An Efficient and Secure Authentication Scheme with Session Key Negotiation for Timely Application of WSNs

Abstract

For Internet of Things, it is more preferred to have immediate access to environment information from sensor nodes (SNs) rather than from gateway nodes (GWNs). To fulfill the goal, mutual authentication scheme between user and SNs with session key (SK) negotiation is more suitable. However, this is a challenging task due to the constrained power, computation, communication and storage resources of SNs. Though lots of authentication schemes with SK negotiation have been designed to deal with it, they are still insufficiently secure and/or efficient, and some even have serious vulnerabilities. Therefore, we design an efficient secure authentication scheme with session key negotiation (eSAS2KN) for wireless sensor networks (WSNs) utilizing fuzzy extractor technique, hash function and bitwise exclusive-or lightweight operations. In the eSAS2KN, user and SNs are mutually authenticated with anonymity, and an SK is negotiated for their direct and instant communications subsequently. To prove the security of eSAS2KN, we give detailed informal security analysis, carry out logical verification by applying BAN logic, present formal security proof by employing Real-Or-Random (ROR) model, and implement formal security verification by using AVISPA tool. Finally, computation and communication costs comparison show the eSAS2kN is more efficient and secure for practical application.

1. Introduction

In Internet of Things environment, wireles[s sensor networks (WSNs) act as a bridge, which links the real physical world and impalpable virtual world, and provide the possibility and feasibility to observe and analyze the monitoring objects with a good resolution [1]. Nowadays, WSNs have been widely applied in environment monitoring, disaster alert, healthcare, and military sensing and tracking [2-7]. The WSNs are consisted of a great many scattered sensor nodes (SNs), which are deployed to gather environmental information and transmit it to gateway nodes (GWNs) wirelessly. In WSNs, the GWNs are the most powerful nodes with rich computation and storage resources. However, the SNs are terribly resource-constraint, for example, with insufficient memory capacity, weak computing capability, and limited transmission range. Since WSNs are often randomly scattered in an unattended specific area, an adversary may easily capture a sensor node and extract the secrets from its tamper-prone memory with cost effectiveness. In addition, owing to WSN's open and wireless communication nature, malicious SNs may intercept, replay and even modify the transmitted messages. Moreover, user’s privacy, including user's identity, gender, access time and access habits, is vulnerable to leakage. Therefore, how to ensure the safety and stabilization of WSNs and how to prevent unauthorized disclosure of user's privacy becomes the most important and critical issue.

Generally, users can access the collected data from the GWNs. However, for some emergency scenarios, users hope to obtain environment information timely from some specific SNs instead of from the GWNs. For these cases, the most efficient and feasible method is mutual authentication with session key (SK) negotiation. For confidential and integral data transmission, user and SNs should be mutually authenticated, and a shared SK should be negotiated for subsequent secure data transmission. That is to say, the SNs should have the ability of verifying the user's legitimacy based on the transmitted packets from the user. Meanwhile, the user should also have the ability of verifying the legitimacy of SNs based on the received packets from the SNs. Moreover, SK should be securely negotiated and allocated to the user and the SNs after the mutual authentication has been achieved.

However, it’s so challenging to achieve mutual authentication with SK negotiation due to the SNs' poor power supply, computation ability, communication ability and storage capacity. The conventional schemes are not suitable for WSNs, which is a distributed ad-hoc like networks consisted of a variety of resource-constrained SNs. The most common security mechanism for WSNs is symmetric cryptography [8-9]. These solutions are efficient and simple to implement, however, the same symmetric key for different sessions will make the SNs susceptible to higher risks in unsupervised and unprotected environments [10-11]. Moreover, the solutions are hard to establish a shared secret key beforehand and have nonsupport of non-repudiation. Therefore, some researches focus on public-key cryptography solutions. These solutions do not need to distribute keys in advance and to share pairwise keys. However, these public-key cryptography solutions are too computationally expensive for the resource-constrained SNs if not accelerated by adopting cryptographic hardware. Recently, new trust models have been proposed to secure emergency message dissemination in VANETs, and trust evaluation scheme for federated learning in a digital twin for mobile networks [12-14].

Since a person’s biometrics may vary slightly occasionally [15], high rejection probability will happen in the login phase if conventional bio-hashing technique is adopted [16]. For successful biometric verification in login phase, fuzzy extractor technique [17] is adopted in our efficient secure authentication scheme with session key negotiation (eSAS2KN). Due to the smartcard’s characteristics of convenience and security, and the user’s biometric characteristics of uniqueness, therefore, we aim to design a more lightweight three-factor authentication in terms of password, smartcard and user’s biometrics to achieve mutual authentication and session key negotiation utilizing the lightweight cryptographic primitives such as hash and XOR operations.

The main contributions of our work are five folds. 1) A computing-efficient eSAS2KN is proposed for multi-gateway WSNs, which achieves mutual authentication of user, gateway node, and sensor node, as well as negotiating a session key for timely and direct communications between user and the specific sensor nodes. 2) The anonymous three-factor authentication with session key negotiation scheme not only strengthens the security and privacy of the eSAS2KN, but also decreases the user’s login-rejection probability in the login phase. 3) The session key is both verified in Msg3 when sensor node is authenticated by gateway node, and verified in Msg4 when the gateway node is authenticated by user, respectively, which greatly improves the confidentiality of real-time communications between user and the specific sensor nodes. 4) Informal security analysis, BAN logical verification, ROR-based formal security proof, and AVISPA-based formal security verification are implemented to prove the security of the eSAS2KN; and 5) Computation overhead and communication overhead are compared with those of relevant schemes to show the efficiency of the proposed eSAS2KN.

2. Related Work

For legitimate access of WSNs and ensuring the confidentiality and reliability of the transmitted information, a variety of mutual authentication with SK negotiation schemes, which are supplemented with long-term secret keys stored in smart card (SC), have been developed in the past decades [18–28].

In 2009, Das [18] first proposed an authentication with SK negotiation protocol between user and SNs by using password and smart card (SC) in WSNs. The protocol well suits the environment of WSNs due to its low computation cost. However, Das’s protocol was found not secure against several attacks by several researchers. In 2010, Khan et al. [19] first stated Das’s protocol has no password change operations, and more likely to incur privileged-insider attacks as well as GWNs bypassing attacks. Chen et al. [20] also indicated Das’s protocol failed in mutual authentication of two communication parties, and not immune to parallel session attacks. Meanwhile, He et al. [21] also indicated Das’s protocol easily suffers from impersonation and privileged-insider attacks.

In the following years, several works focus on solving the mutual authentication with session key negotiation in WSNs. In 2011, Yeh et al. [22] indicated several security defects existing in Das’s protocol, and proposed a strengthened authentication scheme with SK negotiation by applying Elliptic Curve Cryptosystem. Nevertheless, several researchers claimed that Yeh et al.’s scheme is time consuming due to scalar multiplications on elliptic curve, and still more likely to incur several attacks. In 2012, several security vulnerabilities such as lack of key negotiation, captured sensor node impersonation (CSNI) attacks, and stolen/lost smart card (SLSC) attacks in both Das’s protocol and its derivatives [19, 20] were indicated by Vaidya et al. [23]. In 2013, Xue et al. [24] put forward a scheme, in which user, GWNs and SNs can mutually authenticate each other by applying temporary credential, hash and XOR operations. The scheme has more security features and high security level with little increase in computation and communication costs, and storage capacity. In 2014, Kim et al. [25] claimed Vaidya et al.’s protocol is more likely to suffer from impersonation attacks and GWNs bypassing attacks. He also proposed an enhanced lightweight authentication scheme with SK negotiation. In 2015, Chang et al. [26] indicated Kim et al.’s protocol is likely to suffer from man-in-the-middle (MITM) attacks, CSNI attacks, SLSC attacks, user’s privacy leakage, and SK violation attacks. To eradicate these security pitfalls, He also devised an improved authentication scheme with SK negotiation by using dynamic identity. In 2016, Park et al. [27] indicated Chang et al.’s protocol is still vulnerable to offline password guessing (OPG) attacks, secure issues in perfect forward, and incorrectness of password change, and also designed an enhanced authentication scheme with SK negotiation. In 2017, Jung et al. [28] claimed Chang et al.’s scheme is vulnerable to OPG attacks, user impersonation attacks, SK compromising attacks. Moreover, the scheme has no SK verification, and has high load on GWNs. To eliminate these security vulnerabilities or defects, He also designed an improved authentication scheme with SK negotiation for WSNs environments.

In recent years, more attentions are paid to this subject. In 2018, Amin et al. [29] proposed a MBS-UAKA protocol for WSNs with multiple base station. The user authentication with key agreement achieves secure communication and authentication. In 2019, Soni et al. [30] designed an improved scheme, which efficiently eliminates both active and passive attacks, used for patient monitoring WSNs. In 2020, Ali et al. [31] proposed a robust scheme for secure communications of WSNs-based healthcare system, which achieves authentication and access control. In 2021, Wu et al. [32] put forward a fresh three-factor authentication scheme for WSNs. In 2022, Dai et al. [33] also put forward a three-factor authentication scheme based on ECC technique for multi-gateway WSNs. In spite of great improvements, these schemes are still insufficiently secure or efficient, and some fail in achieving user anonymity and untraceability. Some cannot achieve lightweight because of their heavy computation costs and communication costs. More seriously, some are vulnerable to SK leakage attacks. Moreover, the biometrics of the same person may slightly vary occasionally [15], therefore, high rejection probability occurs if conventional bio-hashing technique is applied in the design of authentication protocols. In addition, biometric data is vulnerable to a variety of noise in the phase of data acquisition. Worse yet, the regeneration of user’s real biometrics may succeed in cheating GWNs or SNs in common practice.

To overcome these defects in biometric data acquisition, we resort to fuzzy extractor method [17, 34–36] to generate a random string with uniform distribution and a public parameter according to its input biometrics within a given error tolerance. Therefore, we are greatly inspired to design the eSAS2KN by utilizing the fuzzy extractor, smartcard, lightweight operations such as hash function, and bitwise exclusive-or computation for multi-gateway WSNs. The novelty of eSAS2KN lies in four folds. 1) Mutual authentications are achieved between any two of a user, a GWN, and a SN, and an SK between a user and the specific SN is negotiated for their timely, direct and subsequent secure communications; 2) User’s anonymity and privacy protection are achieved; 3) Session key establishment and verification are incorporated into the authentication phases, which strengthens the communication confidentiality between user and the specific SN, and 4) The user’s login-rejection probability is decreased in the login phase.

3. Network Model and Threat Model

For clearly elaborate the proposed eSAS2KN, we first present network model, and then the threat model in this section.

3.1 Network Model

In the eSAS2KN, there are K gateway nodes (GWNs), each of which severs J sensor nodes (SNs) scattered in the vicinity of GWN_k, as shown in Fig. 1. The resource-constrained SNs in the specific area are used to harvest the desired environment information. Each GWN is deployed in the center of J SNs to aggregate the collected environment information and forward it to the specific user U_i. The U_i in the vicinity of GWN_k and the sensor node S_j can obtain the environment information from the specific GWN_k or directly from the specific S_j for real-time applications. In addition, all the users, GWNs and SNs are synchronized with the same clock.

Fig. 1. Network model of eSAS2KN

3.2 Threat Model

In eSAS2KN, all the SNs are assumed to be untrustworthy, however, all the GWNs are trustworthy and cannot be compromised. The DY model [37] is employed to evaluate the security of eSAS2KN. Under this threat model, any node can launch communications with the other via public (insecure) channels. Any adversary has the ability to intercept the transmitted messages, alter or even delete the message contents, and inject bogus messages via public channels. Moreover, the secrets stored in the memory of a legitimate user’s SC can be extracted through power analysis [38–41]. However, the secrets stored in the memory of any GWN cannot be extracted through power analysis.

In the eSAS2KN, CK model is also utilized to analyze and evaluate the security of key-exchange protocols [42,43]. Under this threat model, any adversary has the ability to send messages, compromise secrets including the SK, secret key, and session state. As a result, temporary session secrets, SK and long-term private keys may be leaked in the phase of key exchange, which will directly threaten the other previous and/or future session keys [44].

4. The eSAS2KN Scheme

In the eSAS2KN, mutual authentication is achieved among U_i, GWN_k and S_j. In addition, an SK is negotiated between U_i and S_j under the coordination of GWN_k after mutual authentication. With the computed SK, U_i and S_j can achieve timely, direct and secure communications without the GWN_k′s intervention. The main notations and their corresponding descriptions are listed in Table 1.

Table 1. Notations and corresponding description

4.1 Registration Phase

The registration phase of eSAS2KN consists of two parts. One is for user registration, the other for sensor node registration, which is shown in Fig. 2.

4.1.1 User Registration

For registration, U_i transmits a request message to the nearest GWN_k through a secure channel. Succeeded in verifying the U_i′s identity, the GWN_k issues an S_i to U_i. The user registration process is described in the following steps, which are illustrated in the left part of Fig. 2.

Fig. 2. Registration process of eSAS2KN.

UR1: U_i selects his ID_i and PW_i, then imprints his BIO_i on a biometric sensor.

UR2: U_i generates a nonce RN_i, then computes PID_i = h(ID_i║RN_i).

UR3: U_i computes Gen(BIO_i) = (σ_i, τ_i), HPW_i = h(PW_i║σ_i), and then sends the message <PID_i, HPW_i> to the GWN_k for registration.

UR4: The GWN_k stores HPW_i in its memory and calculates HID_i = h(PID_i║K), XS_i = h(HID_i║K), A_i = h(HPW_i║XS_i)⊕HID_i, B_i = h(PID_i║XS_i) and C_i = XS_i ⊕h(IDS_i║HPW_i), and then writes (IDS_i, HID_i, h(·), A_i, B_i, C_i) to the memory of SC_i, and finally issues SC_i to U_i via a secure channel.

UR5: U_i calculates D_i = h(PW_i)⊕RN_i, then writes D_i and τ_i into the SC_i.

4.1.2 Sensor Node Registration

For sensor node registration, S_j first sends its hashed identity PID_j to the nearest GWN_k. On receiving the registration request from S_j, the GWN_k stores PIDj in its memory, calculates HID_j, A_j and B_j, and then sends them to S_j in secure means. After receiving the parameters HID_j, A_j and B_j, the S_j writes them to its memory. The detailed registration phase of sensor node is presented in the following steps, which are illustrated in the right part of Fig. 2.

SR1: S_j chooses SID_j as its identity, generates a random nonce RN_j, and calculates PID_j = h(SID_j║RN_j), then sends PID_j to GWN_k for registration through a secure channel.

SR2: GWN_k stores PID_j in its memory, calculates HID_j = h(PID_j║K), XS_j = h(HID_j║K), A_j = h(XS_j║RN_k)⊕HID_j, B_j = XS_j⊕h(PID_j), and then sends <HID_j, A_j, B_j> to S_j through a secure channel.

SR3: S_j stores the parameters(HID_j, A_j, B_j) in its memory.

4.2 Login and Authentication Phase

This phase is used to achieve mutual authentication and session key negotiation between U_i and S_j with the coordination of GWN_k. The detailed process of login, authentication, and session key negotiation is illustrated in the following steps, which are shown in Fig. 3.

Fig. 3. Login and authentication process of eSAS2KN

LA1: U_i puts SC_i on a card reader, types in its ID_i and PW_i, then imprints his BIO*_i through a biometric sensor. (BIO*_i means that the input biometrics are slightly different from the original BIO_i)

LA2: SC_i computes σ*_i = Rep(BIO*_i, τ_i) provided that HD(BIO_i, BIO*_i) < t, HPW*i = h(PWi║σ*_i), RN_i = D_i⊕h(PW_i), PID_i = h(ID_i║RN_i), XS*_i = C_i⊕h(IDS_i║HPW*_i) and B*_i = h(PID_i║XS*_i).

LA3: SC_i verifies B*_i = ? B_i. If not satisfied, SC_i terminates the login, authentication, and session key phase; otherwise, SC_i calculates k_i = h(XS_i║T⁽¹⁾_i, DID_i = h(HPW_i║XS_i)⊕k_i, and M_Ui,Gk = h(A_i║XS_i║T⁽¹⁾_i), where G_k refers to GWN_k for short.

LA4: U_i transmits the message Msg1:<DID_i, HID_i, M_Ui,Gk,T⁽¹⁾_i> to the GWN_k as a login request.

LA5: Upon receiving the login request, GWN_k checks |T⁽¹⁾_Gk - T⁽¹⁾_i|≤ΔT. If not satisfied, the login, authentication, and session key negotiation process stop; otherwise, goes to the next step.

LA6: GWN_k calculates XS_i = h(HID_i║K), k_i = h(XS_i║T⁽¹⁾_i), A_i = DID_i ⊕ k_i ⊕ HID_i, and M*_Ui,Gk = h(A_i║XS_i║T⁽¹⁾_i), then verifies M*_Ui,Gk = ? M_Ui,Gk. If does not hold, the login, authentication, and session key negotiation process stop; otherwise, goes to the next step.

LA7: GWN_k generates a nonce RN_k, gets PID_j and K from its memory, and then computes HID_j = h(PID_j║K), XS_j = h(HID_j⊕K), M_j = h(XS_j║RN_k)║⊕HID_i, N_j = h(PID_j║XS_j)⊕HID_j, and M_Gk,Sj = h(HID_i║M_j║N_j║T⁽²⁾_Gk), and finally transmits the message Msg2:<HID_i, PID_j, M_Gk,Sj, T⁽²⁾_Gk > to S_j.

LA8: On receiving Msg2 fromGWN_k, S_j checks |T⁽¹⁾_j - T⁽²⁾_Gk|≤ΔT. If not satisfied, the login and authentication process stops; otherwise, S_j computes M_j = A_j⊕HID_j⊕HID_i, XS_j = B_j⊕h(PID_j), N_j = h(PID_j║XS_j)⊕HID_j, and M*_Gk,Sj = h(HID_i║M_j║N_j║T⁽²⁾_Gk).

LA9: S_j verifies M*_Gk,Sj = ?M_Gk,Sj. If not satisfied, the login and authentication process stops; otherwise, S_j calculates SK_j = h(HID_i║M_j║N_j║T⁽²⁾_j), and M_Sj,Gk = h(HID_j║HID_i║SK_j║M_j║N_j║T⁽²⁾_j), then transmits the message Msg3 :<M_Sj,Gk, HID_i, T⁽²⁾_j> to GWN_k.

LA10: On receiving Msg3 ,GWN_k checks |T⁽³⁾_Gk - T⁽²⁾_j|≤ΔT. If not satisfied, the login and authentication process stops; otherwise, GWN_k calculates HID_j = h(PID_j║K), XS_j = h(HID_j║K), M_j = h(XS_j║RN_k)⊕HID_i, N_j = h(PID_j║XS_j)⊕HID_j, SK_j = h(HID_i║M_j║N_j║T⁽²⁾_j), M*_Sj,Gk = h(HID_j║HID_i║SK_j║M_j║N_j║T⁽²⁾_j).

LA11: GWN_k verifies M*_Sj,Gk = ?M_Sj,Gk. If not satisfied, the authentication process stops; otherwise, GWN_k gets HPW_i and K from its memory and computes XS_i = h(HID_i║K), P_i = h(HPW_i║XS_i)⊕RN_kand M_Gk,Ui = h(HID_i║P_i║SK_j║M_j║N_j║T⁽⁴⁾_Gk), then transmits the message Msg4:<M_Gk,Ui, HID_i, P_i, XS_j, N_j, T⁽²⁾_j, T⁽⁴⁾_Gk> to U_i.

LA12: On receiving Msg4, U_i checks |T⁽²⁾_i - T⁽⁴⁾_Gk|≤ΔT. If not satisfied, the login and authentication process stops; otherwise, U_i computes RN_k = P_i⊕A_i⊕HID_i, M_j = h(XS_j║RN_k)⊕HID_i, SK_j = h(HID_i⊕M_j⊕N_j⊕T⁽²⁾_j) and M*_Gk,Ui = h(HID_i⊕P_i⊕SK_j⊕M_j⊕N_j⊕T⁽⁴⁾_Gk).

LA13: U_i verifies M*_Gk,Ui = ?M_Gk,Ui. If not satisfied, the login and authentication process stop; otherwise, U_i computes SK_i = h(HID_i║M_j║N_j║T⁽²⁾_j). Now, mutual authentications among U_i, GWN_k and S_j are achieved, and session keys SK_j and SK_i are computed from S_j and U_i, respectively.

4.3 Password and Biometrics Updating Phase

For security consideration, a legitimate user hopes to alter his/her current password to a new one, and/or to change the current memory-stored biometric template to a new one. To this end, the eSAS2KN provides password and biometrics updating function. The detailed password and biometrics updating process is described as the following steps, which are illustrated in Fig. 4.

Fig. 4. Password and biometrics updating process of eSAS2KN.

U1: U_i puts SCd on a card reader, types in the currently used ID_i and PW_i, and imprints his BIO*_i.

U2: SC_i computes σ*_i = Rep(BIO*_i, τ_i), HPW*_i = h(PW_i║σ*_i), RN_i = D_i⊕h(PW_i), PID_i = h(ID_i║RN_i), XS*_i = C_i⊕h(IDS_i║HPW*_i) and B*_i = h(PID_i║XS*_i).

U3: SC_i verifies B*_i = ?B_i. If unsuccessful, the password and biometrics updating process stops; otherwise, the next step proceeds.

U4: U_i imprints its new biometrics BIO^new_i and/or input a new password PW^new_i, then SC_i computes σ^new_i = Rep(BIO^new_i, τ_i), HPW^new_i = h(PW^new_i║σ^new_i), RN^new_i = D_i⊕h(PW^new_i), PID^new_i = h(ID_i║RN^new_i), XS^new_i = C_i⊕h(IDS_i║HPW^new_i), A^new_i = h(HPW^new_i║XS^new_i)⊕HID_i, B^new_i = h(PID^new_i║XS^new_i), C^new_i = XS^new_i⊕h(IDS_i║HPW^new_i), D^new_i = h(PW^new_i)⊕RN^new_i, and HID^new_i = A^new_i⊕h(HPW^new_i║XS^new_i).

U5: SC_i/U_i replaces the current A_i, B_i, C_i, D_i and HID_i with the newly computed A^new_i, B^new_i, C^new_i, D^new_i, and HID^new_i, respectively. Finally, the parameters (IDS_i, HID^new_i, h(·), A^new_i, B^new_i, C^new_i, D^new_i, τ_i) are stored in SC_i.

5. Security Analysis

To evaluate the scheme’s security, we give detailed informal security analysis, formal security proof, as well as formal security verification of eSAS2KN.

5.1 Informal Security Analysis

User Anonymity: In eSAS2KN, an attacker \(\begin{align}\mathcal{A}\end{align}\) cannot obtain ID_i even though he/she obtains HID_i from the extracted parameters (IDS_i, HID_i, h(·), A_i, B_i, C_i, D_i, τ_i) by power analysis attack [38-41] from the memory of SLSC or from the intercepted messages Msg1, Msg2, Msg3 and/or Msg4. Since the secret K is only possessed by the trusted GWN_k, \(\begin{align}\mathcal{A}\end{align}\)cannot obtain it. Without K, \(\begin{align}\mathcal{A}\end{align}\) cannot guess PID_i from HID_i = h(PID_i║K). Without RN_i and PID_i, \(\begin{align}\mathcal{A}\end{align}\) cannot guess ID_i from PID_i = h(ID_i║RN_i). Therefore, the proposed eSAS2KN has the feature of user anonymity.

Man-in-the-Middle Attack (MITM): If \(\begin{align}\mathcal{A}\end{align}\) wants to launch a MITM attack to cheat GWN_k through forging/altering the transmitted Msg1, he/she must obtain a legitimate user’s SC_i, ID_i ,PW_i and BIO_i. WithoutBIO_i, \(\begin{align}\mathcal{A}\end{align}\) cannot compute U_i's biometric secret σ_i according to σ*_i = Rep(BIO*_i, τ_i). Without U_i's password PW_i and smartcard SC_i, \(\begin{align}\mathcal{A}\end{align}\) cannot compute the nonce RN_i according to RN_i = D_i⊕h(PW_i). Without password PW_i and biometric secret σ_i, \(\begin{align}\mathcal{A}\end{align}\) cannot compute U_i's hash password HPW*_i according to HPW*_i = h(PW_i║σ*_i). Without HPW*_i and SC_i, \(\begin{align}\mathcal{A}\end{align}\) cannot compute XS*_i according to XS*_i = C_i⊕h(IDS_i║HPW*_i). If \(\begin{align}\mathcal{A}\end{align}\) cannot obtain XS_i and HPW_i, he/she will not compute DID_i and M_Ui,Gk according to DID_i = h(HPW_i║S_i)⊕h(XS_i║T⁽¹⁾_i) and M_Ui,Gk = h(A_i║XS_i║T⁽¹⁾_i), respectively. Therefore, \(\begin{align}\mathcal{A}\end{align}\) cannot forge Msg1:<DID_i, HID_i, M_Ui,Gk, T⁽¹⁾_i> to cheat GWN_k.

If \(\begin{align}\mathcal{A}\end{align}\) wants to launch a MITM attack to cheat U_i through forging/altering the transmitted Msg4 , he/she must obtainPID_j and secret K. However, all the GWNs are trustworthy and cannot be compromised, so \(\begin{align}\mathcal{A}\end{align}\) cannot extract PID_j and K from the memory of GWN_k. Without PID_j and K, \(\begin{align}\mathcal{A}\end{align}\) cannot compute HID_j according to HID_j = h(PID_j║K) and XS_j according to, XS_j = h(HID_j║K) respectively. Without HID_j and XS_j, \(\begin{align}\mathcal{A}\end{align}\) cannot compute M_j and N_j according to M_j = h(XS_j║RN_k)⊕HID_i and N_j = h(PID_j║XS_j)⊕HID_j, respectively. Without M_j and N_j, \(\begin{align}\mathcal{A}\end{align}\) cannot compute M_Gk,Ui according to M_Gk,Ui = h(HID_i║P_i║SK_j║M_j║N_j║T⁽⁴⁾_Gk), let alone to forge Msg4:<M_Gk,Ui, HID_i, P_i, XS_j, N_j,T⁽²⁾_j, T⁽⁴⁾_Gk> to cheat U_i.

If \(\begin{align}\mathcal{A}\end{align}\) wants to launch MITM attacks to cheat S_j through forging/altering the transmitted Msg2, he/she must obtain PID_j and the secret K. However, PID_j and K are stored in the memory of the trusted GWN_k. Without PID_j and K, \(\begin{align}\mathcal{A}\end{align}\) cannot computes M_j and N_j according to M_j = h(XS_j║RN_k)⊕HID_i and N_j = h(PID_j║XS_j)⊕HID_j, respectively. Without M_j and N_j, \(\begin{align}\mathcal{A}\end{align}\) cannot compute M_Gk,Sj = h(HID_i║M_j║N_j║T⁽²⁾_Gk), let alone to forge Msg2<HID_i, PID_j, M_Gk,Sj, T⁽²⁾_Gk> to cheat S_j.

If \(\begin{align}\mathcal{A}\end{align}\) wants to launch a MITM attack to cheat GWN_k through forging/altering the transmitted Msg3 , he/she must obtain M_j and N_j to compute SK_j = h(HID_i║M_j║N_j║T⁽²⁾_j). However, \(\begin{align}\mathcal{A}\end{align}\) cannot obtain M_j and N_j, which has been analyzed above. Without SK_j, \(\begin{align}\mathcal{A}\end{align}\) cannot compute M_Sj,Gk according to M_Sj,Gk = h(HID_j║HID_i║SK_j║M_j║N_j║T⁽²⁾_j). Therefore, \(\begin{align}\mathcal{A}\end{align}\) cannot forge Msg3: <M_Sj,Gk, HID_i, T⁽²⁾_j> to cheat GWN_k.

Based on the above analysis, it can be concluded that MITM attacks are resisted in eSAS2KN.

Mutual Authentication with Key Agreement: In the eSAS2KN, U_i is authenticated by GWN_k through verifying Msg1: <DID_i, HID_i, M_Ui,Gk, T⁽¹⁾_i> by checking M*_Ui,Gk = ?M_ui,Gk. Similarly, S_j is authenticated by GWN_k through verifying Msg3:<M_Sj,Gk, HID_i, T⁽²⁾_j> by checking M*_Sj,Gk = ?M_Sj,Gk. In addition, GWN_k is authenticated by U_i through verifying Msg4:<M_Gk,Ui, HID_i, P_i, XS_j, N_j, T⁽²⁾_j, T⁽⁴⁾_Gk> by checking M*_Gk,Ui = ?M_Gk,Ui. Likewise, GWN_k is authenticated by S_j through verifying Msg2: <HID_i, PID_j, M_Gk,Sj, T⁽²⁾_Gk> by checking M*_Gk,Sj = ?M_Gk,Sj. Moreover, SK_j and SK_i can be computed at S_j and U_i ends, respectively, for their subsequent secure communications. In view of the above analysis, it can be concluded that the proposed eSAS2KN has the feature of mutual authentication and achievement of SK negotiation.

Withstands Replay Attack: In the eSAS2KN, all the sent or received messages are labelled with the sender's current timestamps, such as T⁽¹⁾_i, T⁽¹⁾_G and T⁽¹⁾_j. It is impossible for A to login to GWN_k, and to tamper the intercepted messages to cheat S_j or U_i as legal GWN_k, or to cheat GWN_k as a legal S_j or U_i. Therefore, the proposed eSAS2KN has the feature of withstanding replay attacks.

Withstands SLSC Attack: In the eSAS2KN, even if \(\begin{align}\mathcal{A}\end{align}\) succeeds in extracting the parameters (IDS_i, HID_i, h(·), A_i, B_i, C_i, D_i, τ_i) stored in the stolen or lost SC_i through power analysis attack [38-41], he/she still has no chance to launch malicious attacks. If \(\begin{align}\mathcal{A}\end{align}\) wants to guess the user's ID_i according to PID_i = h(ID_i║RN_i), he/she must obtain the secret K and h(PW_i) in advance. If \(\begin{align}\mathcal{A}\end{align}\) has the secret K, he/she can guess PID_i according to HID_i = h(PID_i║K) with the extracted HID_i from the stolen or lost SC_i. If \(\begin{align}\mathcal{A}\end{align}\) has h(PW_i), he/she can computes RN_i according to RN_i = D_i⊕h(PW_i) with the extracted D_i from the stolen or lost SC_i. However, due to the trustworthiness of GWN_k, \(\begin{align}\mathcal{A}\end{align}\) cannot obtain the secret K. Without knowing the random nonce RN_i, \(\begin{align}\mathcal{A}\end{align}\) cannot compute h(PW_i) according to h(PW_i) = D_i⊕RN_i). Therefore, \(\begin{align}\mathcal{A}\end{align}\) cannot guess the user's ID_i according to PID_i = h(ID_i║RN_i). Not knowing ID_i, \(\begin{align}\mathcal{A}\end{align}\) cannot imitate a legitimate user to cheat S_j or GWN_k. Therefore, the proposed eSAS2KN has the feature of withstanding SLSC attacks.

Withstands OPG Attack: In the eSAS2KN, if \(\begin{align}\mathcal{A}\end{align}\) hopes to guess offline the correct PW_i according to HPW_i = h(PW_i║σ_i), he/she has to obtain HPW_i and a legitimate user's biometric secret key σ_i. However, \(\begin{align}\mathcal{A}\end{align}\) cannot obtain HPW_i and σ_i. The HPW_i cannot be extracted because it is stored in the memory of GWN_k, which is a trustworthy node. In addition, without a legitimate user's BIO_i, \(\begin{align}\mathcal{A}\end{align}\) will unachievably compute σ_i according to Gen(BIO_i) = (σ_i, τ_i). Therefore, the proposed eSAS2KN has the feature of withstanding OPG attacks.

Withstands CSNI Attack: In the eSAS2KN, if S_j is compromised by a malicious \(\begin{align}\mathcal{A}\end{align}\), the parameters (HID_j, A_j, B_j) stored in S_j's memory are all known to \(\begin{align}\mathcal{A}\end{align}\). However, \(\begin{align}\mathcal{A}\end{align}\) cannot compute the secret information of both U_i and GWN_k. Suppose that SK_i = h(HID_i║M_j║N_j║T⁽²⁾_j) is computed by U_i in the current session. However, the old or the future session keys will not be known to \(\begin{align}\mathcal{A}\end{align}\). When the comprised S_j receives the request <HID_i, PID_j, M_Gk,Sj, T⁽²⁾_Gk> from GWN_k, \(\begin{align}\mathcal{A}\end{align}\) can retrieve M_j, XS_j, N_j. However, these parameters have no relation to U_i. Therefore, \(\begin{align}\mathcal{A}\end{align}\) will not be able to impersonate U_i in the future. Although \(\begin{align}\mathcal{A}\end{align}\) can successfully retrieve XS_j from GWN_k's request to the compromised S_j, \(\begin{align}\mathcal{A}\end{align}\) cannot derive the GWN_k's secret K according to XS_j = h(HID_j║K). Without K, \(\begin{align}\mathcal{A}\end{align}\) will not be able to impersonate the GWN_k. Therefore, the proposed eSAS2KN has the feature of withstanding CSNI attacks.

Withstands GWNs Bypassing Attack: In the eSAS2KN, even if \(\begin{align}\mathcal{A}\end{align}\) captures a legal user's SC_i and succeeds in extracting the parameters (IDS_i, HID_i, h(·), A_i, B_i, C_i, D_i, τ_i) stored in the memory of SC_i, he/she cannot cheat S_j by impersonating GWN_k. Since \(\begin{align}\mathcal{A}\end{align}\) cannot obtain PID_j and the secret K, which is owned only by the trusted GWN_k, he/she cannot compute HID_j according to HID_j = h(PID_j║K), let alone XS_j. Without XS_j, \(\begin{align}\mathcal{A}\end{align}\) cannot compute M_j and N_j. Without M_j and N_j, \(\begin{align}\mathcal{A}\end{align}\) will fail to compute M_Gk,Sj according to M_Gk,Sj = h(HID_i║M_j║N_j║T⁽²⁾_Gk), let alone forges a valid message <HID_i, PID_j, M_Gk,Sj, T⁽²⁾_G> to cheat S_j. Therefore, the proposed eSAS2KN has the feature of withstanding GWNs bypassing attacks.

Provides Password Verification Process: In the eSAS2KN, given the possibility of incorrect password input, we adopt password verification process by verifying B*_i = ? B_i at the beginning of login process. In addition, given the fact that a person's biometrics may be slightly different from the original one once in a while [15], therefore, we resort to fuzzy extractor technique instead of conventional bio-hashing techniques to decrease U_i's high rejection rate in the login phase of eSAS2KN. Therefore, the two methods contribute greatly to the robustness of eSAS2KN.

Provides Session Key Verification Process: In the eSAS2KN, S_j computes M_Sj,Gk according to M_Sj,Gk = h(HID_j║HID_i║SK_j║M_j║N_j║T⁽²⁾_j) with the computed session key SK_j, and then transmits Msg3: <M_Sj,Gk, HID_i, T⁽²⁾_j > to GWN_k. Since the session key SK_j is concatenated in M_Sj,Gk of Msg3 , from the perspective of GWN_k, the verification of SK_j and authentication of S_j are both achieved by verifying M*_Sj,Gk = ?M_Sj,Gk. In the same way, GWN_k computes M_Gk,Ui = h(HID_i║P_i║SK_j║M_j║N_j║T⁽⁴⁾_Gk) with the computed session key SK_j, and then transmits Msg4: <M_Gk,Ui, HID_i, P_i, XS_j, N_j, T⁽²⁾_j, T⁽⁴⁾_Gk> to U_i. Since SK_j is also concatenated in M_Gk,Ui, from the perspective of U_i, the verification of SK_j and authentication of GWN_k are both achieved by verifying M*_Gk,Ui? = M_Gk,Ui. Therefore, the eSAS2KN has the security feature of providing SK verification.

Withstands Privileged-insider Attack: In the eSAS2KN, ID_i and PW_i sent to GWN_k for registration are both in encrypted forms with PID_i = h(ID_i║RN_i) and HPW_i = h(PW_i║σ_i), respectively. A privileged insider attacker cannot identify the registered user's ID_i and PW_i. Therefore, the proposed eSAS2KN has the feature of withstanding privileged-insider attacks.

Provides Session Key Security: In the eSAS2KN, \(\begin{align}\mathcal{A}\end{align}\) cannot calculate SK_i and SK_j. To calculate SK_i/SK_j according to SK_i/SK_j = h(HID_i║M_j║N_j║T⁽²⁾_j), \(\begin{align}\mathcal{A}\end{align}\) must compute M_j and N_j. However, RN_k is random nonce generated by GWN_k, which is known only to the trusted GWN_k, \(\begin{align}\mathcal{A}\end{align}\) cannot obtain it. Moreover, due to the trustworthiness of GWN_k, \(\begin{align}\mathcal{A}\end{align}\) cannot extract PID_j from the memory of GWN_k. Therefore, without RN_k and PID_j, \(\begin{align}\mathcal{A}\end{align}\) cannot compute M_j and N_j according to M_j = h(XS_j║RN_k)⊕HID_i and N_j = h(PID_j║XS_j)⊕HID_j, respectively. Therefore, \(\begin{align}\mathcal{A}\end{align}\) cannot compute SK_i/SK_j from both U_i and S_j ends. This means that the proposed eSAS2KN has the security feature of providing SK security.

5.2 Formal Security Proof and Verification

In the following subsections, BAN logic-based verification, ROR model-based formal security proof, and AVISPA-based formal security verification are presented in detail to show the security of the proposed eSAS2KN.

5.2.1 Logical Verification

In this subsection, the well-known BAN logic, regarded as a distinguished tool to give logical verification of cryptographic protocols, is used to prove the legitimacy of SK, which is computed at both U_i and S_j ends.

Basic Notations

• U ◁ C : C is received by U.

• U |≡ C : C is believed by U.

• #(C) : C is fresh.

• U ∣~ C : C is once sent by U.

• \(\begin{align}U \stackrel{K}{\longleftrightarrow} S\end{align}\) : U and S share the secret keyK.

• U |C : U has jurisdiction over C.

• (C, M) : C or M is a part of (C, M).

• {C}_K : C is encrypted with K.

Logic Rules

• R1 (Message-meaning rule): \(\begin{align}\frac{U \mid \equiv U \stackrel{K}{\leftrightarrow} S, U \triangleleft\{C\}_{K}}{U|S| \sim C}\end{align}\), If U believes he shares a secret key K with S, and receives an encrypted C with K, then he believes C is once sent by S.

• R2 (Nonce-verification rule): \(\begin{align}\frac{U|\equiv \#(C), U| \equiv S \mid \sim C}{U|\equiv S| \equiv C}\end{align}\), If U believes C is fresh, and believes S once sent C, then U believes S believe C.

• R3 (Believe rule): \(\begin{align}\frac{U|\equiv C, \; U| \equiv M }{U| \equiv \#(C, M)}\end{align}\), if U believes C andM, then he believes (C, M).

• R4 (Freshness rule): \(\begin{align}\frac{U|\equiv \# (C)} {U| \equiv \#(C, M)}\end{align}\), if U believes C is fresh, then he believes the freshness of (C, M).

Goals

In the following logic verification process, we aim at achieving the following four goals.

• Goal 1: \(\begin{align}U_{i} \mid \equiv\left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S_{j}\right)\end{align}\)

• Goal 2: \(\begin{align}S_{j} \mid \equiv\left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S_{j}\right)\end{align}\)

• Goal 3: \(\begin{align}U_{i} \mid \equiv S_{j} \mid \equiv \left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S_{j}\right)\end{align}\)

• Goal 4: \(\begin{align}S_{j} \mid \equiv U_{i} \mid \equiv \left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S_{j}\right)\end{align}\)

Assumptions

To well analyze the eSAS2KN, the listed assumptions are considered in the proof process.

• A1: GWN_k|≡#(T⁽¹⁾_i)

• A2: S_j|≡#(T⁽²⁾_Gk)

• A3: GWN_k|≡#(T⁽²⁾_j)

• A4: U_i|≡#(T⁽⁴⁾_Gk)

• A5: \(\begin{align}GWN_{k} \mid \equiv \left(GWN_{k} \stackrel{PID_{j}} {\longleftrightarrow} S_{j}\right)\end{align}\)

• A6: \(\begin{align}S_{j} \mid \equiv \left(S_{j} \stackrel{PID_{j}} {\longleftrightarrow} GWN_{k}\right)\end{align}\)

• A7: \(\begin{align}U_{i} \mid \equiv \left(U_{i} \stackrel{HPW_{i}} {\longleftrightarrow} GWN_{k}\right)\end{align}\)

• A8: \(\begin{align}GWN_{k} \mid \equiv \left(GWN_{k} \stackrel{HPW_{i}} {\longleftrightarrow} U_{i}\right)\end{align}\)

• A9: \(\begin{align}U_{i}\left|\equiv S_{j}\right| \Rightarrow\left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S j\right)\end{align}\)

• A10: \(\begin{align}S_{j}\left|\equiv U_{i}\right| \Rightarrow\left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S j\right)\end{align}\)

Ideal Forms Conversion

Before logic verification, all transmitted messages are transformed to ideal forms as follows.

• Msg1: U_i→GWN_k : {HID_i, K, Ti⁽¹⁾}_HWPi

• Msg2: GWN_k→S_j : {HID_i, M_j, N_j, T⁽²⁾_Gk}_PIDj

• Msg3: S_j→GWN_k : {HID_i, K, M_j, N_j, T⁽²⁾_j}_PIDj

• Msg4: GWN_k→U_i : {HID_i, M_j, N_j, T⁽²⁾_j, K, T⁽⁴⁾_Gk}_HPWi

Logical Verification of eSAS2KN

To well describe the verification process, predefined information, including four rules, ten assumptions and four messages are used as follows.

• According to Mgs1, V1 is derived as V1: GWN_k ◁ {HID_i, K, T⁽¹⁾_i}_HPWi

• According to A8 and R1, V2 is derived as V2: GWN_k |≡ U|~ (HID_i, K, T⁽¹⁾_i)

• According to A1 and R3, V3 is derived as V3: GWN_k |≡ #(HID_i, K, T⁽¹⁾_i)

• According to V2, V3 and R2, V4 is derived as V4: GWN_k |≡ U_i|≡ (HID_i, K, T⁽¹⁾_i)

• According to Msg2, V5 is derived as V5: S_j ◁ {HID_i, M_j, N_j, T⁽²⁾_Gk}_PIDj

• According to A6 and R1, V6 is derived as V6: S_j |≡ GWN_k|~ (HID_i, M_j, N_j, T⁽²⁾_Gk)

• According to A2 and R3, V7 is derived as V7: S_j |≡ #(HID_i, M_j, N_j, K, T⁽²⁾_Gk)

• According to V6, V7 and R2, V8 is derived as V8: S_j |≡ GWN_k |≡ (HID_i, M_j, N_j, T⁽²⁾_Gk)

• According to Msg3, V9: is derived as V9: GWN_k ◁ {HID_i, K, M_j, N_j, T⁽²⁾_j}_PIDj

• According to A5 and R1, V10 is derived as V10: GWN_k|≡ S_j|~ (HID_i, K, M_j, N_j, T⁽²⁾_j)

• According to A3 and R3, V11 is derived as V11: GWN_k|≡ #(HID_i, K, M_j, N_j, T⁽²⁾_j)

• According to V10, V11 and R2, V12 is derived as V12: GWN_k |≡ S_j|≡ (HID_i, K, M_j, N_j, T⁽²⁾_j)

• According to Msg4 , V13 is derived as V13: U_i ◁ {HID_i, M_j, N_j, K, T⁽²⁾_j, T⁽⁴⁾_Gk}_HPWi

• According to A7 and R1, V14 is derived as V14: U_i|≡ GWN_k |~ (HID_i, M_j, N_j, K, T⁽²⁾_j, T⁽⁴⁾_Gk)

• According to A4 and R3, V15 is derived as V15: U_i|≡#(HID_i, M_j, N_j, K, T⁽²⁾_j, T⁽⁴⁾_Gk)

• According to V14, V15 and R2, V16 is derived as follows V16: U_i|≡GWN_k|≡(HID_i, M_j, N_j, K, T⁽²⁾_j)

• According to V12, V16 and SK_i/SK_j = h(HID_i║M_j║N_j║T⁽²⁾_j), V17 is derived as follows.

V17: \(\begin{align}U_{i} \mid \equiv S_{j} \mid \equiv \left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S_{j}\right)\end{align}\) (Goal₃)

• According to V8, V4 and SK_i/SK_j = h(HID_i║M_j║N_j║T⁽²⁾_j), V18 is derived as follows.

V18: \(\begin{align}S_{j} \mid \equiv U_{i} \mid \equiv \left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S_{j}\right)\end{align}\) (Goal₄)

• According to A9, V17 and R4, V19 is derived as follows.

V19: \(\begin{align}U_{i} \mid \equiv U_{i} \left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S_{j}\right)\end{align}\) (Goal₁)

• According to A10, V18 and R4, V20 is derived as follows.

V20: \(\begin{align}S_{j} \mid \equiv U_{i} \left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S_{j}\right)\end{align}\) (Goal₂)

It can be clearly drawn from the above demonstrations that U_i, GWN_k and S_j are mutually authenticated, and SK is negotiated and shared between U_i and S_j.

5.2.2 Formal Security Proof

To demonstrate the SK security of eSAS2KN, we implement formal security proof by applying Real-Or-Random (ROR) model. The definition of ROR model is presented as follows.

Participants：Let II^u_Ui, II^s_Sj and II^g_GWNk be the instances of U_i, S_j and GWN_k, respectively.

Acceptedstate: On receiving the last anticipated message, instance II^t transits to the accepted state. When all the messages received and sent by II^t are concatenated in order, it will represent session identification for the current session.

Partnering: Instances II^t1 and II^t2 are deemed as partner to each other if 1) II^t1 and II^t2 are both in accepted state; 2) II^t1 and II^t2 are mutually authenticated by each other and share the same session identification; and 3) II^t1 and II^t2 are mutual partners of each other.

Freshness: II^u_Ui and II^s_Sj are deemed as freshness if SK computed from U_i and S_j ends is kept from disclosure to \(\begin{align}\mathcal{A}\end{align}\) by using the Reveal queries Reveal(II^u) and Reveal(II^s).

Adversary: In ROR model, DY threat model is employed for formal security proof. \(\begin{align}\mathcal{A}\end{align}\) has the ability to full control over all the communications. That is to say, \(\begin{align}\mathcal{A}\end{align}\) can intercept, alter, delete and inject forged information through the following queries.

Execute(II^u/II^s, II^g) is used to model a passive intercepting attack, in which \(\begin{align}\mathcal{A}\end{align}\) can read the transmitted messages between the legitimate U_i/S_j and GWN_k.

Reveal(II^u) is used to model the current SK generated by II^u and its partner II^s is disclosed to \(\begin{align}\mathcal{A}\end{align}\). If \(\begin{align}\mathcal{A}\end{align}\) cannot reveal SK between II^u and II^s using the query Reveal(II^u), then SK is secure.

Send(II^u/II^s/II^g, Msg) is used to models an active attack, in which Msg can be sent to the participant II^u/II^s/II^g by \(\begin{align}\mathcal{A}\end{align}\).

CorruptSN(II^s_Sj) is used to model an active captured sensor node attack, in which the secret credentials, HID_j, A_j and B_j stored in the memory of S_j, are known to \(\begin{align}\mathcal{A}\end{align}\).

CorruptSC(II^u) is used to model an active stolen or lost smartcard attack, in which the information (IDS_i, HID_i, h(·), A_i, B_i, C_i, D_i, τ_i) stored in the SC_i's memory is known to \(\begin{align}\mathcal{A}\end{align}\).

Test(II^u/II^s) is used to model the semantic security of SK between U_i and S_j adhering to the ROR model’s indistinguishability style. An impartial coin c needs to be throwed ahead of starting experiment. If \(\begin{align}\mathcal{A}\end{align}\) executes this query and the generated SK is of freshness, then the instance II^u/II^s returns an SK when c = 1 or a random number when c = 0. For other cases, the query returns a null value.

Semantic security of SK : In the ROR model, \(\begin{align}\mathcal{A}\end{align}\) makes as many as Test queries to either II^u_Ui or II^s_Sj as necessary to distinguish the instance II^u_Ui's or II^s_Sj's real SK from a random key. The output of Test queries must be consistent or uniform to random bit c. Once completing the game, \(\begin{align}\mathcal{A}\end{align}\) returns a guessed bit c' and wins the game (denoted as Succ) if c' = c. The gained advantage of \(\begin{align}\mathcal{A}\end{align}\) to break the semantic security of eSAS2KN is defined as Adv^{eSAS KN}_A = |2Pr[Succ]-1|. The proposed eSAS2KN is secure if Adv^eSAS2KN_A≤ v, for the run time t and sufficiently small value v > 0.

Random oracle : The one-way cryptographic hash function h(·) is used to model the random oracle, say \(\begin{align}\mathcal{H}\end{align}\), which can be accessed by all communicating parties and \(\begin{align}\mathcal{A}\end{align}\).

Theorem 1 : Let \(\begin{align}\mathcal{A}\end{align}\) be an adversary running in a polynomial time t against eSAS2KN in the ROR model, then, \(\begin{align}A d v_{\mathcal{A}}^{e S A S 2 K N}(t) \leq \frac{q_{h}^{2}}{|\mathcal{H}|}+\frac{q_{\text {send }}}{2^{l-1}|\mathcal{P D}|}\end{align}\), where q_h, |\(\begin{align}\mathcal{H}\end{align}\)|, q_send, |PD| and l denote the number of hash queries, the range space of h(·), the number of send queries, the size of uniformly distributed password dictionary, and the number of bits present in σ_i, respectively.

Proof: To demonstrate the Theorem 1, we define five games, G_i (i=0, 1, ⋯, 4) in sequence. Let Succ_i be the event that the bit c of the throwed impartial coin in G_i is successfully guessed by \(\begin{align}\mathcal{A}\end{align}\). The five games are defined as below in details.

Game G₀: G₀ represents an actual attack in the ROR model launched by \(\begin{align}\mathcal{A}\end{align}\) against eSAS2KN scheme, in which \(\begin{align}\mathcal{A}\end{align}\) selects a bit c in advance at the beginning of the game G₀. Therefore, \(\begin{align}\mathcal{A}'s\end{align}\) advantage is obtained

Adv^eSAS2KN_A(t) = |2Pr[Succ₀]-1|       (1)

Game G₁ : G₁ denotes an intercepting attack launched by \(\begin{align}\mathcal{A}\end{align}\) through running Execute(II^u/II^s,II^g) to obtain the messages Msg1 <DID_i, HID_i, M_Ui,Gk, T⁽¹⁾_i>, Msg2:<HID_i, PID_j, M_Gk,Sj, T⁽²⁾_Gk>, Msg3: <M_Sj,Gk, HID_i, T⁽²⁾_j>. The output of Test(II^u/II^s) is examined whether the SK between U_i and S_j is a key or a random number. In the eSAS2KN, the SK is computed according to SK_i/j = h(HID_i║M_j║N_j║T⁽²⁾_j) and the intercepted messages do not reveal the secret parameters M_j and N_j since \(\begin{align}\mathcal{A}\end{align}\) cannot obtain the random nonce RN_k. Therefore, the probability of \(\begin{align}\mathcal{A}'s\end{align}\)'s winning G₁ by the eavesdropping attack is not increased, and equal to that of winning G₀ as below.

Pr[Succ₁] = Pr[Succ₀]       (2)

Game G² : G₂ denotes an active attack launched by \(\begin{align}\mathcal{A}\end{align}\) through running Send (II^u/II^s/II^g, Msg) and hash queries aiming to trick a legal instance into accepting an illegal message. To create hash collisions, \(\begin{align}\mathcal{A}\end{align}\) can make any number of hash queries. However, the current timestamps are attached with all the transmitted messages. Therefore, it is infeasible for \(\begin{align}\mathcal{A}\end{align}\) find hash collision occurrence in a polynomial time through running send and hash queries. By using birthday paradox theory to find hash collision, the following result is obtained.

\(\begin{align}\left|\operatorname{Pr}\left[\operatorname{Succ}_{1}\right]-\operatorname{Pr}\left[\operatorname{Succ}_{2}\right]\right| \leq \frac{q_{h}^{2}}{2|\mathcal{H}|}\end{align}\)       (3)

Game G₃: In G₃, \(\begin{align}\mathcal{A}\end{align}\) launches an active attack by executing CorruptSC(II^u) and extracts all the secret credentials, i.e., (IDS_i, HID_i, h(·), A_i, B_i, C_i, D_i, τ_i), stored in the memory of the stolen or lost SC_i. By using dictionary attack, \(\begin{align}\mathcal{A}\end{align}\) can guess PW_i according to the information extracted from SC_i. Due to the use of fuzzy extractor, which is used to compute HPW_i = h(PW_i|σ_i) by extracting U_i's biometric secret key σ_i, it allows for the retrieval of at most l nearly random bits. Therefore, the probability of \(\begin{align}\mathcal{A}\end{align}\) guessing σ_i ∈ {0,1}^l i is 1/2^l approximately. Due to the number limitation of permitted wrong password entries, we can obtain the following result.

\(\begin{align}\left|\operatorname{Pr}\left[\operatorname{Succ}_{2}\right]-\operatorname{Pr}\left[\operatorname{Succ}_{3}\right]\right| \leq \frac{q_{\text {send }}}{2^{l}|\mathcal{P D}|}\end{align}\)       (4)

Game G₄ : In G₄, \(\begin{align}\mathcal{A}\end{align}\) launches a sensor node capture attack by executing CorruptSN(II^s_Sj) S and extracts all the secret credentials {HID_j,A_j,B_j}, which are stored in the memory of S_j. However, all the extracted secret credentials by using CorruptSN(II^s_Sj) queries have no help in deriving the session key SK_i/j because the derivation of HID_i needs U_i's identity ID_i, the random nonce RN_i generated by U_i, and GWN_k's long-time secret K. In addition, the derivation of M_j needs the random nonce RN_k generated by GWN_k. Therefore, the probability of \(\begin{align}\mathcal{A}'s\end{align}\) winning G₄ by executing CorruptSN(II^s_Sj) queries is not increased, and equal to that of winning G₃ as below.

Pr[Succ₃] = Pr[Succ₄]       (5)

In order to break the semantic security of the proposed eSAS2KN, \(\begin{align}\mathcal{A}\end{align}\) tries to run all the oracle queries. However, \(\begin{align}\mathcal{A}\end{align}\) can only guess the bit c at last for winning the game after Test(II^u/II^s) query. Therefore, the following result is obtained.

\(\begin{align}P_r[Succ_{4}]=\frac{1}{2}\end{align}\)       (6)

According to equations (1), (2) and (6), the following result is obtained.

\(\begin{align}\frac{1}{2} A d v_{\mathcal{A}}^{S A S 2 K N}(t)=\left|\operatorname{Pr}\left[S u c c_{0}\right]-1 / 2\right|=\mid \operatorname{Pr}\left[S u c c_{1}\right]-\operatorname{Pr}\left[S u c c_{4} \mid\right.\end{align}\)       (7)

By using triangular inequality, the following result can be obtained.

|Pr[Succ₁] - Pr[Succ₄]| ≤ |Pr[Succ₁] - Pr[Succ₂]| + |Pr[Succ₂] - Pr[Succ₄]| ≤ |Pr[Succ₁] - Pr[Succ₂]| + |Pr[Succ₂] - Pr[Succ₃] + |Pr[Succ₃] - Pr[Succ₄]|       (8)

According to equations (7), (3), (4) and (5), the result can be derived as follows.

\(\begin{align}A d v_{\mathcal{A}}^{e S A S 2 K N}(t) \leq \frac{q_{h}^{2}}{|\mathcal{H}|}+\frac{q_{\text {send }}}{2^{l-1}|\mathcal{P D}|}\end{align}\)       (9)

5.2.3 Formal Security Verification

In this subsection, we implement formal security verification by using AVISPA, which is a widely used common tool to automatically verify the security of Internet protocols [45-47]. In the AVISPA, a user can select different verification techniques to check the security of the same security protocol [48].

The tool employs a role-based formal language, called High-Level Protocol Specification Language (HLPSL) to specify some protocols and their possessed security properties. In addition, the tool is a modular and expressive language and can run On-the-fly Model-Checker (OFMC), Constraint-Logic-based Attack Searcher (CL-AtSe), SAT-based Model-Checker (SATMC), and Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP) to conduct a large number of most advanced automatic analysis techniques.

To conduct eSAS2KN's formal security verification, we describe the scheme by utilizing the role-oriented HLPSL. In [49-50], some specifications involved in AVISPA and HLPSL are addressed in detail. For simulation, we firstly describe the roles of different objects in HLPSL. The basic roles of U_i ,GWN_k and S_j are shown in Fig. 5, Fig. 6 and Fig. 7, respectively. The mandatory roles of session, goal and environment are shown in Fig. 8. Then, we simulate eSAS2KN in an animator, called SPAN, for the tool AVISPA. With the consideration of no supporting XOR operations for SATMC and TA4SP back-ends in SPAN [51], therefore, we simulate eSAS2KN's security merely by employing the OFMC and CL-AtSe back-ends. The simulation results in Fig. 9 demonstrate the proposed eSAS2KN is safe.

Fig. 5. Basic role of U_i in HLPSL.

Fig. 6. Basic role of GWN_k in HLPSL.

Fig. 7. Basic role of S_j in HLPSL.

Fig. 8. Roles of session, goal and environment in HLPSL.

Fig. 9. Simulation results of eSAS2KN under OFMC and CL-AtSe backends.

6. Security and Performance Comparison

In this section, security and performance comparisons are conducted with some related protocols in the light of security features, computation costs, and communication costs.

6.1 Security features

The comparison in terms of security feature is conducted with some related protocols, which is illustrated in Table 2. The comparison shows that the high security of our protocol over other related schemes and can be applied in practical applications.

Table 2. Comparison of security features.

6.2 Computation costs

For clear analysis and description of each protocol's computation costs, we give the following denotations. T_H denotes the time to run the one-way hash operation, T_X to conduct XOR operation, T_E to conduct an ECC point multiplication operation, T_F to conduct a fuzzy extractor operation, T_B to conduct Bio-Hash operation, and to run symmetric-key encryption or decryption. According to the experiment results in [52-54], T_H, T_E, T_F, T_B and T_S are 0.0005s, 0.063075s, 0.063075s, 0.063075s and 0.0087s, respectively. The bitwise XOR operation is so lightweight and its computing time can be negligible, therefore, we do not consider them in the final approximate total computation costs. The computation costs in the login phase, authentication and key negotiation phase, and final approximate total computation costs of different schemes are shown in Table 3.

Table 3. Computation costs comparison with related protocols.

From the Table 3, we can clearly conclude that our protocol performs much better efficiency than Jung [28], Das [35], Maurya [36], Amin [29], Soni [30], Ali [31] and Dai [33] et. al.’s protocols. Even though our protocol has slightly more computing time than Wu [32], it is yet admissible because eSAS2KN provides much more security features than Wu [32] et. al.’s protocol.

6.3 Communication Costs

For clear analysis and comparison of communication costs of different schemes, the lengths of identity, password, random number/string, error tolerance threshold, request, response, symmetric encryption/decryption, probabilistic generation function and deterministic reproduction function for fuzzy extractor are assumed to be 128 bits, the lengths of credential and timestamps are 32 bits, and the lengths of hash function, bio-hash function, as well as ECC encryption/decryption operation are 160 bits. The communication costs in the login phase, authentication and key negotiation phase, as well as the total communication costs in bits of different schemes are summarized in Table 4.

Table 4. Communication costs comparison with related protocols.

From the Table 4, we can clearly conclude that our protocol has much better communication efficiency than Amin [29], Soni [30], Wu [32] and Dai [33] et al.'s protocols. Although eSAS2KN provides less communication efficiency than Jung [28], Das [35], Maurya [36] and Ali [31], it yet provides much more security and functionality features, which is presented in Table 2.

7. Conclusions

In this paper, we developed a scheme (eSAS2KN) that enables lightweight mutual authentication as well as session key establishment. Due to the adoption of fuzzy extractor technique, user’s high rejection probability can be avoided in the login phase. Informal security analysis, BAN logic verification, formal security proof and verification demonstrate that the proposed eSAS2KN is safe. More importantly, the eSAS2KN is developed with only lightweight hash operations and XOR operations, which make it more lightweight and more efficient. Performance comparison with the competitive schemes shows that the eSAS2KN is more suitable for real-time communications between users and sensor node for multi-gateway WSNs, and can easily be implemented for a practical application.