A Performance and Usability Aware Secure Two-Factor User Authentication Scheme for Wireless Sensor Networks

Recently, several user authentication schemes for wireless sensor networks based on the two-factor concept using smart card technology have been proposed. However, they have serious limitations in terms of security and usability. First, even though they are enhancements of earlier works, they still have several security flaws, such as vulnerability to parallel session, privileged-insider, and gateway-node bypassing attacks and the lack of mutual authentication between the user station and the gateway node. Second, they also present a usability constraint, in the sense that they do not consider the case in which sensor nodes cannot communicate with the gateway node. In that case, data collected by isolated sensor nodes cannot be accessed until communication is recovered, which is often not recoverable quickly, or at all (e.g., military applications, natural disaster monitoring). For all these reasons, this paper proposes a robust user authentication scheme which fixes the security weaknesses of previous solutions and provides wider usability by covering the case in which sensor nodes cannot communicate with the gateway node. Once the solution is described, its security is established by a formal proof and by an analysis against known attacks. Additionally, performance and cost analyses are carried out to determine its feasibility for real implementation.


Introduction
With the growth of wireless sensor network (WSN) application fields, the frequency with which WSNs manage critical tasks and important information has also increased. However, most real applications do not include any security mechanism, making them vulnerable to serious attacks. This fact makes evident the need for security solutions for WSNs such as [1]. Among the different security mechanisms, a user authentication mechanism that allows only legitimate users to access the WSN's data is considered one of the most important, because it contributes to keeping the confidentiality and integrity of the network's data and because it is an essential primitive upon which other security mechanisms, such as secure channel establishment and over-the-air (OTA) programming [2], are built.
At this point, several research works [3][4][5][6][7] have provided user authentication schemes for WSNs. Those proposals consider the resource limitations of WSNs and provide lightweight schemes. However, they have serious limitations in terms of security and usability.
First, previous works have several security flaws, such as vulnerability to parallel session, privileged-insider, and gateway-node bypassing attacks and the lack of mutual authentication between the user station and the gateway node. Second, they also present a usability constraint, in the sense that they do not consider the case in which sensor nodes cannot communicate with the gateway node; in that case, data collected by the sensor nodes cannot be accessed until communication is recovered, which is often not recoverable quickly, or at all (e.g., military applications in wartime, natural disaster monitoring). For all these reasons, this paper proposes an enhanced user authentication scheme that solves the identified security issues and constraints.
The rest of this paper is organized as follows. Section 2 analyzes the existing works to detail their weaknesses and limitations in terms of security and usability. Section 3 then specifies the design criteria of the proposed user authentication scheme. Section 4 presents the details of the proposed solution, which solves the vulnerabilities and limitations identified in Section 2. Next, Section 5 analyzes the proposed protocol in terms of achieved security

Analysis of Existing Works
Lately, user authentication for wireless sensor networks based on smart cards has been actively researched. The two-factor authentication approach, which requires verification of possession of both a password and a smart card, effectively achieves authentic delivery of sensed data while minimizing the load of storing user data in the gateway node. This is because the user's tamper-resistant smart card provides secure storage of the authentication data instead of the gateway node.
In 2009, Das [3] proposed an authentication scheme based on the two-factor user authentication concept using smart card technology. Das' proposal was considered an efficient two-factor user authentication scheme because it required only a small number of hash function computations [4]. However, even though Das' proposal was adopted by different research works, its limitations and security flaws were discovered in subsequent works. Nyang and Lee [4] identified that Das' protocol was vulnerable to offline password guessing and sensor node compromise attacks. Huang et al. [5] also identified limitations of Das' scheme, such as vulnerability to impersonation attacks. Additionally, the authors of [6] pointed out the absence of mutual authentication in Das' protocol, while Khan and Alghathbar [7] pointed out further security flaws, showing that it was vulnerable to privileged-insider and gateway-node bypassing attacks.
Having discovered these vulnerabilities and security limitations of Das' proposal, the authors of [3][4][5][6] also proposed enhanced versions of Das' protocol to eliminate the detected vulnerabilities. However, as shown in our previous work [8], those protocols still include serious vulnerabilities and security limitations of which an attacker can take advantage, exposing WSNs to serious risks. Table 1 summarizes the security analysis of [8], showing that the protocols in [3][4][5][6][7] are still vulnerable to different attacks and have several security limitations.
In addition, all of the aforementioned approaches focus their analysis only on security and performance and neglect usability. From this point of view, the previous user authentication schemes also present a serious usability constraint because they do not consider the case in which important sensor nodes become isolated. Isolation of sensor nodes can occur because of link failures between the gateway node and the sensor nodes (see Figure 1) or because of disconnections between critical routing sensor nodes (see Figure 2). Sensor node isolation is problematic for several reasons. First, isolated sensor nodes frequently store critical information that must be delivered to the user in time for decision making. However, with the previous user authentication mechanisms, users cannot authenticate to isolated sensor nodes until those nodes recover communication with the gateway node, which is often not recoverable quickly, or at all. Additionally, if the link between the gateway node and the isolated sensor nodes is not reestablished quickly, the historical data of those nodes may be discarded because of their limited storage capacity. This situation therefore calls for a new user authentication scheme with an offline user authentication mechanism that allows users to authenticate directly to isolated sensor nodes and retrieve the critical information in a timely way.
Even though many may think that sensor node isolation is uncommon, it is common in particular applications. Here we describe some applications in which sensor nodes can become isolated and why offline user authentication (a mobile user station authenticating directly to the sensor node) is important. First, consider a volcano monitoring sensor network [9] gathering seismic and infrasonic signals. In such systems, several events can cause sensor node isolation. One possibility is an explosion in a side vent (see Figure 3); in that case, the sensor nodes located above the side vent can lose their connection with the region below it because the sensor nodes near the side vent are destroyed or buried. Another case is when critical routing sensor nodes are buried or damaged by lahars or seismic activity. Data on the Tungurahua volcano in Ecuador (see Figure 4) published by the Instituto Geofísico de la Escuela Politécnica Nacional (http://www.igepn.edu.ec/) illustrate how frequently this situation can occur in an active volcano. The report indicates that 29 lahars and 8400 long-period seismic events were detected in 2004 alone. In those cases, the isolated nodes frequently store important data that could help to forecast the future behavior of the volcano. Therefore, it is important to provide a mechanism that allows rapid and timely access to such information while maintaining confidentiality and integrity.
Another type of application in which critical sensor nodes can become isolated is the military one. Consider a battlefield application that has lost some intermediate nodes because they were destroyed by the enemy, while the nodes deployed in enemy territory have accumulated important data. In this case, an automaton user station could be sent into enemy territory to gather that information. An easy way to authenticate to the sensor nodes would be for the automaton to carry the secret keys. However, carrying the secret keys into a hostile environment opens wide possibilities for leakage of the secret values, which could compromise the security of the whole network. Therefore, the user authentication scheme must provide a way to maintain the security of the sensor network even if the automaton is captured by the adversary.
In conclusion, previous works present several limitations in terms of security and usability, and this situation creates the need for an enhanced user authentication scheme which overcomes those constraints.

User Authentication Scheme Design Criteria
We believe that several limitations of previous works arose from the absence of a concrete and clear requirements elicitation process. To avoid the same mistake, this paper first describes the design criteria of the proposed user authentication scheme.
International Journal of Distributed Sensor Networks

3.1. General Considerations and Assumptions.
The proposed user authentication scheme must be implementable in a scenario with the following considerations and assumptions.
(i) The network is composed of traditional elements, that is, sensor nodes, gateway node(s), and user station with time synchronization.
(ii) The network has at least one gateway node which has a stable link with the user station.
(iii) The network implements a routing protocol which provides the path between sensor nodes and gateway node(s).
(iv) The hierarchies of sensor nodes and the topology of the network are taken care of by the routing protocol.
(v) Each sensor node can store a set of predefined data.

Security Requirements.
The most important aspect of the proposed user authentication scheme is its security. Therefore, it is vital to precisely define the security requirements that the proposed scheme must satisfy. This section defines the threat model and then describes the list of security requirements considered in this paper.

Threat Model.
In the analysis of the proposed protocol, the widely used Dolev and Yao [10] threat model is applied, which assumes that two communicating parties communicate over an insecure channel. This means that the attacker is able to eavesdrop on and manipulate the messages sent over the air. In other words, the attacker can read, modify, delay, and replay the messages sent by the different entities that participate in the WSN. Additionally, it is assumed that the attacker knows the algorithms of the security mechanisms deployed in the network. The main aim of the attacker is to forge an authentication. It is assumed that the attacker aims for a forgery in the proposed message exchange scenario in which a user authenticates to the sensor network. The attack is considered successful if the sensor network (whether a sensor node or the gateway node) accepts a fake message that was not sent by an authentic user, or if the user accepts messages coming from a fake sensor node or gateway node. All kinds of nonauthentic messages, such as newly generated random messages, replayed messages, and modified messages sent by the attacker, are considered fake messages. This paper only addresses the user authentication problem; security issues at other layers of the protocol stack are left to security solutions at those levels. In addition, it is assumed that the gateway node(s) are managed by a trusted infrastructure. Therefore, the gateway node(s) are considered secure and their security is not considered part of this work. Additionally, not every aspect of physical attacks is considered in this paper; however, the unauthorized extraction of the secret values of a sensor node or smart card using techniques such as those shown in [11][12][13] must not affect the security of the remaining nodes and users.

Basic Requirements
Data Confidentiality. Data confidentiality is the most important issue in network security. The proposed security solution must conceal private information, making it infeasible for an unauthorized user to understand the confidential data.
Data Integrity. With confidentiality in place, an adversary may be unable to read the information. However, this does not mean the data is safe: the adversary can still change the data to cause disorder in the sensor network. Therefore, it is important that the different entities of the network can detect modification of messages transmitted over the network.
Data Freshness. Even if confidentiality and data integrity are assured, it is necessary to ensure the freshness of each message. Data freshness means that the data is recent and ensures that no old messages have been replayed.

Attack List.
Several attacks are considered common against user authentication in WSNs, such as privileged-insider, stolen-verifier, replay, parallel session, guessing, brute force, impersonation, and gateway-node bypassing attacks [3][4][5][6][7]. The proposed solution must also demonstrate its security against such attacks.

Other Security Requirements
Mutual Authentication. Some previous works [4,7] provide mutual authentication between the gateway node and the sensor nodes but do not provide mutual authentication between the user and the gateway node. This situation can compromise the security of the whole network, because newer sensor network implementations offer remote administration/query features in their gateway nodes [14,15], allowing users to access the network's data from a remote terminal. In this kind of environment, it is essential that the user side verifies the validity of the gateway node, to prevent adversaries from collecting valuable data using fake gateway nodes.

Secure Registration, Authentication, and Password Change Processes.
The proposed user authentication mechanism must offer user registration, authentication, and password change processes, and each of them must be executed in a secure manner.
Session Key Establishment. After authentication, the scheme must provide a simple session key establishment algorithm so that a secure channel can be set up between the authenticated entities.

Performance Requirements.
WSNs have special characteristics which must also be considered when designing security mechanisms. The most important constraints of WSNs are resource related [16], namely, limited storage space, limited computation power, and low energy capacity. Since the use of security algorithms reduces the lifetime of nodes, it is critical that the user authentication algorithm consumes little energy. The aspects considered as performance requirements are as follows.
Type of Cryptographic Algorithm. Traditionally, there are two types of cryptographic algorithms, namely, public-key cryptography and symmetric-key cryptography. The first uses two separate keys: one to encrypt the plaintext and another to decrypt the ciphertext. The most representative public-key algorithms are RSA (named after its creators Rivest, Shamir, and Adleman) and elliptic curve cryptography (ECC). Symmetric-key cryptography, on the other hand, uses a common key for encryption and decryption which is shared among the communicating parties. One of the most representative symmetric-key algorithms is the Advanced Encryption Standard (AES). Additionally, there is another type of encryption/decryption mechanism based on hash functions and exclusive-or operations which is considered part of symmetric-key cryptography because it uses a common key between the communicating entities. One of the most representative hash functions used in such mechanisms is the Secure Hash Algorithm (SHA). The importance of selecting the right cryptographic algorithm lies in its complexity. Different cryptographic algorithms have different complexities, which is reflected in the required computation power and energy usage. This issue is very important because common sensor nodes have very limited computation power and energy capacity. Several research works [17][18][19][20] have applied asymmetric-key algorithms in WSNs. Their results reveal that, despite the use of energy-efficient techniques such as ECC or dedicated cryptographic coprocessors, asymmetric-key algorithms consume more energy than symmetric-key algorithms. For this reason, many researchers consider the processing time and power consumption of public-key techniques to make them undesirable for sensor networks. Based on this criterion, public-key cryptography was discarded for the proposed solution.
Between traditional symmetric-key cryptography and hash-based encryption, this paper uses the latter because of its benefits in terms of energy usage, as shown in previous works such as [21,22]. In [21], the authors report that AES-128 consumes more than twice as much energy as a SHA-1 computation, around 339 J for AES-128 versus around 154 J for SHA-1 on Crossbow nodes. The work in [22] shows that, for payloads of 17 bytes or more, SHA-1 requires considerably fewer iterations than AES and therefore a shorter running time and less energy. In an earlier publication [16], the authors estimated that the energy per bit consumed by the MIPS R4400 and MC68328 "DragonBall" processors for AES encryption/decryption is 9 nJ/bit and 101 nJ/bit, respectively, while for SHA-1 hashing the same processors consume 7.2 nJ/bit and 41 nJ/bit, respectively.
Number of Cryptographic Operations. The number of cryptographic operations executed in sensor nodes must be minimal to extend their lifetime. The number of cryptographic operations executed by the user station and gateway node is not considered as important because they own superior

Number of Messages.
One of the operations that consumes the most energy is message transmission. Therefore, the number of messages sent by sensor nodes must also be minimal to reduce the energy spent on wireless communication.
Energy Consumption Analysis. An energy consumption analysis using realistic data sizes will help to understand the effects of the proposed user authentication scheme on the WSN.

Usability Requirements.
The proposed scheme must also consider the different use cases of the authentication process according to the state of the network to offer extensive usability.This paper considers two specific use cases.

Online User Authentication.
Online user authentication refers to the user authentication process executed when the sensor node has a network connection with the gateway node (see Figure 5). This is the traditional case, because sensor nodes are commonly monitored from the fixed network infrastructure, installed in a safe place, which includes the gateway node.

Offline or Gateway-Less User Authentication.
This is the case in which the user authenticates directly to the sensor node because the network connection between the sensor node and the gateway node cannot be established. The user must approach the sensor node and authenticate to it without the authorization of the gateway node (see Figure 6).
Important. Although this use case is very important for different types of WSNs, such as military operation and natural disaster monitoring applications (as explained in Section 2), none of the previous works has considered it.

Proposed User Authentication Scheme
The proposed solution is composed of three protocols: user registration, user authentication, and password change, which are executed among three independent entities, that is, users, the gateway node, and sensor nodes.

User Registration Protocol.
The user registration protocol is executed when a new user needs to be authorized to access the sensor network. The steps executed in this protocol are as follows (see Figure 7 and Table 2). A user   chooses his/her identity   and password   and inputs them to the terminal. The terminal then generates a random number   and computes   = ℎ(  ) ⊕   , where ℎ(⋅) is a hash function and ⊕ is the XOR operator. Once   has been calculated,   and   are sent to the gateway node GW. GW then computes  , where K is a symmetric key known only to GW and "‖" is the concatenation operator. Once   has been calculated, GW personalizes a smart card with the parameters ℎ(⋅) and   . Then, GW delivers the smart card to   in a secure manner. Finally,   calculates   = ℎ(  ‖   ‖   ) and stores   and   in the smart card.
In addition, a unique secret key   = ℎ(  ‖ K) is stored in each sensor node responsible for exchanging data with   , where   is the unique identifier of the sensor node.
The proposed user registration protocol includes several enhancements compared to the previous solutions. First, each smart card and sensor node includes unique secret values:  attack. Finally, the use of ℎ(  ‖ K) inside   provides protection against parallel session attacks.

User Authentication Protocol.
This protocol is performed when   needs to access the data gathered by a sensor node. The user authentication process differs depending on the use case, as described in Section 3.

Online User Authentication Protocol.
This subsection describes the authentication protocol when the sensor node is connected to the gateway node (see Figure 5). In this case, the gateway node works as a verifier that validates the authenticity of the user and of the sensor node. The steps executed in this protocol are as follows (see Figure 8 and Table 2). Note. Although the process of the online user authentication protocol is similar to that proposed by the existing works, it includes several enhancements. First, it delivers mutual authentication among all entities (  , GW, and   ). Additionally, the proposed protocol includes a simple session key establishment phase which was not provided in most solutions.

Offline or Gateway-Less User Authentication Protocol.
In this use case,   is disconnected from the gateway node; therefore, it is not possible to receive authorization from GW to grant   access to the collected data (see Figure 6). In this situation, another form of authentication is required, in which   must be sure that   is an authenticated user authorized by GW without handling   's key directly; on the other hand,   must also be sure that   is an authentic sensor node, but without handling   's key. For this purpose, a special piece of data called a Permit is proposed to be used instead of the secret keys. The Permit contains the authorization of GW to access the data of a sensor node. The offline or gateway-less user authentication protocol is composed of two subprotocols, namely, permit issue and user authentication. The first allows   to request from the gateway node the permit for accessing   (  ), while the second allows   to use the issued permit to authenticate to   .
(A) Permit Issue Subprotocol. After receiving the smart card from GW,   can use it to authenticate himself or herself to GW and receive the   which will allow   to authenticate to the sensor node   when it is disconnected from GW.   is a secret value issued by GW which certifies that   has permission to access the data collected by   . The permit issue subprotocol is executed as follows (see Figure 9).

Figure 10: Proposed offline user authentication subprotocol.

..., and the encrypted permit   =     - (  ‖   ), and transmits {  ,   } to   , where   is the timestamp of GW's system when generating   and    () is symmetric encryption of a string under the secret key.   first validates   using the same method as for the verification of  1 , then computes    - = ℎ( 1 ‖   ‖   ) to obtain   ‖   =     - (  ), where    () is symmetric decryption of a string under the secret key. Once   is obtained,   compares it with the   received in plaintext to validate once more the validity of   . Finally,   stores   and   in the smart card.
Note. The permit can be obtained (1) immediately after receiving the smart card or (2) when the need arises.
The criterion for checking the validity of Δ   is the same in both cases, that is, a period of time (e.g., one day, one week). The first case has the advantage that the user can move to a location near the sensor nodes that has no network connection with the GW. However, in this case, the user must be careful to renew the Permit before it expires. The second case can be used when the user is in a location with a stable network connection to the GW. We believe that obtaining the permit from the GW when the need arises is not a critical problem, because the time required to execute the permit issue subprotocol is small. In conclusion, the first case (obtaining the permit immediately) is the better choice when the response time to events is critical and the user is not in a place connected to the GW, while the second case (obtaining the permit from the GW when the need arises) is better when the user is located in a place with a stable network connection to the GW.
(B) User Authentication Subprotocol. Once the permit has been received,   can go to the field and authenticate directly to the sensor node. This protocol is composed of two phases, namely, authentication and session key establishment (see Figure 10).
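As an added illustration of the registration protocol (Section 4.1) and of the permit issue and gateway-less authentication subprotocols above, the following Python reconstructs the structure the text specifies: a password masked by XOR with a random value, a per-card secret that yields the user's GW-derived value only when the correct password is supplied, a per-node key of the form ℎ(ID‖K), timestamp freshness checks on every message, a permit that the node can recompute from its own key without any per-user state, and a session key at the end. This is not the paper's code and does not reproduce its exact message formats: the names ID_i, PW_i, r_i, N_i, X_i, V_i, K, SK_j, A_i, the permit P, the timestamps T1–T3, the tolerance DELTA and the permit lifetime are assumptions, and the generic symmetric encryption E_k() is replaced by a one-block hash-keystream XOR as a stand-in. The online U–GW login, whose request has the same form as the permit request (see Section 4.4), and the GW–S_j leg of online authentication are not shown.

```python
# Added illustration, not the paper's code: reconstruction of the scheme's structure.
# Assumed names: ID_i, PW_i, r_i, N_i, X_i, V_i (card), K (GW), SK_j (node), A_i, P, T1..T3.
import hashlib
import hmac
import os

DELTA = 5            # assumed tolerance for timestamp freshness, in seconds
PERMIT_TTL = 86400   # assumed permit validity period ("e.g., one day")

def h(*parts):
    """The paper's generic one-way hash h(a ‖ b ‖ ...): SHA-256 over length-prefixed parts."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def tb(n):                      # timestamp (integer seconds) as bytes for hashing
    return n.to_bytes(8, "big")

def fresh(t, now):              # data freshness: outside the window counts as a replay
    return abs(now - t) <= DELTA

class Gateway:
    def __init__(self):
        self.K = os.urandom(32)                       # symmetric key known only to GW

    def node_key(self, id_j):                         # SK_j = h(ID_j ‖ K), installed in node j
        return h(id_j, self.K)

    def register(self, id_i, n_i):
        """Registration: GW receives ID_i and N_i = h(PW_i) ⊕ r_i and personalises the card."""
        x_i = xor(h(id_i, n_i), h(id_i, self.K))      # yields h(ID_i ‖ K) only to whoever rebuilds N_i
        return {"ID": id_i, "X": x_i, "permits": {}}

    def issue_permit(self, id_i, id_j, t1, m1, now):
        """Permit issue: authenticate the user, then send a permit for node j encrypted to the card holder."""
        a_i = h(id_i, self.K)                         # GW recomputes the user's secret from K
        if not fresh(t1, now) or not hmac.compare_digest(m1, h(a_i, id_j, tb(t1))):
            return None                               # stale or forged request
        expiry = now + PERMIT_TTL
        permit = h(self.node_key(id_j), id_i, tb(expiry))   # node j can recompute this offline
        k = h(tb(t1), a_i, id_j)                      # one-time key for this reply
        enc = xor(permit, h(k, b"enc"))               # stand-in for E_k(permit): one 32-byte block
        m2 = h(a_i, id_j, tb(expiry), tb(now), enc)   # lets the user authenticate GW (T2 = now)
        return {"T2": now, "expiry": expiry, "enc": enc, "M2": m2}

class SensorNode:
    def __init__(self, id_j, sk_j):
        self.id, self.sk = id_j, sk_j                 # only SK_j is stored, never K

    def offline_login(self, id_i, expiry, t2, m2, now):
        """Gateway-less authentication: verify the permit with no per-user state and no contact with GW."""
        if not fresh(t2, now) or now > expiry:
            return None
        permit = h(self.sk, id_i, tb(expiry))
        if not hmac.compare_digest(m2, h(permit, self.id, tb(t2))):
            return None
        return {"T3": now, "M3": h(h(permit, self.id, tb(t2)), tb(now)),
                "session": h(permit, tb(t2), tb(now))}

def register_user(gw, id_i, pw):
    """User side of registration: mask the password with r_i; keep r_i and a verifier on the card."""
    r_i = os.urandom(32)
    card = gw.register(id_i, xor(h(pw), r_i))
    card["V"], card["r"] = h(id_i, pw, r_i), r_i
    return card

def card_login(card, pw):
    """Two factors: the card's X_i plus a password that reproduces N_i. Returns A_i = h(ID_i ‖ K)."""
    if not hmac.compare_digest(card["V"], h(card["ID"], pw, card["r"])):
        return None
    return xor(card["X"], h(card["ID"], xor(h(pw), card["r"])))

def request_permit(card, pw, gw, id_j, now):
    """Permit issue, user side; T1 = now (clocks assumed synchronized). True once a verified permit is stored."""
    a_i = card_login(card, pw)
    if a_i is None:
        return False
    reply = gw.issue_permit(card["ID"], id_j, now, h(a_i, id_j, tb(now)), now)
    if reply is None or not fresh(reply["T2"], now):
        return False
    expected = h(a_i, id_j, tb(reply["expiry"]), tb(reply["T2"]), reply["enc"])
    if not hmac.compare_digest(reply["M2"], expected):
        return False                                  # mutual authentication: GW is verified too
    k = h(tb(now), a_i, id_j)
    card["permits"][id_j] = (xor(reply["enc"], h(k, b"enc")), reply["expiry"])
    return True

def offline_auth(card, pw, node, now):
    """Offline authentication, user side; T2 = now. Returns the session key or None."""
    if card_login(card, pw) is None or node.id not in card["permits"]:
        return None                                   # the password is still required in the field
    permit, expiry = card["permits"][node.id]
    reply = node.offline_login(card["ID"], expiry, now, h(permit, node.id, tb(now)), now)
    if reply is None or not fresh(reply["T3"], now):
        return None
    if not hmac.compare_digest(reply["M3"], h(h(permit, node.id, tb(now)), tb(reply["T3"]))):
        return None
    return h(permit, tb(now), tb(reply["T3"]))
```

Two properties of the text are visible in the code: a node compromise leaks only that node's SK_j, so a permit for node 7 does not validate at node 8 (the permit is bound to the node key, the user identity and the expiry), and a captured card without its password yields neither A_i nor the stored permit's use, because card_login gates both flows. Timestamps are explicit parameters so the freshness and expiry rejections can be exercised deterministically.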

Password Change Protocol.
One of the requirements of a secure protocol is providing a mechanism so that users can freely change their passwords. The proposed scheme provides a simple and efficient password change protocol which does not require communication with the gateway node. The proposed password change protocol is executed as follows (see Figure 11 and   = ℎ(  ‖   ) ⊕ ℎ(  ‖ K), where   = ℎ(  ) ⊕   . Finally, the smart card replaces   and   with   and   , respectively.

Implementation Issues.
This paper does not cover the details of a real implementation of the proposed scheme. However, we would like to share several considerations for implementing it. First, the user interface of the application installed in the user station (  ) that manages the execution of the protocols must include an option for the user to choose which protocol to execute. Second, since the content of the message sent from   to GW is the same in the online user authentication protocol and in the offline permit issue subprotocol ({  ,   ,  1 }), it must include a header indicating which protocol GW must execute; one possible solution is a single bit, "0" for online user authentication and "1" for the offline permit issue subprotocol. Finally, the requests {  ,   ,  2 } and {  ,   ,   execute the steps of one protocol according to the size of the received message. As another option, request messages could include a header indicating the type of request the user is making. These ideas are only possible options, and the details required for a real implementation should be decided based on the requirements of the overall solution.

Analysis of the Proposed Scheme
5.1. Security Analysis. This part analyzes the security of the proposed scheme in terms of formal verification and of the security requirements described in Section 3. The registration and password change protocols of the proposed scheme are excluded from this analysis because they are executed in a secure environment. In the analysis of the user authentication protocol, the threat model discussed in Section 3 is applied.

Formal Proof Based on BAN Logic
(A) Notations and Rules of BAN Logic. This subsection demonstrates the security of the proposed scheme using the well-known formal model called BAN logic [23,24]. BAN logic has been widely used in different works, such as [25][26][27], to reason about security validation. The logical notation of BAN logic used in this paper is described in Table 3. This section also lists the main logical postulates used in the proofs.
Message-Meaning Rule. If the principal P believes that the secret key K is shared with the principal Q, and P sees the statement X encrypted or combined (hashed) under K, then P believes that Q once said X.
Freshness-Conjunction Rule. If the principal P believes that the statement X is fresh, then P believes that (X, Y) is fresh.
Nonce-Verification Rule. If the principal P believes that the statement X has never been uttered before and that the principal Q once said X, then P believes that Q believes X.
Jurisdiction Rule. If the principal P believes that the principal Q has jurisdiction over the statement X and that Q believes X, then P believes X.
(B) Formal Proof. In the following, the security proof of the authentication protocol using BAN logic is given.
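The four postulates above in the standard BAN notation, added here as a reference (this is the usual formulation from Burrows, Abadi, and Needham [23], not the page's Table 3): $P \models X$ reads "P believes X", $P \triangleleft X$ "P sees X", $P \mid\!\sim X$ "P once said X", $\#(X)$ "X is fresh", $P \Rightarrow X$ "P has jurisdiction over X", $P \xleftrightarrow{K} Q$ "K is a good key shared by P and Q", and $\{X\}_K$ "X encrypted (or combined) under K".

```latex
\begin{aligned}
&\text{Message meaning (shared key):}\qquad
 \frac{P \models P \xleftrightarrow{K} Q,\;\; P \triangleleft \{X\}_K}{P \models Q \mid\!\sim X} \\[6pt]
&\text{Freshness conjunction:}\qquad
 \frac{P \models \#(X)}{P \models \#(X, Y)} \\[6pt]
&\text{Nonce verification:}\qquad
 \frac{P \models \#(X),\;\; P \models Q \mid\!\sim X}{P \models Q \models X} \\[6pt]
&\text{Jurisdiction:}\qquad
 \frac{P \models Q \Rightarrow X,\;\; P \models Q \models X}{P \models X}
\end{aligned}
```

The usual proof pattern in this kind of scheme chains them in that order: message meaning turns a received authenticator under a shared key into "Q once said X", the freshness of a timestamp or nonce inside X lifts that to "Q believes X" via nonce verification, and jurisdiction over the session key then gives the final belief in the key.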
Gateway-Node Bypassing Attack. The reason a GW bypassing attack is possible in [3,6] is the sharing of the secret parameter   with   and   . If the value of   is compromised, the whole sensor network becomes vulnerable to the gateway node bypassing attack. On the other hand, the reason the gateway node bypassing attack is possible in [7] is the secret value   stored in the sensor nodes, which can be extracted using methods similar to those for extracting   from a smart card [11][12][13]; if   is extracted, the adversary can execute the GW bypassing attack. In the proposed protocol,   's smart card and   do not store either   or   but instead store other individual secret values   = ℎ(  ‖   ) ⊕ ℎ(  ‖ K) and   = ℎ(  ‖ K) which are unique per smart card and sensor node. Therefore, even if the   value is extracted from a sensor node, the rest of the nodes still maintain their security. On the other hand, even if   were extracted from a smart card, it would be unusable without the correct   value, because the   used for authentication is generated using ℎ(  ‖ K), which can only be obtained with the correct ℎ(  ‖   ) value.
User Impersonation.An adversary who wants to impersonate a valid user   to log into the network must calculate a valid   (for the online and offline user authentication) or   (for the permit issue).Since   = ℎ(  ‖   ‖  1 ) and   = ℎ(  ⊕   ‖  1 ) are calculated by a one-way hash function, the adversary cannot decipher such values.Additionally,   and   cannot be created arbitrarily because they are based on the secret value   obtainable only with the correct   and   .
Gateway-Node Impersonation.An adversary who wants to impersonate a valid GW must calculate a valid   (for the online user authentication) or   (for the permit issue).Since   = ℎ(  ‖   ‖  2 ) and   =     - (  ‖   ) are calculated using one-way hash function or a secure symmetric cryptographic algorithm, the adversary cannot decipher such values.Additionally,   and   cannot be created arbitrarily because they are based on the secret value K which is only known by the authentic GW.
Sensor Node Impersonation. An adversary who wants to impersonate a valid   must calculate a valid   (for the online user authentication) or   (for the offline user authentication). Since   = ℎ(  ‖   ‖  3 ) and   = ℎ(ℎ(  ‖   ‖   ) ‖  2 ) are calculated using a one-way hash function, the adversary cannot decipher such values. Additionally,   and   cannot be created arbitrarily because they are based on the secret value   , which is only known by the authentic GW.
Many Logged-In Users with the Same Login-ID. By using two-factor based authentication, the proposed scheme offers higher protection than password-only schemes. Assuming that the   's smart card is not cloned, the proposed protocol successfully prevents this threat because the authentication process requires computation executed inside the valid smart card.
Brute-Force Attack. An attacker can try two kinds of brute-force attacks. (1) First, the attacker can attempt to authenticate by sending random or sequential messages (  ,   , or   ) to GW or   . However, as explained for the replay attack, this attack becomes infeasible because each authentication process uses a different timestamp. (2) On the other hand, an insider with a valid smart card can try to discover the secret values by performing brute-force attacks. However, the determination of those values is infeasible because they are stored using secure one-way hash functions. If a higher level of protection for K were required, additional random numbers   and   could be added for the generation of   = ℎ(  ‖  ‖   ) and   = ℎ(  ‖  ‖   ), respectively, which would be stored secretly in the GW. By using those additional random numbers, the number of possible combinations to decipher   and   is increased by 2^n times, where n is the size in bits of   and   .

(C) Security Verification of Other Security Requirements
Mutual Authentication. The proposed protocol provides both mutual authentication between   and GW and between GW and   .

(i) Online User Authentication. (1) The mutual authentication between   and GW is verified as follows. GW verifies the authenticity of   by comparing   sent by   with the  *  value calculated by itself.   can only be computed by the authentic   because it is based on the secret value ℎ(  ‖ ), only calculable with the valid   and   which are personal to each   . In the same way,   verifies the authenticity of GW by comparing   sent by GW with the  *  value computed by   .   can only be computed by the authentic GW because it is based on the secret value K, only known by the authentic GW. (2) On the other hand, the mutual authentication between GW and   is verified as follows.   verifies the authenticity of GW by comparing   sent by GW with the  *  value calculated by itself.   can only be computed by the authentic GW because it is based on the secret value K. In the same way, GW verifies the authenticity of   by comparing   sent by GW with the  *  value computed by GW.   can only be computed by the authentic   because it is based on the secret   value, only known by the specific   .
(ii) Password Change Phase. Our proposal offers a lightweight password change phase that does not require communication with GW, making it secure and efficient.
Session Key Establishment. Our proposal offers a simple and practical method for session key establishment among   , GW, and   .

(D) Summary of Security Features of the Proposed Solution.
Table 4 shows the comparison of security features among different works. This demonstrates how our scheme is stronger in terms of security. Our approach provides protection against different kinds of attacks (privileged-insider attack, gateway-node bypassing attack), also provides a secure password change phase and session key establishment, and achieves complete mutual authentication (mutual authentication between GW and   and between   and GW), features that previous works do not offer or offer with limitations. Table 5 indicates the number of cryptographic operations required in each protocol per entity for online user authentication. It shows that our protocol requires a few more operations in the verification phase than some previous works. However, the majority of the additional operations are executed by   or the GW infrastructure, which has no energy or computation power limitations. Therefore, the additional operations are not an impediment for real implementation. Additionally, the additional operations are justifiable considering that our scheme includes security features that previous works do not offer, which is indispensable for implementing a reliable and trustworthy network. It is important to remember that a failure at the component level will often compromise the security of the entire system [29]. Furthermore, the proposed solution provides further usability by delivering offline authentication when sensor nodes cannot communicate with the gateway node, which is really useful in different kinds of applications such as military and natural phenomenon monitoring. Table 6 shows the number of cryptographic operations required to execute the offline user authentication protocol. The permit issue sub-protocol requires 5 hash executions and 1 symmetric cryptographic operation in both   and GW. However, we believe this overhead is not an impediment for a real implementation because   and GW are powerful entities without resource limitations. On the other hand, the additional hash execution required by   in the offline user authentication sub-protocol (compared to the proposed online user authentication) is not an impediment for real implementation because it is not executed all the time but only in extraordinary situations.

Number of Messages.
Analyzing the number of messages transmitted and received by sensor nodes is considered important because it affects the energy consumption of those devices. This paper only focuses on the protocols in which the resource-limited sensor nodes participate (i.e., online and offline user authentication protocols). Table 7 shows the number of transmissions and receptions executed by different entities in the online user authentication protocols of different proposals. It illustrates how the proposed protocol maintains an equal or smaller number of messages than previous works, showing its competitiveness.
Going into the details of Table 7, the present work also presents the content of messages transmitted and received by different entities and their sizes in each solution (see Tables 8, 9, 10, 11, 12, and 13). This work has considered that the sizes of the different data inside messages, such as user identification, timestamps, hash values, and login confirmation messages, are equal, because the intention of this part is to analyze the number of data units in each protocol (analysis using more realistic data sizes is executed in Section 5.2.3). As can be seen in Tables 8-13, the most lightweight solutions in terms of message sizes in sensor nodes are those proposed by Das, Huang et al., and Chen-Shih. However, message sizes in those protocols are reduced because they omit steps required to provide mutual authentication between the gateway node and sensor nodes, opening serious vulnerabilities. Therefore, even though they offer less communication, they cannot be considered optimal solutions. On the other hand, Table 9 shows how Nyang-Lee's proposal has the highest communication overhead, requiring 4 data units for transmission and 4 data units for reception in sensor nodes. Finally, Alghathbar's proposal and the proposed solution have the same communication overhead in sensor nodes, with 2 data units in transmission and 3 data units in reception.
On the other hand, Table 14 shows the number of messages in offline user authentication. In this protocol, only one message exchange between   and   is executed, showing how efficient it is in this aspect. In the case of   , it only requires the transmission and reception of 2 and 4 data units, respectively.

Energy Consumption.
One of the most sensitive limitations of sensor nodes is their energy capacity. Therefore, it is important to analyze the energy consumption in those devices. The energy consumption of the user station and gateway node has not been analyzed because they do not suffer from this limitation. Following the fact that the battery power of a sensor node is depleted by computational processing and radio consumption [30], this paper has calculated the energy consumption overhead caused by (1) cryptographic operations and (2) radio communications in executing the proposed security mechanism.

Fragment of Table 15 recovered from the page layout (energy of cryptographic operations in mJ, MIPS R4400 / MC68328):
  [5]: 0.0027648 / 0.015744
Chen-Shih's [6]: 0.0032256 / 0.018368
Khan-Alghathbar's [7]: 0.0052992 / 0.030176
(A) Energy Consumption Overhead of Cryptographic Operations. First, for the calculation of the energy used by cryptographic operations, this paper has used the energy consumption estimates indicated in [16]. In [16], the authors estimated that the energy per bit consumed by the MIPS R4400 and MC68328 "DragonBall" processors for performing AES encryption/decryption operations is 9 nJ/bit and 101 nJ/bit, respectively, while for the SHA-1 hashing function the same processors consume 7.2 nJ/bit and 41 nJ/bit, respectively. Additionally, this work has assumed that the size of random numbers is 160 bits, the sizes of timestamps, identifications (ID of users, gateway node, and sensor nodes), and Login OK messages are 64 bits each, and the sizes of secret values such as   ,   ,   ,   are 160 bits each. Using those values, the energy consumption of cryptographic operations in each scheme was calculated (see Table 15). Here is an example of how the energy consumption of cryptographic operations was calculated: in the proposed online authentication protocol, two hash values are calculated by   , that is,  *  and   . As the input values for the generation of  *  and   are 288 bits each, the energy used in generating  *  and   will be 7.2 nJ/bit * 288 bits = 0.002074 mJ for the MIPS R4400 processor and 41 nJ/bit * 288 bits = 0.011808 mJ for the MC68328 processor. Therefore, the total energy used by the cryptographic operations in the proposed online user authentication protocol will be the sum of the energy consumed in generating  *  and   , that is, 0.0041472 mJ and 0.023616 mJ for the MIPS R4400 and MC68328 processors, respectively. Table 15 shows how the proposed solution consumes 0.00092, 0.00138, and 0.00092 mJ more than M.
Das, Huang et al., and Chen-Shih's schemes, respectively, and consumes 0.012557 and 0.001152 mJ less than Nyang-Lee and Khan-Alghathbar's schemes, respectively, when using the MIPS R4400 processor. Using the data of the table, it is also possible to deduce that the proposed solution consumes 0.002097 mJ less than the average energy consumption of the rest of the approaches, which means it has competitive energy consumption compared to the rest of the solutions. A similar conclusion can be reached with the energy consumption values when using the MC68328 microprocessor. On the other hand, this work has also calculated the energy consumption of sensor nodes in executing cryptographic operations during the offline user authentication sub-protocol (see Table 16). It shows how this approach consumes 0.001152 and 0.00656 mJ more than the online user authentication using the MIPS R4000 and MC68328 processors, respectively. However, we believe that it is not an impediment for real implementation because offline user authentication is not executed all the time but only in extraordinary situations that online user authentication cannot cover.

(B) Energy Consumption Overhead of Radio Communication.
For the calculation of the energy consumption of radio communication produced by the proposed protocols, the present work has assumed a simple model where the radio dissipates   = 50 nJ/bit to run the transmitter or receiver circuitry and   = 10 pJ/bit/m² to run the transmitter amplifier (see Table 17), similar to the model used in [31][32][33]. Additionally, for the calculation of the energy consumption, this work has used the parameters indicated in Table 17 and has assumed that the implemented hash function is SHA-1 (160-bit hash value), the sizes of random numbers are 160 bits, the sizes of timestamps, identifications (ID of users, gateway node, and sensor nodes), and Login OK messages are 64 bits each, and the sizes of secret values such as   ,   ,   ,   are 160 bits each.
Table 18 indicates the energy used by a sensor node in executing the online user authentication in different schemes.
(C) Total Energy Consumption Overhead. The total energy consumption overhead in sensor nodes can be calculated by adding the energy consumption of cryptographic operations and radio communication. Table 19 shows the total energy consumption overhead of the different schemes. It shows that the proposed solution consumes 0.008122, 0.008582, and 0.008122 mJ more than M. Das's, Huang et al.'s, and Chen-Shih's schemes, respectively, and consumes 0.03816 and 0.00595 mJ less than Nyang-Lee's and Khan-Alghathbar's schemes, respectively, when using the MIPS R4400 processor. It also illustrates how the proposed solution consumes 0.00386 mJ less than the average energy consumption of the rest of the approaches, which means it has competitive energy consumption compared to the rest of the solutions. A similar conclusion can be reached with the energy consumption of the schemes when using the MC68328 microprocessor. It is important to say that the additional energy overhead compared to other works is justifiable considering that our scheme includes security features that previous works do not offer. On the other hand, Table 20 shows the total energy consumption of authenticating sensor nodes executing the proposed offline user authentication sub-protocol. It shows that this approach consumes 0.004352 and 0.00976 mJ more than the online user authentication using the MIPS R4000 and MC68328 processors, respectively. However, we believe that it is not an impediment for real implementation because offline user authentication is not executed all the time but only in extraordinary situations that online user authentication cannot cover.

(D) Effect of Energy Consumption Overhead in the Wireless Sensor Network. Although the differences in energy consumption among the schemes are small, they cannot be neglected. Therefore, this paper has analyzed how much the energy consumption overhead of the proposed solution affects the lifetime of the sensor network. According to [16], one of the most common typical batteries in sensor nodes is the MN1500 Duracell AA with an energy potential of 15.39 kJ. Based on this data, this work calculates how long a sensor node can survive executing the proposed user authentication scheme. In this simulation, we assume that user authentication can use from 1% to 5% of the total energy, while the rest of the energy is used by other functionalities of the sensor node, such as path maintenance, data gathering, and data transmission.
Knowing that common sensor network applications are not yet intended for massive user access, this work assumes that it is acceptable to use an average of one user authentication per minute as the parameter. However, to understand how the proposed user authentication behaves under higher demand, the present paper also considers the case when the average number of user authentications per minute is five. Figure 12 shows the number of months a sensor node with the MIPS R4000 microprocessor can survive when executing 1 and 5 online user authentications per minute assuming that  executed only between the   and GW and reuse the connection between GW and   created in the previous user authentication. Figures 14 and 15 show the number of months for which a sensor node with the MIPS R4000 and MC68328 microprocessors can survive when executing 1 and 5 offline user authentications per minute, assuming that 1% to 5% of the total energy of the battery is dedicated to user authentication. They show that the survival period of a sensor node (from 11 to 448.7 months) depends on the microprocessor, the number of authentications per minute, and the percentage of total energy dedicated to user authentication. Once again, we believe this durability is adequate for a real implementation because offline user authentication is not executed all the time but only in extraordinary situations that online user authentication cannot cover.
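The energy accounting of Sections (A) to (D), as an added worked example that is not code from the paper: it reproduces the sensor node's hashing energy from the stated per-bit figures, implements the Table 17 radio model, and projects battery lifetime from the MN1500 budget. Two inputs are assumptions inferred from the differences the paper reports rather than values it states: the extra offline hash input is taken as 160 bits and the extra offline reception as 64 bits; the 30-day month in the lifetime projection is also an assumption.

```python
"""Added example, not the paper's own code: energy accounting for a sensor node
executing the proposed user authentication, using the parameters the paper
states (SHA-1 energy per bit from [16], the simple radio model of Table 17,
the MN1500 Duracell AA battery). Energies in mJ, sizes in bits, distances in m."""

# Energy per hashed bit for the two processors quoted from [16] (nJ/bit).
HASH_NJ_PER_BIT = {"MIPS R4400": 7.2, "MC68328": 41.0}
# Radio model parameters: 50 nJ/bit for the circuitry, 10 pJ/bit/m^2 for the amplifier.
E_ELEC_NJ_PER_BIT = 50.0
E_AMP_NJ_PER_BIT_M2 = 10.0 * 1e-3   # 10 pJ expressed in nJ
BATTERY_J = 15_390.0                # MN1500 Duracell AA, 15.39 kJ

# Hash input sizes (bits) processed by the sensor node. Online: two 288-bit
# inputs, as the paper states. Offline: the same two plus one extra input; its
# 160-bit size is an ASSUMPTION inferred from the stated 0.001152 mJ difference.
ONLINE_HASH_INPUTS = (288, 288)
OFFLINE_HASH_INPUTS = (288, 288, 160)
# Extra bits received by the sensor node offline (4 data units instead of 3).
# 64 bits is an ASSUMPTION inferred from the 0.004352 mJ total difference
# the paper reports for the MIPS processor.
OFFLINE_EXTRA_RX_BITS = 64


def hash_energy_mj(cpu, input_bits):
    """Energy to hash every input size in input_bits on the given processor."""
    return sum(HASH_NJ_PER_BIT[cpu] * bits for bits in input_bits) / 1e6


def radio_tx_energy_mj(bits, distance_m):
    """Transmission model of Table 17: (E_elec + E_amp * d^2) * k."""
    return (E_ELEC_NJ_PER_BIT + E_AMP_NJ_PER_BIT_M2 * distance_m ** 2) * bits / 1e6


def radio_rx_energy_mj(bits):
    """Reception model of Table 17: E_elec * k."""
    return E_ELEC_NJ_PER_BIT * bits / 1e6


def offline_minus_online_mj(cpu):
    """Extra energy of the offline sub-protocol over online authentication:
    the extra hashing plus the one extra received data unit."""
    extra_hash = (hash_energy_mj(cpu, OFFLINE_HASH_INPUTS)
                  - hash_energy_mj(cpu, ONLINE_HASH_INPUTS))
    return extra_hash + radio_rx_energy_mj(OFFLINE_EXTRA_RX_BITS)


def lifetime_months(energy_per_auth_mj, auths_per_minute, budget_fraction,
                    days_per_month=30):
    """Months the battery share reserved for authentication lasts.
    days_per_month is an assumption; the paper does not state its convention."""
    budget_mj = BATTERY_J * 1e3 * budget_fraction
    auths_per_month = auths_per_minute * 60 * 24 * days_per_month
    return budget_mj / (energy_per_auth_mj * auths_per_month)


if __name__ == "__main__":
    for cpu in HASH_NJ_PER_BIT:
        print(cpu, "online hashing:", round(hash_energy_mj(cpu, ONLINE_HASH_INPUTS), 6), "mJ")
        print(cpu, "offline minus online:", round(offline_minus_online_mj(cpu), 6), "mJ")
    # Lifetime for a constructed per-authentication cost of 0.05 mJ, 1 auth/min, 5% budget.
    print("months:", round(lifetime_months(0.05, 1, 0.05), 2))
```

With the two inferred sizes, the offline-minus-online totals come out as 0.004352 mJ and 0.00976 mJ, the figures the paper reports for Table 20.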

Conclusion
With the increase of different types of sensor network implementations, such as medical, ecology, and military operation applications, there have been many proposals which tried to provide secure user authentication schemes for them. However, even though they deliver important advances in this area, they still incorporate serious vulnerabilities and limitations. In those circumstances, this paper proposes a user authentication mechanism which considers the security, performance, and usability factors. The security is guaranteed by an intensive analysis in terms of formal verification and analysis of possible attacks. The optimization of performance is achieved by using lightweight cryptography and, in most cases, only hash functions and XOR operations; additionally, the number of messages is reduced by using timestamps instead of the challenge-response of random nonces. Finally, the usability requirements are satisfied by considering both the online and offline user authentication use cases, a feature which was not considered in previous works. In summary, this paper analyzes previous user authentication mechanisms for wireless sensor networks, identifies their vulnerabilities and limitations, and proposes a robust user authentication for wireless sensor networks that eliminates the identified security flaws and limitations. The proposed solution takes advantage of the two-factor authentication concept to provide a secure authentication system offering balanced features in terms of security, performance, and usability.
Copyright of International Journal of Distributed Sensor Networks is the property of Hindawi Publishing Corporation and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.

Figure 1: Sensor nodes isolated because of broken link between gateway and sensor nodes.

Figure 3: Sensor nodes isolated because of side vent explosion of a volcano.

Figure 14: Number of months that a sensor node can survive executing the proposed offline user authentication sub-protocol using the MIPS R4000 microprocessor.

Figure 15: Number of months that a sensor node can survive executing the proposed offline user authentication sub-protocol using the MC68328 microprocessor.
if an encryption channel was required after authentication. Additionally, if a direct communication channel between   and   was required, a bilateral session key    -  could be established through .
and Table 2).   inputs his/her   ,   , and new password   to the smart card. The smart card then calculates  *  = ℎ(  ‖   ‖   ) and verifies the validity of   and   by comparing  *  with   . If those values do not match, the password change request is rejected. Otherwise, the smart card computes 1,   } used in online and offline user authentication protocols are differentiated by   using messages' sizes. This means that   would

Table 3: Notations of BAN logic.
 |≡ : The principal  believes that  holds. In other words,  is entitled to act as though  is true.
#(): The formula  is fresh. That is,  has not been sent before in any run of the protocol.
 ⇒ : The principal  has jurisdiction over the statement . That is,  is an authority on  and can be trusted on it.
 ⊲ : The principal  sees the statement . That is, someone has sent a message to  containing , and  can read and repeat it.
 |∼ : The principal  once said the statement . That is,  sent a message containing  sometime.
(, ): The formula  or  is one part of the formula (, ).
{} : The formula  is encrypted under the key .
() : The formula  is hashed with the key , and  may be used to prove the origin of .
 ↔ : Principals  and  may use the shared key  to communicate. The key  will never be discovered by any principal except  and .
Message-meaning rule (the principal P believes that the principal Q once said the statement X): ←→ ,  ⊲ ()   |≡  |∼  .
[28] random numbers, sequence numbers, and timestamps, the most common being random numbers (nonces) and timestamps. This work has used the timestamp method because it is always more efficient in terms of the number of communication rounds compared to the nonce-based counterpart [28]. In the proposed solution,   transmits his/her pseudo-password   = ℎ(  ) ⊕   instead of   . Therefore, GW will never know the   value. This means that only   will know his/her secret password, protecting   in this way from a privileged-insider attack. Additionally, a random value   is incorporated inside   to make the discovery of   harder.

Stolen-Verifier Attack. One of the features of the proposed protocol is the absence of a password/verifier table in GW and   . This feature protects our solution from stolen-verifier attacks. In the proposed scheme, secret values are never sent in plaintext but protected by a one-way hash function or symmetric cryptography algorithm. Therefore, even if the adversary obtained   ,   ,   ,   ,   ,   , or   , he or she could not guess any secret value (i.e.,   ,   ,   , or K) because of the secure properties of the hash and symmetric cryptography algorithms.
Offline or Gateway-Less User Authentication/Permit Issue Subprotocol. The mutual authentication between   and GW is verified as follows. GW verifies the authenticity of   by comparing   sent by   with the  *  value calculated by itself.   can only be computed by the authentic   because it is based on the secret value ℎ(  ‖ ), only calculable with the valid   and   which are personal to each   . On the other hand,   verifies the authenticity of GW by comparing   sent in plaintext by GW with the   value contained inside   .   can only be computed by the authentic GW because it is based on the secret value K, only known by GW.

(iii) Offline or Gateway-Less User Authentication/User Authentication Subprotocol. The mutual authentication between   and   is verified as follows.   verifies the authenticity of   by comparing   sent by   with the  *  value calculated by itself.   can only be computed by the authentic   because it is based on the secret value   ⊕   , only calculable by the authentic   . On the other hand,   verifies the authenticity of   by comparing   sent by   with the  *  value calculated by   .   can only be computed by the authentic   because it is based on the secret value   , only known by   .

Table 5: Number of cryptographic operations in online user authentication.

Table 6: Number of cryptographic operations in offline user authentication.

Table 7: Number of transmissions and receptions in online user authentication.

Table 15: Energy consumption of cryptographic operations executing different online user authentication protocols.

Table 16: Energy consumption of cryptographic operations executing the proposed offline user authentication sub-protocol.

Table 17: Radio communication parameters.
Transmission energy model:     = (  +   *  ²) * 
Reception energy model:     =   * 

Table 19: Total energy consumption overhead of authenticating sensor nodes executing different online user authentication protocols.

Table 20: Total energy consumption overhead of authenticating sensor nodes executing the proposed offline user authentication sub-protocol.
Figure 12: Number of months that a sensor node can survive executing the proposed online user authentication protocol using the MIPS R4000 microprocessor.

Figure 13: Number of months that a sensor node can survive executing the proposed online user authentication protocol using the MC68328 microprocessor.