme in He et al. (2010) was susceptible to information leakage attack, and the following security properties were destitute, including user anonymity, mutual authentication and constructing a session key between the user and the sensor.

According to the review paper Hayouni et al. (2014), elliptic curve cryptography (ECC) has already been used for WSNs in recent years. Some new technology for improving the performance of ECC in sensors appears, like (Liu et al. 2014). In 2011, (Yeh et al. 2011) pointed out that the scheme proposed by Chen and Shih (2010) was under the insider attack and without a password change part. They presented the first authentication scheme using ECC for the WSNs. But (Han 2011) showed that Yeh et al.’s scheme lacked mutual authentication and forward security. In 2013, (Shi and Gong 2013) presented a new two-factor authentication scheme with ECC. But in 2014, (Choi et al. 2014) showed that the scheme in Shi and Gong (2013) had disadvantages such as the session key attack and the off-line password guessing attack. They also showed their new scheme in the paper. Unfortunately, (Wu et al. 2015a) showed that the scheme in Choi et al. (2014) still had some weaknesses, containing under the off-line password guessing attack and the user forgery attack. Moreover, the identity of the user is exposed in the message.

To avoid the common attacks, in 2014, (Turkanović et al. 2014) proposed a scheme to fit for the heterogeneous ad hoc WSNs. According to Chang and Le (2015) and Farash et al. (2015), Turkanovi\(\acute{c}\) et al. scheme is under the off-line password guessing attack, the sensor node impersonation attack and the stolen verifier attack. Also, the identity of every user in the scheme can be tracked. Here we should mention that the schemes in Chang and Le (2015) and Farash et al. (2015) are all vulnerable to off-line password guessing attack. Also, the first scheme in Chang and Le (2015) does not keep strong forward security.

In 2014, (Hsieh and Leu 2014) showed that Vaidya et al.’s scheme could not withstand the insider attack and the off-line password guessing attack. They also gave their scheme in the paper. But we find that Hsieh and Leu’s scheme has disadvantages including under the off-line guessing attack and the sensor node capture attack and also destitution of session key. According to Xue et al. (2013), Turkanovi\(\acute{c}\) et al. employed the fifth authentication model and they said that it was the only model where the user first contacted the special sensor and asserted that their model was based on the notion of IoT. In fact, according to Fantacci et al. (2014) and Nguyen et al. (2015), which are about the security of IoT, the way that the user contacting the gateway first is more often used. We can see many schemes of this kind (Das 2009; Khan and Alghathbar 2010; Vaidya et al. 2010; Chen and Shih 2010; Yeh et al. 2011; Yoo et al. 2012; Xue et al. 2013; Hsieh and Leu 2014). In fact, the above two structures can both be used in homogeneous WSN. To overcome those weaknesses, we give a new authentication scheme for common WSNs, where the user sends messages to the gateway at first. And we show its security with formal proof, formal verification and informal analysis of security characters. From the explanation, we can see that our scheme is suitable for the IoT security properties.

1.2 Our contribution

1. 1.

   We point out that Hsieh and Leu’s scheme is not secure because it has several disadvantages in security.

2. 2.

   We present a new two-factor authentication scheme for WSNs also based on ECC, like Choi et al. (2014) and Yeh et al. (2011).

3. 3.

   We prove our scheme secure with a formal proof in a standard model and a formal verification with Proverif. Also, the concrete security analysis denotes that our scheme meets the IoT security properties.

1.3 Structure of our paper

The remainder of the paper is arranged as follows: Sect. 2 lists the basic knowledge used in the paper. Hsieh and Leu’s scheme and its disadvantages are in Sect. 3. Our scheme, its formal proof, formal verification and concrete analysis are in Sects. 4, 5, 6 and 7, respectively. We list the performance comparisons among our scheme and several recent schemes in Sect. 8. Finally, the conclusion is in Sect. 9.

2 Preliminaries

We illustrate some basic knowledge for the whole paper in this Section.

2.1 Symbols used in the paper

We list the symbols throughout the paper in Table 1.

Table 1 Symbols throughout the paper

Here the elliptic curve E is \(y^{2}=x^{3}+ax+b \ mod \ p\) where \(a,b\in F_{p}\) and \(4a^{3}+27b^{2}\ne 0 \ mod \ p\). We omit \(mod\ p\) for convenience in the following part. Some calculation problems are demonstrated as follows:

• Elliptic Curve Discrete Logarithm (ECDL) problem: P and Q are two points in G. It is difficult to compute the special integer \(\alpha \in Z_{q}^{*}\) satisfying \(Q=\alpha P\).

• Elliptic Curve Computational Diffie-Hellman (ECCDH) problem: aP and bP are two points in G. To get abP is hard with only aP and bP.

• Elliptic Curve Decisional Diffie-Hellman (ECDDH) problem: aP, bP and cP are three points in G. It is hard to decide if \(abP=cP\).

2.2 Hypotheses for our analysis

Assumption 1

First we list some hypotheses about cryptographical computation.

1. 1.

   The cryptographic algorithms are secure. \(E_{k}(.)/D_{k}(.)\) is strong. m is a binary string and no one can decrypt \(E_{k}(m)\) in polynomial time unless he knows k. And the collisions of the hash functions cannot be found in polynomial time.

2. 2.

   The lengths of the random numbers, hash results and the secret number x are l. The above strings can resist the guessing attacks.

Assumption 2

According to Fan et al. (2011), Wang and Wang (2014), Xu and Wu (2015b) and Wu et al. (2015a), we use the following adversary model:

1. 1.

   The attacker A has the ability to control the public communication channel under the two-factor environment (Wu et al. 2015a), e.g., forging, blocking, modifying or eavesdropping the messages. Also, A can seize the sensors and get all information from them.

2. 2.

   A can get all information stored in the smart card, according to the technology proposed in Kocher et al. (1999). But this ability can be only once, since the leakage of data in the smart card means that the two-factor environment does not exist.

3. 3.

   In papers He et al. (2015) and Wang and Wang (2014), researchers claim that the passwords are in a small dictionary and so do the identities of users. The adversary can choose a pair of \((ID^{*},PW^{*})\) to guess them until he gets the right pair. We employ this view and consider that the guessing action can be done in polynomial time.

4. 4.

   A can gain the old session keys.

5. 5.

   Even though A gets all data in the gateway, sensors and the user’s smart card with his identity and password, he still cannot calculate the past session keys. If this item is discussed, the last item cannot be done.

2.3 Security properties of IoT

According to Nguyen et al. (2015), there are five aspects for the IoT security properties. We simply explain them according to our scheme:

1. 1.

   Confidentiality: A could not obtain useful information between the participants.

2. 2.

   Integrity: the receiver can detect the change of the received messages.

3. 3.

   Authentication: the receiver can check the origin of the received messages.

4. 4.

   Authorization: the receiver can verify if the accessor is authorized.

5. 5.

   Freshness: no old messages can be used to crack the session.

The concrete applications are illustrated in Sect. 7.

3 Cryptanalysis of Hsieh and Leu’s scheme

3.1 Review of Hsieh and Leu’s scheme

Hsieh and Leu’s scheme consists of three phases: registration, login and authentication, and password change. The last phase has little relation to attacks, so we omit it here. At first, GW and all sensors share a secret number c. Every sensor \(S_j\) should has its own identity \(SID_{j}\), but Hsieh and Leu did not mention this point.

3.1.1 Registration

1. 1.

   \(U_{i}\) chooses \(ID_{i}\) and \(PW_{i}\), computes \(HPW_{i}=h(PW_{i})\) and sends \(\{ID_{i},HPW_{i}\}\) to GW through a secure way.

2. 2.

   GW generates a nonce \(w_{i}\), gives a smart card a name \(ID_{s}\), computes \(B_{1}=h(h(ID_{i}||HPW_{i}||c)\oplus x)\oplus h(w_{i})\), \(B_{2}=h((HPW_{i}||w_{i})\oplus c)\), \(B_{3}=c\oplus h(ID_{i}||ID_{s}||HPW_{i})\) and \(B_{4}=HPW_{i}\oplus w_{i}\), and stores \((ID_{s},B_{1},B_{2},B_{3},B_{4})\) into the smart card. Finally GW sends the card to \(U_{i}\) secretly.

3.1.2 Login and authentication

1. 1.

   \(U_{i}\) inserts his smart card in the terminal and enters \(ID_{i}\) and \(PW_{i}\). The smart card computes \(HPW_{i}=h(PW_{i})\), \(w_{i}=B_{4}\oplus HPW_{i}\) and \(c=B_{3}\oplus h(ID_{i}||ID_{s}||HPW_{i})\) and checks \(B_{2}?=h((HPW_{i}||w_{i})\oplus c)\). If the equation does not hold, the phase will be stopped. Otherwise, the card picks the timestamp \(T_{0}\), computes \(C_{0}=B_{1}\oplus h(w_{i})\), \(DID_{i}=h(ID_{i}||HPW_{i}||c)\oplus h(c||T_{0})\) and \(C_{1}=h(C_{0}||c||T_{0})\) and sends \(\{DID_{i},C_{1},T_{0}\}\) to GW.

2. 2.

   GW verifies if \(T_{1}-T_{0}\le \Delta T\), where \(T_{1}\) is the timestamp. If it is false, the session will be stopped. Otherwise, GW computes \(C_{2}=DID_{i}\oplus h(c||T_{0})\), and checks \(C_{1}?=h(h(C_{2}\oplus x)||c||T_{0})\). If it is wrong, the session will be rejected. Otherwise, GW computes \(C_{3}=h(DID_{i} ||SID_{j}||c||T_{1})\) and sends \(\{DID_{i},C_{3},T_{1}\}\) to \(S_{j}\).

3. 3.

   \(S_{j}\) selects the timestamp \(T_{2}\) and checks if \(T_{2}-T_{1}\le \Delta T\) and \(C_{3}?=h(DID_{i}||SID_{j}||c||T_{1})\). If either of them fails, the phase will be stopped. Then \(S_{j}\) calculates \(C_{4}=C_{3}\oplus c\) and \(C_{5}=h(C_{4}||c||T_{2})\) and sends \(\{C_{5},T_{2}\}\) to GW.

4. 4.

   GW checks if \(T_{3}-T_{2}\le \Delta T\) where \(T_{3}\) is the timestamp. Then it computes \(C_{4}=C_{3}\oplus c\) and checks \(C_{5}?=h(C_{4}||c||T_{2})\). If they are right, GW sends the acceptance to \(S_{j}\) and \(U_{i}\).

3.2 Weaknesses of Hsieh and Leu’s scheme

3.2.1 Insider attack

\(U_{i}\) submits \(HPW_{i}=h(PW_{i})\) to GW. The malicious inside attacker guesses a password \(PW^{*}\) and computes \(HPW_{i}?=h(PW^{*})\). He can do the above steps until he finds the right password.

3.2.2 Off-line guessing attack

An attacker A as a legal user in the system retrieves all information in his smart card and computes \(c=B_{3A}\oplus h(ID_{A}||ID_{s}||h(PW_{A}))\). Then A gets the messages from sessions initialized by \(U_{i}\) and then the data from \(U_{i}\)’s smart card, guesses \(PW^{*}\) and computes \(w^{*}=h(PW^{*})\oplus B_{4}\) and checks \(h(h(h(PW^{*})||w^{*})\oplus c)?=B_{2}\). He can repeat doing this until the correct \(PW_{i}\) is found. Then A guesses \(ID^{*}\) and checks \(B_{3}?=c\oplus h(ID^{*}||ID_{s}||PW_{i})\) until he gets the right \(ID_{i}\).

3.2.3 User forgery attack

Note that A has got the data in \(U_{i}\)’s smart card before A gets the right \(ID_{i}\) and \(PW_{i}\). So once he obtains the correct pair \((ID_{i},PW_{i})\), he can forge \(U_{i}\) according to the login and authentication steps successfully. The process is described as follows:

A inputs \((ID_{i},PW_{i})\) and the smart card computes \(HPW_{i}=h(PW_{i})\), \(w_{i}=B_{4}\oplus HPW_{i}\) and \(c=B_{3}\oplus h(ID_{i}||ID_{s}||HPW_{i})\). Then the card picks the timestamp \(T_{0A}\), computes \(C_{0}=B_{1}\oplus h(w_{i})\), \(DID_{i}=h(ID_{i}||HPW_{i}||c)\oplus h(c||T_{0A})\) and \(C_{1}=h(C_{0}||c||T_{0A})\) and sends \(\{DID_{i},C_{1},T_{0A}\}\) to GW. Since there is no session key formed, sending a legal message means A’s success.

3.2.4 Sensor capture attack

Because c is all the same in every sensor, so if anyother sensor \(S_{n}\) is captured, A can fake \(C_{5}=h(C_{4}||c||T_{2})\) with the current \(T_{2}\) and c and the corresponding information \(C_{4}=C_3\oplus c\).

3.2.5 No session key

There is no session key formed at the end of the authentication. \(U_{i}\) and \(S_{j}\) do not have a secure way to communicate after the authentication.

3.2.6 Lack of mutual authentication

We can see that Hsieh and Leu’s scheme is devoid of the property of mutual authentication because the adversary A can forge a legal user through an attack.

4 Outline of our scheme

We present a new scheme to avoid the disadvantages. It includes four phases: initialization, registration, login and authentication, and password change. It is built with the elliptic curve cryptosystem mechanism, like Choi et al. (2014) and Yeh et al. (2011), and is fit for common WSN environment. The login and authentication phase is shown in Table 2.

Table 2 Login and Authentication

4.1 Initialization

GW produces an addition group G with a large prime order q on \(E(F_{p})\). G’s generator is P. \(ID_{GW}\) is GW’s identity. Also, GW chooses a secret key x and two hash functions h(.) and \(h_{1}(.)\).

4.2 Registration

For \(U_{i}\):

1. 1.

   \(U_{i}\) selects a random nonce \(r_{0}\), his own identity \(ID_{i}\) and password \(PW_{i}\). Then he calculates \(MP_{i}=h(r_{0}||PW_{i})\) and \(MI_{i}=h(r_{0}||ID_{i})\), and sends \(\{MP_{i},MI_{i},ID_{i}\}\) to GW via a secure channel.

2. 2.

   GW calculates \(e_{i}=h(ID_{GW}||x||MI_{i})\oplus MP_{i}\) and \(f_{i}=h(MI_{i}||x)\oplus MI_{i}\), injects \((e_{i},f_{i},P,p,q)\) into the smart card, stores \(ID_{i}\) in the database for auditing, and issues the card to \(U_{i}\) via a secure channel.

3. 3.

   \(U_{i}\) stores \(d_{i}=h(ID_{i}||PW_{i})\oplus r_{0}\) into the smart card.

For \(S_{j}\):

1. 1.

   \(S_{j}\) submits \(SID_{j}\) to GW via a secure channel.

2. 2.

   GW computes \(c_{j}=h(SID_{j}||x)\) and sends it to \(S_{j}\) via a secure channel. \(S_{j}\) stores \(SID_{j}\) and \(c_{j}\).

Meanwhile, if a sensor is changed to be a new one or a new sensor joins the wireless sensor network, the new sensor needs to register on GW like the above steps.

4.3 Login and authentication

1. 1.

   \(U_{i}\) inserts his smart card and inputs \(ID_{i}\) and \(PW_{i}\). The smart card calculates \(r_{1}=d_{i}\oplus h(ID_{i}||PW_{i})\), \(MI_{i}=h(r_{1}||ID_{i})\) and \(MP_{i}=h(r_{1}||PW_{i})\).

2. 2.

   \(U_{i}\) selects random numbers \(\alpha \in [1,q-1]\), \(r_{2}\) and \(r_{3}\), picks up the sensor \(S_{j}\) as the partner, computes \(MI_{i}^{new}=h(r_{2}||ID_{i})\), \(B_{1}=e_{i}\oplus MP_{i}\oplus r_{3}\), \(B_{2}=\alpha P \), \(B_{3}= f_{i}\oplus MI_{i}\oplus MI_{i}^{new}\oplus h(r_{3}||MI_{i})\), \(B_{4}=h(r_{3}||MI_{i}^{new}||B_{2})\oplus ID_{i}\) and \(B_{5}=h(ID_{i} ||MI_{i}||MI_{i}^{new}||SID_{j})\), and sends \(M_{1}=\{MI_{i},SID_{j},B_{1},B_{2},B_{3}, B_{4},B_{5}\}\) to \(S_{j}\).

3. 3.

   GW computes \(r_{3}=B_{1}\oplus h(ID_{GW}||x||MI_{i})\), \(MI_{i}^{new}=B_{3}\oplus h(MI_{i}||x)\oplus h(r_{3}||MI_{i})\) and \(ID_{i}=B_{4}\oplus h(r_{3}||MI_{i}^{new}||B_{2})\), and checks if \(ID_{i}\) is in the database and \(B_{5}?=h(ID_{i}||MI_{i} ||MI_{i}^{new}||SID_{j})\). Either failed check leads to the rejection of the session. GW computes \(c_{j}=h(SID_{j}||x)\) and \(D_{1}=h(MI_{i}||SID_{j}||c_{j}||B_{2})\). Then the message \(M_{2}=\{MI_{i},SID_{j},B_{2},D_{1}\}\) is sent to \(S_{j}\).

4. 4.

   \(S_{j}\) checks \(SID_{j}\) and \(D_{1}?=h(MI_{i}||SID_{j}||c_{j}||B_{2})\). If either checking is incorrect, \(S_{j}\) will stop the session. Otherwise \(S_{j}\) chooses \(\beta \in [1,q-1]\), computes \(C_{1}=\beta P \), \(C_{2}=\beta B_{2}\), \(sk_{s}=h_{1}(B_{2}||C_{1}||C_{2})\), \(C_{3}=h(MI_{i}||SID_{j}||sk_{s})\) and \(C_{4}=h(c_{j}||MI_{i}||SID_{j})\), and sends \(M_{3}=\{C_{1},C_{3},C_{4}\}\) to GW.

5. 5.

   GW first checks \(C_{4}?=h(c_{j}||MI_{i}||SID_{j})\). If it is right, GW computes \(D_{2}=h(ID_{GW}||x||MI_{i}^{new})\oplus h(MI_{i}^{new}||r_{3}) \), \(D_{3}=h(MI_{i}^{new}||x)\oplus h(MI_{i}||r_{3})\) and \(D_{4}=h(ID_{i}||MI_{i}||MI_{i}^{new}||SID_{j}||D_{2}||D_{3}||r_{3})\), and sends \(M_{4}=\{C_{1},C_{3},D_{2},D_{3},D_{4}\}\) to \(U_{i}\).

6. 6.

   \(U_{i}\) checks \(D_{4}?=h(ID_{i}||MI_{i}||MI_{i}^{new}||SID_{j}||D_{2}||D_{3}||r_{3})\), computes \(B_{6}=\alpha C_{1}\) and \(sk_{u}=h_{1}(B_{2}||C_{1}||B_{6})\), and checks \(C_{4}?=h(MI_{i}||SID_{j}||sk_{u})\). If either of checks fails, \(U_{i}\) terminates the session. Then the smart card computes new data \(d_{i}^{new}=r_{2}\oplus h(ID_{i}||PW_{i})\), \(e_{i}^{new}=D_{2}\oplus h(r_{2}||PW_{i})\oplus h(MI_{i}^{new}||r_{3})\) and \(f_{i}^{new}=D_{3}\oplus MI_{i}^{new}\oplus h(MI_{i}||r_{3})\), and replaces \((d_{i},e_{i},f_{i})\) with \((d_{i}^{new},e_{i}^{new},f_{i}^{new})\), respectively.

4.4 Password change

1. 1.

   This step is as same as step 1 of login and authentication phase.

2. 2.

   \(U_{i}\) selects random numbers \(r_{4}\) and \(r_{5}\), computes \(MI_{i}^{new}=h(r_{4}||ID_{i})\), \(B_{7}=e_{i}\oplus MP_{i}\oplus r_{5}\), \(B_{8}=f_{i}\oplus MI_{i}\oplus MI_{i}^{new}\oplus h(r_{5}||MI_{i})\), \(B_{9}=ID_{i}\oplus h(r_{5}||MI_{i}^{new})\) and \(B_{10}=h(ID_{i}||MI_{i} ||MI_{i}^{new}||r_{5})\), and sends \(M_{5}=\{MI_{i},B_{7},B_{8},B_{9},B_{10}\}\) with a password change request to GW.

3. 3.

   GW computes \(r_{5}=B_{7}\oplus h(ID_{GW}||x||MI_{i}) \), \(MI_{i}^{new}=B_{8}\oplus h(MI_{i}||x)\oplus h(r_{5}||MI_{i})\) and \(ID_{i}=B_{9}\oplus h(r_{5}||MI_{i}^{new})\), and checks the validity of \(ID_{i}\) and \(B_{10}?=h(ID_{i}||MI_{i} ||MI_{i}^{new}||r_{5})\). If either of them fails, the request will be abandoned. Otherwise, GW calculates \(D_{5}=h(ID_{GW}||x ||MI_{i}^{new})\oplus h(MI_{i}^{new}||r_{5})\), \(D_{6}=h(MI_{i}^{new}||x)\oplus h(MI_{i}||r_{5})\) and \(D_{7}=h(ID_{i}||r_{5}||MI_{i}||MI_{i}^{new}||D_{5}||D_{6})\), and sends \(M_{6}=\{D_{5},D_{6},D_{7}\}\) to \(U_{i}\) with a grant.

4. 4.

   \(U_{i}\) checks \(D_{7}?=h(ID_{i}||r_{5}||MI_{i}||MI_{i}^{new}||D_{5}||D_{6})\) and terminates the session if it is wrong. Otherwise, \(U_{i}\) is asked to input a new password \(PW_{i}^{new}\). The card computes \(MP_{i}^{new}=h(r_{4}||PW_{i}^{new})\), \(e_{i}^{new2}=D_{5}\oplus h(MI_{i}^{new}||r_{5})\oplus MP_{i}^{new}\), \(f_{i}^{new2}=D_{6}\oplus h(MI_{i}||r_{5})\oplus MI_{i}^{new}\) and \(d_{i}^{new2}=h(ID_{i}||PW_{i}^{new})\oplus r_{4}\), and updates \((d_{i},e_{i},f_{i})\) with \((d_{i}^{new2},e_{i}^{new2},f_{i}^{new2})\), respectively.

5 Formal proof

5.1 Basis of formal proof

Our scheme belongs to authenticated key exchange (AKE) scheme, and we give our formal proof based on (Bresson et al. 2003). Some changes are made to fit for our scheme.

In order to analyze our proof simply, we suppose there are three entities in the protocol \(\mathcal {P}\): one user U, one sensor S and the gateway GW. If they need not be differentiated, we use I to express the entity.

Each entity owns many instances. We make \(U^{i}\) as the \(i-th\) instance of U. And \(GW^{t}\), \(S^{j}\) and \(I^{k}\) can be defined similarly. We consider an instance as an oracle and employ a simulator to answer the input messages. Three states may occur on an instance: accept, reject and \(\bot \). If an oracle gets a normal message, it will turn to be the accept state. If an oracle receives an incorrect message, the state reject will happen. Otherwise if no answer is generated, \(\bot \) will appear. Once the oracle \(U^{i}\) or \(S^{j}\) is accepted and calculates a session key, it has the following elements: an identity for session (\(sid_{U^{i}}\) or \(sid_{S^{j}}\)), an identity for its partner (\(pid_{U^{i}}\) or \(pid_{S^{j}}\)) and the session key \(sk_{U^{i}}\) or \(sk_{S^{j}}\). The situation is called Partnering which we will explain later.

Initializations should be done before the simulations. U has his identity ID, password PW and an issued smart card including d, e, f, P, q and p. The password PW is in a dictionary with size N. S owns c, P, p, q and its identity SID. GW contains its identity \(ID_{GW}\), x, P, q and p. Furthermore, ID, SID, \(ID_{GW}\), P, q and p are known to A.

Three definitions and an assumption used in the proof are illustrated below and readers can find the relative queries in Tables 3 and 4.

• Partnering: we consider \(U^{i}\) and \(S^{j}\) are partners once the session key is formed between them. At the same time, four conditions should be satisfied: \(U^{i}\) and \(S^{j}\) are accepted; \(sid_{U^{i}}=sid_{S^{j}}\), \(pid_{S^{j}}=U^{i}\),\(pid_{U^{i}}=S^{j}\) and \(sk_{U^{i}}=sk_{S^{j}}\).

• \(sfs-fresh\)(fresh with strong forward security): \(I^{k}\) reaches \(sfs-fresh\) if the following queries do not happen:

  1. 1.

     A \(Reveal(I^{k})\) occurs;

  2. 2.

     A \(Reveal(pid_{I^{k}})\) occurs;

  3. 3.

     Any \(Corrupt(I^{m})\) query occurs before the Test query. Here m can be any legal numbers, including k.

• \(sfs-ake \ security\): if A has the advantage on guessing the coin a on \(\mathscr {P}\) after \(Test(I^{k})\) where \(I^{k}\) is \(sfs-fresh\) and A gives a bit \(a^{\prime }\), we define the probability as

  $$\begin{aligned} Adv_{\mathscr {P}}^{sfs-ake}(A)=2Pr[a=a^{\prime }]-1 \end{aligned}$$

  And the scheme is \(sfs-ake \ secure\) based on security length l if \(Adv_{\mathscr {P}}^{sfs-ake}(A)\) is negligibly greater than \(\frac{O(q_{s})}{N}\) and \(q_{s}\) denotes the number of Send queries.

• Elliptic Curve Gap Diffie-Hellman(ECGDH) problem assumption: there are two points aP and bP in G. We define \(Adv_{A}^{ECGDH}(t)\) as the probability for A to calculate abP based on the ECDDH oracle with polynomial time t. And in fact, \(Adv_{A}^{ECGDH}(t)\) is ignorable.

Table 3 Simulation of Send queries

5.2 Security proof

Theorem 1

In the scheme \(\mathcal {P}\), the cyclic addition group G in the finite field \(E(F_{p})\) has a large prime order q. The passwords are in a set with N elements. A can make at most Send, Execute and hash queries for \(q_{s}\), \(q_{e}\) and \(q_{h}\) times, respectively. l is the security length. We make \(T_{m}\) as the time cost of a scalar multiplication in G and know

$$\begin{aligned}&Adv_{\mathcal {P}}^{sfs-ake}(A) \\ \le&\frac{(q_{s}+q_{e})^{2}}{q-1}+\frac{q_{h}^{2}+(q_{s}+q_{e})^{2}}{2^{l}}+\frac{12q_{h}+7q_{s}}{2^{l-1}}+\frac{2q_{s}}{N} \\&+4q_{h}((q_{s}+q_{e})^{2}+1)Adv_{A}^{ECGDH}(t+(4q_{e}+2q_{s})T_{s}) \end{aligned}$$

Table 4 Simulation of other queries

Proof

The proof contains a sequence of games, from \(G_{0}\) to \(G_{8}\). The event A guesses the coin a correctly in the test session in Game \(G_{i}\) is denoted as \(Succ_{i}\). A need not take time in guessing the user’s identity since there is only one user in the proof.

• Game \(G_{0}\): this game is for the real attacks with random oracles. If any of the following things happens, a random bit \(a^{\prime }\) is selected instead of the answer of Test.

  1. 1.

     A does not guess \(a^{\prime }\) when the game aborts or stops.

  2. 2.

     A uses more queries than the pre-determined quantities.

  3. 3.

     A uses more time than the pre-determined time.

  According to the definition,

  $$\begin{aligned} Adv_{\mathcal {P}}^{sfs-ake}(A)=2Pr[Succ_{0}]-1. \end{aligned}$$

• Game \(G_{1}\): all the oracles are simulated in this game. Three lists are defined for some queries. \(L_{h}\) stores the answers to hash queries. If the hash query is asked by A, the answer is stored in \(L_{A}\). And \(L_{\mathcal {P}}\) stores the transcripts of all messages. The queries are demonstrated in Tables 3 and 4. A can do queries using the oracles to break the privacy of authentication processes and the session keys. So \(G_{1}\) and \(G_{0}\) are indistinguishable and \(Pr[Succ_{1}]=Pr[Succ_{0}]\).

• Game \(G_{2}\): we try to eliminate the collisions in the messages. In light of birthday paradox, we show the three collisions as follows:

  1. 1.

     The random numbers \(\alpha ,\beta \in [1,q-1]\) in different sessions may be the same and the whole probability is bounded by \(\frac{(q_{s}+q_{e})^{2}}{2(q-1)}\).

  2. 2.

     The random numbers \(r_{1},r_{2}\) and \(r_{3}\) may have collisions and the whole probability is \(\frac{(q_{s}+q_{e})^{2}}{2^{l+1}}\).

  3. 3.

     The probability of collisions in hash results is upper bounded by \(\frac{q_{h}^{2}}{2^{l+1}}\).

  So we can see that \(|Pr[Succ_{2}]-Pr[Succ_{1}]|\le \frac{(q_{s}+q_{e})^{2}}{2(q-1)}+\frac{(q_{s}+q_{e})^{2}+q_{h}^{2}}{2^{l+1}}\).

• Game \(G_{3}\): we think about the probability of forging \(M_{1}\) without random oracles in this game. Since the simulator gives response as S, we add steps in \(Send(U^{i},GW^{t},M_{1})\): the simulator needs to check if \(M_{1}\in L_{\mathcal {P}}\) and \((ID||*,*)\), \((*||ID,MI)\), \((*||MI,*)\), \((*||ID,*)\), \((*||B_{2},*)\) and \((ID||MI||*||SID,B_{5})\) are in \(L_{A}\). If any of them fails, the query will be terminated. Because S does not know PW or \(MI^{new}\), \((r_{1}||PW,*)\) cannot be examined. The probabilities for \((*||ID,MI)\) and \((ID||MI||*||SID,B_{5})\) are all bounded by \(\frac{q_{s}}{2^{l}}\) and for the others are bounded by \(\frac{q_{h}}{2^{l}}\). If the examinations are considered, we can see \(|Pr[Succ_{3}]-Pr[Succ_{2}]|\le \frac{5q_{h}+2q_{s}}{2^{l}}\).

• Game \(G_{4}\): we think about the probability of forging \(M_{2}\) without random oracles and add steps on \(Send(GW^{t},S^{j},M_{2})\): checks if \(M_{2}\in L_{\mathcal {P}}\) and \((SID||*,c)\) and \((MI||SID||c||B_{2},D_{1})\) are in \(L_{A}\). The probability for \((MI||SID||c||B_{2},D_{1})\) is bounded by \(\frac{q_{s}}{2^{l}}\) while for \((SID||*,c)\) is \(\frac{q_{h}}{2^{l}}\). So \(|Pr[Succ_{4}]-Pr[Succ_{3}]|\le \frac{q_{h}+q_{s}}{2^{l}}\).

• Game \(G_{5}\): we think about the probability of forging \(M_{3}\) without random oracles and add steps on \(Send(S^{j},GW^{t},M_{3})\): checks if \(M_{3}\in L_{\mathcal {P}}\) and \((1,B_{2}||C_{1}||*,*)\), \((MI||SID||*,C_{3})\) and \((c||MI||SID,C_{4})\) are in \(L_{A}\). The probabilities for \((MI ||SID||*,C_{3})\) and \((c||MI||SID,C_{4})\) are both bounded by \(\frac{q_{s}}{2^{l}}\). And it is bounded by \(\frac{q_{h}}{2^{l}}\) at most for \((1,B_{2}||C_{1}||*,*)\). So \(|Pr[Succ_{5}]-Pr[Succ_{4}]|\le \frac{q_{h}+2q_{s}}{2^{l}}\).

• Game \(G_{6}\): here is the game for forging \(M_{4}\) without random oracles and we add steps on \(Send(GW^{t},U^{i},M_{4})\): checks if \(M_{4}\in L_{\mathcal {P}}\) and \((ID_{GW}||*||MI^{new},*)\), \((MI^{new}||r_{3},*)\), \((MI^{new}||*,*)\), \((MI||r_{3},*)\), \((1,B_{2}||C_{1}||*,*)\), \((MI||SID||*, C_{3})\) and \((ID||MI||MI^{new}||SID||D_{2}||D_{3}||r_{3},D_{4})\) are in \(L_{A}\). The last two data have the upper-bound probability \(\frac{q_{s}}{2^{l}}\), respectively and each of the others has at most \(\frac{q_{h}}{2^{l}}\). So \(|Pr[Succ_{6}]-Pr[Succ_{5}]|\le \frac{5q_{h}+2q_{s}}{2^{l}}\).

• Game \(G_{7}\): the ECGDH problem is brought in and A can use the random oracles. Once A gets the real session key via the hash oracle \(h_{1}\), we will say we use A to work out ECGDH problem. We change the \(h_{1}\) oracle as follows: if A asks \((1,\alpha P||\beta P||\lambda )\), the simulator checks if \((1,\alpha P||\beta P||*,sk)\in L_{A}\). If it exists, returns sk. Otherwise, ECDDH oracle is used to check \(\lambda ?=\alpha \beta P\). The query should be terminated if the check fails. Otherwise, the simulator selects \(sk\in \{0,1\}^{l}\), answers with it, and adds \((1,\alpha P||\beta P||\lambda ,sk)\) into \(L_{A}\). Here we divide the game into two aspects. At the beginning A queries Corrupt(smart card) and obtains all information from the card.

  1. 1.

     It simulates active attacks. A chooses a password \(PW^{*}\) from the dictionary with size N. Then he can forge messages to start the session. As A can send at most \(q_{s}\) Send queries, the probability of guessing the right password is \(\frac{q_{s}}{N}\).

  2. 2.

     It simulates passive attacks. There are two cases:

     1. (a)

        A asks Execute queries and finally queries \(h_{1}\) successfully to break the ECGDH problem. \((1,\alpha P||\beta P||\alpha \beta P,sk)\) can be retrieved from \(L_{A}\) with the probability bounded by \(\frac{1}{q_{h}}\). So the probability of this case is at most \(q_{h}Adv_{A}^{ECGDH}(t+4q_{e}T_{m})\).

     2. (b)

        A asks Send queries in order to simulate the Execute query and repeats querying. Similar as the last case, we can get the probability \( q_{h}Adv_{A}^{ECGDH}(t+2q_{s}T_{m}) \) for this case.

  So we know

  $$\begin{aligned}&|Pr[Succ_{7}]-Pr[Succ_{6}]|\\ \le&\frac{q_{s}}{N}+q_{h}Adv_{A}^{ECGDH}(t+4q_{e}T_{m})+q_{h}Adv_{A}^{ECGDH}(t+2q_{s}T_{m}) \\ \le&\frac{q_{s}}{N}+2q_{h}Adv_{A}^{ECGDH}(t+(4q_{e}+2q_{s})T_{m}) \end{aligned}$$

• Game \(G_{8}\): it is for strong forward security. A can ask all Corrupt oracles. However, in the light of the \(sfs-fresh\) notion, \(Corrupt(I^{m})\) query should occur after Test. Therefore, A can use the old sessions only. Like \(G_{7}\), we can find \((1,\alpha P||\beta P||\alpha \beta P,sk)\) from \(L_{A}\). And the probability of obtaining \(\alpha P\) and \(\beta P\) in the same session is \(\frac{1}{(q_{s}+q_{e})^{2}}\). So \(|Pr[Succ_{8}]-Pr[Succ_{7}]|\le 2q_{h}(q_{s}+q_{e})^{2}Adv_{A}^{ECGDH}(t+(4q_{e}+2q_{s})T_{m})\). Now A has no advantage and \(Pr[Succ_{8}]=\frac{1}{2}\).

Combining all above games, Theorem 1 is proved. \(\square \)

6 Formal verification

Researchers have developed many tools to verify the cryptographic schemes. Proverif is one of them for the verification. It can prove characters such as observational equivalence, reachability properties and correspondence assertions, which are very useful to computer network security. Attacks can be reconstructed by the tool. An execution trace is described when one security character is not satisfied. We also make a formal verification of the Login and authentication phase for our scheme with Proverif and the codes are illustrated.

6.1 Premises in the verification

First some premises including channels, shared keys, constants, functions and equations are listed for the process of protocol. These are illustrated in Table 5.

Table 5 Definitions of Proverif code

The four events are used to test the correspondence relations for the user and the sensor in Login and authentication phase. Moreover, the first two queries are for checking the session keys’ security and the last two are for checking if the relations of the events are right. They are shown in Table 6.

Table 6 Events and queries in Proverif code

6.2 Processes

Every participant uses its own process and the scheme is modeled as the parallel execution:

$$\begin{aligned} process \ !User | !GW | !Sensor \end{aligned}$$

The processes of the user, the sensor and the gateway are in Tables 7, 8 and 9, respectively. The processes of the user and the sensor can be divided into two parts: registration and authentication. The process of the gateway contains three parts: two for registration and one for authentication.

Table 7 Code for the user

Table 8 Code for the sensor

Table 9 Code for the gateway

6.3 Results of the verification

We demonstrate the main results as follows. It is easy to see that the session keys are secure via the verification:

Starting query inj-event(SensorAuth(sid))

\(==>\) inj-event(SensorStart(sid))

RESULT inj-event(SensorAuth(sid))

\(==>\) inj-event(SensorStart(sid)) is true.

Starting query inj-event(UserAuth(id))

\(==>\) inj-event(UserStart(id))

RESULT inj-event(UserAuth(id))

\(==>\) inj-event(UserStart(id)) is true.

Starting query not attacker(sks[]) RESULT not attacker(sks[]) is true.

Starting query not attacker(sku[]) RESULT not attacker(sku[]) is true.

7 Analysis of security properties

We discuss the security properties in this section and show the comparison with some recent schemes (Choi et al. 2014; Shi and Gong 2013; Turkanović et al. 2014; Hsieh and Leu 2014; Chang and Le 2015; Farash et al. 2015) in Table 10. In Chang and Le (2015), there are two versions: one is based on hash functions and the other is based on ECC. We use P1 and P2 to tell them apart. The results are in Table 10. Each security character may belong to one IoT security character demonstrated in Sect. 2.3, and we also demonstrate this for one column in Table 10.

Table 10 Comparison of security characters

7.1 Resistant to the insider attack

In registration phase, \(MP_{i}\) submitted by the user is a hash result with a random number \(r_{0}\) and the password \(PW_i\) as input. A malicious adversary A cannot guess the real \(PW_{i}\) from \(MP_{i}\) due to lack of \(r_{0}\). It meets the confidentiality property for IoT security.

7.2 Resistant to the off-line guessing attack

According to Sect. 2.2, A could obtain \(d_{i}\), \(e_{i}\) and \(f_{i}\) from \(U_{i}\)’s smart card and the messages \(M_{1}^{old}\), \(M_{2}^{old}\), \(M_{3}^{old}\) and \(M_{4}^{old}\) in the last session from the channel. Then he guesses the pair \((ID^{*},PW^{*})\) and computes \(r^{*}=d_{i}\oplus h(ID^{*}||PW^{*})\), \(MI^{*}=h(r^{*}||ID^{*})\) and \(MP^{*}=h(r^{*}||PW^{*})\). Here A can use three equations: \(B_{4}^{old}=h(r_{3}^{old}||MI^{*}||B_{2}^{old})\oplus ID^{*}\), \(e_{i}\oplus h(MI^{*}||r_{3}^{old})=D_{2}^{old}\oplus MP^{*}\) and \(f_{i}\oplus MI^{*}=D_{3}^{old}\oplus h(MI_{i}^{old}||r_{3}^{old})\). The random number \(r_{3}^{old}\) in the last session is needed in all equations. But \(r_{3}^{old}=h(ID_{GW}||x||MI_{i}^{old})\oplus B_{1}\) and x is kept in GW secretly. So A has no chance to calculate \(h(ID_{GW}||x||MI_{i}^{old})\). Due to this reason, A cannot finish the guessing. For IoT security, it meets the confidentiality property.

7.3 Resistant to the user forgery attack

If A wants to forge \(M_{1}\) to start a session, he should generate \(B_{1}=h(ID_{GW}||x||MI_{i})\oplus r_{3}\) and \(B_{3}=h(MI_{i}||x)\oplus MI_{i}^{new}\oplus h(r_{3}||MI_{i})\). Since x is kept secretly in the gateway, A has no ability to forge suitable \(B_{1}\) and \(B_{3}\). For IoT security, it meets the integrity property.

7.4 Resistant to the gateway forgery attack

GW can get the random number \(r_{3}\) which is produced by \(U_{i}\) with the secret key x and calculate \(D_{1}\), \(D_{2}\), \(D_{3}\) and \(D_{4}\). So it is hard for A to generate \(M_{2}\) and \(M_{3}\) in order to forge GW. For IoT security, it meets the integrity property.

7.5 Resistant to the sensor capture attack

Every sensor owns \(SID_{j}\) and the corresponding secret number \(c_{j}\). Stealing the two strings from one sensor does not affect the others. So our scheme can resist to the sensor capture attack. For IoT security, it meets the integrity property.

7.6 Resistant to the de-synchronization attack

The de-synchronization attack means that the gateway denies the legal user’s login and authentication. In our scheme, password must be checked in a session with the gateway before changing. That blocks inputting wrong password by mistake. Also, inconsistent data between the gateway and the user may cause this attack. The gateway does not store any information about the concrete users except the identity for audit. Data change always happens on the user side only. It is impossible that inconsistent data appear between the user and the gateway. Thus, our scheme avoids the de-synchronization attack. For IoT security, it meets the integrity property.

7.7 Resistant to the replay attack

Even if A replays \(U_{i}\) and GW’s old messages \(M_{1}\) and \(M_{2}\) to repeat the login and authentication phase, \(S_{j}\) will choose a fresh random number \(\beta \) and produce the new \(C_{1}\) and \(C_{3}\). So A cannot calculate the session key to crack the session. For IoT security, it meets the freshness property.

7.8 Resistant to the known-key attack

The session key in our scheme is built by the ECCDH problem. There is no relation among any session keys. So even if A has got some session keys by accident, other keys will not be affected. For IoT security, it meets the confidentiality property.

7.9 Useful input identity

Unlike paper (Turkanović et al. 2014), \(ID_{i}\) should be input at the beginning of login and it is useful in the process of login and authentication in our scheme. For IoT security, it meets the authorization property.

7.10 User anonymity

We use a dynamic hash result \(MI_{i}\) as the identity of \(U_{i}\) and it is updated in every authentication and password change phase. The attacker cannot track the user by \(MI_{i}\), not to say getting the real identity of \(U_{i}\). It meets the confidentiality property for IoT security.

7.11 Mutual authentication

We demonstrate the explanations of mutual authentication between \(U_{i}\), GW and \(S_{j}\):

• GW authenticates \(U_{i}\) by checking \(B_{5}\), and \(S_{j}\) by checking \(C_{4}\).

• \(S_{j}\) checks \(D_{1}\) to verify GW and authenticates \(U_{i}\) indirectly by GW.

• \(U_{i}\) checks \(D_{4}\) to verify GW and \(C_{4}\) to verify \(S_{j}\).

It meets the authentication property for IoT security.

7.12 Form a session key

Unlike paper (Hsieh and Leu 2014), the user and the sensor share a session key at last in our scheme. The latter conversation can be encrypted by the temporary key. It meets the confidentiality property for IoT security.

7.13 Strong forward security

If A gets all information from \(U_{i}\), \(S_{j}\) and GW, he cannot calculate the historical session keys, as our scheme employs ECCDH problem. It meets the confidentiality property for IoT security.

8 Performance comparison

In this section we show the performance of proposed scheme and compare it with schemes in Choi et al. (2014), Shi and Gong (2013), Turkanović et al. (2014), Hsieh and Leu (2014), Chang and Le (2015) and Farash et al. (2015).

Table 11 Comparison of performance

We illustrate the basis of comparison:

• \(T_{s}\) is the time cost of one scalar multiplication in G and \(T_{h}\) is the time for hash function. According to Xu and Wu (2015a), \(T_{s}=7.3529ms\), \(T_{h}=0.0004ms\). We can see that \(T_{s}\gg T_{h}\).

• We assume that the points in G has 320 bits in total. And we also assume the security parameter l is 160. That is to say, the lengths for the secret numbers, e.g., x in the gateway, the hash results, random numbers, timestamps and \(SID_{j}\) are 160 bits. \(Q_{u}\) and \(Q_{s}\) are the quantities of the users and the sensors in the WSN. |P|, |p| and |q| are lengths for the parameters P, p and q. According to Hankerson et al. (2004), \(|p|=160\), \(|q|\approx 160\).

We explain every aspect in Table 11 which lists the comparison results.

• Our scheme is in the middle by comparing time cost of user, better than (Choi et al. 2014; Shi and Gong 2013).

• By comparing time cost on the sensor, our scheme is the same as (Shi and Gong 2013; Choi et al. 2014), and better than P2 in Chang and Le (2015), which also employs ECC. The main reason is that our scheme employs ECCDH problem to obtain strong forward security while schemes based on hash functions do not have this property, like Hsieh and Leu (2014) and Turkanović et al. (2014).

• Our scheme is also in the middle by comparing time cost of the gateway. Also, it is better than (Choi et al. 2014; Shi and Gong 2013).

• Our scheme has less communication cost than (Choi et al. 2014; Shi and Gong 2013; Turkanović et al. 2014) and it is also in the middle.

• Our scheme takes more storage cost in the user’s smart card than (Hsieh and Leu 2014; Turkanović et al. 2014; Farash et al. 2015) and P1 in Chang and Le (2015), same as P2 in Chang and Le (2015), and less than (Choi et al. 2014; Shi and Gong 2013). The reason is that the corresponding parameters P, p and q should be stored. Among the four schemes with ECC mechanism, ours is the best.

• For the aspect of secret number storage in the gateway, our scheme is same as (Hsieh and Leu 2014), and better than the others. The storage cost for schemes in Turkanović et al. (2014) and Chang and Le (2015) is determined by the quantities of users and sensors. Even if there is only one user and one sensor, it takes more space in the gateway to store the secret bit strings in Turkanović et al. (2014) and Chang and Le (2015) than all of the other schemes for this index.

• The most important evaluation index is the security. The proposed scheme perfectly wins because it supports all required IoT security properties.

9 Conclusion

In this paper, we point out that Hsieh and Leu scheme is insecure. To eliminate the weaknesses, we propose a new authentication scheme for WSN. Then we prove it secure by the formal proof and the formal verification. Also, we analyze the security properties of our scheme. The scheme not only provides mutual authentication between the user, the sensor and the gateway, but also withstands security analysis. Furthermore, it owns all IoT security properties. The results of comparison with the other recent schemes show that our scheme is well-performed and more practical.