A user friendly mutual authentication and key agreement scheme for wireless sensor networks using chaotic maps




Accepted Manuscript
Saru Kumari, Xiong Li, Fan Wu, Ashok Kumar Das, Hamed Arshad, Muhammad Khurram Khan
PII: S0167-739X(16)30093-0
DOI: http://dx.doi.org/10.1016/j.future.2016.04.016
Reference: FUTURE 3016

To appear in: Future Generation Computer Systems

Received date: 22 July 2015
Revised date: 8 January 2016
Accepted date: 23 April 2016
Please cite this article as: S. Kumari, X. Li, F. Wu, A.K. Das, H. Arshad, M.K. Khan, A user friendly mutual authentication and key agreement scheme for wireless sensor networks using chaotic maps, Future Generation Computer Systems (2016), http://dx.doi.org/10.1016/j.future.2016.04.016

Highlights (for review)
• We examine recently proposed Li et al.'s and He et al.'s schemes for WSN.
• We show security weaknesses in both schemes.
• We propose an improved scheme for WSN using Chebyshev chaotic maps.
• Formal security proof using BAN logic and conventional analysis assure the security of our scheme.
• Comparative evaluation shows the superiority of our scheme over related schemes.


A User Friendly Mutual Authentication and Key Agreement Scheme for Wireless Sensor Networks using Chaotic Maps
Saru Kumari 1, Xiong Li 2, Fan Wu 3, Ashok Kumar Das 4, Hamed Arshad 5, Muhammad Khurram Khan 6

1 Department of Mathematics, Ch. Charan Singh University, Meerut, Uttar Pradesh. [email protected]
2 School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan 411201, China. [email protected]
3 Department of Computer Science and Engineering, Xiamen Institute of Technology, Huaqiao University, Xiamen 361021, China. [email protected]
4 Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad 500 032, India. [email protected], [email protected]
5 Department of Computer Engineering and Information Technology, Imam Reza International University, Mashhad, Iran. [email protected]
6 Center of Excellence in Information Assurance, King Saud University, Riyadh, Kingdom of Saudi Arabia. [email protected]

Abstract: The spread of wireless network technology has opened new doors to utilizing sensor technology in various areas via Wireless Sensor Networks (WSNs). Many authentication protocols among the service-seeking users, the sensing components (sensor nodes, SNs) and the service-providing base station or gateway node (GWN) are available to realize services from WSNs efficiently and without any fear of deceit. Recently, Li et al. and He et al. independently proposed mutual authentication and key agreement schemes for WSNs. We find that both schemes achieve mutual authentication, establish a session key and resist many known attacks, but still have security weaknesses. We show the applicability of stolen-verifier, user impersonation, password guessing and smart card loss attacks on Li et al.'s scheme. Although their scheme employs the feature of dynamic identity, an attacker can reveal and guess the identity of a registered user. We demonstrate the susceptibility of He et al.'s scheme to a password guessing attack. In both schemes, the security of the session key established between the user and the SN is imperfect due to the lack of forward secrecy and a session-specific temporary information leakage attack. In addition, both schemes impose extra computational load on resource-scanty sensor nodes and are not user friendly due to the absence of user anonymity and the lack of a password change facility. To handle these drawbacks, we design a mutual authentication and key agreement scheme for WSNs using chaotic maps. To the best of our knowledge, we are the first to propose an authentication scheme for WSNs based on chaotic maps. We show the superiority of the proposed scheme over its predecessor schemes by means of detailed security analysis and comparative evaluation. We also formally analyze our scheme using BAN logic.

Keywords: User authentication, Wireless sensor networks, User anonymity, Password guessing, Forward secrecy, Chaotic maps.

1. Introduction

Nowadays, wireless sensor networks (WSNs) are the first choice for remote monitoring in various domains such as domestic [1], industry [2, 3, 4], military [5], medical [6], scientific research [7], safety [8, 9], etc., owing to their ease of deployment in harsh/hostile/unattended/unfriendly environments, minimal maintenance and exciting outcomes. In a wireless sensor network (WSN), numerous tiny sensor nodes (SNs) are deployed in the intended field. After deployment, these SNs associate themselves in an extemporized manner to communicate with each other and with a resource-rich master node called the gateway node (or base station, GWN) via wireless links [10]. In this way, the SNs wirelessly linked with their neighboring nodes together form a network which is finally linked to the GWN, and the network so formed is called the wireless sensor network (WSN). The data sensed by the SNs from their surroundings is eventually routed to the GWN, where it is used for decision making and for taking the necessary action accordingly. The involvement of WSNs in a wide range of applications requires managing many critical tasks simultaneously. Generally, real applications neglect the security aspect, rendering WSNs exposed to various potential threats. Malicious minds can misuse the sensitive data collected by SNs (what counts as sensitive depends on the domain of the WSN, for example military or healthcare) for personal reasons; therefore, it is mandatory to regulate authorized access to WSNs. Hence, security solutions are essential for the proper functioning of the application layer of WSNs, for which a user authentication scheme is a prime choice on which other security mechanisms such as Over The Air (OTA) programming and the establishment of a secure channel [11] are based. It provides confidentiality and integrity of data and allows only valid users to access information from the network. However, the design of a user authentication scheme suitable for WSNs is not an easy task due to the complicated architecture involving numerous resource-deficient SNs as important components. The GWN is a powerful data processing/storage center with a powerful antenna and far more battery power than is required to outlast the lifetime of all the SNs. The GWN plays a key role in the WSN. It acts as a registration authority to register prospective users, serves as a gateway to another network or as an access point for a human interface [10], and also commands the SNs. Contrarily, SNs are equipped with limited memory, low battery power, low data processing capability and short radio transmission range [10]. Hence, a user authentication scheme for WSNs should be characterized by short communication messages, fast algorithms and low power consumption. Data is made available to the user on demand, whereby users need to prove their authenticity before accessing the data. Generally, users transmit their login request to the GWN, which issues commands to the SNs on whether or not to answer the user's query. In scenarios where users directly log in to the SNs, the SNs seek the help of the GWN to confirm the validity of the user. Therefore, the three involved entities (user, GWN and SN) should be able to mutually authenticate each other to avoid forgery at any end. Furthermore, user privacy is a focal concern due to the vulnerability of wireless communications.

1.1 Related Work

As yet, the design of user authentication schemes for resource-deficient WSNs has been substantially addressed by various researchers [12-33]. Every scheme is proposed with some merits; however, most of them are found to be insecure due to susceptibility to different kinds of security threats. In 2004, Watro et al. [12] proposed a public-key-based user authentication scheme using the Diffie-Hellman [34] and RSA [35] algorithms. In 2006, Wong et al. [13] gave a password-based user authentication scheme for WSNs using only a hash function.
Nonetheless, Watro et al.'s scheme is susceptible to an attack in which an adversary can behave as a sensor node to cheat the user [18]. Likewise, Wong et al.'s scheme is flawed by a many-logged-in-users attack, whereby many non-registered users possessing the password of a registered user can log in to the WSN and access data [14, 18, 20]. Tseng et al. [14] and Das [18] independently pointed out stolen-verifier and replay attacks on Wong et al.'s and Watro et al.'s schemes. In 2007, Tseng et al. [14] proposed a scheme as an enhancement of Wong et al.'s scheme to overcome its weaknesses. They claimed their scheme to be more efficient due to the reduced risk of user password leakage and a password changing facility. In 2008, Lee [15] noticed the high computational overhead on SNs in Wong et al.'s scheme and proposed two improvements. The first scheme focuses on reducing the computational overhead of SNs without deteriorating the security level, whereas the second is aimed at preventing an attacker from masquerading as the GWN to grant access to illicit persons. In the same year, Ko [16] pointed out that Tseng et al.'s scheme has no provision for mutual authentication between GWN and SN or between user and SN. Ko also presented a new scheme to establish mutual authentication. Vaidya et al. [17, 19] analyzed Wong et al.'s, Tseng et al.'s and Ko's schemes, and devised their improved schemes. Vaidya et al. asserted that their proposed improvements can withstand forgery, replay and man-in-the-middle attacks, and offer user privacy and mutual authentication. In 2009, Das [18] introduced a two-factor user authentication scheme for WSNs; his scheme became a centre of attraction for many researchers [21-23] working in this field. The scheme is based on the concept of using a password and a smart card as two factors to realize user authentication.

Das claimed his scheme to be free from security problems such as stolen-verifier, many-logged-in-users-with-the-same-identity, guessing, impersonation and replay attacks. In 2010, Huang et al. [22] pointed out that Das's scheme does not resist the many-logged-in-users attack with the same identity or an SN impersonation attack. As a solution, they proposed a scheme [22] with the same performance but with the additional features of user anonymity and password change. In the same year, He et al. [21] demonstrated an impersonation attack, a privileged insider attack and the lack of a password changing facility in Das's scheme. Based on their analysis, they built an enhanced scheme [21]. During the same time, Khan and Alghathbar [23] also identified the insider attack, the gateway node bypass attack, and the absence of mutual authentication between the SN and the GWN. Consequently, they proposed [23] an improved method to remove the security loopholes of Das's scheme. In 2012, Kumar et al. [24] presented an authentication scheme for WMSNs. They used a hash function and symmetric cryptographic operations in their scheme to provide security. In 2015, He et al. [25] observed that Kumar et al.'s scheme suffers from some security problems and proposed an authentication scheme for WMSNs to fix these flaws. In the same year, Li et al. [29] found that the authentication process of He et al.'s scheme [25] is flawed in such a way that the scheme can provide neither proper mutual authentication nor session key agreement. Hence, Li et al. [29] proposed a new user-anonymous authentication scheme for WMSNs, which also deploys symmetric cryptographic operations.

1.1.1 Contribution of Li et al.'s [28] and He et al.'s [29] schemes

In 2013, Xue et al. [30] introduced a temporal-credential-based mutual authentication and key agreement scheme for WSNs. In Xue et al.'s scheme, the GWN issues a temporal credential to each registered user and SN, which depends on the identity of the respective entity and the GWN's secret key. The temporal credential of the user is stored in her/his smart card, and that of the SN is stored in its memory. The authors asserted that their scheme was lightweight and fulfilled the security requirements of WSNs. In 2013, Li et al. [31] examined Xue et al.'s scheme and found it vulnerable to the many-logged-in-users attack with the same identity, stolen verifier attack, privileged insider attack, smart card loss problem and password disclosure problem. To preclude the security risks of Xue et al.'s scheme, they suggested an advanced scheme. They utilized a service period feature for the purpose of revoking users and sensor nodes and to prevent any misuse by the authorized GWN. They asserted that their scheme achieves mutual authentication and key agreement among the user, the GWN and the SN, and is efficient in terms of communication cost and computational complexity. They used login-timestamp and status-bit storing features to remedy the many-logged-in-users attack of Xue et al.'s scheme. They claimed that their scheme resists various known attacks and provides advanced security features. Very recently, He et al. [32] analyzed Xue et al.'s scheme and demonstrated that it suffers from offline password guessing, user impersonation, sensor node impersonation and modification attacks, since the registration of users and sensor nodes is conducted over an insecure channel. Besides, He et al. showed that the user is not anonymous in Xue et al.'s scheme. To overcome these problems of Xue et al.'s scheme, He et al. [32] proposed a mutual authentication and key agreement scheme using the concept of a pseudo-identity. During the registration process, the user submits her/his identity to the GWN, which assigns a pseudo-identity to the user. They claimed that this pseudo-identity plays an important role in the authentication process and maintains the anonymity of the user.

1.2 Application of Chaotic Maps

In the last decade, chaotic maps have been widely accepted as a tool to impart security and efficiency to various cryptographic protocols. Some literature [36-38] addresses the construction of one-way hash functions based on chaotic maps. Deng et al. [36] proposed an improved hash algorithm with good diffusion and confusion capability, enhanced collision resistance and high sensitivity to the message and the secret key. Chaotic maps have also been deployed in the area of image encryption [39-44]. This is achieved by computing a one-time key using a chaotic map, and the linear chaotic map is utilized to compute a pseudo-random key stream sequence that works as the key of a symmetric stream cipher algorithm. In 2006, Wang et al. [45] highlighted the use of multiple chaotic systems for the security of a public key encryption technique. However, Zhang [46] identified some vulnerabilities in the public key encryption method [45] devised by Wang et al. In information security, digital signatures are very important primitives used to obtain message integrity and non-repudiation. In 2010, Wang and Gao [47] presented a digital communication system based on discrete and adaptive chaos synchronization. In 2013, Chain and Kuo [48] proposed a signature scheme whose security relies on the Chebyshev chaotic discrete logarithm problem (CHDLP), though it displayed high computational cost. Many public key agreement protocols [49-52] have been introduced based on chaotic maps. These protocols enable two parties to compute and agree upon a secret session key in order to maintain data confidentiality in their future communications. Besides, a number of password-authenticated or plain key exchange schemes [53-58] have also been developed utilizing chaotic maps. These schemes establish mutual authentication and a secret session key between the participants. In 2005, Bergamo et al. [59] noticed that public key cryptosystems relying on Chebyshev polynomials were weak in the sense that a legal but malicious entity can determine the session key in advance. To eradicate this flaw, Zhang [46] modified the Chebyshev polynomials by extending the domain of definition to (−∞, +∞). He proved that the Chebyshev polynomials satisfy commutativity under composition and the semi-group property in the enlarged domain (−∞, +∞). Since then, many two-factor and three-factor password-authenticated key agreement schemes [60-64] have been introduced using extended chaotic maps.
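The two properties named above, commutativity under composition and the semi-group property T_r(T_s(x)) = T_s(T_r(x)) = T_rs(x), are what every chaotic-map key agreement rests on, and they can be checked numerically. The following Python is an added example and not part of the paper: it evaluates the extended Chebyshev polynomial T_n(x) modulo a prime p (Zhang's enlarged domain, reduced mod p as the schemes cited above do), verifies the semi-group identity, and runs the plain two-party exchange underlying the protocols of [49-52]. The prime p, the base point x and the exponents in the test are constructed values; the functions cheb, cheb_naive, semigroup_holds and chaotic_map_key_agreement are names chosen here.

```python
import random

def cheb_naive(n, x, p):
    """T_n(x) mod p from the defining recurrence T_0 = 1, T_1 = x, T_{k+1} = 2x*T_k - T_{k-1}."""
    if n == 0:
        return 1 % p
    t_prev, t_cur = 1, x % p
    for _ in range(n - 1):
        t_prev, t_cur = t_cur, (2 * x * t_cur - t_prev) % p
    return t_cur

def cheb(n, x, p):
    """T_n(x) mod p in O(log n) multiplications: with M = [[2x, -1], [1, 0]] we have
    [T_{k+1}, T_k]^T = M^k [T_1, T_0]^T, so the second row of M^n applied to (x, 1) is T_n."""
    def mul(a, b):
        return [[(a[0][0] * b[0][0] + a[0][1] * b[1][0]) % p, (a[0][0] * b[0][1] + a[0][1] * b[1][1]) % p],
                [(a[1][0] * b[0][0] + a[1][1] * b[1][0]) % p, (a[1][0] * b[0][1] + a[1][1] * b[1][1]) % p]]
    acc, base = [[1, 0], [0, 1]], [[(2 * x) % p, p - 1], [1, 0]]   # p - 1 is -1 mod p
    while n:
        if n & 1:
            acc = mul(acc, base)
        base = mul(base, base)
        n >>= 1
    return (acc[1][0] * x + acc[1][1]) % p

def semigroup_holds(r, s, x, p):
    """The property the scheme relies on: T_r(T_s(x)) = T_s(T_r(x)) = T_{rs}(x) (mod p)."""
    return cheb(r, cheb(s, x, p), p) == cheb(s, cheb(r, x, p), p) == cheb(r * s, x, p)

def chaotic_map_key_agreement(x, p, rng=random.SystemRandom()):
    """Plain two-party key agreement on extended Chebyshev maps: each side publishes T_secret(x)
    and applies its own secret to the other side's value.  This step alone is unauthenticated;
    the mutual authentication the paper adds is what binds it to Ui, GWN and SNj.
    Returns (A, B, key_alice, key_bob)."""
    r, s = rng.randrange(2, p), rng.randrange(2, p)   # the two parties' secret exponents
    A, B = cheb(r, x, p), cheb(s, x, p)               # public messages T_r(x) and T_s(x)
    return A, B, cheb(r, B, p), cheb(s, A, p)         # T_r(T_s(x)) and T_s(T_r(x)) coincide
```

The matrix form matters in practice: the exponents that serve as secrets are the size of p, so the naive recurrence is unusable, while cheb needs only about log2(n) matrix products. The semi-group identity is a polynomial identity over the integers, which is why it survives reduction modulo p and why both parties in chaotic_map_key_agreement end up with the same value.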

1.3 Our Contribution and Design Methodology

1.3.1 Our Contribution

In this paper, we first review and examine Li et al.'s [31] and He et al.'s [32] schemes for their suitability to WSNs, followed by the results of our analysis of each, and finally design a chaotic-maps-based user friendly authentication scheme for WSNs with forward secrecy and a wrong-identifier detection mechanism at the time of login. In Li et al.'s scheme [31], the GWN maintains a write-protected table storing some user-specific information to fix the many-logged-in-users attack of Xue et al.'s scheme [30]. Undoubtedly, Li et al.'s scheme [31] achieves this aim, but it exposes their scheme to user identity revelation, user impersonation and password guessing attacks. Further, their scheme does not provide forward secrecy, which is an essential characteristic of authentication schemes with a key agreement facility. In addition, the security of the established session keys is at risk if the session-specific temporary information is leaked. Besides, users cannot change their password, and the security of a static password is considered weak. An attacker can guess the identity of the user by merely intercepting her/his login request. Moreover, the protocol imposes extra computational load on the sensor nodes. He et al.'s scheme [32] does not live up to the authors' claim of providing user anonymity and imposes the time-consuming modular exponentiation operation on resource-scanty sensor nodes. In addition, their scheme suffers from offline password guessing and session-specific temporary information attacks. The scheme lacks forward secrecy, as an attacker can compute the session key established between the user and the sensor node if either of the two secret keys of the GWN (one user-specific and the other sensor-node-specific) is leaked. Further, a user has no option of changing his/her password, and there is no mechanism in the smart card to detect an unauthorized login.

In this paper, we utilize the commutativity under composition and the semi-group property of extended Chebyshev polynomials to propose a secure and efficient scheme. We propose a new authentication scheme for WSNs which establishes a session key between the user and the SN using extended chaotic maps, by virtue of which the established session key provides forward secrecy. To get rid of stolen-verifier attacks, the GWN in our scheme does not store any user-specific data. The proposed scheme provides user anonymity, so it is ideal for sensitive applications demanding protection of the user's privacy. The communication overhead of the scheme, especially on the resource-starved SNs, is considerably lower than in previous schemes [29-33] for WSNs.

1.3.2 Design methodology

Our design methodology for presenting a robust authentication and key agreement scheme for WSNs that avoids the drawbacks identified in previous schemes is as follows:
• Maintaining a table at the server storing sensitive data about registered users should be avoided.
• The user's identity should not be sent in plaintext over a public channel.
• No value should be transmitted over the public channel that gives an attacker a way to guess the vulnerable identifiers (identity and password) of the user. In fact, identity and password are very susceptible to guessing since they are chosen from a limited domain.
• Keeping the computational load at the resource-scanty sensor nodes low should be the prime concern.
• The session key should rely on some fixed parameters in addition to session-specific temporary values; otherwise, leakage of the session-specific temporary values would lead to disclosure of the session key.
• Compromise of long-term secrets such as the user's identity and password or the GWN's private key(s) should not affect the security of the session key. In any case, the session key should remain confidential between the parties to guarantee the confidentiality of communication between them.
• The user should be able to freely choose and change the user's password.
• There should be a provision for detecting any unauthorized access attempt during the login phase. An unauthorized access attempt may occur due to wrong entry of identity or password or both by the legal user during the login phase. This causes denial of service to the legal user and exhausts the resources of the entities involved in computing the values necessary for authentication.

1.4 Organization of the Remaining Paper

Section 2 reviews Li et al.'s scheme and Section 3 presents its cryptanalysis. Section 4 reviews He et al.'s scheme and Section 5 presents its cryptanalysis. Section 6 describes the preliminaries of Chebyshev chaotic maps, and the proposed scheme using chaotic maps is presented in Section 7. Section 8 discusses the security features of the proposed scheme and Section 9 presents a formal analysis of the scheme using BAN logic. Section 10 compares the proposed scheme with previously proposed related schemes. Finally, conclusions are drawn in Section 11.

2. Review of Li et al.'s Scheme [31]

The notations used in the paper, with their descriptions, are listed in Table 1 below:

Table 1: The notations and their meaning
Notation            Description
Ui                  A registered user
GWN                 Gateway node or base station
DB                  Database maintained by the GWN
SN/SNs/SNj          Sensor node/Sensor nodes/jth sensor node
E                   An adversary/attacker
IDi                 Identity of Ui
PWi                 Password of Ui
SC                  Smart card of Ui
x/xg-u/xg-s         Secret keys of GWN meant for itself/users/SNs
TCi/TCj             Temporal credential of Ui/SNj, computable only by the GWN
TEi                 Expiry time for TCi, determining the service-validity-limit
∆T                  Time threshold for transmission delay
a, ri               Random strings generated at the user side during the registration process
b, sj               Random strings generated by SNj/GWN for the registration of SNj
Ri (Ki)/Kg/Ks       Random strings generated at Ui/GWN/SNj during the login-authentication process
SKw-z               Session key established between the entities w and z
Enk(.)/Dnk(.)       Encryption/Decryption using key k
p                   A large prime number
Zp                  Ring of integers modulo p
Zp*                 Multiplicative group of Zp
g                   Generator of Zp*
⊕                   Exclusive-OR operator, which operates bitwise
h(.)                A one-way hash function
||                  Concatenation operator

Li et al.'s scheme has four phases: the pre-registration phase, the registration phase, the login phase, and the authentication & key agreement phase. A detailed description of Li et al.'s scheme follows.

2.1 Pre-Registration Phase

Before registration, each user Ui has to share a pre-decided pair of identity IDipre and password PWipre with the GWN. Corresponding to {IDipre, PWipre}, the GWN stores the values {IDipre, h(IDipre || PWipre)} to confirm the validity of the registration request of Ui. Besides, each sensor node SNj is provisioned with a pre-decided pair {SIDj, sj}, where SIDj is the identity assigned to SNj and sj is a random string. Corresponding to {SIDj, sj}, the GWN stores {SIDj, h(SIDj || sj)} to confirm the validity of the registration request of SNj.

2.2 Registration Phase

This phase is about the registration of the user Ui and the sensor node SNj at the GWN.

2.2.1 User registration phase: The following steps are performed by Ui and the GWN:
1) Ui chooses her/his identity IDi and password PWi, and generates a random string ri.
2) Computes Vi = h(Tir || h(IDipre || PWipre)), Ci = h(IDipre || PWipre) ⊕ h(IDi || PWi || ri) and Di = IDi ⊕ h(IDipre || PWipre) using the current timestamp Tir.
3) Sends {IDipre, Vi, Ci, Di, Tir} to the GWN.
On obtaining the registration request {IDipre, Vi, Ci, Di, Tir} from Ui, the GWN does the following:
4) Acquires the current timestamp Tgir and checks if |Tir − Tgir| < ∆T. If not, the GWN transmits REJECT to Ui. Otherwise, the GWN retrieves h(IDipre || PWipre) using the received IDipre and computes Vi* = h(Tir || h(IDipre || PWipre)).
5) Verifies if Vi* = Vi; if not, the connection is disrupted. If Vi* and Vi are equal, the GWN computes Qi = Ci ⊕ h(IDipre || PWipre) = h(IDi || PWi || ri), IDi = Di ⊕ h(IDipre || PWipre), Pi = h(IDi || TEi), TCi = h(xg-u || Pi || TEi) and PTCi = TCi ⊕ Qi, where TCi is the temporal credential of Ui. Note that Ui is entitled to access information from the WSN within the time threshold given by TEi.
6) The GWN maintains a write-protected user-verifier table as given below (Table 2):

Table 2: User-verifier-table at GWN during the registration phase
User-Identity   User-Verifier   Status-Bit   Last-Login-Time   Service-Validity-limit
IDi             Qi              0/1          N/A               TEi
…               …               …            …                 …
…               …               …            …                 …

Status-Bit: 1 if the user is logged in to the GWN, otherwise 0.
Last-Login-Time: This field stores the timestamp indicating the last login time of the user. The entry in this field is updated in every session.
Service-Validity-limit: This field indicates the time limit within which a user can access services from the WSN.

7) The GWN sends h(Qi) and the SC containing {h(Qi), TEi, PTCi, h(.)} to Ui.
On obtaining h(Qi) and the SC, Ui does the following:
8) Checks whether the computed h(h(IDi || PWi || ri)) and the received h(Qi) are equal. If not, Ui rejects the session and the SC; otherwise, the GWN is authenticated.
9) Inserts the random number ri into the smart card so that SC = {h(Qi), TEi, PTCi, ri, h(.)}.

2.2.2 Sensor-node registration phase: This phase is conducted after the deployment of the SNs in the target field. The following steps are performed by SNj and the GWN:
1) SNj computes Vj = h(Tsr || h(SIDj || sj)) using the current timestamp Tsr and sends {SIDj, Vj, Tsr} to the GWN.
On obtaining the registration request {SIDj, Vj, Tsr} from SNj, the GWN does the following:
2) Acquires the current timestamp Tgsr′ and checks if |Tsr − Tgsr′| < ∆T. If not, the GWN transmits REJECT to SNj. Otherwise, the GWN retrieves h(SIDj || sj) using the received SIDj and computes Vj* = h(Tsr || h(SIDj || sj)).
3) Verifies if Vj* = Vj; if not, the connection is disrupted. If Vj* and Vj are equal, the GWN computes the temporal credential for SNj as TCj = h(xg-s || SIDj) and acquires another current timestamp Tgsr. It also computes Qj = h(Tgsr || h(SIDj || sj)) and RGj = h(h(SIDj || sj) || Tgsr) ⊕ TCj.
4) The GWN sends {Qj, RGj, Tgsr} to SNj.
On obtaining {Qj, RGj, Tgsr}, SNj does the following:
5) Acquires the current timestamp Tsr′ and verifies if |Tgsr − Tsr′| < ∆T. If not, SNj disrupts the session; otherwise, it checks whether the computed h(Tgsr || h(SIDj || sj)) and the received Qj are equal. If so, SNj obtains its temporal credential as TCj = RGj ⊕ h(h(SIDj || sj) || Tgsr) and stores it in its memory. After successful registration, SNj discards sj from its memory.

2.3 Login Phase

In order to access information from the WSN, Ui logs in to the GWN in the following manner.
1) Ui inserts her/his SC into the card reader and inputs IDi and PWi.
2) The SC computes h(h(IDi || PWi || ri)) and compares it with the stored h(Qi); if the two values differ, the SC disrupts the session. If they match, the SC proceeds to compute the login request.
3) Retrieves the temporal credential TCi = PTCi ⊕ Qi, generates a random string Ki and acquires the current timestamp Til.
4) Computes DIDi = IDi ⊕ h(TCi || Til), Ci = h[h(Qi || Til) ⊕ TCi], PKSi = Ki ⊕ h(TCi || Til || “000”) and Pi = h(IDi || TEi); the binary string “000” is used to distinguish h(TCi || Til || “000”) from h(TCi || Til).
5) Ui sends the login request {DIDi, Ci, PKSi, Til, TEi, Pi} to the GWN.

2.4 Authentication & Key Agreement Phase

In this phase, mutual authentication and session key establishment take place between the participants. First of all, on receiving {DIDi, Ci, PKSi, Til, TEi, Pi} from Ui, the GWN authenticates the user in the following manner:
1) Checks the freshness of Til as per the time threshold ∆T. For fresh Til, the GWN computes TCi* = h(xg-u || Pi || TEi), IDi = DIDi ⊕ h(TCi* || Til) and obtains Ui's verifier Qi = h(IDi || PWi || ri) from the user-verifier table using IDi.
2) Computes Ci* = h(h(Qi || Til) ⊕ TCi*) and verifies if Ci* = Ci. If not, the GWN rejects the login request; otherwise, Ui is authenticated. The GWN sets the status-bit to “1” and records Til in the third and fourth fields of the user-verifier table. The entries of Table 2 are updated as given below in Table 3:

Table 3: User-verifier-table at GWN during the authentication & key agreement process
User-Identity   User-Verifier   Status-Bit   Last-Login-Time   Service-Validity-limit
IDi             Qi              1            Til               TEi
…               …               …            …                 …
…               …               …            …                 …

3) Retrieves Ki = PKSi ⊕ h(TCi || Til || “000”) and selects a suitable sensor node SNj from the neighborhood. To send an authentication message to SNj, the GWN performs the following steps:
4) Computes the temporal credential TCj = h(xg-s || SIDj) of SNj. Acquires the current timestamp Tgsl and computes DIDg = IDi ⊕ h(DIDi || TCj || Tgsl), Cg = h(IDi || TCj || Tgsl) and PKSg = Ki ⊕ h(TCj || Tgsl).
5) Sends {DIDi, DIDg, Cg, PKSg, Tgsl} to SNj.
On receiving {DIDi, DIDg, Cg, PKSg, Tgsl}, SNj does the following to verify the legitimacy of the GWN:
6) Checks the freshness of Tgsl as per the time threshold ∆T. For fresh Tgsl, SNj obtains IDi = DIDg ⊕ h(DIDi || TCj || Tgsl) and computes Cg* = h(IDi || TCj || Tgsl). Checks if Cg* = Cg; if not, SNj disrupts the session; otherwise, the GWN is authenticated.
7) Next, SNj obtains Ki = PKSg ⊕ h(TCj || Tgsl), generates a random string Ks and acquires the current timestamp Tsl.
8) Computes Cj = h(Ks || IDi || SIDj || Tsl), PKSj = Ks ⊕ h(Ki || Tsl) and sends {SIDj, Cj, PKSj, Tsl} to Ui and the GWN.
On receiving {SIDj, Cj, PKSj, Tsl}, the GWN and Ui independently verify the legitimacy of SNj.
9) For fresh Tsl, the GWN and Ui independently compute Ks = PKSj ⊕ h(Ki || Tsl) and Cj* = h(Ks || IDi || SIDj || Tsl). If Cj* = Cj, SNj is authenticated by the GWN; the same equality guarantees the legitimacy of SNj and the GWN to the user.
10) After successful mutual authentication, SNj and Ui compute the session key SKi-j = h(Ki ⊕ Ks). When the authentication and key agreement phase is finished, the status-bit is set to “0” as shown in Table 4.

Table 4: User-verifier-table at GWN after finishing the authentication & key agreement process
User-Identity   User-Verifier   Status-Bit   Last-Login-Time   Service-Validity-limit
IDi             Qi              0            Til               TEi
…               …               …            …                 …
…               …               …            …                 …

3. Cryptanalysis of Li et al.’s Scheme [31] In this section, we discuss the security problems of Li et al.’s scheme under the following assumptions. The loginauthentication process is conducted over the open communication channel and an attacker can intercept all the messages from the network. Besides, the attacker can steal or obtain a valid user Ui’s smart card and can extract the information stored in it according to researches by Kocher et al. [65] and Messerges et al. [66]. In addition, the secret key of the user or the server may leak. We categorize the attack analysis of Li et al.’s scheme into two streams. The first kind of attacks originate due to theft or compromise of the user-verifier-table maintained at the GWN. The attacks under the second kind are independent of each other and also independent from the attacks of the first kind. 3.1 Attack Analysis I: Security Problems via Stolen Verifier Attack We demonstrate that Li et al.’s scheme is defenseless in many ways if an adversary E steals the information stored in user-verifier-table at GWN. As discussed in Section 2, the GWN maintains a user-verifier-table to store user-specific information. This table consists of five fields of which only two are updated in every session. First, second and last fields storing user’s identity IDi, user’s verifier Qi and user’s service-validity-limit TEi respectively are fixed. Although, the user-verifier-table is write-protected, E can read the information stored in it. The possible weaknesses of Li et al.’s scheme under the aforementioned scenario are as follows:  Revelation of user’s identity [67-69]  User impersonation attack [67-71]  Password guessing attack [68-72] 3.1.1 Revelation of User’s Identity Suppose E steals the contents of the user-verifier-table, then corresponding to each user, he would possess the identity, verifier and the expiry-time of user’s temporal-credential. 
If the adversary E steals or finds the SC of Ui, then he can recognize the identity of Ui. For this, E extracts the information {h(Qi), TEi, PTCi, ri} stored in SC and looks up the stolen table for the extracted TEi; the corresponding value of the identity IDi yields Ui’s identity. Possibly, two or more users may have the same service-validity-limit, whereby the extracted TEi would correspond to more than one value of the identity, as shown below in Table 5.

Table 5: User-verifier-table stolen by the adversary E
User-Identity | User-Verifier | Status-Bit | Last-Login-Time | Service-Validity-limit
IDi           | Qi            | 0          | Til             | TEi
…             | …             | …          | …               | …
IDk           | Qk            | 0          | Tkl             | TEi
IDm           | Qm            | 0          | Tml             | TEm
…             | …             | …          | …               | …
IDn           | Qn            | 0          | Tnl             | TEi
…             | …             | …          | …               | …

In this situation, E can compute the hashed values {h(Qi), h(Qk), h(Qn)} of each of the verifiers {Qi, Qk, Qn} corresponding to TEi and compare them with the hash value h(Qi) extracted from SC. The identity corresponding to the verifier whose hash value matches h(Qi) yields the exact identity of Ui. In this way, E can reveal the identity of any user whose smart card he possesses, and hence the scheme does not provide user anonymity.

3.1.2 User Impersonation Attack
It is observable that during the above described process of revealing the identity of the user Ui whose smart card is possessed by E, the adversary also obtains the exact value of the verifier Qi. Using Qi, E can retrieve the temporal credential TCi of Ui by computing TCi = PTCi ⊕ Qi. Now, E possesses IDi, Qi, TEi and TCi corresponding to Ui, and this much information is sufficient for E to impersonate Ui, as discussed below:

1) E generates a random string Ke and computes DIDe = IDi ⊕ h(TCi || Tel), Ce = h[h(Qi || Tel) ⊕ TCi], PKSe = Ke ⊕ h(TCi || Tel || “000”) and Pi = h(IDi || TEi), where Tel is the current timestamp of the adversary’s system.
2) Sends {DIDe, Ce, PKSe, Tel, TEi, Pi} as the login request to GWN.
On receiving this login request, the following happens at the GWN:
3) Tel, being the current timestamp, passes the timestamp validity test, so the GWN proceeds further. It computes TCi* = h(xg-u || Pi || TEi), which is equal to TCi by virtue of the exact values Pi and TEi. Thereby, GWN retrieves the correct identity IDi of Ui as IDi = DIDe ⊕ h(TCi* || Tel) and obtains Ui’s verifier Qi = h(IDi || PWi || ri) from the user-verifier-table using IDi.
4) Computes Ce* = h(h(Qi || Tel) ⊕ TCi*) and verifies whether Ce* = Ce; the equality holds by virtue of the exact values Qi and TCi*. As a result, GWN believes that the received login request originates from the legitimate user Ui and updates the entries of the user-verifier-table.
5) Retrieves Ke = PKSe ⊕ h(TCi || Tel || “000”) and sends {DIDe, DIDge, Cg, PKSge, Tgsl} to a suitable sensor node SNj. Here DIDge = IDi ⊕ h(DIDe || TCj || Tgsl), Cg = h(IDi || TCj || Tgsl) and PKSge = Ke ⊕ h(TCj || Tgsl), where TCj = h(xg-s || SIDj) is the temporal credential of SNj and Tgsl is the current timestamp.
On receiving {DIDe, DIDge, Cg, PKSge, Tgsl}, the following happens at SNj:
6) Tgsl, being the current timestamp, passes the timestamp validity test, so SNj proceeds further. It obtains IDi = DIDge ⊕ h(DIDe || TCj || Tgsl) and computes Cg* = h(IDi || TCj || Tgsl). It verifies whether Cg* = Cg; the equality holds by virtue of the exact values IDi and TCj. As a result, SNj believes that the received message originates from the authorized GWN.
7) Next, SNj obtains Ke = PKSge ⊕ h(TCj || Tgsl) and sends {SIDj, Cj, PKSje, Tsl} to Ui and GWN.
Here Cj = h(Ks || IDi || SIDj || Tsl) and PKSje = Ks ⊕ h(Ke || Tsl), where Ks is the random string generated by SNj and Tsl is the current timestamp.
On receiving {SIDj, Cj, PKSje, Tsl}, the following happens at the GWN and on adversary E’s side:
8) GWN and E compute Ks = PKSje ⊕ h(Ke || Tsl) and Cj* = h(Ks || IDi || SIDj || Tsl). For Cj* = Cj, which holds, SNj is authenticated by the GWN; the same equality guarantees the legitimacy of SNj and GWN to the adversary.
9) Finally, E computes the same session key SKe-j = h(Ke ⊕ Ks) as is computed by SNj and hence can communicate with SNj.
In this way, E can successfully impersonate Ui to the extent of establishing a confidential communication channel with SNj without knowing the user’s password.

3.1.3 Password Guessing Attack
As described under attack analysis 3.1.1, an adversary E can reveal the identity of the user Ui whose smart card he possesses. Further, E can employ the random string ri extracted from the possessed smart card along with the revealed identity IDi and the corresponding verifier Qi = h(IDi || PWi || ri) to guess the user’s password.
1) E guesses PWi* as the user’s probable password and computes Qi* = h(IDi || PWi* || ri).
2) Compares Qi* and Qi; the equality Qi* = Qi implies the correctness of the guessed password; else E repeats the process with some other guess and keeps on doing so till he guesses the correct password.

3.2 Attack Analysis II
The attacks under this analysis are independent of each other and also independent of the attacks discussed in Subsection 3.1. A list of the attacks under this analysis is as follows:
- Identity guessing attack [73]
- Absence of forward secrecy [68-69, 74]
- Session-specific temporary information attack [75-76]
- Absence of password changing facility
- Extra computational load on sensor-nodes

3.2.1 Identity Guessing Attack
The adversary can intercept the login request {DIDi, Ci, PKSi, Til, TEi, Pi} of Ui from the open network. Since TEi (in plaintext) and Pi = h(IDi || TEi) are available from the intercepted login request, E can attempt to guess the identity of Ui. E guesses IDi* as the user’s probable identity and computes Pi* = h(IDi* || TEi). If Pi* ≠ Pi, E repeats the process with some other guess; else the equality of Pi* and Pi yields the correct value of Ui’s identity.

3.2.2 Absence of Forward Secrecy
An authentication scheme is said to satisfy forward secrecy if the security of the previously established session keys remains unaffected by the disclosure of the secret keys of any of the participating entities (GWN’s secret key or user’s password). Forward secrecy ensures the confidentiality of future communication between the entities even after the disclosure of their secret keys. Consider the situation of the leakage of the GWN secret key xg-u. E can intercept the login request {DIDi, Ci, PKSi, Til, TEi, Pi} and the SNj message {SIDj, Cj, PKSj, Tsl} from the communication channel; both messages contain the common value DIDi, which assures E that these messages belong to the same user. Next, E can compute the temporal credential of Ui as TCi = h(xg-u || Pi || TEi) using Pi and TEi available from the intercepted login request. E obtains Ui’s random string Ki as Ki = PKSi ⊕ h(TCi || Til || “000”) and SNj’s random string Ks = PKSj ⊕ h(Ki || Tsl). Having Ki and Ks in hand, E can compute the session key SKi-j = h(Ki ⊕ Ks) and hence can read the confidential communication between Ui and SNj. Thus, the forward secrecy property is absent from Li et al.’s scheme.

3.2.3 Session-Specific Temporary Information Attack
This attack was introduced by Canetti and Krawczyk [75]: the session key established in a specific session is no longer secure if the information generated temporarily for that session is leaked.
In Li et al.’s scheme, if the temporarily generated random strings Ki and Ks of the user and the SN are leaked, then E can easily compute the session key SKi-j = h(Ki ⊕ Ks) established between Ui and SNj. Thus, the security of the session key is under threat due to the leakage of the session-specific temporary information.

3.2.4 Absence of Password Changing Facility
The scheme has no provision for users to change their existing password. Since users tend to pick an easily memorable password, it is vulnerable to guessing attack. Therefore, in the absence of password updating, the security of a password-based scheme is at risk, and Li et al.’s scheme falls under this category.

3.2.5 Extra Computational Load on Sensor-nodes
In Li et al.’s scheme, there is a provision for sensor-node registration over a public channel. For this, GWN assigns to each sensor node SNj an identity SIDj and a random string sj. GWN stores the pair {SIDj, sj} in SNj before its deployment in the field and itself stores the pair {SIDj, h(SIDj || sj)} to confirm the validity of the registration request of SNj. After their deployment in the target field, SNs undergo registration with the GWN. For the entire registration phase, SNj has to compute four hash operations. However, power-hungry SNs could utilize this energy for sensing and transmitting information on demand. The purpose of sensor-node registration is to equip each SN with a unique temporal credential TCj = h(xg-s || SIDj). GWN can achieve this in a single step by computing the temporal credential for each SN and storing its unique value in each SN before deployment in the target field. Thus, Li et al.’s scheme unnecessarily imposes extra load on resource-scanty sensor-nodes.

4. Review of He et al.’s Scheme [32]
He et al.’s scheme has four phases: pre-registration phase, registration phase, login phase, and authentication & key agreement phase. A detailed description of the scheme is as follows:

4.1 Pre-Registration Phase
Firstly, GWN selects a large prime number p and a generator g of . Then, GWN randomly selects x ∈ as its secret key, computes y = g^x mod p and publicizes {p, g, y} as the system parameters. Each user Ui has an identity IDi and shares a pair {IDi, h(PWi')} with the GWN, where PWi' is the user’s password. Corresponding to the user, say, Ui, the GWN stores {IDi, h(PWi')} in its database. Besides, each sensor node SNj is loaded with a pre-decided pair {SIDj, h(PWj)}, where SIDj is the identity and PWj is the password assigned to SNj. Corresponding to the sensor node, say, SNj, the GWN stores {SIDj, h(PWj)} in its database.

4.2 Registration Phase
This phase is about the registration of the user Ui and the sensor node SNj at the GWN.

4.2.1 User registration phase: The following steps are performed by Ui and GWN for user registration:
1) Ui chooses a new password PWi, and generates two random strings a, ri ∈ .
2) Computes Ai = g^a mod p, Ai' = y^a mod p = g^(ax) mod p, Vi = h(Tir || h(PWi') || Ai || Ai' || h(PWi || IDi || ri)) and TPWi = h(PWi || IDi || ri) ⊕ h(Tir || h(PWi') || Ai || Ai') using the current timestamp Tir.
3) Sends {IDi, Vi, TPWi, Ai, Tir} to GWN through a public channel.
On obtaining the registration request {IDi, Vi, TPWi, Ai, Tir} from Ui, the GWN does the following:
4) Acquires the current timestamp Tgir and checks if |Tir − Tgir| < ∆T. If not, the GWN rejects the request. Otherwise, GWN retrieves h(PWi') from its database using the received IDi and computes Ai'' = (Ai)^x mod p = g^(ax) mod p.
5) Retrieves Qi = TPWi ⊕ h(Tir || h(PWi') || Ai || Ai'') = h(PWi || IDi || ri) to compute Vi* = h(Tir || h(PWi') || Ai || Ai'' || h(PWi || IDi || ri)) and checks if Vi* = Vi. For Vi* ≠ Vi, the connection is disrupted.
6) For equality of Vi* and Vi, the GWN generates a pseudo identity PIDi, computes TCi = h(xg-u || PIDi || TEi) and PTCi = TCi ⊕ Qi, where TCi is the temporal credential of Ui.
It is noticeable that Ui is entitled to access information from the WSN within the time threshold mentioned in TEi.
7) GWN deletes {IDi, h(PWi')} from its database, stores {PIDi, TEi, PTCi, h(.)} in a smart card SC and issues SC to Ui through a secure channel.
On obtaining SC, Ui does the following:
8) Inserts the random number ri into the smart card so that SC = {PIDi, TEi, PTCi, ri, h(.)}.

4.2.2 Sensor-node registration phase: This phase is conducted after the deployment of SNs in the target field. The following steps are performed by SNj and the GWN for sensor node registration:
1) SNj generates a random string b ∈ , computes Bj = g^b mod p, Bj' = y^b mod p = g^(bx) mod p, Vj = h(Tsr || h(PWj) || Bj || Bj') using the current timestamp Tsr and sends {SIDj, Vj, Bj, Tsr} to GWN through a public channel.
On obtaining the registration request {SIDj, Vj, Bj, Tsr} from SNj, the GWN does the following:
2) Acquires the current timestamp Tgsr′ and checks if |Tsr − Tgsr′| < ∆T. If not, the GWN rejects the request. Otherwise, GWN retrieves h(PWj) using the received SIDj and computes Bj'' = (Bj)^x mod p = g^(bx) mod p.
3) Computes Vj* = h(Tsr || h(PWj) || Bj || Bj'') and checks if Vj* = Vj. If not, the connection is disrupted. For equality of Vj* and Vj, the GWN computes the temporal credential for SNj as TCj = h(xg-s || SIDj) and acquires another current timestamp Tgsr. It also computes RGj = h(Tgsr || h(PWj) || Bj || Bj'') ⊕ TCj and Qj = h(TCj || h(Tgsr || h(PWj) || Bj || Bj'')). GWN discards h(PWj) and stores only SIDj in its database.
4) The GWN sends {RGj, Qj, Tgsr} to SNj.
On obtaining {RGj, Qj, Tgsr}, SNj does the following:
5) Acquires the current timestamp Tsr′ and verifies if |Tgsr − Tsr′| < ∆T. If not, SNj disrupts the session; else, it retrieves TCj = RGj ⊕ h(Tgsr || h(PWj) || Bj || Bj'). Computes h(TCj || h(Tgsr || h(PWj) || Bj || Bj'')) and checks if it is equal to the received Qj. If not, SNj terminates the session; otherwise, SNj stores TCj in its memory.
4.3 Login Phase
In order to access information from SNs, Ui logs in to the GWN in the following manner.
1) Ui inserts her/his SC into the card reader and inputs IDi and PWi.
2) SC computes Qi = h(PWi || IDi || ri), retrieves TCi = PTCi ⊕ Qi, generates a random string Ki and acquires the current timestamp Til.

3) Computes DIDi = IDi ⊕ h(TCi || Til), Ci = h[h(IDi || Til) ⊕ TCi] and PKSi = Ki ⊕ h(TCi || Til || “000”).
4) Ui sends the login request {DIDi, Ci, PKSi, Til, TEi, PIDi} to GWN.

4.4 Authentication & Key Agreement Phase
In this phase, mutual authentication between the participants and session key establishment between Ui and SNj take place. First of all, on receiving {DIDi, Ci, PKSi, Til, TEi, PIDi} from Ui, the GWN authenticates the user in the following manner:
1) Checks the freshness of Til as per the time threshold ∆T. For fresh Til, GWN retrieves IDi = DIDi ⊕ h(h(xg-u || PIDi || TEi) || Til). Computes Ci* = h[h(IDi || Til) ⊕ h(xg-u || PIDi || TEi)] and verifies if Ci* = Ci. If not, GWN rejects the login request; else, for sending an authentication message to a nearby SNj, GWN performs the following steps:
2) Retrieves Ki = PKSi ⊕ h(h(xg-u || PIDi || TEi) || Til || “000”) and acquires the current timestamp Tgsl. Computes DIDg = IDi ⊕ h(DIDi || h(xg-s || SIDj) || Tgsl), Cg = h(IDi || h(xg-s || SIDj) || Tgsl) and PKSg = Ki ⊕ h(h(xg-s || SIDj) || Tgsl).
3) Sends {DIDi, DIDg, Cg, PKSg, Tgsl} to SNj.
On receiving {DIDi, DIDg, Cg, PKSg, Tgsl}, SNj does the following to verify the legitimacy of the GWN:
4) Checks the freshness of Tgsl as per the time threshold ∆T. For fresh Tgsl, SNj obtains IDi = DIDg ⊕ h(DIDi || TCj || Tgsl) and computes Cg* = h(IDi || TCj || Tgsl). Checks if Cg* = Cg; if not, SNj disrupts the session; else,
5) SNj obtains Ki = PKSg ⊕ h(TCj || Tgsl), generates a random string Ks and computes the session key SKj-i = h(Ki ⊕ Ks).
6) Acquires the current timestamp Tsl to compute Cj = h(Ks || IDi || SIDj || Tsl), PKSj = Ks ⊕ h(Ki || Tsl) and sends {SIDj, Cj, PKSj, Tsl} to Ui.
On receiving {SIDj, Cj, PKSj, Tsl}, Ui verifies the legitimacy of SNj:
7) For fresh Tsl, Ui computes Ks = PKSj ⊕ h(Ki || Tsl) and Cj* = h(Ks || IDi || SIDj || Tsl). For Cj* = Cj, both SNj & GWN are authenticated by Ui.
8) Finally, Ui computes the session key SKi-j = h(Ki ⊕ Ks).
5. Cryptanalysis of He et al.’s Scheme [32]

5.1 Absence of User Anonymity
We observe the registration of a user Ui at GWN in He et al.’s scheme. Ui transmits its registration request {IDi, Vi, TPWi, Ai, Tir} to the GWN over a public channel. An attacker E can easily intercept this request from the network and acquire the identity IDi of Ui. In this way, E can get information about the identity of all registered users. Therefore, the user is not anonymous in He et al.’s scheme.

5.2 Extra Computational Load on Sensor-nodes
In He et al.’s scheme, there is a provision for sensor-node registration over a public channel. To achieve this, GWN assigns to each sensor node, say, SNj an identity SIDj and a password PWj. GWN stores the pair {SIDj, h(PWj)} in SNj before its deployment in the field. After their deployment in the target field, SNs undergo registration with the GWN. To compute the registration request, SNj uses the time-consuming modular exponentiation operation twice, which is not favorable for low-battery SNs. SNs could use this energy for sensing and transmitting information on demand. The purpose of sensor-node registration is to equip each SN with a unique temporal credential TCj = h(xg-s || SIDj). GWN can achieve this in a single step by computing the temporal credential for each SN and storing its unique value in each SN before deployment in the target field. Thus, He et al.’s scheme unnecessarily imposes extra load on resource-scanty sensor-nodes.

5.3 Offline Password Guessing Attack
An attacker E can easily obtain Ui’s identity from the registration request {IDi, Vi, TPWi, Ai, Tir} of Ui transmitted over the public channel. Suppose E gains access to the SC of Ui and obtains all the information {PIDi, TEi, PTCi, ri, h(.)} stored in it [65-66]. Then E can guess the password of Ui using the intercepted login request {DIDi, Ci, PKSi, Til, TEi, PIDi}, as E can record all the messages exchanged during the login and authentication phase. For this, E guesses PW* as a password of Ui to compute (Qi)* = h(PW* || IDi || ri) using IDi and ri. Then E computes (TCi)* = PTCi ⊕ (Qi)* and checks if h[h(IDi || Til) ⊕ (TCi)*] and Ci are equal. If not, E repeats the computation with some other guess and keeps on doing so till he achieves success. For equality of h[h(IDi || Til) ⊕ (TCi)*] and Ci, the attacker gains the correct password PWi and the temporal credential TCi of Ui. Thus, He et al.’s scheme is not safe against offline password guessing attack, which further leads to the following scenario.

Cracking the confidential communication: As just discussed, E can obtain the temporal credential TCi of a user Ui whose expiry-time for TCi is TEi and whose pseudo-identity is PIDi. E can record all the messages ({DIDi, Ci, PKSi, Til, TEi, PIDi}, {DIDi, DIDg, Cg, PKSg, Tgsl}, {SIDj, Cj, PKSj, Tsl}) exchanged during the login and authentication session of Ui. E uses TCi to compute Ki = PKSi ⊕ h(TCi || Til || “000”), then uses Ki to compute Ks = PKSj ⊕ h(Ki || Tsl). Afterwards, E computes the session key h(Ki ⊕ Ks) exactly in the same way as Ui and SNj do. Now, E can read the confidential messages protected with the session key h(Ki ⊕ Ks) and exchanged between Ui and SNj. Thus, He et al.’s scheme suffers from the breach of confidential communication.

5.4 Absence of Forward Secrecy
Generally, most user authentication schemes provide for establishing a session key between the participants. Further, a scheme is said to satisfy forward secrecy if the leakage of one or all of the secret keys of the participants does not lead to the disclosure of the session key. Here we show how an attacker E can compute the session key owing to the leakage of any one of the secret keys of the GWN. E can record all the messages ({DIDi, Ci, PKSi, Til, TEi, PIDi}, {DIDi, DIDg, Cg, PKSg, Tgsl}, {SIDj, Cj, PKSj, Tsl}) exchanged during the login-authentication session of Ui. Suppose the secret key xg-u of the GWN is compromised. Then E can compute the temporal credential TCi = h(xg-u || PIDi || TEi) of Ui. Next, E computes Ki = PKSi ⊕ h(TCi || Til || “000”), Ks = PKSj ⊕ h(Ki || Tsl) and hence the session key h(Ki ⊕ Ks). On the other hand, assume that the secret key xg-s of the GWN is compromised. Then E can compute the temporal credential TCj = h(xg-s || SIDj) of SNj. Next, E computes Ki = PKSg ⊕ h(TCj || Tgsl), Ks = PKSj ⊕ h(Ki || Tsl) and can compute the session key h(Ki ⊕ Ks). Hence, whether xg-u leaks or xg-s leaks, in both cases E can compute the session key corresponding to a previous or ongoing session of any user. Thus, He et al.’s scheme is vulnerable regarding forward secrecy.

5.5 Session-Specific Temporary Information Attack
Like Li et al.’s scheme, the computation of the session key agreed between Ui and SNj depends solely on the temporary random strings Ki and Ks, which are generated by Ui and SNj. If Ki and Ks are leaked, then E can easily compute the session key h(Ki ⊕ Ks) established between Ui and SNj. Thus, the session key is insecure in case of the leakage of the session-specific temporary information [75].

5.6 Absence of Password Changing Facility
Like Li et al.’s scheme, there is no provision for a user to change his/her password in He et al.’s scheme. Thus the scheme is not user friendly.
5.7 Absence of Unauthorized Login Detection
Generally, users employ different identities and passwords for diverse applications for security purposes. Thus, a user is likely to confuse the various passwords pertaining to particular applications and enter a mismatching password in the login process. Hence, a wrong-identifier detection method in the login phase is necessary. However, He et al.’s scheme lacks an unauthorized login detection method, and the user transmits the login request computed with the wrong password to the GWN. The problem is detected by the GWN only when it encounters some mismatching information. Consequently, GWN rejects the login request and the user faces denial of service. This also induces communication and computational wastage.

6. Preliminaries: Chebyshev Chaotic Maps
In this section, we give a brief background of Chebyshev chaotic maps: definition, semigroup property, merits, and computational problems.

6.1 Chebyshev Chaotic Maps
As described by Mason and Handscomb [77], the Chebyshev polynomial Tn(x): [−1, 1] → [−1, 1] is a polynomial in x of degree n, where n is an integer and x ∈ [−1, 1], and is defined as Tn(x) = cos(n·arccos(x)). The recurrence relation of Tn(x) is defined as Tn(x) = 2xTn−1(x) − Tn−2(x), n ≥ 2, where T0(x) = 1 and T1(x) = x. cos(x) and arccos(x) have their usual meanings in trigonometry [59] and are defined as cos: R → [−1, 1] and arccos: [−1, 1] → [0, π] respectively. When n > 1, the Chebyshev polynomial map Tn(x): [−1, 1] → [−1, 1] of degree n is a chaotic map, where its invariant density is given by

for Lyapunov exponent ln n > 0. Thus, the chaotic property is satisfied by the Chebyshev polynomial.

6.2 Semigroup Property of Chebyshev Polynomials
The Chebyshev polynomials display the following noteworthy property [78], called the semigroup property: Tr(Ts(x)) = cos[r cos−1{cos(s cos−1(x))}] = cos[rs cos−1(x)] = Trs(x) = Tsr(x) = cos[sr cos−1(x)] = cos[s cos−1{cos(r cos−1(x))}] = Ts(Tr(x)), r and s being positive integers. In 2008, Zhang [46] proved that the semigroup property holds for the enhanced Chebyshev polynomials defined on (−∞, +∞), which extend the recurrence in the following manner: Tn(x) = [2xTn−1(x) − Tn−2(x)] mod p, n ≥ 2, x ∈ (−∞, +∞), where p is a large prime number. Apparently, Tr(Ts(x)) ≡ Tsr(x) ≡ Ts(Tr(x)) mod p. The enhancement is that the semigroup property also holds in the enhanced Chebyshev polynomials, that is, the enhanced Chebyshev polynomials also commute under composition.

6.3 Merits of Chebyshev Polynomials
According to Kocarev and Tasev, chaotic-maps-based public key cryptosystems are superior to other public key cryptosystems due to the following merits [79]: (i) instead of a large prime number, any large integer can serve as the secret key; (ii) it guarantees security for smaller numbers; (iii) the algorithm is quite fast; (iv) the random variables x and Ts(x) (or Tr(x) and x) are independent.

6.4 Computational Problems of Chebyshev Polynomials
Generally, the security of extended Chebyshev chaotic maps relies on the difficulty of the following computational problems [77], which are not solvable in polynomial time.
(i) Extended Chebyshev Chaotic Discrete Logarithm Problem (CHDLP): Given x, y and p, where x, y ∈ (−∞, +∞), CHDLP is to find the integer r such that Tr(x) mod p = y.
(ii) Extended Chebyshev Chaotic Diffie–Hellman Problem (CHDHP): Given x, Tr(x), Ts(x) and p, where r, s ≥ 2 & x ∈ (−∞, +∞), CHDHP is to compute Trs(x) ≡ Tr(Ts(x)) ≡ Ts(Tr(x)) mod p.

(iii) Extended Chebyshev Chaotic Decisional Diffie–Hellman Problem (CHDDHP): Given x, Tr(x), Ts(x), Tz(x) and p, where r, s, z ≥ 2 & x ∈ (−∞, +∞), CHDDHP is to decide whether Trs(x) ≡ Tz(x) mod p.

7. The Proposed Scheme
Now, we present an improved scheme which has five phases: initialization phase, user registration phase, login phase, authentication & key agreement phase and password change phase. Figure 1 depicts the initialization and user registration phases; the login-authentication phase is summarized in Figure 2; Figure 3 is about the password change phase.

7.1 Initialization Phase
GWN selects two secret keys xg-u and xg-s, meant for users and SNs respectively, and a large prime number p. GWN assigns an identity for each SN, say SIDj for SNj; computes a temporal credential for each SN, say TCj = h(xg-s || SIDj) for SNj; and stores the pair of identity and temporal credential in the memory of each SN before deployment in the target field, i.e., stores {SIDj, TCj} in the memory of SNj. GWN stores the identity of each SN in its database DB.

7.2 User Registration Phase
This phase is about the registration of a user at the GWN. It is carried out over a secure channel. The user Ui and the GWN perform the following steps:
1) Ui chooses her/his identity IDi and password PWi, and generates a random string ri.
2) Computes Qi = h(IDi || PWi || ri) and sends {IDi, Qi} to GWN.
On obtaining the registration request {IDi, Qi} from Ui, the GWN does the following:
3) Generates a random string ui and computes D1 = h(xg-u || ui) ⊕ Qi, TCi = h(xg-u || IDi || TEi) and PTCi = En_{h(Qi)}(TCi || ui || TEi), where TCi is the temporal credential of Ui. It is noticeable that Ui is entitled to access information from the WSN within the time threshold mentioned in TEi.
4) GWN issues SC containing {D1, PTCi, p, h(.)} to Ui.
On obtaining SC, Ui does the following:
5) Computes D2 = h(IDi || ri || PWi) and inserts D2 and ri into the smart card so that SC = {D1, D2, ri, PTCi, p, h(.)}.

GWN, Initialization Phase:
  Selects xg-u, xg-s and p
  Assigns an identity for each SN, say SIDj for SNj
  TCj = h(xg-s || SIDj)
  Stores {SIDj, TCj} in the memory of SNj
  Stores SIDj in DB
User (Ui), User Registration Phase:
  Chooses IDi, PWi; generates ri
  Qi = h(IDi || PWi || ri)
  Ui → GWN: {IDi, Qi}
GWN:
  Generates ui
  D1 = h(xg-u || ui) ⊕ Qi
  TCi = h(xg-u || IDi || TEi), PTCi = En_{h(Qi)}(TCi || ui || TEi)
  GWN → Ui: {D1, PTCi, p, h(.)}
Ui:
  D2 = h(IDi || ri || PWi)
  Inserts D2 and ri in SC so that SC = {D1, D2, ri, PTCi, p, h(.)}
Figure 1: Initialization Phase & User Registration Phase of the Proposed Scheme

Note: In case TEi has expired and the user wants to access services from the WSN, she/he can renew her/his temporal credential by re-registering at GWN with the same identity and a different password. The user is free to choose a new random string during this process.

7.3 Login Phase
In order to access information from the WSN, Ui logs in to the GWN in the following manner.
1) Ui inserts her/his SC into the card reader and inputs IDi and PWi.
2) SC computes h(IDi || ri || PWi) and compares it with the stored D2; if the two values differ, SC disrupts the session. If the two values match, SC proceeds to compute the login request.
3) Computes Qi = h(IDi || PWi || ri) to obtain (TCi || ui || TEi) = Dn_{h(Qi)}(PTCi). For invalid TEi, SC displays a need for the renewal of the temporal credential. For valid TEi, it generates a random string Ri and a random integral string Ki.
4) Computes I1 = D1 ⊕ Ri = [h(xg-u || ui) ⊕ Qi] ⊕ Ri, I2 = Qi ⊕ Ri, I3 = TKi[h(IDi || h(Qi))] mod p, I4 = En_{I2}(IDi || TEi || TCi || h(Qi) || I3 || Ti).
5) Ui sends the login request {I1, I4, ui, Ti} to GWN.

7.4 Authentication & Key Agreement Phase
In this phase, mutual authentication and session key establishment take place between the participants. First of all, on receiving {I1, I4, ui, Ti} from Ui, the GWN authenticates the user in the following manner:
1) For fresh Ti, GWN computes I2* = I1 ⊕ h(xg-u || ui) to obtain (IDi* || TEi* || TCi || h(Qi) || I3 || Ti*) = Dn_{I2*}(I4). If TEi has not expired and Ti* = Ti, then GWN computes TCi* = h(xg-u || IDi* || TEi*) and discards the login request if TCi* and TCi do not match. The equality TCi* = TCi authenticates Ui as having IDi & TEi as identity and expiry-time for TCi respectively.
2) GWN selects a suitable sensor node, say SNj, and computes the temporal credential TCj = h(xg-s || SIDj) for SNj. It further computes Dg1 = h(IDi || h(Qi)) ⊕ h(TCj), Dg2 = I3 ⊕ h(TCj) and Cg = h[h(IDi || h(Qi)) || TCj || I3 || Tg], where Tg is the current timestamp. GWN sends {Dg1, Dg2, Cg, Tg} to SNj.
On receiving {Dg1, Dg2, Cg, Tg} from GWN, SNj does the following to verify the legitimacy of the GWN and Ui:
3) For fresh Tg, SNj obtains h(IDi || h(Qi)) = Dg1 ⊕ h(TCj) and I3 = Dg2 ⊕ h(TCj), and computes Cg* = h[h(IDi || h(Qi)) || TCj || I3 || Tg]. It disrupts the connection if Cg* and Cg do not match; else, the equality Cg* = Cg authenticates GWN and Ui.
4) SNj generates a random integral string Ks and computes S1 = TKs[h(IDi || h(Qi))] mod p, the session key SKs-u = TKs(I3) mod p = TKsKi[h(IDi || h(Qi))] mod p and S2 = h[SKs-u || h(IDi || h(Qi)) || Ts], where Ts is the current timestamp. SNj sends {S1, S2, Ts} to Ui.
On receiving {S1, S2, Ts} from SNj, Ui does the following to verify the legitimacy of SNj and GWN:
5) Computes the session key SKu-s = TKi(S1) mod p = TKiKs[h(IDi || h(Qi))] mod p and S2* = h[SKu-s || h(IDi || h(Qi)) || Ts]. Disrupts the connection if S2* and S2 do not match; else, the equality S2* = S2 authenticates SNj and GWN.

7.5 Password Change Phase
This phase allows the user to change her/his password; the steps required for this are as follows:
1) Ui inserts her/his SC into the card reader, inputs IDi and PWi and opts for password change.
2) SC computes h(IDi || ri || PWi) and compares it with the stored D2; if the values differ, it rejects the password change request; else, it demands the new password.
3) Ui chooses a new password PWinew and a new random string rinew. Ui enters PWinew and rinew.
4) SC computes Qi = h(IDi || PWi || ri) and Qinew = h(IDi || PWinew || rinew). Then SC computes D1new = D1 ⊕ Qi ⊕ Qinew, PTCinew = En_{h(Qinew)}(TCi || ui || TEi) and D2new = h(IDi || rinew || PWinew).
5) SC replaces D1, PTCi, and D2 with D1new, PTCinew and D2new respectively.

User (Ui), Login and Authentication Phase:
  U: Inserts IDi & PWi
  SC: For D2 = h(IDi || ri || PWi):
    Qi = h(IDi || PWi || ri)
    (TCi || ui || TEi) = Dn_{h(Qi)}(PTCi)
    I1 = D1 ⊕ Ri = [h(xg-u || ui) ⊕ Qi] ⊕ Ri
    I2 = Qi ⊕ Ri, I3 = TKi[h(IDi || h(Qi))] mod p
    I4 = En_{I2}(IDi || TEi || TCi || h(Qi) || I3 || Ti)
  Ui → GWN: {I1, I4, ui, Ti}
GWN:
  For fresh Ti, I2* = I1 ⊕ h(xg-u || ui)
  (IDi* || TEi* || TCi || h(Qi) || I3 || Ti*) = Dn_{I2*}(I4)
  If TEi* has not expired and Ti* = Ti: TCi* = h(xg-u || IDi* || TEi*)
  For TCi* = TCi, Ui is authenticated
  TCj = h(xg-s || SIDj)
  Dg1 = h(IDi || h(Qi)) ⊕ h(TCj)
  Dg2 = I3 ⊕ h(TCj)
  Cg = h[h(IDi || h(Qi)) || TCj || I3 || Tg]
  GWN → SNj: {Dg1, Dg2, Cg, Tg}
SNj:
  h(IDi || h(Qi)) = Dg1 ⊕ h(TCj)
  I3 = Dg2 ⊕ h(TCj)
  Cg* = h[h(IDi || h(Qi)) || TCj || I3 || Tg]
  For Cg* = Cg, GWN and Ui are authenticated
  S1 = TKs[h(IDi || h(Qi))] mod p
  SKs-u = TKs(I3) mod p = TKsKi[h(IDi || h(Qi))] mod p
  S2 = h[SKs-u || h(IDi || h(Qi)) || Ts]
  SNj → Ui: {S1, S2, Ts}
Ui:
  SKu-s = TKi(S1) mod p = TKiKs[h(IDi || h(Qi))] mod p
  S2* = h[SKu-s || h(IDi || h(Qi)) || Ts]
  For S2* = S2, SNj and GWN are authenticated
Figure 2: Login-Authentication & Session Key-Agreement Phase of the Proposed Scheme
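The login and key agreement of Sections 7.3 and 7.4, built on the extended Chebyshev map of Section 6.2, as an added example that is not the paper's or the authors' code. It assumes SHA-256 as h(.), XOR on fixed-width fields (IDi 16 bytes, TEi and timestamps 8 bytes), p = 2^127 − 1 as the large prime, a SHA-256 counter keystream standing in for En/Dn (the paper leaves the cipher abstract), ∆T = 60 s and constructed identifiers; the semigroup property is what makes SKu-s and SKs-u coincide, and the local D2 check is what stops a mistyped password from ever reaching the GWN.

```python
import hashlib, secrets, time

P = 2**127 - 1   # assumption: the large prime p of Section 6.2 (any large prime works)
DELTA_T = 60     # assumption: freshness window in seconds for the timestamps

def h(*parts):
    """h(a || b || ...) modelled as SHA-256 over the concatenated byte strings."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    """Bitwise XOR truncated to the shorter operand (every field here has a fixed width)."""
    return bytes(x ^ y for x, y in zip(a, b))

def enc(key, msg):
    """En_k / Dn_k as XOR with a SHA-256 counter keystream (constructed stand-in; same call decrypts)."""
    stream = b"".join(h(key, i.to_bytes(4, "big")) for i in range(len(msg) // 32 + 1))
    return xor(msg, stream)

def chebyshev(n, x, p):
    """T_n(x) mod p for n >= 1 (Section 6.2): [T_n, T_{n-1}] = M^(n-1) [T_1, T_0], M = [[2x,-1],[1,0]]."""
    def mul(A, B):
        return [[sum(A[i][k] * B[k][j] for k in range(2)) % p for j in range(2)] for i in range(2)]
    R, M, e = [[1, 0], [0, 1]], [[2 * x % p, p - 1], [1, 0]], n - 1
    while e:                                   # square-and-multiply, so n may be 128-bit
        if e & 1:
            R = mul(R, M)
        M, e = mul(M, M), e >> 1
    return (R[0][0] * x + R[0][1]) % p         # T_1 = x, T_0 = 1

def now(): return int(time.time()).to_bytes(8, "big")
def fresh(t): return abs(int.from_bytes(t, "big") - int(time.time())) < DELTA_T
def expired(te): return int.from_bytes(te, "big") < int(time.time())

def gwn_init():
    """7.1: GWN picks xg-u, xg-s and pre-loads {SIDj, TCj} into the sensor node."""
    xg_u, xg_s, sid = secrets.token_bytes(32), secrets.token_bytes(32), b"SN-0001"
    return {"xg_u": xg_u, "xg_s": xg_s}, {"SID": sid, "TC": h(xg_s, sid)}

def register(gwn, idi, pwi, te):
    """7.2 (secure channel): returns the smart card {D1, D2, ri, PTCi}; IDi is 16 bytes, TEi 8."""
    ri, ui = secrets.token_bytes(16), secrets.token_bytes(16)
    qi = h(idi, pwi, ri)                                   # Ui -> GWN: {IDi, Qi}
    d1 = xor(h(gwn["xg_u"], ui), qi)
    ptci = enc(h(qi), h(gwn["xg_u"], idi, te) + ui + te)  # En_h(Qi)(TCi || ui || TEi)
    return {"D1": d1, "D2": h(idi, ri, pwi), "r": ri, "PTC": ptci}

def login(sc, idi, pwi):
    """7.3: local D2 check, then {I1, I4, ui, Ti}; None if the password or TEi is invalid."""
    if h(idi, sc["r"], pwi) != sc["D2"]:
        return None
    qi = h(idi, pwi, sc["r"])
    plain = enc(h(qi), sc["PTC"])
    tci, ui, te = plain[:32], plain[32:48], plain[48:56]
    if expired(te):
        return None
    Ri, ki, ti = secrets.token_bytes(32), secrets.randbelow(P - 2) + 2, now()
    i1, i2, hiq = xor(sc["D1"], Ri), xor(qi, Ri), h(idi, h(qi))
    i3 = chebyshev(ki, int.from_bytes(hiq, "big"), P).to_bytes(16, "big")
    i4 = enc(i2, idi + te + tci + h(qi) + i3 + ti)
    return {"I1": i1, "I4": i4, "u": ui, "T": ti}, {"K": ki, "hIQ": hiq}

def gwn_auth(gwn, sn, req):
    """7.4 steps 1-2: recover I2, decrypt I4, recompute TCi, forward {Dg1, Dg2, Cg, Tg}."""
    i2 = xor(req["I1"], h(gwn["xg_u"], req["u"]))
    pl = enc(i2, req["I4"])
    idi, te, tci, hq, i3, ti = pl[:16], pl[16:24], pl[24:56], pl[56:88], pl[88:104], pl[104:112]
    if not fresh(req["T"]) or ti != req["T"] or expired(te) or h(gwn["xg_u"], idi, te) != tci:
        return None
    tcj, tg, hiq = h(gwn["xg_s"], sn["SID"]), now(), h(idi, hq)
    return {"Dg1": xor(hiq, h(tcj)), "Dg2": xor(i3, h(tcj)), "Cg": h(hiq, tcj, i3, tg), "Tg": tg}

def sn_respond(sn, msg):
    """7.4 steps 3-4: verify Cg, derive SK = T_Ks(I3) mod p, send {S1, S2, Ts}."""
    hiq, i3 = xor(msg["Dg1"], h(sn["TC"])), xor(msg["Dg2"], h(sn["TC"]))
    if not fresh(msg["Tg"]) or h(hiq, sn["TC"], i3, msg["Tg"]) != msg["Cg"]:
        return None
    ks, ts = secrets.randbelow(P - 2) + 2, now()
    s1 = chebyshev(ks, int.from_bytes(hiq, "big"), P).to_bytes(16, "big")
    sk = chebyshev(ks, int.from_bytes(i3, "big"), P)
    return {"S1": s1, "S2": h(sk.to_bytes(16, "big"), hiq, ts), "Ts": ts}, sk

def user_finish(state, msg):
    """7.4 step 5: SK = T_Ki(S1) = T_KiKs(x) mod p by the semigroup property; None on bad S2."""
    sk = chebyshev(state["K"], int.from_bytes(msg["S1"], "big"), P)
    if not fresh(msg["Ts"]) or h(sk.to_bytes(16, "big"), state["hIQ"], msg["Ts"]) != msg["S2"]:
        return None
    return sk

def run_session(password_typed=b"correct horse"):
    """Whole flow on constructed values: True if Ui and SNj agree on SK, None if the card rejects the password."""
    gwn, sn = gwn_init()
    idi, te = b"alice".ljust(16, b"\0"), (int(time.time()) + 86400).to_bytes(8, "big")
    sc = register(gwn, idi, b"correct horse", te)
    out = login(sc, idi, password_typed)
    if out is None:
        return None                                        # rejected locally (7.3 step 2)
    req, state = out
    resp, sk_s = sn_respond(sn, gwn_auth(gwn, sn, req))
    return user_finish(state, resp) == sk_s
```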

User (Ui), Password Change Phase:
  Inserts IDi & PWi
  Ui → SC: {IDi, PWi}
Smart Card (SC):
  For D2 = h(IDi || ri || PWi): demands new password
  Ui → SC: PWinew
  Qi = h(IDi || PWi || ri), Qinew = h(IDi || PWinew || ri)
  D1new = D1 ⊕ Qi ⊕ Qinew
  PTCinew = En_{h(Qinew)}(TCi || ui || TEi)
  D2new = h(IDi || ri || PWinew)
  Replaces D1, PTCi and D2 with D1new, PTCinew and D2new
Figure 3: Password Change Phase of the Proposed Scheme

8. Security Analysis of the Proposed Scheme
In this section, we analyze the security of the proposed scheme and show that it resists various attacks under the assumptions stated at the beginning of Section 3.

8.1 User Anonymity
Suppose an adversary E intercepts the login request {I1, I4, ui, Ti} of Ui. To extract the identity IDi from I1 = D1 ⊕ Ri = [h(xg-u || ui) ⊕ Qi] ⊕ Ri = [h(xg-u || ui) ⊕ h(IDi || PWi || ri)] ⊕ Ri, E would need the values {xg-u, PWi, ri, Ri}: xg-u is the secret key of GWN, PWi is the secret password of Ui, and ri and Ri are random strings, all unknown to E. To obtain IDi by decrypting I4 as (IDi || TEi || TCi || h(Qi) || I3 || Ti) ← Dn_I2(I4), E must hold I2 = Qi ⊕ Ri. E cannot recover Ri from I1 without D1, and cannot compute the correct Qi = h(IDi || PWi || ri) without IDi, PWi and ri. Now assume that E obtains the SC of Ui and extracts the stored information {D1, D2, ri, PTCi, p, h(.)}. E still cannot recover Qi from D1 without xg-u and ui, and the one-way property of the hash function prevents recovering IDi from Qi = h(IDi || PWi || ri) or from D2 = h(IDi || ri || PWi). Although ri is stored in plaintext, an offline guess of IDi against D2 would also require the correct password PWi, so IDi and PWi would have to be guessed jointly, which is infeasible for realistic identity and password spaces [80]. Thus, the user remains anonymous in the proposed scheme.

8.2 Resistance to User Impersonation Attack
To impersonate Ui, the adversary E must possess the values {D1, IDi, Qi, TEi, TCi}. D1 can be extracted from Ui's SC if E obtains or steals it, but E cannot recover Qi from D1 without xg-u and ui, and cannot recover TCi and TEi from PTCi without Qi. As discussed in the previous subsection, E cannot obtain IDi from the SC either. Holding D1, E can generate a random string Re and compute a new I1new = D1 ⊕ Re, and can generate a random integral string Ke, but a workable I3new and I4new cannot be computed without {IDi, Qi, TEi, TCi}. In particular, E cannot compute I2new = Qi ⊕ Re without Qi, and a valid I4new depends on knowledge of {IDi, Qi, TEi, TCi}. Moreover, E cannot impersonate Ui by replaying an intercepted login request, as discussed in Subsection 8.7. Therefore, the proposed scheme resists user impersonation attack.

8.3 Resistance to Password Guessing Attack
E can intercept the login request {I1, I4, ui, Ti} from the network, but cannot obtain Qi from I1 without Ri and xg-u, and I4 is useless unless the correct I2 is known. Even given Qi = h(IDi || PWi || ri), PWi cannot be recovered because of the one-way property of the hash function, and cannot be guessed without the correct IDi and ri. Suppose E obtains the SC of Ui and extracts {D1, D2, ri, PTCi, p, h(.)}. E cannot use D1 or PTCi to recover Qi, and even with Qi he cannot obtain PWi. Although ri is available in plaintext among the extracted values, guessing PWi from Qi or from D2 = h(IDi || ri || PWi) would also require the correct IDi, so the two values would have to be guessed jointly [80].
Thus, neither an intercepted message nor Ui's SC helps E to guess Ui's password.

8.4 Provides Mutual Authentication
On receiving the login request {I1, I4, ui, Ti} from Ui, GWN computes I2* = I1 ⊕ h(xg-u || ui), retrieves {IDi, TEi, TCi, h(Qi), I3} from I4 as (IDi || TEi || TCi || h(Qi) || I3 || Ti) ← Dn_I2*(I4), and verifies Ui by checking TCi* = TCi. On receiving the GWN message {Dg1, Dg2, Cg, Tg}, SNj retrieves h(IDi || h(Qi)) ← Dg1 ⊕ h(TCj) and I3 ← Dg2 ⊕ h(TCj), computes Cg* = h[h(IDi || h(Qi)) || TCj || I3 || Tg] and verifies both Ui and GWN by checking Cg* = Cg. This works because only the legitimate GWN can retrieve the correct {h(IDi || h(Qi)), I3} of Ui and embed them in Dg1 and Dg2 using the correct TCj of SNj. SNj then computes S1 = T_Ks[h(IDi || h(Qi))] mod p and S2 = h[SKs-u || h(IDi || h(Qi)) || Ts] and sends {S1, S2, Ts} to Ui. On receiving {S1, S2, Ts}, Ui computes S2* = h[SKu-s || h(IDi || h(Qi)) || Ts] and verifies SNj and GWN by checking S2* = S2. Only the legitimate GWN can obtain h(IDi || h(Qi)) and I3 from the login request {I1, I4, ui, Ti} and pass them to SNj as Dg1 = h(IDi || h(Qi)) ⊕ h(TCj) and Dg2 = I3 ⊕ h(TCj), and only the legitimate SNj can use its TCj to recover h(IDi || h(Qi)) and I3 from Dg1 and Dg2 and hence compute S2 = h[T_Ks(I3) mod p || h(IDi || h(Qi)) || Ts], which equals S2* = h[T_Ki(S1) mod p || h(IDi || h(Qi)) || Ts] computed by Ui from the received S1 = T_Ks[h(IDi || h(Qi))] mod p. In this way, our scheme provides mutual authentication.

8.5 Provides Secure Session-Key Agreement
During the login phase, Ui generates a random integral string Ki, computes I3 = T_Ki[h(IDi || h(Qi))] mod p and sends it to GWN embedded in I4 within the login request {I1, I4, ui, Ti}. GWN retrieves {IDi, h(Qi), I3, ...} from I4 as (IDi || TEi || TCi || h(Qi) || I3 || Ti) ← Dn_I2*(I4). Once Ui is authenticated, GWN sends {Dg1, Dg2, Cg, Tg} to the nearby SNj, with h(IDi || h(Qi)) and I3 embedded in Dg1 and Dg2 respectively. SNj recovers h(IDi || h(Qi)) ← Dg1 ⊕ h(TCj) and I3 ← Dg2 ⊕ h(TCj) and authenticates Ui and GWN by checking Cg. Then SNj generates a random integral string Ks, computes S1 = T_Ks[h(IDi || h(Qi))] mod p, the session key SKs-u = T_Ks(I3) mod p = T_KsKi[h(IDi || h(Qi))] mod p and S2 = h[SKs-u || h(IDi || h(Qi)) || Ts], and sends {S1, S2, Ts} to Ui. Ui computes SKu-s = T_Ki(S1) mod p = T_KiKs[h(IDi || h(Qi))] mod p with the Ki generated during login; the two keys coincide by the semigroup property of Chebyshev polynomials, which Ui confirms by computing S2* = h[SKu-s || h(IDi || h(Qi)) || Ts] and comparing it with the received S2. E cannot establish a session key SKse-u = T_Kse(I3) mod p with a freshly chosen Kse, since I3 cannot be extracted from I4 over the public network; nor can E make Ui compute SKu-se = T_Ki(S1) mod p equal to SKse-u, since the required S1 = T_Kse[h(IDi || h(Qi))] mod p needs h(IDi || h(Qi)), which E can neither retrieve from Dg1 without TCj nor derive from I4, as computing the correct I2 requires the GWN secret key xg-u. As a result, E cannot establish a session key with Ui while posing as SNj, and a secure session key is established between SNj and Ui.

8.6 Provides Forward Secrecy
Assume that both secret keys xg-u and xg-s of GWN are leaked. The session key SKs-u = T_Ks(I3) mod p = T_KsKi[h(IDi || h(Qi))] mod p = T_KiKs[h(IDi || h(Qi))] mod p = T_Ki(S1) mod p = SKu-s established between SNj and Ui does not depend on xg-u or xg-s. With xg-u and ui, E can compute I2* = I1 ⊕ h(xg-u || ui) and retrieve I3 from an intercepted login request {I1, I4, ui, Ti}, but still cannot compute SKs-u = T_Ks(I3) mod p = SKu-s without the correct random integral string Ks. Now assume instead that the secrets IDi and PWi of Ui are leaked. E can compute h(IDi || h(Qi)) = h(IDi || h(h(IDi || PWi || ri))) from IDi and PWi (together with ri from the SC), but cannot compute SKs-u = T_KsKi[h(IDi || h(Qi))] mod p = T_KiKs[h(IDi || h(Qi))] mod p = SKu-s without both random integral strings Ki and Ks. Thus, Ui and SNj can still exchange confidential information after disclosure of the GWN secret keys or of Ui's identity and password. Hence, the proposed scheme provides forward secrecy.

8.7 Resistance to Replay Attack
An attacker E can easily intercept and replay the login request {I1, I4, ui, Ti} of Ui to GWN. The replayed message fails the timestamp freshness test at GWN. Suppose instead E replays it as {I1, I4, ui, Te}, replacing Ti with the current timestamp Te. Te passes the freshness test, but the replay still fails because Ti is bound inside I4 = En_I2(IDi || TEi || TCi || h(Qi) || I3 || Ti): when GWN decrypts I4 it obtains Ti, which differs from Te. For the same reason, replay of the GWN-to-SNj message {Dg1, Dg2, Cg, Tg} (Tg is bound in Cg) and of the SNj-to-Ui message {S1, S2, Ts} (Ts is bound in S2) is useless. Since the freshness test is the only defence against an unmodified replay, the acceptance window for timestamps should be kept as small as clock synchronization allows. Therefore, none of the messages travelling over the public channel can be successfully replayed in the proposed scheme.

8.8 Resistance to Stolen Verifier Attack
Generally, in authentication schemes the server/GWN stores some user-related information for use during the authentication phase. This information may be stolen by an attacker and used for user impersonation, guessing attacks and similar threats against the user. In our scheme, GWN maintains no record of user-specific information, so none of these scenarios is possible. Hence, the proposed scheme is free from the stolen verifier attack.

8.9 Resistance to Smart Card Loss Attack
When the loss of a user's smart card results in some kind of security breach, the situation is characterized as a smart card loss attack. In our scheme, the loss of Ui's SC does not enable an attacker to guess or obtain Ui's identity IDi, as discussed in Subsection 8.1. Further, E can neither impersonate Ui nor guess Ui's password PWi, as discussed in Subsections 8.2 and 8.3. Therefore, the proposed scheme is safe against smart card loss attack.

8.10 Resistance to Session-Specific Temporary Information Attack
Suppose the temporary random integral strings Ki and Ks of a specific session are leaked. E still cannot compute the established session key SKs-u = SKu-s = T_KsKi[h(IDi || h(Qi))] mod p, because it also involves Ui's identity IDi and the corresponding parameter Qi = h(IDi || PWi || ri). The user is anonymous, as shown in Subsection 8.1, and Qi is recoverable neither from an intercepted login request nor from Ui's SC, as shown in Subsection 8.2. Hence, the security of the established session keys is unaffected by the leakage of session-specific temporary information.

8.11 Resistance to GWN Bypass Attack
If a legitimate but malicious user or an adversary can pass the authentication mechanism without GWN playing its role, this is termed a GWN bypass attack. With this attack not only outsiders but also legitimate malicious users can access information from the WSN in an unauthorized manner. An attacker cannot send a valid message {Dg1, Dg2, Cg, Tg} to SNj to access the sensed data directly, as it requires the values {IDi, h(Qi)} corresponding to Ui and the temporal credential TCj of SNj. Ui itself cannot do so either: Ui does not possess TCj = h(xg-s || SIDj) and cannot compute it, because it involves the GWN secret key xg-s. Although Ui possesses the values {IDi, h(Qi), I3} and can intercept the message {Dg1, Dg2, Cg, Tg} from the network to retrieve h(TCj) ← Dg1 ⊕ h(IDi || h(Qi)) or h(TCj) ← Dg2 ⊕ I3, Ui cannot derive TCj from h(TCj) because of the one-way property of the hash function, and so cannot compute the correct Cg = h[h(IDi || h(Qi)) || TCj || I3 || Tg] without TCj. Therefore, the proposed scheme resists GWN bypass attack.

8.12 Provides Freely Password Changing Facility
When Ui wishes to change the existing password, he/she inserts the SC into the card reader, inputs IDi and PWi and opts for password change. SC computes h(IDi || ri || PWi) and compares it with the stored D2; for D2 = h(IDi || ri || PWi) it demands the new password. On obtaining the new password PWinew from Ui, SC computes Qi = h(IDi || PWi || ri) and Qinew = h(IDi || PWinew || ri), then D1new = D1 ⊕ Qi ⊕ Qinew, PTCinew = En_h(Qinew)(TCi || ui || TEi) and D2new = h(IDi || ri || PWinew). Finally, SC replaces D1, PTCi and D2 with D1new, PTCinew and D2new respectively. In this way, the proposed scheme lets the user change her/his password freely without interacting with GWN.

8.13 Resistance to Privileged Insider Attack
In the registration phase, Ui submits {IDi, Qi} to GWN, where Qi = h(IDi || PWi || ri). A privileged insider at GWN therefore does not learn the password of a user applying for registration: he cannot obtain PWi from Qi because of the one-way property of the hash function, and he cannot guess PWi from Qi without knowing the random string ri. Hence, our scheme resists the privileged insider attack.

8.14 Efficient in Unauthorized Login Detection with Wrong Identity and Password
A user may enter a wrong identity or password (or both) in the login phase, so a fast method for detecting wrong inputs on the SC side is required. Such a method not only avoids needless communication and computation on wrong inputs but also lets the user update the password in the SC without assistance from GWN. In the proposed protocol, the user stores D2 = h(IDi || ri || PWi) in the SC = {D1, D2, ri, PTCi, p, h(.)} during the registration phase. In the login phase, Ui inputs IDi and PWi, and the SC checks whether the stored D2 equals the computed h(IDi || ri || PWi). If D2 ≠ h(IDi || ri || PWi), at least one of the two inputs {IDi, PWi} is invalid and the SC terminates the login request immediately; only if the two values are equal does the SC compute the login request. Therefore, the presented scheme offers fast wrong-input detection.

9. Security Proof of the Proposed Scheme using BAN-Logic
We analyze the security of the proposed scheme using Burrows-Abadi-Needham logic (BAN-logic) [81] and prove that the scheme establishes a session key between the user and the sensor node. Let Ui, SNj and GWN denote the i-th user, the j-th sensor node and the gateway node respectively. In BAN-logic, X and Y are symbols for statements, P and Q are symbols for principals, and K is a symbol for some secret key.
The BAN-logic notation needed to analyze the proposed scheme is as follows:
P |≡ X: P believes X.
P ◁ X: P sees (receives) X.
P |~ X: P once said X (P sent X).
P |⇒ X: P controls X.
#(X): X is fresh.
P ←K→ Q: P and Q communicate using the shared key K.
(X, Y): X or Y is one part of the formula (X, Y).
(X)_K: the hashed value of X using K as key.
(X, Y)_K: the hashed value of X and Y using K as key.
⟨X⟩_Y: X combined with Y.
{X}_K: X is encrypted with the key K.
{X, Y}_K: X and Y are encrypted with the key K.
SK: the session key established between the user and the sensor node, SK = SKu-s = SKs-u.

The elementary BAN-logic postulates used are the message meaning rule, the nonce-verification rule, the jurisdiction rule, the freshness (freshness-conjuncatenation) rule and the belief rule.

We aim to show that the proposed scheme satisfies four goals (Goal1 to Goal4) concerning the belief of Ui and SNj in the session key SK they share. The scheme is idealized as five messages (Mssg1 to Mssg5) exchanged among Ui, GWN and SNj, and eighteen initial-state assumptions are stated. Applying the message meaning rule, the freshness-conjuncatenation rule, the nonce-verification rule, the belief rule and the jurisdiction rule to Mssg1 through Mssg5 in turn yields Goal4, Goal3, Goal2 and Goal1 respectively, so Ui and SNj share a common session key SK to ensure confidential communication.

10. Performance and Efficiency Comparison of the Proposed Scheme
This section compares the proposed scheme with the related schemes [29-33] on several aspects; among these schemes only Choi et al.'s scheme [33] is based on ECC. We show that the proposed scheme offers a higher level of security than the related works. Once the SNs are deployed in the field and the users are registered at GWN, the deployment and registration phases are over. Viewed with respect to a single user, registration happens only once and re-registration is rare, whereas the login-authentication and key-agreement phase occurs very frequently in the application layer of WSNs. Therefore, we consider only the login-authentication and key-agreement phase when comparing communication cost and computational complexity. The proposed scheme is compared with Xue et al.'s [30], Li et al.'s [29], Li et al.'s [31], He et al.'s [32] and Choi et al.'s [33] schemes on the following aspects.

10.1 Comparison of Communication Cost, Memory Capacity and Number of GWN Secret Keys/Parameters
For convenience, we assume that the random strings {ri, Ri, Ki, Ks, etc.}, the outputs of the one-way hash function {Qi, G1, Cg, I5, etc.}, the outcomes of Chebyshev chaotic-map operations {S1, SKu-g, SKs-u, etc.}, the outcome of symmetric encryption {I4}, the secret keys {xg-u, xg-s}, the prime number p, the user's identity IDi and the password PWi are all of 128 bits. Table 6 summarizes the following analysis. Ui transmits nothing to GWN in Choi et al.'s scheme [33]; in Xue et al.'s [30], Li et al.'s [31] and He et al.'s [32] schemes the cost is the same, 6*128 = 768 bits; it is lowest, 3*128 = 384 bits, in Li et al.'s [29] scheme; and it is close to that, 4*128 = 512 bits, in our scheme.
No messages are transmitted from GWN to Ui in any of these schemes except Li et al.'s [29], where 2 parameters cost 2*128 = 256 bits. Between GWN and SNj, 4 parameters (4*128 = 512 bits) are exchanged in Li et al.'s [29] scheme and in ours, which is 5 parameters (5*128 = 640 bits) fewer than in schemes [30-31] and 1 parameter (128 bits) fewer than in He et al.'s [32] scheme; the number is highest, 12 parameters (12*128 = 1536 bits), in Choi et al.'s scheme [33]. Between Ui and SNj, 3 parameters (3*128 = 384 bits) are exchanged in our scheme, 1 parameter (128 bits) fewer than in schemes [30-32]; the number is nil in Li et al.'s [29] scheme and highest, 11 parameters (11*128 = 1408 bits), in Choi et al.'s scheme [33], which equals the total number of parameters exchanged among all participants in our scheme. In total, our scheme exchanges 11 parameters (11*128 = 1408 bits): 8 parameters (1024 bits) fewer than schemes [30-31], only 2 parameters (256 bits) more than Li et al.'s [29] scheme, and 12 parameters (1536 bits) fewer than Choi et al.'s scheme [33]. In our scheme SNj receives 4 parameters during the entire authentication process, 1 fewer than in schemes [30-32] and 5 fewer than in scheme [33], and transmits 3 parameters, 1 fewer than in He et al.'s [32] scheme and 5 fewer than in schemes [30-31].
In Choi et al.'s scheme [33], SNj transmits 14 parameters, the highest among all the considered schemes. Altogether, the messages transmitted or received by SNj carry 7 parameters (7*128 = 896 bits) in our scheme, 2 parameters (256 bits) fewer than in He et al.'s [32] scheme, 6 parameters fewer than in schemes [30-31], and far fewer than the 23 parameters (23*128 = 2944 bits) in Choi et al.'s scheme [33]; thus our scheme suits the resource-scarce nature of SNs well. Further, the SC requires only 128 bits more memory than in schemes [30-33], the same as in Li et al.'s [29] scheme. Although GWN in our scheme uses the same number of secret keys, namely 2 (one fewer than in Li et al.'s [29] and He et al.'s [32] schemes), as in schemes [30-31, 33], it achieves a much higher level of security, as summarized in Table 8. Thus, on this front of comparison, our scheme beats Xue et al.'s [30], Li et al.'s [31], He et al.'s [32] and Choi et al.'s [33] schemes.

Table 6: Comparison of communication cost, memory capacity of SC, and number of GWN secret keys/parameters (entries give number of parameters / cost at 128 bits per parameter)

Item                      Xue et al. [30]   Li et al. [31]   Li et al. [29]   He et al. [32]   Choi et al. [33]   Ours
Ui to GWN                 6 / 768 bits      6 / 768 bits     3 / 384 bits     6 / 768 bits     Nil                4 / 512 bits
GWN to Ui                 Nil               Nil              2 / 256 bits     Nil              Nil                Nil
GWN to SNj                5 / 640 bits      5 / 640 bits     2 / 256 bits     5 / 640 bits     3 / 384 bits       4 / 512 bits
SNj to GWN                4 / 512 bits      4 / 512 bits     2 / 256 bits     Nil              9 / 1152 bits      Nil
Ui to SNj                 Nil               Nil              Nil              Nil              6 / 768 bits       Nil
SNj to Ui                 4 / 512 bits      4 / 512 bits     Nil              4 / 512 bits     5 / 640 bits       3 / 384 bits
Total                     19 / 2432 bits    19 / 2432 bits   9 / 1152 bits    15 / 1920 bits   23 / 2944 bits     11 / 1408 bits
GWN secret keys/params    2                 2                3                3                2                  2
SC memory                 5 / 640 bits      5 / 640 bits     6 / 768 bits     5 / 640 bits     5 / 640 bits       6 / 768 bits

10.2 Performance Comparison via Computational Complexity
Table 7 compares the computational complexity of the six schemes under consideration, using the complexity of the different operations/functions described in [82-83]. Compared with Choi et al.'s scheme [33], our scheme cuts 5th and adds 2tc and 2ts in place of 3te at the user end; it cuts 3th and adds 2tc in place of 2te at the SN end; and it adds 1th and 2ts in place of 1te at the GWN end. On the whole, our scheme cuts 7th and adds 4tc and 4ts in place of 6te. Compared with He et al.'s scheme [32], our scheme cuts 2th and adds 2tc and 2ts at the user end; it cuts 4th and adds 2tc at the SN end; and it cuts 4th and adds 2ts at the GWN end. On the whole, our scheme cuts 10th and adds 4tc and 4ts. Compared with Li et al.'s scheme [29], our scheme cuts 2th and adds 2tc at the user end; it cuts 2th and 2ts and adds 2tc at the SN end; and it cuts 1th and 4ts at the GWN end. On the whole, our scheme cuts 5th and 6ts and adds 4tc. Here our scheme remarkably reduces the computational cost; most notably, the sensor node is free from symmetric operations, which suits its resource-scarce nature.
Compared with Li et al.'s scheme [31], our scheme cuts 5th and adds 2tc and 2ts at the user end; it cuts 3th and adds 2tc at the SN end; and it cuts 7th and adds 2ts at the GWN end. On the whole, our scheme cuts 15th and adds 4tc and 4ts. Besides, our scheme adds only nominal computational cost with respect to Xue et al.'s scheme [30]. It is apparent that we do not add much computational cost compared with the schemes [29-32]. Moreover, the computational cost of our scheme is lower than that of Li et al.'s scheme [29] and much lower than that of Choi et al.'s scheme [33], while our scheme is quite efficient in resisting different threats and providing user-friendly features, as is apparent from Table 8 and the analysis in the next subsection. Further, the load of symmetric encryption/decryption falls only on the user and GWN; the resource-constrained SNs perform only lightweight operations, that is, hash functions and Chebyshev chaotic-map operations.

Table 7: Performance comparison via computational complexity

Entity               Xue et al. [30]   Li et al. [31]   Li et al. [29]   He et al. [32]   Choi et al. [33]   Ours
Ui                   7th               9th              6th+2ts          6th              3te+9th            4th+2tc+2ts
SNj                  5th               6th              5th+2ts          7th              2te+6th            3th+2tc
GWN                  10th              13th             7th+6ts          10th             1te+5th            6th+2ts
Sum of operations    22th              28th             18th+10ts        23th             6te+20th           13th+4tc+4ts

th: time complexity of computing a one-way hash function; tc: time complexity of computing a Chebyshev chaotic-map operation; ts: time complexity of computing a symmetric encryption/decryption; te: time complexity of computing an elliptic curve point multiplication.

10.3 Efficiency Comparison Based on Security Features
Table 8 compares the five schemes on security features; our scheme resists the largest number of attacks and is the most user-friendly.
Our scheme resists password guessing, smart card loss, user impersonation and replay attacks, among others. Only ours and Choi et al.'s [33] schemes are sensor-node friendly.

Table 8: Efficiency comparison based on security features

Security threat / feature                                      Xue et al. [30]   Li et al. [31]   He et al. [32]   Choi et al. [33]   Ours
User is anonymous                                              Yes               No               No               No                 Yes
Resistance to user impersonation attack                        Yes               No               Yes              No                 Yes
Sensor-node friendly                                           No                No               No               Yes                Yes
Resistance to password guessing attack                         No                No               No               Yes                Yes
Provides fast wrong input detection                            Yes               Yes              No               Yes                Yes
Provides mutual authentication                                 Yes               Yes              Yes              Yes                Yes
Provides session key                                           Yes               Yes              Yes              Yes                Yes
Provides forward secrecy                                       No                No               No               Yes                Yes
Resistance to replay attack                                    Yes               Yes              Yes              No                 Yes
Resistance to stolen verifier attack                           No                No               Yes              No                 Yes
Resistance to smart card loss attack                           No                No               No               No                 Yes
Resistance to session-specific temporary information attack    No                No               No               No                 Yes
Resistance to GWN bypass attack                                Yes               Yes              Yes              Yes                Yes
Provides freely password changing facility                     No                No               No               Yes                Yes
Resistance to privileged insider attack                        No                Yes              Yes              Yes                Yes

Besides, our scheme provides a freely password changing facility to users and establishes a session key between the user and the sensor node, as all the other schemes [30-33] do. Although Xue et al.'s scheme resists replay, user impersonation and GWN bypass attacks, it is susceptible to many other security problems. Li et al.'s scheme [31] fixes the privileged insider attack applicable to Xue et al.'s scheme, but GWN stores the user's identity IDi, the related parameter Qi and the service-time limit TEi in a write-protected table, which leaves the scheme vulnerable to identity revelation, user impersonation and password guessing attacks. None of the schemes [30-32] offers forward secrecy, which undermines the confidentiality of communication even after session keys are established between the entities. In addition, all three schemes [30-32] fail to resist password guessing, smart card loss and session-specific temporary information attacks, and do not offer a password changing facility. Choi et al.'s scheme [33] suffers from smart card loss, session-specific temporary information, user impersonation, replay and stolen verifier attacks, and does not provide user anonymity. Our scheme remedies the aforementioned attacks while keeping many merits of the previous schemes.

11. Conclusion
In this paper, we have identified security loopholes in the recently proposed temporal-credential-based mutual authentication and key agreement schemes of He et al. and Li et al. for WSNs, and fixed the identified threats with a user-friendly temporal-credential-based authentication scheme using chaotic maps that fulfils the security and privacy needs of WSNs. The proposed scheme offers various security services, such as protection of user privacy, mutual authentication and secure session key establishment among all three entities (SN, GWN and user), and any-time password updating without interaction with GWN. The forward secrecy property and the resistance to session-specific temporary information leakage guarantee the confidentiality of communication even in arduous scenarios such as disclosure of the GWN secret keys, compromise of the user's identity and password, and leakage of session-specific temporary information. Besides, our scheme withstands various known attacks, from simple to severe, as shown by a comprehensive security analysis.
The scheme provides a fast wrong-identifier detection mechanism at login time, which reduces the risk of denial of service attacks. The use of timestamps resists replay, and the use of chaotic maps keeps the computational complexity and overhead of the login-authentication and session key agreement phase under control. The results of the communication cost and efficiency comparison with the related schemes demonstrate the superiority of the proposed scheme over the previous temporal-credential-based and other related authentication schemes. We believe that the contributions and findings of this study provide better insight into the design and evaluation of anonymous user authentication protocols. They are of primary significance to security engineers selecting suitable mechanisms, and also help researchers design viable authentication protocols with better utility-safety trade-offs.

Acknowledgement: The authors extend their sincere appreciation to the Deanship of Scientific Research at King Saud University for funding this Prolific Research Group (PRG-1436-16).

Conflict of Interest: The authors declare no conflict of interest regarding the publication of this article.

References

[2] [3] [4] [5] [6]

J. Carlson, R. Han, S. Lao, C. Narayan, S. Ghani, Rapid prototyping of mobile input devices using wireless sensor nodes, Proceedings of the 5th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA ’03), October 2003, pp. 21–29. J.H. Chen, M.B. Salim, M. Matsumoto, A single mobile target tracking in voronoi-based clustered wireless sensor network, J. Inf. Process. Syst. 7(1) (2011) 17–28. D. Kumar, T.C. Aseri, R.B. Patel, Multi-hop communication routing (MCR) protocol for heterogeneous wireless sensor networks, Int. J. Inf. Technol. Commun. Converg. 1(2) (2011) 130–145. G. Zhao, A. Kumar, Lifetime-aware geographic routing under a realistic link layer model in wireless sensor networks, Int. J. Inf. Technol. Commun. Converg., 1(3) (2011) 297–317. U.A.F., ARGUS: Advanced Remote Ground Unattended Sensor Systems, Department of Defense, 2009, http://www.globalse -curity.org/ intell/systems/arguss.htm. C. Otto, A. Milenkovic, C. Sanders, E. Jovanov, System architecture of a wireless body area sensor network for ubiquitous health monitoring, Journal of Mobile Multimedia 1(4) (2006) 307–326.

[7]

[8] [9] [10] [11]

[12] [13]

[14] [15] [16] [17]

[18] [19] [20] [21] [22]

[23] [24] [25]

[26] [27]

A. Mainwaring, J. Polastre, R. Szewczyk, D. Culler, J. Anderson, Wireless sensor networks for habitat monitoring, Proceedings of the 1st ACM International Workshop on Wireless Sensor Networks and Applications, September 2002, pp. 88–97. W.R. Claycomb, D. Shin, A novel node level security policy framework for wireless sensor networks, Journal of Network and Computer Applications, 34 (2011) 418–428. B. Li, L. Batten, Using mobile agents to recover from node and database compromise in path-based dos attacks in wireless sensor networks, Journal of Network and Computer Applications 32 (2009) 377–387. E.H. Callaway, Wireless Sensor Networks, Architectures and Protocols, Auerbach Publications, Taylor & Francis Group: Boca Raton, FL, USA, 2003. A. Hagedorn, D. Starobinski, A. Trachtenberg, Rateless Deluge: Over-the Air programming of wireless sensor networks using random linear codes, 2008 International Conference on Information Processing in Sensor Networks, 2008. R. Watro, D. Kong, S. Cuti, C. Gardiner, C. Lynn, P. Kruus, TinyPK: Securing sensor networks with public key technology, Proc. ACM Workshop Security of Ad Hoc Sensor Networks, 2004, pp. 59-64. K. Wong, Y. Zheng, J. Cao, S. Wang, A dynamic user authentication scheme for wireless sensor networks, Proc. IEEE International Conf. Sensor Networks, Ubiquitous, Trustworthy Computing, IEEE Computer Society, 2006, pp. 244-251. H.R. Tseng, R.H. Jan, W. Yang, An improved dynamic user authentication scheme for wireless sensor networks, Proceedings of IEEE Globecom, Washington, DC, USA, 26–30 November 2007, pp. 986-990. T.H. Lee, Simple dynamic user authentication protocols for wireless sensor networks, The Second International Conference on Sensor Technologies and Applications, 2008, pp. 657–660. L.C. Ko, A novel dynamic user authentication scheme for wireless sensor networks, IEEE International Symposium on Wireless Communication Systems (ISWCS '08), 2008, pp. 608 – 612. B. Vaidya, J.S. Silva, J.J. 
Rodrigues, Robust dynamic user authentication scheme for wireless sensor networks, Proc. of the 5th ACM Symposium on QoS and Security for wireless and mobile networks (Q2SWinet 2009), Tenerife, Spain, Oct. 2009, pp. 88-91. M.L. Das, Two-factor user authentication in wireless sensor networks, IEEE Trans. Wireless. Comm. 8 (2009) 1086-1090. B. Vaidya, J.J. Rodrigues, J.H. Park, User authentication schemes with pseudonymity for ubiquitous sensor network in NGN, International Journal of Communication Systems 23 (2010) 1201–1222. J.Yuan, C. Jiang, Z. Jiang, A biometric-based user authentication for wireless sensor networks, Wuhan University Journal of Natural Sciences 15(3) (2010) 272–6. D. He, Y. Gao, S. Chan, C. Chen, J. Bu, An enhanced two-factor user authentication scheme in wireless sensor networks, Ad Hoc & Sensor Wireless Networks 0 (2010) 1-11. H.F. Huang, Y.F. Chang, C.H. Liu, Enhancement of two-factor user authentication in wireless sensor networks, Proceedings of the 6th International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIHMSP’10), October 2010, pp. 27–30. M.K. Khan, K. Alghathbar, Cryptanalysis and security improvements of “two-factor user authentication in wireless sensor networks, Sensors 10(3) (2010) 2450–2459. P. Kumar, S. G. Lee, H. J. Lee, E-SAP: Efficient-strong authentication protocol for healthcare applications using wireless medical sensor networks, Sensors, 12(2) (2012) 1625-1647. D. B. He, N. Kumar, J. H. Chen, C. C. Lee, Chilamkurti, N., & Yeo, S. S. Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks, Multimedia Systems. 21(1) (2015) 49-60. Q. Jiang, Jianfeng Ma, X. Lu, Y. Tian, An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks, Peer-to-Peer Networking and Applications, 8(6) (2015) 1070-1081. Q. Jiang, Zhuo Ma , Jianfeng Ma, G. 
Li, Security enhancement of a robust user authentication framework for wireless sensor networks, China Communications, 9(10) (2012) 103-111.

[28] [29]

[30] [31]

[32]

[33] [34] [35] [36] [37] [38] [39] [40] [41] [42] [43] [44] [45] [46] [47] [48] [49] [50] [51]

Q. Jiang, Jianfeng Ma, G. Li, L. Yang, An efficient ticket based authentication protocol with unlinkability for wireless access networks, Wireless Personal Communications, 77 (2) (2014) 1489-1506. X. Li, J. Niu, S. Kumari, J. Liao, W. Liang, M. K. Khan, A new authentication protocol for healthcare applications using wireless medical sensor networks with user anonymity, Security and Communication Networks, (2015) DOI: 10.1002/sec.1214 K. Xue, C. Ma, P. Hong, R. Ding, A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks, J. Netw. Comput. Appl. 36 (2013) 316–323. C.T. Li, C.Y. Weng, C.C. Lee, An advanced temporal credential-based security scheme with mutual authentication and key agreement for wireless sensor networks, Sensors 13 (2013) 9589-9603. doi:10.3390/s130809589 D. He, N. Kumar, N. Chilamkurti, A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks, Information Sciences (2015) http://dx.doi.org/10.1016/j.ins.2015.02.010 Y. Choi, D. Lee, J. Kim, J. Jung, J. Nam, D. Won, Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography, Sensors, 14 (2014) 10081-10106. W. Diffie, M.E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, 22 (1976) 644–54. R.L. Rivest, A. Shamir, L.M. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM 21 (1978) 120–126. S. Deng, Y. Li, D. Xiao, Analysis and improvement of a chaos-based Hash function construction, Commun. Nonlinear Sci. Numer. Simul., 15 (5) (2010) 1338–1347. D. Xiao, X. Liao, S. Deng, One-way hash function construction based on the chaotic map with changeable parameter, Chaos Solit. Fract., 24 (1) (2005) 65–71. D. Xiao, F. Shih, X. Liao, A chaos-based hash function with both modification detection and localization capabilities, Commun. Nonlinear Sci. Numer. 
Simul., 15 (9) (2010) 2254–2261. G. Chen, Y. Mao, C. Chui, A symmetric image encryption scheme based on 3D chaotic cat maps, Chaos Solit. Fract., 21 (3) (2004) 749–761. G. Chen, Y. Chen, X. Liao, An extended method for obtaining S-boxes based on three-dimensional chaotic baker maps, Chaos Solit. Fract. 31 (3) (2007) 571–579. H. Liu, W. Wang, Color image encryption using spatial bit-level permutation and high-dimension chaotic system, Optics Commun. 284 (2011) 3895–3903. X. Wang, L. Yang, R. Liu, A chaotic image encryption algorithm based on perceptron model, Nonlinear Dynam. 62 (2010) 615–621. Y. Q. Zhang, X. Y. Wang, A symmetric image encryption algorithm based on mixed linear-nonlinear coupled map lattice, Inform. Sci,. 273 (2014) 329–351. X. Wang, D. Luan, X. Bao, Cryptanalysis of an image encryption algorithm using Chebyshev generator, Digital Signal Process., 25 (2014) 244–247. K. Wang, W. Pei, L. Zhou, Y. Cheung, Z. He, Security of public key encryption technique based on multiple chaotic system, Phys. Lett., A 360 (2006) 259–262. L. Zhang, Cryptanalysis of the public key encryption based on multiple chaotic systems, Chaos Solitons Fractals 37(3) (2008) 669–674. X. Y. Wang, Y. F. Gao, A switch-modulated method for chaos digital secure communication based on userdefined protocol, Commun. Nonlinear Sci. Numer. Simul., 15 (2010) 99–104. K. Chain, W. C. Kuo, A new digital signature scheme based on chaotic maps, Nonlinear Dynam., 74 (2013) 1003–1012. X. Y. Wang, J. F. Zhao, An improved key agreement protocol based on chaos, Commun. Nonlinear Sci. Numer. Simul., 15 (2010) 4052–4057. E. Yoon, I. Jeon, An efficient and secure Diffie–Hellman key agreement protocol based on Chebyshev chaotic map, Commun. Nonlinear Sci. Numer. Simul., 16 (2011) 2383–2389. X. Y. Wang, D. P. Luan, A secure key agreement protocol based on chaotic maps, Chinese Phys., B 22(11) (2013) 110503.

[52] [53] [54] [55] [56] [57] [58]

[59] [60] [61] [62]

[63] [64] [65] [66] [67] [68] [69] [70]

[71] [72] [73]

[74]

T. F. Lee, Enhancing the security of password authenticated key agreement protocols based on chaotic maps, Inform. Sci., 290 (2015) 63–71. D. Xiao, X. Liao, S. Deng, A novel key agreement protocol based on chaotic maps, Inform. Sci., 177 (2007) 1136–1142. D. Xiao, X. Liao, S. Deng, Using time-stamp to improve the security of a chaotic maps-based key agreement protocol, Inform. Sci., 178 (2008) 1598–1602. K. Xue, P. Hong, Security improvement on an anonymous key agreement protocol based on chaotic maps, Commun. Nonlinear Sci. Numer. Simul., 17 (2012) 2969–2977. Y. Niu, X. Wang, An anonymous key agreement protocol based on chaotic maps, Commun. Nonlinear Sci. Numer. Simul., 16(4) (2011) 1986–1992. Z. Tan, A chaotic maps-based authenticated key agreement protocol with strong anonymity, Nonlinear Dynam,. 72 (2013) 311–320. Q. Jiang, F. Wei, S. Fu, J. Ma, G. Li, A. Alelaiwi, Robust extended chaotic maps-based three-factor authentication scheme preserving biometric template privacy, Nonlinear Dyn., (2015) DOI 10.1007/s11071015-2467-5 P. Bergamo, P. D’Arco, A. De Santis, L. Kocarev, Security of public-key cryptosystems based on Chebyshev polynomials, IEEE Trans. Circuits Syst. I, Fundam. Theory Appl., 52(7) (2005) 1382–1393. D. He, Y. Chen, J. Chen, Cryptanalysis and improvement of an extended chaotic maps-based key agreement protocol, Nonlinear Dynam., 69 (2012) 1149–1157. C. C. Lee, C. W. Hsu, A secure biometric-based remote user authentication with key agreement scheme using extended chaotic maps, Nonlinear Dynam., 71 (2013) 201–211. C. T. Li, C. C. Lee, C. Y. Weng, An extended chaotic maps based user authentication and privacy preserving scheme against DoS attacks in pervasive and ubiquitous computing environments, Nonlinear Dynam., 74 (2013) 1133–1143. S.H. Islam, Provably secure dynamic identity-based three-factor password authentication scheme using extended chaotic maps, Nonlinear Dynam., (2014) http://dx.doi.org/10.1007/s11071-014-1584-x. S. H. 
Islam, Design and analysis of a three party password-based authenticated key exchange protocol using extended chaotic maps, Information Sciences, 312 (2015) 104–130. P. Kocher, J. Jaffe, B. Jun, Differential power analysis, Proceedings of Advances in Cryptology (CRYPTO’99) 1999, pp. 388–397. T. S. Messerges, E. A. Dabbish, R. H. Sloan, Examining smart-card security under the threat of power analysis attacks, IEEE Transactions on Computers, 51(5) (2002) 541–552. D. He, Y. Zhang, J. Chen, Cryptanalysis and improvement of an anonymous authentication protocol for wireless access networks, Wireless Personal Communications, 74 (2) (2014) 229-243. S. Kumari, M.K. Khan, Cryptanalysis and improvement of ‘a robust smart-card-based remote user password authentication scheme, International Journal of Communication Systems, (2013) DOI: 10.1002/dac.2590. S. Kumari, M.K. Khan, More secure smart card based remote user password authentication scheme with user anonymity, Security and Communication Networks, (2013) DOI: 10.1002/sec.916. X. Li, J. Niu, J. Liao, W. Liang, Cryptanalysis of a dynamic identity-based remote user authentication scheme with verifiable password update, International Journal of Communication Systems, (2013) DOI: 10.1002/dac.2676. D. He, D. Wang, Robust biometrics-based authentication scheme for multi-server environment, IEEE Systems Journal, (2014) DOI: 10.1109/JSYST.2014.2301517. S. Kumari, M.K. Gupta, M. Kumar, Cryptanalysis and security enhancement of Chen et al.’s remote user authentication scheme using smart card, Central European Journal of Computer Science, 2(1) (2012) 60-75. M.K. Khan, S. Kumari, Cryptanalysis and improvement of “an efficient and secure dynamic id-based authentication scheme for telecare medical information systems, Security and Communication Networks, (2013) DOI: 10.1002/sec.791 S. Kumari, M.K. Gupta, M.K. Khan, X. 
Li, An improved timestamp-based password authentication scheme: comments, cryptanalysis and improvement, Security and Communication Networks, (2013) DOI: 10.1002/sec.906.

[75] [76] [77] [78] [79] [80] [81] [82] [83]

R. Canetti, H. Krawczyk, Analysis of key exchange schemes and their use for building secure channels, In Advances in Cryptology-Eurocrypt., 2001, pp. 451-472. Z. Cheng, M. Nistazakis, R. Comley, L. Vasiu, On the indistinguishability-based security model of key agreement schemes-simple cases. In Cryptology ePrint Archive, Report, 2005. J.C. Mason, D.C. Handscomb, Chebyshev Polynomials. Chapman & Hall/CRC Press, London, Boca Raton, 2003. S. Han, E. Chang, Chaotic map based key agreement with/out clock synchronization, Chaos Solitons Fractals, 39(3) (2009) 1283–1289. L. Kocarev, Z. Tasev, Public-key encryption based on Chebyshev maps, In proceedings of the international symposium on circuits and systems, (ISCAS’03) 3 (2003) 28–31. S.K. Sood, A.K. Sarjee, K. Singh, An improvement of Liao et al.’s authentication scheme using smart card, In: IEEE 2nd International Advance Computing Conf., 2010, pp. 240–245. M. Burrows, M. Abadi, R. Needham, A logic of authentication, ACM Transactions on Computer System, 8 (1990) 18-36. L. Bakrawy, N. Ghali, A. Hassanien, T.H. Kim, A fast and secure one-way hash function, Comput. and Info. Sci., 259 (2011) 85–93. T. F. Lee, Provably secure anonymous single-sign-on authentication mechanism using extended Chebyshev chaotic maps for distributed computer networks, IEEE Systems Journal, DOI: 10.1109/JSYST.2015.2471095

Dr. Saru Kumari is currently an Assistant Professor with the Department of Mathematics, Ch. Charan Singh University, Meerut, Uttar Pradesh, India. She received her Ph.D. degree in Mathematics in 2012 from CCS University, Meerut, UP, India. She has published more than 50 research papers in reputed International journals and conferences, including 35 publications in SCI-Indexed Journals. Her current research interests include information security, digital authentication, security of wireless sensor networks, and applied mathematics.

Dr. Xiong Li received his master's degree in mathematics and cryptography from Shaanxi Normal University (SNNU) in 2009 and his Ph.D. degree in computer science and technology from Beijing University of Posts and Telecommunications (BUPT) in 2012. Dr. Li is now a lecturer at Hunan University of Science and Technology (HNUST). He has published more than 10 refereed journal papers. His research interests include cryptography and information security.

Fan Wu received the Bachelor's degree in Computer Science from Shandong University, Jinan, China in 2003, and the Master's degree in Computer Software and Theory from Xiamen University, Xiamen, China in 2008. He is now a lecturer at Xiamen Institute of Technology, Huaqiao University. His current research interests include information security, internet protocols, and network management.

Ashok Kumar Das received the Ph.D. degree in Computer Science and Engineering, the M.Tech. degree in Computer Science and Data Processing, and the M.Sc. degree in Mathematics, all from IIT Kharagpur, India. He is currently an Assistant Professor with the Center for Security, Theory and Algorithmic Research of the International Institute of Information Technology (IIIT), Hyderabad, India. He has authored over 80 papers in international journals and conferences in his research areas. His current research interests include cryptography, wireless sensor network security, proxy signature, hierarchical access control, data mining and remote user authentication. He received the Institute Silver Medal from IIT, Kharagpur.

Hamed Arshad is with the Department of Computer Engineering and Information Technology, Imam Reza International University, Mashhad, Iran. His research interests include information security, network security, and cryptography.

Dr. Muhammad Khurram Khan is currently working at the Center of Excellence in Information Assurance, King Saud University, Saudi Arabia. He has edited seven books and proceedings published by Springer-Verlag and IEEE. He has published more than 200 papers in international journals and conferences and he is an inventor of 10 U.S./PCT patents. Dr. Khan is the Editor-in-Chief of ‘Telecommunication Systems’ (Springer). He is also on the editorial boards of several International SCI journals. His current research interests include Cybersecurity, biometrics, multimedia security, and digital authentication.