1 Introduction

Nowadays sensors are used in a wide range of applications. Wireless Sensor network (WSN) is composed of one or more gateway nodes and large number of sensor node without any wired connectivity. Sensor nodes collect the data in their surroundings and provide the information about changing environment parameters. As the technology is getting more and more innovative and advanced, IoT (Internet of Things) is being developed and facilitates a remote user to connect the reliable sensor nodes to collect data. User can also request any particular data by passing instructions to the sensor nodes. The main objective behind Internet of Things (IoT) is that everything is accessible and linked in a network. Every transmitted or received message should be authenticated for secure communication. Key agreement schemes are the basic building block for secure communication.

Sensor nodes are embedded with low powered battery cell so that any scheme imposed on WSN must be energy efficient. Sensor nodes are deployed in a hostile environment and exchange of the batteries is infeasible in many cases. Providing secure and authenticated communication is a challenging issue for low powered sensor nodes.

WSN is made of various types of sensor nodes and at least one sink node known as ‘Gateway’ node (GW). Gateway node plays an important role in WSN. It is more secure and much powerful in terms of processing, computing, communication and efficiency than the other sensor nodes.

In order to deploy an effective security system for WSN various authentication schemes have been suggested [29]. Cryptographic authentication can be accomplished in two ways, asymmetric and symmetric authentication. This paper focuses on symmetric authentication protocols. The rest of the paper is organized as follows: In Sect. 2, we have reviewed few cryptographic schemes exist in the literature. Section 3 contains brief review of Turkanovic et al’s scheme. Section 4, describes the weaknesses of Turkanovic et al’s scheme. In Sect. 5, we propose a new scheme which eliminates the weaknesses of the scheme discussed in previous section. Section 6 describes the password changing phase. In Sects. 7 and 8 we analyse security and evaluate the performance of suggested scheme respectively. Finally, Sect. 9 concludes the work.

2 Related Work

In this section we have reviewed few related schemes exist in the literature. In 2004, Watro et al. [2] proposed a security scheme named as ‘TinyPK’ based on asymmetric cryptography. Some researchers came to the conclusion that this scheme is prone to various attacks like man in middle attack so that the scheme is unacceptable for deployment. In 2006, Wong et al. [3] proposed a lightweight hash based user authentication scheme based on symmetric encryption. It was later found that this scheme was prone to several attacks i.e. stolen-verifier, replay, and forgery attacks. In 2009, Das [4] made an improvement of Wong et al. scheme and proposed an efficient password based user authentication using gateway node which has become a frequently cited literature in this field of password based authentication. Das scheme based on temporal credential which is released by gateway node after the verification of the user but Das’s scheme does not fulfill the need of the mutual authentication and key agreement. Later on some researchers improved the Das Scheme and proposed their own schemes based on the same [57] to enhance the security of the original scheme.

In 2010, Khan and Alghathbar [8] also proposed several enhancements in Das scheme. The hash value of the password was used to make the password more secure. And for mutual authentication they brought up a new idea of pre shared keys between gateway and each sensor node. But it gave a new problem of extra storage overhead to GW Nodes. In 2011, Yeh et al. [9] proposed an user authentication and key agreement protocol based on ECC. But beside increasing computational complexity that also require additional storage overhead of public keys other sensor nodes.

More recently Turkanovic et al. [1] proposed a scheme for mutual authentication between the user, the sensor node and the gateway node. Our analysis shows that Turkanovic et al.’s scheme has many security issues. To find solution to these security issues we proposed a novel scheme for the security of network which resolves weaknesses of Turkanovic et al.’s scheme and is more secure, protective and efficient for real application environment. In this paper, we suggested a user authentication protocol based on symmetric key cryptography. We use only hash and XOR functions to provide mutual authentication between user, gateway and sensor node which consume less energy than public key cryptography.

Xue et al. [10] proposed five basic authentication models for WSN. In every model there are four message required implementing mutual authentication. Xue et al. used fourth model in which sensor node receives and sends three messages. Turkanovic et al. used fifth model in which sensor node have to receive and send four message. As we know that sensor node has limited communication energy we use second model. In this model, sensor node will send and receive two messages only in mutual authentication process. When a remote user needs to communicate with sensor node firstly it send a message to gateway node then GW works as a mediator and finally a session key is established in between user and the sensor node. Authentication model of proposed scheme is depicted in Fig. 1. In next section Turkanovic et al’s scheme is reviewed.

Fig. 1
figure 1

Authentication model used in proposed scheme

Full size image

3 Review of Turkanovic et al.’s Scheme

In this section, we briefly reviewed the Turkanovic et al’s user authentication scheme for WSN. Turkanovic et al’s protocol involves three participants, namely, the user, the gateway (GW) and the sensor node. There are three phases in Turkanovic et al’s scheme: registration, login and authentication followed by password changing phase. Notations used are listed in Table 1.

Table 1 Notations
Full size table

In pre-deployment phase, sensor node is loaded with its \( ID_{sj} \) and a secret password key \( K_{{GW - S_{j} }} \) shared between sensor node and gateway. Gateway has its own predefined randomly generate password key \( K_{GW} \) and stores all shared key \( K_{{GW - S_{j} }} \) of sensor node. Where \( 1 \le j \le m \) (m is the total number of sensor nodes deployed in the network).

3.1 Registration Phase

There are two registration phase in [1]. First one is between user and gateway and second is between sensor node and gateway.

3.2 Registration Between User and Gateway

User \( U_{i} \) has its \( ID_{i} \) and \( PW_{i} \) then selects a random number \( r_{i} \). User computes \( MP_{i} = h(r_{i} ||PW_{i} \)) and \( MI_{i} = h(r_{i} ||ID_{i} ) \) and sent via secure channel to GW. After receiving \( MP_{i} \) and \( MI_{i} \), GW randomly chooses a secret password key \( K_{{GW - U_{i} }} \) for ith user. Now GW computes \( f_{i} = h\left( {MI_{i} ||K_{GW} } \right) \), \( x_{i} = h\left( {MP_{i} ||K_{{GW - U_{i} }} } \right) \) and \( e_{i} = f_{i} \oplus x_{i} \). The gateway personalizes user (\( U_{i} \)) smartcard with {\( MI_{i} \), \( e_{i} ,f_{i} \),\( K_{{GW - U_{i} }} \)}. GW stored \( MI_{i} \) and \( K_{{GW - U_{i} }} \) to its memory. Now the user \( U_{i} \) stores \( r_{i} \) in the smart card. Finally, smartcard has {\( r_{i} ,MI_{i} \),\( e_{i} ,f_{i} \),\( K_{{GW - U_{i} }} \)} in its storages.

3.3 Registration Between Sensor Node and Gateway

The sensor node \( S_{j} \) selects a random number \( r_{j} \) and computes \( MP_{sj} = h(K_{{GW - S_{j} }} ||r_{j} ||ID_{sj} \)), \( MN_{sj} = r_{j } \oplus K_{{GW - S_{j} }} \) and \( RMP_{j} = MP_{sj} \oplus MN_{sj} \). After computing \( MP_{sj} \), \( MN_{sj} \) and \( RMP_{j} \) sensor \( S_{j} \) send \( \left\{{ID_{sj} ,RMP_{j} ,MN_{sj} , T_{1}} \right\} \) to gateway.\( T_{1} \) is current timestamp. After receiving the message \( \left\{ {ID_{sj} ,RMP_{j} ,MN_{sj} , T_{1}} \right\} \) gateway node checks the validity of the timestamp and computes \( MP_{sj} = RMP_{j} \oplus MN_{sj} \). According to received \( ID_{sj} \) gateway chooses the \( K_{{GW - S_{j} }} \) and computes own version of \( r_{j}^{*} = MN_{sj} \oplus K_{{GW - S_{j} }} \). Also compute \( s MP_{sj}^{*} = h(K_{{GW - S_{j} }} ||r_{j}^{*} ||ID_{sj} \)) with the help of \( r_{j}^{*} \). Now it checks the computed \( MP_{sj}^{*} \) and received \( MP_{sj} \) are equal or not. If computed \( MP_{sj}^{*} \) and received \( MP_{sj} \) are not equal then GW sends a rejection message to the sensor node \( S_{j} \). With the use of its secret password key \( K_{GW} \) and shared password key \( K_{{GW - S_{j} }} \), GW computes \( f_{sj} = h\left( {ID_{sj} ||K_{GW} } \right) \) and \( x_{sj} = h\left( {{\text{M}}P_{sj}^{*} ||K_{{GW - S_{j} }} } \right) \). Finally GW computes \( e_{sj} = f_{sj} \oplus x_{sj} \) and sends \( \left\{ {e_{sj} ,f_{sj} , T_{2} } \right\} \) via insecure channel to sensor node \( S_{j} \). \( T_{2} \) is the current timestamp used by GW. After receiving \( \left\{ {e_{sj} ,f_{sj} , T_{2} } \right\} \), sensor node \( S_{j} \) checks the validity of the timestamp \( T_{2} \) and stored \( e_{sj} \) and \( f_{sj} \) into its memory.

3.4 Login Phase

After completing the registration phase the user \( U_{i} \) can connect to the desired sensor node \( S_{j} \). For further procedure user \( U_{i} \) has to login first. In login phase, user \( U_{i} \) inserts his smart card in terminal and provides his password \( PW_{i}^{*} \) as input. With the stored \( r_{i} \) Smart card computes \( MP_{i}^{*} = h(r_{i} ||PW_{i}^{*} \)). With stored \( K_{{GW - U_{i} }} \), SC computes own version of \( x_{i}^{*} = h(MP_{i}^{*} ||K_{{GW - U_{i} }} \)) and compare this with original value of \( x_{i} = f_{i} \oplus e_{i} \), where \( f_{i} \) and \( e_{i} \) stored in SC. If \( x_{i} \) and \( x_{i}^{*} \) are not equal then it rejects the login process otherwise further computes \( N_{i} = h\left( {x_{i} ||K_{{GW - U_{i} }} || T_{1} } \right) \). SC chooses a random number \( q_{i} \) and computes \( Z_{i} = q_{i} \oplus f_{i} \) by using stored value of \( f_{i} \). Finally user send an authentication message { \( MI_{i} \),\( e_{i} \),\( Z_{i} , N_{i} , T_{1} \)} to the selected sensor node \( S_{j} \) via unsecure channel.

3.5 Authentication Phase

Login phase is followed by authentication phase. The purpose of this phase is to establish the secret session key between the user and the sensor node. A detail of authentication phase is given below:

  • After receiving the authentication message \( \{MI_{i} \),\( e_{i} \),\( Z_{i} , N_{i} , T_{1}\} \) from user, sensor node first checks the validity of timestamp. After verification with stored value of \( e_{sj} \) and \( f_{sj} \) it computes \( x_{sj} = e_{sj} \oplus f_{sj} \) and \( A_{j} = h\left( {K_{{GW - S_{j} }} ||T_{1} || T_{2} } \right) \oplus x_{sj} \). Now, sensor node sends { \( MI_{i} \), \( e_{i} \), \( N_{i} , T_{1} , T_{2 } , ID_{sj} ,e_{sj} , A_{j} \)} via public channel to gateway.

  • Gateway checks the validity of timestamp and after verification computes own version of \( f_{sj}^{*} = h\left( {ID_{sj} ||K_{GW} } \right) \). Using \( f_{sj}^{*} \) and received value of \( e_{sj} \) compute \( x_{sj}^{*} = e_{sj} \oplus f_{sj}^{*} \). Further, it computes original \( x_{sj} = A_{j} \oplus h\left( {K_{{GW - S_{j} }} || T_{1} || T_{2} } \right) \) and compares own version of \( x_{sj}^{*} \) with original version of \( x_{sj} \). If both are same then GW successfully authenticated the sensor node \( S_{j} \), otherwise sends the rejection message to \( S_{j} \).

  • Now GW starts authenticating user \( U_{i} \). For this purpose GW computes own version of \( f_{i}^{*} \) using its secret password key \( K_{GW} \) and received \( MI_{i} \) by \( f_{i}^{*} = h\left( {MI_{i} ||K_{GW} } \right) \). Then it computes its own version of \( x_{i}^{*} = e_{i} \oplus f_{i}^{*} \) and \( Q_{i} = h\left( {x_{i}^{*} ||K_{{GW - U_{i} }} || T_{1} } \right) \). It compares \( Q_{i} \) and \( N_{i} \). If both are equal then gateway verified the user otherwise rejects the process.

  • Now GW compute \( F_{ij} = f_{i}^{*} \oplus h\left( {f_{sj}^{*} ||K_{{GW - S_{j} }} } \right), \) \( H_{j} = h\left( {f_{sj}^{*} ||K_{{GW - S_{j} }} || T_{1} || T_{2} || T_{3} } \right) \) and \( S_{i} = h\left( { Q_{i} || T_{1} || T_{2} || T_{3} } \right) \).

  • GW sends a message {\( F_{ij} \),\( H_{j} , S_{i} , T_{1} , T_{2} , T_{3} \)} to sensor node \( S_{j} \).

  • After receiving this message \( S_{j} \) first checks the validity of timestamp. If validity holds then it compute \( h\left( {f_{sj} ||K_{{GW - S_{j} }} || T_{1} || T_{2} || T_{3} } \right) \) with stored value of \( f_{sj} \) and compares it with received \( H_{j} \). If both are equal then \( S_{j} \) authenticated GW otherwise sends a rejection message to GW and user.

  • Now sensor node computes \( f_{i}^{*} = F_{ij} \oplus h\left( {f_{sj} ||K_{{GW - S_{j} }} } \right) \) and \( q_{i} = Z_{i} \oplus f_{i}^{*} \) with previously received \( Z_{i} \). After that \( S_{j} \) chooses a random number \( q_{j} \) and creates a session key \( SK = h(q_{i} \oplus q_{j} ) \).

  • \( S_{j} \) computes \( R_{ij} = h\left( {f_{i}^{*} ||ID_{Sj} || T_{1} ||T_{2} ||T_{3} || T_{4} } \right) \oplus q_{j} \) and sends a message \( \{R_{ij} , S_{i} , T_{1} , T_{2} , T_{3} , T_{4} \} \) to the user.

  • After receiving this message user computes \( h\left( {h(e_{i} \oplus f_{i} )|| T_{1} ) || T_{1} || T_{2} || T_{3} } \right) \) and compare it with \( S_{i} \). If both are equal then user computes \( q_{j} = R_{ij} \oplus h\left( {f_{i} ||ID_{Sj} || T_{1} || T_{2} || T_{3} || T_{4} } \right) \) and finally computes the session key \( SK = h(q_{i} \oplus q_{j} ) \).

4 Security Flaws in Turkanovic et al.’s Scheme

In this section we demonstrate that Turkanovic et al.’s scheme is susceptible to various types of attacks. Any information regarding secret key must not be revealed to fulfil the basic requirement of any authentication scheme. Turkanovic et al.’s scheme is highly insecure as the basic requirement is not fulfilled.

4.1 Smart Card Breach Attack

If smart card of the user \( U_{i} \) is stolen or lost then an adversary \( U_{a} \) can extract the secret parameters stored in the smart card by monitoring the power consumption [11]. Secret parameters stored into the smart card are {\( r_{i} ,MI_{i} \),\( e_{i} ,f_{i} \),\( K_{{GW - U_{i} }} \)}, where \( K_{{GW - U_{i} }} \) is the secret password chosen by the gateway for user \( U_{i} \) and stored directly into the smart card. An adversary can get this secret password key from smart card. Also an attacker can find \( f_{i} \) as it is also stored directly in smart card and easily can get \( Z_{i} \) which is send by the user \( U_{i } \) to sensor node \( S_{j} \) via insecure channel. XORing of \( Z_{i} \oplus f_{i} \) will give \( q_{i} \) which is one part of session key. To obtain second part of session key the adversary \( U_{a} \) will try to get the message \( \{R_{ij} , S_{i} , T_{1} , T_{2} , T_{3} , T_{4} \} \), which is send by the senor node via public channel, and hence compute \( q_{j} = R_{ij} \oplus h\left( {f_{i} ||ID_{Sj} || T_{1} || T_{2} || T_{3} } \right) \). After computing \( q_{j} , U_{a} \) can get session key \( SK = h(q_{i} \oplus q_{j} ) \). Revealing of session key will break the entire scheme.

4.2 Off-line Password Guessing Attack

Secret parameters stored into the smart card are \( \{r_{i} ,MI_{i} \),\( e_{i} ,f_{i} \),\( K_{{GW - U_{i} }}\} \). XOR of \( e_{i} \& f_{i} \) will give \( x_{i} \). After reveling secret password key \( K_{{GW - U_{i} }} \), \( x_{i} \) depends only on \( PW_{i} \) since \( x_{i} = h\left( {h\left( {r_{i} ||PW_{i} } \right) ||K_{{GW - U_{i} }} } \right) \). An adversary \( U_{a} \) can make a guess \( PW_{i}^{*} \) for password and to compute \( x_{i}^{*} \). If \( x_{i}^{*} = x_{i} \) holds then the adversary can get the actual password. It showsTurkanovic et al’s scheme is not secure against Off-line password guessing attack.

4.3 Replay Attack

In registration phase between sensor node and gateway, sensor node sends the following parameter \( \left\{{ID_{sj} ,RMP_{j} ,MNS_{j} , T_{1} } \right\} \) to gateway. An attacker can capture this message and sends the same message \( \left\{{ID_{sj} ,RMP_{j} ,MNS_{j} , T_{a} } \right\} \) at different time \( T_{a} \) because no parameter \( RMP_{j} \) and \( MNS_{j} \) contain time stamp \( T_{1} \) that leads to replay attack. Again, GW sends \( \left\{{e_{sj} ,f_{sj} , T_{2} } \right\} \) to sensor node. An attacker can send the same message at different time \( T_{a} \) because time stamp \( T_{2 } \) is not used in any parameter \( e_{sj} \) and \( f_{sj} \) that leads to replay attack.

4.4 Impersonation Attack

In login phase SC sends {\( MI_{i} \),\( e_{i} \),\( Z_{i} , N_{i} , T_{1} \)} to the selected sensor node \( S_{j} \). XOR of \( e_{i} \& f_{i} \) will give \( x_{i} \) and \( K_{{GW - U_{i} }} \) is directly stored in smart card.

  • An adversary \( U_{a} \) at time \( T_{a} \) can compute \( N_{a} = h\left( {x_{i} ||K_{{GW - U_{i} }} || T_{a} } \right) \). Adversary \( U_{a} \) selects a random nonce \( q_{a} \) and compute \( s Z_{a} = q_{a} \oplus f_{i} \). To impersonate the user \( U_{i} \) adversary sends {\( MI_{i} \),\( e_{i} \),\( Z_{a} , N_{a} , T_{a} \)} to sensor node \( S_{j} \) via public channel. After receiving this message from \( U_{a} \), the sensor node \( S_{j} \) checks the validity of time stamp, \( \left| {T_{a} - T_{c} } \right| < \Delta T \) and after verification use the stored value of \( e_{sj} \) and \( f_{sj} \) to compute \( x_{sj} = e_{sj} \oplus f_{sj} \) then computes \( A_{j} = h\left( {K_{{GW - S_{j} }} || T_{a} || T_{2} } \right) \oplus x_{sj} \). Now sensor node \( S_{j} \) sends {\( MI_{i} \),\( e_{i} \),\( N_{a} , T_{a} , T_{2 } , ID_{sj} ,e_{sj} , A_{j} \)} via public channel to gateway.

  • Gateway checks the validity of time stamp and after verification computes own version of \( f_{sj}^{*} = h\left( {ID_{sj} ||K_{GW} } \right) \). Using \( f_{sj}^{*} \) and received value of \( e_{sj} \) it computes \( x_{sj}^{*} = e_{sj} \oplus f_{sj}^{*} \). Further it computes.

  • \( x_{sj} = A_{j} \oplus h\left( {K_{{GW - S_{j} }} || T_{a} || T_{2} } \right) \). Compare own version of \( x_{sj}^{*} \) with \( x_{sj} \). If both are same then GW successfully authenticates sensor node \( S_{j} \) .

  • For user’s authentication, GW computes \( f_{i}^{*} = h\left( {MI_{i} ||K_{GW} } \right) \) using its secret password key \( K_{GW} \) and received \( MI_{i} \). Then it computes \( x_{i}^{*} = e_{i} \oplus f_{i}^{*} \) and \( Q_{i} = h\left( {x_{i}^{*} ||K_{{GW - U_{i} }} || T_{a} } \right) \) and compares \( Q_{i} \) and \( N_{i} \). If both are equal then gateway verifies the user. Now GW computes \( F_{ij} = f_{i}^{*} \oplus h\left( {f_{sj}^{*} ||K_{{GW - S_{j} }} } \right), H_{j} = h\left( {f_{sj}^{*} ||K_{{GW - S_{j} }} || T_{a} || T_{2} || T_{3} } \right) \) and \( S_{i} = h\left( {Q_{i} || T_{a} || T_{2} || T_{3} } \right) \).

  • GW Node sends a message {\( F_{ij} \),\( H_{j} , S_{i} , T_{a} , T_{2} , T_{3} \)} to the sensor node \( S_{j} \).

  • After receiving this message \( S_{j} \) first checks the validity of time stamp and then computes \( H_{j}^{*} = h\left( {f_{sj} ||K_{{GW - S_{j} }} || T_{a} || T_{2} || T_{3} } \right) \) with stored value of \( f_{sj} \). Now sensor node S j compares it \( H_{j}^{*} \) with received \( H_{j} \). If both are equal then \( S_{j} \) authenticates the gateway GW.

  • Now sensor node computes \( f_{i}^{*} = F_{ij} \oplus h\left( {f_{sj} ||K_{{GW - S_{j} }} } \right) \) and \( q_{a} = Z_{a} \oplus f_{i}^{*} \) with previously received \( Z_{a} \). After that \( S_{j} \) chooses a random number \( q_{j} \) and creates a session key \( SK = h(q_{a} \oplus q_{j} ) \), which is not the actual session key and the whole process of authentication and key agreement is failed.

An attacker can modify very first message, that send to sensor by the user which makes this scheme insecure against impersonation attack. Due to this sensor node \( S_{j} \) creates a wrong session key that will destroy the entire process.

4.5 Missing Information

When user receives the last message from sensor \( S_{j} \), he computes \( S_{i}^{*} = h\left( {h(e_{i} \oplus f_{i} )|| T_{1} ) || T_{1} || T_{2} || T_{3} } \right) \) and compares it with \( S_{i} \). Since \( S_{i} = h\left( {Q_{i} || T_{1} || T_{2} || T_{3} } \right) \) where \( Q_{i} = h\left( {x_{i}^{*} ||K_{{GW - U_{i} }} || T_{1} } \right) \).\( h\left( {h(e_{i} \oplus f_{i} )|| T_{1} ) || T_{1} || T_{2} || T_{3} } \right) \), therefore S i never match with \( S_{i}^{*} \). The verification does not hold and user \( U_{i} \) aborts the authentication phase.

This shows that the scheme is inconsistent and does not complete authenticate process.

Next section describes our proposed scheme.

5 Proposed Scheme

In this section, we propose an upgraded authentication scheme that provides high level security and based on four step model as shown in Fig. 1. In our scheme we use 1b model [10]. In this model, sensor node has to receive and send only one message and session key is established without taking gateway node into account. Our scheme resolves all the identified weaknesses of Turkanovic et al.’s scheme and is more robust and efficient for practical application environment. Scheme consists of four phases: registration phase, login phase, authentication and password changing phase.

5.1 Registration Phase

Process of registration phase will start after deployment of sensor nodes in the application area. Registration phase divided into two sub phases. First phase is between user and gateway and second one is between sensor node and the gateway. Figure 2, depicts both phases.

Fig. 2
figure 2

Registration phase

Full size image

5.1.1 Registration Between User and Gateway

Each user has its identity \( \left( {ID_{i} } \right) \) and secure password \( (PW_{i} ) \). User’s identity and hash value of user’s password is also stored in gateway. Initially gateway chooses a random key \( K_{{GW - {\text{U}}}} \) which is used for communication with user. Gateway also chose another key \( K_{GW - S} \), which is used for communication with sensor nodes. Steps involved in this phase are as follows:

  • Step 1 User \( U_{i} \) selects a random number \( r_{i} \) and computes \( P_{i} = h(r_{i} ||h\left( {PW_{i} } \right) \)).

  • Step 2 User generates time stamp \( T_{s1} \) and send \( \{P_{i} ,ID_{i} ,Ts_{1} \} \) to gateway via a secure channel.

  • Step 3 After receiving the message gateway checks the validity of time stamp. If \( \left| {Ts_{1} - T_{c} } \right| < ||T \) holds then gateway computes.

    • \( \alpha_{i} = h\left( {K_{{GW - {\text{U}}}} ||ID_{i} } \right), \)

    • \( b_{i} = \alpha_{i} \oplus h\left( {P_{i} ||h\left( {PW_{i} } \right)} \right) \)

    • \( c_{i} = h\left( {\alpha_{i} ||h\left( {PW_{i} } \right)||ID_{i} } \right) \)

  • Step 4 Gateway personalizes smart card with \( \{h\left( . \right),b_{i} ,c_{i} ,ID_{i} \} \) and sends to user via secure channel.

  • Step 5 User adds \( d_{i} = r_{i} \oplus h\left( {ID_{i} ||PW_{i} } \right) \) into smart card. Now smart card has the following parameter \( \{h\left( . \right),b_{i} ,c_{i} ,d_{i} ,ID_{i} \} \).

5.1.2 Registration Between Sensor Node and Gateway

Each sensor node has its identity \( \left( {ID_{sj} } \right) \) and secure password \( (PW_{sj} ) \). Identity and hash value of password for sensor node \( S_{j} \) is also stored in gateway. Steps involved in this phase are as follows:

  • Step 1 Sensor node \( S_{j} \) calculates \( P_{sj} = h(ID_{sj} ||h\left( {PW_{sj} } \right)||Ts_{2} \)) with its \( ID_{sj} \) and \( PW_{sj} \).

  • Step 2 SN sends message containing the parameter \( \{P_{sj} ,ID_{sj,} Ts_{2} \} \) to gateway.

  • Step 3 After receiving the message gateway checks the validity of time stamp. If \( \left| {Ts_{2} - T_{c} } \right| < \Delta T \) then it proceeds further otherwise send rejection message to sensor node.

  • Step 4 With the \( ID_{sj,} \) gateway chooses its own value of \( h\left( {PW_{sj}^{*} } \right) \) and computes \( P_{sj}^{*} \). If \( P_{sj}^{*} \) is not equal to received \( P_{sj} \) then send the rejection message to sensor node otherwise perform further steps.

  • Step 4 With secret key \( K_{GW - S} \), GW computes following values:

    • \( \beta_{j} = h\left( {K_{GW - S} ||ID_{sj} } \right) \)

    • \( b_{sj} = \beta_{j} \oplus h\left( {ID_{sj} ||h\left( {PW_{sj} } \right)} \right) \)

    • \( c_{sj} = h\left( {\beta_{j} ||h\left( {PW_{sj} } \right)||ID_{sj} ||Ts_{3} } \right) \)

  • Step 5 GW sends \( \{ b_{sj} ,c_{sj} ,Ts_{3} \} \) to sensor node via public channel.

  • Step 6 After receiving the message sensor node checks the validity of time stamp. If \( \left| {Ts_{3} - T_{c} } \right| < \Delta T \) then proceeds to next step otherwise sends a rejection message to GW.

  • Step 7 Sensor node compute \( \beta_{j} = b_{sj} \oplus h\left( {ID_{sj} ||h\left( {PW_{sj} } \right)} \right) \) and verify \( c_{sj}^{*} = h\left( {\beta_{j} ||h\left( {PW_{sj} } \right)||ID_{sj} ||Ts_{3} } \right) \) is equals to \( c_{sj} \) then store \( \beta_{j} \) into its memory otherwise sends a rejection message to GW.

5.2 Login Phase

After successful registration phase, user can connect to a sensor node through the GW node. Figure 3 shows procedure of login phase. Detailed steps are given below:

Fig. 3
figure 3

Login phase

Full size image

  • Step 1 User \( U_{i} \) inserts his/her smart card into terminal and input his \( ID_{i}^{*} \) and password \( PW_{i}^{*} \).

  • Step 2 Smartcard computes \( r_{i}^{*} = d_{i} \oplus h(ID_{i}^{*} ||PW_{i}^{*} \)) with the stored value of \( d_{i} \). Then it computes \( MP_{i}^{*} = h\left( {PW_{i}^{*} } \right) \) and \( P_{i} = h\left( {r_{i}^{*} ||MP_{i}^{*} } \right). \)

  • Step 3 Furthermore, Smartcard computes \( \alpha_{i}^{*} = b_{i} \oplus h\left( {P_{i} ||MP_{i}^{*} } \right). \)

  • Step 4 He again computes \( c_{i}^{*} = h\left( {\alpha_{i}^{*} ||MP_{i}^{*} ||ID_{i}^{*} } \right) \) and checks whether original \( c_{i} \) or computed \( c_{i}^{*} \) are equal. If they are unequal then login process will be aborted.

  • Step 5 If the input password was correct then user chooses a random nonce \( k_{i} \) and computes \( M_{1} = k_{i} \oplus h\left( {\alpha_{i} ||MP_{i} } \right) \) and \( M_{2} = h\left( {\alpha_{i} ||MP_{i} || k_{i} ||T_{1} } \right) .\)

  • Step 7 User sends \( \{M_{1} ,M_{2} ,ID_{i} , T_{1} \} \) to GW via public channel.

5.3 Authentication and Key Agreement Phase

After successful login phase mutual authentication between all parties established in authentication and key agreement phase. There are three steps. First step is for user’s legitimacy verification by GW. The second step shows the GW’s legitimacy verification by user and the sensor node. Finally in third step, user verifies the legitimacy of sensor node. The target of this phase to generate session key between user and sensor node. This phase is depicted by Fig. 4. Complete phase of authentication and key agreement is as follows

Fig. 4
figure 4

Authentication phase

Full size image

  • Step 1 When gateway receives a message \( \{M_{1} ,M_{2} ,ID_{i} , T_{1} \} \) from user \( U_{i} \), gateway checks the validity of time stamp by computing \( \left| {T_{1} - T_{c} } \right| < \Delta T \). If validity holds then further computes next step otherwise sends a rejection message to the user \( U_{i} \).

  • Step 2 Using \( h\left( {PW_{i} } \right) \) according to received \( ID_{i} \) gateway computes \( k_{i}^{*} = M_{1} \oplus h\left( {\alpha_{i} ||h\left( {PW_{i} } \right)} \right) \) and then computes its own version of \( M_{2}^{*} = h\left( {\alpha_{i} ||h\left( {PW_{i} } \right)||k_{i}^{*} ||T_{1} } \right) \) and compares it with received \( M_{2} \). If both are equal then gateway authenticates the user \( U_{i} \) otherwise sends a rejection message to user.

  • Step 3 After checking the legitimacy of user, gateway computes \( \gamma_{ij} = h\left( {\alpha_{i} || \beta_{j} || ID_{i} ||ID_{sj} } \right) \), \( M_{3} = \alpha_{i} \oplus \gamma_{ij} \) and \( M_{4} = h\left( {\gamma_{ij} || M_{3} ||ID_{i} ||T_{2} } \right) \) and send \( \{M_{3} , M_{4} ,ID_{i} ,T_{2} \} \) to gateway where \( T_{2} \) is the gateway’s time stamp.

  • Step 4 After receiving \( \{M_{3} , M_{4} ,ID_{i} ,T_{2} \} \), user checks whether \( \left| {T_{2} - T_{c} } \right| < \Delta T \) and then computes its own version of \( \gamma_{ij} = \alpha_{i} \oplus M_{3} \) and \( M_{4}^{*} = h\left( {\gamma_{ij} || M_{3} ||ID_{i} ||T_{2} } \right) \) then compare this result with received value of \( M_{4} \). If both are equal then gateway verification by user \( U_{i} \) holds otherwise aborts the process by sending rejection message to GW.

  • Step 5 After sending a message at time \( T_{2} \) to user \( U_{i} \), gateway further compute \( M_{5} = k_{i} \oplus h\left( {\beta_{j} ||ID_{sj} } \right) \), \( M_{6} = \beta_{j} \oplus \gamma_{ij} \) and \( M_{7} = h\left( {\gamma_{ij} ||k_{i} ||ID_{sj} ||T_{3} } \right) \) then sends \( \{M_{5} , M_{6} , M_{7} ,ID_{i} ,ID_{sj} ,T_{3} \} \) to sensor node \( S_{j} \).

  • Step 6 After receiving message from gateway, sensor node checks whether \( \left| { T_{3} - T_{c} } \right| < \Delta T \) and then compute its own version of \( k_{i}^{*} = M_{5} \oplus h\left( {\beta_{j} ||ID_{sj} } \right) \) by using stored \( \beta_{j} \) and then compute its own version of \( \gamma_{ij} = \beta_{j} \oplus M_{6} \) and \( M_{7}^{*} = h\left( {\gamma_{ij} ||k_{i}^{*} ||ID_{sj} ||T_{3} } \right) \) and compare \( M_{7}^{*} \) with received \( M_{7} \). If both values are same then gateway is authenticated by sensor node otherwise sensor node sends a rejection message to gateway.

  • Step 7 After verification of gateway, sensor node \( S_{j} \) selects a random nonce \( k_{j} \) and compute session key as \( SK = h\left( {k_{i} \oplus k_{j} } \right). \)

  • Step 8 Finally sensor node \( S_{j} \) computes \( M_{8} = k_{j} \oplus \gamma_{ij } \) and \( M_{9} = h\left( {k_{j} ||ID_{sj} ||T_{4} } \right) \) then send \( \{M_{8} , M_{9} ,ID_{i} ,ID_{sj} ,T_{4} \} \) to user \( U_{i} \).

  • Step 9 After receiving above message from sensor node \( S_{j} \) user checks the validity of time stamp \( \left| {T_{4} - T_{c} } \right| < \Delta T \). Checks the legitimacy of sensor node by computing own version of \( k_{j} = M_{8} \oplus \gamma_{ij} \) and \( M_{9}^{*} = h\left( {k_{j} ||ID_{sj} ||T_{4} } \right) \) then compare \( M_{9}^{*} \) with received \( M_{9} \). If both are equal then compute session key as \( SK = h\left( {k_{i} \oplus k_{j} } \right) \) and thus successfully end the authentication phase.

6 Password Changing Phase

This section presents the password changing phase. Details of password changing phase are as follows-

  • Step 1 User \( U_{i } \) inserts his/her smart card into terminal and input his \( ID_{i}^{*} \) and his/her old password \( PW_{i}^{OLD} \).

  • Step 2 Now SC computes \( r_{i}^{*} = d_{i} \oplus h(ID_{i}^{*} || PW_{i}^{OLD} \)) with the stored value of \( d_{i} \) then compute \( MP_{i}^{*} = h\left( {PW_{i}^{OLD} } \right) \) and \( P_{i} = h\left( {r_{i}^{*} ||MP_{i}^{*} } \right) .\)

  • Step 3 Furthermore SC compute \( \alpha_{i}^{*} = b_{i} \oplus h\left( {P_{i} ||MP_{i}^{*} } \right). \)

  • Step 4 Compute \( c_{i}^{*} = h\left( {\alpha_{i}^{*} ||MP_{i}^{*} ||ID_{i}^{*} } \right) \) and checks whether original \( c_{i} \) or com- puted \( c_{i}^{*} \) are equal. If they are unequal then password changing process aborted otherwise continued.

  • Step 5 If the input password was correct then SC invite the user to select his/her new password and then SC compute new version of \( P_{i}^{NEW} = h\left( {r_{i} ||PW_{i}^{NEW} } \right) \). After that compute \( b_{i}^{NEW} = \alpha_{i} \oplus h\left( {P_{i}^{NEW} ||h(PW_{i}^{NEW} } \right) \) and

    $$ c_{i}^{NEW} = h\left( {\alpha_{i} ||h(PW_{i}^{NEW} } \right)||ID_{i} ) $$

    and \( d_{i}^{NEW} = r_{i} \oplus h\left( {ID_{i} ||PW_{i}^{NEW} } \right) \). Finally replaces \( b_{i} ,c_{i} ,d_{i} \) with new values.

7 Security Analysis

In this section we analyse our protocol based on known security attacks. Security analysis of proposed scheme demonstrates that our scheme is safe from various attacks. Details are as follows.

7.1 Mutual Authentication

When a user need to communicate with the sensor node then gateway plays an important role and works as a trusted third party. In our scheme when user \( U_{i} \) sends a message to gateway then gateway verifies the legitimacy of user by checking \( M_{2}^{*} = M_{2} \). Then gateway sends a message to the user and sensor node. User checks the legitimacy of the gateway by computing \( M_{4}^{*} = M_{4} \) and sensor node verifies the legitimacy of gateway by checking \( M_{7}^{*} = M_{7} \). Finally user verifies the sensor node’s legitimacy by checking \( M_{9}^{*} = M_{9} . \) Our scheme executes mutual authentication successfully among the user, gateway and sensor node.

7.2 Key Agreement

The session key is generated at the end of authentication phase. Both parties’ user and the sensor node agreed on same session key \( SK = h\left( {k_{i} \oplus k_{j} } \right) \) where both parties individually contributed to it. \( k_{i} \) is the random nonce choosen by user and \( k_{j} \) is the random nonce choosen by sensor node. Even GW cannot compute the session key generated between user and sensor node. For secret establishment of session key we use hash and XOR operation only over an insecure open network.

7.3 Resist Stolen Smart Card Attacks

We assume if smart card has been lost or stolen from a user then a malicious attacker can get the information stored in smart card. In our scheme smart card has the following parameter \( \{h\left( . \right),b_{i} ,c_{i} ,d_{i} ,ID_{i} \} \). To proceed login phase an attacker has to insert his/her password but password is not stored directly into smart card. If he/she uses incorrect password, terminal will not verify the legitimacy of the adversary. So our protocol resists stolen smart card and smart card breach attack.

7.4 Password Protection

In our proposed scheme user password is not directly stored in smart card so adversary cannot get the information regarding password. Only user knows his password. While sending message we use hash value of password so no one can get the password and also in our proposed protocol attacker cannot get \( K_{GW - U} \) and \( K_{GW - S} \) which are used to compute \( \alpha_{i} \) and \( \beta_{j} \) for user and sensor node respectively.

7.5 Resist Replay Attacks

An attacker can try to impersonate a message send by user, gateway or sensor node and can cheats by sending out a previous message. Since the message contains the sender’s time stamp hence replay attack is unsuccessful for the proposed protocol.

7.6 Resist Gateway Node Bypassing Attack

In our proposed protocol it is difficult to bypass the gateway and cannot send forged message. Without right message any party cannot respond and verified any fake messages.

7.7 Password Updating/Changing

For changing a user’s password, an adversary would need to submit his/her smart card. If we assume that an adversary has found the smart card by stealing or finding a lost one. Adversary must have the knowledge of old password to change the password. But it is shown in stolen smart card attack that an adversary would not be able to getting password from the smart card.

7.8 Resist Denial of Service Attack

Denial of service attack can be harmful for resource constrained wireless sensor networks. In our proposed scheme DoS attack is not possible because every time user received a confirmation or rejection message from sensor node. If number of login failures exceeds the predefined value due to bogus login attempts or due to fault of legal user or due to malicious intentions of an adversary; then card reader blocks the card for some specific period at the same time; which saves time, energy and computation resources of the server. Thus, computation exhaustive attacks like DOS attack on the server will be avoided.

7.9 Resist Insider Attack

In the proposed protocol, user \( U_{i} \) does not submit his password in plaintext format to the remote server while he sends hashed value \( P_{i} = h(r_{i} ||h\left( {PW_{i} } \right) \)) to the server in a secure communication channel. Therefore, it is not possible for any privileged insider to guess both the parameters \( r_{i} \) as well as \( PW_{i} \) simultaneously in a polynomial time, which makes him unable to use the secret information of the user for his personal benefit. Hence proposed protocol prevent against the privileged insider attack.

7.10 Resist Offline Password Guessing Attack

An adversary can get the information from login request message \( \{M_{1} ,M_{2} ,ID_{i} , T_{1} \} \), authentication message and stored security parameters of \( U_{i} \) ‘s smart card \( \{h\left( . \right),b_{i} ,c_{i} ,d_{i} ,ID_{i} \} . \). Then he tries to guess out secret parameters offline \( \alpha_{i} , \beta_{j} \gamma_{ij} \) and \( PW_{i} \) from his directory. But every time, he has to guess at least two secret unknown parameters correctly at the same time, which is impossible. Thus because of collision resistant property of hash functions, our protocol is secure against offline guessing attacks.

Table 2 shows the comparison of our proposed scheme with existing schemes [1, 2, 5, 10].

Table 2 Comparison of proposed scheme with related scheme in terms of security
Full size table

8 Performance Evaluation

In this section we examined our scheme on the basis of parameter like communication, computation and storage overhead. We compare our scheme with related schemes and found that our proposed protocol provides more security feature without increasing too much overhead.

8.1 Computational Overhead Analysis

We used \( T_{H} \),\( T_{ECC} \) and \( T_{\oplus } \) as three computational parameter. Where \( T_{H} \) denotes the time required for hash operation and \( T_{ECC} \) denotes the time required for ECC-160 operation in encryption/decryption.\( T_{\oplus } \) is the time complexity for XOR operation. We have summarized our result in Table 3, which presents the comparison of our scheme with other related schemes based on the computational overhead of login and key agreement phase only. We compare our protocol with three existing schemes (Turkanovic et al.’s, Xue et al.’s and Yeh et al.). Our analysis shows that proposed scheme has less computation overhead than the others and provide security in all aspects. Yeh et al’s protocol is based on ECC, which is more complex in computation and takes more energy than hash operation [12].

Table 3 Comparison of proposed scheme with related scheme in terms of computational cost
Full size table

8.2 Storage Overhead Analysis

In proposed scheme, stored parameters in smart card are \( \{ h\left( . \right),b_{i} ,c_{i} ,d_{i} ,ID_{i} \} \). We assume that the length of identity, password, random number and secret parameters are as long as the one way hash function i.e. 128 bits. Time stamps length would be 24 bit. Storage cost for user is 620 bits (5*128). Gateway needs to store identity (\( ID_{i} , ID_{sj} ) \) and hash of password for every sensor and user. GW also keeps \( K_{GW - U} \) and \( K_{GW - s} \). Storage analysis of sensor node should be considered due to resource constrained environment. In pre deployment phase each sensor node keeps its identity and password. Password can be removed from the memory of sensor node after registration phase and then each sensor node need to store its identity and \( \beta_{j} \) only. After registration phase storage cost for sensor node is 256 bits while in turkanovic et al’ scheme storage cost for sensor node is 448 bits. In proposed scheme storage cost of a sensor node is less than the turkanovic et al’ scheme.

8.3 Communication Overhead Analysis

Sensor node is the device with low memory, limited computation capacity and low transmission range. The IEEE 802.15.4 [13, 14] standard was specially designed for low cost and low speed communication between devices. According to IEEE 802.15.4 standard, packet frames less than 127 bytes fit to WSN. In our protocol only four message are required for mutual authentication and to establish session key between user and sensor node. Cost of first message sent from user to gateway is 51 bytes. Second message from GW to user has the communication cost of 51 bytes. Third message is sent from GW to sensor node has the communication cost 83 bytes. Communication cost of fourth message from sensor node to user is 67 bytes. As per the standard, threshold value is 127 bytes and it is shown that every message exchanged between the user, GW and sensor node is less than threshold value of 127 bytes.

Communication cost of the four messages used in authentication phase of proposed scheme is given in Table 4.

Table 4 Communication cost of sent messages
Full size table

9 Conclusion

In this paper a user authentication and key agreement scheme is presented. Turkanovic et al. proposed a user authentication and key agreement scheme based on internet of things notion for wireless sensor network. Crypt analysis of their scheme shows the scheme proposed by them is not secure against many types of attacks. We found that their scheme is insecure for practical application and susceptible to offline password guessing attack, replay attack and impersonate attack. Furthermore, an outsider can obtain the secured password shared between the user and gateway that breaks the entire system. To eliminate all security shortcomings, we proposed a new and improved user authentication and key agreement scheme. Security analysis of our scheme shows that it resolves all the described vulnerability of Turkanovic et al.’s scheme and is more protected and competent for practical application surroundings. The performance analysis of our scheme shows that our scheme requires only 1 more hash computation as compared to turkanovic et al’s scheme. The additional hash computation is done by user’s side.