
Research Article
A Provably Secure Anonymous Authenticated Key Exchange Protocol Based on ECC for Wireless Sensor Networks

Ke Zhang,1,2 Kai Xu,3 and Fushan Wei2

1 Network Information Center, Shaanxi Normal University, Xi'an 710062, China
2 State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450002, China
3 School of Computer Science and Technology, Xi'an University of Science and Technology, Xi'an 710054, China

Correspondence should be addressed to Ke Zhang; kezhang2017@163.com

Received 22 January 2018; Revised 7 April 2018; Accepted 19 April 2018; Published 16 July 2018

Academic Editor: Ding Wang

Copyright © 2018 Ke Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

In wireless sensor networks, users sometimes need to retrieve real-time data directly from the sensor nodes. Many authentication protocols have been proposed to address the security and privacy aspects of this scenario. However, these protocols still have security loopholes and fail to provide strong user anonymity. To overcome these shortcomings, we propose an anonymous authenticated key exchange protocol based on elliptic curve cryptography (ECC). The protocol provides strong user anonymity: even the gateway node and the sensor nodes do not learn the real identity of the user. The security of the proposed protocol is proved in a well-defined security model under the CDH assumption. Compared with related protocols, ours is efficient in terms of communication and enjoys stronger security. The only disadvantage is that it consumes more computation resources, because asymmetric cryptography is used to realize strong anonymity. Consequently, the protocol is suited to applications that require strong anonymity and high security in wireless sensor networks.

Hindawi, Wireless Communications and Mobile Computing, Volume 2018, Article ID 2484268, 9 pages, https://doi.org/10.1155/2018/2484268

1. Introduction

1.1. Background. As an important part of the Internet of Things, wireless sensor networks (WSNs) draw more and more attention from industry and researchers. Typically, a WSN is composed of numerous tiny sensor nodes. These sensor nodes can be deployed in unattended or hostile environments to collect valuable data of interest. For example, a large amount of visual data such as images and videos can be collected by visual sensor nodes [1]. These nodes have the characteristics of easy deployment, low cost, and high mobility [2]. Due to these merits, WSNs are very useful in many application scenarios, such as natural disaster prevention, machine health monitoring, air temperature monitoring, health care monitoring, and battlefield surveillance.

Usually, the data collected by the sensor nodes are transmitted to and aggregated by a gateway node periodically. Whenever a user wants to access the aggregated data from the gateway node, he authenticates himself to the gateway node. However, in some application scenarios such as health care monitoring and battlefield surveillance, users need to access the data directly from the sensor nodes. In that case the user first sends a request to the gateway node for access to the real-time data. The gateway authenticates whether the user is valid. If the user is valid, a common session key is established between the user and the sensor node with the help of the gateway node. The session key can later be used to protect the confidentiality and integrity of the data [3].

1.2. Related Work. To address the security aspects of the above application scenario, many authentication protocols have been proposed [4-7]. In 2009, Das [8] proposed a two-factor user authentication protocol, which is claimed to provide strong authentication and session key establishment and to be efficient. Unfortunately, Khan et al. [9] soon found that Das's protocol is vulnerable to the gateway node bypassing attack and the privileged-insider attack. Besides, Das's protocol also fails to provide password update and mutual authentication. Khan et al. also presented an improved protocol to fix the weaknesses of the original protocol. In 2011, Yeh et al. [10] pointed out several weaknesses of Das's protocol. They also designed an ECC-based authentication protocol to meet the needs of applications with higher security requirements. In 2013, Xue et al. [11] proposed a temporal-credential-based mutual authentication scheme among the user, the gateway node, and the sensor node. A credential is issued by the gateway node to each user for authentication. Their protocol only involves lightweight operations such as XOR and hash, and is suitable for resource-constrained WSNs. Nevertheless, He et al. [12] soon pointed out that Xue et al.'s protocol is vulnerable to the offline password guessing attack, the user impersonation attack, the sensor node impersonation attack, and the modification attack. They also proposed an improved temporal-credential-based protocol to remedy the weaknesses. Yuan et al. [13] proposed an authentication scheme for WSNs based on public key mechanisms and biometric characteristics of the user to realize strong authentication. In 2014, Wang et al. [14] analyzed two authentication schemes for WSNs and demonstrated several loopholes. They also investigated the underlying rationale of the security failures and put forward three basic principles for designing secure authentication protocols in WSNs. In 2016, Shen et al. [15] proposed an efficient multilayer authentication protocol and a secure session key generation method for WSNs. They also designed a one-to-many group authentication protocol and a certificateless authentication protocol, which is of independent interest.

Recently, researchers have begun to focus on users' privacy protection in WSNs. Wu et al. [16] proposed an anonymous authentication scheme based on ECC for WSNs with a formal security proof. Jiang et al. [17] designed an anonymous lightweight three-factor authentication scheme for WSNs; the security of their protocol is analyzed using ProVerif. Wang et al. [20] put forward a new authentication scheme which can resist all known attacks on WSNs. Moreover, they explored the design principles of authentication schemes. They also designed a biometric-based authentication scheme and proved its security using the Burrows-Abadi-Needham (BAN) logic [18]. Li et al. [19] proposed a three-factor anonymous authentication scheme for WSNs. They use fuzzy commitment to deal with the user's biometric template.

1.3. Motivation and Contribution. Until now, many authentication protocols have been designed to protect security and privacy when accessing real-time data in WSNs. However, some problems remain unsolved. Firstly, most of these protocols only have informal, heuristic security arguments. It is quite common that a protocol claimed to be secure is soon found to be vulnerable to several attacks; worse, the improved protocol still has many vulnerabilities. Secondly, the existing protocols pay little attention to the user's privacy. Only a few protocols provide user anonymity, and these protocols only achieve weak anonymity, i.e., the real identity is hidden from an adversary but is known to the gateway node, and sometimes even the sensor node knows the real identity of the user. Last but not least, the existing protocols rely on efficient XOR, symmetric encryption, and hash operations to provide better efficiency. Although these protocols suit the constrained storage, computation, and communication capabilities of sensor nodes, they fail to provide strong security guarantees. For security-critical applications such as battlefield surveillance, security and privacy are more important than computation and communication efficiency.

In this paper, we investigate the design of anonymous and strongly secure authenticated key exchange protocols in WSNs. We propose an efficient authenticated key exchange protocol for the scenario in which the user wants to access the real-time data directly from the sensor node. The protocol has the following advantages. First, it enjoys a formal security proof in a well-defined security model; the proof is conducted in the random oracle model under the CDH assumption. Second, it provides the strongest form of anonymity, in the sense that the real identity of the user is known only to the user himself: neither the gateway node nor the sensor node can obtain any information about the user's identity, let alone the adversary. Third, it achieves more security attributes than other related protocols. Consequently, it is more secure than related protocols and is particularly suitable for security-critical applications in WSNs. The only disadvantage is that it needs more computation resources; however, in security-critical applications, security and privacy matter more than computation efficiency.

The rest of the paper is organized as follows. In Section 2 we present the security model and some preliminaries. We describe the details of the proposed protocol in Section 3. The security proof is given in the random oracle model in Section 4. The performance comparison with other related protocols is summarized in Section 5. We conclude the paper in Section 6.

2. Security Model

In this section, we briefly recall the security model presented in [21, 22]. The security of our protocol will be proved in this formal model.

Protocol Participants. The participants of an authentication and key exchange protocol for real-time data retrieval in WSNs are users $U$, a gateway node $GN$, and sensor nodes $S_i$. Each user $U$ registers with the gateway node, and each sensor node $S_i$ shares a common secret key with the gateway node.

Protocol Execution. All participants are modeled as probabilistic polynomial-time (PPT) Turing machines. The $i$-th instance of a participant $P$ is denoted by $P^i$. All communication channels are controlled by a PPT adversary $\mathcal{A}$, who can intercept, delay, modify, and even forge messages at will. The capabilities of the adversary are captured through the following oracle queries.

(i) $Execute(U^x, GN^y, S_i^z)$: the execution query captures the passive eavesdropping ability of $\mathcal{A}$. In reply, $\mathcal{A}$ gets the full transcript of the authentication instance executed among a user instance $U^x$, a gateway node instance $GN^y$, and a sensor node instance $S_i^z$.

(ii) $Send(P^i, m)$: the send query captures the active attack ability of $\mathcal{A}$. Through this query $\mathcal{A}$ sends a modified or forged message $m$ to instance $P^i$ in the name of another participant instance, and receives the message that $P^i$ generates upon receiving $m$ according to the protocol. The participant $P$ can be a user, a gateway node, or a sensor node.

(iii) $Corrupt(U, PW)$: this query captures the compromise of the user's password. The adversary $\mathcal{A}$ only gets the password of the victim user; it can neither control the terminal nor compromise the credential of the user.

(iv) $Corrupt(U, cred)$: this query captures the compromise of the user's terminal. The adversary $\mathcal{A}$ can extract the credential issued by the gateway node and control the victim user's terminal. However, the password of the user remains unknown to $\mathcal{A}$.

(v) $Corrupt(S_i)$: this query captures the compromise of a sensor node $S_i$. Through this query $\mathcal{A}$ obtains the secret key of $S_i$ and controls the sensor node.

(vi) $Reveal(P^i)$: this query can only be asked of a user instance or a sensor node instance. If the instance $P^i$ has accepted the session and generated a session key, $\mathcal{A}$ gets the session key. Otherwise $\mathcal{A}$ gets the symbol $\perp$, which means that $P^i$ does not hold a session key.

(vii) $Test(P^i)$: this query does not capture any real attack ability of $\mathcal{A}$ but is used to measure the security of the session key held by instance $P^i$. Upon receiving this query, the simulator flips a coin $b$. If the result is 1, it returns the real session key to $\mathcal{A}$. If the result is 0, the simulator sends $\mathcal{A}$ a random session key of the same length as the real one. $\mathcal{A}$ has to distinguish whether the key is real or random; in other words, $\mathcal{A}$ has to guess the result of the coin flip.

The session identifier (sid) is defined as the transcript shared between a user instance and a sensor node instance. The partner identifier (pid) of an instance is the participant with whom the instance wants to establish a common session key. We say a user instance $U^x$ and a sensor node instance $S_i^z$ are partners if the following conditions hold: (1) both instances accept and generate the same session key; (2) both instances share the same sid; (3) the pid of $U^x$ is $S_i$ and the pid of $S_i^z$ is $U$; and (4) no other instance accepts with the same sid as $U^x$ and $S_i^z$.

If the adversary $\mathcal{A}$ asks both $Corrupt(U, cred)$ and $Corrupt(U, PW)$, the user $U$ is said to be fully corrupted. When defining the AKE security of the session key we do not consider corruption of the gateway node: once the gateway node is corrupted, nothing can guarantee the security of the protocol. A user instance or a sensor node instance $P^i$ is said to be fresh if (1) $\mathcal{A}$ has not sent a $Reveal$ query to the instance or its partner, and (2) the user or the sensor node has not been fully corrupted by $\mathcal{A}$.

AKE Security. The security of the session keys is captured by AKE security. The adversary $\mathcal{A}$ is restricted to asking $Test$ queries of fresh instances only; otherwise $\mathcal{A}$ could trivially win the attack game. $\mathcal{A}$ is given access to all the oracle queries; the only restriction is that $\mathcal{A}$ can ask a single $Test$ query, to a fresh instance. $\mathcal{A}$ has to guess the hidden bit $b$ used by the simulator when answering the $Test$ query. If $\mathcal{A}$ guesses the bit correctly, we say that $\mathcal{A}$ wins the AKE security game; we denote this event by $Succ$. For the distribution of the passwords we use the Zipf's law model put forward by Wang et al. [21] instead of assuming a uniform distribution. The advantage of $\mathcal{A}$ in attacking the AKE security of a protocol $\mathcal{P}$, when passwords are chosen according to Zipf's law over a dictionary $\mathcal{D}$, is defined as follows:

$$\mathrm{Adv}^{ake}_{\mathcal{P},\mathcal{D}}(\mathcal{A}) = 2 \cdot \Pr[Succ] - 1. \qquad (1)$$

An authentication and key exchange protocol $\mathcal{P}$ is said to be AKE secure if, for every PPT adversary $\mathcal{A}$, the advantage $\mathrm{Adv}^{ake}_{\mathcal{P},\mathcal{D}}(\mathcal{A})$ is only negligibly larger than $C' \cdot q_{send}^{s'}$, where $C'$ and $s'$ are the Zipf parameters and $q_{send}$ is the number of active attack sessions. The constants $C'$ and $s'$ depend on the password data set and can be calculated by linear regression.

3. Description of the Protocol

In this section we describe the proposed anonymous authenticated key exchange protocol based on ECC for WSNs. The most important benefit of ECC is that it provides the same level of security with a smaller key size than other public-key mechanisms such as RSA, so it suits the resource-constrained nature of WSNs. Our protocol has three phases: the setup phase, the registration phase, and the authentication and key exchange phase. The detailed steps of each phase are described in the following. The symbols used in this paper are summarized in Table 1.

3.1. The Setup Phase. Let $p$ be a large prime and $F_p$ the finite field of order $p$. Let $E$ be an elliptic curve over $F_p$ given by the equation $y^2 = (x^3 + ax + b) \bmod p$ with $a, b \in F_p$ and $(4a^3 + 27b^2) \bmod p \neq 0$. The set of rational points of $E$ over $F_p$ is denoted by $E(F_p)$; more precisely, $E(F_p) = \{(x, y) : x, y \in F_p,\ y^2 = (x^3 + ax + b) \bmod p\} \cup \{O\}$, where $O$ is the point at infinity. Let $G$ be the cyclic group generated by a point $P \in E(F_p)$ of large prime order $n$. The parameters $(F_p, E, E(F_p), G, P)$ are the system parameters and can be chosen by a trusted third party or by the gateway node. The gateway node ($GN$) chooses a random number $s_{GN} \in Z_n^*$ as its private key and computes the corresponding public key $Q_{GN} = s_{GN} P$. The public key $Q_{GN}$ is published in the whole network. Define six hash functions $H_1 : \{0,1\}^* \to Z_n^*$, $H_2 : \{0,1\}^* \to G^*$, and $H_0, H_3, H_4, H_5 : \{0,1\}^* \to \{0,1\}^\kappa$, where $\kappa$ is the security parameter. All these parameters $(F_p, E, E(F_p), G, P, Q_{GN}, H_i\ (i = 0, 1, \ldots, 5))$ are available to all entities in the WSN.

Table 1: Notations

  $ID_{GN}$            identity of the gateway node
  $ID_U$               identity of the user $U$
  $ID_{S_i}$           identity of the sensor node $S_i$
  $p, n$               large prime numbers
  $F_p$                a finite field
  $E$                  an elliptic curve defined over $F_p$
  $E(F_p)$             the set of rational points of $E$
  $s_{GN}$             secret key of the gateway node
  $PW_U$               the password of the user $U$
  $\oplus$             exclusive OR
  $\|$                 concatenation
  $h(m)$               cryptographic hash of message $m$
  $sign_{s_{GN}}(m)$   signature of $m$ signed with $s_{GN}$
  $T_{GN}, T_{S_i}$    timestamps of $GN$ and $S_i$

Figure 1: Registration phase of the mobile user. The diagram shows the flow between the user $U$ and the gateway node $GN$: $U$ chooses $ID_U$ and a random password $PW_U$ and sends $ID_U$; $GN$ computes $\sigma = (1/(s_{GN} + H_1(ID_U)))P$, picks $r \in Z_n^*$, sets $R_1 = r\sigma$, $R_2 = rP$, $c = H_1(P, Q_{GN}, H_1(ID_U), \sigma, R_1, R_2)$ and $s = (r + c\, s_{GN}) \bmod n$, and returns $(\sigma, c, s)$; $U$ recomputes $R_1^* = (s + cH_1(ID_U))\sigma - cP$, $R_2^* = sP - cQ_{GN}$, $c^* = H_1(P, Q_{GN}, H_1(ID_U), \sigma, R_1^*, R_2^*)$, and if $c^* = c$ stores $cred = \sigma + H_2(PW_U)$ in the terminal.

3.2. The Registration Phase. If a user $U$ wants to access the data collected by the sensor nodes in the WSN, $U$ has to register with the gateway node. For a pictorial illustration of the user registration, please refer to Figure 1. The detailed steps are described in the following.

Step 1. The user $U$ randomly chooses his identity $ID_U$ and his password $PW_U$ from the password dictionary. $U$ sends his identity $ID_U$ to the gateway node $GN$ through a secure channel.

Step 2. When the gateway node $GN$ receives the registration request from the user, $GN$ verifies the validity of $U$'s identity $ID_U$. If it is valid and no other user in its database is registered under the same identity, $GN$ first computes the credential $\sigma = (1/(s_{GN} + H_1(ID_U)))P$. Then $GN$ chooses a random number $r \in Z_n^*$ and computes $R_1 = r\sigma$, $R_2 = rP$, $c = H_1(P, Q_{GN}, H_1(ID_U), \sigma, R_1, R_2)$, and $s = (r + c\, s_{GN}) \bmod n$. At last, $GN$ sends the registration message $(\sigma, c, s)$ to the user $U$ through a secure channel.

Step 3. When the user $U$ receives the registration message $(\sigma, c, s)$ from $GN$, $U$ verifies the validity of the message. $U$ computes $R_1^* = (s + cH_1(ID_U))\sigma - cP$, $R_2^* = sP - cQ_{GN}$, and $c^* = H_1(P, Q_{GN}, H_1(ID_U), \sigma, R_1^*, R_2^*)$, and checks whether $c^*$ equals $c$. Since $(s_{GN} + H_1(ID_U))\sigma = P$, a correctly formed $(\sigma, c, s)$ gives $R_1^* = r\sigma = R_1$ and $R_2^* = rP = R_2$, so the check passes. If the verification is successful, $U$ accepts $\sigma$ as a valid credential. Finally, $U$ computes $cred = \sigma + H_2(PW_U)$ and stores the password-protected credential $cred$ in his terminal.

The registration of a sensor node is rather simple compared with the user registration. The sensor node $S_i$ sends a registration request to the gateway node $GN$ through a secure channel. Upon receiving the request, $GN$ computes the symmetric key $K_{(GN,S_i)} = H_3(GN, S_i, s_{GN})$ and sends it to $S_i$ through a secure channel.

3.3. The Authentication and Key Exchange Phase. Suppose a user $U$ wants to get real-time data from the sensor node $S_i$. $U$ has to execute the authentication and key exchange phase with the gateway node $GN$ and the sensor node $S_i$. During this phase, the user $U$, the gateway node $GN$, and the sensor node $S_i$ authenticate each other. At the end of this phase, a session key is established between $U$ and $S_i$ to protect the upcoming data transmission. The detailed steps of the authentication and key exchange phase are described as follows. For a pictorial illustration, please refer to Figure 2.

Figure 2: Authentication and key exchange phase. The diagram shows the four messages exchanged among the user $U$ (holding $PW_U$ and $cred$), the gateway node $GN$ (holding $s_{GN}$), and the sensor node $S_i$ (holding $K_{(GN,S_i)}$): (1) $U \to GN$: $(label, X, T, c_1, s_m, s_a)$; (2) $GN \to S_i$: $(label, X, T_{GN}, Auth_{GN})$; (3) $S_i \to GN$: $(S_i, Y, T_{S_i}, Auth_{S_i})$; (4) $GN \to U$: $(Y, \sigma_{GN})$. The computations at each node are those of Steps 1-5 below.

Step 1. The user $U$ types his password $PW_U$ into his terminal. The terminal computes $H_2(PW_U)$ and recovers the credential $\sigma = cred - H_2(PW_U)$. $U$ then chooses a random number $x \in Z_n^*$ and computes $X = xP$. $U$ defines the label of this session as $label = (ID_{GN}, ID_{S_i})$. $U$ chooses three random numbers $a, r_m, r_a \in Z_n^*$ and computes $T = a\sigma$, $R_3 = r_a P - r_m T$, $c_1 = H_1(P, T, R_3, X, label)$, $s_m = (r_m + c_1 H_1(ID_U)) \bmod n$, and $s_a = (r_a + c_1 a) \bmod n$. Finally, $U$ sends the message $(label, X, T, c_1, s_m, s_a)$ to the gateway node $GN$.

Step 2. Upon receiving the message $(label, X, T, c_1, s_m, s_a)$ from the user, $GN$ needs to authenticate the user $U$. $GN$ computes $V = s_{GN} T$, $R_3^* = s_a P - c_1 V - s_m T$, and $c_1^* = H_1(P, T, R_3^*, X, label)$, and checks whether $c_1^*$ equals $c_1$. For an honest user, $s_a P - c_1 V - s_m T = R_3 + c_1 a\,(P - (s_{GN} + H_1(ID_U))\sigma) = R_3$, because $(s_{GN} + H_1(ID_U))\sigma = P$; note that $GN$ learns neither $\sigma$ nor $ID_U$ from the message, only the blinded value $T = a\sigma$. If the verification is successful, $GN$ authenticates the user $U$ and believes that $U$ is a valid user. $GN$ then computes the key shared with the sensor node, $K_{(GN,S_i)} = H_3(GN, S_i, s_{GN})$, and the authenticator $Auth_{GN} = H_4(K_{(GN,S_i)}, X, label, T_{GN})$, where $T_{GN}$ is the current timestamp of $GN$. Finally, $GN$ sends the message $(label, X, T_{GN}, Auth_{GN})$ to the sensor node $S_i$.

Step 3. Upon receiving the message $(label, X, T_{GN}, Auth_{GN})$ from $GN$ at time $T^*_{GN}$, the sensor node $S_i$ first checks whether $|T^*_{GN} - T_{GN}| \le \Delta T$, where $\Delta T$ is the expected time interval for the transmission delay. If so, $S_i$ verifies the validity of the authenticator $Auth_{GN}$ using its key $K_{(GN,S_i)}$. If the authenticator is valid, $S_i$ chooses a random number $y \in Z_n^*$ and computes $Y = yP$. $S_i$ then computes the authenticator $Auth_{S_i} = H_5(K_{(GN,S_i)}, X, Y, T_{GN}, T_{S_i}, label)$, where $T_{S_i}$ is the current timestamp of $S_i$. $S_i$ computes the Diffie-Hellman key $K = yX$ and the session key $sk = H_0(label, X, Y, K)$. Finally, $S_i$ sends the message $(S_i, Y, T_{S_i}, Auth_{S_i})$ to the gateway node $GN$.

Step 4. Upon receiving the message $(S_i, Y, T_{S_i}, Auth_{S_i})$ from $S_i$ at time $T^*_{S_i}$, $GN$ first checks whether $|T^*_{S_i} - T_{S_i}| \le \Delta T$, where $\Delta T$ is the expected time interval for the transmission delay. If so, $GN$ computes the key shared with the sensor node, $K_{(GN,S_i)} = H_3(GN, S_i, s_{GN})$, and verifies the validity of the authenticator $Auth_{S_i}$. If the verification is successful, $GN$ computes $r_{GN} = H_1(label, X, T, c_1, s_m, s_a, Y)$ and signs $r_{GN}$ with its private key $s_{GN}$; the signature is denoted by $\sigma_{GN}$. Finally, $GN$ sends the message $(Y, \sigma_{GN})$ to the user $U$.

Step 5. Upon receiving the message (Y, σ_GN) from GN, U first verifies the validity of the signature σ_GN: U computes the random number r*_GN = H_1(label, X, T, c_1, s_m, s_a, Y) and checks whether σ_GN is a valid signature on r*_GN signed by GN. If the verification is successful, U computes the Diffie-Hellman key K = xY and the session key sk = H_0(label, X, Y, K). U then accepts the session and waits for the upcoming communication.

4. Security Proof

In this section, we present the security proof of our protocol. The proof is conducted in the security model presented in Section 2.

Theorem 1. Suppose P is the anonymous authentication and key exchange protocol for WSNs described in the previous section, and A is a PPT adversary against the AKE security of P who runs in time t and makes at most Q_send Send queries to different instances. If the signature scheme used in our protocol is existentially unforgeable against adaptive chosen-message attacks and the hash functions H_i(·) (i = 0, 1, ..., 5) are all modeled as random oracles, then under the CDH assumption the advantage of the adversary A in violating the AKE security of the protocol P is at most

$$\mathrm{Adv}^{\mathrm{ake}}_{\mathcal{P},\mathcal{D}}(\mathcal{A}) \le C' \cdot Q_{\mathrm{send}}^{\,s'} + \mathrm{negl}(\kappa). \qquad (2)$$

Proof. We use the hybrid-experiment technique to prove Theorem 1. The hybrid experiments start with the real attack scenario, and we gradually change the simulation rules in each experiment. In the last experiment, the advantage of the adversary in distinguishing the session key is negligible. By estimating the difference in the adversary's advantage between consecutive hybrid experiments, the advantage of the adversary in breaking the AKE security can be calculated. We denote the adversary's advantage in hybrid Exp_i by Adv_i(A).

Experiment Exp_0. This is the real attack scenario defined in the security model. In this experiment, the adversary has access to all the oracles. According to the definition of A's advantage, we have

$$\mathrm{Adv}^{\mathrm{ake}}_{\mathcal{P},\mathcal{D}}(\mathcal{A}) = \mathrm{Adv}_0(\mathcal{A}). \qquad (3)$$

Experiment Exp_1. In this experiment, we simulate all the hash functions H_i(·) (i = 0, 1, ..., 5) by maintaining hash lists Λ_{H_i} (i = 0, 1, ..., 5) using the following rules:

(i) On a query H_i(m), if a record (i, m, r) exists in Λ_{H_i}, then return r. Otherwise, the output r is chosen according to the following rule Rule_{H_i}:
if i = 1, choose a random element r from Z*_n, then add the record (1, m, r) to Λ_{H_1};
if i = 2, choose a random element r from G, then add the record (2, m, r) to Λ_{H_2};
if i ∈ {0, 3, 4, 5}, choose a random element r from {0,1}^κ, then add the record (i, m, r) to Λ_{H_i}.

In addition to these lists, we also simulate six private hash oracles H'_i (i = 0, 1, ..., 5) by maintaining hash lists Λ'_{H_i} (i = 0, 1, ..., 5). We will use these private hash functions in the following hybrid experiments. It is well known that a hash function can be simulated perfectly in PPT time using the above rules; thus we have

$$\left|\mathrm{Adv}_1(\mathcal{A}) - \mathrm{Adv}_0(\mathcal{A})\right| \le \mathrm{negl}(\kappa). \qquad (4)$$

Experiment Exp_2. In this experiment, we abort the sessions in which some unlikely collisions occur. More specifically, if a collision occurs in the simulation of the hash functions or on the transcripts (X, Y, T, c_1, s_m, s_a, σ_GN), we terminate the session and let the adversary win. By the birthday paradox, we have

$$\left|\mathrm{Adv}_2(\mathcal{A}) - \mathrm{Adv}_1(\mathcal{A})\right| \le \mathrm{negl}(\kappa). \qquad (5)$$

Experiment Exp_3. In this experiment, we modify the simulation rules of the sessions generated by Execute queries. Whenever we need to compute the session key in a passive session, we use the private hash oracle H'_0 instead of H_0; moreover, the Diffie-Hellman key K is no longer used as an input. In other words, the session key of a passive session is computed as sk = H'_0(label, X, Y). The adversary can distinguish experiment Exp_3 from the previous experiment Exp_2 if and only if it sends a hash query (label, X, Y, K) to the hash oracle H_0 in which X, Y were generated in a passive session and K = CDH(X, Y). However, if the adversary can issue such a query, we can use it to solve the CDH problem.

Given a CDH instance (U, V), we embed the instance into all the passive sessions using the random self-reducibility of the CDH problem. To do so, we choose four random numbers a_0, b_0, a_1, b_1 ∈ Z*_n for each passive session. When simulating the transcripts, we simply set X = a_0 U + b_0 P and Y = a_1 V + b_1 P. All other transcripts are simulated as usual up to the computation of the session key, which is computed as sk = H'_0(label, X, Y). If an adversary can distinguish between this experiment and the previous one, then a query (label, X, Y, K) must have been issued to the hash oracle H_0. We can then compute the Diffie-Hellman value of (U, V) by selecting a random record (0, (label, X, Y, K), r) in Λ_{H_0} and computing

$$\mathrm{CDH}(U, V) = \frac{K - a_0 b_1 U - a_1 b_0 V - b_0 b_1 P}{a_0 a_1},$$

where the division denotes scalar multiplication by (a_0 a_1)^{-1} mod n. This works because, writing U = uP and V = vP, we have X = (a_0 u + b_0)P and Y = (a_1 v + b_1)P, so K = (a_0 u + b_0)(a_1 v + b_1)P = a_0 a_1 (uvP) + a_0 b_1 U + a_1 b_0 V + b_0 b_1 P; the three correction terms remove exactly the part of K that does not depend on uvP.

Under the intractability assumption of the CDH problem, we have

$$\left|\mathrm{Adv}_3(\mathcal{A}) - \mathrm{Adv}_2(\mathcal{A})\right| \le \mathrm{negl}(\kappa). \qquad (6)$$
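The key derivation of Steps 3 to 5 (sensor, gateway and user) and the Exp_3 embedding above, as an added example that is not code from the paper: one toy elliptic-curve implementation serves both the sensor-gateway authenticator exchange with its timestamp window and the CDH self-reduction. Everything that the paper does not fix is an assumption here: secp256k1 as the prime-order group generated by P, SHA-256 with a tag string standing in for the random oracles H_0, H_4 and H_5, a SHA-256 stand-in for K(GN,Si) = H_3(GN, S_i, s_GN), 8-byte timestamps, a 60-second delay window, a fixed user exponent x, and the function names. The ECDSA signature on r_GN in Steps 4 and 5 is not modeled.

```python
# Added example (not the paper's code): Steps 3-5 of the exchange between S_i, GN and U,
# plus the CDH self-reduction of Exp_3, on one toy ECC implementation. Assumed, not given
# by the paper: secp256k1 as the prime-order group <P>; SHA-256 with a tag string standing
# in for the random oracles H_0, H_4, H_5; 8-byte timestamps; a delay window of 60 s.
import hashlib
import secrets

P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None      # point at infinity
DELTA_T = 60    # expected transmission-delay window in seconds (assumed)

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_p; INF is the neutral element."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if x1 == x2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication; k is reduced modulo the group order n."""
    acc, k = INF, k % N_ORDER
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def ec_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P_MOD)

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def ts(t):
    return t.to_bytes(8, "big")

def H(tag, *parts):
    """Length-prefixed SHA-256; the tag separates the oracles H_0, H_4 and H_5."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()

def sensor_step3(k_gn_si, label, X, T_GN, auth_gn, now, y=None):
    """S_i: reject if |T*_GN - T_GN| > DELTA_T or Auth_GN is wrong; else Y, T_Si, Auth_Si, sk."""
    if abs(now - T_GN) > DELTA_T or auth_gn != H(b"H4", k_gn_si, enc(X), label, ts(T_GN)):
        return None
    y = y if y is not None else secrets.randbelow(N_ORDER - 1) + 1
    Y = ec_mul(y, GEN)
    auth_si = H(b"H5", k_gn_si, enc(X), enc(Y), ts(T_GN), ts(now), label)
    sk = H(b"H0", label, enc(X), enc(Y), enc(ec_mul(y, X)))   # K = yX
    return Y, now, auth_si, sk

def gateway_step4(k_gn_si, label, X, T_GN, Y, T_Si, auth_si, now):
    """GN: timestamp window first, then recompute Auth_Si under K(GN,S_i)."""
    if abs(now - T_Si) > DELTA_T:
        return False
    return auth_si == H(b"H5", k_gn_si, enc(X), enc(Y), ts(T_GN), ts(T_Si), label)

def user_step5(x, label, X, Y):
    return H(b"H0", label, enc(X), enc(Y), enc(ec_mul(x, Y)))   # K = xY

def run_exchange(now, sensor_clock, replay=False):
    """Constructed run of Steps 2-5: returns (GN accepts Auth_Si, sk of U equals sk of S_i)."""
    k_gn_si = hashlib.sha256(b"GN|S_1|s_GN").digest()   # stands in for H_3(GN, S_i, s_GN)
    label, x = b"session-0001", 0x1234_5678                 # x is fixed here, random in practice
    X, T_GN = ec_mul(x, GEN), now
    auth_gn = H(b"H4", k_gn_si, enc(X), label, ts(T_GN))   # Auth_GN computed by GN in Step 2
    reply = sensor_step3(k_gn_si, label, X, T_GN, auth_gn, sensor_clock)
    if reply is None:
        return False, False
    Y, T_Si, auth_si, sk_sensor = reply
    gn_now = T_Si + DELTA_T + 1 if replay else now + 1      # a replayed message arrives late
    accepted = gateway_step4(k_gn_si, label, X, T_GN, Y, T_Si, auth_si, gn_now)
    return accepted, user_step5(x, label, X, Y) == sk_sensor

def recover_cdh(K, U, V, a0, b0, a1, b1):
    """Exp_3: from K = CDH(a0*U + b0*P, a1*V + b1*P) recover CDH(U, V) = uvP."""
    corr = ec_add(ec_add(ec_mul(a0 * b1, U), ec_mul(a1 * b0, V)), ec_mul(b0 * b1, GEN))
    return ec_mul(pow(a0 * a1 % N_ORDER, -1, N_ORDER), ec_add(K, ec_neg(corr)))

def reduction_holds(u, v, a0, b0, a1, b1):
    """Embed (U, V) = (uP, vP) as the simulator does and check the recovered point is uvP."""
    U, V = ec_mul(u, GEN), ec_mul(v, GEN)
    Y = ec_add(ec_mul(a1, V), ec_mul(b1, GEN))              # X = a0*U + b0*P has x = a0*u + b0
    K = ec_mul((a0 * u + b0) % N_ORDER, Y)                  # the K inside the adversary's H_0 query
    return recover_cdh(K, U, V, a0, b0, a1, b1) == ec_mul(u * v % N_ORDER, GEN)
```

Two points worth noting when running this: the timestamp window is checked before the keyed hash on both sides, so a replayed (S_i, Y, T_Si, Auth_Si) is rejected even though its authenticator is genuine, which is the property Exp_5 and Exp_6 rely on; and `recover_cdh` never needs x or y, only the four blinding scalars and the K that the adversary itself supplies in its H_0 query, which is exactly why the simulator can answer Execute queries without knowing the discrete logarithms of U and V.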

Experiment Exp_4. In this experiment, we begin to deal with the active sessions. For a Send(U, (Y, σ_GN)) query, if the signature σ_GN is a valid signature for this active session, we simply terminate the simulation and let the adversary win. Since the user U is honest in this session, the message (X, T, c_1, s_m, s_a) was generated by the user U. Besides, we have already aborted in Exp_2 the experiments in which a collision occurs in the outputs of the hash functions or in the transcripts, so the signature σ_GN is valid only if it is a signature on the random number r_GN. The adversary wins the game in this experiment if and only if a new signature is forged. The signature scheme used in our protocol is existentially unforgeable against chosen-message attacks, so the advantage of the adversary A in forging a signature on a new random number is negligible. It follows that

$$\left|\mathrm{Adv}_4(\mathcal{A}) - \mathrm{Adv}_3(\mathcal{A})\right| \le \mathrm{negl}(\kappa). \qquad (7)$$

Experiment Exp_5. In this experiment, we continue to deal with the active sessions. For a Send(GN, (S_i, Y, T_Si, Auth_Si)) query, if the sensor node S_i is uncorrupted, the timestamp T_Si is within the transmission delay, and Auth_Si is a valid authenticator, then we simply terminate the simulation and let the adversary win the attack game. Since the sensor node S_i is uncorrupted, the symmetric key K(GN,Si) is unknown to the adversary. Moreover, the timestamp T_Si makes a replay attack impossible. The adversary can only produce a valid authenticator Auth_Si by issuing the query (K(GN,Si), X, Y, T_GN, T_Si, label) to the hash oracle H_5, or by correctly guessing the output of the hash function H_5 without asking the corresponding query. Since K(GN,Si) and Auth_Si are two random values chosen from {0,1}^κ, the success probability of the adversary is negligible. Consequently, we have

$$\left|\mathrm{Adv}_5(\mathcal{A}) - \mathrm{Adv}_4(\mathcal{A})\right| \le \mathrm{negl}(\kappa). \qquad (8)$$

Experiment Exp_6. In this experiment, we deal with the active sessions once again. For a Send(S_i, (label, X, T_GN, Auth_GN)) query, if the timestamp T_GN is within the transmission delay and Auth_GN is a valid authenticator, then we simply terminate the simulation and let the adversary win the attack game. Since the gateway node is not allowed to be corrupted, the symmetric key K(GN,Si) is unknown to the adversary, and the timestamp T_GN ensures that the adversary cannot replay an old authenticator. The adversary can only produce a valid authenticator Auth_GN by issuing the query (K(GN,Si), X, label, T_GN) to the hash oracle H_4, or by correctly guessing the output of the hash function H_4 without asking the corresponding query. Since K(GN,Si) and Auth_GN are two random values chosen from {0,1}^κ, the success probability of the adversary is negligible. As in the previous experiment, we have

$$\left|\mathrm{Adv}_6(\mathcal{A}) - \mathrm{Adv}_5(\mathcal{A})\right| \le \mathrm{negl}(\kappa). \qquad (9)$$

Experiment Exp_7. In this experiment, we change the simulation rule of Send queries for the last time. For a Send(GN, (label, X, T, c_1, s_m, s_a)) query, the gateway node first checks the validity of the credential proof. If the credential proof is valid and the message was forged by the adversary, we terminate the simulation and the adversary is declared successful. However, the success probability of the adversary in producing a fake proof is bounded by the security of the credential presentation of the algebraic MAC. With an analysis similar to [23], we get

$$\left|\mathrm{Adv}_7(\mathcal{A}) - \mathrm{Adv}_6(\mathcal{A})\right| \le \mathrm{negl}(\kappa). \qquad (10)$$

In the last experiment, all the session keys of passive sessions are chosen at random from the key space, and all the active sessions are terminated without accepting. The only way left for the adversary to succeed is to steal the user's terminal and recover the credential by guessing the password. The adversary has to verify the correctness of each recovered credential by executing the protocol, so every password guess costs one Send query. Consequently, with passwords distributed according to Zipf's law [21], we have

$$\mathrm{Adv}_7(\mathcal{A}) \le C' \cdot Q_{\mathrm{send}}^{\,s'}. \qquad (11)$$

5. Performance Analysis

In this section, we evaluate the computation and communication costs and the security attributes of our protocol against other related protocols with user anonymity [16-19]. In terms of computation, let T_M denote the time of one modular exponentiation, T_PM the time of one point multiplication on an elliptic curve, T_H the time of one hash function computation, and T_S the time of one symmetric encryption/decryption operation. According to [24], T_M ≈ 1.169 ms, T_PM ≈ 0.508 ms, T_H ≈ 0.069 ms, and T_S ≈ 0.069 ms. Moreover, we only evaluate the computation cost of the authentication and key exchange phase, because the registration phase is a one-time job. In terms of communication cost, we assume the length of an identity is 32 bits, the security parameter κ is 160 bits, the length of a timestamp is 64 bits, an element of the cyclic group of ECC can be represented with 320 bits, and an element of the cyclic group of RSA can be represented with 1024 bits. We also instantiate the signature scheme using the well-known ECDSA signature scheme [25]. The performance in communication and computation is summarized in Table 2. We can see from Table 2 that our protocol is inefficient in terms of computation, whereas the communication performance of the compared protocols is more or less the same. The computation cost of our protocol mainly arises from the strong user anonymity, i.e., no one except the user knows his real identity in our protocol, while the gateway node knows the user's real identity in the other protocols.

Table 3 summarizes the security properties of the proposed protocol and the related protocols. It can be seen from Table 3 that our protocol provides all the listed security features. Moreover, our protocol is the only one that provides both strong user anonymity and a formal security proof. Considering the computation cost, communication cost, and security attributes as a whole, our protocol outperforms the other protocols. Consequently, the proposed protocol is more suitable for security- and privacy-critical application scenarios in WSNs.


Table 2: Comparisons of computation and communication costs.

Protocol | Computation time of user (ms) | Computation time of gateway (ms) | Computation time of sensor (ms) | Rounds | Bandwidth (bits)
Wu et al.'s [16] | 2T_PM + T_S + 11T_H ≈ 1.04 | 2T_S + 11T_H ≈ 1.04 | 2T_PM + T_S + 4T_H ≈ 1.05 | 4 | 3168
Jiang et al.'s [17] | T_PM + 8T_H ≈ 1.18 | T_PM + 12T_H ≈ 1.19 | 5T_H ≈ 0.04 | 4 | 2689
Wang et al.'s [18] | 2T_PM + 8T_H ≈ 1.04 | 2T_PM + T_S + 11T_H ≈ 1.05 | 2T_PM + T_S + 11T_H ≈ 1.06 | 4 | 3968
Li et al.'s [19] | 2T_PM + 8T_H ≈ 1.05 | T_PM + 9T_H ≈ 0.52 | 4T_H ≈ 0.03 | 4 | 2912
Our protocol | 4T_PM + 4T_H ≈ 2.03 | 4T_PM + 5T_H ≈ 2.03 | 2T_PM + 3T_H ≈ 1.02 | 4 | 2976

Table 3: Comparisons of security features.

Security feature | Wu et al.'s [16] | Jiang et al.'s [17] | Wang et al.'s [18] | Li et al.'s [19] | Our protocol
Replay attack | secure | secure | secure | secure | secure
Privileged insider attack | secure | secure | secure | secure | secure
GW-node impersonation attack | secure | secure | secure | secure | secure
Stolen verifier attack | secure | secure | secure | secure | secure
Off-line dictionary attack | secure | secure | secure | secure | secure
Compromised sensor node attack | secure | secure | secure | secure | secure
Mutual authentication | yes | yes | yes | yes | yes
Session key establishment | yes | yes | yes | yes | yes
Key privacy | yes | no | yes | no | yes
User anonymity | weak | weak | weak | weak | strong
Formal security proof | yes | yes | yes | yes | yes

6. Conclusions

In this paper, we propose an anonymous authentication and key exchange protocol for WSNs. The most attractive property of our protocol is its strong user anonymity, such that no one except the user himself knows his real identity. Besides this, our protocol also enjoys a formal security proof in the random oracle model and efficient communication complexity. The only disadvantage is that it consumes more computation resources. In wireless communication networks, establishing a channel usually consumes more energy than computation does; as a result, the heavy computation cost is not a serious problem. Due to its high security and strong anonymity, our protocol is very suitable for security- and privacy-critical application scenarios in WSNs.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the Funding of Science and Technology on Information Assurance Laboratory (no. KJ-17-001) and the Key Scientific and Technological Project of Henan Province (no. 122102210126).


References

[1] Y. Liu, W. Guo, C. Fan, L. Chang, and C. Cheng, "A practical privacy-preserving data aggregation (3PDA) scheme for smart grid," IEEE Transactions on Industrial Informatics, pp. 1-1, 2018.

[2] D. He, N. Kumar, H. Wang, L. Wang, K. R. Choo, and A. Vinel, "A Provably-Secure Cross-Domain Handshake Scheme with Symptoms-Matching for Mobile Healthcare Social Network," IEEE Transactions on Dependable and Secure Computing, pp. 1-1, 2016.

[3] J. Shen, T. Zhou, D. He, Y. Zhang, X. Sun, and Y. Xiang, "Block design-based key agreement for group data sharing in cloud computing," IEEE Transactions on Dependable and Secure Computing, vol. PP, no. 99, 2017.

[4] J. Shen, J. Shen, X. Chen, X. Huang, and W. Susilo, "An efficient public auditing protocol with novel dynamic structure for cloud data," IEEE Transactions on Information Forensics and Security, vol. 12, no. 10, pp. 2402-2415, 2017.

[5] D. He, S. Zeadally, and L. Wu, "Certificateless public auditing scheme for cloud-assisted wireless body area networks," IEEE Systems Journal, vol. 12, no. 1, pp. 64-73, 2018.

[6] Q. Jiang, Z. Chen, B. Li et al., "Security analysis and improvement of bio-hashing based three-factor authentication scheme for telecare medical information systems," Journal of Ambient Intelligence and Humanized Computing, 2017.

[7] Q. Jiang, J. Ma, C. Yang, X. Ma, J. Shen, and S. A. Chaudhry, "Efficient end-to-end authentication protocol for wearable health monitoring systems," Computers and Electrical Engineering, 2017.

[8] M. L. Das, "Two-factor user authentication in wireless sensor networks," IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1086-1090, 2009.

[9] M. K. Khan and K. Alghathbar, "Cryptanalysis and security improvements of 'two-factor user authentication in wireless sensor networks'," Sensors, vol. 10, no. 3, pp. 2450-2459, 2010.

[10] H.-L. Yeh, T.-H. Chen, P.-C. Liu, T.-H. Kim, and H.-W. Wei, "A secured authentication protocol for wireless sensor networks using Elliptic Curves Cryptography," Sensors, vol. 11, no. 5, pp. 4767-4779, 2011.

[11] K. Xue, C. Ma, P. Hong, and R. Ding, "A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks," Journal of Network and Computer Applications, vol. 36, no. 1, pp. 316-323, 2013.

[12] D. He, N. Kumar, H. Shen, and J.-H. Lee, "One-to-many authentication for access control in mobile pay-TV systems," Science China Information Sciences, vol. 59, no. 5, pp. 1-14, 2016.

[13] J.-J. Yuan, "An enhanced two-factor user authentication in wireless sensor networks," Telecommunication Systems, vol. 55, no. 1, pp. 105-113, 2014.

[14] D. Wang and P. Wang, "Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks," Ad Hoc Networks, vol. 20, pp. 1-15, 2014.

[15] J. Shen, S. Chang, J. Shen, Q. Liu, and X. Sun, "A lightweight multi-layer authentication protocol for wireless body area networks," Future Generation Computer Systems, vol. 78, no. 3, pp. 956-963, 2018.

[16] F. Wu, L. Xu, S. Kumari, and X. Li, "A new and secure authentication scheme for wireless sensor networks with formal proof," Peer-to-Peer Networking and Applications, vol. 10, no. 1, pp. 16-30, 2017.

[17] Q. Jiang, S. Zeadally, J. Ma, and D. He, "Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks," IEEE Access, vol. 5, pp. 3376-3392, 2017.

[18] C. Wang, G. Xu, and J. Sun, "An enhanced three-factor user authentication scheme using elliptic curve cryptosystem for wireless sensor networks," Sensors, vol. 17, no. 12, article no. 2946, 2017.

[19] X. Li, J. Niu, S. Kumari, F. Wu, A. K. Sangaiah, and K. R. Choo, "A three-factor anonymous authentication scheme for wireless sensor networks in internet of things environments," Journal of Network and Computer Applications, vol. 103, pp. 194-204, 2018.

[20] C. Wang, D. Wang, G. Xu, and Y. Guo, "A lightweight password-based authentication protocol using smart card," International Journal of Communication Systems, vol. 30, no. 16, pp. 1-11, 2017.

[21] D. Wang, H. Cheng, P. Wang et al., "Zipf's law in passwords," IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, pp. 2776-2791, 2017.

[22] F. Wei, P. Vijayakumar, J. Shen, R. Zhang, and L. Li, "A provably secure password-based anonymous authentication scheme for wireless body area networks," Computers and Electrical Engineering, 2017.

[23] Z. Zhang, K. Yang, X. Hu, and Y. Wang, "Practical anonymous password authentication and TLS with anonymous client authentication," in Proceedings of the 23rd ACM Conference on Computer and Communications Security (CCS 2016), pp. 1179-1191, October 2016.

[24] D. Wang and P. Wang, "Two birds with one stone: two-factor authentication with security beyond conventional bound," IEEE Transactions on Dependable and Secure Computing, 2016.

[25] C. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, no. 3, pp. 161-174, 1991.


Page 2: A Provably Secure Anonymous Authenticated Key Exchange … (downloads.hindawi.com/journals/wcmc/2018/2484268.pdf, 2019-07-30)


an improved protocol to fix the weaknesses of the original protocol. In 2011, Yeh et al. [10] pointed out several weaknesses of Das's protocol. They also designed an ECC-based authentication protocol to meet the needs of applications with higher security requirements. In 2013, Xue et al. [11] proposed a temporal-credential-based mutual authentication scheme among the user, the gateway node, and the sensor node. A credential is issued by the gateway node to each user for authentication. Their protocol only involves lightweight operations such as XOR and hash and is suitable for resource-constrained WSNs. Nevertheless, He et al. [12] soon pointed out that Xue et al.'s protocol is vulnerable to the offline password guessing attack, the user impersonation attack, the sensor node impersonation attack, and the modification attack. They also proposed an improved temporal-credential-based protocol to remedy the weaknesses. Yuan et al. [13] proposed an authentication scheme for WSNs based on public key mechanisms and biometric characteristics of the user to realize strong authentication. In 2014, Wang et al. [14] analyzed two authentication schemes for WSNs and demonstrated several loopholes. They also investigated the underlying rationale of the security failures and put forward three basic principles for designing secure authentication protocols in WSNs. In 2016, Shen et al. [15] proposed an efficient multilayer authentication protocol and a secure session key generation method for WSNs. They also designed a one-to-many group authentication protocol and a certificateless authentication protocol, which is of independent interest.

Recently, researchers have begun to focus on users' privacy protection in WSNs. Wu et al. [16] proposed an anonymous authentication scheme based on ECC for WSNs with a formal security proof. Jiang et al. [17] designed an anonymous lightweight three-factor authentication scheme for WSNs; the security of their protocol is verified using ProVerif. Wang et al. [20] put forward a new authentication scheme for WSNs which can resist all known attacks; moreover, they explore the design principles of authentication schemes. They also designed a biometric-based authentication scheme and proved its security using the Burrows-Abadi-Needham (BAN) logic [18]. Li et al. [19] proposed a three-factor anonymous authentication scheme for WSNs; they use fuzzy commitment to deal with the user's biometric template.

1.3. Motivation and Contribution. Until now, many authentication protocols have been designed to protect security and privacy when accessing real-time data in WSNs. However, some problems remain unsolved. Firstly, most of these protocols only have informal, heuristic security arguments. It is quite common that a protocol claimed to be secure is soon found to be vulnerable to several attacks; what is worse, the improved protocol still has many vulnerabilities. Secondly, the existing protocols pay little attention to users' privacy. Only a few protocols provide user anonymity, and these protocols only achieve weak anonymity, i.e., the real identity is hidden from an adversary but is known to the gateway node, and sometimes even the sensor node knows the real identity of the user. Last but not least, the existing protocols rely on efficient XOR, symmetric encryption, and hash operations to provide better efficiency. Although these protocols can meet the constrained storage, computation, and communication capabilities of sensor nodes, they fail to provide strong security guarantees. For security-critical applications such as battlefield surveillance, security and privacy are more important than computation and communication efficiency.

In this paper, we investigate the design of an anonymous and strongly secure authenticated key exchange protocol for WSNs. We propose an efficient authenticated key exchange protocol for the scenario in which the user wants to access real-time data directly from the sensor node. The novel protocol has the following advantages. First of all, our protocol enjoys a formal security proof in a well-defined security model; the proof is conducted in the random oracle model under the CDH assumption. Second, our protocol provides the strongest anonymity, in the sense that the real identity of the user is known only to the user himself: neither the gateway node nor the sensor node can obtain any information about the user's identity, let alone the adversary. Thirdly, our protocol achieves more security attributes than other related protocols. Consequently, it is more secure than the related protocols and is particularly suitable for security-critical applications in WSNs. The only disadvantage is that it needs more computation resources. However, security and privacy are more important than computation efficiency in security-critical applications, so our protocol is suitable for such applications in WSNs.

The rest of the paper is organized as follows. In Section 2, we present the security model and some preliminaries. We describe the details of the proposed protocol in Section 3. The security proof is given in the random oracle model in Section 4. The performance comparison with other related protocols is summarized in Section 5. We conclude this paper in Section 6.

2. Security Model

In this section, we briefly recall the security model presented in [21, 22]. The security of our protocol will be analyzed in this formal security model.

Protocol Participants. The participants of an authentication and key exchange protocol for real-time data retrieval in WSNs are users U, a gateway node GN, and sensor nodes S_i. Each user U registers with the gateway node, and each sensor node S_i shares a common secret key with the gateway node.

Protocol Execution. All the participants are modeled as PPT Turing machines. The i-th instance of a participant P is denoted by P^i. All the communication channels are controlled by a probabilistic polynomial-time adversary A. The adversary A can intercept, delay, modify, and even forge a message at will. The capabilities of the adversary are captured through oracle queries. The adversary can make the following oracle queries:

(i) Execute(U^x, GN^y, S_i^z): the Execute query captures the passive eavesdropping ability of A. In reply to this query, A gets all the transcripts of the authentication instance executed among a user instance U^x, a gateway node instance GN^y, and a sensor node instance S_i^z.

(ii) Send(P^i, m): the Send query captures the active attack ability of A. Through the Send(P^i, m) query, A sends a modified or forged message m to instance P^i in the name of another participant instance. A gets the message generated by the participant instance P^i upon receiving the message m, according to the description of the protocol. The participant P can be a user, a gateway node, or a sensor node.

(iii) Corrupt(U, PW): this query captures the compromise of the user's password. The adversary A only gets the password of the victim user; it can neither control the terminal nor compromise the credential of the user.

(iv) Corrupt(U, cred): this query captures the compromise of the user's terminal. The adversary A can extract the credential issued by the gateway node and control the victim user's terminal. However, the password of the user is still unknown to A.

(v) Corrupt(S_i): this query captures the compromise of a sensor node S_i. The adversary A gets the secret key and controls the sensor node through this query.

(vi) Reveal(P^i): this query can only be asked of a user instance or a sensor node instance. If the instance P^i has accepted the session and generated a session key, A gets the session key. Otherwise, A gets the symbol ⊥, which means the instance P^i does not hold a session key.

(vii) Test(P^i): this query does not capture any real attack ability of A but is used to measure the security of the session key held by instance P^i. Upon receiving this query, the simulator flips a coin b. If the result is 1, it returns the real session key to A. If the result is 0, the simulator sends A a random session key of the same length as the real session key. A has to distinguish whether the key is real or random; in other words, A has to guess the coin flip result.

The session identification ($sid$) is defined as the transcripts shared between a user instance and a sensor node instance. The partner identification ($pid$) of an instance is the participant with whom the instance wants to establish a common session key. We say that a user instance $U^x$ and a sensor node instance $S_i^z$ are partners if the following conditions hold: (1) both instances accept and generate the same session key; (2) both instances share the same $sid$; (3) the $pid$ of $U^x$ is $S_i$ and the $pid$ of $S_i^z$ is $U$; and (4) no other instance accepts with the same $sid$ as $U^x$ and $S_i^z$.

If the adversary $\mathcal{A}$ asks both $Corrupt(U, cred)$ and $Corrupt(U, PW)$, the user $U$ is said to be fully corrupted. When defining the AKE security of the session key we do not consider corruption of the gateway node: once the gateway node is corrupted, nothing can guarantee the security of the protocol. A user instance or a sensor node instance $P^i$ is said to be fresh if (1) $\mathcal{A}$ has not sent $Reveal$ queries to the instance or to its partner, and (2) the user or the sensor node is not fully corrupted by $\mathcal{A}$.

AKE Security. The security of the session keys is captured by AKE security. The adversary $\mathcal{A}$ may only ask $Test$ queries of fresh instances, since otherwise $\mathcal{A}$ can trivially win the attack game. $\mathcal{A}$ is given access to all the oracle queries; the only restriction is that $\mathcal{A}$ may ask a single $Test$ query of a fresh instance. $\mathcal{A}$ has to guess the hidden bit $b$ used by the simulator when answering the $Test$ query. If $\mathcal{A}$ guesses the bit correctly, we say that $\mathcal{A}$ wins the AKE security game; we denote this event by $Succ$. For the distribution of the passwords we use the Zipf's law put forward by Wang et al. [21] instead of assuming a uniform distribution. The advantage of $\mathcal{A}$ in attacking the AKE security of a protocol $\mathcal{P}$, when passwords are chosen according to the Zipf's law of a dictionary $D$, is defined as

$Adv^{ake}_{\mathcal{P},D}(\mathcal{A}) = 2 \cdot \Pr[Succ] - 1.$ (1)

An authentication and key exchange protocol $\mathcal{P}$ is said to be AKE secure if for every PPT adversary $\mathcal{A}$ the advantage $Adv^{ake}_{\mathcal{P},D}(\mathcal{A})$ is only negligibly larger than $C' \cdot q_{send}^{s'}$, where $C'$ and $s'$ are the Zipf parameters and $q_{send}$ is the number of active attack sessions. $C'$ and $s'$ are constants that depend on the password data set and can be obtained by linear regression.

3. Description of the Protocol

In this section we describe the proposed anonymous authenticated key exchange protocol based on ECC for WSNs. The most important benefit of ECC is that it provides the same level of security with a smaller key size than other public-key mechanisms such as RSA, which suits the resource-constrained nature of a WSN. Our protocol has three phases: the setup phase, the registration phase, and the authentication and key exchange phase. The detailed steps of each phase are described in the following. The symbols used in this paper are summarized in Table 1.

3.1. The Setup Phase. Let $p$ be a large prime and $F_p$ the finite field of order $p$. Let $E$ be an elliptic curve over $F_p$ given by the equation $y^2 = (x^3 + ax + b) \bmod p$ with $a, b \in F_p$ and $(4a^3 + 27b^2) \bmod p \neq 0$. The set of rational points of $E$ over $F_p$ is denoted by $E(F_p)$; more precisely, $E(F_p) = \{(x, y) : x, y \in F_p,\ y^2 = (x^3 + ax + b) \bmod p\} \cup \{O\}$, where $O$ is the point at infinity. Let $G$ be the cyclic group generated by $P$, where $P \in E(F_p)$ has large prime order $n$. The parameters $(F_p, E, E(F_p), G, P)$ are the system parameters and can be chosen by a trusted third party or by the gateway node. The gateway node ($GN$) chooses a random number $s_{GN} \in Z_n^*$ as its private key and computes the corresponding public key $Q_{GN} = s_{GN}P$, which is published in the whole network. Six hash functions are defined: $H_1: \{0,1\}^* \rightarrow Z_n^*$, $H_2: \{0,1\}^* \rightarrow G^*$, and $H_0, H_3, H_4, H_5: \{0,1\}^* \rightarrow \{0,1\}^\kappa$, where $\kappa$ is the security parameter. All these parameters $(F_p, E, E(F_p), G, P, Q_{GN}, H_i\ (i = 0, 1, \ldots, 5))$ are available to every entity in the WSN.

Table 1: Notations

$ID_{GN}$          identity of the gateway node (written $ID_{GW}$ in some places)
$ID_U$             identity of the user $U$
$ID_{S_i}$         identity of the sensor node $S_i$
$p, n$             large prime numbers
$F_p$              a finite field
$E$                an elliptic curve defined over $F_p$
$E(F_p)$           the set of rational points of $E$
$s_{GN}$           secret key of the gateway node
$PW_U$             the password of the user $U$
$\oplus$           exclusive OR
$\|$               concatenation
$h(m)$             cryptographic hash of message $m$
$sign_{s_{GN}}(m)$ signature of $m$ signed with $s_{GN}$
$T_{GN}, T_{S_i}$  timestamps of $GN$ and $S_i$

[Figure 1: Registration phase of mobile user. $U$ chooses $ID_U$ and a random password $PW_U$ and sends $ID_U$ to $GN$; $GN$ computes $\sigma = (1/(s_{GN} + H_1(ID_U)))P$, picks $r \in Z_n^*$, sets $R_1 = r\sigma$, $R_2 = rP$, $c = H_1(P, Q_{GN}, H_1(ID_U), \sigma, R_1, R_2)$, $s = (r + c\,s_{GN}) \bmod n$ and returns $(\sigma, c, s)$; $U$ recomputes $R_1^* = (s + cH_1(ID_U))\sigma - cP$, $R_2^* = sP - cQ_{GN}$, checks $c^* = c$, and stores $cred = \sigma + H_2(PW_U)$ in the terminal.]

3.2. The Registration Phase. If a user $U$ wants to access the data collected by the sensor nodes of the WSN, $U$ has to register with the gateway node. For a pictorial illustration of the user registration see Figure 1. The detailed steps are as follows.

Step 1. The user $U$ chooses an identity $ID_U$ and a password $PW_U$ from the password dictionary. $U$ sends the identity $ID_U$ to the gateway node $GN$ through a secure channel.

Step 2. When the gateway node $GN$ receives the registration request, it verifies the validity of the identity $ID_U$. If it is valid and no other user in its database is registered under the same identity, $GN$ first computes the credential $\sigma = (1/(s_{GN} + H_1(ID_U)))P$. Then $GN$ chooses a random number $r \in Z_n^*$ and computes $R_1 = r\sigma$, $R_2 = rP$, $c = H_1(P, Q_{GN}, H_1(ID_U), \sigma, R_1, R_2)$ and $s = (r + c\,s_{GN}) \bmod n$. Finally, $GN$ sends the registration message $(\sigma, c, s)$ to the user $U$ through a secure channel.

Step 3. When the user $U$ receives the registration message $(\sigma, c, s)$ from $GN$, $U$ verifies it: $U$ computes $R_1^* = (s + cH_1(ID_U))\sigma - cP$, $R_2^* = sP - cQ_{GN}$ and $c^* = H_1(P, Q_{GN}, H_1(ID_U), \sigma, R_1^*, R_2^*)$, and checks whether $c^*$ equals $c$. If the check succeeds, $U$ accepts $\sigma$ as a valid credential. Finally, $U$ computes $cred = \sigma + H_2(PW_U)$ and stores the password-protected credential $cred$ in the terminal.
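Why the check in Step 3 accepts an honestly issued credential (derivation added here in the page's own symbols; it is not part of the original text):

$$
\begin{aligned}
R_1^* &= (s + cH_1(ID_U))\,\sigma - cP = (r + c\,s_{GN} + cH_1(ID_U))\,\sigma - cP \\
      &= r\sigma + c\,(s_{GN} + H_1(ID_U))\,\sigma - cP = r\sigma + cP - cP = R_1, \\
R_2^* &= sP - cQ_{GN} = (r + c\,s_{GN})P - c\,s_{GN}P = rP = R_2,
\end{aligned}
$$

using $(s_{GN} + H_1(ID_U))\,\sigma = P$, which holds by construction of $\sigma$. Hence $c^* = c$. The pair $(c, s)$ is a Schnorr-style proof that one and the same $s_{GN}$ satisfies $s_{GN}P = Q_{GN}$ and $s_{GN}\sigma = P - H_1(ID_U)\sigma$, so a $\sigma$ not formed with the private key behind $Q_{GN}$ passes the check only with negligible probability.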

The registration of a sensor node is much simpler than the user registration. The sensor node $S_i$ sends a registration request to the gateway node $GN$ through a secure channel. Upon receiving the request, $GN$ computes the symmetric key $K_{(GN,S_i)} = H_3(GN, S_i, s_{GN})$ and sends it to $S_i$ through a secure channel.

3.3. The Authentication and Key Exchange Phase. Suppose a user $U$ wants to obtain real-time data from the sensor node $S_i$. $U$ has to execute the authentication and key exchange phase with the gateway node $GN$ and the sensor node $S_i$. During this phase the user $U$, the gateway node $GN$ and the sensor node $S_i$ authenticate each other, and at the end of the phase a session key is established between $U$ and $S_i$ to protect the upcoming data transmission. The detailed steps of the authentication and key exchange phase are described below; for a pictorial illustration see Figure 2.

[Figure 2: Authentication and key exchange phase. The four messages are (1) $U \rightarrow GN$: $(label, X, T, c_1, s_m, s_a)$; (2) $GN \rightarrow S_i$: $(label, X, T_{GN}, Auth_{GN})$; (3) $S_i \rightarrow GN$: $(S_i, Y, T_{S_i}, Auth_{S_i})$; (4) $GN \rightarrow U$: $(Y, \sigma_{GN})$. The computations of each party are given in Steps 1 to 5 below.]

Step 1. The user $U$ types the password $PW_U$ into the terminal. The terminal computes $H_2(PW_U)$ and recovers the credential $\sigma = cred - H_2(PW_U)$. $U$ then chooses a random number $x \in Z_n^*$, computes $X = xP$, and defines the label of this session as $label = (ID_{GN}, ID_{S_i})$. $U$ chooses three random numbers $a, r_m, r_a \in Z_n^*$ and computes $T = a\sigma$, $R_3 = r_aP - r_mT$, $c_1 = H_1(P, T, R_3, X, label)$, $s_m = (r_m + c_1H_1(ID_U)) \bmod n$ and $s_a = (r_a + c_1a) \bmod n$. Finally, $U$ sends the message $(label, X, T, c_1, s_m, s_a)$ to the gateway node $GN$.

Step 2. Upon receiving the message $(label, X, T, c_1, s_m, s_a)$ from the user, $GN$ authenticates $U$: it computes $V = s_{GN}T$, $R_3^* = s_aP - c_1V - s_mT$ and $c_1^* = H_1(P, T, R_3^*, X, label)$, and checks whether $c_1^*$ equals $c_1$. If the check succeeds, $GN$ accepts $U$ as a valid user. $GN$ then computes the key shared with the sensor node, $K_{(GN,S_i)} = H_3(GN, S_i, s_{GN})$, and the authenticator $Auth_{GN} = H_4(K_{(GN,S_i)}, X, label, T_{GN})$, where $T_{GN}$ is the current timestamp of $GN$. Finally, $GN$ sends the message $(label, X, T_{GN}, Auth_{GN})$ to the sensor node $S_i$.
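Why the check in Step 2 passes for a registered user, and why it reveals nothing about that user (derivation added here in the page's own symbols; not part of the original text). With $T = a\sigma$ and $V = s_{GN}T = a\,s_{GN}\sigma$,

$$
\begin{aligned}
R_3^* &= s_aP - c_1V - s_mT
       = (r_a + c_1a)P - c_1a\,s_{GN}\sigma - (r_m + c_1H_1(ID_U))\,a\sigma \\
      &= r_aP - r_mT + c_1a\,\bigl(P - (s_{GN} + H_1(ID_U))\,\sigma\bigr)
       = r_aP - r_mT = R_3,
\end{aligned}
$$

because $(s_{GN} + H_1(ID_U))\,\sigma = P$ for a credential issued in Section 3.2, so $c_1^* = c_1$. $GN$ never sees $ID_U$ or $\sigma$ itself: $T$ is a fresh random multiple of $\sigma$, and $s_m$, $s_a$ are blinded by the one-time values $r_m$, $r_a$. This is the source of the strong user anonymity claimed for the protocol.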

Step 3. Upon receiving the message $(label, X, T_{GN}, Auth_{GN})$ from $GN$ at time $T^*_{GN}$, the sensor node $S_i$ first checks whether $|T^*_{GN} - T_{GN}| \le \Delta T$, where $\Delta T$ is the expected transmission delay. If so, $S_i$ verifies the authenticator $Auth_{GN}$ using its key $K_{(GN,S_i)}$. If the authenticator is valid, $S_i$ chooses a random number $y \in Z_n^*$ and computes $Y = yP$. $S_i$ then computes the authenticator $Auth_{S_i} = H_5(K_{(GN,S_i)}, X, Y, T_{GN}, T_{S_i}, label)$, where $T_{S_i}$ is the current timestamp of $S_i$, the Diffie-Hellman key $K = yX$ and the session key $sk = H_0(label, X, Y, K)$. Finally, $S_i$ sends the message $(S_i, Y, T_{S_i}, Auth_{S_i})$ to the gateway node $GN$.

Step 4. Upon receiving the message $(S_i, Y, T_{S_i}, Auth_{S_i})$ from $S_i$ at time $T^*_{S_i}$, $GN$ first checks whether $|T^*_{S_i} - T_{S_i}| \le \Delta T$. If so, $GN$ computes the key shared with the sensor node, $K_{(GN,S_i)} = H_3(GN, S_i, s_{GN})$, and verifies the authenticator $Auth_{S_i}$. If the verification succeeds, $GN$ computes $r_{GN} = H_1(label, X, T, c_1, s_m, s_a, Y)$ and signs $r_{GN}$ with its private key $s_{GN}$; the signature is denoted by $\sigma_{GN}$. Finally, $GN$ sends the message $(Y, \sigma_{GN})$ to the user $U$.

Step 5. Upon receiving the message $(Y, \sigma_{GN})$ from $GN$, $U$ first verifies the signature: $U$ computes $r^*_{GN} = H_1(label, X, T, c_1, s_m, s_a, Y)$ and checks that $\sigma_{GN}$ is a valid signature on $r^*_{GN}$ by $GN$. If the verification succeeds, $U$ computes the Diffie-Hellman key $K = xY$ and the session key $sk = H_0(label, X, Y, K)$. $U$ then accepts the session and waits for the upcoming communication.
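An end-to-end run of the registration phase (Section 3.2) and of Steps 1 to 5 of the authentication and key exchange phase (Section 3.3), added here as an example; it is not the authors' code. It assumes secp256k1 as the curve (the paper fixes none), SHA-256 with domain tags for $H_0$ and $H_3$ to $H_5$, $H_2(m) = H_1(m)P$ as the hash into $G^*$, a Schnorr signature over the same curve in place of the ECDSA instantiation mentioned in Section 5, and constructed identities, password and timestamps. The second function shows what an adversary who has only $Corrupt(U, cred)$ faces: a wrong password guess recovers a random point instead of $\sigma$, so the proof in Step 2 fails and every guess costs one on-line run.

```python
# Added example, not the paper's code. Assumptions: secp256k1, SHA-256 hashes,
# H_2(m) = H_1(m)P, Schnorr instead of ECDSA, integer timestamps, constructed inputs.
import hashlib, secrets

p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):                       # affine point addition on y^2 = x^3 + 7; None is O
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0: return None
    if A == B: lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, p) % p
    else:      lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, p) % p
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)

def mul(k, A):                       # double-and-add scalar multiplication kA
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def sub(A, B): return add(A, (B[0], -B[1] % p))
def rnd(): return secrets.randbelow(n - 1) + 1            # uniform element of Z_n^*

def enc(v):                          # canonical bytes for points, integers, strings, tuples
    if isinstance(v, tuple): return b"".join(enc(i) for i in v)
    if isinstance(v, int): return v.to_bytes(32, "big")
    return v if isinstance(v, bytes) else v.encode()
def Hk(tag, *items):                 # H_0, H_3, H_4, H_5: {0,1}^* -> {0,1}^256, separated by tag
    return hashlib.sha256(tag.encode() + b"".join(enc(i) for i in items)).digest()
def H1(*items): return int.from_bytes(Hk("H1", *items), "big") % (n - 1) + 1   # into Z_n^*
def H2(*items): return mul(H1("H2", *items), P)                                # into G^*

def gn_issue_credential(s_GN, ID_U):             # Section 3.2, Step 2
    Q_GN, h = mul(s_GN, P), H1(ID_U)
    sigma = mul(pow((s_GN + h) % n, -1, n), P)   # sigma = (1 / (s_GN + H_1(ID_U))) P
    r = rnd()
    c = H1(P, Q_GN, h, sigma, mul(r, sigma), mul(r, P))
    return sigma, c, (r + c * s_GN) % n

def user_check_credential(Q_GN, ID_U, sigma, c, s):   # Section 3.2, Step 3
    h = H1(ID_U)
    R1 = sub(mul((s + c * h) % n, sigma), mul(c, P))   # equals r*sigma for an honest GN
    R2 = sub(mul(s, P), mul(c, Q_GN))                  # equals r*P
    return H1(P, Q_GN, h, sigma, R1, R2) == c

def user_step1(ID_U, sigma, label):              # proof of credential possession, ID_U hidden
    x, a, r_m, r_a = rnd(), rnd(), rnd(), rnd()
    X, T = mul(x, P), mul(a, sigma)              # T = a*sigma blinds the credential
    R3 = sub(mul(r_a, P), mul(r_m, T))
    c1 = H1(P, T, R3, X, label)
    s_m, s_a = (r_m + c1 * H1(ID_U)) % n, (r_a + c1 * a) % n
    return x, (label, X, T, c1, s_m, s_a)

def gn_step2(s_GN, msg1):                        # GN learns only that some registered user spoke
    label, X, T, c1, s_m, s_a = msg1
    R3 = sub(sub(mul(s_a, P), mul(c1, mul(s_GN, T))), mul(s_m, T))
    return H1(P, T, R3, X, label) == c1

def schnorr_sign(s_GN, m):
    k = rnd(); R = mul(k, P)
    return R, (k + H1(R, m) * s_GN) % n
def schnorr_verify(Q_GN, m, sig):
    R, z = sig
    return mul(z, P) == add(R, mul(H1(R, m), Q_GN))

def run_protocol(ID_U="alice", PW_U=b"correct horse", ID_S="S_7", DT=5):
    s_GN = rnd(); Q_GN = mul(s_GN, P)
    sigma, c, s = gn_issue_credential(s_GN, ID_U)            # registration over a secure channel
    if not user_check_credential(Q_GN, ID_U, sigma, c, s): return None
    cred = add(sigma, H2(PW_U))                              # password-protected credential
    K_GNS = Hk("H3", "GN", ID_S, s_GN)                       # sensor's symmetric key
    label = ("GN", ID_S)
    x, msg1 = user_step1(ID_U, sub(cred, H2(PW_U)), label)   # Step 1: terminal recovers sigma
    if not gn_step2(s_GN, msg1): return None                 # Step 2
    _, X, T, c1, s_m, s_a = msg1
    T_GN = 1000; Auth_GN = Hk("H4", K_GNS, X, label, T_GN)
    if abs(1002 - T_GN) > DT or Auth_GN != Hk("H4", K_GNS, X, label, T_GN): return None  # Step 3
    y = rnd(); Y = mul(y, P); T_S = 1003
    Auth_S = Hk("H5", K_GNS, X, Y, T_GN, T_S, label)
    sk_S = Hk("H0", label, X, Y, mul(y, X))
    if abs(1004 - T_S) > DT or Auth_S != Hk("H5", K_GNS, X, Y, T_GN, T_S, label): return None  # Step 4
    sigma_GN = schnorr_sign(s_GN, H1(label, X, T, c1, s_m, s_a, Y))
    if not schnorr_verify(Q_GN, H1(label, X, T, c1, s_m, s_a, Y), sigma_GN): return None  # Step 5
    return Hk("H0", label, X, Y, mul(x, Y)) == sk_S           # both sides derive the same sk

def wrong_password_rejected(ID_U="alice", PW_U=b"correct horse"):
    s_GN = rnd()
    sigma, _, _ = gn_issue_credential(s_GN, ID_U)
    cred = add(sigma, H2(PW_U))                              # what Corrupt(U, cred) hands over
    _, msg1 = user_step1(ID_U, sub(cred, H2(b"wrong guess")), ("GN", "S_7"))
    return not gn_step2(s_GN, msg1)        # a wrong guess yields a random point, not sigma
```

Both `run_protocol()` and `wrong_password_rejected()` return `True` on a successful run. The pure-Python curve arithmetic is for illustration only; a deployment would use a constant-time library, and the timestamp windows are fixed integers here rather than clock readings.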

4. Security Proof

In this section we present the security proof of our protocol. The proof is conducted in the security model presented in Section 2.

Theorem 1. Let $\mathcal{P}$ be the anonymous authentication and key exchange protocol for WSNs described in the previous section, and let $\mathcal{A}$ be a PPT adversary against the AKE security of $\mathcal{P}$ that runs in time $t$ and makes at most $Q_{send}$ queries to the Send oracle to different instances. If the signature scheme used in our protocol is existentially unforgeable under adaptive chosen-message attacks, and the hash functions $H_i(\cdot)$ ($i = 0, 1, \ldots, 5$) are modeled as random oracles, then under the CDH assumption the advantage of $\mathcal{A}$ in violating the AKE security of $\mathcal{P}$ is at most

$Adv^{ake}_{\mathcal{P},D}(\mathcal{A}) \le C' \cdot Q_{send}^{s'} + negl(\kappa).$ (2)

Proof. We prove Theorem 1 with the hybrid experiment technique. The hybrid experiments start from the real attack scenario, and in each experiment we gradually change the simulation rules. In the last experiment the advantage of the adversary in distinguishing the session key is negligible. By bounding the difference in advantage between consecutive experiments, the advantage of the adversary in breaking the AKE security can be computed. We denote the adversary's advantage in hybrid $Exp_i$ by $Adv_i(\mathcal{A})$.

Experiment $Exp_0$. This is the real attack scenario defined in the security model; the adversary has access to all the oracles. By the definition of $\mathcal{A}$'s advantage,

$Adv^{ake}_{\mathcal{P},D}(\mathcal{A}) = Adv_0(\mathcal{A}).$ (3)

Experiment $Exp_1$. In this experiment we simulate all the hash functions $H_i(\cdot)$ ($i = 0, 1, \ldots, 5$) by maintaining hash lists $\Lambda_{H_i}$ ($i = 0, 1, \ldots, 5$) with the following rules.

(i) On a query $H_i(m)$, if a record $(i, m, r)$ exists in $\Lambda_{H_i}$, return $r$. Otherwise the output $r$ is chosen according to the rule $Rule_{H_i}$:
    if $i = 1$, choose a random element $r$ from $Z_n^*$ and add the record $(1, m, r)$ to $\Lambda_{H_1}$;
    if $i = 2$, choose a random element $r$ from $G$ and add the record $(2, m, r)$ to $\Lambda_{H_2}$;
    if $i \in \{0, 3, 4, 5\}$, choose a random element $r$ from $\{0,1\}^\kappa$ and add the record $(i, m, r)$ to $\Lambda_{H_i}$.

In addition to these lists we also simulate six private hash oracles $H'_i$ ($i = 0, 1, \ldots, 5$) by maintaining hash lists $\Lambda'_{H_i}$ ($i = 0, 1, \ldots, 5$); the private oracles are used in the following hybrid experiments. It is well known that a hash function can be simulated perfectly in PPT time with the above rules, thus

$|Adv_1(\mathcal{A}) - Adv_0(\mathcal{A})| \le negl(\kappa).$ (4)

Experiment $Exp_2$. In this experiment we abort sessions in which some unlikely collision occurs. More precisely, if a collision occurs in the simulation of the hash functions or on the transcripts $(X, Y, T, c_1, s_m, s_a, \sigma_{GN})$, we terminate the session and let the adversary win. By the birthday paradox,

$|Adv_2(\mathcal{A}) - Adv_1(\mathcal{A})| \le negl(\kappa).$ (5)

Experiment $Exp_3$. In this experiment we modify the simulation of sessions created by $Execute$ queries. Whenever the session key of a passive session has to be computed, we use the private hash oracle $H'_0$ instead of $H_0$, and the Diffie-Hellman key $K$ is no longer used as an input: the session key of a passive session is computed as $sk = H'_0(label, X, Y)$. The adversary can distinguish $Exp_3$ from $Exp_2$ if and only if it sends a hash query $(label, X, Y, K)$ to the oracle $H_0$ in which $X, Y$ were generated in a passive session and $K = CDH(X, Y)$. If the adversary can issue such a query, we can use it to solve the CDH problem.

Given a CDH instance $(U, V)$, we embed the instance into all passive sessions using the random self-reducibility of the CDH problem. For each passive session we choose four random numbers $a_0, b_0, a_1, b_1 \in Z_n^*$ and set $X = a_0U + b_0P$ and $Y = a_1V + b_1P$ when simulating the transcripts. All other transcripts are simulated as usual up to the computation of the session key, which is set to $sk = H'_0(label, X, Y)$. If the adversary can distinguish this experiment from the previous one, a query $(label, X, Y, K)$ must have been issued to $H_0$. We then compute the Diffie-Hellman value of $(U, V)$ by selecting a random record $(0, (label, X, Y, K), r)$ in $\Lambda_{H_0}$ and computing $(K - a_0b_1U - a_1b_0V - b_0b_1P)/(a_0a_1)$.
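Why the extraction formula returns $CDH(U, V)$ (worked derivation added here, not part of the original text). Write $U = uP$ and $V = vP$, so that $X = (a_0u + b_0)P$ and $Y = (a_1v + b_1)P$. The Diffie-Hellman value of the simulated session is then

$$
\begin{aligned}
K = CDH(X, Y) &= (a_0u + b_0)(a_1v + b_1)\,P \\
              &= a_0a_1\,uvP + a_0b_1\,U + a_1b_0\,V + b_0b_1\,P,
\end{aligned}
$$

and therefore

$$
CDH(U, V) = uvP = (a_0a_1)^{-1}\bigl(K - a_0b_1U - a_1b_0V - b_0b_1P\bigr),
$$

with the inverse of $a_0a_1$ taken in $Z_n^*$, which exists since $a_0, a_1 \in Z_n^*$. The simulator knows $a_0, b_0, a_1, b_1$ and reads $K$ from the adversary's $H_0$ query, so the whole computation is two scalar multiplications and three point subtractions. Picking the right record from $\Lambda_{H_0}$ at random succeeds with probability $1/q_{H_0}$, where $q_{H_0}$ is the number of $H_0$ queries, which only scales the reduction by a polynomial factor.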

Under the intractability of the CDH problem we have

$|Adv_3(\mathcal{A}) - Adv_2(\mathcal{A})| \le negl(\kappa).$ (6)

Experiment $Exp_4$. In this experiment we begin to deal with the active sessions. For a $Send(U, (Y, \sigma_{GN}))$ query, if the signature $\sigma_{GN}$ is valid for this active session, we simply terminate the simulation and let the adversary win. Since the user $U$ is honest in this session, the message $(X, T, c_1, s_m, s_a)$ was generated by $U$. Moreover, since $Exp_2$ already aborts on collisions in the hash outputs and the transcripts, $\sigma_{GN}$ can only be valid if it is a signature on the fresh random number $r_{GN}$. Hence the adversary wins in this experiment if and only if it forges a new signature. The signature scheme used in our protocol is existentially unforgeable under chosen-message attacks, so the advantage of $\mathcal{A}$ in forging a signature on a new random number is negligible, and

$|Adv_4(\mathcal{A}) - Adv_3(\mathcal{A})| \le negl(\kappa).$ (7)

Experiment $Exp_5$. In this experiment we continue with the active sessions. For a $Send(GN, (S_i, Y, T_{S_i}, Auth_{S_i}))$ query, if the sensor node $S_i$ is uncorrupted, the timestamp $T_{S_i}$ lies within the transmission delay, and $Auth_{S_i}$ is a valid authenticator, we terminate the simulation and let the adversary win. Since $S_i$ is uncorrupted, the symmetric key $K_{(GN,S_i)}$ is unknown to the adversary, and the timestamp $T_{S_i}$ rules out a replay. The adversary can only produce a valid authenticator $Auth_{S_i}$ by issuing the query $(K_{(GN,S_i)}, X, Y, T_{GN}, T_{S_i}, label)$ to the hash oracle $H_5$, or by guessing the output of $H_5$ without asking the corresponding query. As $K_{(GN,S_i)}$ and $Auth_{S_i}$ are random values in $\{0,1\}^\kappa$, the success probability of the adversary is negligible. Consequently,

$|Adv_5(\mathcal{A}) - Adv_4(\mathcal{A})| \le negl(\kappa).$ (8)

Experiment $Exp_6$. In this experiment we deal with the active sessions once more. For a $Send(S_i, (label, X, T_{GN}, Auth_{GN}))$ query, if the timestamp $T_{GN}$ lies within the transmission delay and $Auth_{GN}$ is a valid authenticator, we terminate the simulation and let the adversary win. Since the gateway node may not be corrupted, the symmetric key $K_{(GN,S_i)}$ is unknown to the adversary, and the timestamp $T_{GN}$ ensures that an old authenticator cannot be replayed. The adversary can only produce a valid authenticator $Auth_{GN}$ by issuing the query $(K_{(GN,S_i)}, X, label, T_{GN})$ to the hash oracle $H_4$, or by guessing the output of $H_4$ without asking the corresponding query. As $K_{(GN,S_i)}$ and $Auth_{GN}$ are random values in $\{0,1\}^\kappa$, the success probability of the adversary is negligible. As in the previous experiment,

$|Adv_6(\mathcal{A}) - Adv_5(\mathcal{A})| \le negl(\kappa).$ (9)

Experiment $Exp_7$. In this experiment we change the simulation of $Send$ queries for the last time. For a $Send(GN, (label, X, T, c_1, s_m, s_a))$ query, the gateway node first checks the validity of the credential proof. If the proof is valid and the message was forged by the adversary, we terminate the simulation and declare the adversary successful. The success probability of the adversary in producing a fake proof is bounded by the security of the algebraic MAC underlying the credential; with an analysis similar to [23] we obtain

$|Adv_7(\mathcal{A}) - Adv_6(\mathcal{A})| \le negl(\kappa).$ (10)

In the last experiment all session keys of passive sessions are chosen at random from the key space, and all active sessions are terminated without accepting. The only remaining way for the adversary to succeed is to steal the user's terminal, recover the credential by guessing the password, and check each guess by running the protocol with the gateway node, that is, one on-line guess per active session. Consequently,

$Adv_7(\mathcal{A}) \le C' \cdot Q_{send}^{s'}.$ (11)

5. Performance Analysis

In this section we compare the computation cost, the communication cost and the security attributes of our protocol with those of related protocols that provide user anonymity [16-19]. For computation, let $T_M$ denote the time of one modular exponentiation, $T_{PM}$ the time of one point multiplication on the elliptic curve, $T_H$ the time of one hash computation and $T_S$ the time of one symmetric encryption or decryption. According to [24], $T_M \approx 1.169$ ms, $T_{PM} \approx 0.508$ ms, $T_H \approx 0.069$ ms and $T_S \approx 0.069$ ms. We only evaluate the computation cost of the authentication and key exchange phase, because the registration phase is a one-time job. For the communication cost we assume that an identity is 32 bits, the security parameter $\kappa$ is 160 bits, a timestamp is 64 bits, an element of the ECC cyclic group is represented with 320 bits and an element of the RSA cyclic group with 1024 bits. The signature scheme is instantiated with the ECDSA signature scheme [25]. The communication and computation performance is summarized in Table 2. As Table 2 shows, our protocol is the least efficient in terms of computation, while the communication performance of the compared protocols is more or less the same. The computation cost of our protocol arises mainly from the strong user anonymity: nobody except the user knows the user's real identity in our protocol, whereas in the other protocols the gateway node knows the user's real identity.

Table 3 summarizes the security properties of the proposed protocol and the related protocols. It shows that our protocol provides all the listed security features, and that it is the only one combining strong user anonymity with a formal security proof. Considering the computation cost, communication cost and security attributes as a whole, our protocol compares favourably with the other protocols, and is therefore more suitable for security- and privacy-critical application scenarios in WSNs.

Table 2: Comparisons of computation and communication costs

Protocol           User (ms)                    Gateway (ms)                  Sensor (ms)                   Rounds  Bandwidth
Wu et al. [16]     2T_PM + T_S + 11T_H ≈ 1.04   2T_S + 11T_H ≈ 1.04           2T_PM + T_S + 4T_H ≈ 1.05     4       3168 bits
Jiang et al. [17]  T_PM + 8T_H ≈ 1.18           T_PM + 12T_H ≈ 1.19           5T_H ≈ 0.04                   4       2689 bits
Wang et al. [18]   2T_PM + 8T_H ≈ 1.04          2T_PM + T_S + 11T_H ≈ 1.05    2T_PM + T_S + 11T_H ≈ 1.06    4       3968 bits
Li et al. [19]     2T_PM + 8T_H ≈ 1.05          T_PM + 9T_H ≈ 0.52            4T_H ≈ 0.03                   4       2912 bits
Our protocol       4T_PM + 4T_H ≈ 2.03          4T_PM + 5T_H ≈ 2.03           2T_PM + 3T_H ≈ 1.02           4       2976 bits

Table 3: Comparisons of security features

Property                          Wu et al. [16]  Jiang et al. [17]  Wang et al. [18]  Li et al. [19]  Our protocol
Replay attack                     secure          secure             secure            secure          secure
Privileged insider attack         secure          secure             secure            secure          secure
GW-node impersonation attack      secure          secure             secure            secure          secure
Stolen verifier attack            secure          secure             secure            secure          secure
Off-line dictionary attack        secure          secure             secure            secure          secure
Compromised sensor node attack    secure          secure             secure            secure          secure
Mutual authentication             yes             yes                yes               yes             yes
Session key establishment         yes             yes                yes               yes             yes
Key privacy                       yes             no                 yes               no              yes
User anonymity                    weak            weak               weak              weak            strong
Formal security proof             yes             yes                yes               yes             yes

6. Conclusions

In this paper we propose an anonymous authentication and key exchange protocol for WSNs. The most attractive property of our protocol is its strong user anonymity: nobody except the user knows the user's real identity. Besides this, the protocol has a formal security proof in the random oracle model and an efficient communication complexity. Its only disadvantage is the higher computation cost. In wireless communication networks, establishing a channel usually consumes more energy than computation does, so the computation cost is not a serious problem. Owing to its high security and strong anonymity, our protocol is well suited to security- and privacy-critical application scenarios in WSNs.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the Funding of Science and Technology on Information Assurance Laboratory (no. KJ-17-001) and the Key Scientific and Technological Project of Henan Province (no. 122102210126).

Wireless Communications and Mobile Computing 9

References

[1] Y. Liu, W. Guo, C. Fan, L. Chang, and C. Cheng, "A practical privacy-preserving data aggregation (3PDA) scheme for smart grid," IEEE Transactions on Industrial Informatics, pp. 1-1, 2018.

[2] D. He, N. Kumar, H. Wang, L. Wang, K. R. Choo, and A. Vinel, "A provably-secure cross-domain handshake scheme with symptoms-matching for mobile healthcare social network," IEEE Transactions on Dependable and Secure Computing, pp. 1-1, 2016.

[3] J. Shen, T. Zhou, D. He, Y. Zhang, X. Sun, and Y. Xiang, "Block design-based key agreement for group data sharing in cloud computing," IEEE Transactions on Dependable and Secure Computing, vol. PP, no. 99, 2017.

[4] J. Shen, J. Shen, X. Chen, X. Huang, and W. Susilo, "An efficient public auditing protocol with novel dynamic structure for cloud data," IEEE Transactions on Information Forensics and Security, vol. 12, no. 10, pp. 2402–2415, 2017.

[5] D. He, S. Zeadally, and L. Wu, "Certificateless public auditing scheme for cloud-assisted wireless body area networks," IEEE Systems Journal, vol. 12, no. 1, pp. 64–73, 2018.

[6] Q. Jiang, Z. Chen, B. Li et al., "Security analysis and improvement of bio-hashing based three-factor authentication scheme for telecare medical information systems," Journal of Ambient Intelligence and Humanized Computing, 2017.

[7] Q. Jiang, J. Ma, C. Yang, X. Ma, J. Shen, and S. A. Chaudhry, "Efficient end-to-end authentication protocol for wearable health monitoring systems," Computers and Electrical Engineering, 2017.

[8] M. L. Das, "Two-factor user authentication in wireless sensor networks," IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1086–1090, 2009.

[9] M. K. Khan and K. Alghathbar, "Cryptanalysis and security improvements of 'two-factor user authentication in wireless sensor networks'," Sensors, vol. 10, no. 3, pp. 2450–2459, 2010.

[10] H.-L. Yeh, T.-H. Chen, P.-C. Liu, T.-H. Kim, and H.-W. Wei, "A secured authentication protocol for wireless sensor networks using Elliptic Curves Cryptography," Sensors, vol. 11, no. 5, pp. 4767–4779, 2011.

[11] K. Xue, C. Ma, P. Hong, and R. Ding, "A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks," Journal of Network and Computer Applications, vol. 36, no. 1, pp. 316–323, 2013.

[12] D. He, N. Kumar, H. Shen, and J.-H. Lee, "One-to-many authentication for access control in mobile pay-TV systems," Science China Information Sciences, vol. 59, no. 5, pp. 1–14, 2016.

[13] J.-J. Yuan, "An enhanced two-factor user authentication in wireless sensor networks," Telecommunication Systems, vol. 55, no. 1, pp. 105–113, 2014.

[14] D. Wang and P. Wang, "Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks," Ad Hoc Networks, vol. 20, pp. 1–15, 2014.

[15] J. Shen, S. Chang, J. Shen, Q. Liu, and X. Sun, "A lightweight multi-layer authentication protocol for wireless body area networks," Future Generation Computer Systems, vol. 78, no. 3, pp. 956–963, 2018.

[16] F. Wu, L. Xu, S. Kumari, and X. Li, "A new and secure authentication scheme for wireless sensor networks with formal proof," Peer-to-Peer Networking and Applications, vol. 10, no. 1, pp. 16–30, 2017.

[17] Q. Jiang, S. Zeadally, J. Ma, and D. He, "Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks," IEEE Access, vol. 5, pp. 3376–3392, 2017.

[18] C. Wang, G. Xu, and J. Sun, "An enhanced three-factor user authentication scheme using elliptic curve cryptosystem for wireless sensor networks," Sensors, vol. 17, no. 12, article no. 2946, 2017.

[19] X. Li, J. Niu, S. Kumari, F. Wu, A. K. Sangaiah, and K. R. Choo, "A three-factor anonymous authentication scheme for wireless sensor networks in internet of things environments," Journal of Network and Computer Applications, vol. 103, pp. 194–204, 2018.

[20] C. Wang, D. Wang, G. Xu, and Y. Guo, "A lightweight password-based authentication protocol using smart card," International Journal of Communication Systems, vol. 30, no. 16, pp. 1–11, 2017.

[21] D. Wang, H. Cheng, P. Wang et al., "Zipf's law in passwords," IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, pp. 2776–2791, 2017.

[22] F. Wei, P. Vijayakumar, J. Shen, R. Zhang, and L. Li, "A provably secure password-based anonymous authentication scheme for wireless body area networks," Computers and Electrical Engineering, 2017.

[23] Z. Zhang, K. Yang, X. Hu, and Y. Wang, "Practical anonymous password authentication and TLS with anonymous client authentication," in Proceedings of the 23rd ACM Conference on Computer and Communications Security, CCS 2016, pp. 1179–1191, October 2016.

[24] D. Wang and P. Wang, "Two birds with one stone: two-factor authentication with security beyond conventional bound," IEEE Transactions on Dependable and Secure Computing, 2016.

[25] C. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991.


the authentication instance executed among a user instance U^x, a gateway node instance GN^y, and a sensor node instance S_i^z.

(ii) Send(P^i, m): the Send query captures the active attack ability of A. Through the Send(P^i, m) query, A sends a modified or forged message m to instance P^i in the name of another participant instance. A will get the message generated by the participant instance P^i upon receiving the message m according to the description of the protocol. The participant P can be a user, a gateway node, or a sensor node.

(iii) Corrupt(U, PW): this query captures the compromise of the user's password. The adversary A only gets the password of the victim user; it can neither control nor compromise the credential of the user.

(iv) Corrupt(U, cred): this query captures the compromise of the user's terminal. The adversary A can extract the credential issued by the gateway node and control the victim user's terminal. However, the password of the user is still unknown to A.

(v) Corrupt(S_i): this query captures the compromise of a sensor node S_i. The adversary A will get the secret key and control the sensor node through this query.

(vi) Reveal(P^i): this query can only be asked to a user instance or a sensor node instance. If the instance P^i accepts the session and generates a session key, A will get the session key. Otherwise, A will get the symbol ⊥, which means the instance P^i does not hold a session key.

(vii) Test(P^i): this query does not capture any real attack ability of A but is used to measure the security of the session key held by instance P^i. Upon receiving this query, the simulator will flip a coin b. If the result is 1, then it returns the real session key to A. If the result is 0, the simulator will send a random session key of the same length as the real session key to A. A has to distinguish whether the key is real or random. In other words, A has to guess the coin flip result.

The session identification (sid) is defined as the transcripts shared between a user instance and a sensor node instance. The partner identification (pid) of an instance is defined to be the participant with whom the instance wants to establish a common session key. We say a user instance U^x and a sensor node instance S_i^z are partners if the following conditions are satisfied: (1) these two instances both accept and generate the same session key; (2) these two instances share the same sid; (3) the pid of U^x is S_i and the pid of S_i^z is U; and (4) no other instances accept the same sid as U^x and S_i^z.

If the adversary A asks both Corrupt(U, cred) and Corrupt(U, PW), the user U is said to be fully corrupted. When defining the AKE security of the session key, we do not consider the corruption of the gateway node. This is because once the gateway node is corrupted, there is nothing we can do to guarantee the security of the protocol. A user instance or a sensor node instance P^i is said to be fresh if (1) A does not send Reveal queries to the instance or its partner and (2) the user or the sensor node is not fully corrupted by A.

AKE Security. The security of the session keys is captured by the AKE security. The adversary A is restricted to asking Test queries to fresh instances only; otherwise the adversary A can trivially win the attack game. The adversary A is given access to all the oracle queries; the only restriction is that A can ask only one Test query to a fresh instance. The adversary A needs to guess the hidden bit b used by the simulator when answering the Test query. If A correctly guesses the random bit, then we say A wins the AKE security game. We denote this event by Succ. With respect to the distribution of the passwords, we use Zipf's law put forward by Wang et al. [21] instead of assuming a uniform distribution. The adversary A's advantage in attacking the AKE security of a protocol P when passwords are chosen according to Zipf's law of a dictionary D is defined as follows:

$$\mathrm{Adv}^{ake}_{\mathcal{P},\mathcal{D}}(\mathcal{A}) = 2 \cdot \Pr[\mathrm{Succ}] - 1 \quad (1)$$

An authentication and key exchange protocol P is said to be AKE secure if for all PPT adversaries A the advantage $\mathrm{Adv}^{ake}_{\mathcal{P},\mathcal{D}}(\mathcal{A})$ is only negligibly larger than $C' \cdot q_{send}^{s'}$, where C' and s' are Zipf parameters and q_send is the number of active attack sessions. Moreover, C' and s' are constants depending on the password data set and can be calculated by linear regression.

3. Description of the Protocol

In this section, we describe the proposed anonymous authenticated key exchange protocol based on ECC for WSNs. The most important benefit of ECC is that it provides the same level of security with a smaller key size compared to other cryptography mechanisms such as RSA, so it suits the resource-constrained nature of the WSN. Our protocol has three phases: the setup phase, the registration phase, and the authentication and key exchange phase. The detailed steps of each phase are described in the following. The symbols used in this paper are summarized in Table 1.

3.1. The Setup Phase. Let p be a large prime and F_p be a finite field of prime order p. Let E be an elliptic curve cryptosystem satisfying the equation y² = (x³ + ax + b) mod p such that a, b ∈ F_p and 4a³ + 27b² mod p ≠ 0. The set of rational points in E over the finite field F_p is denoted by E(F_p). More precisely, E(F_p) = {(x, y) : x, y ∈ F_p such that y² = (x³ + ax + b) mod p} ∪ {O}, where O is the point at infinity. Let G be a cyclic group generated by P, where P ∈ E(F_p) has a large prime order n. These parameters (F_p, E, E(F_p), G, P) are the system parameters and can be chosen by a trusted third party or the gateway node. The gateway node (GN) chooses a random number s_GN ∈ Z_n^* as his private key and computes the corresponding public key Q_GN = s_GN P. The public key Q_GN is published in the whole network. Define six hash functions such that H1: {0,1}* → Z_n^*, H2: {0,1}* → G*, and H0, H3, H4, H5: {0,1}* → {0,1}^κ, where κ is the security parameter. All these parameters (F_p, E, E(F_p), G, P, Q_GN, H_i (i = 0, 1, ..., 5)) are available to all the entities in the WSN.

Table 1: Notations

notation        meaning
ID_GW           identity of the gateway node
ID_U            identity of the user U
ID_Si           identity of the sensor node S_i
p, n            large prime numbers
F_p             a finite field
E               an elliptic curve defined on F_p
E(F_p)          the set of rational points in E
s_GN            secret key of the gateway node
PW_U            the password of the user U
⊕               exclusive OR
||              concatenation
h(m)            cryptographic hash of message m
sign_sGN(m)     signature of m signed by s_GN
T_GN, T_Si      timestamp of GN, S_i

Figure 1: Registration phase of mobile user

User U:
  choose identity ID_U; choose a random password PW_U
  U → GN: ID_U
Gateway Node GN:
  σ = (1 / (s_GN + H1(ID_U))) P
  r ∈ Z_n^*; R1 = rσ; R2 = rP
  c = H1(P, Q_GN, H1(ID_U), σ, R1, R2); s = (r + c s_GN) mod n
  GN → U: (σ, c, s)
User U:
  R1* = (s + c H1(ID_U))σ − cP; R2* = sP − cQ_GN
  c* = H1(g, Q_GN, H1(ID_U), σ, R1*, R2*)
  if c* = c: cred = σ + H2(PW_U); stores cred in terminal

3.2. The Registration Phase. If a user U wants to access the data collected by the sensor nodes in the WSN, U has to register himself to the gateway node. For a pictorial illustration of the user registration, please refer to Figure 1. The detailed steps are described in the following.

Step 1. The user U randomly chooses his identity ID_U and his password PW_U from the password dictionary. U sends his identity ID_U to the gateway node GN through a secure channel.

Step 2. When the gateway node GN receives the registration request from the user, GN verifies the validity of U's identity ID_U. If it is valid and no other user in its database is registered under the same identity, GN first computes the credential σ = (1 / (s_GN + H1(ID_U))) P. Then GN chooses a random number r ∈ Z_n^* and computes c = H1(P, Q_GN, H1(ID_U), σ, R1, R2) and s = (r + c s_GN) mod n, where R1 = rσ and R2 = rP. At last, GN sends the registration message (σ, c, s) to the user U through a secure channel.

Step 3. When the user U receives the registration message (σ, c, s) from GN, U will verify the validity of the message. U computes R1* = (s + c H1(ID_U))σ − cP, R2* = sP − cQ_GN, and c* = H1(g, Q_GN, H1(ID_U), σ, R1*, R2*). U verifies whether c* is equal to c or not. If the verification is successful, U will accept σ as a valid credential. Finally, U computes cred = σ + H2(PW_U) and then stores his password-protected credential cred in his terminal.

The registration of the sensor node is rather simple compared with the user registration. The sensor node S_i sends the registration request to the gateway node GN through a secure channel. Upon receiving the request, the gateway node GN will compute a symmetric key K(GN,Si) = H3(GN, S_i, s_GN) and send the symmetric key K(GN,Si) to S_i through a secure channel.

3.3. The Authentication and Key Exchange Phase. Suppose a user U wants to get the real-time data from the sensor node S_i. U has to execute the authentication and key exchange phase with the gateway node GN and the sensor node S_i. During this phase, the user U, the gateway node GN, and the sensor node S_i will authenticate each other. At the end of this phase, a session key will be established between U and S_i to protect the upcoming data transmission. The detailed steps of the authentication and key exchange phase are described as follows. For a pictorial illustration, please refer to Figure 2.

Figure 2: Authentication and key exchange phase

User U (PW_U, cred):
  σ = cred − H2(PW_U); x ∈ Z_n^*, X = xP; label = (ID_GN, ID_S)
  a, r_m, r_a ∈ Z_n^*; T = aσ; R3 = r_a P − r_m T
  c1 = H1(P, T, R3, X, label); s_m = r_m + c1 H1(ID_U) mod n; s_a = r_a + c1 a mod n
  (1) U → GN: (label, X, T, c1, s_m, s_a)
Gateway Node GW (s_GN):
  V = s_GN T; R3* = s_a P − c1 V − s_m T; c1* = H1(P, T, R3*, X, label); check c1* = c1
  K(GN,S) = H3(GN, S_i, s_GN); Auth_GN = H4(K(GN,S), X, label, T_GN)
  (2) GN → S_i: (label, X, T_GN, Auth_GN)
Sensor Node S_i (K(GN,S)):
  check |T*_GN − T_GN| ≤ ΔT; verify Auth_GN
  y ∈ Z_n^*, Y = yP; Auth_S = H5(K(GN,S), X, Y, T_GN, T_S, label)
  K = yX; sk = H0(label, X, Y, K)
  (3) S_i → GN: (S_i, Y, T_S, Auth_S)
Gateway Node GW:
  check |T*_S − T_S| ≤ ΔT; verify Auth_S
  r_GN = H1(label, X, T, c1, s_m, s_a, Y); σ_GN = sign_sGN(r_GN)
  (4) GN → U: (Y, σ_GN)
User U:
  verify σ_GN; K = xY; sk = H0(label, X, Y, K)

Step 1. The user U types his password PW_U into his terminal. The terminal computes H2(PW_U) and recovers the credential σ from the stored cred. U then chooses a random number x ∈ Z_n^* and computes X = xP. U defines the label of this session as label = (ID_GN, ID_Si). U chooses three random numbers a, r_m, r_a ∈ Z_n^* and computes T = aσ, R3 = r_a P − r_m T, c1 = H1(P, T, R3, X, label), s_m = r_m + c1 H1(ID_U) mod n, and s_a = r_a + c1 a mod n. Finally, U sends the message (label, X, T, c1, s_m, s_a) to the gateway node GN.

Step 2. Upon receiving the message (label, X, T, c1, s_m, s_a) from the user, GN needs to authenticate the user U. GN computes V = s_GN T, R3* = s_a P − c1 V − s_m T, and c1* = H1(P, T, R3*, X, label). GN checks whether c1* is equal to c1 or not. If the verification is successful, GN authenticates the user U and believes the user U is a valid user. GN then computes the shared key with the sensor node K(GN,Si) = H3(GN, S_i, s_GN) and the authenticator Auth_GN = H4(K(GN,Si), X, label, T_GN), where T_GN is the current timestamp of GN. Finally, GN sends the message (label, X, T_GN, Auth_GN) to the sensor node S_i.
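Why the two challenge checks succeed for an honest party is not spelled out in the text; the following is an added derivation (not part of the paper) in the paper's own symbols. Both checks rest on the single relation (s_GN + H1(ID_U))σ = P that defines the credential in Step 2 of the registration phase. For the registration check (Step 3 of Section 3.2):

$$
\begin{aligned}
R_1^* &= (s + c\,H_1(ID_U))\,\sigma - cP
       = (r + c\,s_{GN} + c\,H_1(ID_U))\,\sigma - cP
       = r\sigma + c\,(s_{GN} + H_1(ID_U))\,\sigma - cP = r\sigma = R_1,\\
R_2^* &= sP - c\,Q_{GN} = (r + c\,s_{GN})P - c\,s_{GN}P = rP = R_2 .
\end{aligned}
$$

For the gateway's check in Step 2 above, with V = s_GN T and T = aσ:

$$
\begin{aligned}
R_3^* &= s_a P - c_1 V - s_m T
       = (r_a + c_1 a)P - c_1 a\,s_{GN}\,\sigma - (r_m + c_1 H_1(ID_U))\,a\sigma \\
      &= r_a P - r_m T + c_1 a\,\bigl(P - (s_{GN} + H_1(ID_U))\,\sigma\bigr)
       = r_a P - r_m T = R_3 .
\end{aligned}
$$

The gateway's computation uses only s_GN, the received message, and P; ID_U never appears on the verifier's side. It enters the proof only through s_m, where it is masked by the fresh r_m, and T is a fresh random multiple of σ in every session, which is why the gateway learns that the sender holds a credential it issued but not which one.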

Step 3. Upon receiving the message (label, X, T_GN, Auth_GN) from GN at time T*_GN, the sensor node S_i first checks whether |T*_GN − T_GN| ≤ ΔT, where ΔT is the expected time interval for the transmission delay. If this is true, S_i then verifies the validity of the authenticator Auth_GN using its private key K(GN,Si). If the authenticator is valid, S_i chooses a random number y ∈ Z_n^* and computes Y = yP. S_i then computes the authenticator Auth_Si = H5(K(GN,Si), X, Y, T_GN, T_Si, label), where T_Si is the current timestamp of S_i. S_i computes the Diffie-Hellman key K = yX and the session key sk = H0(label, X, Y, K). Finally, S_i sends the message (S_i, Y, T_Si, Auth_Si) to the gateway node GN.

Step 4. Upon receiving the message (S_i, Y, T_Si, Auth_Si) from S_i at time T*_Si, GN first checks whether |T*_Si − T_Si| ≤ ΔT, where ΔT is the expected time interval for the transmission delay. If this is true, GN then computes the shared key with the sensor node K(GN,Si) = H3(GN, S_i, s_GN) and verifies the validity of the authenticator Auth_Si. If the verification is successful, GN computes r_GN = H1(label, X, T, c1, s_m, s_a, Y) and signs the random number r_GN using his private key s_GN; the signature is denoted by σ_GN. Finally, GN sends the message (Y, σ_GN) to the user U.

Step 5. Upon receiving the message (Y, σ_GN) from GN, U first verifies the validity of the signature σ_GN. U computes the random number r*_GN = H1(label, X, T, c1, s_m, s_a, Y) and checks whether σ_GN is a valid signature for r*_GN signed by GN. If the verification is successful, U computes the Diffie-Hellman key K = xY and the session key sk = H0(label, X, Y, K). U will accept the session and wait for the upcoming communication.
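The three phases above, run end to end, as an added example in Python; this is not code from the paper or its authors, and several things are assumptions chosen to keep it self-contained: a toy curve (y² = x³ + 2x + 2 over F_17 with generator (5, 1) of prime order 19, a textbook example) stands in for a cryptographic-size curve; every H_i is SHA-256 with a domain-separation byte, and H2 is realised as hash-to-scalar times P; the signature of Steps 4 and 5 is Schnorr, since the paper cites [25] but does not fix the scheme; the label is the string "GN|S1", the sensor identity "S1", the password "correct horse" and the timestamps 1000, 1002 and 1003 are constructed; and the "g" the paper writes as the first input of c* is read as P, without which the registration check cannot pass. In a 19-element group one identity in 18 makes s_GN + H1(ID_U) vanish mod n, so the driver re-draws such identities; that event has negligible probability on a real curve.

```python
import hashlib, random

# Toy curve y^2 = x^3 + 2x + 2 over F_17 with generator P = (5, 1) of prime order n = 19 (textbook
# example). Constructed for illustration only; the paper's protocol runs on a cryptographic-size curve.
p, A, n, P = 17, 2, 19, (5, 1)

def add(Q1, Q2):
    """Point addition; None stands for the point at infinity O."""
    if Q1 is None: return Q2
    if Q2 is None: return Q1
    (x1, y1), (x2, y2) = Q1, Q2
    if x1 == x2 and (y1 + y2) % p == 0: return None
    lam = (3 * x1 * x1 + A) * pow(2 * y1 % p, -1, p) if Q1 == Q2 else (y2 - y1) * pow((x2 - x1) % p, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)
def neg(Q): return None if Q is None else (Q[0], -Q[1] % p)

def mul(k, Q):
    """Double-and-add scalar multiplication; k is reduced mod the group order n."""
    R, k = None, k % n
    while k:
        if k & 1: R = add(R, Q)
        Q, k = add(Q, Q), k >> 1
    return R

def enc(*items):
    """Length-prefixed encoding of ints, strings, bytes and points so hash inputs are unambiguous."""
    out = b""
    for it in items:
        s = b"O" if it is None else it if isinstance(it, bytes) else str(it).encode()
        out += len(s).to_bytes(2, "big") + s
    return out

def H(i, *items):  # H_i: {0,1}* -> {0,1}^256, domain-separated by i; serves as H0, H3, H4, H5
    return hashlib.sha256(bytes([i]) + enc(*items)).digest()
def H1(*items):    # H1: {0,1}* -> Z_n^*
    return int.from_bytes(H(1, *items), "big") % (n - 1) + 1
def H2(*items):    # H2: {0,1}* -> G^*, modelled as hash-to-scalar times P (toy construction)
    return mul(int.from_bytes(H(2, *items), "big") % (n - 1) + 1, P)

def gn_register(sGN, QGN, ID_U, rng):
    """Registration Step 2: sigma = (1/(s_GN + H1(ID_U))) P plus a proof (c, s) that GN used the s_GN behind Q_GN."""
    h = H1(ID_U)
    sigma = mul(pow((sGN + h) % n, -1, n), P)                # caller guarantees s_GN + h != 0 mod n
    r = rng.randrange(1, n)
    c = H1(P, QGN, h, sigma, mul(r, sigma), mul(r, P))       # R1 = r*sigma, R2 = r*P
    return sigma, c, (r + c * sGN) % n

def user_check_credential(QGN, ID_U, sigma, c, s):
    """Registration Step 3; the paper writes 'g' as the first input of c*, read here as P."""
    h = H1(ID_U)
    R1 = add(mul(s + c * h, sigma), neg(mul(c, P)))           # (s + c h) sigma - c P  ==  r sigma
    R2 = add(mul(s, P), neg(mul(c, QGN)))                     # s P - c Q_GN           ==  r P
    return H1(P, QGN, h, sigma, R1, R2) == c

def user_request(sigma, ID_U, label, rng):
    """Authentication Step 1: blind the credential as T = a*sigma and prove knowledge of a and H1(ID_U)."""
    x, a, rm, ra = (rng.randrange(1, n) for _ in range(4))
    X, T = mul(x, P), mul(a, sigma)
    R3 = add(mul(ra, P), neg(mul(rm, T)))
    c1 = H1(P, T, R3, X, label)
    return x, (label, X, T, c1, (rm + c1 * H1(ID_U)) % n, (ra + c1 * a) % n)

def gn_check_request(sGN, msg):
    """Authentication Step 2: needs s_GN and the message but never ID_U (the strong-anonymity point)."""
    label, X, T, c1, sm, sa = msg
    R3 = add(add(mul(sa, P), neg(mul(c1, mul(sGN, T)))), neg(mul(sm, T)))   # s_a P - c1 V - s_m T
    return H1(P, T, R3, X, label) == c1

def schnorr_sign(sk, m, rng):   # assumption: Schnorr [25] as the EUF-CMA signature of Steps 4 and 5
    k = rng.randrange(1, n); R = mul(k, P)
    return R, (k + H1(R, m) * sk) % n
def schnorr_verify(Q, m, sig):
    R, s = sig
    return mul(s, P) == add(R, mul(H1(R, m), Q))

def run_protocol(seed, forged=False, window=5):
    """Setup, both registrations and one authentication run on a constructed clock; forged=True presents sigma + P."""
    rng = random.Random(seed)
    sGN = rng.randrange(1, n); QGN = mul(sGN, P)                         # setup phase
    while True:   # 1 in 18 identities hits s_GN + H1(ID_U) = 0 in the toy group; negligible on a real curve
        ID_U = "user-%d" % rng.randrange(10 ** 6)
        if (sGN + H1(ID_U)) % n: break
    PW_U, ID_S, label = "correct horse", "S1", "GN|S1"                   # constructed values
    sigma, c, s = gn_register(sGN, QGN, ID_U, rng)
    cred_ok = user_check_credential(QGN, ID_U, sigma, c, s)
    cred = add(sigma, H2(PW_U))                      # password-protected credential kept on the terminal
    K_GS = H(3, "GN", ID_S, sGN)                     # sensor registration: symmetric key K(GN,Si)
    sigma_u = add(cred, neg(H2(PW_U)))               # Step 1: the password unlocks sigma again
    if forged: sigma_u = add(sigma_u, P)             # a point that is not a credential issued by GN
    x, msg1 = user_request(sigma_u, ID_U, label, rng)
    label, X, T, c1, sm, sa = msg1
    if not gn_check_request(sGN, msg1):              # Step 2: GN aborts on an invalid proof
        return dict(cred_ok=cred_ok, user_ok=False)
    T_GN = 1000; Auth_GN = H(4, K_GS, X, label, T_GN)
    now = 1002                                       # Step 3: the sensor receives two ticks later
    gn_ok = abs(now - T_GN) <= window and Auth_GN == H(4, K_GS, X, label, T_GN)
    y = rng.randrange(1, n); Y, T_S = mul(y, P), now
    Auth_S = H(5, K_GS, X, Y, T_GN, T_S, label)
    sk_sensor = H(0, label, X, Y, mul(y, X))
    sensor_ok = abs(1003 - T_S) <= window and Auth_S == H(5, K_GS, X, Y, T_GN, T_S, label)   # Step 4
    sig = schnorr_sign(sGN, H1(label, X, T, c1, sm, sa, Y), rng)
    sig_ok = schnorr_verify(QGN, H1(label, X, T, c1, sm, sa, Y), sig)                        # Step 5
    sk_user = H(0, label, X, Y, mul(x, Y))
    return dict(cred_ok=cred_ok, user_ok=True, gn_ok=gn_ok, sensor_ok=sensor_ok,
                sig_ok=sig_ok, same_key=sk_user == sk_sensor)
```

`run_protocol(seed)` returns the outcome of every check plus whether U and S_i derived the same sk; `run_protocol(seed, forged=True)` shows the gateway rejecting a request built from a point that is not one of its credentials. In the toy group the challenge c1 takes only 18 values, so a forged request slips through with probability about 1/18 per run; on a 256-bit curve that probability is 2^-256-scale, which is what the negligible term in Theorem 1 accounts for.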

4. Security Proof

In this section, we present the security proof of our protocol. The security proof is conducted in the security model presented in Section 2.

Theorem 1. Suppose P is the anonymous authentication and key exchange protocol for WSNs described in the previous section, and A is a PPT adversary against the AKE security of P who runs in time t and makes at most Q_send queries to the Send oracle to different instances. If the signature scheme used in our protocol is existentially unforgeable against adaptive chosen message attacks and the hash functions H_i(·) (i = 0, 2, ..., 5) are all modeled as random oracles, then under the CDH assumption the advantage of the adversary A in violating the AKE security of the protocol P is at most

$$\mathrm{Adv}^{ake}_{\mathcal{P},\mathcal{D}}(\mathcal{A}) \le C' \cdot Q_{send}^{s'} + \mathrm{negl}(\kappa) \quad (2)$$

Proof. We use the hybrid experiments technique to prove Theorem 1. These hybrid experiments start with the real attack scenario. We gradually change the simulation rules in each experiment. In the last experiment, the advantage of the adversary in distinguishing the session key is negligible. We also estimate the advantage difference of the adversary between two hybrid experiments, and the advantage of the adversary in breaking the AKE security can be calculated. We denote the adversary's advantage in hybrid Exp_i by Adv_i(A).

Experiment Exp_0. This is the real attack scenario defined in the security model. In this experiment, the adversary has access to all the oracles. According to the definition of A's advantage, we have the following result:

$$\mathrm{Adv}^{ake}_{\mathcal{P},\mathcal{D}}(\mathcal{A}) = \mathrm{Adv}_0(\mathcal{A}) \quad (3)$$

Experiment Exp_1. In this experiment, we simulate all the hash functions H_i(·) (i = 0, 1, ..., 5) by maintaining hash lists Λ_Hi (i = 0, 1, ..., 5) using the following rules:

(i) On a query H_i(m), if a record (i, m, r) exists in Λ_Hi, then return r. Otherwise, the output r is chosen according to the following rule Rule_Hi:
if i = 1, choose a random element r from Z_n^*. Then add the record (1, m, r) to Λ_Hi.
if i = 2, choose a random element r from G. Then add the record (2, m, r) to Λ_H2.
if i = 0, 3, 4, 5, choose a random element r from {0,1}^κ. Then add the record (i, m, r) to Λ_Hi.

In addition to these lists, we also simulate six private hash oracles H'_i (i = 0, 1, ..., 5) by maintaining hash lists Λ'_Hi (i = 0, 1, ..., 5). We will use these private hash functions in the following hybrid experiments. It is well known that a hash function can be simulated perfectly in PPT time using the above rules; thus we have

$$\left|\mathrm{Adv}_1(\mathcal{A}) - \mathrm{Adv}_0(\mathcal{A})\right| \le \mathrm{negl}(\kappa) \quad (4)$$

Experiment Exp_2. In this experiment, we cancel the sessions if some unlikely collisions occur in these sessions. To be more specific, if some collisions occur in the simulation of the hash functions or on the transcripts (X, Y, T, c1, s_m, s_a, σ_GN), we will terminate the session and let the adversary win. Based on the birthday paradox, we have the following result:

$$\left|\mathrm{Adv}_2(\mathcal{A}) - \mathrm{Adv}_1(\mathcal{A})\right| \le \mathrm{negl}(\kappa) \quad (5)$$

Experiment Exp_3. In this experiment, we modify the simulation rules of the sessions created by Execute queries. Whenever we need to compute the session key in a passive session, we use the private hash oracle H'_0 instead of H0. Moreover, the Diffie-Hellman key K is not used as an input. In other words, the session key of a passive session is computed as sk = H'_0(label, X, Y). The adversary can distinguish the experiment Exp_3 from the previous experiment Exp_2 if and only if the adversary sends a hash query (label, X, Y, K) to the hash oracle H0 in which X, Y are generated in a passive session and K = CDH(X, Y). However, if the adversary can issue such a query, we can use the ability of the adversary to solve the CDH problem.

Given a CDH instance (U, V), we can embed the instance into all the passive sessions using the self-reducibility of the CDH problem. In order to do so, we choose four random numbers a0, b0, a1, b1 ∈ Z_n^* for each passive session. In simulating the transcripts, we simply set X = a0 U + b0 P and Y = a1 V + b1 P. All other transcripts are simulated as usual until the computation of the session key. The session key is computed as sk = H'_0(label, X, Y). If an adversary can distinguish between this experiment and the previous one, then a query (label, X, Y, K) must be issued to the hash oracle H0. We can compute the Diffie-Hellman value of (U, V) by selecting a random record (0, (label, X, Y, K), r) in Λ_H0 and computing (K − a0 b1 U − a1 b0 V − b0 b1 P) / (a0 a1).
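The extraction formula at the end of the paragraph is stated without its derivation; the following added derivation (not in the paper) checks it with the paper's symbols. Write the CDH instance as U = uP and V = vP with u, v unknown to the simulator, so that X = (a_0 u + b_0)P and Y = (a_1 v + b_1)P. The Diffie-Hellman value of the simulated pair is then

$$
\begin{aligned}
K &= (a_0 u + b_0)(a_1 v + b_1)\,P
   = a_0 a_1\,uvP + a_0 b_1\,uP + a_1 b_0\,vP + b_0 b_1\,P \\
  &= a_0 a_1\,\mathrm{CDH}(U, V) + a_0 b_1\,U + a_1 b_0\,V + b_0 b_1\,P,
\end{aligned}
$$

and therefore

$$
\mathrm{CDH}(U, V) = uvP = (a_0 a_1)^{-1}\bigl(K - a_0 b_1\,U - a_1 b_0\,V - b_0 b_1\,P\bigr),
$$

which is exactly the expression the simulator evaluates on the record it picks from Λ_H0; the division is well defined because a_0, a_1 ∈ Z_n^* are invertible modulo the prime order n. The random record is chosen because the simulator cannot tell which H0 query carries the correct K, which costs only a polynomial factor in the number of hash queries.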

Under the intractability assumption of the CDH problem, we have

$$\left|\mathrm{Adv}_3(\mathcal{A}) - \mathrm{Adv}_2(\mathcal{A})\right| \le \mathrm{negl}(\kappa) \quad (6)$$

Experiment Exp_4. In this experiment, we begin to deal with the active sessions. For a Send(U, (Y, σ_GN)) query, if the signature σ_GN is a valid signature for this active session, we simply terminate the simulation and let the adversary win. Since the user U is honest in this session, the message (X, T, c1, s_m, s_a) is generated by the user U. Besides, we cancelled in Exp_2 the experiment in which a collision occurs in the output of the hash functions and the transcripts, so the signature σ_GN is valid if it is a signature for the random number r_GN. The adversary wins the game in this experiment if and only if a new signature is forged. The signature scheme used in our protocol is existentially unforgeable against chosen message attacks, so the advantage of the adversary A in forging a signature for a new random number is negligible. It is obvious that

$$\left|\mathrm{Adv}_4(\mathcal{A}) - \mathrm{Adv}_3(\mathcal{A})\right| \le \mathrm{negl}(\kappa) \quad (7)$$

Experiment 1198641199091199015 In this experiment we continue to dealwith the active sessions For a 119878119890119899119889(119866119873 (119878119894 119884 119879119878119894 119860119906119905ℎ119878119894))query if the sensor node 119878119894 is uncorrupted the timestamp119879119878119894 is within the transmission delay and 119860119906119905ℎ119878119894 is a validauthenticator then we simply terminate the simulation andlet the adversary win the attack game Since the sensornode 119878119894 is uncorrupted the symmetric key 119870(119866119873119878119894) isunknown to the adversary Moreover the timestamp 119879119878119894makes the replay attack impossible The adversary can onlyproduce a valid authenticator 119860119906119905ℎ119878119894 by issuing a query(119870(119866119873119878119894) 119883 119884 119879119866119873 119879119878119894 119897119886119887119890119897) to the hash oracle 1198675 or theadversary correctly guesses the output of the hash function1198675 without asking the corresponding message 119870(119866119873119878119894) and119860119906119905ℎ119878119894 are two randomvalues chosen from 0 1120581 the successprobability of the adversary is negligible Consequently wehave the following equation

$$\left|\mathrm{Adv}_5(\mathcal{A}) - \mathrm{Adv}_4(\mathcal{A})\right| \le \mathrm{negl}(\kappa). \quad (8)$$

Experiment $\mathrm{Exp}_6$. In this experiment we deal with the active sessions once again. For a $\mathrm{Send}(S_i, (label, X, T_{GN}, Auth_{GN}))$ query, if the timestamp $T_{GN}$ is within the transmission delay and $Auth_{GN}$ is a valid authenticator, we terminate the simulation and let the adversary win the attack game. Since the gateway node may not be corrupted, the symmetric key $K_{(GN,S_i)}$ is unknown to the adversary, and the timestamp $T_{GN}$ in the hash input ensures that an old authenticator cannot be replayed. The adversary can therefore only produce a valid $Auth_{GN}$ by issuing the query $(K_{(GN,S_i)}, X, label, T_{GN})$ to the hash oracle $H_4$, or by guessing the output of $H_4$ without asking it. As $K_{(GN,S_i)}$ and $Auth_{GN}$ are both random values in $\{0,1\}^\kappa$, the success probability of the adversary is negligible. As in the previous experiment we have

$$\left|\mathrm{Adv}_6(\mathcal{A}) - \mathrm{Adv}_5(\mathcal{A})\right| \le \mathrm{negl}(\kappa). \quad (9)$$

Experiment $\mathrm{Exp}_7$. In this experiment we change the simulation of $\mathrm{Send}$ queries for the last time. For a $\mathrm{Send}(GN, (label, X, T, c_1, s_m, s_a))$ query, the gateway node first checks the validity of the credential proof. If the proof is valid and the message was forged by the adversary (i.e., it was not produced by an honest user instance), we terminate the simulation and declare the adversary successful. The probability that the adversary produces such a fake proof is bounded by the unforgeability of the algebraic-MAC credential presentation; with an analysis similar to that of [23] we get

$$\left|\mathrm{Adv}_7(\mathcal{A}) - \mathrm{Adv}_6(\mathcal{A})\right| \le \mathrm{negl}(\kappa). \quad (10)$$

In the last experiment, all session keys of passive sessions are chosen at random from the key space, and every active session in which the adversary injects a valid-looking message is terminated without accepting. The only remaining way for the adversary to succeed is to steal the user's terminal, which holds $cred = \sigma + H_2(PW_U)$, and recover the credential $\sigma$ by guessing the password. A candidate $\sigma' = cred - H_2(PW')$ cannot be recognised as the genuine credential locally, so the adversary has to test each guess by executing the protocol with the gateway node, i.e., by a $\mathrm{Send}$ query. Consequently we have

$$\mathrm{Adv}_7(\mathcal{A}) \le C' \cdot Q_{send}^{\,s'}. \quad (11)$$

5 Performance Analysis

In this section we compare the computation cost, the communication cost and the security attributes of our protocol with those of related protocols with user anonymity [16–19]. For computation, let $T_M$ denote the time of one modular exponentiation, $T_{PM}$ the time of one point multiplication on the elliptic curve, $T_H$ the time of one hash computation and $T_S$ the time of one symmetric encryption or decryption. According to [24], $T_M \approx 1.169$ ms, $T_{PM} \approx 0.508$ ms, $T_H \approx 0.069$ ms and $T_S \approx 0.069$ ms. We only count the authentication and key exchange phase, because registration is a one-time job. For the communication cost we assume that an identity is 32 bits long, the security parameter $\kappa$ is 160 bits, a timestamp is 64 bits, an element of the ECC group is represented with 320 bits and an element of an RSA group with 1024 bits. We instantiate the signature scheme with the well-known ECDSA scheme [25]. The results are summarized in Table 2. Our protocol is the most expensive one in terms of computation, whereas the communication cost of the compared protocols is more or less the same. The extra computation of our protocol is the price of strong user anonymity: no one except the user learns the user's real identity, whereas in the other protocols the gateway node knows it.

Table 3 summarizes the security properties of the proposed protocol and of the related protocols. It can be seen from Table 3 that our protocol provides all of the listed security features. Moreover, it is the only one that provides strong user anonymity, and it comes with a formal security proof. Considering computation cost, communication cost and security attributes as a whole, our protocol outperforms the other protocols, and it is therefore more suitable for security- and privacy-critical application scenarios in WSNs.

8 Wireless Communications and Mobile Computing

Table 2: Comparisons of computation and communication costs

| | Wu et al. [16] | Jiang et al. [17] | Wang et al. [18] | Li et al. [19] | Our protocol |
| Computation time of user (ms) | $2T_{PM} + T_S + 11T_H \approx 1.04$ | $T_{PM} + 8T_H \approx 1.18$ | $2T_{PM} + 8T_H \approx 1.04$ | $2T_{PM} + 8T_H \approx 1.05$ | $4T_{PM} + 4T_H \approx 2.03$ |
| Computation time of gateway (ms) | $2T_S + 11T_H \approx 1.04$ | $T_{PM} + 12T_H \approx 1.19$ | $2T_{PM} + T_S + 11T_H \approx 1.05$ | $T_{PM} + 9T_H \approx 0.52$ | $4T_{PM} + 5T_H \approx 2.03$ |
| Computation time of sensor (ms) | $2T_{PM} + T_S + 4T_H \approx 1.05$ | $5T_H \approx 0.04$ | $2T_{PM} + T_S + 11T_H \approx 1.06$ | $4T_H \approx 0.03$ | $2T_{PM} + 3T_H \approx 1.02$ |
| Rounds | 4 | 4 | 4 | 4 | 4 |
| Bandwidth (bits) | 3168 | 2689 | 3968 | 2912 | 2976 |

Table 3: Comparisons of security features

| | Wu et al. [16] | Jiang et al. [17] | Wang et al. [18] | Li et al. [19] | Our protocol |
| Replay attack | secure | secure | secure | secure | secure |
| Privileged insider attack | secure | secure | secure | secure | secure |
| GW-node impersonation attack | secure | secure | secure | secure | secure |
| Stolen verifier attack | secure | secure | secure | secure | secure |
| Off-line dictionary attack | secure | secure | secure | secure | secure |
| Compromised sensor node attack | secure | secure | secure | secure | secure |
| Mutual authentication | yes | yes | yes | yes | yes |
| Session key establishment | yes | yes | yes | yes | yes |
| Key privacy | yes | no | yes | no | yes |
| User anonymity | weak | weak | weak | weak | strong |
| Formal security proof | yes | yes | yes | yes | yes |

6 Conclusions

In this paper we propose an anonymous authentication and key exchange protocol for WSNs. The most attractive property of our protocol is its strong user anonymity: no one except the user knows the user's real identity. Besides this, our protocol comes with a formal security proof in the random oracle model and has an efficient communication complexity. Its only disadvantage is that it consumes more computation resources. In wireless communication networks, establishing a channel usually consumes more energy than computation does, so the heavier computation cost is not a serious problem. Due to its high security and strong anonymity, our protocol is well suited to security- and privacy-critical application scenarios in WSNs.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the Funding of Science and Technology on Information Assurance Laboratory (no. KJ-17-001) and the Key Scientific and Technological Project of Henan Province (no. 122102210126).


References

[1] Y. Liu, W. Guo, C. Fan, L. Chang, and C. Cheng, "A practical privacy-preserving data aggregation (3PDA) scheme for smart grid," IEEE Transactions on Industrial Informatics, pp. 1–1, 2018.

[2] D. He, N. Kumar, H. Wang, L. Wang, K. R. Choo, and A. Vinel, "A provably-secure cross-domain handshake scheme with symptoms-matching for mobile healthcare social network," IEEE Transactions on Dependable and Secure Computing, pp. 1–1, 2016.

[3] J. Shen, T. Zhou, D. He, Y. Zhang, X. Sun, and Y. Xiang, "Block design-based key agreement for group data sharing in cloud computing," IEEE Transactions on Dependable and Secure Computing, vol. PP, no. 99, 2017.

[4] J. Shen, J. Shen, X. Chen, X. Huang, and W. Susilo, "An efficient public auditing protocol with novel dynamic structure for cloud data," IEEE Transactions on Information Forensics and Security, vol. 12, no. 10, pp. 2402–2415, 2017.

[5] D. He, S. Zeadally, and L. Wu, "Certificateless public auditing scheme for cloud-assisted wireless body area networks," IEEE Systems Journal, vol. 12, no. 1, pp. 64–73, 2018.

[6] Q. Jiang, Z. Chen, B. Li, et al., "Security analysis and improvement of bio-hashing based three-factor authentication scheme for telecare medical information systems," Journal of Ambient Intelligence and Humanized Computing, 2017.

[7] Q. Jiang, J. Ma, C. Yang, X. Ma, J. Shen, and S. A. Chaudhry, "Efficient end-to-end authentication protocol for wearable health monitoring systems," Computers and Electrical Engineering, 2017.

[8] M. L. Das, "Two-factor user authentication in wireless sensor networks," IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1086–1090, 2009.

[9] M. K. Khan and K. Alghathbar, "Cryptanalysis and security improvements of 'two-factor user authentication in wireless sensor networks'," Sensors, vol. 10, no. 3, pp. 2450–2459, 2010.

[10] H.-L. Yeh, T.-H. Chen, P.-C. Liu, T.-H. Kim, and H.-W. Wei, "A secured authentication protocol for wireless sensor networks using Elliptic Curves Cryptography," Sensors, vol. 11, no. 5, pp. 4767–4779, 2011.

[11] K. Xue, C. Ma, P. Hong, and R. Ding, "A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks," Journal of Network and Computer Applications, vol. 36, no. 1, pp. 316–323, 2013.

[12] D. He, N. Kumar, H. Shen, and J.-H. Lee, "One-to-many authentication for access control in mobile pay-TV systems," Science China Information Sciences, vol. 59, no. 5, pp. 1–14, 2016.

[13] J.-J. Yuan, "An enhanced two-factor user authentication in wireless sensor networks," Telecommunication Systems, vol. 55, no. 1, pp. 105–113, 2014.

[14] D. Wang and P. Wang, "Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks," Ad Hoc Networks, vol. 20, pp. 1–15, 2014.

[15] J. Shen, S. Chang, J. Shen, Q. Liu, and X. Sun, "A lightweight multi-layer authentication protocol for wireless body area networks," Future Generation Computer Systems, vol. 78, no. 3, pp. 956–963, 2018.

[16] F. Wu, L. Xu, S. Kumari, and X. Li, "A new and secure authentication scheme for wireless sensor networks with formal proof," Peer-to-Peer Networking and Applications, vol. 10, no. 1, pp. 16–30, 2017.

[17] Q. Jiang, S. Zeadally, J. Ma, and D. He, "Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks," IEEE Access, vol. 5, pp. 3376–3392, 2017.

[18] C. Wang, G. Xu, and J. Sun, "An enhanced three-factor user authentication scheme using elliptic curve cryptosystem for wireless sensor networks," Sensors, vol. 17, no. 12, article 2946, 2017.

[19] X. Li, J. Niu, S. Kumari, F. Wu, A. K. Sangaiah, and K. R. Choo, "A three-factor anonymous authentication scheme for wireless sensor networks in internet of things environments," Journal of Network and Computer Applications, vol. 103, pp. 194–204, 2018.

[20] C. Wang, D. Wang, G. Xu, and Y. Guo, "A lightweight password-based authentication protocol using smart card," International Journal of Communication Systems, vol. 30, no. 16, pp. 1–11, 2017.

[21] D. Wang, H. Cheng, P. Wang, et al., "Zipf's law in passwords," IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, pp. 2776–2791, 2017.

[22] F. Wei, P. Vijayakumar, J. Shen, R. Zhang, and L. Li, "A provably secure password-based anonymous authentication scheme for wireless body area networks," Computers and Electrical Engineering, 2017.

[23] Z. Zhang, K. Yang, X. Hu, and Y. Wang, "Practical anonymous password authentication and TLS with anonymous client authentication," in Proceedings of the 23rd ACM Conference on Computer and Communications Security (CCS 2016), pp. 1179–1191, October 2016.

[24] D. Wang and P. Wang, "Two birds with one stone: two-factor authentication with security beyond conventional bound," IEEE Transactions on Dependable and Secure Computing, 2016.

[25] C. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991.


Source PDF: downloads.hindawi.com/journals/wcmc/2018/2484268.pdf


Table 1: Notations

| Notation | Meaning |
| $ID_{GN}$ | identity of the gateway node |
| $ID_U$ | identity of the user $U$ |
| $ID_{S_i}$ | identity of the sensor node $S_i$ |
| $p, n$ | large prime numbers |
| $F_p$ | a finite field |
| $E$ | an elliptic curve defined over $F_p$ |
| $E(F_p)$ | the set of rational points of $E$ |
| $s_{GN}$ | secret key of the gateway node |
| $PW_U$ | the password of the user $U$ |
| $\oplus$ | exclusive OR |
| $\parallel$ | concatenation |
| $h(m)$ | cryptographic hash of message $m$ |
| $sign_{s_{GN}}(m)$ | signature on $m$ signed with $s_{GN}$ |
| $T_{GN}, T_{S_i}$ | timestamps of $GN$ and $S_i$ |

Figure 1: Registration phase of mobile user (diagram). $U$ sends $ID_U$ to $GN$ over a secure channel; $GN$ returns $(\sigma, c, s)$; $U$ checks the proof and stores $cred = \sigma + H_2(PW_U)$ in its terminal. The computations are spelled out in Steps 1 to 3 below.

$H_2 : \{0,1\}^* \to G^*$ and $H_0, H_3, H_4, H_5 : \{0,1\}^* \to \{0,1\}^\kappa$, where $\kappa$ is the security parameter. All these parameters $(F_p, E, E(F_p), G, P, Q_{GN}, H_i\ (i = 0, 1, \ldots, 5))$ are available to all the entities in the WSN.

3.2 The Registration Phase. If a user $U$ wants to access the data collected by the sensor nodes in the WSN, $U$ has to register with the gateway node. For a pictorial illustration of the user registration please refer to Figure 1. The detailed steps are described in the following.

Step 1. The user $U$ chooses his identity $ID_U$ and his password $PW_U$ from the password dictionary, and sends his identity $ID_U$ to the gateway node $GN$ through a secure channel.

Step 2. When the gateway node $GN$ receives the registration request, it verifies the validity of $U$'s identity $ID_U$. If it is valid and no other user in its database is registered under the same identity, $GN$ first computes the credential $\sigma = \big(1/(s_{GN} + H_1(ID_U))\big)\,P$. Then $GN$ chooses a random number $r \in Z_n^*$ and computes $R_1 = r\sigma$, $R_2 = rP$, $c = H_1(P, Q_{GN}, H_1(ID_U), \sigma, R_1, R_2)$ and $s = (r + c\,s_{GN}) \bmod n$. Finally, $GN$ sends the registration message $(\sigma, c, s)$ to the user $U$ through a secure channel.

Step 3. When the user $U$ receives the registration message $(\sigma, c, s)$ from $GN$, $U$ verifies it: $U$ computes $R_1^* = (s + c\,H_1(ID_U))\,\sigma - cP$, $R_2^* = sP - c\,Q_{GN}$ and $c^* = H_1(P, Q_{GN}, H_1(ID_U), \sigma, R_1^*, R_2^*)$, and checks whether $c^*$ equals $c$. If the verification succeeds, $U$ accepts $\sigma$ as a valid credential. Finally, $U$ computes $cred = \sigma + H_2(PW_U)$ and stores the password-protected credential $cred$ in his terminal.
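The check in Step 3 succeeds for an honestly issued credential; the following derivation (added here, it is not in the original text) shows why. Write $h = H_1(ID_U)$ and recall that $Q_{GN} = s_{GN}P$ and $\sigma = P/(s_{GN} + h)$, so that $(s_{GN} + h)\,\sigma = P$:

$$
\begin{aligned}
R_1^* &= (s + c\,h)\,\sigma - cP = (r + c\,s_{GN} + c\,h)\,\sigma - cP = r\sigma + c\,(s_{GN} + h)\,\sigma - cP = r\sigma = R_1,\\
R_2^* &= sP - c\,Q_{GN} = (r + c\,s_{GN})\,P - c\,s_{GN}P = rP = R_2,
\end{aligned}
$$

hence $c^* = H_1(P, Q_{GN}, h, \sigma, R_1^*, R_2^*) = c$. The value of the proof is that it ties $\sigma$ to the published $Q_{GN}$: a gateway that issued this user a credential under some other secret $s' \neq s_{GN}$ could later single the user out, because the proof of Step 2 in Section 3.3 would then verify only with $V = s'T$.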

The registration of a sensor node is much simpler than the user registration. The sensor node $S_i$ sends a registration request to the gateway node $GN$ through a secure channel. Upon receiving the request, $GN$ computes the symmetric key $K_{(GN,S_i)} = H_3(GN, S_i, s_{GN})$ and sends $K_{(GN,S_i)}$ to $S_i$ through a secure channel. $GN$ keeps no per-sensor table: it re-derives $K_{(GN,S_i)}$ from $s_{GN}$ whenever it is needed (Steps 2 and 4 of Section 3.3).

3.3 The Authentication and Key Exchange Phase. Suppose a user $U$ wants to get real-time data from the sensor node $S_i$. $U$ has to execute the authentication and key exchange phase with the gateway node $GN$ and the sensor node $S_i$. During this phase the user $U$, the gateway node $GN$ and the sensor node $S_i$ authenticate each other, and at the end of the phase a session key is established between $U$ and $S_i$ to protect the upcoming data transmission. The detailed steps of the authentication and key exchange phase are described below; for a pictorial illustration please refer to Figure 2.

Figure 2: Authentication and key exchange phase (diagram). The four messages are (1) $U \to GN$: $(label, X, T, c_1, s_m, s_a)$; (2) $GN \to S_i$: $(label, X, T_{GN}, Auth_{GN})$; (3) $S_i \to GN$: $(S_i, Y, T_{S_i}, Auth_{S_i})$; (4) $GN \to U$: $(Y, \sigma_{GN})$. The computations at each party are given in Steps 1 to 5 below.

Step 1. The user $U$ types his password $PW_U$ into his terminal. The terminal computes $H_2(PW_U)$ and recovers the credential $\sigma = cred - H_2(PW_U)$. $U$ then chooses a random number $x \in Z_n^*$, computes $X = xP$ and defines the label of this session as $label = (ID_{GN}, ID_{S_i})$. $U$ chooses three random numbers $a, r_m, r_a \in Z_n^*$ and computes $T = a\sigma$, $R_3 = r_a P - r_m T$, $c_1 = H_1(P, T, R_3, X, label)$, $s_m = (r_m + c_1 H_1(ID_U)) \bmod n$ and $s_a = (r_a + c_1 a) \bmod n$. Finally, $U$ sends the message $(label, X, T, c_1, s_m, s_a)$ to the gateway node $GN$.

Step 2. Upon receiving the message $(label, X, T, c_1, s_m, s_a)$ from the user, $GN$ authenticates $U$: it computes $V = s_{GN}T$, $R_3^* = s_a P - c_1 V - s_m T$ and $c_1^* = H_1(P, T, R_3^*, X, label)$, and checks whether $c_1^*$ equals $c_1$. If the verification succeeds, $GN$ accepts $U$ as a registered user; note that the message carries only the blinded credential $T = a\sigma$ and the proof values, never $ID_U$. $GN$ then computes the key shared with the sensor node, $K_{(GN,S_i)} = H_3(GN, S_i, s_{GN})$, and the authenticator $Auth_{GN} = H_4(K_{(GN,S_i)}, X, label, T_{GN})$, where $T_{GN}$ is the current timestamp of $GN$. Finally, $GN$ sends the message $(label, X, T_{GN}, Auth_{GN})$ to the sensor node $S_i$.

Step 3. Upon receiving the message $(label, X, T_{GN}, Auth_{GN})$ from $GN$ at time $T^*_{GN}$, the sensor node $S_i$ first checks whether $|T^*_{GN} - T_{GN}| \le \Delta T$, where $\Delta T$ is the expected transmission delay. If so, $S_i$ verifies the authenticator $Auth_{GN}$ using its symmetric key $K_{(GN,S_i)}$. If the authenticator is valid, $S_i$ chooses a random number $y \in Z_n^*$ and computes $Y = yP$. $S_i$ then computes the authenticator $Auth_{S_i} = H_5(K_{(GN,S_i)}, X, Y, T_{GN}, T_{S_i}, label)$, where $T_{S_i}$ is the current timestamp of $S_i$, the Diffie-Hellman key $K = yX$ and the session key $sk = H_0(label, X, Y, K)$. Finally, $S_i$ sends the message $(S_i, Y, T_{S_i}, Auth_{S_i})$ to the gateway node $GN$.

Step 4. Upon receiving the message $(S_i, Y, T_{S_i}, Auth_{S_i})$ from $S_i$ at time $T^*_{S_i}$, $GN$ first checks whether $|T^*_{S_i} - T_{S_i}| \le \Delta T$. If so, $GN$ computes the shared key $K_{(GN,S_i)} = H_3(GN, S_i, s_{GN})$ and verifies the authenticator $Auth_{S_i}$. If the verification succeeds, $GN$ computes $r_{GN} = H_1(label, X, T, c_1, s_m, s_a, Y)$ and signs $r_{GN}$ with its private key $s_{GN}$; the signature is denoted $\sigma_{GN}$. Finally, $GN$ sends the message $(Y, \sigma_{GN})$ to the user $U$.
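The gateway-to-sensor leg of Steps 2 to 4 (the timestamp window and the keyed authenticators $Auth_{GN}$ and $Auth_{S_i}$), as an added example in Python; this is not code from the paper. $H_3$, $H_4$ and $H_5$ are instantiated as domain-separated SHA-256 (an assumption), $X$ and $Y$ are passed in as already-encoded byte strings (constructed values, since this block does no curve arithmetic), $\Delta T$ is set to 5 s, and `sensor_step3`, `gn_step4` and `demo` are hypothetical names. `demo` runs one honest exchange and then feeds the sensor a stale, a tampered, a replayed and a wrong-key copy of message (2).

```python
import hashlib
import hmac

DELTA_T = 5  # seconds; the transmission-delay window Delta T (the value is an assumption)

def H(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated, length-prefixed SHA-256 standing in for H3, H4 and H5."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()

def k_gn_s(s_gn: bytes, gn: bytes, si: bytes) -> bytes:
    """Sensor registration: K_(GN,Si) = H3(GN, Si, s_GN); GN re-derives it on demand."""
    return H(b"H3", gn, si, s_gn)

def auth_gn(k: bytes, X: bytes, label: bytes, t_gn: int) -> bytes:
    """Step 2: Auth_GN = H4(K_(GN,Si), X, label, T_GN)."""
    return H(b"H4", k, X, label, str(t_gn).encode())

def auth_s(k: bytes, X: bytes, Y: bytes, t_gn: int, t_s: int, label: bytes) -> bytes:
    """Step 3: Auth_Si = H5(K_(GN,Si), X, Y, T_G N, T_Si, label)."""
    return H(b"H5", k, X, Y, str(t_gn).encode(), str(t_s).encode(), label)

def sensor_step3(k, msg, now, Y, seen):
    """Sensor side of Step 3; msg = (label, X, T_GN, Auth_GN). Returns message (3) or None."""
    label, X, t_gn, tag = msg
    if abs(now - t_gn) > DELTA_T:
        return None                      # |T*_GN - T_GN| > Delta T: stale or future timestamp
    if not hmac.compare_digest(tag, auth_gn(k, X, label, t_gn)):
        return None                      # wrong key, or X / label / T_GN tampered with
    if tag in seen:
        return None                      # verbatim replay inside the window (cache is an addition)
    seen.add(tag)
    return (b"S1", Y, now, auth_s(k, X, Y, t_gn, now, label))

def gn_step4(k, X, label, t_gn, reply, now):
    """GN side of Step 4: freshness of T_Si and validity of Auth_Si."""
    _si, Y, t_s, tag = reply
    if abs(now - t_s) > DELTA_T:
        return False
    return hmac.compare_digest(tag, auth_s(k, X, Y, t_gn, t_s, label))

def demo():
    """Constructed run: honest exchange, then stale, tampered, replayed and wrong-key cases."""
    s_gn = b"\x00" * 31 + b"\x01"                           # constructed gateway secret
    k = k_gn_s(s_gn, b"GN", b"S1")
    X, Y = b"\x02" + b"\x11" * 32, b"\x03" + b"\x22" * 32   # constructed encodings of X = xP, Y = yP
    label, t0, seen = b"GN|S1", 1_700_000_000, set()
    m2 = (label, X, t0, auth_gn(k, X, label, t0))
    reply = sensor_step3(k, m2, t0 + 1, Y, seen)
    honest = reply is not None and gn_step4(k, X, label, t0, reply, t0 + 2)
    stale = sensor_step3(k, m2, t0 + DELTA_T + 1, Y, set()) is None
    bad = (label, b"\x02" + b"\x33" * 32, t0, m2[3])
    tampered = sensor_step3(k, bad, t0 + 1, Y, set()) is None
    replayed = sensor_step3(k, m2, t0 + 2, Y, seen) is None
    wrong_key = sensor_step3(k_gn_s(s_gn, b"GN", b"S2"), m2, t0 + 1, Y, set()) is None
    return honest, stale, tampered, replayed, wrong_key
```

Two details the text leaves implicit: the authenticator comparison must be constant-time (`hmac.compare_digest`), and a verbatim copy of message (2) still verifies as long as it arrives within $\Delta T$; the small `seen` cache that rejects it is an addition of this example, not part of the protocol as described.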

Step 5. Upon receiving the message $(Y, \sigma_{GN})$ from $GN$, $U$ first verifies the signature: $U$ computes $r^*_{GN} = H_1(label, X, T, c_1, s_m, s_a, Y)$ and checks that $\sigma_{GN}$ is a valid signature of $GN$ on $r^*_{GN}$. If the verification succeeds, $U$ computes the Diffie-Hellman key $K = xY$ and the session key $sk = H_0(label, X, Y, K)$, accepts the session and waits for the upcoming communication.
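The registration steps of Section 3.2 and Steps 1, 2, 3 and 5 of Section 3.3, run end to end in Python as an added example; this is not the authors' code. The paper fixes no curve, so secp256k1 is assumed; $H_1$ is SHA-256 reduced into $Z_n^*$, $H_2$ is realised as $H_1(\cdot)\,P$, and the gateway-sensor authenticators and the signature $\sigma_{GN}$ of Step 4 are left out. The hypothetical `run_protocol` returns whether $GN$ accepts the proof and whether $U$ and $S_i$ derive the same $sk$; a second call with a wrong password shows that a wrongly recovered credential is only rejected online, at the gateway, which is the behaviour the bound in Section 4 relies on.

```python
import hashlib
import secrets
# The paper fixes no concrete curve; this added example uses secp256k1 (assumption).
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition on E(F_p); None is the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0:
        return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, p) % p
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, p) % p
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)

def mul(k, A):  # double-and-add k*A; not constant-time, demo only
    R, k = None, k % n
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def sub(A, B):
    return add(A, None if B is None else (B[0], (-B[1]) % p))
def enc(*items):
    """Canonical encoding of points, scalars and labels before hashing."""
    out = b""
    for it in items:
        if isinstance(it, tuple):
            it = it[0].to_bytes(32, "big") + it[1].to_bytes(32, "big")
        elif isinstance(it, int):
            it = it.to_bytes(32, "big")
        out += (it.encode() if isinstance(it, str) else it) + b"|"
    return out

def H1(*items):  # {0,1}* -> Z_n^*
    return int.from_bytes(hashlib.sha256(b"H1" + enc(*items)).digest(), "big") % (n - 1) + 1
def H2(*items):  # {0,1}* -> G^*, realised as H1(.)*P (assumption)
    return mul(H1("H2", *items), P)
def H0(*items):  # {0,1}* -> {0,1}^kappa, the session key
    return hashlib.sha256(b"H0" + enc(*items)).digest()
def rand():
    return secrets.randbelow(n - 1) + 1

def gn_register_user(s_gn, id_u):
    """3.2 Step 2: sigma = P/(s_GN + H1(ID_U)) plus the Schnorr-style proof (c, s)."""
    Q_gn = mul(s_gn, P)
    sigma = mul(pow((s_gn + H1(id_u)) % n, -1, n), P)
    r = rand()
    R1, R2 = mul(r, sigma), mul(r, P)
    c = H1(P, Q_gn, H1(id_u), sigma, R1, R2)
    return sigma, c, (r + c * s_gn) % n

def user_accept_credential(Q_gn, id_u, pw, sigma, c, s):
    """3.2 Step 3: recompute R1*, R2*; on success store cred = sigma + H2(PW_U)."""
    R1 = sub(mul(s + c * H1(id_u), sigma), mul(c, P))
    R2 = sub(mul(s, P), mul(c, Q_gn))
    if H1(P, Q_gn, H1(id_u), sigma, R1, R2) != c:
        raise ValueError("credential proof does not verify")
    return add(sigma, H2(pw))

def user_auth_request(cred, pw, id_u, label):
    """3.3 Step 1: blind sigma with a fresh a and prove knowledge of (H1(ID_U), a)."""
    sigma = sub(cred, H2(pw))
    x = rand()
    X = mul(x, P)
    a, rm, ra = rand(), rand(), rand()
    T = mul(a, sigma)
    R3 = sub(mul(ra, P), mul(rm, T))
    c1 = H1(P, T, R3, X, label)
    sm, sa = (rm + c1 * H1(id_u)) % n, (ra + c1 * a) % n
    return x, (label, X, T, c1, sm, sa)

def gn_verify_user(s_gn, msg):
    """3.3 Step 2: sa*P - c1*s_GN*T - sm*T equals R3 iff T = a*sigma for a genuine sigma."""
    label, X, T, c1, sm, sa = msg
    R3 = sub(sub(mul(sa, P), mul(c1, mul(s_gn, T))), mul(sm, T))
    return H1(P, T, R3, X, label) == c1

def run_protocol(pw_typed=None, id_u="user-0001", pw="correct horse", label="GN|S1"):
    """Register, then log in with pw_typed; returns (gn_accepts, keys_match, sk)."""
    s_gn = rand()
    cred = user_accept_credential(mul(s_gn, P), id_u, pw, *gn_register_user(s_gn, id_u))
    x, msg = user_auth_request(cred, pw if pw_typed is None else pw_typed, id_u, label)
    if not gn_verify_user(s_gn, msg):
        return False, False, None       # GN stops here; a wrong guess only fails online
    y = rand()                          # 3.3 Step 3 (sensor): Y = yP, K = yX
    X, Y = msg[1], mul(y, P)
    sk_sensor = H0(label, X, Y, mul(y, X))
    sk_user = H0(label, X, Y, mul(x, Y))   # 3.3 Step 5 (user): K = xY
    return True, sk_user == sk_sensor, sk_user
```

The message built in `user_auth_request` carries $T = a\sigma$ under a fresh $a$ together with $c_1, s_m, s_a$, but never $ID_U$; `gn_verify_user` needs only $s_{GN}$ to check it, which is where the strong anonymity comes from. A wrong password yields some other point $\sigma'$, the term $c_1 a\,(P - (s_{GN} + H_1(ID_U))\,\sigma')$ no longer vanishes, and the gateway rejects.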

4 Security Proof

In this section we present the security proof of our protocol. The proof is conducted in the security model presented in Section 2.

Theorem 1. Suppose $\mathcal{P}$ is the anonymous authentication and key exchange protocol for WSNs described in the previous section, and $\mathcal{A}$ is a PPT adversary against the AKE security of $\mathcal{P}$ that runs in time $t$ and makes at most $Q_{send}$ queries to the $\mathrm{Send}$ oracle for different instances. If the signature scheme used in our protocol is existentially unforgeable against adaptive chosen message attacks and the hash functions $H_i(\cdot)$ ($i = 0, 1, \ldots, 5$) are modeled as random oracles, then under the CDH assumption the advantage of $\mathcal{A}$ in violating the AKE security of $\mathcal{P}$ is at most

$$\mathrm{Adv}^{ake}_{\mathcal{P},\mathcal{D}}(\mathcal{A}) \le C' \cdot Q_{send}^{\,s'} + \mathrm{negl}(\kappa), \quad (2)$$

where $C'$ and $s'$ are the parameters of the Zipf distribution of the password dictionary $\mathcal{D}$ [21].

Proof. We prove Theorem 1 with a sequence of hybrid experiments. The experiments start from the real attack scenario, and in each one we gradually change the simulation rules; in the last experiment the advantage of the adversary in distinguishing the session key from random is negligible. We bound the difference of the adversary's advantage between consecutive experiments, from which its advantage in breaking the AKE security follows. We denote the adversary's advantage in hybrid $\mathrm{Exp}_i$ by $\mathrm{Adv}_i(\mathcal{A})$.

Experiment $\mathrm{Exp}_0$. This is the real attack scenario defined in the security model. In this experiment the adversary has access to all the oracles. By the definition of $\mathcal{A}$'s advantage we have

$$\mathrm{Adv}^{ake}_{\mathcal{P},\mathcal{D}}(\mathcal{A}) = \mathrm{Adv}_0(\mathcal{A}). \quad (3)$$

Experiment $\mathrm{Exp}_1$. In this experiment we simulate all the hash functions $H_i(\cdot)$ ($i = 0, 1, \ldots, 5$) by maintaining hash lists $\Lambda_{H_i}$ ($i = 0, 1, \ldots, 5$) using the following rules.

(i) On a query $H_i(m)$, if a record $(i, m, r)$ exists in $\Lambda_{H_i}$, return $r$. Otherwise the output $r$ is chosen according to the rule $Rule_{H_i}$:
    if $i = 1$, choose a random element $r$ from $Z_n^*$ and add the record $(1, m, r)$ to $\Lambda_{H_1}$;
    if $i = 2$, choose a random element $r$ from $G$ and add the record $(2, m, r)$ to $\Lambda_{H_2}$;
    if $i \in \{0, 3, 4, 5\}$, choose a random element $r$ from $\{0,1\}^\kappa$ and add the record $(i, m, r)$ to $\Lambda_{H_i}$.

In addition to these lists, we also simulate six private hash oracles $H'_i$ ($i = 0, 1, \ldots, 5$) by maintaining hash lists $\Lambda'_{H_i}$ ($i = 0, 1, \ldots, 5$). The adversary cannot query these private oracles; we use them in the following hybrid experiments. It is well known that a hash function can be simulated perfectly in PPT time using the above rules, thus we have

$$\left|\mathrm{Adv}_1(\mathcal{A}) - \mathrm{Adv}_0(\mathcal{A})\right| \le \mathrm{negl}(\kappa). \quad (4)$$

Experiment $\mathrm{Exp}_2$. In this experiment we cancel the sessions in which some unlikely collisions occur. More specifically, if a collision occurs in the simulation of the hash functions or in the transcripts $(X, Y, T, c_1, s_m, s_a, \sigma_{GN})$, we terminate the session and let the adversary win. By the birthday paradox we have

$$\left|\mathrm{Adv}_2(\mathcal{A}) - \mathrm{Adv}_1(\mathcal{A})\right| \le \mathrm{negl}(\kappa). \quad (5)$$

Experiment $\mathrm{Exp}_3$. In this experiment we modify the simulation of the sessions created by $\mathrm{Execute}$ queries. Whenever we need to compute the session key of a passive session, we use the private hash oracle $H'_0$ instead of $H_0$, and the Diffie-Hellman key $K$ is no longer used as an input; that is, the session key of a passive session is computed as $sk = H'_0(label, X, Y)$. The adversary can distinguish $\mathrm{Exp}_3$ from $\mathrm{Exp}_2$ if and only if it issues a hash query $(label, X, Y, K)$ to $H_0$ in which $X, Y$ were generated in a passive session and $K = \mathrm{CDH}(X, Y)$. If the adversary can issue such a query, however, we can use it to solve the CDH problem.

Given a CDH instance $(U, V)$, we embed it into all passive sessions using the random self-reducibility of the CDH problem. For each passive session we choose four random numbers $a_0, b_0, a_1, b_1 \in Z_n^*$ and, when simulating the transcript, set $X = a_0 U + b_0 P$ and $Y = a_1 V + b_1 P$. All other transcript values are simulated as usual, and the session key is computed as $sk = H'_0(label, X, Y)$. If the adversary distinguishes this experiment from the previous one, a query $(label, X, Y, K)$ with the correct $K$ must have been issued to $H_0$. We then select a random record $(0, (label, X, Y, K), r)$ from $\Lambda_{H_0}$ and output $(K - a_0 b_1 U - a_1 b_0 V - b_0 b_1 P) / (a_0 a_1)$ as the Diffie-Hellman value of $(U, V)$.
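The extraction formula can be checked by writing $U = uP$ and $V = vP$ (an added derivation in the symbols of the experiment, not part of the original text). Then $X = (a_0 u + b_0)\,P$ and $Y = (a_1 v + b_1)\,P$, so the Diffie-Hellman value of the embedded pair is

$$
K = \mathrm{CDH}(X, Y) = (a_0 u + b_0)(a_1 v + b_1)\,P
  = a_0 a_1\,uvP + a_0 b_1\,U + a_1 b_0\,V + b_0 b_1\,P,
$$

and therefore

$$
\mathrm{CDH}(U, V) = uvP = \frac{1}{a_0 a_1}\,\big(K - a_0 b_1\,U - a_1 b_0\,V - b_0 b_1\,P\big),
$$

with the inverse of $a_0 a_1$ taken modulo $n$. The simulator does not know which $H_0$ record holds the right $K$, so picking a record at random loses a factor equal to the number of $H_0$ queries, which is polynomial and does not affect the bound.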

Under the intractability assumption of the CDH problem, we therefore have

$$\left|\mathrm{Adv}_3(\mathcal{A}) - \mathrm{Adv}_2(\mathcal{A})\right| \le \mathrm{negl}(\kappa). \quad (6)$$

Experiment $\mathrm{Exp}_4$. In this experiment we begin to deal with the active sessions. For a $\mathrm{Send}(U, (Y, \sigma_{GN}))$ query, if the signature $\sigma_{GN}$ is a valid signature for this active session, we simply terminate the simulation and let the adversary win.


win Since the user 119880 is honest in this session the message(119883 119879 1198881 119904119898 119904119886) is generated by the user119880 Besides we cancelthe experiment in which the collision occurs in the outputof the hash functions and the transcripts in 1198641199091199012 so thesignature 120590119866119873 is valid if it is a signature for the randomnumber 119903119866119873The adversary wins the game in this experimentif and only if a new signature is forged The signature schemeused in our protocol is existential unforgeable against thechosen message attacks so the advantage of the adversaryAin forging a signature for a new random number is negligibleIt is obvious that

$|Adv_4(\mathcal{A}) - Adv_3(\mathcal{A})| \le negl(\kappa)$ (7)

Experiment $Exp_5$. In this experiment we continue to deal with the active sessions. For a $Send(GN, (S_i, Y, T_{S_i}, Auth_{S_i}))$ query, if the sensor node $S_i$ is uncorrupted, the timestamp $T_{S_i}$ is within the transmission delay and $Auth_{S_i}$ is a valid authenticator, then we simply terminate the simulation and let the adversary win the attack game. Since $S_i$ is uncorrupted, the symmetric key $K_{(GN,S_i)}$ is unknown to the adversary, and the timestamp $T_{S_i}$ rules out the replay of an old authenticator. The adversary can therefore produce a valid $Auth_{S_i}$ only by issuing the query $(K_{(GN,S_i)}, X, Y, T_{GN}, T_{S_i}, label)$ to the hash oracle $H_5$, which requires it to guess $K_{(GN,S_i)}$, or by guessing the output of $H_5$ without asking the corresponding query. As $K_{(GN,S_i)}$ and $Auth_{S_i}$ are both uniformly random values in $\{0,1\}^\kappa$, the success probability of the adversary is negligible. Consequently we have

$|Adv_5(\mathcal{A}) - Adv_4(\mathcal{A})| \le negl(\kappa)$ (8)

Experiment $Exp_6$. In this experiment we deal with the active sessions once again. For a $Send(S_i, (label, X, T_{GN}, Auth_{GN}))$ query, if the timestamp $T_{GN}$ is within the transmission delay and $Auth_{GN}$ is a valid authenticator, then we simply terminate the simulation and let the adversary win the attack game. Since the gateway node is not allowed to be corrupted, the symmetric key $K_{(GN,S_i)}$ is unknown to the adversary, and the timestamp $T_{GN}$ ensures that the adversary cannot replay an old authenticator. The adversary can therefore produce a valid $Auth_{GN}$ only by issuing the query $(K_{(GN,S_i)}, X, label, T_{GN})$ to the hash oracle $H_4$, or by guessing the output of $H_4$ without asking the corresponding query. As $K_{(GN,S_i)}$ and $Auth_{GN}$ are both uniformly random values in $\{0,1\}^\kappa$, the success probability of the adversary is negligible. As in the previous experiment, we have

$|Adv_6(\mathcal{A}) - Adv_5(\mathcal{A})| \le negl(\kappa)$ (9)
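The two authenticator checks argued in $Exp_5$ and $Exp_6$, as an added Python example that is not part of the paper: it models the gateway-to-sensor leg of the protocol (Steps 2 to 4) with SHA-256, truncated to $\kappa = 160$ bits, standing in for the random oracles $H_3$, $H_4$, $H_5$ (an assumption, since the paper leaves them abstract), a constructed transmission-delay bound $\Delta T$ of 5 seconds, constructed byte strings standing in for the points $X$ and $Y$, and function and variable names of my own.

```python
"""GN <-> Si authenticators with timestamp windows (added example, not the paper's code)."""
import hashlib
import hmac
import secrets

KAPPA_BYTES = 20   # kappa = 160 bits, as in the performance analysis
DELTA_T = 5        # assumed bound on the transmission delay, in seconds


def H(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated stand-in for H3/H4/H5: SHA-256 over length-prefixed fields."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)   # length prefix: no field ambiguity
    return h.digest()[:KAPPA_BYTES]


def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")                         # 64-bit timestamp


def shared_key(id_gn: bytes, id_s: bytes, s_gn: bytes) -> bytes:
    """K_(GN,Si) = H3(GN, Si, s_GN): GN derives it from s_GN, the sensor stores it."""
    return H(b"H3", id_gn, id_s, s_gn)


def auth_gn(k: bytes, X: bytes, label: bytes, t_gn: int) -> bytes:
    """Auth_GN = H4(K_(GN,Si), X, label, T_GN), sent in message 2."""
    return H(b"H4", k, X, label, ts(t_gn))


def auth_s(k: bytes, X: bytes, Y: bytes, t_gn: int, t_s: int, label: bytes) -> bytes:
    """Auth_Si = H5(K_(GN,Si), X, Y, T_GN, T_Si, label), sent in message 3."""
    return H(b"H5", k, X, Y, ts(t_gn), ts(t_s), label)


def sensor_step3(id_s: bytes, k: bytes, msg2, now: int, Y: bytes):
    """Si's checks in Step 3. Returns message 3, or None when message 2 is rejected."""
    label, X, t_gn, a = msg2
    if abs(now - t_gn) > DELTA_T:                        # |T*_GN - T_GN| <= DeltaT
        return None
    if not hmac.compare_digest(a, auth_gn(k, X, label, t_gn)):   # constant-time compare
        return None
    return (id_s, Y, now, auth_s(k, X, Y, t_gn, now, label))


def gateway_step4(k: bytes, X: bytes, label: bytes, t_gn: int, msg3, now: int) -> bool:
    """GN's checks in Step 4: True iff the sensor's authenticator is fresh and valid."""
    _id_s, Y, t_s, a = msg3
    if abs(now - t_s) > DELTA_T:                         # |T*_Si - T_Si| <= DeltaT
        return False
    return hmac.compare_digest(a, auth_s(k, X, Y, t_gn, t_s, label))


def run_exchange(t_gn_send=1000, t_s_recv=1001, t_gn_recv=1002, tamper=None) -> bool:
    """Drive Steps 2-4 on constructed values; True iff GN accepts the sensor's reply."""
    id_gn, id_s = b"GN", b"S1"
    label = id_gn + id_s                                  # label = (ID_GN, ID_Si)
    s_gn = hashlib.sha256(b"constructed gateway secret s_GN").digest()
    X = hashlib.sha256(b"constructed stand-in for the user's X = xP").digest()
    Y = hashlib.sha256(b"constructed stand-in for the sensor's Y = yP").digest()
    k_gn = shared_key(id_gn, id_s, s_gn)
    # "key": the sensor was provisioned with a different key than GN derives
    k_s = secrets.token_bytes(KAPPA_BYTES) if tamper == "key" else k_gn
    msg2 = (label, X, t_gn_send, auth_gn(k_gn, X, label, t_gn_send))
    if tamper == "X":                                     # attacker swaps X, keeps Auth_GN
        msg2 = (label, hashlib.sha256(b"adversary's X'").digest(), t_gn_send, msg2[3])
    msg3 = sensor_step3(id_s, k_s, msg2, t_s_recv, Y)
    if msg3 is None:
        return False
    return gateway_step4(k_gn, X, label, t_gn_send, msg3, t_gn_recv)
```

run_exchange() accepts; a message 2 delivered more than $\Delta T$ late, a message 3 arriving late at the gateway, a swapped $X$, or a sensor holding the wrong $K_{(GN,S_i)}$ are all rejected. Note what the timestamp does and does not buy: a copy of message 2 replayed within $\Delta T$ still passes the sensor's checks (run_exchange(t_s_recv=1004) returns True), so the window, not the timestamp itself, bounds replays, and $\Delta T$ should be as tight as clock synchronization between GN and the sensors allows.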

Experiment $Exp_7$. In this experiment we change the simulation rule of $Send$ queries for the last time. For a $Send(GN, (label, X, T, c_1, s_m, s_a))$ query, the gateway node first checks the validity of the credential proof. If the credential proof is valid and the message was forged by the adversary, we terminate the simulation and declare the adversary successful. However, the probability that the adversary produces a valid proof without holding a credential is bounded by the unforgeability of the algebraic MAC and the soundness of its presentation proof; following the analysis of [23], we get the following result:

$|Adv_7(\mathcal{A}) - Adv_6(\mathcal{A})| \le negl(\kappa)$ (10)

In the last experiment, all the session keys of passive sessions are chosen uniformly at random from the key space, and all the active sessions are terminated without accepting. The only remaining way for the adversary to succeed is to steal the user's terminal, recover the credential by guessing the password, and verify each guess by executing the protocol with the gateway, which costs one $Send$ query per guess. Consequently, with $C'$ and $s'$ the Zipf-law parameters of the password distribution [21], we have

$|Adv_7(\mathcal{A})| \le C' \cdot Q_{send}^{s'}$ (11)

5. Performance Analysis

In this section we compare the computation cost, communication cost and security attributes of our protocol with those of other related protocols that provide user anonymity [16-19]. For computation, let $T_M$ denote the time of one modular exponentiation, $T_{PM}$ the time of one point multiplication on an elliptic curve, $T_H$ the time of one hash computation and $T_S$ the time of one symmetric encryption or decryption operation. According to [24], $T_M \approx 1.169$ ms, $T_{PM} \approx 0.508$ ms, $T_H \approx 0.069$ ms and $T_S \approx 0.069$ ms. We only evaluate the computation cost of the authentication and key exchange phase, because the registration phase is a one-time job. For communication cost we assume that an identity is 32 bits long, the security parameter $\kappa$ is 160 bits, a timestamp is 64 bits, an element of the ECC group is represented with 320 bits and an element of an RSA group with 1024 bits. The signature scheme is instantiated with ECDSA (the reference given for it, [25], is Schnorr's signature scheme; both produce a two-scalar signature of 320 bits at this parameter size, so the bandwidth figure is the same either way). The communication and computation costs are summarized in Table 2. Our protocol is the most expensive in computation, while the communication cost of all compared protocols is roughly the same. The extra computation of our protocol comes from strong user anonymity: in our protocol no one except the user knows the user's real identity, whereas in the other protocols the gateway node learns it.

Table 3 summarizes the security properties of the proposed protocol and of the related protocols. As Table 3 shows, our protocol provides all of the listed security features, and it is the only one that provides strong user anonymity (all five protocols come with a formal security proof). Considering computation cost, communication cost and security attributes as a whole, our protocol outperforms the other protocols, and it is therefore better suited to security- and privacy-critical application scenarios in WSNs.


Table 2: Comparisons of computation and communication costs

Protocol           User (ms)                    Gateway (ms)                 Sensor (ms)                  Rounds  Bandwidth (bits)
Wu et al. [16]     2T_PM + T_S + 11T_H ≈ 1.04   2T_S + 11T_H ≈ 1.04          2T_PM + T_S + 4T_H ≈ 1.05    4       3168
Jiang et al. [17]  T_PM + 8T_H ≈ 1.18           T_PM + 12T_H ≈ 1.19          5T_H ≈ 0.04                  4       2689
Wang et al. [18]   2T_PM + 8T_H ≈ 1.04          2T_PM + T_S + 11T_H ≈ 1.05   2T_PM + T_S + 11T_H ≈ 1.06   4       3968
Li et al. [19]     2T_PM + 8T_H ≈ 1.05          T_PM + 9T_H ≈ 0.52           4T_H ≈ 0.03                  4       2912
Our protocol       4T_PM + 4T_H ≈ 2.03          4T_PM + 5T_H ≈ 2.03          2T_PM + 3T_H ≈ 1.02          4       2976

Table 3: Comparisons of security features

Security feature                Wu et al. [16]  Jiang et al. [17]  Wang et al. [18]  Li et al. [19]  Our protocol
Replay attack                   secure          secure             secure            secure          secure
Privileged insider attack       secure          secure             secure            secure          secure
GW-node impersonation attack    secure          secure             secure            secure          secure
Stolen verifier attack          secure          secure             secure            secure          secure
Off-line dictionary attack      secure          secure             secure            secure          secure
Compromised sensor node attack  secure          secure             secure            secure          secure
Mutual authentication           yes             yes                yes               yes             yes
Session key establishment       yes             yes                yes               yes             yes
Key privacy                     yes             no                 yes               no              yes
User anonymity                  weak            weak               weak              weak            strong
Formal security proof           yes             yes                yes               yes             yes

6. Conclusions

In this paper we propose an anonymous authentication and key exchange protocol for WSNs. The most attractive property of our protocol is its strong user anonymity: no one except the user knows the user's real identity. Besides this, our protocol enjoys a formal security proof in the random oracle model and efficient communication. Its only disadvantage is that it consumes more computation resources. In wireless communication networks, establishing a channel usually consumes more energy than computation does, so the heavier computation cost is not a serious problem. Due to its high security and strong anonymity, our protocol is well suited to security- and privacy-critical application scenarios in WSNs.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the Funding of Science and Technology on Information Assurance Laboratory (no. KJ-17-001) and the Key Scientific and Technological Project of Henan Province (no. 122102210126).


References

[1] Y. Liu, W. Guo, C. Fan, L. Chang, and C. Cheng, "A practical privacy-preserving data aggregation (3PDA) scheme for smart grid," IEEE Transactions on Industrial Informatics, pp. 1-1, 2018.

[2] D. He, N. Kumar, H. Wang, L. Wang, K. R. Choo, and A. Vinel, "A provably-secure cross-domain handshake scheme with symptoms-matching for mobile healthcare social network," IEEE Transactions on Dependable and Secure Computing, pp. 1-1, 2016.

[3] J. Shen, T. Zhou, D. He, Y. Zhang, X. Sun, and Y. Xiang, "Block design-based key agreement for group data sharing in cloud computing," IEEE Transactions on Dependable and Secure Computing, vol. PP, no. 99, 2017.

[4] J. Shen, J. Shen, X. Chen, X. Huang, and W. Susilo, "An efficient public auditing protocol with novel dynamic structure for cloud data," IEEE Transactions on Information Forensics and Security, vol. 12, no. 10, pp. 2402-2415, 2017.

[5] D. He, S. Zeadally, and L. Wu, "Certificateless public auditing scheme for cloud-assisted wireless body area networks," IEEE Systems Journal, vol. 12, no. 1, pp. 64-73, 2018.

[6] Q. Jiang, Z. Chen, B. Li et al., "Security analysis and improvement of bio-hashing based three-factor authentication scheme for telecare medical information systems," Journal of Ambient Intelligence and Humanized Computing, 2017.

[7] Q. Jiang, J. Ma, C. Yang, X. Ma, J. Shen, and S. A. Chaudhry, "Efficient end-to-end authentication protocol for wearable health monitoring systems," Computers and Electrical Engineering, 2017.

[8] M. L. Das, "Two-factor user authentication in wireless sensor networks," IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1086-1090, 2009.

[9] M. K. Khan and K. Alghathbar, "Cryptanalysis and security improvements of 'two-factor user authentication in wireless sensor networks'," Sensors, vol. 10, no. 3, pp. 2450-2459, 2010.

[10] H.-L. Yeh, T.-H. Chen, P.-C. Liu, T.-H. Kim, and H.-W. Wei, "A secured authentication protocol for wireless sensor networks using Elliptic Curves Cryptography," Sensors, vol. 11, no. 5, pp. 4767-4779, 2011.

[11] K. Xue, C. Ma, P. Hong, and R. Ding, "A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks," Journal of Network and Computer Applications, vol. 36, no. 1, pp. 316-323, 2013.

[12] D. He, N. Kumar, H. Shen, and J.-H. Lee, "One-to-many authentication for access control in mobile pay-TV systems," Science China Information Sciences, vol. 59, no. 5, pp. 1-14, 2016.

[13] J.-J. Yuan, "An enhanced two-factor user authentication in wireless sensor networks," Telecommunication Systems, vol. 55, no. 1, pp. 105-113, 2014.

[14] D. Wang and P. Wang, "Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks," Ad Hoc Networks, vol. 20, pp. 1-15, 2014.

[15] J. Shen, S. Chang, J. Shen, Q. Liu, and X. Sun, "A lightweight multi-layer authentication protocol for wireless body area networks," Future Generation Computer Systems, vol. 78, no. 3, pp. 956-963, 2018.

[16] F. Wu, L. Xu, S. Kumari, and X. Li, "A new and secure authentication scheme for wireless sensor networks with formal proof," Peer-to-Peer Networking and Applications, vol. 10, no. 1, pp. 16-30, 2017.

[17] Q. Jiang, S. Zeadally, J. Ma, and D. He, "Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks," IEEE Access, vol. 5, pp. 3376-3392, 2017.

[18] C. Wang, G. Xu, and J. Sun, "An enhanced three-factor user authentication scheme using elliptic curve cryptosystem for wireless sensor networks," Sensors, vol. 17, no. 12, article no. 2946, 2017.

[19] X. Li, J. Niu, S. Kumari, F. Wu, A. K. Sangaiah, and K. R. Choo, "A three-factor anonymous authentication scheme for wireless sensor networks in internet of things environments," Journal of Network and Computer Applications, vol. 103, pp. 194-204, 2018.

[20] C. Wang, D. Wang, G. Xu, and Y. Guo, "A lightweight password-based authentication protocol using smart card," International Journal of Communication Systems, vol. 30, no. 16, pp. 1-11, 2017.

[21] D. Wang, H. Cheng, P. Wang et al., "Zipf's law in passwords," IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, pp. 2776-2791, 2017.

[22] F. Wei, P. Vijayakumar, J. Shen, R. Zhang, and L. Li, "A provably secure password-based anonymous authentication scheme for wireless body area networks," Computers and Electrical Engineering, 2017.

[23] Z. Zhang, K. Yang, X. Hu, and Y. Wang, "Practical anonymous password authentication and TLS with anonymous client authentication," in Proceedings of the 23rd ACM Conference on Computer and Communications Security (CCS 2016), pp. 1179-1191, October 2016.

[24] D. Wang and P. Wang, "Two birds with one stone: two-factor authentication with security beyond conventional bound," IEEE Transactions on Dependable and Secure Computing, 2016.

[25] C. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, no. 3, pp. 161-174, 1991.



Table 3 summarizes security properties of the proposedprotocol with related protocols It can be seen from Table 3that our protocol provides all the security features More-over our protocol is the only one which provides stronguser anonymity and formal security proof Consideringthe computation cost communication cost and securityattributes as a whole our protocol outperforms to otherprotocols Consequently the proposed protocol is more suit-able for security and privacy critic applications scenarios inWSNs

8 Wireless Communications and Mobile Computing



References

[1] Y. Liu, W. Guo, C. Fan, L. Chang, and C. Cheng, "A practical privacy-preserving data aggregation (3PDA) scheme for smart grid," IEEE Transactions on Industrial Informatics, pp. 1-1, 2018.

[2] D. He, N. Kumar, H. Wang, L. Wang, K. R. Choo, and A. Vinel, "A provably-secure cross-domain handshake scheme with symptoms-matching for mobile healthcare social network," IEEE Transactions on Dependable and Secure Computing, pp. 1-1, 2016.

[3] J. Shen, T. Zhou, D. He, Y. Zhang, X. Sun, and Y. Xiang, "Block design-based key agreement for group data sharing in cloud computing," IEEE Transactions on Dependable and Secure Computing, vol. PP, no. 99, 2017.

[4] J. Shen, J. Shen, X. Chen, X. Huang, and W. Susilo, "An efficient public auditing protocol with novel dynamic structure for cloud data," IEEE Transactions on Information Forensics and Security, vol. 12, no. 10, pp. 2402-2415, 2017.

[5] D. He, S. Zeadally, and L. Wu, "Certificateless public auditing scheme for cloud-assisted wireless body area networks," IEEE Systems Journal, vol. 12, no. 1, pp. 64-73, 2018.

[6] Q. Jiang, Z. Chen, B. Li et al., "Security analysis and improvement of bio-hashing based three-factor authentication scheme for telecare medical information systems," Journal of Ambient Intelligence and Humanized Computing, 2017.

[7] Q. Jiang, J. Ma, C. Yang, X. Ma, J. Shen, and S. A. Chaudhry, "Efficient end-to-end authentication protocol for wearable health monitoring systems," Computers and Electrical Engineering, 2017.

[8] M. L. Das, "Two-factor user authentication in wireless sensor networks," IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1086-1090, 2009.

[9] M. K. Khan and K. Alghathbar, "Cryptanalysis and security improvements of 'two-factor user authentication in wireless sensor networks'," Sensors, vol. 10, no. 3, pp. 2450-2459, 2010.

[10] H.-L. Yeh, T.-H. Chen, P.-C. Liu, T.-H. Kim, and H.-W. Wei, "A secured authentication protocol for wireless sensor networks using elliptic curves cryptography," Sensors, vol. 11, no. 5, pp. 4767-4779, 2011.

[11] K. Xue, C. Ma, P. Hong, and R. Ding, "A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks," Journal of Network and Computer Applications, vol. 36, no. 1, pp. 316-323, 2013.

[12] D. He, N. Kumar, H. Shen, and J.-H. Lee, "One-to-many authentication for access control in mobile pay-TV systems," Science China Information Sciences, vol. 59, no. 5, pp. 1-14, 2016.

[13] J.-J. Yuan, "An enhanced two-factor user authentication in wireless sensor networks," Telecommunication Systems, vol. 55, no. 1, pp. 105-113, 2014.

[14] D. Wang and P. Wang, "Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks," Ad Hoc Networks, vol. 20, pp. 1-15, 2014.

[15] J. Shen, S. Chang, J. Shen, Q. Liu, and X. Sun, "A lightweight multi-layer authentication protocol for wireless body area networks," Future Generation Computer Systems, vol. 78, no. 3, pp. 956-963, 2018.

[16] F. Wu, L. Xu, S. Kumari, and X. Li, "A new and secure authentication scheme for wireless sensor networks with formal proof," Peer-to-Peer Networking and Applications, vol. 10, no. 1, pp. 16-30, 2017.

[17] Q. Jiang, S. Zeadally, J. Ma, and D. He, "Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks," IEEE Access, vol. 5, pp. 3376-3392, 2017.

[18] C. Wang, G. Xu, and J. Sun, "An enhanced three-factor user authentication scheme using elliptic curve cryptosystem for wireless sensor networks," Sensors, vol. 17, no. 12, article no. 2946, 2017.

[19] X. Li, J. Niu, S. Kumari, F. Wu, A. K. Sangaiah, and K. R. Choo, "A three-factor anonymous authentication scheme for wireless sensor networks in internet of things environments," Journal of Network and Computer Applications, vol. 103, pp. 194-204, 2018.

[20] C. Wang, D. Wang, G. Xu, and Y. Guo, "A lightweight password-based authentication protocol using smart card," International Journal of Communication Systems, vol. 30, no. 16, pp. 1-11, 2017.

[21] D. Wang, H. Cheng, P. Wang et al., "Zipf's law in passwords," IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, pp. 2776-2791, 2017.

[22] F. Wei, P. Vijayakumar, J. Shen, R. Zhang, and L. Li, "A provably secure password-based anonymous authentication scheme for wireless body area networks," Computers and Electrical Engineering, 2017.

[23] Z. Zhang, K. Yang, X. Hu, and Y. Wang, "Practical anonymous password authentication and TLS with anonymous client authentication," in Proceedings of the 23rd ACM Conference on Computer and Communications Security (CCS 2016), pp. 1179-1191, October 2016.

[24] D. Wang and P. Wang, "Two birds with one stone: two-factor authentication with security beyond conventional bound," IEEE Transactions on Dependable and Secure Computing, 2016.

[25] C. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, no. 3, pp. 161-174, 1991.


Source PDF: downloads.hindawi.com/journals/wcmc/2018/2484268.pdf


computes $r_{GN} = H_1(label, X, T, c_1, s_m, s_a, Y)$ and signs the random number $r_{GN}$ with its private key $s_{GN}$; the resulting signature is denoted $\sigma_{GN}$. Finally, $GN$ sends the message $(Y, \sigma_{GN})$ to the user $U$.

Step 5. Upon receiving the message $(Y, \sigma_{GN})$ from $GN$, $U$ first verifies the signature $\sigma_{GN}$: $U$ recomputes the random number $r^*_{GN} = H_1(label, X, T, c_1, s_m, s_a, Y)$ and checks that $\sigma_{GN}$ is a valid signature on $r^*_{GN}$ under $GN$'s public key. If the verification succeeds, $U$ computes the Diffie-Hellman key $K = xY$ and the session key $sk = H_0(label, X, Y, K)$, accepts the session, and waits for the upcoming communication; otherwise $U$ does not accept.
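The message flow of the authentication and key exchange phase, as an added runnable Go example (this is not code from the paper; it is written for this page). The gateway-sensor authenticators use the hash inputs the proof gives for $H_4$ and $H_5$ in Experiments 5 and 6, $Auth_{GN} = H_4(K_{GN,S_i}, X, label, T_{GN})$ and $Auth_{S_i} = H_5(K_{GN,S_i}, X, Y, T_{GN}, T_{S_i}, label)$, the gateway signs $r_{GN}$ with ECDSA as in the instantiation of Section 5, and the user derives $sk = H_0(label, X, Y, xY)$ as in Step 5. Assumptions of this example, none of which the paper fixes: P-256 in place of the paper's curve, SHA-256 over length-prefixed fields for the hash functions, HMAC-SHA256 under $K_{GN,S_i}$ for the keyed hashes $H_4/H_5$ (the paper writes them as hashes that take the key as an input), a 5-second transmission delay, placeholder bytes for the credential proof $(c_1, s_m, s_a)$ whose algebraic-MAC construction this excerpt does not give, and the sensor deriving the same session key from $yX$.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// maxDelay is the tolerated transmission delay for timestamps, in seconds (assumed).
const maxDelay int64 = 5

// h is SHA-256 over a domain tag and length-prefixed fields; the tag stands in for
// the paper's separate hash functions H0, H1, H4 and H5 (example choice).
func h(tag string, fields ...[]byte) []byte {
	m := sha256.New()
	m.Write([]byte(tag))
	for _, f := range fields {
		binary.Write(m, binary.BigEndian, uint32(len(f)))
		m.Write(f)
	}
	return m.Sum(nil)
}

// auth instantiates the keyed hashes H4/H5 as HMAC-SHA256 under K_{GN,Si}.
func auth(tag string, key []byte, fields ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(h(tag, fields...))
	return m.Sum(nil)
}

func ts(t int64) []byte { b := make([]byte, 8); binary.BigEndian.PutUint64(b, uint64(t)); return b }

// fresh is the check "the timestamp is within the transmission delay".
func fresh(now, t int64) bool { d := now - t; return -maxDelay <= d && d <= maxDelay }

// Session runs one authentication and key exchange among user U, gateway GN and
// sensor S_i at time now. tGN is the timestamp GN puts on its message to S_i; an
// old value models a replayed gateway message. Both session keys are returned so
// the caller can confirm that U and S_i agree.
func Session(now, tGN int64, label []byte) (skUser, skSensor []byte, err error) {
	curve := ecdh.P256()
	kGNSi := make([]byte, 32) // long-term symmetric key shared by GN and S_i
	rand.Read(kGNSi)
	sGN, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // GN's signing key
	// U -> GN: (label, X, T, c1, sm, sa). The credential proof (c1, sm, sa) is an
	// algebraic-MAC presentation in the paper; here it is opaque placeholder bytes.
	x, _ := curve.GenerateKey(rand.Reader)
	X, T := x.PublicKey().Bytes(), ts(now)
	c1, sm, sa := []byte("c1"), []byte("sm"), []byte("sa")
	// GN -> S_i: (label, X, T_GN, Auth_GN) with Auth_GN = H4(K_{GN,Si}, X, label, T_GN).
	TGN := ts(tGN)
	authGN := auth("H4", kGNSi, X, label, TGN)
	// S_i: reject stale or unauthenticated requests; otherwise pick y, Y = yP and
	// reply (S_i, Y, T_Si, Auth_Si) with Auth_Si = H5(K_{GN,Si}, X, Y, T_GN, T_Si, label).
	if !fresh(now, tGN) {
		return nil, nil, errors.New("sensor: T_GN outside the transmission delay")
	}
	if !hmac.Equal(authGN, auth("H4", kGNSi, X, label, TGN)) {
		return nil, nil, errors.New("sensor: invalid Auth_GN")
	}
	y, _ := curve.GenerateKey(rand.Reader)
	Y, tSi := y.PublicKey().Bytes(), now
	TSi := ts(tSi)
	authSi := auth("H5", kGNSi, X, Y, TGN, TSi, label)
	Xpub, _ := curve.NewPublicKey(X)
	K, _ := y.ECDH(Xpub)               // K = yX
	skSensor = h("H0", label, X, Y, K) // sk = H0(label, X, Y, K)
	// GN: check the sensor's reply, sign r_GN = H1(label, X, T, c1, sm, sa, Y), send (Y, sigma_GN) to U.
	if !fresh(now, tSi) || !hmac.Equal(authSi, auth("H5", kGNSi, X, Y, TGN, TSi, label)) {
		return nil, nil, errors.New("gateway: stale or invalid Auth_Si")
	}
	rGN := h("H1", label, X, T, c1, sm, sa, Y)
	sigmaGN, _ := ecdsa.SignASN1(rand.Reader, sGN, rGN)
	// U (Step 5): recompute r*_GN, verify sigma_GN, then K = xY, sk = H0(label, X, Y, K).
	rStar := h("H1", label, X, T, c1, sm, sa, Y)
	if !ecdsa.VerifyASN1(&sGN.PublicKey, rStar, sigmaGN) {
		return nil, nil, errors.New("user: invalid signature from GN")
	}
	Ypub, _ := curve.NewPublicKey(Y)
	K2, _ := x.ECDH(Ypub) // K = xY
	skUser = h("H0", label, X, Y, K2)
	return skUser, skSensor, nil
}

func main() {
	a, b, err := Session(1000, 1000, []byte("label"))
	fmt.Println("fresh run:", err, "keys agree:", bytes.Equal(a, b))
	_, _, err = Session(1000, 900, []byte("label"))
	fmt.Println("replayed T_GN:", err)
}
```

Running it with a gateway timestamp 100 seconds in the past makes the sensor reject the message before any authenticator is checked, which is the replay case that Experiments 5 and 6 rely on; with a fresh timestamp the user and the sensor end up with the same 32-byte session key, and the gateway never learns it because it never holds $x$ or $y$.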

4 Security Proof

In this section we present the security proof of our protocol. The proof is conducted in the security model presented in Section 2.

Theorem 1. Suppose $\mathcal{P}$ is the anonymous authentication and key exchange protocol for WSNs described in the previous section, and $\mathcal{A}$ is a PPT adversary against the AKE security of $\mathcal{P}$ that runs in time $t$ and makes at most $Q_{send}$ Send queries to different instances. If the signature scheme used in our protocol is existentially unforgeable against adaptive chosen-message attacks and the hash functions $H_i(\cdot)$ ($i = 0, 1, \dots, 5$) are modeled as random oracles, then under the CDH assumption the advantage of $\mathcal{A}$ in violating the AKE security of $\mathcal{P}$ is at most

$\mathrm{Adv}^{ake}_{\mathcal{P},\mathcal{D}}(\mathcal{A}) \le C' \cdot Q_{send}^{s'} + \mathrm{negl}(\kappa).$ (2)

Proof. We prove Theorem 1 with the hybrid-experiment technique. The hybrid experiments start from the real attack scenario, and in each experiment we gradually change the simulation rules; in the last experiment the adversary's advantage in distinguishing the session key is negligible. We bound the difference in the adversary's advantage between consecutive experiments, so the advantage of the adversary in breaking the AKE security can be computed. We denote the adversary's advantage in hybrid $Exp_i$ by $\mathrm{Adv}_i(\mathcal{A})$.

Experiment $Exp_0$. This is the real attack scenario defined in the security model; the adversary has access to all the oracles. By the definition of $\mathcal{A}$'s advantage we have

$\mathrm{Adv}^{ake}_{\mathcal{P},\mathcal{D}}(\mathcal{A}) = \mathrm{Adv}_0(\mathcal{A}).$ (3)

Experiment $Exp_1$. In this experiment we simulate all the hash functions $H_i(\cdot)$ ($i = 0, 1, \dots, 5$) by maintaining hash lists $\Lambda_{H_i}$ ($i = 0, 1, \dots, 5$) with the following rules:

(i) On a query $H_i(m)$, if a record $(i, m, r)$ exists in $\Lambda_{H_i}$, return $r$. Otherwise the output $r$ is chosen according to the rule $Rule_{H_i}$:
  if $i = 1$, choose a random element $r$ from $\mathbb{Z}_n^*$ and add the record $(1, m, r)$ to $\Lambda_{H_1}$;
  if $i = 2$, choose a random element $r$ from $\mathbb{G}$ and add the record $(2, m, r)$ to $\Lambda_{H_2}$;
  if $i \in \{0, 3, 4, 5\}$, choose a random element $r$ from $\{0, 1\}^\kappa$ and add the record $(i, m, r)$ to $\Lambda_{H_i}$.

In addition to these lists, we also simulate six private hash oracles $H'_i$ ($i = 0, 1, \dots, 5$) by maintaining hash lists $\Lambda'_{H_i}$ ($i = 0, 1, \dots, 5$); these private hash functions are used in the following hybrid experiments. It is well known that a hash function can be simulated perfectly in PPT time using the above rules, thus we have

$|\mathrm{Adv}_1(\mathcal{A}) - \mathrm{Adv}_0(\mathcal{A})| \le \mathrm{negl}(\kappa).$ (4)

Experiment $Exp_2$. In this experiment we cancel the sessions in which some unlikely collisions occur. More specifically, if a collision occurs in the simulation of the hash functions or on the transcripts $(X, Y, T, c_1, s_m, s_a, \sigma_{GN})$, we terminate the session and let the adversary win. By the birthday paradox we have

$|\mathrm{Adv}_2(\mathcal{A}) - \mathrm{Adv}_1(\mathcal{A})| \le \mathrm{negl}(\kappa).$ (5)

Experiment $Exp_3$. In this experiment we modify the simulation of the sessions created by Execute queries. Whenever we need to compute the session key in a passive session, we use the private hash oracle $H'_0$ instead of $H_0$, and the Diffie-Hellman key $K$ is no longer used as an input; that is, the session key of a passive session is computed as $sk = H'_0(label, X, Y)$. The adversary can distinguish $Exp_3$ from $Exp_2$ only if it sends a hash query $(label, X, Y, K)$ to the oracle $H_0$ in which $X, Y$ were generated in a passive session and $K = CDH(X, Y)$. If the adversary can issue such a query, we can use it to solve the CDH problem.

Given a CDH instance $(U, V)$, we embed the instance into all passive sessions using the random self-reducibility of the CDH problem. For each passive session we choose four random numbers $a_0, b_0, a_1, b_1 \in \mathbb{Z}_n^*$ and, when simulating the transcript, set $X = a_0 U + b_0 P$ and $Y = a_1 V + b_1 P$. All other parts of the transcript are simulated as usual up to the computation of the session key, which is set to $sk = H'_0(label, X, Y)$. If the adversary can distinguish this experiment from the previous one, a query $(label, X, Y, K)$ must have been issued to $H_0$. Writing $U = uP$ and $V = vP$, we have $X = (a_0 u + b_0)P$ and $Y = (a_1 v + b_1)P$, so

$K = CDH(X, Y) = (a_0 u + b_0)(a_1 v + b_1) P = a_0 a_1 \cdot uvP + a_0 b_1 U + a_1 b_0 V + b_0 b_1 P.$

We can therefore compute the Diffie-Hellman value of $(U, V)$ by selecting a random record $(0, (label, X, Y, K), r)$ in $\Lambda_{H_0}$ and computing

$uvP = (K - a_0 b_1 U - a_1 b_0 V - b_0 b_1 P) \cdot (a_0 a_1)^{-1}.$

Under the intractability assumption of the CDH problem we have

$|\mathrm{Adv}_3(\mathcal{A}) - \mathrm{Adv}_2(\mathcal{A})| \le \mathrm{negl}(\kappa).$ (6)
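The random oracle list of Experiment 1 and the extraction step of Experiment 3, as an added Go example (not the paper's own code). It lazily samples $H_0$ into $\Lambda_{H_0}$, embeds a CDH instance $(U, V)$ in a passive session as $X = a_0 U + b_0 P$, $Y = a_1 V + b_1 P$, and recovers $uvP$ from a recorded query $(label, X, Y, K)$ with the formula above. Assumptions: P-256 stands in for $\mathbb{G}$ with $\kappa = 256$; the demo plays the adversary itself by computing $K = xY$ from $x = a_0 u + b_0$, which only the challenger, who knows $u$, can do; and the crypto/elliptic point arithmetic (deprecated but still in the standard library) is used because it exposes point addition.

```go
package main

import (
	"bytes"
	"crypto/elliptic"
	"crypto/rand"
	"fmt"
	"math/big"
)

// P-256 stands in for the paper's group G of prime order n generated by P.
var curve, n, p = elliptic.P256(), elliptic.P256().Params().N, elliptic.P256().Params().P

type point struct{ x, y *big.Int }

func base(k *big.Int) point         { x, y := curve.ScalarBaseMult(k.Bytes()); return point{x, y} }
func mul(q point, k *big.Int) point  { x, y := curve.ScalarMult(q.x, q.y, k.Bytes()); return point{x, y} }
func add(a, b point) point          { x, y := curve.Add(a.x, a.y, b.x, b.y); return point{x, y} }
func sub(a, b point) point          { return add(a, point{b.x, new(big.Int).Sub(p, b.y)}) } // a + (-b)
func mulmod(a, b *big.Int) *big.Int { return new(big.Int).Mod(new(big.Int).Mul(a, b), n) }
func enc(q point) []byte            { return elliptic.Marshal(curve, q.x, q.y) } // 65 bytes
func dec(b []byte) point            { x, y := elliptic.Unmarshal(curve, b); return point{x, y} }

// randScalar draws uniformly from Z_n^* = {1, ..., n-1}.
func randScalar() *big.Int { k, _ := rand.Int(rand.Reader, new(big.Int).Sub(n, big.NewInt(1))); return k.Add(k, big.NewInt(1)) }

// msg encodes an H0 query (label, X, Y[, K]) as label || X || Y [|| K].
func msg(label []byte, pts ...point) []byte {
	out := append([]byte{}, label...)
	for _, q := range pts {
		out = append(out, enc(q)...)
	}
	return out
}

// Oracle is the lazily sampled H0 of Experiment 1: the list Λ_{H0} maps a query m
// to a random κ-bit r chosen on first use and returned unchanged afterwards.
type Oracle struct {
	list    map[string][]byte
	queries [][]byte // distinct queries in order; the Exp3 simulator searches these
}

func NewOracle() *Oracle { return &Oracle{list: map[string][]byte{}} }

func (o *Oracle) H0(m []byte) []byte {
	if r, ok := o.list[string(m)]; ok {
		return r
	}
	r := make([]byte, 32)
	rand.Read(r)
	o.list[string(m)] = r
	o.queries = append(o.queries, m)
	return r
}

// Simulator holds the CDH instance (U, V) and one passive session's randomisers.
type Simulator struct {
	U, V, X, Y     point
	a0, b0, a1, b1 *big.Int
}

// NewSimulator embeds (U, V) in the transcript: X = a0 U + b0 P, Y = a1 V + b1 P.
func NewSimulator(U, V point) *Simulator {
	s := &Simulator{U: U, V: V, a0: randScalar(), b0: randScalar(), a1: randScalar(), b1: randScalar()}
	s.X, s.Y = add(mul(U, s.a0), base(s.b0)), add(mul(V, s.a1), base(s.b1))
	return s
}

// Extract scans Λ_{H0} for a record (label, X, Y, K) and returns
// (K - a0 b1 U - a1 b0 V - b0 b1 P) / (a0 a1), which is uvP whenever K = CDH(X, Y).
func (s *Simulator) Extract(o *Oracle, label []byte) (point, bool) {
	prefix := msg(label, s.X, s.Y)
	for _, m := range o.queries {
		if len(m) != len(prefix)+65 || !bytes.Equal(m[:len(prefix)], prefix) {
			continue
		}
		t := sub(dec(m[len(prefix):]), mul(s.U, mulmod(s.a0, s.b1)))
		t = sub(t, mul(s.V, mulmod(s.a1, s.b0)))
		t = sub(t, base(mulmod(s.b0, s.b1)))
		return mul(t, new(big.Int).ModInverse(mulmod(s.a0, s.a1), n)), true
	}
	return point{}, false
}

// Demo plays challenger and adversary: only the challenger knows u and v, and the
// adversary is assumed to break Exp3 by querying H0 on the true Diffie-Hellman key
// K = xY with x = a0 u + b0. It returns whether the simulator recovered uvP.
func Demo() bool {
	u, v := randScalar(), randScalar()
	sim, o, label := NewSimulator(base(u), base(v)), NewOracle(), []byte("label")
	x := new(big.Int).Mod(new(big.Int).Add(mulmod(sim.a0, u), sim.b0), n)
	o.H0(msg(label, sim.X, sim.Y, mul(sim.Y, x)))
	got, ok := sim.Extract(o, label)
	want := base(mulmod(u, v))
	return ok && got.x.Cmp(want.x) == 0 && got.y.Cmp(want.y) == 0
}

func main() { fmt.Println("CDH(U, V) recovered from the H0 list:", Demo()) }
```

The final comparison uses $u$ and $v$ only to check the answer; the simulator itself never sees $u$, $v$ or $x$, only the transcript it built and the adversary's $H_0$ queries. With several passive sessions one would keep one $(a_0, b_0, a_1, b_1)$ tuple per session and pick a matching record at random, which is where the factor lost in the reduction comes from.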

Experiment $Exp_4$. In this experiment we begin to deal with the active sessions. For a $Send(U, (Y, \sigma_{GN}))$ query, if $\sigma_{GN}$ is a valid signature for this active session, we simply terminate the simulation and let the adversary win. Since the user $U$ is honest in this session, the message $(X, T, c_1, s_m, s_a)$ was generated by $U$. Moreover, sessions in which a collision occurs on the hash outputs or on the transcripts were already cancelled in $Exp_2$, so $\sigma_{GN}$ is valid only if it is a signature on the fresh random number $r_{GN}$. Thus the adversary wins in this experiment if and only if it forges a new signature. The signature scheme used in our protocol is existentially unforgeable against chosen-message attacks, so the advantage of $\mathcal{A}$ in forging a signature on a new random number is negligible, and

$|\mathrm{Adv}_4(\mathcal{A}) - \mathrm{Adv}_3(\mathcal{A})| \le \mathrm{negl}(\kappa).$ (7)

Experiment $Exp_5$. In this experiment we continue to deal with the active sessions. For a $Send(GN, (S_i, Y, T_{S_i}, Auth_{S_i}))$ query, if the sensor node $S_i$ is uncorrupted, the timestamp $T_{S_i}$ is within the transmission delay and $Auth_{S_i}$ is a valid authenticator, we simply terminate the simulation and let the adversary win the attack game. Since $S_i$ is uncorrupted, the symmetric key $K_{GN,S_i}$ is unknown to the adversary, and the timestamp $T_{S_i}$ makes a replay attack impossible. The adversary can only produce a valid authenticator $Auth_{S_i}$ by issuing the query $(K_{GN,S_i}, X, Y, T_{GN}, T_{S_i}, label)$ to the hash oracle $H_5$, or by guessing the output of $H_5$ without asking the corresponding query. As $K_{GN,S_i}$ and $Auth_{S_i}$ are random values chosen from $\{0, 1\}^\kappa$, the success probability of the adversary is negligible. Consequently we have

$|\mathrm{Adv}_5(\mathcal{A}) - \mathrm{Adv}_4(\mathcal{A})| \le \mathrm{negl}(\kappa).$ (8)

Experiment $Exp_6$. In this experiment we deal with the active sessions once again. For a $Send(S_i, (label, X, T_{GN}, Auth_{GN}))$ query, if the timestamp $T_{GN}$ is within the transmission delay and $Auth_{GN}$ is a valid authenticator, we simply terminate the simulation and let the adversary win the attack game. Since the gateway node is not allowed to be corrupted, the symmetric key $K_{GN,S_i}$ is unknown to the adversary, and the timestamp $T_{GN}$ ensures the adversary cannot replay an old authenticator. The adversary can only produce a valid authenticator $Auth_{GN}$ by issuing the query $(K_{GN,S_i}, X, label, T_{GN})$ to the hash oracle $H_4$, or by guessing the output of $H_4$ without asking the corresponding query. As $K_{GN,S_i}$ and $Auth_{GN}$ are random values chosen from $\{0, 1\}^\kappa$, the success probability of the adversary is negligible. As in the previous experiment we have

$|\mathrm{Adv}_6(\mathcal{A}) - \mathrm{Adv}_5(\mathcal{A})| \le \mathrm{negl}(\kappa).$ (9)

Experiment $Exp_7$. In this experiment we change the simulation rule of Send queries for the last time. For a $Send(GN, (label, X, T, c_1, s_m, s_a))$ query, the gateway node first checks the validity of the credential proof. If the credential proof is valid and the message was forged by the adversary, we terminate the simulation and declare the adversary successful. However, the success probability of the adversary in producing a fake proof is bounded by the unforgeability of the algebraic-MAC credential presentation; with an analysis similar to that of [23] we get

$|\mathrm{Adv}_7(\mathcal{A}) - \mathrm{Adv}_6(\mathcal{A})| \le \mathrm{negl}(\kappa).$ (10)

In the last experiment all the session keys of passive sessions are chosen at random from the key space, and all active sessions are terminated without accepting. The only way left for the adversary to succeed is to steal the user's terminal and recover the credential by guessing the password; each guessed credential can only be verified by running the protocol, that is, by spending a Send query. Consequently we have

$|\mathrm{Adv}_7(\mathcal{A})| \le C' \cdot Q_{send}^{s'}.$ (11)

Summing the bounds (4) to (11) along the sequence of experiments and using (3) gives the bound (2) of Theorem 1.

5 Performance Analysis

In this section we compare the computation cost, the communication cost and the security attributes of our protocol with those of related protocols that provide user anonymity [16-19]. For computation, let $T_M$ denote the time of one modular exponentiation, $T_{PM}$ the time of one point multiplication on an elliptic curve, $T_H$ the time of one hash function evaluation, and $T_S$ the time of one symmetric encryption/decryption operation. According to [24], $T_M \approx 1.169$ ms, $T_{PM} \approx 0.508$ ms, $T_H \approx 0.069$ ms and $T_S \approx 0.069$ ms. We only evaluate the computation cost of the authentication and key exchange phase, because the registration phase is a one-time job. For communication cost, we assume that an identity is 32 bits long, the security parameter $\kappa$ is 160 bits, a timestamp is 64 bits, an element of the ECC cyclic group is represented with 320 bits, and an element of an RSA cyclic group with 1024 bits. We instantiate the signature scheme with the well-known ECDSA signature scheme [25]. The communication and computation costs are summarized in Table 2. Table 2 shows that our protocol is the most expensive of the compared protocols in computation, whereas the communication costs of all compared protocols are roughly the same. The computation cost of our protocol mainly arises from strong user anonymity: in our protocol no one except the user knows the user's real identity, while in the other protocols the gateway node knows it.

Table 3 summarizes the security properties of the proposed protocol and the related protocols. As can be seen from Table 3, our protocol provides all the listed security features; moreover, it is the only one that provides strong user anonymity together with a formal security proof. Considering computation cost, communication cost and security attributes as a whole, our protocol compares favourably with the other protocols. Consequently, the proposed protocol is more suitable for security- and privacy-critical application scenarios in WSNs.


Table 2. Comparisons of computation and communication costs.

Protocol            | User (ms)                   | Gateway (ms)                | Sensor (ms)                 | Rounds | Bandwidth
Wu et al. [16]      | 2T_PM + T_S + 11T_H ≈ 1.04  | 2T_S + 11T_H ≈ 1.04         | 2T_PM + T_S + 4T_H ≈ 1.05   | 4      | 3168 bits
Jiang et al. [17]   | T_PM + 8T_H ≈ 1.18          | T_PM + 12T_H ≈ 1.19         | 5T_H ≈ 0.04                 | 4      | 2689 bits
Wang et al. [18]    | 2T_PM + 8T_H ≈ 1.04         | 2T_PM + T_S + 11T_H ≈ 1.05  | 2T_PM + T_S + 11T_H ≈ 1.06  | 4      | 3968 bits
Li et al. [19]      | 2T_PM + 8T_H ≈ 1.05         | T_PM + 9T_H ≈ 0.52          | 4T_H ≈ 0.03                 | 4      | 2912 bits
Our protocol        | 4T_PM + 4T_H ≈ 2.03         | 4T_PM + 5T_H ≈ 2.03         | 2T_PM + 3T_H ≈ 1.02         | 4      | 2976 bits

Table 3. Comparisons of security features.

Feature                          | Wu et al. [16] | Jiang et al. [17] | Wang et al. [18] | Li et al. [19] | Our protocol
Replay attack                    | secure         | secure            | secure           | secure         | secure
Privileged insider attack        | secure         | secure            | secure           | secure         | secure
GW-node impersonation attack     | secure         | secure            | secure           | secure         | secure
Stolen verifier attack           | secure         | secure            | secure           | secure         | secure
Off-line dictionary attack       | secure         | secure            | secure           | secure         | secure
Compromised sensor node attack   | secure         | secure            | secure           | secure         | secure
Mutual authentication            | yes            | yes               | yes              | yes            | yes
Session key establishment        | yes            | yes               | yes              | yes            | yes
Key privacy                      | yes            | no                | yes              | no             | yes
User anonymity                   | weak           | weak              | weak             | weak           | strong
Formal security proof            | yes            | yes               | yes              | yes            | yes

6 Conclusions

In this paper we propose an anonymous authentication and key exchange protocol for WSNs. The most attractive property of our protocol is its strong user anonymity: no one except the user knows the user's real identity. Besides this, our protocol enjoys a formal security proof in the random oracle model and efficient communication complexity. Its only disadvantage is that it consumes more computation resources. In wireless communication networks, establishing a channel usually consumes more energy than computation does, so the heavier computation cost is not a serious problem. Due to its high security and strong anonymity, our protocol is well suited to security- and privacy-critical application scenarios in WSNs.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the Funding of Science and Technology on Information Assurance Laboratory (no. KJ-17-001) and the Key Scientific and Technological Project of Henan Province (no. 122102210126).



[20] CWang DWang G Xu and Y Guo ldquoA lightweight password-based authentication protocol using smart cardrdquo InternationalJournal of Communication Systems vol 30 no 16 pp 1ndash11 2017

[21] D Wang H Cheng P Wang et al ldquoZipfs law in passwordsrdquoIEEE Transactions on Information Forensics and Security vol 12no 11 pp 2776ndash2791 2017

[22] F Wei P Vijayakumar J Shen R Zhang and L Li ldquoA provablysecure password-based anonymous authentication scheme forwireless body area networksrdquo Computers and Electrical Engi-neering 2017

[23] Z Zhang K Yang X Hu and Y Wang ldquoPractical anony-mous password authentication and TLS with anonymous clientauthenticationrdquo in Proceedings of the 23rd ACM Conference onComputer and Communications Security CCS 2016 pp 1179ndash1191 October 2016

[24] D Wang and P Wang ldquoTwo birds with one stone two-factorauthenticationwith security beyond conventional boundrdquo IEEETransactions on Dependable and Secure Computing 2016

[25] C Schnorr ldquoEfficient signature generation by smart cardsrdquoJournal of cryptology vol 4 no 3 pp 161ndash174 1991

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 7: A Provably Secure Anonymous Authenticated Key Exchange …downloads.hindawi.com/journals/wcmc/2018/2484268.pdf · 2019-07-30 · ResearchArticle A Provably Secure Anonymous Authenticated

Wireless Communications and Mobile Computing 7

win. Since the user $U$ is honest in this session, the message $(X, T, c_1, s_m, s_a)$ is generated by the user $U$. Besides, we cancel the experiment in which a collision occurs in the outputs of the hash functions and the transcripts in $Exp_2$, so the signature $\sigma_{GN}$ is valid only if it is a signature for the random number $r_{GN}$. The adversary wins the game in this experiment if and only if a new signature is forged. The signature scheme used in our protocol is existentially unforgeable against chosen message attacks, so the advantage of the adversary $\mathcal{A}$ in forging a signature for a new random number is negligible. It is obvious that

$$\left| \mathrm{Adv}_4(\mathcal{A}) - \mathrm{Adv}_3(\mathcal{A}) \right| \le \mathrm{negl}(\kappa) \quad (7)$$

Experiment $Exp_5$. In this experiment we continue to deal with the active sessions. For a $Send(GN, (S_i, Y, T_{S_i}, Auth_{S_i}))$ query, if the sensor node $S_i$ is uncorrupted, the timestamp $T_{S_i}$ is within the transmission delay, and $Auth_{S_i}$ is a valid authenticator, then we simply terminate the simulation and let the adversary win the attack game. Since the sensor node $S_i$ is uncorrupted, the symmetric key $K_{(GN,S_i)}$ is unknown to the adversary. Moreover, the timestamp $T_{S_i}$ makes the replay attack impossible. The adversary can only produce a valid authenticator $Auth_{S_i}$ by issuing a query $(K_{(GN,S_i)}, X, Y, T_{GN}, T_{S_i}, label)$ to the hash oracle $H_5$, or by correctly guessing the output of the hash function $H_5$ without asking the corresponding message. $K_{(GN,S_i)}$ and $Auth_{S_i}$ are two random values chosen from $\{0,1\}^{\kappa}$, so the success probability of the adversary is negligible. Consequently, we have the following equation:

$$\left| \mathrm{Adv}_5(\mathcal{A}) - \mathrm{Adv}_4(\mathcal{A}) \right| \le \mathrm{negl}(\kappa) \quad (8)$$

Experiment $Exp_6$. In this experiment we deal with the active sessions once again. For a $Send(S_i, (label, X, T_{GN}, Auth_{GN}))$ query, if the timestamp $T_{GN}$ is within the transmission delay and $Auth_{GN}$ is a valid authenticator, then we simply terminate the simulation and let the adversary win the attack game. Since the gateway node is not allowed to be corrupted, the symmetric key $K_{(GN,S_i)}$ is unknown to the adversary, and the timestamp $T_{GN}$ ensures that the adversary cannot replay an old authenticator. The adversary can only produce a valid authenticator $Auth_{GN}$ by issuing a query $(K_{(GN,S_i)}, X, label, T_{GN})$ to the hash oracle $H_4$, or by correctly guessing the output of the hash function $H_4$ without asking the corresponding message. $K_{(GN,S_i)}$ and $Auth_{S_i}$ are two random values chosen from $\{0,1\}^{\kappa}$, so the success probability of the adversary is negligible. Similarly to the previous experiment, we have

$$\left| \mathrm{Adv}_6(\mathcal{A}) - \mathrm{Adv}_5(\mathcal{A}) \right| \le \mathrm{negl}(\kappa) \quad (9)$$
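Experiments $Exp_5$ and $Exp_6$ rest on the same two checks at the receiving node: the timestamp must fall within the transmission delay, and the authenticator must be the keyed hash of exactly the transcript fields under $K_{(GN,S_i)}$. The following is an added example and is not code from the paper. It instantiates $H_4$ and $H_5$ with HMAC-SHA256 (an assumption; the paper only models them as random oracles), uses constructed random byte strings in place of the elliptic-curve points $X$ and $Y$, and assumes a delay window of 5 seconds. It plays the gateway-to-sensor message $(label, X, T_{GN}, Auth_{GN})$ and the sensor-to-gateway message $(S_i, Y, T_{S_i}, Auth_{S_i})$ and shows that a replayed message and an authenticator built without the shared key are rejected, which is exactly the event the two experiments bound.

```python
import hmac
import hashlib
import secrets

# Assumed instantiation (not the paper's): the keyed hash oracles H4 and H5
# are HMAC-SHA256 under the shared symmetric key K(GN,Si); domain-separated
# by a prefix so an H4 output can never be mistaken for an H5 output.
DELTA_T = 5  # assumed maximum transmission delay, in seconds


def _encode(*fields: bytes) -> bytes:
    """Length-prefix every field so (X, Y, T, label) cannot be re-split ambiguously."""
    out = b""
    for f in fields:
        out += len(f).to_bytes(2, "big") + f
    return out


def _ts(t: int) -> bytes:
    """64-bit big-endian timestamp, matching the 64-bit timestamp assumed in Section 5."""
    return t.to_bytes(8, "big")


def auth_gn(k: bytes, X: bytes, label: bytes, t_gn: int) -> bytes:
    """Auth_GN = H4(K(GN,Si), X, label, T_GN): gateway -> sensor (Exp_6)."""
    return hmac.new(k, b"H4" + _encode(X, label, _ts(t_gn)), hashlib.sha256).digest()


def auth_si(k: bytes, X: bytes, Y: bytes, t_gn: int, t_si: int, label: bytes) -> bytes:
    """Auth_Si = H5(K(GN,Si), X, Y, T_GN, T_Si, label): sensor -> gateway (Exp_5)."""
    return hmac.new(k, b"H5" + _encode(X, Y, _ts(t_gn), _ts(t_si), label), hashlib.sha256).digest()


def fresh(t_msg: int, now: int, delta: int = DELTA_T) -> bool:
    """Timestamp is within the transmission delay window."""
    return abs(now - t_msg) <= delta


def sensor_handle(k, label, X, t_gn, tag, now):
    """Sensor side: check T_GN freshness and Auth_GN, then answer with (Y, T_Si, Auth_Si)."""
    if not fresh(t_gn, now):
        return None, "reject: stale T_GN"
    if not hmac.compare_digest(auth_gn(k, X, label, t_gn), tag):
        return None, "reject: bad Auth_GN"
    Y = secrets.token_bytes(40)  # constructed stand-in for the 320-bit EC point Y
    t_si = now
    return (Y, t_si, auth_si(k, X, Y, t_gn, t_si, label)), "accept"


def gateway_handle(k, label, X, t_gn, Y, t_si, tag, now):
    """Gateway side: check T_Si freshness, then recompute Auth_Si and compare in constant time."""
    if not fresh(t_si, now):
        return "reject: stale T_Si"
    if not hmac.compare_digest(auth_si(k, X, Y, t_gn, t_si, label), tag):
        return "reject: bad Auth_Si"
    return "accept"


def run_demo() -> dict:
    """Honest exchange, then the two adversarial events the proof rules out."""
    k = secrets.token_bytes(20)     # K(GN,Si), kappa = 160 bits
    label = b"S_1"
    X = secrets.token_bytes(40)     # constructed stand-in for the EC point X
    t0 = 1_600_000_000              # constructed T_GN
    tag_gn = auth_gn(k, X, label, t0)
    results = {}
    # Honest run: both messages arrive inside the delay window.
    reply, verdict = sensor_handle(k, label, X, t0, tag_gn, t0 + 1)
    results["sensor_accepts_fresh"] = verdict
    Y, t_si, tag_si = reply
    results["gateway_accepts_fresh"] = gateway_handle(k, label, X, t0, Y, t_si, tag_si, t_si + 1)
    # Replay of the captured sensor message one minute later: timestamp check fails.
    results["gateway_rejects_replay"] = gateway_handle(k, label, X, t0, Y, t_si, tag_si, t_si + 60)
    # Authenticator computed by a party that does not hold K(GN,Si): hash check fails.
    forged = auth_si(secrets.token_bytes(20), X, Y, t0, t_si, label)
    results["gateway_rejects_wrong_key"] = gateway_handle(k, label, X, t0, Y, t_si, forged, t_si + 1)
    # Replay of the gateway message at the sensor.
    _, verdict = sensor_handle(k, label, X, t0, tag_gn, t0 + 60)
    results["sensor_rejects_replay"] = verdict
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The timestamp check runs before the hash comparison, so a stale message costs the receiver no keyed-hash computation, and the comparison uses `hmac.compare_digest` so that a wrong authenticator is not distinguishable by timing.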

Experiment $Exp_7$. In this experiment we change the simulation rule of $Send$ queries for the last time. For a $Send(GN, (label, X, T, c_1, s_m, s_a))$ query, the gateway node will first check the validity of the credential proof. If the credential proof is valid and the message is forged by the adversary, we then terminate the simulation and the adversary is claimed successful. However, the success probability of the adversary in producing a fake proof is bounded by the presentation of an algebraic MAC. With a similar analysis to [23], we get the following result:

$$\left| \mathrm{Adv}_7(\mathcal{A}) - \mathrm{Adv}_6(\mathcal{A}) \right| \le \mathrm{negl}(\kappa) \quad (10)$$

In the last experiment we can see that all the session keys of passive sessions are chosen randomly from the domain, and all the active sessions are terminated without accepting. The only way for the adversary to succeed is to steal the terminal of the user and recover the credential by guessing the password. The adversary has to verify the correctness of the recovered credential by executing the protocol. Consequently, we have

$$\left| \mathrm{Adv}_7(\mathcal{A}) \right| \le C' \cdot Q_{send}^{\,s'} \quad (11)$$

5. Performance Analysis

In this section we evaluate the computation and communication costs and the security attributes of our protocol against other related protocols with user anonymity [16–19]. In terms of computation, let "$T_M$" denote the time of one modular exponentiation, "$T_{PM}$" the time of one point multiplication on an elliptic curve, "$T_H$" the time of one hash function computation, and "$T_S$" the time of one symmetric encryption/decryption operation. According to [24], $T_M \approx 1.169$ ms, $T_{PM} \approx 0.508$ ms, $T_H \approx 0.069$ ms, and $T_S \approx 0.069$ ms. Moreover, we only evaluate the computation cost of the authentication and key exchange phase, because the registration phase is a one-time job. In terms of communication cost, we assume that the length of the identity is 32 bits, the security parameter $\kappa$ is 160 bits, the length of the timestamp is 64 bits, an element of the cyclic group of ECC can be represented with 320 bits, and an element of the cyclic group of RSA can be represented with 1024 bits. We also instantiate the signature scheme using the well-known ECDSA signature scheme [25]. The communication and computation performance is summarized in Table 2. We can see from Table 2 that our protocol is inefficient in terms of computation. However, the communication performance of the compared protocols is more or less the same. The computation cost of our protocol mainly arises from the strong user anonymity, i.e., no one except the user knows his real identity in our protocol, while the gateway node knows the user's real identity in the other protocols.

Table 3 summarizes the security properties of the proposed protocol and the related protocols. It can be seen from Table 3 that our protocol provides all the security features. Moreover, our protocol is the only one which provides strong user anonymity and a formal security proof. Considering the computation cost, communication cost, and security attributes as a whole, our protocol outperforms the other protocols. Consequently, the proposed protocol is more suitable for security- and privacy-critical application scenarios in WSNs.


Table 2: Comparisons of computation and communication costs

Protocols | Wu et al.'s [16] | Jiang et al.'s [17] | Wang et al.'s [18] | Li et al.'s [19] | Our protocol
Computation time of user (ms) | $2T_{PM} + T_S + 11T_H \approx 1.04$ | $T_{PM} + 8T_H \approx 1.18$ | $2T_{PM} + 8T_H \approx 1.04$ | $2T_{PM} + 8T_H \approx 1.05$ | $4T_{PM} + 4T_H \approx 2.03$
Computation time of gateway (ms) | $2T_S + 11T_H \approx 1.04$ | $T_{PM} + 12T_H \approx 1.19$ | $2T_{PM} + T_S + 11T_H \approx 1.05$ | $T_{PM} + 9T_H \approx 0.52$ | $4T_{PM} + 5T_H \approx 2.03$
Computation time of sensor (ms) | $2T_{PM} + T_S + 4T_H \approx 1.05$ | $5T_H \approx 0.04$ | $2T_{PM} + T_S + 11T_H \approx 1.06$ | $4T_H \approx 0.03$ | $2T_{PM} + 3T_H \approx 1.02$
Rounds | 4 | 4 | 4 | 4 | 4
Bandwidth | 3168 bits | 2689 bits | 3968 bits | 2912 bits | 2976 bits

Table 3: Comparisons of security features

Protocols | Wu et al.'s [16] | Jiang et al.'s [17] | Wang et al.'s [18] | Li et al.'s [19] | Our protocol
The replay attack | secure | secure | secure | secure | secure
The privileged insider attack | secure | secure | secure | secure | secure
The GW-node impersonation attack | secure | secure | secure | secure | secure
The stolen verifier attack | secure | secure | secure | secure | secure
The off-line dictionary attack | secure | secure | secure | secure | secure
The compromised sensor node attack | secure | secure | secure | secure | secure
Mutual authentication | yes | yes | yes | yes | yes
Session key establishment | yes | yes | yes | yes | yes
Key privacy | yes | no | yes | no | yes
User anonymity | weak | weak | weak | weak | strong
Formal security proof | yes | yes | yes | yes | yes

6. Conclusions

In this paper we propose an anonymous authentication and key exchange protocol for WSNs. The most attractive property of our protocol is its strong user anonymity, such that no one except the user knows the real identity of himself. Besides this, our protocol also enjoys a formal security proof in the random oracle model and efficient communication complexity. The only disadvantage is that it consumes more computation resources. In wireless communication networks, establishing a channel usually consumes more energy than computation does. As a result, the heavy computation cost is not a serious problem. Due to its high security and strong anonymity, our protocol is very suitable for security- and privacy-critical application scenarios in WSNs.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the Funding of Science and Technology on Information Assurance Laboratory (no. KJ-17-001) and Key Scientific and Technological Project of Henan Province (no. 122102210126).


References

[1] Y. Liu, W. Guo, C. Fan, L. Chang, and C. Cheng, "A practical privacy-preserving data aggregation (3PDA) scheme for smart grid," IEEE Transactions on Industrial Informatics, pp. 1-1, 2018.

[2] D. He, N. Kumar, H. Wang, L. Wang, K. R. Choo, and A. Vinel, "A Provably-Secure Cross-Domain Handshake Scheme with Symptoms-Matching for Mobile Healthcare Social Network," IEEE Transactions on Dependable and Secure Computing, pp. 1-1, 2016.

[3] J. Shen, T. Zhou, D. He, Y. Zhang, X. Sun, and Y. Xiang, "Block design-based key agreement for group data sharing in cloud computing," IEEE Transactions on Dependable and Secure Computing, vol. PP, no. 99, 2017.

[4] J. Shen, J. Shen, X. Chen, X. Huang, and W. Susilo, "An efficient public auditing protocol with novel dynamic structure for cloud data," IEEE Transactions on Information Forensics and Security, vol. 12, no. 10, pp. 2402–2415, 2017.

[5] D. He, S. Zeadally, and L. Wu, "Certificateless public auditing scheme for cloud-assisted wireless body area networks," IEEE Systems Journal, vol. 12, no. 1, pp. 64–73, 2018.

[6] Q. Jiang, Z. Chen, B. Li et al., "Security analysis and improvement of bio-hashing based three-factor authentication scheme for telecare medical information systems," Journal of Ambient Intelligence and Humanized Computing, 2017.

[7] Q. Jiang, J. Ma, C. Yang, X. Ma, J. Shen, and S. A. Chaudhry, "Efficient end-to-end authentication protocol for wearable health monitoring systems," Computers and Electrical Engineering, 2017.

[8] M. L. Das, "Two-factor user authentication in wireless sensor networks," IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1086–1090, 2009.

[9] M. K. Khan and K. Alghathbar, "Cryptanalysis and security improvements of 'two-factor user authentication in wireless sensor networks'," Sensors, vol. 10, no. 3, pp. 2450–2459, 2010.

[10] H.-L. Yeh, T.-H. Chen, P.-C. Liu, T.-H. Kim, and H.-W. Wei, "A secured authentication protocol for wireless sensor networks using Elliptic Curves Cryptography," Sensors, vol. 11, no. 5, pp. 4767–4779, 2011.

[11] K. Xue, C. Ma, P. Hong, and R. Ding, "A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks," Journal of Network and Computer Applications, vol. 36, no. 1, pp. 316–323, 2013.

[12] D. He, N. Kumar, H. Shen, and J.-H. Lee, "One-to-many authentication for access control in mobile pay-TV systems," Science China Information Sciences, vol. 59, no. 5, pp. 1–14, 2016.

[13] J.-J. Yuan, "An enhanced two-factor user authentication in wireless sensor networks," Telecommunication Systems, vol. 55, no. 1, pp. 105–113, 2014.

[14] D. Wang and P. Wang, "Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks," Ad Hoc Networks, vol. 20, pp. 1–15, 2014.

[15] J. Shen, S. Chang, J. Shen, Q. Liu, and X. Sun, "A lightweight multi-layer authentication protocol for wireless body area networks," Future Generation Computer Systems, vol. 78, no. 3, pp. 956–963, 2018.

[16] F. Wu, L. Xu, S. Kumari, and X. Li, "A new and secure authentication scheme for wireless sensor networks with formal proof," Peer-to-Peer Networking and Applications, vol. 10, no. 1, pp. 16–30, 2017.

[17] Q. Jiang, S. Zeadally, J. Ma, and D. He, "Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks," IEEE Access, vol. 5, pp. 3376–3392, 2017.

[18] C. Wang, G. Xu, and J. Sun, "An enhanced three-factor user authentication scheme using elliptic curve cryptosystem for wireless sensor networks," Sensors, vol. 17, no. 12, article no. 2946, 2017.

[19] X. Li, J. Niu, S. Kumari, F. Wu, A. K. Sangaiah, and K. R. Choo, "A three-factor anonymous authentication scheme for wireless sensor networks in internet of things environments," Journal of Network and Computer Applications, vol. 103, pp. 194–204, 2018.

[20] C. Wang, D. Wang, G. Xu, and Y. Guo, "A lightweight password-based authentication protocol using smart card," International Journal of Communication Systems, vol. 30, no. 16, pp. 1–11, 2017.

[21] D. Wang, H. Cheng, P. Wang et al., "Zipf's law in passwords," IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, pp. 2776–2791, 2017.

[22] F. Wei, P. Vijayakumar, J. Shen, R. Zhang, and L. Li, "A provably secure password-based anonymous authentication scheme for wireless body area networks," Computers and Electrical Engineering, 2017.

[23] Z. Zhang, K. Yang, X. Hu, and Y. Wang, "Practical anonymous password authentication and TLS with anonymous client authentication," in Proceedings of the 23rd ACM Conference on Computer and Communications Security, CCS 2016, pp. 1179–1191, October 2016.

[24] D. Wang and P. Wang, "Two birds with one stone: two-factor authentication with security beyond conventional bound," IEEE Transactions on Dependable and Secure Computing, 2016.

[25] C. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991.

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 8: A Provably Secure Anonymous Authenticated Key Exchange …downloads.hindawi.com/journals/wcmc/2018/2484268.pdf · 2019-07-30 · ResearchArticle A Provably Secure Anonymous Authenticated

8 Wireless Communications and Mobile Computing

Table 2 Comparisons of computation and communication costs

Protocols Wu et alrsquos [16] Jiang et alrsquos [17] Wang et alrsquos [18] Li et alrsquos [19] Our protocolComputation timeof user (ms) 2119879119875119872 + 119879119878 + 11119879119867 asymp 104 119879119875119872 + 8119879119867 asymp 118 2119879119875119872 + 8119879119867 asymp 104 2119879119875119872 + 8119879119867 asymp 105 4119879119875119872 + 4119879119867 asymp 203

Computation timeof gateway (ms) 2119879119878 + 11119879119867 asymp 104 119879119875119872 + 12119879119867 asymp 119 2119879119875119872 + 119879119878 + 11119879119867 asymp 105 119879119875119872 + 9119879119867 asymp 052 4119879119875119872 + 5119879119867 asymp 203

Computation timeof sensor (ms) 2119879119875119872 + 119879119878 + 4119879119867 asymp 105 5119879119867 asymp 004 2119879119875119872 + 119879119878 + 11119879119867 asymp 106 4119879119867 asymp 003 2119879119875119872 + 3119879119867 asymp 102

Rounds 4 4 4 4 4Bandwidth 3168bits 2689bits 3968bits 2912bits 2976bits

Table 3 Comparisons of security features

Protocols Wu et alrsquos [16] Jiang et alrsquos [17] Wang et alrsquos [18] Li et alrsquos [19] Our protocolThe replayattack secure secure secure secure secure

The privilegedinsider attack secure secure secure secure secure

The GW-nodeimpersonationattack

secure secure secure secure secure

The stolenverifier attack secure secure secure secure secure

The off-linedictionaryattack

secure secure secure secure secure

Thecompromisedsensor nodeattack

secure secure secure secure secure

Mutualauthentication yes yes yes yes yes

Session keyestablishment yes yes yes yes yes

Key privacy yes no yes no yesUser anonymity weak weak weak weak strongFormal securityproof yes yes yes yes yes

6 Conclusions

In this paper we propose an anonymous authentication andkey exchange protocol for WSNs The most attractive prop-erty of our protocol is its strong user anonymity such that noone except the user knows the real identity of himself Besidesthis our protocol also enjoys formal security proof in the ran-dom oracle model and efficient communication complexityThe only disadvantage is that it consumes more computationresources In wireless communication networks establishinga channel usually consumes more energy than computationdoes As a result the heavy computation cost is not a seriousproblem Due to its high security and strong anonymityour protocol is very suitable for security and privacy criticapplication scenarios in WSNs

Data Availability

The data used to support the findings of this study areavailable from the corresponding author upon request

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This work is supported by the Funding of Science andTechnology on Information Assurance Laboratory (no KJ-17-001) andKey Scientific andTechnological Project ofHenanProvince (no 122102210126)

Wireless Communications and Mobile Computing 9

References

[1] Y Liu W Guo C Fan L Chang and C Cheng ldquoA practicalprivacy-preserving data aggregation (3PDA) scheme for smartgridrdquo IEEE Transactions on Industrial Informatics pp 1-1 2018

[2] D He N Kumar H Wang L Wang K R Choo and A VinelldquoA Provably-Secure Cross-Domain Handshake Scheme withSymptoms-Matching for Mobile Healthcare Social NetworkrdquoIEEETransactions onDependable and Secure Computing pp 1-12016

[3] J Shen T Zhou D He Y Zhang X Sun and Y XiangldquoBlock design-based key agreement for group data sharing incloud computingrdquo IEEE Transactions on Dependable and SecureComputing vol PP no 99 2017

[4] J Shen J Shen X Chen X Huang and W Susilo ldquoAn efficientpublic auditing protocol with novel dynamic structure for clouddatardquo IEEE Transactions on Information Forensics and Securityvol 12 no 10 pp 2402ndash2415 2017

[5] D He S Zeadally and L Wu ldquoCertificateless public auditingscheme for cloud-assisted wireless body area networksrdquo IEEESystems Journal vol 12 no 1 pp 64ndash73 2018

[6] Q Jiang Z Chen B Li et al ldquoSecurity analysis and improve-ment of bio-hashing based three-factor authentication schemefor telecare medical information systemsrdquo Journal of AmbientIntelligence and Humanized Computing 2017

[7] Q Jiang J Ma C Yang X Ma J Shen and S A ChaudhryldquoEfficient end-to-end authentication protocol for wearablehealth monitoring systemsrdquo Computers and Electrical Engineer-ing 2017

[8] M L Das ldquoTwo-factor user authentication in wireless sensornetworksrdquo IEEE Transactions on Wireless Communications vol8 no 3 pp 1086ndash1090 2009

[9] M K Khan and K Alghathbar ldquoCryptanalysis and securityimprovements of lsquotwo-factor user authentication in wirelesssensor networksrsquordquo Sensors vol 10 no 3 pp 2450ndash2459 2010

[10] H-L Yeh T-H Chen P-C Liu T-H Kim and H-W WeildquoA secured authentication protocol for wireless sensor networksusing Elliptic Curves Cryptographyrdquo Sensors vol 11 no 5 pp4767ndash4779 2011

[11] K Xue C Ma P Hong and R Ding ldquoA temporal-credential-based mutual authentication and key agreement scheme forwireless sensor networksrdquo Journal of Network and ComputerApplications vol 36 no 1 pp 316ndash323 2013

[12] D He N Kumar H Shen and J-H Lee ldquoOne-to-manyauthentication for access control in mobile pay-TV systemsrdquoScience China Information Sciences vol 59 no 5 pp 1ndash14 2016

[13] J-J Yuan ldquoAn enhanced two-factor user authentication inwireless sensor networksrdquo Telecommunication Systems vol 55no 1 pp 105ndash113 2014

[14] D Wang and P Wang ldquoUnderstanding security failures oftwo-factor authentication schemes for real-time applications inhierarchical wireless sensor networksrdquo Ad Hoc Networks vol20 pp 1ndash15 2014

[15] J Shen S Chang J Shen Q Liu and X Sun ldquoA lightweightmulti-layer authentication protocol for wireless body areanetworksrdquo Future Generation Computer Systems vol 78 no 3pp 956ndash963 2018

[16] F Wu L Xu S Kumari and X Li ldquoA new and secureauthentication scheme for wireless sensor networks with formalproofrdquo Peer-to-Peer Networking and Applications vol 10 no 1pp 16ndash30 2017

[17] Q Jiang S Zeadally J Ma and D He ldquoLightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networksrdquo IEEE Access vol 5 pp3376ndash3392 2017

[18] C Wang G Xu and J Sun ldquoAn enhanced three-factor userauthentication scheme using elliptic curve cryptosystem forwireless sensor networksrdquo Sensors vol 17 no 12 article no2946 2017

[19] X Li J Niu S Kumari F Wu A K Sangaiah and K R ChooldquoA three-factor anonymous authentication scheme for wirelesssensor networks in internet of things environmentsrdquo Journal ofNetwork and Computer Applications vol 103 pp 194ndash204 2018

[20] CWang DWang G Xu and Y Guo ldquoA lightweight password-based authentication protocol using smart cardrdquo InternationalJournal of Communication Systems vol 30 no 16 pp 1ndash11 2017

[21] D Wang H Cheng P Wang et al ldquoZipfs law in passwordsrdquoIEEE Transactions on Information Forensics and Security vol 12no 11 pp 2776ndash2791 2017

[22] F Wei P Vijayakumar J Shen R Zhang and L Li ldquoA provablysecure password-based anonymous authentication scheme forwireless body area networksrdquo Computers and Electrical Engi-neering 2017

[23] Z Zhang K Yang X Hu and Y Wang ldquoPractical anony-mous password authentication and TLS with anonymous clientauthenticationrdquo in Proceedings of the 23rd ACM Conference onComputer and Communications Security CCS 2016 pp 1179ndash1191 October 2016

[24] D Wang and P Wang ldquoTwo birds with one stone two-factorauthenticationwith security beyond conventional boundrdquo IEEETransactions on Dependable and Secure Computing 2016

[25] C Schnorr ldquoEfficient signature generation by smart cardsrdquoJournal of cryptology vol 4 no 3 pp 161ndash174 1991

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 9: A Provably Secure Anonymous Authenticated Key Exchange …downloads.hindawi.com/journals/wcmc/2018/2484268.pdf · 2019-07-30 · ResearchArticle A Provably Secure Anonymous Authenticated

Wireless Communications and Mobile Computing 9

References

[1] Y. Liu, W. Guo, C. Fan, L. Chang, and C. Cheng, "A practical privacy-preserving data aggregation (3PDA) scheme for smart grid," IEEE Transactions on Industrial Informatics, pp. 1-1, 2018.

[2] D. He, N. Kumar, H. Wang, L. Wang, K. R. Choo, and A. Vinel, "A Provably-Secure Cross-Domain Handshake Scheme with Symptoms-Matching for Mobile Healthcare Social Network," IEEE Transactions on Dependable and Secure Computing, pp. 1-1, 2016.

[3] J. Shen, T. Zhou, D. He, Y. Zhang, X. Sun, and Y. Xiang, "Block design-based key agreement for group data sharing in cloud computing," IEEE Transactions on Dependable and Secure Computing, vol. PP, no. 99, 2017.

[4] J. Shen, J. Shen, X. Chen, X. Huang, and W. Susilo, "An efficient public auditing protocol with novel dynamic structure for cloud data," IEEE Transactions on Information Forensics and Security, vol. 12, no. 10, pp. 2402-2415, 2017.

[5] D. He, S. Zeadally, and L. Wu, "Certificateless public auditing scheme for cloud-assisted wireless body area networks," IEEE Systems Journal, vol. 12, no. 1, pp. 64-73, 2018.

[6] Q. Jiang, Z. Chen, B. Li et al., "Security analysis and improvement of bio-hashing based three-factor authentication scheme for telecare medical information systems," Journal of Ambient Intelligence and Humanized Computing, 2017.

[7] Q. Jiang, J. Ma, C. Yang, X. Ma, J. Shen, and S. A. Chaudhry, "Efficient end-to-end authentication protocol for wearable health monitoring systems," Computers and Electrical Engineering, 2017.

[8] M. L. Das, "Two-factor user authentication in wireless sensor networks," IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1086-1090, 2009.

[9] M. K. Khan and K. Alghathbar, "Cryptanalysis and security improvements of 'two-factor user authentication in wireless sensor networks'," Sensors, vol. 10, no. 3, pp. 2450-2459, 2010.

[10] H.-L. Yeh, T.-H. Chen, P.-C. Liu, T.-H. Kim, and H.-W. Wei, "A secured authentication protocol for wireless sensor networks using Elliptic Curves Cryptography," Sensors, vol. 11, no. 5, pp. 4767-4779, 2011.

[11] K. Xue, C. Ma, P. Hong, and R. Ding, "A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks," Journal of Network and Computer Applications, vol. 36, no. 1, pp. 316-323, 2013.

[12] D. He, N. Kumar, H. Shen, and J.-H. Lee, "One-to-many authentication for access control in mobile pay-TV systems," Science China Information Sciences, vol. 59, no. 5, pp. 1-14, 2016.

[13] J.-J. Yuan, "An enhanced two-factor user authentication in wireless sensor networks," Telecommunication Systems, vol. 55, no. 1, pp. 105-113, 2014.

[14] D. Wang and P. Wang, "Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks," Ad Hoc Networks, vol. 20, pp. 1-15, 2014.

[15] J. Shen, S. Chang, J. Shen, Q. Liu, and X. Sun, "A lightweight multi-layer authentication protocol for wireless body area networks," Future Generation Computer Systems, vol. 78, no. 3, pp. 956-963, 2018.

[16] F. Wu, L. Xu, S. Kumari, and X. Li, "A new and secure authentication scheme for wireless sensor networks with formal proof," Peer-to-Peer Networking and Applications, vol. 10, no. 1, pp. 16-30, 2017.

[17] Q. Jiang, S. Zeadally, J. Ma, and D. He, "Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks," IEEE Access, vol. 5, pp. 3376-3392, 2017.

[18] C. Wang, G. Xu, and J. Sun, "An enhanced three-factor user authentication scheme using elliptic curve cryptosystem for wireless sensor networks," Sensors, vol. 17, no. 12, article no. 2946, 2017.

[19] X. Li, J. Niu, S. Kumari, F. Wu, A. K. Sangaiah, and K. R. Choo, "A three-factor anonymous authentication scheme for wireless sensor networks in internet of things environments," Journal of Network and Computer Applications, vol. 103, pp. 194-204, 2018.

[20] C. Wang, D. Wang, G. Xu, and Y. Guo, "A lightweight password-based authentication protocol using smart card," International Journal of Communication Systems, vol. 30, no. 16, pp. 1-11, 2017.

[21] D. Wang, H. Cheng, P. Wang et al., "Zipf's law in passwords," IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, pp. 2776-2791, 2017.

[22] F. Wei, P. Vijayakumar, J. Shen, R. Zhang, and L. Li, "A provably secure password-based anonymous authentication scheme for wireless body area networks," Computers and Electrical Engineering, 2017.

[23] Z. Zhang, K. Yang, X. Hu, and Y. Wang, "Practical anonymous password authentication and TLS with anonymous client authentication," in Proceedings of the 23rd ACM Conference on Computer and Communications Security (CCS 2016), pp. 1179-1191, October 2016.

[24] D. Wang and P. Wang, "Two birds with one stone: two-factor authentication with security beyond conventional bound," IEEE Transactions on Dependable and Secure Computing, 2016.

[25] C. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, no. 3, pp. 161-174, 1991.
