A Novel Smart Card Based User Authentication and Key Agreement Scheme for Heterogeneous Wireless Sensor Networks

Yanrong Lu (1,2) · Lixiang Li (1,2) · Haipeng Peng (1,2) · Yixian Yang (1,2)

Published online: 21 June 2017
Springer Science+Business Media New York 2017
Abstract Due to the open environment in which hierarchical wireless sensor networks (HWSNs) are typically deployed, it is important to authenticate transmitted data. In recent years, a number of smart-card-based user authentication schemes for HWSNs have been proposed. In 2014, Turkanović et al. proposed a novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks (HADWSNs). Their scheme is lightweight, requiring only the computation of hash functions. In this paper, we first analyze Turkanović et al.'s scheme and then demonstrate that it cannot really protect against user masquerade, off-line password guessing, and node capture attacks. To overcome these security weaknesses, we further propose an advanced smart card based user authentication scheme that inherits the original merits of their scheme. Through informal and formal security analysis, we demonstrate that our scheme is resilient to possible known attacks, including the attacks found in Turkanović et al.'s scheme. In addition, we compare the proposed scheme with related ones to prove that the computation cost of the proposed scheme is well suited to practical applications in HADWSNs.
Keywords Authentication · Ad hoc · Cryptanalysis · Smart cards · Wireless sensor networks
Corresponding author: Lixiang Li, li_lixiang2006@163.com
1 Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
2 State Key Laboratory of Public Big Data, Guizhou 550025, China
Wireless Pers Commun (2017) 96:813–832
DOI 10.1007/s11277-017-4203-6
1 Introduction
Wireless sensor networks (WSNs) have achieved great success in a variety of applications, such as military, environmental and health applications [1]. Generally, two architectures are available for WSNs: the distributed flat one and the hierarchical one. The hierarchical architecture is more energy-efficient and has more operational advantages than the flat one [2]. Hierarchical wireless sensor networks (HWSNs) consist of a large number of sensor nodes with resource constraints such as memory capacity, computation capability, bandwidth and energy consumption [3–6]. Sensor nodes communicate with each other within their communication ranges and finally communicate with the nearby gateway node (GWN) via a one-hop or multi-hop path. Sensor nodes are deployed in an ad hoc manner, randomly scattered over a region. The function of the GWN is to gather and process the data in order to achieve certain goals.
Considering that WSNs are mostly inaccessible and sometimes deployed in hostile environments, and that all transmission is wireless, user authentication becomes an essential security mechanism to authorize external users and to protect the system's security and privacy from malicious attackers. In the recent literature, numerous user authentication schemes have been proposed for the security of WSNs. In 2004, Watro et al. [7] proposed a user authentication scheme for WSNs based on asymmetric cryptography. However, Das [8] and Yuan et al. [9] respectively pointed out that Watro et al.'s scheme is not only insecure against the man-in-the-middle attack but also needs a large energy consumption, and is therefore unsuitable for implementation. Later, other studies also provided user authentication schemes for WSNs [10–12].
Unfortunately, all of these schemes are based on asymmetric cryptography, which requires a large amount of computation and storage [13]. Therefore, public key cryptography does not fit the resource-starved setting of WSNs. In the presence of such limitations it becomes imperative to devise lightweight security solutions for WSNs. In 2006, Wong et al. [14] proposed a one-way hash-based user authentication scheme. However, Das and Yuan et al. showed that Wong et al.'s scheme is susceptible to the many-logged-in-users-with-the-same-login-id attack and the stolen-verifier attack. To remove these security weaknesses of Wong et al.'s scheme, Das proposed a robust mutual authentication scheme with the help of the GWN. Nevertheless, Huang et al. [15], He et al. [16], and Nyang et al. [17] respectively found that Das's scheme cannot achieve mutual authentication and user anonymity, and fails to resist multiple attacks such as denial of service and node capture. To tackle these problems, improvements of Das's scheme have been proposed. Meanwhile, Khan et al. [18] also showed that Das's scheme is not resilient against GW-node bypassing and privileged-insider attacks, and then presented an improvement of Das's scheme. But Vaidya et al. [19] later showed that Khan et al.'s scheme is still vulnerable to several attacks and proposed an enhanced scheme to solve these problems. Another simple user authentication and key agreement scheme for WSNs using smart cards was proposed by Xue et al. [20]. However, Li et al. [21] and Turkanović et al. [22] found that Xue et al.'s scheme is not secure against several attacks, such as stolen-verifier, off-line password guessing, stolen smart card and node capture, while it requires more computation and communication costs. Moreover, Li et al. proposed a robust password-based scheme which improves security over Xue et al.'s scheme.
As one of the architectures of WSNs, HWSNs have also attracted much research attention. In 2011, Fan et al. [23] proposed the first password authentication scheme based on a smart card and a one-way hash function for HWSNs, which is claimed to protect against many types of security attacks, such as smart card security breach, off-line password guessing, replay and impersonation attacks. After that, Das et al. [24] also presented a novel smart card based user authentication scheme for HWSNs that provides the user with access to real-time data by authorizing him directly at the node level. The authors claimed that their scheme resists several attacks, such as privileged-insider, denial-of-service, node capture and smart card security breach attacks, and provides mutual authentication. Unfortunately, Wang et al. [25] pointed out that Fan et al.'s scheme cannot preserve user anonymity and is vulnerable to the smart card security breach attack, and that Das et al.'s scheme fails to achieve its claimed security goals, such as resistance to the smart card breach attack and the privileged-insider attack, and easily suffers from the problem of server master key disclosure. Recently, Turkanović et al. [26] proposed a novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks (HADWSNs). This proposal also involves only lightweight operations, such as one-way hash functions and exclusive-or operations, which is well suited to large-scale resource-limited sensor networks. It provides security features such as password protection, mutual authentication and session key agreement, and has less computation overhead. The authors claimed that their scheme is free from various related cryptographic attacks, such as smart card security breach, replay and user impersonation.
In this paper, we analyze the recently proposed Turkanović et al. scheme for HADWSNs and demonstrate its weaknesses. We find that Turkanović et al.'s scheme actually cannot resist smart card security breach and user masquerade attacks. We also identify that this scheme fails to protect against off-line password guessing and node capture attacks. We present an advanced scheme which is able to withstand all the possible attacks where Turkanović et al.'s scheme fails, while keeping the original merits of their scheme, and which has less computational overhead in comparison with Turkanović et al.'s scheme. The authenticity of our scheme is validated by a useful formal model called BAN logic [27], which is adopted to prove that a session key between two communicating parties can be correctly generated within the authentication process. Through formal security analysis, we show that our scheme is secure against various known attacks, including the attacks found in Turkanović et al.'s scheme.
The rest of the paper is organized as follows: In Sect. 2, we review Turkanović et al.'s scheme, and Sect. 3 shows its security weaknesses. In Sect. 4, we propose an enhanced authentication scheme for HADWSNs to overcome these security weaknesses. We present the analysis of our scheme in Sect. 5. We compare our scheme with previous schemes regarding security and performance in Sect. 6. We conclude in Sect. 7.
2 Review of Turkanović et al.'s Scheme
In this section, we briefly review Turkanović et al.'s user authentication and key agreement scheme for HADWSNs [26]. We first introduce the notations used within this paper, listed in Table 1. We then describe all the phases of Turkanović et al.'s scheme, which consists of the pre-deployment, registration, login and authentication (shown in Fig. 1), password updating, and dynamic node addition phases.
2.1 Pre-deployment Phase
Each sensor node $S_j$ is predefined with a randomly generated secure password-key $X_{GWN-S_j}$. GWN stores the secure password-key $X_{GWN}$ and the corresponding secret password-key $X_{GWN-S_j}$.
Fig. 1 Login and authentication phase of Turkanović et al.'s scheme

Table 1 Notations
$U_i, S_j, GWN$: User, sensor node, gateway node
$ID_i, SID_j$: Identity of $U_i$, $S_j$
$PW_i, PW_j$: Password of $U_i$, $S_j$
$c, d, X_{GWN}$: Master secret key of $U_i$, $S_j$, GWN
$X_{GWN-U_i}, X_{GWN-S_j}$: Secure number shared by GWN and $U_i$; by GWN and $S_j$
$h(\cdot)$: Hash function
$\oplus, \|$: Exclusive-or operation and concatenation operation

2.2 Registration Phase
The registration phase of $U_i$ is performed as follows:
1. $U_i$ selects his identity $ID_i$, password $PW_i$ and a random number $r_i$. $U_i$ then computes $MI_i = h(ID_i \| r_i)$, $MP_i = h(PW_i \| r_i)$ and sends $\{MI_i, MP_i\}$ to GWN.
2. GWN computes $f_i = h(MI_i \| X_{GWN})$, $x_i = h(MP_i \| X_{GWN-U_i})$, $e_i = f_i \oplus x_i$, stores $\{MI_i, e_i, f_i, X_{GWN-U_i}\}$ into the smart card $SC_i$, and sends it to $U_i$.
3. $U_i$ adds $r_i$ into $SC_i$. Thus, $SC_i$ stores the values $\{r_i, MI_i, e_i, f_i, X_{GWN-U_i}\}$.
The registration phase of $S_j$ is performed as follows:
1. $S_j$ generates a random number $r_j$ and computes $MP_j = h(r_j \| SID_j \| X_{GWN-S_j})$, $MN_j = r_j \oplus X_{GWN-S_j}$, $RMP_j = MP_j \oplus MN_j$. Then, $S_j$ sends $\{SID_j, RMP_j, MN_j, T_1\}$ to GWN, where $T_1$ is the current timestamp.
2. Upon receiving the registration message, GWN first checks whether $|T_1 - T_c| < \Delta T$, where $T_c$ is the current timestamp of the GWN. If the check passes, GWN then computes $MP_j = RMP_j \oplus MN_j$, $r'_j = MN_j \oplus X_{GWN-S_j}$, $MP'_j = h(r'_j \| SID_j \| X_{GWN-S_j})$ and checks $MP_j \stackrel{?}{=} MP'_j$. If the equality holds, GWN computes $f_j = h(SID_j \| X_{GWN})$, $x_j = h(MP_j \| X_{GWN-S_j})$, $e_j = f_j \oplus x_j$ and submits $\{e_j, f_j, T_2\}$ to $S_j$, where $T_2$ is the current timestamp.
3. $S_j$ first checks whether $|T_2 - T_c| < \Delta T$, where $T_c$ is the current timestamp of $S_j$. If the check holds, $S_j$ then stores $\{e_j, f_j\}$ in its database.
2.3 Login Phase and Authentication Phase
1. $U_i$ inserts his smart card $SC_i$ into a card reader and inputs the password $PW'_i$. $SC_i$ computes $x'_i = f_i \oplus h(h(PW'_i \| r_i) \| X_{GWN-U_i})$ and checks whether the computed $x'_i$ equals the stored $x_i$. If the verification succeeds, $SC_i$ generates a random number $K_i$ and computes $N_i = h(x_i \| X_{GWN-U_i} \| T_1)$, $Z_i = f_i \oplus K_i$. Then, $SC_i$ sends $\{MI_i, e_i, N_i, Z_i, T_1\}$ to $S_j$, where $T_1$ is the current timestamp.
2. When receiving the login request, $S_j$ first checks whether $|T_1 - T_c| < \Delta T$, where $T_c$ is the current timestamp of $S_j$. If the check holds, $S_j$ then computes $x_j = e_j \oplus f_j$, $A_j = h(X_{GWN-S_j} \| T_1 \| T_2) \oplus x_j$ and sends $\{MI_i, e_i, N_i, Z_i, T_1, SID_j, A_j, e_j\}$ to GWN.
3. Upon receiving the message from $S_j$, GWN first checks whether $|T_2 - T_c| < \Delta T$, where $T_c$ is the current timestamp of the GWN. If it is correct, GWN then computes $f'_j = h(SID_j \| X_{GWN})$, $x'_j = e_j \oplus f'_j$, $x_j = A_j \oplus h(X_{GWN-S_j} \| T_1 \| T_2)$, and checks $x'_j \stackrel{?}{=} x_j$. Similarly, GWN continues to compute $f'_i = h(MI_i \| X_{GWN})$, $x'_i = e_i \oplus f'_i$, $Q_i = h(x'_i \| X_{GWN-U_i} \| T_1)$, and checks $N_i \stackrel{?}{=} Q_i$. If both equations hold, GWN computes $F_{ij} = f'_i \oplus h(f'_j \| X_{GWN-S_j})$, $H_j = h(f'_j \| X_{GWN-S_j} \| T_1 \| T_2 \| T_3)$, $S_i = h(Q_i \| T_1 \| T_2 \| T_3)$ and sends back the authentication message $\{F_{ij}, H_j, S_i, T_1, T_2, T_3\}$ to $S_j$, where $T_3$ is the current timestamp.
4. Upon receiving the message from GWN, $S_j$ first checks the freshness of $T_3$ against its current timestamp $T_c$ and whether $H'_j = h(f_j \| X_{GWN-S_j} \| T_1 \| T_2 \| T_3) \stackrel{?}{=} H_j$. If both checks hold, $S_j$ then generates a random number $K_j$ and computes $f'_i = h(f_j \| X_{GWN-S_j}) \oplus F_{ij}$, $K_i = Z_i \oplus f'_i$, $R_{ij} = h(f'_i \| SID_j \| T_1 \| T_2 \| T_3 \| T_4) \oplus K_j$. Finally, $S_j$ sends $\{R_{ij}, S_i, T_1, T_2, T_3, T_4\}$ to $U_i$, where $T_4$ is the current timestamp.
5. When receiving the message from $S_j$, $U_i$ first checks the freshness of $T_4$ against its current timestamp $T_c$ and whether $S'_i = h(h((e_i \oplus f_i) \| X_{GWN-U_i} \| T_1) \| T_1 \| T_2 \| T_3) \stackrel{?}{=} S_i$. If both checks hold, $U_i$ then computes $K_j = h(f_i \| SID_j \| T_1 \| T_2 \| T_3 \| T_4) \oplus R_{ij}$. Finally, a session key $SK_{ij} = h(K_i \oplus K_j)$ is established between $U_i$ and $S_j$.
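To make the message flow of Sects. 2.2 and 2.3 concrete, the following Python model (an added example; not code from this paper or from Turkanović et al.) runs one registration and one login/authentication session and checks that $U_i$ and $S_j$ end up with the same $SK_{ij}$. It assumes SHA-256 as $h(\cdot)$, 32-byte random values for all secrets and nonces, an 8-byte timestamp encoding and a $\Delta T$ of 5 seconds; it omits the timestamp exchange of the sensor registration, models the card's password check as recomputing $h(h(PW_i \| r_i) \| X_{GWN-U_i})$ and comparing it with $e_i \oplus f_i$, and lets $U_i$ recompute $Q_i$ from its stored values to check $S_i$. All function and variable names are the model's own.

```python
import hashlib
import secrets
import time

DELTA_T = 5  # allowed transmission delay in seconds (assumed value)

def h(*parts: bytes) -> bytes:  # h(a || b || ...), SHA-256 assumed
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:  # exclusive-or of two equal-length values
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def now() -> bytes:  # timestamp T as 8 big-endian bytes (assumed encoding)
    return int(time.time()).to_bytes(8, "big")

def is_fresh(t: bytes, t_c: bytes) -> bool:  # the |T - T_c| < Delta T check
    return abs(int.from_bytes(t_c, "big") - int.from_bytes(t, "big")) < DELTA_T

def register_user(id_i: bytes, pw_i: bytes, x_gwn: bytes, x_gwn_ui: bytes) -> dict:
    """Sect. 2.2, user part: returns the smart card contents {r_i, MI_i, e_i, f_i, X_GWN-Ui}."""
    r_i = secrets.token_bytes(32)
    mi_i, mp_i = h(id_i, r_i), h(pw_i, r_i)      # U_i -> GWN: {MI_i, MP_i}
    f_i = h(mi_i, x_gwn)                         # GWN: f_i, x_i and e_i = f_i xor x_i
    e_i = xor(f_i, h(mp_i, x_gwn_ui))
    return {"r_i": r_i, "MI_i": mi_i, "e_i": e_i, "f_i": f_i, "X_GWN_Ui": x_gwn_ui}

def register_sensor(sid_j: bytes, x_gwn: bytes, x_gwn_sj: bytes) -> dict:
    """Sect. 2.2, sensor part (timestamp exchange omitted): S_j keeps {e_j, f_j}."""
    mp_j = h(secrets.token_bytes(32), sid_j, x_gwn_sj)   # MP_j = h(r_j || SID_j || X_GWN-Sj)
    f_j = h(sid_j, x_gwn)
    e_j = xor(f_j, h(mp_j, x_gwn_sj))
    return {"SID_j": sid_j, "e_j": e_j, "f_j": f_j, "X_GWN_Sj": x_gwn_sj}

def user_login(card: dict, pw_i: bytes, t1: bytes):
    """Step 1: SC_i checks the password, then sends {MI_i, e_i, N_i, Z_i, T_1} to S_j."""
    x_i = xor(card["e_i"], card["f_i"])          # x_i = e_i xor f_i
    if h(h(pw_i, card["r_i"]), card["X_GWN_Ui"]) != x_i:
        raise ValueError("password check failed")
    k_i = secrets.token_bytes(32)
    n_i = h(x_i, card["X_GWN_Ui"], t1)
    z_i = xor(card["f_i"], k_i)
    return k_i, {"MI_i": card["MI_i"], "e_i": card["e_i"], "N_i": n_i, "Z_i": z_i, "T1": t1}

def sensor_forward(node: dict, m1: dict, t2: bytes) -> dict:
    """Step 2: S_j checks T_1 and appends {SID_j, A_j, e_j, T_2} for GWN."""
    if not is_fresh(m1["T1"], t2):
        raise ValueError("T_1 is stale")
    a_j = xor(h(node["X_GWN_Sj"], m1["T1"], t2), xor(node["e_j"], node["f_j"]))
    return {**m1, "SID_j": node["SID_j"], "A_j": a_j, "e_j": node["e_j"], "T2": t2}

def gwn_authenticate(x_gwn: bytes, x_gwn_ui: bytes, x_gwn_sj: bytes, m2: dict, t3: bytes) -> dict:
    """Step 3: GWN verifies S_j (x'_j = x_j) and U_i (N_i = Q_i), then issues {F_ij, H_j, S_i}."""
    t1, t2 = m2["T1"], m2["T2"]
    if not is_fresh(t2, t3):
        raise ValueError("T_2 is stale")
    f_j = h(m2["SID_j"], x_gwn)
    if xor(m2["e_j"], f_j) != xor(m2["A_j"], h(x_gwn_sj, t1, t2)):
        raise ValueError("sensor node check failed")
    f_i = h(m2["MI_i"], x_gwn)
    q_i = h(xor(m2["e_i"], f_i), x_gwn_ui, t1)
    if m2["N_i"] != q_i:
        raise ValueError("user check failed")
    return {"F_ij": xor(f_i, h(f_j, x_gwn_sj)), "H_j": h(f_j, x_gwn_sj, t1, t2, t3),
            "S_i": h(q_i, t1, t2, t3), "T1": t1, "T2": t2, "T3": t3}

def sensor_finish(node: dict, m1: dict, m3: dict, t4: bytes):
    """Step 4: S_j checks H_j, recovers K_i from F_ij and Z_i, picks K_j, sends {R_ij, S_i, T_1..T_4}."""
    t1, t2, t3 = m3["T1"], m3["T2"], m3["T3"]
    if not is_fresh(t3, t4) or m3["H_j"] != h(node["f_j"], node["X_GWN_Sj"], t1, t2, t3):
        raise ValueError("GWN check failed")
    f_i = xor(h(node["f_j"], node["X_GWN_Sj"]), m3["F_ij"])
    k_i = xor(m1["Z_i"], f_i)
    k_j = secrets.token_bytes(32)
    r_ij = xor(h(f_i, node["SID_j"], t1, t2, t3, t4), k_j)
    return h(xor(k_i, k_j)), {"R_ij": r_ij, "S_i": m3["S_i"], "T1": t1, "T2": t2, "T3": t3, "T4": t4}

def user_finish(card: dict, sid_j: bytes, k_i: bytes, m4: dict, t_c: bytes) -> bytes:
    """Step 5: U_i checks T_4 and S_i, recovers K_j and derives SK_ij = h(K_i xor K_j)."""
    t1, t2, t3, t4 = m4["T1"], m4["T2"], m4["T3"], m4["T4"]
    q_i = h(xor(card["e_i"], card["f_i"]), card["X_GWN_Ui"], t1)
    if not is_fresh(t4, t_c) or m4["S_i"] != h(q_i, t1, t2, t3):
        raise ValueError("S_i check failed")
    k_j = xor(h(card["f_i"], sid_j, t1, t2, t3, t4), m4["R_ij"])
    return h(xor(k_i, k_j))

def run_session(pw_register: bytes = b"correct horse", pw_login: bytes = b"correct horse"):
    """One full run with constructed secrets; returns (SK_ij at U_i, SK_ij at S_j)."""
    x_gwn, x_gwn_ui, x_gwn_sj = (secrets.token_bytes(32) for _ in range(3))
    card = register_user(b"user-alice", pw_register, x_gwn, x_gwn_ui)
    node = register_sensor(b"sensor-07", x_gwn, x_gwn_sj)
    t = now()                                     # all four timestamps fall within Delta T
    k_i, m1 = user_login(card, pw_login, t)
    m2 = sensor_forward(node, m1, t)
    m3 = gwn_authenticate(x_gwn, x_gwn_ui, x_gwn_sj, m2, t)
    sk_sensor, m4 = sensor_finish(node, m1, m3, t)
    return user_finish(card, node["SID_j"], k_i, m4, t), sk_sensor
```

Calling `run_session()` returns two equal 32-byte keys; a wrong login password is rejected by `user_login`, and a login request carrying a timestamp older than $\Delta T$ is rejected by `sensor_forward`. Note that after the local password check, every value in the login request is computed from the card contents and the timestamp alone.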
2.4 Password Updating Phase
A user inputs his $ID_i$ and $PW'_i$. $SC_i$ checks whether $x'_i = f_i \oplus h(h(PW'_i \| r_i) \| X_{GWN-U_i}) \stackrel{?}{=} x_i$. If $SC_i$ determines that they are equal, then the user can key in the new password $PW_i^{new}$. Subsequently, $SC_i$ computes $e_i^{new} = f_i \oplus h(h(PW_i^{new} \| r_i) \| X_{GWN-U_i})$ and replaces $e_i$ with $e_i^{new}$.
2.5 Dynamic Node Addition Phase
Since this phase has little relevance to our discussion, we omit it.
3 Cryptanalysis of Turkanović et al.'s Scheme
Turkanović et al. argued that their scheme is robust and free from user masquerade and stolen smart card attacks. In fact, based on our security analysis, we observe that Turkanović et al.'s scheme is insecure with respect to these security requirements and still has a number of serious deficiencies. The possible attacks are described as follows.
3.1 Off-Line Password Guessing Attack
Turkanović et al. claimed that the stolen smart card attack is resisted since $\mathcal{A}$ cannot know $U_i$'s password $PW_i$ because of the one-way hash function. However, we found that $U_i$'s password $PW_i$ can be derived by an off-line password guessing attack. Consider that $\mathcal{A}$ has found or stolen the smart card of a legitimate $U_i$. That is, $\mathcal{A}$ can read [28, 29] the secret information $\{MI_i, r_i, e_i, f_i, X_{GWN-U_i}\}$ from it. Then, he can guess secret parameters such as the identity $ID_i$ and the password $PW_i$ of the corresponding $U_i$, and the secure password $X_{GWN}$ of GWN, in an off-line manner by performing the following steps:
(1) $\mathcal{A}$ guesses an identity $ID'_i$ and calculates $MI'_i = h(ID'_i \| r_i)$. Then, $\mathcal{A}$ compares the result $MI'_i$ with the eavesdropped $MI_i$.
(2) $\mathcal{A}$ guesses a password $X'_{GWN}$ and computes $f'_i = h(MI_i \| X'_{GWN})$. Then, $\mathcal{A}$ compares the result $f'_i$ with the intercepted $f_i$.
(3) $\mathcal{A}$ retrieves $x_i$ by computing $x_i = e_i \oplus f_i$.
(4) By (2) and (3), $\mathcal{A}$ continues to guess a password $PW'_i$ and computes $x'_i = h(h(PW'_i \| r_i) \| X_{GWN})$. After that, $\mathcal{A}$ compares the result $x'_i$ with the retrieved $x_i$.
Having $U_i$'s password, $\mathcal{A}$ can not only impersonate a legal user of the system, but can also cheat $U_i$ and $S_j$ by masquerading as the legal GWN.
3.2 User Masquerade Attack
In the analysis of their scheme, Turkanović et al. state that $\mathcal{A}$ cannot masquerade as the legitimate user since he cannot get $PW_i$ from the stolen smart card, and that $\mathcal{A}$ cannot compute the session key even if he eavesdrops on a legitimate user's authentication message; therefore, they conclude, their scheme withstands the user masquerade attack. However, after careful analysis we find that this is not the case: any $\mathcal{A}$ can use the stolen smart card information $\{MI_i, r_i, e_i, f_i, X_{GWN-U_i}\}$ to fool $S_j$ and GWN at any time after intercepting the corresponding login request $\{MI_i, e_i, Z_i, N_i, T_1\}$. Finally, $\mathcal{A}$ can further construct the common session key $SK_{ij}$ shared with any other $S_j$ and the related GWN. The attack proceeds in the following manner:
1. $\mathcal{A}$ acquires the current timestamp $T'_1$, generates a random number $K'_i$ and computes $N'_i = h((e_i \oplus f_i) \| X_{GWN-U_i} \| T'_1)$, $Z'_i = K'_i \oplus f_i$. $\mathcal{A}$ sends $\{MI_i, e_i, Z'_i, N'_i, T'_1\}$ to $S_j$. Clearly, this login request will be accepted by $S_j$ because it is computed using the fresh timestamp $T'_1$. Using the current timestamp $T_2$, $S_j$ computes $x_j$, $A_j$ and transmits $\{MI_i, e_i, N'_i, T'_1, T_2, SID_j, e_j, A_j\}$ to GWN.
2. GWN surely authenticates $U_i$, since the equality $N'_i = Q_i$ will hold: $Q_i = h((e_i \oplus h(MI_i \| X_{GWN})) \| X_{GWN-U_i} \| T'_1)$ computed by GWN will be equal to $N'_i = h((e_i \oplus f_i) \| X_{GWN-U_i} \| T'_1)$ by virtue of the stolen numbers $(e_i, f_i, X_{GWN-U_i})$ stored in the smart card. Then, GWN acquires the current timestamp $T_3$, computes $(F_{ij}, H_j, S_i)$ and sends $\{F_{ij}, H_j, S_i, T'_1, T_2, T_3\}$ to $S_j$, where $F_{ij} = f_i \oplus h(f_j \| X_{GWN-S_j})$, $H_j = h(f_j \| X_{GWN-S_j} \| T'_1 \| T_2 \| T_3)$, $S_i = h(Q_i \| T'_1 \| T_2 \| T_3)$.
3. After checking the correctness of $H_j$ and the freshness of $T_3$, $S_j$ derives $f_i$ and $K'_i$ by using $F_{ij}$ and $Z'_i$. Then, $S_j$ generates a random number $K_j$ and computes $R_{ij} = h(f_i \| SID_j \| T'_1 \| T_2 \| T_3 \| T_4) \oplus K_j$, $SK_{ij} = h(K'_i \oplus K_j)$, where $T_4$ is the current timestamp. Finally, $S_j$ sends $\{S_i, R_{ij}, T'_1, T_2, T_3, T_4\}$ to $\mathcal{A}$, who is masquerading as a legal $U_i$.
4. When receiving the message from $S_j$, $\mathcal{A}$ first verifies whether $S'_i = h(h((e_i \oplus f_i) \| X_{GWN-U_i} \| T'_1) \| T'_1 \| T_2 \| T_3)$ is equal to the received $S_i$ and checks the freshness of $T_4$. If both conditions hold, $\mathcal{A}$ then derives $K_j$ by computing $K_j = R_{ij} \oplus h(f_i \| SID_j \| T'_1 \| T_2 \| T_3 \| T_4)$ and computes the common session key $SK_{ij} = h(K'_i \oplus K_j)$.
In this way, $\mathcal{A}$ successfully cheats $S_j$ and GWN and agrees on the common session key, while $S_j$ and GWN mistakenly believe that they are communicating with the legitimate user $U_i$. This results in harmful scenarios, since the session key is used to encrypt the following packets to keep the communication confidential. Having the common session key, $\mathcal{A}$ can not only impersonate a legal $U_i$/$S_j$ of the system, but can also decrypt the encrypted data sent from $U_i$/$S_j$ without being noticed.
3.3 Node Capture Attack
In Turkanović et al.'s scheme, each sensor node holds the same information $X_{GWN-S_j}$, which gives a malicious sensor node $\mathcal{A}$ the chance to impersonate another sensor node and cheat any legal user and GWN; hence Turkanović et al.'s scheme cannot withstand this kind of attack. The reason is as follows.
1. $\mathcal{A}$ intercepts the message $\{MI_i, e_i, N_i, T_1, T_2, SID_j, e_j, A_j\}$ exchanged over the network and derives $x_j = A_j \oplus h(X_{GWN-S_j} \| T_1 \| T_2)$, $f_j = e_j \oplus x_j$ by using the stolen information. After that, $\mathcal{A}$ computes $A'_j = x_j \oplus h(X_{GWN-S_j} \| T_1 \| T'_2)$, where $T'_2$ is the current time of $\mathcal{A}$. Then, $\mathcal{A}$ delivers $\{MI_i, e_i, N_i, T_1, T'_2, SID_j, e_j, A'_j\}$ to GWN.
2. After passing the timeliness verification of $T'_2$, GWN computes $x_j = e_j \oplus h(SID_j \| X_{GWN})$, $x'_j = A'_j \oplus h(X_{GWN-S_j} \| T_1 \| T'_2)$ and checks whether $x_j \stackrel{?}{=} x'_j$. If it is true, GWN confirms that $\mathcal{A}$ is a legitimate sensor node. Then, GWN acquires the current timestamp $T_3$ and sends $\{F_{ij}, H_j, S_i, T_1, T'_2, T_3\}$ to $\mathcal{A}$ after carrying out a series of computations and verifications.
3. After receiving the message from GWN, $\mathcal{A}$ checks whether the transmission delay is within the allowed time interval $\Delta T$. If $|T_3 - T_c| < \Delta T$, $\mathcal{A}$ computes $H'_j = h(f_j \| X_{GWN-S_j} \| T_1 \| T'_2 \| T_3)$ and checks whether $H'_j$ is equal to the received $H_j$. If it is equal, $\mathcal{A}$ continues to compute $f_i = F_{ij} \oplus h(f_j \| X_{GWN-S_j})$, $K_i = Z_i \oplus f_i$. After that, $\mathcal{A}$ generates a random number $K'_j$, computes $R'_{ij} = h(f_i \| SID_j \| T_1 \| T'_2 \| T_3 \| T'_4) \oplus K'_j$, $SK_{ij} = h(K_i \oplus K'_j)$, and sends $\{S_i, R'_{ij}, T_1, T'_2, T_3, T'_4\}$ to $U_i$.
4. After receiving the message and passing the timeliness verification of $T'_4$, $U_i$ computes $S'_i = h(h((e_i \oplus f_i) \| X_{GWN-U_i} \| T_1) \| T_1 \| T'_2 \| T_3)$ and checks whether it is equal to the received $S_i$. If it is equal, $U_i$ then derives $K'_j$ by computing $K'_j = R'_{ij} \oplus h(f_i \| SID_j \| T_1 \| T'_2 \| T_3 \| T'_4)$.
In this way, $\mathcal{A}$, $U_i$ and $S_j$ "successfully" agree on a session key $SK_{ij} = h(K_i \oplus K'_j)$. But unfortunately $U_i$ and GWN mistakenly believe that they are communicating with the legitimate sensor node $S_j$. Using the session key, $\mathcal{A}$ can obtain all the confidential data that are transferred over the public channel.
4 The Proposed Scheme
This section discusses our proposed smart card based user authentication and key agreement scheme for HADWSNs. Our scheme consists of the following phases: registration, login and authentication (shown in Fig. 2), and password update.
Fig. 2 Login and authentication phase of our scheme
4.1 Registration Phase
The registration phase of $U_i$ is performed as follows:
1. $U_i$ selects his identity $ID_i$, password $PW_i$, and a random number $r_i$. Then, $U_i$ computes $MP_i = h(PW_i \| r_i)$ and sends $\{ID_i, MP_i\}$ to GWN.
2. Upon receiving the message from $U_i$, GWN computes $f_i = h(ID_i \| MP_i) \oplus X_{GWN}$, $e_i = h(ID_i \| X_{GWN-U_i})$, $x_i = e_i \oplus MP_i$, where $X_{GWN}$ is the secure key of GWN. Then, GWN stores $f_i$ and submits $\{x_i, X_{GWN-U_i}\}$ to $U_i$.
3. $U_i$ computes $C_i = X_{GWN-U_i} \oplus c$ and stores the values $\{C_i, x_i, h(\cdot)\}$ into $SC_i$, where $c$ is the secret key of $U_i$.
The registration phase of $S_j$ is performed as follows:
1. $S_j$ selects a password $PW_j$ and a random number $r_j$. Then, $S_j$ computes $MP_j = h(PW_j \| r_j)$ and sends $\{SID_j, MP_j\}$ to GWN.
2. Upon receiving the message from $S_j$, GWN computes $f_j = h(SID_j \| MP_j) \oplus X_{GWN}$, $e_j = h(SID_j \| X_{GWN-S_j})$, $x_j = e_j \oplus MP_j$. Then, GWN submits $\{x_j, X_{GWN-S_j}\}$ to $S_j$.
3. $S_j$ computes $D_j = X_{GWN-S_j} \oplus d$ and stores $\{x_j, D_j\}$, where $d$ is the secret key of $S_j$.
4.2 Login and Authentication Phase
1. $U_i$ inserts his smart card $SC_i$ into the device and enters his identity $ID_i$ and password $PW_i$. Then, $SC_i$ validates whether $x'_i = h(ID_i \| X_{GWN-U_i}) \oplus h(PW_i \| r_i)$ is equal to the stored $x_i$. If the check holds, $SC_i$ generates a random number $K_i$ and computes $P_{U_i-GWN} = h((C_i \oplus c) \| h(ID_i \| MP_i))$, $N_i = P_{U_i-GWN} \oplus h(ID_i \| MP_i)$, $Z_i = P_{U_i-GWN} \oplus K_i \oplus (C_i \oplus c)$. Finally, $U_i$ submits $\{Z_i, N_i\}$ to $S_j$.
2. Upon receiving the message from $U_i$, $S_j$ first generates a random number $K_j$ and computes $P_{S_j-GWN} = h((D_j \oplus d) \| h(SID_j \| MP_j))$, $e_j = P_{S_j-GWN} \oplus h(SID_j \| MP_j)$, $A_j = P_{S_j-GWN} \oplus K_j \oplus (D_j \oplus d)$. Then, $S_j$ sends the authentication message $\{Z_i, N_i, A_j, e_j\}$ to GWN.
3. When GWN receives the message from $S_j$, GWN computes $P_{U_i-GWN} = h(X_{GWN-U_i} \| (f_i \oplus X_{GWN}))$ by using the stored values $(X_{GWN-U_i}, f_i, X_{GWN})$ and $P'_{U_i-GWN} = N_i \oplus f_i \oplus X_{GWN}$ by using the received value $N_i$, and then verifies whether they are equal. Similarly, GWN computes $P_{S_j-GWN} = h(X_{GWN-S_j} \| (f_j \oplus X_{GWN}))$ by using the stored values $(X_{GWN-S_j}, f_j, X_{GWN})$ and $P'_{S_j-GWN} = e_j \oplus f_j \oplus X_{GWN}$ by using the received value $e_j$, and then verifies whether they are equal. If they are equal, GWN derives $K_i$ and $K_j$ by computing $Z_i \oplus P_{U_i-GWN} \oplus X_{GWN-U_i}$ and $A_j \oplus P_{S_j-GWN} \oplus X_{GWN-S_j}$, respectively. Then, GWN computes $S_i = h(K_i \| (f_i \oplus X_{GWN}))$, $H_j = h(K_j \| (f_j \oplus X_{GWN}))$, $F_{ij} = K_i \oplus K_j \oplus h(K_j \| P_{S_j-GWN})$, $R_{ij} = K_i \oplus K_j \oplus h(K_i \| P_{U_i-GWN})$. Finally, GWN sends back the authentication message $\{H_j, S_i, F_{ij}, R_{ij}\}$ to $S_j$.
4. After receiving the message from GWN, $S_j$ first computes $H'_j = h(K_j \| (f_j \oplus X_{GWN}))$ and checks whether it is equal to the received value $H_j$. If it holds, $S_j$ then retrieves $K_i$ by computing $F_{ij} \oplus K_j \oplus h(K_j \| P_{S_j-GWN})$. Finally, $S_j$ delivers $\{R_{ij}, S_i\}$ to $U_i$.
5. When receiving the message from $S_j$, $U_i$ also verifies the correctness of $S'_i = h(K_i \| (f_i \oplus X_{GWN}))$ against the received value $S_i$. Then, $U_i$ derives $K_j$ by computing $R_{ij} \oplus K_i \oplus h(K_i \| P_{U_i-GWN})$. Finally, a session key $SK_{ij} = h(K_i \oplus K_j)$ is established between $U_i$ and $S_j$.
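As an added example (not code from this paper), the following Python model runs the registration and login/authentication phases of Sects. 4.1 and 4.2 end to end and checks that $U_i$ and $S_j$ derive the same $SK_{ij}$ while both of GWN's equality checks pass. It assumes SHA-256 as $h(\cdot)$ and 32-byte secrets and nonces; it also makes three assumptions the page leaves open: the card additionally stores $r_i$ (the check in step 1 of Sect. 4.2 needs it), the sensor keeps $MP_j$ so that it can recompute $h(SID_j \| MP_j)$, and GWN is handed the stored records $(f_i, X_{GWN-U_i})$ and $(f_j, X_{GWN-S_j})$ explicitly, since the message $\{Z_i, N_i, A_j, e_j\}$ carries no identifier by which GWN could look them up. All function and variable names are the model's own.

```python
import hashlib
import secrets

def h(*parts: bytes) -> bytes:  # h(a || b || ...), SHA-256 assumed
    return hashlib.sha256(b"".join(parts)).digest()

def xor(*vals: bytes) -> bytes:  # exclusive-or of any number of equal-length values
    out = bytes(len(vals[0]))
    for v in vals:
        out = bytes(x ^ y for x, y in zip(out, v))
    return out

def register_user(id_i, pw_i, x_gwn, x_gwn_ui, c):
    """Sect. 4.1, user part: returns (smart card contents, record kept by GWN)."""
    r_i = secrets.token_bytes(32)
    mp_i = h(pw_i, r_i)                       # U_i -> GWN: {ID_i, MP_i}
    f_i = xor(h(id_i, mp_i), x_gwn)           # GWN stores f_i
    x_i = xor(h(id_i, x_gwn_ui), mp_i)        # x_i = e_i xor MP_i, returned to U_i
    card = {"C_i": xor(x_gwn_ui, c), "x_i": x_i, "r_i": r_i}  # r_i on the card: assumption
    return card, {"f_i": f_i, "X_GWN_Ui": x_gwn_ui}

def register_sensor(sid_j, pw_j, x_gwn, x_gwn_sj, d):
    """Sect. 4.1, sensor part: returns (node state, record kept by GWN)."""
    mp_j = h(pw_j, secrets.token_bytes(32))   # MP_j = h(PW_j || r_j)
    f_j = xor(h(sid_j, mp_j), x_gwn)
    x_j = xor(h(sid_j, x_gwn_sj), mp_j)
    node = {"SID_j": sid_j, "D_j": xor(x_gwn_sj, d), "x_j": x_j, "MP_j": mp_j}
    return node, {"f_j": f_j, "X_GWN_Sj": x_gwn_sj}

def user_login(card, id_i, pw_i, c):
    """Step 1: card-side password check, then {Z_i, N_i}; returns (U_i state, message)."""
    x_gwn_ui = xor(card["C_i"], c)
    mp_i = h(pw_i, card["r_i"])
    if xor(h(id_i, x_gwn_ui), mp_i) != card["x_i"]:
        raise ValueError("password check failed")
    hid = h(id_i, mp_i)                       # equals f_i xor X_GWN on the GWN side
    p_ui = h(x_gwn_ui, hid)                   # P_Ui-GWN
    k_i = secrets.token_bytes(32)
    state = {"K_i": k_i, "P": p_ui, "hid": hid}
    return state, {"Z_i": xor(p_ui, k_i, x_gwn_ui), "N_i": xor(p_ui, hid)}

def sensor_forward(node, d, m1):
    """Step 2: S_j adds {A_j, e_j}; returns (S_j state, message to GWN)."""
    x_gwn_sj = xor(node["D_j"], d)
    hsid = h(node["SID_j"], node["MP_j"])     # equals f_j xor X_GWN on the GWN side
    p_sj = h(x_gwn_sj, hsid)                  # P_Sj-GWN
    k_j = secrets.token_bytes(32)
    state = {"K_j": k_j, "P": p_sj, "hsid": hsid}
    return state, {**m1, "A_j": xor(p_sj, k_j, x_gwn_sj), "e_j": xor(p_sj, hsid)}

def gwn_authenticate(x_gwn, urec, srec, m2):
    """Step 3: recompute P_Ui-GWN and P_Sj-GWN, compare them with the values unmasked
    from N_i and e_j, recover K_i and K_j, and issue {H_j, S_i, F_ij, R_ij}."""
    hid, hsid = xor(urec["f_i"], x_gwn), xor(srec["f_j"], x_gwn)
    p_ui, p_sj = h(urec["X_GWN_Ui"], hid), h(srec["X_GWN_Sj"], hsid)
    if xor(m2["N_i"], hid) != p_ui or xor(m2["e_j"], hsid) != p_sj:
        raise ValueError("GWN check failed")
    k_i = xor(m2["Z_i"], p_ui, urec["X_GWN_Ui"])
    k_j = xor(m2["A_j"], p_sj, srec["X_GWN_Sj"])
    return {"S_i": h(k_i, hid), "H_j": h(k_j, hsid),
            "F_ij": xor(k_i, k_j, h(k_j, p_sj)), "R_ij": xor(k_i, k_j, h(k_i, p_ui))}

def sensor_finish(state, m3):
    """Step 4: check H_j, recover K_i; returns (SK_ij at S_j, message to U_i)."""
    if m3["H_j"] != h(state["K_j"], state["hsid"]):
        raise ValueError("H_j check failed")
    k_i = xor(m3["F_ij"], state["K_j"], h(state["K_j"], state["P"]))
    return h(xor(k_i, state["K_j"])), {"R_ij": m3["R_ij"], "S_i": m3["S_i"]}

def user_finish(state, m4):
    """Step 5: check S_i, recover K_j, derive SK_ij = h(K_i xor K_j)."""
    if m4["S_i"] != h(state["K_i"], state["hid"]):
        raise ValueError("S_i check failed")
    k_j = xor(m4["R_ij"], state["K_i"], h(state["K_i"], state["P"]))
    return h(xor(state["K_i"], k_j))

def run_session(pw_login=b"correct horse", tamper=False):
    """Full run with constructed secrets; returns (SK_ij at U_i, SK_ij at S_j)."""
    x_gwn, x_gwn_ui, x_gwn_sj, c, d = (secrets.token_bytes(32) for _ in range(5))
    card, urec = register_user(b"user-alice", b"correct horse", x_gwn, x_gwn_ui, c)
    node, srec = register_sensor(b"sensor-07", b"node-pw", x_gwn, x_gwn_sj, d)
    ustate, m1 = user_login(card, b"user-alice", pw_login, c)
    sstate, m2 = sensor_forward(node, d, m1)
    if tamper:                                # flip one bit of N_i on the public channel
        m2["N_i"] = bytes([m2["N_i"][0] ^ 1]) + m2["N_i"][1:]
    m3 = gwn_authenticate(x_gwn, urec, srec, m2)
    sk_sensor, m4 = sensor_finish(sstate, m3)
    return user_finish(ustate, m4), sk_sensor
```

`run_session()` returns two equal keys; `run_session(tamper=True)` shows GWN's check on $N_i$ rejecting a modified message, and two independent runs produce different keys because $K_i$ and $K_j$ are fresh per session. The `hid` and `hsid` values make visible why $H_j$ and $S_i$ are checkable by the endpoints: $f_j \oplus X_{GWN}$ is exactly $h(SID_j \| MP_j)$ and $f_i \oplus X_{GWN}$ is exactly $h(ID_i \| MP_i)$.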
4.3 Password Updating Phase
$U_i$ first inserts his $SC_i$ into the device and provides his identity $ID_i$ and password $PW_i$. Then, $SC_i$ validates whether $x^*_i = h(ID_i \| X_{GWN-U_i}) \oplus h(PW_i \| r_i)$ is equal to the stored $x_i$. If they are not equal, $SC_i$ rejects the request; otherwise, $U_i$ keys in the new password $PW'_i$. Finally, $SC_i$ computes $x'_i = h(ID_i \| X_{GWN-U_i}) \oplus h(PW'_i \| r_i)$ and replaces $x_i$ by $x'_i$.
5 Security Analysis of Our Advanced Scheme
In this section, we first adopt the BAN logic [27] mechanism to prove that a session key between the communicating parties can be correctly generated within the authentication process. Then, we conduct both formal and informal analysis of the proposed scheme.
5.1 Verifying the Authentication Scheme with BAN Logic
First, we introduce some notations and logical postulates of BAN logic that we will use for our scheme (Table 2).

Table 2 BAN logic notations
$A \mid\equiv X$: $A$ believes a statement $X$
$A \xleftrightarrow{K} B$: $A$ and $B$ share a key $K$
$\#X$: $X$ is fresh
$A \triangleleft X$: $A$ sees $X$
$A \Rightarrow X$: $A$ controls $X$
$A \mid\sim X$: $A$ said $X$
$(X, Y)$: The formula $X$ or $Y$ is one part of the formula $(X, Y)$
$\langle X, Y\rangle_K$: $X$ and $Y$ are encrypted with the key $K$

(1) BAN logical postulates
a. Message-meaning rule: $\dfrac{A \mid\equiv A \xleftrightarrow{K} B,\; A \triangleleft \langle X\rangle_K}{A \mid\equiv B \mid\sim X}$: if $A$ believes that the key $K$ is shared by $A$ and $B$, and sees $X$ encrypted with $K$, then $A$ believes that $B$ once said $X$.
b. Fresh conjuncatenation rule: $\dfrac{A \mid\equiv \#(X)}{A \mid\equiv \#(X, Y)}$: if the principal $A$ believes the freshness of $X$, then $A$ believes the freshness of $(X, Y)$.
c. Belief rule: $\dfrac{A \mid\equiv X,\; A \mid\equiv Y}{A \mid\equiv (X, Y)}$: if $A$ believes $X$ and $Y$, then $A$ believes $(X, Y)$.
d. Nonce-verification rule: $\dfrac{A \mid\equiv \#(X),\; A \mid\equiv B \mid\sim X}{A \mid\equiv B \mid\equiv X}$: if $A$ believes that $X$ could have been uttered only recently and that $B$ once said $X$, then $A$ believes that $B$ believes $X$.
e. Jurisdiction rule: $\dfrac{A \mid\equiv B \Rightarrow X,\; A \mid\equiv B \mid\equiv X}{A \mid\equiv X}$: if $A$ believes that $B$ has jurisdiction over $X$ and $A$ trusts $B$ on the truth of $X$, then $A$ believes $X$.
(2) Establishment of security goals
$g_1$: $U_i \mid\equiv S_j \mid\equiv U_i \xleftrightarrow{SK_{ij}} S_j$
$g_2$: $U_i \mid\equiv U_i \xleftrightarrow{SK_{ij}} S_j$
$g_3$: $S_j \mid\equiv U_i \mid\equiv U_i \xleftrightarrow{SK_{ij}} S_j$
$g_4$: $S_j \mid\equiv U_i \xleftrightarrow{SK_{ij}} S_j$
(3) Idealized scheme
$U_i$: $\langle h(ID_i \| MP_i)\rangle_{U_i \xleftrightarrow{P_{U_i-GWN}} GWN}$, $\langle K_i, X_{GWN-U_i}\rangle_{U_i \xleftrightarrow{P_{U_i-GWN}} GWN}$
$S_j$: $\langle h(SID_j \| MP_j)\rangle_{S_j \xleftrightarrow{P_{S_j-GWN}} GWN}$, $\langle K_j, X_{GWN-S_j}\rangle_{S_j \xleftrightarrow{P_{S_j-GWN}} GWN}$
GWN: $\langle K_j\rangle_{h(SID_j \| MP_j)}$, $\langle K_i\rangle_{h(ID_i \| MP_i)}$, $\langle K_i, K_j\rangle_{S_j \xleftrightarrow{P_{S_j-GWN}} GWN}$, $\langle K_i, K_j\rangle_{U_i \xleftrightarrow{P_{U_i-GWN}} GWN}$
(4) Initial premises
$p_1$: $U_i \mid\equiv \#K_i$
$p_2$: $S_j \mid\equiv \#K_j$
$p_3$: $U_i \mid\equiv U_i \xleftrightarrow{P_{U_i-GWN}} GWN$
$p_4$: $GWN \mid\equiv U_i \xleftrightarrow{P_{U_i-GWN}} GWN$
$p_5$: $S_j \mid\equiv S_j \xleftrightarrow{P_{S_j-GWN}} GWN$
$p_6$: $GWN \mid\equiv S_j \xleftrightarrow{P_{S_j-GWN}} GWN$
$p_7$: $GWN \mid\equiv \#X_{GWN-S_j}$
$p_8$: $GWN \mid\equiv \#X_{GWN-U_i}$
$p_9$: $U_i \mid\equiv S_j \Rightarrow U_i \xleftrightarrow{SK_{ij}} S_j$
$p_{10}$: $S_j \mid\equiv U_i \Rightarrow U_i \xleftrightarrow{SK_{ij}} S_j$
(5) Scheme analysis
$a_1$. By $p_3$ and $U_i \triangleleft \langle K_i, K_j\rangle_{U_i \xleftrightarrow{P_{U_i-GWN}} GWN}$, we apply the message-meaning rule to derive: $U_i \mid\equiv GWN \mid\sim (K_i, K_j)$.
$a_2$. By $a_1$ and $p_1$, we apply the fresh conjuncatenation rule and the nonce-verification rule to derive: $U_i \mid\equiv GWN \mid\equiv (K_i, K_j)$.
$a_3$. By $a_2$, we apply the belief rule to derive: $U_i \mid\equiv GWN \mid\equiv K_i$, $U_i \mid\equiv GWN \mid\equiv K_j$.
$a_4$. By $p_6$ and $GWN \triangleleft \langle K_j, X_{GWN-S_j}\rangle_{S_j \xleftrightarrow{P_{S_j-GWN}} GWN}$, we apply the message-meaning rule to derive: $GWN \mid\equiv S_j \mid\sim (K_j, X_{GWN-S_j})$.
$a_5$. By $a_4$ and $p_7$, we apply the fresh conjuncatenation rule and the nonce-verification rule to derive: $GWN \mid\equiv S_j \mid\equiv (K_j, X_{GWN-S_j})$.
$a_6$. By $a_5$, we apply the belief rule to derive: $GWN \mid\equiv S_j \mid\equiv K_i$, $GWN \mid\equiv S_j \mid\equiv K_j$.
$a_7$. By $a_3$ and $a_6$, we get $U_i \mid\equiv S_j \mid\equiv K_i$, $U_i \mid\equiv S_j \mid\equiv K_j$.
$g_1$. By $a_7$ and $SK_{ij} = h(K_i \oplus K_j)$, we apply the belief rule to derive: $U_i \mid\equiv S_j \mid\equiv U_i \xleftrightarrow{SK_{ij}} S_j$.
$g_2$. By $g_1$ and $p_9$, we apply the jurisdiction rule to derive: $U_i \mid\equiv U_i \xleftrightarrow{SK_{ij}} S_j$.
$a_4$. By $p_5$ and $S_j \triangleleft \langle K_i, K_j\rangle_{S_j \xleftrightarrow{P_{S_j-GWN}} GWN}$, we apply the message-meaning rule to derive: $S_j \mid\equiv GWN \mid\sim (K_i, K_j)$.
$a_5$. By $a_4$ and $p_2$, we apply the fresh conjuncatenation rule and the nonce-verification rule to derive: $S_j \mid\equiv GWN \mid\equiv (K_i, K_j)$.
$a_6$. By $a_5$, we apply the belief rule to derive: $S_j \mid\equiv GWN \mid\equiv K_i$, $S_j \mid\equiv GWN \mid\equiv K_j$.
$a_7$. By $p_4$ and $GWN \triangleleft \langle K_i, X_{GWN-U_i}\rangle_{U_i \xleftrightarrow{P_{U_i-GWN}} GWN}$, we apply the message-meaning rule to derive: $GWN \mid\equiv U_i \mid\sim (K_i, X_{GWN-U_i})$.
$a_8$. By $a_7$ and $p_8$, we apply the fresh conjuncatenation rule and the nonce-verification rule to derive: $GWN \mid\equiv U_i \mid\equiv (K_i, X_{GWN-U_i})$.
$a_9$. By $a_8$, we apply the belief rule to derive: $GWN \mid\equiv U_i \mid\equiv K_i$, $GWN \mid\equiv U_i \mid\equiv K_j$.
$a_{10}$. By $a_6$ and $a_9$, we get $S_j \mid\equiv U_i \mid\equiv K_i$, $S_j \mid\equiv U_i \mid\equiv K_j$.
$g_3$. By $a_{10}$ and $SK_{ij} = h(K_i \oplus K_j)$, we apply the belief rule to derive: $S_j \mid\equiv U_i \mid\equiv U_i \xleftrightarrow{SK_{ij}} S_j$.
$g_4$. By $g_3$ and $p_{10}$, we apply the jurisdiction rule to derive: $S_j \mid\equiv U_i \xleftrightarrow{SK_{ij}} S_j$.
5.2 Informal Security Analysis
In this subsection, we show that our scheme overcomes all the practical flaws of Turkanović et al.'s scheme and is equally resilient to various possible attacks. The following attacks are based on the assumption that a malicious attacker $\mathcal{A}$ has total control over the communication channel connecting $U_i$, $S_j$, and GWN in the login/authentication phase. So $\mathcal{A}$ can intercept, insert, delete, or modify any message transmitted via the public channel [30–33].
5.2.1 User Anonymity
During the login phase, the login request message $\{N_i, Z_i\}$ protects $ID_i$ with $h(ID_i \| MP_i)$. It also protects $PW_i$ with $h(r_i \| PW_i)$. Thus, in order to retrieve $ID_i$, $U_i$'s password $PW_i$ and random number $r_i$ are needed. Furthermore, even if the smart card is stolen, $\mathcal{A}$ cannot retrieve $ID_i$ from $x_i$, since $ID_i$ is protected by $h(ID_i \| X_{GWN-U_i})$ and $X_{GWN-U_i}$ is protected by the secret key $c$. Since the secret information $(PW_i, r_i, c)$ is only known to $U_i$, it is computationally infeasible for $\mathcal{A}$ to retrieve $ID_i$ from $h(ID_i \| h(r_i \| PW_i))$ due to the one-way property of the hash function $h(\cdot)$. This shows that our proposed scheme guarantees user anonymity.
5.2.2 Resist User Masquerading and Off-line Password Guessing Attacks with a Smart Card Security Breach
Assume that $\mathcal{A}$ has not only collected the transmitted messages $\{N_i, Z_i\}$ between $U_i$ and $S_j$ but has also read [28, 29] the secret information $\{x_i, C_i, h(\cdot)\}$ stored in the smart card. To verify a guessed password $PW'_i$ by using the condition $x_i \stackrel{?}{=} h(ID_i \| (C_i \oplus c)) \oplus h(PW'_i \| r_i)$, the user's identity $ID_i$, secret key $c$, and random number $r_i$ are required. Moreover, in order to verify the guessed password by using $N_i = P_{U_i-GWN} \oplus h(ID_i \| h(PW_i \| r_i))$, $\mathcal{A}$ also needs to compute $P_{U_i-GWN} = h((C_i \oplus c) \| h(ID_i \| MP_i))$, which also requires $r_i$ and $c$, because $MP_i = h(PW_i \| r_i)$. Moreover, $SC_i$ does not store $ID_i$ of $U_i$. Additionally, the transmitted message protects $ID_i$ by $h(ID_i \| MP_i)$. It is clear that $\mathcal{A}$ cannot guess the user's password correctly, since the user's identity $ID_i$, secret key $c$, and random number $r_i$ are not known to $\mathcal{A}$. In this case, masquerading and off-line password guessing attacks cannot work in the proposed scheme.
5.2.3 Resist Stolen Verifier and Node Capture Attacks
The proposed scheme does not require any password table to be stored for verification; in particular, the GWN and the sensor nodes do not keep password tables. As a result, the compromise of a sensor node does not lead to a compromise of any other secure communication between the user and the non-captured sensor nodes in the network. Therefore, our scheme provides unconditional security against stolen-verifier and node capture attacks.
5.2.4 Resist Many Logged-in Users with the Same Login-ID Attack
As described for the off-line password guessing attack, even if $\mathcal{A}$ has obtained the information of the stolen smart card, he cannot retrieve the user's $ID_i$ and $PW_i$. That is, he cannot generate a valid login message using the stolen smart card. In addition, $\mathcal{A}$ cannot guess both the user identity and the password correctly in polynomial time. Thus, our scheme is resilient against the many-logged-in-users-with-the-same-login-ID attack.
5.2.5 Resist Replay Attack
Assume $\mathcal{A}$ has intercepted all the communication messages $\{N_i, Z_i, A_j, e_j, H_j, S_i, F_{ij}, R_{ij}\}$ and tries to replay them to $U_i$, $S_j$ or GWN to obtain authentication. However, this is impossible, since the shared secret parameters $P_{U_i-GWN}$ and $P_{S_j-GWN}$ are protected by $U_i$'s secret key $c$ and $S_j$'s secret key $d$, respectively. In addition, $P_{U_i-GWN}$ and $P_{S_j-GWN}$ are not directly transmitted over the public channel. Only with knowledge of $P_{U_i-GWN}$ and $P_{S_j-GWN}$ can $U_i$, $S_j$ and GWN carry out the series of computations and verifications. Moreover, our scheme uses different random numbers $(K_i, K_j)$ in each session. $U_i$ and $S_j$ will quickly detect the attack if $\mathcal{A}$ changes the random numbers. Hence, our scheme can withstand the replay attack.
5.2.6 Mutual Authentication
In order to authenticate $U_i$ and $S_j$, GWN has to compare the evidence $P_{U_i-GWN} = h(X_{GWN-U_i} \| (f_i \oplus X_{GWN}))$ and $P_{S_j-GWN} = h(X_{GWN-S_j} \| (f_j \oplus X_{GWN}))$ with $P'_{U_i-GWN} = N_i \oplus f_i \oplus X_{GWN}$ and $P'_{S_j-GWN} = e_j \oplus f_j \oplus X_{GWN}$, respectively. No one can counterfeit the evidence, since it is not transmitted over the public channel and is known only to $U_i$ and GWN, and to $S_j$ and GWN, respectively. To authenticate GWN, $S_j$ needs to verify whether $H'_j = h(K_j \| h(SID_j \| MP_j))$ is equal to the received $H_j$. Because $MP_j$ is only known to $S_j$ and GWN, no one can forge a valid $(H_j, F_{ij})$ without it. $U_i$ verifies the correctness of $S_i = h(K_i \| h(ID_i \| MP_i))$ to check that $S_j$ and GWN are legitimate. Hence, mutual authentication among $U_i$, $S_j$ and GWN is achieved.
5.2.7 Resist Stolen Smart Card Attack
Assume a smart card is stolen and $\mathcal{A}$ has extracted the information $\{x_i, C_i, h(\cdot)\}$ from it. Without the right input $(ID_i, c)$, $\mathcal{A}$ cannot compute the correct value $e_i$, and therefore cannot extract $MP_i$ from $x_i$. Hence $\mathcal{A}$ still cannot succeed after stealing the smart card.
5.2.8 Perfect Forward Secrecy with A Smart Card Security Breach
Assume that $\mathcal{A}$ compromises all the long-term secrets $(c, d, PW_i, PW_j, X_{GWN})$ of the entities of the system, gathers all the information $(C_i, x_i, h(\cdot))$ stored in the smart card, and eavesdrops all the messages $(N_i, Z_i, A_j, e_j, H_j, S_i, F_{ij}, R_{ij})$ transmitted over the public channel. $\mathcal{A}$ still cannot derive the common session key $SK_{ij} = h(K_i \oplus K_j)$, for the following reasons. To compute $K_i$, $P_{U_i,GWN} = h((C_i \oplus c) \| h(ID_i \| MP_i))$ is needed. The smart card $SC_i$ does not store the user's identity $ID_i$, and the transmitted message carries $N_i = P_{U_i,GWN} \oplus h(ID_i \| MP_i)$ instead of $ID_i$. To compute $ID_i$ from $N_i$, the random number $r_i$ is needed, and it is protected by the secure one-way hash function in $MP_i = h(PW_i \| r_i)$. Similarly, to compute $K_j$, $P_{S_j,GWN} = h((D_i \oplus d) \| h(SID_j \| MP_j))$ is needed; to compute $MP_j$, the random number $r_j$ is needed, and it is protected by the secure one-way hash function in $MP_j = h(PW_j \| r_j)$. Thus, even if $\mathcal{A}$ obtains all the long-term secrets of the entities, the smart card information and all the transmitted messages, he still cannot compromise any other session key. Hence, the proposed scheme achieves perfect forward secrecy.
5.2.9 Session Key Agreement
The session key $SK_{ij} = h(K_i \oplus K_j)$ protects the communication between $U_i$ and $S_j$, where $K_i$ and $K_j$ are known to nobody but $U_i$, $S_j$ and GWN, and GWN is a trusted third party. In addition, $SK_{ij}$ is different in each session, so a session key that $\mathcal{A}$ has obtained cannot be used to compute the session key of the next session.
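The checks of Sects. 5.2.5, 5.2.6 and 5.2.9 written out as code, added here as an illustration; it is not code from the paper. It instantiates $h(\cdot)$ with SHA-256, takes $\|$ as byte concatenation, fixes every XORed value at 32 bytes, and makes one assumption the text of this section does not state: the GWN-side value $f_i$ is taken as $h(ID_i \| MP_i) \oplus X_{GWN}$, which is the choice under which the two expressions for $P_{U_i,GWN}$ in Sects. 5.2.6 and 5.2.8 coincide. How $K_i$ and $K_j$ travel between the parties is not modelled (the sensor is simply handed the $K_i$ that reached GWN); all secrets and identifiers are constructed.

```python
import hashlib
import hmac
import os


def h(*parts: bytes) -> bytes:
    """The scheme's one-way hash h(a || b || ...); SHA-256 is an assumption of this example."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def gwn_checks_user(N_i: bytes, f_i: bytes, X_GWN: bytes, X_GWN_Ui: bytes) -> bool:
    """GWN side (Sect. 5.2.6): recompute P_{U_i,GWN} = h(X_{GWN-U_i} || (f_i xor X_GWN))
    and compare it with N_i xor f_i xor X_GWN taken from the login message."""
    expected = h(X_GWN_Ui, xor(f_i, X_GWN))
    received = xor(xor(N_i, f_i), X_GWN)
    # constant-time comparison: '==' on secret-derived values leaks timing
    return hmac.compare_digest(expected, received)


def sensor_checks_gwn(H_j: bytes, K_j: bytes, SID_j: bytes, MP_j: bytes) -> bool:
    """S_j side: H_j must equal h(K_j || h(SID_j || MP_j)); MP_j is shared by S_j and GWN only."""
    return hmac.compare_digest(H_j, h(K_j, h(SID_j, MP_j)))


def user_checks_reply(S_i: bytes, K_i: bytes, ID_i: bytes, MP_i: bytes) -> bool:
    """U_i side: S_i must equal h(K_i || h(ID_i || MP_i)); MP_i is shared by U_i and GWN only."""
    return hmac.compare_digest(S_i, h(K_i, h(ID_i, MP_i)))


def session_key(K_i: bytes, K_j: bytes) -> bytes:
    """SK_ij = h(K_i xor K_j) (Sect. 5.2.9); fresh because K_i and K_j are fresh per session."""
    return h(xor(K_i, K_j))


def run_session(tamper_K_i: bool = False) -> dict:
    """One login/authentication run over constructed secrets. With tamper_K_i=True an
    attacker replaces U_i's random number K_i on its way to GWN (Sect. 5.2.5)."""
    # Constructed long-term material (all 32 bytes so the XORs line up)
    X_GWN = os.urandom(32)             # GWN master secret
    c = os.urandom(32)                 # U_i's secret key, never stored on the card
    C_i = os.urandom(32)               # value on the smart card; X_{GWN-U_i} = C_i xor c
    X_GWN_Ui = xor(C_i, c)             # user-specific secret held by GWN
    ID_i, PW_i, r_i = b"alice", b"correct horse", os.urandom(16)
    MP_i = h(PW_i, r_i)                # MP_i = h(PW_i || r_i), Sect. 5.2.8
    SID_j, MP_j = b"sensor-17", os.urandom(32)
    f_i = xor(h(ID_i, MP_i), X_GWN)    # assumption: makes both forms of P_{U_i,GWN} agree

    # Login: U_i forms P_{U_i,GWN} = h((C_i xor c) || h(ID_i || MP_i)) and masks it as
    # N_i = P_{U_i,GWN} xor h(ID_i || MP_i) (Sect. 5.2.8); ID_i itself is never sent
    P_UiGWN = h(xor(C_i, c), h(ID_i, MP_i))
    N_i = xor(P_UiGWN, h(ID_i, MP_i))
    K_i, K_j = os.urandom(32), os.urandom(32)            # fresh per-session random numbers
    K_i_at_gwn = os.urandom(32) if tamper_K_i else K_i   # attacker swaps the nonce in transit

    # Authentication: GWN binds the nonces to the secret it shares with each party
    H_j = h(K_j, h(SID_j, MP_j))
    S_i = h(K_i_at_gwn, h(ID_i, MP_i))

    return {
        "gwn_accepts_user": gwn_checks_user(N_i, f_i, X_GWN, X_GWN_Ui),
        "sensor_accepts_gwn": sensor_checks_gwn(H_j, K_j, SID_j, MP_j),
        "user_accepts_reply": user_checks_reply(S_i, K_i, ID_i, MP_i),
        "sk_user": session_key(K_i, K_j),            # U_i uses its own K_i
        "sk_sensor": session_key(K_i_at_gwn, K_j),   # S_j uses the K_i that reached GWN
    }


if __name__ == "__main__":
    print(run_session())
    print(run_session(tamper_K_i=True)["user_accepts_reply"])
```

In the honest run all three checks pass and both parties derive the same 32-byte $SK_{ij}$; with `tamper_K_i=True` the GWN-side check still passes (the login message was untouched) but $U_i$ rejects $S_i$, and the two derived keys differ, which is the detection the replay argument relies on. Two honest runs never share a key. The comparisons use `hmac.compare_digest` rather than `==`, a detail the paper leaves implicit but one that matters on a real gateway.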
5.2.10 Resist Insider Attack
In the proposed scheme, $U_i$ submits the hashed value $MP_i = h(PW_i \| r_i)$ of the random number $r_i$ and the password $PW_i$ rather than $PW_i$ itself. Therefore, an insider of the system cannot learn a user's password: without the random number $r_i$, it is computationally infeasible to retrieve $PW_i$ from $MP_i$, by the one-way property of the hash function $h(\cdot)$. Hence, the proposed scheme protects against the insider attack.
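The insider argument above rests entirely on the entropy of $r_i$. The following added example (illustrative code, not from the paper) makes that concrete by running an insider's off-line dictionary attack against the registration value $MP_i$ for three sizes of $r_i$. It assumes $h(\cdot)$ is SHA-256 and $\|$ is byte concatenation; the wordlist, the password and the hash budget are constructed for the demonstration, and the brute-force enumeration of $r_i$ is the generic attack on a short salt, not anything the paper describes.

```python
import hashlib
import os

# Constructed wordlist for the demonstration; a real insider would use a far larger one
WORDLIST = [b"123456", b"password", b"letmein", b"qwerty", b"sunshine",
            b"correct horse", b"dragon", b"iloveyou"]


def h(*parts: bytes) -> bytes:
    """The scheme's one-way hash h(a || b); SHA-256 is an assumption of this example."""
    return hashlib.sha256(b"".join(parts)).digest()


def register(PW_i: bytes, r_len: int):
    """User side of registration: choose r_i of r_len random bytes and submit
    MP_i = h(PW_i || r_i) to the GWN (Sect. 5.2.10). r_i stays with the user.
    r_len = 0 degenerates to submitting h(PW_i), i.e. no random number at all."""
    r_i = os.urandom(r_len)
    return h(PW_i, r_i), r_i


def insider_guess(MP_i: bytes, r_len: int, wordlist, max_work: int):
    """A privileged insider holding only MP_i runs an off-line dictionary attack:
    for each candidate password it enumerates every possible r_i of r_len bytes
    (2^(8*r_len) values) and gives up after max_work hash evaluations.
    Returns (recovered password or None, number of hashes computed)."""
    work = 0
    for pw in wordlist:
        for n in range(256 ** r_len):        # lazy range: fine even for 2^128 values
            if work >= max_work:
                return None, work
            work += 1
            if h(pw, n.to_bytes(r_len, "big")) == MP_i:
                return pw, work
    return None, work


def demo(budget: int = 100_000) -> dict:
    """Run the insider attack against the same password for three sizes of r_i."""
    PW_i = b"correct horse"                  # constructed; sits at index 5 of WORDLIST
    results = {}
    for r_len in (0, 1, 16):
        MP_i, _r_i = register(PW_i, r_len)   # _r_i is never given to the insider
        results[r_len] = insider_guess(MP_i, r_len, WORDLIST, budget)
    return results


if __name__ == "__main__":
    for r_len, (pw, work) in demo().items():
        print(f"r_i of {r_len} bytes: recovered={pw!r} after {work} hashes")
```

With no random number ($r_i$ empty) the insider recovers the password after six hashes; with a one-byte $r_i$ it still succeeds within about 1,500 hashes; only with a 16-byte $r_i$ does the attack exhaust its budget without success. The GWN storing $MP_i$ instead of $PW_i$ therefore protects the password exactly as far as $r_i$ is long, uniformly random and never disclosed, which is the property the proof of Sect. 5.3 assumes.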
5.2.11 No Clock Synchronization
In our scheme, $U_i$, $S_j$ and GWN compute the authentication messages from random numbers instead of timestamps, which avoids the need for clock synchronization.
5.3 Formal Security Analysis of the Proposed Scheme
In this subsection, we provide the formal security analysis of our scheme and show that it is secure. For this, we first define a secure one-way hash function [34,35].
Definition 1 A secure one-way hash function $h: \{0,1\}^* \rightarrow \{0,1\}^n$ takes as input an arbitrary-length binary string $x \in \{0,1\}^*$, outputs a binary string $h(x) \in \{0,1\}^n$, and satisfies the following requirements: (a) given $y \in Y$, it is computationally infeasible to find an $x \in X$ such that $y = h(x)$; (b) given $x \in X$, it is computationally infeasible to find another $x' \in X$, $x' \neq x$, such that $h(x') = h(x)$; (c) it is computationally infeasible to find a pair $(x', x) \in X' \times X$ with $x' \neq x$ such that $h(x') = h(x)$.
Theorem 1 Under the assumption that the one-way hash function $h(\cdot)$ behaves like a random oracle, our scheme is provably secure against an attacker $\mathcal{A}$ who tries to derive the user's personal information, namely the identity $ID_i$ and the password $PW_i$.
Proof The formal security proof of our scheme follows the approach of [36,37]. We use the following oracle to construct an adversary $\mathcal{A}$ who attempts to derive the user's $ID_i$ and password $PW_i$.
Reveal: This random oracle unconditionally outputs the input $x$ for a given hash value $y = h(x)$.
$\mathcal{A}$ runs the experimental algorithm $\mathrm{EXP}^{\mathrm{SCUAKA\text{-}HADWSNs}}_{\mathrm{HASH},\mathcal{A}}$ shown in Table 3 (abbreviated $\mathrm{EXP}$ below) against our smart card based user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, SCUAKA-HADWSNs for short. Define the success probability of $\mathrm{EXP}$ as $\mathrm{Succ}^{\mathrm{SCUAKA\text{-}HADWSNs}}_{\mathrm{HASH},\mathcal{A}} = |\Pr[\mathrm{EXP} = 1] - 1|$, and the advantage function for this experiment as $\mathrm{Adv}^{\mathrm{SCUAKA\text{-}HADWSNs}}_{\mathrm{HASH},\mathcal{A}}(t, q_R) = \max_{\mathcal{A}} \mathrm{Succ}^{\mathrm{SCUAKA\text{-}HADWSNs}}_{\mathrm{HASH},\mathcal{A}}$, where the maximum is taken over all $\mathcal{A}$ with execution time $t$ and number of queries $q_R$ made to the Reveal oracle. Consider the experiment shown in Table 3 for $\mathcal{A}$. If $\mathcal{A}$ has the ability to solve the hash function problem of Definition 1, then he can directly derive $U_i$'s identity $ID_i$ and password $PW_i$, and so discover the complete connections between $U_i$ and $S_j$. However, inverting a given hash value is computationally infeasible, i.e., $\mathrm{Adv}^{\mathrm{SCUAKA\text{-}HADWSNs}}_{\mathrm{HASH},\mathcal{A}}(t) \le \epsilon$ for any sufficiently small $\epsilon > 0$. Hence $\mathrm{Adv}^{\mathrm{SCUAKA\text{-}HADWSNs}}_{\mathrm{HASH},\mathcal{A}}(t, q_R) \le \epsilon$, since $\mathrm{Adv}^{\mathrm{SCUAKA\text{-}HADWSNs}}_{\mathrm{HASH},\mathcal{A}}(t, q_R)$ depends on $\mathrm{Adv}^{\mathrm{SCUAKA\text{-}HADWSNs}}_{\mathrm{HASH},\mathcal{A}}(t)$. As a result, there is no way for $\mathcal{A}$ to discover the complete connections between $U_i$ and $S_j$, and our scheme is provably secure against an adversary who tries to derive $(ID_i, PW_i)$.

Table 3 Algorithm $\mathrm{EXP}^{\mathrm{SCUAKA\text{-}HADWSNs}}_{\mathrm{HASH},\mathcal{A}}$
1. Eavesdrop the login message $\{N_i, Z_i\}$
2. Call the Reveal oracle. Let $(P'_{U_i,GWN}, m') \leftarrow \mathrm{Reveal}(N_i)$
3. Call the Reveal oracle. Let $(C_i, c, n') \leftarrow \mathrm{Reveal}(P'_{U_i,GWN})$
4. Call the Reveal oracle. Let $(ID'_i, MP'_i) \leftarrow \mathrm{Reveal}(n')$
5. Call the Reveal oracle. Let $(PW'_i, r'_i) \leftarrow \mathrm{Reveal}(MP'_i)$
6. Eavesdrop the authentication message $\{R_{ij}, S_i\}$
7. Call the Reveal oracle. Let $(K_i, ID''_i, MP''_i) \leftarrow \mathrm{Reveal}(S_i)$
8. Call the Reveal oracle. Let $(PW''_i, r''_i) \leftarrow \mathrm{Reveal}(MP''_i)$
9. if $r'_i = r''_i$ then
10. Accept the derived identity $ID'_i$ and password $PW'_i$ as the correct $ID_i$ and $PW_i$ of the user $U_i$
11. return 1 (Success)
12. else
13. return 0 (Failure)
14. end if
6 Functionality and Performance Analysis
In this section, we compare our scheme with other related schemes regarding functionality and performance.
Table 4 shows the functionality comparison of our proposed scheme with other related schemes [8,15,16,18,20,21,23,26]. From this comparison, we can see that our scheme is more secure and robust than Turkanović et al.'s, and achieves security features that were not considered in the aforementioned schemes but are fundamental requirements for a practical user authentication scheme in WSNs.
Figure 3 summarizes the computational primitives involved in the login and authentication phases of our scheme and of the related schemes [8,15,16,18,20,21,23,26] in terms of overhead cost. We count only hashing operations, since XOR operations require very little computation. The overall computational overhead of our scheme is lower than that of the schemes in [20,21,26], whereas it is slightly higher than that of the other related schemes [8,15,16,18–20,23].
Table 4 Functionality comparison

Columns (left to right): Ours; Turkanović et al. [26]; Li et al. [21]; Xue et al. [20]; Fan et al. [23]; Vaidya et al. [19]; Khan et al. [18]; He et al. [16]; Huang et al. [15]; Das et al. [8]

T1   Yes Yes Yes No  Yes No  No
T2   Yes Yes Yes Yes No
T3   Yes Yes Yes Yes Yes Yes Yes Yes Yes No
T4   Yes Yes Yes Yes Yes Yes Yes No  No  Yes
T5   Yes Yes Yes Yes No  Yes Yes Yes Yes Yes
T6   Yes –
T7   Yes No  Yes No  No
T8   Yes No  No  Yes No  No  Yes Yes
T9   Yes No  Yes Yes Partial
T10  Yes Yes No
T11  Yes No  Yes No
T12  Yes Yes Yes Yes Yes Yes
T13  Yes No  No  No  No  No  No  No  No  No
T14  Yes Yes Yes Yes Yes No  No  No  No  Yes

T1: Resist insider attack; T2: Resist masquerade attack; T3: User anonymity; T4: Provide mutual authentication; T5: Provide password change; T6: Provide perfect forward secrecy with stolen smart card; T7: Resist stolen smart card attack; T8: Resist node capture attack; T9: Resist off-line guessing attack; T10: Resist many logged-in users with the same login-ID attack; T11: Resist stolen-verifier attack; T12: Resist replay attack; T13: No time synchronization; T14: Session key agreement
7 Conclusion
In this paper, we have discussed the vulnerabilities and security attacks in Turkanović et al.'s user authentication and key agreement scheme for HADWSNs. The analysis indicates that the existing scheme is susceptible to user masquerade, off-line guessing, and node capture attacks. To tackle these problems, we have proposed a secure and efficient user authentication and key agreement scheme for HADWSNs that does not use timestamps. Through both informal and formal security analysis, we have demonstrated that the proposed scheme satisfies all the desired security attributes. In addition, the proposed scheme is computationally efficient compared with other existing approaches, since it uses only a lightweight one-way hash function. Overall, the higher security and lower computational cost make the proposed scheme more suitable for practical applications in HADWSNs than other existing schemes.
Acknowledgements The authors would like to thank all the anonymous reviewers for their helpful advice. This paper is supported by the National Key Research and Development Program (Grant No. 2016YFB0800602) and the National Natural Science Foundation of China (Grant Nos. 61472045, 61573067, 61373020, U1536102 and U1536116).
References
1. Vivek, K., Narottam, C., & Naveen, C. (2010). Recent advances and future trends in wireless sensor networks. International Journal of Applied Engineering Research, 1(3), 330–342.
2. Cheng, Y., & Agrawal, D. (2007). An improved key distribution mechanism for large-scale hierarchical
wireless sensor networks. Ad Hoc Networks,5(1), 35–48.
3. Asadi, M., Zimmerman, C., & Agah, A. (2013). A game-theoretic approach to security and power
conservation in wireless sensor networks. International Journal of Network Security,15(1), 50–58.
4. Das, A. K. (2012). Improving identity-based random key establishment scheme for large-scale hier-
archical wireless sensor networks. International Journal of Network Security,14(1), 1–21.
Fig. 3 Performance comparison
5. Li, C. T. (2011). Secure smart card based password authentication scheme with user anonymity.
Information Technology and Control,40(2), 157–162.
6. Mi, Q., Stankovic, J. A., & Stoleru, R. (2012). Practical and secure localization and key distribution for
wireless sensor networks. Ad Hoc Networks,10(6), 946–961.
7. Watro, R., Kong, D., Cuti, S., Gardiner, C., Lynn, C., & Kruus, P. (2004). TinyPK: Securing sensor networks with public key technology. In Proceedings of the 2nd ACM workshop on security of ad hoc and sensor networks, SASN 2004, Washington, DC, USA, October (pp. 59–64).
8. Das, M. L. (2009). Two-factor user authentication in wireless sensor networks. IEEE Transactions on
Wireless Communications,8(3), 1086–1090.
9. Yuan, J., Jiang, C., & Jiang, Z. (2010). A biometric-based user authentication for wireless sensor
networks. Wuhan University Journal of Natural Sciences,15(3), 272–276.
10. Song, R. (2010). Advanced smart card based password authentication protocol. Computer Standards
and Interfaces,32(5), 321–325.
11. Xu, J., Zhu, W. T., & Feng, D. G. (2009). An improved smart card based password authentication
scheme with provable security. Computer Standards and Interfaces,31(4), 723–728.
12. Yeh, H. L., Chen, T. H., Liu, P. C., Kim, T. H., & Wei, H. W. (2011). A secured authentication protocol for wireless sensor networks using elliptic curves cryptography. Sensors, 11(5), 4767–4779.
13. Ghosal, A., Halder, S., & DasBit, S. (2012). A dynamic TDMA based scheme for securing query
processing in WSN. Wireless Networks,8(2), 165–184.
14. Wong, K. H. M., Zheng, Y., Cao, J., & Wang, S. (2006). A dynamic user authentication scheme for
wireless sensor networks. In Proceedings of the IEEE international conference on sensor networks,
ubiquitous, and trustworthy computing, Taichung (pp. 244–251).
15. Huang, H. F., Chang, Y. F., & Liu, C. H. (2010). Enhancement of two-factor user authentication in
wireless sensor networks. In Proceedings of the 2010 sixth international conference on intelligent
information hiding and multimedia signal processing (pp. 27–30). IEEE Computer Society.
16. He, D., Gao, Y., Chan, S., Chen, C., & Bu, J. (2010). An enhanced two-factor user authentication
scheme in wireless sensor networks. Ad Hoc and Sensor Wireless Networks,10(4), 361–371.
17. Nyang, D., & Lee, M. K. (2009). Improvement of Das’s two-factor authentication protocol in wireless
sensor networks. In CORD conference proceedings.
18. Khan, M. K., & Alghathbar, K. (2010). Cryptanalysis and security improvements of ‘‘two-factor user
authentication in wireless sensor networks’’. Sensors,10(3), 2450–2459.
19. Vaidya, B., Makrakis, D., & Mouftah, H. T. (2010). Improved two-factor user authentication in wireless
sensor networks. In IEEE 6th international conference on wireless and mobile computing, networking
and communications (pp. 600–606).
20. Xue, K., Ma, C., Hong, P., & Ding, R. (2012). A temporal-credential-based mutual authentication and
key agreement scheme for wireless sensor networks. Journal of Network and Computer Applications,
36, 316–323.
21. Li, C. T., Weng, C. Y., & Lee, C. C. (2013). An advanced temporal credential-based security scheme with mutual authentication and key agreement for wireless sensor networks. Sensors, 13, 9589–9603.
22. Turkanović, M., & Hölbl, M. (2014). Notes on ‘‘a temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks’’. Wireless Personal Communications, 77, 907–922.
23. Fan, R., He, D., Pan, X., & Ping, L. (2011). An efficient and dos-resistant user authentication scheme for
two-tiered wireless sensor networks. Journal of Zhejiang University SCIENCE,12(7), 550–560.
24. Das, A. K., Sharma, P., Chatterjee, S., & Sing, J. K. (2012). A dynamic password-based user authentication scheme for hierarchical wireless sensor networks. Journal of Network and Computer Applications, 35(5), 1646–1656.
25. Wang, D., & Wang, P. (2014). Understanding security failures of two-factor authentication schemes for
real-time applications in hierarchical wireless sensor networks. Ad Hoc Networks,20, 1–15.
26. Turkanović, M., Brumen, B., & Hölbl, M. (2014). A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet of Things notion. Ad Hoc Networks, 20, 96–112.
27. Burrows, M., Abadi, M., & Needham, R. (1990). A logic of authentication. ACM Transactions on Computer Systems, 8(1), 18–36.
28. Kocher, P., Jaffe, J., & Jun, B. (1999). Differential power analysis. In Proceedings of advances in
cryptology-CRYPTO’99, LNCS 1666 (pp. 388–397).
29. Messerges, T. S., Dabbish, E. A., & Sloan, R. H. (2002b). Examining smart-card security under the
threat of power analysis attacks. IEEE Transactions on Computers,51(5), 541–552.
30. Boyd, C., & Mathuria, A. (2003). Protocols for authentication and key establishment. Berlin: Springer.
31. Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., & Shalmani, M. T. M. (2008). On
the power of power analysis in the real world: A complete break of the keeloq code hopping scheme.
Advances in cryptology-CRYPTO (pp. 203–220). Berlin: Springer.
32. Lamport, L. (1981). Password authentication with insecure communication. Communications of the
ACM,24(11), 770–772.
33. Yang, W. H., & Shieh, S. P. (1999). Password authentication schemes with smart cards. Computer and
Security,18(8), 727–733.
34. Stallings, W. (2004). Cryptography and network security: Principles and practices (3rd ed.,
pp. 328–345). London: Pearson Education.
35. Stinson, D. R. (2006). Some observations on the theory of cryptographic hash functions. Designs Codes
and Cryptography,38(2), 259–277.
36. Chatterjee, S., Das, A. K., & Sing, J. K. (2014). An enhanced access control scheme in wireless sensor
networks. Ad Hoc and Sensor Wireless Networks,21(1–2), 121–149.
37. Odelu, V., Das, A. K., & Goswami, A. (2014). A secure effective key management scheme for dynamic
access control in a large leaf class hierarchy. Information Sciences,269(10), 270–285.
Yanrong Lu received the M.S. degree in cryptography from Xidian University, Xi'an, China, in 2012. She is currently a Ph.D. student at Beijing University of Posts and Telecommunications, Beijing, China. Her research interests focus on information security and cryptography, in particular cryptographic protocols.
Lixiang Li received the M.S. degree in circuits and systems from Yanshan University, Qinhuangdao, China, in 2003, and the Ph.D. degree in signal and information processing from Beijing University of Posts and Telecommunications, Beijing, China, in 2006. She is currently a professor at the School of Computer Science and Technology, Beijing University of Posts and Telecommunications, China. Her research interests include swarm intelligence, information security and network security. Dr. L. Li is the co-author of 70 scientific papers and 10 Chinese patents.
Haipeng Peng received the M.S. degree in system engineering from Shenyang University of Technology, Shenyang, China, in 2006, and the Ph.D. degree in signal and information processing from Beijing University of Posts and Telecommunications, Beijing, China, in 2010. He is currently an associate professor at the School of Computer Science and Technology, Beijing University of Posts and Telecommunications, China. His research interests include information security, network security, complex networks and control of dynamical systems. Dr. H. Peng is the co-author of 50 scientific papers and over 10 Chinese patents.
Yixian Yang received the M.S. degree in applied mathematics in 1986 and the Ph.D. degree in electronics and communication systems in 1988 from Beijing University of Posts and Telecommunications, Beijing, China. He is the Managing Director of the Information Security Center, Beijing University of Posts and Telecommunications, Beijing, China. His research interests include network security, information security and coding theory. Dr. Y. Yang is the co-author of 300 scientific articles and 50 patents.