A New User Authentication Protocol for Wireless Sensor Networks Using Elliptic Curves Cryptography

User authentication in wireless sensor networks (WSNs) is a critical security issue due to their unattended and hostile deployment in the field. Since sensor nodes are equipped with limited computing power, storage, and communication modules, authenticating remote users in such resource-constrained environments is a paramount security concern. To overcome the weaknesses of Yeh et al.'s protocol, we proposed a new authentication protocol for wireless sensor networks using elliptic curves cryptography. The comparisons show that our protocol is more suitable for WSNs.


Introduction
Wireless sensor networks (WSNs) are becoming more and more popular in everyday life as they offer economically viable, real-time monitoring solutions. These wireless sensors can be quickly and easily deployed in hostile environments, and WSNs are now widely used in a variety of real-time applications, such as vehicular tracking, habitat monitoring, environment control, military surveillance, healthcare monitoring, wildlife monitoring, and traffic monitoring. One recent survey declared that, in the near future, WSNs will become an intelligent and integral part of daily lives [1].
A WSN consists of a discrete group of independent, low cost, and low power nodes with limited memory and computation power. They communicate wirelessly over limited frequency and low bandwidth [1]. More specifically, sensor nodes collectively monitor the area and sense substantial amounts of data, which are transmitted to the base station traversing some nodes via RF signals and routing schemes.
A key requirement for WSN is user authentication [2,3]. The client devices (remote wireless sensor nodes) need to be authenticated before being allowed to join the WSN and have access to the WSN's resources. To date, most user authentication methods have focused on protocol implementations in the network and link layers. It should be noted that, in order to limit power consumption by sensor nodes and to overcome limitations in computation capacity, user authentication in a WSN is typically done in dedicated gateway node (GW node) [1].
In 2004, Sastry and Wagner [4] proposed a security enhancement using access control lists (ACLs) in the GW node. In Sastry and Wagner's protocol, an ACL would be maintained besides the client's identity and the arranging of the nearest sensor node. Watro et al. [5] proposed a user authentication protocol employing RSA and Diffie-Hellman algorithms, but this protocol is open to hostile attack by a user masquerading as a sensor node. Wong et al. [6] proposed a dynamic user authentication protocol using hash function. Das [7] and Tseng et al. [8] demonstrated that both Watro's and Wong's user authentication methods were vulnerable to stolen-verifier, replay, and forgery attacks. To improve the security, Das [7] proposed a two-factor user authentication protocol. In 2007, Tseng et al. [8] show that Wong's protocol was vulnerable to stolen passwords. Tseng et al. also proposed an enhanced user authentication protocol to improve overcome the weakness. However, Khan and Alghathbar [9,10] show that Das' protocol did not provide mutual authentication between gateway node and sensor node and was vulnerable to gateway node bypassing attack and privileged-insider attack. Chen and Shih [11] also demonstrated that Das' protocol did not provide mutual authentication between gateway node and sensor node. Chen and Shih [11] also proposed a more secure and robust two-factor user authentication in WSNs. Unfortunately, Yeh et al. [12] found that Chen and Shih's protocol failed to provide a secure method for updating user passwords and was vulnerable to the insider attack problem. To improve the performance and the security, Yeh et al. [12] proposed the first user authentication protocol for WSNs using the elliptic curve cryptography (ECC). ECC was first proposed by Miller [13] and Koblitz [14], and its security was based upon the difficulty of elliptic curve discrete logarithm problem. Compared with the other cryptography, ECC offers a better performance because it can achieve the same security with a smaller key size. For example, 160-bit ECC and 1024-bit RSA have the same security level in practice [15]. Thus, ECC-based authentication schemes are very suitable for WSNs.
Unfortunately, Han [16] found that the Yeh et al. protocol had the following weaknesses: (1) no mutual authentication between the user and the sensor node, (2) no perfect forward secrecy, and (3) no key agreement between the user and the sensor node. To overcome the weaknesses of Yeh et al. 's protocol, we propose a new ECC-based user authentication protocol for WSNs.
The remainder of this paper is organized as follows. In Section 2, we propose our ECC-based authentication protocol for WSNs. The security analysis of the proposed protocol is presented in Section 3. In Section 4, performance analysis is presented. Conclusions are given in Section 5.

The Proposed Protocol
To solve the weakness of Yeh et al. 's scheme, we propose a new ECC-based user authentication protocol for WSNs. Thus, before issuing a query to a sensor node, each user must register with the gateway in a secure manner so that they can access the real-time sensors' data. Upon the successful user registration request, the gateway node personalizes a smart card for every registered user. Then, a user can submit his query in an authentic way and access the sensor network data at any time within an administratively configurable period [6].
In order to execute the proposed framework, we considered that the gateway is a trusted node and it holds two master keys ( and ), which are sufficiently large for the sensor network. Before starting the system, it is assumed that the gateway and the sensor nodes share a long-term common secret key, that is, SK = ℎ( || ) using any key agreement protocol. For example, Watro et al. [17] demonstrated that, with the careful design, D-H key agreement protocol [18] can be easily deployed on most constrained devices. Here, ℎ(⋅) is a collision-free one-way hash function (i.e., SHA-1), which has an output length of 160 bits [19] and is used throughout this paper.
It is assumed that some identical secure symmetric cryptosystems are publicly available and stored in the gateway and the sensor node. As a result only the users registered with the gateway have access privileges to the sensors, which share a long-term secret with the gateway. The framework is divided into four phases, namely, user registration phase, login phase, authentication phase, and password update phase. For convenience, the notations used throughout this paper are summarized as follows: , : two large prime numbers; : a finite field; : an elliptic curve defined on finite field with large order; : the group of elliptic curve points on ; ECDLP: the discrete logarithm problem, that is, given ∈ to compute ∈ * such that = ; ECCDHP: the computational Diffie-Hellman problem, that is, given , ∈ to compute .

Registration Phase.
In this phase, user has to submit an identity, ID , and a password, pw , to the GW node in a secured way. Then, the GW node issues a license to . The detailed steps are depicted as follows.
(1) chooses his identity ID and password pw , generates a random number , and computes pw = ℎ(pw ⊕ ). Then, sends ID and pw to the GW node.
(3) After receiving the smart card, the user inputs into it and finishes the registration.

Login Phase.
When enters an ID and a pw in order to deliver some query to or access data from the WSN, the smart card must perform the following steps to validate the legitimacy of . Figure 1 shows both the login phase and the authentication phase.
• sk = ℎ( ‖ ‖ ); • Check (1) User inserts his smart card into the terminal and enters his identity ID and password pw . (1) checks whether − ≤ Δ holds, where Δ is the legal time interval for transmission delay. If the answer is yes, the validity of can be assured, and proceeds to the next step. If no, the rejects the request.
After receiving the message 2 at time , GW node performs the following actions.
(1) GW node checks whether − ≤ Δ and − ≤ Δ hold, where Δ is the legal time interval for transmission delay. If the answer is yes, the validity of and can be assured, and GW node proceeds to the next step. If no, GW node rejects the request. After receiving the message 3 at time , performs the following actions to authenticate and GW node.
(1) checks whether − ≤ Δ holds, where Δ is the legal time interval for transmission delay. If the answer is yes, the validity of can be assured, and proceeds to the next step. If no, rejects the request. After receiving the message 4 at time , the smart card performs the following actions to authenticate .
(1) The smart card checks whether − ≤ Δ holds, where Δ is the legal time interval for transmission delay. If the answer is yes, the validity of can be assured, and the smart card proceeds to the next step. If no, the smart card rejects the request.

Password Update
Phase. The password update phase is invoked whenever user wants to update his old password pw . The password update phase is described below.
(1) User inserts his smart card into the terminal and enters his identity ID , the old password pw , and the new password pw .

Security Analysis
In this section, we will discuss the security of our protocol as follows.
Mutual Authentication. Our scheme provides mutual authentication, where all entities (i.e., user, gateway, and sensor nodes) are mutually authenticating each other. More specifically, when the GW node receives the message 2 = {ID , , , , ID , , , }, it can make sure that the user message 1 = {ID , , , } is included in the sensor node message 2 . When the sensor node receives message Replay Attacks. Our scheme is resistant to replay attacks, because the authenticity of messages 1 , 2 , 3 , and 4 is validated by checking the freshness of four timestamps. Let us assume an intruder intercepts a login request message 1 = {ID , , , } and attempts to access the sensor node by replaying the same message 1 . The verification of this login attempt fails since the time difference expires (i.e., − > Δ ). Similarly, if an intruder intercepts a valid message 2 = {ID , , , , ID , , , } and attempts to replay it to the GW node, the verification request will fail at the GW node because the time difference expires again (i.e., − > Δ ). Thus, our protocol is secure against replaying of messages.
User Impersonation Attacks. An attacker cannot impersonate the user. Suppose an attacker forges a login message 1 = {ID , , , }. Now, he will again try to login into the system with the modified message {ID , * , , * }. However, the attacker cannot forge * without knowing = ℎ(ID || )× or the master key since he will be faced with ECDLP. Therefore, it is not possible to impersonate the user.
Sensor Impersonation Attacks. As long as an attacker does not know the secret key SK , he cannot generate a legal message Gateway Impersonation Attacks. As long as an attacker does not possess the secret key SK , he cannot impersonate the gateway and cannot cheat the sensor node. Hence, it frustrates attackers to generate the valid message 4 to the sensor node. Therefore, it is not possible to impersonate the gateway.
Man-in-the-Middle Attack. Man-in-the-middle attack means that an active attacker intercepts the communication line between a legal user and the server and uses some means to successfully masquerade as both the server to the user and the user to the server. Then, the user will believe that he is talking to the intended server and vice versa. From the above discussion we know that our protocol can provide mutual authentication, and then the "man-in-the-middle" attack can be resisted.

Stolen-Verifier
Attacks. An attacker who steals the password verifier (e.g., hashed passwords) from the gateway can use the stolen verifier to impersonate a legal user to login to the system. The proposed scheme is free from the stolen verifier attack. There is no such information stored at the server, by which an adversary can make a fabricated login request to impersonate a legal user to login the server or can impersonate the gateway to cheat the legal user and the sensor node. Insider Attacks. It is possible in a real-time environment, when the gateway manager or system administrator can use the user password pw (e.g., weak password), to impersonate the user through any other network gateways. In this case, our scheme does not give any room for privileged insiders, since, in the registration phase, the user is passing pw = ℎ(pw ⊕ ) instead of the plain password. Thus, the insider of the GW node cannot get pw easily. Here, is a sufficiently high entropy number, which is not revealed to the GW node. Furthermore, the proposed scheme does not store any verifier table and can resist the insider attacks.
Perfect Forward Secrecy. A protocol is said to be perfect forward secrecy if compromise of the three private keys of the participating entities does not affect the security of the previous session keys. Two aspects are related to this notion, that is, perfect forward secrecy (p-FS) and master key perfect forward secrecy. p-FS means that the compromise of both user's and sensor node's long-term private keys would not affect the secrecy of the previously established session keys.
Master key p-FS is satisfied if the session key secrecy still holds even when the server's master key is compromised. Our protocol satisfies both p-FS and master key p-FS by using sk = ℎ( || || × ) or sk = ℎ( || || × ) as the shared secret. If user's private keys or gateway's master key is compromised, the adversary cannot compute or from and since he has to solve the ECCDHP, thus satisfying both p-FS and master key p-FS.

Performance Comparison
For the convenience of evaluating the computational cost, we define some notations as follows.   Table 1, we summarize the performance results of the proposed protocol. In Table 1, we know that the user, the sensor node, and the gateway require 3 mul + 5 ℎ , 2 mul + 3 ℎ , and 1 mul + 4 ℎ , separately. From the theoretical analysis [20] and the experimental result [21,22], we know that the relative computation cost of generating a random number point and executing a map-to-point hash function is about 1/2 times that of the scalar multiplication.
Besides, the computation costs of mul are considerably higher than add and ℎ . Then, the computational costs of the user, the sensor node, and the gateway in Yeh et al. 's protocol are about 3 mul , 3 mul , and 3 mul , separately. The computational costs of the user, the sensor node, and the gateway in our protocol are about 3 mul , 2 mul , and 1 mul , separately. Then our protocol has better performance at the sensor node side and the gateway side. Moreover, Yeh et al. 's protocol cannot provide (1) mutual authentication between the user and the sensor node, (2) perfect forward secrecy, and (3) key agreement between the user and the sensor node, and then our protocol enhances the security at the cost of increasing user's computation cost slightly.

Conclusions
This paper provides a new ECC-based user authentication protocol for WSNs. The proposed protocol performs more efficiently in terms of computation cost, communication cost, and security. Compared with the protocol of Yeh et al., the proposed protocol in this paper can prevent general security issues and provide mutual authentication to protect inside security and outside security. Therefore, the proposed protocol is more suited to WSNs environments.