Abstract: Authentication is a significant requirement in wireless sensor networks (WSNs), especially in critical applications. However, most previous user authentication schemes are either vulnerable or too power-hungry for resource-constrained WSN nodes. This study focuses on user authentication by investigating the scheme of Park et al. and identifying its weaknesses. A novel, lightweight mutual user authentication protocol named MUAP is then proposed. The analysis and results show that the proposed scheme not only resists specific attacks such as the man-in-the-middle attack, the impersonation attack and the message-alteration attack, but also outperforms the protocol of Kumar et al. in terms of device computation overhead and communication consumption.
INTRODUCTION
In recent years, the Wireless Sensor Network (WSN) has grown rapidly to accommodate many application areas, including military, national security, environmental monitoring, traffic management, health care and manufacturing (Kumar et al., 2013). A WSN consists of resource-constrained sensors (Crossbow Technology, 2012; Moteiv Corporation, 2012) with low computational ability, low power, low bandwidth and a small amount of memory. The broadcast nature of the sensor node makes it possible for any user within range to access sensor data, and an on-demand user may misuse the sensitive data for personal reasons (Das, 2009, 2011; Sun et al., 2013). Since the sensor data are private to the users of the WSN, users must be authenticated before being granted access to the sensitive data. Therefore, user authentication is a primary concern in WSN application areas.
At present, several mutual user authentication protocols have been proposed for resource-constrained WSNs (Ko, 2008; Lee, 2008; Chen and Shih, 2010; He et al., 2010; Khan and Alghathbar, 2010; Yoo et al., 2012), each with its own advantages and disadvantages. In 2010, Gao proposed a two-factor user authentication protocol based on a smartcard and a password (He et al., 2010). However, Chen showed that Gao's protocol fails to achieve mutual authentication and is vulnerable to parallel-session attacks, and then proposed a robust mutual authentication protocol for WSNs (Chen and Shih, 2010). Khan proposed an improvement to Gao's scheme to resist these attacks.
In 2012, Park claimed that the protocols proposed in (Chen and Shih, 2010; He et al., 2010; Khan and Alghathbar, 2010) are susceptible to parallel-session attacks and gateway-bypass attacks and that none of them achieves mutual authentication. Therefore, they proposed a scheme (Yoo et al., 2012) to overcome the problems of (Chen and Shih, 2010; He et al., 2010; Khan and Alghathbar, 2010).
Nevertheless, according to our study, the protocol of Park et al. is not only susceptible to impersonation attacks, message-alteration attacks and man-in-the-middle attacks but is also inefficient (in terms of communication and computation cost) for real-time WSNs. Therefore, we propose a strong and lightweight user authentication protocol that protects the privacy of the user, in which each user demonstrates his legitimacy by proving possession of his secret information. The proposed scheme has several merits, including mutual authentication among all entities (sensor, gateway and user), protection of user privacy and confidentiality of the wireless messages. Further, we show that the proposed protocol withstands the common attacks, in contrast to the protocols in (Chen and Shih, 2010; He et al., 2010; Khan and Alghathbar, 2010), and achieves high efficiency in computation overhead and communication consumption.
ANALYSIS OF PARK ET AL.'S SCHEME
Review of Park et al.'s protocol: The scheme of Park et al. consists of three parts: registration, authentication and password change. The details of this protocol are shown in Fig. 1.
Registration part: To access the sensor data, each user registers himself by passing his IDu and PPWu = h(PWu)⊕b to the Gateway node over a secure channel, where b is a secret number generated by the user. The Gateway node then uses the received IDu and PPWu to compute Mu = h(IDu||PPWu), Nu = h(IDu||PPWu)⊕h(K||J) and Lu = h(J||IDu), where J is a random number generated by the Gateway node and K is a key generated by the Gateway node. Finally, the parameters {Mu, Nu, Lu, h(.)} are stored on a smartcard and passed to the user, who adds b to the smartcard as his secret.
Fig. 1: Park et al.'s authentication part
Authentication part: The authentication part is divided into three phases: login, verification and session-key establishment.
Login part: When the user wants to access the sensor data on demand, he inserts his smartcard and inputs his IDu and PWu. The smartcard then performs the series of computations shown in Fig. 1.
Verification part: In this part, the user and the Gateway verify each other by exchanging the messages {Au, RNgateway}, {Bu}, {DIDu, T2, RN'gateway} and {Cu, RNsensor}.
Session key establishment: After the parties have verified each other, a session key between the user and the Gateway node is established.
Password-change part: The user enters his current IDu and PWu; the smartcard computes the new PPWu and Mu* and compares Mu* with Mu. If they do not match, the password-change request is rejected; otherwise it is accepted and the user inputs his new password.
Drawbacks of Park et al.'s scheme: After analyzing the protocol, we find two weaknesses.
We assume that Eve is an intruder who controls the communication among the user, the Gateway and the sensor node: Eve can eavesdrop on, alter and intercept the wireless messages at any time. Alice is a legitimate user.
Impersonation attack: Suppose a previous login message (DIDu, T, IDu, RNu) of Alice has been intercepted by Eve. Although Eve knows nothing about Alice's password or identity, she can impersonate Alice to access the WSN. The details of the impersonation attack are as follows:
Step 1: Eve→Gateway node: (DIDu, T', IDu, RNu), that is, the captured message with its timestamp replaced by a fresh T'
Step 2: After receiving the login request, the Gateway node checks the timestamp as (T1-T')<ΔT. Since T' is fresh, the check passes and the Gateway node computes Ku* = h(xa||IDu), h(IDu||PPWu)* = DIDu⊕h(Ku*||T) and Au = h(h(IDu||PPWu)*||Ku*||RNu). It then responds to Eve with {Au, RNgateway}
The steps above show that the impersonation attack succeeds: Eve's login request is accepted, so Eve can imitate any user and log in to the Gateway at any time.
MITM attack: Assume that Eve is active between the Gateway and the sensors. Eve intercepts the Gateway node's message {DIDu, T2, RNgateway} and alters it to (DIDu, T', RN'gateway), replacing the original T2 and RNgateway with her own current timestamp T' and a random nonce RN'gateway. Eve then transmits the altered request to a sensor node within her range. The sensor node processes the request as follows:
Step 1: The sensor node verifies the timestamp as (T*-T')<ΔT. Since T' is fresh, the sensor computes Cu = h(Zn||T'||RN'gateway) and creates RN'sensor. The sensor has no way of telling that the request did not come from the Gateway, so it treats it as legitimate and responds to Eve
Step 2: Sensor→Eve: (Cu, RN'sensor). After receiving this message, Eve may also replace Cu with C'u and transmit the altered authentication message back to the sensor
Step 3: Eve→Sensor: the sensor will, of course, reject the request because Cu≠C'u
The protocol does eventually reject Eve, but the detection of the MITM attack comes too late: each bogus request costs the sensor a hash computation and a radio transmission, so Eve can drain the sensor node's energy by repeating the attempt many times.
Certainly, the protocol of Park et al. overcomes the drawbacks of (Das, 2009; Chen and Shih, 2010; Yoon and Yoo, 2011), but it fails against the impersonation attack and the MITM attack, and by our analysis it remains costly for real-time WSNs. To solve the problems in (Ko, 2008; Lee, 2008; Chen and Shih, 2010; He et al., 2010; Khan and Alghathbar, 2010; Yoo et al., 2012), the next section proposes a secure and efficient mutual user authentication protocol named MUAP, which provides the necessary security services to WSNs at a reasonable computation and communication cost.
PROPOSED MUTUAL USER AUTHENTICATION PROTOCOL MUAP
This protocol uses a special cryptographic primitive, Shamir's secret sharing algorithm. First, let us review it (Dolev et al., 2011; Ulutas et al., 2011; Aldosary and Howells, 2012; Coron et al., 2013). In general, a Shamir (k, n) secret sharing scheme divides a secret S into n parts called child-secrets (shares); S can be recovered from any k or more of them, while fewer than k reveal nothing about S.
A secret S∈GF(q), where q is a large prime and GF(q) is the Galois field of q elements, is divided into n parts by the polynomial f(x) = a0+a1x+a2x^2+...+a(k-1)x^(k-1) mod q, with a0 = S and a1, a2, ..., a(k-1)∈GF(q) chosen at random. Each part has its own distinct non-zero identifier x1, x2, ..., xn∈GF(q), and the parts are the values f(x1), f(x2), ..., f(xn). Finally, each pair {xi, f(xi)} (i = 1, 2, ..., n) is distributed to one participant as his key. In MUAP, {xi, f(xi)} is distributed to each legitimate user as his identity number, which is used during authentication.
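The sharing and reconstruction described above, as an added example in Python (not code from the paper): it builds the (k, n) shares of a secret over GF(q), recovers S from any k of them by Lagrange interpolation at x = 0, and shows why k-1 shares reveal nothing by forging, for any chosen candidate S', a k-th share that makes those k-1 shares reconstruct to S'. The prime q = 2^127 - 1, the use of x = 1..n as share identifiers and all function names are this example's own assumptions.

```python
"""Added example, not from the paper: Shamir (k, n) secret sharing over GF(q),
Lagrange reconstruction, and a check that k-1 shares say nothing about S."""
import secrets

Q = 2**127 - 1  # ASSUMPTION: a Mersenne prime as the field modulus q


def make_shares(secret, k, n, q=Q):
    """Pick f(x) = S + a1 x + ... + a(k-1) x^(k-1) mod q at random and return the
    child-secrets {(x_i, f(x_i))} for x_i = 1..n (x = 0 is never used: f(0) = S)."""
    assert 0 <= secret < q and 1 <= k <= n < q
    coeffs = [secret] + [secrets.randbelow(q) for _ in range(k - 1)]
    return [(x, sum(a * pow(x, i, q) for i, a in enumerate(coeffs)) % q) for x in range(1, n + 1)]


def interpolate(points, x, q=Q):
    """Lagrange evaluation at x of the unique polynomial of degree < len(points) through points."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x - xm) % q
                den = den * (xj - xm) % q
        total = (total + yj * num * pow(den, -1, q)) % q
    return total


def reconstruct(shares, q=Q):
    """Any k (or more) distinct shares recover S = f(0)."""
    return interpolate(shares, 0, q)


def fake_share(partial, candidate, x_new, q=Q):
    """Given only k-1 shares, produce the share at x_new that would make S = candidate.
    This works for every candidate, so k-1 shares carry no information about S."""
    return x_new, interpolate([(0, candidate)] + list(partial), x_new, q)


if __name__ == "__main__":
    S = 0xC0FFEE
    shares = make_shares(S, 3, 5)        # (3, 5): any 3 of the 5 identity numbers rebuild S
    print(reconstruct(shares[:3]) == S, reconstruct(shares[2:]) == S)
    two = shares[:2]                     # a colluding pair holding 2 < k shares
    for guess in (0, S, 12345):
        print(reconstruct(two + [fake_share(two, guess, 99)]) == guess)   # True for every guess
```

In MUAP terms, each {xi, f(xi)} pair returned by make_shares is one user's identity number; the fake_share check is the property that makes handing such a pair to a user safe, since a coalition of fewer than k users learns nothing about S.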
We consider a WSN consisting of two kinds of devices: low-resource devices and high-resource devices. The high-resource devices, such as Gateway nodes, can resist tampering attacks, but the low-resource devices cannot. Users access the WSN and obtain sensor data through their own terminal equipment, such as a smartphone or laptop; before doing so, a user must register with the Gateway node and obtain permission.
To introduce the MUAP protocol, we make the following assumptions. The notation used in this study is listed in Table 1.
Table 1: Symbols used in MUAP
• The Gateway is fully trusted and is never compromised; it is also a high-power device
• A periodically refreshed secret key is maintained by the Gateway and the sensor to encrypt the communication data in the authentication process
• The Gateway and the sensor hold the same initial key for ZUC (Liu et al., 2010; Zhou et al., 2011; Sekar, 2012), a lightweight stream cipher (the core of the LTE confidentiality algorithm EEA3). All authentication data are encrypted with this stream cipher
The MUAP protocol consists of three parts: the registration part, the authentication part and the password-change part.
Registration part: To access the sensor data, each user registers himself by passing his IDu and PPWu = h(PWu)⊕b to the Gateway node over a secure channel. After receiving these two values, the Gateway node chooses S, uses the Shamir secret sharing algorithm to compute f(IDu) and then performs the following steps. The Gateway calls the ZUC algorithm to generate a key K1 whose length equals that of IDu||h(f(IDu))⊕IDgateway and encrypts this value as Au = EEA3K1[IDu||h(f(IDu))⊕IDgateway]. The Gateway also derives the verifier Bu, which it retains for recomputing Cu in the verification phase and which the smartcard checks at login. The S chosen by the Gateway is a periodically changing parameter, so every user must re-register with the Gateway node after S changes.
The user then receives a smartcard holding the parameters {Au, Bu, h[f(IDu)]} and adds his random number b to the smartcard. The registration part is now complete.
Authentication part: The procedure of the authentication part of MUAP is shown in Fig. 2. It consists of three sub-phases: the login phase, the verification phase and session-key establishment.
Login phase: When the user wants to access the sensor data, he inserts his smartcard into the terminal and inputs IDu and PWu. The smartcard checks the user's identity: it computes Bu* = h[IDu||h(f(IDu))⊕h(b⊕PWu)] and tests whether Bu == Bu*. If so, it computes Cu = h(Bu⊕T'), where T' is the user's current system timestamp, and transmits the message {Cu, Au, T'} to the Gateway; otherwise the login request is denied.
Fig. 2: Authentication part of MUAP protocol
Verification phase: When the Gateway receives the login request from the user, the following steps are carried out.
Step 1: Check (T''-T')<ΔT, where T'' is the Gateway's current system timestamp and ΔT is the maximum tolerable interval. If the check passes, proceed to the next step; otherwise deny the login request
Step 2: The Gateway calls the ZUC algorithm to generate the key K1, decrypts Au with it to obtain {IDu*, h(f(IDu))*, IDgateway*} and computes Cu* = h(Bu⊕T'). It then compares Cu* = Cu, h(f(IDu))* = h(f(IDu)) and IDgateway* = IDgateway. If all comparisons succeed, the Gateway regards the user as legitimate and proceeds to the next step; otherwise it denies the request
Step 3: The Gateway calls the ZUC algorithm to generate another key K2 and computes Du = EEA3K2[IDu||IDgateway||S||IDsensor||Tgateway], where Tgateway is the Gateway's current timestamp. Du and Tgateway are transmitted to the sensor
Step 4: After receiving Du and Tgateway, the sensor checks (Tsensor-Tgateway)<ΔT, where Tsensor is the sensor's current timestamp. If the check passes, proceed to the next step; otherwise deny
Step 5: The sensor calls the ZUC algorithm to generate K2 (it shares the initial key with the Gateway), decrypts Du with K2 and obtains {IDu*, IDgateway*, S*, IDsensor*, Tgateway*}
Step 6: The sensor compares Tgateway* = Tgateway, IDgateway* = IDgateway, IDsensor* = IDsensor and S* = S. If all comparisons succeed, the sensor regards both the Gateway and the user as legitimate and proceeds to the next step; otherwise it denies
Step 7: The sensor computes Gu = h(h(f(IDu*))||IDu*⊕T'sensor), where T'sensor is its current timestamp, and sends the message {Gu, T'sensor} to the user
Step 8: After receiving Gu and T'sensor, the user checks (Tu-T'sensor)<ΔT, where Tu is the user's current system timestamp. If the check passes, proceed to the next step; otherwise refuse
Step 9: The user computes Gu* from the locally stored h(f(IDu)) and IDu and the received T'sensor, and compares Gu = Gu*. If they match, the sensor is legitimate; otherwise refuse
Session key establishment: If step 9 succeeds, a session key between the user and the sensor is established.
Password-change part: When the user needs to change his password, the following steps are carried out:
Step 1: The user inserts his smartcard into the terminal and inputs IDu and PWu; the smartcard computes Bu* = h(IDu||h(b⊕PWu)⊕Au) and checks Bu* = Bu. If they match, proceed to the next step; otherwise the procedure is denied
Step 2: The user is asked to input a new password PWnew; the smartcard generates a new random number bnew and computes Bnew = h(IDu||h(bnew⊕PWnew)⊕Au)
Step 3: Bnew and bnew are written to the smartcard in place of the old Bu and b
ANALYSIS OF MUAP PROTOCOL
In this section, we analyze the security and performance of the MUAP protocol and compare it with the protocol of Park et al.
Security analysis: As before, we assume that Eve is an intruder who controls the wireless channels among the user, the Gateway and the sensor and can eavesdrop on, alter and intercept the wireless messages at any time. Alice is a legitimate user.
Replay attack and message-alteration attack: By eavesdropping on the authentication procedure, Eve has three ways to mount a replay attack: (i) intercept Alice's login message {Cu, Au, T'} and replay it to the Gateway, (ii) intercept the message {Du, Tgateway} from the Gateway to the sensor and replay it to the sensor, or (iii) intercept the message {Gu, T'sensor} from the sensor to the user and replay it to the user. In case (i), the replayed message fails verification because of the maximum tolerable interval (T''-T')<ΔT. Even if Eve replaces T' with a fresh T'* (T'*≠T') so that (T''-T'*)<ΔT holds, she still cannot pass verification, because the Gateway computes Cu* = h(Bu⊕T'*) ≠ Cu and Eve cannot recompute Cu without Bu. In case (ii), the replayed message similarly fails the check (Tsensor-Tgateway)<ΔT. Even if Eve replaces Tgateway with a fresh Tgateway* (Tgateway*≠Tgateway) to satisfy that check, the sensor rejects the message because the Tgateway recovered from Du does not equal Tgateway*. In case (iii), the replayed message fails the check (Tu-T'sensor)<ΔT. Even if Eve replaces T'sensor with a fresh Tsensor* (Tsensor*≠T'sensor) to satisfy that check, the user rejects it because Gu* = h(h(f(IDu))||IDu⊕Tsensor*) ≠ Gu. Therefore, the MUAP protocol is secure against the replay attack and the message-alteration attack.
MITM attack: Eve may also attempt an MITM attack by modifying the message {Du, Tgateway} sent from the Gateway to the sensor. However, (1) Du is ciphertext and Eve knows nothing about K2, so she can neither read nor forge it, and (2) the Gateway's real timestamp Tgateway is carried inside Du. If Eve changes the timestamp Tgateway to T'gateway (T'gateway≠Tgateway), the message fails at step 6. So the MUAP protocol resists the MITM attack.
User-impersonation attack: To impersonate a user and log in to the Gateway, Eve needs to eavesdrop on a legitimate user's login message {Cu, Au, T'} and replay it at time T'*. Even if we assume that T'* passes step 1, the attempt fails at step 2, because Cu was computed over the original T' and Eve cannot produce h(Bu⊕T'*) without Bu. Therefore, the MUAP protocol resists the user-impersonation attack.
Key-guessing attack: The MUAP protocol encrypts the authentication data with the ZUC stream cipher. Each key is used only once; a new key is generated for the next procedure to encrypt that procedure's data, so a guessed key is useless in the next procedure. For instance, even if someone obtained K1 during the authentication procedure, K1 is of no further use because the new key K2 is used afterwards. Hence a key-guessing attack gains nothing against the MUAP protocol.
Gateway-bypass attack: Suppose Eve sends a request directly to the sensor without the Gateway's permission by fabricating a Gateway request. The fabrication is detected because the communication data between the Gateway and the sensor are encrypted with a key Eve does not hold, so the decrypted fields fail the comparisons of step 6. Hence the Gateway-bypass attack is useless against MUAP.
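An added example (not code from the paper) that runs the three-message exchange of the authentication part, the registration it depends on, and the attacker edits considered in this security analysis: a stale replay of {Cu, Au, T'}, the same replay with a freshened T', a modified Tgateway in {Du, Tgateway}, and a fabricated Du sent straight to the sensor (the gateway-bypass case). Everything the paper leaves unspecified is this example's own assumption and is marked ASSUMPTION in the code: h(.) is SHA-256; a SHA-256 counter-mode keystream stands in for ZUC/EEA3, which the Python standard library does not provide; K1 and K2 are derived from the shared initial key; Bu is taken as h(IDu||h(f(IDu))||PPWu) so that both the card and the Gateway can form it, and the Gateway keeps a table of Bu values; the sensor holds the sharing polynomial so that it can form h(f(IDu)) for Gu; fields have fixed widths; ΔT is 5 s. One deliberate difference from the paper's check: the freshness test uses |Tnow - T| < ΔT, because the one-sided test (T''-T')<ΔT accepts any timestamp dated in the future.

```python
"""Added example, not from the paper: a runnable model of the MUAP exchange
user -> Gateway {Cu, Au, T'}, Gateway -> sensor {Du, Tgateway}, sensor -> user {Gu, Tsensor},
with hooks for the in-flight edits of the security analysis. ASSUMPTION marks open choices."""
import hashlib
import secrets

Q = 2**127 - 1                   # ASSUMPTION: prime q of GF(q) for the Shamir polynomial
DELTA_T = 5                      # ASSUMPTION: maximum tolerable interval, in seconds
ID_LEN, S_LEN, T_LEN = 8, 16, 8  # ASSUMPTION: fixed field widths so ciphertexts parse

def h(*parts):
    """h(.): SHA-256 over the concatenation (||) of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def stream_xor(key, data):
    """ASSUMPTION: SHA-256 in counter mode stands in for the ZUC/EEA3 keystream (encrypt == decrypt)."""
    return xor(data, b"".join(h(key, i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1)))

def hf(poly, id_u):
    """h(f(IDu)) for f(x) = a0 + a1 x + ... + a(k-1) x^(k-1) mod q, a0 = S."""
    x = int.from_bytes(id_u, "big")
    return h((sum(a * pow(x, i, Q) for i, a in enumerate(poly)) % Q).to_bytes(S_LEN, "big"))

def tb(t, n=T_LEN): return t.to_bytes(n, "big")

def fresh(now, t):
    """|Tnow - T| < dT; unlike the one-sided test this also rejects future-dated timestamps."""
    return abs(now - t) < DELTA_T

class Gateway:
    def __init__(self, id_gw, zuc_key, poly):
        self.id, self.poly, self.table = id_gw, poly, {}         # table: IDu -> Bu (ASSUMPTION)
        self.k1, self.k2 = h(b"K1", zuc_key), h(b"K2", zuc_key)  # ASSUMPTION: derived from the ZUC initial key

    def register(self, id_u, ppw_u):
        hf_u = hf(self.poly, id_u)
        a_u = stream_xor(self.k1, id_u + hf_u + self.id)         # Au = E_K1[IDu || h(f(IDu)) || IDgateway]
        b_u = self.table[id_u] = h(id_u, hf_u, ppw_u)            # ASSUMPTION: Bu binds IDu, h(f(IDu)), PPWu
        return a_u, b_u, hf_u

    def verify_login(self, msg, now, id_sensor):
        c_u, a_u, t_u = msg
        if not fresh(now, t_u): return None                      # step 1
        p = stream_xor(self.k1, a_u)                             # step 2
        id_u, hf_u, id_gw = p[:ID_LEN], p[ID_LEN:ID_LEN + 32], p[ID_LEN + 32:]
        b_u = self.table.get(id_u)
        if (b_u is None or id_gw != self.id or hf_u != hf(self.poly, id_u)
                or h(xor(b_u, tb(t_u, 32))) != c_u):             # Cu* = h(Bu xor T')
            return None
        d_u = stream_xor(self.k2, id_u + self.id + tb(self.poly[0], S_LEN) + id_sensor + tb(now))
        return d_u, now                                          # step 3: {Du, Tgateway}

class Sensor:
    def __init__(self, id_s, id_gw, zuc_key, poly):
        self.id, self.id_gw, self.k2 = id_s, id_gw, h(b"K2", zuc_key)
        self.poly = poly  # ASSUMPTION: the sensor holds f (hence S) so it can form h(f(IDu)) for Gu

    def verify_gateway(self, msg, now):
        d_u, t_gw = msg
        if not fresh(now, t_gw): return None                     # step 4
        p = stream_xor(self.k2, d_u)                             # step 5: fields 8|8|16|8|8 bytes
        id_u, id_gw, s, id_s, t_in = p[:8], p[8:16], p[16:32], p[32:40], p[40:48]
        if (id_gw, s, id_s, t_in) != (self.id_gw, tb(self.poly[0], S_LEN), self.id, tb(t_gw)):
            return None                                          # step 6
        return h(hf(self.poly, id_u), xor(id_u, tb(now))), now   # step 7: {Gu, Tsensor}

class SmartCard:
    def __init__(self, id_u, b, a_u, b_u, hf_u):
        self.id, self.b, self.a_u, self.b_u, self.hf = id_u, b, a_u, b_u, hf_u

    def login(self, pw, now):
        ppw = xor(h(pw), self.b)                                 # PPWu = h(PWu) xor b
        if h(self.id, self.hf, ppw) != self.b_u: return None     # Bu* == Bu ?
        return h(xor(self.b_u, tb(now, 32))), self.a_u, now      # {Cu, Au, T'}

    def verify_sensor(self, msg, now):                           # steps 8 and 9
        g_u, t_s = msg
        return fresh(now, t_s) and g_u == h(self.hf, xor(self.id, tb(t_s)))

def setup(k=3):
    zuc_key, poly = secrets.token_bytes(16), [secrets.randbelow(Q) for _ in range(k)]
    gw = Gateway(b"GATEWAY1", zuc_key, poly)
    sensor = Sensor(b"SENSOR01", gw.id, zuc_key, poly)
    b = secrets.token_bytes(32)                                  # the user's secret number b
    card = SmartCard(b"ALICE001", b, *gw.register(b"ALICE001", xor(h(b"pw-demo"), b)))
    return gw, sensor, card

def run(gw, sensor, card, pw, t0, edit_login=None, edit_gw=None):
    """One authentication; edit_* let Eve rewrite a message in flight. Returns 'ok' or who rejected."""
    m1 = card.login(pw, t0)
    if m1 is None: return "card"
    m2 = gw.verify_login(edit_login(m1) if edit_login else m1, t0 + 1, sensor.id)
    if m2 is None: return "gateway"
    m3 = sensor.verify_gateway(edit_gw(m2) if edit_gw else m2, t0 + 2)
    if m3 is None: return "sensor"
    return "ok" if card.verify_sensor(m3, t0 + 3) else "user"
```

Each case in the analysis is one call: run(gw, sensor, card, b"pw-demo", 1000) is the honest run; edit_login=lambda m: (m[0], m[1], m[2] - 60) replays a login message whose T' is 60 s old and is stopped by step 1; edit_login=lambda m: (m[0], m[1], m[2] + 1) freshens T' but leaves the old Cu, so step 2 rejects it; edit_gw=lambda m: (m[0], m[1] + 1) alters Tgateway and fails the step 6 comparison against the timestamp inside Du; and edit_gw=lambda m: (bytes(len(m[0])), m[1]) is a fabricated Du, which decrypts to garbage and fails the same comparisons.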
Mutual authentication: The procedure of MUAP shows that it is a mutual authentication scheme. First, the Gateway checks the user in step 2; second, the Gateway transmits the authentication data to the sensor, which checks the Gateway in step 6; finally, the sensor transmits the authentication data to the user, who checks the sensor in step 9.
Table 2: Security comparison
Table 3: Computational consumption comparison
H: number of hash function executions, S: number of Shamir secret sharing executions, Z: number of ZUC executions, B: number of block cipher executions
All three parties thus authenticate one another, so MUAP is a mutual authentication protocol among user, Gateway and sensor.
Performance analysis: In this part, we compare the performance of MUAP with that of (Lee, 2008; Chen and Shih, 2010; He et al., 2010; Yoo et al., 2012; Kumar et al., 2013).
Computational consumption: The major computational cost of the registration part falls on the Gateway, which is a high-resource device capable of complex operations. The cost to the user in the registration part of (Lee, 2008; Chen and Shih, 2010; He et al., 2010; Yoo et al., 2012; Kumar et al., 2013) is comparable, but the authentication part differs. From Table 3, the consumption of the authentication part in (Lee, 2008; Chen and Shih, 2010; He et al., 2010; Yoo et al., 2012) is lower than in (Kumar et al., 2013) and MUAP. However, Table 2 shows that Gao's and Chen's protocols cannot resist all the attacks; Park's scheme resists the replay attack and the message-alteration attack but not the MITM attack, the user-impersonation attack or the key-guessing attack; and Lee's resists only the replay attack. Clearly, the security of (Lee, 2008; Chen and Shih, 2010; He et al., 2010; Yoo et al., 2012) does not reach that of (Kumar et al., 2013) and MUAP, so those protocols are not suitable for securing WSNs.
The security of (Kumar et al., 2013) and MUAP is the same, but their computational consumption differs. Kumar's protocol uses the RC5/Skipjack block ciphers for encryption and decryption, whereas MUAP uses a lightweight stream cipher, which consumes less than a block cipher and is therefore better suited to WSNs. The total computational consumption of MUAP is only 8H, 4Z and 2S, whereas that of (Kumar et al., 2013) is 11H and 8B, and the cost of S is lower than that of B. Hence the computation overhead of MUAP is lower than that of (Kumar et al., 2013), and MUAP is the more efficient protocol at the same security level.
Communication consumption: As Fig. 1 and 2 show, the other protocols require six message exchanges to complete the whole authentication procedure, whereas MUAP needs only three, with authentication messages of the same length.
CONCLUSION
A secure and lightweight authentication scheme is essential for wireless sensor networks. We have proposed a secure and lightweight mutual user authentication protocol, MUAP, that resists the attacks listed in Table 2 using the Shamir secret sharing algorithm, timestamps and a lightweight stream cipher. The analysis and results show that MUAP is a secure and lightweight authentication scheme which not only resists those attacks but also has lower computation and communication consumption at the same security level.
ACKNOWLEDGMENT
This study was supported by the Graduation of Xinjiang Research and Innovation Projects under grant No. XJGRI2013038. The authors thank the anonymous reviewers for their constructive comments, which helped to improve the quality of this study.