A secure and privacy-preserving authentication protocol for wireless sensor networks in smart city

A smart city can improve the efficiency of managing assets and resources, optimize urban services and improve citizens' quality of life. Wireless sensor networks (WSNs) address many problems in a smart city, such as smart transportation, smart healthcare and smart energy. However, security and privacy are the biggest challenges for WSNs. Recently, Banerjee et al. proposed a security-enhanced authentication and key agreement scheme for WSNs, but their scheme cannot resist the offline password guessing attack and the impersonation attack, and it does not achieve session key secrecy, identity unlinkability or perfect forward secrecy. To fix these flaws, a secure and privacy-preserving authentication protocol for WSNs in smart cities is proposed. We verify the security of the proposed protocol with ProVerif, a formal verification tool based on the applied pi calculus, and show by comparison with related schemes that it has high computational efficiency.

In 2004, Watro et al. [9] proposed an authentication protocol for wireless sensor networks based on public key encryption. To strengthen its security, Das [10] proposed a two-factor authentication protocol using a password and a smart card. Khan and Alghathbar [11] proposed a protocol with better performance than Das's, but the password update phase of their scheme is faulty. Later, Yeh et al. [12] proposed a mutual authentication scheme based on the elliptic curve cryptosystem, but it has a higher computation cost. Xue et al. [13] proposed a temporal-credential-based protocol for WSNs; however, their scheme cannot resist several attacks, such as the stolen smart card attack and the impersonation attack. Later, Gope et al. [14] proposed a lightweight two-factor protocol for WSNs, but Luo et al. [15] pointed out several drawbacks of that protocol and proposed an improved scheme, which is nevertheless still insecure. Recently, Turkanović et al. [16] proposed an authentication and key agreement scheme for wireless sensor networks, but Banerjee et al. [17] found that Turkanović et al.'s scheme cannot resist the identity theft attack and the eavesdropping attack, and proposed an improved scheme based on biometrics and a smart card.
Banerjee et al. [17] claimed that their scheme resists various attacks. However, in this paper we find that their scheme has several weaknesses: it cannot resist the offline password guessing attack and the impersonation attack, and it does not achieve session key secrecy, identity unlinkability or perfect forward secrecy. Therefore, we propose a new scheme that overcomes the weaknesses of Banerjee et al.'s scheme.
The rest of the paper is structured as follows: Sections 2 and 3 introduce the methods and preliminaries. Sections 4 and 5 review Banerjee et al.'s scheme and present the attacks on it. The proposed scheme, its security analysis, and the results and discussion are given in Sects. 6, 7 and 8. Section 9 concludes the paper.

Methods
The authentication model for WSNs consists of users, sensor nodes and gateway nodes. Sensor nodes collect data from their environment, and users access and receive data from sensor nodes. Gateway nodes are responsible for the authentication between users and sensor nodes. To prevent unauthorized users from accessing data stored in sensor nodes, a user and a sensor node must authenticate each other with the help of the gateway node before the user accesses the sensor node, and they must establish a session key to encrypt the data transmitted between them.
The threat assumptions of this model are as follows [18]:
• The adversary can be a user: any registered user can act as an adversary.
• The adversary can intercept or eavesdrop on all messages sent over the public channel, and thereby capture any message exchanged between a user and the gateway or a sensor node.
• The adversary can eavesdrop on, intercept, modify or delete transmitted messages.
• The adversary can obtain all information stored in a user's smart card by a side-channel attack [19].
• An external adversary can also register, log in and receive his own smart card.
According to the above threat assumptions, the proposed protocol for WSNs should meet the following security and privacy criteria:
• Mutual authentication and key agreement: the user and the sensor node authenticate each other with the help of the gateway node and establish a session key.
• Anonymity and unlinkability: the protocol protects the user's real identity, and the adversary cannot trace the user's activities across sessions.
• Password friendly: the user can update and change his/her password freely.
• No password guessing attacks: the protocol protects the user's password from guessing and gives the adversary no way to verify whether a guessed password is correct.
• No smart card stolen/lost attacks: even if the smart card is lost or stolen and the adversary obtains all information stored in it, the adversary cannot attack the protocol successfully.
• Perfect forward secrecy: even if an adversary compromises the long-term secret keys, he or she still cannot compute previously established session keys.
• Known session key security: even if an adversary learns one session key, the other session keys remain secure.
• No replay attack: the adversary cannot attack the protocol successfully by replaying transmitted messages.
• No other known attacks: the protocol resists known attacks such as forgery attacks, impersonation attacks and man-in-the-middle attacks.

Preliminaries
In this section, we introduce the elliptic curve cryptosystem, the fuzzy extractor and some notations, which will be used in our protocol.

Elliptic curve cryptosystem
The elliptic curve cryptosystem (ECC), introduced independently by Miller [20] and Koblitz [21], is widely used to design password-based authentication protocols. ECC uses the following formula: The above equation defines an elliptic curve over F_p. The following conditions must be met in order to ensure security: We choose a base point P on the curve over F_p; then xP = P + P + ··· + P (x times) is scalar multiplication, and xyP is the Diffie-Hellman value based on ECC.

Fuzzy extractor
Biometric data are hard to lose and hard to steal, so many protocols use the user's biometric as an authentication factor. Each reading of a biometric differs slightly from the previous one; a fuzzy extractor corrects this difference. The fuzzy extractor consists of two procedures (Gen, Rep) [22,23]: where B is the biometric and B* is close to B. For each biometric B, Gen outputs a key α ∈ {0, 1}^k and a public helper string β ∈ {0, 1}*. For each reading B* close to B, Rep recovers the key α with the help of β.
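The following is an added example (not code from the paper) of a code-offset fuzzy extractor that behaves as (Gen, Rep) above: Gen hides a random key inside the biometric and publishes only the helper data β, and Rep recovers the same α from a noisy reading B* as long as the noise stays within the error budget of the code. It assumes a bit-string biometric, an R-fold repetition code as the error-correcting code, and SHA-256 as the extractor that turns the corrected bits into α; the sample template is constructed.

```python
"""Added example, not from the paper: a code-offset fuzzy extractor (Gen, Rep).
Assumed: the biometric B is a bit string, the error-correcting code is an R-fold
repetition code, and alpha is derived from the corrected key bits with SHA-256."""
import hashlib
import secrets

R = 3                                  # each key bit is repeated R times, so Rep corrects
                                       # up to (R - 1) // 2 flipped bits per R-bit block

def _majority(block):
    return 1 if 2 * sum(block) > len(block) else 0

def _encode(key_bits):                 # key bits -> repetition codeword c
    return [bit for bit in key_bits for _ in range(R)]

def _decode(codeword):                 # noisy codeword -> key bits, block by block
    return [_majority(codeword[i:i + R]) for i in range(0, len(codeword), R)]

def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def _extract(key_bits):                # strong-extractor stand-in: hash the corrected bits
    return hashlib.sha256(bytes(key_bits)).hexdigest()

def gen(bio_bits):
    """Gen(B) -> (alpha, beta): alpha is the key, beta the public helper data."""
    if len(bio_bits) % R:
        raise ValueError("biometric length must be a multiple of R")
    key_bits = [secrets.randbits(1) for _ in range(len(bio_bits) // R)]
    beta = _xor(bio_bits, _encode(key_bits))          # code-offset sketch: beta = B xor c
    return _extract(key_bits), beta

def rep(bio_bits_star, beta):
    """Rep(B*, beta) -> alpha, if B* differs from B by at most (R-1)//2 bits per block."""
    return _extract(_decode(_xor(bio_bits_star, beta)))   # B* xor beta = c xor (B xor B*)

def flip(bits, positions):             # constructed noisy reading: flip the given positions
    return [bit ^ (i in positions) for i, bit in enumerate(bits)]

# constructed 24-bit "biometric" template (8 key bits with R = 3)
BIO = [int(c) for c in "011010110010111001010011"]
```

With R = 3 a single flipped bit in any 3-bit block is corrected, two flips in the same block decode to a wrong key bit and hence a different α, and β alone reveals nothing about α beyond what the code leaks (which is why real deployments use stronger codes and a proper randomness extractor).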

Notations
The notations used in the paper are shown in Table 1.

Brief review of Banerjee et al.'s scheme
Banerjee et al.'s scheme [17] has six phases: pre-deployment, registration, login, authentication and key agreement, password change and dynamic node addition. We omit the last two phases.

Pre-deployment
In this phase, the administrator uses the setup server to establish the environment. The setup server chooses identity SID j for each sensor node S j and provides a key GWNPS j shared with the gateway node GWN . The GWN is also provided with a secret key S g and stores {SID j , GWNPS j , S g }.

User registration phase
The user U i chooses his identity UID i , password UPWD i and a random number r i and then calculates MID i = h(UID i ||r i ) and MPWD i = h(UPWD i ||r i ) . U i sends {MID i , MPWD i } to the gateway node GWN through secure channel. After receiving {MID i , MPWD i } , GWN selects secret key GWNPU i and calculates MXIP i = h(MID i ||MPWD i ) ⊕ GWNPU i and X i = h(MID i ||S g ) , and stores {MXIP i , X i , h()} into the smart card USC and issues it to U i securely.
After receiving USC ,

Sensors registration phase
The sensor node S j chooses a random number r j . S j calculates MX j = h(SID j ||r j ||GWNPS j ) and MY j = r j ⊕ GWNPS j . S j sends {SID j , MX j , MY j } to GWN through secure channel.
After receiving {SID_j, MX_j, MY_j}, GWN calculates r_j = MY_j ⊕ GWNPS_j and verifies MX_j = h(SID_j||r_j||GWNPS_j). GWN then calculates P_j = h(MX_j||S_g), stores P_j securely in its memory and issues P_j to S_j, which also stores it securely.

Login phase
The user U i inputs UID i , UPWD i and BIO i . USC calculates If not, the user U i re-does it. Otherwise, the smart card USC chooses a random number r 1 and calculates M 1 = h(X i ||GWNPU i ||r 1 ) and

Authentication and key agreement phase
After receiving {MID_i, M_1, M_2}, S_j chooses a random number r_2 and calculates . If both are equal, the GWN authenticates the user U_i and the sensor node S_j. The GWN chooses a random number r_3 and calculates . If it is equal, S_j authenticates the GWN and then calculates the session key and then verifies M_9 ?= h(r_1||r*_2). If they are equal, U_i authenticates S_j and then calculates the session key SK = h(X_i||P_j||r*_3||r*_2||r_1).

Security flaws of Banerjee et al.'s scheme
Though Banerjee et al. claimed that their scheme can resist various attacks, in this section, we show that their scheme has some security flaws.

Identity linkability
In Banerjee et al.'s scheme, MID_i = h(UID_i||r_i) is transmitted over the public channel and is unchanged in every session, so the scheme suffers from user identity linkability. Further, the adversary may recover the user's real identity from the user's behaviour, i.e., the user's anonymity may be broken.

Offline password guessing attacks
If an adversary can obtain or not. If yes, the guessed password is correct. Otherwise, the adversary does it again till to find the correct password.
This attack may succeed because the user's identity UID_i is often easy to learn (e.g., by an insider such as the user's colleague) or is publicly available, and the password dictionary is small. Even if the adversary has to guess UID_i and UPWD_i simultaneously, the time complexity of the above procedure is O(|D_id| · |D_pw| · T_h), where T_h is the running time of one hash operation, so the correct identity and password can be found quickly [24].
If an adversary obtains the user's password by the offline password guessing attack, then he learns GWNPU_i and X_i and can launch an impersonation attack.

No perfect forward secrecy
Because the session key is SK = h(X i ||P j ||r 3 ||r 2 ||r 1 ) , if an adversary can obtain the secret key S g of GWN , then he can compute That is, the adversary can compute the session key, since he can get {MID i , M 2 , P 1 , M 7 , M 8 } from public channels.

No session key secrecy
If a legal user U_l has passed the authentication of the sensor node S_j, then U_l knows P_j. Afterwards, when another user U_i wants to authenticate to the sensor node S_j, U_l can obtain the authentication messages and therefore compute the session key SK = h(X_i||P_j||r_3||r_2||r_1) shared between U_i and S_j.

Impersonation attack
If a legal user U_l has passed the authentication of the sensor node S_j and obtained P_j, then he can impersonate S_j. When another user U_i wants to log in to the sensor node S_j, U_l sends to GWN. When GWN responds with the message {M_5, M_6, P_1, P_2}, U_l intercepts it, chooses a random number r′_3 and computes r* Obviously, U_l can compute the session key SK and pass the correctness check. However, U_i then shares the session key SK with U_l rather than with the sensor node S_j.

Proposed scheme
There are three entities of our proposed scheme: the user U i , the sensor node S j and the gateway node GWN . The user and the sensor node can authenticate each other and establish a session key with the help of the gateway node. Our protocol has four phases: initialization phase, registration phase, authentication and key agreement phase and password change phase.

Initialization phase
The administrator provides an identity SID_j and a secret key GWNPS_j (shared with GWN) for each sensor node S_j, chooses a large prime p and an additive cyclic group G1 with generator P ∈ G1, picks the GWN's long-term secret key S_g ∈ Z_p and computes the GWN's public key PK_g = S_g P.

Registration phase
The registration phase is run over the secure channel as shown in Algorithm 1. The user U_i first chooses its identity UID_i and password UPWD_i and sends {UID_i} to GWN. After receiving {UID_i}, GWN calculates X_i = h(UID_i||S_g), enters {X_i} into the smart card and sends it to U_i over the secure channel.
U_i imprints the biometric BIO_i and calculates (α, β) = Gen(BIO_i),
Algorithm 1: User-gateway registration phase

Authentication and key agreement phase
The user, the sensor and the gateway authenticate with each other, and the user and the sensor negotiate session key as shown in Algorithm 2.
Step 1 U_i inserts the smart card and inputs identity UID_i, password UPWD_i and biometric BIO_i. The smart card USC calculates α = Rep(BIO_i, β) and verifies whether V_1 ?= h(UID_i||UPWD_i||α). If not, the user re-enters them. Otherwise, USC chooses a random number a and calculates the user's temporary identity PID_i = UID_i ⊕ h(T_g), where T_u = aP and T_g = a PK_g, and M_1 = h(UID_i||X_i||T_u||T_g||T_1), where T_1 is the current timestamp, and sends {PID_i, SID_j, M_1, T_u, T_1} to GWN.
Step 2 After receiving {PID_i, SID_j, M_1, T_u, T_1}, GWN checks the validity of T_1 and SID_j and forwards {SID_j} to the sensor node S_j.
Step 3 After receiving {SID_j}, S_j chooses a random number b and calculates T_s = bP, M_2 = T_s ⊕ h(GWNPS_j||T_2) and M_3 = h(SID_j||GWNPS_j||T_s||T_2), where T_2 is the current timestamp, and sends {M_2, M_3, T_2} to GWN.
Step 4 After receiving the authentication message, GWN first verifies the timestamp T_2. If T − T_2 ≤ ΔT does not hold, where T is the current timestamp and ΔT is the maximum allowed transmission delay, GWN refuses the authentication request. Otherwise, GWN calculates UID_i = PID_i ⊕ h(S_g T_u), X_i = h(UID_i||S_g) and verifies M_1 ?= h(UID_i||X_i||T_u||T_g||T_1) with T_g = S_g T_u. If the result is false, GWN terminates the protocol. Otherwise, GWN authenticates the user successfully. After that, GWN calculates T_s = M_2 ⊕ h(GWNPS_j||T_2) and verifies M_3 ?= h(SID_j||GWNPS_j||T_s||T_2). If the result is false, GWN also terminates the protocol. Otherwise, GWN authenticates the sensor node S_j successfully. Then, GWN computes M_4 = E_{GWNPS_j}(T_u, UID_i, SID_j, T_3) and M_6 = E_{X_i}(T_s, UID_i, SID_j, T_3) and calculates M_5 = h(GWNPS_j||T_u||UID_i||SID_j||T_3) and M_7 = h(X_i||T_s||SID_j||UID_i||T_3), where T_3 is the current timestamp. GWN sends {M_4, M_5, T_3} to S_j and {M_6, M_7, T_3} to U_i.
Step 5 After receiving the message {M_4, M_5, T_3}, S_j first verifies T_3. If T′ − T_3 ≤ ΔT does not hold, where T′ is the current timestamp, S_j terminates the protocol. Otherwise, S_j computes (T_u, UID_i, SID_j, T_3) = D_{GWNPS_j}(M_4) and verifies M_5 ?= h(GWNPS_j||T_u||UID_i||SID_j||T_3). If they are equal, S_j authenticates GWN successfully and calculates the session key SK = h(bT_u||UID_i||SID_j||T_3). Likewise, after receiving {M_6, M_7, T_3}, U_i verifies the freshness of T_3, computes (T_s, UID_i, SID_j, T_3) = D_{X_i}(M_6) and verifies M_7 ?= h(X_i||T_s||SID_j||UID_i||T_3). If the result is false, U_i also terminates the protocol. Otherwise, U_i authenticates GWN successfully and calculates the session key SK = h(aT_s||UID_i||SID_j||T_3).
Step 6 After receiving {V_s, T_4} and {V_u, T_5}, U_i and S_j verify the freshness of T_4 and T_5 and the correctness of V_s and V_u, respectively. After successful verification, U_i and S_j share the session key SK.
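The following added example (not the paper's code or Algorithm 2) runs Steps 1 to 6 end to end in Python, with all three parties in one function so that every message and every check can be read in order. The paper fixes neither the curve nor the encodings, so the example assumes secp256k1 for G1, SHA-256 for h(), a canonical byte encoding of points, integers and identities, a SHA-256 counter keystream standing in for E_k/D_k (its contents are authenticated by M_5 and M_7 anyway), and V_s = h(SK||T_4), V_u = h(SK||T_5) for the Step 6 confirmation values, which the paper names but does not define. The `tamper_m1` flag lets you see GWN reject a modified M_1 in Step 4.

```python
"""Added example, not the paper's code: one run of Steps 1-6 over secp256k1 with
SHA-256 as h(). Assumed (the paper does not fix them): the curve, byte encodings,
a SHA-256 counter keystream in place of E_k/D_k, and V_s = h(SK||T_4), V_u = h(SK||T_5)."""
import hashlib, secrets, time

P_MOD = 2**256 - 2**32 - 977          # secp256k1 field prime (assumed curve)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DELTA = 5                             # allowed clock skew for timestamps (seconds)

def ec_add(p, q):
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                   # point at infinity
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, p):                     # double-and-add: kP = P + ... + P (k times)
    r = None
    while k:
        if k & 1: r = ec_add(r, p)
        p, k = ec_add(p, p), k >> 1
    return r

def enc(v):                           # canonical bytes: point 64, int 32, str utf-8
    if isinstance(v, tuple): return v[0].to_bytes(32, "big") + v[1].to_bytes(32, "big")
    if isinstance(v, int): return v.to_bytes(32, "big")
    return v.encode() if isinstance(v, str) else v

def dec_point(b):
    return int.from_bytes(b[:32], "big"), int.from_bytes(b[32:64], "big")

def h(*parts):
    return hashlib.sha256(b"|".join(enc(p) for p in parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, nonce, data):              # E_k/D_k stand-in: XOR with a SHA-256 counter keystream
    return xor(data, b"".join(h(key, nonce, i) for i in range((len(data) + 31) // 32)))

def pack(point, uid, sid, ts):        # plaintext layout of M_4 / M_6
    return enc(point) + enc(ts) + uid.encode() + b"|" + sid.encode()

def unpack(blob):
    uid, sid = blob[96:].decode().split("|")
    return dec_point(blob), uid, sid, int.from_bytes(blob[64:96], "big")

def run_protocol(uid="alice", sid="S7", tamper_m1=False):
    """Returns (SK at U_i, SK at S_j), or None as soon as a party rejects."""
    now = int(time.time())
    fresh = lambda ts: abs(now - ts) <= DELTA
    S_g = secrets.randbelow(N - 1) + 1                  # initialization: GWN long-term key
    PK_g = ec_mul(S_g, G)
    GWNPS = {sid: secrets.token_bytes(32)}              # per-sensor key shared with GWN
    X_i = h(uid, S_g)                                   # registration: X_i on the smart card
    # Step 1 (U_i): T_u = aP, T_g = a.PK_g, PID_i = UID_i xor h(T_g), M_1
    a = secrets.randbelow(N - 1) + 1
    T_u, T_g, T_1 = ec_mul(a, G), ec_mul(a, PK_g), now
    PID = xor(uid.encode().ljust(32, b"\0"), h(T_g))
    M1 = h(uid, X_i, T_u, T_g, T_1)
    if tamper_m1: M1 = xor(M1, b"\x01" + b"\0" * 31)   # adversary flips one bit of M_1
    # Step 2 (GWN): T_1 fresh and SID_j registered, then forward SID_j to S_j
    if not fresh(T_1) or sid not in GWNPS: return None
    # Step 3 (S_j): T_s = bP masked under GWNPS_j and T_2 (64-byte mask), plus M_3
    b = secrets.randbelow(N - 1) + 1
    T_s, T_2 = ec_mul(b, G), now
    M2, M3 = E(GWNPS[sid], T_2, enc(T_s)), h(sid, GWNPS[sid], T_s, T_2)
    # Step 4 (GWN): T_2 fresh, recover UID_i from PID_i, check M_1, unmask T_s, check M_3
    if not fresh(T_2): return None
    Tg = ec_mul(S_g, T_u)                               # S_g.T_u == a.PK_g
    uid_g = xor(PID, h(Tg)).rstrip(b"\0").decode()
    X_g = h(uid_g, S_g)
    if M1 != h(uid_g, X_g, T_u, Tg, T_1): return None   # user authentication fails
    Ts_g = dec_point(E(GWNPS[sid], T_2, M2))
    if M3 != h(sid, GWNPS[sid], Ts_g, T_2): return None  # sensor authentication fails
    T_3 = now
    M4 = E(GWNPS[sid], T_3, pack(T_u, uid_g, sid, T_3))
    M5 = h(GWNPS[sid], T_u, uid_g, sid, T_3)
    M6 = E(X_g, T_3, pack(Ts_g, uid_g, sid, T_3))
    M7 = h(X_g, Ts_g, sid, uid_g, T_3)
    # Step 5 (S_j): T_3 fresh, decrypt M_4, check M_5, SK = h(b.T_u || UID_i || SID_j || T_3)
    if not fresh(T_3): return None
    Tu_s, uid_s, sid_s, t3_s = unpack(E(GWNPS[sid], T_3, M4))
    if M5 != h(GWNPS[sid], Tu_s, uid_s, sid_s, t3_s): return None
    SK_s = h(ec_mul(b, Tu_s), uid_s, sid_s, t3_s)
    # Step 5 (U_i): decrypt M_6, check M_7, SK = h(a.T_s || UID_i || SID_j || T_3)
    Ts_u, uid_u, sid_u, t3_u = unpack(E(X_i, T_3, M6))
    if M7 != h(X_i, Ts_u, sid_u, uid_u, t3_u): return None
    SK_u = h(ec_mul(a, Ts_u), uid_u, sid_u, t3_u)
    # Step 6: V_s = h(SK||T_4) from S_j checked by U_i, V_u symmetric (assumed formulas)
    if h(SK_s, now) != h(SK_u, now) or h(SK_u, now) != h(SK_s, now): return None
    return SK_u, SK_s
```

Both sides end with the same 32-byte SK, two runs never share one (a and b are fresh), and a single flipped bit in M_1 makes GWN stop in Step 4 before anything is sent to the sensor. A real deployment would replace the keystream stand-in with an AEAD and use a reviewed ECC library rather than affine arithmetic in Python.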

Password change phase
If the user wants to change or update his password, U_i inserts USC into the card reader and inputs identity UID_i, the old password UPWD_i^old and biometric BIO_i. The smart card calculates α = Rep(BIO_i, β) and verifies V = h(UID_i||UPWD_i^old||α). If the result is false, the smart card does not recognize him as a legitimate user. Otherwise, the user inputs the new password UPWD_i^new, and the smart card calculates V^new = h(UID_i||UPWD_i^new||α) and replaces V with V^new.

Security analysis
In this section, we analyze the security of the proposed protocol by formal and informal security analysis.
In the ProVerif model, the protocol must also keep the session keys (SKus and SKsu) secret from the attacker. The corresponding queries are: query attacker(SKsu). query attacker(SKus).

Anonymity and unlinkability
In our scheme, the user's real identity is contained in the parameters <PID_i, M_4, M_5, M_6, M_7>. PID_i is protected by the Diffie-Hellman problem, M_4 and M_6 are encrypted with GWNPS_j and X_i, respectively, and the remaining parameters <M_5, M_7> are protected by the hash function. So the adversary cannot learn the user's real identity, and our scheme provides anonymity. PID_i changes in each session because of the random number a and the Diffie-Hellman value, so our scheme also provides unlinkability.

Offline password guessing attacks
Assume that an adversary obtains the parameters {Y_i, Rep(), V_1, β} stored in the smart card and all messages transmitted over the public channels; he still cannot verify a guessed password, because the password is protected by the biometric and the hash function in V_1 and the adversary cannot evaluate V_1 without α. Conversely, assume that an adversary knows the legal user's password and all messages transmitted over the public channel but not the parameters stored in the smart card; the adversary still cannot log in, because he cannot obtain the biometric. So our scheme resists offline password guessing attacks.
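The following added example (not from the paper) makes the two points above concrete: the enumeration cost O(|D_id| · |D_pw| · T_h) of the offline guessing attack from Sect. 5, and why a verifier of the form V_1 = h(UID_i||UPWD_i||α) gives the holder of a stolen card no oracle to test guesses against. The dictionaries, the value of α, and the weak card verifier h(UID||UPWD) used for contrast are all constructed for the example.

```python
"""Added example, not from the paper: the dictionary-enumeration cost of the offline
guessing attack of Sect. 5, and why V_1 = h(UID_i||UPWD_i||alpha) blocks it. The
dictionaries, alpha and the weak card verifier h(UID||UPWD) are constructed."""
import hashlib

def h(*parts):
    return hashlib.sha256(b"|".join(p.encode() if isinstance(p, str) else p
                                    for p in parts)).digest()

# constructed dictionaries D_id and D_pw (real ones hold around 10^6 entries each [24])
D_ID = ["alice", "bob", "carol", "u1023"]
D_PW = ["123456", "password", "letmein", "s3cr3t!", "qwerty"]

def guess(target, verify, d_id=D_ID, d_pw=D_PW):
    """Enumerate D_id x D_pw against a card-stored verifier.
    Returns (uid, pw, hashes_tried); (None, None, |D_id|*|D_pw|) if nothing matched."""
    tries = 0
    for uid in d_id:
        for pw in d_pw:
            tries += 1                     # one T_h per candidate pair
            if verify(uid, pw) == target:
                return uid, pw, tries
    return None, None, tries

def weak_verifier(uid, pw):
    # a verifier computable from UID and UPWD alone: the stolen card is a guessing oracle
    return h(uid, pw)

def v1(uid, pw, alpha):
    # the proposed scheme's V_1: alpha = Rep(BIO_i, beta) is needed to evaluate it
    return h(uid, pw, alpha)

def attack_weak(uid, pw):
    return guess(weak_verifier(uid, pw), weak_verifier)

def attack_v1(uid, pw, alpha, adversary_alpha):
    """adversary_alpha is the attacker's value for alpha (wrong unless BIO_i leaked)."""
    return guess(v1(uid, pw, alpha), lambda u, p: v1(u, p, adversary_alpha))
```

Against the weak verifier the attacker finds "carol"/"letmein" after 13 hashes, i.e. well within the |D_id| · |D_pw| = 20 bound; against V_1 with a wrong α every one of the 20 candidates fails, and only a leaked biometric (correct α) turns V_1 back into an oracle, which is exactly why the card must never store α.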

Replay attack
There are two common ways to prevent replay attacks: timestamps and random numbers (nonces). Our scheme uses timestamps: the timestamps differ in every session, and each entity checks their freshness before processing a message.

Impersonation attack and man-in-the-middle attack
In our scheme, the gateway node authenticates the user by the parameter M_1, and the user authenticates the gateway node by the parameter M_7. To impersonate a legal user, an adversary must know the parameters <T_u, X_i, T_s>, where X_i is pre-shared with the gateway node; however, X_i is contained in Y_i, which is stored securely in the smart card. Similarly, an adversary cannot impersonate the sensor node without GWNPS_j. If an adversary captures a sensor node, he does not learn the key parameters of any other party, so he cannot impersonate other sensor nodes or the user. Therefore, our scheme resists the impersonation attack, and the man-in-the-middle attack also fails.

Perfect forward secrecy
Assume that an adversary knows the user's password UPWD_i and the sensor node's secret key GWNPS_j. Since the session key is SK = h(abP||UID_i||SID_j||T_3), where a and b are fresh in every session and never transmitted, the adversary cannot compute abP from T_u = aP and T_s = bP because of the elliptic curve Diffie-Hellman problem (ECDHP). So he cannot compute the session key.

Known session key security
In our scheme, the adversary cannot compute the session key because of the ECDHP, and the session key differs in each session because of the two random numbers a and b. So, even if the adversary learns one session key, he cannot derive previous or future session keys.

Sensors capture attack
If an adversary captures a sensor node S_j, he obtains the secret key GWNPS_j shared with GWN. However, each sensor node has a different secret key shared with GWN, so the adversary cannot impersonate another sensor node to GWN. Moreover, even with GWNPS_j of S_j, he cannot learn the user's X_i = h(UID_i||S_g) from a session run. Therefore, the proposed scheme remains secure even if a sensor node is captured.
T_m denotes the time of a point multiplication in ECC, T_Rep the running time of Rep, which is taken to be equal to T_m [29], T_s the time of a symmetric encryption or decryption, T_h the time of a hash operation, and T the time for searching an identity in the verification table, which grows with the number of users. The running times are shown in Table 6 [30].
As Tables 7 and 8 show, the proposed scheme achieves both security and computational efficiency.

Conclusions
In this paper, we have shown that the recently proposed protocol of Banerjee et al. cannot resist the offline password guessing attack and the impersonation attack, and does not achieve session key secrecy, identity unlinkability or perfect forward secrecy. We then proposed a secure and privacy-preserving protocol that fixes these flaws. The formal security proof and the performance comparison with related schemes show that our protocol achieves both security and computational efficiency and is suitable for the smart city. In the future, we will design further secure authentication protocols for smart city applications such as smart transportation and smart healthcare.