A Secure and Lightweight Three-Factor Remote User Authentication Protocol for Future IoT Applications

School of Computer Science, Huazhong University of Science and Technology, Wuhan, 400037 Hubei, China
Department of Mathematics, College of Science, University of Basrah, 61004, Iraq
Medical Instrumentation Engineering Techniques Department, Al-Mustaqbal University College, 51001 Hillah, Babil, Iraq
Department of Computer Science, Education College of Pure Science, University of Basrah, 61004, Iraq


Introduction
The IoT has been a trend in the last few years, and it is expected to remain so in the future [1]. In an IoT system, information is sensed/collected by IoT sensing devices such as embedded systems, Radio Frequency Identification (RFID), wearable devices, and low-powered IEEE 802.15.4 devices before being sent to another intermediary device/node (e.g., edge or fog computing node), IoT device, or to the cloud, via the Internet. In IoT, many devices can interact with each other over the Internet. Many IoT applications have already been deployed, such as healthcare systems, smart cities, smart industry, transportation systems, and smart homes [2,3]. In these IoT applications, WSNs are most necessary and important [4]. The use of WSNs in providing services to activities and monitoring environments has greatly increased due to their low cost, ease of deployment, wide range of applications, and flexibility [5]. Therefore, security and privacy are a significant challenge in any consumer technology deployment [6]. For example, consider an IoT healthcare application [7] as shown in Figure 1. In this scenario, the quality of healthcare service can be enhanced by allowing a medical practitioner direct access to data that have been sensed by the medical sensor nodes deployed in his patient's body. This information can include current vital readings such as blood pressure, cholesterol, C-reactive protein, and blood sugar level. Accordingly, based on this private and secret current information, a decision can be taken regarding the patient's health condition to provide necessary remedial actions.
In IoT, the sensor nodes/devices in a WSN face a significant security challenge. Usually, those sensor nodes are deployed in places that are easy for people to touch. Nowadays, one of the most critical security attacks that can easily happen is a node capture attack, where the authentication information inside the sensor node is revealed by physically cracking it [8]. Furthermore, new remote user authentication schemes could also be vulnerable to this attack because a malicious attacker can possibly obtain all sensitive authentication information through it. Thus, the security issues in IoT WSN applications are significant and attract more attention. To address them, we propose a secure and lightweight remote user authentication and key agreement protocol to operate in an IoT WSN application environment.
1.1. Motivation. The IoT WSN has opened up many opportunities in various walks of life and particularly in healthcare, shipping, warehousing, and logistics, which have facilitated processes for consumers and businesses. This wide-ranging and rapid development has led to the emergence of great challenges that require the design of high-security protocols for IoT applications in order to preserve the sensitive information of users. Security is now the primary challenge facing the IoT WSN environment. In IoT WSNs, remote users can access data from IoT sensor nodes via the Internet. Researchers have developed effective mechanisms to integrate wireless networks into Internet of things environments [9,10]. Sensor nodes are inherently resource-constrained devices in terms of limited processing capability, constrained communication bandwidth, and very low storage capacity due to their physical size and limited energy [11]. Therefore, designing a secure and efficient remote user authentication protocol for IoT WSN environments is a nontrivial challenge. In IoT environments, the security efficiency of remote user authentication is an important issue for transmitting information securely [12][13][14]. In addition, energy consumption and computational and communication efficiency are crucial due to the energy limitation of WSN resources. Also, because sensors are constrained, adding resourceful gateway nodes can support the sensors, provide quick on-demand delivery of information, and take care of most of the processing. The authentication of users or devices is a critical issue that must be considered in the context of IoT security. Most of the traditional authentication protocols are based on a password, a smart card, or both. These protocols are ineffective at present since attackers have modified the methodology of their attacks on IoT devices.
The need for biometric-based approaches that are difficult to reproduce, such as those involving fingerprints, iris scanning, and facial patterns, has emerged as an additional factor that can enhance the security of Internet applications.

Attack Model.
In our proposed protocol, we follow the widely accepted and more realistic Dolev-Yao (DY) threat model [15]. In this model, the communication between two entities is accomplished over a public (open) channel, and an adversary MA has full control over the communication channel. Therefore, MA can eavesdrop on, alter, and delete messages that are being transmitted during communication, and can insert forged messages. In addition, it is assumed that MA can physically capture one or more IoT sensing nodes and, utilizing strength analysis attacks, can steal all sensitive information stored in the captured sensing nodes.

Our Contribution.
The main contributions of our proposal are as follows:
(1) We propose a lightweight and secure remote user authentication protocol for IoT WSN applications, based on feature extraction of the user fingerprint and a one-way hash function, which is suitable for use in wireless healthcare applications. The proposed protocol uses three factors to achieve our goal: user password, smartphone, and biometrics. We use biometrics to increase the security of the protocol because biometrics are difficult to forge, steal, or forget
(2) Level 3 feature extraction is done to overcome the problem of noise in fingerprint images in existing authentication schemes
(3) We prove our protocol secure using informal and formal security analysis through BAN logic and the random oracle model
(4) We simulate the proposed protocol using the popular and widely accepted tool called AVISPA and demonstrate that the protocol is perfectly secure against active and passive attacks
(5) A comparative evaluation of our protocol with related protocols in terms of communication and computational overheads was performed

Related Work
The general security requirements needed to secure an IoT WSN environment are authentication, integrity, confidentiality, availability, nonrepudiation, authorization, freshness, and forward and backward secrecy. Therefore, a remote user authentication scheme for an IoT WSN environment should be designed in a way that ensures it will withstand many attacks such as man-in-the-middle, online/offline guessing, replay, privileged insider, stolen/lost smart card, password change, and sensing device capture. Also, the designed scheme should reduce computation and communication costs and include a password/biometric update phase. Consider a scenario in which a medical practitioner roams the medical IoT environment. In such a scenario, we need to protect certain information about this user, for example by preserving anonymity, to prevent other parties (users) from revealing the patient's critical privacy information while he/she joins the system sessions. In other words, user anonymity is one of the key features of a user authentication protocol [16]. Also, the untraceability feature is important in IoT WSN applications to prevent an attacker from tracing a user during a session [17]. WSNs have become an important and necessary network infrastructure after modernization, and they can be generally used in many modern fields such as health monitoring, environments, and smart homes [18][19][20][21]. To satisfy the security requirements of the IoT WSN environment, numerous user authentication protocols have been proposed. Shi and Gong [22] proposed a new user-authentication scheme using ECC for WSNs. Unfortunately, the storage and computational overhead are relatively high, so it is not applicable to healthcare application systems [23][24][25]. Usually, real-time users adopt easy-to-memorize parameters, such as secret keys and identities, for their convenience, as explained in [23][24][25]; hence, user anonymity is not provided.
To enhance the security of IoT WSNs, studies in [26][27][28][29][30] presented lightweight remote user authentication schemes. Nonetheless, these contributions need improvement to resist attacks while preserving optimum communication and computation performance. In 2016, Arasteh et al. [31] proposed an authentication scheme for an IoT network that aimed to overcome the weaknesses of a scheme designed by Amin et al. [32]. In 2017, Dhillon and Kalra [33] proposed a lightweight 3FA scheme using a user password, biometric, and a mobile device. They pointed out that their scheme is secure against well-known attacks such as denial of service, impersonation, offline password guessing, and stolen mobile device attacks. However, their scheme is still insecure against the mentioned attacks and does not afford a session key agreement. In the same year, Li et al. [34] and Zhang et al. [35] presented their authentication schemes with key agreement. They showed that their scheme was lightweight and appropriate for constrained IoT environments. In 2018, several studies were published on remote user authentication for the IoT environment [36][37][38][39][40][41]. The author in [36] presented an authentication scheme for ad hoc WSNs to improve the security weakness of the scheme in [42] using ECC cryptography. In Cyber-Physical Systems (CPS) and IoT, Lu et al. [37] presented a mutual authentication scheme with user anonymity. Xu et al. [38] proved that Srinivas et al.'s [43] authentication schemes are vulnerable to many attacks and did not achieve user anonymity. Moreover, Ryu et al. [39] reviewed Wu et al.'s [44] scheme and pointed out that Wu et al.'s scheme has two security weaknesses against outsider attackers. A new user authentication scheme was presented by Wazid et al. [40] for a hierarchical IoT network. These authors observed that their scheme involved lower computation and communication costs. Moreover, Chen et al. [41] presented an authentication scheme based on the fuzzy extractor. Nonetheless, the overhead in Chen's scheme is costly.
More recently, in 2019, articles on this subject were published by Dammak et al. [45], Gupta et al. [46], Lyu et al. [47], Ma et al. [48], Renuka et al. [49], and Li et al. [50]. However, these schemes still have weaknesses, particularly in terms of the computation and communication overheads, which are high compared to those of our proposed scheme. In summary, most remote user authentication protocols either fail to achieve IoT WSN environment security requirements or do not provide security functionality features such as dynamic anonymity and untraceability and biometric and password change procedures. To overcome the aforementioned weaknesses, we propose a lightweight remote user authentication protocol suited for IoT WSN applications, which achieves user anonymity and untraceability.

Basic Preliminaries
In this section, we briefly discuss the properties of the one-way hash function, perceptual hashing, and level 3 feature extraction.
(i) Level 3 feature extraction of fingerprint: a fingerprint is the pattern of ridges and valleys on the outer surface of the fingertip, and each individual has unique fingerprints. Fingerprint identification involves three levels: the first level includes details such as the pattern type and ridge-line flow; the second involves minutiae points, for instance bifurcations, spurs, and terminations; and the third relates to the dimensional properties of a ridge, such as incipient ridges, creases, pores, and edge contours. The third level contains all the dimensional properties of a ridge, for instance sweat pores, initial ridges, edge, and the crispiness. Our proposed protocol therefore adopts the third level, since it is unique, unalterable, and perpetual. More detail can be found in [51].
(ii) One-way hash function: a one-way hash function (1HF) is a mathematical function that is broadly used in many applications, such as checking data integrity during transmission, generating message authentication codes (MAC), and digital forensic investigations. A cryptographic 1HF is highly sensitive to even small perturbations to the input. The 1HF is impossible to invert, i.e., it is difficult to regain the original text from the hash value. It produces hash values of 128 bits and higher. Generally, a 1HF is used to generate digital signatures, which are used to recognize and authenticate the sender [52].
(iii) Perceptual hashing: when using biometrics for user authentication schemes, the standard encryption or hashing algorithms cannot be used to encrypt the biometric template. Biometric data such as fingerprint and voice change with time and environment. Therefore, in designing a user authentication protocol using biometrics, the hashing or encryption algorithms cannot be utilized to encrypt the biometric template. To deal with this issue, researchers have proposed using perceptual hashing (p-hash) [53]. The advantage of p-hash is that it tolerates unimportant variation in the quality and format of the input. The size of the hash value generated by perceptual hashing ranges from 64 to 128 bits [54]. In this paper, we adopted the perceptual hashing function proposed by Jie [55] in a previous study. The authors in [56] merge the image blocks which have low-frequency DCT coefficients and the color histogram as a perceptual feature; this perceptual feature is then compressed as an interfeature with PCA, and the interfeature is thresholded to generate a strong hash. Figure 2 shows the process of perceptual hashing.

The Proposed Protocol
In this section, we propose an efficient and secure user authentication protocol for IoT WSN applications using the network model scenario presented in Figure 1. The proposed protocol is designed to be generic enough for most IoT WSN applications that require user authentication. A summary of the symbols used in this paper is given in Table 1. In this work, we utilize current timestamps to ensure resistance to replay attacks. Consequently, the clocks of all protocol entities are assumed to be synchronized, which is a typical assumption in the literature [7,44,57]. Our authentication protocol is based on three factors, namely, password, user's biometric, and smartphone, and focuses on the user in order to reduce the costs to the IoT nodes. Using a smart device such as a smartphone, the user can easily access the IoT nodes and the services they provide. The proposed protocol contains three participants: a remote user ($U_i$) who aims to maximize the services in the environment, a set of IoT sensor nodes ($D_k$), and a trusted home authority/gateway (GW). Our work consists of four phases: registration, precomputation, authentication and key agreement, and password change. The registration phase is performed once, while the precomputation, authentication, and password change phases are executed whenever a remote user wishes to log in or change his/her password. The proposed protocol enables a remote user to freely update his password and/or biometric information with the help of the smartphone without further involving GW.
(Step 2) $U_i$ computes the level 3 feature extraction of the fingerprint as follows:
(Step 3) $U_i$ selects a random integer $R_i \in Z_n^+$ and computes a mask for the user's identity, password, and fingerprint as follows: identity mask: to the GW as a communication request to the GW node through a secure channel
Gateway side: on receiving a request message from $U_i$, the GW performs the following steps.
(Step 1) GW generates secret keys $X_g$ and $X_{gu}$. Following this, GW computes the security parameters $a_i = H(MID_i \oplus X_g)$, $b_i = H(MPW_i \oplus X_{gu})$, and $c_i = H(FX3FP_i \oplus X_{gu})$, prior to use and $MFP_i$ to $U_i$. On receiving $M_1$, $U_i$ saves it in the memory of the device. Figure 3 summarizes the different processing steps followed during this phase
4.2. IoT Sensor Node Registration. In this stage, each IoT sensor node is a registry. Any supplementary nodes can be added dynamically. This stage consists of the following steps.
IoT node side:
(Step 1) $D_k$ generates a random number $R_k \in Z_n^+$. $D_k$ knows the shared secret $X_{gD_k}$ of the GW and has a unique identity $ID^*_{D_k}$ and $TS_1$ to the GW through a secure channel
GW node side: upon receiving the registration request from IoT sensor node $D_k$, the GW performs the following steps.
(Step 1) Checks the timestamp condition $|TS_1 - T| < \Delta T$. If the condition is unsatisfied, then the registration phase is terminated; otherwise, the GW executes the next step $MPW_j'$ on the basis of the previous message
(Step 3) Verifies whether $MPW_j = MPW_j'$ or not. Therefore, if they are not unequal, the node is not $Factor_i)$, and $c_j = a_j \oplus b_j$
(Step 5) Then, GW sends $a_j$, $c_j$, and $TS_2$ to $D_k$. Upon receiving the registration messages ($a_j$, $c_j$, and $TS_2$) from the GW, $D_k$ checks the timestamp condition $|TS_2 - T| < \Delta T$ to check for any external interference. If the condition is unsatisfied, then the session is terminated; otherwise, $D_k$ saves the parameters $a_j$, $c_j$, and $TS_2$ into its device memory. Finally, the user registration phase is accomplished. Figure 3 shows the steps of the IoT sensor node registration phase

Precomputation and Login Phase.
Once the registration is accomplished successfully, an authorized user $U_i$ can access any desired sensor node within the IoT network through the authentication phase. To start the authentication phase, $U_i$ must log in to the selected IoT service application, following the login steps that are implemented during this phase.
(Step 1) First, the user $U_i$ uses the smartphone to open the application and enters his/her password $PW_i$ and the level 3 feature extraction $FX3FP_i$ saved in the smartphone
(Step 2) Then, the smartphone of $U_i$ calculates a mask for the password and the feature extraction as follows:
(Step 3) Next, the original values of $b_i$ and $c_i$ are extracted as
(Step 4) $U_i$ computes the value of the following verification parameters $b_i^{**}$ and $c_i^{**}$ then the login proceeds to the next step. Otherwise, the user is not legal and has entered incorrect credentials, and the process will terminate
(Step 6) On successful user validation, it calculates the security parameters:
(Step 7) It also calculates $Factor_i^* = Factor_i \oplus TS_1$ for use in a security check later
(Step 8) In the end, $U_i$ sends the login parameters $M_5 = \{Factor_i^*, UD_k, UC_i, TS_3, e_i, f_i\}$ to the desired IoT node. Upon completing step 8, the login phase is complete. The user $U_i$ can select any node in the IoT environment
4.4. Authentication and Key Agreement Phase. To access the services of the IoT sensor nodes, the user will attempt to log in to the proper node, after which the node will redirect the user login request to GW, which will carry out the necessary process to check the user's authentication. When mutual validation is achieved between these three entities, a session key will be established between the user and the IoT sensor node. Figure 4 summarizes the login and the authentication phase. The following steps illustrate the processes of this phase.
(Step 1) On receiving the login request message from $U_i$, $D_k$ performs the timestamp check on the received $TS_3$, i.e., $(|TS_3 - T| < \Delta T)$. It also checks the security parameter $(Factor_i^* \stackrel{?}{=} Factor_i \oplus TS_1)$ to authenticate $U_i$. If the condition is unsatisfied, then the login is terminated; otherwise, the process proceeds to the next step
(Step 2) $D_k$ uses the stored values of $e_j$ and $a_j$ to $Factor_i^*\}$ to the GW. GW can recognize the legitimacy of $U_i$ and the node $D_k$ on the basis of the parameter $Factor_i^*$ and the transaction time. In this step, the node $D_k$ authenticates the GW
(Step 5) GW verifies the received timestamp $(|TS_4 - T| < \Delta T)$ and $(Factor_i^* \stackrel{?}{=} Factor_i \oplus TS_1)$, authority of the $U_i$, and the device $D_k$ simultaneously. If the condition is satisfied, then the GW proceeds to the next step; otherwise, the process is terminated
(Step 6) Then, GW calculates the security parameters: Afterwards, the GW checks the equality of $b_j$ and $b_j^*$. If they are equal, then GW authenticates the node $D_k$ and the user $U_i$
The IoT sensor node $D_k$ must be successfully verified by the GW on the basis of the retrieved $(Factor_i)$ depending on $MID_i$. Therefore, GW performs the following:
(Step 2) GW compares the original $UD_k$ and the calculated $UD_k^*$ to authenticate $U_i$. If the verification condition is unsuccessful, then the GW terminates the communication; otherwise, the GW continues to the next step
(Step 3) Next, GW computes the security parameters:
Upon receiving the verification parameters $M_7$ from the GW, $D_k$ performs the following steps:
(Step 1) $D_k$ verifies the timestamp $|TS_5 - T| < \Delta T$. If the verification condition is unsatisfied, then the process is terminated; otherwise, it continues forward
If the condition is unsatisfied, then the process is terminated; otherwise, it proceeds to the next step where M is a random number generated once. Afterwards, $D_k$ computes the session key as $SK = h(R_i \oplus M_i \oplus Factor_i^*)$
(Step 4) At last, $D_k$ sends $M_8 = \{V_i^*, TS_3, TS_4, TS_5, TS_6, ch_a\}$ to the $U_i$.
When $U_i$ receives the verification parameter $M_8$ from $D_k$, $U_i$ executes the following steps:
(Step 1) $U_i$ performs timestamp checks, i.e., $|TS_6 - T| < \Delta T$? If not, then the process is terminated; otherwise, it continues to the next step
If not, then $U_i$ is unsure of the authority of $D_k$ and the GW; otherwise, the $U_i$ computes the session key as $SK = h(M_i^* \oplus R_i)$ and the authentication and key agreement phase successfully
4.5. Password and Biometric Change Phase. This phase is necessary to regularly update the user password to preserve high security. The proposed protocol allows the remote user to change his/her password easily.

Security Analysis
We evaluate the security strength of the proposed protocol using both formal and informal security analysis in this section. First, we prove that the proposed protocol provides mutual authentication between the remote user and the IoT sensor node using BAN logic verification. Then, we show that the proposed protocol is resistant to other well-known attacks using informal security analysis. After that, we perform a formal security analysis using the popular and widely accepted automated verification tool, AVISPA.

Mutual Authentication Proof through BAN Logic.
We use the widely recognized BAN logic [58] to prove that mutual authentication is achieved between the registered legitimate remote user and an accessed IoT sensor node with the help of a trusted gateway node. Table 2 shows the symbols used in BAN logic and their respective meanings, where P and Q represent the principals, and X denotes a statement.

Theorem 1. The proposed protocol provides secure mutual authentication between $U_i$ and $D_k$ in the presence of the GW.
Proof. We define the following four goals: The idealization form of the transmitted messages during the login and authentication phase under the proposed protocol is presented as follows: We consider the following initial assumptions according to the proposed protocol description:

$P \triangleleft X$: Principal P sees the statement X.
$P \mid\sim X$: Principal P once said the statement X.
$\#(X)$: The formula X is fresh.
$P \stackrel{K}{\longleftrightarrow} Q$: P and Q use the shared session key K to communicate, and K will never be discovered by any principal except P and Q.
$P \Rightarrow X$: P has jurisdiction over X.

From Mssg5, we could get S25:
Based on S25, H13, and rule 1, we have
Based on H14 and rule 4, we have S27: $D_k \mid\equiv \#$
Based on S26, S27, and rule 2, we get S28:
Based on S28 and rule 5, we could get S29:
Based on S29, H15, and rule 3, we have S30:
Based on S30, S31, H13, and rule 1, we get S32: $N_k \mid\equiv GW \mid\sim$
Based on H14, H16, and rule 4, we obtain the following: S33: $D_k \mid\equiv \#$
Based on S32, S33, and rule 2, we have the following:
Based on S17, S18, and S34, we get S35: $D_k \mid\equiv GW \mid\equiv ($
Based on S35, H17, and rule 3, we get S36:
Based on S37, H13, and rule 1, we get:
Based on H14, H16, and rule 4, we get
From S38, S39, and rule 2, we get S40:
Based on S17, S18, S35, and rule 5, we get goal 4:
Based on S36, H18, goal 4, and rule 3, it will lead to the following:
Based on S41, H19, and rule 1, we get S42: $U_i \mid\equiv GW \mid\sim$
Based on H20, and rule 4, we get S43: $U_i \mid\equiv \#$
Based on S42, S43, and rule 2, we get
From S48, S49, and rule 2, we have S50:
Based on S45, S50, and rule 5, we have
Finally, using S46, H23, goal 2, and rule 3, we obtain
Hence, the goals 1 and 2 assure mutual authentication among $U_i$ and $N_k$ in presence of GW
5.2. Informal Security Analysis. In this section, we present an informal security analysis to show that the proposed protocol withstands various well-known malicious attacks. Besides, it provides most security functionality requirements.

Proposition 2. Resistance to the IoT sensor node capture attack.
Proof. Assume that a malicious attacker MA attempts to compose the legal authentication request message M 6 6 , ch ag of the IoT sensing node $N_k$ and send it to $U_i$ or GW on behalf of $N_k$. For this purpose, MA tries to modify the exchanged messages $M_6$ and $M_7$ to $M_6^i = (UC_i', UD_k', Factor_i^{*\prime}, e_i', f_i', TS_3', TS_4')$ and $M_7^i = (V_i^{*\prime}, TS_4', TS_6')$ by extracting the stored information. MA cannot obtain the value of $MID_i$ as it is protected by a one-way hash function and the shared secret key $X_{gN_k}$, which is only known to the IoT sensor node $N_k$. Also, MA cannot calculate $V_i^*$ as it is protected by a one-way hash with the random number $M_i$. Therefore, our proposed protocol resists node compromise attacks.

Proposition 3. Resistance to impersonation attacks.
Proof. In our proposed protocol, the attacker cannot extract or impersonate the level 3 feature extraction of the fingerprint of $U_i$. Moreover, if a malicious attacker attempts to change the parameter $UD_k = h(X_{gu} \parallel TS_1 \parallel Factor_i \oplus R_i)$ to a new one, $UD_k'$, then the attacker will fail on the GW side because $UD_k'$ does not match the $UD_k$ calculated by the GW in the authentication phase. Therefore, the proposed protocol resists impersonation attacks.

Proposition 4. Resistance to replay attacks.
Proof. Assuming that a malicious attacker aims to retransmit a message gained by eavesdropping on an efficient communication channel between the $U_i$ and the $D_k$ during the login and authentication phase, the attacker will fail, because our proposed protocol uses timestamps $(TS_3, TS_4, TS_5, TS_6)$, and the delay time of the timestamp is brief. Our proposed scheme also uses $Factor_i^*$, which is stored on the basis of level 3 feature extraction. Therefore, the proposed protocol provides efficient security against replay attacks.
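The checks argued in Propositions 3 and 4, written out as an added Python example (not code from the paper or its authors): a gateway-side verifier for the window |TS − T| < ΔT, for Factor*_i = Factor_i ⊕ TS_1, and for UD_k = h(X_gu ∥ TS_1 ∥ Factor_i ⊕ R_i), plus the session key SK = h(R_i ⊕ M_i ⊕ Factor*_i). SHA-256 for h, the 32-byte encodings, the ΔT value, the record the verifier holds, and all sample values are assumptions made for the illustration.

```python
import hashlib
import hmac

WIDTH = 32    # every protocol value is handled as a 32-byte string (assumption)
DELTA_T = 5   # acceptance window ΔT in seconds (constructed value)


def h(*parts: bytes) -> bytes:
    """h(.) over the concatenation (||) of its arguments; SHA-256 is assumed."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def ts_bytes(ts: int) -> bytes:
    """Timestamp as a WIDTH-byte big-endian string (assumed encoding)."""
    return ts.to_bytes(WIDTH, "big")


def factor_star(factor: bytes, ts1: int) -> bytes:
    """Factor*_i = Factor_i XOR TS_1."""
    return xor(factor, ts_bytes(ts1))


def ud_k(x_gu: bytes, ts1: int, factor: bytes, r_i: bytes) -> bytes:
    """UD_k = h(X_gu || TS_1 || Factor_i XOR R_i)."""
    return h(x_gu, ts_bytes(ts1), xor(factor, r_i))


def session_key(r_i: bytes, m_i: bytes, f_star: bytes) -> bytes:
    """SK = h(R_i XOR M_i XOR Factor*_i), the form computed by D_k."""
    return h(xor(xor(r_i, m_i), f_star))


def verify_request(msg: dict, record: dict, x_gu: bytes, now: int) -> str:
    """Return "accept" or the reason the request is rejected.

    msg["ts"] is the timestamp carried by the message (TS_3 or TS_4 in the
    paper); record is what the verifier is assumed to hold for this user.
    """
    if not abs(msg["ts"] - now) < DELTA_T:
        return "reject: stale timestamp"
    expected = factor_star(record["factor"], record["ts1"])
    if not hmac.compare_digest(msg["factor_star"], expected):  # constant time
        return "reject: Factor* mismatch"
    expected = ud_k(x_gu, record["ts1"], record["factor"], record["r_i"])
    if not hmac.compare_digest(msg["ud_k"], expected):
        return "reject: UD_k mismatch"
    return "accept"


# Constructed sample values; none of them come from the paper.
X_GU = h(b"constructed gateway key X_gu")
RECORD = {
    "factor": h(b"constructed Factor_i"),
    "r_i": h(b"constructed R_i"),
    "ts1": 1_700_000_000,
}
SENT_AT = 1_700_000_100


def sample_message() -> dict:
    """A well-formed request. How U_i itself derives UD_k is not recoverable
    from this page, so the sample simply evaluates the stated formula."""
    return {
        "factor_star": factor_star(RECORD["factor"], RECORD["ts1"]),
        "ud_k": ud_k(X_GU, RECORD["ts1"], RECORD["factor"], RECORD["r_i"]),
        "ts": SENT_AT,
    }


def run_scenarios() -> dict:
    """Verdicts for a fresh request, a late replay and two altered requests."""
    msg = sample_message()
    forged_ud = dict(msg, ud_k=h(b"substituted UD_k'"))
    forged_fs = dict(msg, factor_star=factor_star(RECORD["factor"],
                                                  RECORD["ts1"] + 1))
    return {
        "fresh": verify_request(msg, RECORD, X_GU, SENT_AT + 1),
        "replayed": verify_request(msg, RECORD, X_GU, SENT_AT + 60),
        "forged_ud_k": verify_request(forged_ud, RECORD, X_GU, SENT_AT + 1),
        "forged_factor": verify_request(forged_fs, RECORD, X_GU, SENT_AT + 1),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:14s} {verdict}")
```

The window test uses a strict inequality, as in the paper's condition, so a message whose age equals ΔT exactly is rejected.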

Proposition 5. Resistance to stolen smart device attacks.
Proof. In the case where the user's smart device is stolen or lost, the attacker aims to access the sensitive information stored in the device's memory using a power examination attack. Our proposed protocol provides efficient security against this kind of attack. The attacker cannot determine the identity $ID_i$ and the password $PW_i$ of the $U_i$ since these are masked by a hash function on the basis of a random number $R_i$ that is generated only once. Moreover, the attacker cannot identify the feature extraction $FP_i$ given the hash function. Accordingly, our proposed protocol provides efficient security against stolen smart device attacks.

Proposition 6. Resistance to password change attacks.
Proof. To change the user password, a malicious attacker must use the personal fingerprint of a genuine $U_i$. Thus, the attacker cannot change the password. Assuming that a user's smart device is stolen or lost or is used by an attacker through another method, the attacker still cannot change the password, since this process requires the old password. Therefore, our proposed protocol resists password change attacks.

Proposition 9. Resistance to gateway node bypass attacks.
Proof. In this kind of attack, the attacker aims to impersonate the GW with the aim of later connecting to any IoT node $D_k$. Our proposed scheme can resist this type of attack because, as illustrated in Figure 4, the $U_i$ initially sends the authentication message $Factor_i^*$, $UD_k$, $UC_i$, $TS_3$, $e_i$, and $f_i$ to the desired node $D_k$ to initiate the authentication phase. Subsequently, the node $D_k$ returns this message to the GW (Figure 3.7). Then, GW verifies $D_k$ and $U_i$. Accordingly, $U_i$, as the first step, uses any IoT facility that is disconnected from the GW. Therefore, the proposed protocol provides efficient security against gateway node bypass attacks.
Proof. As previously explained in Section 4, this type of attack aims to intercept communication between two legitimate parties and to modify, delete, or delay messages. We suppose that a malicious attacker intercepts the login message ($M_5 = \{Factor_i^*, UD_k, UC_i, TS_3, e_i, f_i\}$) transmitted from $U_i$ to the node $D_k$ and the authentication message ($M_6 = \{UC_i, UD_k, e_i, f_i, TS_3, TS_4, Factor_i^*\}$) that is transmitted from the node $D_k$ to GW. In this scenario, the attacker aims to modify the login message or authentication message to $(M_5', M_6')$. However, the attacker cannot predict the shared secret key needed to modify these messages. Moreover, each message communicated in the login and authentication phases has a timestamp with a short delay, thereby preventing an attacker from changing the messages. Therefore, our proposed scheme resists MITM attacks.

Proposition 11. Resistance to Off-line Guessing Attacks.
Proof. In our proposed scheme, a malicious attacker cannot gain an advantage by using off-line password-guessing attacks because the attacker cannot obtain the real passwords of a genuine $U_i$ using the communication messages 3 , $TS_4$, $Factor_i^*\}$ in the login and authentication phases, respectively. Even if the user's smart device is stolen, the attacker cannot predict the password due to the nature of the hash function. Furthermore, the attacker cannot deduce the user fingerprint because the fingerprint is stored on the basis of a random number $R_i$, level 3 feature extraction that is generated only once, and the use of a strong hash function. If the adversary guesses $PW_i'$, then, to validate $PW_i'$ with $b_i^* \stackrel{?}{=} b_i^{**}$ and $c_i^* \stackrel{?}{=} c_i^{**}$, he/she needs to know $U_i$'s identity as well as $U_i$'s biometric $B_i$. Moreover, to guess $PW_i$, the adversary will need to guess $ID_i$ and $B_i$ along with the password. However, revealing, stealing, or forging user biometric information is not achievable; hence, the proposed protocol withstands offline password-guessing attacks.
Proof. This feature indicates that the $U_i$ and the IoT node $D_k$ must agree on a secure session key to protect their successive communications. In our protocol, once $D_k$ receives the authentication request ($M_7 = \{GP_{ij}, V_i, TS_5\}$) from the GW, it computes the session key $SK = H(R_i \oplus M_i \oplus Factor_i^*)$ on the basis of the mask nonce $M_i$, $R_i$, and $Factor_i^*$. Afterwards, $D_k$ sends the message ($M_8 = \{V_i^*, TS_3, TS_4, TS_5, TS_6, ch_a\}$) to the $U_i$. Subsequently, $U_i$ receives the authenticated message and then calculates the session key $SK = h(M_i^* \oplus R_i)$, and both session keys are equal as shown in Figure 3.6. Therefore, our proposed protocol supports a secure session key.

Proposition 13. Provides user anonymity.
Proof. Anonymity means protecting the information of a $U_i$ from being tracked by an attacker. The user information, namely the identity $ID_i$, password $PW_i$, and fingerprint $FP_i$, is masked by a hash function. The fingerprint $FP_i$ is calculated on the basis of the hash function of level 3 feature extraction. Accordingly, if a particular attacker attempts to interrupt the message exchange between the entities, then the attacker will fail to trace the user information.

Proposition 14. Provides forward secrecy.
Proof. In our protocol, we created the session key $SK = h(R_i \oplus M_i \oplus Factor_i^*)$ on the basis of the nonce $M_i$, which is generated once for each $U_i$ who desires to log in to the IoT nodes. We also created the random number $R_i$ and the $Factor_i$, which is not saved as plaintext. Therefore, a malicious attacker cannot obtain the session key in any way.

Proposition 15. Provides mutual authentication.
Proof. An authentication mechanism requires each entity in the IoT environment, i.e., GW, the $U_i$, and the IoT node $D_k$, to validate each other. In our proposed protocol, after executing the necessary steps, $U_i$ sends the authentication message ($M_5 = \{Factor_i^*, UD_k, UC_i, TS_3, e_i, f_i\}$) to $D_k$ in the login phase (see Figure 3.7). Then, $D_k$ sends the authentication message ($M_6 = \{UC_i, UD_k, TS_3, TS_4, e_i, f_i, Factor_i^*\}$) to GW. Accordingly, the GW uses the authenticated message to validate the $U_i$ and the node $D_k$. Therefore, the proposed protocol achieves mutual authentication.

Proposition 16. Provides key freshness.
Proof. In our work, we generate a session key $SK = h(R_i \oplus M_i \oplus Factor_i^*)$ that consists of fresh timestamps that are different in each session. Accordingly, our proposed protocol achieves key freshness. A security analysis of possible attacks against this model is presented below, and it is shown that our proposed protocol can resist several well-known attacks.

Formal Security Analysis Using the AVISPA Tool.
AVISPA is a powerful automated validation tool that supports a wide range of applications in building analysis models for cryptographic protocols and in verifying and validating them. To validate a protocol using the AVISPA tool, the protocol is first coded in the HLPSL language. Then, the HLPSL code is translated into the intermediate format (IF) by the HLPSL2IF translator. Finally, the IF specification is given as input to the back ends. After executing the IF, the back end reports the result of the protocol simulation in the output format (OF), stating whether the protocol is safe or unsafe against man-in-the-middle and replay attacks. The back ends also confirm the security features of the protocol, such as resilience against most of the known attacks, authentication, and the secrecy of keys. Note that AVISPA analyzes protocols under the Dolev-Yao threat model [59,60]. More details of the AVISPA tool and HLPSL can be found in [61].
To implement and simulate the proposed protocol on AVISPA, we used the SPAN tool, Version 1.6, on a computer system consisting of a Windows 10 Enterprise operating system (64 bit) supported by Ubuntu 10.10 light on a virtual machine, an Intel(R) Core(TM) i7-7500U CPU @ 2.70 GHz 2.90 GHz processor, and 8 GB RAM. In AVISPA, there is a role for each entity, and these roles are independent of each other. AVISPA is implemented in the form of four back ends, namely, TA4SP (Tree Automata based on Automatic Approximations for the Analysis of Security Protocols), OFMC (On-the-fly Model-Checker), CL-AtSe (Constraint Logic-based Attack Searcher), and SATMC (SAT-based Model Checker) [62]. We have evaluated the proposed protocol against man-in-the-middle and replay attacks under the OFMC and CL-AtSe back ends using SPAN.
The user registration, login, and authentication phases of the proposed protocol are implemented in HLPSL using three basic roles: the remote user, the IoT sensor node, and the gateway node. The compulsory roles for the environment, session, and goal are also defined. Figure 5 provides the simulation results, which clearly indicate that the proposed protocol is protected against man-in-the-middle and replay attacks.

Comparative Study
The proposed protocol is compared with the recent user authentication protocols proposed in the IoT environment such as the protocols of Banerjee et al. [1], Yang et al. [8], Dhillon and Kalra [33], Dammak et al. [45], Li et al. [50], and Farkoon et al. [60].
6.1. Security Functionality Comparisons.
Table 3 summarizes the comparison of the functionality features of the recent user authentication protocols [1,8,33,45,50,60]. It can be observed that the proposed protocol offers improved security and functionality features in comparison to the other recent protocols.

Computation Overhead Comparison.
In this section, we compare our proposed protocol in terms of computation overhead with those of recent related protocols [1,8,33,45,50,60]. The protocol comprises four phases: user and sensor node registration phase, login phase, key agreement and authentication phase, and password and biometrics change phase. In the IoT WSN environment, the performance of the user authentication protocol is mainly affected by the login and authentication phase [2]. These two phases are the major part of the user authentication protocol and are what chiefly distinguish it from other user authentication protocols in IoT WSNs. Consequently, we focused our discussion of computation overheads on the login and authentication phase. The computational costs are the time consumed by the user and service provider in the process [9]. For the computation overhead analysis, we used the notations $T_h$ and $T_m$ to indicate the time complexity of the hash function and the elliptic curve cryptography (ECC) algorithm, respectively. The computational costs of the XOR operation are usually neglected because it requires a minimal number of computations.
In the login and authentication phase of our protocol, the remote user requires only $8T_h$ to calculate the parameters of a login and authentication request message. The IoT sensor node expends only $3T_h$ to verify the login request and to calculate the parameters of the key agreement message. The gateway node requires only $7T_h$ to verify whether the verification equations hold. Our proposed protocol uses only XOR and one-way hash function operations to build a simple user authentication and key agreement protocol. In contrast, Li et al.'s protocol [50] provides an authentication and key agreement protocol that is designed using an asymmetric ECC encryption algorithm. The time complexity of the asymmetric ECC encryption operation is greater than that of a one-way hash function. According to a practical example of the computational costs in an environment with a CPU of 3.2 GHz and 3.0 GB of RAM, a one-way hash operation requires 0.02 ms when using SHA-1, and the ECC encryption operation requires 0.45 ms when using ECC-160 [63]. Therefore, the total computational overhead of our protocol is 0.36 ms. Table 4 summarizes the computational overheads of our proposed protocol and the existing protocols in [1,8,33,45,50,60] with approximate time (in milliseconds). It is clear that the proposed protocol requires lower overall computation costs. The energy consumption of the IoT sensor node in our work is 0.06 ms, which is 50%, 81.25%, 25%, 87.75%, 62.5%, and 95.8% lower than the computation times in the protocols of [1,8,33,45,50,60], respectively.
Consequently, the total energy consumed by the IoT sensor node in our protocol is 0.36 ms. Therefore, our proposed protocol is more efficient and suitable for constrained sensor devices in the IoT WSN environment. improvements of computational costs of the present protocols. From Table 5, it can be observed that the computational cost for the resource-limited IoT sensing device in our protocol is lower than that of the recent existing protocols. The proposed protocol achieves superior performance because it consumes less energy than recent related protocols and is highly efficient. As the sensor nodes deployed in IoT networks have low battery life, low storage, and limited processing capability, the energy consumption of these IoT sensor nodes must be optimized. The energy of an IoT sensor node depends on two factors: the number of cryptographic operations to be performed and the amount of data being transmitted. Our proposed protocol minimizes the number of cryptographic computations; therefore, more data can be transmitted via IoT sensor nodes. For the evaluation of the proposed protocol, the workload is not taken into consideration. In the future, the proposed protocol will be executed for different workloads in cloud computing and IoT environments.

Communication Overhead Comparison.
For the communication overhead computation, we assumed that the timestamp, hash digest (assuming the SHA-1 hashing algorithm is applied), identity, random nonce, and secret key are 128 bits each, while the ECC operations are 160 bits. There are four messages exchanged between $U_i$, $N_k$, and GW in the proposed protocol: $M_5 = \{MID_i, UD_k, UC_i, TS_3\}$, $M_6 = \{UC_i, UD_k, TS_4\}$, $M_7 = \{GP_{ij}, V_i, TS_5\}$, and $M_8 = \{V_i^*, TS_4, TS_6\}$, where $MID_i$, $UD_k$, $UC_i$, $GP_{ij}$, and $V_i$ are hash function outputs and $TS_3$, $TS_4$, $TS_5$, and $TS_6$ are timestamps. According to our assumption above, each parameter is 128 bits. Therefore, the communication overhead of the proposed protocol is $128 \times 13 = 1664$ bits. Table 6 summarizes the communication overheads and the number of exchanged messages for all protocols in addition to the proposed protocol. We observe that the proposed protocol obtains less communication overhead as compared to the protocols in [1,8,33,45,50,60] and incurs greater overhead than the protocol in [60]. Although the protocol in [60] bears less overhead, it did not achieve the desired functionality and security features such as resistance to impersonation attacks, password guessing attacks, and DoS attacks, preserved user anonymity, and forward secrecy, in contrast to our protocol, which achieved all functionality and security features (see Table 3).
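The computation and communication figures in the two comparison paragraphs above can be recomputed from the per-role hash counts and message layouts the text gives. The following Python model is an added example, not code from the paper; its function and dictionary names are illustrative, and `measure_hash_ms` is an added helper that lets a reader substitute a SHA-1 timing measured on their own hardware for the cited 0.02 ms.

```python
import hashlib
import time

# Values taken from the text: hash operations per role in the login and
# authentication phase, and the cited unit costs for SHA-1 and ECC-160.
HASH_OPS = {"user": 8, "sensor_node": 3, "gateway": 7}
T_H_MS = 0.02      # one-way hash operation
T_M_MS = 0.45      # ECC operation (the proposed protocol uses none)
FIELD_BITS = 128   # the text's size assumption for every parameter

# Message layouts as listed in the communication overhead paragraph.
MESSAGES = {
    "M5": ["MID_i", "UD_k", "UC_i", "TS_3"],
    "M6": ["UC_i", "UD_k", "TS_4"],
    "M7": ["GP_ij", "V_i", "TS_5"],
    "M8": ["V_i*", "TS_4", "TS_6"],
}

def computation_ms(hash_ops, ecc_ops=None, t_h_ms=T_H_MS, t_m_ms=T_M_MS):
    """Return (per-role cost, total cost) in ms; XOR is neglected as in the text."""
    ecc_ops = ecc_ops or {}
    roles = sorted(set(hash_ops) | set(ecc_ops))
    per_role = {r: hash_ops.get(r, 0) * t_h_ms + ecc_ops.get(r, 0) * t_m_ms
                for r in roles}
    return per_role, sum(per_role.values())

def communication_bits(messages, field_bits=FIELD_BITS):
    """Return (bits per message, total bits) for fixed-size fields."""
    per_msg = {name: len(fields) * field_bits for name, fields in messages.items()}
    return per_msg, sum(per_msg.values())

def measure_hash_ms(rounds=20000, payload=b"\x00" * 64):
    """Average time of one SHA-1 digest on this machine, in ms."""
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.sha1(payload).digest()
    return (time.perf_counter() - start) * 1000 / rounds

if __name__ == "__main__":
    per_role, total = computation_ms(HASH_OPS)
    print("cited unit cost:", per_role, "total", round(total, 2), "ms")
    local_t_h = measure_hash_ms()
    print("measured unit cost:", computation_ms(HASH_OPS, t_h_ms=local_t_h))
    print("communication:", communication_bits(MESSAGES))
```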

Conclusion
In this paper, we presented a secure and lightweight three-factor remote user authentication protocol designed for future IoT WSN applications. The proposed protocol allows a legitimate remote user to mutually authenticate with the IoT sensor node through a trusted gateway node. The symmetric session key SK is established at the end of successful mutual authentication between the user and the IoT sensor node for future secure communications. The security of the proposed protocol is formally verified using the widely accepted BAN logic. Furthermore, informal security verification demonstrates that the proposed protocol resists the most well-known attacks. The formal security is also evaluated using the AVISPA simulation, and the results showed that our protocol is safe. Finally, the performance comparison in terms of computation and communication overheads demonstrated that our protocol achieves high efficiency and performance compared to recent related protocols and is more suitable for practical IoT WSN environments.

Data Availability
All data are available within the manuscript.

Conflicts of Interest
The authors declare that they have no conflicts of interest.

Journal of Sensors