Understanding Node Capture Attacks in User Authentication Schemes for Wireless Sensor Networks

Chenyu Wang, Ding Wang, Yi Tu, Guoai Xu, and Huaxiong Wang

Abstract—Despite decades of intensive research, it is still challenging to design a practical multi-factor user authentication scheme for wireless sensor networks (WSNs). This is because protocol designers are confronted with a long-standing “security versus efficiency” dilemma: sensor nodes are lightweight devices with limited storage and computation capabilities, while the security requirements are demanding as WSNs are generally deployed for sensitive applications. Hundreds of proposals have been proposed, yet most of them have been found to be problematic, and the same mistakes are repeated again and again. Two of the most common security failures are regarding smart card loss attacks and node capture attacks. The former has been extensively investigated in the literature, while little attention has been given to understanding the node capture attacks. To alleviate this undesirable situation, this article takes a substantial step towards systematically exploring node capture attacks against multi-factor user authentication schemes for WSNs. We first investigate the various causes and consequences of node capture attacks, and classify them into ten different types in terms of the attack targets, adversary’s capabilities and vulnerabilities exploited. Then, we elaborate on each type of attack through examining 11 typical vulnerable protocols, and suggest corresponding countermeasures. Finally, we conduct a large-scale comparative measurement of 61 representative user authentication schemes for WSNs under our extended evaluation criteria. We believe that such a systematic understanding of node capture attacks would help design secure user authentication schemes for WSNs.

Index Terms—User authentication, node capture attacks, wireless sensor networks
1 INTRODUCTION

The past ten years have witnessed the prosperity and development of wireless sensor networks. As the elementary infrastructure of the Internet of Things, WSNs are widely used in smart homes [1], public safety [2], personal health [3] and intelligent transportation systems [4]. A WSN is an ad-hoc network consisting of a large number of sensor nodes which are connected by wireless communication. These sensor nodes can collaboratively monitor information from the network coverage area [5], and typically external parties are allowed to access the real-time data in sensor nodes to acquire the status of the monitored entity [6], [7]. As such, it is critical that the sensitive data are not accessed by malicious adversaries. Therefore, a well-designed user authentication method is necessary.
Generally, there are three factors used for authenticating a person: something only she knows, such as a password [8]; something she has, such as a smart card; something she is, such as a biometric trait [9]. Due to their simplicity and convenience, password-based authentication protocols are quite popular [10]. Smart card and biometric factors are usually added to password-based protocols as a way of increasing security [1], [11]. A protocol which combines at least two factors is called a multi-factor user authentication protocol. It is typically used for security-crucial systems, such as wireless sensor networks as shown in Fig. 1. In this authentication model, three participants are included: 1) a set of users $U$, who may want to access the real-time data from a sensor node; 2) a large number of distributed sensor nodes $SN$, which are deployed to detect, monitor and collect data, and may help to process the data; 3) the gateway GWN, which acts as a controller, provides a registration service, and is a communication bridge between users and sensor nodes. Though our results can also be applied to multi-gateway environments, this paper primarily focuses on the single-gateway architecture as shown in Fig. 1. Besides, unless otherwise specified, the figures, tables and various conclusions in this article are for multi-factor user authentication in WSNs.
The request for a user authentication protocol that ensures the security of communication and avoids eavesdropping by adversaries has resulted in a large number of proposals. However, designing a multi-factor user authentication scheme for WSNs is full of challenges due to the fact that the protocol designer is confronted with a powerful adversary, resource-constrained hardware and demanding security requirements. To reveal the difficulties in designing a multi-factor user authentication scheme for WSNs, we revisit dozens of typical schemes and identify their security flaws. For a concrete grasp, we show the result in Fig. 2, illustrating the development history of multi-factor user authentication protocols for WSNs. It can be seen that most proposals have been found insecure or unable to provide certain important security attributes. Particularly, most schemes are unable to resist offline dictionary attacks or node capture attacks. Among these examined schemes, only two are secure against node capture attacks.

Much effort has been made to defend against offline dictionary attacks. Notably, Ma et al. [12] showed that the public-key algorithm is indispensable; Wang et al. [13] introduced a technique integrating “fuzzy-verifier” and “honey-words” to settle the conflict between resisting offline dictionary attacks and detecting typos timely. In contrast, little attention has been paid to node capture attacks. In most cases, node capture attacks are mentioned as a security threat, but their actual attacking process and consequences are overlooked, and there is a lack of systematic investigation of node capture attacks.

C. Wang and G. Xu are with the School of Cyber Security, Beijing University of Posts and Telecommunications, Beijing 100876, China, and also with the National Engineering Laboratory of Mobile Network Security, Beijing 100876, China. E-mail: {wangchenyu, xga}@bupt.edu.cn.
D. Wang is with College of Cyber Science, Nankai University, Tianjin 300350, China, with the State Key Laboratory of Cryptology, Beijing 100878, China, and also with Tianjin Key Laboratory of Network and Data Security Technology, Nankai University, Tianjin 300350, China. E-mail: wangding@nankai.edu.cn.
Y. Tu and H. Wang are with the School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore 637371. E-mail: tuyi0002@e.ntu.edu.sg, hxwang@ntu.edu.sg.
Manuscript received 12 Sept. 2019; revised 18 Jan. 2020; accepted 11 Feb. 2020. Date of publication 0 . 0000; date of current version 0 . 0000. (Corresponding author: Ding Wang.)
Digital Object Identifier no. 10.1109/TDSC.2020.2974220
IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING
1545-5971 © 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.
1.1 Node Capture Attacks

Around 2000, Carman et al. [14] and a number of researchers [15], [16], [17] pointed out that the adversary can physically acquire the data of some sensor nodes, because they are usually left in unattended or hostile environments and it costs too much to equip them with tamper-resistant hardware in view of their large-scale development. In 2005, Benenson et al. [18] for the first time introduced node capture attacks into remote user authentication schemes. They pointed out that the adversary can compromise some of the sensor nodes and carry out a series of subsequent attacks. After that, node capture attacks began to be accepted as a practical attack against user authentication schemes for WSNs, and many new proposals are designed to resist this attack.
One notable attempt, initiated by Vaidya et al. [19] in 2010, is to identify the weaknesses in previous schemes [20], [21], [22] against node capture attacks and design a new secure version. Unfortunately, this scheme was later shown not to provide forward secrecy and to be insecure against smart card loss attacks and node capture attacks. In 2012, Vaidya et al. [23] proposed a hash-based scheme which is claimed to be secure against node capture attacks. However, in 2014, Kim et al. [24] pointed out that Vaidya et al.’s scheme [23] is unable to resist node capture attacks: if the adversary gets the private key of a sensor node, she can forge the message that is sent by the gateway to users. They then proposed a scheme which is claimed to be secure against node capture attacks and other known attacks. Nevertheless, their security claims were invalidated by Chang et al. [25], who showed that a legitimate user can get a sensor node’s private key and carry out subsequent attacks. Therefore, Chang et al. proposed a new enhanced version, and proved their scheme is secure against node capture attacks. However, Park et al. [26] demonstrated that their scheme does not provide forward secrecy if the adversary obtains the private key of a sensor node, and thus it is not secure against node capture attacks. Recently, in 2017, Srinivas et al. [27] presented a temporary-certificate-based user authentication scheme for WSNs with lightweight operations. Particularly, they proved that their scheme is secure against node capture attacks. Later, Wang et al. [6] revealed that in Srinivas et al.’s scheme [27], once a sensor node is compromised, the adversary is able to compute previous session keys that are associated with this sensor node. Thus, the scheme in [27] is, again, unable to resist node capture attacks.

Fig. 1. User Authentication in wireless sensor networks (WSNs).

Fig. 2. A brief history of multi-factor user authentication for WSNs. This figure is developed from Fig. 2 of [6]. Most works first present effective attacks on protocol(s) in the parent node, and then propose a new scheme and claim it to be better than previous ones. Schemes underlined with a solid line cannot resist offline dictionary attacks, and those underlined with a dashed line cannot resist node capture attacks. Among all schemes, only two of them (those that are circled in the graph) are secure against node capture attacks.
As said above, node capture attacks have been considered as a practical attack against user authentication schemes for WSNs. More and more schemes take the resistance to node capture attacks as an attribute that should be satisfied [6], [23], [27], but most schemes still suffer from this threat. Moreover, when assessing the security of multi-factor user authentication schemes for WSNs, node capture attacks are usually included in the criterion “resistance to known attacks” (see [6], [28]). In a nutshell, the harmfulness of node capture attacks has not been well recognized and a systematic investigation is still lacking.
1.2 Motivations and Contributions

Generally, sensor nodes are deployed in unattended or hostile environments, and their large-scale deployment makes it too costly to equip them with tamper-resistant hardware. Hence, sensor nodes are susceptible to capture by adversaries, resulting in typical node capture attacks in user authentication schemes for WSNs.
1) Although some recent work takes node capture attacks into account, as mentioned above, most of these schemes still cannot resist node capture attacks, and they are caught in a “break-fix-break-fix” circle. The main reason for this undesirable situation is a lack of systematic investigation on node capture attacks.
2) Moreover, the damaging effects of node capture attacks are underestimated. According to our observation and examples in later sections, besides triggering the leakage of previous session keys [6], node capture attacks may enable adversaries to trace user activities, impersonate users, manipulate not only the compromised sensor nodes but also other nodes, and even break the security of the entire system.
In all, node capture attacks have become one of the most urgent and prevalent issues to be addressed in the design of a secure user authentication scheme for WSNs, and they would have a huge impact on the security of user authentication schemes. Understanding node capture attacks and summarizing their causes and consequences can help to design a secure authentication scheme that can resist this kind of attack, which motivates us to conduct a systematic investigation on node capture attacks.
As far as we know, this is the first in-depth exploration on node capture attacks in the field of user authentication schemes for WSNs. Towards our goal, we first define the adversary model based on Wang et al.’s work [6]. Then, we put forward detailed and thorough evaluation criteria for multi-factor user authentication schemes for WSNs. We achieve this by combining the merits of the widely accepted evaluation criteria [6], [13] and including the effects of node capture attacks. Note that, unlike [6], [13], which include the resistance to node capture attacks in the criterion C5 “resistance to known attacks”, we propose a separate criterion “resistance to node capture attacks”. This additional criterion is indispensable to understand and evaluate the security of multi-factor user authentication schemes for WSNs due to the prevalent feature and damaging effects of node capture attacks.
Then, with intensive experience on analyzing about ninety user authentication schemes for WSNs, we figure out the various causes and consequences of node capture attacks, and classify them into ten types in terms of the attack targets, adversary’s capabilities and vulnerabilities exploited. We explain each type of attack through examining typical vulnerable schemes, and propose corresponding countermeasures. For example, in Fan et al.’s scheme [29], due to the inappropriate distribution of sensor nodes’ private keys, all sensor nodes share the same private key with the gateway. We show that an adversary who compromises the sensor node $SN_j$ can obtain the private keys of all sensor nodes, resulting in a sensor node impersonation threat. To deal with this attack, we recommend using $h(ID_{SN_j} \| x)$ as $SN_j$’s private key, where $x$ is a long-term secret key and $ID_{SN_j}$ is $SN_j$’s identity.
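The key-distribution countermeasure recommended above, compared with the shared-key layout it replaces, as an added example that is not code from the paper or from Fan et al.'s scheme. The class and function names, SHA-256 as $h$, the HMAC tag, the length prefix and the sample node identities are assumptions of this example.

```python
import hashlib
import hmac
import secrets


class SharedKeyGateway:
    """Flawed distribution: one private key is installed on every sensor node."""

    def __init__(self, x: bytes):
        self._shared = hashlib.sha256(b"shared-node-key" + x).digest()

    def node_key(self, node_id: bytes) -> bytes:
        return self._shared


class DerivedKeyGateway:
    """Countermeasure from the text: X_SNj = h(ID_SNj || x)."""

    def __init__(self, x: bytes):
        self._x = x  # long-term secret key, never leaves the gateway

    def node_key(self, node_id: bytes) -> bytes:
        # The length prefix (an addition of this example) keeps ID || x
        # unambiguous when identities have different lengths.
        prefix = len(node_id).to_bytes(2, "big")
        return hashlib.sha256(prefix + node_id + self._x).digest()


def node_response(node_key: bytes, node_id: bytes, challenge: bytes) -> bytes:
    """Authentication tag a sensor node returns to the gateway (assumed HMAC)."""
    return hmac.new(node_key, node_id + challenge, hashlib.sha256).digest()


def gateway_accepts(gw, claimed_id: bytes, challenge: bytes, response: bytes) -> bool:
    """Gateway-side check: recompute the tag under the key registered for claimed_id."""
    expected = node_response(gw.node_key(claimed_id), claimed_id, challenge)
    return hmac.compare_digest(expected, response)


def exposure_after_capture(gw, captured_id: bytes, deployed_ids: list) -> list:
    """Identities the gateway still accepts from the holder of one captured key.

    Anything beyond captured_id means a single capture forces re-keying of
    every listed node, not just revocation of the captured one.
    """
    captured_key = gw.node_key(captured_id)  # the secret stored on the captured node
    accepted = []
    for node_id in deployed_ids:
        challenge = secrets.token_bytes(16)
        response = node_response(captured_key, node_id, challenge)
        if gateway_accepts(gw, node_id, challenge, response):
            accepted.append(node_id)
    return accepted


# Constructed sample deployment (identities are made up for this example).
DEPLOYED = [b"SN-001", b"SN-002", b"SN-003"]

if __name__ == "__main__":
    x = secrets.token_bytes(32)
    print("shared :", exposure_after_capture(SharedKeyGateway(x), b"SN-002", DEPLOYED))
    print("derived:", exposure_after_capture(DerivedKeyGateway(x), b"SN-002", DEPLOYED))
```

With the derived layout the revocation list after a capture contains only the captured identity, which is what makes per-node revocation workable.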
Finally, according to our taxonomy of node capture attacks, we naturally improve our evaluation criteria for multi-factor user authentication schemes for WSNs by expanding the criterion “resistance to node capture attacks” into ten types. We then perform a large-scale assessment of 61 multi-factor user authentication schemes for WSNs under our expanded criteria set. Among those schemes, only two are secure against node capture attacks, indicating the difficulty in designing node-capture-attack resistant user authentication schemes for WSNs along the way. Fortunately, our work provides a better understanding of node capture attacks, and we believe that this work would facilitate the design of secure user authentication schemes for WSNs that are resistant to node capture attacks. In brief, our contributions are summarized as follows:
1) We investigate the root causes and consequences of node capture attacks against user authentication schemes for WSNs, and classify them into ten different types in terms of the attack targets, adversary capabilities and vulnerabilities exploited. As far as we know, we are the first to provide a taxonomy of node capture attacks.
2) We elaborate on each type of node capture attacks through examining a corresponding typical vulnerable scheme, and propose corresponding countermeasures.
3) Finally, based on our taxonomy of node capture attacks, we extend our evaluation criteria, and perform a large-scale assessment of 61 user authentication schemes for WSNs under the expanded criteria.
1.3 Paper Organization

The remaining sections are organized as follows. In Section 2, we describe the adversary model, evaluation criteria and notations used in the paper. Section 3 presents a taxonomy of node capture attacks. Section 4 explains each type of node capture attacks using several typical schemes. The countermeasures are given in Section 5. Section 6 gives a large-scale measurement of 61 representative authentication schemes under our extended evaluation criteria. The summary of this paper is given in Section 7.
2 ADVERSARY MODEL, EVALUATION CRITERIA, AND MODEL OF AUTHENTICATION PROCESS

In this section, we first introduce some notations and a standard model of authentication process for public-key based multi-factor user authentication schemes for WSNs, then define the adversary model and evaluation criteria based on widely accepted frameworks.
2.1 A Generic Model of Authentication Process

Our notations and abbreviations are illustrated in Table 1, and the standard model of authentication process for WSNs is shown in Fig. 3. Note that this model is recommended by Wang et al. [6], because other models for single-gateway WSNs have some inherent weaknesses.
In a user authentication protocol, there are three parties: the gateway node GWN, users, and sensor nodes. GWN possesses a secret key $x$, which is known as the long-term secret key. It is assumed that this key $x$ is well protected and cannot be extracted from GWN’s database.¹ A user $U_i$ owns an identity-password pair $(ID_i, PW_i)$. When $U_i$ requests to join the network in the registration phase, it interacts with GWN and obtains a smart card/device, which contains information $SC_i$. After the interaction, $U_i$ and GWN share a secret key $X_{U_i}$, which can be computed by $f_1(PW_i, SC_i)$ at the user side and by $f_2(x)$ at the gateway side. GWN also registers sensor nodes to the network and computes a secret key $X_{SN_j}$ as $SN_j$’s private key.
266 cate itself to SNjvia the help of GWN. To begin with, it first
267 chooses a random parameter riand computes Ri¼f4ðriÞ,
268 RGU ¼f5ðriÞ. It then sends an access request M1=
269 fAuth1¼f3ðXUi;Ri;RGUÞ;...gto GWN. Note that M1always
270 contains the information that helps to compute Auth1if the
271 user is honest. Upon receiving M1,GWN checks the validity
272 of M1by checking whether its computed Auth0
1is equal to
273 Auth1. If it is valid, GWN chooses a random parameter RGS,
274 computes M2=fAuth2¼f6ðXSNj;RGSÞ;...gand then sends
275 M2to SNj. After receiving M2,SNjchecks its validity first,
276 chooses a random parameter rjif valid, and then replies back
277 M3=fAuth3¼f7ðXSNj;Rj;RGSÞ;...gwith Rj¼f4ðrjÞ. With
278 M3,GWN checks its validity and if valid it replies
279 M4¼fAuth4¼f8ðXUi;Ri;RGUÞ;...gto Ui. If the authentica-
280 tion phase is successful, Uiand SNjwill agree on a secret ses-
281 sion key SK ¼f9ðri;rjÞ. Among the notations mentioned
282 above, we have the following definitions:
1) We name the parameters $Auth_1$, $Auth_2$, $Auth_3$ and $Auth_4$, used for verifying the validity of participants, verification parameters, denoted as $VP$.
2) The shared secret key $X_{U_i}$ is named the fixed unique secret parameter between GWN and $U_i$, denoted as $FUSP_{G/U}$. Similarly, $X_{SN_j}$ is named the fixed unique secret parameter between GWN and $SN_j$, denoted as $FUSP_{G/S}$.
3) The shared secret parameter $R_{GU}$ is named the temporary unique secret parameter between GWN and $U_i$, denoted as $TUSP_{G/U}$. $R_{GS}$ is named the temporary unique secret parameter between GWN and $SN_j$, denoted as $TUSP_{G/S}$.
4) Parameter $r_i$, which is chosen by $U_i$ and critical in computing session keys, is named the SK-U-critical parameter, denoted as $CP_{SK/U}$. Parameter $r_j$, which is chosen by $SN_j$ and essential in the computation of session keys, is named the SK-S-critical parameter, denoted as $CP_{SK/S}$.
Within a user authentication protocol, if an adversary is able to obtain any of: $PW_i$ for some $i$, $X_{SN_j}$ for some $j$, or the long-term secret key $x$, we say that the adversary can fully impersonate their victim ($U_i$, $SN_j$ or GWN, respectively). Such an attack is called a complete impersonation attack. On the other hand, if the adversary has no such secret information and can only try to manipulate some parties’ messages to cheat other parties, we name such an attack an incomplete impersonation attack.
2.2 Adversary Model and Evaluation Criteria

As the security of a cryptographic scheme cannot be properly evaluated if the adversary model or evaluation criteria are not well defined, we now describe the adversary model and evaluation criteria, tailored to multi-factor user authentication protocols for WSNs in the single-gateway setting.
Our adversary model is adapted from the one in [6] and is defined in Table 2. Note that Wang et al.’s criteria set [6] only considers the two-factor authentication scenario. Therefore, we adjust C3 of [6] so that it captures the three-factor scenario considered in this work. Also, we remove the adversary’s ability in the multi-gateway setting in C7 as we only consider the single-gateway environment.
Our evaluation criteria are adapted from the state-of-the-art evaluation frameworks [6], [13] and the traditional one [51], and are illustrated in Table 3. More specifically, following [51], we divide the criteria into two levels: the ideal attributes and security requirements. The former deals with various attributes that an ideal user authentication scheme should provide, and focuses on the usability of the protocol. The latter specifies requirements that a scheme should satisfy to serve as a secure one. Following [6], [13], we remove redundancies in the criteria of [51] and form our 12 independent criteria. Inspired by [6], [13], we separate node capture attacks from “the known attacks” and propose our criterion S6 (resistance to node capture attacks), taking into account the prevalent features and damaging effects of node capture attacks. More specifically, the reason why we propose an independent criterion for node capture attacks is consistent with Wang et al. [13], who separate smart card loss attacks from the criterion C5 “resistance to known attacks” due to the destructive effects of smart card loss attacks. Another difference of our criteria from [6], [13], [51] is that we specify the adversary’s capabilities for each criterion. For the criteria under ideal attributes, we evaluate them from the functional perspective rather than from the attacking view. For the criteria under security requirements, we specify the adversary’s capabilities in Table 3.

TABLE 1. Notations and Abbreviations
⋆: Throughout the paper, the session key is between the user and sensor node.

Fig. 3. Authentication processes.

1. When assessing forward secrecy, this key can be extracted
Remark 1. From the above comparison, we can see that the most important difference between our criteria and existing criteria [6], [13], [51] is that our criteria propose a separate criterion S6 “resistance to node capture attacks”, yet this criterion is included in the criterion “resistance to known attacks” in existing criteria. Furthermore, as shown in Section 6, our criteria framework will further divide S6 into ten sub-criteria based on our analysis results of node capture attacks. This difference is the main reason why it seems that our criteria become more complex than others. However, we think this complexity is necessary and it will make our criteria more concrete and decidable to be employed. In these existing criteria [6], [13], [51], the attack scenarios where the adversary simultaneously compromises the victim’s smart card and several sensor nodes cannot be captured. Besides, our criteria framework allows the designers to assess the scheme more objectively and easily. For example, in the previous criteria framework, if the protocol designer wants to assess whether their scheme can satisfy the criterion “resistance to known attacks”, she needs to assess whether their scheme can resist node capture attacks. But how to achieve this? Before our work, they need to try various possible attack scenarios, which either may cost more time to assess or ignore some important attack scenarios. Therefore, following these existing criteria frameworks, it is difficult and tricky for protocol designers to assess whether their schemes can resist node capture attacks, and they need to make much more effort. Fortunately, the ten sub-criteria (as shown in Section 6) of our criteria framework provide a structured, actionable and concrete reference for protocol designers to systematically evaluate whether their scheme can resist node capture attacks.
Remark 2. All authentication schemes are assessed from two aspects: (1) the security and functionality under a widely-accepted criteria framework; (2) the performance, such as computational cost and storage cost. The former captures the security and functionality requirements, continues to be a hot and hard topic and has led to intense research, see [6], [13], [51]. The latter is specific and can well capture the dynamic nature of WSNs. Like existing criteria frameworks, the target of our criteria is to assess the security and functionality of authentication schemes. When WSNs become larger, the factors that affect the security, such as the capabilities to compromise the victim’s smart card, some of the sensor nodes and the long-term secret key, will not change. Therefore, the scale of WSNs has little impact on the security of authentication schemes. As for the functionality, the criterion “Sound Repairability”, which requires the scheme to support dynamic sensor node addition, is an attribute to support the dynamic nature of WSNs. Therefore, when WSNs become larger, existing criteria frameworks and ours are still workable.

TABLE 2. Capabilities of the Adversary⁰
0: The seven capabilities are not all necessary to Table 4, where C4 and C5 are not mentioned, because these two capabilities have no inherent relevance to the taxonomy of node capture attacks. However, we include all seven capabilities here for completeness.
1: Note that C3 of Wang’s criteria [6] is suitable for the two-factor user authentication schemes, so we add the three-factor condition in C3 to make the model apply to multi-factor user authentication schemes.
2: Since the multi-gateway environment is not our focus, we omit the part about it. Furthermore, we highlight the security threat of the administrator of the gateway in the registration phase.

TABLE 3. Evaluation Criteria
†: An ideal attribute is assessed from the functional perspective rather than an attack.
⋆: The criterion “Timely Typo Detection” in [6] is included in D1 here, as a scheme providing local-change-password can timely detect typos too.
Note that we say that $\mathcal{A}$ breaks S5 and S6 only when $\mathcal{A}$ conducts the attack with the help of a compromised smart card and sensor node, respectively.
3 A TAXONOMY OF NODE CAPTURE ATTACKS

Based on the analysis of about 90 authentication protocols for WSNs, we investigate the causes and consequences of node capture attacks, and we classify them into ten different types (see Table 4) in terms of the attack targets, adversary’s capabilities and vulnerabilities exploited. As shown in Table 4, the adversary $\mathcal{A}$ can achieve different attack consequences and attack scale² in terms of different attack targets, adversary’s capabilities and vulnerabilities exploited. The attack targets can be divided into five categories: the session keys, the users, the sensor nodes, the gateway and the availability. The vulnerabilities exploited include insecure parameter transmission, inappropriate parameter distribution, unreasonable design intent, inefficient verification, the issue of offline dictionary attacks and forward secrecy.
Type I and Type II in Table 4 depict the attacks where $\mathcal{A}$ breaks the security of session keys with the help of the private key $X_{SN_j}$ of the compromised sensor node $SN_j$. The difference between them is that in Type I, $\mathcal{A}$ can only calculate previous session keys between the compromised sensor node $SN_j$ and all users, whereas in Type II, $\mathcal{A}$ can calculate previous session keys between all sensor nodes and all users, which is more destructive. The root cause of Type I is essentially consistent with that of forward secrecy. As for Type II, besides the issue of forward secrecy, the inappropriate distribution of $SN$’s private key is another cause.
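The Type I root cause, checked in the notation of the generic model of Section 2.1: an added example, not taken from the paper or from any scheme it examines, that records one session and then tests whether $SK$ is recomputable once $X_{SN_j}$ is known. The two instantiations of $f_4$ and $f_9$, the toy group, SHA-256/HMAC and all function names are assumptions; only the gateway-to-sensor leg ($M_2$, $M_3$) is modelled.

```python
import hashlib
import hmac
import secrets

# Toy multiplicative group, for illustration only (assumption of this example):
# p = 2^255 - 19 is prime. A deployment would use a standardized ECDH/MODP group.
P = 2**255 - 19
G = 2


def h(*parts: bytes) -> bytes:
    """Hash of length-prefixed fields, so field boundaries are unambiguous."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(n: int) -> bytes:
    return n.to_bytes(32, "big")


def tag(key: bytes, *parts: bytes) -> bytes:
    """Verification parameter (Auth_2 / Auth_3) bound to X_SNj."""
    return hmac.new(key, h(*parts), hashlib.sha256).digest()


def masked_session(x_snj: bytes):
    """Design A: r_i and r_j are sent masked only by values derived from X_SNj."""
    r_i, r_j, r_gs = (secrets.token_bytes(32) for _ in range(3))
    c_i = xor(r_i, h(x_snj, r_gs, b"U"))   # GWN -> SN_j, inside M2
    c_j = xor(r_j, h(x_snj, r_gs, b"S"))   # SN_j -> GWN, inside M3
    transcript = {
        "R_GS": r_gs, "C_i": c_i, "C_j": c_j,
        "Auth2": tag(x_snj, r_gs, c_i), "Auth3": tag(x_snj, r_gs, c_j),
    }
    return transcript, h(r_i, r_j)         # SK = f9(r_i, r_j)


def dh_session(x_snj: bytes):
    """Design B: f4(r) = g^r mod p; only R_i, R_j are sent, r_i and r_j are erased."""
    r_i = secrets.randbelow(P - 2) + 1
    r_j = secrets.randbelow(P - 2) + 1
    big_r_i, big_r_j = pow(G, r_i, P), pow(G, r_j, P)
    r_gs = secrets.token_bytes(32)
    transcript = {
        "R_GS": r_gs, "R_i": enc(big_r_i), "R_j": enc(big_r_j),
        "Auth2": tag(x_snj, r_gs, enc(big_r_i)),
        "Auth3": tag(x_snj, r_gs, enc(big_r_j)),
    }
    sk_user = h(enc(pow(big_r_j, r_i, P)))  # computed by U_i
    sk_node = h(enc(pow(big_r_i, r_j, P)))  # computed by SN_j
    return transcript, sk_user, sk_node


def derivable_after_capture(transcript: dict, x_snj: bytes) -> list:
    """Session-key candidates computable from a recorded transcript plus X_SNj."""
    r_gs = transcript["R_GS"]
    if "C_i" in transcript:                 # Design A: unmasking needs only X_SNj
        r_i = xor(transcript["C_i"], h(x_snj, r_gs, b"U"))
        r_j = xor(transcript["C_j"], h(x_snj, r_gs, b"S"))
        return [h(r_i, r_j)]
    # Design B: X_SNj verifies the tags but yields no exponent; only the public
    # values remain, and hashing them does not reproduce h(g^(r_i * r_j)).
    return [h(transcript["R_i"], transcript["R_j"]),
            h(transcript["R_j"], transcript["R_i"])]


def past_key_exposed(transcript: dict, x_snj: bytes, session_key: bytes) -> bool:
    """True if a past SK follows from the transcript and the captured node key."""
    return any(hmac.compare_digest(candidate, session_key)
               for candidate in derivable_after_capture(transcript, x_snj))


if __name__ == "__main__":
    x_snj = secrets.token_bytes(32)         # constructed node key
    t_a, sk_a = masked_session(x_snj)
    t_b, sk_b, _ = dh_session(x_snj)
    print("masked design exposed:", past_key_exposed(t_a, x_snj, sk_a))
    print("DH design exposed    :", past_key_exposed(t_b, x_snj, sk_b))
```

A `True` result is a concrete forward-secrecy failure; a `False` result only means these derivations fail and is not a security proof.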
Type III to Type V in Table 4 represent the scenarios where the adversary with $X_{SN_j}$ compromises the security of users. Both Type III and Type IV can be regarded as a user impersonation attack. In Type III, the adversary gets the victim’s fixed unique secret parameter $FUSP_{G/U}$ ($X_{U_i}$ in Fig. 3) to impersonate $U_i$, due to the insecure transmission (such as the “XOR” operation) of user unique secret parameters. In Type IV, the adversary who holds $X_{SN_j}$, additionally gets the data stored in a victim’s smart card (and the biometric), and can enumerate the items in the space of passwords and identities, is able to obtain users’ passwords, and then acts as $U_i$ to engage in the conversations. This attack is an outcome of no (or incorrect) public-key algorithm deployment. Its failure reason is the same as that of offline dictionary attacks [12].
If the adversary $\mathcal{A}$ cannot impersonate the user, then she may try to break the victim's privacy, and this is the situation in Type V. It contains two cases. In the first case, $\mathcal{A}$ can trace users' activities, but cannot compute their identities. It usually occurs in a temporary-certificate-based authentication protocol where $\mathcal{A}$ can trace the victim by manipulating the broken sensor node to seek the link parameter, such as $TID_i$ in [37]. In the second case, $\mathcal{A}$ can compute users' identities $ID_i$ successfully, because they are transmitted with simple "XOR" operation or designed to be known to sensor nodes (e.g., simply transmit $ID_i$ to sensor nodes in plaintext), and we call this flaw an unreasonable design intent.
TABLE 4
A Taxonomy of Node Capture Attacks (note 1)
1: In this table, we assume the adversary has broken the sensor node $SN_j$; $U_i$ is a legitimate user and willing to collude with $\mathcal{A}$, as well as a victim that $\mathcal{A}$ tries to attack. $SN_m$ ($m \neq j$) denotes the sensor nodes that $\mathcal{A}$ attempts to attack.
C6', C3' and C1' are each a part of the capabilities C6, C3 and C1, respectively. C6': here we want to emphasize that $\mathcal{A}$ acts as $SN_j$ to actively participate in the communication. C3': here C3' refers to $\mathcal{A}$ extracting the data in $U_i$'s card (and getting the biometrics). C1': here C1' refers to $\mathcal{A}$ modifying and sending messages to the participants (U/SN/GWN). Since C4 and C5 have no influence on the classification, they are not listed.
: The capability is not required. @: the capability is required. D: whether the capability is required depends on specific attack scenario.
2: As shown in Fig. 4, it describes the status of the affected entity with the increase in the number of attacks.
3: It usually happens in the model (b) of Fig. 5.
4: It usually happens in the model (c) of Fig. 5.
2. Since it is easier to understand the attack scale with specific examples, we explain it in Section 4.
In Type VI to Type VIII in Table 4, once the adversary $\mathcal{A}$ compromises the sensor node $SN_j$ and gets $X_{SN_j}$, she can also compromise other sensor nodes $SN_m$ ($m \neq j$) in different ways. In Type VI, $\mathcal{A}$ with $X_{SN_j}$ exploits the insecure transmission or distribution of the private key of sensor nodes $SN_m$ ($m \neq j$) to obtain the private key and impersonate $SN_m$. In Type VII, due to the insecure transmission of users' unique secret parameters and GWN's failure in authenticating SN (usually happening in the communication model (b) of Fig. 5), $\mathcal{A}$ with $X_{SN_j}$ can then impersonate $SN_m$ to users. In Type VIII, since the users' login requests are first sent to sensor nodes without explicitly designating the target sensor node $SN_m$ (usually happening in the communication model (c) of Fig. 5), the adversary with $X_{SN_j}$ can intercept the login request sent to $SN_m$, and act as $SN_j$ to respond to the request following the process of the original protocol without being noticed by users. After this attack, the users think a session key is agreed with $SN_m$, but it is actually agreed with $SN_j$ (i.e., the adversary). Among the three attacks, we say that only Type VI, where the adversary becomes $SN_m$, achieves complete impersonation. $\mathcal{A}$ in Type VII and VIII tries to disguise as much as possible to deceive $U_i$ and GWN, so only achieves incomplete impersonation.
In Type IX, the adversary who registers as or colludes with a legitimate $U_i$ and exploits the weakness in the insecure transmission of GWN's long-term secret key can get the secret key. This makes the whole system completely insecure, because GWN's long-term secret key is employed to compute all secret information of users and sensor nodes.
The last attack, Type X, is very common in authentication schemes based on our analysis, but it receives little notice. In Type X, the adversary $\mathcal{A}$ with $X_{SN_j}$ can modify session keys between users and sensor nodes. Furthermore, it is a progressive attack. If $U_i$ fails to verify the part of SK controlled by $SN_j$, i.e., $CP_{SK/S}$, then $\mathcal{A}$ with $SN_j$'s private key can tamper with the response message from $SN_j$/GWN to users (i.e., message $M_4$ in Fig. 3), and make legitimate participants (i.e., all users and $SN_j$) unable to share the same session key, while the participants still authenticate each other successfully. If, besides the problem above, the part of SK controlled by $U_i$ ($CP_{SK/U}$) is also transmitted insecurely, then $\mathcal{A}$ can modify session keys between $U_i$ and all sensor nodes. Type X not only causes usability problems where legitimate parties cannot share the same session key and thus cannot correctly decrypt their interaction messages, but also enables the adversary to compute the same session key as $U_i$.
4 EXAMPLES OF THE TEN TYPES OF NODE CAPTURE ATTACKS
To better understand the ten different types of attacks in Table 4, we explain them in detail by using several typical user authentication protocols for WSNs. Note that, to save space, we do not review the original protocols, and we retain the symbols and notations of the original protocols even though they are not the same as those in Table 1.
4.1 Node Capture Attack Type I
Type I depicts a practical attack where the adversary with the private key $X_{SN_j}$ of sensor node $SN_j$ can compute the session keys between $SN_j$ and all users. The attack cause of Type I is the same as that of forward secrecy. This section uses Kumari et al.'s scheme [2] to explain this attack.
Adversary's Capability:
(1) "C1". Eavesdrop the message between GWN and $SN_j$ in authentication phase to get $\{A5_i, A6_i, C2_i\}$.
(2) "C6". Get $SN_j$'s private key $SIX_k$.
Attack Target: session key.
Attack Consequence: compute $SN_j$'s previous session keys.
Attack Steps:
Step 1. Compute $(R^U_i \| R^G_j \| TS2_i) = A5_i \oplus SIX_k$.
Step 2. Compute $A1_i = A6_i \oplus h(SID_k \| h(R^G_j) \| R^U_i)$.
Step 3. Compute $(R^S_k \| TS3_i) = C2_i \oplus R^G_j$.
Step 4. Compute $SK_i = h(A1_i \| R^U_i \| R^G_j \| R^S_k)$.
Time Complexity: $O(3T_H)$, where $T_H$ denotes the running time of hash operation. Some lightweight operations like XOR and $\|$ are omitted.
The Scale of the Attack: (a)→(c) as shown in Fig. 4. In the beginning, the adversary $\mathcal{A}$ compromises the sensor node $SN_1$ (marked in red circle as shown in (a) of Fig. 4), then exploits messages among GWN, $SN_1$ and $U_1$; $\mathcal{A}$ can compute previous session keys between $U_1$ and $SN_1$ as above. Similarly, $\mathcal{A}$ can compute previous session keys between $U_2$ and $SN_1$. When the number of the attacks is large enough, $\mathcal{A}$ can compute previous session keys between $SN_1$ and all users as shown in (c) of Fig. 4.
Fig. 4. The scale of attacks. We use the attack diagram to show the affected parties and sessions. Those marked in red circle represent that some of its parameters have been obtained by the adversary. The affected sessions are marked by a blue line.
4.2 Node Capture Attack Type II
As we mentioned above, the issue of forward secrecy and inappropriate distribution of sensor nodes' private keys result in Type II. In this section, we take Fan et al.'s scheme [29] as an example to describe node capture attack Type II. Note that all sensor nodes and the gateway share the same secret parameter $S_k$ in Fan et al.'s scheme [29].
Adversary's Capability:
(1) "C1". Eavesdrop the message between GWN and $SN_j$ in authentication phase to get $K$.
(2) "C6". Get $SN_j$'s private key $S_k$.
Attack Target: session key.
Attack Consequence: compute previous session keys between all sensor nodes and all users.
Attack Steps:
Step 1. Compute $Key = h(S_k \| K)$.
Time Complexity: $O(T_H)$.
The Scale of the Attack: (a)→(i)→(d) as shown in Fig. 4. In the beginning, the adversary $\mathcal{A}$ gets $SN_1$'s private key (marked in red circle as shown in (a) of Fig. 4), then exploits messages among GWN, $SN_1$ and $U_1$; $\mathcal{A}$ can compute session keys between $U_1$ and $SN_1$ as above. Since $\mathcal{A}$ also gets all SN's private key in the first attack, $\mathcal{A}$ then can compute session keys between $U$ and $SN_1$ as shown in (i) of Fig. 4. When the number of the attacks is large enough, $\mathcal{A}$ can compute previous session keys between all users and all sensor nodes as shown in (d) of Fig. 4.
From the above attacks, we can see that securely distributing the private key of the sensor nodes is fundamental to the whole security, and it also decides the authentication process. Inappropriate private key distribution can cause sensor node impersonation and session key leakage.
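
The effect of key distribution on the scale of a capture can be measured with a small simulation that compares a network-wide shared node key with the per-node key $h(ID_{SN_j} \| x)$ that Section 5 of the paper recommends. This is an added example, not code from the paper or from any analysed scheme: the session-key rule follows Step 1 above, while SHA-256 as $h$, reading $x$ as the gateway's long-term secret, the node names and all helper names are assumptions.

```python
import hashlib
import secrets


def h(*parts: bytes) -> bytes:
    """h(a || b || ...) as SHA-256; parts are length-prefixed so the
    concatenation is unambiguous (an implementation choice)."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


class Gateway:
    """Simplified GWN. per_node_keys=False models one key S_k shared by all
    nodes; per_node_keys=True derives each node key as h(ID_SNj || x)."""

    def __init__(self, per_node_keys: bool):
        self.per_node_keys = per_node_keys
        self.x = secrets.token_bytes(32)    # assumed: GWN long-term secret
        self.s_k = secrets.token_bytes(32)  # network-wide shared node key

    def node_key(self, node_id: bytes) -> bytes:
        # Derived on demand: the GWN keeps x only, not a table of node keys.
        return h(node_id, self.x) if self.per_node_keys else self.s_k

    def run_session(self, node_id: bytes):
        """Return (what an eavesdropper records, the real session key)."""
        k_public = secrets.token_bytes(16)                  # K, seen on the wire
        session_key = h(self.node_key(node_id), k_public)   # Key = h(key || K)
        return {"node": node_id, "K": k_public}, session_key


def sessions_exposed_by_capture(per_node_keys: bool,
                                captured: bytes = b"SN1",
                                nodes=(b"SN1", b"SN2", b"SN3"),
                                sessions_per_node: int = 4) -> dict:
    """Count, per node, the recorded sessions whose key can be recomputed
    from the captured node's key and the recorded K values alone."""
    gw = Gateway(per_node_keys)
    recorded = [gw.run_session(n) for n in nodes for _ in range(sessions_per_node)]
    leaked = gw.node_key(captured)  # what capability C6 yields for one node
    exposed = {}
    for wire, real_key in recorded:
        if h(leaked, wire["K"]) == real_key:
            exposed[wire["node"]] = exposed.get(wire["node"], 0) + 1
    return exposed


if __name__ == "__main__":
    # Constructed scenario: three nodes, four recorded sessions each.
    print("shared S_k     :", sessions_exposed_by_capture(per_node_keys=False))
    print("h(ID_SNj || x) :", sessions_exposed_by_capture(per_node_keys=True))
```

With per-node keys the exposure shrinks to the captured node's own recorded sessions, which is the Type I case; removing that as well is a forward secrecy question that key distribution alone does not settle.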
4.3 Node Capture Attack Type III
Type III utilizes the vulnerability of insecure transmission of user's fixed unique secret parameter $FUSP_{G/U}$ to obtain the necessary information to impersonate the user. This section introduces Type III via Li et al.'s scheme [34] as follows:
Adversary's Capability:
(1) "C1". Eavesdrop the authentication message between GWN and $SN_j$ to get $M_8$ and $M_9$, and the message between GWN and $U_i$ to get $M_{14}$ in the session of $SN_j$.
(2) "C6". Get $SN_j$'s secret key $K_{GWNS}$.
Attack Target: the users.
Attack Consequence: get $FUSP_{G/U}$ to impersonate $U_i$.
Attack Steps:
Step 1. Compute $ID_i = M_8 \oplus K_{GWNS}$.
Step 2. Compute $r_g = h(ID_i \| K_{GWNS} \oplus M_9)$.
Step 3. Compute $M_1 = M_{14} \oplus r_g$. Once $\mathcal{A}$ acquires $M_1$, she has the ability to forge the message sent by $U_i$ to spoof GWN and sensor nodes as follows:
Step 4. Generate $r^A_i$ and $s_A$.
Step 5. Compute $M^A_2 = s_A P$.
Step 6. Compute $M^A_3 = s_A X$; note that $X$ is a public parameter and can be easily obtained.
Step 7. Compute $M^A_4 = ID_i \oplus M^A_3$.
Step 8. Compute $M^A_5 = M_1 \oplus r^A_i$.
Step 9. Compute $M^A_6 = h(ID_i \| r^A_i) \oplus SID_m$ ($m$ can be any valid number).
Step 10. Compute $M^A_7 = h(M_1 \| SID_m \| M^A_3 \| r^A_i)$.
Step 11. Send $\{M^A_2, M^A_4, M^A_5, M^A_6, M^A_7\}$; then GWN and $SN_m$ will believe the legitimacy of $\mathcal{A}$ and they will build a shared session key successfully. The following procedures are similar to the original scheme.
Time Complexity: near to a legitimate user.
The Scale of the Attack: (a)→(b)→(e)→(f) as shown in Fig. 4. In the beginning, the adversary $\mathcal{A}$ gets $SN_1$'s private key (marked in red circle as shown in (a) of Fig. 4), then exploits messages among GWN, $SN_1$ and $U_1$; $\mathcal{A}$ can compute $U_1$'s $FUSP_{G/U}$ as above (marked in red circle as shown in (b) of Fig. 4). Similarly, $\mathcal{A}$ can get $U_2$'s $FUSP_{G/U}$. With the increase in number of the attacks, $\mathcal{A}$ can get all users' $FUSP_{G/U}$ as above (shown in (e) of Fig. 4). With users' $FUSP_{G/U}$, $\mathcal{A}$ finally can impersonate all users to all sensor nodes, as shown in (f) of Fig. 4.
4.4 Node Capture Attack Type IV
Type IV is a complete impersonation where $\mathcal{A}$ with the private key of $SN_j$ can get the victim's password and identity via offline dictionary attacks. Generally, offline dictionary attacks occur when $\mathcal{A}$ can find a verification parameter $VP$ to test the correctness of a guessed value, and they are among the most common attacks in user authentication schemes. Though, as we mentioned in Sec. 1, Wang et al. [52] introduce the public-key technique to resist offline dictionary attacks, the situation in WSNs is a little bit different, since $\mathcal{A}$ can obtain some sensor nodes' private keys to gain many advantages in conducting such an attack. Furthermore, when analyzing offline dictionary attacks, most protocol designers focus on the first two message flows, while paying little attention to subsequent flows sent by the gateway. This explains why such an attack is ignored by Jiang et al. [30] even though they already know the way to apply a public-key algorithm to withstand this attack (footnote 3).
Fig. 5. Communication models of user authentication schemes for WSNs [6].
Adversary's Capability:
(1) "C1". Intercept the message between GWN and $SN_j$ to get $M_5$, $M_7$, $T_2$ in authentication phase.
(2) "C2". Offline enumerate all items in the space of password and identity.
(3) "C3". Obtain biometrics $fng_i$ and $f_i$ in smart card.
(4) "C6". Get $SN_j$'s private key $X_j$.
Attack Target: the users.
Attack Consequence: compute the password of $U_i$, then further impersonate $U_i$.
Attack Steps:
Step 1. Guess $PW_i$ to be $PW^*_i$ and $ID_i$ to be $ID^*_i$.
Step 2. Compute $K^*_i = M_5 \oplus h(ID^*_i \| ID_j \| X_j \| T_2)$.
Step 3. Compute $K'_j = M_7 \oplus K^*_i$.
Step 4. Compute $SK = h(ID^*_i \| ID_j \| K^*_i \| K'_j)$.
Step 5. Compute $B^*_i = BH(r_i, fng_i)$.
Step 6. Compute $d^*_i = f_i \oplus h(ID^*_i \| PW^*_i \| B^*_i)$.
Step 7. Compute $M^*_8 = h(SK \| ID^*_i \| d^*_i \| K_j)$.
Step 8. Verify $PW^*_i$ and $ID^*_i$ by checking if $M^*_8 \stackrel{?}{=} M_8$.
Step 9. Repeat Steps 1 to 8 until the correct values of $PW_i$ and $ID_i$ are found.
Time Complexity: $O(|D_{pw}| \cdot |D_{id}| \cdot (4T_H + T_B))$, where $T_B$ is the time for biometric-specific operation.
The Scale of the Attack: (a)→(b)→(e)→(f) as shown in Fig. 4. The attack evolution is similar to that of Type III.
4.5 Node Capture Attack Type V
Type V contains two kinds of basic attacks: (1) tracking users, or (2) computing users' identities. Normally, three conditions lead to this attack. 1) $\mathcal{A}$ with $SN_j$'s private key may exploit the protocol's unreasonable design intent to get users' identity, such as Li et al.'s scheme [34] where SN is designed to get $ID_i$. 2) $\mathcal{A}$ also may make use of the vulnerability in a temporary-certificate-based scheme to track users, such as Wu et al.'s scheme [37], where $\mathcal{A}$ can compute $TID^{new}_i$ via eavesdropped $D_{10}$, $T_4$ and computed $r_u$. Once with $TID^{new}_i$, $\mathcal{A}$ is able to track $U_i$'s next message to learn users' habits and preferences for business purpose. A limitation in the attack on Wu et al.'s scheme is that $\mathcal{A}$ can only trace activities of $U_i$ just after $U_i$ interacts with $SN_j$. 3) $\mathcal{A}$ can exploit the insecure transmission of user identity to compute the victim's identity, and we take Amin et al.'s scheme [38] to explain this attack as follows:
Adversary's Capability:
(1) "C1". Eavesdrop the message between GWN and $SN_j$ to get $\{N_j, SS_j, V_j, T_2\}$ and $K_{ij}$, and the message between GWN and $U_i$ to get $M_2$ during the authentication phase.
(2) "C6". Get $SN_j$'s private key $f_j$.
Attack Target: the users.
Attack Consequence: compute $U_i$'s identity $ID_i$.
Attack Steps:
Step 1. Compute $h(ID_i) = SS_j \oplus h(f_j \| T_2)$.
Step 2. Compute $K'_i = V_j \oplus h(ID_i)$.
Step 3. Compute $K'_j = K_{ij} \oplus K'_i$.
Step 4. Compute $SK = h(h(ID_i) \| SID_j \| K'_i \| K'_j)$.
Step 5. Compute $ID_i = M_2 \oplus h(SK \| K_i)$.
Time Complexity: $O(4T_H)$.
The Scale of the Attack: (a)→(b)→(e) as shown in Fig. 4. In the beginning, the adversary $\mathcal{A}$ gets $SN_1$'s private key (marked in red circle as shown in (a) of Fig. 4), then exploits messages among GWN, $SN_1$ and $U_1$; $\mathcal{A}$ can compute $U_1$'s identity as above, as shown in (b) of Fig. 4. Similarly, $\mathcal{A}$ can get $U_2$'s identity. When the number of the attacks is large enough, $\mathcal{A}$ can get all users' identity as shown in (e) of Fig. 4.
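
The identity exposure above comes from masking $ID_i$ under a value the sensor node can derive, whereas Section 5 of the paper recommends the form $ID \oplus h(TUSP_{G/U} \| *)$ with $TUSP_{G/U}$ built by a public-key technique. The sketch below contrasts the two; it is an added example, not code from the paper or from any analysed scheme, and it assumes SHA-256 as $h$, a toy Diffie-Hellman group standing in for ECC, a single node-side secret as a simplification of the values the node can compute, and hypothetical message fields `R` and `DID`.

```python
import hashlib
import secrets

P = 2**521 - 1   # toy Diffie-Hellman modulus (a Mersenne prime); illustration only
G = 3            # toy generator
ID_LEN = 32      # identities are padded to the hash length before masking


def h(*parts: bytes) -> bytes:
    """h(a || b || ...) as SHA-256 with length-prefixed parts."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def int_bytes(n: int) -> bytes:
    return n.to_bytes(66, "big")  # 521 bits fit in 66 bytes


def pad_id(user_id: bytes) -> bytes:
    if len(user_id) > ID_LEN or user_id.endswith(b"\0"):
        raise ValueError("identity too long or ends with NUL")
    return user_id.ljust(ID_LEN, b"\0")


class Gateway:
    def __init__(self):
        self.x_gwn = secrets.randbelow(P - 2) + 1  # private key, stays at GWN
        self.y_gwn = pow(G, self.x_gwn, P)         # public key, known to users

    def recover_id(self, msg: dict) -> bytes:
        tusp = pow(msg["R"], self.x_gwn, P)        # same value the user derived
        mask = h(int_bytes(tusp), int_bytes(msg["R"]))
        return xor(msg["DID"], mask).rstrip(b"\0")


def login_node_derivable_mask(user_id: bytes, node_side_secret: bytes) -> dict:
    """Flawed form: the mask depends only on material a sensor node holds."""
    return {"DID": xor(pad_id(user_id), h(node_side_secret))}


def login_tusp_mask(user_id: bytes, y_gwn: int) -> dict:
    """Recommended form: DID = ID xor h(TUSP || R), TUSP from a fresh exchange."""
    r = secrets.randbelow(P - 2) + 1
    big_r = pow(G, r, P)
    tusp = pow(y_gwn, r, P)  # computable only by the user and the GWN
    return {"R": big_r, "DID": xor(pad_id(user_id), h(int_bytes(tusp), int_bytes(big_r)))}


def unmask_with_node_secret(msg: dict, node_side_secret: bytes) -> bytes:
    """What a holder of the node-side secret gets by stripping its mask."""
    return xor(msg["DID"], h(node_side_secret)).rstrip(b"\0")


if __name__ == "__main__":
    node_secret = b"constructed-node-side-secret"  # constructed sample value
    uid = b"user-0001"                             # constructed sample identity
    gw = Gateway()
    weak = login_node_derivable_mask(uid, node_secret)
    strong = login_tusp_mask(uid, gw.y_gwn)
    print("node secret unmasks weak form  :", unmask_with_node_secret(weak, node_secret) == uid)
    print("node secret unmasks TUSP form  :", unmask_with_node_secret(strong, node_secret) == uid)
    print("gateway recovers identity      :", gw.recover_id(strong) == uid)
```

Because the exchange value is fresh in every login, two logins by the same user also carry different `DID` values, so the masked identity does not serve as a link parameter.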
4.6 Node Capture Attack Type VI
Type VI depicts an attack where the adversary with $SN_j$'s private key $X_{SN_j}$ can acquire that of $SN_m$ ($m \neq j$). Two situations will result in this attack: (1) the inappropriate distribution of SN's private key; (2) the insecure transmission of SN's private key. We take Fan et al.'s scheme to show the first situation. In Fan et al.'s scheme, since all the sensor nodes share the same private key, once $\mathcal{A}$ compromises $SN_j$ to get $S_k$, the private key of $SN_m$ is exposed too. Then $\mathcal{A}$ can impersonate all sensor nodes with $S_k$.
We take Dhillon et al.'s scheme [41] as an example to show the second situation, where $\mathcal{A}$ can learn $SN_m$'s private key due to the insecure transmission of the key:
Adversary's Capability:
(1) "C1". Eavesdrop the message between GWN and $SN_m$ to get $A_m$, $e_m$ and $TS_2$, and the message between $U_i$ and GWN to get $TS_1$ in the session of $SN_m$ ($m \neq j$).
(2) "C6". Get $SN_j$'s private key $X_{gn}$; note that $X_{gn}$ is a shared secret between GWN and SN.
Attack Target: sensor node.
Attack Consequence: get $SN_m$'s private key.
Attack Steps:
Step 1. Compute $y_m = A_m \oplus H(X_{gn} \| TS_1 \| TS_2)$.
Step 2. Compute $x_m = y_m \oplus e_m$; note that $x_m$ is a private key for $SN_m$, thus now $\mathcal{A}$ can impersonate $SN_m$. Since the interaction processes are the same as in the original scheme, we omit them here.
Time Complexity: $O(4T_H)$ for getting $SN_m$'s private key.
The Scale of the Attack: (a)→(i)→(d) as shown in Fig. 4. In the beginning, the adversary $\mathcal{A}$ compromises the sensor node $SN_1$ (marked in red circle as shown in (a) of Fig. 4), then exploits messages among $SN_2$, $U$ and GWN to get the private key of $SN_2$ as above. With $SN_2$'s private key, $\mathcal{A}$ can impersonate $SN_2$ to all users, as shown in (i) of Fig. 4. After enough interactions, $\mathcal{A}$ can get all sensor nodes' private keys and impersonate any sensor nodes to any users, as shown in (d) of Fig. 4.
4.7 Node Capture Attack Type VII
Type VII presents an impersonation attack where the adversary with $SN_j$'s private key gets $U$'s unique secret parameter, and then exploits GWN's inefficient authentication to SN to impersonate $SN_m$ ($m \neq j$). It usually occurs in the communication model (b) of Fig. 5. Type VI and Type VII both are about impersonating a sensor node; while Type VI is the complete impersonation, Type VII is an elaborate camouflage, i.e., "Incomplete Impersonation". We take Kumari et al.'s scheme [42] as an example to explain this attack:
3. They transmit user-chosen random number $K_i$ to GWN via a public-key encryption algorithm, so that $\mathcal{A}$ cannot conduct offline dictionary attacks using $M_2$ ($= h(d_i \| L_i \| K_i \| T_1)$).
Adversary's Capability:
(1) "C1". Eavesdrop $D_{g1}$ in the session between GWN and $SN_j$. Furthermore, $\mathcal{A}$ joins the session actively, intercepts and modifies messages among participants.
(2) "C6". Get $SN_j$'s private key $TC_j$.
Attack Target: sensor node.
Attack Consequence: get $U_i$'s unique secret parameters, then impersonate $SN_m$ ($m \neq j$) to $U_i$.
Attack Steps:
Step 1. Compute $h(ID_i \| h(Q_i)) = D_{g1} \oplus h(TC_j)$.
Step 2. Intercept message to $SN_m$: $\{D^m_{g1}, D^m_{g2}, C^m_g, T^m_g\}$; note that this session is among $U_i$, $SN_m$ and GWN.
Step 3. Compute $I_3 = D^m_{g1} \oplus D^m_{g2} \oplus h(ID_i \| h(Q_i))$.
Step 4. Select a random number $K^A_s$, compute $S^A_1 = T_{K^A_s}[h(ID_i \| h(Q_i))] \bmod p$.
Step 5. Compute $SK^A_{su} = T_{K^A_s}(I_3) \bmod p$.
Step 6. Compute $S^A_2 = h(SK^A_{su} \| h(ID_i \| h(Q_i)) \| T^A_s)$, where $T^A_s$ is a timestamp.
Step 7. Send $\{S^A_1, S^A_2, T^A_s\}$ to $U_i$; then according to the protocol, $U_i$ will authenticate $\mathcal{A}$ successfully and share session key $SK_{us}$ with $\mathcal{A}$.
Time Complexity: close to legitimate $SN_m$.
The Scale of the Attack: (a)→(b)→(e)→(f) as shown in Fig. 4. In the beginning, $\mathcal{A}$ compromises the sensor node $SN_1$ (marked in red circle as shown in (a) of Fig. 4), then exploits messages among $U_1$, $SN_1$ and GWN to get $U_1$'s $FUSP_{G/U}$ (marked in red circle as shown in (b) of Fig. 4) as above. Similarly, $\mathcal{A}$ can get $U_2$'s $FUSP_{G/U}$. When the number of the attacks is large enough, $\mathcal{A}$ can get all users' $FUSP_{G/U}$ as shown in (e) of Fig. 4, and then impersonate any sensor nodes to communicate with any users as shown in (f) of Fig. 4.
Note that Type VI and Type VII have an obvious difference in attack consequence: after an attack of Type VII, $\mathcal{A}$ can impersonate all sensor nodes to $U_i$, and after an attack in Section 4.6 (Type VI), $\mathcal{A}$ can impersonate $SN_m$ to all users.
4.8 Node Capture Attack Type VIII
Type VIII usually happens where the user's login request is first sent to a sensor node rather than the gateway, such as in model (c) of Fig. 5. In this case, if the request does not clearly designate the target sensor node, $\mathcal{A}$ can intercept it and then carry out an impersonation attack. A similar attack can be found in Shi et al.'s scheme [53] criticized by Choi et al. [36]. In this section, we introduce node capture attack Type VIII via Farash et al.'s scheme [45].
Adversary's Capability:
(1) "C1". Intercept messages and send messages to GWN.
(2) "C6". Control $SN_j$, i.e., $\mathcal{A}$ gets $x_j$, $h(X_{GWN} \| 1)$ and joins the communication among $U_i$, $SN_m$ and GWN actively.
Attack Target: sensor node.
Attack Consequence: impersonate $SN_m$.
Attack Steps:
Step 1. Intercept $\{M_1, M_2, M_3, T_1\}$ from $U_i$ to $SN_m$; note that this session is among $U_i$, $SN_m$ and GWN.
Step 2. Compute $ESID^A_j = SID^A_j \oplus h(h(X_{GWN} \| 1) \| T^A_2)$.
Step 3. Select $K^A_j$, compute $M^A_4 = h(x_j \| T^A_1 \| T^A_2) \oplus K^A_j$, $M^A_5 = h(SID^A_j \| M^A_4 \| T^A_1 \| T^A_2 \| K^A_j)$.
Step 4. Send GWN $\{M_1, M_2, M_3, T_1, T^A_2, ESID^A_j, M^A_4, M^A_5\}$.
Step 5. GWN responds with $\{M_6, M_7, M_8, M_9, T_3\}$ to $SN_j$ (i.e., the adversary); $\mathcal{A}$ computes $K^A_i = M_7 \oplus h(x_j \| T_3)$, $SK^A = (K^A_i \oplus K^A_j)$, $M^A_{10} = h(SK^A \| M_6 \| M_8 \| T_3 \| T^A_4)$, and sends $\{M_6, M_8, M^A_{10}, T_3, T^A_4\}$ to $U_i$.
Step 6. $U_i$ will authenticate $\mathcal{A}$ successfully, that is, $U_i$ thinks that she shares the session key with $SN_m$, while actually sharing it with $SN_j$ (i.e., the adversary).
Time Complexity: close to a legitimate sensor node.
The Scale of the Attack: (a)→(j)→(g) as shown in Fig. 4. In the beginning, $\mathcal{A}$ compromises the sensor node $SN_1$ (marked in red circle as shown in (a) of Fig. 4), then exploits messages among $U_1$, $SN_2$ and GWN to impersonate $SN_2$ as above. Similarly, $\mathcal{A}$ can impersonate $SN_2$ to all users as shown in (j) of Fig. 4. When the number of the attacks is large enough, $\mathcal{A}$ can impersonate any sensor nodes to any users, as shown in (g) of Fig. 4.
4.9 Node Capture Attack Type IX
In Type IX, the adversary $\mathcal{A}$ exploits the insecure transmission or distribution of GWN's long-term secret key to obtain the secret key. In this section, we show the details of Type IX via analysis of Das et al.'s scheme [49]:
Adversary's Capability:
(1) "C6". Get $SN_j$'s private key $MK_{CH_j}$.
(2) "C7". Register as a legitimate user $U_i$.
Attack Target: the gateway.
Attack Consequence: get GWN's long-term secret key.
Attack Steps: note that $K_j = E_{MK_{CH_j}}(ID_i \| ID_{CH_j} \| X_s)$ is a special parameter related to GWN and $SN_j$ and stored in $U_i$'s smart card, where $X_s$ is GWN's long-term secret key and $MK_{CH_j}$ is $SN_j$'s private key. Once $\mathcal{A}$ colludes with $U_i$ or registers as a legitimate user $U_i$ and gets $K_j$ from $U_i$'s smart card, $\mathcal{A}$ can obtain $X_s$ via decrypting $K_j$ with $MK_{CH_j}$.
Time Complexity: $O(T_S)$, where $T_S$ is the operation time for symmetric encryption and decryption.
The Scale of the Attack: (a)→(h) as shown in Fig. 4. In the beginning, $\mathcal{A}$ compromises the sensor node $SN_1$ (marked in red circle as shown in (a) of Fig. 4), then exploits $U_1$'s smart card to get GWN's long-term secret key as above. After the first attack, $\mathcal{A}$ can obtain all unique secret parameters of $U$ and SN, because their secret parameters are computed via this secret key. Thus, all participants and sessions are affected, as shown in (h) of Fig. 4.
4.10 Node Capture Attack Type X
In Type X, the adversary $\mathcal{A}$ with $X_{SN_j}$ can modify the session key between $U$ and $SN_j$ (or $SN_m$) without being noticed by any participants. After the attack, $U$ and $SN_j$ (or $SN_m$) do not share the same session key and $\mathcal{A}$ can compute the same session key as $U$. But the authentication is finished successfully. Generally, this attack includes two situations:
(1) $\mathcal{A}$ can modify session keys between $U$ and compromised sensor node $SN_j$ due to users' ineffective verification of $CP_{SK/S}$. Taking Amin et al.'s scheme [50] as an example, the last message of this scheme can be modified by $\mathcal{A}$ as $\{M^A_8, M^A_9, M^A_{10}, M^A_{11}\}$, where
$M^A_8 = h(R^A_2) \oplus R^A_3$,
$M^A_9 = M_9 \oplus R_2 \oplus R^A_2$,
$SK^A = h(M'_6 \| R^A_2 \| R^A_3)$,
$M^A_{10} = h(ID_i \| SK^A \| R^A_3)$,
$M^A_{11} = M_{11} \oplus h(R_2 \oplus R_3) \oplus h(R^A_2 \oplus R^A_3)$.
Note that $ID_i$ can be viewed as a known value to $\mathcal{A}$, $R_2 = M_5 \oplus h(SK_{GWSN_j})$ ($SK_{GWSN_j}$ is $SN_j$'s private key) and $R_3 = M_8 \oplus R_2$. In this way, the authentication is finished successfully, yet $U_i$ and $SN_j$ do not share the same session key.
The scale of the attack is (a)→(c) as shown in Fig. 4. In the beginning, the adversary $\mathcal{A}$ compromises sensor node $SN_1$ (marked in red circle as shown in (a)), and makes $SN_1$ and $U_1$ share different session keys as above. Similarly, $\mathcal{A}$ then can modify session keys between $SN_1$ and $U_2$. When the number of the attacks is large enough, $\mathcal{A}$ can modify session keys between all users and $SN_1$ as shown in (c).
(2) In addition to the problems in the first case, if $CP_{SK/U}$ is transmitted insecurely too, the second situation occurs, where $\mathcal{A}$ can modify all session keys between $U$ and SN so that participants cannot share the same session keys, though the authentication is finished successfully. We use Amin et al.'s scheme [38] to show the attack:
Adversary's Capability:
(1) "C1". Eavesdrop $SS_j$ and $T_2$ from the message between $SN_j$ and GWN, intercept and send messages to GWN.
(2) "C6". Get $SN_j$'s secret key $f_j$.
Attack Consequence: modify the session key without being noticed ($U_i$ and $SN_m$ ($m \neq j$) share a different session key), meanwhile the authentication is finished successfully, and $\mathcal{A}$ can compute the same session key as $U_i$.
Attack Steps:
Step 1. Compute $h(ID_i) = SS_j \oplus h(f_j \| T_2)$.
Step 2. Eavesdrop $V_m$ from GWN to $SN_m$ ($m \neq j$), compute $K_i = V_m \oplus h(ID_i)$.
Step 3. Intercept $\{M_1, K_{im}, T_4\}$ from GWN to $U_i$.
Step 4. Generate $K^A_m$ which has the same length as $K_m$.
Step 5. Compute $SK^A_m = h(h(ID_i) \| SID_m \| K_i \| K^A_m)$.
Step 6. Compute $K^A_{im} = K_i \oplus K^A_m$.
Step 7. Compute $M^A_1 = h(SK^A_m \| K^A_m \| T^A_4)$.
Step 8. Send $\{M^A_1, K^A_{im}, T^A_4\}$ to $U_i$; then $U_i$ will authenticate the message successfully.
Step 9. Intercept $\{M_2\}$ from $U_i$ to GWN.
Step 10. Compute $K_m = K_{im} \oplus K_i$.
Step 11. Compute $M^A_2 = M_2 \oplus h(h(h(ID_i) \| SID_m \| K_i \| K_m) \| K_i) \oplus h(SK^A_m \| K_i)$.
Step 12. Send $\{M^A_2\}$ to GWN. Finally, $U_i$ and $SN_m$ do not share the same session key, yet $U_i$ and $\mathcal{A}$ do.
Time Complexity: $O(6T_H)$.
The Scale of the Attack: (a)→(b)→(e)→(f) as shown in Fig. 4. In the beginning, the adversary $\mathcal{A}$ compromises $SN_1$ (marked in red circle as shown in (a) of Fig. 4) and gets some parameters of $U_1$ to modify the session key between $U_1$ and $SN_1$ as above, as shown in (b) of Fig. 4. Similarly, $\mathcal{A}$ can get $U_2$'s $h(ID_2)$ and modify the session key between $U_2$ and $SN_1$. With the increase in number of the attacks, $\mathcal{A}$ can get all users' useful parameters and modify session keys between all users and $SN_1$. When the number of the attacks is large enough, $\mathcal{A}$ finally can modify session keys between all users and all sensor nodes as shown in (f) of Fig. 4.
Note that, in the first situation, the adversary $\mathcal{A}$ can only modify session keys between compromised sensor node $SN_j$ and all users. In the second situation, $\mathcal{A}$ finally can modify session keys between all sensor nodes and all users.
5 SUGGESTIONS TO NODE CAPTURE ATTACKS
Sensor nodes are usually deployed in unattended environments, thus it is easy for an adversary to breach some sensor nodes and extract the data stored in them. Based on this reality, it is very important to ensure the security of the system after the sensor node is compromised. Much effort has been taken to design a secure scheme resisting such an attack, while most attempts failed. In this section, we summarize the rationales for node capture attacks and put forward some suggestions to avoid such attacks.
From the attack consequences of Table 4, the adversary can 1) compute session keys from Type I and II, 2) impersonate users from Type III and IV, 3) break user anonymity from Type V, 4) impersonate sensor nodes from Type VI, VII and VIII, 5) get the long-term secret key from Type IX, 6) modify session keys from Type X. Based on these six consequences, we figure out their causes from the vulnerabilities exploited in Table 4. With the six consequences and their causes, we draw the fishbone of node capture attacks, as shown in Fig. 6. It clarifies the causes of node capture attacks. Focusing on the causes listed in Fig. 6, five of them, namely insecure transmission of long-term secret key, insecure transmission of users' identity, insecure transmission of $FUSP_{G/U}$, insecure transmission of $CP_{SK/SN}$, and insecure transmission of SN's private key, can be concluded as insecure transmission of $FUSP_{G/U}$ or some parameters. Then the causes of node capture attacks listed in Fig. 6 can be summarized to eight aspects: unreasonable design intent, insecure communication architecture, inappropriate distribution of SN's private key, insecure transmission of $FUSP_{G/U}$ or some parameters, inefficient verification of SN or $CP_{SK/SN}$, the issue of forward secrecy, the issue of offline dictionary attacks and the issue of temporary certificate. Suggestions to these eight issues are as follows:
Fig. 6. The fishbone of node capture attacks.
971 unique secret parameter (FUSPG=Uand TUSPG=U)
972 cannot be known to sensor nodes, so do not let the
973 gateway send these parameters to sensor nodes.
Insecure Communication Architecture. From the viewpoint of node capture attacks, model (b) and model (c) of Fig. 5 are insecure: model (b) is likely to result in node capture attack Type VII as shown in Section 4.7. Model (c) is likely to result in node capture attack Type VIII as shown in Section 4.8. Furthermore, both model (b) and model (c) are bound to lead to node capture attack Type X. Following Wang et al.'s research [6], model (a) of Fig. 5 is recommended.
Inappropriate Distribution of SN's Private Key. The distribution of SN's private key is a basic factor in the security of the system. Looking back at Fan et al.'s scheme [29], it is very dangerous to have all sensor nodes share the same secret key. We recommend letting $h(ID_{SN_j} \| x)$ be SN's private key; this method has been accepted by most schemes [28], [30], [34], [54], [55]. In some schemes, such as Gope et al.'s [56], GWN assigns a random unique secret number to each SN as its private key. In this way, GWN must store the parameters related to the private keys of SN, which consumes more resources. Thus this method is not recommended.
Following this principle, the private key of sensor nodes in Fan et al.'s scheme [29] should be $h(ID_{SN_j} \| x)$ rather than a common shared key.
Insecure Transmission of Some Parameters, including the private key $X_{SN_j}$ of $SN_j$, unique secret parameters/identity $ID$ of users, and long-term secret key. The ways that the unique secret parameters are transmitted vary from one protocol design to another. It is difficult to generalize; some basic principles are as follows:
- Transmitting these parameters with "XOR" or symmetric encryption operation is dangerous, see Sections 4.3, 4.5, 4.6 and 4.9. We recommend protecting these parameters (denoted as $ImporPar$) in the form of $h(ImporPar \| *)$, where $*$ denotes any parameters. Particularly, when $ImporPar$ is $FUSP_{G/U}$, "$*$" has to include $TUSP_{G/U}$ (it is constructed by a public-key technique).
Following this principle, we can fix Li et al.'s scheme [34] by setting $M_5 = h(M_1 \| M_3) \oplus r_i$, $M_{14} = h(M_3 \| M_1) \oplus r_g$ and replacing all $ID_i$ in the parameters that GWN sends to $SN_j$ with $h(ID_i \| K_{GWNS})$, where $M_1$ is $FUSP_{G/U}$ and $M_5$ is $TUSP_{G/U}$. In this way, the adversary cannot follow the steps in Section 4.3 to extract $FUSP_{G/U}$, so this scheme can resist the attack Type III, IV, V and X.
- On some occasions, $ID$ and $X_{SN_j}$ need to be transmitted with the operation "XOR"; we recommend transmitting them in the form of $ID \oplus h(TUSP_{G/U} \| *)$ and $X_{SN_j} \oplus h(TUSP_{G/SN} \| *)$ (or $X_{SN_j} \oplus TUSP_{G/SN}$), respectively. Note that $TUSP_{G/U}$ is constructed by a public-key technique.
Following this principle, we can fix Li et al.'s scheme [57] by setting $DID_U = ID_U \oplus h(D_2 \| D_1)$, $D_3 = SN_{id} \oplus h(B_2 \| D_2)$, where $B_2$ is $FUSP_{G/U}$ and $D_2$ is $TUSP_{G/U}$. In this way, the adversary cannot extract $FUSP_{G/U}$, so this improved scheme is secure against the attack Type III and IV.
Inefficient Verification of SN or $CP_{SK/SN}$. It contains two aspects: 1) GWN fails to authenticate SN; 2) users fail to verify $CP_{SK/SN}$. For the first aspect, the first thing is to use a proper communication model. Then, do not rely merely on $X_{SN_j}$ to complete the authentication between $SN_j$ and GWN; a temporary challenge, such as RGS in Fig. 3, is necessary. Specifically, let $Auth_3$ contain at least $FUSP_{G/SN}$, $TUSP_{G/SN}$ and $CP_{SK/SN}$. This can stop the adversary from forging messages to fool GWN. For the second aspect, a public-key technique is required to construct $TUSP_{G/U}$, and $Auth_4$ should contain at least $TUSP_{G/U}$ and $CP_{SK/SN}$. This method can stop the adversary from modifying session keys (see Section 4.10).
Following the above principle, to improve Amin et al.’s scheme [38], we first introduce an ECC-based public-key technique with a private/public key pair $(X_{GWN},\ X_{GWN} P = Y)$, where $P$ is a point on an elliptic curve built over the prime finite field $F_p$. Next, we construct $TUSP_{G/U}$ as $TM_2 = K_i Y$, and let $U_i$ send $TM_1 = K_i P$ to GWN. At this point, $U_i$ and GWN share $TUSP_{G/U}$ (GWN can obtain $TM_2$ by computing $X_{GWN} TM_1$). Next, we set the $Auth_3$ of Amin et al.’s scheme [38], $W_j$, to be $h(f_j \| TM_2 \| K_j)$, where $f_j$ is $FUSP_{(G/SN)}$, $K_j$ is $TUSP_{(G/SN)}$ and $TM_2$ is $CP_{(SK/SN)}$. Finally, we set $Auth_4$, i.e., $M_1$, to be $h(TM_2 \| K_j \| K_g \| T_4)$.
Forward Secrecy. To achieve forward secrecy, at least two modular multiplication or point multiplication operations are needed on the sensor node [12]. Once a scheme achieves forward secrecy, it is resistant against the attack Type I and Type II.
Following this principle, we continue to improve Amin et al.’s scheme [38]. We let $SN_j$ compute two point multiplication operations, $TM_3 = K_j P$ and $TM = K_i TM_1$, and set the session key $SK = h(TM_1 \| TM_3 \| TM)$. Note that $TM$ is not transmitted in any channel. In this way, Amin et al.’s scheme [38] can achieve forward secrecy and resist the attack Type I and Type II.
Offline Dictionary Attacks. To resist offline dictionary attacks, a public-key algorithm is indispensable [52]. Yet there is a subtlety worth noting: when assessing offline dictionary attacks, in addition to focusing on VP in the login request initiated by U, special attention should be paid to $Auth_4$ and to parameters with $FUSP_{G/U}$ in the channel, and this is often ignored by protocol designers. As we have shown in Section 4.4, the adversary can exploit $Auth_4$ ($M_8$) to carry out a dictionary attack successfully in Jiang et al.’s scheme [30]. A recommended solution is to use $FUSP_{G/U}$ in the form of $h(FUSP_{G/U} \| TUSP_{G/U} \| \ )$, where denotes any valid numbers, and $TUSP_{G/U}$ is constructed by a public-key technique.
Following this principle, we can improve Jiang et al.’s scheme [30]. First, we need to construct a $TUSP_{G/U}$. The way to construct such a $TUSP_{G/U}$ has been introduced above; therefore, the details are omitted. Second, we let $M_8 = h(d_i \| TUSP_{G/U} \| ID_i \| K_j)$. In this way, Jiang et al.’s scheme [30] is resistant to the attack Type V.
The Issue of Temporary Certificate. Applying a temporary certificate algorithm to multi-factor user authentication schemes leads to many problems [52]; how to avoid these problems is still an open question. A simple way is not to use the temporary certificate technique. Actually, many schemes that do not use the temporary certificate technique [26], [27], [28], [57] achieve at least the same security as those using this technique [37], [50], [56].
To design a secure authentication scheme that is resistant to node capture attacks, the above eight challenges should be taken into account. The specific method to achieve the above suggestions may differ from scheme to scheme, but we summarize some common principles against node capture attacks: 1) Regarding “Insecure communication architecture”, model (b) and model (c) of Fig. 5 are not secure against node capture attacks, and model (a) is recommended. 2) Users’ identity and unique secret parameter should be kept anonymous to sensor nodes. 3) It is recommended to set $h(ID_{SN_j} \| x)$ as SN’s private key. Furthermore, as shown in Appendix A, which can be found at https://bit.ly/2VjHqY1 and also on the Computer Society Digital Library at http://doi.ieeecomputersociety.org/10.1109/TDSC.2020.2974220, we take Li et al.’s scheme [57] as an example to show a viable way to follow the above principles to avoid node capture attacks.
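The following added example (not code from the paper or from any of the cited schemes) works through two of the recommendations above: deriving each sensor node's key as h(ID_SNj || x), and building TUSP_{G/U} with ECC as TM1 = K_i·P, TM2 = K_i·Y = X_GWN·TM1 before binding it into Auth4 as M8 = h(d_i || TUSP_{G/U} || ID_i || K_j). The curve (secp256k1), SHA-256, the length-prefixed encoding of "||" and all function names are assumptions of this example; d_i, ID_i and K_j are treated as opaque byte strings that both sides already hold.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters. The curve choice is an assumption of this
# example; the paper only asks for a point P on an elliptic curve over F_p.
P_MOD = 2**256 - 2**32 - 977
A, B = 0, 7
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def h(*fields: bytes) -> bytes:
    """h(a || b || ...) over length-prefixed fields (SHA-256 is an assumption)."""
    digest = hashlib.sha256()
    for field in fields:
        digest.update(len(field).to_bytes(4, "big") + field)
    return digest.digest()


def on_curve(pt) -> bool:
    if pt is None:  # point at infinity
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def point_add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # p2 is the inverse of p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P_MOD - 2, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, P_MOD - 2, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def scalar_mult(k: int, pt):
    """Double-and-add point multiplication (not constant-time)."""
    if not on_curve(pt):
        raise ValueError("point is not on the curve")
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def encode(pt) -> bytes:
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def new_scalar() -> int:
    return secrets.randbelow(ORDER - 1) + 1  # uniform in [1, ORDER - 1]


def node_key(x: bytes, id_sn: bytes) -> bytes:
    """X_SNj = h(ID_SNj || x): GWN keeps only x and re-derives each node key,
    so a captured node yields its own key and nothing about x or other nodes."""
    return h(id_sn, x)


def user_start(y_pub):
    """U_i picks K_i, sends TM1 = K_i*P and keeps TM2 = K_i*Y as TUSP_{G/U}."""
    k_i = new_scalar()
    return k_i, scalar_mult(k_i, P), scalar_mult(k_i, y_pub)


def gwn_auth4(x_gwn: int, tm1, d_i: bytes, id_i: bytes, k_j: bytes) -> bytes:
    """GWN recovers TM2 = X_GWN*TM1 and returns M8 = h(d_i||TUSP||ID_i||K_j)."""
    if tm1 is None:
        raise ValueError("TM1 must not be the point at infinity")
    tm2 = scalar_mult(x_gwn, tm1)  # rejects an off-curve TM1
    return h(d_i, encode(tm2), id_i, k_j)


def user_check_auth4(m8: bytes, tm2, d_i: bytes, id_i: bytes, k_j: bytes) -> bool:
    """U_i recomputes M8 with its own TM2; a party without TM2 cannot do so."""
    return hmac.compare_digest(m8, h(d_i, encode(tm2), id_i, k_j))


if __name__ == "__main__":
    x_gwn = new_scalar()
    y_pub = scalar_mult(x_gwn, P)
    k_i, tm1, tm2 = user_start(y_pub)
    m8 = gwn_auth4(x_gwn, tm1, b"d_i", b"ID_i", b"K_j")  # constructed sample values
    print("Auth4 accepted:", user_check_auth4(m8, tm2, b"d_i", b"ID_i", b"K_j"))
```

Only TM1 crosses the channel, so M8 changes with every fresh K_i and cannot be recomputed from values observed on the wire or stored on a sensor node.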
6 A COMPARATIVE EVALUATION OF EXISTING SCHEMES FOR WSNS
Based on our taxonomy of node capture attacks in Section 3, we naturally improve our evaluation criteria by expanding the criterion “resistance to node capture attacks” into ten sub-criteria. We then perform a large-scale assessment of 61 multi-factor user authentication schemes for WSNs under our expanded criteria set and our attack model in Table 5. The selected schemes usually represent a typical attack or have attracted much attention and led to many new enhanced versions. This comparison gives a fair and comprehensive evaluation of existing schemes. Unsurprisingly, two early schemes, which were proposed around 2005, when Benenson et al. [18] for the first time introduced node capture attacks into remote user authentication, are worse than other schemes. As time goes by, the situation gets better, which is in line with our understanding of the development of things. From Table 5, it is easy to see that so far no scheme meets all evaluation criteria after nearly ten years of research. The scheme with the best performance, proposed by Li et al. [58], can achieve at most 20 criteria, highlighting the unsatisfactory situation of user authentication schemes for WSNs.
When dividing the evaluation criteria into two parts, i.e., ideal attributes and security requirements, we can see another trend in the development of user authentication schemes: the schemes’ performance in ideal attributes gets better and better. The challenge in satisfying the requirements of ideal attributes is to design schemes without relying on clock synchronization. Compared with the realization of ideal attributes, meeting the security requirements is more difficult. Every criterion of the security requirements except S1 is difficult to meet. In most cases, offline dictionary attacks are the main kind of attack for S5, and they can be stopped by applying public-key techniques correctly [12], [52]. In WSNs, S4 “resistance to known attacks” is becoming difficult as the complexity of the system increases. According to Li et al.’s recent study [80], the administrator of the gateway can exploit the user’s login request as a verifier to guess victims’ passwords. Most schemes are vulnerable to such an attack and thus cannot satisfy the criterion S2 “No Password Exposure”. S3 “forward secrecy” is a tricky problem in WSNs because of the resource-limited sensor nodes. “How to efficiently achieve forward secrecy in user authentication scheme for WSNs” is still an open issue.
Among all criteria, S6 “resistance to node capture attacks” is the hardest criterion to achieve. As shown in Table 5, only two schemes meet S6. However, this trend cannot be reflected well under other evaluation criteria sets. For example, the schemes of Li et al. (2018 JNCA) [34], Wu et al. (2017 PPNA) [37], Wang et al. (2018 Sensors) [28], Jiang et al. (2017 IEEE Access) [30] and Das et al. (2016 SCN) [65] are thought to be resistant to node capture attacks under Wang et al.’s criteria set [6], where node capture attacks are included in the criterion “resistance to known attacks”, but these schemes are demonstrated to be unable to resist node capture attacks under our criteria set. All this highlights the urgency and significance of understanding the failure in node capture attacks and the difficulty in designing a user authentication scheme for WSNs resistant against node capture attacks. Furthermore, each sub-criterion of S6 is met or unmet by at least ten schemes. This indicates that each of the ten sub-criteria is necessary and our taxonomy of node capture attacks is reasonable. We present a detailed discussion on S6 in Appendix B, available at https://bit.ly/2VjHqY1.
7 CONCLUSION
In this paper, we have taken the first substantial step towards systematically exploring node capture attacks against user authentication protocols for WSNs. We first define the adversary model, and then develop detailed and thorough evaluation criteria including the effects of node capture attacks. We then categorize node capture attacks into ten different types in terms of the attack targets, adversary’s capabilities and vulnerabilities exploited. Next, we elaborate on each type of attack through examining 11 typical vulnerable protocols and investigate the corresponding countermeasures. Finally, we extend our evaluation criteria and conduct a large-scale comparative measurement of 61 representative user authentication schemes for WSNs. Among those schemes, only two are secure against node capture attacks, highlighting the difficulty in designing node-capture-attack resistant user authentication schemes for WSNs and demonstrating the significance of our systematic study on node capture attacks.
ACKNOWLEDGMENT
The authors thank Dr. Yanhong Xu and the anonymous reviewers for their invaluable comments. This research is supported by the National Key Research and Development Plan of China under Grant No. 2018YFB0803605, and by the National Natural Science Foundation of China under Grant No. 61802006, and by the National Research Foundation, Prime Minister’s Office, Singapore under its Strategic Capability Research Centres Funding Initiative and Singapore Ministry of Education under Research Grant MOE2016-T2-2-014(S)
TABLE 5
Security and Efficiency Comparison Among Relevant User Authentication Schemes
: the case 1 of their scheme; †: the $P_2$ of their scheme.
Some schemes do not describe dynamic sensor node addition or smart card revocation phases directly, but they do support the two phases, and thus meet D2. $T_E$, $T_P$, $T_C$, $T_B$, $T_H$, $T_S$ denote the operation time for modular exponentiation, elliptic curve point multiplication, Chebyshev chaotic-map, fuzzy extracting biometric data, hash, and symmetric encryption, respectively. Some lightweight operations like XOR and $\|$ are omitted.
“@” denotes the scheme can provide the corresponding attribute. “” denotes the scheme cannot provide the corresponding attribute. “-” means the attribute is not applied to the scheme. For example, if the scheme does not create a session key after authentication, then it does not make sense to discuss session key related security; if the scheme does not use a password, then it does not make sense to discuss offline dictionary guessing attacks; if the message sent to users is an “acknowledgment” containing no sensitive parameters, then it does not make sense to discuss whether the adversary can modify this message.
REFERENCES
[1] M. Wazid, A. K. Das, V. Odelu, N. Kumar, and W. Susilo, “Secure remote user authenticated key establishment protocol for smart home environment,” IEEE Trans. Dependable Secure Comput., 2017, to be published, doi: 10.1109/TDSC.2017.2764083.
[2] S. Kumari and H. Om, “Authentication protocol for wireless sensor networks applications like safety monitoring in coal mines,” Comput. Netw., vol. 104, no. C, pp. 137–154, 2016.
[3] J. Wei, X. Hu, and W. Liu, “An improved authentication scheme for telecare medicine information systems,” J. Med. Syst., vol. 36, no. 6, pp. 3597–3604, 2012.
[4] X. Yang et al., “A lightweight authentication scheme for vehicular ad hoc networks based on msr,” Veh. Commun., vol. 15, no. 16–27, 2019.
[5] M. Wazid, A. K. Das, M. K. Khan, A. D. Al-Ghaiheb, N. Kumar, and A. Vasilakos, “Design of secure user authenticated key management protocol for generic IoT networks,” IEEE Internet Things J., vol. 5, no. 1, pp. 269–282, Feb. 2018.
[6] D. Wang, W. Li, and P. Wang, “Measuring two-factor authentication schemes for real-time data access in industrial wireless sensor networks,” IEEE Trans. Ind. Inf., vol. 14, no. 9, pp. 4081–4092, Sep. 2018.
[7] M. L. Das, “Two-factor user authentication in wireless sensor networks,” IEEE Trans. Wireless Commun., vol. 8, no. 3, pp. 1086–1090, Mar. 2009.
[8] Y. Zhang, Y. Xiang, and X. Huang, “Password authenticated group key exchange: A cross-layer design,” ACM Trans. Internet Technol., vol. 15, no. 4, pp. 24:1–24:20, 2016.
[9] W. Meng, Y. Wang, D. S. Wong, S. Wen, and Y. Xiang, “Touch behavioral user authentication based on web browsing on smartphones,” J. Netw. Comput. Appl., vol. 117, pp. 1–9, 2018.
[10] E. Erdem and M. T. Sandıkkaya, “OTPaaS—one time password as a service,” IEEE Trans. Inf. Forensics Security, vol. 14, no. 3, pp. 743–756, Mar. 2019.
[11] J. Srinivas, A. K. Das, M. Wazid, and N. Kumar, “Anonymous lightweight chaotic map-based authenticated key agreement protocol for industrial Internet of Things,” IEEE Trans. Dependable Secure Comput., 2018, to be published, doi: 10.1109/TDSC.2018.2857811.
[12] C. Ma, D. Wang, and S. Zhao, “Security flaws in two improved remote user authentication schemes using smart cards,” Int. J. Commun. Syst., vol. 27, no. 10, pp. 2215–2227, 2012.
[13] D. Wang and P. Wang, “Two birds with one stone: Two-factor authentication with security beyond conventional bound,” IEEE Trans. Dependable Secure Comput., vol. 15, no. 4, pp. 708–722, Jul./Aug. 2018.
[14] D. W. Carman, P. S. Kruus, and B. J. Matt, “Constraints and approaches for distributed sensor network security,” Cryptographic Technologies Group, Trusted Information System, NAI Labs. DARPA Project report, 2000, vol. 1, no. 1. [Online]. Available: http://download.nai.com
[15] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proc. IEEE Symp. Secur. Privacy, 2003, pp. 197–213.
[16] L. Eschenauer and V. Gligor, “A key-management scheme for distributed sensor networks,” in Proc. 9th ACM Conf. Comput. Commun. Secur., 2002, pp. 41–47.
[17] W. Du, J. Deng, Y. Han, P. Varshney, J. Katz, and A. Khalili, “A pairwise key predistribution scheme for wireless sensor networks,” ACM Trans. Inf. Syst. Secur., vol. 8, no. 2, pp. 228–258, 2005.
[18] Z. Benenson, N. Gedicke, and O. Raivio, “Realizing robust user authentication in sensor networks,” in Proc. Real-World Wireless Sensor Netw., 2005, vol. 14, pp. 52–56.
[19] B. Vaidya, J. J. Rodrigues, and P. J. Hyuk, “User authentication schemes with pseudonymity for ubiquitous sensor network in ngn,” Int. J. Commun. Syst., vol. 23, no. 9–10, pp. 1201–1222, 2010.
[20] K. H. M. Wong, Y. Zheng, J. Cao, and S. Wang, “A dynamic user authentication scheme for wireless sensor networks,” in Proc. IEEE Int. Conf. Sensor Netw., 2006, pp. 244–251.
[21] H. R. Tseng, R. H. Jan, and W. Yang, “An improved dynamic user authentication scheme for wireless sensor networks,” in Proc. IEEE Global Telecommun. Conf., 2007, pp. 986–990.
[22] L. C. Ko, “A novel dynamic user authentication scheme for wireless sensor networks,” in Proc. IEEE Int. Symp. Wireless Commun. Syst., 2008, pp. 608–612.
[23] B. Vaidya, D. Makrakis, and H. Mouftah, “Two factor mutual authentication with key agreement in wireless sensor networks,” Secur. Commun. Netw., vol. 9, no. 2, pp. 171–183, 2016.
[24] J. Kim, D. Lee, W. Jeon, Y. Lee, and D. Won, “Security analysis and improvements of two-factor mutual authentication with key agreement in wireless sensor networks,” Sensors, vol. 14, no. 4, pp. 6443–6462, 2014.
[25] I. Chang, T. Lee, T. Lin, and C. Liu, “Enhanced two-factor authentication and key agreement using dynamic identities in wireless sensor networks,” Sensors, vol. 15, no. 12, pp. 29 841–29 854, 2015.
[26] Y. Park and Y. Park, “Three-factor user authentication and key agreement using elliptic curve cryptosystem in wireless sensor networks,” Sensors, vol. 16, no. 12, p. 2123, 2016.
[27] J. Srinivas, S. Mukhopadhyay, and D. Mishra, “Secure and efficient user authentication scheme for multi-gateway wireless sensor networks,” Ad Hoc Netw., vol. 54, no. C, pp. 147–169, 2017.
[28] C. Wang, G. Xu, and J. Sun, “An enhanced three-factor user authentication scheme using elliptic curve cryptosystem for wireless sensor networks,” Sensors, vol. 17, no. 12, p. 2946, 2017.
[29] R. Fan, D. He, X. Pan, and L. Ping, “An efficient and dos-resistant user authentication scheme for two-tiered wireless sensor networks,” J. Zhejiang Univ. Sci. C, vol. 12, no. 7, pp. 550–560, 2011.
[30] Q. Jiang, S. Zeadally, J. Ma, and D. He, “Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks,” IEEE Access, vol. 5, pp. 3376–3392, 2017.
[31] D. He, “Robust biometric-based user authentication scheme for wireless sensor networks,” Ad Hoc Sensor Wireless Netw., vol. 25, no. 3, pp. 309–321, 2012.
[32] E.-J. Yoon and K.-Y. Yoo, “A new biometric-based user authentication scheme without using password for wireless sensor networks,” in Proc. IEEE Int. Workshops Enabling Technologies: Infrastructure Collaborative Enterprises, 2011, pp. 279–284.
[33] J. Jung, J. Moon, D. Lee, and D. Won, “Efficient and security enhanced anonymous authentication with key agreement scheme in wireless sensor networks,” Sensors, vol. 17, no. 3, pp. 644–665, 2017.
[34] X. Li, J. Niu, S. Kumari, F. Wu, A. K. Sangaiah, and K. K. R. Choo, “A three-factor anonymous authentication scheme for wireless sensor networks in Internet of Things environments,” J. Netw. Comput. Appl., vol. 103, pp. 194–204, 2018.
[35] Q. Jiang, J. Ma, X. Lu, and Y. Tian, “An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks,” Peer Peer Netw. Appl., vol. 8, no. 6, pp. 1070–1081, 2015.
[36] Y. Choi, D. Lee, J. Kim, J. Jung, J. Nam, and D. Won, “Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography,” Sensors, vol. 14, no. 6, pp. 10081–10106, 2014.
[37] F. Wu et al., “An efficient authentication and key agreement scheme for multi-gateway wireless sensor networks in IoT deployment,” J. Netw. Comput. Appl., vol. 89, pp. 72–85, 2017.
[38] R. Amin, S. K. H. Islam, N. Kumar, and K. K. R. Choo, “An untraceable and anonymous password authentication protocol for heterogeneous wireless sensor networks,” J. Netw. Comput. Appl., vol. 104, pp. 133–144, 2018.
[39] R. Ali, A. K. Pal, S. Kumari, M. Karuppiah, and M. Conti, “A secure user authentication and key-agreement scheme using wireless sensor networks for agriculture monitoring,” Future Gener. Comput. Syst., vol. 84, pp. 200–215, 2018.
[40] S. Challa et al., “An efficient ECC-based provably secure three-factor user authentication and key agreement protocol for wireless healthcare sensor networks,” Comput. Elect. Eng., vol. 69, pp. 534–554, 2018.
[41] P. K. Dhillon and S. Kalra, “Secure multi-factor remote user authentication scheme for Internet of Things environments,” Int. J. Commun. Syst., vol. 30, no. 16, p. e3323, 2017.
[42] S. Kumari, X. Li, F. Wu, A. K. Das, H. Arshad, and M. K. Khan, “A user friendly mutual authentication and key agreement scheme for wireless sensor networks using chaotic maps,” Future Gener. Comput. Syst., vol. 63, pp. 56–75, 2016.
[43] A. K. Das, “A secure and efficient user anonymity-preserving three-factor authentication protocol for large-scale distributed wireless sensor networks,” Wireless Pers. Commun., vol. 82, no. 3, pp. 1377–1404, 2015.
[44] P. Kumar, S.-G. Lee, and H.-J. Lee, “E-SAP: Efficient-strong authentication protocol for healthcare applications using wireless medical sensor networks,” Sensors, vol. 12, no. 2, pp. 1625–1647, 2012.
[45] M. S. Farash, M. Turkanović, S. Kumari, and M. Hölbl, “An efficient user authentication and key agreement scheme for heterogeneous wireless sensor network tailored for the Internet of Things environment,” Ad Hoc Netw., vol. 36, pp. 152–176, 2016.
[46] W. Shi and P. Gong, “A new user authentication protocol for wireless sensor networks using elliptic curves cryptography,” Int. J. Distrib. Sensor Netw., vol. 2013, no. 730831, pp. 51–59, 2013.
[47] W.-L. Tai, Y.-F. Chang, and W.-H. Li, “An IoT notion–based authentication and key agreement scheme ensuring user anonymity for heterogeneous ad hoc wireless sensor networks,” J. Inf. Secur. Appl., vol. 34, pp. 133–141, 2017.
[48] M. Turkanovic, B. Brumen, and M. Holbl, “A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet of Things notion,” Ad Hoc Netw., vol. 20, no. 2, 2014.
[49] A. K. Das, P. Sharma, S. Chatterjee, and J. K. Sing, “A dynamic password-based user authentication scheme for hierarchical wireless sensor networks,” J. Netw. Comput. Appl., vol. 35, no. 5, pp. 1646–1656, 2012.
[50] R. Amin, S. H. Islam, G. Biswas, M. K. Khan, and N. Kumar, “A robust and anonymous patient monitoring system using wireless medical sensor networks,” Future Gener. Comput. Syst., vol. 80, pp. 483–495, 2018.
[51] R. Madhusudhan and R. Mittal, “Dynamic ID-based remote user password authentication schemes using smart cards: A review,” J. Netw. Comput. Appl., vol. 35, no. 4, pp. 1235–1248, 2012.
[52] D. Wang, D. He, P. Wang, and C. Chu, “Anonymous two-factor authentication in distributed systems: Certain goals are beyond attainment,” IEEE Trans. Dependable Secure Comput., vol. 12, no. 4, pp. 428–442, Jul./Aug. 2015.
[53] W. Shi and P. Gong, “A new user authentication protocol for wireless sensor networks using elliptic curves cryptography,” Int. J. Distrib. Sensor Netw., vol. 9, no. 4, 2013, Art. no. 730831.
[54] F. Wu et al., “A lightweight and robust two-factor authentication scheme for personalized healthcare systems using wireless medical sensor networks,” Future Gener. Comput. Syst., vol. 82, pp. 727–737, 2018.
[55] C. C. Chang and H. D. Le, “A provably secure, efficient, and flexible authentication scheme for Ad hoc wireless sensor networks,” IEEE Trans. Wireless Commun., vol. 15, no. 1, pp. 357–366, Jan. 2016.
[56] P. Gope and T. Hwang, “A realistic lightweight anonymous authentication protocol for securing real-time application data access in wireless sensor networks,” IEEE Trans. Ind. Electron., vol. 63, no. 11, pp. 7124–7132, Nov. 2016.
[57] X. Li, J. Niu, M. Z. A. Bhuiyan, F. Wu, M. Karuppiah, and S. Kumari, “A robust ECC based provable secure authentication protocol with privacy preserving for industrial Internet of Things,” IEEE Trans. Ind. Informat., vol. 14, no. 8, pp. 3599–3609, Aug. 2018.
[58] X. Li, J. Peng, M. S. Obaidat, F. Wu, M. K. Khan, and C. Chen, “A secure three-factor user authentication protocol with forward secrecy for wireless medical sensor network systems,” IEEE Syst. J., 2019, to be published, doi: 10.1109/JSYST.2019.2899580.
[59] A. Gupta, M. Tripathi, T. J. Shaikh, and A. Sharma, “A lightweight anonymous user authentication and key establishment scheme for wearable devices,” Comput. Netw., vol. 149, pp. 29–42, 2019.
[60] J. Srinivas, D. Mishra, S. Mukhopadhyay, and S. Kumari, “Provably secure biometric based authentication and key agreement protocol for wireless sensor networks,” J. Ambient Intell. Humanized Comput., vol. 9, no. 4, pp. 875–895, 2018.
[61] L. Xiong, D. Peng, T. Peng, H. Liang, and Z. Liu, “A lightweight anonymous authentication protocol with perfect forward secrecy for wireless sensor networks,” Sensors, vol. 17, no. 11, 2017, Art. no. 2681.
[62] F. Wu, L. Xu, S. Kumari, and X. Li, “A new and secure authentication scheme for wireless sensor networks with formal proof,” Peer Peer Netw. Appl., vol. 10, no. 16, pp. 16–30, 2017.
[63] J. Moon, D. Lee, Y. Lee, and D. Won, “Improving biometric-based authentication schemes with smart card revocation/reissue for wireless sensor networks,” Sensors, vol. 17, no. 5, 2017, Art. no. 940.
[64] A. G. Reddy, A. K. Das, E.-J. Yoon, and K.-Y. Yoo, “A secure anonymous authentication protocol for mobile services on elliptic curve cryptography,” IEEE Access, vol. 4, pp. 4394–4407, 2016.
[65] A. K. Das, S. Kumari, V. Odelu, F. Wu, F. Wu, and X. Huang, “Provably secure user authentication and key agreement scheme for wireless sensor networks,” Secur. Commun. Netw., vol. 9, no. 16, pp. 3670–3687, 2016.
[66] Y. Lu, L. Li, H. Peng, and Y. Yang, “An energy efficient mutual authentication and key agreement scheme preserving anonymity for wireless sensor networks,” Sensors, vol. 16, no. 6, p. 837, 2016.
[67] Y. Choi, D. Lee, and D. Won, “Security improvement on biometric based authentication scheme for wireless sensor networks using fuzzy extraction,” Int. J. Distrib. Sensor Netw., vol. 12, no. 1, 2016, Art. no. 8572410.
[68] Y. H. Park, S. Y. Lee, and C. K. Kim, “Secure biometric-based authentication scheme with smart card revocation/reissue for wireless sensor networks,” Int. J. Distrib. Sensor Netw., vol. 12, no. 7, pp. 1–11, 2016.
[69] Q. Jiang, J. Ma, F. Wei, Y. Tian, J. Shen, and Y. Yang, “An untraceable temporal-credential-based two-factor authentication scheme using ECC for wireless sensor networks,” J. Netw. Comput. Appl., vol. 76, pp. 37–48, 2016.
[70] R. Amin, S. H. Islam, G. P. Biswas, M. K. Khan, L. Leng, and N. Kumar, “Design of an anonymity-preserving three-factor authenticated key exchange protocol for wireless sensor networks,” Comput. Netw., vol. 101, no. C, pp. 42–62, 2016.
[71] R. Amin and G. Biswas, “A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks,” Ad Hoc Netw., vol. 36, no. part 1, pp. 58–80, 2016.
[72] D. He, N. Kumar, and N. Chilamkurti, “A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks,” Inf. Sci., vol. 321, pp. 263–277, 2015.
[73] M. Turkanović, B. Brumen, and M. Hölbl, “A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet of Things notion,” Ad Hoc Sensor Wireless Netw., vol. 20, pp. 96–112, 2014.
[74] M. Turkanovic and M. Holbl, “An improved dynamic password-based user authentication scheme for hierarchical wireless sensor networks,” Elektronika Ir Elektrotechnika, vol. 19, no. 6, pp. 109–116, 2013.
[75] E.-J. Yoon and C. Kim, “Advanced biometric-based user authentication scheme for wireless sensor networks,” Sensors Lett., vol. 11, no. 9, pp. 1836–1843, 2013.
[76] K. Xue, C. Ma, P. Hong, and R. Ding, “A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks,” J. Netw. Comput. Appl., vol. 36, no. 1, pp. 316–323, 2013.
[77] P. Kumar, A. J. Choudhury, M. Sain, S.-G. Lee, and H.-J. Lee, “RUASN: A robust user authentication framework for wireless sensor networks,” Sensors, vol. 11, no. 5, pp. 5020–5046, 2011.
[78] H.-L. Yeh, T.-H. Chen, P.-C. Liu, T.-H. Kim, and H.-W. Wei, “A secured authentication protocol for wireless sensor networks using elliptic curves cryptography,” Sensors, vol. 11, no. 5, pp. 4767–79, 2011.
[79] D. He, Y. Gao, S. Chan, C. Chen, and J. Bu, “An enhanced two-factor user authentication scheme in wireless sensor networks,” Ad Hoc Sensor Wireless Netw., vol. 10, no. 4, pp. 361–371, 2010.
[80] W. Li, D. Wang, and P. Wang, “Insider attacks against multi-factor authentication protocols for wireless sensor networks,” Ruan Jian Xue Bao/J. Softw., vol. 30, no. 8, 2019, Art. no. 2375-2391.
Chenyu Wang is currently working toward the PhD degree at the Beijing University of Posts and Telecommunications, and is a visiting student at Nanyang Technological University. She has received the “Cyber security scholarship” (China) and has published several papers. Her research interests include cryptographic protocols and software security.
Ding Wang received the PhD degree in information security from Peking University, in 2017. He is currently a professor with the College of Cyber Science, Nankai University, and also serves as the deputy director of the Tianjin Key Laboratory of Network and Data Security Technology. As the first author, he has published more than 40 papers at venues like ACM CCS, Usenix Security, NDSS, IEEE DSN, ESORICS, ACM ASIACCS, ACM TCPS, IEEE Transactions on Dependable and Secure, and IEEE Transactions on Information Forensics and Security. Seven of them are recognized as “ESI highly cited papers”. His PhD thesis receives the “ACM China Doctoral Dissertation Award” and “China Computer Federation (CCF) Outstanding Doctoral Dissertation Award”. He has been involved in the community as a TPC, AEC member or PC Chair for more than 50 international conferences, such as Usenix Security, ACSAC, ISC, CNS, SEC, ACISP, and SocialSec. His research interests focus on authentication and provable security.
Yi Tu received the bachelor’s degree from Nankai University, China, in 2016, and the master’s degree from the George Washington University, in USA, in 2018. Currently he is working toward the PhD degree in the School of Physical and Mathematical Sciences in Nanyang Technological University. His research interests include machine learning, software security and symmetric key cryptanalysis.
Guoai Xu is currently a professor with the Beijing University of Posts and Telecommunications. He is a member of cyberspace security association in China. He has published more than 50 papers at venues like WWW, FSE/ESEC, and TECS. His research interests include information security, cryptographic, and software security.
Huaxiong Wang received the PhD degree in mathematics from the University of Haifa, Israel, in 1996, and the PhD degree in computer science from the University of Wollongong, Australia, in 2001. He joined Nanyang Technological University in 2006, and is currently an associate professor with the Division of Mathematical Sciences. He is also an honorary fellow at Macquarie University, Australia. His research interests include cryptography, information security, coding theory, combinatorics, and theoretical computer science. He has been on the editorial board of three international journals: Designs, Codes and Cryptography (2006–2011), the Journal of Communications (JCM), and the Journal of Communications and Networks. He was the program co-chair of Ninth Australasian Conference on Information Security and Privacy (ACISP 04), in 2004 and Fourth International Conference on Cryptology and Network Security (CANS 05), in 2005, and has served in the program committee for more than 70 international conferences. He has received the inaugural Award of Best Research Contribution from the Computer Science Association of Australasia, in 2004.
... In accordance with the attack model suggested in [26], the adversary "A" model against our protocol "UAWSNA-IoT," is delineated as follows: ...
... The Real-Or-Random (ROR) model [8] is employed to evaluate the session key security in UAWSNA IoT protocol's. In this model, the network is vulnerable to various attacks conducted by an adversary "A", including eavesdropping, capturing, inserting, and deleting messages [26]. In the security analysis, we use symbols t U k , u Gj and v SN i to represent specific instances denoted by t, u and v respectively, which act as oracles in the system. ...
... Furthermore, they were the first to propose a method to transfer the ownership of patient information from the former physician to a new one, in order to allow more effective medical treatment. However, note that this scheme does not satisfy forward secrecy, or three-factor security and is not resistant to the inevitable type-l node capture attack [17]. ...
... . Ten criteria for evaluation of authentication schemes. † * Ideal Attributes ‡ * Security Attributes † 1 Password friendly ‡ 1 User anonymity † 2 Sound repairability ‡ 2 No password exposure † 3 Provision of key agreement ‡ 3 Forward secrecy † 4 Mutual authentication ‡ 4 Resistance to known attacks † 5 No password verification table ‡ 5 No smart card loss attack (1) Functionality Analyses To evaluate the scheme's advantages and disadvantages in functionality, we adopt the widely accepted 10 criteria [17], containing five ideal ( † * ) attributes and five security ( ‡ * ) attributes, as described in Table 3. The ‡ 4 states that certain attacks, namely password guessing attacks, privileged insider attacks, de-synchronization attacks, replay attacks, stolen verifier attacks, node impersonation attacks, processor's node capture attacks, DoS attacks and session-specific temporary information attacks, with the exception of breaking the user's smart card, cannot be effectively initiated by the adversary with all capabilities. ...
Article
The drone-assisted Internet of Vehicles (DIoV) displays great potential in the punctual provision of rescue services without geographical limitations. To ensure data security in accident response and rescue services, authentication schemes with access control are employed. These schemes ensure that only specific rescue vehicle operators acting within a valid period can achieve mutual authentication from a designated processor, while access for mismatched, revoked, or expired users is denied. However, the current alternatives fail to ensure session key forward secrecy, entities' mutual authentication, and user anonymity, thereby compromising users' privacy and the security of communications. Moreover, executing too many time-consuming operations on vehicles' resource-constrained devices inevitably degrades the performance of the authentication protocol. Balancing security and performance in the design of an authentication protocol with access control presents a significant challenge. To address this, a more efficient and robust authentication with access control has been designed. The proposed protocol ensures user anonymity through dynamic pseudonym allocation, achieves forward secrecy by excluding the long-term key from session key generation, and obtains mutual authentication by verifying the integrity of the messages exchanged. According to the security and performance analysis, it is demonstrated that the proposal is a robust, efficient, and cost-effective solution. In particular, the proposal can reduce the computational overhead by 66% compared to recent alternatives.
... When many network functions are combined, the proposed network architecture is unable to meet the problems at hand. The possibility of each node in wireless sensor networks to be imprisoned must, therefore, be understood [3] in order to offer adequate authentication. When a certain node receives authentication, it remains active until all of the data has been sent. ...
... and 0.3 in the case of the existing methodology [7]. In contrast, error measurements in the unlabeled data set are substantially greater, with 14,11,8,5,3 for the present technique and 7,3,2,1,1 for the proposed method, even when activation functions 1,2,3,4 and 5 are taken into account. Although the total number of rewards for transmitting radar signals is 24, 32, 38, 45, and 50, respectively, where errors remain in low range percentages of 8, 6, 3, and 1, with 1, 1, 0.8, 0.3, and 0.1 for existing and projected models, both the proposed and existing approaches have errors minimized after providing appropriate reward functions. ...
Article
In this study, machine learning methods are used to assess how well wireless sensor networks transmit and receive radar signals. Measurements are done with labeled and unlabeled data sets where output functions are modified in relation to transmitted input in order to test the transceiver of radar signals. The main contribution in the proposed method is to focus the possibility of choosing a free space model that transmits the radar signals in wireless sensor networks without any interruptions. Hence for such type of transmissions reference time period is selected in order to perform radar signal classification and at the same time separation of unnecessary interruptions are reduced using clustering procedures. Since the radar signals can be monitored with automatic transmission techniques the outcomes are combined with supervised, unsupervised, and reinforcement learning models to increase the effect of transmissions. Therefore, the objective functions are designed with three scenarios where reinforcement learning proves to provide adequate connections for radar signals to all wireless sensor networks at reduced error of 0.3%. In addition, with reinforcement learning the distance of radar signal transmission is maximized to a level greater than 75% at minimized noise ratio of 0.8%.
... Firstly, it is susceptible to sensor node impersonation and sensor node capture attacks, which are crucial security features for the WBAN environment [19]. The description of the mentioned attacks is presented below: ...
Article
In the medical field, a wearable body area network is a wireless network in which wearable sensors are implemented in or on patients' bodies to gather their sensitive health information and send it to the medical servers accordingly. These multi-functional sensors provide all users with optimized and convenient services, such as homecare monitoring of people’s health conditions. Ensuring the privacy of users' information during its transfer between users and medical personnel necessitates a secure wireless environment. Mobility and insecure communication channels introduce a substantial threat from unauthorized entities, jeopardizing the privacy of the transferred information within this network. To mitigate this risk, researchers have proposed various authentication and key agreement schemes, aiming to enhance the safety of the communication channel and preserve user privacy. Additionally, the wearable body area network comprises resource-constrained devices, emphasizing the need for lightweight protocols to guarantee the transmitted information's authenticity, confidentiality, and integrity. Ankur Gupta and his colleagues recently proposed a mutual authentication and key agreement protocol and proved its security against well-known attacks. However, after in-depth analysis, we discovered that their proposed protocol is vulnerable to sensor node impersonation and sensor node capture attacks. In this paper, we propose a new lightweight mutual authentication and key agreement scheme in WBAN based on basic symmetric cryptosystems (Exclusive OR and Hash functions) to overcome the security weaknesses in Gupta's protocol and provide indispensable security for communicating data. Unlike Gupta’s protocol, our proposed scheme is safe in the CK-adversary threat model. The security of the presented scheme is evaluated using BAN-Logic, the AVISPA tool, and the Real or Random (ROR) model. 
Overall, the performance comparison of the proposed protocol with the existing related protocols depicts that our new scheme is more efficient than others in terms of communication and computational complexities.
... The researchers Masud et al. [18] used PUFs to propose a mutual authentication and secret key establishment protocol by which the doctor's legitimacy and SN were verified before establishing the SK. The researchers Wang et al. [32] analyzed the two common security failures namely node capture attack and smart card loss attack. The researchers Shamsoshoara et al. [29] surveyed the PUF-based solution for node capture attacks. ...
Article
The secured data transmission in Wireless Sensor Network (WSN) relies on effective key generation and secured sharing. The generated key must be random to enhance data confidentiality. The processes associated with the security in WSN must be designed at reduced computing time and communication cost. Our research work aims to design a novel lightweight key-sharing protocol that is needed for ensuring data confidentiality. The protocol must meet the constraints of WSN by being lightweight and consuming less energy. Security breaches in WSNs occur due to insecure keys. This can be overcome by generating shared keys which are generated once using the dynamic features of Sensor Nodes (SNs) when the Cluster Heads (CHs) are selected. In this research work, we have generated the Master Shared Key (MSK) at the transmitter node by forming a Galois Ring (GR) using WSN parameters and derived the Shared Random Key (SRK) using matched positions of exchanged Random Sequences (RSs). It is protected using a Physically Unclonable Function (PUF). The novelty lies in the SRK generation from MSK which is chosen at random from the polynomials generated during the formation of GR. The MSK is securely shared with the receiver node by encrypting using a Preloaded Key (PK). After this exchange, the key for encryption and decryption is derived by the transmitter and the receiver by exchanging RSs. The SRK is then encrypted using a key which is a unique fingerprint of the SN generated using PUF and stored in the SNs and the CHs to prevent node capture attack that occurs in WSN. Our proposed Shared Random Key Agreement Protocol (SRKAP) is comparable to the Localized Encryption and Authentication Protocol (LEAP) and performs better compared to the Elliptic Curve Diffie Hellman (ECDH) algorithm.
... Cyberattack scenarios can target the original encryption key and the session key used for authentication and data transfer [20]- [25]. A Merkle tree structure organizes data by hashing transactions and recursively generating hash values until a final Merkle root digest, representing all transactions, is obtained. ...
Article
This research article provides an extensive analysis of novel methods of cryptographic protection as well as advancements in authentication and authorization techniques within cellular networks. The aim is to explore recent literature and identify effective authentication and authorization methods, including high-speed data encryption. The significance of this study lies in the growing need for enhanced data security in scientific research. Therefore, the focus is on identifying suitable authentication and authorization schemes, including blockchain-based approaches for distributed mobile cloud computing. The research methodology includes observation, comparison, and abstraction, allowing for a comprehensive examination of advanced encryption schemes and algorithms. Topics covered in this article include multi-factor authentication, continuous authentication, identity-based cryptography for vehicle-to-vehicle (V2V) communication, secure blockchain-based authentication for fog computing, internet of things (IoT) device mutual authentication, authentication for wireless sensor networks based on blockchain, new secure authentication schemes for standard wireless telecommunications networks, and the security aspects of 4G and 5G cellular networks. Additionally, in the paper a differentiated authentication mechanism for heterogeneous 6G networks blockchain-based is discussed. The findings presented in this article hold practical value for organizations involved in scientific research and information security, particularly in encryption and protection of sensitive data.
Article
Designing an efficient and secure authentication scheme is a significant means to ensure the security of IoT systems. Hundreds of authentication schemes tailored for IoT environments have been proposed in recent years, and regrettably, many of them were soon found to have succumbed to security vulnerabilities. In an effort to investigate the underlying reason for this, Wang et al. (at TIFS’23) recently analyzed the vulnerability of authentication schemes from the perspective of provable security. However, we observe that some authentication schemes with sound security proofs and heuristic security analysis are also not resistant to certain attacks, and even those that have been improved several times are still not immune. To explore the deep-seated reasons for security vulnerabilities in IoT authentication schemes, we divide security attacks into explicit and implicit attacks and find that many authentication schemes exhibit security under explicit attacks but are rendered vulnerable under implicit attacks. Further, we propose the relationship between the design goals of security attributes of authentication schemes and implicit attacks, analyze the vulnerability of three typical authentication schemes under implicit attacks, and find that only the security attributes capable of resisting the strongest implicit attacks are secure. Finally, we offer some specific suggestions on how to achieve the security attribute goals.
Article
Conventional password-based authentication is considered inadequate by users as many online services started to affect each other. Online credentials are used to recover other credentials and complex attacks are directed to the weakest one of many of these online credentials. As researchers are looking for new authentication techniques, one time passwords, which is a two-factor authentication scheme, looks like a natural enhancement over conventional username/password schemes. The manuscript places the OTP verifier to the cloud to ease adoption of its usage by cloud service providers. When the OTP verifier is placed on the cloud as a service, other cloud service providers could outsource their OTP deployments as well as cloud users could activate their respective account on the OTP provider on several cloud services. This enables them to use several cloud services without the difficulty of managing several OTP accounts for each cloud service. On the other hand, OTP service provision saves inexperienced small to medium enterprises from spending extra costs for OTP provisioning hardware, software and employers. The paper outlines an architecture to build a secure, privacy-friendly and sound OTP provider in the cloud to outsource the second factor of authentication. Cloud user registration to OTP provider, service provider activation and authentication phases are inspected. The security and privacy considerations of the proposed architecture are defined and analyzed. Attacks from outsiders, unlinkability properties of user profiles, attacks from curious service providers or OTP verifiers are mitigated within the given assumptions. The proposed solution, which locates the OTP provider in the cloud, is rendered robust and sound as a result of the analysis.
Article
Dozens of two-factor authentication schemes have been proposed to secure real-time data access in industrial wireless sensor networks (WSNs). However, more often than not, the protocol designers advocate the merits of their scheme, but do not reveal (or unconsciously overlooking) the aspects on which their scheme performs poorly. Such lack of an objective, comprehensive measurement leads to the unsatisfactory "break-fix-break-fix" cycle in this research area. In this paper, we make an attempt towards breaking this undesirable cycle by (1) proposing a systematical evaluation framework for schemes to be assessed objectively; (2) revisiting two foremost schemes proposed by Wu et al. (2017) and Srinivas et al. (2017) to reveal the challenges and difficulties in designing a sound scheme; and (3) conducting a large-scale evaluation of 44 representative schemes under our evaluation framework, thereby providing the missing measurements for two-factor schemes in industrial WSNs.
Article
As an essential part of Internet of Things (IoT), wireless sensor networks (WSNs) have touched every aspect of our lives, such as health monitoring, environmental monitoring and traffic monitoring. However, due to its openness, wireless sensor networks are vulnerable to various security threats. User authentication, as the first fundamental step to protect systems from various attacks, has attracted much attention. Numerous user authentication protocols armed with formal proof are springing up. Recently, two biometric-based schemes were proposed with confidence to be resistant to the known attacks including offline dictionary attack, impersonation attack and so on. However, after a scrutinization of these two schemes, we found them not secure enough as claimed, and then demonstrated that these schemes suffer from various attacks, such as offline dictionary attack, impersonation attack, no user anonymity, no forward secrecy, etc. Furthermore, we proposed an enhanced scheme to overcome the identified weaknesses, and proved its security via Burrows–Abadi–Needham (BAN) logic and the heuristic analysis. Finally, we compared our scheme with other related schemes, and the results showed the superiority of our scheme.
Article
In recent years, the research in generic Internet of Things (IoT) attracts a lot of practical applications including smart home, smart city, smart grid, industrial internet, connected healthcare, smart retail, smart supply chain and smart farming. The hierarchical IoT network (HIoTN) is a special kind of the generic IoT network, which is composed of the different nodes such as the gateway node, cluster head nodes and sensing nodes organized in a hierarchy. In HIoTN, there is a need where a user can directly access the real-time data from the sensing nodes for a particular application in generic IoT networking environment. This paper emphasizes on the design of a new secure lightweight three-factor remote user authentication scheme for HIoTNs, called the user authenticated key management protocol (UAKMP). The three factors used in UAKMP are the user smart card, password and personal biometrics. The security of the scheme is thoroughly analyzed under the formal security in the widely-accepted Real-Or-Random (ROR) model, the informal security as well as the formal security verification using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool. UAKMP offers several functionality features including offline sensing node registration, freely password and biometric update facility, user anonymity and sensing node anonymity compared to other related existing schemes. In addition, UAKMP is also comparable in computation and communication costs as compared to other existing schemes.
Article
The Internet of Things (IoT) enables all objects to connect to the Internet and exchange data via different emerging technologies, which makes the intelligent identification and management a reality. Wireless sensor networks (WSNs), as a crucial basis of IoT, have been applied in many fields like smart health care and smart transportation. With the development of WSNs, data security has attracted more and more attention, and user authentication is a popular mechanism to ensure the information security of WSNs. Recently, many authentication mechanisms for wireless medical sensor networks (WMSNs) have been proposed, but most of the protocols cannot achieve the features of local password change and forward secrecy while resisting stolen smart card attack. To enhance the security based on previous work, an ECC-based secure three-factor authentication protocol with forward secrecy for WMSN is proposed in this paper. It utilizes a fuzzy commitment scheme to handle the biometric information. Meanwhile, fuzzy verifier and honey_list techniques are used to solve the contradiction of local password verification and mobile device lost attack. The security of our protocol is evaluated by provable security, Proverif tool, and information analysis. Besides, the comparisons with the relevant protocols are given, and the results indicate that our protocol is robust and secure for WMSN systems.
Article
The paradigm of the Internet of Things (IoT) is a system of interconnected objects that can be accessed globally with the help of the Internet. IoT has numerous applications including healthcare wherein the wearable devices can sense the data from the body of the patient and sent it to the concerned doctor for remote monitoring. It is essential that these devices should operate in real time and generate the precise data as life-critical decisions are made based upon the data received from these devices. The infrastructure of IoT is very heterogeneous and dynamic therefore vulnerable to the threat of security and privacy. One of the most significant challenges in IoT is the authentication of the devices before sending the data so that we can have confidence in the received data. As IoT devices are resource constraint, there is a need for lightweight authentication scheme for them. In this paper, we introduce a new authentication technique for communication on the Internet of Things (IoT) using simple XOR and one-way Cryptographic hash function. The proposed protocol not only provides security but also maintains equilibrium between the efficiency and communication cost. The security of the proposed protocol is evaluated using BAN-Logic, the widely accepted AVISPA tool and the informal security analysis. Then, the comparison of the proposed protocol with the existing related schemes is shown concerning security features, communication, and computational cost.
Article
Vehicular ad-hoc networks (VANETs) has become a promising technology for nowadays' intelligent transportation system (ITS). Secure communications in VANETs can help improve safe and comfortable driving environment for drivers. In order to guarantee secure communication, security, privacy, and efficiency should be carefully considered during the deployment of VANETs. In this paper, we propose a lightweight privacy-preserving authentication scheme to enhance the communication security in VANETs. The proposed scheme employs the modular square root (MSR) technique to achieve the design goals. The security analysis demonstrates that our scheme achieves more advantages on supporting mutual authentication and other security requirements by comparing with existing schemes. We also provide the authentication proof using BAN logic and analyze the security validation using ProVerif. Additionally, compared with existing schemes, our scheme significantly reduces the computation delay on message signing and verification by at least 150 times. Meanwhile, the communication cost of our scheme achieves a reduction of nearly 25%.
Article
With an exponential increase in the popularity of Internet, the real-time data collected by various smart sensing devices can be analyzed remotely by a remote user (e.g., a manager) in the Industrial Internet of Things (IIoT). However, in the IIoT environment, the gathered real-time data is transmitted over the public channel, which raises the issues of security and privacy in this environment. Therefore, to protect illegal access by an adversary, user authentication mechanism is one of the promising security solutions in the IIoT environment. To achieve this goal, we propose a new user authenticated key agreement scheme in which only authorized users can access the services from the designated IoT sensing devices installed in the IIoT environment. In the proposed scheme, fuzzy extractor technique is used for biometric verification. Moreover, three factors, namely smart card, password and personal biometrics of a legal registered user are applied in the proposed scheme to increase the level of security in the system. The proposed scheme supports new devices addition after initial deployment of the devices, password/biometric change phase and also smart card revocation phase in case the smart card is lost or stolen by an adversary. In addition, the proposed scheme is lightweight in nature. We carry out the formal security analysis using the broadly accepted Real-Or-Random (ROR) model and also the non-mathematical (informal) security analysis on the proposed scheme. Furthermore, the formal security verification using the popularly-used AVISPA (Automated Validation of Internet Security Protocols and Applications) tool is carried out on the proposed scheme. The detailed security analysis assures that the proposed scheme can withstand several well-known attacks in the IIoT environment. A practical demonstration using the NS2 simulation study is also performed for the proposed scheme and other related existing schemes. 
Also, a detailed comparative study shows that the proposed scheme is efficient, and provides superior security in comparison to the other schemes.
Article
Modern mobile devices especially smartphones have rapidly evolved and are widely adopted by people of different ages. Smartphones can assist users in a variety of activities, i.e., from social networking to online shopping, but also have become an attractive target for cyber-criminals due to the stored personal data and sensitive information. The traditional authentication mechanisms like PIN suffer from well-known limitations and drawbacks in the security community; thus, touch behavioral authentication has recently received much attention. Intuitively, authentication based on free touches would be hard to build a stand-alone system. In this work, we advocate that such authentication can consider users’ actions under certain phone applications like web browser, and then propose a touch gesture-based authentication scheme, called TouchWB, with 21 features that can be extracted from web browsing gestures. For evaluation, we implemented the scheme on Android phones and conducted a user study involving 48 participants. Experimental results demonstrated that our approach could reduce the touch behavioral deviation by nearly half and achieve an average error rate of about 2.4% by using a combined classifier of PSO-RBFN.
Article
Ensuring secure access to sensitive information in a wireless sensor networks (WSNs) remains a topic of ongoing research challenge, partly due to the wide range of potential attacks and attack vectors. In this paper, we reveal a previously unpublished vulnerability in the authentication scheme for ad hoc WSN of Chang et al.'s. Specifically, we reveal that the authentication phase of the scheme does not defend against various known attacks. We then propose a robust authentication scheme for WSNs, designed to provide security against known active and passive attacks. We then evaluate the performance of the proposed scheme using AVISPA.