Sage Journals: Discover world-class research

Abstract

Wireless sensor networks (WSNs) have been widely deployed in different application domains ranging between environment monitoring, transportation, target tracking, and health care. However, due to the limited power supply of the sensors, the researchers introduce mobile sinks in WSNs to prolong its lifetime. When introducing the mobile sinks in WSNs, the authentication issue between the mobile sink and the sensors appears. However, there are few studies on the authentication issue when using mobile sinks in WSNs. In this paper, we present a bilinear pairing based authentication and key agreement scheme for the authentication between mobile sinks and cluster head in WSNs. The proposed scheme can solve the problems of mobile sink authentication and provide data confidentiality and integrity. Security and performance analysis demonstrate that the proposed scheme can resist against various attacks and meet the requirements of computational complexity in the environment of WSNs.

1. Introduction

Wireless sensor networks (WSNs) consist of a few base stations (BS) and a large number of low-cost sensor nodes which have constrained communication and computation resources. Each sensor node comprises a sensing unit, a data processing unit, a short range communication module, and a power supply unit [1]. WSNs have a huge potentiality in many application fields such as military target tracking, hazardous environment exploration, and biomedical health monitoring. Due to the limited power supply of the sensor nodes, some researches [2–5] have introduced the mobile sink into the resource-constrained WSNs to prolong the sensor network's lifetime. However, almost all of the existing schemes focus on the mobility strategies of the mobile sink and few studies mentioned the security issues of using mobile sink in the resource-constrained WSNs.

In some scenarios, such as military target tracking and biomedical health monitoring, sensor nodes need to transmit confidential data via the wireless networks. However, due to the wireless nature of the sensor networks, any user (including the malicious users or adversaries) is able to eavesdrop or tamper with any sensitive collected data transmitted in WSNs. Therefore, the authentication between mobile sinks and sensor nodes is necessary and important for sensitive applications in WSNs, which can ensure that the confidential data collected by the sensor nodes are transmitted to the legitimate collectors securely.

To address the above-mentioned issue, in this paper, we propose an authentication scheme that provides authentication and session key agreement between mobile sink and cluster head (CH, a special kind of sensor nodes which play the role of the base station in each local cluster). The proposed authentication scheme can solve the authentication problem and provide data confidentiality when using mobile sink in WSNs. In addition, in the authentication phase of the proposed scheme, the mobile sink and the cluster head can exchange the authentication message to authenticate each other without the participation of the base station, while most of the existing authentication schemes need three communication entities (the user, the sensors, and the base station) to exchange message for verifying each other in WSNs. Therefore, the proposed scheme is more flexible than three-communication-entity based authentication scheme when using mobile sinks in WSNs.

The remainder of this paper is organized as follows. Section 2 reviews existing related works on user authentication in WSNs. In Section 3, the preliminaries, network model, and some assumptions used in this scheme are discussed. The proposed scheme and corresponding protocol analysis are presented in Sections 4 and 5, respectively. Finally, Section 6 concludes the paper.

2. Related Work

In recent years, the security issue in WSNs receives increasing attention due to the inherent open nature of the WSNs. In this section, we briefly describe some mainstream security mechanisms in resource-constrained WSNs.

2.1. Key Establishment Protocols in WSNs

Eschenauer and Gligor [9] proposed a random key predistribution scheme to establish the initial trust among the sensor nodes. In their scheme, a set of keys from a key pool is selected randomly and stored in the sensors before the sensors are deployed. As a result, any two sensor nodes have a certain probability to share at least one common key. Chan et al. [10] extended this idea and proposed two key predistribution schemes: the q-composite key predistribution scheme and the random pairwise keys scheme. Further, Rasheed and Mahapatra [11] proposed a three-tier general framework for authentication and then established pairwise keys between mobile sinks and sensor nodes. All these kinds of schemes can be developed with low cost and high efficiency. However, they still have some serious defects. Due to the distribution of random keys, it may not be possible to establish a common key between every pair of sensors. Besides, an adversary can obtain the common key between noncompromised sensors by compromising some sensors.

2.2. Password-Based Authentication Scheme in WSNs

In 2004, Watro et al. [12] proposed an authentication scheme for WSNs using the RSA protocol and Diffie-Hellman protocol, namely, TinyPK protocol. However, TinyPK protocol is vulnerable to masquerade attack [6]. Then, Das [6] presented a two-factor user authentication protocol for WSNs to remedy this weakness, but Chen and Shih [7] pointed out that Das's scheme fails to achieve mutual authentication. Later, Chen and Shih proposed a novel mutual authentication protocol for WSNs [7]. He et al. [8] proposed an improved authentication scheme based on Das's scheme. Their improved scheme can resist the security weaknesses such as insider attack and impersonation attack. In 2010, Yuan et al. [13] proposed a biometric-based user authentication scheme for WSNs. The architecture of Yuan et al.'s scheme is similar to Das's scheme. However, their scheme still suffers from node compromise attack and denial-of-service attack [14].

In recent years, some researchers have suggested to introduce the mobile sink in WSNs to prolong the lifetime of the resource-constrained WSNs. Most of the existing works focus on data gathering applications and energy consumption [5, 15]. Vupputuri et al. [5] proposed a scheme that uses mobile data collectors to improve the network lifetime of WSNs. In [15], the authors suggested a multisink distributed and localized algorithm for improving sensor network lifetime. The authors of [3] provided a survey on mechanisms that utilize node mobility to prolong the network lifetime and then presented a comparison of these mechanisms.

However, there are few studies focusing on the security problem when using mobile sinks in WSNs. We believe that the security and authentication problem of mobile sink node is very important in WSNs. If there is no relevant security mechanism deployed in WSNs, the data security of WSNs is suffering more challenges. For example, the adversary may impersonate as a legal mobile sink to collect the sensitive sensed data from sensors or impersonate as a legal sensor to upload inaccuracy or false messages to the mobile sink. In addition, owing to the mobility of the mobile sink, the existing related user authentication schemes in WSNs [8, 14, 16] are not suitable for the authentication between the mobile sink and the sensor node. In this paper, we propose a novel scheme using bilinear pairings to enhance data security when introducing mobile sinks into WSNs.

3. Network Model, Assumptions, and Preliminaries

3.1. Network Model

In the proposed scheme, we consider a hierarchical WSN architecture similar to [3, 17]. This is a hierarchy among the nodes according to the function of different nodes: sensor nodes, cluster heads, and base station. The considered network model is presented in Figure 1.

Figure 1

The system architecture of the proposed scheme.

A sensor node is a small device that has limited power, sensing, and computational capabilities, and it is used to collect the environmental parameters in a designated place. Without loss of generality, it is assumed that the sensor nodes are freely distributed. Sensor nodes can communicate with each other in its local cluster and finally deliver the sensed data to a cluster head [1].

Compared with sensor nodes, a cluster head (CH) has more resources in terms of power supply, processing capability, and radio transmission range. Therefore, it can communicate with other CHs directly and transmit the sensed data to the BS directly. The role of the CH is gathering the collected data from its cluster members, saving data in the memory, and then relaying the collected data to an authenticated mobile sink when the mobile sink moves to the vicinity of it.

A base station (BS) is a powerful server with a large range of communication area. The BS is directly linked to the Internet and is used to aggregate data from all the CHs. It is usually regarded as an interface between the WSNs and the Internet. The BS is typically a data collection center or a powerful data processing/storage center. In addition, the BS also serves as the master controller of the WSNs, which controls the activities of the entire network.

The mobile sink is responsible for collecting the sensed data from the CHs and uploading the collected data to the BS. The principal purpose of introducing the mobile sink into the WSNs is to reduce the communication consumption between CH and BS and further prolong the lifetime of the WSNs. In addition, the mobile sink is able to visit all the cluster heads to collect the sensed data in WSNs because of its mobility.

The hierarchical WSNs model has been widely used in many sensing applications because of its superiority on energy saving. For example, in practical applications, the number of deployed sensor nodes is always extremely large and the connectivity between all the sensor nodes is not always necessary. Therefore, the hierarchical WSNs model has more operational advantages than the distributed WSN model for reducing the power consumption of the sensors. Based on these reasons, in this paper, we design the secure authentication scheme for WSNs under the hierarchical WSN architecture.

3.2. Assumptions

In this subsection, we give some basic assumptions for the proposed scheme. As mentioned above, three major system roles (the mobile sink, the CH, and the BS) are used to characterize the system model. Here we introduce the assumptions, respectively.

First, it is assumed that the mobile sink is a handheld terminal with a smart card issued by the BS. The mobile sink is operating correctly only if the user enters the correct user identity and password. Moreover, the mobile sink's storage space is large enough to store the sensed data collected from the CHs. Furthermore, the mobile sink is assumed to be powerful in terms of computing and energy supplies.

Second, since our main goal is to establish the mutual authentication between the mobile sink and the CH, we assume that the secure connections among each sensor in a local cluster have been established using existing secure key establishment schemes [8, 15, 16]. Therefore, we omit the security mechanism that the sensors transmit the sensed data to the cluster head in a cluster.

Third, it is assumed that the BS is protected against various attacks by well-established security mechanisms such as system security and physical security. Furthermore, there are some studies which have been proposed to solve the problem of node capture attack in [18, 19]. Therefore, it is assumed that the BS has the ability to detect the compromised CHs in WSNs. The BS maintains a database table LCD $B_{s}$ to record the noncompromised CHs and updates the table periodically according to the schemes in [18, 19].

3.3. Preliminaries

In this subsection, we introduce the concepts of elliptic curve cryptography (ECC) and bilinear pairings. Compared with the RSA algorithm, ECC can achieve the same security level with shorter key length [20].

3.3.1. Elliptic Curve

Let p be a big prime number and let $F_{p}$ be a finite field of integers modulo p. An elliptic curve E over $F_{p}$ is defined by the following equation: $\begin{matrix} y^{2} = x^{3} + a x + b (\mod p), \end{matrix}$ (1) where $a, b \in F_{p}$ and satisfy $4 a^{3} + 27 b^{2} \neq 0$ (mod p). Any point $Q (x, y)$ which satisfies the above equation together with ∞, called “point at infinity,” form an additive cyclic group $E (F_{p})$ = ${(x, y) : x, y \in F_{p}$ satisfy $y^{2} = x^{3} + a x + b$ (mod $p)} \cup \infty$ . The scalar multiplication of points on elliptic curve is computed by repeated addition as $k \cdot P = P + P + \dots + P$ (k times). For simplicity, we omit the details and the readers can refer to the related references [20, 21].

3.3.2. Bilinear Pairings

Let G be a cyclic additive group generated by a point P and let $G_{T}$ be a cyclic multiplicative group. G and $G_{T}$ have the same primer order q. Let $\hat{e} : G \times G \to G_{T}$ be a computable bilinear map, which satisfies the following properties [22].

Bilinearity. For any P, $Q \in G$ and a, $b \in Z_{q}^{*}$ , $\hat{e} (a P, b Q) = \hat{e} (P, Q)^{a b}$ ; here $Z_{q}^{*} = {j ∣ 1 \leq j \leq q - 1}$ .

Nondegenerate. For any $P \in G$ , $\hat{e} (P, P) \neq e$ , where e is the identity element of the group $G_{T}$ .

Computability. There exists an efficient algorithm to compute $\hat{e} (P, Q)$ for any P, $Q \in G$ .

3.3.3. Mathematical Problems

To prove the security of our proposed protocol, we present some important mathematical problems [20, 21] as follows.

Discrete Logarithm Problem (DLP). Given P, $Q \in G$ , find an integer $k \in Z_{q}^{*}$ such that $Q = k P$ .

Computational Diffie-Hellman Problem (CDHP). Given any P, $a P$ , $b P$ for any a, $b \in Z_{q}^{*}$ , compute $a b P$ .

Decisional Diffie-Hellman Problem (DDHP). Given any P, $a P$ , $b P$ , $c P$ for any a, b, $c \in Z_{q}^{*}$ , decide whether $c P = a b P$ or, equivalently, whether $c = a b$ (mod q).

Bilinear Diffie-Hellman Problem (BDHP). Given any P, $a P$ , $b P$ , $c P$ for any a, b, $c \in Z_{q}^{*}$ , compute $\hat{e} (P, P)^{a b c}$ .

To the best of our knowledge, there is no polynomial time algorithm to solve any of the above-mentioned problems with nonnegligible probability [20].

4. The Proposed Scheme

In order to address the authentication problem between the mobile sink and cluster head, we propose a novel authentication scheme using bilinear pairings. The proposed scheme contains five phases, that is, the system initialization phase, the registration phase, the login phase, the authentication phase, the data extraction phase, and the password change phase. For the sake of clarity, the notations used in this paper are listed in the notation section. The detailed descriptions of these phases are in the notation section.

4.1. System Initialization

In this phase, the base station initializes all the needed keys and parameters used in this scheme. The BS performs the following steps.

Step I1. It generates the bilinear parameters ( $q, P, G, G_{T}, \hat{e}$ ), where G is a cyclic additive group of prime order q generated by P and $\hat{e} : G \times G \to G_{T}$ is a bilinear map.

Step I2. It generates its own public and private keys as follows. At first, BS selects a random number $s \in Z_{q}^{*}$ as its master key. Then, it computes $P_{pub} = s P$ and considers $P_{pub}$ as its public key.

Step I3. It determines two secure collision-resistance hash functions $H_{1}$ and $H_{2}$ , where $H_{1} : {0,1}^{*} \Rightarrow G$ is a map-to-point hash function and $H_{2} : {0,1}^{*} \Rightarrow Z_{q}^{*}$ is a secure hash function.

Step I4. It chooses a symmetric encryption algorithm $E_{SK} (\cdot)$ as the encryption function of the system.

Step I5. It publishes these public system parameters as ${\hat{e}, G, G_{T}, q, P, P_{pub}, H_{1}, H_{2}, E_{SK} (\cdot)}$ and keeps the secret values s, x, and y secretly.

4.2. Registration Phase

Prior to the system deployment, all the cluster nodes and mobile sinks must be registered to the BS. The registration phase consists of two parts, namely, CH registration and mobile sink registration. In the proposed scheme, each cluster node in the system is assigned a unique identifier $CI D_{j}$ and each mobile sink also has its unique identifier $PI D_{i}$ . In addition, the BS initializes a database table $LCD B_{s}$ to maintain the latest list of the noncompromised CHs.

Cluster Head Registration. Before the cluster head $C H_{j}$ was deployed in WSNs, the BS assigns it a unique identifier $CI D_{j}$ and computes $s \cdot H_{1} (CI D_{j})$ . Then, the BS stores the values of $s \cdot H_{1} (CI D_{j})$ into the memory of $C H_{j}$ . At last, the BS deploys $C H_{j}$ at an appointed place and enters the new identifier $CI D_{j}$ in the table $LCD B_{s}$ .

Mobile Sink Registration

Step R1. The owner of the mobile sink freely selects an identity $PI D_{i}$ , a password $P W_{i}$ , and a random number $b \in Z_{q}^{*}$ . Then, the mobile sink computes $H_{2} (b \oplus P W_{i})$ and sends the message ${PI D_{i}, H_{2} (b \oplus P W_{i})}$ to the BS via a secure channel.

Step R2. Upon receiving the message ${PI D_{i}, H_{2} (b \oplus P W_{i})}$ , the BS computes the following: $\begin{matrix} Cer t_{i} = s \cdot H_{1} (PI D_{i} ∥ H_{2} (b \oplus P W_{i})), \\ T_{i} = H_{2} (PI D_{i} ∥ y), \\ H_{i} = H_{2} (T_{i}), \\ V_{i} = T_{i} \oplus H_{2} (PI D_{i} ∥ H_{2} (b \oplus P W_{i})), \\ A_{i} = H_{2} (PI D_{i} ∥ x ∥ y) . \end{matrix}$ (2)

Then, the BS issues a smart card which contains ${Cer t_{i}, V_{i}, H_{i}, A_{i}}$ to the mobile sink via a secure channel.

Step R3. Upon receiving the smart card, the owner of the mobile sink securely stores the random number b into the smart card, and the smart card contains ${Cer t_{i}, V_{i}, H_{i}, A_{i}, b}$ .

4.3. Login Phase

When a user wants to use the mobile sink to collect the sensed data in a sensor network, he/she inserts his/her smart card into the terminal and then keys his/her identity $PI D_{i}$ and password $P W_{i}$ . This phase is depicted in Figure 2, and more detailed processes are as follows.

Figure 2

The system architecture of the proposed scheme.

Step L1. The smart card computes $T_{i}^{*} = V_{i} \oplus H_{2} (PI D_{i} ∥ H_{2} (b \oplus P W_{i}))$ and $H_{i}^{*} = H_{2} (T_{i}^{*})$ and then checks whether $H_{i}^{*}$ is equal to $H_{i}$ . If they are equal, the mobile sink operates the next steps. Otherwise, the smart card requests the user to input the correct identity and password.

Step L2. The mobile sink generates a random value $N_{i}$ and computes the following: $\begin{matrix} B_{i} = H_{2} (T_{i}^{*} ∥ N_{i}) \oplus H_{2} (b \oplus P W_{i}), \\ C_{i} = H_{2} (A_{i} ∥ H_{2} (b \oplus P W_{i}) ∥ N_{i}) . \end{matrix}$ (3)

Then, the mobile sink sends the message ${PI D_{i}, B_{i}, C_{i}, N_{i}}$ to the BS via a common channel.

Step L3. Upon receiving the message ${PI D_{i}, B_{i}, C_{i}, N_{i}}$ , the BS computes the following: $\begin{matrix} A_{i}^{*} = H_{2} (PI D_{i} ∥ x ∥ y), \\ D_{i} = B_{i} \oplus H_{2} (H_{2} (PI D_{i} ∥ y) ∥ N_{i}) = H_{2} (b \oplus P W_{i}), \\ C_{i}^{*} = H_{2} (A_{i}^{*} ∥ D_{i} ∥ N_{i}) . \end{matrix}$ (4)

Then, the BS checks whether $C_{i}^{*} = C_{i}$ . If they are equal, the BS considers the mobile sink as a legitimate mobile sink. Next, the BS computes $Q_{i} = H_{2} (PI D_{i} ∥ H_{2} (b \oplus P W_{i}) ∥ N_{i})$ , $MK = \hat{e} (s \cdot H_{1} (PI D_{i} ∥ H_{2} (b \oplus P W_{i})), P_{pub})$ , and $CLCD B_{s} = E_{MK} (LCD B_{s})$ and sends ${Q_{i}, CLCD B_{s}}$ to the mobile sink.

Step L3. After receiving the message ${Q_{i}, CLCD B_{s}}$ , the mobile sink computes $Q_{i}^{*} = H_{2} (PI D_{i} ∥ H_{2} (b \oplus P W_{i}) ∥ N_{i})$ and checks whether $Q_{i}^{*} = Q_{i}$ . If they are equal, the mobile sink computes $MK = \hat{e} (Cer t_{i}, P_{pub})$ and $LCD B_{s} = D_{MK} (CLCD B_{s})$ , where $D_{MK} (\cdot)$ is the decryption algorithm of $E_{MK} (\cdot)$ . Then, the mobile sink saves the latest list of legitimate cluster heads $LCD B_{s}$ into its memory.

After finishing the previous steps, the mobile sink contains the latest database table of noncompromised cluster heads. Then, the mobile sink can run the following steps for authentication. Besides, in order to obtain the latest noncompromised cluster heads list, this phase needs to be automatically operated at regular intervals periodically.

4.4. Authentication Phase

After finishing the login phase, the mobile sink can freely move in the cover range of the WSNs to collect the sensed data. The following steps are depicted in Figure 3, and the detailed descriptions are as follows.

Figure 3

The system architecture of the proposed scheme.

Step A1. When the mobile sink moves to the vicinity of a cluster head $C H_{j}$ , it sends a connection request message to $C H_{j}$ for authentication.

Step A2. Upon receiving the request, $C H_{j}$ responds by its identity $CI D_{j}$ to the mobile sink.

Step A3. After receiving $C H_{j}$ 's identity $CI D_{j}$ , the mobile sink checks the legitimacy of $C H_{j}$ using the noncompromised cluster head table $LCD B_{s}$ . If $C H_{j}$ is a legitimate CH, the mobile sink generates a timestamp $T_{s}$ and computes the following: $\begin{matrix} h_{t} = H_{2} (T_{s}), \\ M_{1} = h_{t} \cdot H_{1} (PI D_{i} ∥ H_{2} (b \oplus P W_{i})), \\ Δ_{i} = \hat{e} (Cer t_{i}, h_{t} \cdot H_{1} (CI D_{j})) . \end{matrix}$ (5)

Then, the mobile sink sends the message ${M_{1}, Δ_{i}, T_{s}}$ to $C H_{j}$ . At last, the mobile sink computes $S K_{1} = \hat{e} (h_{t} \cdot Cer t_{i}, h_{t} \cdot H_{1} (CI D_{j}))$ as the session key.

Step A4. Upon receiving the message ${M_{1}, Δ_{i}, T_{s}}$ , $C H_{j}$ checks whether $T_{s} - T_{c} \leq Δ T$ , where $T_{c}$ is the current time when $C H_{j}$ receives this message and $Δ T$ is the expected time interval of the transmission delay. If so, $C H_{j}$ computes $h_{t} = H_{2} (T_{s})$ , $Δ_{i}^{*} = \hat{e} (M_{1}, s \cdot H_{1} (CI D_{j}))$ and checks whether $Δ_{i}^{*} = Δ_{i}$ . If they are equal, $C H_{j}$ believes that the mobile sink is legitimate. Next, $C H_{j}$ computes $S K_{2} = \hat{e} (M_{1}, h_{t} \cdot s \cdot H_{1} (CI D_{j}))$ , $\nabla = H_{2} (S K_{2} ∥ PI D_{i} ∥ CI D_{j} ∥ T_{s})$ and then sends the message ${\nabla, T_{s}}$ to the mobile sink.

It is obvious that two session keys are identical by the following equations: $\begin{array}{l} S K_{2} = \hat{e} (M_{1}, h_{t} \cdot s \cdot H_{1} (CI D_{j})) \\ = \hat{e} (h_{t} \cdot H_{1} (PI D_{i} ∥ H_{2} (b \oplus P W_{i})), h_{t} \cdot s \cdot H_{1} (CI D_{j})) \\ = \hat{e} (h_{t} \cdot s \cdot H_{1} (PI D_{i} ∥ H_{2} (b \oplus P W_{i})), h_{t} \cdot H_{1} (CI D_{j})) \\ = \hat{e} (h_{t} \cdot Cer t_{i}, h_{t} \cdot H_{1} (CI D_{j})) = S K_{1} . \end{array}$ (6)

Step A5. Upon receiving ${\nabla, T_{s}}$ , the mobile sink computes $V e r = H_{2} (S K_{1} ∥ PI D_{i} ∥ CI D_{j} ∥ T_{s})$ and compares it with ∇. If they are equal, the mobile sink takes the value of SK1 as the session key for communication with the $C H_{j}$ .

4.5. The Data Extraction Phase

When the mutual authentication is achieved and a session key is established with a CH, the mobile sink can extract sensed data from the CH. The detailed processes are as follows.

Step D1. The CH computes the ciphertext $C T_{i} = E_{S K_{2}} (DAT A_{i})$ using the session key $S K_{2}$ , where $DAT A_{i}$ is the sensed data stored in the CH. Then, the CH sends the ciphertext $C T_{i}$ to the mobile sink.

Step D2. Upon receiving the ciphertext $C T_{i}$ , the mobile sink computes $CDAT A_{i} = E_{MK} (D_{S K_{1}} (C T_{i}))$ and then stores $CDAT A_{i}$ in its memory or sends this value to the BS directly, where $MK = \hat{e} (Cer t_{i}, P_{pub})$ is computed in login phase.

The above formula can be deduced as follows: $CDAT A_{i}$ = $E_{MK} (D_{S K_{1}} (C T_{i}))$ = $E_{MK} (D_{S K_{1}} (E_{S K_{2}} (DAT A_{i})))$ = $E_{MK} (DAT A_{i})$ . Therefore, the data stored in mobile sink's memory are the sensed data encrypted by $MK$ .

Step D3. Then, the mobile sink sends the message ${PI D_{i}, CDAT A_{i}, B_{i}, C_{i}, N_{i}}$ to the BS, where $B_{i}$ , $C_{i}$ , and $N_{i}$ are parameters which are mentioned in the login phase.

Step D4. After acquiring the message from mobile sink, the BS extracts $PI D_{i}$ and computes the following: $\begin{matrix} A_{i}^{*} = H_{2} (PI D_{i} ∥ x ∥ y), \\ D_{i} = B_{i} \oplus H_{2} (H_{2} (PI D_{i} ∥ y) ∥ N_{i}) = H_{2} (b \oplus P W_{i}), \\ C_{i}^{*} = H_{2} (A_{i}^{*} ∥ D_{i} ∥ N_{i}) . \end{matrix}$ (7)

Then, the BS checks whether $C_{i}^{*} = C_{i}$ . If they are equal, the BS considers the mobile sink as a legitimate user. Then, the BS computes $MK = \hat{e} (s \cdot H_{1} (PI D_{i} ∥ H_{2} (b \oplus P W_{i})), P_{pub})$ . Next, the BS decrypts the sensed data $D_{MK} (CDAT A_{i}) = D_{MK} (E_{MK} (DAT A_{i}))$ = $DAT A_{i}$ . After finishing the above steps, the BS can extract the sensed data $DAT A_{i}$ from the mobile sink.

4.6. Password Change Phase

In this phase, the user $U_{i}$ can change his/her password when he/she wants. The steps of the password change phase are as follows.

Step P1. $U_{i}$ enters his/her smart card into the terminal and then keys his/her identity $PI D_{i}$ and password $P W_{i}$ .

Step P2. The smart card computes $T_{i}^{*} = V_{i} \oplus H_{2} (PI D_{i} ∥ H_{2} (b \oplus P W_{i}))$ , $H_{i}^{*} = H_{2} (T_{i}^{*})$ , and then it checks whether $H_{i}^{*} = H_{i}$ . If they are equal, the user is allowed to input $P W_{new}$ and $b_{new}$ . Otherwise, the smart card rejects the request. Finally, the mobile sink sends ${PI D_{i}, H_{2} (b \oplus P W_{i}), V_{i}, H_{2} (b_{new} \oplus P W_{new})}$ to the base station via a secure channel.

Step P3. Upon receiving ${PI D_{i}, H_{2} (b \oplus P W_{i}), V_{i}, H_{2} (b_{new} \oplus P W_{new})}$ , the base station computes $V_{i}^{*} = H_{2} (PI D_{i} ∥ y) \oplus H_{2} (PI D_{i} ∥ H_{2} (b \oplus P W_{i}))$ and checks whether $V_{i}^{*} = V_{i}$ . If they are equal, the BS computes the following: $\begin{matrix} Cer t_{new} = s \cdot H_{1} (PI D_{i} ∥ H_{2} (b_{new} \oplus P W_{new}), \\ V_{new} = H_{2} (PI D_{i} ∥ y) \oplus H_{2} (PI D_{i} ∥ H_{2} (b_{new} \oplus P W_{new}) . \end{matrix}$ (8)

Then, the BS sends back the message ${Cer t_{new}, V_{new}}$ to the mobile sink via a secure channel.

Step P4. Upon receiving the message ${Cer t_{new}, V_{new}}$ , the smart card stores $Cer t_{new}, V_{new}$ , and $b_{new}$ into the smart card to replace $Cer t_{i}, V_{i}$ , and b, respectively.

5. Security Analysis and Performance Evaluation

5.1. Security Analysis

In this subsection, we evaluate the security of our proposed scheme. Before evaluating the security of our scheme, it is assumed that an adversary may have the following capabilities. (1)

The adversary has the ability to control over the communication channel among the mobile sink, the CH, and the base station. In other words, the attacker may intercept, insert, delete, or modify any exchanged messages in the channel.

(2)

The adversary may either (i) obtain a user's identity and password or (ii) extract the secret information stored in the smart card but cannot obtain both (i) and (ii). When the adversary steals or obtains a smart card, he/she has no chance to get both the identity and password of the smart card.

As we will see in the following paragraphs, the proposed authentication scheme has been designed to resist against the following attacks.

5.1.1. Replay Attack

A replay attack is an attack where an authentication session is replayed by an attacker to fool a computer into granting access. In order to prevent the replay attack, the timestamp $T_{s}$ is used in the proposed scheme. When an adversary wants to launch a replay attack to extract the sensed data from a CH, he/she needs to send a message to the CH for authentication. If the message ${M_{1}^{*}, Δ_{i}^{*}, T_{s}^{*}}$ is an expired message used by another mobile sink, the timestamp $T_{s}^{*}$ has also expired, and the CH can detect it immediately. Even though the adversary modifies the timestamp $T_{s}^{*}$ , he/she cannot compute a valid $Δ_{i}^{*}$ without the knowledge of the BS's secret value s.

In addition, when an adversary wants to launch a replay attack to communicate with an authorized mobile sink, he/she needs to send a message ${\nabla, T_{s}}$ to the mobile sink. However, the adversary cannot compute the session key $S K_{2} = \hat{e} (M_{1}, h_{t} \cdot s \cdot H_{1} (CI D_{j}))$ without the knowledge of $s \cdot H_{1} (CI D_{j})$ . As a result, he/she cannot compute $\nabla = H_{2} (S K_{2} ∥ PI D_{i} ∥ CI D_{j} ∥ T_{s})$ . Therefore, the adversary has no way to launch a replay attack utilizing the used messages ${\nabla, T_{s}}$ . From the above analysis, we can see that our scheme can resist the replay attack.

5.1.2. Impersonation Attack

In this type of attack, the adversary forges a valid message ${M_{1}^{*}, Δ_{i}^{*}, T_{s}^{*}}$ to impersonate as a legitimate mobile sink using the information eavesdropped from previous message or obtained from captured nodes. However, in the proposed scheme, the adversary is infeasible to forge a valid $Δ_{i}^{*}$ , without the knowledge of $Cer t_{i}$ . Based on the Discrete Logarithm Problem (DLP), it is difficult to derive the secret value s by way of P and $P_{pub}$ . Therefore, the adversary cannot compute $s \cdot H_{1} (PI D_{i} ∥ H_{2} (b \oplus P W_{i}))$ = $Cer t_{i}$ and $Δ_{i}^{*}$ . From the above analysis, we can see that our scheme can resist the impersonation attack.

5.1.3. Stolen Smart Card Attack

If the adversary has obtained the smart card of user $U_{i}$ , he/she is able to extract the stored parameters $Cer t_{i} = s \cdot H_{1} (PI D_{i} ∥ H_{2} (b \oplus P W_{i}))$ , $H_{i} = H_{2} (H_{2} (PI D_{i} ∥ y))$ , $V_{i} = T_{i} \oplus H_{2} (PI D_{i} ∥ H_{2} (b \oplus P W_{i}))$ , $A_{i} = H_{2} (PI D_{i} ∥ x ∥ y)$ , and b. However, the adversary has no way to know the user's identity $PI D_{i}$ and password $P W_{i}$ from $Cer t_{i}, H_{i}, V_{i}$ , and $A_{i}$ due to the one-way property of the hash functions $H_{1} (\cdot)$ and $H_{2} (\cdot)$ . Since the secret value s is only known to the BS, there is no way for the adversary to obtain the value $Cer t_{i}$ . As a result, the adversary cannot compute a correct $M_{1} = H_{2} (T_{s}) \cdot H_{1} (PI D_{i} ∥ H_{2} (b \oplus P W_{i}))$ and cannot forge a valid request message ${M_{1}, Δ_{i}, T_{s}}$ just using the parameters stored in the smart card. Therefore, the proposed scheme can resist the stolen smart card attack.

5.1.4. Privileged-Insider Attack

During the registration phase of the proposed scheme (in Section 4.2), the owner of the mobile sink $U_{i}$ does not send his/her password $P W_{i}$ in the form of plaintext. Instead the user $U_{i}$ sends the hashed password $H_{2} (b \oplus P W_{i})$ to the BS. Due to the one-way property of the hash function $H_{2} (\cdot)$ , it is computationally infeasible to retrieve $P W_{i}$ from $H_{2} (b \oplus P W_{i})$ . The administrator or a privileged-insider of the BS cannot obtain the password $P W_{i}$ of $U_{i}$ , and he/she is unable to impersonate $U_{i}$ to communicate with the CH. Therefore, our scheme is secure against privileged-insider attack.

5.1.5. User Anonymity and Untraceability

In the authentication phase of the proposed scheme, the mobile sink sends the message ${M_{1}, Δ_{i}, T_{s}}$ to a CH for authentication, since the timestamp $T_{s}$ is contained in the message ${M_{1}, Δ_{i}, T_{s}}$ and is different for each session when the mobile sink sends to a CH. As a result, there is no correlation between the two authentication messages ${M_{1}, Δ_{i}, T_{s}}$ and ${M_{1}^{*}, Δ_{i}^{*}, T_{s}^{*}}$ . In addition, due to the one-way property of the hash function $H_{1} (\cdot)$ , an adversary cannot obtain the identity $PI D_{i}$ from $M_{1}$ . Therefore, the adversary is unable to identify the mobile sink or link two sessions launched by the same mobile sink.

5.1.6. Resist Node Capture Attack

This resistance is measured by estimating the fraction of total network communications that are compromised by a capture of x nodes not including the communications in which the compromised nodes are directly involved [10]. Due to the unattended property of WSNs, sensor nodes or CHs can be captured by an attacker easily. Suppose that a CH is captured by an attacker, he/she knows all of the CH's parameters. Note that each CH is given an identity $CI D_{j}$ and secret value $s \cdot H_{1} (CI D_{j})$ in the system initialization phase. Thus, the attacker is able to utilize the compromised CH's parameters to communicate with a mobile sink and then response the false information to the mobile sink. However, other noncompromised cluster heads can still communicate with the mobile sink securely. Consequently, the attacker cannot affect or damage the secure communication between the noncompromised CHs and the mobile sink.

In addition, according to the assumption mentioned in Section 3.2, the compromised CHs can be detected by the BS. The BS is able to update the legitimate cluster heads list $LCD B_{s}$ periodically according to the existing schemes proposed in [18, 19]. When the owner of a mobile sink wants to extract the sensed data from sensor networks, he/she has to login to the BS and gets the latest legitimate cluster heads list $LCD B_{s}$ . In this way, the mobile sink can detect whether the CH is legitimate when the mobile sink wants to communicate with it. Therefore, the mobile sink is able to identify the compromised CH timely and further reject the sensed data sent from the compromised CH. In addition, the BS will redeploy a new CH to replace the compromised CH for collecting the environment condition information.

When a new CH needs to be added in the existing networks, the BS assigns it a unique identifier $CI D_{j}^{*}$ and computes $s \cdot H_{1} (CI D_{j}^{*})$ . Then, these values are loaded in the memory of the new CH and then it is deployed at the location of the compromised CH. Next, the base station puts the identity of the new CH in the latest legitimate cluster heads list $LCD B_{s}$ . Therefore, the mobile sink can extract the sensed data from the new CH properly when he/she updates the list $LCD B_{s}$ . Consequently, our scheme is secure against the node capture attack.

5.1.7. Data Confidentiality

In the proposed scheme, when a mobile sink needs to collect the sensed data from a CH, he/she has to realize the mutual authentication and agree on a shared session key SK with the CH. After establishing the session key SK, the mobile sink is able to receive the encrypted sensed data $C T_{i}$ from the CH and then decrypt $C T_{i}$ and get the plaintext $DAT A_{i}$ . Since the session key SK is only known between the mobile sink and the CH, the adversary or malicious user cannot decrypt the plaintext $DAT A_{i}$ without the knowledge of SK. Therefore, the proposed scheme is able to provide the security communication between the mobile sink and the CH.

After receiving the ciphertext $C T_{i}$ , the mobile sink computes $CDAT A_{i} = E_{MK} (D_{SK} (C T_{i}))$ and saves $CDAT A_{i}$ in its memory or sends $CDAT A_{i}$ to the BS immediately. Even if the adversary has obtained the mobile sink or intercepted the data that the mobile sink transmits to the BS, he/she can still not extract the plaintext $DAT A_{i}$ , because he/she has no way to obtain the key MK. From the above analysis, we can see that our proposed scheme can provide the data confidentiality for users.

5.1.8. Proper Mutual Authentication and Session Key Agreement

In the authentication and session key agreement phase of the proposed scheme, the CH can authenticate the mobile sink by checking whether $Δ_{i} = \hat{e} (M_{1}, s \cdot H_{1} (CI D_{j}))$ . With the knowledge of the secret value $s \cdot H_{1} (CI D_{j})$ , the CH is able to compute the following: $\begin{array}{l} \hat{e} (M_{1}, s \cdot H_{1} (CI D_{j})) \\ = \hat{e} (h_{t} \cdot H_{1} (PI D_{i} ∥ H_{2} (b \oplus P W_{i})), s \cdot H_{1} (CI D_{j})) \\ = \hat{e} (s \cdot H_{1} (PI D_{i} ∥ H_{2} (b \oplus P W_{i})), h_{t} \cdot H_{1} (CI D_{j})) \\ = \hat{e} (Cer t_{i}, h_{t} \cdot H_{1} (CI D_{j})) = Δ_{i} . \end{array}$ (9)

On the other hand, the mobile sink is able to authenticate the CH by checking whether $V e r = \nabla$ when he/she receives the message ${\nabla, T_{s}}$ . Since only the authorized mobile sink possesses the valid certificate $Cer t_{i}$ , others (an adversary or malicious user) cannot forge the valid value of $Δ_{i}$ . Besides, only the registered CH has the valid $s \cdot H_{1} (CI D_{j})$ to compute the correct value of ∇. At last, the mobile sink and the CH can compute the shared session key $SK = \hat{e} (h_{t} \cdot Cer t_{i}, h_{t} \cdot H_{1} (CI D_{j}))$ , respectively. From the above analysis, we can see that our proposed scheme provides proper mutual authentication and session key agreement.

5.2. Performance Analysis

In this section, we first evaluate the performance of our proposed scheme and then compare our proposed scheme with some related schemes. For the convenience of evaluating the computational cost, we define some notations as follows.

$T_{h}$ : The time of performing a one-way hash function $H_{2} (\cdot)$

$T_{Gh}$ : The time of performing a map-to-point hash function $H 1 (\cdot)$

$T_{pair}$ : The time of performing a bilinear pairings computation

$T_{add}$ : The time of performing an addition operation of points

$T_{en}$ : The time of performing an encryption algorithm

$T_{mec}$ : The time of performing a scalar multiplication of elliptic curve.

Table 1 illustrates the computational cost of the proposed scheme in different phases. As can be seen from Table 1, our scheme requires $2 T_{Gh} + 5 T_{h} + 2 T_{mec}$ at BS side in the registration phase. In the login phase, the mobile sink needs $4 T_{h} + T_{pair}$ and the BS needs $3 T_{h} + T_{pair}$ . In the authentication phase, the mobile sink needs $4 T_{h} + T_{Gh} + T_{mec} + T_{pair}$ and the CH requires $4 T_{h} + T_{Gh} + 2 T_{pair} + T_{mec}$ . In the password change phase, the mobile sink needs two hashing operations and the BS needs $3 T_{h} + T_{Gh} + T_{mec}$ to change the password.

Table 1

Performance of the proposed scheme.

The cost in different phases	Mobile sink	Cluster head	Base station
Registration phase	$T_{h}$	—	$2 T_{Gh} + 5 T_{h} + 2 T_{mec}$
Login phase	$4 T_{h} + T_{pair}$	—	$3 T_{h} + T_{pair}$
Authentication phase	$4 T_{h} + T_{Gh} + T_{mec} + T_{pair}$	$4 T_{h} + T_{Gh} + 2 T_{pair} + T_{mec}$	—
Password change phase	$2 T_{h}$	—	$3 T_{h} + T_{Gh} + T_{mec}$

We implemented a proof-of-concept of our scheme to demonstrate that the proposed scheme is practical enough to be deployed in the resource-constrained WSNs. In our implementation, the mobile sink and the CH operations were developed on an Android smart phone (equipped with a 1.2 GHz ARM processor and 1 GB RAM). The base station operations were developed on an Intel E8400 (3.0 GHz) with 4.0 GB RAM. All the encryption operations are built based on MIRACLE [23]. Table 2 shows the experimental results for related pairing-based operations on the smart phone and the Intel E8400 processor, respectively. According to Table 2, it is obvious that the operation time of bilinear pairings and scalar multiplication is quite short.

Table 2

Cryptographic operation time.

	$T_{pair}$	$T_{mec}$	$T_{h}$	$T_{Gh}$	$T_{add}$	$T_{en}$
Client	0.015 s	0.01 s	<0.001 s	<0.01 s	<0.001 s	0.01 s
Server	3.58 ms	1.71 ms	<0.01	<1 ms	<1 ms	0.5 ms

In Table 3, we demonstrate the execution time of the proposed scheme in different phases. The execution time is measured based on the cryptographic operation time listed in Table 2. From Table 3, we can see that the execution time of the proposed scheme is extremely short. Based on the above analysis, it is obvious that the computational cost of the proposed scheme is well suited for the environment of WSNs.

Table 3

Execution time of the proposed scheme in different phases.

Time spent in different phases	Mobile sink	Cluster head	Base station
Registration phase	0.001 s	—	5.69 ms
Login phase	0.019 s	—	3.61 ms
Authentication phase	0.344 s	0.484 s	—
Password change phase	0.002 s	—	2.82 ms

Communication overhead is closely related to the size of the authentication message. In our scheme, the number of communication parameters includes ${M_{1}, Δ_{i}, T_{s}}$ and ${\nabla, T_{s}}$ . In our implementation, the length of the $PI D_{i}$ and $CI D_{j}$ is set to 160 bits, respectively. To achieve the same public key security as a 1024-bit RSA implementation, only 160-bit keys are needed for ECC. Therefore, according to the actual conditions, we can assume that the bit-length of the point P, the time stamp, the hash function $H_{1} (\cdot)$ , and the hash function $H_{2} (\cdot)$ are 160 bits, 32 bits, 160 bits, and 256 bits, respectively. Therefore, the communication costs of ${M_{1}, Δ_{i}, T_{s}}$ and ${\nabla, T_{s}}$ are 352 (160 + 160 + 32) bits and 288 (256 + 32) bits, respectively. From the above analysis, we can see that our scheme is well suited for WSNs in terms of the communication cost.

The functionality comparison between our scheme and the related authentication schemes is listed in Table 4. Our scheme is secure against replay attack and provides mutual authentication between the mobile sink and the CH. In addition, our scheme prevents smart card breach attack as in Das et al.'s scheme. Based on the above analysis, we can see that our scheme meets the performance requirements and can provide more secure authentication and key agreement function.

Table 4

Functionality comparison between the proposed scheme and the related schemes.

	Ours	Das [6]	Chen and Shih [7]	He et al. [8]
Proper mutual authentication	Yes	No	Yes	No
Session key agreement	Yes	Yes	No	No
Resist stolen smart card attack	Yes	Yes	Yes	Yes
Resist replay attack	Yes	Yes	Yes	No
Impersonation attack	Yes	No	Yes	Yes
Correct password change	Yes	Yes	No	Yes
Support mobile sink	Yes	No	No	No

6. Conclusion

Although there are many studies focusing on the mobile sink, few works focus on the security problem when introducing the mobile sinks in WSNs. In this paper, we have proposed a novel protocol to achieve secure authentication between the mobile sink and the cluster head using bilinear pairings. The proposed scheme can establish a session key between the mobile sink and the cluster head. In addition, after successful authentication, the mobile sink can extract the sensed data from the cluster head using the session key. Security analysis demonstrates that the proposed scheme can solve various security problems when using mobile sinks in WSNs. In addition, the proposed scheme is also efficient in terms of computational. Therefore, our proposed scheme is suitable for the environment of WSNs.

Footnotes

Notations

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This research was supported by the National Major Science and Technology Special Project of China under Grant no. 2012ZX03005008,the National Natural Science Foundation of China under Grant nos. 61271041 and 61300220,FP7 Integrated Project iCore (Internet Connected Objects for Reconfigurable Ecosystems) under Grant no. 287708,and the Scientific Research Fund of Hunan Provincial Education Department under Grant no. 13C324.

References

Yick

Mukherjee

Ghosal

Wireless sensor network survey

Computer Networks 2008 52 12 2292 2330

2-s2.0-46449122114

10.1016/j.comnet.2008.04.002

Mini

R. A. F.

Loureiro

A. A. F.

Energy-efficient design of wireless sensor networks based on finite energy budget

Computer Communications 2012 35 14 1736 1748

Yang

Fonoage

M. I.

Cardei

Improving network lifetime with mobile wireless sensor networks

Computer Communications 2010 33 4 409 419

2-s2.0-74149091307

10.1016/j.comcom.2009.11.010

Rao

Biswas

Analyzing multi-hop routing feasibility for sensor data harvesting using mobile sinks

Journal of Parallel and Distributed Computing 2012 72 6 764 777

2-s2.0-84859915521

10.1016/j.jpdc.2012.02.017

Vupputuri

Rachuri

K. K.

Siva Ram Murthy

Using mobile data collectors to improve network lifetime of wireless sensor networks with reliability constraints

Journal of Parallel and Distributed Computing 2010 70 7 767 778

2-s2.0-77955418699

10.1016/j.jpdc.2010.03.010

Das

M. L.

Two-factor user authentication in wireless sensor networks

IEEE Transactions on Wireless Communications 2009 8 3 1086 1090

2-s2.0-62949130774

10.1109/TWC.2008.080128

Chen

T.-H.

Shih

W.-K.

A robust mutual authentication protocol for wireless sensor networks

ETRI Journal 2010 32 5 704 712

2-s2.0-78049334450

10.4218/etrij.10.1510.0134

Gao

Chan

Chen

An enhanced two-factor user authentication scheme in wireless sensor networks

Ad-Hoc and Sensor Wireless Networks 2010 10 4 361 371

2-s2.0-78650459565

Eschenauer

Gligor

V. D.

A key-management scheme for distributed sensor networks

Proceedings of the 9th ACM Conference on Computer and Communications Security

November 2002

41 47

2-s2.0-0038341106

10.

Chan

Perrig

Song

Random key predistribution schemes for sensor networks

Proceedings of the IEEE Symposium on Security and Privacy

May 2003

197 213

2-s2.0-0038487088

11.

Rasheed

Mahapatra

R. N.

The three-tier security scheme in wireless sensor networks with mobile sinks

IEEE Transactions on Parallel and Distributed Systems 2012 23 5 958 965

2-s2.0-84859722160

10.1109/TPDS.2010.185

12.

Watro

Kong

Cuti

S.-F.

Gardiner

Lynn

Kruus

TinyPK: securing sensor networks with public key technology

Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN '04)

October 2004

59 64

2-s2.0-14844304757

13.

Yuan

Jiang

A biometric-based user authentication for wireless sensor networks

Wuhan University Journal of Natural Sciences 2010 15 3 272 276

2-s2.0-77952339469

10.1007/s11859-010-0318-2

14.

Das

A. K.

Sharma

Chatterjee

Sing

J. K.

A dynamic password-based user authentication scheme for hierarchical wireless sensor networks

Journal of Network and Computer Applications 2012 35 5 1646 1656

2-s2.0-84859765399

10.1016/j.jnca.2012.03.011

15.

Marta

Cardei

Improved sensor network lifetime with multiple mobile sinks

Pervasive and Mobile Computing 2009 5 5 542 555

2-s2.0-70349771047

10.1016/j.pmcj.2009.01.001

16.

Delgado-Mohatar

Fúster-Sabater

Sierra

J. M.

A light-weight authentication scheme for wireless sensor networks

Ad Hoc Networks 2011 9 5 727 735

2-s2.0-79952574261

10.1016/j.adhoc.2010.08.020

17.

Saad

E. M.

Awadalla

M. H.

Darwish

R. R.

A data gathering algorithm for a mobile sink in large-scale sensor networks

Proceedings of the 4th International Conference on Wireless and Mobile Communications (ICWMC '08)

August 2008

207 213

2-s2.0-52049118331

10.1109/ICWMC.2008.38

18.

Bonaci

Bushnell

Poovendran

Node capture attacks in wireless sensor networks: A system theoretic approach

Proceedings of the 49th IEEE Conference on Decision and Control (CDC '10)

December 2010

6765 6772

2-s2.0-79953148070

10.1109/CDC.2010.5717499

19.

T. M.

Safavi-Naini

Williamson

Securing wireless sensor networks against large-scale node capture attacks

Proceedings of the 5th ACM Symposium on Information, Computer and Communication Security (ASIACCS '10)

April 2010

112 123

2-s2.0-77954465312

10.1145/1755688.1755703

20.

Hankerson

Menezes

Vanstone

Guide to Elliptic Curve CrypTography 2004

New York, NY, USA

Springer

21.

Washington

L. C.

Elliptic Curves Number Theory and Cryptography 2008 2nd

Boca Raton, Fla, USA

Chapman and Hall/CRC

22.

An efficient remote user authentication and key agreement protocol for mobile client-server environment from pairings

Ad Hoc Networks 2012 10 6 1009 1016

2-s2.0-84859767453

10.1016/j.adhoc.2012.01.002

23.

Shamus Software

http://www.shamus.ie/index.php

Secure and Efficient Authentication Scheme for Mobile Sink in WSNs Based on Bilinear Pairings

Abstract

1. Introduction

2. Related Work

2.1. Key Establishment Protocols in WSNs

2.2. Password-Based Authentication Scheme in WSNs

3. Network Model, Assumptions, and Preliminaries

3.1. Network Model

3.2. Assumptions

3.3. Preliminaries

3.3.1. Elliptic Curve

3.3.2. Bilinear Pairings

3.3.3. Mathematical Problems

4. The Proposed Scheme

4.1. System Initialization

4.2. Registration Phase

4.3. Login Phase

4.4. Authentication Phase

4.5. The Data Extraction Phase

4.6. Password Change Phase

5. Security Analysis and Performance Evaluation

5.1. Security Analysis

5.1.1. Replay Attack

5.1.2. Impersonation Attack

5.1.3. Stolen Smart Card Attack

5.1.4. Privileged-Insider Attack

5.1.5. User Anonymity and Untraceability

5.1.6. Resist Node Capture Attack

5.1.7. Data Confidentiality

5.1.8. Proper Mutual Authentication and Session Key Agreement

5.2. Performance Analysis

6. Conclusion

Footnotes

Notations

Conflict of Interests

Acknowledgments

References