A Temporal Credential-Based Mutual Authentication with Multiple-Password Scheme for Wireless Sensor Networks

Wireless sensor networks (WSNs), which consist of a large number of sensor nodes, have become among the most important technologies in numerous fields, such as environmental monitoring, military surveillance, control systems in nuclear reactors, vehicle safety systems, and medical monitoring. The most serious drawback for the widespread application of WSNs is the lack of security. Given the resource limitation of WSNs, traditional security schemes are unsuitable. Approaches toward withstanding related attacks with small overhead have thus recently been studied by many researchers. Numerous studies have focused on the authentication scheme for WSNs, but most of these works cannot achieve the security performance and overhead perfectly. Nam et al. proposed a two-factor authentication scheme with lightweight sensor computation for WSNs. In this paper, we review this scheme, emphasize its drawbacks, and propose a temporal credential-based mutual authentication with a multiple-password scheme for WSNs. Our scheme uses multiple passwords to achieve three-factor security performance and generate a session key between user and sensor nodes. The security analysis phase shows that our scheme can withstand related attacks, including a lost password threat, and the comparison phase shows that our scheme involves a relatively small overhead. In the comparison of the overhead phase, the result indicates that more than 95% of the overhead is composed of communication and not computation overhead. Therefore, the result motivates us to pay further attention to communication overhead than computation overhead in future research.


Introduction
With the development of microelectronic, computer, and wireless communication techniques, multifunctional sensor nodes with small consumption have rapidly developed [1]. As a result, the Internet of Things has become increasingly popular. Wireless sensor networks (WSNs), which consist of a large number of sensor nodes (SNs), are widely used in various application fields, such as environmental monitoring, military surveillance, nuclear-reactor control systems, vehicle safety systems, and medical monitoring [2,3]. Although WSNs perform important functions in numerous application fields, the drawbacks of the network are evident. First, scheme. Through their analysis, the team found that Xue et al.'s scheme is vulnerable to offline password guessing, user impersonation, and modification attacks. Thereafter, He et al. proposed a temporal credential authentication with pseudo identity for WSNs. The scheme proposed by Khan and Alghathbar [22] indicated that M. L. Das's scheme cannot withstand bypassing attacks and is vulnerable to privileged insider attacks. Sun et al. [23] concluded that Khan and Alghathbar's scheme is vulnerable to GW impersonation and other related attacks. Sun et al. proposed a scheme to improve the weakness of Khan and Alghathbar's scheme and determined that their scheme had low overhead cost.
Key establishment is the central problem in authentication schemes [24]. Diffie and Hellman proposed the revolutionary introduction of the key establishment protocol [25] and Bellare and Rogaway proposed a model of authentication and key distribution that is widely accepted [26][27][28]. Choo et al. discovered that all secure key distribution protocols should use partnering definitions based on session identifiers [29] and that session identifiers should also be included within the protocol specification [30]; the secure protocols should construct the session keys using the identities of participants, unique session identifiers and ephemeral/long-term shared secrets [31]; and any entity authentication and key establishment protocol should provide rigorous proof of security based on their meticulous research [32]. They also carefully researched the subtle differences between the well-known models and contributed a better understanding of proof models for key establishment protocols [33]. Based on the careful study, Choo and Hitchcock proposed that the proof models allow different options for the key-sharing requirement in formulation [34]. Numerous researchers have worked on fulfilling this requirement, so listing these works in our paper is unnecessary.

Our Contribution
In this paper, we propose a temporal credential-based mutual authentication with a multiple-password scheme for WSNs. Comparison with other related works shows that our proposed scheme exhibits improved security performance with low overhead. The major contributions are described as follows.

Notations in This Paper
The notations used in this paper are described as follows.

Review of Nam et al.'s Scheme
In this section, we review Nam et al.'s scheme in detail. The scheme consists of three phases: the registration phase, the login phase, and the authentication and key exchange phase [14]. Nam et al.'s scheme stores an elliptic curve group $G$ with generator $P$ of prime order $q$; a MAC function $\Sigma = (\mathrm{Mac}, \mathrm{Ver})$ [40,41]; symmetric encryption and decryption functions $\Delta = (\mathrm{Enc}, \mathrm{Dec})$; and three hash functions, $H$, $J$, and $I$, in each entity (we use only $H$ to represent the hash function in this paper). After finishing these tasks, GW selects two random numbers, $y \in \mathbb{Z}_q^*$ and $z \in \{0,1\}^k$, computes $Y = yP$ as the public key, and shares the secret key $k_{GS} = h(ID_{SN} \parallel z)$ with SN.

Registration phase
A user U registers his identity $ID_U$ and password $PW_U$ through the following steps.
1. A user U registers the identity $ID_U$ and password $PW_U$ and submits $ID_U$ to the GW.
2. GW computes $EID_U = \mathrm{Enc}_z(ID_U \parallel ID_{GW})$ with the key $z$ and sends $\{EID_U, Y, ID_{GW}, G, P, \Sigma, \Delta, H\}$ to U. U stores these messages in the SC.
3. U computes $XEID_U = EID_U \oplus h(ID_U \parallel PW_U)$ to replace $EID_U$.

Login, authentication, and key exchange phase
In these phases, U, GW, and SN authenticate each other through the following steps, and the session key SK is generated. The details of these phases are described as follows:
1. U inserts his SC and inputs the identity $ID_U$ and password $PW_U$. Then, SC retrieves the current timestamp $T_U$ and gets two random numbers $x \in \mathbb{Z}_q^*$, $k_{US} \in \{0,1\}^k$. SC performs a series of calculations as follows. $K_{UG} = xY$, $X = xP$, $k_{UG}$ Finally, U sends $(T_U, ID_{SN}, X, C_U, \sigma_U)$ to GW.
2. Upon receiving these messages, GW checks the freshness of $T_U$. If $T_U$ is not fresh, GW discards the session. Otherwise, GW checks whether $\mathrm{Ver}_{k_{UG}}(ID_{GW} \parallel ID_{SN} \parallel T_U \parallel C_U, \sigma_U)$ is equal to 1, where $k_{UG} = h(T_U \parallel X \parallel Y \parallel K_{UG})$ and $K_{UG} = yX$. If it is not equal, GW discards the session. Otherwise, GW uses the key $k_{UG}$ to decrypt $C_U$ to get $ID_U$ and $EID_U$. GW uses the key $z$ to decrypt $EID_U$ to get $ID'_U$. Then, GW checks whether $ID_U$ is equal to $ID'_U$. If they are equal, where $T_{GW}$ is the current TS. Finally, GW sends $(ID_{GW}, T_{GW}, T_U, C_{GW}, \sigma_{GW})$ to SN.
3. Upon receiving these messages, SN first checks the freshness of $T_{GW}$. If $T_{GW}$ is not fresh, SN aborts the session. Otherwise, SN checks whether $\mathrm{Ver}_{k_{GS}}(ID_{GW} \parallel ID_{SN} \parallel T_{GW} \parallel T_U \parallel C_{GW}, \sigma_{GW})$ is equal to 1.
Then, SC sends $(T_U, C_U, X)$ to the GW.
3. Upon receiving these messages, GW rejects the request if $T_U$ is not fresh. Otherwise, GW computes $k_{UG} = h(T_U \parallel X \parallel Y \parallel K_{UG})$ and $K_{UG} = yX$. Then, GW uses the key $k_{UG}$ to decrypt $C_U$ to get $ID_U$ and $EID_U$. GW decrypts $EID_U$ with the key $z$ to get another $ID'_U$. GW checks whether $ID_U$ is equal to $ID'_U$. If they are equal, GW computes $\rho_{GW} = h(k_{UG} \parallel X \parallel ID_U \parallel ID_{GW})$ and sends $\rho_{GW}$ to SC.
4. SC checks whether $\rho_{GW}$ is equal to $h(k_{UG} \parallel X \parallel ID_U \parallel ID_{GW})$. If they are not equal, SC aborts the session. Otherwise, SC computes $XEID_U = EID_U \oplus h(ID_U \parallel PW'_U)$ and finishes the password update phase.

Security Analysis of Nam et al.'s Scheme
In this section, we comprehensively analyze the security performance of Nam et al.'s scheme. During the analysis, several weaknesses of the scheme were identified. Nam et al.'s scheme ensures user anonymity and uses the elliptical curve computational Diffie-Hellman (ECCDH) protocol and authenticated key exchange (AKE) to fulfill the security function. However, further analysis shows that the scheme is vulnerable to the following threats.

D-DOS attacks
In the authentication and key exchange phase or password update phase of Nam et al.'s scheme, SC and GW need to execute numerous complex computations to verify the identity of U. To fulfill this task, SC and GW have to execute the hash function three times, encryption once, decryption twice, and MAC calculation and Ver calculation twice. Following several studies [3,20,42], we assume that an adversary A would start a D-DOS attack that is launched by persistently inputting a wrong ID U or wrong PW U . According to Nam et al. [14] and the reference basis that is analyzed in this paper, each verification needs approximately 9.5 hash calculations, wasting 0.00304 s and costing 0.073 mJ of WSNs. A would not be suspended until the energy of GW is depleted [42].
Based on the preceding discussion, Nam et al.'s scheme is vulnerable to D-DOS attacks, and adversary A can easily drain the batteries in the login phase.

Online guessing attacks
In the authentication and key exchange phase, we assume that A eavesdrops on the communication channel [43]. A can obtain the secret key $k_{US}$ and compute the SK with an online guessing attack through the following steps:
1. A obtains $T_U$, $ID_{SN}$, and $\rho_{SN}$ by intercepting channels $U \to GW$, $GW \to SN$, and $SN \to U$.
2. A guesses the $k_{US}$ from the dictionary.
3. A verifies whether $h(k_{US} \parallel ID_{SN} \parallel T_U)$ is equal to $\rho_{SN}$. If both numbers are the same, A obtains $k_{US}$. Otherwise, A repeats steps 2 and 3 until the correct $k_{US}$ is guessed.
4. After obtaining $k_{US}$, A computes $SK = h(k_{US} \parallel T_U \parallel ID_{SN})$ to obtain the SK.
According to the preceding discussion, we conclude that A can obtain the secret key $k_{US}$ and compute the SK by online guessing attacks. These findings prove that Nam et al.'s scheme is vulnerable to online guessing attacks.

Lost password threat
Numerous approaches, such as the hit library attack and social engineering [44,45], can be used to obtain user passwords. The lost password threat is currently popular and is a deadly threat to any one-password-based authentication, including WSNs. If the adversary A obtains the commonly used passwords of U by other methods, we can see that the authentication scheme encounters a considerable threat.

Replay attacks
In the authentication and key exchange phase, we assume that an adversary A intercepts the message $\rho_{SN}$. Then, A sends $\rho_{SN}$ to U. As U does not check the freshness of $T$, U cannot realize that A has already obtained the $\rho_{SN}$, therefore proving that Nam et al.'s scheme is vulnerable to replay attacks.

Impersonation attacks
In the authentication and key exchange phase, SN authentication verifies whether the identity of GW is invalid. Furthermore, U does not authenticate the validity of SN. A can start the impersonation attack by forging GW and SN as in the following steps:
1. A intercepts $ID_{GW}$, $T_{GW}$, $T_U$, $C_{GW}$, and $\sigma_{GW}$ from the communication channel $GW \to SN$.
2. A sends $ID_{GW}$, $T_{GW}$, $T_U$, $C_{GW}$, and $\sigma_{GW}$ to SN.
3. A passes the MAC, and A is believed to be the real GW.
According to the preceding discussion, as U does not check the freshness of $T$, we can safely conclude that Nam et al.'s scheme is vulnerable to impersonation attacks. The detailed security analysis is described in Table 1.

Our Proposed Scheme
In this section, we propose a temporal credential-based mutual authentication with multiple-password scheme for WSNs. The temporary SK has many advantages relative to using long-term keys according to Choo's research [46]. Our scheme not only inherits the excellent properties of Nam et al.'s scheme but also improves upon the weaknesses of their scheme. As our scheme uses multiple passwords to replace Tate-pairing computation and the fuzzy extractor function, our scheme can achieve the same security performance with smaller overhead [47].
Unlike Nam et al.'s scheme, our proposed scheme consists of five phases: registration phase, login phase, authentication and key exchange phase, password update phase, and dynamic-node addition phase. These phases are described in detail as follows.

Registration phase
In this phase, we register a legal user, U, and sensor nodes, SN. This concept has already been presented in other studies [18,21]. The registration phase is executed in a rigorously secure environment prior to the deployment of WSNs. Before registration, GW assigns the unique identities, namely, $ID_{SN}$, $ID_{SC}$, and $ID_{GW}$, to SNs, SC, and the GW respectively. Then, GW randomly generates a secret number, $k_{GW}$. Finally, the hash function $H(\cdot)$; message authentication check scheme $\mathrm{MAC}(\cdot)$; and $\mathrm{Ver}(\cdot)$ are stored in SC, GW, and SN. The registration phase is described in detail as follows.
Registration phase for legal user. In this phase, we register the legal user U through the following steps.
1. U inserts his SC and inputs his multiple-password $PW_1, PW_2, \cdots, PW_n$. U generates a random secret number $K_i$ and gets the unique identifier $ID_{SC}$. U computes $RPW_i = H(ID_{SC} \parallel PW_1 \parallel PW_2 \parallel \cdots \parallel PW_n \parallel n \parallel k_i)$ and retrieves the timestamp $TS_1$. Finally, U sends $(RPW_i, TS_1, ID_{SC})$ to GW.
2. Upon receiving the message, GW checks the freshness of $TS_1$. If $TS_1$ is not fresh, GW rejects the request. Otherwise, GW gets the unique identifier $ID_{GW}$. Then, GW computes $TC_i = H(k_{GW} \parallel ID_{GW} \parallel ID_{SC})$, $PTC_i = TC_i \oplus RPW_i$, and $PK_{GW} = PTC_i \oplus k_{GW}$. Then, GW retrieves the current timestamp $TS_2$. Finally, GW stores the tuple $(ID_{GW}, ID_{SC}, PK_{GW})$ in the verification table and sends $(PTC_i, TS_2, ID_{GW})$ to U.
1. SN generates a random secret number $k_j$ and gets the unique identifier $ID_{SN}$. Then, SN computes $PID_j = H(ID_{SN} \parallel k_j)$, $PK_j = PID_j \oplus k_j$ and replaces $ID_{SN}$ with $PID_j$. Finally, SN retrieves timestamp $TS_3$ and sends $(PID_j, TS_3)$ to GW.
2. Upon receiving the message, GW checks the freshness of $TS_3$. If $TS_3$ is not fresh, GW rejects the request. Otherwise, GW computes $TC_j = H(k_{GW} \parallel PID_j)$, $PTC_j = TC_j \oplus PID_j$. Then, GW retrieves the timestamp $TS_4$ and stores $PID_j$. Finally, GW sends $(TS_4, PTC_j)$ to SN.
3. Upon receiving the message, SN checks the freshness of $TS_4$. If $TS_4$ is not fresh, GW rejects the request. Otherwise, SN stores $(PK_j, PTC_j)$.
In this phase, different SNs possess different $PID_j$ and $PK_j$, and the random secret number $K_j$ is not stored in SN. Therefore, our scheme can withstand node capture attacks, as analyzed in the security analysis section. This phase is shown in Fig 2. After finishing the entire registration scheme, GW deletes $k_{GW}$, SC deletes $K_i$, and SN deletes $K_j$ before the deployment of WSNs.

Login phase
The login phase procedure is described in detail as follows. If U attempts to log in to WSNs and obtains data from SN, the following steps are executed. This phase is shown in Fig 3.
1. U inserts his SC and inputs the registered multiple-password $PW_1, PW_2, \cdots, PW_n$.
2. SC gets the unique identifier $ID_{SC}$ and computes $k_i = e_i \oplus H(n \parallel PW_1 \parallel PW_2 \parallel \cdots \parallel PW_n)$, $RPW_i = H(ID_{SC} \parallel PW_1 \parallel PW_2 \parallel \cdots \parallel PW_n \parallel n \parallel k_i)$.
3. SC checks whether $H(e_i \parallel RPW_i \parallel k_i \parallel n \parallel ID_{SC})$ is equal to $V_i$. If it is not equal, SC rejects the request. Otherwise, SC retrieves timestamp $TS_1$ and computes
4. Finally, U sends $(PTC_i, C_j, PKS_i, TS_1, DID_{SC})$ to GW.
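The card-side check of login steps 2 and 3, as an added example (not code from the paper): it shows that the order and the number of passwords are part of the verified input and that a wrong entry is rejected on the card before any message is built for GW. Assumptions: H is SHA-256 over length-prefixed fields, the names enroll, card_login and run_attempts are hypothetical, and e_i and V_i are written at enrolment by inverting the login equations, since the registration step that stores them is not on the page.

```python
import hashlib
import hmac
import secrets


def H(*parts: bytes) -> bytes:
    """H(a || b || ...) as SHA-256 over length-prefixed parts (assumed encoding).

    The length prefix makes the split between passwords part of the input,
    so ("ab", "c") and ("a", "bc") never hash to the same value.
    """
    return hashlib.sha256(
        b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    ).digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encode_passwords(passwords):
    """Return (n, [PW_1 .. PW_n]) as bytes; order and count are both preserved."""
    n = len(passwords).to_bytes(2, "big")
    return n, [p.encode("utf-8") for p in passwords]


def enroll(id_sc: bytes, passwords):
    """Build the card record (ID_SC, e_i, V_i) and the RPW_i that goes to GW.

    k_i is random and is not kept on the card; only e_i = k_i XOR H(n || PW...)
    and the verifier V_i are stored (assumption derived from the login steps).
    """
    n, pws = encode_passwords(passwords)
    k_i = secrets.token_bytes(32)
    e_i = xor(k_i, H(n, *pws))
    rpw_i = H(id_sc, *pws, n, k_i)
    v_i = H(e_i, rpw_i, k_i, n, id_sc)
    return {"ID_SC": id_sc, "e_i": e_i, "V_i": v_i}, rpw_i


def card_login(card, passwords):
    """Login steps 2-3 on the card. Returns (k_i, RPW_i), or None on reject."""
    n, pws = encode_passwords(passwords)
    k_i = xor(card["e_i"], H(n, *pws))                  # step 2
    rpw_i = H(card["ID_SC"], *pws, n, k_i)              # step 2
    v = H(card["e_i"], rpw_i, k_i, n, card["ID_SC"])    # step 3
    if not hmac.compare_digest(v, card["V_i"]):
        return None                                     # nothing is sent to GW
    return k_i, rpw_i


def run_attempts(card, attempts):
    """Count the attempts that would result in a login message for GW."""
    return sum(1 for pw in attempts if card_login(card, pw) is not None)


if __name__ == "__main__":
    # Constructed sample values, not taken from the paper.
    card, rpw = enroll(b"SC-0001", ["river", "Tango7", "lamp"])
    attempts = [
        ["river", "Tango7", "lamp"],     # correct
        ["Tango7", "river", "lamp"],     # right passwords, wrong order
        ["river", "Tango7"],             # one password missing
        ["riverTango7", "lamp"],         # same characters, different split
    ]
    for pw in attempts:
        verdict = "accept" if card_login(card, pw) else "reject"
        print(pw, "->", verdict)
    print("messages that would reach GW:", run_attempts(card, attempts))
```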

Authentication and key exchange phase
In this phase, we describe the authentication mechanism through U, GW, and SC. The mechanism achieves mutual authentication and generates the SK, for future use. The details are presented as follows.
1. Upon receiving the message, GW checks the freshness of $TS_1$. If it is not fresh, GW aborts the session. Otherwise, GW retrieves the unique identity $ID_{GW}$ and computes $ID_{SC} = DID_{SC} \oplus H(TS_1 \parallel ID_{GW})$. GW obtains the $PK_{GW}$ corresponding to $ID_{SC}$ in the verification table. Then, GW computes $k_{GW} = PK_{GW} \oplus PTC_i$, $TC_i = H(k_{GW} \parallel ID_{GW})$, $RPW_i = PTC_i \oplus TC_i$, and $k_i = PKS_i \oplus H(TC_i \parallel TS_1)$. GW checks whether $\mathrm{Ver}_{k_i}(TC_i \parallel TS_1 \parallel RPW_i, C_i)$ is equal to 1. If it is not equal, GW aborts the session. Otherwise, GW retrieves timestamp $TS_2$ and computes $TC_j = H(k_{GW} \parallel PID_j)$, $PKS_{GW} = k_i \oplus H(TC_j \parallel TS_2)$, Finally, GW sends $(PID_j, C_{GW}, PKS_{GW}, TS_2)$ to SN.
2. Upon receiving the message, SN checks the freshness of $TS_2$. If it is not fresh, SN aborts the session. Otherwise, SN computes $TC_j = PTC_j \oplus PID_j$, $k_i = PKS_{GW} \oplus H(TC_j \parallel TS_2)$. Then, SN checks whether $\mathrm{Ver}_{TC_j}(k_i \parallel TS_2 \parallel PID_j, C_{GW})$ is equal to 1. If it is not equal, SN aborts the session. Otherwise, SN retrieves timestamp $TS_3$ and computes $k_i = PK_i \oplus PID_j$, $PKS_j = k_j \oplus H(k_i \parallel TS_3)$, $C_j = \mathrm{MAC}_{k_j}(k_j \parallel TS_3 \parallel k_i)$ and $SK = H(k_i \oplus k_j)$ as the SK. Finally, SN sends $(C_j, PKS_j, TS_3)$ to U.
3. Upon receiving the message, U checks the freshness of $TS_3$. If it is not fresh, U aborts the session. Otherwise, the SC of U computes $k_j = PKS_j \oplus H(k_i \parallel TS_3)$. Then SC checks whether $\mathrm{Ver}_{k_j}(k_j \parallel TS_3 \parallel k_i, C_j)$ is equal to 1. If it is not equal, SC aborts the session. Otherwise, SC computes $SK = H(k_i \oplus k_j)$ as the SK for the future.
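The last two messages of this phase between SN and U, as an added example (not code from the paper): SN masks k_j and authenticates it, U checks freshness, unmasks k_j, verifies the MAC, and both sides derive the same SK. Assumptions: H is SHA-256 and MAC is HMAC-SHA-256 over length-prefixed fields, the 5-second freshness window and the function names are hypothetical, and both sides already hold k_i from the earlier steps.

```python
import hashlib
import hmac

FRESH_WINDOW = 5  # seconds; assumed value, the page does not specify one


def fields(*parts: bytes) -> bytes:
    """Length-prefixed concatenation standing in for a || b || ..."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(fields(*parts)).digest()


def MAC(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, fields(*parts), hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def ts_bytes(ts: int) -> bytes:
    return ts.to_bytes(8, "big")


def is_fresh(ts: int, now: int) -> bool:
    """Accept only timestamps from the recent past, never from the future."""
    return 0 <= now - ts <= FRESH_WINDOW


def sn_respond(k_i: bytes, k_j: bytes, ts3: int):
    """SN side of step 2: build (C_j, PKS_j, TS_3) and derive SK."""
    t = ts_bytes(ts3)
    pks_j = xor(k_j, H(k_i, t))          # PKS_j = k_j XOR H(k_i || TS_3)
    c_j = MAC(k_j, k_j, t, k_i)          # C_j = MAC_{k_j}(k_j || TS_3 || k_i)
    sk = H(xor(k_i, k_j))                # SK = H(k_i XOR k_j)
    return (c_j, pks_j, ts3), sk


def user_verify(k_i: bytes, message, now: int):
    """U side of step 3: return SK, or None if the session must be aborted."""
    c_j, pks_j, ts3 = message
    if not is_fresh(ts3, now):
        return None                      # stale message: replay is dropped here
    if len(pks_j) != 32:
        return None
    t = ts_bytes(ts3)
    k_j = xor(pks_j, H(k_i, t))          # unmask with the received TS_3
    if not hmac.compare_digest(MAC(k_j, k_j, t, k_i), c_j):
        return None                      # modified C_j, PKS_j or TS_3
    return H(xor(k_i, k_j))


if __name__ == "__main__":
    # Constructed sample secrets, not taken from the paper.
    k_i, k_j = bytes(range(32)), bytes(range(32, 64))
    msg, sk_sn = sn_respond(k_i, k_j, ts3=1000)
    c_j, pks_j, _ = msg
    print("fresh message accepted :", user_verify(k_i, msg, now=1002) == sk_sn)
    print("replayed later         :", user_verify(k_i, msg, now=1060))
    print("replay with new TS_3   :", user_verify(k_i, (c_j, pks_j, 1058), now=1060))
```

The third case is the one the freshness check alone would miss: because TS_3 enters both the mask and the MAC input, a re-stamped copy unmasks to a wrong k_j and fails verification.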
In this phase, our proposed scheme not only achieves mutual authentication and key establishment but also checks the integrity of the message. Each message authentication check function in U, SN, and GW uses different secret encryption keys for secure communication [3]. The detailed security performance of our scheme is discussed in the security analysis section, and the authentication and key exchange phase is shown in

Password updated phase
For security reasons, U needs to change his/her password periodically. In this phase, we propose the password-updating phase to change the password of U, and U can change the sequence of passwords and the number of passwords as the new identity characteristics with minimal consumption. The details of this phase are described as follows.
2. SC gets the unique identifier $ID_{SC}$ and computes $k_i = e_i \oplus H(n \parallel PW_1 \parallel PW_2 \parallel \cdots \parallel PW_n)$,

Dynamic node addition phase
New node deployment is inevitable in WSNs because nodes may be lost, exhausted, or destroyed [54]. In this phase, our proposed scheme allows U to add new SN to WSNs after deployment. Our scheme strictly requires that the dynamic node addition phase must be executed by the legal user. Thus, our scheme must initially verify the legality of U. We assume that a new sensor node $SN_{new}$ is going to join the WSNs, and the following steps must be executed.
2. SC gets the unique identifier $ID_{SC}$ and computes $k_i = e_i \oplus H(n \parallel PW_1 \parallel PW_2 \parallel \cdots \parallel PW_n)$ and $RPW_i = H(ID_{SC} \parallel PW_1 \parallel PW_2 \parallel \cdots \parallel PW_n \parallel n \parallel k_i)$.
3. SC checks whether $H(e_i \parallel RPW_i \parallel k_i \parallel n \parallel ID_{SC})$ is equal to $V_i$. If it is not equal, SC rejects the request. Otherwise, SC sends $PTC_i$ and the current TS to GW.
4. GW checks the freshness of TS. If it is not fresh, GW rejects the request. Otherwise, GW computes $k_{GW} = PK_{GW} \oplus PTC_i$ and assigns the new unique identifier $ID_{SC}^{new}$ to $SN_{new}$ via a secure channel.
5. Finally, $SN_{new}$ executes the registration phase for the sensor node.
Note that in this phase, the dynamic addition phase must be executed by a legal U that is authenticated by SC. This mechanism is able to withstand malicious sensor node attacks.

Security Analysis
In this section, we analyze the security performance of our proposed scheme by both formal and informal analyses. We assume that A threatens the security of WSNs. Based on the existing defined models of adversary capabilities that are widely accepted [26,27,55,56], we conclude that A possesses the following hacking capabilities: (1) intercept the transmitted message via the channel [3,6]; (2) use power analysis attacks to obtain the information stored in SC [57,58] and use sensor node capture attack to obtain the information stored in SN [59][60][61]; (3) use dictionary attacks to guess numbers [43]; (4) possess the right to access the gateway station because he/she is a privileged user [40]; and (5) obtain the used passwords of U through other methods. We assume that sensitive information ($PW_1, PW_2, \cdots, PW_n$, $n$, $k_i$, $k_j$, $k_{GW}$, $TC_j$, $TC_i$, $SK$) is attractive to A. Our goal is to prevent the sensitive information from being extracted by A. Thus we carefully analyzed the security performance of our proposed scheme using BAN-logic [62], which is popularly used to ensure the security of communication and session key agreement. The details of our analysis are described as follows.

Formal analysis based on BAN-logic
In this section, we use BAN-logic to analyze the security of our proposed scheme. The notations of BAN-logic are defined as follows, where P denotes the principal, and X and Y denote the statements.
$P \mid\equiv X$: P believes X
$P \triangleleft X$: P sees X
$P \mid\sim X$: P once said X
$P \Rightarrow X$: P has jurisdiction over X
$\#(X)$: X is fresh
$(X, Y)$: The formula X or Y is one part of the formula (X, Y)
$\langle X \rangle_Y$: X combined with Y
$\{X\}_K$: X is encrypted under the key K
$(X)_K$: X is hashed with the key K
$P \stackrel{K}{\leftrightarrow} Q$: P and Q communicate via shared key K
SK: The session key between U and SN
$P \stackrel{X}{\rightleftharpoons} Q$: The formula X is known only to P and Q
Some main logical postulates of the BAN-logic are as follows:
The message-meaning rule: $\frac{P \mid\equiv P \stackrel{K}{\leftrightarrow} Q,\ P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$, $P \mid\equiv P$,
The nonce-verification rule: $\frac{P \mid\equiv \#(X),\ P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$
The jurisdiction rule: $P \mid\equiv Q \Rightarrow X,\ P \mid\equiv Q \mid\equiv X$;

Informal analysis
In this section, we prove our scheme could withstand other attacks. The detailed analysis is described as follows.
Stolen smart card attacks. We know that A could use a power analysis attack to extract the information stored in the SC. We assume that A obtains information $(e_i, V_i, PTC_i, ID_{SC})$. These values are produced through a one-way hash function. The multiple passwords and the secret number $K_i$ from the SC are impossible to obtain. Because of the one-way property of the hash function [48][49][50], our scheme can withstand the stolen SC attacks.
Nodes captured attacks. After WSNs are deployed in the target field, A can easily capture a legitimate sensor node [59][60][61]. Although there are some important studies that focus on the key revocation protocols [63,64], we believe the confidentiality of stored key/data is as important as key revocation. We assume that A could obtain $(PTC_j, PK_j)$ from SN. Owing to the properties of the one-way hash function and XOR operation [51][52][53], the secret number $k_j$ or $TC_j$ are impossible to obtain from SN. Given that $ID_{SN}$ is replaced with $PID_j$ in the registration phase, A cannot extract $ID_{SN}$. The secret number, $k_j$, is impossible to guess because of the two unknown numbers. To obtain $TC_j$, A can compute $TC_j = PTC_j \oplus PID_j$. However, $PID_j$ is not stored in SN. Therefore, A cannot obtain $TC_j$. According to the preceding discussion, we can conclude that our proposed scheme can withstand the nodes captured attack.
Privileged insider attacks. We assume that the adversary A is a privileged insider of WSNs. Therefore, A can access GW to obtain others' sensitive information. In our scheme, GW does not store the passwords of U and other sensitive information. Therefore, A cannot extract the passwords of U. We assume that A can obtain $(PK_{GW}, PID_j)$ from GW. Given the properties of the one-way hash function and XOR operation, deriving $k_{GW}$ and $TC_i$ is an almost impossible task for A. We assume that A intends to compute $k_{GW} = PTC_i \oplus PK_{GW}$. However, since $PTC_i$ is stored in the SC of U, A cannot obtain $k_{GW}$. The preceding discussion shows that our proposed scheme can withstand privileged insider attacks.
Impersonation attacks/mutual authentication. The adversary A can impersonate the GW to send/receive the message or install any program to take over the entire network [65]. In our scheme, each receiver must authenticate the identity of the sender by MAC and Ver functions with the sender's own secret key. GW verifies the identity of U by checking $\mathrm{Ver}_{k_i}(TC_i \parallel TS_1 \parallel RPW_i, C_i) = 1$ with $K_i$. SN verifies the identity of GW by checking $\mathrm{Ver}_{TC_j}(k_i \parallel TS_2 \parallel PID_j, C_{GW}) = 1$ with $TC_j$. U verifies the identity of SN by checking $\mathrm{Ver}_{k_j}(k_j \parallel TS_3 \parallel k_i, C_j) = 1$ with $K_j$. A cannot impersonate any legitimate entity without knowing the secret numbers, such as $K_i$, $TC_j$, and $k_j$. Accordingly, our proposed scheme can withstand an impersonation attack and achieve mutual authentication.
User anonymity. According to Choo et al.'s research [66], there is a mechanical approach to derive identity-based schemes from existing Diffie-Hellman-based schemes. After a careful study of this work, our scheme is designed to withstand this method for protecting user's anonymity. In the login phase, our proposed scheme uses $ID_{SC}$ as the only identity of U. However, a serious problem with user privacy exists. User anonymity is necessary to resist tracing attacks. Our scheme hides $ID_{SC}$ in $RPW_i = H(ID_{SC} \parallel PW_1 \parallel PW_2 \parallel \cdots \parallel PW_n \parallel n \parallel k_i)$, $V_i = H(e_i \parallel RPW_i \parallel ID_{SC} \parallel k_i \parallel n)$ and $DID_{SC} = ID_{SC} \oplus H(TS_1 \parallel ID_{GW})$. The transmitted pseudo identity $DID_{SC}$ is the dynamic name. Given the hash function property, A cannot extract $ID_{SC}$ without $ID_{GW}$. Consequently, our scheme achieves the goal of anonymity and can withstand tracing attacks.
Online guessing attacks. In our scheme, the registration phase is executed strictly in a secure environment before deployment. We assume that A intercepts message transmission in the channel during the login, authentication and key exchange, password updating, and dynamic-node addition phases. A can obtain the messages $(PTC_i, C_i, PKS_i, TS_1)$, $(PID_j, C_{GW}, PKS_{GW}, TS_2)$, $(C_j, PKS_j, TS_3)$, and $(PTC_i, PTC_i^{new})$. Notably, the intercepted message, excluding the TS, is entirely encrypted by hash function and XOR operation. In addition, each hash function includes a minimum of two unknown numbers. Therefore, A cannot use online guessing attacks to guess the inputs of the hash function. In the $C_{GW}$ and $\mathrm{Ver}_{TC_j}$ calculation, although only one unknown input is in the function, A cannot guess the inputs from the dictionary without the secret key, $TC_j$. Therefore, our scheme can resist online guessing attacks.
Offline password guessing attacks. Offline password guessing attacks have always been a major security concern in designing password-based schemes. There are some outstanding studies trying to solve this problem, and our scheme strictly observes the rules that are described in Nam et al.'s research [67]. In this attack analysis section, A can use the power analysis attack to extract the information stored in the SC. Therefore, A obtains $(e_i, V_i, PTC_i, ID_{SC})$ from SC. All messages extracted by A are operated by hash function and XOR operation. Therefore, A cannot derive the sensitive information from these messages. Each message includes a minimum of two unknown inputs, as well as multiple passwords encrypted by the hash function. Therefore, A cannot use offline password-guessing attacks to derive the multiple passwords and the number of passwords $n$ from the SC.
Replay attacks. We assume that A intercepts the messages transmitted in the communication channel and replays these messages to the receiver without any modification. A replay attack cannot work in our scheme because each entity initially checks the freshness of the TS. If the TS is not fresh, then the receiver rejects the request. Therefore, our scheme can resist replay attacks.
Man-in-the-middle attacks. Choo et al. proposed that the unknown key share attack (man-in-the-middle attack) is the most fatal security problem for any protocol [68]. We assume that A intercepts the messages transmitted in the communication channel and replays these messages to the receiver with a particular modification of the message. The purpose of this action of A is to make the receiver believe that A is the legitimate sender. A can intercept the transmitted messages via the channel. To pass authentication, A must compute $C_i$, $C_{GW}$, and $C_j$, and A is unable to obtain $(TC_i, RPW_i, k_i, TC_j, k_j)$ without knowing the secret number or the temporal credential of each entity. Therefore, A cannot obtain the right $(C_i, C_{GW}, C_j)$ and pass authentication. Therefore, our scheme can resist man-in-the-middle attacks.
Lost password threat. According to other studies [69][70][71], passwords are currently not safe and are therefore vulnerable to any identity authentication. A can obtain the used passwords of U through numerous methods. For example, A can obtain user passwords from a low-security level database or by using social engineering [44,45]. Then, A can use these lost passwords to pass the authentication of WSNs with the stolen SC. Once the password is lost, the scheme for WSNs encounters a considerable threat. In our scheme, multiple passwords are used to replace the unique password, which means that the legitimate user needs to input several passwords at will. The passwords, their sequence, and their number are used as key factors to authenticate the user's identity. Although A obtains the used passwords, he/she does not know other security factors, such as the sequence of passwords, their combination, and their number. In other schemes, if A obtains $m$ passwords of the user, the probability of obtaining the correct password is described as follows: where we assume that the probability of using the old password is $P_h$. In our scheme, U adopts $n$ passwords as login passwords. The probability of obtaining the correct password is If the lost passwords do not consist of all the multiple passwords, the probability is smaller than $P_{multiple}$. According to the preceding discussion, $P_{multiple}$ is smaller than $P_{one}$, and A cannot obtain the correct multiple passwords. Therefore, our scheme can prevent the lost password threat.
D-DOS attacks. Because of the energy limitation of WSNs, the D-DOS attack is one of the most detrimental threats to WSNs [3,42,59]. This attack includes the hello flood, inputting the wrong password, and resource depletion attacks. The goal of these attacks is to deplete the resource, especially the energy of WSNs. Numerous related schemes verify the user identity in GW with several complex computations, including numerous hash functions and other operations. This authentication method costs considerable energy of WSNs if A starts a D-DOS attack, which is launched by persistently inputting wrong passwords. Our scheme verifies the user identity by the SC without any consumption of GW. This idea can cut the spare overhead off and can validly resist the D-DOS attacks that are launched by inputting wrong passwords in the login phase.
Malicious sensor-node attack. In the dynamic-node addition phase, U can add his/her new SNs to the WSNs. If the SN new is the malicious sensor node that is employed by A, then SN new can obtain information from other legitimate SNs and start malicious sensor-node attacks on WSNs, including Sybil, wormhole, sink hole, rushing, routing loop, and other types of attacks [1,40]. To protect WSNs from malicious sensor-node attacks, our scheme requires the procedure of the dynamic node addition phase to be executed under the legitimate user. If someone wants to add any new SN to the WSN, the validity of the user identity must be verified. If the identity is not legitimate, the request is rejected. Therefore, our scheme can withstand malicious sensor-node attacks.
Three-factor security. Numerous related schemes adopting three security factors [20,72,73] usually adopt SC, password, and biometric characteristics as authenticating factors. However, biometrics present several drawbacks that are unsuitable for WSNs. Therefore, our scheme uses multiple passwords to replace the biometric characteristic. Several passwords, their sequence, and the number of passwords are used as the most important factors for verification.
Integrity of message. In our scheme, the MAC and Ver functions are used to achieve the goal of confidentiality and integrity, which are the most important properties of security [74,75]. Upon receiving a message, the receiver verifies whether the output of the Ver function is equal to 1. If it is not, the receiver aborts the session and rejects the request from the sender. Consequently, if A modifies the message and sends it to the next entity, the message is denied. Therefore, our scheme checks the integrity of the message.
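The receiver-side check described above can be sketched as follows. This is an added example, not the paper's own construction: the use of HMAC-SHA-256 truncated to 128 bits, the frame layout (160-bit identity, 160-bit nonce, 32-bit TS, 128-bit MAC, sizes taken from the reference basis of this paper), and the function names are assumptions.

```python
import hashlib
import hmac
import struct

MAC_BYTES = 16                           # 128-bit MAC output
ID_BYTES = NONCE_BYTES = 20              # 160-bit identity and nonce
MSG_BYTES = ID_BYTES + NONCE_BYTES + 4   # plus a 32-bit timestamp (TS)


def mac(key: bytes, message: bytes) -> bytes:
    """MAC: HMAC-SHA-256 truncated to 128 bits (assumed instantiation)."""
    return hmac.new(key, message, hashlib.sha256).digest()[:MAC_BYTES]


def ver(key: bytes, message: bytes, tag: bytes) -> int:
    """Ver: 1 if the tag matches the message, 0 otherwise (constant-time compare)."""
    ok = len(tag) == MAC_BYTES and hmac.compare_digest(mac(key, message), tag)
    return 1 if ok else 0


def build_frame(key: bytes, sender_id: bytes, nonce: bytes, ts: int) -> bytes:
    """Sender side: fixed-width fields followed by the MAC over all of them."""
    if len(sender_id) != ID_BYTES or len(nonce) != NONCE_BYTES:
        raise ValueError("identity and nonce must be 160 bits")
    message = sender_id + nonce + struct.pack(">I", ts)
    return message + mac(key, message)


def receive(key: bytes, frame: bytes):
    """Receiver side: abort (return None) unless Ver outputs 1."""
    if len(frame) != MSG_BYTES + MAC_BYTES:
        return None                      # malformed or truncated frame
    message, tag = frame[:MSG_BYTES], frame[MSG_BYTES:]
    if ver(key, message, tag) != 1:
        return None                      # modified message or wrong key
    (ts,) = struct.unpack(">I", message[-4:])
    return {"id": message[:ID_BYTES],
            "nonce": message[ID_BYTES:ID_BYTES + NONCE_BYTES],
            "ts": ts}
```

Fixed-width fields keep the MAC input unambiguous, so no field boundary can be shifted without changing the tag.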

Security performance comparison
In this section, we compare our proposed scheme with other schemes from the security aspect. The comparison shows that our scheme exhibits superior security performance to other schemes. The detailed comparison is presented in Table 1. Yes and No in this table denote that the scheme could withstand the attack or could not withstand the attack, respectively, and n/a denotes the scheme is not applicable in this comparison. The abbreviations below Table 1 denote the compared security properties [76].

Performance Analysis
In this section, we compare our proposed scheme with other schemes that are listed in Table 1.
As introduced in other studies [6,72], the overhead of several base operations, such as the XOR operation, TS, and random number generation, is ignored. These types of operations entail approximately no cost in comparison with the one-way hash computation and other complex computations. We believe that the communication overhead and storage overhead are of equal importance to the computational overhead. As introduced in Amin et al.'s research [76], the communication and storage overheads are analyzed in detail. Therefore, we analyze our scheme in three terms.

Reference basis
In this section, we enumerate the reference basis of WSN performance that is adopted in this paper. As described in several studies [14, 17-21, 23, 35, 73, 77-83], all protocols are compared by the number of main computations. To show the result intuitively, we unified the hash function to represent all protocol overheads. The basis of comparison is described as follows:
1. According to Nam et al.'s research [14] and Crypto++ 5.6.0 benchmarks, SHA-1 takes 11.4 cycles per byte, HMAC takes 11.9 cycles per byte, and AES takes 16.9 cycles per byte under Windows Vista and Intel Core 2. Therefore, one HMAC is equal to 1.04 hash functions and one AES is almost equal to 1.5 hash functions.
2. As introduced in other studies [72,84], one asymmetric encryption/decryption is equal to 100 symmetric encryptions/decryptions. In addition, a symmetric encryption/decryption is at least 60 times faster than a one-exponential operation.
3. According to other studies [20,39,72], the time to execute a fuzzy extractor is the same as for an elliptic curve point multiplication. The time for a one-way hashing operation is 0.00032 s, for a symmetric encryption/decryption operation is 0.0056 s, for a modular exponentiation operation is 0.0192 s, and for an elliptic curve point relative multiplication operation or a fuzzy extractor is 0.0171 s.
4. According to Ma's study [85], we assume a WSN that adopts MICA2, which integrates an 8-bit 8 MHz ATmega128L processor. The voltage is 3 V, the computational electric current is 8 mA, the received electric current is 10 mA, the transmitted electric current is 27 mA, and the transmission rate is 12.4 kb/s. Therefore, a computation that executes for 0.00032 s needs 3 V × 8 mA × 0.00032 s = 0.00768 mJ.
5. In agreement with [6,20], we assume that the hash output is 160 bits [86], one prime factor is 160 bits minimum, the elliptic curve output is 320 bits, and the secret parameter is at least 160 bits [87]. The TS has 32 bits; the expiration time TE is 32 bits; the user identity ID, pseudo ID, and random nonce are 160 bits; the sensor node identity ID_SN, GW ID_GW, and pseudo ID_SN are 16 bits; the encryption/decryption output is 128 bits; the MAC output is 128 bits; and the key setup is 128 bits.
Therefore, we can conclude all main computations in several aspects. The overhead of these main computations is described in Table 2.
The notations in this section are as follows: T_H: hash function operation; T_A: asymmetric encryption/decryption; T_E: symmetric encryption/decryption; T_M: MAC generation/verification; T_ME: modular exponentiation operation; T_Ex: one-exponential operation; T_EC: elliptic curve point multiplication; T_F: fuzzy extractor.
Comparison with other schemes. In this section, we compare our proposed scheme with the schemes proposed by Nam et al. [14], A. K. Das [20], He et al. [21], Jiang et al. [19], M. L. Das [17], and Xue et al. [18] in terms of computational, communication, and storage overheads. Comparison details are described as follows.
Computational overhead. In this section, we compare the computational overhead of all schemes in several aspects. The details of the comparison of computational overhead are shown in Table 3. Notation: the numbers shown in Table 3 are rough numbers that retain three decimal places.
Communication overhead. As introduced by the study [6], the transmission overhead is considerably larger than the computational overhead. The proportion of all overheads is listed as follows: 71% data transmission, 20% MAC transmission, 7% nonce transmission (for freshness), and 2% MAC and encryption computation. Therefore, analyzing the communication overhead is crucial. We assume that the receiving electric current of WSNs is 10 mA, the transmitting electric current is 27 mA, and the rate of transmission is 12.4 kb/s. According to Ma's study [85], we assume that the consumption for transmitting 1 byte is 3 V × 27 mA × 8 b / 12400 b/s = 0.052 mJ and the consumption for receiving 1 byte is 3 V × 10 mA × 8 b / 12400 b/s = 0.019 mJ. The details of the communication overhead of all schemes are presented in Table 4. The hello and successful signals are ignored. Notation: the numbers shown in Table 4 are rough numbers that retain three decimal places.
Storage overhead analysis. In this section, we compare the size of stored messages with other schemes. According to the reference basis, we compute the size of stored messages in U, GW, and SN, respectively. The detailed comparison of storage overhead is presented in Table 5.
Comparison of total overhead. In this section, we compare the total overhead of schemes, including communication and computation overheads. We compare the overhead of each entity in Table 6 and compute the total overhead of all schemes. The result shows that the communication consumption is markedly larger than the computation consumption and that its percentage is almost above 95% of the total overhead. This result is the same as that in Perrig et al.'s study [6] and in common agreement with other research. Future security schemes developed will be compared based on computation overhead and communication overhead. Owing to the property of WSNs [85], the gateway station has larger energy, higher computation performance, and larger storage performance than the SN. If we want to improve the overhead of the research scheme, the most important point is improving the communication overhead of the SN instead of the computational overhead. Notation: the numbers shown in Table 6 are rough numbers that retain three decimal places. The notations in this section are denoted as follows: CC: communication costs; PC: computation costs; Tot: total overhead; %: the communication costs' percentage of total overhead.
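The energy model behind the CC, PC, Tot, and % columns can be reproduced from the reference basis. The following is an added example, not the authors' code: the constants are the paper's, while the 336-bit message layout and the operation counts for the sensor node are constructed for illustration and are not values from Tables 3 to 6.

```python
# Constants are the paper's reference basis (MICA2 with an ATmega128L).
VOLTAGE_V = 3.0
I_COMPUTE_A, I_RX_A, I_TX_A = 0.008, 0.010, 0.027   # 8 mA, 10 mA, 27 mA
RATE_BPS = 12400                                     # 12.4 kb/s

# Execution time in seconds per operation (reference basis, item 3).
OP_TIME_S = {"T_H": 0.00032, "T_E": 0.0056, "T_ME": 0.0192,
             "T_EC": 0.0171, "T_F": 0.0171}

# Field sizes in bits (reference basis, item 5).
FIELD_BITS = {"id": 160, "nonce": 160, "hash": 160, "ts": 32, "te": 32,
              "id_sn": 16, "id_gw": 16, "enc": 128, "mac": 128}


def compute_mj(ops):
    """Computation energy in mJ for a dict of operation counts."""
    seconds = sum(OP_TIME_S[op] * count for op, count in ops.items())
    return VOLTAGE_V * I_COMPUTE_A * seconds * 1000


def radio_mj(bits, current_a):
    """Radio energy in mJ to move `bits` at the given current."""
    return VOLTAGE_V * current_a * bits / RATE_BPS * 1000


def node_budget(ops, sent, received):
    """CC, PC, Tot (mJ) and the communication share (%) for one node."""
    bits = lambda msg: sum(FIELD_BITS[f] for f in msg)
    cc = (sum(radio_mj(bits(m), I_TX_A) for m in sent)
          + sum(radio_mj(bits(m), I_RX_A) for m in received))
    pc = compute_mj(ops)
    return {"CC": cc, "PC": pc, "Tot": cc + pc, "%": 100 * cc / (cc + pc)}


# Constructed exchange: the sensor node receives and sends one 336-bit message.
MSG = ["id_sn", "nonce", "ts", "mac"]
HASH_ONLY = node_budget({"T_H": 4}, sent=[MSG], received=[MSG])
WITH_EC = node_budget({"T_H": 4, "T_EC": 1}, sent=[MSG], received=[MSG])

if __name__ == "__main__":
    for name, b in (("hash only", HASH_ONLY), ("with one T_EC", WITH_EC)):
        print(name, {k: round(v, 3) for k, v in b.items()})
```

With hash-only computation the communication share of this constructed exchange is above 95%, while adding a single elliptic curve point multiplication on the node lowers it below that mark, so the share depends on which primitives the node executes.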

Conclusion
In this paper, we designed a temporal credential-based mutual authentication with a multiple-password scheme for WSNs. Through comparison with other schemes, we have proven that our scheme exhibits better security performance than the other schemes. Moreover, our scheme can withstand related attacks, including the lost password threat. The discussion in this paper proves that our scheme entails relatively small consumption. The analysis shows that the communication consumption's percentage of total overhead is almost above 95% and that it is markedly larger than the computational consumption. Therefore, we will compare future security schemes based on computational overhead and communication overhead.
Supporting Information S1