A Practically Secure Two-Factor and Mutual Authentication Protocol for Distributed Wireless Sensor Networks Using PUF

Abstract

In a distributed wireless sensor network (DWSN), sensors continuously perceive the environment, collect data, and transmit it to remote users through the network so as to realize real-time monitoring of the environment or specific targets. However, given the openness of wireless channels and the sensitivity of collecting data, designing a robust user authentication protocol to ensure the legitimacy of user and sensors in such DWSN environments faces serious challenges. Most of the current authentication schemes fail to meet some important and often overlooked security features, such as resisting physical impersonation attack, resisting smartcard loss attack, and providing forward secrecy. In this work, we put forward a practically secure two-factor authentication scheme using a physically unclonable function to prevent a physical impersonation attack and sensor node capture attack, utilize Chebyshev chaotic mapping to provide forward secrecy, and improve the efficiency and security of session key negotiation. Furthermore, we use the fuzzy verifier technique to prevent attackers from offline guessing attacks to resist smartcard loss attacks. In addition, a BAN logic proof and heuristic security analysis show that the scheme achieves mutual authentication and key agreement as well as prevents known attacks. A comparative analysis with state-of-the-art schemes shows that the proposal not only achieves desired security features but also maintains better efficiency.

1. Introduction

The development of microelectronics technology, computing technology, and wireless transmission technologies has promoted the rapid development of low-power multifunctional sensors for integrating various functions such as information collection, environmental sensing, and wireless communication in miniaturized volumes [1]. A distributed wireless sensor network consists of users, gateways, and many static or mobile microsensors that form a multihop self-organizing network through wireless communication, realize data collection and data aggregation, and transmit the data through a wireless channel by a gateway to a remote user for further analysis and processing [2]; its architecture is shown in Figure 1. A DWSN has a wide range of application scenarios, such as industrial Internet of Things [3], wireless medical sensor networks [4], smart homes [5], mine monitoring [6], etc. Note that since a WSN is the foundation of a DWSN, this paper also discusses the security of a WSN in the related works section. In a DSWN, wireless sensors are characterized by limited energy, computing power, and transmission bandwidth, and they are typically deployed in unmanned or harsh environments. Because the data gathered by wireless sensors are often important and sensitive and are transmitted wirelessly, it is easy for attackers to launch malicious attacks, such as eavesdropping, blocking, tampering, and replaying, during the communication process [7,8]. In a DWSN, the most serious case is that the node is subjected to a physical impersonation attack. By capturing the wireless sensor node in the network, the attacker obtains all the information (including the key) in the node, clones it, disguises it as a legitimate node, and participates in various network activities. Due to its legitimate information, the cloned node cannot be identified by ordinary security authentication methods. Although IEEE 802.15.4 provides some security services for the lower layers of the WSN stack, it also has some security defects [9]. Moreover, the openness of wireless networks and the scanty resources of wireless sensors make it necessary to establish appropriate authentication and key agreement mechanisms at the application layer to ensure secure communication between legitimate users and the sensors.

1.1. Related Works

As the key technology of network security, the user authentication protocol verifies the user’s legality and encrypts the transmission data between communication parties. It is crucial to ensure network security, and this is a prerequisite for ensuring the secure transmission of data and access by authorized users. In recent years, as sensor-based IoT technologies have been increasingly widely used in industrial and other scenarios, designing user authentication protocols for DWSNs has attracted the attention of the research community. In general, for DWSN user authentication protocols, in addition to being suitable for the actual needs and capable of user anonymity, mutual authentication, and high efficiency, they should also be able to defend against malicious attacks, like insider attacks, replay attacks, and physical impersonation attacks [10]. It is worth noting that the sensor node physical impersonation attack is easily overlooked.

Researchers have proposed various user authentication protocol schemes based on the hash function to address the challenges posed by the high-security requirements and resource constraints imposed by wireless sensors due to data sensitivity in the WSN environment [11,12,13,14,15,16,17,18,19,20,21]. Although these schemes are efficient in computation cost, they are still subject to some attacks, resulting in session key leakage or failure to meet the relevant security properties of the session key, which cannot guarantee the session key’s security negotiated by the two parties. For example, Das [22] proposed a three-factor (password, smartcard, biometrics) authentication protocol for a large-scale DWSN, but we found that Das’s scheme suffered from smartcard loss attack, failed to provide sensor node anonymity, and could not thwart a physical impersonation attack. Md. et al. [23] also found that Das’s scheme failed to resist a known session-specific temporary information attack and replay attack; the scheme [13] lacks forward secrecy; that is, if the system key is obtained by an attacker, the attacker can calculate the session key shared by the user and the sensor; protocols [12,14,15,19,20] are vulnerable to a temporary information leakage attack; protocols [11,16,17,18] cannot withstand a session key leakage attack; and protocols [15,19,20,21] could not thwart a physical impersonation attack. To address the security flaws of these authentication schemes by using the hash function, Wang et al. emphasized that public key operations should be employed to construct an authentication protocol in universal circumstances [24]. Compared with RSA and other public key cryptosystems, elliptic curve cryptography (ECC) has the merits of a shorter key length and faster computing speed, and it has been widely employed in various authentication protocols [25,26,27,28,29,30,31,32,33]. However, this kind of user authentication, using an ECC protocol for the WSN environment, still has the problem of high computation cost. Moreover, related research has shown that these authentication schemes based on ECC still lack anonymity and cannot resist security risks like a user impersonation attack and insider attack. Thus, designing a DWSN authentication protocol that not only can resist various known attacks and satisfy favorable security properties but also achieve a good trade-off between security and efficiency is a very challenging task.

Because public key cryptography with Chebyshev chaotic mapping has the merits of not relying on large prime numbers, faster computation, and shorter encryption length under the same security strength compared with modular exponential and ECC in public key cryptosystems, some researchers have proposed user authentication schemes using chaotic mapping [34,35]. Wang et al. [34] reported that a previous scheme lacked forward secrecy and was insecure to resist a session key leakage attack, impersonation attack, sensor node impersonation attack, desynchronization attack, and temporary information leakage attack; additionally, they suggested an improved anonymous authentication protocol to surmount these defects. However, our examination revealed that Wang et al.’s scheme fails to resist a gateway impersonation attack and temporary information leakage attack. To overcome the lack of forward secrecy, lack of three-factor (password, smartcard, biometric) security, and other defects in the previous scheme, Xu et al. [35] suggested a three-factor authentication protocol with chaotic mapping; however, the attacker can launch a replay attack because their scheme lacks a timestamp mechanism, and when insiders obtain registration information and the smartcard, they can recover some secret information and launch a user impersonation attack correspondingly. Li et al. [36] suggested an enhanced scheme with chaotic mapping to overcome the shortcomings in the previous scheme. Unfortunately, we point out that Li et al.’s solution is not appropriate in practice because, in their architecture, the user is capable of communicating directly with the sensor without having to go through a gateway, which shows that the communication distance is too far and that the signal transmission needs to consume more energy, resulting in the rapid depletion of the scanty energy of the sensor. Over the past few years, several enhanced authentication schemes [37,38,39] have been devised to eliminate the security weaknesses of previous protocols and to improve their efficiency using chaotic mapping in recent years. These schemes provide better security features compared to [10,27,28,29,30], but we note that none of them can defend against a sensor node physical impersonation attack.

Because sensors in the current DWSN are still at risk of being captured and physically impersonated by attackers, a new technique called PUF is being used in sensor nodes to improve the security of WSN authentication protocols. Recently, Shao et al. [40] put forward a mutual anonymous authentication protocol using PUF and a fuzzy extractor to thwart a desynchronization attack and privileged-insider attack for a wireless medical sensor network environment. In their scheme, both the user and the sensor use PUF to negotiate a session key to secure real-time data transmission between them. However, their scheme is not resistant to a desynchronization attack, and it is expensive to deploy because PUF is used on both the user and sensor sides. To resolve the faultiness of physical-layer security and over-centralized problem of the wireless medical sensor network, Wang et al. [41] devised a lightweight authentication protocol using PUF and blockchain technology with dynamic identity updates. Although this solution successfully addressed the physical-layer security of the sensor, all three participants in the authentication process needed to save many challenge response pairs in advance, which undoubtedly took up plenty of storage space for each of them. Lee et al. [42] presented a three-factor anonymous authentication scheme with PUF to ensure the secure communication of a wireless medical sensor network. It is possible for Lee et al.’s protocol to eliminate a sensor node capture attack within their protocol; however, the challenge response pairs saved in the gateway note are not updated during the authentication process, which exposes their scheme to potential risks such as an insider attack. In [43], a multifactor authentication scheme utilized PUF for an IoT-enabled WSN to provide a solution for accessing remote sensors through a base station. Recently, to address security shortcomings in three different schemes, Tyagi et al. [44] suggested an authentication scheme using PUF and ECC. However, we discovered that Tyagi et al.’s solution did not renew the challenge response pair as Lee et al.’s scheme [42], and the sensors directly communicate with the user as the scheme [36]. Although their scheme may protect against a sensor node physical impersonation attack, the high computation cost and communication cost or inner design flaws make them impractical in deployment.

1.2. Research Motivation and Contribution

Due to the huge application potential of a DWSN in many scenarios, some authentication protocols applied to the DWSN environment still have security defects, so it is extremely necessary to design authentication protocols with high security that are suitable for the DWSN environment. On the one hand, due to the scant energy and computation capability of wireless sensors, traditional network security technologies cannot be directly employed in a DWSN; thus, an authentication protocol for a DWSN should be designed to be efficient and lightweight. On the other hand, the data collected and transmitted by wireless sensors are frequently sensitive and can even lead to serious problems such as privacy disclosure and personal security, so there is a higher demand for security. In addition, compared to other public key cryptography systems such as ECC, Chebyshev chaotic mapping not only reduces computation cost on a wireless sensor with limited resources but also improves computation efficiency of the authentication scheme while maintaining higher security. In particular, sensor nodes are easily captured by attackers to launch a physical impersonation attack, so an authentication protocol must be able to defend against a physical impersonation attack. To solve these problems, we propose a DWSN anonymous authentication scheme using PUF and Chebyshev chaotic mapping.

The following are the contributions of this paper:

• We put forward an anonymous user authentication scheme for a DWSN utilizing PUF, Chebyshev chaotic mapping, and two factors, i.e., password and smartcard. Our scheme uses PUF only on sensor nodes to thwart a physical impersonation attack, and there is no need to prepare many challenge response pairs in advance. The challenge-response information of the sensor node is also not fixed but varies during each authentication process to guarantee the sensor node’s physical security, and this does not require a special additional phase. In addition, we use the public key cryptography system Chebyshev chaotic mapping, which can not only prevent the guessing attacks caused by the simple use of the hash function to generate the shared session key but can also ensure the same security with only one-third of the operation cost compared with an ECC.
• We demonstrate the security of our scheme by using the BAN logic and heuristic analysis to demonstrate that it not only achieves secure session key negotiation and mutual authentication but also has the ability of preventing various known attacks while possessing the desired security features.
• We analyze the performance by comparing our protocol with that of state-of-the-art relevant protocols to indicate that our protocol produces a better trade-off between efficiency and security.

2. Preliminaries

2.1. Chebyshev Chaotic Mapping

Let p and t be variables, and p ∈ Z⁺, t ∈ [−1, 1]. The definition of p degree Chebyshev polynomial is as follows: T_p(t): [−1,1] → [−1, 1], T_p(t) = cos(parccos(t)) [45]. When p ≥ 2, the equivalent iterative relation is T_p (t) = 2 t T_p−1(t) − T_p−2(t), where T₁(t) = t and T₀(t) = 1. Chebyshev polynomial satisfies the following semigroup property: T_q(T_p(t)) = T_qp(t) = T_pq(t) = T_p(T_q(t)), where q and p ∈ Z⁺. When p > 1, the Chebyshev polynomial is also called the Chebyshev chaotic mapping.

For example, we set p = 0, 1, 2, …, and t = 0.3; thus, T₀(t) = 1, T₁(t) = 0.3, T₂(t) = 2tT₁(t) − T₀(t) = −0.82, T₃(t) = −0.792, T₄(t) = 0.3448, T₅(t) = 0.99888, T₆(t) = 0.2545, and T₆(t) = T₃(T₂(t)) = T₂(T₃(t)) = 0.2545. By repeating this process, a series of values can be obtained that satisfy the semigroup property, and as the number of iterations increases, the output will exhibit complex and unpredictable characteristics.

In 2008, Zhang [46] proved that the Chebyshev polynomial still satisfies the semigroup property if the variable t is extended to the interval (−∞, +∞). The extended Chebyshev polynomial is described as T_p (t) = 2tT_p−1(t) − T_p−2(t) mod P, where P is a large prime and t ∈ (−∞, +∞). For convenience, mod P is left out in the subsequent subsections. The security of the extended Chebyshev polynomial is mainly based on the following two mathematical problems as follows:

Discrete Logarithm Problem (DLP): Given a, b = T_r(a), P, and a ∈ (−∞,+∞), find r in polynomial time such that b ≡ T_r(a) is infeasible.

Diffie–Hellman Problem (DHP): Given a, T_r(a), T_s(a), P, and a ∈ (−∞,+∞), find b in polynomial time such that b ≡ T_rs(a) is infeasible.

2.2. Physically Unclonable Function

A physically unclonable function (PUF) is a function that uses structured differences within a physical circuit so that any input challenge outputs a unique and unpredictable response [47]. A PUF’s output response is based on the intrinsic properties of the physical system, so each PUF is unique, unpredictable, and difficult to replicate or simulate. The PUF can also realize several traditional public key encryption functions while reducing the computation and communication overhead. The PUF is embedded as the basic unit in the computing device, which enhances the security of the protocol, and the computing time can be negligible. The PUF can be expressed as a functional relationship between the input challenge C and the output response R, i.e., R = PUF(C).

2.3. Adversary Model

To facilitate the reader’s comprehension of the cryptanalysis of our proposal in Section 4, an adversary model depicting the attacker’s capabilities is presented here according to the relevant literature.

• The attacker can completely manipulate the public channel; that is, the attacker can intercept, block, tamper, and retransmit the message on the public channel [48,49].
• The attacker can draw out the secret parameters on the smartcard [50].
• To facilitate memory, the identity and password set by the user often have low entropy, so the attacker can conduct an offline guessing attack on the user’s identity and password simultaneously by enumeration [24,51,52].
• The lengths of the random numbers and keys chosen by each communicating entity are large enough that an attacker cannot successfully guess them in polynomial time [53].
• When considering an insider attack, insiders can derive the registration message sent by the user during the registration phase [54,55].

2.4. Security Requirements

In light of the literature [48,53], an efficient and robust DWSN user authentication protocol should meet the security requirements as follows.

• Provide N-factor security: For an N-factor (password, smartcard, biometric information, etc.) authentication protocol for the DWSN, even if an attacker obtains N − 1 factors, the attack cannot log into the system.
• Defense against known attacks: The DWSN authentication protocol should be robust enough to defend against known attacks like an impersonation attack, an insider attack, a temporary information leakage attack, and a replay attack.
• Provide forward secrecy: If the master key of the system is leaked, an attacker should either be unable to recover the previous session keys or be unable to calculate future session keys.
• Prevent a sensor node capture attack: If an attacker captures a sensor node, other sensor nodes are not affected.
• User anonymity: The attacker cannot disclose the real identities of users.
• Mutual authentication and key agreement: Mutual authentication between the sensor and the user is achieved, and a shared session key is negotiated.

3. Our Proposed Scheme

In this section, we suggest a two-factor (password, smartcard) authentication protocol for the DWSN. Our scheme improves security and efficiency mainly in three aspects:

• We use PUF to thwart a physical impersonation attack and sensor node capture attack.
• Because it is imperative that the public key algorithm is used to improve the security of the protocol [24], we adopt the Chebyshev chaotic mapping algorithm, which is superior to other public key algorithms in terms of efficiency, to improve efficiency and provide forward secrecy.
• We utilize a fuzzy verifier mechanism to eliminate an offline guessing attack caused by the loss/stolen smartcard being acquired by attackers.

Our solution consists of five phases: system setup, user registration, sensor node registration, login and authentication, and password update.

The meanings of the symbols used in this article are listed in

Table 1. The meaning of notations.

Notation	Meaning
GWi	The ith gateway node
Ui	ith user
Sj	jth sensor node
IDi	Ui’s identity
PWi	Ui’s password
SIDj	Sj’s identity
KGi	GWi’s master key
Kj	Sj’s secret password key
h()	A secure one-way hash function
Ti	Timestamp, i = 1, 2, ….
||	Concatenation
⊕	Bitwise XOR operation
→	The public channel

.

3.1. System Setup

The ith gateway node GW_i selects the master key K_Gi, a large prime number α_i, a Chebyshev polynomial parameter β_i ∈ (−∞,+∞), calculates G_P = T_KGi(β_i), and stores {K_Gi, α_i} secretly and publishes {G_P, β_i}.

3.2. User Registration

• U_i sets the identity ID_i and password PW_i and then delivers a registration request message {ID_i} to the GW_i via a secure channel.
• On receiving the message, GW_i checks whether ID_i is in the database. If ID_i already exists, GW_i aborts the registration. Otherwise, it stores ID_i in the database and selects random numbers x and R_g, calculates DID_i = h(ID_i||R_g), UID_i = DID_i⊕h(x||K_Gi), P_i = h(UID_i||K_Gi), stores {P_i, x} into the database, and stores {UID_i, DID_i, h(), β_i} into the smartcard. Finally, GW_i delivers the card to U_i through a secure channel.
• After receiving the smartcard, the user chooses a random number r and calculates A_i = h(PW_i||r), selects δ ∈ [2⁸, 2¹⁰], calculates R_i = r⊕h(ID_i||PW_i) mod δ, H_i = DID_i⊕h(PW_i||ID_i||r), L_i = UID_i⊕h(ID_i||A_i), V_i = h(A_i||ID_i), replaces {UID_i, DID_i} with {H_i, L_i} in the smartcard, and keeps (R_i, V_i, δ) in the smartcard.

3.3. Sensor Node Registration

• S_j chooses the identity SID_j and a random number R_j, calculates PR_j = h(SID_j||R_j), and sends the registration request information {SID_j, PR_j} to the GW_i.
• After receiving {SID_j, PR_j}, GW_i calculates KS_j = h(PR_j||K_Gi), P_j = h(SID_j||K_Gi), stores {P_j, PR_j} in the database, and then transmits {KS_j, C_s} to S_j via a secure channel, where C_s is a challenge.
• On receiving {KS_j, C_s}, S_j computes R_s = PUF(C_s), sends to GW_i, and stores {PR_j, KS_j} in memory.
• GW_i stores {C_s, R_s} in the database.

3.4. Login and Authentication

• U_i inserts the smartcard, inputs ID_i and PW_i, calculates r* = R_i⊕h(ID_i||PW_i) mod δ, A_i* = h(PW_i||r*), V_i* = h(A_i*|| ID_i), and verifies that V_i^* == V_i holds. If not, U_i terminates this session. Otherwise, U_i selects random number a and timestamp T₁, computes A₁ = T_a(β_i), DID_i = H_i⊕h(PW_i||ID_i||r*), UID_i = L_i⊕h(ID_i||A_i*), V₁ = h(DID_i ||UID_i||A₁||T₁), M₁ = (UID_i||SID_j||V₁)⊕T_a(G_P), and transmits a login request {A₁,M₁, T₁} to GW_i.
• On receiving the user’s login request, GW_i uses the current timestamp T₁′ to verify |T₁′ − T₁| ≤ ΔT, decrypts M₁ by computing M₁⊕T_KGi(A₁) to obtain UID_i, SID_j, V₁, calculates P_i = h(UID_i ||K_Gi), P_j = h(SID_j||K_Gi), retrieves the secret value x according to P_i, retrieves {C_s, R_s, PR_j} according to P_j, calculates KS_j = h(PR_j||K_Gi), DID_i = UID_i⊕h(x||K_Gi), V₁′ = h(DID_i||UID_i||A₁||T₁), and verifies whether V₁’ == V₁ holds. If the stipulation is false, GW_i aborts the session; otherwise, GW_i chooses random number b and timestamp T₂, M₂ = (h(b||DID_i)||C_s)⊕h(KS_j||SID_j), V₂ = h(SID_j||h(b||DID_i)||A₁||R_s||T₂), and finally delivers {M₂, A₁, V₂, T₂} to S_j.
• On receiving the incoming message, S_j verifies |T₂’ − T₂| ≤ ΔT with the current timestamp T₂’ and calculates (h(b||DID_i)’||C_s’) = M₂⊕h(KS_j||SID_j), R_s’ = PUF(C_s’), V₂’ = h(SID_j||h(b||DID_i)’||A₁||R_s||T₂), and verifies whether V₂’ == V₂ holds. If not, S_j ends the session; otherwise, S_j selects random number c and timestamp T₃, computes C_s^new = h(C_s||h(b||DID_i)’), R_s^new = PUF(C_s^new), A₂ = T_c(y), session key SK_su = h(h(b||DID_i)’||A₁||A₂||T_c(A₁)), V₃ = h(R_s^new||KS_j||h(b||DID_i)’||A₂||T₃), L_j = R_s^new⊕KS_j, M₃ = h(A₁||A₂||SK_su), and finally sends the message {A₂, L_j, V₃, M₃, T₃} to GW_i.
• On receiving the message, GW_i verifies that |T₃’ − T₃| ≤ ΔT, where T₃’ is the current timestamp, calculates R_s^new = L_j⊕KS_j, V₃’ = h(R_s^new ||KS_j||h(b||DID_i)’||A₂||T₃), and determines whether V₃’ and V₃ are equal. If not, GW_i ends the session. Otherwise, GW_i obtains the current timestamp T₄, and calculates C_s^new = h(C_s||h(b||DID_i)’), M₄ = h(b||DID_i)⊕h(DID_i||UID_i||T₄), V₄ = h(M₃||DID_i||T₄), replaces {P_j, C_s, R_s, PR_j} with {P_j, C_s^new, R_s^new, PR_j}, and finally sends {A₂, M₄, V₄, T₄} to U_i.
• Upon receiving the message from GW_i, U_i uses the current timestamp T₄’ to verify |T₄’ − T₄| ≤ ΔT, calculates h(b||DID_i)″= M₄⊕h(DID_i||UID_i||T₄), SK_us = h(h(b||DID_i)″||A₁||A₂||T_a(A₂)), V₄’ = h(h(A₁||A₂||SK_us)||DID_i||T₄), and compares V_4’ and V₄ for equality. If V₄’ and V₄ are equal, U_i accepts SK_us as the session key with S_j; otherwise, U_i terminates the session.

This phase is illustrated in Figure 2.

3.5. Password Update

If the user intends to renew the password, the subsequent steps are necessary.

• U_i inserts the smartcard into the card reader and types his ID_i and password PW_i. The smartcard calculates r = R_i⊕h(ID_i||PW_i) mod δ, A_i = h(PW_i||r), DID_i = H_i⊕h(PW_i||ID_i||r), UID_i = L_i⊕h(ID_i||A^*), V_i’ = h(A_i||ID_i), and compares V_i’ and V_i for equality. If the two are equal, the smartcard executes the next step; otherwise, the card ends this session.
• U_i inputs his ID_i and new password PW_i^new, calculates A_i^new = h(PW_i^new||r), R_i^new = r⊕h(ID_i||PW_i^new) mod δ, H_i^new = DID_i⊕h(PW_i^new||ID_i||r), L_i^new = UID_i⊕h(ID_i||A_i^new), and V_i^new = h(A_i^new||ID_i).
• U_i replaces {H_i, L_i, R_i, V_i} with {H_i^new, L_i^new, R_i^new, V_i^new} on the card.

4. Security Analysis

In this section, we first employ BAN (Burrows_Abadi_Needham) logic [48] to demonstrate the security of the proposal, and then, we perform a heuristic analysis to show that the proposal can thwart known attacks and satisfies the security requirements of DWSNs.

4.1. Security Proof

BAN logic is a belief-based modal logic that has been widely used in the formal analysis of key agreement security of cryptographic authentication protocols. We employ the BAN logic to prove the security property of mutual authentication and key agreement in the proposal. To save space, we use the BAN symbols and rules in [48] to perform the security proof of the proposal.

We define the following goals of our protocol:

Goal 1: U_i|≡S_j|≡(U_i $\stackrel{SK}{\leftrightarrow }$ S_j)

Goal 2: U_i|≡(U_i $\stackrel{SK}{\leftrightarrow }$ S_j)

Goal 3: S_j|≡U_i|≡(U_i $\stackrel{SK}{\leftrightarrow }$ S_j)

Goal 4: S_j|≡(U_i $\stackrel{SK}{\leftrightarrow }$ S_j)

The idealized form of the messages transmitted by each communication participant during the authentication process is described as below:

Msg1: U_i → GW_i: <A₁, M₁, T₁>_DIDi

Msg2: GW_i → S_j: <h(b||DID_i), A₁, V₂, T₂>_KSj

Msg3: S_j → GW_i: <A₂, L_j, V₃, M₃, T₃>_KSj

Msg4: GW_i → U_i: <A₂, h(b||DID_i), V₅, T₄>_UIDi

According to the initial state of the proposal, we make the following assumptions:

• H₁: U_i|≡#(T₄)
• H₂: GW_i|≡#(T₁)
• H₃: S_j|≡#(T₂)
• H₄: GW_i|≡#(T₃)
• H₅: GW_i|≡GW_i $\stackrel{DI{D}_i}{\leftrightarrow }$ U_i
• H₆: S_j|≡GW_i $\stackrel{K{S}_j}{\leftrightarrow }$ S_j
• H₇: GW|≡GW_i $\stackrel{K{S}_j}{\leftrightarrow }$ S_j
• H₈: U_i|≡S_j|≡U_i $\stackrel{SK}{\leftrightarrow }$ S_j
• H₉: U_i|≡U_i $\stackrel{UI{D}_i}{\leftrightarrow }$ GW_i
• H₁₀: S_j|≡U_i|≡U_i $\stackrel{SK}{\leftrightarrow }$ S_j

The validity of the proposal on the basis of the above definition and the BAN logic rules is carried out as follows.

From Msg1, we obtain S₁:

GW_i◁<A₁, M₁, T₁>_DIDi

Thus, according to S₁, H₅, and the message meaning rule, we obtain S₂:

GW_i|≡U_i|~<UID_i, DID_i, A₁, T₁>

According to S₂, H₂, and the freshness-conjuncatenation rule, we obtain S₃:

GW_i|≡#<UID_i, DID_i, A₁, T₁>

According to S₂, S₃, and the brief rule, we obtain S₄:

GW_i|≡U_i|≡<UID_i, DID_i, A₁, T₁>

From Msg2, we obtain S₅:

S_j◁<h(b||DID_i), A₁, V₂, T₂>_KSj

According to S₅, H₆, and the message meaning rule, we obtain S₆:

S_j|≡GW_i|~<h(b||DID_i), A₁, V₂, T₂>

According to S₆, H₃, and the freshness-conjuncatenation rule, we obtain S₇:

S_j|≡#<h(b||DID_i), A₁, V₂, T₂>

According to S₆, S₇, and the brief rule, we obtain S₈:

S_j|≡GW_i |≡<h(b||DID_i), A₁, V₂, T₂>

From Msg3, we obtain S₉:

GW_i◁<A₂, L_j, V₃, M₃, T₃>_KSj

According to S₉, H₇, and the message meaning rule, we obtain S₁₀:

GW_i|≡S_j|~<A₂, L_j, V₃, M₃, T₃>

According to S₁₀, H₄, and the freshness-conjuncatenation rule, we obtain S₁₁:

GW_i|≡#<A₂, L_j, V₃, M₃, T₃>

According to S₁₀, S₁₁, and the brief rule, we obtain S₁₂:

GW_i|≡S_j|≡<A₂, L_j, V₃, M₃, T₃>

From Msg4, we obtain S₁₃:

U_i◁<A₂, h(b||DID_i), V₅, T₄>_UIDi

According to S₁₃, H₉, and the message meaning rule, we obtain S₁₄:

U_i|≡GW_i|~<A₂, h(b||DID_i), V₅, T₄>

According to S₁₄, H₁, and the freshness-conjuncatenation rule, we obtain S₁₅:

U_i|≡#<A₂, h(b||DID_i), V₅, T₄>

According to S₁₄, S₁₅, and the brief rule, we obtain S₁₆:

U_i|≡GW_i|≡<h(b||DID_i), A₁, V₂, T₂>

Because SK = h(h(b||DID_i)||A₁||A₂||T_a1(A₂)), and according to S₁₂ and S₁₆, we obtain S₁₇:

$$U_i|\equiv S_j|\equiv (U_i\stackrel{SK}{\leftrightarrow }{S}_j) (\mathit{Goal} 1)$$

According to S₁₇, H₈, and the Jurisdiction rule, we obtain S₁₈:

$$U_i|\equiv (U_i\stackrel{SK}{\leftrightarrow }{S}_j) (\mathit{Goal} 2)$$

According to S₄ and S₈ and because SK = h(h(b||DID_i)||A₁||A₂||T_a1(A₂)), we obtain S₁₉:

$$S_j|\equiv U_i|\equiv (U_i\stackrel{SK}{\leftrightarrow }{S}_j) (\mathit{Goal} 3)$$

Finally, according to S₁₉, H₁₀, and the Jurisdiction rule, we obtain S₂₀:

$$S_j|\equiv (U_i\stackrel{SK}{\leftrightarrow }{S}_j) (\mathit{Goal} 4)$$

Therefore, Goals 1–4 have been proven successfully, and it means that, in the proposal, U_i and S_j not only authenticate mutually but also generate a session key between them.

4.2. Security Analysis

We analyze the security of our scheme and finally compare it with related protocols with regard to security properties.

• Smartcard loss attack: Assume that the attacker derives the smartcard of the legitimate user and retrieves the secret data {H_i, L_i, R_i, V_i, h(), δ, β_i} on the card through the side channel analysis technique [50], where H_i = DID_i⊕h(PW_i||ID_i||r), L_i = UID_i⊕h(ID_i||A_i), V_i = h(A_i||ID_i), and A_i = h(PW_i||r), R_i = r⊕h(ID_i||PW_i) mod δ. If the attacker intends to guess ID_i and PW_i through H_i and L_i because the attacker knows nothing about the secret parameter r of the user U_i and the secret parameters (x, R_g) and the master key K_Gi of the GW_i, the attack will not succeed. In addition, if the attacker intends to guess ID_i and PW_i through V_i, first, r must be found by calc unnecessary ulating r = R_i⊕h(ID_i||PW_i) mod δ. However, due to the protection of the fuzzy verifier technique, the probability of the attacker’s guessing success is very trivial and can be ignored [24]. Therefore, our scheme can defend against a smartcard loss attack.
• N-factor security: Our protocol is a two-factor (password, smartcard) scheme; thus, N = 2. On the one hand, if the attacker only acquires the password, clearly, the attacker cannot log in to the system. On the other hand, if the attacker only obtains the smartcard, although the attacker can extract the secret parameters on the smartcard, as analyzed in item 1 of Section 4.2, the attacker still cannot guess the user’s password and cannot log into the system. Thus, our scheme can provide N-factor security.
• Insider attack: Suppose the insider obtains the user’s registration request {ID_i}, temporarily derives the user’s smartcard, retrieves the secret parameters {H_i, L_i, R_i, V_i, h(), δ, β_i} on the card through a side channel analysis attack, and then prepares to guess the user’s password PW_i through the parameters (H_i, L_i, R_i, V_i), as analyzed in item 1 of Section 4.2, due to the protection of the fuzzy verifier mechanism, the attacker will fail to acquire r so that the correct PW_i cannot be guessed, and finally, the two important parameters (DID_i, UID_i) of the user cannot be disclosed. In addition, we suppose an insider has obtained the sensor information {P_j, C_s, R_s, PR_j} stored in GW_i and eavesdrops on the interaction messages {M₂, A₁, V₂, T₂} and {A₂, L_j, V₃, M₃, T₃} between GW_i and the sensor. Although the attacker can obtain the updated PUF response by computing R_s^new = L_j⊕R_s, because the calculation of the session key involves parameters A₁ and A₂ and the attacker cannot break the DLP and DHP problems, the attacker cannot calculate the session key based on h(h(b||DID_i)’||A₁||A₂||T_c(A₁)).

Therefore, our protocol can protect against an insider attack.

4.

Forward secrecy and backward secrecy: In our protocol, if an attacker acquires U_i’s smartcard, the attacker cannot launch a successful guessing attack on ID_i and PW_i, so our protocol does not suffer from the forward secrecy issue as in Kwon et al.’s scheme. On the other hand, even if the master key K_Gi of the GW_i is disclosed to the attacker, because the session key SK= h(h(b||DID_i)’||A₁||A₂||T_c(A₁)) and the attacker cannot obtain PR_j, the attacker is incapable of calculating KS_j; as a result, h(b||DID_i) cannot be obtained by calculating M₂⊕h(KS_j||SID_j). More importantly, although the attacker can eavesdrop on the messages containing A₁ and A₂ in the public channel, the attacker still cannot calculate SK because calculating T_c(A₁) is equivalent to solving the DLP problem and the DHP problem. In summary, our scheme can provide forward and backward secrecy for session keys.

5.

Mutual authentication: In some schemes, like Kwon et al.’s protocol [15], the mutual authentication among U_i, GW_i, and S_j relies on the single secret parameter HID_i. Once the attacker acquires the parameter HID_i, the attacker can impersonate a legal user to deliver a valid login request to GW_i and pass the authentication of GW_i and S_j and, finally, generate a shared session key with S_j. In our scheme, the authentication of GW_i to U_i depends on these secret parameters (α_i, P_i, x, K_Gi); the mutual authentication of GW_i and S_j depends on the two parameters of KS_j and SID_j, and SID_j transmitted on the open channel is not in clear text; the authentication of U_i to GW_i relies on two secret parameters of UID_i and DID_i. It can be observed that the mutual authentication among communication entities in our scheme does not depend on a single parameter but on multiple sets of mutually independent secret parameters. This makes it extremely difficult for attackers to spoof messages to deceive communication entities and pass their verification. Thus, our scheme achieves mutual authentication among the three communication participants U_i, GW_i, and S_j.

6.

Desynchronization attack: Since our scheme does not need to synchronously update the related information between GW_i and the user’s smartcard in each authentication process to keep user anonymity and to prevent the attacker from tracing, our scheme can defend against a desynchronization attack.

7.

Replay attack: In our scheme, the messages sent by U_i, GW_i, and S_j all contain timestamps, and the timestamps are protected using a hash function in V_i (i = 1, 2, 3, 4). Upon receiving the message, the receiver must not only check the freshness of the timestamps but must also check the corresponding hash value V_i. If the attacker intends to conduct a replay attack by intercepting the message and changing the timestamp and retransmitting the message to the receiver, it will cause the V_i calculated by the hash function at the receiver’s side using the timestamp as a parameter to be inconsistent with the received V_i, and the session will be ended. Thus, our scheme can prevent a replay attack.

8.

Sensor node capture Attack: If the attacker captures the sensor node S_j, the attacker can read the key KS_j from the sensor’s memory and restore h(b||DID_i) of the three parameters needed to reveal the session key based on the eavesdropped messages {M₂, A₁, V₂, T₂} and {A₂, L_j, V₃, M₃, T₃}. Because the session key SK = h(h(b||DID_i)″||A₁||A₂||T_a(A₂)), the attacker is still unable to reveal the session key as the attacker also faces both the DLP problem and the DHP problem. In addition, due to the features of PUF, the attacker cannot produce R_s or R_s^new from C_s or C_s^new, which is necessary to generate the valid authenticators V₂ and V₃, respectively. In this way, even if the sensor S_j is captured by an attacker, it will not affect the secure communication between other sensor nodes and U_i. Thus, our protocol can defend against a sensor node capture attack.

9.

Man-in-the-middle attack: Assuming the attacker blocks the user’s login request message {A₁, M₁, T₁}, because he does not obtain {K_Gi, α_i}, he or she cannot decrypt M₁ to obtain relevant information (UID_i, SID_j, V₁). In addition, if the attacker obtains {K_Gi, α_i} by some means, but because V₁ = h(DID_i||UID_i||A₁||T₁) and the attacker cannot obtain x, it is not feasible to fake V₁. Hence, our proposal can thwart a man-in-the-middle attack.

10.

User anonymity: Suppose the attacker eavesdrops on four messages, {A₁, M₁, T₁}, {M₂, A₁, V₂, T₂}, {A₂, L_j, V₃, M₃, T₃}, and {A₂, M₄, V₄, T₄}, in the login and authentication phase, since M₁ is ciphertext, other parameters are generated using random numbers (a, b, c), timestamps, and hash functions, and the message in each user login process is different. In addition, there is no user identity information that allows for the attacker to track the user according to these messages, and the attacker also cannot determine whether different login request messages are delivered by the same user. Thus, the proposal achieves user anonymity.

11.

User Impersonation Attack: In the proposal, if the attacker is going to conduct a user impersonation attack to deceive GW_i, the attacker must first produce a valid login request message {A₁, M₁, T₁}. However, without knowledge of the user’s ID_i, PW_i, and parameters (DID_i, UID_i), the attacker cannot produce a valid login request message. In addition, it has been pointed out in item 1 of Section 4.2 that, even if the user’s smartcard is stolen by the attacker, the guessing attack on ID_i and PW_i will not be successful. It is also pointed out in item 2 of Section 4.2 that, even if the user’s ID_i and smartcard are obtained by the attacker and the attacker starts guessing the password, he or she will fail due to the protection of the fuzzy verifier technique. Hence, the proposal can thwart a user impersonation attack.

12.

Physical impersonation attack: This attack indicates that an attacker can imitate the sensor to send a fake message {A₂, L_j, V₃, M₃, T₃} to GW_i and pass the validation of GW_i. However, if the attacker intends to recreate the same wireless sensor as the original wireless sensor with the PUF, the fake message {A₂, L_j, V₃, M₃, T₃} generated by the attacker through the invalid PUF will be discriminated and rejected by the GW_i. Hence, the proposed scheme can defend against a physical impersonation attack.

13.

DoS attack: In our scheme, an attacker might send a previously valid message {A₁, M₁, T₁} to GW_i repeatedly to consume the target’s resources. If the attacker alters T₁ to T₁’ so that T_ct − T₁’ ≤ Δt is valid, where T_ct is the current time and Δt represents a very small time interval, although GW_i passes the verification of timestamp T₁’, GW_i also calculates V₁’ = h(DID_i||UID_i||A₁||T₁’) according to T₁^’ and then determines whether V₁’ = V₁ is valid. Obviously, since V₁ = h(DID_i ||UID_i||A₁||T₁), V₁’ = h(DID_i||UID_i||A₁||T₁’), and T₁’ ≠ T₁ and the attacker does not know DID_i and UID_i, the attacker cannot forge V₁ to pass authentication. So V₁’ = V₁ does not hold, and GW_i terminates the session. Similarly, if an attacker repeatedly sends messages {M₂, A₁, V₂, T₂}, {A₂, L_j, V₃, M₃, T₃}, and {A₂, M₄, V₄, T₄} to the sensor, gateway, and user to launch a DoS (Denial of Service) attack, it will also be unsuccessful. The analysis process is similar to the above. Therefore, our scheme can prevent a DoS attack.

14.

Comparison of security features: According to the above security analysis, we compare the proposal with state-of-the-art schemes [28,29,33,40,42,43,44] with respect to security features, and the result is as exhibited in

Table 2. Comparison of security features.

Security Features	[28]	[29]	[33]	[40]	[42]	[43]	[44]	Ours
S1	√	√	√	×	×	√	√	√
S2	√	√	√	×	×	√	√	√
S3	√	√	√	√	√	√	√	√
S4	×	×	×	√	√	√	×	√
S5	√	√	√	×	×	√	×	√
S6	√	√	√	√	√	√	√	√
S7	×	√	√	√	√	√	√	√
S8	√	√	√	√	√	×	√	√
S9	√	×	√	√	√	√	√	√
S10	√	√	√	√	×	×	√	√
S11	√	√	√	√	×	×	√	√
S12	×	×	×	√	√	√	×	√
S13	√	√	√	√	√	√	√	√
S14	×	√	√	√	×	√	√	√

S1: Resist smartcard loss attack; S2: Resist user impersonation attack; S3: Resist GW impersonation attack; S4: Resist sensor node capture attack; S5: Resist desynchronization attack; S6: Provide forward secrecy; S7: Resist replay attack; S8: Resist insider attack; S9: Resist man-in-the-middle attack; S10: User anonymity; S11: Sensor node anonymity; S12: Resist physical impersonation attack; S13: Mutual authentication and key agreement; S14: Resist DoS attack.

, where “√” means that the attack can be thwarted or the security property can be satisfied, while “x” means that the attack cannot be resisted or the security property cannot be satisfied. It can be observed from Table 2 that the scheme [44] cannot prevent a physical impersonation attack, though it uses the PUF function on the user side. Although the scheme [40] uses the PUF function on both the user side and sensor side, it is not resistant to a desynchronization attack. Furthermore, compared with other related schemes, our scheme can defend against more attacks and satisfy more security properties, while other schemes are subject to some security flaws, more or less.

When considering the influence of the external environment on the proposal, various states can be constructed, such as the user sends an authentication request, the gateway verifies the authenticity of the user’s identity, the sensor verifies the authenticity of the gateway and the user, the gateway verifies the authenticity of the sensor’s identity, the user verifies the authenticity of the gateway’s identity, and then the Markov chain is established. If the external environment changes, such as an increase in network latency or an attacker attempts brute-force intercepted messages, the timestamp mechanism resolves these issues. Although this may affect the probability of transition, the future state depends only on the current state, not on past states and historical information, so the execution process of the proposal conforms to the Markovian effect and does not conform to the non-Markovian effect [56]. These are left for a future in-depth analysis.

5. Performance Analysis

In this section, we compare the performance of the proposal with state-of-the-art schemes [28,29,33,40,42,43,44] with respect to the login and authentication phase in four aspects: computation overhead, communication overhead, sensor throughput, and storage overhead.

5.1. Computation Overhead

For convenience, we use the running time of various cryptographic operations in the literature [34,35] as the benchmark to calculate the computation overhead of each scheme. Suppose that T_H, T_P, T_C, T_F, and T_S denote the execution times of a hash function, an elliptic curve point multiplication, a Chebyshev polynomial calculation, a Rep function of the fuzzy extractor, and the symmetric encryption/decryption, respectively, and their values are 0.5 ms, 63.08 ms, 21.02 ms, 63.08 ms, and8.7 ms, respectively. Since the XOR operation takes very little time, we ignore its time overhead. Table 2 shows the comparison results between the proposal and relevant protocols in terms of computation overhead. For ease of understanding, we show

Table 3. Comparison of computation overhead.

	[28]	[29]	[33]	[40]	[42]	[43]	[44]	Ours
Ui	7TH + 3TP	6TH + TF + 2TP + 2TS	13TH + TF + 2TP	13TH + TF	18TH + TF	9TH	12TH +TF + 2TP	9TH + 3TC
GWi	9TH + TP	3TH + 6TS	10TH + 2TP	17TH + TF	22TH	15TH + 2TS + 3TF	8TH	12TH + TC
Sj	8TH + 2TP	2TH + 2TP + 2TS	6TH	8TH + TF	12TH + TF	9TH + TF + TS	6TH + 2TP	6TH + 2TC
Total cost	24TH + 6TP	11TH + TF + 4TP + 10TS	29TH + TF + 4TP	38TH + 3TF	52TH + 2TF	33TH + 4TF + 3TS	26TH + TF + 4TP	27TH + 6TC
Computation overhead (ms)	390.48	407.9	329.9	208.24	467.56	286.22	328.4	139.62

as a graph in Figure 3.

5.2. Communication Overhead

According to [34], we set the length of the random number, elliptic curve, hash value, Chebyshev polynomial, identity, timestamp, and encrypted block lengths to 128 bits, 320 bits, 160 bits, 128 bits, 32 bits, 32 bits, and 128 bits, respectively. Table 3 shows the comparison results of communication overhead between the proposal and relevant schemes [28,29,33,40,42,43,44]. Moreover, for the sake of understanding, we present

Table 4. Comparison of communication overhead.

	[28]	[29]	[33]	[40]	[42]	[43]	[44]	Ours
Communication overhead (bits)	3252	3456	1952	2752	2016	5120	2656	1952

as a graph, as shown in Figure 4.

5.3. Sensor Throughput

Because wireless sensors are often deployed in unattended environments, it is difficult for users to replenish their energy in real time. A wireless sensor consumes a certain amount of energy to receive and send data, so its network throughput is closely related to its life cycle. Therefore, we analyze the network throughput to examine its impact on the life cycle of the sensor node. The comparison results of the sensor node throughput between the proposed scheme and the other schemes [28,29,33,40,42,43,44] are shown in

Table 5. Comparison of sensor node throughput.

	[28]	[29]	[33]	[40]	[42]	[43]	[44]	Ours
Receive	928	640	384	896	512	1024	1152	480
Send	852	896	352	512	192	864	960	480
Total (bits)	1780	1536	736	1408	704	1888	2112	960

and Figure 5.

5.4. Storage Overhead

By comparing the proposal with state-of-the-art protocols [28,29,33,40,42,43,44] in terms of their own storage overhead for the three communication participants U_i, GW_i, and S_j, the results are illustrated in

Table 6. Comparison of storage overhead.

	[28]	[29]	[33]	[40]	[42]	[43]	[44]	Ours
Smartcard	544	736	960	832	640	2464	1728	746
Gateway	640	608	832	1312	896	2016	448	1204
Sensor	192	192	352	320	512	192	480	320
Total	1376	1536	2144	2464	2048	4672	2656	2270

and Figure 6.

5.5. Comprehensive Analysis

From the performance comparison of the four aspects mentioned above, we can see that our scheme has favorable performance. From Table 3 and Figure 3, we can see that the proposal requires the least computation time of 139.62 ms. Compared with that of the other schemes, the computation overhead of our protocol has a significant advantage over that of the other schemes [28,29,33,40,42,43,44]. Furthermore, from Figure 4 and Figure 5, we can see that our protocol and Saini et al.’s scheme [33] have the lowest communication overhead among all the protocols, our protocol is slightly higher than protocols [33,42] in terms of sensor throughput, and Figure 6 also shows that our protocol is slightly higher than protocols [28,29,33,42] but better than protocols [40,43,44] in terms of storage overhead. Although schemes [40,44] use PUF to ensure the security of authentication, it can be seen from Figure 3 to Figure 6 that they have no advantage in terms of computation overhead, communication overhead, sensor node throughput, and storage overhead compared with our scheme, and the computation cost of [42] is three times that of our scheme. Moreover, the computation overhead and communication overhead of [43] are almost 2.5 times greater than those of our scheme, and their storage overhead is 2 times greater than that of our scheme. In addition, as can be seen from Table 2, scheme [40] fails to avoid a smartcard loss attack and user impersonation attack. Both scheme [42] and scheme [43] cannot provide user anonymity and sensor node anonymity, which makes it difficult for them to protect user privacy and the sensor does face some potential attacks; thus, these schemes cannot fully meet the security requirements of a DWSN. In summary, our scheme is more efficient than most of the related schemes while satisfying comprehensive security requirements. Compared with other related protocols, our protocol can achieve a better trade-off between performance and security, so it is more suitable for deployment in the WSN application environment.

6. Conclusions

In this study, we suggest an anonymous authentication scheme with PUF and Chebyshev chaotic mapping for a DWSN to resist some security defects, especially the easily overlooked physical impersonation attack, and we use BAN logic to prove the security of the protocol. In addition, our protocol is compared with related protocols in five aspects, security features, computation overhead, communication overhead, sensor throughput, and storage overhead. The results show that, although our protocol is not the most efficient compared with the competitive schemes, it can fulfill the security requirements that are needed for DWSN circumstances. Consequently, our protocol is more suitable for actual deployment than the related schemes. The countermeasure we took to eliminate the security defects is suitable for addressing the security weaknesses in similar authentication protocols, and this countermeasure can also be used as a reference for designing new protocols in the future.

In future work, we plan to use a more advanced public key algorithm to reduce the runtime of the public key operation and to improve the performance of this protocol. In addition, we will build an environment suitable for conducting DWSN experiments, such as connecting dedicated wireless sensors to actual hardware, such as Arduino or Raspberry Pi, for testing or using simulation software NS-3 3.40 to simulate network behavior, simulate various attack scenarios (such as node capture attack, replay attacks, etc.), verify the security of the protocol, and measure indicators such as computation overhead, communication overhead, and energy consumption for performance evaluation.