An Efficient and Provable Multifactor Mutual Authentication Protocol for Multigateway Wireless Sensor Networks

As the most popular communication technology at the moment, wireless sensor networks have attracted wide attention from academia and industry and play an important role in military, agriculture, medicine, and other fields. Identity authentication offers the first line of defence for secure communication in wireless sensor networks. Since the sensor nodes are resource-limited in the wireless networks, how to design an efficient and secure protocol is extremely significant. The current authentication protocols have the problem that the sensor nodes incur heavy computation and communication costs during the authentication process and cannot resist node capture attack, and the protocols also cannot provide perfect forward and backward security and cannot resist replay attack. Multifactor identity authentication protocols can provide a higher level of security than single-factor and two-factor identity authentication protocols. The multigateway wireless sensor network structure can provide a larger communication coverage area than the single-gateway network structure, so it has become the focus of recent studies. Therefore, we design a novel multifactor authentication protocol for multigateway wireless sensor networks, which applies only the lightweight hash function and the given biometric information to achieve a higher level of security and efficiency and a larger communication coverage area. We separately apply BAN logic, random oracle model, and AVISPA tool to validate the security of our authentication protocol in Case 1 and Case 2. We put forward sixteen evaluation criteria to comprehensively evaluate our authentication protocol. Compared with the related authentication protocols, our authentication protocol is able to achieve higher security and efficiency.

the security of the wireless network works to a higher level [6,7]. At present, most research focuses on identity authentication technology for a single gateway, while only a few people are engaged in identity authentication technology for the multigateway structure [8]. We can apply multiple gateway nodes to extend the communication coverage area and increase scalability [9]. However, the current multigateway authentication technology has some disadvantages such as high computational complexity and heavy storage consumption and is vulnerable to various attacks. Therefore, for the sake of eliminating the security flaws and increasing the computation efficiency, we design a novel lightweight mutual authentication protocol for the multiple gateway nodes networks.

Network Model.
As shown in Figure 1, case 1 involves three communication entities, that is, sensor nodes, home/foreign gateway node, and user. The sensor node and user should complete registration at the gateway node. After registration, the user delivers the login request to the gateway node. The gateway node authenticates and is in charge of transmitting authentication information between the user and the sensor node. After completing the authentication process, the registered user is able to obtain the information gathered by the sensors under the negotiated session key.
As shown in Figure 2, case 2 involves four communication entities, that is, sensor nodes, home gateway node, foreign gateway node, and user. In addition to completing the authentication of case 1, it is also necessary to achieve the authentication between the home gateway node and the foreign gateway node.

Related Works.
Gope and Hwang [10] proposed an efficient and secure authentication scheme and claimed that their scheme is able to preserve the user anonymity for roaming services in global mobility networks by using the one-way hash function operation. Xu et al. [11] discovered that the scheme of Gope and Hwang is vulnerable to replay attacks and has a heavy storage cost. Similarly, Lu et al. [3] also pointed out that the scheme of Gope and Hwang is susceptible to specific known information attack, and the password alteration section is inaccurate. Fan et al. [12] found that the scheme of Gope and Hwang is vulnerable to offline guessing attack and the desynchronization attack and does not retain robust forward security. Then, they proposed a novel efficient mutual and key agreement scheme with desynchronization for anonymous roaming service in global mobility networks. However, Mohit and Narendra [13] reviewed the scheme of Wu and showed that the scheme has the problem of the traceability of the mobile user and inefficient wrong password detection.
In order to preserve security and privacy and reduce communication and computation costs, Das et al. [14] proposed a biometric-based authentication protocol for the Industrial Internet of Things. Unfortunately, Hussain and Chaudhry [15] discovered that the protocol of Das et al. is unable to prevent the assailant from obtaining the public parameters kept in the smart device and fails to resist session key attack and achieve perfect forward secrecy. So, against offline password guessing attack and user impersonation attack, Amin et al. [16] demonstrated a secure three-factor mutual authentication protocol, and this protocol lengthens the lifetime of the network by decreasing the cost of sensor nodes. Later, Sharif et al. [17] claimed that the protocol of Amin et al. cannot resist strong replay attacks and cannot realize perfect forward secrecy. However, Wu et al. [18] pointed out that both of the two protocols [14,17] suffer from offline guessing attack.
To overcome user and sensor node impersonation attacks, He et al. [19] introduced a novel mutual authentication design based on the temporal credential for wireless sensor networks. Afterwards, Kumari et al. [20] demonstrated that there are seven security problems in the design of He et al. Jiang et al. [21] revealed that the design of He et al. is prone to malicious user impersonation attack, stolen smart card attack, and tracking attack in the authentication process and proposed an untraceable and secure two-factor authentication design based on elliptic curve cryptography for wireless sensor networks. After analyzing the design of Jiang et al., Xiong et al. [22] concluded that the design has no detection mechanism for unauthorized login and has a clock synchronization problem and introduced a three-factor anonymous authentication design for wireless sensor networks by applying the fuzzy commitment to deal with biometric information.
For the purpose of withstanding the node capture attack, impersonation attack, and man-in-the-middle attack, Das [23] then put forward an original biometric-based mutual authentication design for wireless sensor networks. In the same year, Lu et al. [24] found that the design of Das does not really implement the three-factor security and user anonymity and is unable to resist user impersonation attack. Li et al. [25] pointed out that the design of Ruhul et al. [26] is vulnerable to DoS attack and lacks forward secrecy. In view of previous studies, Li introduced a three-factor mutual authentication design with forward secrecy for wireless medical sensor networks, which settles the contradiction of local password verification and mobile device lost attack via fuzzy verifier and honey_list technology. Nevertheless, Mo and Chen [27] discovered that the protocol of Xiong et al. [22] is vulnerable to stolen smart card attack and divulges the biometric information. Mo and Chen [27] pointed out that the protocol of Lu et al. [24] is prone to known session-specific temporary information attack and cannot realize three-factor security and backward secrecy. Mo and Chen [27] found that the protocol of Li et al. [25] is susceptible to replay attack.

Organization.
The remainder of the paper is organized as follows. In part 2, we discuss the preliminaries. In part 3, we present our proposed mutual authentication protocol. In part 4, we show formal analysis of our proposed mutual authentication protocol through three methods, that is, BAN logic, random oracle model, and AVISPA. In part 5, we demonstrate informal analysis of our proposed mutual authentication protocol through sixteen security authentication protocol evaluation criteria. In part 6, we compare our proposed mutual authentication protocol with other related authentication protocols in terms of security, computation time, and communication cost. Finally, we come to a conclusion in part 7.

Preliminaries
This part presents the preliminaries in our designed mutual authentication protocol involving biometric fuzzy extractor, threat model, and protocol evaluation criteria.

Biometric Fuzzy Extractor.
To protect the given biometric information $BIO_i$ from various noises in the process of information acquisition, this paper introduces the biometric fuzzy extractor. There are two functions in the biometric fuzzy extractor [28,36]: the GEN function and the REP function. The concrete representations of the two functions are as follows:
(1) $GEN(BIO_i) = (\sigma_i, \tau_i)$. GEN is a probabilistic generation function that separates out the secret string $\sigma_i$ and an auxiliary string $\tau_i$ from the given biometric information $BIO_i$.
(2) $REP(BIO_i, \tau_i) = \sigma_i$. REP is a deterministic function that recovers the secret string $\sigma_i$ from the given biometric information $BIO_i$ with the assistance of the auxiliary string $\tau_i$.
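The GEN/REP pair described above, as an added example that is not code from the paper: the paper does not give a construction, so this sketch assumes the standard code-offset construction with a 5-fold repetition code and SHA-256 standing in for the extractor. The parameter sizes, function names and sample bit strings are constructed for illustration.

```python
import hashlib
import secrets

R = 5                 # repetition factor (assumed): tolerates 2 flipped bits per block
K_BITS = 32           # length of the random seed in bits (toy size, assumed)
N_BITS = K_BITS * R   # length of the biometric bit string this sketch accepts


def encode(k_bits):
    """Repetition code: repeat every seed bit R times."""
    return [b for b in k_bits for _ in range(R)]


def decode(c_bits):
    """Majority vote inside each block of R bits."""
    return [1 if sum(c_bits[i:i + R]) > R // 2 else 0
            for i in range(0, len(c_bits), R)]


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def extract(k_bits):
    """Derive the secret string sigma from the seed (SHA-256 is an assumption)."""
    return hashlib.sha256(bytes(k_bits)).hexdigest()


def check(bits):
    if len(bits) != N_BITS or any(b not in (0, 1) for b in bits):
        raise ValueError(f"expected {N_BITS} bits, each 0 or 1")


def gen(bio_bits):
    """GEN(BIO) = (sigma, tau): probabilistic, run once at enrolment."""
    check(bio_bits)
    k = [secrets.randbits(1) for _ in range(K_BITS)]   # fresh randomness per call
    tau = xor_bits(bio_bits, encode(k))                # auxiliary (helper) string
    return extract(k), tau


def rep(bio_bits, tau):
    """REP(BIO', tau) = sigma: deterministic, tolerant of a noisy reading."""
    check(bio_bits)
    check(tau)
    # BIO' xor tau = codeword xor noise; majority voting removes the noise
    # as long as no block of R bits has more than R // 2 flipped bits.
    return extract(decode(xor_bits(bio_bits, tau)))


def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (simulated noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def demo():
    # Constructed enrolment reading, not real biometric data.
    enrolled = [(i * i + i // 3) % 2 for i in range(N_BITS)]
    sigma, tau = gen(enrolled)
    noisy = flip(enrolled, [0, 1, 7, 40, 41, 159])   # at most 2 flips per block
    too_noisy = flip(enrolled, [0, 1, 2])            # 3 flips in the first block
    return {
        "noisy_reading_recovers_sigma": rep(noisy, tau) == sigma,
        "too_noisy_reading_recovers_sigma": rep(too_noisy, tau) == sigma,
    }


if __name__ == "__main__":
    print(demo())
```

The repetition code is used here only because it keeps the error-correction step readable; the noise tolerance of REP is exactly the correction capacity of whatever code is chosen.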

Threat Model.
The threat model presents the possibilities of an assailant obtaining information about the authentication protocol without authorization and the assailant's capacity for potential destruction. Before evaluating the security authentication protocol, we assume that the assailant has the following abilities in the authentication process:
(1) The assailant is able to revise, intercept, delete, and transmit the communication information on the public network channel [38,39]
(2) The assailant is able to obtain the parameters kept in the smart card via power analysis attack [40], in case the smart card is stolen or lost
(3) The assailant is able to carry out the online and offline password guessing attack [35]
(4) The assailant is able to implement the impersonation attack [4]

Protocol Evaluation Criteria.
Since the information is interacted on the public network channel, the assailant is able to intercept and manipulate the interactive information [41,44].
To guarantee the security of the interactive information on the public network channel, we design a mutual authentication and session key agreement protocol among the communication parties for the multiple gateway nodes networks. From four aspects of users, gateway nodes, sensor nodes, and communication protocol itself, we define the following sixteen security authentication protocol evaluation criteria: (1) Session key security (2)

The Proposed Protocol
In this part, we will demonstrate our three-factor remote user authentication and key agreement protocol in the wireless sensor network environment with multiple gateways. Our protocol is related to five sections, which are initialization section, registration section, login section, authentication and key agreement section, and password change section.

Registration Section.
The registration section is divided into two parts, namely, sensor node registration and user registration.
3.2.1. Sensor Node Registration.
A1: in the light of the received information $ID_{SNj}$, $SNX_j$ in the initialization section, $SN_j$ calculates $MSN_j = SNX_j \oplus h(ID_{SNj})$ and dispatches the information $ID_{SNj}$, $MSN_j$ to $GWN_H$.
A2: after obtaining the information sent by the SN, HGWN computes $SNX_j = MSN_j \oplus h(ID_{SNj})$, preserves the information $ID_{SNj}$, $MSN_j$, and replies to the sensor node with a confirmation message.

User Registration
A1: $U_i$ picks the essential parameters, identity $ID_i$, password $PW_i$, and two stochastic digits $r_i$ and $r_p$ and After the calculation, $U_i$ delivers $UID_i$ and $UPW_i$ to HGWN as the registration request.
A2: after getting the registration request, HGWN generates a stochastic digit $r_{GWNh}$ and computes $GUID_i$ tion with its own privacy parameters. HGWN loads $GE_i$ and $GF_i$ into the smart card and transmits the smart card to $U_i$.
A3: after reception of the smart card, $U_i$ imprints his or her unique biometric $BIO_{Ui}$ on the sensor device specific terminal and further counts $GEN(BIO_{Ui}) = (\sigma_{Ui}, \tau_{Ui})$,

3.3. Login Section.
A1: $U_i$ inserts smart card and inputs his or her identity $ID_i$, password $PW_i$, and biometric $BIO_{Ui}$.
A2: and confirms the correctness of the formula $USC_3^* = USC_3$.
A3: if it is not right, smart card suspends the session promptly. Otherwise, smart card picks stochastic identity $SCN_i$, stochastic digit $r_{SCn}$, and time stamp $T_{sc}$ and counts $SCG_1$

Authentication and Key Agreement Section. On the basis of UID
‖ $ID_{SNj}$) and confirms the correctness of the formula $SCG_4^* = SCG_4$. If it is not right, $GWN_H$ terminates the session promptly. Otherwise, $GWN_H$ finds whether $ID_{SNj}$ is in the information about the sensor node it preserves. If it is in the information, execute case 1 as shown in Figure 3; if it is not, execute case 2 as shown in Figure 4.
and confirms the correctness of the formula $HSN_4^* = HSN_4$. A3: if it is not right, $SN_j$ ends the session promptly. Otherwise, $SN_j$ selects stochastic digit $r_{SNj}$ and calculates upon receiving the information $(SHN_1, SHN_2, T_{snj})$ at time $T_{gwnh1}$, $GWN_H$ computes the freshness of the information by the formula

Security and Communication Networks 5
A7: if it is not right, $U_i$ suspends the session promptly.
sensor node it preserves. If it is in the information, $GWN_F$ finds $SNX_j$ based on $ID_{SNj}$. Next, $GWN_F$ finds and computes FHN 1 3 . $GWN_H$ finds the private key $K_{FH}$ between them according to identity $ID_{GWNf}$ of $GWN_F$ and computes Then, $U_i$ picks the stochastic digit $r_{ui}$ and time stamp $T_{ui}$ and counts
A5: upon receiving the information $(SCF_5, SCF_6, SCF_7, T_{ui})$ at time $T_{gwnf}$, $GWN_F$ computes the freshness of the information by the formula and confirms the correctness of the formula $SCF_7^* = SCF_7$.
A6: if it is not right, $GWN_F$ terminates the session promptly. Otherwise, $GWN_F$ generates stochastic digit $r_{GWNf}$ and computes calculates the freshness of the information by the formula $|T_{snj} - T_{gwnf}| \le \Delta T$. If it is not right, $SN_j$ ends the session promptly. Otherwise, $SN_j$ calculates and confirms the correctness of the formula and confirms the correctness of

Password and Biometric Change Section
A1: $U_i$ inserts smart card and inputs his or her identity $ID_i$, password $PW_i$, and biometric $BIO_{Ui}$. A2: smart card counts REP($BIO_{Ui}$,

Formal Security Analysis of Protocol
In this section, we separately apply BAN logic and AVISPA tool to validate the security of our proposed authentication and key agreement protocol in case 1 and case 2.

BAN Logic (Case 1).
In this section, we will validate our proposed authentication protocol by applying the BAN logic in case 1.
BAN logic notations are as follows:
(1) $z \mid\equiv \beta$: z trusts the realness in β
(2) $z \lhd \beta$: z obtains or sees information β
(3) $z \mid\sim \beta$: z sent or said information β
(4) $z \mid\Rightarrow \beta$: z has jurisdiction over β
(5) $\#(\beta)$: β is fresh
(6) $z \stackrel{SK}{\longleftrightarrow} \beta$: SK is the private session key between z and β
(7) $(\beta)_{SK}$: β is encrypted with the private session key SK
BAN logic postulate rules:
PR1: Message-meaning rule: $(z \mid\equiv \beta \stackrel{SK}{\longleftrightarrow} z,\ z \lhd$
PR5: Belief rule: $(z \mid\equiv \beta \mid\equiv (M, P)) / z \mid\equiv \beta \mid\equiv M$
Security goals are as follows:
Rational assumptions are as follows:
The idealized form of the information is as follows: $(HSN_1, HSN_2, HSN_3, HSN_4, T_{gwnh})$
In view of Inf1, we obtain the following:
In view of F1, RA1, and PR1, we obtain the following: F2:
The equivalent form of F2 is the following:
In view of F3, RA2, PR4, and PR2, we obtain the following:
In view of F4 and PR5, we obtain the following:
In view of Inf2, we obtain the following: F6: $SN_j \lhd (HSN_1, HSN_2, HSN_3, HSN_4, T_{gwnh})_{SNX_j}$
In view of F6, RA3, and PR1, we obtain the following: F7: $SN_j \mid\equiv GWN_h \mid\sim (HSN_1, HSN_2, HSN_3, HSN_4, T_{gwnh})$
The equivalent form of F7 is the following:
In view of F8, RA4, PR4, and PR2, we obtain the following:
In view of F9 and PR5, we obtain the following: F10:
In view of Inf3, we obtain the following: F11: $GWN_h \lhd (SHN_1, SHN_2, T_{snj})_{r_{SNj}}$
In view of F11, RA5, and PR1, we obtain the following:
The equivalent form of F12 is the following:
In view of F13, RA6, PR4, and PR2, we obtain the following:
In view of F14 and PR5, we obtain the following:
In view of F15, we obtain the following:
In view of F16, RA7, and PR3, we obtain the following:
In view of Inf4, we obtain the following: F18:
In view of F18, RA8, and PR1, we obtain the following:
In view of F20, RA9, PR4, and PR2, we obtain the following: F20:
In view of F20 and PR5, we obtain the following:
In view of F21, we obtain the following:
In view of F22, RA10, and PR3, we obtain the following:
In view of F10 and F15, we obtain the following:
In view of F24, RA11, and PR3, we obtain the following:
In view of F5 and F21, we obtain the following:
In view of F26, RA12, and PR3, we obtain the following:

AVISPA Tool (Case 1).
In this section, we will validate our proposed authentication protocol by applying the AVISPA tool in case 1. In AVISPA tool, four validation models are supported: OFMC, ATSE, SATMC, and TA4SP. The security of our designed authentication protocol is simulated by applying the HLPSL (High Level Protocol Specifications Language). Figures 5 and 6 present the result of the simulation by applying the OFMC and ATSE.

BAN Logic (Case 2).
In this section, we will validate our proposed authentication protocol by applying the BAN logic in case 2.
Rational assumptions are as follows:
The idealized form of the information is as follows: $(FSN_1, FSN_2, FSN_3, FSN_4$
In view of Inf1, we obtain the following: F1: $GWN_f \lhd (SCF_5, SCF_6, SCF_7, T_{ui})_{UID_i}$
In view of F1, RA1, and PR1, we obtain the following: F2: $GWN_f \mid\equiv U_i \mid\sim (SCF_5, SCF_6, SCF_7, T_{ui})$
The equivalent form of F2 is the following:
In view of F3, RA2, PR4, and PR2, we obtain the following:
In view of F4 and PR5, we obtain the following:
In view of Inf2, we obtain the following: F6: $SN_j \lhd (FSN_1, FSN_2, FSN_3, FSN_4, T_{gwnf})_{r_{GWNf}}$
In view of F6, RA3, and PR1, we obtain the following:
The equivalent form of F7 is the following:
In view of F8, RA4, PR4, and PR2, we obtain the following:
In view of F9 and PR5, we obtain the following: F10: $SN_j \mid\equiv GWN_f \mid\equiv (UID_i, r_{ui}, r_{GWNf})$
In view of Inf3, we obtain the following: F11: $GWN_f \lhd (SFN_2, SFN_3, T_{snj})_{SFN_1}$
In view of F11, RA5, and PR1, we obtain the following:
The equivalent form of F12 is the following: F13: $GWN_f \mid\equiv SN_j \mid\sim (r_{SNj}, r_{GWNf}, r_{ui}, UID_i, SNX_j, T_{snj})$
In view of F13, RA6, PR4, and PR2, we obtain the following:
In view of F14 and PR5, we obtain the following:
In view of F15, we obtain the following:
In view of F16, RA7, and PR3, we obtain the following:
In view of Inf4, we obtain the following:
In view of F18, RA8, and PR1, we obtain the following:
The equivalent form of F19 is the following: F20:
In view of F20, RA9, PR4, and PR2, we obtain the following: F20:
In view of F20 and PR5, we obtain the following:
In view of F21, we obtain the following:
In view of F22, RA10, and PR3, we obtain the following:
In view of F10 and F15, we obtain the following:
In view of F24, RA11, and PR3, we obtain the following:
In view of F5 and F21, we obtain the following:
In view of F26, RA12, and PR3, we obtain the following:

AVISPA Tool (Case 2).
In this section, we will validate our proposed authentication protocol by applying the AVISPA tool in case 2. Figures 7 and 8 present the result of the simulation by applying the ATSE and OFMC.

Informal Security Analysis of Protocol
In this section, we demonstrate informal security analysis of our proposed mutual authentication protocol through sixteen evaluation criteria as defined in Section 2.3.

Session Key Security.
In our designed protocol, the private session key is derived from the relevant privacy parameters of the three parties involved in the communication process through hash function operation. In case 1, $r_{SNj}$, $r_{GWNh}$, $UID_i = h(ID_i \| r_i)$, and $h(r_{Ui} \| UID_i)$, the assailant is able to figure out the session key . Nevertheless, it is impracticable for the assailant to figure out the session key without knowing these privacy parameters and finishing inversion of hash function in polynomial time. Thus, our designed protocol is capable of achieving session key security.

Three-Factor Security.
In our designed protocol, if the assailant only knows two of three factors, he is unable to launch an attack in our designed protocol. The first possibility is that the assailant only knows smart card and biometric. In this condition, assume that the assailant captures $(GE_i, GF_i, USC_1, USC_2, USC_3)$ kept in smart card and regains $\sigma_{Ui}$ by the formula $GEN(BIO_{Ui}) = (\sigma_{Ui}, \tau_{Ui})$. Later, the assailant will speculate $ID_i$, $PW_i$, $r_i$, and $r_p$ to figure out and confirms the correctness of the formula $USC_3^* = USC_3$. Nevertheless, the assailant cannot obtain password and sensitive parameters at the same time [4]. The smart card will suspend the session promptly after the assailant inputs the speculated password and sensitive parameters. The second possibility is that the assailant only knows password and biometric. Although the assailant has no ability to regain $\sigma_{Ui}$ by the formula $REP(BIO_{Ui}, \tau_{Ui}) = \sigma_{Ui}$, he is able to capture the communication information $(SCG_1, SCG_2, SCG_4, T_{sc}, UID_i, ID_{SNj})$. Even if the assailant obtains the correct password and biometric, he still cannot pass the verification of the smart card and cannot simulate the communication information.
The third possibility is that the assailant only knows smart card and password. Assume that the assailant captures Due to the uniqueness of biometric, the assailant has no ability to regain $\sigma_{Ui}$ by the formula $GEN(BIO_{Ui}) = (\sigma_{Ui}, \tau_{Ui})$. Without obtaining accurate biometric information to figure out $USC_1$, $USC_2$, and $USC_3$, it is impossible for the assailant to imitate user to log into the gateway.

Perfect Forward and Backward Security.
In our designed protocol, the private session key in case 1 is counted by the stochastic digits $r_{SNj}$, $r_{GWNh}$, $r_i$, and $r_{SCn}$, the identities $ID_i$, $SCN_i$, and $ID_{SNj}$, and the private key $SX_{SNj}$. The private session key in ) and it is counted by the stochastic digits $r_{SNj}$, $r_{GWNh}$, $r_{ui}$, and $r_i$ and the identity $ID_i$. The private session key is counted by the hash function and the stochastic digits are variable in each session. Even if the assailant compromises the private session key SK in case 1 and case 2, he is unable to obtain any previous or future private session keys. Consequently, our designed protocol is capable of achieving perfect forward and backward security.

Resist Sensor Node Capture Attack.
In our designed protocol, the assailant is able to capture the sensor node and obtain the information $(ID_{SNj}, SNX_j)$ kept in the sensor nodes, since the sensor nodes are placed in an unattended environment. $SNX_j$ is calculated as and $SX_{SNj}$ is the private key of sensor node that is only known to himself. Even if the assailant compromises the information kept in the sensor nodes, he is unable to accurately figure out the private parameters in sensor nodes and create the effective information in the communication process. Consequently, our designed protocol is capable of resisting sensor node capture attack.

Resist Stolen Smart Card Attack.
In our designed protocol, smart card is one of the three factors; hence, the case where the smart card is stolen is supposed to be taken into consideration. Smart card includes $GE_i$, $GF_i$, $USC_1$, $USC_2$, ; $r_i$ and $r_p$ are stochastic digits picked by $U_i$; and $\sigma_{Ui}$ is counted by GEN. Assume that the smart card is stolen by the assailant through power analysis method and the information $(GE_i, GF_i, USC_1, USC_2, USC_3)$ kept in smart card is available to the assailant. The assailant is unable to speculate $ID_i$, $PW_i$, and $\sigma_{Ui}$ through $USC_1$ and is also unable to speculate $r_{GWNh}$ and $SX_{GWNh}$ through $GUID_i$. Without these important parameters, the assailant is unable to imitate the smart card information. Thus, our designed protocol is capable of resisting stolen smart card attack.

Resist User Impersonation Attack.
In our designed protocol, assume that the login request information $(SCG_1, SCG_2, SCG_4, T_{sc}, UID_i, ID_{SNj})$ is known by the assailant. In order to compute $SCG_1$, the assailant has to calculate $GUID_i$ and $SCN_i$. In order to compute $SCG_2$, the assailant has to calculate $r_{SCn}$ and $h(SCN_i \| T_{sc})$. In order to compute $SCG_4$, the assailant has to calculate $GUID_i$, $SCG_3$, $r_{SCn}$, and $SCN_i$. To implement impersonation attack, the assailant has to speculate accurate parameters $(r_{SCn}, SCN_i, T_{sc}, r_{GWNh}, SX_{GWNh}, ID_{GWNh}, ID_i, PW_i, r_i, r_p)$. However, it is impossible for the assailant to gain these parameters. Without these important parameters, the assailant is unable to imitate the user to participate in the communication process. Thus, our designed protocol is capable of resisting user impersonation attack.

Resist Gateway Impersonation Attack.
In our designed protocol, when $U_i$ delivers the registration request , the assailant is able to capture this registration information and demands to reply information In order to accurately calculate these parameters, the assailant needs to speculate $(r_{GWNh}, r_i, r_p, ID_i, PW_i, SX_{GWNh}, ID_{GWNh})$. As the stochastic digits $(r_{GWNh}, r_i, r_p)$ are variable in each session, this reply will not be successful. Consequently, our designed protocol is capable of resisting gateway impersonation attack.

Resist Sensor Node Impersonation Attack.
In our designed protocol, the assailant is able to capture the information $(HSN_1, HSN_2, HSN_3, HSN_4, T_{gwnh})$ and counts $UID_i^* = SNX_j \oplus HSN_1$, $h(r_{SCn} \| SCN_i)^* = ID_{SNj} \oplus HSN_2$, and $r_{GWNh}^* = HSN_1 \oplus UID_i^* \oplus HSN_3$. Then, the assailant chooses stochastic digit $r_{ASSk}$ and time $T_{ass}$ to count as the valid sensor nodes.
Nevertheless, $SNX_j$ includes the private key $SX_{SNj}$ of SN; hence, the assailant is unable to count the accurate information $(SHN_1, SHN_2, T_{ass})$ and the session key $SK_A$. The aforementioned sensor node impersonation attack is in case 1, and case 2 is identical to case 1. Consequently, our designed protocol is capable of resisting the sensor node impersonation attack.

Resist Replay Attack.
In our designed protocol, we apply the time stamp in our communication information to resist replay attack. Suppose that the assailant captures the foregone communication information $(SCG_1, SCG_2, SCG_4, T_{sc}, UID_i, ID_{SNj})$ and intends to imitate the legitimate user to replay the information. $GWN_H$ computes the freshness of the information by the formula $|T_{gwnh} - T_{sc}| \le \Delta T$. If it is not right, $GWN_H$ terminates the session promptly. Suppose that the assailant captures the foregone communication information $(HSN_1, HSN_2, HSN_3, HSN_4, T_{gwnh})$ and intends to imitate the legitimate gateway to replay the information. $SN_j$ calculates the freshness of the information by the formula $|T_{snj} - T_{gwnh}| \le \Delta T$. If it is not right, $SN_j$ terminates the session promptly. Consequently, our designed protocol is capable of resisting replay attack.

Resist Privileged Insider Attack.
In our designed protocol, $U_i$ delivers $UID_i$ and $UPW_i$ to $GWN_H$ as the registration request in registration section, where If the identity and password are leaked to any privileged insider at $GWN_H$, this will lead to abundant security risks. The privileged insider is unable to extract the accurate identity $ID_i$ and password $PW_i$ from $UID_i$ and $UPW_i$ in the registration section on account of the irreversible one-way hash function $h(\cdot)$. Unaware of the stochastic digits $r_i$ and $r_p$, the privileged insider is also unable to extract the accurate identity $ID_i$ and password $PW_i$ from $UID_i$ and $UPW_i$ in the registration section. Consequently, our designed protocol is capable of resisting privileged insider attack.

Resist Online Password-Guessing Attack.
In our designed protocol, password $PW_i$ never emerges in the delivered information in the communication process. Although the assailant is able to capture the communication information $(SCG_1, SCG_2, SCG_4, T_{sc}, UID_i, ID_{SNj})$, $(HSN_1, HSN_2, HSN_3, HSN_4, T_{gwnh})$, $(SHN_1, SHN_2, T_{snj})$, and $(HSN_3, GSC_1, GSC_2, GSC_3, GSC_4, T_{hgwn1})$, all the communication information does not directly associate with password $PW_i$. The aforementioned condition is in case 1, and case 2 is identical to case 1. Consequently, our designed protocol is capable of resisting online password-guessing attack.

Resist Offline Password-Guessing Attack.
In our designed protocol, the assailant is able to capture the smart card and obtain the kept information $GE_i$, $GF_i$, $USC_1$, $USC_2$, and $USC_3$. The smart card contents containing password are . For the purpose of speculating the password accurately, the assailant has to obtain $ID_i$ and $\sigma_{Ui}$ at the same time for $USC_1$ and has to obtain $ID_i$, $r_i$, $r_p$, and $\sigma_{Ui}$ at the same time for $USC_3$. It is impossible for the assailant to accurately compute these parameters at the same time.
Consequently, our designed protocol is capable of resisting offline password-guessing attack.

Resist User Tracking Attack.
In our designed protocol, parameter $GUID_i$ computed by the gateway node for the user is transformed into $GUID^{new}$ after finishing the authentication process in case 1. Parameter $GUID_i$ computed by the gateway node for the user is ishing the authentication process in case 2. Without knowing the relevant parameter, only known $U_i$, the assailant is unable to figure out the following $GUID_i^{new}$. Consequently, our designed protocol is capable of resisting user tracking attack.

5.14. Biometric Template Protection.
In our designed protocol, the biometric information kept in smart card is first counted via $GEN(BIO_{Ui}) = (\sigma_{Ui}, \tau_{Ui})$ and then masked with the irreversible one-way hash function $USC_1$ Consequently, our designed protocol is capable of achieving the mutual authentication.

User Anonymity.
In our designed protocol, the assailant is able to capture the login request $(SCG_1, SCG_2, SCG_4, T_{sc}, UID_i, ID_{SNj})$ and obtain the kept information $GE_i$, $GF_i$, $USC_1$, $USC_2$, and $USC_3$ in the stolen smart card. The assailant will figure out identity In order to figure out $GF_i$, the assailant has to speculate parameters $r_{GWNh}$ and $SX_{GWNh}$, which are only known to $GWN_H$. Moreover, $UPW_i$ includes parameters $PW_i$ and $r_p$, which are only known to $U_i$. Consequently, our designed protocol is capable of achieving user anonymity.

Performance Comparison
In this section, we will demonstrate performance comparisons of our proposed mutual authentication protocol with other related mutual authentication protocols in terms of security, computation time, and communication cost. Table 1. From [1], we know that [25] cannot resist offline and online password-guessing attack. As shown in [25], the authors' security analysis does not mention or refer to IF5, IF7, IF10, and IF13. As shown in [46], the authors' security analysis does not mention or refer to IF2, IF4, and IF11. From [1], we know that [45] and [9] cannot resist IF5 and cannot achieve IF16 and IF3. As shown in [50], the authors' security analysis does not mention or refer to IF2, IF4, IF11, IF12, and IF14. As shown in [8], the authors' security analysis does not mention or refer to IF3, IF5, IF7, and IF14. From [47], we know that [48] cannot resist replay and sensor node capture attacks. As shown in [47], the authors' security analysis does not mention or refer to IF2, IF11, and IF12. As shown in [49], the authors' security analysis does not mention or refer to IF2, IF13, IF14, and IF15.

Computation Time Comparison.
The computation time comparison result is presented in Table 2. We directly obtain the communication costs in the corresponding references as shown in Table 2. We can see that some references [47][48][49] add fingerprint operations to communication cost, while some references [8,9,25,45] do not. In order to make a unified communication cost comparison, we will not add the fingerprint operations to communication cost. In this comparison, we specify that H represents the time of a hash function operation, E/D represents the time of an encryption and decryption operation, MM represents the time of a modular multiplication operation, and EM represents the time of an ECC point multiplication operation. We apply the experimental results of EM = 0.0171 s [46], H = 0.00032 s [7], E/D = 0.0056 s [7], and MM = 0.0002586 s [47] to compute computation cost. The total communication time in our designed protocol is 27H = 0.00864 s in case 1 and 43H = 0.0137 s in case 2. Although the communication cost is higher than the communication time in [7], our designed protocol has a higher level of security. Compared with other authentication protocols, no matter in case 1 or in case 2, our designed protocol has higher level of computation cost and is more suitable for the resource-constrained wireless sensor networks.

Communication Cost Comparison.
The communication cost comparison result is revealed in Table 3. In order to make a unified and thorough communication cost comparison, we assume that the identity of the user is 160 bits, the identity of the gateway node or base station is 160 bits, the identity of the sensor node is 32 bits, the random number is 128 bits, the result of symmetric encryption/decryption is 128 bits, the time stamp size is 32 bits, the result of the hash function is 160 bits, and the result of the ECC point multiplication operation is 160 bits.
Compared with the other authentication protocols, the total communication cost in our protocol is a bit higher than those in the other protocols [25,45,46,48,49]. During the authentication process, the number of information exchanges in the protocols in [46,48,49] is less than ours and the sensor nodes require more communication cost than the gateway node in the protocol in [50]. Because the sensor nodes are resource-constrained, the communication costs of the sensor nodes shall be reduced. The sensor nodes' communication costs in our protocol are lower than those in the other comparison protocols. The communication cost is acceptable as our designed authentication protocol achieves additional security features and has lower computation time.

Conclusion
To overcome the problems that the sensor nodes need to execute heavy calculation and communication consumption during the authentication process and cannot resist node capture attack and that the protocols also cannot provide perfect forward and backward security and cannot resist replay attack, we put forward a novel multifactor user authentication and key agreement scheme for multigateway wireless sensor networks in this paper. In our authentication protocol, we apply the lightweight hash function and given biometric information to achieve a higher level of security and efficiency, as well as a larger communication coverage area. Our authentication protocol meets sixteen evaluation criteria. We separately apply BAN logic, random oracle model, and AVISPA tool to validate the security of our authentication protocol. Our authentication protocol is able to achieve higher security and is more efficient in communication and computation costs as compared with the related authentication protocols.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.