Cryptanalysis and Security Improvement of Two Authentication Schemes for Healthcare Systems Using Wireless Medical Sensor Networks

Wireless medical sensor networks (WMSNs) play an important role in collecting healthcare data from remote patients and transmitting them to the medical professional for proper diagnosis over a wireless channel. To protect the patient's healthcare data, which is privacy-related and sensitive, several authentication schemes for healthcare systems using WMSN have been proposed to ensure secure communication between the medical sensors and the medical professional. Since cryptanalyzing the security defects of authentication protocols is crucial for putting forward solutions and proposing truly robust protocols, we scrutinize two state-of-the-art authentication protocols using WMSN for healthcare systems. Firstly, we examine Ali et al.'s enhanced three-factor authentication protocol and show that, although it comes with a formal proof and a security verification, it still fails to resist offline dictionary guessing attack, desynchronization attack, and privileged insider attack, and contains a serious flaw in the password change phase. Secondly, we investigate Shuai et al.'s lightweight three-factor authentication protocol and point out that it cannot achieve the high security level they claimed; it is actually subject to offline dictionary guessing attack and privileged insider attack, and it also has a design flaw in the password change phase. In addition, we suggest several countermeasures to thwart these security weaknesses in these two schemes for WMSN and in similar ones.


Introduction
The Internet of Things (IoT), which enables a variety of things to connect to each other via the Internet or wireless communication by employing data-collecting devices such as sensors and radio frequency identification (RFID), has a wide range of applications [1,2]. As an indispensable part of IoT, wireless sensor networks (WSNs) can collect data from specific objects and share them with human beings; thus, WSN is widely applied in many application scenarios, such as healthcare services [3,4], environment monitoring [5], and habitat monitoring [6]. A wireless medical sensor network (WMSN) is a popular application of WSN for healthcare systems, in which wearable sensors gather the patient's physiological information, such as blood pressure, body temperature, and heart rate, and send it to the medical professionals for diagnosis or further treatment [7]. It is obvious that WMSN not only monitors the patient in real time but also saves time and money and improves the efficiency of the medical professional. Generally, a typical WMSN includes three entities: a gateway node, sensor nodes, and the medical professional. The gateway node (GWN) has powerful computation and communication capabilities and plays the role of a communication bridge between the sensors and the medical professionals. The sensor nodes, resource-constrained in computation and communication capabilities, are implanted in or installed on the patient's body to gather the physiological information and transmit it to distant medical professionals with the help of GWN. However, the physiological information of the patient is sensitive, and it is transmitted over an insecure wireless channel. If an attacker intercepts and modifies these physiological data, the doctor may make a wrong diagnosis.
Although some measures have been developed to protect the security of WSN at the link layer and network layer in IEEE 802.15.4 by IETF [8,9], it is still necessary to design a robust authentication mechanism at the application layer to protect the sensitive sensed data from unauthorized access. That is to say, the identity legitimacy of the medical professional should be verified before the sensor data are accessed. In addition, the sensor node to be accessed should be authenticated, given the criticality and sensitivity of the data sensed from the patient. In particular, a session key should be negotiated between the medical professional and the sensor node to secure the real-time access.
Over the years, a series of authentication protocols have been proposed for WMSN to protect the transmitted data against unauthorized access by an attacker or a malicious user. We briefly review the previous schemes related to WMSN. Because of the limited computation and communication capabilities of wearable sensors, WMSN authentication schemes are concerned with efficiency and adopt lightweight cryptographic operations on the premise of ensuring security. In 2012, Kumar et al. [10] presented an efficient remote user authentication protocol named E-SAP for healthcare applications in the WMSN environment and claimed that their scheme is secure against various known attacks. However, He et al. [11] showed that Kumar et al.'s scheme suffers from offline password guessing attack and privileged insider attack, and also fails to provide user anonymity. In addition, they suggested a robust and efficient anonymous authentication protocol for patient monitoring using WMSN. Unfortunately, both Wu et al. [12] and Li et al. [13] indicated that the protocol in [11] is still vulnerable to several security weaknesses, such as denial of service attack, lack of a wrong password detection mechanism, user impersonation attack, sensor node capture attack, and offline password guessing attack. As a remedy, each of them also gave an enhanced protocol. However, Das et al. [14] observed that Li et al.'s scheme [13] is unable to withstand sensor node capture attack and privileged insider attack and lacks user anonymity. Further, they contributed an efficient and secure authentication protocol for WMSN. In the same year, Srinivas et al. [15] showed that Wu et al.'s scheme [12] is subject to insider attack, user impersonation attack, and stolen smartcard attack. To thwart these security defects, they devised an efficient authentication scheme using lightweight operations for WMSN. But Wu et al. [16] pointed out that the scheme in [15] is unsuitable for practical deployment owing to security weaknesses such as offline password guessing attack, and they introduced a lightweight two-factor authentication scheme for healthcare systems using WMSN to fix these drawbacks.
In 2016, Amin et al. [17] proposed a two-factor anonymous patient monitoring system using hash functions in WMSN. The purpose of the scheme in [17] is to design a robust and efficient user authentication protocol so as to provide secure data access in WMSN. However, Jiang et al. [18] claimed that the scheme in [17] fails to resist stolen mobile device attack and desynchronization attack and also suffers from sensor key exposure. Afterwards, they devised an enhanced protocol. In addition, the protocol in [17] was deemed vulnerable to user impersonation attack, offline password guessing attack, known session-specific temporary information attack, revelation of secret parameters, and identity guessing attack by Ali et al. [19], who then proposed an enhanced three-factor authentication protocol to overcome these vulnerabilities. Although Jiang et al. [18] adopted the fuzzy verifier technique and asserted that their protocol achieves admirable security properties, we find that their scheme is susceptible to privileged insider attack, denial of service attack, and known session-specific temporary information attack.
Since elliptic curve cryptography (ECC) can achieve the same security level as conventional public-key algorithms (e.g., RSA) with faster computation and a smaller key size, many authentication protocols for WMSN have been developed on ECC in recent years to enhance their security. In 2016, Hayajneh et al. [20] proposed an authentication protocol for remote patient monitoring based on the Rabin algorithm and used Tmote Sky motes to demonstrate its efficiency. In the same year, Liu and Chung [21] devised a remote user authentication scheme on bilinear pairings to facilitate security and privacy protection in wireless healthcare sensor networks and asserted that their scheme can resist various known attacks. But Challa et al. [22] claimed that the protocol in [20] is susceptible to stolen smartcard attack, offline password guessing attack, privileged insider attack, user impersonation attack, and even fails to provide proper mutual authentication. To improve efficiency and security, they introduced a three-factor authentication protocol using lightweight ECC point multiplications with a formal proof. In 2019, to ensure secure communication and privacy preservation, Xie et al. [23] proposed an efficient certificateless authentication scheme named CasCP with batch authentication for wireless body area networks. In the same year, Li et al. [2] considered that the protocol in [17] is vulnerable to denial of service (DoS) attack and cannot provide forward secrecy, and proposed an ECC-based three-factor authentication protocol using fuzzy commitment and fuzzy verifier techniques to enhance the security of [17].
More recently, Ali et al. [19] analyzed the protocol in [17], showed that it suffers from offline password guessing attack, user impersonation attack, and revelation of secret parameters, and introduced a new three-factor protocol to resist various attacks. In this work, in contrast to their assertions, we examine Ali et al.'s protocol and point out that their scheme is still vulnerable to offline dictionary guessing attack, desynchronization attack, and privileged insider attack and has a flaw in the password change phase. In addition, Shuai et al. [24] in 2019 proposed a lightweight three-factor authentication scheme for patient monitoring using on-body wireless networks, employing a one-time hash chain technique and a pseudonym identity method to improve its security. An on-body wireless network is essentially a WMSN: in both, the sensors installed on the patient collect physiological data and transmit them to the doctor or health professional through GWN for further processing. However, in this paper, we show that Shuai et al.'s scheme [24] suffers from three security drawbacks, namely, offline dictionary guessing attack, privileged insider attack, and a flaw in the password change phase.
As two case studies, our analysis shows that a number of WMSN authentication protocols for healthcare systems and the similar kinds are not secure under some provable security models. Furthermore, our cryptanalysis of the two schemes highlights that it is important to pay attention to potential threats when proposing a new authentication protocol.
In brief, our main contributions are summarized as follows.
(1) First, we cryptanalyze Ali et al.'s protocol [19] and reveal that it cannot withstand offline dictionary guessing attack and desynchronization attack and contains a serious flaw in the password change phase.
(2) Second, we cryptanalyze Shuai et al.'s protocol [24] and show that their scheme is vulnerable to offline dictionary guessing attack, as is [19], and to privileged insider attack. In addition, we point out a design flaw in the password change phase of their scheme.
(3) Third, we put forward some effective countermeasures to amend these two schemes and similar authentication protocols with the same defects.
The remainder of this work is organized as follows: In Section 2, we review Ali et al.'s protocol and show its security weaknesses. Shuai et al.'s protocol is reviewed and cryptanalyzed in Section 3. Section 4 puts forward several countermeasures to fix the discovered threats. Finally, the conclusion is drawn in Section 5.

Cryptanalysis on Ali et al.'s Protocol
In this section, we briefly review and cryptanalyze Ali et al.'s protocol [19], a lightweight three-factor authentication protocol for healthcare monitoring in the WMSN environment. Their scheme consists of five phases: system setup, user registration, login, authentication, and password change. To facilitate the description, we list the notations in Table 1; they are used throughout this work.

Review of Ali et al.'s Scheme
Firstly, the administrator SA selects identity SID j for each sensor node and computes , where X G and Y G are secret keys of GWN. Afterwards, SA stores {X GS , K j } in the memory of the sensor node S j .

User Registration.
If the user wants to access the sensor, he must register in the gateway node first.
stores it in the smartcard.

Login
(1) U i inserts his smartcard, inputs ID i , PW i and imprints BIO i , and then the smartcard computes where M i is a random nonce and T 1 is the current timestamp.

Authentication
with key h(X GS || K j ) and verifies the freshness of T 3 . If not, S j aborts the session. Otherwise, GWN computes Otherwise, U i rejects the session.

Password Change.
This phase is performed if U i wants to change his password.
(1) U i inserts smartcard and keys ID i , PW i , and imprints BIO i , and then the smartcard computes If it fails, smartcard aborts the session. Otherwise, the procedure continues.
(2) U i inputs his new password PW new i , and the smartcard computes RPW new

Cryptanalysis of Ali et al.'s Protocol.
Although Ali et al.'s protocol [19] is equipped with a formal security proof to show that their scheme can withstand various known attacks, it still suffers from some security defects. In this subsection, we prove that their protocol cannot resist offline dictionary guessing attack, desynchronization attack, and privileged insider attack and has a flaw in the password change phase, although they tried to fix the security drawbacks of Amin et al.'s scheme. Since it is crucial to describe the capabilities of the adversary when designing a robust authentication protocol in the WSN environment, we summarize the adversary model as follows [19,25-27].
(1) The attacker can intercept, delete, modify, and insert the messages exchanged between the communicating parties over the public channel.
(2) The attacker cannot guess the secret key and the random numbers, since they are assumed to be sufficiently large.
(3) The attacker can offline enumerate user-memorable identities and low-entropy passwords in polynomial time simultaneously.
(4) As far as the privileged insider attack is concerned, a privileged insider of GWN acting as the attacker can learn the information submitted by the user during the registration phase of the authentication protocol.
(5) When considering whether a multifactor authentication protocol provides truly multifactor security (i.e., an n-factor protocol remains secure even if n-1 factors are compromised), it is reasonable to suppose that (i) the attacker can somehow obtain the lost/stolen smartcard and retrieve the secret information from it by side-channel attack [28,29], and (ii) the attacker can collect the biometrics of the user through a malicious device without the victim's awareness.

Offline Dictionary Guessing Attack.
It is widely recognized that password-based authentication schemes are prone to password guessing attacks [30-32], both online and offline, since users tend to choose passwords that are easy to remember. Online password guessing can be detected relatively easily by checking whether the number of login attempts exceeds a threshold. In contrast, during an offline guessing attack the attacker does not need to communicate with the other parties at all, and thus offline password guessing is not easily prevented. Ali et al. claimed that their scheme can withstand not only password guessing attack but also identity guessing attack. Unfortunately, we show that this claim does not hold. According to the aforementioned adversary model, we assume that the user's lost/stolen smartcard is obtained by the attacker and that the user's biometrics are collected by the attacker without the owner's awareness; the attacker can then launch offline password guessing and offline identity guessing simultaneously according to item (3) of the adversary model, which we call an offline dictionary guessing attack. The offline dictionary guessing attack, by which the attacker obtains the user's identity and password, proceeds as follows.
Step 1: the attacker extracts the secret data {A i , D i , DID i , H(), h(), R n } from the smartcard by using the methods reported in [28].
Step 2: the attacker selects a candidate pair (ID * i , PW * i ) from D ID and D PW , where D ID denotes the identity space and D PW denotes the password space.
Step 3: the attacker computes r
Step 4: the attacker checks whether the extracted D i
Step 5: if it holds, the attacker has found the right pair (ID i , PW i ). Otherwise, the attacker repeats Steps 2-4 until the right pair (ID i , PW i ) is found.
Security and Communication Networks
For ease of use, Ali et al.'s scheme [19], like previous schemes [12,17,18], provides a password update phase, allowing users to select their own ID and password and to change them. Generally, users like to choose easy-to-remember identities and passwords, which are often of low entropy. Thus, it makes sense for the attacker to perform the offline dictionary guessing attack by enumerating pairs (ID i , PW i ) in polynomial time. Let |D ID | and |D PW | denote the sizes of D ID and D PW , respectively. In addition, let T h and T H be the execution times of the hash function h() and the bio-hash function H(), respectively. The time complexity of the above attack procedure is O(|D ID | * |D PW | * 4T h * 2T H ). Since T h and T H are bounded, it is clear that the time required by the attacker to carry out the above attack is linear in |D ID | * |D PW |. As reported in [33,34], both the identity space D ID and the password space D PW are rather limited in practice (e.g., |D ID | ≤ |D PW | ≤ 10^6 [33,34]), and thus it is possible for the attacker to guess (ID i , PW i ) within polynomial time. Wang and Wang [35] even pointed out that the time spent on the above guessing attack can be reduced to the level of seconds on an ordinary computer. Therefore, Ali et al.'s protocol [19] is vulnerable to offline dictionary guessing attack.
Based on the aforementioned attack, after the attacker has obtained the user's identity and password, he can impersonate the user to log onto GWN with the smartcard and the collected biometrics. In this regard, Ali et al.'s protocol suffers from user impersonation attack.

Desynchronization Attack.
To achieve the security features of user anonymity and user untraceability, Ali et al.'s protocol [19] makes use of a synchronous update mechanism; that is, GWN updates the dynamic identity DID i and C i synchronously with U i via message {M 9 , M 10 }. In this way, the attacker cannot trace a particular user by eavesdropping on messages over the public channel. However, we point out that the attacker can break this synchronous mechanism by blocking the last message {M 9 , M 10 }, causing the user's next login to GWN to fail. Such an attack is illustrated as follows. In Step 7 of the authentication phase, after updating {DID n i , C n i } in the database, GWN sends message {M 9 , M 10 }, which conveys (SK || C n i || DID n i ) to U i , where DID n i is a new dynamic identity. Upon receiving the message, U i generates the session key and replaces {DID i , C i } with {DID n i , C n i }. If the malicious attacker blocks this message at the end of the authentication process, the parameters {DID i , C i } in the user's smartcard remain unchanged while {DID i , C i } on the GWN side have already been updated; that is, the attacker has broken the dynamic identity synchronization between GWN and the user merely by blocking a message. As a result, the medical professional can no longer log onto GWN to access data from the sensor on the patient.

Privileged Insider Attack.
According to item (4) of the adversary model, a privileged insider of GWN acting as the attacker learns the information submitted by U i during the registration phase. Using it, he can recover the session key with the following procedure.
Step 1: he eavesdrops on the messages {M 1 , M 4 , M 5 , M 6 } and {M 9 , M 10 } from the public channel.
Step 2: then, he decrypts M 9 using the decryption key h(RPW i || F i ) to obtain N i and V i .
Step 3: further, he acquires M i by computing
Step 4: finally, with the known parameters h(RPW i || F i ), M i , N i , V i , the attacker can compute the session key
Therefore, Ali et al.'s scheme suffers from privileged insider attack.

Flaw in Password Change Phase.
In Ali et al.'s protocol, a password change phase allows users to freely change their password locally. However, our scrutiny reveals that their password change phase has a fatal flaw which prevents the user from logging onto GWN afterwards. In their scheme, before changing the password, the user is asked to input his identity and old password and to imprint his biometrics. If the identity legitimacy of the user is verified by the smartcard, the user is allowed to enter a new password to replace the old one. Then, the smartcard computes

Cryptanalysis on Shuai et al.'s Protocol
In this section, we review and cryptanalyze Shuai et al.'s protocol [24], proposed in 2019, which is an anonymous authentication scheme for remote patient monitoring. To achieve some desirable security attributes, their scheme employs a pseudonym identity method to preserve user anonymity and adopts a one-time hash chain technique to achieve forward secrecy. A serial number technique is also used to resist desynchronization attack. Furthermore, they conduct an informal security analysis to show that their scheme is secure against various attacks. However, in the following subsections, we show that their scheme is susceptible to offline dictionary guessing attack; that is, their protocol fails to provide truly three-factor security. We also show that their protocol is susceptible to privileged insider attack.

Review of Shuai et al.'s Scheme.
We concisely review Shuai et al.'s scheme. Their protocol consists of an initialization phase, a registration phase, a login phase, an authentication and key agreement phase, and a password change phase.

Initialization Phase.
The RA performs this phase offline. RA chooses two random numbers ID g and K as the identity and master secret key of GWN, respectively. Next, RA chooses a collision-resistant cryptographic hash function h() for all communication participants. Finally, RA chooses a unique identity SID j for each wearable sensor node S j and stores SID j in S j 's memory.

Registration Phase.
This phase consists of two parts, namely, the user registration phase and the wearable sensor node registration phase.
(1) User registration
(i) U i → RA: {ID i , A i }
The user U i inputs his ID i and PW i and imprints his biometrics BIO i to the mobile device MD. Thereafter, MD computes Gen where Gen is a probabilistic generation procedure, R i is a secret random key, P i is an auxiliary string, and a i is a random secret value generated by U i .
and checks whether C * i equals the stored C i . If it is false, MD aborts the session. Otherwise, MD chooses a random nonce R 1 and the current timestamp

Authentication and Key Agreement Phase
(1) On receiving the login request, GWN checks the freshness of timestamp T 1 . If not, GWN rejects the request. Otherwise, the subsequent operations of GWN are divided into three cases.
, and checks whether V * i = V i holds. If not, GWN aborts the session. Otherwise, GWN chooses a new pseudonym identity MID * i0 and sets If not, GWN aborts this session. Otherwise, GWN generates a new random pseudonym identity MID * i0 and sets Thereafter, GWN updates K GS and NC k0 with K GS = h(K GS || SID j ) and NC k0 = NC k0 + 1, respectively.
Upon receiving the message from GWN, S j checks whether 1 ≤ NC k0 − NC k ≤ N holds, where N is a threshold. If it is false, S j aborts the session. Otherwise, after setting K * GS = K GS , S j computes K * GS = h(K * GS || SID j ) N − 1 times. If N = 1, S j does not execute the above hash operation. Then, S j computes Then, S j generates a random number R 3 and computes SK
If it is false, U i aborts the session. Otherwise, U i computes V 5 = h(ID i || ID g || SID j || MID i0 || SK) and sets K GU = h(K GU ) and MID i = MID i0 . After that, U i sends {V 5 } to GWN.
If it is false, GWN aborts the session. Otherwise, GWN sets K GU = h(K GU ) and MID i1 = NULL and believes that U i has shared a session key with S j .

Password Change Phase.
U i inputs ID i and PW i and imprints BIO i to the mobile device MD. Then, MD computes , and compares C * i with the stored C i . If it is false, MD rejects the password change request. Otherwise, MD allows U i to input a new password PW new i and computes

Cryptanalysis on Shuai et al.'s Scheme.
Despite being armed with three factors and a formal security proof, Shuai et al.'s protocol [24] suffers from offline dictionary guessing attack and privileged insider attack and contains a serious design flaw in the password change phase.

Offline Dictionary Guessing Attack.
Suppose the attacker has obtained the lost/stolen mobile device and extracted the secret data {MID i , B i , C i , D i , K GU , P i } from it; meanwhile, he has collected the biometrics BIO i of the medical professional via a malicious terminal. The attacker can then mount an offline dictionary guessing attack as follows.
Step 1: computes R * i = Rep(BIO i , P i );
Step 2: chooses a pair (ID * i , PW * i ) from the dictionary spaces D ID and D PW , respectively;
Step 3: computes , where D i and B i are from the mobile device;
Step 4: verifies the correctness of the (ID * i , PW * i ) pair by checking whether the computed C * i equals the stored C i . If it holds, the attacker has found the correct (ID * i , PW * i ). Otherwise, the attacker repeats Steps 2-4 until C * i = C i .
It is clear that the time complexity of the above attack is O(|D ID | * |D PW | * 3T h ), where T h is the execution time of the hash function. As analyzed in Section 2.2.1, such an attack is quite efficient.

Privileged Insider Attack.
Assume that a privileged insider of RA is the attacker; it is easy for him to learn the registration information {ID i , A i } during the user registration phase. Moreover, he can also learn {ID i , MID i0 , MID i1 , b i , K GU } from the user information table and the registration reply message {MID i1 , B i , C i , K GU } on the RA side and mount a privileged insider attack. Similar attacks have been discussed in [14,36-38]. Using this information, the attacker can reveal the session key with the following procedure.

With the session key, the attacker can decrypt all the messages between the user and the sensor. In this way, the patient's sensitive physiological information is exposed to the attacker. Therefore, Shuai et al.'s scheme fails to resist privileged insider attack.

Flaw in Password Change Phase.
For ease of use, Shuai et al.'s scheme also provides a password change phase for U i to change his password locally without contacting the RA. Unfortunately, similar to Ali et al.'s scheme, there is a serious flaw in their password change phase which prevents users who change their password from being able to log onto GWN again. Before allowing the user to change the password, MD verifies his legitimacy based on the identity ID i , password PW i , and biometric information BIO i provided by the user. If the user is legitimate, MD allows U i to input his new password PW new i . However, this password change phase only updates B i and C i stored on the mobile device according to the new password and does not update D i , which is used to recover the secret random number a i of U i during the login phase. Hence, the user would have to either write the secret random number a i down on paper, memorize it, or update D i with the new password himself.
Thus, if he intends to recover a i by computing it with the new password, the recovered value is incorrect, causing the recomputed value (... || R * i ) and the stored one not to be equal. As a result, the user who has changed his password will be rejected by MD when he intends to log onto GWN again. What is worse, the user can no longer change the password in the future, because MD also needs to verify the legitimacy of the user by recovering the user's secret random number a i before changing his password.

Countermeasures
In order to address the security weaknesses in Ali et al.'s protocol and Shuai et al.'s protocol, we provide several possible countermeasures in this section.

Countermeasures to Offline Dictionary Guessing Attack.
Our previous analysis shows that neither Ali et al.'s scheme nor Shuai et al.'s scheme can provide truly three-factor security; that is, the attacker can launch an offline dictionary guessing attack to acquire the user's identity and password if he somehow obtains the user's smartcard (or mobile device) and biometrics. The root cause of this attack is that the password verifier D i = h(RPW i || R g || F i ) of Ali et al.'s protocol and the password verifier C i = h(h(ID i || K || b i ) || A i ) of Shuai et al.'s protocol are stored in the smartcard (mobile device). Consequently, if the smartcard is obtained by the attacker, he can use the stored password verifier as an offline oracle to test each candidate (ID i , PW i ) pair.
To thwart this security weakness without a radical redesign while keeping usability, a feasible countermeasure is to utilize the "fuzzy verifier" technique [25]. In the following, taking Ali et al.'s protocol as a case study to show how to integrate a fuzzy verifier, we revise the password verifier D i as D i = h(h(RPW i || R g || F i ) mod n) during the user registration phase, where the modulus n is chosen relative to the size of the (ID i , PW i ) space. If the attacker has obtained the user's smartcard and biometrics, he picks a pair (ID * i , PW * i ) from D ID and D PW to perform the offline dictionary guessing attack described in Section 2.2.1. However, it is hard for the attacker to find the correct pair (ID i , PW i ), since there are (|D ID | * |D PW |)/n ≈ 2^32 candidate (ID i , PW i ) pairs (suppose n = 2^8 and |D ID | = |D PW | = 10^6 [25,33]). Someone may question whether the attacker could simply pick an incorrect pair (ID i , PW i ) that nevertheless satisfies the verifier check. The probability of such an event is 1/2^8. Moreover, if the user is asked to enter the old/new password twice, and the hash function h() behaves as a random oracle, the probability is greatly reduced to (1/2^8)^2 = 1/2^16 [25,33,34]. Therefore, a fuzzy verifier that leaves adequately many candidates can effectively prevent the attacker from mounting the offline dictionary guessing attack successfully. In addition, the effectiveness of the fuzzy verifier technique has been discussed and verified in Section V-B of [24], and interested readers can refer to it for more information.
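The offline dictionary guessing attack of Section 2.2.1 (Steps 2-5) and the fuzzy verifier countermeasure above differ only in what value the smartcard stores. The following Python program, added here as an illustration and not part of this paper or of Ali et al.'s scheme, instantiates both verifiers with assumed derivations (RPW i = h(ID i || PW i ), F i = H(BIO i ) with H modelled by the same hash, and a constructed salt R g ) and counts, over a constructed 100 x 100 dictionary, how many (ID, PW) candidates each stored verifier accepts; the counting loop is the attack procedure run by the defender as a leakage measurement.

```python
import hashlib

# Added illustration (not Ali et al.'s code). Assumed derivations, labelled here:
#   RPW_i = h(ID_i || PW_i)      password-derived value (assumption)
#   F_i   = H(BIO_i)             bio-hash, modelled with the same hash (assumption)
#   R_g   = salt stored on the smartcard (constructed)
# Plain verifier (as stored in the scheme):  D_i = h(RPW_i || R_g || F_i)
# Fuzzy verifier (countermeasure):           D_i = h(h(RPW_i || R_g || F_i) mod n)


def h(*parts: bytes) -> bytes:
    """Stand-in for the hash function h(): SHA-256 over the '||'-joined parts."""
    return hashlib.sha256(b"||".join(parts)).digest()


def inner_value(id_i: bytes, pw_i: bytes, bio_i: bytes, r_g: bytes) -> bytes:
    """h(RPW_i || R_g || F_i), the value both verifiers are built from."""
    rpw_i = h(id_i, pw_i)
    f_i = h(bio_i)
    return h(rpw_i, r_g, f_i)


def plain_verifier(id_i: bytes, pw_i: bytes, bio_i: bytes, r_g: bytes) -> bytes:
    """Original design: the full hash is stored, so it uniquely identifies (ID, PW)."""
    return inner_value(id_i, pw_i, bio_i, r_g)


def fuzzy_verifier(id_i: bytes, pw_i: bytes, bio_i: bytes, r_g: bytes, n: int) -> bytes:
    """Countermeasure: only (hash mod n) is fixed by the stored value, so about
    |D_ID|*|D_PW|/n candidate pairs are indistinguishable offline."""
    residue = int.from_bytes(inner_value(id_i, pw_i, bio_i, r_g), "big") % n
    return h(residue.to_bytes(8, "big"))


def surviving_candidates(stored, verifier, bio_i, r_g, id_space, pw_space, **params):
    """Steps 2-5 of the guessing procedure, used as a leakage measurement:
    how many dictionary pairs does the value on the card accept?"""
    return sum(
        1
        for cand_id in id_space
        for cand_pw in pw_space
        if verifier(cand_id, cand_pw, bio_i, r_g, **params) == stored
    )


def compare_verifiers(n: int = 2**8, side: int = 100):
    """Return (plain survivors, fuzzy survivors) for a constructed dictionary."""
    id_space = [f"user{k}".encode() for k in range(side)]   # constructed D_ID
    pw_space = [f"pass{k}".encode() for k in range(side)]   # constructed D_PW
    bio_i = b"constructed-biometric-template"
    r_g = b"constructed-salt-R_g"
    true_id, true_pw = id_space[42], pw_space[17]           # the real (ID_i, PW_i)

    d_plain = plain_verifier(true_id, true_pw, bio_i, r_g)
    d_fuzzy = fuzzy_verifier(true_id, true_pw, bio_i, r_g, n)

    plain_hits = surviving_candidates(d_plain, plain_verifier, bio_i, r_g, id_space, pw_space)
    fuzzy_hits = surviving_candidates(d_fuzzy, fuzzy_verifier, bio_i, r_g, id_space, pw_space, n=n)
    return plain_hits, fuzzy_hits


if __name__ == "__main__":
    plain, fuzzy = compare_verifiers()
    print(f"plain verifier accepts {plain} pair(s); fuzzy verifier (n = 2^8) accepts {fuzzy}")
```

With the plain verifier exactly one candidate survives, so the stolen card is a perfect offline oracle; with n = 2^8 roughly |D ID | * |D PW |/n candidates survive (about 40 of the 10,000 constructed pairs), and they can only be told apart by online login attempts, which GWN can count and throttle. The price is a 1/n chance that the smartcard locally accepts a wrong password, which the double-entry rule discussed above reduces to 1/n^2.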

Countermeasures to Desynchronization Attack.
Our analysis above shows that if the attacker blocks message {M 9 , M 10 } from the GWN to the user to break the consistency of the authentication process, the authenticated parameters {DID n i , C n i } become different between GWN and the user U i , which means U i can no longer log onto GWN. To cope with such an attack, an effective countermeasure is to avoid updating the user's dynamic identity DID i simultaneously on both sides. That is, during the authentication phase, GWN chooses a new dynamic identity DID n i for U i but does not need to save it to the database. After decrypting M 9 , U i conceals DID n i with the new random number M i and other information generated in each login, stores it in the smartcard, and restores DID n i on the next login. If message {M 9 , M 10 } is blocked, on the one hand, the attacker cannot obtain the new DID n i because M 9 is encrypted; on the other hand, U i does not update DID i in the smartcard since he has not received {M 9 , M 10 }. When U i logs onto GWN next time, GWN can still recover M i with the stored DID i instead of DID n i . In this way, although the attacker attempts to break the synchronization, he will not succeed, because the user's dynamic identity is not stored at GWN, and GWN performs the subsequent procedure regardless of whether {M 9 , M 10 } was blocked. Hence, the desynchronization attack is thwarted effectively. It is worth noting that we only give the main idea of the measure, not a complete scheme, because the detailed solution requires a longer paper. In addition, their user registration phase and password change phase also need to be revised correspondingly; we omit them due to space constraints.

Countermeasures to Privileged Insider Attack
Our aforementioned analysis shows that both schemes suffer from the privileged insider attack. The root cause is that, to improve computational efficiency, they derive the session key from lightweight operations on hash functions and random numbers only, so the leakage of a small amount of secret data easily leads to the leakage of further secret data. To thwart this attack, public-key operations such as modular exponentiation or elliptic curve point multiplication should be adopted in their schemes [31]. Regarding the GWN and sensor side as the server side and the user as the client side, at least two modular exponentiations (or point multiplications) have to be performed on the server side according to [31]. Taking Ali et al.'s scheme as an example and using elliptic curve point multiplication, the main idea for overcoming the privileged insider attack in the login and authentication phase, without a radical redesign, is sketched as follows.
Step 1: after generating the random nonce $M_i$ in the login phase, $U_i$ computes $W_1 = M_i P$ and sends the message containing $W_1$ to GWN, where $P$ is a generator of the elliptic curve group over a finite field.
Step 2: since GWN does not participate in negotiating the session key, GWN forwards the message containing $W_1$ to $S_j$ once the user's identity has been verified.
Step 3: once GWN has been authenticated, the sensor $S_j$ selects a random number $V_i$, calculates $W_2 = V_i P$, and computes the session key $SK = h(h(RPW_i \| F_i) \| W_1 \| W_2 \| V_i W_1) = h(h(RPW_i \| F_i) \| M_i P \| V_i P \| V_i M_i P)$. Afterwards, $S_j$ sends a message containing $W_2$ to $U_i$ via GWN.
Step 4: once the legitimacy of GWN and $S_j$ has been ensured, $U_i$ computes the session key $SK = h(h(RPW_i \| F_i) \| W_1 \| W_2 \| M_i W_2)$, which equals the value computed by $S_j$ because $M_i W_2 = M_i V_i P$.

If the attacker eavesdrops $W_1$ and $W_2$ on the public channel and intends to recover $M_i$ and $V_i$ from them, this is infeasible because he has to solve the elliptic curve discrete logarithm problem [2]; if he instead intends to compute $M_i V_i P$ from $W_1$ and $W_2$, this is likewise infeasible because of the hardness of the elliptic curve computational Diffie-Hellman problem [2]. In particular, a privileged insider who learns $h(RPW_i \| F_i)$ still cannot derive $SK$, since the term $M_i V_i P$ is available to neither him nor GWN.
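Steps 1 to 4 can be run end to end. The following is an added example and not code from Ali et al. or from this paper: it performs the exchange on secp256k1 with a small pure-Python double-and-add, derives $SK = h(h(RPW_i \| F_i) \| W_1 \| W_2 \| V_i M_i P)$ on both sides, and contrasts it with a constructed hash-only session key in which the nonces are merely masked by hashes of the shared secret, the root cause named above. It assumes that $h(\cdot)$ is SHA-256, that both $U_i$ and $S_j$ hold $u = h(RPW_i \| F_i)$, and that the privileged insider knows $u$ and sees the whole transcript; the hash-only masking is a generic model, not Ali et al.'s exact messages.

```python
import hashlib
import secrets

# Added example, not code from Ali et al. or from this paper: the ECDH-style
# session key of Steps 1-4 on secp256k1 (pure Python, double-and-add), beside a
# constructed hash-only session key that models the root cause named in the text.
# Assumptions: h() is SHA-256; both U_i and S_j hold u = h(RPW_i || F_i); the
# "privileged insider" knows u and sees every message on the channel. The
# hash-only masking below is a generic model, not Ali et al.'s exact messages.

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_p, generator G of prime order N_ORDER
P_MOD = 2**256 - 2**32 - 977
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD    # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, point):
    """Scalar multiplication k*point by double-and-add."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def enc(point):
    return point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")

def session_key(u, w1, w2, dh):
    """SK = h( h(RPW_i || F_i) || W_1 || W_2 || V_i M_i P ) as in Steps 3 and 4."""
    return h(u, enc(w1), enc(w2), enc(dh))

def ecdh_run(u, m_i, v_i):
    """Steps 1-4: returns (SK at U_i, SK at S_j, W_1, W_2)."""
    w1 = ec_mul(m_i, G)                                     # Step 1: W_1 = M_i P
    w2 = ec_mul(v_i, G)                                     # Step 3: W_2 = V_i P
    sk_sensor = session_key(u, w1, w2, ec_mul(v_i, w1))     # Step 3: V_i W_1
    sk_user = session_key(u, w1, w2, ec_mul(m_i, w2))       # Step 4: M_i W_2
    return sk_user, sk_sensor, w1, w2

def insider_guess_ecdh(u, w1, w2):
    """What the insider can compute from u and the transcript without any scalar:
    W_1 + W_2 = (M_i + V_i)P, which is not V_i M_i P (obtaining that is ECCDH)."""
    return session_key(u, w1, w2, ec_add(w1, w2))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hash_only_run(u, m_i, v_i):
    """Constructed hash-only model: 32-byte nonces masked with hashes of u,
    SK = h(u || M_i || V_i). Returns (SK, masked M_i, masked V_i)."""
    c1 = xor(m_i, h(u, b"1"))
    c2 = xor(v_i, h(u, b"2"))
    return h(u, m_i, v_i), c1, c2

def insider_break_hash_only(u, c1, c2):
    """An insider who learned u unmasks both nonces and rebuilds SK."""
    return h(u, xor(c1, h(u, b"1")), xor(c2, h(u, b"2")))

if __name__ == "__main__":
    u = h(b"RPW_i (constructed)", b"F_i (constructed)")
    m_i, v_i = secrets.randbelow(N_ORDER - 1) + 1, secrets.randbelow(N_ORDER - 1) + 1
    sk_u, sk_s, w1, w2 = ecdh_run(u, m_i, v_i)
    print("ECDH: both sides agree:", sk_u == sk_s,
          "| insider guess correct:", insider_guess_ecdh(u, w1, w2) == sk_s)
    sk, c1, c2 = hash_only_run(u, secrets.token_bytes(32), secrets.token_bytes(32))
    print("hash-only: insider recovers SK:", insider_break_hash_only(u, c1, c2) == sk)
```

In the hash-only model, knowing the single long-term value $u$ is enough to unmask both nonces and recompute $SK$ from the transcript; in the ECDH variant the same insider holds $u$, $W_1$ and $W_2$ but is missing $M_i V_i P$, which is exactly the computational Diffie-Hellman instance. The curve arithmetic here is unhardened textbook code for illustration only; production code should use a vetted library with constant-time scalar multiplication.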

Countermeasures to Flaw in Password Change Phase
As analyzed above, both Ali et al.'s scheme and Shuai et al.'s scheme contain serious flaws in their password change phases, which leave the user unable to log onto GWN again after changing his password. The reason is that neither password change phase is designed to recover the secret random number needed for login. Thus, the countermeasures to fix these design flaws are obvious, and we describe them as follows.

Conclusion
In the past few years, many three-factor authentication protocols have been proposed for WMSN and similar environments, but most of them suffer, to a greater or lesser degree, from inherent security defects. In this paper, we briefly review and cryptanalyze two quite recent and typical authentication protocols with key agreement, presented by Ali et al. and Shuai et al., respectively. Firstly, we point out that although Ali et al. tried to overcome the security defects of the previous scheme and provided a security proof with BAN logic and a simulation under AVISPA, their protocol is still vulnerable to offline dictionary guessing attack, desynchronization attack, and privileged insider attack, and even contains a serious design flaw in the password change phase. Secondly, we demonstrate that Shuai et al.'s protocol is likewise insecure against offline dictionary guessing attack and privileged insider attack and has a design flaw in the password change phase. Thereafter, we put forward some possible countermeasures to eliminate these security weaknesses. Note that the assumption made in this paper, that an attacker can simultaneously obtain both the secret information on the smartcard (mobile device) and the biometrics of the user, is a strong one, but it still cannot be ignored, since security is one of the most important factors to consider in designing a protocol. Without this assumption, the attacker faces a higher time complexity when carrying out offline ID and password dictionary attacks on the two protocols. Our efforts highlight that it is important to be aware of potential security risks in designing authentication protocols for WMSN and similar environments. This also indicates the necessity of our work.

Conflicts of Interest
The authors declare no conflicts of interest regarding the publication of this paper.
Security and Communication Networks 9