1.1. Preliminaries and technical background

In this subsection, we introduce some preliminaries and the principal technologies that our scheme is based on, such as temporal credential [7] and dynamic ID [9, 10].

A temporal credential is an impermanent attestation of authority issued by a third party. The GWN can issue a temporal credential to each user and sensor node [7]. The expiration time of a user’s temporal credential is regulated by the GWN. A user’s temporal credential is related to the identity of user and can be securely stored in a smart card. The temporal credential of a sensor node is also related to its identity and confidentially written in its storage. Based on the issuing and signing of temporal credential, the mutual authentication between the user and the GWN is achieved through the verification of temporal credential for the user. The mutual authentication between the sensor node and the GWN is achieved by the verification of the temporal credential for the sensor node.

Each dynamic ID is temporarily assigned by the system and mapped to a specific user [9]. A dynamic ID is a combination of its user’s information and a random nonce. The random nonce is an arbitrary number; it is used only once during the communication. In the authentication process, the login message of the user i contains a dynamic ID, called DID_i. The login message is dynamic for each login. For all i, the parameter DID_i is associated with nonce N_i and changed dynamically for each login. The use of a dynamic ID in each login message can avoid the risk of ID-theft [10]. Our scheme introduces dynamic ID to anonymize users.

1.2. Motivation and contribution

Typical IoT installations allow remote users to access data from sensor nodes in WSNs through the Internet. Researchers have been developing effective approaches for merging WSNs into IoT environments [2, 11–16]. Because of the resource constraints of sensor nodes, to design an efficient and secure authentication scheme for WSNs in IoT environments constitutes a nontrivial challenge. In IoT environments, the security effectiveness of remote user authentication is crucial for trustworthy information transmission [2, 3]. Computational efficiency and energy consumption are crucial because of the limited energy resources of WSNs [2, 3]. Moreover, time synchronization is a critical and challenging problem for WSNs; the system must provide a synchronized logical time clock for all devices and objects in IoT environments [3, 17–19]. Any adversary and any malicious node in IoT environments can attack clock synchronization [3, 17]. The communication errors, frequent topological changes, low-cost clocks, and limited energy levels of IoT nodes are other factors that can affect time synchronization [18, 19]. A timestamp-based authentication scheme requires trustworthy timestamps and synchronized time clocks to verify any device’s legitimacy. When a system has a serious time synchronization problem, no device can be synchronized with any another device, and thus the system cannot verify any device’s legitimacy. Therefore, any serious time synchronization failure causes mutual authentication failure. The time synchronization problem should be contemplated as designing a remote user authentication scheme for WSNs in IoT environments [3, 17–19]. Moreover, when a given user’s ID is revealed, an adversary can determine any information concerning the user's identity and monitor the user’s activities. An exposed user ID is also useful to the adversary because it provides login information [10]. Therefore, anonymous access for each login should be required. Although several previously published studies have proposed diverse remote user authentication schemes, they have been neither highly secure nor efficient sufficiently to satisfy the requirements of WSNs in IoT environments (Related work in Section 2). This paper proposes a more efficient and secure authentication scheme for WSNs in IoT environments to ameliorate these security weaknesses.

The major contributions of our work are as follows:

1. We propose a new three-party scheme on the basis of temporal credential [7] and dynamic ID [9, 10] for WSNs in IoT environments to achieve security, mutual authentication, and session key agreement. Cryptanalysis revealed that the security functionalities of the proposed scheme qualitatively and quantitatively superior to those of previous schemes; the proposed scheme can advance the field of authentication schemes. The Burrows–Abadi–Needham (BAN) logic method [3, 20–24] was used to validate our scheme.
2. The proposed scheme performs efficiently in IoT environments, with low computational cost, frugal energy consumption, and little communication cost.
3. Our scheme uses temporal credentials and random nonce instead of the timestamps to verify mutual authentication among U_i, the GWN, and S_j. Therefore, our scheme can avoid the time synchronization problem for WSNs in IoT environments [3, 9, 17, 25]. Moreover, dynamic ID technology [9, 10] is applied in our scheme. User identities are consequently anonymous and can be confirmed only by the service provider.

1.3. Organization of the paper

The remainder of this paper is organized as follows: Section 2 introduces a brief review of the related work in WSNs and explains the security weaknesses of the Ostad-Sharif et al. scheme [2] for WSNs in IoT environments; Section 3 details the proposed efficient secure authentication scheme for WSNs in IoT environments; Section 4 presents the security analysis of the proposed scheme; Section 5 discusses the effectiveness and efficiency of the proposed scheme; and finally, Section 6 presents the study’s conclusion.

2.1. Authentication design faults of the Ostad-Sharif et al. scheme in IoT environments

Design faults exist in the login and authentication phase of the Ostad-Sharif et al. scheme [2]. We illustrate this security weakness in the subsequent passages. When a registered user U_i wants to access the information of sensor node S_j, the login and authentication phase of the Ostad-Sharif et al. scheme must be executed in advance. At first, a registered user U_i inserts a smart card into the smart card reader and imprints his/her fingerprint B_i on the sensor device. The smart card contains the secret parameters {D_i, C_i, E_i, SCN_i, BK()}, in which SCN_i denotes unique smart card number and BK() denotes biometric key generation/extraction function. The smart card reader first extracts masked biometric C_i from the smart card and computes RN′_i = BK(h(B_i))⊕C′_i. After finding C′_i, the smart card reader must validate whether C′_i and C_i are equal. If C′_i ≠ C_i, then the smart card reader terminates the request. However, in the equation above, the smart card reader does not know random number RN′_i and masked biometric C′_i. Therefore, it cannot obtain RN′_i and C′_i from the equation. Finally, a legitimately registered user U_i cannot pass the verification to access the system. This problem will happen to all legitimately registered users. The Ostad-Sharif et al. scheme has design faults in the login and authentication phase.

2.2. Failure to provide password change capability in the Ostad-Sharif et al. scheme

The Ostad-Sharif et al. scheme [2] cannot provide password change capability. We demonstrate this weakness in the following passages. When a registered user U_i wants to update the password PW_i, the password change phase in the scheme must be executed. U_i first inserts a smart card into the smart card reader. He or she then inputs identity ID_i and password PW_i. The smart card contains the secret parameters {D_i, C_i, E_i, SCN_i, BK()}. After the legitimacy of U_i is verified, U_i enters a new password . The smart card computes the following equations:

1. = h(ID_i∥ ∥RN_i), in which RN_i denotes random number.
2. A′_i = D_i⊕RPW_i
3. = ⊕ RPW_i
4. L′_i = E_i ⊕ RPW_i
5. = L′_i ⊕ RPW_i

After and have been found, the smart card replaces the secret parameters {D_i, E_i} in the smart card with the new parameters {, }. The smart card finally contains the parameters {, C_i, , SCN_i, BK()}. However, in (3), the smart card does not know ; hence, it cannot obtain the new parameter from (3). Moreover, from (4) and (5), we obtain the following results:

Finally, the value of the new parameter is the same as the value of the parameter E_i, and the new parameter cannot be acquired from the equations. Therefore, a registered user U_i cannot update his/her password. The Ostad-Sharif et al. scheme fails to provide password change capability.

2.3. Time synchronization and authentication problem of the Ostad-Sharif et al. scheme in IoT environments

The Ostad-Sharif et al. scheme uses a timestamp T_i to verify mutual authentication among U_i, the GWN, and S_j for WSNs in IoT environments. Therefore, the Ostad-Sharif et al. scheme must provide synchronized time clocks to all devices in IoT environments for timestamp comparison [3, 17, 18]. However, as mentioned, both adversaries and malicious nodes can attack time synchronization [17]. Frequent topological changes, low-cost clocks, and limited energy of the sensor nodes in IoT environments can also affect time synchronization [18, 19]. The time synchronization of all WSN devices in IoT environments is a nontrivial challenge in itself [3, 17–19]. When a serious time synchronization problem arises in Ostad-Sharif et al. scheme, the GWN, U_i, and S_j cannot be synchronized with each other and then the legitimacy values of the GWN, U_i, and S_j cannot be verified. Hence, the Ostad-Sharif et al. scheme may enter a state such that mutual authentication among the GWN, U_i, and S_j cannot be achieved [3, 17, 18].

3.1. Registration phase

The registration phase comprises two parts, one for users and the other for sensor nodes. We first describe the registration phase for users. In this phase, when a new user U_i undertakes to register, he or she selects the identification ID_i and password PW_i. Subsequently, U_i generates a random number r_i and sends ID_i and h(r_i⊕PW_i) to the GWN for registration through a secure channel. After receiving the messages from U_i, the GWN selects the expiration time TE_i of the temporal credential of U_i. The GWN computes the temporal credential TC_i and verification information R_i for U_i. The GWN then issues a smart card with the temporal credential TC_i, expiration time TE_i, and verification information R_i to U_i through a secure channel. The steps are detailed as follows (Fig 2):

1. Step U1. U_i freely chooses identification ID_i and password PW_i.
2. Step U2. U_i generates a random number r_i and calculates h(r_i⊕PW_i).
3. Step U3. U_i ⇒ GWN: {h(r_i⊕PW_i), ID_i}.

U_i transmits h(r_i⊕PW_i) and ID_i to the GWN through a secure channel.

1. Step U4. GWN ⇒ U_i: {ID_GWN, PTC_i, TE_i, B_i, R_i, h(.)}. After receiving the message from U_i, the GWN selects the expiration time TE_i of the temporal credential of U_i and computes the following equations to issue the temporal credential TC_i for U_i.

P_i = h(ID_i∥ID_GWN∥TE_i), TC_i = h(P_i∥K_GWN-U∥TE_i), PTC_i = TC_i⊕h(r_i⊕PW_i),

Q_i = h(ID_i∥K_GWN-U), B_i = Q_i⊕h(ID_i∥h(r_i⊕PW_i)), and R_i = h(Q_i).

The GWN then issues a smart card with the secret parameters {ID_GWN, PTC_i, TE_i, B_i, R_i, h(.)} to U_i through a secure channel.

1. Step U5. U_i stores r_i in the smart card, after which the smart card holds the parameters {ID_GWN, PTC_i, TE_i, B_i, R_i, r_i, h(.)}.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 2. Registration phase for users in the proposed scheme.

https://doi.org/10.1371/journal.pone.0232277.g002

We now describe the registration phase for sensor nodes. In this phase, each sensor node S_j is pre-configured with SID_j. After deployment, the sensor node S_j generates a random number r_j and then sends SID_j and h(r_j⊕SID_j) to the GWN for registration through a secure channel. After receiving the messages from S_j, the GWN issues a temporal credential TC_j to S_j through a secure channel. The steps are detailed as follows (Fig 3):

1. Step S1. S_j is pre-configured with SID_j.
2. Step S2. S_j generates a random number r_j and computes h(r_j⊕SID_j).
3. Step S3. S_j ⇒ GWN: {SID_j, h(r_j⊕SID_j)}.

S_j sends SID_j and h(r_j⊕SID_j) to the GWN through a secure channel.

1. Step S4. GWN ⇒ S_j: {RTC_j}. After receiving the message from S_j, the GWN computes TC_j = h(K_GWN-S∥SID_j) to issue the temporal credential TC_j for S_j and then calculates RTC_j = TC_j⊕h(h(r_j⊕SID_j)∥SID_j). The GWN sends RTC_j to S_j through a secure channel.
2. Step S5. After receiving the message from the GWN, S_j computes TC_j = RTC_j⊕h(h(r_j⊕SID_j)∥SID_j) to find its temporal credential TC_j and then stores it.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 3. Registration phase for sensor nodes in the proposed scheme.

https://doi.org/10.1371/journal.pone.0232277.g003

3.2. Login phase

U_i first inserts a smart card into the smart card reader to log in to the system. U_i then gives (ID_i, PW_i) that correspond to the smart card. The smart card of U_i computes verification information and then verifies it with the stored R_i in the smart card. After passing verification, the legitimacy of U_i is ensured. Afterward, U_i can read the information stored in the smart card and find its temporal credential TC_i. The steps are detailed as follows (Fig 4):

1. Step L1. User U_i inserts a smart card into the smart card reader and provides keys (ID_i, PW_i). The smart card of user U_i then computes Q_i = B_i⊕h(ID_i∥h(r_i⊕PW_i)) and = h(Q_i). The smart card validates whether and the stored R_i in the smart card are equal. If the values are unequal, the smart card rejects the login request. Otherwise, the legitimacy of U_i is ensured, and U_i can read the information stored in the smart card.
2. Step L2. U_i computes TC_i = PTC_i⊕h(r_i⊕PW_i) to find its temporal credential TC_i.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 4. Login phase; authentication and key agreement phase.

https://doi.org/10.1371/journal.pone.0232277.g004

3.3. Authentication and key agreement phase

After ensuring the legitimacy of U_i and finding the temporal credential TC_i, the system must complete mutual authentication among U_i, the GWN, and S_j. The first step of the mutual authentication phase involves identity verification for U_i, which is conducted by the GWN. Afterward, the second step entails identity verification of the GWN, which is conducted by S_j. The third step involves identity verification for S_j, which is conducted by U_i as well as the GWN. Finally, a session key KEY_ij is negotiated between U_i and S_j to conduct encryption during data transmission later on. The steps are detailed as follows (Fig 4):

1. Step V1. U_i → GWN: {DID_i, q₁, PKS_i, TE_i, P_i, N_i}. U_i generates a nonce N_i and computes P_i = h(ID_i∥ID_GWN∥TE_i), DID_i = ID_i ⊕h(TC_i∥ID_GWN∥N_i), and q₁ = h(ID_i∥TC_i∥N_i). Afterward, U_i randomly chooses a secret sharing key K_i and computes PKS_i = K_i⊕h(TC_i∥N_i). After computation, U_i sends the login request message m₁ = {DID_i, q₁,PKS_i,TE_i, P_i, N_i} to the GWN.
2. Step V2. GWN→ S_j: {DID_i, DID_GWN, q₂, PKS_GWN, ID_GWN, N_i, N_GWN}. After obtaining message m₁, the GWN computes TC_i = h(P_i∥K_GWN-U∥TE_i), ID_i = DID_i ⊕h(TC_i∥ID_GWN∥N_i), and = h(ID_i∥TC_i∥N_i). The GWN then verifies whether and q₁ are equal. If ≠ q₁, then the GWN terminates the request and sends a reject message to U_i. Otherwise, the legitimacy of U_i is ensured, and the GWN accepts the login request. The GWN then records the login status of U_i to indicate that Ui is logging in to the system. The GWN computes K_i = PKS_i ⊕h(TC_i∥N_i). At this point, the GWN selects a proper sensor node S_j with identification SID_j and calculates its temporal credential TC_j = h(K_GWN-S∥SID_j). The GWN then generates a nonce N_GWN and computes DID_GWN = ID_i ⊕h(TC_j∥DID_i∥N_GWN), q₂ = h(ID_i∥TC_j∥N_GWN), and PKS_GWN = K_i ⊕h(TC_j∥N_GWN). After computation, the GWN sends the message m₂ = {DID_i, DID_GWN, q₂, PKS_GWN, ID_GWN, N_i, N_GWN}to S_j.
3. Step V3. S_j →U_i, GWN: {SID_j, q₃, PKS_j, N_i, N_GWN}. After receiving message m₂, S_j assesses ID_GWN to verify whether the GWN is a participant. If verification is true, S_j computes ID_i = DID_GWN ⊕h(TC_j∥DID_i∥N_GWN) and = h(ID_i∥TC_j∥N_GWN). S_j then verifies whether and q₂ are equal. If ≠ q₂, then S_j terminates the request and returns a reject message. Otherwise, the legitimacy of the GWN is ensured, and S_j accepts the request. S_j computes K_i = PKS_GWN ⊕h(TC_j∥N_GWN). Afterward, S_j randomly selects a secret sharing key K_j. S_j computes q₃ = h(ID_i∥SID_j∥K_i∥N_i∥N_GWN) and PKS_j = K_j⊕h(K_i∥N_i∥N_GWN). After computation, S_j sends the message m₃ = {SID_j, q₃, PKS_j, N_i, N_GWN}to U_i and the GWN.
4. Step V4. After receiving the message m₃, U_i and the GWN separately compute = h(ID_i∥SID_j∥K_i∥N_i∥N_GWN). After computation, the GWN verifies whether and q₃ are equal. If = q₃, then the GWN can verify the legitimacy of S_j. User U_i also verifies whether and q₃ are equal. If = q₃, then U_i can verify the legitimacy of S_j and the GWN. Afterward, U_i and the GWN separately compute K_j = PKS_j⊕h(K_i∥N_i∥N_GWN). Finally, after ending the mutual authentication phase, U_i, the GWN, and S_j separately generate the shared session key KEY_ij by computing KEY_ij = h(K_i∥K_j∥N_i∥N_GWN∥SID_j).

3.4. Password change phase

To update or change the password, a user U_i must insert his/her smart card into the smart card reader. Afterward, U_i gives ID_i and PW_i, which correspond to the smart card. In the first step of the password change phase, the smart card of U_i computes verification information and then verifies it with the stored R_i in the smart card. After passing verification, the legitimacy of U_i is ensured. U_i can then read the information stored in the smart card. The second step involves finding the updated value of the parameters {, , }. Finally, the smart card replaces the old value of the parameters {PTC_i, B_i, r_i} in the smart card with the updated value of the parameters {, , }. The steps are detailed as follows (Fig 5):

1. Step P1. A user U_i inserts a smart card into the smart card reader and gives (ID_i, PW_i). The smart card of U_i calculates Q_i = B_i⊕h(ID_i∥h(r_i⊕PW_i)) and = h(Q_i) and then verifies whether and the stored R_i in the smart card are equal. If the values are unequal, the smart card rejects the login request. Otherwise, the legitimacy of U_i is ensured, and U_i can read the information stored in the smart card.
2. Step P2. The user U_i selects a new password , and then U_i generates a random number . Then, the smart card calculates = Q_i⊕h(ID_i∥h (⊕)), = PTC_i⊕h(r_i⊕PW_i)⊕h(⊕).
3. Step P3. The parameters {PTC_i, B_i, r_i} in the smart card are replaced with new parameters {, , }. Finally, the smart card contains {ID_GWN, , TE_i, , R_i, , h(.)}.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 5. Password change phase in the proposed scheme (U_i can update the password without requiring the communication with the GWN and S_j).

https://doi.org/10.1371/journal.pone.0232277.g005

4.1. Mutual authentication and session key agreement

Mutual authentication is a critical feature for verifying mutual validity among the GWN, U_i, and S_j in WSNs. Because encryption and a message authentication code (MAC) are required to protect data transmission between U_i and S_j, a session key must be negotiated in advance between these two participants [7]. In this section, we first illustrate the mutual authentication analysis of the proposed scheme, then we present the formal proofs. In the authentication and key agreement phase of the proposed scheme, mutual authentication between the GWN and S_j is accomplished by calculating verification information q₂ and q₃. In Step V3, S_j can verify the legitimacy of the GWN after determining whether q₂ and are equal, where q₂ = h(ID_i∥TC_j∥N_GWN). Temporal credential TC_j is included in verification information q₂. This shows that the sensor node S_j can authenticate the validity of the GWN. In Step V4, the GWN can verify the legitimacy of S_j after confirming whether q₃ and are equal, where q₃ = h(ID_i∥SID_j∥K_i∥N_i∥N_GWN). A secret sharing key K_i is included in verification information q₃. This shows that the GWN can authenticate S_j. By contrast, mutual authentication between U_i and the GWN is accomplished by calculating verification information q₁ and q₃. In Step V2, the GWN can verify the legitimacy of U_i after determining whether and q₁ are equal, where q₁ = h(ID_i∥TC_i∥N_i). Temporal credential TC_i is included in verification information q₁. This shows that the GWN can authenticate the user U_i. In Step V4, U_i can verify the legitimacy of S_j after confirming whether q₃ and are equal, where q₃ = h(ID_i∥SID_j∥K_i∥N_i∥N_GWN). A secret sharing key K_i is included in verification information q₃. This shows that the user U_i can authenticate the sensor node S_j. In addition, because S_j has authenticated the validity of the GWN, the user U_i further authenticates the validity of the GWN as well. Therefore, on the basis of temporal credential signing and the secret sharing key, U_i, S_j, and the GWN can mutually authenticate each other in the proposed protocol. In Step V4, after completing the mutual authentication phase, U_i, the GWN, and S_j can separately generate the shared session key KEY_ij by computing KEY_ij = h(K_i∥K_j∥N_i∥N_GWN∥SID_j), where secret sharing key K_i and K_j are selected randomly. This shows that U_i, S_j, and the GWN can share a common session key after finishing the mutual authentication phase. The common session key is validated by U_i, the GWN, and S_j. This illustration indicates that our scheme provides session key agreement and mutual authentication. The formal proofs are given in the following lemmas and Proposition 1. We use the BAN logic method [3, 21–24] to formally validate the mutual authentication and session key agreement of our scheme. The BAN logic method is widely used to validate authentication and key establishment protocols [3, 21–24]. The BAN logic method accomplishes to introduce the logic of authentication and explain the protocols step-by-step. The notations of BAN logic are presented in Table 2. In Table 2, the symbols X and Y range over statements; Q and P are principals [20–22, 42].

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 2. Notations of BAN logic.

https://doi.org/10.1371/journal.pone.0232277.t002

The essential logical postulates for the BAN logic are listed as follows [20–22, 42]:

1. Freshness-propagation rule: . That is, if P is entitled to believe that one part of a formula (X,Y) is fresh, then he also is entitled to believe that the entire formula (X,Y) must also be fresh.
2. Receiving rule: and . That is, if a principal P can receive and read a formula (X,Y) or formula 〈X〉_Y, then he also can receive and read its components X.
3. Nonce-verification rule: . That is, if P is entitled to believes that X is a fresh statement and that Q once said X, then P believes that Q believes X.
4. Jurisdiction rule: . That is, if P believes that Q has jurisdiction over X and P believes that Q believes X, then P believes X.
5. Message-meaning rule: . That is, if P is entitled to believe that the key Y is shared with Q, and P sees X encrypted under Y, then P is entitled to believe that Q once said X.
6. Session-key rule: , where statement X is an element of the combination session key K [21, 44]. That is, if P is entitled to believe that K is a fresh statement and that Q believes X, then P believes that P and Q share a common key K.

To validate the proposed protocol, we first summarize our scheme in the generic form [20, 21, 42]:

Message m₁. U_i → GWN: {DID_i, q₁, PKS_i, TE_i, P_i, N_i}

= {ID_i⊕h(TC_i∥ID_GWN∥N_i), h(ID_i∥TC_i∥N_i), K_i⊕h(TC_i∥N_i), TE_i,

h(ID_i∥ID_GWN∥TE_i), N_i}.

Message m₂. GWN→ S_j: {DID_i, DID_GWN, q₂, PKS_GWN, ID_GWN, N_i, N_GWN}

= {ID_i ⊕h(TC_i∥ID_GWN∥N_i), ID_i ⊕h(TC_j∥DID_i∥N_GWN),

h(ID_i∥TC_j∥N_GWN), K_i⊕h(TC_j∥N_GWN), ID_GWN, N_i, N_GWN}.

Message m₃. S_j →GWN: {SID_j, q₃, PKS_j, N_i, N_GWN}

= {SID_j, h(ID_i∥SID_j∥K_i∥N_i∥N_GWN), K_j⊕h(K_i∥N_i∥N_GWN),N_i, N_GWN}.

Message m₃. S_j →U_i: {SID_j, q₃, PKS_j, N_i, N_GWN}

= {SID_j, h(ID_i∥SID_j∥K_i∥N_i∥N_GWN), K_j⊕h(K_i∥N_i∥N_GWN), N_i, N_GWN}.

Subsequently, we transform the generic form into the idealized form:

I₁. U_i → GWN: , ,

I₂. GWN→ S_j: , , ,

I₃. S_j → GWN: ,

I₄. S_j →U_i:,

To analyze our scheme, we use the following assumptions:

A₁.                A₂. A₃.                   A₄. A₅. GWN|≡#(N_i)                       A₆. S_j|≡#(N_GWN)

A₇. U_i|≡#(N_i,N_GWN)              A₈. GWN|≡#(N_i,N_GWN)

A₉. GWN|≡U_i|⇒N_i              A₁₀. S_j|≡GWN|⇒N_GWN

A₁₁.GWN|≡S_j|⇒(N_i,N_GWN)              A₁₂. U_i|≡S_j|⇒(N_i,N_GWN)

Lemma 1. The GWN in our scheme can authenticate U_i; S_j can authenticate the GWN.

Proof: In our scheme, U_i produces a nonce N_i. Then, U_i transmits N_i to the GWN. After obtaining N_i, the GWN generates a nonce N_GWN and then sends nonces (N_i, N_GWN) to S_j.

To prove that the GWN can authenticate U_i, the following belief must be demonstrated:

B₁. GWN|≡N_i

To prove that S_j can authenticate the GWN, the following belief must be demonstrated:

B₂. S_j|≡N_GWN

The steps for proving B₁:

1. S₁. GWN sees (Apply the Receiving rule and I₁)
2. S₂. GWN believes U_i said N_i. (Apply the Message-meaning rule, A₁, and S₁)
3. S₃. GWN believes U_i believes N_i. (Apply the Nonce-verification rule, A₅, and S₂)
4. S₄. GWN believes N_i. That is, GWN|≡N_i (Apply the Jurisdiction rule, A₉, and S₃)

Consequently, the GWN authenticates U_i.

Similarly, the steps of the proof for B₂:

1. S₅. S_j sees (Apply I₂ and Receiving rule)
2. S₆. S_j believes GWN said N_GWN. (Apply the Message-meaning rule, A₃, and S₅)
3. S₇. S_j believes GWN believes N_GWN. (Apply the Nonce-verification rule, A₆, and S₆)
4. S₈. S_j believes N_GWN. That is, S_j|≡N_GWN (Apply the Jurisdiction rule, A₁₀, and S₇).

Lemma 2. The GWN in our scheme can authenticate S_j ; U_i can also authenticate S_j.

Proof: In our scheme, after receiving nonces (N_i, N_GWN), the S_j returns (N_i, N_GWN) to the GWN and U_i.

To prove that the GWN can authenticate S_j, the following belief must be demonstrated:

B₃. GWN|≡(N_i,N_GWN)

To prove that the U_i can authenticate S_j, the following belief must be demonstrated:

B₄. U_i|≡(N_i,N_GWN)

The steps of the proof for B₃:

1. S₉. GWN sees (Apply the Receiving rule and I₃)
2. S₁₀. GWN believes S_j said (N_i,N_GWN). (Apply the Message-meaning rule, A₂, and S₉)
3. S₁₁. GWN believes S_j believes (N_i,N_GWN).(Apply the Nonce-verification rule, A₈, and S₁₀)
4. S₁₂. GWN believes (N_i,N_GWN). That is, GWN|≡(N_i,N_GWN) (Apply the Jurisdiction rule, A₁₁, and S₁₁).

Consequently, the GWN can authenticate S_j.

Similarly, the steps of the proof for B₄:

1. S₁₃. U_i sees (Apply the Receiving rule and I₄)
2. S₁₄. U_i believes S_j said (N_i,N_GWN). (Apply the Message-meaning rule, A₄, and S₁₃)
3. S₁₅. U_i believes S_j believes (N_i,N_GWN). (Apply the Nonce-verification rule, A₇, and S₁₄)
4. S₁₆. U_i believes (N_i,N_GWN). That is, U_i|≡(N_i,N_GWN). (Apply the Jurisdiction rule, A₁₂, and S₁₅)

Lemma 3. In our scheme, the GWN, U_i, and S_j can coordinate the common session key KEY_ij.

Proof: To prove that U_i, the GWN, and S_j in our scheme can share a session key KEY_ij = h(K_i∥K_j∥N_i∥N_GWN∥SID_j), the following beliefs must be demonstrated:

B₅.

B₆.

B₇.

B₈. The steps for proving B₅ are:

1. S₁₇. U_i believes S_j believes (N_i,N_GWN). (Apply S₁₅)
2. S₁₈. S_j believes GWN believes N_GWN. (Apply S₇)
3. S₁₉. U_i believes GWN believes N_GWN. (Apply the Lemma 1, the Lemma 2, S₁₇, and S₁₈)
4. S₂₀. U_i believes fresh (N_i, N_GWN). (Apply A₇)
5. S₂₁. U_i believes fresh (KEY_ij). (Apply S₂₀ and Freshness-propagation rule)
6. S₂₂. Ui believes . That is, . (Apply the Session-key rule, S₁₉, and S₂₁)

Consequently, U_i believes that U_i shares the session key KEY_ij with the GWN.

Similarly, the steps of the proof for B₆:

1. S₂₃. GWN believes U_i believes N_i. (Apply S₃)
2. S₂₄. GWN believes fresh (N_i). (Apply A₅)
3. S₂₅. GWN believes fresh (KEY_ij). (Apply S₂₄ and Freshness-propagation rule)
4. S₂₆. GWN believes . That is, . (Apply S₂₃, S₂₅, and Session-key rule)

Consequently, the GWN believes that GWN shares the session key KEY_ij with U_i.

The steps of the proof for B₇ are:

1. S₂₇. S_j believes GWN believes N_GWN. (Apply S₇)
2. S₂₈. S_j believes fresh (N_GWN). (Apply A₆)
3. S₂₉. S_j believes fresh (KEY_ij). (Apply the Freshness-propagation rule and S₂₈)
4. S₃₀. S_j believes . That is, . (Apply the Session-key rule, S₂₇, S₂₉)

Consequently, S_j believes that S_j shares the session key KEY_ij with the GWN.

Similarly, the steps of the proof for B₈ are:

1. S₃₁. GWN believes S_j believes (N_i,N_GWN). (Apply S₁₁)
2. S₃₂. GWN believes fresh (N_i). (Apply A₅)
3. S₃₃. GWN believes fresh (KEY_ij). (Apply S₃₂ and Freshness-propagation rule)
4. S₃₄. GWN believes . That is, . (Apply S₃₁, S₃₃, and Session-key rule)

Consequently, the GWN believes that GWN shares the session key KEY_ij with S_j.

Proposition 1. U_i, the GWN, and S_j in our scheme can mutually authenticate each other; they can share a common session key.

Proof: From Lemma 2, U_i in our scheme can authenticate S_j. In addition, S_j can authenticate the GWN (Lemma 1). Thus, U_i can further authenticate the GWN as well. Conversely, the GWN can authenticate U_i (Lemma 1). Consequently, the GWN and U_i in our scheme can mutually authenticate each other. The GWN can authenticate S_j (Lemma 2). Conversely, S_j can authenticate the GWN (Lemma 1). Consequently, the GWN and S_j in our scheme can mutually authenticate each other. Mutual authentication can be provided in our scheme. After finishing the mutual authentication, U_i, the GWN, and S_j can share a session key KEY_ij = h(K_i∥K_j∥N_i∥N_GWN∥SID_j) (Lemma 3). Session key agreement can also be provided in our scheme.

4.2. Password protection, guessing attack resistance, and stolen smart card attack resistance

When a user’s smart card is stolen or lost in a stolen smart card attack, an adversary can acquire information from the smart card. Then, the adversary masquerades as an authorized user to access to the GWN. However, password protection functionality can prevent the leakage of password information, such that the adversary cannot obtain useful information to perform an off-line password guessing attack.

Proposition 2. The proposed scheme can provide password protection, guessing attack resistance, and stolen smart card attack resistance.

Proof: In our scheme, the password presents with the h(r_i ⊕PW_i) form, in which PW_i and r_i are hidden. h(r_i⊕PW_i) is not stored in the smart card, the GWN, or any other device. Thus, the adversary cannot directly obtain PW_i by performing an off-line password guessing attack on h(r_i⊕PW_i) [45]. Therefore, the proposed scheme can provide password protection and guessing attack resistance. Moreover, smart card secrets can be breached by monitoring power consumption or by analyzing leaked information [25, 42, 46]. When the adversary has a smart card that has been lost by its legitimate owner, the adversary can acquire the secret parameters from that smart card by applying the previously discussed method. We can prove that the proposed scheme can also provide stolen smart card attack resistance. That is, in the proposed scheme, the adversary cannot masquerade as a legitimate user to log in to the GWN when the adversary has obtained a legitimate user's smart card. Suppose that when the smart card of user U_i is stolen or lost, the adversary obtains that the smart card. The adversary can obtain the secret parameters {ID_GWN, PTC_i, TE_i, B_i, R_i, r_i, h(.)} from the smart card. To impersonate a legitimate user, the adversary must produce a new , randomly choose an imitative secret sharing key , and create an imitative login request message {, , , TE_i, P_i, } for the GWN. The imitative parameters {, , , P_i} are obtained using the following equations:

= ID_i ⊕h(TC_i∥ID_GWN∥),

= h(ID_i∥TC_i∥),

= ⊕h(TC_i∥),

P_i = h(ID_i∥ID_GWN∥TE_i).

Therefore, to obtain the imitative parameters {, , , P_i}, the adversary must first obtain TC_i and ID_i by using the following equations:

TC_i = h(P_i∥K_GWN-U∥TE_i),

TC_i = PTC_i⊕h(r_i⊕PW_i),

ID_i = DID_i⊕h(TC_i∥ID_GWN∥N_i).

Nevertheless, the adversary cannot acquire TC_i and ID_i because he/she does not possess K_GWN-U and PW_i. Only the GWN knows the private key K_GWN-U in our scheme. As previously discussed, the proposed scheme can provide password protection, and that the adversary cannot acquire PW_i by executing an off-line password guessing attack. Therefore, the imitative parameter set {, , , P_i}of a login request message is not acquired. The adversary cannot masquerade as an authorized user by only using a smart card.

4.3. Two-factor security

By involving a smart card and a password in the login phase, two-factor security in our scheme can be achieved [9, 37, 47, 48].

Proposition 3. Two-factor security can be provided in our scheme.

Proof: First, assume that the adversary only has the smart card of U_i. Let us even assume that the adversary can intercept login request message m₁ = {DID_i, q₁, PKS_i, TE_i, P_i, N_i}. As mentioned in Proposition 2, the adversary can obtain the secret parameters {ID_GWN, PTC_i, TE_i, B_i, R_i, r_i, h(.)} from the smart card. To impersonate a legitimate user, the adversary must produce a new , randomly choose a new sharing key , and create an imitative login request message {, , , TE_i, P_i, } for the GWN, where = ID_i ⊕h(TC_i∥ID_GWN∥), = h(ID_i∥TC_i∥), and = ⊕h(TC_i∥). Consequently, to gain the parameter set {, , }, the adversary must acquire TC_i and ID_i by applying the following equations: TC_i = h(P_i∥K_GWN-U∥TE_i), TC_i = PTC_i ⊕h(r_i⊕PW_i), and ID_i = DID_i⊕h(TC_i∥ID_GWN∥N_i). Nevertheless, the adversary cannot acquire TC_i and ID_i because he/she does not possess K_GWN-U and PW_i. Only the GWN knows the private key K_GWN-U in our scheme, and we have proven that the proposed scheme can provide password protection to prevent the leakage of PW_i information (Section 4.2). Therefore, the parameter set {, , } of the login request message is not acquired, and the adversary cannot disguise as an authorized user by only using the smart card. Secondly, assume that the adversary only has the password PW_i and identification ID_i of U_i. Under this condition, the adversary also cannot acquire TC_i to calculate the parameters {, , } because he/she does not know K_GWN-U and PTC_i (which are not stored in the smart card). Therefore, the adversary cannot impersonate an authorized user when he/she either acquires information from the smart card or knows {ID_i, PW_i}. Our scheme can withstand this type of masquerade attack and provide two-factor security.

4.4. Masquerade attack resistance and replay attack resistance

Protection against masquerade attacks is a principal security feature for any remote user authentication scheme. Replay attack resistance means that the adversary cannot attempt to replay any previously intercepted message to spoof the GWN.

Proposition 4. Our scheme can provide masquerade attack resistance and replay attack resistance.

Proof: Proposition 3 has demonstrated that our scheme can protect against masquerade attacks caused by either the loss of a smart card or the revelation of sensitive identification and password details {ID_i, PW_i}. The reliability of our scheme against other masquerade attacks must be demonstrated. We can even assume that the adversary is a legitimate user L and undertakes to impersonate a user U_i. Adversary L may intercept the login request message m₁ = {DID_i, q₁, PKS_i, TE_i, P_i, N_i}. Adversary L can have {ID_l, PW_l} and acquire {ID_GWN, PTC_l, TE_l, B_l, R_l, r_l, h(.)} from his/her smart card because he/she is an admissible user. Adversary L generates a new nonce , randomly chooses an imitative secret sharing key , and creates an imitative login request message {, , , TE_i, P_i, } for the GWN, where = ID_i ⊕h(TC_i∥ID_GWN∥), = h(ID_i∥TC_i∥), and = ⊕h(TC_i∥). Nevertheless, adversary L still cannot acquire TC_i and ID_i to calculate the parameters {, , } because he/she does not possess K_GWN-U and PW_i (Proposition 2). In addition, adversary L cannot compute the shared session key KEY_ij = h(K_i∥K_j∥N_i∥N_GWN∥SID_j) because he or she does not know K_i and K_j in KEY_ij. Thus, adversary L cannot impersonate any other legitimate user. Consequently, our scheme can protect against masquerade attacks when an adversary impersonates any other legitimate user. Adversary L can undertake to replay the intercepted message {DID_i, q₁, PKS_i, TE_i, P_i, N_i} to the GWN. However, after receiving message m₃ = {SID_j, q₃, PKS_j, N_i, N_GWN}, adversary L cannot compute the shared session key KEY_ij = h(K_i∥K_j∥N_i∥N_GWN∥SID_j) because he or she cannot obtain K_i and K_j in KEY_ij. Consequently, resistance to replay attacks is guaranteed as well. Next, we prove that an adversary cannot masquerade as a sensor node to spoof the user. Suppose adversary L has intercepted message m₂ when the GWN attempts to send it to S_j; that is, the message {DID_i, DID_GWN, q₂, PKS_GWN, ID_GWN, N_i, N_GWN}. To masquerade as a sensor node to spoof the user, the adversary must randomly choose an imitative secret sharing key and send an imitative response message {SID_j, q₃, , N_i, N_GWN} to the GWN, where q₃ = h(ID_i∥SID_j∥K_i∥N_i∥N_GWN) and = ⊕h(K_i∥N_i∥N_GWN). To obtain the parameters {q₃, }, the adversary must first know K_i. Moreover, K_i can be obtained by using the equation K_i = PKS_GWN⊕h(TC_j∥N_GWN). Nevertheless, the adversary cannot acquire K_i because he/she does not possess the temporal credential TC_j. Therefore, the parameters {q₃, } cannot be acquired, and the adversary cannot send an imitative response message {SID_j, q₃, , N_i, N_GWN} to the GWN. Consequently, our scheme can protect against masquerade attacks when an adversary masquerades as a sensor node to spoof the user.

4.5. Stolen verifier attack resistance and insider attack resistance

The stolen verifier attack means that the adversary steals the verification table from the GWN or S_j. By contrast, an insider attack involves any privileged insider of the GWN purposely obtaining a user password, which leads to security defects in the remote user authentication scheme [41, 49].

Proposition 5. Our scheme can protect against stolen verifier attacks and insider attacks.

Proof: The GWN and S_j in our scheme do not retain any verification table for verifying the legitimacy of registered users or sensor nodes. Therefore, the adversary cannot find any verifiable information in the GWN or S_j to impersonate a legitimate user. Consequently, our scheme can protect against stolen verifier attacks [9, 40]. Moreover, because U_i presents h(r_i⊕PW_i) to register with the GWN. r_i and PW_i are hidden from the GWN. In addition, the GWN does not store any verifier h(r_i⊕PW_i). The privileged insider of the GWN cannot acquire PW_i by executing any off-line password guessing attack [45]. Consequently, our scheme can resist insider attacks [41].

4.6. Password updating, adding new user functionality, and time synchronization avoidance

In our scheme, users are not obliged to share their IDs and passwords with the GWN before the registration. During the registration process, a new user U_i can freely choose some identification string ID_i and password PW_i as favorite strings without requiring assistance from the GWN. Any new legitimate user can be freely added to the system after the registration. Therefore, the proposed scheme provides a convenient functionality for adding new users. Moreover, as mentioned, it is strongly recommended that for security policy, users update or change their passwords frequently to protect against compromise [32]. In the password change phase of our scheme, a legitimate user U_i can freely choose his/her new password to update or change the password without requiring extra communication message overhead to exchange messages with the GWN (Fig 5). Consequently, our scheme provides the functionalities of freely chosen passwords and efficient password updating. Finally, our scheme does not require any timestamp to verify mutual authentication among U_i, the GWN, and S_j because our scheme is a nonce-based scheme. Consequently, our scheme is not obliged to provide synchronized time clocks for all devices [3, 17, 18], and it can avoid the time-synchronization problem for WSNs in IoT environments [3, 17, 25].

4.7. User anonymity (identity protection)

The user anonymity (identity protection) means that the identity of any user is disclosed only to service providers [9].

Proposition 6. Our scheme can provide user anonymity to protect user identity.

Proof: The adversary can intercept message m₁ = {DID_i, q₁, PKS_i, TE_i, P_i, N_i} to acquire the identification string of U_i,. The parameters DID_i, q₁, PKS_i, and P_i are obtained using the following equations:

DID_i = ID_i ⊕h(TC_i∥ID_GWN∥N_i),

q₁ = h(ID_i∥TC_i∥N_i),

PKS_i = K_i⊕h(TC_i∥N_i),

P_i = h(ID_i∥ID_GWN∥TE_i).

However, in Proposition 2, we show that the adversary cannot obtain ID_i and TC_i because he or she does not know K_GWN-U and PW_i. The identification string ID_i also cannot be derived from the equations above. Therefore, an adversary cannot acquire ID_i to identify the user U_i, and our scheme can provide user anonymity to protect user identity.

4.8. GWN bypassing attack resistance and GWN spoofing attack resistance

A GWN bypassing attack occurs when an adversary can bypass the GWN to forge a verification message straight to the sensor node S_j without passing the GWN login [7]. By contrast, a GWN spoofing attack occurs when an adversary may impersonate the GWN to obtain private login information of U_i.

Proposition 7. Our scheme can protect against GWN bypassing attacks and GWN spoofing attacks.

Proof: To bypass the GWN, an adversary must send an imitative verification message m₂ = {DID_i, DID_GWN, q₂, PKS_GWN, ID_GWN, N_i, N_GWN} straight to S_j, where q₂ = h(ID_i∥TC_j∥N_GWN). However, the adversary cannot obtain q₂ to create an imitative message m₂ because he or she does not know the temporal credential TC_j; thus, the adversary cannot bypass the GWN to forge m₂ to S_j. Without m₂, S_j cannot respond with any other messages. Consequently, our scheme can prevent GWN bypassing attacks. By contrast, the adversary may attempt to impersonate the GWN to acquire the secret login information of U_i. To pose as the GWN, the adversary can intercept some login request message m₁ = {DID_i, q₁, PKS_i, TE_i, P_i, N_i} and respond with an imitative message m₃ = {SID_j, q₃, PKS_j, N_i, N_GWN} to U_i, where q₃ = h(ID_i∥SID_j∥K_i∥N_i∥N_GWN). Verification information q₃ includes a secret sharing key K_i. However, as mentioned in Proposition 4, the adversary cannot acquire K_i because he/she does not know temporal credential TC_j. Therefore, the adversary cannot obtain q₃; thus, the adversary cannot send an imitative message m₃ = {SID_j, q₃, PKS_j, N_i, N_GWN} to respond to U_i. The adversary cannot convince U_i that he/she is a legitimate GWN. Consequently, our scheme can protect against GWN spoofing attacks.

5.1. Functionality comparison

Table 3 presents a functionality comparison of our scheme versus previous related schemes. In Table 3, Yes denotes the scheme has a security feature; No denotes the contrary. The weaknesses of the previous related schemes for WSNs are mentioned in Section 2 and summarized in Table 3. We present a practical scenario to show that the proposed scheme can provide secure functionality and effectiveness for WSNs in IoT environments. Suppose that an adversary, Eve, undertakes to damage our scheme by executing the following attacks: guessing attack, stolen smart card attack, masquerade attack, replay attack, stolen verifier attack, insider attack, user anonymity attack, or GWN bypassing attack. Section 4 has shown that our scheme has the following abilities. Eve cannot directly obtain a user’s password by executing a password guessing attack. When Eve steals a user’s smart card, she cannot impersonate an authorized user to access the system. When Eve is even a legitimate user who pretends to be a different legitimate user, our scheme can protect against this masquerade attack. Moreover, Eve may undertake to replay some intercepted message to the GWN. Our scheme can provide resistance to replay attacks. Eve cannot breach the system by stealing the verification table. Even as an insider, Eve cannot acquire a password by executing any password guessing attack. Eve may intercept a login request message from the user to acquire the identification information, but the identification information of a user cannot be derived. Finally, Eve cannot forge an imitative message and send it straight to the sensor node to bypass the GWN. Moreover, our scheme has other security functionalities, which include updating passwords, choosing passwords freely, adding new users, and time synchronization avoidance. Our scheme provides a secure common session key and mutual authentication. Our scheme can thus protect against all listed attacks from Eve.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 3. Functionality comparison of our scheme with other related schemes.

https://doi.org/10.1371/journal.pone.0232277.t003

5.2. Performance evaluation

The proposed scheme comprises four phases: registration phase, login phase, authentication and key agreement phase, and password change phase. In a WSN environment, the performance of the authentication scheme is affected mainly by the authentication and key agreement phase [2, 7, 34, 35]. This phase is the main part of the authentication scheme and is what chiefly distinguishes it from the various authentication schemes in WSNs [2, 7, 34, 35]. Therefore, we focus our discussion on the performance comparison of the authentication and key agreement phase in the authentication schemes. The performance comparison is usually separated into communication costs and computational costs [2, 7, 34, 35, 42]. The computational costs are defined as the time spent by the user and service provider in the process [2, 7, 34, 35, 42]. By contrast, the communication costs are defined as the number of messages dispatched by the user and service provider in the process [9, 42]. The performance comparison of our scheme and previous related schemes is shown in Table 4. Table 4 presents the computational costs and communication costs of the authentication and key agreement phase in each authentication scheme run without the consideration of interference and packet loss [2, 7, 21, 34, 35]. The notation T_h is defined as the time complexity of the hash function; T_ecc is the time complexity of the encryption/decryption operation in elliptic curve cryptography (ECC) algorithm [7]. The computational costs of the exclusive-or operation are usually neglected because it necessitates minimal computations [2, 7, 34, 35]. We first analyze the computational costs of the authentication and key agreement phase for each scheme as follows:

1. In the authentication phase of the Ostad-Sharif et al. scheme [2], the user requires 10T_h to compute the parameters of the login request message and the response message. The GWN must spend 14T_h to compute the parameters in a response message for the user and a request message for the sensor node. The sensor node must expend 3T_h to confirm whether the verification equations hold. In addition, the user, GWN, and sensor node must expend 2T_h, 3T_h, and 2T_h separately to negotiate the shared session key in the key agreement phase. Accordingly, the total computational costs for the user, GWN, and sensor node are 12T_h, 17T_h, and 5T_h, respectively [2].
2. In the authentication phase of the Amin et al. scheme [34], the user requires 13T_h to compute the parameters of the login request message and the response message. The GWN must spend 14T_h to compute the parameters in a request message for the sensor node and a response message for the user. The sensor node must expend 2T_h to confirm whether the verification equations hold. In addition, the user, GWN, and sensor node must expend 1T_h, 3T_h, and 2T_h separately to negotiate the shared session key in the key agreement phase. Accordingly, the total computational costs for the user, GWN, and sensor node are 14T_h, 17T_h, and 4T_h, respectively [34].
3. In the authentication phase of the Chang et al. scheme [35], the user requires 3T_h to compute the parameters of the login request message. The sensor node must expend 1T_h to compute the parameters in a message for the GWN. The GWN must spend 5T_h to verify the login request. In addition, the user, GWN, and sensor node must expend 3T_h, 3T_h, and 4T_h separately to negotiate the shared session key in the key agreement phase. Accordingly, the total computational costs for the user, GWN, and sensor node are 6T_h, 8T_h, and 5T_h, respectively [35].
4. In the authentication phase of the Xue et al. scheme [7], the user requires 5T_h to compute the parameters of the login request message. The GWN must spend 11T_h to verify the login request message and compute the parameters of the request message for the sensor node. The sensor node must expend 3T_h to confirm whether the verification equations hold. Moreover, the user, GWN, and sensor node must expend 3T_h, 3T_h, and 3T_h separately to negotiate the shared session key in the key agreement phase. Accordingly, the total computational costs for the user, GWN, and sensor node are 8T_h, 14T_h, and 6T_h, respectively [7].
5. In the Khan et al. scheme [32], the user must expend 3T_h to generate a login request message. The GWN must expend 5T_h to confirm whether the verification equations hold and to calculate the parameters of the request message for the sensor node. The sensor node requires 2T_h to confirm whether the verification equations hold and to generate a response message for the GWN. However, the Khan et al. scheme does not provide the key agreement phase for the session key agreement.
6. In the Chen et al. scheme [33], the user must expend 4T_h to produce a login request message and to validate a response message. The GWN requires 5T_h to validate a login request message and to respond to a user’s request. The sensor node must expend 2T_h to verify the request message from the GWN and to generate a response message for the user. However, the Chen et al. scheme also does not provide any key agreement phase.
7. In the Das scheme [5], the user requires 3T_h to generate the login request message. The GWN must expend 4T_h to confirm whether the verification equations hold and to calculate the parameters of the request message for the sensor node. The sensor node requires 1T_h to confirm whether the verification equations hold and to generate a response message for the user. The Das scheme [5] does not provide the key agreement phase as well.
8. The Yeh et al. scheme [8] uses elliptic curve cryptography (ECC) to provide both the authentication phase and session key agreement phase. That scheme requires that the user, GWN, and sensor node expend 2T_ecc + 1T_h, 4T_ecc + 3T_h, and 2T_ecc + 2T_h separately to complete the authentication phase [7]. Moreover, the user, GWN, and sensor node must expend 1T_h, 1T_h, and 1T_h separately to compute a shared session key in the key agreement phase [7]. Accordingly, the total computational costs of the user, GWN, and sensor node are 2T_ecc + 2T_h, 4T_ecc + 4T_h, and 2T_ecc + 3T_h, respectively [7].
9. Our proposed scheme provides both the authentication phase and key agreement phase. In the authentication phase of our scheme, the user requires only 4T_h to calculate the parameters of a login request message. The GWN expends only 8T_h to verify the login request and to calculate the parameters of the request message for the sensor node. The sensor node requires only 3T_h to confirm whether the verification equations hold. In the key agreement phase, the user, GWN, and sensor node expend only 3T_h, 3T_h, and 3T_h, respectively, to negotiate the shared session key. Accordingly, the total computational costs for the user, GWN, and sensor node are 7T_h, 11T_h, and 6T_h, respectively.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 4. Performance comparison of our scheme with other related schemes.

https://doi.org/10.1371/journal.pone.0232277.t004

Our proposed scheme uses only the hash function and XOR operations to design a simple authentication and key agreement scheme. However, the Yeh et al. scheme [8] provides a authentication and key agreement scheme which is established by an asymmetric encryption algorithm (specifically, an ECC). According to an experimental finding obtained in a related study, the one-way hash function is computationally efficient. The time complexity of the hash function is less than that of an asymmetric ECC encryption operation [2, 3, 7, 34, 35]. The following is a practical example for the computational costs: In an environment with a CPU of 3.2 GHz and with 3.0 GB of RAM, completing a one-way hash operation requires 0.02 ms on average when using SHA-1, and completing an asymmetric ECC encryption operation requires 0.45 ms on average when using ECC-160 [7].

For the user in each scheme run, the Yeh et al. scheme requires 0.94 ms for 2T_ecc + 2T_h. The Amin et al. scheme requires 0.28 ms for 14T_h. The Ostad-Sharif et al. scheme requires 0.24 ms for 12T_h. By contrast, our scheme can perform the run in only 0.14 ms for 7T_h. Therefore, the computational load of the user in the proposed scheme is reduced to 14.89% compared with the Yeh et al. scheme and to 58.33% compared with the Ostad-Sharif et al. scheme.

For the GWN in each scheme run, the Yeh et al. scheme requires 1.88 ms for 4T_ecc + 4T_h. The Amin et al. scheme requires 0.34 ms for 17T_h. The Ostad-Sharif et al. scheme requires 0.34 ms for 17T_h. By contrast, our scheme can perform the run in only 0.22 ms for 11T_h. Therefore, the computational load of the GWN in the proposed scheme is reduced to 11.7% compared with the Yeh et al. scheme and to 64.7% compared with the Ostad-Sharif et al. scheme.

For the sensor node in each scheme run, the Yeh et al. scheme requires 0.96 ms for 2T_ecc + 3T_h. The Amin et al. scheme requires 0.08 ms for 4T_h. The Ostad-Sharif et al. scheme requires 0.1 ms for 5T_h. By contrast, our scheme can perform the run in 0.12 ms for 6T_h. Therefore, the computational load of the sensor node in the proposed scheme is reduced to 12.5% compared with the Yeh et al. scheme.

In Table 4, the total computational costs of the schemes of Yeh et al., Xue et al., Chang et al., Amin et al., Ostad-Sharif et al., and ours are 8T_ecc+9T_h, 28T_h, 19Th, 35Th, 34Th, and 24Th, respectively. Therefore, the total running time of the schemes of Yeh et al., Xue et al., Chang et al., Amin et al., Ostad-Sharif et al., and ours are 3.78, 0.56, 0.38, 0.7, 0.68, and 0.48 ms, respectively (Fig 6). Therefore, the total running time of our scheme is 12.7%, 85.7%, 68.6%, and 70.6% of that of the schemes of Yeh et al., Xue et al., Amin et al., and Ostad-Sharif et al., respectively. Although the total running time of our scheme (0.48 ms) is slightly greater than that of the Chang et al. scheme (0.38 ms), our scheme can overcome the security weaknesses of previous related schemes and provide greater security functionality (Table 3).

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 6. Comparison of running time.

https://doi.org/10.1371/journal.pone.0232277.g006

The energy consumption of the Yeh et al. scheme [8] is ascribed chiefly to the asymmetric ECC cryptosystem and hash functions. By contrast, the energy consumption of our scheme is principally attributed to the hash functions. As mentioned, the energy consumption for executing the hash function is much lower than that for executing an asymmetric ECC cryptosystem [38, 39]. A practical example follows: While using SHA-1 to compute the hash value, a 1-byte data packet requires 0.76 μJ of energy [43, 38, 39]. Nevertheless, a 163-bit ECC asymmetric cryptosystem requires 134.2 mJ of energy [38, 39]. As previously discussed, the total computational costs of the schemes of Yeh et al., Xue et al., Chang et al., Amin et al., Ostad-Sharif et al., and ours are 8T_ecc+9T_h, 28T_h, 19T_h, 35T_h, 34T_h, and 24T_h, respectively (Table 4). Consequently, the total energy consumption levels of the schemes of Yeh et al., Xue et al., Chang et al., Amin et al., Ostad-Sharif et al., and ours are 1073606.8, 21.3, 14.4, 26.6, 25.8, and 18.2 μJ, respectively. Consequently, in each scheme run, the total energy consumed by our scheme is 0.0017%, 85.4%, 68.4%, and 70.5% of that consumed by the schemes of Yeh et al., Xue et al., Amin et al., and Ostad-Sharif et al., respectively (Fig 7). Because the total energy consumption of the Yeh et al. scheme is excessive relative to other schemes, it cannot be shown in Fig 7. Although the total energy consumption of our scheme (18.2 μJ) is slightly greater than that of the Chang et al. scheme (14.4 μJ), our scheme provides superior security functionality to overcome the weaknesses of previous schemes (Table 3).

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 7. Comparison of energy consumption.

https://doi.org/10.1371/journal.pone.0232277.g007

As mentioned, the communication cost accounts for the number of messages transmitted. A low number of transmitted messages results in less consumption for the message overhead [9, 42]. In completing the authentication and key agreement phase, the total numbers of transmitted messages of the schemes of Ostad-Sharif et al., Amin et al., Chang et al., Xue et al., Yeh et al., and ours are 6, 6, 4, 4, 3, and 4, respectively (Table 4). Although the communication costs of the proposed scheme (4 transmitted messages) is slightly greater than the Yeh et al. scheme (3 transmitted messages), the Yeh et al. scheme is subject to high computational costs (3.78 ms, Fig 6) and large energy consumption (1073606.8 μJ) due to its use of ECC.

In this subsection, we demonstrate that our scheme is highly efficient because of the superior performance: low computational cost (0.14 ms for the user, 0.12 ms for the sensor node, and 0.22 ms for the GWN), low energy consumption (18.2 μJ for the authentication and key agreement phase), and low communication cost (4 transmitted messages for the authentication and key agreement phase, 0 transmitted messages for the password change phase).