WSN-SLAP: Secure and Lightweight Mutual Authentication Protocol for Wireless Sensor Networks

Wireless sensor networks (WSN) are widely used to provide users with convenient services such as health-care, and smart home. To provide convenient services, sensor nodes in WSN environments collect and send the sensing data to the gateway. However, it can suffer from serious security issues because susceptible messages are exchanged through an insecure channel. Therefore, secure authentication protocols are necessary to prevent security flaws in WSN. In 2020, Moghadam et al. suggested an efficient authentication and key agreement scheme in WSN. Unfortunately, we discover that Moghadam et al.’s scheme cannot prevent insider and session-specific random number leakage attacks. We also prove that Moghadam et al.’s scheme does not ensure perfect forward secrecy. To prevent security vulnerabilities of Moghadam et al.’s scheme, we propose a secure and lightweight mutual authentication protocol for WSNs (WSN-SLAP). WSN-SLAP has the resistance from various security drawbacks, and provides perfect forward secrecy and mutual authentication. We prove the security of WSN-SLAP by using Burrows-Abadi-Needham (BAN) logic, Real-or-Random (ROR) model, and Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation. In addition, we evaluate the performance of WSN-SLAP compared with existing related protocols. We demonstrate that WSN-SLAP is more secure and suitable than previous protocols for WSN environments.


Introduction
As a rapid development of wireless communication technology, wireless sensor networks (WSN) can be applied to various environments such as smart grids, smart homes, agriculture, industrial internet of things (IoT), and health-care [1][2][3][4][5]. People can achieve a more bountiful life by utilizing WSN environments. Generally, WSN environments consist of sensor nodes, a gateway, and users, as shown in Figure 1. Sensor nodes detect and monitor their surrounding environment. Then, sensor nodes transmit the monitored data to the gateway. The gateway relays and analyzes the message between sensor nodes and users. The gateway also manages the private information of sensor nodes and users to provide secure services. Users can access the data collected by sensor nodes through the gateway.
An example of the application environment in WSN is health-care services. Wearable sensors attached to a patient analyze the health condition of the patient. Then, these sensors send the collected data to the physician. However, these services can be exposed to various security attacks because each entity exchanges information through a public channel. If an adversary intercepts messages in WSN, the adversary can disguise as a legal user and send an incorrect message to the sensor node. Moreover, if an adversary registers to the gateway as a legal entity, the adversary can try to obtain other legal user's sensitive information.
Therefore, we need an authentication protocol that can provide secure services and prevent various attacks in WSN environments.
In 2020, Moghadam et al. [6] suggested an authentication and key agreement scheme for WSN environments utilizing Elliptic-Curve Diffie-Hellman (ECDH) [7]. They demonstrated that their scheme is efficient and secure against various security attacks such as replay, password guessing, stolen verifier, and man-in-the-middle (MITM) attacks. However, we discover that Moghadam et al.'s scheme does not provide security against insiders, and session-specific random number leakage attacks. We also prove that Moghadam et al.'s scheme does not support perfect forward secrecy. Moreover, each entity performs Elliptic Curve Cryptography (ECC) multiplication operations to compute a session key in Moghadam et al.'s scheme. However, ECC requires heavy computational costs. Since sensor nodes have low computation capabilities and storage resources in a WSN environment, we cannot ensure real-time communications using ECC in WSN environments. Therefore, using Moghadam

Contributions
Our paper's contributions are as below. • We analyze and prove the security vulnerabilities of Moghadam et al.'s scheme. Then, we propose WSN-SLAP to resolve security vulnerabilities of Moghadam et al.'s scheme. • We demonstrate the mutual authentication of WSN-SLAP using Burrows-Abadi-Needham (BAN) logic [8]. • We proof the session key security of WSN-SLAP by using the Real-or-Random (ROR) model [9] • We use Automated Verification of Internet Security Protocols and Applications (AVISPA) [10,11] to prove security features of WSN-SLAP against replay and MITM attacks. • We analyze the communication cost, the computational cost, and security properties of WSN-SLAP compared with related schemes.

Adversary Model
WSN-SLAP uses a well-known adversary model called the Dolev-Yao (DY) model [12]. Through the DY model, the adversary can eavesdrop, delete, intercept, and insert exchanged messages through a public channel. Moreover, the adversary can get exposed session-specific ephemeral parameters, which is based on the Canetti-Krawczyk (CK) adversary model [13]. The adversary can perform various security attacks with the DY model and the CK model. The detailed assumptions of the adversary model are defined in the following manner. • If an adversary registers as a legal user to the gateway, the adversary can authenticate with other entities.
• An adversary can obtain a user's lost/stolen smart card. The adversary can perform the power analysis attack [14] to get stored parameters of the smart card. • An adversary can attempt various attacks such as replay, sensor node capture, stolen verifier, and off-line password guessing attacks.

Organization
In Section 2, we describe related works for WSN environments. Then, we revisit Moghadam et al.'s scheme in Section 3 and prove the security flaws of Moghadam et al.'s scheme in Section 4. Section 5 illustrates WSN-SLAP. In Section 6, we perform informal and formal security analyses of WSN-SLAP by using BAN logic, the ROR model, and AVISPA simulation tool. In Section 7, we analyze WSN-SLAP's performance compared with the existing related protocols. In Section 8, we conclude and summarize our paper.

Related Works
In the past few decades, numerous password-based authentication schemes have been proposed to provide security and efficiency in WSN environments [15][16][17][18][19]. In 1981, Lamport [20] suggested an authentication mechanism based on a password. Lamport used one-way hash functions to encode the password and stored the hashed password inside the system. In 2006, Wong et al. [21] suggested a password-based authentication scheme in WSN environments. Unfortunately, Tseng et al. [22] proved that Wong et al.'s scheme is insecure against forgery and replay attacks. Tseng et al. demonstrated a dynamic user authentication scheme to improve security vulnerabilities of Wong et al. [21]'s scheme. However, these schemes [20][21][22] can suffer from on/off-line password guessing attacks because they only used the password as a factor to login and authenticate with other entities.
In the last few decades, two-factor-based authentication schemes [23][24][25] have been presented using hash functions and XOR operations to improve single factor's security weaknesses. In 2009, Das et al. [23] proposed a two-factor authentication scheme based on a smart card in WSNs. They demonstrated that their scheme can prevent various attacks such as replay, stolen verifier, and off-line password guessing attacks. However, Khan et al. [24] analyzed that Das et al. [23]'s scheme is vulnerable to privileged insider attack. He et al. [25] found that Das et al. [23]'s scheme is vulnerable to insider and impersonation attacks. To improve the security vulnerabilities of Das et al.'s scheme, He et al. [25] suggested an enhanced two-factor user authentication scheme for WSNs. However, these schemes [23][24][25] can suffer from various attacks such as thoe using stolen smart cards and mobile devices.
To resolve the security flaws associated with two-factor-based authentication schemes and improve the security level in WSN environments, researchers have proposed many ECC-based authentication schemes [26][27][28][29][30][31]. In 2011, Yeh et al. [26] proposed an authentication protocol for WSN environments using ECC. Yeh et al.'s scheme used a smart card and ECC to prevent various security issues such as insider, and masquerade attacks. Choi et al. [27] suggested an ECC-based user authentication scheme for WSN. However, Wu et al. [28] pointed out that Choi et al.'s protocol does not provide security against forgery attack. Nam et al. [29] suggested a secure authentication protocol for WSN based on ECC. Nam et al.'s scheme provides a secure protocol based on an Elliptic Curve Computation Diffie-Hellman (ECCDH) problem. In 2016, Jiang et al. [30] proposed an ECC-based authentication scheme. Jiang et al.'s scheme provides secure communications and untraceability in WSN environments. In 2017, Wu et al. [31] suggested a user authentication scheme using ECC. Wu et al.'s scheme can preserve user privacy in WSN environments. However, sensor nodes in WSN have low computing power and resources. Therefore, it is difficult to provide efficiency in WSN environments using these schemes [26][27][28][29][30][31] because ECC requires large computational resources.
In 2020, Moghadm et al. [6] suggested an authentication and key agreement scheme using ECDH. They asserted that their scheme provides resistance against various attacks such as replay, MITM, off-line password guessing, and stolen verifier attacks. However, we discover that Moghadam et al.'s scheme is vulnerable to insider, session-specific random number leakage attacks and perfect forward secrecy. Moreover, Moghadam et al.'s scheme suffers from heavy computational cost because it involves an ECC-based computation. Therefore, we propose WSN-SLAP, which has resistance to various security problems.  Master key of gateway KG Shared secret key between gateway and sensor node X Public key of gateway Session key E k /D k Symmetric key encryption/decryption h(.) Hash function || Concatenation function ⊕ Exclusive-or function

Sensor Node Registration Phase
In this phase, a sensor node S j sends its identity to the gateway GW. Then, GW computes a shared secret parameter between GW and S j . In Figure 2, we show the sensor node registration phase and the details are as follows. Step 1: S j generates its identity SID j , and sends it to GW over a secure channel.
Step 2: GW receives SID j and checks the validity of SID j . After that, GW computes KG = h(SID j ||k GW N ), and stores {SID j , KG} in its secure database, where k GW N is the master key of GW. Finally, GW sends {KG} to S j .
Step 3: S j receives and stores {KG} in its database.

User Registration Phase
A user U i registers to the gateway GW by sending an identity and a masked password value. Then, GW issues a smart card to U i . In Figure 3, we describe the user registration phase and the details are shown as below. Step 1: U i inputs the identity ID i and the password PW i , and then generates a random number q i . After that, U i computes APW i = h(q i ||PW i ) and sends the registration request message {ID i , APW i } to the gateway GW over a secure channel.
Step 2: GW receives {ID i , APW i } from U i , and then generates a random number z i . After that, GW computes } in a smart card and issues it to U i over a secure channel.
Step 3: U i receives the smart card, and stores q i in the smart card. Finally, parameters , q i } are stored in the smart card.

Login and Authentication Phase
After the registration phase, the user U i authenticates the gateway GW. In Figure 4, we describe the login and authentication phase and the detailed steps of the phase are shown as below.
Step 1: After inserting the smart card, U i inputs the identity ID * i and the password PW * i . The smart card computes If the verification process is successful, the smart card generates a random nonce a i and timestamp T 1 . With the public key of the gateway X, the smart card computes A 1 = a i · P, A 2 = a i · X, DID i = ID i ⊕ A 2(x) , A 3 = SID j ⊕ A 2(x) , and A 4 = E A 2 (B i ||SID j ||A 3 ). At last, the smart card sends {A 1 , A 3 , A 4 , T 1 } to GW through a public channel.
Step 2: GW receives {A 1 , A 3 , A 4 , T 1 } from U i , and selects a timestamp T 2 and checks the validity of T 1 . If the timestamp is vaild, If the equality holds, GW generates a random nonce g i and computes . At last, GW sends {g i · P, D 1 , D 2 , T 2 } to the sensor node S j over a public channel.
Step 3: After reception of the message {g i · P, D 1 , D 2 , T 2 } from GW, S j selects a timestamp T 3 and checks the validity of T 2 . Then, S j computes If the verification is legitimate, S j generates a random nonce f i , and computes sk = h( Step 4: After receiving { f i · P, X i , T 3 } from S j , GW selects a timestamp T 4 and checks the validity of T 3 . Then, GW computes sk = h(A 2 || f i · g i · P), X i = h(sk||KG) and verifies Step 5: U i receives the message {y i , D 4 , T 4 }, and selects a timestamp T 5 and checks the validity of T 4 . At last,

Cryptanalysis of Moghadam et al.'s Scheme
In this section, we demonstrate the security vulnerabilities of Moghadam et al.'s scheme [6] such as insider, and session-specific random number leakage attacks. Moghadam et al.'s scheme also does not achieve perfect forward secrecy.

Insider Attack
If an adversary A ordinary registers as a legal user U i , A can authenticate with the gateway GW and the sensor node S j by exchanging messages. With this information, A can compute another legal user U l i 's session key. The details are shown as below.
Step 1: A inserts the smart card, and inputs the identity ID i and the password PW i of A. Then, the smart card checks the validity of A, and sends a login request message Upon reception of the message {g i · P, D 1 , D 2 , T 2 }, S j computes a session key sk. Then, S j sends the authentication response message { f i · P, X i , T 3 } to GW. GW computes the session key and sends {y i , D 4 , T 4 } to A. A computes the session key and obtains communication messages during the login and authentication phase.
Step 2: After obtaining the message {g i · P, D 1 , where A 2 is the secret key of A using ECC and KG is a shared secret key between GW and S j .
Step 3 : A intercepts a message {g l i · P, D l 1 , D l 2 , T l 2 } from the message of another legal user Step 4: A obtains the message {y l i , D l 4 , T l 4 } and decrypts D l 4 using the secret key A l 2 of U l i . Then, A can obtain the random secret nonce g l i of sensor node. A can compute Therefore, Moghadam et al.'s scheme cannot prevent insider attacks.

Perfect Forward Secrecy
Moghadam et al. demonstrated that their scheme can ensure the security feature of perfect forward secrecy. However, if the adversary A gets the master key k GW N of the gateway GW, the adversary can compute the legal user U i 's session key sk. The details are shown in following steps.
Step 1: If A obtains the master key k GW N , A can compute the secret key Step 2: the symmetric key between the U i and the gateway GW.
Step 3: Consequently, Moghadam et al.'s scheme does not ensure perfect forward secrecy.

Session-Specific Random Number Leakage Attack
Suppose that a random nonce a i is disclosed to an adversary A. Using the public key X of the gateway GW, A can calculate A 2 = a i · X. Then, A can compute the session key sk. The details are described as below.
Step 1: After getting the parameter A 2 , A captures the message {y i , D 4 , T 4 }. Then, A decrypts D 4 = E A 2 (g i ) by using the symmetric key A 2 and obtains g i .
Step 2: A eavesdrops the message of the sensor node Therefore, Moghadam et al.'s scheme cannot prevent session-specific random number leakage attacks.

Proposed Scheme
We propose a secure and lightweight mutual authentication protocol for WSN environments to resolve security weaknesses of Moghadam et al.'s scheme [6]. To consider the resource-limited sensor nodes, WSN-SLAP uses hash functions and XOR operations that generate low computational overheads. WSN-SLAP is composed of sensor node registration, user registration, login and authentication, password update, and sensor node addition phases.

Sensor Node Registration Phase
If a sensor node S j sends a registration request message, the gateway GW computes a secret parameter for the sensor node. Then, S j stores the parameter. We show the sensor node registration phase in Figure 5 and the details are presented as below. Step 1: S j selects its identity SID j and generates a random number R j . Then, S j computes h(SID j ||R j ) and sends {SID j , h(SID j ||R j )} to GW over a secure channel.
Step 2: Step 3: At last, S j stores {KS j } in its memory.

User Registration Phase
A user U i sends a registration request message to the gateway GW. Then, GW computes secret parameters and issues a smart card to the user. In Figure 6, we describe the user registration phase and the detailed steps are shown as below.
Generates a random number R i Step 1: U i inputs an identity ID i and a high entropy password PW i . After that, U i transmits {ID i } to GW via a secure channel.
Step 2: GW generates random numbers x and R g , and computes Step 3: U i generates a random number

Login and Authentication Phase
To access information of the sensor S j , the user U i sends a login request message to the gateway GW. In Figure 7, we describe the login and authentication phase and the details are presented below.
Retrieves PID i and the secret value x Generates a random nonce N2 Retrieves SID j and h(SID j ||R j ) Checks V *  Step 1: After inserting the smart card, U i inputs the identity ID i and the password PW i .
The smart card computes R * . Then, the smart card checks the validity of V * i compared with V i stored in the smart card. If the validity is confirmed, the smart card generates a random nonce N 1 , and computes Step 2: , and checks the validity of V * 1 compared with V 1 . If the validity is confirmed, GW retrieves SID j and h(SID j ||R j ) from GW's database. GW Step 3: and checks the validity of V * 2 compared with the parameter V 2 . If the validity is confirmed, where SK is a session key. Finally, S j sends {M 4 , V 3 } to GW.
Step 4: After receiving the message {M 4 , V 3 } from S j , GW computes N * and verifies the equality of V * 3 and V 3 . If the verification is successful, GW generates a random nonce N 2 and computes x new } if the key agreement is successful.

Password Update Phase
In WSN-SLAP, users can easily change their own password. The details are shown as below.
Step 1: After inserting the smart card, The user U i inputs the identity ID i and the password PW i . The smart card computes R and verifies the equality of V * i and V i . If the verification is successful, the smart card requests a new password to U i .

Sensor Node Addition Phase
To add a new sensor node S new j to WSN-SLAP, S new j registers to the gateway GW. The detailed steps are described as follows. Step

Security Analysis
WSN-SLAP not only considers lightweight features using hash functions and XOR operations, but also ensures a higher security level compared with related schemes. To evaluate the security of WSN-SLAP, we perform informal security analysis and formal security analysis such as BAN logic, ROR model, and AVISPA simulation tool. We show that WSN-SLAP prevents a variety of attacks using informal analysis. We demonstrate the mutual authentication of WSN-SLAP using BAN logic and also prove the session key security of WSN-SLAP by using the ROR model. We use the AVISPA simulation tool to prove security features of WSN-SLAP against replay and MITM attacks.

Informal Security Analysis
WSN-SLAP provides security against various attacks such as insider, stolen smart card, replay, sensor node capture, off-line password guessing, privileged insider, stolen verifier, and MITM attacks. Furthermore, WSN-SLAP ensures perfect forward secrecy and mutual authentication.

Insider Attack
If an adversary A registers to the gateway GW as a legal user, A can authenticate to GW and the sensor node To compromise other legal user's sessions, A must need KS j to compute the session key. Since hash functions mask the random nonce N 2 and the user's secret parameter H ID i such as h(h(N 2 ||HID i )||KS j ), A cannot compute the shared secret parameter KS j between GW and S j . Therefore, WSN-SLAP is secure against the insider attacks.

Stolen Smart Card Attack
Suppose that an adversary A captures the legal user U i 's smart card. Then, A uses the power analysis attack to extract stored parameters in the smart card. With U i 's smart card parameters, A tries to authenticate with the gateway GW and the sensor node S j . However, A cannot compute the login request message To calculate H ID i , A needs to guess ID i and PW i at the same time. Since these tasks are computationally infeasible task, it is hard to obtain both ID i and PW i . For these reasons, WSN-SLAP is secure against stolen smart card attacks.

Replay Attack
If an adversary A intercepts messages {PID i , M 2 , M 3 , V 2 } and {ID i , S i , M 1 , V 1 } from a legal user U i , A tries to authenticate with the gateway GW by sending intercepted messages at other sessions. In WSN-SLAP, GW and the sensor node check the freshness of random nonces N 1 , N 2 and N 3 . Thus, WSN-SLAP can provide security against replay attacks.

Sensor Node Capture Attack
We assume that an adversary A captures a specific sensor node S j and obtains parameters {SID j , KS j } from the S j 's memory by using the power analysis attack. Then, A can authenticate with gateway GW and user U i . However, A cannot threat other sensor nodes. Since the shared secret parameter KS j = h(h(SID j ||R j )||k GW N ), A can only authenticate with the specific sensor node S j . A cannot calculate any information about other sensor nodes. Therefore, WSN-SLAP is secure against sensor node capture attacks.

Off-Line Password Guessing Attack
According to Section 1.2, an adversary A can guess a legal user U i 's password PW i . A can also extract stored parameters {SR i , SH ID i , V i , PID i , h(.)} from U i 's legitimate smart card. Then, A tries to impersonate as U i . However, A cannot compute WSN-SLAP has resistance to off-line password-guessing attacks.

Privileged Insider Attack
If a privileged insider adversary A intercepts a legal user U i 's registration message {ID i }, A tries to compute U i 's session key by using messages in Section 5.3. However, A cannot compute the session key of U i . To compute SK = h(h(N 2 ||HID i )|| N 3 ||N 1 ), A has to calculate H ID i which is the shared secret parameter between U i and the gateway GW. However, A cannot compute H ID i = SH ID i ⊕ h(PW i ||ID i ||R i ) from the login request message {PID i , S i , M 1 , V 1 } without U i 's password and the random number R i . Consequently, WSN-SLAP ensures security against privileged insider attacks.

Stolen Verifier Attack
Assuming that an adversary A steals the gateway GW's verification table including {SID j , h(SID j ||R j )} and (PID i , x). However, A cannot compute the session key of the legal user U i with these parameters. To compute the session key SK = h(h(N 2 ||HID i )||N 3 || N 1 ), A must compute H ID i by using PID i = H ID i ⊕ h(x||k GW N ). Since the parameter k GW N is GW's master key, A cannot compute H ID i . Therefore, WSN-SLAP has resistance to stolen verifier attacks.

MITM Attack
During the login and authentication phase, an adversary A intercepts and tries to modify the login request message {PID i , S i , M 1 , V 1 }. However, the gateway GW can easily detect the modified message by using the verification table. In addition, it is impossible to modify all messages because they include random parameters. Therefore, WSN-SLAP can prevent MITM attacks.

Session-Specific Random Number Leakage Attack
Assume that an adversary A obtains all random parameters N 1 , N 2 , and N 3 . Then, A tries to compute the session key SK. However, it is impossible to calculate the session key without knowing H ID i . H ID i is masked with the secret key x and the master key k GW N during the session. Accordingly, WSN-SLAP is secure against session-specific random number leakage attacks.

Perfect Forward Secrecy
We suppose that an adversary A obtains GW's master key k GW N . Then, A tries to compute the session key SK = h(h(N 2 ||HID i )||N 3 ||N 1 ) of the user U i . However, the master key k GW N is utilized, i.e., h(x||k GW N ) and h(h(SID j ||R j )||k GW N ). Therefore, A needs the shared secret parameter x or h(SID j ||R j ) to analyze the secret parameter. For this reason, WSN-SLAP provides perfect forward secrecy. = V * 4 . If the whole verification process is successful, we can conclude that each participant is authenticated with each other. Therefore, WSN-SLAP guarantees mutual authentication.

BAN Logic
In this section, we prove mutual authentication of WSN-SLAP using BAN logic analysis [8]. BAN logic has been widely used to analyze the mutual authentication of various authentication schemes [32,33]. In WSN-SLAP, the participants authenticate with each other to establish a session key SK among U, GW, and SN. Table 2 presents the basic notations of the BAN logic used in this proof.

Notation Description
P 1 , P 2 Two principals S 1 , S 2 Two statements SK The session key P 1 | ≡ S 1 P 1 believes S 1 P 1 | ∼ S 1 P 1 once said S 1 P 1 ⇒ S 1 P 1 controls S 1 P 1 S 1 P 1 receives S 1 #S 1 S 1 is fresh {S 1 } Key S 1 is encrypted with Key P 1 Key ←→ P 2 P 1 and P 2 have shared key Key

Rules
The logical rules of the BAN logic are described as below.

Goals
In WSN-SLAP, the basic goals of the BAN logic are that each principal establishes a session key and achieves mutual authentication. The goals for proving mutual authentication of WSN-SLAP are defined as follows :

Idealized Forms
In WSN-SLAP, the authentication request and response messages {PID i , S i , M 1 , V 1 }, {PID i , M 2 , M 3 , V 2 }, {M 4 , V 3 }, and {P i , M 5 , M 6 , V 4 } are transmitted through a public channel. We will transmit these messages into the idealized form and omit other messages because they cannot efficiently provide the logical properties of BAN logic. WSN-SLAP's idealized form messages are shown as below:

Assumptions
After the registration phase, each principal believes that it has secret keys which are shared among each other. The principal also trusts that random numbers and pseudo identity are fresh. Moreover, the principal believes that a legal principal can control the entitled components and values. The assumptions of the BAN logic in WSN-SLAP are as below:

BAN Logic Proof
We conduct the BAN logic analysis of WSN-SLAP as follows: Step 1: S 1 can be obtained from Msg 1 .
Step 2: S 2 can be induced by applying the MMR using S 1 and A 10 .
Step 3: S 3 can be induced by applying the FR using S 2 and A 1 .
Step 4: S 4 can be induced by applying the NVR using S 2 and S 3 .
Step 5: S 5 is can be induced by S 4 and the BR.
Step 6: S 6 is obtained from Msg 2 .
Step 7: S 7 is can be induced by applying the MMR using S 6 and A 13 .
Step 8: S 8 is can be induced by applying the FR using S 7 and A 3 .
Step 9: S 9 is can be induced by applying the NVR using S 7 and S 8 .
Step 10: S 10 is obtained from Msg 3 .
Step 11: S 11 can be induced by applying the MMR using A 5 and S 8 .
Step 12: S 12 can be induced by applying the NVR using S 9 and S 10 .
Step 13: S 13 and S 14 can be induced by S 9 , and S 12 . SN and GW can compute the session key SK = h(h(N 2 ||HID i )||N 3 ||N 1 ).
Step 14: S 15 and S 16 can be induced by applying the JR using S 13 and A 8 , and S 14 and A 7 , respectively.
Step 15: S 17 is obtained from Msg 4 .
Step 16: S 18 can be induced by A 9 , S 17 , and the MMR.
Step 17: S 19 can be induced by applying the FR using S 18 and A 4 .
Step 18: S 20 can be induced by S 16 , S 17 , and the NVR.
Step 19: S 21 and S 22 can be induced by S 5 , S 18 . U and GW can compute the session key Step 20: S 23 and S 24 can be induced by applying the JR using S 21 and A 5 , S 22 , and A 6 , respectively.

ROR Model
This section proves the security of the session key of WSN-SLAP by using the wellknown Real-Or-Random (ROR) model [9]. In WSN-SLAP, there are three participants. P t 1 U is a user, P t 2 GW is a gateway, and P t 2 GW is a sensor node. In the ROR model, the network is under an adversary A who can eavesdrop, capture, insert, and delete messages. With these abilities, A performs various attacks using Execute, CorruptSC, Reveal, Send, and Test queries.  (Poly) is the probability of the session key being broken by A. q 2 h , H ASH, and q send mean the number of hash queries, the range space of the hash function, and the number of send queries, respectively. s and C are the Zipf's parameters [34].
We follow the proof according to the method of [35,36]. We perform four games Game k , where k ∈ [0, 3]. Succ A,Game k is the event that A can guess a correct bit c in the Game k , and Pr[Succ A,Game k ] is the probability of Succ A,Game k . We can perform Game k as follows with these parameters. - . To obtain R i and H ID i , A needs the identity ID i and the password PW i . Therefore, A cannot distinguish with Game 2 and Game 3 if guessing PW i is computationally infeasible task. Then, we can obtain the result by using Zipf's law [34].
Finally, A gets the guessed bit c because games are done.
We get the following result utilizing the triangular inequality.
By multiplying (8) by 2, we get the following result.
Therefore, we prove

AVISPA Simulation
In this section, we analyze security features of WSN-SLAP by using AVISPA [10,11]. AVISPA is a formal security verification tool that detects MITM and replay attacks against the authentication protocol.
AVISPA uses the High-Level Protocols Specification Language (HLPSL). After receiving a protocol written in HLPSL, the translator converts the HLPSL-based protocol to an intermediate format (IF). Then, the translator inputs the IF to four back-ends, which are Constraint Logic-based Attack Searcher (CL-AtSe), Tree Automata based on Automatic Approximations for Analysis of Security Protocol (TA4SP), SAT-based Model-Checker (SATMC), and On the fly Model-Checker (OFMC), respectively. Consequently, the IF is converted to an output format (OF). If the summary of OF is SAFE, it means the protocol has resistance to replay and MITM attacks.
Specifically, OFMC back-end can utilize XOR operations. Therefore, we use this back-end in our paper.

HLPSL Specifications
In HLPSL, WSN-SLAP consists of users U A, gateway GW N, and sensor nodes SN. These entities are written as role. There are also two composition roles named session and environment, which contain security goals. Figure 8 indicates goals and the role of session and environment of WSN-SLAP. Figure 9 shows the whole process of the user U A. In state 1, the user U A registers to GW N. To start the session, U A receives the start message. Then, U A sends a registration request message {ID i } to the gateway GW N through a secure channel. In state 2, U A receives a smart card from GW N and stores {R i , SR i , SH ID i , V i } in the smart card. In the login and authentication phase, U A sends {PID i , S i , M 1 , V 1 } to GW N via a public channel. The function witness(U A, GW N, ua_gw_n1, N1 ) indicates the freshness of N 1 generated by U A. In State 3, U A receives {P i , M 5 , M 6 , V 4 } from GW N. Then, U A authenticates with GW N using N 2 in request(GW N, U A, gw_ua_n3, N 2 ).

Simulation Result
If the protocol's result summary is SAFE in OFMC simulation, the protocol has resistance to replay and MITM attacks. The result of WSN-SLAP's AVISPA simulation tool using OFMC back-end is shown in Figure 10. Thus, WSN-SLAP can prevent replay and MITM attacks.

Performance Analysis
In this section, we estimate computational costs, communication costs, and security properties of WSN-SLAP compared with existing related schemes [6,27,28,31].

Computational Costs
We analyze WSN-SLAP's computational cost compared with the performance of the related schemes [6,27,28,31]. According to [6,38], the execution time of each operation is acquired on a computer with a four-core 3.2 GHz CPU, and 8 GB memory. We estimate that T h , T ecm , and T sym are the execution time of the hash function (≈0.00032 s), ECC point multiplication (≈0.0171 s), and symmetric encryption/decryption (≈0.0056 s), respectively. We do not consider the execution time of the XOR operation because it is negligible. Table 3 indicates the result for computational costs. Accordingly, WSN-SLAP has a more efficient computational cost than related schemes [6,27,28,31].

Communication Costs
We evaluate the communication cost of WSN-SLAP compared with related schemes [6,27,28,31] in this section. According to [6], we define that the user identity, sensor node identity, random number, timestamp, SHA-1 hash digest, and ECC point are 128, 16, 128, 32, 160 and 320 bits, respectively. In WSN-SLAP, the login request mes-involves XOR operations and hash functions. Therefore, the proposed WSN-SLAP provides more secure and efficient communication services compared with existing related protocols and is suitable for WSN environments. In future work, we will implement a whole network and secure protocol to design a new scheme that is practical for use in WSN.