Skip to main content

Advances, Systems and Applications

A secure user authentication protocol for sensor network in data capturing

Abstract

Sensor network is an important approach of data capturing. User authentication is a critical security issue for sensor networks because sensor nodes are deployed in an open and unattended environment, leaving them possible hostile attack. Some researchers proposed some user authentication protocols using one-way hash function or using biometric technology. Recently, Yel et al. and Wenbo et al. proposed a user authentication protocols using elliptic curves cryptography. However, there are some security weaknesses for these protocols. In the paper, we review several proposed user authentication protocols, with a detail review of the Wenbo et al.’s user authentication protocol and a cryptanalysis of this protocol that shows several security weaknesses. Furthermore, we propose a secure user authentication protocol using identity-based cryptography to overcome those weaknesses. Finally, we present the security analysis, a comparison of security, computation, and performance for the proposed protocols, which shows that this user authentication protocol is more secure and suitable for higher security WSNs.

Introduction

With the application of big data, there are some base manipulation processes: data capturing, data transport, data storage, data extraction & integration, data analysis & interpretation and data application. In the data capturing, using all kinds of devices and methods to collect data, such as smart devices, sensors, Web. So there are three important approaches of data capturing: Internet, Internet of Things (IoT) and sensor network [1]. Wireless Sensor networks (WSNs) is an open environment distributed network, which is an important approach of data capturing for big data. Nevertheless, with the application of dig data, the requirement of real-time data from WSNs is increasing highly. In some situations the gateway impossibly does force a user to access the sensor node directly. In such case the security and reliability to inquire and data disseminate are very important. Only when every client (remote sensor node, remote user) in the WSNs proves his/her identity can he/she be allowed to join the WSNs and access to resource, such as real-time data. Thus, a key security requirement for WSNs is user authentication [2-5].

In 2004, Sastry et al. [2] proposed a security scheme using access control lists (ACL) for IEEE 802.15.4 networks in the gateway node. An ACL would be maintained in gateway node and sensor nodes. Watro et al. [6] proposed a user authentication protocol using RSA and Differ-Hellman algorithm, but which was open to hostile attack by a user masquerading.

In 2005, Benenson et al. [7] proposed a user authentication protocol based on elliptic curve discrete logarithm problem (ECDLP) to handle the sensor node capture attack, which relied on a trusted third party.

In 2006, Wong et al. [8] proposed a dynamic user authentication scheme for WSNs based on a light-weight strong password using hash function, which included three phases: registration phase, login phase and authentication phase. Nonetheless, Tseng et al. [9] and Das [10] pointed out that this protocol had some weaknesses in protecting against replay attack, forgery attack, stolen-verifier attack, sensor node revealing and exposing the password to the other node and no updating user’s password. In 2007, Tseng et al. [9] proposed an enhanced user authentication protocol by adding an extra phase (password changing phase) on Wong et al.’s phases. However, in 2008 Ko [11] showed the Tseng et al.’s protocol was still insecure and did not provide mutual authentication.

In 2009, Das [10] proposed a two-factor user authentication protocol based on password and smart card against stolen-verifier attack. Nevertheless, Nyang et al. [12] showed there were some security weaknesses in offline-password guessing attacks.

In 2010, Vaidya et al. [13] demonstrated the Tseng et al.’s protocol, Wong et al.’s protocol and Ko’s protocol were still not strong enough to protect again replay attack, stolen-verifier attack and man-in-the-middle attack. Khan et al. [14,15] pointed out the Das’s protocol did not provide mutual authentication, and against by passing attack and privileged insider attack. Moreover, Chen et al. [16] also demonstrated the Das’s protocol did not provide mutual authentication between the gateway node and the sensor node. And Chen et al. proposed a more secure and robust two-factor user authentication scheme for WSNs.

In 2011, Yeh et al. [17] found that the Chen et al.’s protocol failed to provide a secure method for updating password and insider attack. And Yeh et al. proposed a new user authentication scheme for WSNs using elliptic curve cryptography (ECC). Unfortunately, Han [18] found this protocol still had some weaknesses: no mutual authentication, no key agreement between the user and the sensor node, and no prefer forward security. Meanwhile, Yuan et al. [19] proposed a biometric-based user authentication for WSNs using password and smart card in 2010. Unfortunately, in 2011 Yoon et al. [20] showed the integrity problem of the Yuan et al.’s protocol and proposed a new biometric-based user authentication scheme without using password for WSNs.

In 2012, Ohood et al. [21] pointed out Yoon et al.’s scheme still had some drawbacks, such as no key agreement, no message confidentiality service, no providing against DoS and node compromise attack. Moreover, Ohood et al. [22] proposed an efficient biometric authentication protocol for WSNs.

Recently, Wenbo et al. [23] in 2013 proposed a new user authentication protocol for WSNs using elliptic curve cryptography to overcome the security weaknesses of Yeh et al.’s protocol. Although they suggested security improvements of Yeh et al.’s protocol, there were some security weaknesses in their protocol, e.g. no mutual authentication between the user and sensor node, no protecting against insider attack, forgery attack and DoS (denial of service) attack.

To address all of the issues raised in the above studies, we propose a secure user authentication protocol using identity-based cryptography on the basis of our previous studies to trusted management and trusted architecture of WSNs [24-26]. Our proposal addresses the key security issues.

The remainder of this paper is organized as follows: in Section Related works, we review the Wenbo et al.’s protocol and a detail cryptanalysis; next we present our user authentication protocol based on identity-based encryption in Section Proposed protocol; in Section Security and performance analysis, a security and performance analysis of the related protocol is presented; in Section Conclusion, we provide some conclusion remarks.

Related works

Notation

In Table 1, some notations used throughout this paper and their corresponding definitions are shown.

Table 1 Notations

Review of Wenbo’s scheme

In the Wenbo’s protocol, the gateway GW held two master keys (x and y). And it was assumed that the gateway and the sensor nodes shared a long-term common secret key, SKGS = h(S n ||y). The Wenbo’s protocol involves the registration phase, login phase, authentication phase and password update phase, which can be briefly described as follows.

Registration phase

In this phase, a user U submits his/her ID u and a hash of his/her password to GW via a secured channel. Then, GW issues a license to U. The steps are described as follows.

Step 1: U → GW: {ID u , PS′}.

U enters an identity, selects a random number br and a password PS. And U computes PS′ = h(PSbr). Then U sends message {ID u , PS′} to GW via a secured channel.

Step 2: GW → a smart card of U: {Bu, Wu, h(.)}.

GW computes Ku = h(ID u ||x) × P, Bu = h(ID u PS′), and Wu = BuKu, where x is a master key of GW. Then the GW stores (Bu, Wu) into a smart card and sends it to U.

Login phase

When U access Sn, U needs enter his ID u and PS. And the smart card must confirm the validity of U via the following steps.

Step 1: Validate U.

The smart card check whether Bu = h(ID u h(PSbr)) hold. If the answer is no, the U’s identification validation fails and the smart card will terminate this request. Otherwise, the smart card continues to execute the next step.

Step 2: U’s smart card generates a random number r u , calculates X and a. X = r u  × P, X′ = r u  × (BuWu), and a = h(ID u ||X||X′||T u ), where T u is the curren time of U’s system.

Step 3: U → Sn: {ID u , X, T u , a}.

The {ID u , X, Tu, a} is submitted to Sn via public channel.

Authentication phase

The authentication phase includes: Sn checking the validity of the request message of U, GW authenticating Sn and U, Sn authenticating GW and U, U authenticating Sn and GW.

Sn checks the validity of the request message of U

When receiving the login message {ID u , X, T u, a} at time T′, Sn checks and generates request message which is sent to GW for authentication. Sn executes the following steps.

Step 1: Checks T u .

Sn checks if (T′-T u )T holds, where ∆T denotes the expected time interval for transmission delay. If the answer is yes, the validity of T u can be assured, and Sn executes the next step. Otherwise Sn rejects the login request.

Step 2: Picks a random number r s and calculates Y and b.

Y = r s  × P, b = h(SKGS||ID u ||X||T u ||a||ID Sn ||Y||T s ), where T s denotes the current request time of the Sn system.

Step 3: Sn → GW: {ID u , X, T u , a, ID Sn , Y, T s , b}.

The {ID u , X, T u , a, ID Sn , Y, T s , b} is submitted to GW via public channel.

GW authenticates Sn and U

When receiving the request message that sent by Sn at time T′′, GW checks and validates Sn and U, and generates the response message that will be sent to Sn. GW executes the following steps.

Step 1: Validates if T s and T u .

GW checks whether (T′′-T s )T and (T′′-T u )T hold. If the answer is yes, the validity of T s and T u can be assured and GW executes the next step. Otherwise GW rejects this request message.

Step 2: Calculates b *.

$$ {b}^{*}=h\left(S{K}_{GS}\left|\left|I{D}_u\right|\right|X\left|\left|{T}_u\right|\right|a\left|\left|I{D}_{Sn}\right|\right|Y\left|\right|{T}_s\right). $$

Step 3: Confirms whether b = b * and validates Sn.

GW checks if b = b * holds. If the answer is yes, GW accepts this request message and executes the next step. Otherwise, GW rejects this request message.

Step 4: Calculates X′ and a *.

X′ = h(ID u ||x) × X, a * = h(ID u ||X||X′||T u ), where x denotes a master key of GW.

Step 5: Confirms whether a = a *.

GW checks if a = a * holds. If the answer is yes, GW accepts this request message and executes the next step. Otherwise, GW rejects the request message.

Step 6: Calculates y and l.

$$ y = h\left(S{K}_{GS}\left|\left|I{D}_u\right|\right|X\left|\left|{T}_u\right|\right|a\left|\left|I{D}_{Sn}\right|\right|Y\left|\right|{T}_G\right), $$
$$ l=h\left(I{D}_u\left|\left|X\right|\right|X^{\prime}\left|\left|{T}_u\right|\right|Y\left|\right|{T}_s\right), $$

where T G denotes the current response time of GW.

Step 7: GW → S n : {T G , y, l}

The {T G , y, l} is submitted to Sn via public channel.

Sn authenticates GW

When receiving the response message that sent by GW at time T′′′, Sn checks and validates GW, and generates the message that will be sent to U. Sn executes the following steps.

Step 1: Validates T G .

Sn checks if (T′′′-T G ) ∆T holds. If the answer is yes, the validity of T G can be assured and Sn executes the next step. Otherwise Sn rejects the response message.

Step 2: Calculates y *.

$$ {y}^{*}=h\left(S{K}_{GS}\left|\left|I{D}_u\right|\right|X\left|\left|{T}_u\right|\right|a\left|\left|I{D}_{Sn}\right|\right|Y\left|\right|{T}_G\right). $$

Step 3: Validates y.

Sn checks if y = y * holds. If the answer is yes, Sn accepts this response and executes the next step. Otherwise, Sn rejects this response message.

Step 4: Calculates K SU , g and session key sk.

$$ {K}_{SU}={r}_s\times X,g=h\left(Y\left|\left|{T}_s\right|\right|l\left|\right|{K}_{SU}\right),\kern0.5em sk=h\left(X\left|\left|Y\right|\right|{K}_{US}\right). $$

Step 5: S n  → U: {Y, T s , l, g}

The {Y, T s , l, g} is submitted to U via public channel.

U authenticates GW and Sn

When receiving the response message that sent by Sn at time T′′′′, U checks and validates GW and Sn. U executes the following steps.

Step 1: Validates Ts.

U checks if (T′′′′-Ts)T holds. If the answer is yes, the validity of T S can be assured and U executes the next step. Otherwise, U rejects the response message.

Step 2: Calculates K US , l * and g *.

$$ {K}_{SU}={r}_u\times Y,\kern0.5em {l}^{*}=h\left(I{D}_u\left|\left|X\right|\right|X^{\prime}\left|\left|{T}_u\right|\right|Y\left|\right|{T}_s\right)\Big),\kern0.5em and{g}^{*}=h\left(Y\left|\left|{T}_s\right|\right|l\left|\right|{K}_{SU}\right). $$

Step 3: Confirms l and g .

U checks if l = l * and g = g * hold. If the answer is yes, U accepts the response message and executes the next step. Otherwise, U rejects the response message.

Step 4: Calculates session key sk.

$$ sk=h\left(X\left|\left|Y\right|\right|{K}_{US}\right). $$

Password update phase

When U wants to update his/her old password, U and the smart card execute the following steps.

Step 1: U inserts his/her smart card into the smart terminal and enters his/her identify ID u , the old password PS and the new password PSn.

Step 2: The smart card calculates PS′ = h(PSbr), and checks whether Bu = h(ID u PS′) holds. If it does not hold, the smart card stops U’s request. Otherwise, the smart card continues to compute Ku = h(ID u ||PS′)Wu, PSn′ = h(PSnbr), Bu′ = h(ID u PSn′) and Wu′ = BuKu. Finally, the smart card replaces (Bu, Wu ) with (Bu′, Wu′).

Cryptanalysis of Wenbo’s protocol

Security requirements in WSNs

  1. (1)

    Secure user authentication in WSNs should be based on full mutual authentication.

  2. (2)

    Secure user authentication in WSNs should resist masquerade, replay, forgery and DoS attacks.

  3. (3)

    Secure user authentication in WSNs should resist internal attack (compromise attack).

  4. (4)

    Secure user authentication in WSNs with smart card should reject Virus Injection attack.

No full mutual authentication

Because Wenbo’s protocol does not authenticate U during the authentication phase (Sn checks the validity of the request message of U), a malicious user can attack Sn and GW by means of forging. The attack could be accomplished as follows:

  1. (1)

    The attacker sends a forging message {ID a , X a , Tu a , a a } to Sn.

  2. (2)

    Sn sends a message {ID a , X a , Tu a , a a , ID Sn , Y, T s , b} to GW for authenticating the user when receiving the forging message.

During the above process, since Sn does not authenticate the user, Sn directly generates authenticating request message for GW to authenticate the user. When GW receives this request message, GW can finish the process from Step 1 to Step 4 of authentication phase (GW authenticates Sn and U). This is because there is no mechanism for Sn to be assured that U is real user of WSNs. Thus, the Wenbo’s protocol does not provide mutual authentication between U and Sn. There is no full mutual authentication between Sn and U. This protocol cannot reject DoS attack to Sn and GW.

No protection against forgery attack

Because the confidential information (Bu, Wu) is not encrypted to be stored, the attacker can masquerade as a legal user U. In the case that an attacker steals the (Bu, Wu) from the smart card via some a Virus or a Trojan in the user terminal, he/she maybe try to impersonate user U to access resource in WSNs. The attack can be accomplished via the following means.

  1. (1)

    The attacker steals the (Bu, Wu)} via some methods, such as Virus software, Trojan.

  2. (2)

    The attacker could compute Ku = BuWu and gain the secret Ku.

  3. (3)

    The attacker picks a random number R u .

  4. (4)

    The attacker could computes X a  = R u  × P, X a ′ = R u  × Ku, and a a  = h (ID||X a ||X a ′||T a ) because the point P on elliptic curve E is public.

  5. (5)

    The attacker sends the request message {ID u , X a, T a , a a } to the Sn via public channel.

  6. (6)

    Sn can finish the authentication phase processes. And GW also can accomplish the authentication phase processes.

After GW and Sn finish to authenticate, the attacker can gains the session key sk. The attacker continues to access Sn. Thus, the Wenbo’s protocol does not provide sufficient protection against forgery attack.

No protection against insider attack

In the Wenbo’s protocol, U uses a single password for accessing Sn. It is convenient for a user. Nevertheless, if the system manager or a privileged user of GW obtains (Bu, Wu) of U during U registration phase, he/she maybe try to impersonate U to access the resource in WSNs. The attacking processes are the same as the forgery attack. Thus, the Wenbo’s protocol does not provide sufficient protection against an insider attack on GW by a privileged user.

No protection against compromise attack

In the Wenbo’s protocol, the gateway and the sensor nodes shared a long-term common secret key SKGS. If an attacker captures some a sensor node, he/she can attain the shared secret key SKGS via some methods since the SKGS is not encrypted. So it is very easy to impersonate a sensor node in WSNs. Even the attacker may make many sensor nodes to impersonate the sensor nodes of in WSNs.

Proposed protocol

To solve the security weaknesses of the Wenbo’s protocol, we propose a new user authentication protocol for WSNs using identity-based cryptography. First, we review the fundamentals of identity-based cryptography, and then survey the identity-based cryptography which is suitable for our design of a secure authentication protocol for WSNs. In the proposed protocol, GW integrates the trusted and reputation scheme [24,26]. The proposed five phases are described in detail later.

Identity-based cryptography

Identity-based cryptography is a kind of public-key based scheme. The public key is the unique identity of the user. The private key is generated by a third party called a Private Key Generator (PKG) with its master secret and user’s identity. In the identity-based cryptography system, firstly, the PKG must create a master public key and a master private key. Then any user may use this master public key and also use the user’s identity to generate the user’s public. The user’s private key is created by the PKG with the user’s identity.

For every two parties using in identity-based cryptography, it is easy to calculate a shared secret session key between them using its own private key and public key of another party. For example, a sensor node Sn with public key Q Sn and private key d Sn , and a user U with public key Q u and private key d u can calculate their shared secret session key by computing key = ê(Q u , d Sn ) = ê(d u , Q Sn ).

In the proposed protocol, GW is the PKG. GW selects a random number sZ q * that is kept secret. GW computes K pub  = s × P. This public-private key pair < K pub , s > is the master key pair of GW. And GW computes Q GW  = H 1 (ID GW ), d GW  = s × Q GW . Q GW is the authentication public key of GW. d GW is the authentication private key of GW.

Registration phase

In the registration phase, Sn and U register to GW. The processes are the follow as.

Sensor node registration

In the WSNs, all sensor nodes must register to GW before being deployed. GW creates a private key for every sensor node. And the system parameters P set , the public functions and the private key are stored in the sensor node. GW completes the following steps.

Step 1: Creates the public key Q Sn .

GW uses the identity ID Sn of Sn to generate the public key Q Sn , Q Sn  = H 1 (ID Sn ).

Step 2: Generates the private key d Sn .

GW uses the master key s and the public key Q Sn to create the private key d Sn , d Sn  = s × Q Sn .

Step 3: Installs system parameters, public functions and private key of Sn.

GW installs the system parameters P set , d Sn and other public functions into Sn. That is to say, {P set , d Sn , h(.), f(.), H 1 (.), e(.)} is stored into the Sn.

User registration phase

Before accessing a sensor node in WSNs, any user must register to GW and gains a set P set and other parameters. The registration phase is shown in the Figure 1.

Figure 1
figure 1

Registration phase of the user.

Step 1: U → GW: {ID u , Reg-inf, T1}.

U sends the register request message {ID u , Reg-inf, T1} to GW at the time T1.

Step2: GW → U: {ID GW , P, xP, h(.), a 1 ,T2}.

When receiving the register request message of U at the time T′, firstly GW checks whether (T′-T1) ≤ ∆T holds. If the answer is no, GW rejects the register request message of U. Otherwise, GW selects a random number xZ q * and computes xP = x × P. Then GW calculates a 1  = h(ID GW ||ID u ||xP||T2), where T2 is the current time of GW. Finally, GW sends the register response message {ID GW , P, xP, h(.), a 1 ,T2} to U.

Step 3: U → GW: {ID u , E k (PS′), yP, b, T3}.

When receiving the register response message {ID GW , P, xP, h(.), a 1 ,T2} at the time T′, U checks whether (T′-T2) ≤ ∆T holds. If the answer is no, U rejects the register response message. Otherwise, U computes a 1  = h(ID GW ||ID u ||xP||T2) and checks whether a 1  = a 1 holds. If the answer is no, U rejects the register response message. Otherwise, U picks a random number y Z q *and computes yP = y × P. And U selects a password PSZ q * and a random number brZ q *. U calculates PS′ = h(PSbr) and k = h(y × xP). Then U encrypts PS′ with the session key k, E k (PS′). Finally, U computes b = h(ID u ||ID GW ||E k (PS′)||yP||T3), where T3 is the current times of U. And U sends a message {ID u , E k (PS′), yP, b, T3} to GW.

Step 4: GW → U: {ID GW , P set , E ϴ(ϴ, Ϻ), a 2, T4}.

Receiving the message {ID u , E k (PS′), yP, b, T3} at the time T′, GW firstly checks whether (T′-T3) ≤ ∆T holds. If the answer is no, GW rejects this message. Otherwise, GW computes b′ = h(ID u ||ID GW ||E k (PS′)||yP||T3) and checks whether b′ = b holds. If the answer is no, GW rejects this message. Otherwise, GW generates the session key k and decrypts E k (PS′), k = h(x × yP), D k (E k (PS′)) to gain PS′. Then GW computes ϴ = h(PS||ID u ), Q u  = H 1 (ID u ) and d u  = s × Q u . And GW also calculates Ϻ = ϴf(d u ). GW encrypts the (Q u , Ϻ), E ϴ(ϴ, Ϻ) and computes a 2 = h(ID GW ||ID u ||xyP||T4). At last GW stores (P set , E ϴ(ϴ, Ϻ), h(.), f(.), H1(.), ê(.)) into a smart card that is sent to U. Moreover GW sends the register acknowledge message {ID GW , a 2, T4} to U.

Step 5: U encrypts and stores br .

When receiving the register acknowledge message {ID GW , a 2, T4} at the time T′, U firstly checks whether (T′-T4) ≤ ∆T holds. If the answer is no, U rejects this message. Otherwise U computes a 2  = h(ID GW ||ID u ||yxP||T4) and checks whether a 2  = a 2 holds. If the answer is no, U rejects this message. Otherwise, U computes ks = h(PS||ID u ) and encrypts br, E ks (br). Finially U stores E ks (br).

Login phase and authentication phase

Accessing the data in Sn, U must login Sn and be authenticated by GW and Sn. And U must complete the login phase and authentication phase. Login phase and authentication phase are shown in Figure 2.

Figure 2
figure 2

Login phase and authentication phase.

Login phase

U must enter his ID u and password PS firstly. Then, after the smart card validates U via the following steps, the smart card sends the access request message to Sn.

Step 1: Gains br.

U enters his identity ID u and password PS to the smart terminal. And the smart terminal computes ks = h(PS||ID u ), and D ks (E ks (br)) to gain br.

Step 2: Validate U.

The smart card computes PS′ = h(PSbr), ϴ′ = h(PS||ID u ) and D ϴ′(E ϴ(ϴ, Ϻ)) to gain the (ϴ, Ϻ). The smart card checks whether ϴ = ϴ′ holds. If the answer is no, the smart card stops and alarms. Otherwise, the smart card continues to execute the next step.

Step 3: Computes Q Sn , Q GW , d u , X and Y.

$$ {Q}_{Sn}={H}_1\left(I{D}_{Sn}\right),\kern0.5em {Q}_{GW}={H}_1\left(I{D}_{GW}\right),\kern0.5em {d}_u={H}_1\left(\mathrm{M}\oplus \uptheta \right),\kern0.5em X=\hat{e}\left({d}_u,{Q}_{Sn}\right) andY=\hat{e}\left({d}_u,{Q}_{GW}\right). $$

Step 4: Generates a, b and encrypts (a, b).

The smart card calculates a = h(ID u ||ID GW ||Y||T u ), b = h(ID u ||ID Sn ||X||a||T u ) and E X (a, b), where T u is the current time of the smart terminal system.

Step 5: U → Sn: {ID u , ID Sn , E X (a, b), T u }.

The smart card sends the login request message {ID u , ID Sn , E X (a, b), T u } to the Sn.

Authentication phase

The authentication phase includes Sn authenticating U and GW, GW authenticating Sn and U, U authenticating Sn and GW. The authentication phase can complete the mutual authentication.

Sensor node Sn authenticates user U

When receiving the login request message {ID u , ID Sn , E X (a, b), T u } sent by U at time T′, Sn firstly checks the validity of the request message. Then Sn authenticates U.

Step 1: Validates login request message.

Sn checks whether (T′-T u ) ≤ ∆T holds. If the answer is no, Sn rejects the login request of U. Otherwise, it continues to perform the next step.

Step 2: Decrypts E X (a, b).

S n computes Q u  = H 1 (ID u ), X′ = ê(Q u , d Sn ) and D X′ (E X (a, b)) to gain (a, b).

Step 3: Computes b′ = h(ID u ||ID Sn ||X′||a||T u ).

Step 4: Validates U.

S n checks if b = b′ holds. If the answer is yes, the validity of U can be assured and Sn continues to perform the next step. Otherwise, it rejects the login request message of U.

Step 5: Computes Q GW , Z, β and encrypts.

Q GW  = H 1 (ID GW ), Z = ê(d Sn , Q GW ) and β = h(ID u ||ID Sn ||Z||a||T u ||T Sn ), where T Sn is the current time of Sn system. And Sn encrypts (a, β), E Z (a, β).

Step 6: S n  → GW: {ID Sn , ID GW , IDu, E Z (a, β), T u , T Sn }

Sn sends a request message {ID Sn , ID GW , ID u , E Z (a, β), T u , T Sn } to GW.

Gateway GW authenticates sensor node Sn

When receiving the request message {ID Sn , ID GW , ID u , E Z (a, β), T u , T Sn } at time T′′, GW checks the validity of this message firstly. And GW authenticates Sn and U. Finally, GW creates a response message for Sn and U.

Step 1: Validates request message of Sn.

GW checks whether (T′′-T u ) ≤ ∆T and (T′′-T Sn ) ≤ ∆T hold. If the answer is no, GW rejects the request message. Otherwise, GW continues to perform the next step.

Step 2: Computes Q Sn , Z′ and gains (a, β).

GW computes Q Sn  = H 1 (ID Sn ), Z′ = ê(Q Sn , d GW ) and D Z(E Z (a, β)) to gain (a, β).

Step 3: Computes β′ = h(ID u ||ID Sn ||Z′|a||T u ||T Sn ).

Step 4: Validates Sn.

GW checks if β′ = β holds. If the answer is yes, the validity of Sn can be assured and GW continues to perform the next step. Otherwise, it rejects the request message.

Step 5: Computes Q u , Y′ and a′.

GW computes Q u  = H 1 (ID u ), Y′ = ê(Q u , d GW ) and a′ = h(ID u ||ID GW ||Y′||T u ).

Step 6: Validates U.

GW checks if a′ = a holds. if the answer is yes, the validity of U can be assured and GW continues to perform the next step. Otherwise, GW rejects the request message.

Step 7: GW → Sn:{ID GW , ID Sn , ID u , E Z(γ, δ),T GW }.

GW generates the response message for Sn and U. GW calculates: γ = h(ID u ||ID Sn ||ID GW ||Y′||T u ||T Sn ) and δ = h(ID u ||ID Sn ||ID GW ||Z′||γ||T Sn ||T GW ), where T GW is the current time of GW’s system. And GW encrypts (γ, δ) with the key Z′, E Z′ (γ, δ), and sends the response message {ID GW , ID Sn , ID u , E Z(γ, δ), T GW } to Sn.

Sensor node Sn authenticates gateway GW

When receiving the response message {ID GW , ID Sn , ID u , E Z(γ, δ), T GW } sent by GW at time T′′′, Sn checks and authenticates GW via the following steps.

Step 1: Validates the response message.

Sn checks if (T′′′-T GW ) ≤ ∆T holds. If the answer is no, Sn rejects this response message. Otherwise, Sn continues to perform the next step.

Step 2: Gains (γ, δ).

Sn decrypts the E Z(γ, δ) with the key Z, D Z (E Z(γ, δ)), to gain (γ, δ).

Step 3: Computes δ′.

$$ \delta^{\prime }=h\left(I{D}_u\left|\left|I{D}_{Sn}\right|\right|I{D}_{GW}\left|\left|Z\right|\right|\gamma \left|\right|{T}_{Sn}\left|\right|{T}_{GW}\right). $$

Step 4: Validates GW.

Sn checks if δ′ = δ holds. If th answer is yes, the validity of GW can be assured and S n continues to execute the next step. Otherwise, it rejects the response message.

Step 5: Generates K session , ζ and encrypts.

Sn computes K session  = h(X||T u ||T Sn ),

$$ \zeta =h\left(I{D}_u\left|\left|I{D}_{Sn}\right|\right|{K}_{session}\left|\left|\gamma \right|\right|{T}_{Sn}\right)\kern0.5em \mathrm{and}\kern0.5em {E_X}_{\prime}\left(\zeta, \gamma \right). $$

Step 6: Sn → U: {ID Sn , ID u , ID GW , E X(ζ, γ), T Sn }.

Sn sends the response message {ID Sn , ID u , ID GW , E X′ (ζ, γ), T Sn } to U.

User U authenticates sensor node Sn

When U receives Sn’s response message {ID Sn , ID u , ID GW , E X(ζ, γ), T Sn } at time T′′′′, U checks this message and authenticates Sn and GW. U performs the following steps.

Step 1: Validates the response message.

U checks whether (T′′′′-T Sn ) ≤ ∆T holds. If the answer is no, U rejects this response message. Otherwise, it continues to perform the next step.

Step 2: Gains (ζ, γ).

U computes D X (E X(ζ, γ)) to decrypt E X(ζ, γ) with the key X to gain (ζ, γ).

Step 3: Generates K session and ζ′.

U computes K session  = h(X||T u ||T Sn ),

and ζ′ = h(ID u ||ID Sn ||K session ||γ||T Sn )

Step 4: Validates Sn.

U checks whether ζ = ζ′ holds. If the answer is yes, the validity of Sn can be assured and U continues to execute the next step. Otherwise, U rejects the response message.

Step 5: Computes γ′ = h(ID u ||ID Sn ||ID GW ||Y||T u ||T Sn ).

Step 6: Validates GW.

U checks whether γ′ = γ holds. If the answer is yes, the validity of GW can be assured and U accepts this response message. Otherwise, U rejects this response message.

After U authenticates Sn and GW, U will access the data of the Sn with the session key K session .

Password update phase

When U updates his password, U enters his ID u , old password PS and news password PSn to the smart terminal or a update password program. The smart card must compute a new password value, which is encrypted and stored in the smart card. The user password update phase includes the following steps.

Step 1: U enters his ID u , old password PS and news password PSn to the smart terminal or a update password program.

Step 2: The smart terminal computes ks = h(PS||ID u ) and D ks (E ks (br)) to gain br firstly. Then it computes PS′ = h(PSbr), PSn′ = h(PSnbr). The smart terminal sends {ID u , PS, PSn′} to the smart card.

Step 3: The smart card computes ϴ′ = h(PS||ID u ) and D ϴ′(E ϴ(ϴ, Ϻ)) to gain (ϴ, Ϻ).

Step 4: The smart card checks whether ϴ′ = ϴ holds. If the answer is no, the smart card rejects the password update and alarms. Otherwise, the smart card continues to perform the next step.

Step 5: The smart card calculates ϴ n ′ = h(PSn||ID u ) and Ϻ′ = ϴ n Ϻ).

Step 6: The smart card encrypts the new sensitive password value (ϴ n ′, Ϻ′) with the key ϴ n ′, E ϴn n ′, Ϻ′), and replaces the E ϴ(ϴ, Ϻ) with E ϴn n ′, Ϻ′).

Security and performance analysis

The proposed protocol provides message confidentiality service

Proof

Message confidentiality service against eavesdropping attack is performed by data encryption service. Our proposed protocol can provide sufficient confidentiality for sensitive data stored and transmitted with encrypting data (e.g. E k (PS′), E ϴ(ϴ,Ϻ), E X (a, b), E Z (a, β), E Z′ (γ, δ) and E X(ζ, γ). More specifically, these sensitive information are confidential against the attacker. If the sensitive data is stored or transmitted without encryption in the public channel , the attacker maybe view the plaintext data. This attack maybe occur in Wenbo’s protocol and Yoon and Yoo’s protocol [15]. Moreover, in Wenbo’s protocol the sensitive (Bu, Wu) that was not encrypted was stored in the smart card and the long-term shared secret key SKGW was not also encrypted in the Sn. In the [15] Sn’s response message that was not encrypted was sent to U by a public channel directly.

The proposed protocol resists an integrity attack

Proof

The data integrity attack includes data modification attack, data corruption attack and data insertion attack. The integrity service assures the transmitted data is not modified by an unauthorized entity.

In our proposed protocol, Sn can guarantee the login request message {ID u , ID Sn , E X (a, b), T u } from U has not been modified by an unauthorized entity via decrypting E X (a, b), recomputing and checking b. GW can also guarantee the authentication request message {ID Sn , ID GW , IDu, E Z (a, β), T u , T Sn } from Sn has not been modified by an unauthorized entity via decrypting E Z (a, β), recomputing and checking a, β. Similarly, Sn can guarantee the authentication response message {ID GW , ID Sn , ID u , E Z′ (γ, δ), T GW } from GW has not been modified by an unauthorized entity via decrypting E Z′ (γ, δ), recomputing and checking δ. Moreover, U uses the same way to guarantee the authentication response message {ID GW , ID Sn , ID u , E X(ζ, γ), T Sn } from Sn has not been modified.

The proposed protocol resists a denial attack

Proof

This type of attack is that the participating entity denies in all of the operations or part of its. However, in our proposed protocol, we assume that GW is a trusted party. And GW creates the unique private key for every entity (sensor node, user) . Although GW does not store the private key of an entity, it can trace the entity operations with the entity’s public key and HMAC. Therefore, the entity cannot deny that he/she performed all participation.

The proposed protocol resists a DoS Attack

Proof

The DoS attack can be occurred by the attacker who transmitting the large number of request messages to Sn or GW in the login phase or in the authentication phase. In our proposed protocol, since every message associates with a timestamp T and is authenticated, the unauthenticated message or the timeout message is rejected. So the proposed protocol can reject DoS attack.

The proposed protocol resists a sensor node compromise attack

Proof

Since WSNs is normally deployed in an open environment, the attacker is easy to capture a sensor node and may attempt to get some information stored in the sensor node. When the attacker gets the secret from the capturing sensor node, he/she can attack the WSNs. If the authenticating user and data access from the sensor node are allowed directly to the user without the license of gateway, this attack is very high, which occurs in Watro et al.’s scheme [19].

In our proposed protocol, And U does not access data from Sn until it is authorized by GW and Sn. And U’s request message must be authenticated by Sn firstly, and the request message must be authenticated by GW. After that GW sends the license of U’s to Sn and U. Only U can access the data of sensor node when his/her license from GW is the same as Sn’s from GW. Moreover, in our proposed protocol GW can monitor whether a sensor node is captured with the trusted and reputation management scheme [24,26]. If some a sensor node is captured by an attacker, GW can detect and isolate it.

The proposed protocol resists a replay attack

Proof

The replay attacks are impossible if the previous information is not reused again. In our proposed protocol, the login message and the authentication message are validated by checking timestamps. When an attacker eavesdrops the communication between U and Sn or between Sn and GW, he/she does not reusable again. We assume if an adversary intercepts a login request message {ID u , ID Sn , E X (a, b), T u } and attempts replaying the same message for login to Sn. The verification of the login request fails because of (T a -T u ) > ∆T, where T a denotes the time when Sn receives the replaying message. Similarly, if an adversary intercepts {ID Sn , ID GW , ID u , E Z (a, β), T u , T Sn }and attempts to replay it to GW, he/she cannot pass the verification of GW because the time expires (i.e. (T b -T Sn ) > ∆T and (T b -T u ) > ∆T), where T b denotes the time when the replaying message is received by GW. Also if an adversary intercepts {ID GW , ID Sn , ID u , E Z′ (γ, δ), T GW } and attempts replaying the same message to Sn, he/she cannot pass the verification of Sn because of (T c -T GW ) > ∆T, where T c denotes the time when Sn receives the replaying response message. Moreover, if an adversary intercepts {ID GW , ID Sn , ID u , E X(ζ, γ), T Sn } and attempts replaying the same message to U, he/she also cannot pass the verification of U because of (T d -T Sn  > ∆T), where T d denotes the time when U receives the replaying response message.

The proposed protocol resists an impersonation attack

Proof

In our proposed protocol, all sensitive information that is transmitted is encrypted with some a key. Additionally, the messages are validated and authenticated. Only when an attacker knows the master key s or solves Bilinear Differ-Hellman Problem can he/she attain the private key. It is impossible for an attacker.

In the login phase, only when an attacker knows U’s private key d u can he/she generate a legal login request message {D u , ID Sn , E X (a, b), T u } to impersonate the U. Moreover it is impossible that an attacker gains the sensitive key material (ϴ, Ϻ) that is encrypted to only be stored in the smart card without the user U’s password. Thus it is not possible to compute X without d u for an attacker. And as long as an attacker does not possess Sn’s private key d Sn , he/she cannot generate a legal authentication request message {ID Sn , ID GW , IDu, E Z (a, β) , T u , T Sn } and {ID GW , ID Sn , ID u , E X(ζ, γ), T Sn } to impersonate Sn. This is because that the attacker cannot compute the key Z and the key X′ without d Sn . Similarly, an attacker also cannot generate a legal response message {ID GW , ID Sn , ID u , E Z′ (γ, δ), T GW } to impersonate GW. This is due to that an attacker does not know the private key d GW of GW.

The proposed protocol resists a stolen verifier attack

Proof

An attacker who has stolen U’s private key materials E ϴ(ϴ, Ϻ) from the smart terminal or the smart card via the Trojan or other intruding methods cannot obtain any useful information. This is due to that the private key materials are encrypted. The attacker cannot decrypt E ϴ(ϴ, Ϻ) to gain (ϴ, Ϻ) without U’s password PS. And the attacker also cannot attain any useful private key information of U from GW because U’s private key materials are not stored in the GW database.

The proposed protocol resists a stolen smart card attacks

Proof

The attacker who has stolen U’s smart card cannot impersonate this user to access S n . Because the attacker does not know U’s password, the smart card does not validate the login request and rejects the access request of the attacker.

The proposed protocol resists an insider attack

Proof

The insider attack is intentionally misused by authorized entities. In our proposed protocol, the gateway manager or system administrator cannot attain U’s password PS because in the registration phase U transmits E k (PS′) to GW instead of the plain password PS, and any sensitive key material information of U and any verifier table are not stored in GW. Additionally, the smart terminal manager or administrator also cannot attain the useful information of U’s key from the smart card and the smart terminal because of the sensitive key material encrypted. Therefore, the proposed protocol can resist the privileged insider attacks.

The proposed protocol resists a man-in-the-middle attack

Proof

The man-in-the-middle attack is that an attacker intercepts the communication between the legal user and other entity (e.g. sensor node, gateway) and successfully masquerades as the user or other entity by some methods. In our proposed protocol, U is authenticated by Sn in the login phase, Sn and U are authenticated by GW in the authentication request phase, and Sn also authenticates GW in the authentication response phase, U validates Sn and GW in the authentication response phase. That is to say, our proposed protocol can provide complete mutual authenticate among entities and resists the man-in-the-middle attack.

Table 2 shows the security functionality comparisons between our proposed protocol and the related protocols. According to the Table 2, although the Ohood et al.’s protocol presents the same security as ours, the Ohood et al.’s protocol needs some complicated biometric equipments. Compared against each other, our protocol provides is more security services than the other protocols.

Table 2 Security comparison

Performance analysis

The section summarizes the performance results of the proposed protocol. We define the notation Th as the hash function computation cost, Texp as the modular exponential computation cost, Tpm as the elliptic curve point multiply cost, Tpa as the elliptic curve point addition cost, Tpair as pairing computation cost, Trc as RC5 computation cost, Taes as AES computation cost, Te as the elliptic curve polynomial computation cost. The comparison of related protocols is illustrated in the Table 3.

Table 3 Computation performance comparison

According to Table 3, Chen et al.’s protocol needs eight hash function computations, Yoon el at.’s needs thirteen hash function computations, Yuan et al.’s also need thirteen hash function computations, Das’s protocol needs six hash function computations. And Benenson et al.’s protocol needs 2n hash function computations and 3n + 1 modular exponential computations [22]. Ohood et al.’s biometric authentication protocol needs four RC5 computations and ten hash function computations. Yeh et al.’s protocol needs fifteen hash function computations, four elliptic curve point addition computations , ten elliptic curve point multiply computations and two elliptic curve polynomial computations. Wenbo et al.’s protocol needs eighteen hash function computations and seven elliptic curve point multiply computations. Our proposed protocol needs eighteen hash function computations, four elliptic curve point multiply computations, eleven AES computations and six pairing computations. Although our protocol needs more computations than their protocols, their protocols suffer from security issues or need complicated biometric equipments. Our protocol addressed these issues and provides better security and more security services than the other related protocols.

Conclusion

In the paper, we discussed an approach of data capturing for big data that is data collecting via sensor networks and its user authentication protocol. We have analyzed Wenbo et al.’s user authentication protocol for WSNs. The Wenbo’s protocol, which does not provide mutual authentication between user and sensor node and confidentiality service, is susceptible to insider, replay, denial, compromise, forgery, man-in-the-middle and DoS attacks. We have also reviewed the protocols of Yeh et al., which does not provide mutual authentication and protect against insider, denial, compromise, man-in-the-middle and DoS attacks, of Das, which is vulnerable to forgery, denial, compromise, DoS, man-in-the-middle attacks, of Benenson et al., which susceptible to denial, compromise, DoS, man-in-the-middle attacks, of Chen et al. which is vulnerable to denial, insider, compromise and DoS attacks, of other biometric authentication protocols. Since WSNs need more secure mutual authentication method in an insecure network environment, we use the IBE mechanism to design a news user authentication protocol. Our protocol can prevent all the problems of the former schemes. Furthermore, it enhances the WSNs authentication with higher security than the other protocol. Therefore, the protocol is more suited to open and higher security WSNs environment in despite of more computation cost.

References

  1. Kenneth NC, Viktor MS (2013) The rise of big data: how It’s changing the way we think about the world. Fortuna’s Corner in cloud computing, Cybersecurity, Dow, Intelligence Community, Internet, Markets, national security, S & P, Uncategorized, US Military, April 24, 2013

    Google Scholar 

  2. Sastry N, Wagner D (2004) Security considerations for IEEE 802.15.4 networks. In Proceedings of the ACM Workshop on Wireless Security (WiSe’04). 32–42

  3. WG802.15 (2003) IEEE Standards for 802.15.4, Part 15, Amendment 4. Wireless medium access control and physical layer specifications for low-rate wireless personal area networks. IEEE, Washington, DC, USA

    Google Scholar 

  4. Das ML, Saxena A, Gulati VP (2004) A dynamic ID-based remote user authentication scheme. IEEE Trans Consum Electron 50(2):629–31

    Article  Google Scholar 

  5. Leung KC, Cheng LM, Fong AS, Chan CK (2003) Cryptanalysis of a modified remote user authentication scheme using smart cards. IEEE Trans Consum Electron 49(4):1243–5

    Article  Google Scholar 

  6. Watro R, Kong D, Cuti S F, Gardiner C, Lynn C, Kruus P (2004) TinyPK: securing sensor networks with public key technology. In Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN’04), 59–64

  7. Benenson Z, Gedicke N, Raivio O (2005) Realizing robust user authentication in sensor networks. In Real-World Wireless Sensor Networks (REALWSN), 14

  8. Wong KHM, Yuan Z, Jiannong C, Shengwei W (2006) A dynamic user authentication scheme for wireless sensor networks. In Proceedings of the IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing, 244-251

  9. Tseng HR, Jan RH, Yang W (2007) An improved dynamic user authentication scheme for wireless sensor networks. In Proceedings of the 50th Annual IEEE Global Telecommunications Conference (GLOBECOM’07), 986–990

  10. Das ML (2009) Two-factor user authentication in wireless sensor networks. IEEE Trans Wirel Commun 8(3):1086–90

    Article  Google Scholar 

  11. Ko KC (2008) A novel dynamic user authentication scheme for wireless sensor networks. In Proceedings of the IEEE International Symposium on Wireless Communication Systems, ISWCS’08, 608–612

  12. Nyang DH, Lee MK (2009) Improvement of Das’s two-factor authentication protocol in wireless sensor networks. Available via DIALOG. http://eprint.iacr.org/2009/631.pdf. Accessed 15 Jan 2014.

  13. Vaidya B, Rodrigues JJ, Park JH (2010) User authentication schemes with pseudonymity for ubiquitous sensor network in NGN. Int J Communication Syst 23(9–10):1201–22

    Article  Google Scholar 

  14. Khan MK, Alghathbar K (2010) Cryptanalysis and security improvements of ‘two-factor user authentication in wireless sensor networks’. Sensors 10(3):2450–9

    Article  Google Scholar 

  15. Khan MK, Alghathbar K (2010), Security Analysis of Two-Factor Authentication In Wireless Sensor Networks. In Proceedings of Advances in Computer Science and Information Technology: AST/UCMA/ISA/ACN 2010 Conferences, 55–60

  16. Chen TH, Shih WK (2010) A robust mutual authentication protocol for wireless sensor networks. ETRI J 32(5):704–12

    Article  Google Scholar 

  17. Yeh HL, Chen TH, Liu PC, Kim TH, Wei HW (2011) A secured authentication protocol for wireless sensor networks using elliptic curves cryptography. Sensors 11(5):4767–79

    Article  Google Scholar 

  18. Han W (2013), Weakness of a secured authentication protocol for wireless sensor networks using elliptic curves cryptography. Available via DIALOG. http://eprint.iacr.org/2011/293. Accessed 15 May 2014.

  19. Yuan J, Jiang C, Jiang Z (2010) A biometric-based user authentication for wireless sensor networks. Wuhan Univ J Nat Sci 15(3):272–6

    Article  Google Scholar 

  20. Yoon EJ, Yoo K Y(2011) A new biometric-based user authentication scheme without using password for wireless sensor networks. In Proceedings of the 20th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, 279–284

  21. Ohood A, Mznah AR, Abdullah AD (2013) An efficient biometric authentication protocol for wireless sensor networks. Int J Distributed Sensor Networks 4:1–13

    Google Scholar 

  22. Wenbo S, Peng G (2013) A new user authentication protocol for wireless sensor networks using elliptic curves cryptography. Int J Distrib Sens Netw 3:1–7

    Google Scholar 

  23. Quan Z (2011) Trusted transmission model of wireless sensor networks, Ph.d. Theis. South China Agricultural University, China

    Google Scholar 

  24. Quan Z, Gui F, Deqin X, Jiuhao L (2010) trusted transport model based cluster-merkle-tree for WSNs. in Processing of 2010 IEEE International Conference on Computer Application and System Modeling V1, 564 -568

  25. Quan Z, GUI F, Deqin X, Yi T (2012) Trusted architecture for farmland WSNs. in Processing of 2012 Forth IEEE International Conference on Cloud Computing Technology and Science, 782–787

  26. Boneh D, Franklin M (2001) Identity based encryption from the Weil pairing. in processing of Advances in Cryptology. Lect Notes Computer Sci 2139:213–29

    Article  MathSciNet  Google Scholar 

Download references

Acknowledgements

This work was supported in part by the National Natural Science Foundation of China under Grant No. 11271003, the National Research Foundation for the Doctoral Program of Higher Education of China under Grant No.20134410110003, High Level Talents Project of Guangdong, Guangdong Provincial Natural Science Foundation under Grant No.S2012010009950 and No. S2012040007370, the Project of Department of Education of Guangdong Province under Grant No 2013KJCX0146, and the Natural Science Foundation of Bureau of Education of Guangzhou under Grant No. 2012A004. We sincerely thank all the researchers in our references section for the inspiration they provide.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Zhou Quan.

Additional information

Competing interests

The authors declare that they have no competing interests.

Authors’ contributions

ZQ designed the user authentication protocol and analyzed performance. TC implemented the security analysis for protocol. ZX analyzed the security of Wenbo’s protocol. RC coordinated the whole study. All authors read and approved the final manuscript.

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0), which permits use, duplication, adaptation, distribution, and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Quan, Z., Chunming, T., Xianghan, Z. et al. A secure user authentication protocol for sensor network in data capturing. J Cloud Comp 4, 6 (2015). https://doi.org/10.1186/s13677-015-0030-z

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1186/s13677-015-0030-z

Keywords