WSN-SLAP: Secure and Lightweight Mutual Authentication Protocol for Wireless Sensor Networks

Abstract

Wireless sensor networks (WSN) are widely used to provide users with convenient services such as health-care, and smart home. To provide convenient services, sensor nodes in WSN environments collect and send the sensing data to the gateway. However, it can suffer from serious security issues because susceptible messages are exchanged through an insecure channel. Therefore, secure authentication protocols are necessary to prevent security flaws in WSN. In 2020, Moghadam et al. suggested an efficient authentication and key agreement scheme in WSN. Unfortunately, we discover that Moghadam et al.’s scheme cannot prevent insider and session-specific random number leakage attacks. We also prove that Moghadam et al.’s scheme does not ensure perfect forward secrecy. To prevent security vulnerabilities of Moghadam et al.’s scheme, we propose a secure and lightweight mutual authentication protocol for WSNs (WSN-SLAP). WSN-SLAP has the resistance from various security drawbacks, and provides perfect forward secrecy and mutual authentication. We prove the security of WSN-SLAP by using Burrows-Abadi-Needham (BAN) logic, Real-or-Random (ROR) model, and Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation. In addition, we evaluate the performance of WSN-SLAP compared with existing related protocols. We demonstrate that WSN-SLAP is more secure and suitable than previous protocols for WSN environments.

1. Introduction

As a rapid development of wireless communication technology, wireless sensor networks (WSN) can be applied to various environments such as smart grids, smart homes, agriculture, industrial internet of things (IoT), and health-care [1,2,3,4,5]. People can achieve a more bountiful life by utilizing WSN environments. Generally, WSN environments consist of sensor nodes, a gateway, and users, as shown in Figure 1. Sensor nodes detect and monitor their surrounding environment. Then, sensor nodes transmit the monitored data to the gateway. The gateway relays and analyzes the message between sensor nodes and users. The gateway also manages the private information of sensor nodes and users to provide secure services. Users can access the data collected by sensor nodes through the gateway.

An example of the application environment in WSN is health-care services. Wearable sensors attached to a patient analyze the health condition of the patient. Then, these sensors send the collected data to the physician. However, these services can be exposed to various security attacks because each entity exchanges information through a public channel. If an adversary intercepts messages in WSN, the adversary can disguise as a legal user and send an incorrect message to the sensor node. Moreover, if an adversary registers to the gateway as a legal entity, the adversary can try to obtain other legal user’s sensitive information. Therefore, we need an authentication protocol that can provide secure services and prevent various attacks in WSN environments.

In 2020, Moghadam et al. [6] suggested an authentication and key agreement scheme for WSN environments utilizing Elliptic-Curve Diffie-Hellman (ECDH) [7]. They demonstrated that their scheme is efficient and secure against various security attacks such as replay, password guessing, stolen verifier, and man-in-the-middle (MITM) attacks. However, we discover that Moghadam et al.’s scheme does not provide security against insiders, and session-specific random number leakage attacks. We also prove that Moghadam et al.’s scheme does not support perfect forward secrecy. Moreover, each entity performs Elliptic Curve Cryptography (ECC) multiplication operations to compute a session key in Moghadam et al.’s scheme. However, ECC requires heavy computational costs. Since sensor nodes have low computation capabilities and storage resources in a WSN environment, we cannot ensure real-time communications using ECC in WSN environments. Therefore, using Moghadam et al.’s scheme makes it difficult to provide efficient services. To improve security vulnerabilities and reduce the computational cost of Moghadam et al.’s scheme, we propose a secure and lightweight mutual authentication protocol (WSN-SLAP) considering security and efficiency features using hash functions and XOR operations.

1.1. Contributions

Our paper’s contributions are as below.

• We analyze and prove the security vulnerabilities of Moghadam et al.’s scheme. Then, we propose WSN-SLAP to resolve security vulnerabilities of Moghadam et al.’s scheme.
• We demonstrate the mutual authentication of WSN-SLAP using Burrows–Abadi–Needham (BAN) logic [8].
• We proof the session key security of WSN-SLAP by using the Real-or-Random (ROR) model [9]
• We use Automated Verification of Internet Security Protocols and Applications (AVISPA) [10,11] to prove security features of WSN-SLAP against replay and MITM attacks.
• We analyze the communication cost, the computational cost, and security properties of WSN-SLAP compared with related schemes.

1.2. Adversary Model

WSN-SLAP uses a well-known adversary model called the Dolev–Yao (DY) model [12]. Through the DY model, the adversary can eavesdrop, delete, intercept, and insert exchanged messages through a public channel. Moreover, the adversary can get exposed session-specific ephemeral parameters, which is based on the Canetti–Krawczyk (CK) adversary model [13]. The adversary can perform various security attacks with the DY model and the CK model. The detailed assumptions of the adversary model are defined in the following manner.

• If an adversary registers as a legal user to the gateway, the adversary can authenticate with other entities.
• An adversary can obtain a user’s lost/stolen smart card. The adversary can perform the power analysis attack [14] to get stored parameters of the smart card.
• An adversary can attempt various attacks such as replay, sensor node capture, stolen verifier, and off-line password guessing attacks.

1.3. Organization

In Section 2, we describe related works for WSN environments. Then, we revisit Moghadam et al.’s scheme in Section 3 and prove the security flaws of Moghadam et al.’s scheme in Section 4. Section 5 illustrates WSN-SLAP. In Section 6, we perform informal and formal security analyses of WSN-SLAP by using BAN logic, the ROR model, and AVISPA simulation tool. In Section 7, we analyze WSN-SLAP’s performance compared with the existing related protocols. In Section 8, we conclude and summarize our paper.

2. Related Works

In the past few decades, numerous password-based authentication schemes have been proposed to provide security and efficiency in WSN environments [15,16,17,18,19]. In 1981, Lamport [20] suggested an authentication mechanism based on a password. Lamport used one-way hash functions to encode the password and stored the hashed password inside the system. In 2006, Wong et al. [21] suggested a password-based authentication scheme in WSN environments. Unfortunately, Tseng et al. [22] proved that Wong et al.’s scheme is insecure against forgery and replay attacks. Tseng et al. demonstrated a dynamic user authentication scheme to improve security vulnerabilities of Wong et al. [21]’s scheme. However, these schemes [20,21,22] can suffer from on/off-line password guessing attacks because they only used the password as a factor to login and authenticate with other entities.

In the last few decades, two-factor-based authentication schemes [23,24,25] have been presented using hash functions and XOR operations to improve single factor’s security weaknesses. In 2009, Das et al. [23] proposed a two-factor authentication scheme based on a smart card in WSNs. They demonstrated that their scheme can prevent various attacks such as replay, stolen verifier, and off-line password guessing attacks. However, Khan et al. [24] analyzed that Das et al. [23]’s scheme is vulnerable to privileged insider attack. He et al. [25] found that Das et al. [23]’s scheme is vulnerable to insider and impersonation attacks. To improve the security vulnerabilities of Das et al.’s scheme, He et al. [25] suggested an enhanced two-factor user authentication scheme for WSNs. However, these schemes [23,24,25] can suffer from various attacks such as thoe using stolen smart cards and mobile devices.

To resolve the security flaws associated with two-factor-based authentication schemes and improve the security level in WSN environments, researchers have proposed many ECC-based authentication schemes [26,27,28,29,30,31]. In 2011, Yeh et al. [26] proposed an authentication protocol for WSN environments using ECC. Yeh et al.’s scheme used a smart card and ECC to prevent various security issues such as insider, and masquerade attacks. Choi et al. [27] suggested an ECC-based user authentication scheme for WSN. However, Wu et al. [28] pointed out that Choi et al.’s protocol does not provide security against forgery attack. Nam et al. [29] suggested a secure authentication protocol for WSN based on ECC. Nam et al.’s scheme provides a secure protocol based on an Elliptic Curve Computation Diffie-Hellman (ECCDH) problem. In 2016, Jiang et al. [30] proposed an ECC-based authentication scheme. Jiang et al.’s scheme provides secure communications and untraceability in WSN environments. In 2017, Wu et al. [31] suggested a user authentication scheme using ECC. Wu et al.’s scheme can preserve user privacy in WSN environments. However, sensor nodes in WSN have low computing power and resources. Therefore, it is difficult to provide efficiency in WSN environments using these schemes [26,27,28,29,30,31] because ECC requires large computational resources.

In 2020, Moghadm et al. [6] suggested an authentication and key agreement scheme using ECDH. They asserted that their scheme provides resistance against various attacks such as replay, MITM, off-line password guessing, and stolen verifier attacks. However, we discover that Moghadam et al.’s scheme is vulnerable to insider, session-specific random number leakage attacks and perfect forward secrecy. Moreover, Moghadam et al.’s scheme suffers from heavy computational cost because it involves an ECC-based computation. Therefore, we propose WSN-SLAP, which has resistance to various security problems.

3. Review of Moghadam et al.’s Scheme

Moghadam et al. proposed an authentication scheme based on ECDH in WSN [6]. Moghadam et al.’s scheme is composed of sensor node registration, user registration, and login and authentication phases.

Table 1. Notations.

Notation	Description
$U_i$	User
$GW$	Gateway
$S_j$	Sensor node
$I{D}_i$	Real identity of user
$P{W}_i$	Password of user
$PI{D}_i$	Pseudo identity of user
$SI{D}_j$	Real identity of sensor node
$k_{GWN}$	Master key of gateway
$KG$	Shared secret key between gateway and sensor node
X	Public key of gateway
G	Elliptic curve group
P	Generator of G
$R_k,N_k,z_i,a_i,f_i,g_i,q_i$	Random numbers
$T_k$	Timestamp
$SK$	Session key
$E_k/D_k$	Symmetric key encryption/decryption
$h(.)$	Hash function
$\left|\right|$	Concatenation function
⊕	Exclusive-or function

indicates the notations of Moghadam et al.’s scheme and WSN-SLAP.

3.1. Sensor Node Registration Phase

In this phase, a sensor node $S_j$ sends its identity to the gateway $GW$. Then, $GW$ computes a shared secret parameter between $GW$ and $S_j$. In Figure 2, we show the sensor node registration phase and the details are as follows.

Step 1: 

$S_j$ generates its identity $SI{D}_j$, and sends it to $GW$ over a secure channel.

Step 2: 

$GW$ receives $SI{D}_j$ and checks the validity of $SI{D}_j$. After that, $GW$ computes $KG=h\left(SI{D}_j\right|\left|k_{GWN}\right)$, and stores $\{SI{D}_j,KG\}$ in its secure database, where $k_{GWN}$ is the master key of $GW$. Finally, $GW$ sends $\left\{KG\right\}$ to $S_j$.

Step 3: 

$S_j$ receives and stores $\left\{KG\right\}$ in its database.

3.2. User Registration Phase

A user $U_i$ registers to the gateway $GW$ by sending an identity and a masked password value. Then, $GW$ issues a smart card to $U_i$. In Figure 3, we describe the user registration phase and the details are shown as below.

Step 1: 

$U_i$ inputs the identity $I{D}_i$ and the password $P{W}_i$, and then generates a random number $q_i$. After that, $U_i$ computes $AP{W}_i=h(q_i\left|\right|P{W}_i)$ and sends the registration request message $\{I{D}_i,AP{W}_i\}$ to the gateway $GW$ over a secure channel.

Step 2: 

$GW$ receives $\{I{D}_i,AP{W}_i\}$ from $U_i$, and then generates a random number $z_i$. After that, $GW$ computes $B_i=h(I{D}_i\left|\right|AP{W}_i\left|\right|z_i),$$C_i=h(I{D}_i\left|\right|k_{GWN})$, and $D_i=h(I{D}_i\left|\right|C_i\left|\right|z_i\left|\right|B_i)$. Finally, $GW$ stores $\{z_i,C_i,D_i,$$h(.)\}$ in a smart card and issues it to $U_i$ over a secure channel.

Step 3: 

$U_i$ receives the smart card, and stores $q_i$ in the smart card. Finally, parameters $\{z_i,C_i,D_i,h(.),q_i\}$ are stored in the smart card.

3.3. Login and Authentication Phase

After the registration phase, the user $U_i$ authenticates the gateway $GW$. In Figure 4, we describe the login and authentication phase and the detailed steps of the phase are shown as below.

Step 1: 

After inserting the smart card, $U_i$ inputs the identity $I{D}_i^{*}$ and the password $P{W}_i^{*}$. The smart card computes $AP{W}_i^{*}=h(P{W}_i^{*}\left|\right|q_i),B_i^{*}=h(I{D}_i^{*}\left|\right|AP{W}_i^{*}\left|\right|z_i),D_i^{*}$$=h\left(I{D}_i^{*}\right|\left|C_i\right|\left|z_i\right|\left|B_i^{*}\right)$ and verifies $D_i^{*}\stackrel{?}{=}{D}_i$. If the verification process is successful, the smart card generates a random nonce $a_i$ and timestamp $T_1$. With the public key of the gateway X, the smart card computes $A_1=a_i·P,A_2=a_i·X,DI{D}_i=I{D}_i\oplus A_{2\left(x\right)},A_3=SI{D}_j\oplus A_{2\left(x\right)}$, and $A_4=E_{A_2}(B_i\left|\right|SI{D}_j\left|\right|A_3)$. At last, the smart card sends $\{A_1,A_3,A_4,T_1\}$ to $GW$ through a public channel.

Step 2: 

$GW$ receives $\{A_1,A_3,A_4,T_1\}$ from $U_i$, and selects a timestamp $T_2$ and checks the validity of $T_1$. If the timestamp is vaild, $GW$ computes $A_2=k_{GWN}·A_1,D_{A_2}\left(A_4\right)=(B_i^{*}\left|\right|SI{D}_i^{*}\left|\right|A_3^{*}),A_3=SI{D}_i^{*}\oplus A_{2\left(x\right)}$ and verifies $A_3^{*}\stackrel{?}{=}{A}_3$. If the equality holds, $GW$ generates a random nonce $g_i$ and computes $KG=h\left(SI{D}_j\right|\left|k_{GWN}\right),$$D_1=KG\oplus A_2,D_2=h(A_2\left|\right|SI{D}_j\left|\right|A_3)$. At last, $GW$ sends $\{g_i·P,D_1,D_2,$$T_2\}$ to the sensor node $S_j$ over a public channel.

Step 3: 

After reception of the message $\{g_i·P,D_1,D_2,T_2\}$ from $GW$, $S_j$ selects a timestamp $T_3$ and checks the validity of $T_2$. Then, $S_j$ computes $A_2=KG\oplus D_1,A_3=SI{D}_j\oplus A_{2\left(x\right)},D_2^{*}=h(A_2\left|\right|SI{D}_j\left|\right|A_3)$ and verifies $D_2^{*}\stackrel{?}{=}{D}_2$. If the verification is legitimate, $S_j$ generates a random nonce $f_i$, and computes $sk=h(A_2\left|\right|f_i·g_i·P),X_i=h\left(sk\right|\left|KG\right)$. At last, $S_j$ sends $\{f_i·P,X_i,T_3\}$ to $GW$.

Step 4: 

After receiving $\{f_i·P,X_i,T_3\}$ from $S_j$, $GW$ selects a timestamp $T_4$ and checks the validity of $T_3$. Then, $GW$ computes $sk=h(A_2\left|\right|f_i·g_i·P),X_i=h\left(sk\right|\left|KG\right)$ and verifies $X_i^{*}\stackrel{?}{=}{X}_i$. If it is equal, $GW$ computes $D_4=E_{A_2}\left(g_i\right),y_i=h\left(sk\right||A_3)$ and sends $\{y_i,D_4,T_4\}$ to $U_i$.

Step 5: 

$U_i$ receives the message $\{y_i,D_4,T_4\}$, and selects a timestamp $T_5$ and checks the validity of $T_4$. At last, $U_i$ computes $D_{A_2}\left(D_4\right)=\left(g_i\right),sk=h(A_2\left|\right|f_i·g_i·P),y_i^{*}=h\left(sk\right||A_3)$ and verifies $y_i^{*}\stackrel{?}{=}{y}_i$. If it is equal, the key agreement is successful.

4. Cryptanalysis of Moghadam et al.’s Scheme

In this section, we demonstrate the security vulnerabilities of Moghadam et al.’s scheme [6] such as insider, and session-specific random number leakage attacks. Moghadam et al.’s scheme also does not achieve perfect forward secrecy.

4.1. Insider Attack

If an adversary $\mathcal{A}$ ordinary registers as a legal user $U_i$, $\mathcal{A}$ can authenticate with the gateway $GW$ and the sensor node $S_j$ by exchanging messages. With this information, $\mathcal{A}$ can compute another legal user $U_i^l$’s session key. The details are shown as below.

Step 1: 

$\mathcal{A}$ inserts the smart card, and inputs the identity $I{D}_i$ and the password $P{W}_i$ of $\mathcal{A}$. Then, the smart card checks the validity of $\mathcal{A}$, and sends a login request message $\{A_1,A_3,A_4,T_1\}$ to $GW$. After authenticating $\mathcal{A}$, $GW$ sends $\{g_i·P,D_1,D_2,T_2\}$ to $S_j$. Upon reception of the message $\{g_i·P,D_1,D_2,T_2\}$, $S_j$ computes a session key $sk$. Then, $S_j$ sends the authentication response message $\{f_i·P,X_i,T_3\}$ to $GW$. $GW$ computes the session key and sends $\{y_i,D_4,T_4\}$ to $\mathcal{A}$. $\mathcal{A}$ computes the session key and obtains communication messages during the login and authentication phase.

Step 2: 

After obtaining the message $\{g_i·P,D_1,D_2,T_2\}$, $\mathcal{A}$ computes $KG=D_1\oplus A_2$, where $A_2$ is the secret key of $\mathcal{A}$ using ECC and $KG$ is a shared secret key between $GW$ and $S_j$.

Step 3: 

$\mathcal{A}$ intercepts a message $\{g_i^l·P,D_1^l,D_2^l,T_2^l\}$ from the message of another legal user $U_i^l$. Since $\mathcal{A}$ knows $KG$, it can compute $A_2^l=D_1^l\oplus KG$, where $A_2^l$ is the secret key of $U_i^l$.

Step 4: 

$\mathcal{A}$ obtains the message $\{y_i^l,D_4^l,T_4^l\}$ and decrypts $D_4^l$ using the secret key $A_2^l$ of $U_i^l$. Then, $\mathcal{A}$ can obtain the random secret nonce $g_i^l$ of sensor node. $\mathcal{A}$ can compute $f_i^l·g_i^l·P$ by utilizing the message $\{f_i^l·P,X_i^l,T_3^l\}$. Finally, $\mathcal{A}$ compute the session key $s{k}^l=h(A_2^l\left|\right|f_i^l·g_i^l·P)$.

Therefore, Moghadam et al.’s scheme cannot prevent insider attacks.

4.2. Perfect Forward Secrecy

Moghadam et al. demonstrated that their scheme can ensure the security feature of perfect forward secrecy. However, if the adversary $\mathcal{A}$ gets the master key $k_{GWN}$ of the gateway $GW$, the adversary can compute the legal user $U_i$’s session key $sk$. The details are shown in following steps.

Step 1: 

If $\mathcal{A}$ obtains the master key $k_{GWN}$, $\mathcal{A}$ can compute the secret key $A_2=k_{GWN}·A_1$ of $U_i$ by utilizing the login request message $\{A_1,A_3,A_4,T_1\}$.

Step 2: 

When $\mathcal{A}$ intercepts the message $\{y_i,D_4,T_4\}$, $\mathcal{A}$ can decrypt $E_{A_2}\left(g_i\right)$ because $A_2$ is the symmetric key between the $U_i$ and the gateway $GW$.

Step 3: 

After $\mathcal{A}$ obtains the message $\{f_i·P,X_i,T_3\}$, $\mathcal{A}$ can get $(A_2,g_i)$ and $(f_i·P)$. At last, $\mathcal{A}$ computes $U_i$’s session key $sk=h\left(A_2\right||f_i·g_i·P)$.

Consequently, Moghadam et al.’s scheme does not ensure perfect forward secrecy.

4.3. Session-Specific Random Number Leakage Attack

Suppose that a random nonce $a_i$ is disclosed to an adversary $\mathcal{A}$. Using the public key X of the gateway $GW$, $\mathcal{A}$ can calculate $A_2=a_i·X$. Then, $\mathcal{A}$ can compute the session key $sk$. The details are described as below.

Step 1: 

After getting the parameter $A_2$, $\mathcal{A}$ captures the message $\{y_i,D_4,T_4\}$. Then, $\mathcal{A}$ decrypts $D_4=E_{A_2}\left(g_i\right)$ by using the symmetric key $A_2$ and obtains $g_i$.

Step 2: 

$\mathcal{A}$ eavesdrops the message of the sensor node $S_j$$\{f_i·P,X_i,T_3\}$. Finally, $\mathcal{A}$ computes the session key $sk=h\left(A_2\right||f_i·g_i·P)$ using $f_i·P$ in the message of $S_j$.

Therefore, Moghadam et al.’s scheme cannot prevent session-specific random number leakage attacks.

5. Proposed Scheme

We propose a secure and lightweight mutual authentication protocol for WSN environments to resolve security weaknesses of Moghadam et al.’s scheme [6]. To consider the resource-limited sensor nodes, WSN-SLAP uses hash functions and XOR operations that generate low computational overheads. WSN-SLAP is composed of sensor node registration, user registration, login and authentication, password update, and sensor node addition phases.

5.1. Sensor Node Registration Phase

If a sensor node $S_j$ sends a registration request message, the gateway $GW$ computes a secret parameter for the sensor node. Then, $S_j$ stores the parameter. We show the sensor node registration phase in Figure 5 and the details are presented as below.

Step 1: 

$S_j$ selects its identity $SI{D}_j$ and generates a random number $R_j$. Then, $S_j$ computes $h\left(SI{D}_j\right|\left|R_j\right)$ and sends $\{SI{D}_j,h(SI{D}_j\left|\right|R_j\left)\right\}$ to $GW$ over a secure channel.

Step 2: 

$GW$ receives $\{SI{D}_j,h(SI{D}_j\left|\right|R_j\left)\right\}$ and computes $K{S}_j=h\left(h\right(SI{D}_j\left|\right|R_j\left)\right||k_{GWN})$, where $k_{GWN}$ is the master key of $GW$. $GW$ stores $\{SI{D}_j,h(SI{D}_j\left|\right|$$R_j\left)\right\}$ in the secure database and sends $\left\{K{S}_j\right\}$ to $S_j$.

Step 3: 

At last, $S_j$ stores $\left\{K{S}_j\right\}$ in its memory.

5.2. User Registration Phase

A user $U_i$ sends a registration request message to the gateway $GW$. Then, $GW$ computes secret parameters and issues a smart card to the user. In Figure 6, we describe the user registration phase and the detailed steps are shown as below.

Step 1: 

$U_i$ inputs an identity $I{D}_i$ and a high entropy password $P{W}_i$. After that, $U_i$ transmits $\left\{I{D}_i\right\}$ to $GW$ via a secure channel.

Step 2: 

$GW$ generates random numbers x and $R_g$, and computes $HI{D}_i=h(I{D}_i\left|\right|R_g),$$PI{D}_i$$=HI{D}_i\oplus h\left(x\right||k_{GWN})$. $GW$ stores $\{PI{D}_i,x\}$ in its secure database and sends the message $\{PI{D}_i,HI{D}_i,h(.)\}$ to $U_i$.

Step 3: 

$U_i$ generates a random number $R_i$. With $R_i$, $U_i$ computes $AP{W}_i=h(P{W}_i\left|\right|R_i),$$S{R}_i=R_i\oplus (I{D}_i\left|\right|P{W}_i), SHI{D}_i=HI{D}_i\oplus h(P{W}_i\left|\right|I{D}_i\left|\right|R_i)$, and $V_i=h($$AP{W}_i$$\left|\right|I{D}_i\left|\right|R_i)$. Finally, $U_i$ stores $\{S{R}_i,SHI{D}_i,V_i,PI{D}_i,h(.)\}$ in the smart card.

5.3. Login and Authentication Phase

To access information of the sensor $S_j$, the user $U_i$ sends a login request message to the gateway $GW$. In Figure 7, we describe the login and authentication phase and the details are presented below.

Step 1: 

After inserting the smart card, $U_i$ inputs the identity $I{D}_i$ and the password $P{W}_i$. The smart card computes $R_1^{*}=S{R}_i\oplus h(I{D}_i\left|\right|P{W}_i),AP{W}_i^{*}=h(P{W}_i\left|\right|R_i)$ and $V_i^{*}=h(AP{W}_i^{*}\left|\right|I{D}_i\left|\right|R_1^{*})$. Then, the smart card checks the validity of $V_i^{*}$ compared with $V_i$ stored in the smart card. If the validity is confirmed, the smart card generates a random nonce $N_1$, and computes $HI{D}_i=SHI{D}_i\oplus h(P{W}_i\left|\right|I{D}_i\left|\right|R_i),S_i=SI{D}_j\oplus h(PI{D}_i\left|\right|HI{D}_i),M_1=N_1\oplus h(HI{D}_i\left|\right|PI{D}_i),$ and $V_1=h(SI{D}_j\left|\right|PI{D}_i\left|\right|N_1\left|\right|HI{D}_i)$. At last, $U_i$ sends $\{PI{D}_i,S_i,M_1,V_1\}$ to $GW$ over a public channel.

Step 2: 

When $GW$ receives $\{PI{D}_i,S_i,M_1,V_1\}$ from $U_i$, $GW$ retrieves $PI{D}_i$ and the shared secret value x from $GW$’s database. Then, $GW$ computes $HI{D}_i^{*}=PI{D}_i\oplus h\left(x\right||k_{GWN}),SI{D}_j^{*}=S_i\oplus h(PI{D}_i\left|\right|$$HI{D}_i^{*}),N_1^{*}=M_1\oplus h(HI{D}_i^{*}\left|\right|PI{D}_i)$ and $V_1^{*}=h(SI{D}_j^{*}\left|\right|PI{D}_i\left|\right|N_1^{*}\left|\right|HI{D}_i^{*})$, and checks the validity of $V_1^{*}$ compared with $V_1$. If the validity is confirmed, $GW$ retrieves $SI{D}_j$ and $h\left(SI{D}_j\right|\left|R_j\right)$ from $GW$’s database. $GW$ computes $K{S}_j=h\left(h\right(SI{D}_j\left|\right|R_j\left)\right||k_{GWN}),M_2=h(N_2\left|\right|HI{D}_i)\oplus h(K{S}_j\left|\right|PI{D}_i),$$M_3=N_1\oplus h\left(h\right(N_2\left|\right|HI{D}_i\left)\right||K{S}_j),$ and $V_2=h(PI{D}_i\left|\right|SI{D}_j\left|\right|h(N_2\left|\right|HI{D}_i\left)\right||N_1)$. At last, $GW$ sends $\{PI{D}_i,M_2,M_3,V_2\}$ to $S_j$ over a public channel.

Step 3: 

If $S_j$ receives $\{PI{D}_i,M_2,M_3,V_2\}$, $S_j$ computes $h(N_2\left|\right|HI{D}_i{)}^{*}=M_2\oplus h(K{S}_j\left|\right|$$PI{D}_i),N_1^{*}=M_3\oplus h\left(h\right(N_2\left|\right|HI{D}_i{)}^{*}\left|\right|PI{D}_i$$),$$V_2^{*}=h(PI{D}_i\left|\right|SI{D}_j\left|\right|h(N_2\left|\right|HI{D}_i\left)\right||$$N_1^{*})$ and checks the validity of $V_2^{*}$ compared with the parameter $V_2$. If the validity is confirmed, $S_j$ computes $SK=h\left(h\right(N_2\left|\right|HI{D}_i\left)\right||N_3\left|\right|N_1),M_4=N_3\oplus h(K{S}_j\left|\right|N_2),V_3=h\left(SK\right||N_3$$\left|\right|SI{D}_j)$, where $SK$ is a session key. Finally, $S_j$ sends $\{M_4,V_3\}$ to $GW$.

Step 4: 

After receiving the message $\{M_4,V_3\}$ from $S_j$, $GW$ computes $N_3^{*}=M_4\oplus h(K{S}_j\left|\right|N_2),S{K}^{*}=h\left(h\right(N_2\left|\right|HI{D}_i\left)\right||N_3^{*}\left|\right|N_1),V_3^{*}=h(S{K}^{*}\left|\right|N_3^{*}\left|\right|$$SI{D}_j)$ and verifies the equality of $V_3^{*}$ and $V_3$. If the verification is successful, $GW$ generates a random nonce $N_2$ and computes $x^{new}=h\left(x\right||N_2),PI{D}_i^{new}=HI{D}_i\oplus h(x^{new}\left|\right|k_{GWN}),P_i=PI{D}_i^{new}\oplus h(N_1\left|\right|HI{D}_i),M_5=N_2\oplus h(HI{D}_i\left|\right|SI{D}_j\left|\right|$$N_1)$$,M_6=N_3\oplus h(N_2\left|\right|HI{D}_i$$\left|\right|PI{D}_i^{new})$ and $V_4=h(N_2\left|\right|N_3\left|\right|$$PI{D}_i^{new}\left|\right|SK)$. At last, $GW$ sends $\{P_i,M_5,M_6,V_4\}$ to $U_i$ and updates $\{PI{D}_i,x\}$ to $\{PI{D}_i^{new},x^{new}\}$ if the key agreement is successful.

Step 5: 

When $U_i$ receives the message $\{P_i,M_5,M_6,V_4\}$ from $GW$, $U_i$ computes $PI{D}_i^{new}$$=P_i\oplus h(N_1\left|\right|HI{D}_i),N_2^{*}=M_5\oplus h(HI{D}_i\left|\right|SI{D}_j\left|\right|N_1),N_3^{*}=M_6\oplus h(N_2^{*}\left|\right|HI{D}_i$$\left|\right|$$PI{D}_i^{new})$$,S{K}^{*}=h\left(h\right(N_2^{*}\left|\right|HI{D}_i\left)\right||N_3^{*}\left|\right|N_1),V_4^{*}=h(N_2^{*}\left|\right|N_3^{*}\left|\right|$$PI{D}_i^{new}\left|\right|S{K}^{*})$ and checks the validity of $V_4^{*}$ compared with $V_4$. If the validity is confirmed, $U_i$ replaces $\left\{PI{D}_i\right\}$ to $\left\{PI{D}_i^{new}\right\}$ in the smart card.

5.4. Password Update Phase

In WSN-SLAP, users can easily change their own password. The details are shown as below.

Step 1: 

After inserting the smart card, The user $U_i$ inputs the identity $I{D}_i$ and the password $P{W}_i$. The smart card computes $R_i^{*}=S{R}_i\oplus h(I{D}_i\left|\right|P{W}_i),AP{W}_i^{*}=h(P{W}_i\left|\right|R_i),V_i^{*}=h(AP{W}_i\left|\right|I{D}_i\left|\right|R_i^{*})$ and verifies the equality of $V_i^{*}$ and $V_i$. If the verification is successful, the smart card requests a new password to $U_i$.

Step 2: 

$U_i$ inputs a new password $P{W}_i^{new}$. The smart card selects a random number $R_i^{new}$ and computes $AP{W}_i^{new}=h(P{W}_i^{new}\left|\right|R_i^{new}),S{R}_i^{new}=R_i^{new}\oplus (I{D}_i\left|\right|P{W}_i^{new})$$,SHI{D}_i^{new}=HI{D}_i\oplus h(P{W}_i^{new}\left|\right|I{D}_i\left|\right|R_i^{new}),V_i^{new}=h(AP{W}_i^{new}\left|\right|I{D}_i\left|\right|R_i^{new})$. Finally, the smart card stores $\{S{R}_i^{new},SHI{D}_i^{new},V_i^{new},PI{D}_i,h(.)\}$.

5.5. Sensor Node Addition Phase

To add a new sensor node $S_j^{new}$ to WSN-SLAP, $S_j^{new}$ registers to the gateway $GW$. The detailed steps are described as follows.

Step 1: 

$S_j^{new}$ selects its identity $SI{D}_j^{new}$. Then, $S_j^{new}$ generates a random number $R_j^{new}$. With $SI{D}_j^{new}$ and $R_j^{new}$, $S_j^{new}$ computes $h(SI{D}_j^{new}||R_j^{new})$ and sends $\{SI{D}_j^{new},h($$SI{D}_j^{new}$$\left|\right|R_j^{new}\left)\right\}$ to $GW$ through a secure channel.

Step 2: 

After receiving $\{SI{D}_j^{new},h(SI{D}_j^{new}\left|\right|R_j^{new}\left)\right\}$ from $S_j^{new}$, $GW$ computes $K{S}_j^{new}=h(h(SI{D}_j^{new}\left|\right|R_j^{new}\left)\right||k_{GWN})$ and stores $\{SI{D}_j^{new},h(SI{D}_j^{new}\left|\right|R_j^{new}\left)\right\}$ in the database of $GW$. Finally, $GW$ sends $\{K{S}_j^{new}\}$ to $S_j^{new}$.

Step 3: 

$S_j^{new}$ receives the message $\{K{S}_j^{new}\}$ from $GW$ and stores $\{K{S}_j^{new}\}$ in the memory of $S_j^{new}$.

6. Security Analysis

WSN-SLAP not only considers lightweight features using hash functions and XOR operations, but also ensures a higher security level compared with related schemes. To evaluate the security of WSN-SLAP, we perform informal security analysis and formal security analysis such as BAN logic, ROR model, and AVISPA simulation tool. We show that WSN-SLAP prevents a variety of attacks using informal analysis. We demonstrate the mutual authentication of WSN-SLAP using BAN logic and also prove the session key security of WSN-SLAP by using the ROR model. We use the AVISPA simulation tool to prove security features of WSN-SLAP against replay and MITM attacks.

6.1. Informal Security Analysis

WSN-SLAP provides security against various attacks such as insider, stolen smart card, replay, sensor node capture, off-line password guessing, privileged insider, stolen verifier, and MITM attacks. Furthermore, WSN-SLAP ensures perfect forward secrecy and mutual authentication.

6.1.1. Insider Attack

If an adversary $\mathcal{A}$ registers to the gateway $GW$ as a legal user, $\mathcal{A}$ can authenticate to $GW$ and the sensor node $S_j$. $\mathcal{A}$ captures messages $\{PI{D}_i,M_2,M_3,V_2\},\{M_4,V_3\}$ and $\{P_i,M_5,M_6,V_4\}$. Then, $\mathcal{A}$ computes $h\left(h\right(N_2\left|\right|HI{D}_i\left)\right||K{S}_j)=M_3\oplus N_1$ and $h\left(K{S}_j\right|\left|PI{D}_i\right)$$=M_2\oplus h(N_2\left|\right|HI{D}_i)$. To compromise other legal user’s sessions, $\mathcal{A}$ must need $K{S}_j$ to compute the session key. Since hash functions mask the random nonce $N_2$ and the user’s secret parameter $HI{D}_i$ such as $h\left(h\right(N_2\left|\right|HI{D}_i\left)\right||K{S}_j)$, $\mathcal{A}$ cannot compute the shared secret parameter $K{S}_j$ between $GW$ and $S_j$. Therefore, WSN-SLAP is secure against the insider attacks.

6.1.2. Stolen Smart Card Attack

Suppose that an adversary $\mathcal{A}$ captures the legal user $U_i$’s smart card. Then, $\mathcal{A}$ uses the power analysis attack to extract stored parameters in the smart card. With $U_i$’s smart card parameters, $\mathcal{A}$ tries to authenticate with the gateway $GW$ and the sensor node $S_j$. However, $\mathcal{A}$ cannot compute the login request message $\{PI{D}_i,S_i,M_1,V_1\}$ because $HI{D}_i$ is masked by $SHI{D}_i=HI{D}_i\oplus h(P{W}_i\left|\right|I{D}_i\left|\right|R_i)$. To calculate $HI{D}_i$, $\mathcal{A}$ needs to guess $I{D}_i$ and $P{W}_i$ at the same time. Since these tasks are computationally infeasible task, it is hard to obtain both $I{D}_i$ and $P{W}_i$. For these reasons, WSN-SLAP is secure against stolen smart card attacks.

6.1.3. Replay Attack

If an adversary $\mathcal{A}$ intercepts messages $\{PI{D}_i,M_2,M_3,V_2\}$ and $\{I{D}_i,S_i,M_1,V_1\}$ from a legal user $U_i$, $\mathcal{A}$ tries to authenticate with the gateway $GW$ by sending intercepted messages at other sessions. In WSN-SLAP, $GW$ and the sensor node check the freshness of random nonces $N_1,N_2$ and $N_3$. Thus, WSN-SLAP can provide security against replay attacks.

6.1.4. Sensor Node Capture Attack

We assume that an adversary $\mathcal{A}$ captures a specific sensor node $S_j$ and obtains parameters $\{SI{D}_j,$$K{S}_j\}$ from the $S_j$’s memory by using the power analysis attack. Then, $\mathcal{A}$ can authenticate with gateway $GW$ and user $U_i$. However, $\mathcal{A}$ cannot threat other sensor nodes. Since the shared secret parameter $K{S}_j=h\left(h\right(SI{D}_j\left|\right|R_j\left)\right||k_{GWN})$, $\mathcal{A}$ can only authenticate with the specific sensor node $S_j$. $\mathcal{A}$ cannot calculate any information about other sensor nodes. Therefore, WSN-SLAP is secure against sensor node capture attacks.

6.1.5. Off-Line Password Guessing Attack

According to Section 1.2, an adversary $\mathcal{A}$ can guess a legal user $U_i$’s password $P{W}_i$. $\mathcal{A}$ can also extract stored parameters $\{S{R}_i,SHI{D}_i,V_i,PI{D}_i,h(.)\}$ from $U_i$’s legitimate smart card. Then, $\mathcal{A}$ tries to impersonate as $U_i$. However, $\mathcal{A}$ cannot compute $R_i=S{R}_i\oplus h(I{D}_i\left|\right|P{W}_i)$ to obtain $HI{D}_i=SHI{D}_i\oplus h(P{W}_i\left|\right|I{D}_i\left|\right|R_i)$ without knowing the identity $I{D}_i$. Therefore, $\mathcal{A}$ cannot compute the legal message $\{PI{D}_i,M_2,M_3,V_2\}$. Accordingly, WSN-SLAP has resistance to off-line password-guessing attacks.

6.1.6. Privileged Insider Attack

If a privileged insider adversary $\mathcal{A}$ intercepts a legal user $U_i$’s registration message $\left\{I{D}_i\right\}$, $\mathcal{A}$ tries to compute $U_i$’s session key by using messages in Section 5.3. However, $\mathcal{A}$ cannot compute the session key of $U_i$. To compute $SK=h\left(h\right(N_2\left|\right|HI{D}_i\left)\right||$$N_3\left|\right|N_1)$, $\mathcal{A}$ has to calculate $HI{D}_i$ which is the shared secret parameter between $U_i$ and the gateway $GW$. However, $\mathcal{A}$ cannot compute $HI{D}_i=SHI{D}_i\oplus h(P{W}_i\left|\right|I{D}_i\left|\right|R_i)$ from the login request message $\{PI{D}_i,S_i,M_1,V_1\}$ without $U_i$’s password and the random number $R_i$. Consequently, WSN-SLAP ensures security against privileged insider attacks.

6.1.7. Stolen Verifier Attack

Assuming that an adversary $\mathcal{A}$ steals the gateway $GW$’s verification table including $\{SI{D}_j,h(SI{D}_j\left|\right|R_j\left)\right\}$ and $(PI{D}_i,x)$. However, $\mathcal{A}$ cannot compute the session key of the legal user $U_i$ with these parameters. To compute the session key $SK=h\left(h\right(N_2\left|\right|HI{D}_i\left)\right||N_3\left|\right|$$N_1)$, $\mathcal{A}$ must compute $HI{D}_i$ by using $PI{D}_i=HI{D}_i\oplus h\left(x\right||k_{GWN})$. Since the parameter $k_{GWN}$ is $GW$’s master key, $\mathcal{A}$ cannot compute $HI{D}_i$. Therefore, WSN-SLAP has resistance to stolen verifier attacks.

6.1.8. MITM Attack

During the login and authentication phase, an adversary $\mathcal{A}$ intercepts and tries to modify the login request message $\{PI{D}_i,S_i,M_1,V_1\}$. However, the gateway $GW$ can easily detect the modified message by using the verification table. In addition, it is impossible to modify all messages because they include random parameters. Therefore, WSN-SLAP can prevent MITM attacks.

6.1.9. Session-Specific Random Number Leakage Attack

Assume that an adversary $\mathcal{A}$ obtains all random parameters $N_1,N_2$, and $N_3$. Then, $\mathcal{A}$ tries to compute the session key $SK$. However, it is impossible to calculate the session key without knowing $HI{D}_i$. $HI{D}_i$ is masked with the secret key x and the master key $k_{GWN}$ during the session. Accordingly, WSN-SLAP is secure against session-specific random number leakage attacks.

6.1.10. Perfect Forward Secrecy

We suppose that an adversary $\mathcal{A}$ obtains $GW$’s master key $k_{GWN}$. Then, $\mathcal{A}$ tries to compute the session key $SK=h\left(h\right(N_2\left|\right|HI{D}_i\left)\right||N_3\left|\right|N_1)$ of the user $U_i$. However, the master key $k_{GWN}$ is utilized, i.e., $h\left(x\right|\left|k_{GWN}\right)$ and $h\left(h\right(SI{D}_j\left|\right|R_j\left)\right||k_{GWN})$. Therefore, $\mathcal{A}$ needs the shared secret parameter x or $h\left(SI{D}_j\right|\left|R_j\right)$ to analyze the secret parameter. For this reason, WSN-SLAP provides perfect forward secrecy.

6.1.11. Mutual Authentication

To authenticate with each other, each participant of WSN-SLAP performs verification processes. The gateway $GW$ checks the validity of $V_1\stackrel{?}{=}{V}_1^{*}$ and $V_3\stackrel{?}{=}{V}_3^{*}$, the sensor node $S_j$ verifies $V_2\stackrel{?}{=}{V}_2^{*}$, and the $U_i$ checks $V_4\stackrel{?}{=}{V}_4^{*}$. If the whole verification process is successful, we can conclude that each participant is authenticated with each other. Therefore, WSN-SLAP guarantees mutual authentication.

6.2. BAN Logic

In this section, we prove mutual authentication of WSN-SLAP using BAN logic analysis [8]. BAN logic has been widely used to analyze the mutual authentication of various authentication schemes [32,33]. In WSN-SLAP, the participants authenticate with each other to establish a session key $SK$ among U, $GW$, and $SN$.

Table 2. The basic notations.

Notation	Description
$P_1,P_2$	Two principals
$S_1,S_2$	Two statements
$SK$	The session key
$P_1|$≡$S_1$	$P_1$ believes $S_1$
$P_1|$∼$S_1$	$P_1$ once said $S_1$
$P_1$⇒$S_1$	$P_1$ controls $S_1$
$P_1$⊲$S_1$	$P_1$ receives $S_1$
$\#S_1$	$S_1$ is fresh
${\left\{S_1\right\}}_{Key}$	$S_1$ is encrypted with $Key$
$P_1$$\stackrel{Key}{\leftrightarrow }$$P_2$	$P_1$ and $P_2$ have shared key $Key$

presents the basic notations of the BAN logic used in this proof.

6.2.1. Rules

The logical rules of the BAN logic are described as below.

1. 

Message meaning rule (MMR):

$$\frac{P_1|\equiv P_1\stackrel{Key}{\leftrightarrow }{P}_2,P_1⊲{\left(S_1\right)}_{Key}}{P_1|\equiv P_2|\sim S_1}$$

2. 

Nonce verification rule (NVR):

$$\frac{P_1|\equiv \#\left(S_1\right),P_1|\equiv P_2|\sim S_1}{P_1|\equiv P_2|\equiv S_1}$$

3. 

Jurisdiction rule (JR):

$$\frac{P_1|\equiv P_2|⟹S_1,P_1|\equiv P_2|\equiv S_1}{P_1|\equiv S_1}$$

4. 

Belief rule (BR):

$$\frac{P_1|\equiv (S_1,S_2)}{P_1|\equiv S_1}$$

5. 

Freshness rule (FR):

$$\frac{P_1|\equiv \#\left(S_1\right)}{P_1|\equiv \#(S_1,S_2)}$$

6.2.2. Goals

In WSN-SLAP, the basic goals of the BAN logic are that each principal establishes a session key and achieves mutual authentication. The goals for proving mutual authentication of WSN-SLAP are defined as follows:

Goal 1: 

$U|\equiv U\stackrel{SK}{\leftrightarrow }GW$

Goal 2: 

$U|\equiv GW|\equiv U\stackrel{SK}{\leftrightarrow }GW$

Goal 3: 

$GW|\equiv U\stackrel{SK}{\leftrightarrow }GW$

Goal 4: 

$GW|\equiv U\equiv U\stackrel{SK}{\leftrightarrow }GW$

Goal 5: 

$SN|\equiv SN\stackrel{SK}{\leftrightarrow }GW$

Goal 6: 

$SN|\equiv GW|\equiv SN\stackrel{SK}{\leftrightarrow }GW$

Goal 7: 

$GW|\equiv SN\stackrel{SK}{\leftrightarrow }GW$

Goal 8: 

$GW|\equiv SN|\equiv SN\stackrel{SK}{\leftrightarrow }GW$

6.2.3. Idealized Forms

In WSN-SLAP, the authentication request and response messages $\{PI{D}_i,S_i,M_1,V_1\}$, $\{PI{D}_i,M_2,M_3,V_2\}$, $\{M_4,V_3\}$, and $\{P_i,M_5,M_6,V_4\}$ are transmitted through a public channel. We will transmit these messages into the idealized form and omit other messages because they cannot efficiently provide the logical properties of BAN logic. WSN-SLAP’s idealized form messages are shown as below:

$Ms{g}_1$

: $U\to GW:{\{N_1,SI{D}_j\}}_{HI{D}_i}$

$Ms{g}_2$

: $GW\to SN:\left\{h\right(N_2\left|\right|HI{D}_i{),N_1\}}_{K{S}_j}$

$Ms{g}_3$

: $SN\to GW:{\left\{N_3\right\}}_{K{S}_j}$

$Ms{g}_4$

: $GW\to U:{\{N_2,N_3\}}_{HI{D}_1}$

6.2.4. Assumptions

After the registration phase, each principal believes that it has secret keys which are shared among each other. The principal also trusts that random numbers and pseudo identity are fresh. Moreover, the principal believes that a legal principal can control the entitled components and values. The assumptions of the BAN logic in WSN-SLAP are as below:

$A_1$:

$GW|\equiv \#(N_1)$

$A_2$:

$GW|\equiv \#(N_3)$

$A_3$:

$SN|\equiv \#(h(N_2\left|\right|HI{D}_i\left)\right)$

$A_4$:

$U|\equiv \#(N_2)$

$A_5$:

$U|\equiv GW\Rightarrow (U\stackrel{SK}{\leftrightarrow }GW)$

$A_6$:

$GW|\equiv U\Rightarrow (U\stackrel{SK}{\leftrightarrow }GW)$

$A_7$:

$SN|\equiv GW\Rightarrow (SN\stackrel{SK}{\leftrightarrow }GW)$

$A_8$:

$GW|\equiv SN\Rightarrow (SN\stackrel{SK}{\leftrightarrow }GW)$

$A_9$:

$U|\equiv U\stackrel{HI{D}_i}{\leftrightarrow }GW$

$A_{10}$:

$GW|\equiv U\stackrel{HI{D}_i}{\leftrightarrow }GW$

$A_{11}$:

$SN|\equiv SN\stackrel{K{S}_j}{\leftrightarrow }GW$

$A_{12}$:

$GW|\equiv SNK{S}_{j}GW$

6.2.5. BAN Logic Proof

We conduct the BAN logic analysis of WSN-SLAP as follows:

Step 1: 

$S_1$ can be obtained from $Ms{g}_1$.

$S_1$: $GW⊲{\{N_1,SI{D}_j\}}_{HI{D}_i}$

Step 2: 

$S_2$ can be induced by applying the MMR using $S_1$ and $A_{10}$.

$S_2$: $GW|\equiv U|\sim (N_1,SI{D}_j)$

Step 3: 

$S_3$ can be induced by applying the FR using $S_2$ and $A_1$.

$S_3$: $GW|\equiv \#(N_1,SI{D}_j)$

Step 4: 

$S_4$ can be induced by applying the NVR using $S_2$ and $S_3$.

$S_4$: $GW|\equiv U|\equiv (N_1,SI{D}_j)$

Step 5: 

$S_5$ is can be induced by $S_4$ and the BR.

$S_5$: $GW|\equiv U|\equiv \left(N_1\right)$

Step 6: 

$S_6$ is obtained from $Ms{g}_2$.

$S_6$: $SN⊲\left\{h\right(N_2\left|\right|HI{D}_i{),N_1\}}_{K{S}_j}$

Step 7: 

$S_7$ is can be induced by applying the MMR using $S_6$ and $A_{13}$.

$S_7:SN|\equiv GW|\sim \left(h\right(N_2\left|\right|HI{D}_i),N_1)$

Step 8: 

$S_8$ is can be induced by applying the FR using $S_7$ and $A_3$.

$S_8:SN|\equiv \#(h(N_2\left|\right|HI{D}_i),N_1)$

Step 9: 

$S_9$ is can be induced by applying the NVR using $S_7$ and $S_8$.

$S_9:SN|\equiv GW|\equiv \left(h\right(N_2\left|\right|HI{D}_i),N_1)$

Step 10: 

$S_{10}$ is obtained from $Ms{g}_3$.

$S_{10}:GW⊲{\left\{N_3\right\}}_{K{S}_j}$

Step 11: 

$S_{11}$ can be induced by applying the MMR using $A_5$ and $S_8$.

$S_{11}$: $GW|\equiv SN|\sim \left(N_3\right)$

Step 12: 

$S_{12}$ can be induced by applying the NVR using $S_9$ and $S_{10}$.

$S_{12}:GW|\equiv SN|\equiv \left(N_3\right)$

Step 13: 

$S_{13}$ and $S_{14}$ can be induced by $S_9$, and $S_{12}$. $SN$ and $GW$ can compute the session key $SK=h\left(h\right(N_2\left|\right|HI{D}_i\left)\right||N_3\left|\right|N_1)$.

$S_{13}:GW|\equiv SN|\equiv (SN\stackrel{SK}{\leftrightarrow }GW)$ (Goal 8)

$S_{14}:SN|\equiv GW|\equiv (SN\stackrel{SK}{\leftrightarrow }GW)$ (Goal 6)

Step 14: 

$S_{15}$ and $S_{16}$ can be induced by applying the JR using $S_{13}$ and $A_8$, and $S_{14}$ and $A_7$, respectively.

$S_{15}:GW|\equiv (SN\stackrel{SK}{\leftrightarrow }GW)$ (Goal 7)

$S_{16}:SN|\equiv (SN\stackrel{SK}{\leftrightarrow }GW)$ (Goal 5)

Step 15: 

$S_{17}$ is obtained from $Ms{g}_4$.

$S_{17}$: $U⊲{\{N_2,N_3\}}_{HI{D}_i}$

Step 16: 

$S_{18}$ can be induced by $A_9$, $S_{17},$ and the MMR.

$S_{18}$: $U|\equiv GW|\sim (N_2,N_3)$

Step 17: 

$S_{19}$ can be induced by applying the FR using $S_{18}$ and $A_4$.

$S_{19}$: $U|\equiv \#(N_2,N_3)$

Step 18: 

$S_{20}$ can be induced by $S_{16}$, $S_{17},$ and the NVR.

$S_{20}$: $U|\equiv GW|\equiv (N_2,N_3)$

Step 19: 

$S_{21}$ and $S_{22}$ can be induced by $S_5$, $S_{18}$. U and $GW$ can compute the session key $SK=h\left(h\right(N_2\left|\right|HI{D}_i\left)\right||N_3\left|\right|N_1)$

$S_{21}:U|\equiv GW|\equiv (U\stackrel{SK}{\leftrightarrow }GW)$ (Goal 2)

$S_{22}:GW|\equiv U|\equiv (U\stackrel{SK}{\leftrightarrow }GW)$ (Goal 4)

Step 20: 

$S_{23}$ and $S_{24}$ can be induced by applying the JR using $S_{21}$ and $A_5$, $S_{22}$, and $A_6$, respectively.

$S_{23}:U|\equiv (U\stackrel{SK}{\leftrightarrow }GW)$ (Goal 1)

$S_{24}:GW|\equiv (U\stackrel{SK}{\leftrightarrow }GW)$ (Goal 3)

6.3. ROR Model

This section proves the security of the session key of WSN-SLAP by using the well-known Real-Or-Random (ROR) model [9]. In WSN-SLAP, there are three participants. ${\mathcal{P}}_U^{t_1}$ is a user, ${\mathcal{P}}_{GW}^{t_2}$ is a gateway, and ${\mathcal{P}}_{GW}^{t_2}$ is a sensor node. In the ROR model, the network is under an adversary $\mathcal{A}$ who can eavesdrop, capture, insert, and delete messages. With these abilities, $\mathcal{A}$ performs various attacks using $Execute,CorruptSC,Reveal,Send$, and $Test$ queries.

• $Execute$: This query is a passive attack that $\mathcal{A}$ can eavesdrop the legal entity’s message.
• $CorruptSC$: This query means $\mathcal{A}$ obtains stored parameters from the user’s smart card.
• $Reveal$: This query means $\mathcal{A}$ reveals the session key $SK$.
• $Send$: This query is an active attack that $\mathcal{A}$ sends a message to receive a response message.
• $Test$: An adversary $\mathcal{A}$ obtains a flipped unbiased coin before the game starts. If $\mathcal{A}$ obtains $c=1$, it means the session key $SK$ is fresh. If $\mathcal{A}$ obtains $c=0$, it means the session key is not fresh. Otherwise, $\mathcal{A}$ obtains a $NULL$ value. To ensure the security of the session key, it is necessary that $\mathcal{A}$ cannot distinguish the result value between a random number and the session key.

Security Proof

Theorem 1.

Let $\mathcal{A}$ attempt to obtain the session key of WSN-SLAP in polynomial time as follows. $Ad{v}_{\mathcal{A}}\left(Poly\right)$ is the probability of the session key being broken by $\mathcal{A}$. $q_h^2$, $HASH$, and $q_{send}$ mean the number of hash queries, the range space of the hash function, and the number of send queries, respectively. $s^{\prime }$ and $C^{\prime }$ are the Zipf’s parameters [34].

$$Ad{v}_{\mathcal{A}}\left(Poly\right)\le \frac{q_h^2}{\left|HASH\right|}+2\left\{C^{\prime }{q}_{send}^{s^{\prime }}\right\}$$

We follow the proof according to the method of [35,36]. We perform four games $Gam{e}_k$, where $k\in [0,3]$. $Suc{c}_{\mathcal{A},Gam{e}_k}$ is the event that $\mathcal{A}$ can guess a correct bit c in the $Gam{e}_k$, and $Pr\left[Suc{c}_{\mathcal{A},Gam{e}_k}\right]$ is the probability of $Suc{c}_{\mathcal{A},Gam{e}_k}$. We can perform $Gam{e}_k$ as follows with these parameters.

-

$Gam{e}_0$: This game describes a real attack of $\mathcal{A}$ in WSN-SLAP under the ROR model. The random bit c needs to be selected before starting the game. Therefore, we can derive as follows.

$$Ad{v}_A\left(Poly\right)=|2Pr\left[Suc{c}_{\mathcal{A},Gam{e}_0}\right]-1|$$

(1)

-

$Gam{e}_1$: In the $Gam{e}_1$, $\mathcal{A}$ obtains each entity’s messages $\{PI{D}_i,S_i,M_1,V_1\}$, $\{PI{D}_i,M_2,M_3,V_2\}$, $\{M_4,V_3\}$, and $\{P_i,M_5,M_6,$$V_4\}$ using $Execute$ query. Then, $\mathcal{A}$ performs $Test$ and $Reveal$ queries to obtain the session key $SK$. Since $SK=h\left(h\right(N_2\left|\right|HI{D}_i\left)\right||N_3\left|\right|N_1)$, $\mathcal{A}$ has to get random nonces $N_1$, $N_2$, and $N_3$. In addition, $\mathcal{A}$ needs the user’s masked identity $HI{D}_i$. For these reasons, $\mathcal{A}$ cannot calculate $SK$. This means $Gam{e}_0$ and $Gam{e}_1$ are indistinguishable. Therefore, we can get the following equivalent.

$$Pr\left[Suc{c}_{\mathcal{A},Gam{e}_1}\right]=Pr\left[Suc{c}_{\mathcal{A},Gam{e}_0}\right]$$

(2)

-

$Gam{e}_2$: In this game, $\mathcal{A}$ performs $Send$ query, which is an active attack. $\mathcal{A}$ utilizes $\{PI{D}_i,S_i,M_1,V_1\}$, $\{PI{D}_i,M_2,M_3,V_2\}$, $\{M_4,V_3\}$, and $\{P_i,M_5,M_6,V_4\}$ to get the session key $SK$. Parameters $V_1$, $V_2$, $V_3$, and $V_4$ are masked by $HASH$ query. In addition, parameters $PI{D}_i$, $M_1$, $M_2$, $M_3$, $M_4$, $M_5$, $M_6$, and $P_i$ contain random nonces $N_1$, $N_2$, and $N_3$. By using random nonces, we can prevent collision from other sessions. According to the birthday paradox [37], we can get the following inequation.

$$|Pr\left[Suc{c}_{\mathcal{A},Gam{e}_2}\right]-Pr\left[Suc{c}_{\mathcal{A},Gam{e}_1}\right]|\le \frac{q_h^2}{\left|HASH\right|}$$

(3)

-

$Gam{e}_3$: In the $Gam{e}_3$, $\mathcal{A}$ executes $CorruptSC$ query and obtains smart card’s stored parameters $\{S{R}_i,SHI{D}_i,V_i,PI{D}_i\}$ by using the power analysis attack, where $S{R}_i=R_i\oplus h(I{D}_i\left|\right|P{W}_i), SHI{D}_i=HI{D}_i\oplus h(P{W}_i\left|\right|I{D}_i\left|\right|R_i),$$V_i=h(AP{W}_i\left|\right|I{D}_i\left|\right|R_i)$, and $PI{D}_i=HI{D}_i\oplus h\left(x\right||k_{GWN})$. To obtain $R_i$ and $HI{D}_i$, $\mathcal{A}$ needs the identity $I{D}_i$ and the password $P{W}_i$. Therefore, $\mathcal{A}$ cannot distinguish with $Gam{e}_2$ and $Gam{e}_3$ if guessing $P{W}_i$ is computationally infeasible task. Then, we can obtain the result by using Zipf’s law [34].

$$|Pr\left[Suc{c}_{\mathcal{A},Gam{e}_3}\right]-Pr\left[Suc{c}_{\mathcal{A},Gam{e}_2}\right]|\le C^{\prime }{q}_{send}^{s^{\prime }}$$

(4)

Finally, $\mathcal{A}$ gets the guessed bit c because games are done.

$$Pr\left[Suc{c}_{\mathcal{A},Gam{e}_3}\right]=\frac{1}{2}$$

(5)

Moreover, we can get the following result by using (1) and (2).

$$\frac{1}{2}Ad{v}_{\mathcal{A}}\left(Poly\right)=|Pr\left[Suc{c}_{\mathcal{A},Gam{e}_0}\right]-\frac{1}{2}|=|Pr\left[Suc{c}_{\mathcal{A},Gam{e}_1}\right]-\frac{1}{2}|$$

(6)

Using (5) and (6), we obtain the following equation.

$$\frac{1}{2}Ad{v}_{\mathcal{A}}\left(Poly\right)=|Pr\left[Suc{c}_{\mathcal{A},Gam{e}_1}\right]-Pr\left[Suc{c}_{\mathcal{A},Gam{e}_3}\right]|$$

(7)

We get the following result utilizing the triangular inequality.

$$\begin{gathered} \frac{1}{2}Ad{v}_{\mathcal{A}}\left(Poly\right)=|Pr\left[Suc{c}_{\mathcal{A},Gam{e}_1}\right]-Pr\left[Suc{c}_{\mathcal{A},Gam{e}_3}\right]| \\ \le |Pr\left[Suc{c}_{\mathcal{A},Gam{e}_1}\right]-Pr\left[Suc{c}_{\mathcal{A},Gam{e}_2}\right]| \\ +|Pr\left[Suc{c}_{\mathcal{A},Gam{e}_2}\right]-Pr\left[Suc{c}_{\mathcal{A},Gam{e}_3}\right]| \end{gathered}$$

$$\le \frac{q_h^2}{2\left|HASH\right|}+C^{\prime }{q}_{send}^{s^{\prime }}$$

(8)

By multiplying (8) by 2, we get the following result.

$$Ad{v}_{\mathcal{A}}\left(Poly\right)\le \frac{q_h^2}{\left|HASH\right|}+2\left\{C^{\prime }{q}_{send}^{s^{\prime }}\right\}$$

Therefore, we prove

6.4. AVISPA Simulation

In this section, we analyze security features of WSN-SLAP by using AVISPA [10,11]. AVISPA is a formal security verification tool that detects MITM and replay attacks against the authentication protocol.

AVISPA uses the High-Level Protocols Specification Language (HLPSL). After receiving a protocol written in HLPSL, the translator converts the HLPSL-based protocol to an intermediate format (IF). Then, the translator inputs the IF to four back-ends, which are Constraint Logic-based Attack Searcher (CL-AtSe), Tree Automata based on Automatic Approximations for Analysis of Security Protocol (TA4SP), SAT-based Model-Checker (SATMC), and On the fly Model-Checker (OFMC), respectively. Consequently, the IF is converted to an output format (OF). If the summary of OF is SAFE, it means the protocol has resistance to replay and MITM attacks.

Specifically, OFMC back-end can utilize XOR operations. Therefore, we use this back-end in our paper.

6.4.1. HLPSL Specifications

In HLPSL, WSN-SLAP consists of users $UA$, gateway $GWN$, and sensor nodes $SN$. These entities are written as $role$. There are also two $compositionroles$ named $session$ and $environment$, which contain security goals. Figure 8 indicates goals and the $role$ of $session$ and $environment$ of WSN-SLAP.

Figure 9 shows the whole process of the user $UA$. In state 1, the user $UA$ registers to $GWN$. To start the session, $UA$ receives the start message. Then, $UA$ sends a registration request message $\left\{I{D}_i\right\}$ to the gateway $GWN$ through a secure channel. In state 2, $UA$ receives a smart card from $GWN$ and stores $\{R_i,S{R}_i,SHI{D}_i,V_i\}$ in the smart card. In the login and authentication phase, $UA$ sends $\{PI{D}_i,S_i,M_1,V_1\}$ to $GWN$ via a public channel. The function $witness(UA,GWN,ua\_gw\_n1,N{1}^{\prime })$ indicates the freshness of $N_1$ generated by $UA$. In State 3, $UA$ receives $\{P_i,M_5,M_6,V_4\}$ from $GWN$. Then, $UA$ authenticates with $GWN$ using $N_2^{\prime }$ in $request(GWN,UA,gw\_ua\_n3,N_2^{\prime })$.

6.4.2. Simulation Result

If the protocol’s result summary is SAFE in OFMC simulation, the protocol has resistance to replay and MITM attacks. The result of WSN-SLAP’s AVISPA simulation tool using OFMC back-end is shown in Figure 10. Thus, WSN-SLAP can prevent replay and MITM attacks.

7. Performance Analysis

In this section, we estimate computational costs, communication costs, and security properties of WSN-SLAP compared with existing related schemes [6,27,28,31].

7.1. Computational Costs

We analyze WSN-SLAP’s computational cost compared with the performance of the related schemes [6,27,28,31]. According to [6,38], the execution time of each operation is acquired on a computer with a four-core 3.2 GHz CPU, and 8 GB memory. We estimate that $T_h$, $T_{ecm}$, and $T_{sym}$ are the execution time of the hash function (≈0.00032 s), ECC point multiplication (≈0.0171 s), and symmetric encryption/decryption (≈0.0056 s), respectively. We do not consider the execution time of the XOR operation because it is negligible.

Table 3. Computational costs comparison.

Schemes	User	Gateway	Sensor Node	Total	Total Cost (s)
Choi et al. [27]	$9T_h+3T_{ecm}$	$6T_h+2T_{ecm}$	$5T_h+1T_{ecm}$	$20T_h+6T_{ecm}$	$0.109$
Wu et al. [28]	$12T_h+2T_{ecm}+1T_{sym}$	$11T_h+2T_{sym}$	$4T_h+2T_{ecm}+1T_{sym}$	$27T_h+4T_{ecm}+4T_{sym}$	$0.09944$
Wu et al. [31]	$13T_h+2T_{ecm}$	$13T_h$	$4T_h+2T_{ecm}$	$30T_h+4T_{ecm}$	$0.078$
Moghadam et al. [6]	$5T_h+3T_{ecm}+2T_{sym}$	$5T_h+3T_{ecm}+2T_{sym}$	$3T_h+2T_{ecm}$	$13T_h+8T_{ecm}+4T_{sym}$	$0.16336$
Ours	$13T_h$	$18T_h$	$6T_h$	$37T_h$	$0.01184$

indicates the result for computational costs. Accordingly, WSN-SLAP has a more efficient computational cost than related schemes [6,27,28,31].

7.2. Communication Costs

We evaluate the communication cost of WSN-SLAP compared with related schemes [6,27,28,31] in this section. According to [6], we define that the user identity, sensor node identity, random number, timestamp, SHA-1 hash digest, and ECC point are 128, 16, 128, 32, 160 and 320 bits, respectively. In WSN-SLAP, the login request message $\{PI{D}_i,S_i,M_1,V_1\}$ requires $(160+160+160+160=640$ bits), and the transmitted authentication messages $\{PI{D}_i,M_2,M_3,V_2\}$, $\{M_4,V_3\}$, and $\{P_i,M_5,M_6,V_4\}$ require $(160+160+160+160=640$ bits), $(160+160=320$ bits), and $(160+160+160+160=640$ bits), respectively. Consequently, total communication costs of WSL-SLAP and related schemes [6,27,28,31] are as shown in

Table 4. Communication costs comparison.

Schemes	Communication Costs	Number of Messages
Choi et al. [27]	3200 bits	4 messages
Wu et al. [28]	3296 bits	4 messages
Wu et al. [31]	3392 bits	4 messages
Moghadam et al. [6]	2512 bits	4 messages
Ours	2240 bits	4 messages

. Therefore, WSN-SLAP provides a more efficient communication cost than related schemes do [6,27,28,31].

7.3. Security Properties

In

Table 5. Security properties.

Security Property	Choi et al. [27]	Wu et al. [28]	Wu et al. [31]	Moghadam et al. [6]	Ours
Insider Attack	∘	∘	×	×	∘
Stolen Smart Card Attack	×	×	×	∘	∘
Replay Attack	∘	∘	∘	∘	∘
Sensor Node Capture Attack	∘	∘	∘	∘	∘
Off-line Password Guessing Attack	×	×	∘	∘	∘
Privileged Insider Attack	∘	∘	×	∘	∘
Stolen Verifier Attack	×	∘	∘	∘	∘
MITM Attack	∘	∘	×	∘	∘
Session-Specific Random Number Leakage Attack	×	×	×	×	∘
Perfect Forward Secrecy	∘	∘	∘	×	∘
Mutual Authentication	∘	∘	∘	∘	∘

∘: Secure from the attack. ×: Insecure from the attack.

, we present the security properties of WSN-SLAP with related schemes [6,27,28,31]. We show that existing protocols [6,27,28,31] suffer from various attacks, including insider, stolen smart card, and session-specific random number leakage attacks. Therefore, WSN-SLAP provides better functionality and security features compared with those of related schemes [6,27,28,31].

8. Conclusions

In this paper, we discovered that Moghadam et al.’s scheme has vulnerabilities against insider, and session-specific random number leakage attacks. We also proved that Moghadam et al.’s scheme does not guarantee perfect forward secrecy. To resolve the security weaknesses of Moghadam et al.’s scheme, we proposed a secure and lightweight mutual authentication protocol for WSN environments. WSN-SLAP has resistance to various attacks, including insider, stolen smart card, off-line password guessing, stolen verifier, and session-specific random number leakage attacks. We demonstrated that WSN-SLAP provides perfect forward secrecy and mutual authentication. We proved the security of WSN-SLAP using formal security analyses, which are AVISPA, BAN logic, and ROR model. Moreover, WSN-SLAP has lightweight computational and communication costs because it involves XOR operations and hash functions. Therefore, the proposed WSN-SLAP provides more secure and efficient communication services compared with existing related protocols and is suitable for WSN environments. In future work, we will implement a whole network and secure protocol to design a new scheme that is practical for use in WSN.