Efficient and secure three-party mutual authentication key agreement protocol for WSNs in IoT environments

In the Internet of Things (IoT), numerous devices can interact with each other over the Internet. A wide range of IoT applications have already been deployed, such as transportation systems, healthcare systems, smart buildings, smart factories, and smart cities. Wireless sensor networks (WSNs) play crucial roles in these IoT applications. Researchers have published effective (but not entirely secure) approaches for merging WSNs into IoT environments. In IoT environments, the security effectiveness of remote user authentication is crucial for information transmission. Computational efficiency and energy consumption are crucial because the energy available to any WSN is limited. This paper proposes a notably efficient and secure authentication scheme based on temporal credential and dynamic ID for WSNs in IoT environments. The Burrows–Abadi–Needham (BAN) logic method was used to validate our scheme. Cryptanalysis revealed that our scheme can overcome the security weaknesses of previously published schemes. The security functionalities and performance efficiency of our scheme are compared with those of previous related schemes. The result demonstrates that our scheme’s security functionalities are quantitatively and qualitatively superior to those of comparable schemes. Our scheme can improve the effectiveness of authentication in IoT environments. Notably, our scheme has superior performance efficiency, low computational cost, frugal energy consumption, and low communication cost.


Introduction
Internet of Things (IoT) is an emerging technology that extends Internet connectivity to various devices such as sensors, vehicles, and mobile phones. These devices can interact with each other over the Internet [1]. A wide range of applications connecting objects that can communicate with each other have been deployed; applications include transportation systems, healthcare systems, smart buildings, smart factories, and smart cities [1,2]. time of a user's temporal credential is regulated by the GWN. A user's temporal credential is related to the user's identity and can be securely stored in a smart card. The temporal credential of a sensor node is also related to its identity and is written confidentially into its storage. On the basis of the issuing and signing of temporal credentials, mutual authentication between the user and the GWN is achieved by verifying the user's temporal credential, and mutual authentication between the sensor node and the GWN is achieved by verifying the sensor node's temporal credential. Each dynamic ID is temporarily assigned by the system and mapped to a specific user [9]. A dynamic ID is a combination of its user's information and a random nonce. The random nonce is an arbitrary number that is used only once during the communication. In the authentication process, the login message of user i contains a dynamic ID, called DID_i. The login message is different for each login. For all i, the parameter DID_i is associated with nonce N_i and changes dynamically for each login. The use of a dynamic ID in each login message avoids the risk of ID theft [10]. Our scheme introduces dynamic IDs to anonymize users.

Motivation and contribution
Typical IoT installations allow remote users to access data from sensor nodes in WSNs through the Internet. Researchers have been developing effective approaches for merging WSNs into IoT environments [2,11-16]. Because of the resource constraints of sensor nodes, designing an efficient and secure authentication scheme for WSNs in IoT environments is a nontrivial challenge. In IoT environments, the security effectiveness of remote user authentication is crucial for trustworthy information transmission [2,3]. Computational efficiency and energy consumption are crucial because of the limited energy resources of WSNs [2,3]. Moreover, time synchronization is a critical and challenging problem for WSNs; the system must provide a synchronized logical clock for all devices and objects in IoT environments [3,17-19]. Any adversary and any malicious node in IoT environments can attack clock synchronization [3,17]. Communication errors, frequent topological changes, low-cost clocks, and the limited energy of IoT nodes are other factors that can affect time synchronization [18,19]. A timestamp-based authentication scheme requires trustworthy timestamps and synchronized clocks to verify any device's legitimacy. When a system has a serious time synchronization problem, no device can be synchronized with any other device, and thus the system cannot verify any device's legitimacy. Therefore, any serious time synchronization failure causes mutual authentication failure. The time synchronization problem should be considered when designing a remote user authentication scheme for WSNs in IoT environments [3,17-19]. Moreover, when a given user's ID is revealed, an adversary can determine information concerning the user's identity and monitor the user's activities. An exposed user ID is also useful to the adversary because it provides login information [10]. Therefore, anonymous access should be required for each login.
Although several previously published studies have proposed diverse remote user authentication schemes, they have been neither sufficiently secure nor sufficiently efficient to satisfy the requirements of WSNs in IoT environments (see Related work in Section 2). This paper proposes a more efficient and secure authentication scheme for WSNs in IoT environments to remedy these security weaknesses.
The major contributions of our work are as follows:
1. We propose a new three-party scheme on the basis of temporal credentials [7] and dynamic IDs [9,10] for WSNs in IoT environments to achieve security, mutual authentication, and session key agreement. Cryptanalysis revealed that the security functionalities of the proposed scheme are qualitatively and quantitatively superior to those of previous schemes; the proposed scheme can advance the field of authentication schemes. The Burrows-Abadi-Needham (BAN) logic method [3,20-24] was used to validate our scheme.
2. The proposed scheme performs efficiently in IoT environments, with low computational cost, frugal energy consumption, and little communication cost.
3. Our scheme uses temporal credentials and random nonces instead of timestamps to verify mutual authentication among U_i, the GWN, and S_j. Therefore, our scheme avoids the time synchronization problem for WSNs in IoT environments [3,9,17,25]. Moreover, dynamic ID technology [9,10] is applied in our scheme. User identities are consequently anonymous and can be confirmed only by the service provider.

Organization of the paper
The remainder of this paper is organized as follows: Section 2 introduces a brief review of the related work in WSNs and explains the security weaknesses of the Ostad-Sharif et al. scheme [2] for WSNs in IoT environments; Section 3 details the proposed efficient secure authentication scheme for WSNs in IoT environments; Section 4 presents the security analysis of the proposed scheme; Section 5 discusses the effectiveness and efficiency of the proposed scheme; and finally, Section 6 presents the study's conclusion.

Related work in WSNs
To satisfy the security requirements of WSNs, many remote user authentication schemes have been proposed. In 2004, Benenson et al. [26] described the security issues of user authentication in WSNs and proposed a protocol for them, in which the user can achieve successful authentication with any subset of sensors from a set of n sensors (n being the average number of sensors within a broadcast distance of the user). Watro et al. [27] proposed the TinyPK authentication protocol, which uses the Rivest-Shamir-Adleman (RSA) public key cryptosystem [28] and the Diffie-Hellman key agreement algorithm [29]. However, this protocol is vulnerable to a masquerade attack, in which an adversary can masquerade as a sensor node to spoof the user [5]. Wong et al. [30] proposed a less complex, lightweight user authentication protocol for WSNs that uses only hash function operations. However, the scheme cannot protect against stolen-verifier, replay, and forgery attacks [5,31]. Moreover, the passwords in the scheme can be revealed easily by any of the sensor nodes, and users cannot change their passwords freely. In 2009, to eliminate the weaknesses of the Wong et al. scheme, Das [5] proposed a two-factor user authentication scheme for WSNs. The scheme implements password-based authentication with the assistance of a GWN to access resource-constrained sensor nodes. However, this scheme is vulnerable to insider, masquerade, offline password-guessing, stolen smart card, and GWN bypassing attacks [7,8,32]. The scheme does not provide mutual authentication, key agreement, or a password change phase for users to change or update their password [7,8,32]. Khan et al. [32], Chen et al. [33], and Yeh et al. [8] subsequently proposed new schemes for improving the inherent security weaknesses of the Das scheme. Khan et al. [32] proposed a user authentication scheme for rectifying the susceptibilities of the Das scheme and achieving more secure user authentication in WSNs.
Afterward, Chen et al. [33] provided a secrecy-improved mutual user authentication scheme for WSNs by applying hash functions. Yeh et al. [8] proposed a new mutual user authentication protocol using elliptic curve cryptography (ECC) and smart cards for WSNs. Xue et al. [7] showed that the Khan et al. scheme is vulnerable to stolen smart card and GWN bypassing attacks. In addition, the Chen et al. scheme is vulnerable to insider, masquerade, stolen smart card, and GWN bypassing attacks [7]. By contrast, the Yeh et al. scheme is vulnerable to stolen smart card and replay attacks [7]. Xue et al. [7] proposed a temporal-credential-based mutual authentication scheme for users, GWNs, and sensor nodes. With the assistance of password-based authentication, the GWN in the Xue et al. scheme can issue a temporal credential to each user and sensor node. However, the Xue et al. scheme is vulnerable to insider attacks and stolen smart card attacks [34], and it does not offer password protection [34]. In 2016, Chang et al. [35] proposed a flexible authentication scheme for WSNs that operates in two modes. The first mode provides a lightweight authentication scheme, and the second mode is an advanced protocol based on ECC. In 2018, Amin et al. [34] demonstrated that the Chang et al. scheme is insecure against the stolen smart card attack and cannot provide password protection. Amin et al. [34] then proposed a robust authentication scheme using smart cards for WSNs. However, the Amin et al. scheme has higher energy consumption, computational costs, and communication costs than the schemes published previously (Section 5) [34]. For healthcare applications, Challa et al. [36] proposed a secure user authentication scheme for wireless healthcare sensor networks. The three-factor authentication scheme is designed with ECC. Their scheme has several functionality features, including dynamic sensor node addition, password updates, biometrics updates, and smart card revocation for WSNs.
On the basis of ECC, Li et al. [3] also proposed an anonymous authentication scheme for WSNs in IoT environments. In the scheme, they used a fuzzy commitment scheme [3] to handle user biometric information. In 2019, Harbi et al. [37] proposed an ECC-based mutual authentication scheme to secure communication in IoT-enabled WSNs. The sensor network in the system is arranged into clusters to diminish the energy consumption of sensors. Each cluster has a cluster head, which is a leader sensor node. However, the Challa et al., Li et al., and Harbi et al. schemes are all based on ECC for WSNs. ECC is a public key cryptography approach based on elliptic curves. According to related studies, the time cost of an ECC point multiplication is much larger than that of a hash function operation [2,3,7,34,35], and the energy consumption for executing an asymmetric ECC cryptosystem is much higher than that for executing a hash function [38,39]. Currently, researchers are designing effective remote user authentication schemes for WSNs in IoT environments. In 2019, Ostad-Sharif et al. [2] proposed an efficient user authentication scheme and claimed that their scheme is appropriate for WSNs in IoT environments. However, in this section, we argue that the login and authentication phase of the Ostad-Sharif et al. scheme has design faults. Moreover, their scheme cannot actually change or update a password in its password change phase. Their scheme also has the time synchronization problem [3,17-19]. The details are presented as follows.

Authentication design faults of the Ostad-Sharif et al. scheme in IoT environments
Design faults exist in the login and authentication phase of the Ostad-Sharif et al. scheme [2]. We illustrate this security weakness in the following passages. When a registered user U_i wants to access the information of sensor node S_j, the login and authentication phase of the Ostad-Sharif et al. scheme must be executed first. A registered user U_i inserts a smart card into the smart card reader and imprints his/her fingerprint B_i on the sensor device. The smart card contains the secret parameters {D_i, C_i, E_i, SCN_i, BK()}, in which SCN_i denotes the unique smart card number and BK() denotes the biometric key generation/extraction function. The smart card reader first extracts the masked biometric C_i from the smart card and computes RN'_i = BK(h(B_i)) ⊕ C'_i. After finding C'_i, the smart card reader must validate whether C'_i and C_i are equal. If C'_i ≠ C_i, the smart card reader terminates the request. However, in the equation above, the smart card reader knows neither the random number RN'_i nor the masked biometric C'_i; it therefore cannot obtain RN'_i and C'_i from this single equation. Consequently, even a legitimately registered user U_i cannot pass the verification to access the system, and this problem affects all legitimately registered users. The Ostad-Sharif et al. scheme thus has design faults in its login and authentication phase.

Failure to provide password change capability in the Ostad-Sharif et al. scheme
The Ostad-Sharif et al. scheme [2] cannot provide password change capability. We demonstrate this weakness in the following passages. When a registered user U_i wants to update the password PW_i, the password change phase of the scheme must be executed. U_i first inserts a smart card into the smart card reader and then inputs identity ID_i and password PW_i. The smart card contains the secret parameters {D_i, C_i, E_i, SCN_i, BK()}. After the legitimacy of U_i is verified, U_i enters a new password PW_i^new. The smart card computes the following equations: (4) and (5), we obtain the following results:

Time synchronization and authentication problem of the Ostad-Sharif et al. scheme in IoT environments
The Ostad-Sharif et al. scheme uses a timestamp T_i to verify mutual authentication among U_i, the GWN, and S_j for WSNs in IoT environments. Therefore, the scheme must provide synchronized clocks to all devices in IoT environments for timestamp comparison [3,17,18]. However, as mentioned, both adversaries and malicious nodes can attack time synchronization [17]. Frequent topological changes, low-cost clocks, and the limited energy of sensor nodes in IoT environments can also affect time synchronization [18,19]. The time synchronization of all WSN devices in IoT environments is a nontrivial challenge in itself [3,17-19]. When a serious time synchronization problem arises in the Ostad-Sharif et al. scheme, the GWN, U_i, and S_j cannot be synchronized with each other, and the legitimacy of the GWN, U_i, and S_j cannot be verified. Hence, the Ostad-Sharif et al. scheme may enter a state in which mutual authentication among the GWN, U_i, and S_j cannot be achieved [3,17,18].

Proposed scheme
In this section, we propose an efficient and secure authentication scheme for WSNs in IoT environments. The WSN environment contains three participants: the user (U_i), the sensor node (S_j), and the gateway node (GWN). The scheme applies dynamic IDs to achieve security and user anonymity (identity protection) [9,10]. The scheme applies temporal credentials to achieve mutual authentication and session key agreement [7]. Temporal credentials are securely protected and stored in smart cards. The scheme can withstand stolen smart card attacks (Section 4.2). The system protects passwords against off-line password guessing attacks (Section 4.2). The system need not maintain any password or verification table; therefore, it can resist stolen-verifier attacks and insider attacks [9,40,41]. The scheme can withstand masquerade attacks, replay attacks, GWN bypassing attacks, and GWN spoofing attacks (Sections 4.4 and 4.8). Before registration, users are not obliged to share their IDs and passwords with the GWN; hence, the scheme provides a convenient functionality for adding new users (Section 4.6). To solve the password-changing problem of previous schemes, we also introduce a new password change phase to update the password. In the new password change phase, U_i can freely select and update the password without communicating with any other participant (the GWN or S_j), thus avoiding additional communication message overhead (Fig 5) [42]. Our scheme uses only hash function operations, for both security and computational efficiency. Table 1 lists the definitions of the notations in our scheme. The GWN chooses the private keys K_GWN-U and K_GWN-S, and only the GWN knows them. The proposed scheme consists of four phases: (1) registration phase, (2) login phase, (3) authentication and key agreement phase, and (4) password change phase. They are described as follows:

Registration phase
The registration phase comprises two parts, one for users and the other for sensor nodes. We first describe the registration phase for users. In this phase, when a new user U_i undertakes to register, he or she selects the identification ID_i and password PW_i. Subsequently, U_i generates a random number r_i and sends ID_i and h(r_i ⊕ PW_i) to the GWN for registration through a secure channel. After receiving the messages from U_i, the GWN selects the expiration time TE_i of the temporal credential of U_i. The GWN computes the temporal credential TC_i and verification information R_i for U_i. The GWN then issues a smart card with the temporal credential TC_i, expiration time TE_i, and verification information R_i to U_i through a secure channel. The steps are detailed as follows (Fig 2):
Step U1. U_i freely chooses identification ID_i and password PW_i.
Step U2. U_i generates a random number r_i and calculates h(r_i ⊕ PW_i).
After receiving the message from U_i, the GWN selects the expiration time TE_i of the temporal credential of U_i and computes the following equations to issue the temporal credential TC_i for U_i.
The GWN then issues a smart card with the secret parameters
Step U5. U_i stores r_i in the smart card, after which the smart card holds the parameters
We now describe the registration phase for sensor nodes. In this phase, each sensor node S_j is pre-configured with SID_j. After deployment, the sensor node S_j generates a random number r_j and then sends SID_j and h(r_j ⊕ SID_j) to the GWN for registration through a secure channel. After receiving the messages from S_j, the GWN issues a temporal credential TC_j to S_j through a secure channel. The steps are detailed as follows (Fig 3):
Step S1. S_j is pre-configured with SID_j.
Step S2. S_j generates a random number r_j and computes h(r_j ⊕ SID_j).
Step S3. S_j → GWN: S_j sends SID_j and h(r_j ⊕ SID_j) to the GWN through a secure channel.
Step S4. GWN → S_j: {RTC_j}. After receiving the message from S_j, the GWN computes TC_j = h(K_GWN-S ‖ SID_j) to issue the temporal credential TC_j for S_j and then calculates RTC_j = TC_j ⊕ h(h(r_j ⊕ SID_j) ‖ SID_j). The GWN sends RTC_j to S_j through a secure channel.
Step S5. After receiving the message from the GWN, S_j computes TC_j = RTC_j ⊕ h(h(r_j ⊕ SID_j) ‖ SID_j) to find its temporal credential TC_j and then stores it.
Table 1 (last row): One-way hash function (c). Footnotes: (a) A common channel is a channel allocated in common to the participants. (b) A secure channel is a channel for delivering messages that can withstand tampering and overhearing. (c) A hash function has the one-way property that it is computationally infeasible to find a data object that maps to a given hash result [43]. (https://doi.org/10.1371/journal.pone.0232277.t001)

Login phase
U_i first inserts a smart card into the smart card reader to log in to the system. U_i then provides (ID_i, PW_i), which correspond to the smart card. The smart card of U_i computes verification information R*_i and then checks it against the stored R_i in the smart card. After passing verification, the legitimacy of U_i is ensured. Afterward, U_i can read the information stored in the smart card and find its temporal credential TC_i. The steps are detailed as follows (Fig 4):
Step L1. User U_i inserts a smart card into the smart card reader and provides (ID_i, PW_i). The smart card of user U_i then computes Q_i = B_i ⊕ h(ID_i ‖ h(r_i ⊕ PW_i)) and R*_i = h(Q_i). The smart card validates whether R*_i and the stored R_i in the smart card are equal. If the values are unequal, the smart card rejects the login request. Otherwise, the legitimacy of U_i is ensured, and U_i can read the information stored in the smart card.
Step L2. U_i computes TC_i = PTC_i ⊕ h(r_i ⊕ PW_i) to find its temporal credential TC_i.

PLOS ONE
Three-party mutual authenticated key agreement protocol for WSNs

Authentication and key agreement phase
After ensuring the legitimacy of U_i and finding the temporal credential TC_i, the system must complete mutual authentication among U_i, the GWN, and S_j. The first step of the mutual authentication phase is identity verification of U_i, which is conducted by the GWN. The second step is identity verification of the GWN, which is conducted by S_j. The third step is identity verification of S_j, which is conducted by both U_i and the GWN. Finally, a session key KEY_ij is negotiated between U_i and S_j for encrypting the data transmitted later on. The steps are detailed as follows (Fig 4):
Afterward, U_i randomly chooses a secret sharing key K_i and computes PKS_i = K_i ⊕ h(TC_i ‖ N_i). After computation, U_i sends the login request message
Step V2. GWN → S_j: h(ID_i ‖ TC_i ‖ N_i). The GWN then verifies whether q*_1 and q_1 are equal. If q*_1 ≠ q_1, the GWN terminates the request and sends a reject message to U_i. Otherwise, the legitimacy of U_i is ensured, and the GWN accepts the login request. The GWN then records the login status of U_i to indicate that U_i is logging in to the system. The GWN computes K_i = PKS_i ⊕ h(TC_i ‖ N_i). At this point, the GWN selects a proper sensor node S_j with identification SID_j and calculates its temporal credential TC_j = h(K_GWN-S ‖ SID_j). The GWN then generates a nonce N_GWN and computes DID_GWN
Step V3. S_j then verifies whether q*_2 and q_2 are equal. If q*_2 ≠ q_2, S_j terminates the request and returns a reject message. Otherwise, the legitimacy of the GWN is ensured, and S_j accepts the request. S_j computes K_i = PKS_GWN ⊕ h(TC_j ‖ N_GWN). Afterward, S_j randomly selects a secret sharing key K_j. S_j computes q_3
Step V4. After receiving the message m_3, U_i and the GWN separately compute q*_3 = h(ID_i ‖ SID_j ‖ K_i ‖ N_i ‖ N_GWN). After computation, the GWN verifies whether q*_3 and q_3 are equal. If q*_3 = q_3, the GWN can verify the legitimacy of S_j. User U_i also verifies whether q*_3 and q_3 are equal. If q*_3 = q_3, U_i can verify the legitimacy of S_j and the GWN. Afterward, U_i and the GWN separately compute K_j = PKS_j ⊕ h(K_i ‖ N_i ‖ N_GWN). Finally, after ending the mutual authentication phase, U_i, the GWN, and S_j separately generate the shared session key KEY_ij by computing
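The registration, login and authentication/key agreement exchange described above (Steps U1 to S5, L1 to L2, and V1 to V4), as an added worked example in Python that is not the paper's own code: all three parties' messages, each side's q*-check, and the unmasking of K_i, K_j and KEY_ij. Assumed here because the page does not give them: SHA-256 for h(), TC_i = h(K_GWN-U ‖ ID_i ‖ TE_i), Q_i = h(TC_i ‖ ID_i), the DID_i and DID_GWN masks, the exact message layouts, and that the GWN keeps the TE_i it issued to each user in order to resolve a dynamic ID.

```python
import hashlib
import secrets

LEN = 32  # every masked value is one SHA-256 output long, so XOR masks line up


def h(*parts):
    """One-way hash of the concatenation a ‖ b ‖ ...; SHA-256 stands in for h()."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ident(s):
    """Identities and passwords padded to LEN bytes so they can be XOR-masked."""
    return s.encode().ljust(LEN, b"\0")


# GWN state: private keys (Table 1; only the GWN knows them) and the expiration time
# TE_i chosen for each registered user. Assumption: this record is how the GWN
# resolves a dynamic ID; it stores no password and no verifier.
K_GWN_U, K_GWN_S = secrets.token_bytes(LEN), secrets.token_bytes(LEN)
ID_GWN = ident("GWN-1")
gwn_users = {}


def gwn_register_user(ID_i, hrpw):
    """Steps U3/U4 (assumed forms; the page gives only the Step L1/L2 inverses)."""
    TE_i = ident("2030-12-31")                  # expiration time chosen by the GWN
    TC_i = h(K_GWN_U, ID_i, TE_i)               # assumed: TC_i needs K_GWN-U
    PTC_i = xor(TC_i, hrpw)                     # so TC_i = PTC_i ⊕ h(r_i ⊕ PW_i) (Step L2)
    Q_i = h(TC_i, ID_i)                         # assumed
    B_i = xor(Q_i, h(ID_i, hrpw))               # so Q_i = B_i ⊕ h(ID_i ‖ h(r_i ⊕ PW_i)) (Step L1)
    gwn_users[ID_i] = TE_i
    return {"ID_GWN": ID_GWN, "PTC_i": PTC_i, "TE_i": TE_i, "B_i": B_i, "R_i": h(Q_i)}


def user_register(ID_i, PW_i):
    r_i = secrets.token_bytes(LEN)              # Step U2
    card = gwn_register_user(ID_i, h(xor(r_i, PW_i)))   # U_i sends ID_i, h(r_i ⊕ PW_i)
    card["r_i"] = r_i                           # Step U5
    return card


def sensor_register(SID_j):
    r_j = secrets.token_bytes(LEN)              # Step S2
    hrs = h(xor(r_j, SID_j))
    RTC_j = xor(h(K_GWN_S, SID_j), h(hrs, SID_j))   # Step S4 (GWN side)
    return xor(RTC_j, h(hrs, SID_j))            # Step S5: S_j recovers TC_j


def card_login(card, ID_i, PW_i):
    """Steps L1/L2 inside the smart card; returns TC_i, or None on rejection."""
    hrpw = h(xor(card["r_i"], PW_i))
    Q_i = xor(card["B_i"], h(ID_i, hrpw))
    if h(Q_i) != card["R_i"]:                   # R*_i ≠ R_i
        return None
    return xor(card["PTC_i"], hrpw)             # TC_i


def run_protocol(card, ID_i, PW_i, SID_j, TC_j, tamper=False):
    """Steps V1-V4. q_1..q_3, PKS_* and KEY_ij follow the page; message layouts,
    DID_i and DID_GWN are assumptions. Returns (KEY at U_i, at GWN, at S_j, transcript)."""
    TC_i = card_login(card, ID_i, PW_i)
    if TC_i is None:
        return None
    N_i, K_i = secrets.token_bytes(LEN), secrets.token_bytes(LEN)   # V1 (U_i)
    m1 = {"DID_i": xor(ID_i, h(ID_GWN, TC_i, N_i)), "q_1": h(ID_i, TC_i, N_i),
          "PKS_i": xor(K_i, h(TC_i, N_i)), "N_i": N_i}
    # V2 (GWN): resolve DID_i to a registered ID, check q*_1, unmask K_i
    cand = [(ID, h(K_GWN_U, ID, TE)) for ID, TE in gwn_users.items()]
    found = [(ID, TC) for ID, TC in cand if xor(m1["DID_i"], h(ID_GWN, TC, N_i)) == ID]
    if not found or h(*found[0], N_i) != m1["q_1"]:
        return None
    gID, gTC_i = found[0]
    gK_i = xor(m1["PKS_i"], h(gTC_i, N_i))
    gTC_j, N_GWN = h(K_GWN_S, SID_j), secrets.token_bytes(LEN)
    m2 = {"DID_GWN": xor(gID, h(SID_j, gTC_j, N_GWN)), "q_2": h(gID, gTC_j, N_GWN),
          "PKS_GWN": xor(gK_i, h(gTC_j, N_GWN)), "N_GWN": N_GWN, "N_i": N_i}
    # V3 (S_j): check q*_2 with its own TC_j, unmask K_i, pick K_j
    sID = xor(m2["DID_GWN"], h(SID_j, TC_j, N_GWN))
    if h(sID, TC_j, N_GWN) != m2["q_2"]:
        return None
    sK_i = xor(m2["PKS_GWN"], h(TC_j, N_GWN))
    K_j = secrets.token_bytes(LEN)
    m3 = {"q_3": h(sID, SID_j, sK_i, N_i, N_GWN),
          "PKS_j": xor(K_j, h(sK_i, N_i, N_GWN)), "SID_j": SID_j, "N_GWN": N_GWN}
    if tamper:                                  # in-transit modification of q_3
        m3["q_3"] = xor(m3["q_3"], b"\x01" * LEN)
    key_s = h(sK_i, K_j, N_i, N_GWN, SID_j)
    # V4 (U_i and the GWN separately): check q*_3, unmask K_j, derive KEY_ij
    keys = []
    for pID, pK_i in ((ID_i, K_i), (gID, gK_i)):
        if h(pID, m3["SID_j"], pK_i, N_i, m3["N_GWN"]) != m3["q_3"]:
            return None
        pK_j = xor(m3["PKS_j"], h(pK_i, N_i, m3["N_GWN"]))
        keys.append(h(pK_i, pK_j, N_i, m3["N_GWN"], m3["SID_j"]))
    transcript = [v for m in (m1, m2, m3) for v in m.values()]   # what an eavesdropper sees
    return keys[0], keys[1], key_s, transcript
```

The transcript returned last is every field sent over the common channel; ID_i never appears in it in clear, which is the anonymity property the dynamic ID is meant to give.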

Password change phase
To update or change the password, a user U_i must insert his/her smart card into the smart card reader. Afterward, U_i provides ID_i and PW_i, which correspond to the smart card. In the first step of the password change phase, the smart card of U_i computes verification information R*_i and then checks it against the stored R_i in the smart card. After passing verification, the legitimacy of U_i is ensured, and U_i can then read the information stored in the smart card.
and then verifies whether R*_i and the stored R_i in the smart card are equal. If the values are unequal, the smart card rejects the login request. Otherwise, the legitimacy of U_i is ensured, and U_i can read the information stored in the smart card.
Step P2. The user U_i selects a new password PW_i^new, and then U_i generates a random number r_i^new. Then, the smart card calculates B^new

Security analysis
This section presents the security analysis of the proposed scheme and proves its security strength. Our scheme can overcome the weaknesses of previous schemes. Our proposed scheme has the following main security features.

Mutual authentication and session key agreement
Mutual authentication is a critical feature for verifying mutual validity among the GWN, U_i, and S_j in WSNs. Because encryption and a message authentication code (MAC) are required to protect data transmission between U_i and S_j, a session key must be negotiated in advance between these two participants [7]. In this section, we first present the mutual authentication analysis of the proposed scheme and then the formal proofs. In the authentication and key agreement phase of the proposed scheme, mutual authentication between the GWN and S_j is accomplished by calculating verification information q_2 and q_3. In Step V3, S_j can verify the legitimacy of the GWN after determining whether q_2 and q*_2 are equal, where q_2 = h(ID_i ‖ TC_j ‖ N_GWN). Temporal credential TC_j is included in verification information q_2. This shows that the sensor node S_j can authenticate the validity of the GWN. In Step V4, the GWN can verify the legitimacy of S_j after confirming whether q_3 and q*_3 are equal, where q_3 = h(ID_i ‖ SID_j ‖ K_i ‖ N_i ‖ N_GWN). This shows that the GWN can authenticate S_j. By contrast, mutual authentication between U_i and the GWN is accomplished by calculating verification information q_1 and q_3. In Step V2, the GWN can verify the legitimacy of U_i after determining whether q*_1 and q_1 are equal, where q_1 = h(ID_i ‖ TC_i ‖ N_i). Temporal credential TC_i is included in verification information q_1. This shows that the GWN can authenticate the user U_i. In Step V4, U_i can verify the legitimacy of S_j after confirming whether q_3 and q*_3 are equal, where q_3 = h(ID_i ‖ SID_j ‖ K_i ‖ N_i ‖ N_GWN). The secret sharing key K_i is included in verification information q_3. This shows that the user U_i can authenticate the sensor node S_j. In addition, because S_j has authenticated the validity of the GWN, the user U_i further authenticates the validity of the GWN as well.
Therefore, on the basis of temporal credential signing and the secret sharing keys, U_i, S_j, and the GWN can mutually authenticate each other in the proposed protocol. In Step V4, after completing the mutual authentication phase, U_i, the GWN, and S_j can separately generate the shared session key KEY_ij by computing KEY_ij = h(K_i ‖ K_j ‖ N_i ‖ N_GWN ‖ SID_j), where the secret sharing keys K_i and K_j are selected randomly. This shows that U_i, S_j, and the GWN share a common session key after finishing the mutual authentication phase. The common session key is validated by U_i, the GWN, and S_j. This illustration indicates that our scheme provides session key agreement and mutual authentication. The formal proofs are given in the following lemmas and Proposition 1. We use the BAN logic method [3,21-24] to formally validate the mutual authentication and session key agreement of our scheme. The BAN logic method is widely used to validate authentication and key establishment protocols [3,21-24]. The BAN logic method introduces a logic of authentication and explains protocols step by step. The notation of BAN logic is presented in Table 2. In Table 2, the symbols X and Y range over statements; Q and P are principals [20,21,22,42].
The essential logical postulates of the BAN logic are listed as follows [20,21,22,42]:
1. Freshness-propagation rule: $\frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X,Y)}$. That is, if P is entitled to believe that one part X of a formula (X,Y) is fresh, then he is also entitled to believe that the entire formula (X,Y) is fresh.
2. Receiving rule: $\frac{P \triangleleft (X,Y)}{P \triangleleft X}$ and $\frac{P \triangleleft \langle X \rangle_Y}{P \triangleleft X}$. That is, if a principal P can receive and read a formula (X,Y) or a formula $\langle X \rangle_Y$, then he can also receive and read its component X.
3. Nonce-verification rule: $\frac{P \mid\equiv \#(X),\; P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$. That is, if P is entitled to believe that X is a fresh statement and that Q once said X, then P believes that Q believes X.
4. Jurisdiction rule: $\frac{P \mid\equiv Q \mid\Rightarrow X,\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$. That is, if P believes that Q has jurisdiction over X and P believes that Q believes X, then P believes X.
5. Message-meaning rule: $\frac{P \mid\equiv P \stackrel{Y}{\longleftrightarrow} Q,\; P \triangleleft \langle X \rangle_Y}{P \mid\equiv Q \mid\sim X}$. That is, if P is entitled to believe that the key Y is shared with Q, and P sees X encrypted under Y, then P is entitled to believe that Q once said X.
6. Session-key rule: $\frac{P \mid\equiv \#(K),\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv P \stackrel{K}{\longleftrightarrow} Q}$, where statement X is an element of the combined session key K [21,44]. That is, if P is entitled to believe that K is a fresh statement and that Q believes X, then P believes that P and Q share a common key K.
To validate the proposed protocol, we first summarize our scheme in the generic form [20,21,42]:

Notation: Definition
$P \triangleleft X$: P sees X. P can receive and read X (possibly after doing some decryption).
$P \mid\sim X$: P said X. P once said X, that is, P once sent a message including the statement X.
$P \mid\Rightarrow X$: P controls X. P has jurisdiction over X.
$P \mid\equiv X$: P believes X. P is entitled to believe X.
$\#(X)$: fresh(X). X is regarded as a fresh statement.
$\langle X \rangle_Y$: X is combined with Y; Y is a secret.
$(X,Y)$: X and Y are said simultaneously.
$P \stackrel{K}{\longleftrightarrow} Q$: P and Q share a common key K.
Subsequently, we transform the generic form into the idealized form: To analyze our scheme, we use the following assumptions: N_GWN), S_j returns (N_i, N_GWN) to the GWN and U_i.
To prove that the GWN can authenticate S_j, the following belief must be demonstrated: To prove that U_i can authenticate S_j, the following belief must be demonstrated: The steps of the proof for B_3:

Lemma 3. In our scheme, the GWN, U_i, and S_j can agree on the common session key KEY_ij.
Proof: To prove that U_i, the GWN, and S_j in our scheme can share a session key KEY_ij = h(K_i ‖ K_j ‖ N_i ‖ N_GWN ‖ SID_j), the following beliefs must be demonstrated: Consequently, the GWN believes that the GWN shares the session key KEY_ij with S_j.
Proposition 1. U_i, the GWN, and S_j in our scheme can mutually authenticate each other, and they can share a common session key.
Proof: From Lemma 2, U_i in our scheme can authenticate S_j. In addition, S_j can authenticate the GWN (Lemma 1). Thus, U_i can further authenticate the GWN as well. Conversely, the GWN can authenticate U_i (Lemma 1). Consequently, the GWN and U_i in our scheme can mutually authenticate each other. The GWN can authenticate S_j (Lemma 2). Conversely, S_j can authenticate the GWN (Lemma 1). Consequently, the GWN and S_j in our scheme can mutually authenticate each other. Mutual authentication is therefore provided in our scheme. After finishing the mutual authentication, U_i, the GWN, and S_j can share a session key KEY_ij = h(K_i ‖ K_j ‖ N_i ‖ N_GWN ‖ SID_j) (Lemma 3). Session key agreement is also provided in our scheme.

Password protection, guessing attack resistance, and stolen smart card attack resistance
In a stolen smart card attack, a user's smart card is stolen or lost, the adversary extracts the information stored on it, and then masquerades as the authorized user to access the GWN. Password protection prevents the leakage of password information, so that the extracted information gives the adversary nothing useful for an off-line password guessing attack.

Proposition 2. The proposed scheme can provide password protection, guessing attack resistance, and stolen smart card attack resistance.
Proof: In our scheme, the password appears only in the form h(r_i ⊕ PW_i), in which both PW_i and r_i are hidden, and h(r_i ⊕ PW_i) is stored neither in the smart card nor in the GWN nor in any other device. Thus, the adversary cannot obtain PW_i by running an off-line password guessing attack against h(r_i ⊕ PW_i) [45]. Therefore, the proposed scheme provides password protection and guessing attack resistance. Moreover, the secrets of a smart card can be extracted by monitoring its power consumption or by analyzing leaked information [25,42,46], so an adversary holding a card lost by its legitimate owner can recover the parameters stored on it. We now show that the proposed scheme also resists stolen smart card attacks; that is, an adversary who has obtained a legitimate user's smart card still cannot masquerade as that user to log in to the GWN. Suppose the adversary obtains the smart card of user U_i and extracts the parameters {ID_GWN, PTC_i, TE_i, B_i, R_i, r_i, h(.)}. To impersonate U_i, the adversary must generate a new nonce N_i*, randomly choose an imitative secret sharing key K_i*, and create an imitative login request message (asterisks denote the adversary's imitative values). The imitative parameters {DID_i*, q_1*, PKS_i*, P_i} require TC_i and ID_i, which are tied together by TC_i = h(P_i ‖ K_GWN-U ‖ TE_i), TC_i = PTC_i ⊕ h(r_i ⊕ PW_i), and ID_i = DID_i ⊕ h(TC_i ‖ ID_GWN ‖ N_i). Nevertheless, the adversary cannot obtain TC_i or ID_i because he/she possesses neither K_GWN-U nor PW_i: only the GWN knows the private key K_GWN-U, and, as shown above, the scheme's password protection prevents PW_i from being recovered by an off-line password guessing attack.
Therefore, the imitative parameter set {DID_i*, q_1*, PKS_i*, P_i} of a login request message cannot be produced, and the adversary cannot masquerade as an authorized user with the smart card alone.

Two-factor security
By involving both a smart card and a password in the login phase, our scheme achieves two-factor security [9,37,47,48]. Proposition 3. Two-factor security can be provided in our scheme. Proof: First, assume that the adversary holds only the smart card of U_i, and even that he/she can intercept the login request message m_1 = {DID_i, q_1, PKS_i, TE_i, P_i, N_i}. As in Proposition 2, the adversary can extract the parameters {ID_GWN, PTC_i, TE_i, B_i, R_i, r_i, h(.)} from the smart card. To impersonate a legitimate user, the adversary must generate a new nonce N_i*, randomly choose a new sharing key K_i*, and create an imitative login request message (asterisks denote the adversary's imitative values). To form the parameter set {DID_i*, q_1*, PKS_i*}, the adversary must know TC_i and ID_i, which are related by TC_i = h(P_i ‖ K_GWN-U ‖ TE_i), TC_i = PTC_i ⊕ h(r_i ⊕ PW_i), and ID_i = DID_i ⊕ h(TC_i ‖ ID_GWN ‖ N_i). Nevertheless, the adversary cannot obtain TC_i or ID_i because he/she possesses neither K_GWN-U nor PW_i: only the GWN knows the private key K_GWN-U, and we have shown that the scheme provides password protection that prevents the leakage of PW_i (Section 4.2). Therefore, the parameter set {DID_i*, q_1*, PKS_i*} of a login request message cannot be produced, and the adversary cannot pose as an authorized user with the smart card alone. Second, assume that the adversary knows only the password PW_i and the identity ID_i of U_i. In this case, the adversary still cannot obtain TC_i, and hence cannot compute the parameters {DID_i*, q_1*, PKS_i*}, because he/she knows neither K_GWN-U (held only by the GWN) nor PTC_i and r_i (stored only in the smart card, which he/she does not hold). Therefore, the adversary cannot impersonate an authorized user with either the contents of the smart card or the pair {ID_i, PW_i} alone. Our scheme withstands this type of masquerade attack and provides two-factor security.

Masquerade attack resistance and replay attack resistance
Protection against masquerade attacks is a principal security requirement for any remote user authentication scheme. Replay attack resistance means that an adversary cannot replay a previously intercepted message to spoof the GWN. Proposition 4. Our scheme can provide masquerade attack resistance and replay attack resistance.
Proof: Proposition 3 has shown that our scheme resists masquerade attacks based on a lost smart card or on disclosure of the identity and password {ID_i, PW_i}. It remains to show that our scheme resists other masquerade attacks. Assume even that the adversary L is a legitimate user who attempts to impersonate another user U_i. Adversary L may intercept the login request message m_1 of U_i. Nevertheless, L still cannot obtain TC_i and ID_i to compute the parameters {DID_i*, q_1*, PKS_i*} because he/she possesses neither K_GWN-U nor PW_i (Proposition 2). In addition, L cannot compute the shared session key KEY_ij = h(K_i ‖ K_j ‖ N_i ‖ N_GWN ‖ SID_j) because he/she knows neither K_i nor K_j. Thus, L cannot impersonate any other legitimate user, and our scheme resists masquerade attacks in which one legitimate user impersonates another. Adversary L may also replay the intercepted message {DID_i, q_1, PKS_i, TE_i, P_i, N_i} to the GWN. However, the GWN contributes a fresh nonce N_GWN to each run, and after receiving the message m_3 = {SID_j, q_3, PKS_j, N_i, N_GWN}, L still cannot compute the session key KEY_ij = h(K_i ‖ K_j ‖ N_i ‖ N_GWN ‖ SID_j) of that run because he/she cannot obtain K_i and K_j. Consequently, resistance to replay attacks is guaranteed as well. Next, we show that an adversary cannot masquerade as a sensor node to spoof the user. Suppose adversary L has intercepted the message m_2 = {DID_i, DID_GWN, q_2, PKS_GWN, ID_GWN, N_i, N_GWN} that the GWN sends to S_j. To masquerade as a sensor node, the adversary must randomly choose an imitative secret sharing key K_j* and send an imitative response message {SID_j, q_3*, PKS_j*, N_i, N_GWN}, where the verification value q_3* is a hash whose inputs include K_i, N_i, and N_GWN. To obtain the parameters {q_3*, PKS_j*}, the adversary must first know K_i.
Moreover, K_i can be obtained only through K_i = PKS_GWN ⊕ h(TC_j ‖ N_GWN). Nevertheless, the adversary cannot obtain K_i because he/she does not possess the temporal credential TC_j. Therefore, the parameters {q_3*, PKS_j*} cannot be formed, and the adversary cannot send an imitative response message {SID_j, q_3*, PKS_j*, N_i, N_GWN} to the GWN. Consequently, our scheme resists masquerade attacks in which an adversary poses as a sensor node to spoof the user.

Stolen verifier attack resistance and insider attack resistance
In a stolen verifier attack, the adversary steals the verification table from the GWN or S_j. In an insider attack, a privileged insider of the GWN deliberately obtains a user's password, which undermines the remote user authentication scheme [41,49].
Proposition 5. Our scheme can protect against stolen verifier attacks and insider attacks. Proof: The GWN and S_j in our scheme keep no verification table for checking the legitimacy of registered users or sensor nodes. Therefore, the adversary finds no verifiable information in the GWN or S_j with which to impersonate a legitimate user, and our scheme resists stolen verifier attacks [9,40]. Moreover, U_i registers with the GWN by presenting only h(r_i ⊕ PW_i), so r_i and PW_i are hidden from the GWN, and the GWN does not store the value h(r_i ⊕ PW_i). A privileged insider of the GWN therefore cannot obtain PW_i by an off-line password guessing attack [45]. Consequently, our scheme resists insider attacks [41].

Password updating, adding new user functionality, and time synchronization avoidance
In our scheme, users are not obliged to share their IDs and passwords with the GWN before registration. During registration, a new user U_i freely chooses an identity string ID_i and a password PW_i without assistance from the GWN, and any new legitimate user can be added to the system after registration. Therefore, the proposed scheme provides convenient functionality for adding new users. Moreover, as mentioned, security policy strongly recommends that users update or change their passwords frequently to protect against compromise [32]. In the password change phase of our scheme, a legitimate user U_i freely chooses a new password and updates it without exchanging any messages with the GWN (Fig 5). Consequently, our scheme provides freely chosen passwords and efficient password updating. Finally, our scheme is nonce-based and requires no timestamp to achieve mutual authentication among U_i, the GWN, and S_j. Consequently, it does not require synchronized clocks on all devices [3,17,18], and it avoids the time-synchronization problem for WSNs in IoT environments [3,17,25].

User anonymity (identity protection)
User anonymity (identity protection) means that the identity of a user is disclosed only to the service providers [9]. Proposition 6. Our scheme can provide user anonymity to protect user identity. Proof: The adversary can intercept the message m_1 = {DID_i, q_1, PKS_i, TE_i, P_i, N_i} in an attempt to learn the identity string of U_i. Recovering ID_i from these parameters requires TC_i; in particular, ID_i = DID_i ⊕ h(TC_i ‖ ID_GWN ‖ N_i) (Proposition 3). However, Proposition 2 shows that the adversary cannot obtain ID_i or TC_i because he/she knows neither K_GWN-U nor PW_i, so ID_i cannot be derived from the intercepted parameters. Therefore, an adversary cannot obtain ID_i to identify the user U_i, and our scheme provides user anonymity to protect user identity.
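The following Python program is an added worked example, not code from the paper, of the user-side relations that the proofs of Propositions 2, 3, and 6 rely on: TC_i = h(P_i ‖ K_GWN-U ‖ TE_i), PTC_i = TC_i ⊕ h(r_i ⊕ PW_i), and DID_i = ID_i ⊕ h(TC_i ‖ ID_GWN ‖ N_i). It registers a user, builds logins, and checks what the GWN recovers from a legitimate login, from a login built with a stolen card and a guessed password, and what an eavesdropper without K_GWN-U can recover. Assumptions not taken from the page: h is SHA-256, identities and passwords are padded to 32 bytes so that XOR is defined, P_i is kept on the card directly (B_i and R_i are not modelled), and q_1 and PKS_i are omitted because this excerpt does not define them; all keys, nonces, and credentials are constructed at random.

```python
# Added example (not the paper's code): user-side relations of Propositions 2, 3 and 6.
# Assumptions: h = SHA-256, || = byte concatenation, XOR over 32-byte strings,
# identities/passwords padded to 32 bytes, P_i stored on the card (B_i, R_i not
# modelled), q_1 and PKS_i omitted (not defined in this excerpt).
import hashlib
import os


def h(*parts: bytes) -> bytes:
    """h(a || b || ...): one-way hash of the concatenation (SHA-256 assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def enc(s: str) -> bytes:
    """Fixed 32-byte encoding of an identity or password (assumption of this example)."""
    return s.encode().ljust(32, b"\0")


def register(ID_GWN: str, K_GWN_U: bytes, PW_i: str, TE_i: bytes) -> dict:
    """Registration: the user submits only h(r_i XOR PW_i); the GWN issues the
    temporal credential TC_i = h(P_i || K_GWN-U || TE_i) and writes the protected
    form PTC_i = TC_i XOR h(r_i XOR PW_i) to the smart card."""
    r_i = os.urandom(32)
    P_i = os.urandom(32)
    HPW = h(xor(r_i, enc(PW_i)))   # the only password-derived value that leaves the user
    TC_i = h(P_i, K_GWN_U, TE_i)
    PTC_i = xor(TC_i, HPW)         # neither TC_i nor HPW is stored anywhere
    return {"ID_GWN": enc(ID_GWN), "PTC_i": PTC_i, "TE_i": TE_i, "P_i": P_i, "r_i": r_i}


def user_login(card: dict, PW_i: str, ID_i: str, N_i: bytes) -> dict:
    """Login: both factors are needed to unmask TC_i, which then masks ID_i into
    the dynamic identity DID_i = ID_i XOR h(TC_i || ID_GWN || N_i)."""
    TC_i = xor(card["PTC_i"], h(xor(card["r_i"], enc(PW_i))))
    DID_i = xor(enc(ID_i), h(TC_i, card["ID_GWN"], N_i))
    return {"DID_i": DID_i, "TE_i": card["TE_i"], "P_i": card["P_i"], "N_i": N_i}


def gwn_unmask(m1: dict, ID_GWN: str, K_GWN_U: bytes) -> bytes:
    """GWN side: recompute TC_i from the private key K_GWN-U and strip the mask;
    no other party can do this without the card and the password."""
    TC_i = h(m1["P_i"], K_GWN_U, m1["TE_i"])
    return xor(m1["DID_i"], h(TC_i, enc(ID_GWN), m1["N_i"]))


def demo() -> dict:
    """Run the scenarios of Propositions 3 and 6 and report which ones succeed."""
    K_GWN_U = os.urandom(32)                          # GWN's private key (constructed)
    TE_i = b"2030-01-01T00:00:00Z"                    # constructed expiry time
    card = register("GWN01", K_GWN_U, "correct horse", TE_i)
    m1 = user_login(card, "correct horse", "alice", os.urandom(32))        # card + password
    m1_again = user_login(card, "correct horse", "alice", os.urandom(32))  # second login
    m1_guess = user_login(card, "wrong password", "alice", os.urandom(32)) # stolen card only
    return {
        "legit_unmasks_to_ID_i": gwn_unmask(m1, "GWN01", K_GWN_U) == enc("alice"),
        "card_only_guess_unmasks": gwn_unmask(m1_guess, "GWN01", K_GWN_U) == enc("alice"),
        "eavesdropper_unmasks": gwn_unmask(m1, "GWN01", os.urandom(32)) == enc("alice"),
        "dynamic_id_differs": m1["DID_i"] != m1_again["DID_i"],
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

Running demo() shows the two-factor property directly: the same card with a guessed password yields a DID_i that the GWN unmasks to a random string rather than to ID_i, a password without the card gives no PTC_i or r_i to start from, and an eavesdropper holding m_1 cannot reverse the masking because that requires TC_i, which in turn requires K_GWN-U. Each login also carries a different DID_i, which is the dynamic-ID behaviour Proposition 6 relies on.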

GWN bypassing attack resistance and GWN spoofing attack resistance
A GWN bypassing attack occurs when an adversary bypasses the GWN and forges a verification message directly to the sensor node S_j without going through the GWN login [7]. A GWN spoofing attack occurs when an adversary impersonates the GWN to obtain the private login information of U_i. Proposition 7. Our scheme can protect against GWN bypassing attacks and GWN spoofing attacks.
Proof: To bypass the GWN, an adversary must send an imitative verification message m_2 = {DID_i, DID_GWN, q_2, PKS_GWN, ID_GWN, N_i, N_GWN} directly to S_j, where q_2 = h(ID_i ‖ TC_j ‖ N_GWN). However, the adversary cannot compute a valid q_2 because he/she does not know the temporal credential TC_j; thus, the adversary cannot bypass the GWN by forging m_2 to S_j. Without a valid m_2, S_j does not respond with any further message. Consequently, our scheme prevents GWN bypassing attacks. Conversely, the adversary may attempt to impersonate the GWN to obtain the secret login information of U_i. To pose as the GWN, the adversary can intercept a login request message m_1 = {DID_i, q_1, PKS_i, TE_i, P_i, N_i} and respond with an imitative message m_3, whose verification value q_3 is a hash whose inputs include SID_j, K_i, N_i, and N_GWN. Because q_3 depends on the secret sharing key K_i, and, as shown in Proposition 4, the adversary cannot obtain K_i without the temporal credential TC_j, the adversary cannot compute q_3 and hence cannot send an imitative message m_3 = {SID_j, q_3, PKS_j, N_i, N_GWN} to U_i. The adversary cannot convince U_i that he/she is the legitimate GWN. Consequently, our scheme resists GWN spoofing attacks.
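As an added worked example, not code from the paper, the following Python program exercises the GWN-to-S_j leg that the proofs of Propositions 4 and 7 and Lemma 3 rely on: q_2 = h(ID_i ‖ TC_j ‖ N_GWN), K_i = PKS_GWN ⊕ h(TC_j ‖ N_GWN), and KEY_ij = h(K_i ‖ K_j ‖ N_i ‖ N_GWN ‖ SID_j). It builds m_2 at the GWN, verifies it at S_j, and then tries a GWN bypassing forgery, an eavesdropper's attempt to strip K_i out of PKS_GWN, and a replay of m_2 into a later run. Assumptions not taken from the page: h is SHA-256; this excerpt does not say how S_j learns ID_i from m_2, so ID_i is passed to the sensor explicitly; DID_i and DID_GWN are carried as opaque fields; S_j is assumed to choose a fresh K_j in each run; m_1 and m_3 are not modelled; all keys, nonces, and credentials are constructed at random.

```python
# Added example (not the paper's code): the GWN -> S_j leg of Propositions 4 and 7
# and Lemma 3. Assumptions: h = SHA-256, || = concatenation, XOR over 32-byte
# strings; S_j is handed ID_i explicitly; DID_i/DID_GWN are opaque; S_j draws a
# fresh K_j per run; m_1 and m_3 are not modelled.
import hashlib
import os


def h(*parts: bytes) -> bytes:
    """h(a || b || ...): one-way hash of the concatenation (SHA-256 assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def gwn_build_m2(ID_i, TC_j, K_i, N_i, N_GWN, DID_i, DID_GWN, ID_GWN) -> dict:
    """GWN side: q_2 = h(ID_i || TC_j || N_GWN) binds m_2 to the sensor's temporal
    credential; PKS_GWN = K_i XOR h(TC_j || N_GWN) carries the user's sharing key
    so that only a holder of TC_j can unmask it."""
    return {
        "DID_i": DID_i, "DID_GWN": DID_GWN,
        "q_2": h(ID_i, TC_j, N_GWN),
        "PKS_GWN": xor(K_i, h(TC_j, N_GWN)),
        "ID_GWN": ID_GWN, "N_i": N_i, "N_GWN": N_GWN,
    }


def sensor_handle_m2(m2: dict, ID_i: bytes, TC_j: bytes, K_j: bytes, SID_j: bytes):
    """S_j side: reject unless q_2 verifies under its own TC_j, then recover
    K_i = PKS_GWN XOR h(TC_j || N_GWN) and derive
    KEY_ij = h(K_i || K_j || N_i || N_GWN || SID_j). Returns None on rejection."""
    if m2["q_2"] != h(ID_i, TC_j, m2["N_GWN"]):
        return None
    K_i = xor(m2["PKS_GWN"], h(TC_j, m2["N_GWN"]))
    return K_i, h(K_i, K_j, m2["N_i"], m2["N_GWN"], SID_j)


def demo() -> dict:
    """Honest run, GWN bypassing forgery, eavesdropping on m_2, and a replay of m_2."""
    TC_j = os.urandom(32)                         # sensor credential, shared with the GWN only
    K_i, K_j = os.urandom(32), os.urandom(32)     # per-run sharing keys of U_i and S_j
    N_i, N_GWN = os.urandom(32), os.urandom(32)   # fresh nonces
    ID_i, ID_GWN, SID_j = b"alice", b"GWN01", b"sensor-17"
    DID_i, DID_GWN = os.urandom(32), os.urandom(32)   # opaque here (constructed)
    m2 = gwn_build_m2(ID_i, TC_j, K_i, N_i, N_GWN, DID_i, DID_GWN, ID_GWN)
    honest = sensor_handle_m2(m2, ID_i, TC_j, K_j, SID_j)
    # GWN bypassing: the forger knows every public field of m_2 but has to guess TC_j
    forged = gwn_build_m2(ID_i, os.urandom(32), os.urandom(32), N_i, os.urandom(32),
                          DID_i, DID_GWN, ID_GWN)
    bypass = sensor_handle_m2(forged, ID_i, TC_j, K_j, SID_j)
    # Eavesdropper on m_2 guessing TC_j to strip the mask from PKS_GWN
    K_i_guess = xor(m2["PKS_GWN"], h(os.urandom(32), m2["N_GWN"]))
    # Replayed m_2 in a later run: S_j uses a fresh K_j, so the key changes again
    replayed = sensor_handle_m2(m2, ID_i, TC_j, os.urandom(32), SID_j)
    gwn_key = h(K_i, K_j, N_i, N_GWN, SID_j)       # what the GWN derives independently
    return {
        "honest_accepted": honest is not None,
        "honest_recovers_K_i": honest is not None and honest[0] == K_i,
        "gwn_and_sensor_agree": honest is not None and honest[1] == gwn_key,
        "bypass_accepted": bypass is not None,
        "eavesdropper_recovers_K_i": K_i_guess == K_i,
        "replay_reproduces_key": replayed is not None and replayed[1] == honest[1],
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

Note that S_j accepts the replayed m_2 itself, since nothing on the page has it track past nonces; the paper's replay argument is only that the replayer gains nothing from it, because the per-run keys K_i and K_j, and hence KEY_ij, stay out of reach. The bypass attempt fails earlier, at the q_2 check, because no value in m_2 lets the forger recover TC_j.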

Performance evaluation and functionality comparison
Performance and functionality evaluations are critical to establish validity for practical deployment. In this section, the performance and functionality of our scheme are evaluated, and the performance efficiency and functional effectiveness of our authentication scheme are demonstrated.

Functionality comparison
Table 3 presents a functionality comparison of our scheme with previous related schemes. In Table 3, Yes denotes that a scheme has a security feature and No denotes the contrary. The weaknesses of the previous related schemes for WSNs are discussed in Section 2 and summarized in Table 3. We present a practical scenario to show that the proposed scheme provides secure functionality and effectiveness for WSNs in IoT environments. Suppose that an adversary, Eve, attempts to break our scheme by executing the following attacks: guessing attack, stolen smart card attack, masquerade attack, replay attack, stolen verifier attack, insider attack, user anonymity attack, or GWN bypassing attack. Section 4 has shown that our scheme has the following properties. Eve cannot obtain a user's password by executing a password guessing attack. When Eve steals a user's smart card, she cannot impersonate an authorized user to access the system. Even when Eve is a legitimate user who pretends to be a different legitimate user, our scheme protects against this masquerade attack. Eve may replay an intercepted message to the GWN, but our scheme resists replay attacks. Eve cannot breach the system by stealing a verification table. Even as an insider, Eve cannot obtain a password by executing a password guessing attack. Eve may intercept a login request message to learn the user's identity, but the identity cannot be derived from it. Finally, Eve cannot forge an imitative message and send it directly to the sensor node to bypass the GWN. Moreover, our scheme offers further security functionalities: password updating, freely chosen passwords, adding new users, and time synchronization avoidance. Our scheme provides a secure common session key and mutual authentication. Our scheme can thus protect against all of the listed attacks from Eve.

Performance evaluation
The proposed scheme comprises four phases: registration, login, authentication and key agreement, and password change. In a WSN environment, the performance of an authentication scheme is determined mainly by the authentication and key agreement phase [2,7,34,35], which is the main part of the scheme and chiefly distinguishes the various authentication schemes for WSNs [2,7,34,35]. Therefore, we focus on comparing the authentication and key agreement phase of each scheme. Performance is usually separated into communication cost and computational cost [2,7,34,35,42]. Computational cost is defined as the time spent by the user and the service provider in the process [2,7,34,35,42]; communication cost is defined as the number of messages dispatched by the user and the service provider in the process [9,42]. Table 4 presents the computational costs and communication costs of the authentication and key agreement phase of our scheme and the previous related schemes, for one run without considering interference or packet loss [2,7,21,34,35]. The notation T_h denotes the time complexity of a hash function operation, and T_ecc denotes the time complexity of an encryption/decryption operation in elliptic curve cryptography (ECC) [7]. The computational cost of the exclusive-or operation is usually neglected because it requires negligible computation [2,7,34,35]. We first analyze the computational cost of the authentication and key agreement phase for each scheme as follows:
1. In the authentication phase of the Ostad-Sharif et al. scheme [2], the user requires 10T_h to compute the parameters of the login request message and the response message. The GWN must spend 14T_h to compute the parameters of a response message for the user and a request message for the sensor node. The sensor node must spend 3T_h to confirm that the verification equations hold. In addition, the user, GWN, and sensor node must spend 2T_h, 3T_h, and 2T_h, respectively, to negotiate the shared session key in the key agreement phase. Accordingly, the total computational costs for the user, GWN, and sensor node are 12T_h, 17T_h, and 5T_h, respectively [2].
2. In the authentication phase of the Amin et al. scheme [34], the user requires 13T_h to compute the parameters of the login request message and the response message. The GWN must spend 14T_h to compute the parameters of a request message for the sensor node and a response message for the user. The sensor node must spend 2T_h to confirm that the verification equations hold. In addition, the user, GWN, and sensor node must spend 1T_h, 3T_h, and 2T_h, respectively, to negotiate the shared session key in the key agreement phase. Accordingly, the total computational costs for the user, GWN, and sensor node are 14T_h, 17T_h, and 4T_h, respectively [34].
3. In the authentication phase of the Chang et al. scheme [35], the user requires 3T_h to compute the parameters of the login request message. The sensor node must spend 1T_h to compute the parameters of a message for the GWN. The GWN must spend 5T_h to verify the login request. In addition, the user, GWN, and sensor node must spend 3T_h, 3T_h, and 4T_h, respectively, to negotiate the shared session key in the key agreement phase. Accordingly, the total computational costs for the user, GWN, and sensor node are 6T_h, 8T_h, and 5T_h, respectively [35].
4. In the authentication phase of the Xue et al. scheme [7], the user requires 5T_h to compute the parameters of the login request message. The GWN must spend 11T_h to verify the login request message and compute the parameters of the request message for the sensor node. The sensor node must spend 3T_h to confirm that the verification equations hold. Moreover, the user, GWN, and sensor node must spend 3T_h, 3T_h, and 3T_h, respectively, to negotiate the shared session key in the key agreement phase. Accordingly, the total computational costs for the user, GWN, and sensor node are 8T_h, 14T_h, and 6T_h, respectively [7].
5. In the Khan et al. scheme [32], the user must spend 3T_h to generate a login request message. The GWN must spend 5T_h to confirm that the verification equations hold and to compute the parameters of the request message for the sensor node. The sensor node requires 2T_h to confirm that the verification equations hold and to generate a response message for the GWN. However, the Khan et al. scheme does not provide a key agreement phase for session key agreement.
6. In the Chen et al. scheme [33], the user must spend 4T_h to produce a login request message and to validate a response message. The GWN requires 5T_h to validate a login request message and to respond to the user's request. The sensor node must spend 2T_h to verify the request message from the GWN and to generate a response message for the user. However, the Chen et al. scheme also does not provide a key agreement phase.
7. In the Das scheme [5], the user requires 3T_h to generate the login request message. The GWN must spend 4T_h to confirm that the verification equations hold and to compute the parameters of the request message for the sensor node. The sensor node requires 1T_h to confirm that the verification equations hold and to generate a response message for the user. The Das scheme [5] does not provide a key agreement phase either.
8. The Yeh et al. scheme [8] uses elliptic curve cryptography (ECC) to provide both the authentication phase and the session key agreement phase. That scheme requires the user, GWN, and sensor node to spend 2T_ecc + 1T_h, 4T_ecc + 3T_h, and 2T_ecc + 2T_h, respectively, to complete the authentication phase [7]. Moreover, the user, GWN, and sensor node must spend 1T_h, 1T_h, and 1T_h, respectively, to compute the shared session key in the key agreement phase [7]. Accordingly, the total computational costs for the user, GWN, and sensor node are 2T_ecc + 2T_h, 4T_ecc + 4T_h, and 2T_ecc + 3T_h, respectively [7].
9. Our proposed scheme provides both the authentication phase and the key agreement phase. In the authentication phase of our scheme, the user requires only 4T_h to compute the parameters of a login request message. The GWN spends only 8T_h to verify the login request and to compute the parameters of the request message for the sensor node. The sensor node requires only 3T_h to confirm that the verification equations hold. In the key agreement phase, the user, GWN, and sensor node spend only 3T_h, 3T_h, and 3T_h, respectively, to negotiate the shared session key. Accordingly, the total computational costs for the user, GWN, and sensor node are 7T_h, 11T_h, and 6T_h, respectively.
Our proposed scheme uses only hash and XOR operations, which yields a simple authentication and key agreement scheme, whereas the Yeh et al. scheme [8] builds its authentication and key agreement on an asymmetric algorithm (specifically, ECC). Experimental findings in related studies show that a one-way hash function is computationally efficient: its time complexity is much lower than that of an asymmetric ECC encryption operation [2,3,7,34,35]. A practical example of the computational costs: on a 3.2 GHz CPU with 3.0 GB of RAM, one SHA-1 hash operation takes 0.02 ms on average, and one asymmetric ECC-160 encryption operation takes 0.45 ms on average [7].
With these figures, the user in the Yeh et al. scheme [8] spends 2T_ecc + 2T_h = 0.94 ms per run, whereas the user in our scheme spends 7T_h = 0.14 ms; the GWN spends 4T_ecc + 4T_h = 1.88 ms versus 11T_h = 0.22 ms. For the sensor node, the Yeh et al. scheme requires 2T_ecc + 3T_h = 0.96 ms per run, whereas our scheme completes the run in 0.12 ms for 6T_h. Therefore, the computational load of the sensor node in the proposed scheme is reduced to 12.5% of that in the Yeh et al. scheme.
The energy consumption of the Yeh et al. scheme [8] is attributable chiefly to the asymmetric ECC cryptosystem and the hash functions, whereas that of our scheme is attributable to the hash functions alone. As mentioned, executing a hash function consumes far less energy than executing an asymmetric ECC cryptosystem [38,39]. A practical example: computing a SHA-1 hash over a 1-byte data packet requires 0.76 μJ of energy [43,38,39], whereas a 163-bit ECC asymmetric cryptosystem requires 134.2 mJ [38,39]. Combining these figures with the total operation counts above gives the total energy consumption of each scheme (Fig 7). Because the total energy consumption of the Yeh et al. scheme is excessive relative to the other schemes, it cannot be shown in Fig 7. Although the total energy consumption of our scheme (18.2 μJ) is slightly greater than that of the Chang et al. scheme (14.4 μJ), our scheme provides superior security functionality that overcomes the weaknesses of previous schemes (Table 3).
As mentioned, the communication cost counts the number of transmitted messages; fewer transmitted messages mean less message overhead. In summary, our scheme is highly efficient because of its superior performance: low computational cost (0.14 ms for the user, 0.12 ms for the sensor node, and 0.22 ms for the GWN), low energy consumption (18.2 μJ for the authentication and key agreement phase), and low communication cost (4 transmitted messages for the authentication and key agreement phase and 0 transmitted messages for the password change phase).
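The following Python program is an added example, not code from the paper, that reproduces the Table 4 and Fig 7 figures from the per-party operation counts listed above and the unit costs quoted on this page (T_h = 0.02 ms and T_ecc = 0.45 ms [7]; 0.76 μJ per SHA-1 hash and 134.2 mJ per 163-bit ECC operation [38,39,43]). Treating the 134.2 mJ figure as a per-operation cost, and the scheme labels used as dictionary keys, are assumptions of this example.

```python
# Added example (not from the paper): cost model over the per-party operation
# counts given above and the unit costs the page quotes. Treating the ECC energy
# figure as a per-operation cost is an assumption of this example.
T_H_MS = 0.02            # one SHA-1 hash, ms, on a 3.2 GHz CPU [7]
T_ECC_MS = 0.45          # one ECC-160 operation, ms [7]
E_H_UJ = 0.76            # uJ per SHA-1 hash over a 1-byte packet [43,38,39]
E_ECC_UJ = 134.2 * 1e3   # 134.2 mJ per 163-bit ECC operation [38,39], in uJ

# Totals for authentication + key agreement: (hash operations, ECC operations)
SCHEMES = {
    "Ostad-Sharif et al. [2]": {"user": (12, 0), "gwn": (17, 0), "sensor": (5, 0)},
    "Amin et al. [34]":        {"user": (14, 0), "gwn": (17, 0), "sensor": (4, 0)},
    "Chang et al. [35]":       {"user": (6, 0),  "gwn": (8, 0),  "sensor": (5, 0)},
    "Xue et al. [7]":          {"user": (8, 0),  "gwn": (14, 0), "sensor": (6, 0)},
    "Khan et al. [32]":        {"user": (3, 0),  "gwn": (5, 0),  "sensor": (2, 0)},
    "Chen et al. [33]":        {"user": (4, 0),  "gwn": (5, 0),  "sensor": (2, 0)},
    "Das [5]":                 {"user": (3, 0),  "gwn": (4, 0),  "sensor": (1, 0)},
    "Yeh et al. [8]":          {"user": (2, 2),  "gwn": (4, 4),  "sensor": (3, 2)},
    "Proposed":                {"user": (7, 0),  "gwn": (11, 0), "sensor": (6, 0)},
}
# Schemes whose counts cover authentication only (no key agreement phase)
NO_KEY_AGREEMENT = {"Khan et al. [32]", "Chen et al. [33]", "Das [5]"}


def time_ms(hashes: int, ecc: int) -> float:
    """Computational cost of one party for one run."""
    return hashes * T_H_MS + ecc * T_ECC_MS


def energy_uj(hashes: int, ecc: int) -> float:
    """Energy of one party for one run, in microjoules."""
    return hashes * E_H_UJ + ecc * E_ECC_UJ


def party_times_ms(scheme: str) -> dict:
    """Per-party computational cost in ms, rounded for comparison with Table 4."""
    return {party: round(time_ms(*ops), 4) for party, ops in SCHEMES[scheme].items()}


def total_energy_uj(scheme: str) -> float:
    """Total energy of all three parties for one run (the Fig 7 quantity)."""
    return round(sum(energy_uj(*ops) for ops in SCHEMES[scheme].values()), 4)


def sensor_load_ratio(scheme: str, baseline: str) -> float:
    """Sensor-node time of `scheme` as a fraction of that of `baseline`."""
    return time_ms(*SCHEMES[scheme]["sensor"]) / time_ms(*SCHEMES[baseline]["sensor"])


def cheapest_with_key_agreement() -> str:
    """Lowest total energy among the schemes that actually provide key agreement."""
    return min((s for s in SCHEMES if s not in NO_KEY_AGREEMENT), key=total_energy_uj)


def comparison_table() -> list:
    """Rows of (scheme, user ms, gwn ms, sensor ms, total energy uJ)."""
    rows = []
    for s in SCHEMES:
        t = party_times_ms(s)
        rows.append((s, t["user"], t["gwn"], t["sensor"], total_energy_uj(s)))
    return rows


if __name__ == "__main__":
    print(f"{'scheme':26} {'user':>6} {'gwn':>6} {'sensor':>7} {'energy uJ':>12}")
    for s, u, g, n, e in comparison_table():
        print(f"{s:26} {u:6.2f} {g:6.2f} {n:7.2f} {e:12.2f}")
    print(f"sensor load, proposed vs Yeh: {sensor_load_ratio('Proposed', 'Yeh et al. [8]'):.3f}")
```

The model confirms the page's headline numbers (0.14/0.22/0.12 ms, the 12.5% sensor-node ratio, 18.24 μJ versus 14.44 μJ for Chang et al.) and makes the comparison honest in one respect a reader should keep in mind: the three schemes without a key agreement phase are cheaper only because they do less, so cheapest_with_key_agreement() excludes them.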

Conclusions
This paper analyzes the security weaknesses of related authentication schemes and proposes a more efficient and secure authentication scheme for WSNs in IoT environments. The BAN logic method is used to prove the correctness of our scheme. Finally, we compare the functional effectiveness and performance efficiency of our scheme with those of previously published schemes. Cryptanalysis shows that our scheme overcomes the security weaknesses of the previously published schemes, and our scheme satisfies the basic design criteria for an authentication scheme as well. Consequently, our scheme can enhance security effectiveness in real-world IoT environments and provides additional security functionalities compared with the other discussed schemes. Moreover, the performance analysis shows that our scheme achieves high efficiency and superior performance.
Our future work and challenges include identifying security risks in heterogeneous IoT environments, since the variety of heterogeneous IoT applications raises serious challenges for securing networks. Future studies will further evaluate the reliability and scalability of the proposed scheme in heterogeneous IoT environments. Moreover, we are also studying highly secure machine learning-based authentication schemes for WSNs in intelligent IoT environments. The integration of Big Data with intelligent IoT networks will be challenging because of the limited resources of WSNs.