A Secure and Privacy-Preserving Three-Factor Anonymous Authentication Scheme for Wireless Sensor Networks in Internet of Things

The Internet of Things is playing an increasingly important role in smart healthcare, smart grids, and smart transportation, and using wireless sensor networks (WSN) we can easily obtain and transmit information. However, data security and users' privacy are the biggest challenges for WSN because sensor nodes have low computing power and low storage capacity and are easy to capture, and wireless networks are vulnerable. In 2021, Shuai et al. proposed a lightweight three-factor anonymous authentication scheme for WSN. However, we found that their protocol is vulnerable to a stolen-verifier attack and a message-modification attack and lacks perfect forward secrecy. We therefore propose a new three-factor anonymous authentication scheme using elliptic curve cryptography (ECC). Informal and formal security analyses show that our scheme resists various known attacks while maintaining low computational complexity.


Introduction
In recent years, with the rapid development of Internet of Things (IoT) technology, wireless sensor networks (WSN) have become widely used in medical, military, agricultural, and other fields [1]. A large number of wireless sensor nodes are deployed in the target field to collect data, but sensor nodes have low computing power and low storage capacity and are easy to capture. In addition, compared with a traditional wired network, messages are transmitted over wireless channels and may easily be attacked by eavesdropping, capture, replay, forgery, and so on. In order to protect data security and users' privacy, it is very important to design a secure and privacy-preserving authentication and key agreement protocol for WSN in IoT.
Many authentication protocols have been proposed in the past ten years; however, these protocols have one or more security flaws [2]. In 2013, Li et al. proposed a communication scheme for IoT [3] which provides authentication, integrity, non-repudiation, and confidentiality. However, this scheme is based on bilinear pairing, so it is hard to deploy in WSN [4]. In 2014, Turkanović et al. [5] proposed a hash function-based authentication scheme for WSN. Farash et al. [6] pointed out that it suffers from impersonation attacks, smart card loss attacks, and session key disclosure attacks; Farash et al. then designed a new two-factor authentication (2FA) protocol. Amin and Biswas [7] also showed that Turkanović et al.'s scheme [5] suffers from offline password-guessing attacks and impersonation attacks, and Amin et al. proposed a 2FA protocol for multi-gateway WSN. Meanwhile, Amin et al. found that Farash et al.'s scheme [6] has some security flaws, such as impersonation attacks, smart card loss attacks, and offline password-guessing attacks.
In order to improve the security of authentication protocols, the Diffie-Hellman key agreement algorithm, Chebyshev chaotic maps [8], and elliptic curve cryptography (ECC) are used to design secure user authentication and key agreement protocols [9,10]. In 2009, Das [11] proposed an authentication protocol based on ECC for WSN, but their scheme suffers from privileged insider attacks and gateway bypass attacks [12]. Later, Kumar et al. [13] proposed an efficient authentication protocol for WSN. He et al. [14] showed that their scheme suffers from offline password-guessing attacks and privileged insider attacks. To overcome these security flaws, they proposed an improved authentication scheme for WSN. Unfortunately, Li et al. [15], Wu et al. [16], and Mir et al. [17] pointed out that He et al.'s scheme is still insecure and may suffer from offline password-guessing attacks and impersonation attacks. Therefore, Li et al. [15] proposed a three-factor authentication (3FA) scheme to overcome these flaws, because two-factor authentication (2FA) schemes usually suffer from offline password-guessing attacks [18]. Compared with 2FA schemes, 3FA schemes improve security because they use biometrics to avoid password-guessing attacks. Yeh et al. [19] and Chang and Hai [20] proposed 3FA schemes for WSN to resist various known attacks, but these schemes suffer from smart card loss attacks, impersonation attacks, and so on. Challa et al. [21] therefore proposed a signature-based authentication scheme to achieve security, but its computation cost is high. In 2021, Tanveer et al. [22] proposed a lightweight user authentication and key exchange scheme for smart homes, and Xie et al. [23] designed an ECC-based secure and privacy-protected authentication protocol for smart cities. Shuai et al. [24] proposed a 3FA scheme for WSN which uses a bio-hash function to enhance security.

Motivations and Contributions.
In 2021, Shuai et al. [24] proposed a lightweight 3FA anonymous authentication scheme; however, we point out that Shuai et al.'s scheme is vulnerable to a stolen-verifier attack and a message-modification attack and lacks perfect forward secrecy. To solve these problems, we propose a new 3FA scheme based on ECC and a fuzzy extractor. We summarize our contributions as follows:
(1) We point out that Shuai et al.'s scheme suffers from a stolen-verifier attack and a message-modification attack and lacks perfect forward secrecy.
(2) A new three-factor authentication scheme for WSNs based on ECC and a fuzzy extractor is proposed.
(3) We use the formal verification tool ProVerif [25], which is based on the applied pi calculus, to prove the security of the proposed scheme.
(4) The informal security analysis shows that the proposed scheme resists various known attacks.
(5) We evaluate the computational cost of the proposed scheme against some related schemes; the result shows that the proposed scheme has better performance.

Attack Model.
Referring to the Dolev-Yao threat model [26], we assume an adversary U_A with the following abilities:
(1) U_A can eavesdrop on all messages transmitted via an open channel.
(2) U_A can modify, insert, replay, and reroute the eavesdropped messages.
(3) If U_A obtains the smart card of user U_i, he/she can read all the data kept in the smart card.
(4) U_A can obtain all data stored in a sensor node if U_A captures that sensor node.
(5) U_A may be an insider attacker.
The rest of the paper is organized as follows. We review the scheme of Shuai et al. in Section 2. Section 3 presents the security analysis of Shuai et al.'s scheme. We propose the new scheme in Section 4. Sections 5 and 6 present the informal and formal security analyses of the proposed scheme. In Section 7, we compare the performance of the proposed scheme with some related schemes. Finally, the paper concludes in Section 8.

Review of Shuai et al.'s Scheme
Shuai et al.'s scheme [24] consists of three phases: registration phase, login and authentication phase, and password change phase.

Registration Phase.
The registration phase includes user (e.g., health professional) registration and medical sensor node registration. The user registration phase is as follows.
Step UR1: the user U_i chooses an identity ID_i and inputs a password PW_i and fingerprint fg_i via the sensor device; the device generates a random number m_i. After that, the device computes MB_i = BH(m_i‖fg_i) and MPW_i = h(ID_i‖PW_i‖MB_i‖m_i) and then sends ID_i, MPW_i, and the personal credential to GWN via a private channel.
Step UR2: once the message is received, GWN generates random numbers n_i, r_i, and K_1 and computes HID_i, Y_i, and V_i. GWN stores ID_i, HID_i, n_i, K_1, and the user's credential in its memory, stores HID_i, Y_i, V_i, K_1, h(.), and BH(.) in a smart card, and issues the smart card to U_i via a private channel.
Step UR3: once the smart card is received, U_i writes m_i into the smart card. At the end of the user registration phase, the smart card contains HID_i, Y_i, V_i, K_1, h(.), BH(.), and m_i.
The registration phase of a sensor node is as follows.
Step SR1: the medical sensor node SN j chooses identity SID j and sends it to GWN via a private channel.
Step SR2: on receiving SID_j, GWN first checks the uniqueness of SID_j; if SID_j is not unique, it refuses the registration request. Otherwise, GWN generates a random number K_2 and stores ⟨SID_j, K_2⟩ in its memory. Then GWN transmits K_2 to SN_j via a private channel.
Step SR3: on receiving K 2 , SN j stores K 2 .

Login and Authentication Phase
Step LA1: the user U_i inserts the smart card and enters the identity ID_i, password PW_i, and fingerprint fg_i. The smart card computes and checks the login verification values. If they do not match, it terminates the session. Otherwise, it proceeds to the next step.
Step LA2: if the user U_i is legal, the smart card generates a random number R and the current timestamp T_1; U_i selects the identity SID_j of sensor node SN_j, and the smart card computes M_1 and CK_1. Then U_i sends the message ⟨HID_i, M_1, CK_1, T_1⟩ to GWN via a public channel.
Step LA3: on receiving the message from U_i, GWN first checks the timestamp T_1: it gets the current time T_1^* and compares it with T_1 against the predefined threshold ΔT; if the difference exceeds ΔT, GWN terminates the session. Otherwise, according to HID_i, GWN extracts the identity ID_i, the random number n_i, and K_1 of user U_i from its storage table. Then GWN computes CK_1^* and compares it with CK_1. If they are not equal, it terminates the session. Otherwise, the user U_i is legal. GWN then generates a timestamp T_2 and a session key SK and computes M_2 = (SK‖ID_i) ⊕ h(K_2‖SID_j) and CK_2 = h(ID_i‖SID_j‖SK‖K_2‖T_2). Finally, GWN sends the message ⟨M_2, CK_2, T_2⟩ to the sensor node SN_j via an open channel.
Step LA4: on receiving the message ⟨M_2, CK_2, T_2⟩, SN_j gets the current time T_2^* and compares it with T_2; if the difference exceeds ΔT, it terminates the session. Then SN_j computes CK_2^* and compares it with CK_2. If they are not equal, it terminates the session. Otherwise, SN_j updates K_2 = h(K_2), generates a timestamp T_3, computes CK_3, and sends the message ⟨CK_3, T_3⟩ to GWN via an open channel.
Step LA5: on receiving the message ⟨CK_3, T_3⟩, GWN computes CK_3^* and compares it with CK_3. If they are not equal, it terminates the session. Otherwise, GWN updates K_1 = h(K_1) and K_2 = h(K_2), generates a random number r_i^* and a timestamp T_4, computes HID_i^*, M_3, and CK_4, and sends the message ⟨M_3, CK_4, T_4⟩ to U_i via an open channel.
Step LA6: on receiving ⟨M_3, CK_4, T_4⟩, U_i computes CK_4^* and compares it with CK_4. If they are equal, U_i updates K_1 and HID_i with K_1 = h(K_1) and HID_i = HID_i^* and completes the authentication.

Password Change Phase
Step PC1: the user U_i inserts the smart card and enters the identity ID_i, password PW_i, and fingerprint fg_i. The smart card computes and compares the verification values. If they are equal, the smart card allows U_i to enter a new password PW_i^*. Otherwise, it rejects the password change request.
Step PC2: the smart card computes MPW_i^*, Y_i^*, and V_i^* from the new password.
Step PC3: finally, the smart card deletes Y_i and V_i and stores Y_i^* and V_i^*.

Analysis of Shuai et al.'s Scheme
In this section, we will show that Shuai et al.'s protocol has some security flaws.

Modification of Messages/Desynchronization Attack.
Suppose an attacker U_A intercepts or changes the message ⟨CK_3, T_3⟩; GWN will then not update K_2 = h(K_2) before the session terminates. Therefore, SN_j and GWN store different values of K_2, and the sensor node SN_j is paralyzed, since every later session between them fails verification. The same attack works between GWN and the user U_i. If an attacker U_A intercepts or changes the message ⟨M_3, CK_4, T_4⟩ between Step LA5 and Step LA6, U_i will not update the value of K_1, whereas GWN has already updated K_1. From then on, U_i cannot pass GWN's authentication.
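To make the desynchronization concrete, here is an added Python model (not from the paper) of the K_2 hash-chain update in Steps LA3 to LA5 of Shuai et al.'s scheme. It assumes CK_3 = h(ID_i‖SID_j‖SK‖K_2‖T_3) computed with the sensor's already-updated K_2, since the page does not give the formula for CK_3, models h(.) with SHA-256, and uses constructed identities, keys and timestamps.

```python
import hashlib
from dataclasses import dataclass


def h(*parts: bytes) -> bytes:
    # h(.) of the paper modelled with SHA-256; ‖ is byte concatenation
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Gateway:
    sid: bytes
    k2: bytes  # verifier <SID_j, K_2> kept in GWN's table (Step SR2)

    def step_la3(self, uid: bytes, sk: bytes, t2: bytes):
        # M_2 = (SK‖ID_i) ⊕ h(K_2‖SID_j), CK_2 = h(ID_i‖SID_j‖SK‖K_2‖T_2)
        m2 = xor(sk + uid, h(self.k2, self.sid))
        return m2, h(uid, self.sid, sk, self.k2, t2), t2

    def step_la5(self, uid: bytes, sk: bytes, ck3: bytes, t3: bytes) -> bool:
        # GWN rolls K_2 forward only after CK_3 verifies (assumed CK_3 form)
        if ck3 != h(uid, self.sid, sk, h(self.k2), t3):
            return False
        self.k2 = h(self.k2)
        return True


@dataclass
class SensorNode:
    sid: bytes
    k2: bytes  # K_2 received in Step SR3

    def step_la4(self, m2: bytes, ck2: bytes, t2: bytes, t3: bytes):
        plain = xor(m2, h(self.k2, self.sid))
        sk, uid = plain[:16], plain[16:]  # SK and ID_i are 16 bytes each here
        if ck2 != h(uid, self.sid, sk, self.k2, t2):
            return None  # CK_2* != CK_2: session terminated
        self.k2 = h(self.k2)  # SN_j updates K_2 before GWN does
        return h(uid, self.sid, sk, self.k2, t3)  # CK_3 (assumed form)


def run_session(gwn, sn, uid, sk, t2, t3, drop_ck3=False) -> str:
    ck3 = sn.step_la4(*gwn.step_la3(uid, sk, t2), t3)
    if ck3 is None:
        return "sn_rejected"
    if drop_ck3:  # U_A intercepts <CK_3, T_3> on the open channel
        return "ck3_dropped"
    return "ok" if gwn.step_la5(uid, sk, ck3, t3) else "gwn_rejected"


def demo():
    """Constructed run: one clean session, one with CK_3 dropped, then a retry."""
    k2 = h(b"constructed K_2 seed")
    gwn, sn = Gateway(b"SN-7", k2), SensorNode(b"SN-7", k2)
    uid, sk = b"user-0001".ljust(16), bytes(16)
    r1 = run_session(gwn, sn, uid, sk, b"t2a", b"t3a")
    sync1 = gwn.k2 == sn.k2
    r2 = run_session(gwn, sn, uid, sk, b"t2b", b"t3b", drop_ck3=True)
    sync2 = gwn.k2 == sn.k2
    r3 = run_session(gwn, sn, uid, sk, b"t2c", b"t3c")  # legitimate retry fails
    return r1, sync1, r2, sync2, r3
```

After the dropped CK_3, the two K_2 chains are one step apart and the next legitimate session is rejected by the sensor node, which is the paralysis described above.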

Stolen-Verifier Attack.
In their scheme, GWN stores ⟨SID_j, K_2⟩, where SID_j is the identity of sensor node SN_j and the random number K_2 is generated by GWN for SN_j.
Assuming that SID_j and K_2 of each node are known to the attacker U_A, U_A can eavesdrop on ⟨M_2, CK_2, T_2⟩ via the open channel. By computing (SK‖ID_i) = M_2 ⊕ h(K_2‖SID_j), the attacker U_A obtains the session key SK and the user's identity ID_i.
If the attacker U_A knows ⟨SID_j, K_2⟩, he/she can intercept all messages and impersonate any sensor node. Knowing ⟨SID_j, K_2⟩, U_A can forge ⟨M_2, CK_2, T_2⟩ and send it to the sensor node SN_j, where M_2 = (SK‖ID_i) ⊕ h(K_2‖SID_j) and CK_2 = h(ID_i‖SID_j‖SK‖K_2‖T_2); SK, ID_i, and T_2 can be chosen freely by the attacker U_A. The sensor node verifies the message by computing CK_2^* and checking whether CK_2^* = CK_2, and they are necessarily equal. The sensor node then updates K_2 = h(K_2) and can no longer respond to legitimate requests. Finally, the sensor node is paralyzed.
So, if an attacker U_A can get access to the database, he/she can obtain session keys SK, impersonate sensor nodes, or paralyze sensor nodes.

Our Proposed Scheme
In this section, we propose a new three-factor anonymous authentication scheme using ECC and fuzzy extractor algorithm. Table 1 shows the notations and intuitive abbreviations mentioned in the proposed scheme.

System Setup Phase. GWN chooses an elliptic curve E(GF(q)) defined over GF(q), where GF(q) is a finite field over a large prime q, and P is a generator point on the curve. GWN chooses a secret parameter K_GWN, computes its public key PK_G = K_GWN · P, and publishes Rep(.), Gen(.), h(.), and PK_G, where Gen(.) and Rep(.) are the generation and reproduction algorithms of the fuzzy extractor, respectively, and h(.) is a hash function.

User Registration Phase
Step UR1: U i chooses its ID i and sends ID i to GWN via a private channel.
Step UR2: GWN verifies the validity and legitimacy of ID_i; if the check fails, GWN requests U_i to choose a new ID_i. Otherwise, GWN computes a_i = h(ID_i‖K_GWN), stores the information ⟨a_i, PK_G, P⟩ in a smart card (SC), and transmits it to U_i.
Step UR3: U_i inserts the SC into a card reader and enters ID_i, PW_i, and the fingerprint fng_i; the device computes (σ_i, τ_i) = Gen(fng_i), MPW_i = h(ID_i‖PW_i‖σ_i), and F_i = a_i ⊕ h(ID_i‖σ_i‖PW_i), so that the SC finally holds ⟨MPW_i, τ_i, F_i, PK_G, P⟩.

Sensor Node Registration Phase
Step SR1: GWN chooses a unique identity SID_j for sensor node SN_j and computes b_j = h(SID_j‖K_GWN). Then GWN sends ⟨b_j, SID_j, P⟩ to SN_j via a private channel.
Step SR2: upon receiving ⟨b_j, SID_j, P⟩, SN_j stores them in its memory.

Login and Authentication Phases
Step LA1: U_i inserts the smart card into the device, inputs the identity ID_i^* and the password PW_i^*, and enters the fingerprint fng_i^*. Then the device computes σ_i^* = Rep(fng_i^*, τ_i) and MPW_i^* = h(ID_i^*‖PW_i^*‖σ_i^*). If MPW_i^* ≠ MPW_i, the SC refuses the login request of U_i. Otherwise, it proceeds.
Step LA2: U_i creates a random number m_i and computes M_1 = m_i · P, M_2 = (ID_i^*‖SID_j) ⊕ h(m_i · PK_G‖T_1), and M_3, where PK_G is the public key of GWN and T_1 is the current timestamp. U_i sends the message MES_1 = ⟨M_1, M_2, M_3, T_1⟩ to GWN via an open channel.
Step LA3: on receiving MES_1, GWN checks the timestamp T_1, recovers ID_i^* and SID_j from M_2 using K_GWN · M_1 = m_i · PK_G, and computes M_3′. If M_3′ ≠ M_3, GWN declines the request. Otherwise, GWN generates the current time T_2, calculates N_1 and N_2, and transmits the message MES_2 = ⟨M_1, N_1, N_2, T_2⟩ to SN_j via an open channel.
Step LA4: after obtaining the message MES_2 = ⟨M_1, N_1, N_2, T_2⟩, SN_j computes N_2′. If N_2′ ≠ N_2, it terminates the session. Otherwise, SN_j generates a random number c_j and the current time T_3 and computes N_3 = c_j · P, the session key SK_j, and N_4 = h(S_i′‖SK_j‖N_3‖ID_i″‖T_3); SN_j then sends the message MES_3 = ⟨N_3, N_4, T_2, T_3⟩ to U_i via an open channel.
Step LA5: upon receiving the message MES_3 = ⟨N_3, N_4, T_2, T_3⟩, U_i gets the current timestamp T_3^* and checks that |T_3^* − T_3| ≤ ΔT; if not, it rejects the session. Otherwise, U_i computes the session key SK and N_4′. If N_4′ ≠ N_4, it terminates the session. Otherwise, the authentication is completed. Figure 1 demonstrates the steps of the mutual authentication and key agreement phase.

Informal Security Analysis
In this section, we discuss the possible attacks on the proposed scheme.

Stolen and Hyphen
Even if an adversary guesses a password, he/she cannot verify whether the guess is correct without knowing the biometric key σ_i.

Replay Attack.
Suppose that an adversary U_A impersonates user U_i by intercepting and replaying MES_1 = ⟨M_1, M_2, M_3, T_1⟩. The replayed MES_1 cannot pass GWN's verification if the timestamp is invalid. Even if a replayed MES_1 were accepted and U_A obtained MES_3, the session key depends on the random number m_i created by U_i, and U_A cannot obtain a_i^* or m_i. Therefore, replaying MES_1 is useless.
Suppose that U_A replays GWN's messages or the sensor node's messages. First, the replayed messages cannot pass the timestamp validity check. In addition, U_i, GWN, and SN_j generate fresh random numbers in each new session, which are used in the verification and in the generation of the session key. Therefore, our scheme is resistant to replay attacks.

Forgery Attack and Impersonation Attack.
Suppose an attacker impersonates the user U_i and sends MES_1; if the attacker does not have ID_i^*, PW_i^*, and fng_i^*, he/she cannot forge M_3. In other words, the attacker cannot impersonate a user.
If the attacker tries to impersonate GWN and forge MES_2, the attacker does not know K_GWN, so the forged N_2 cannot pass the verification of SN_j.
If the attacker impersonates the sensor node, he/she cannot forge a valid N_4 = h(S_i′‖SK_j‖N_3‖ID_i″‖T_3) without knowing SID_j and b_j.

Smart Card Loss Attack.
Suppose the smart card is stolen by an attacker U_A; U_A can read ⟨MPW_i, τ_i, F_i, PK_G, P⟩, where MPW_i = h(ID_i‖PW_i‖σ_i), τ_i is the reproduction parameter of the fuzzy extractor, F_i = a_i ⊕ h(ID_i‖σ_i‖PW_i), PK_G is the public key of GWN, and P is the base point of the elliptic curve. MPW_i and F_i are protected by the user's biometric information and password. Therefore, an attacker cannot recover any plaintext information or pass verification without knowing ID_i, PW_i, and fng_i.

Sensor Node Capture Attack.
In the proposed scheme, each sensor node SN_j stores ⟨b_j, SID_j, P⟩, where b_j = h(SID_j‖K_GWN), SID_j is the identity of the sensor, and P is the base point on the curve. An attacker cannot obtain K_GWN even if he/she captures the sensor, so capturing one sensor node does not affect other sensor nodes. Therefore, the proposed scheme resists sensor capture attacks.

Known-Key Attack.
The session key is SK = h(c_j · m_i · P‖SID_j‖ID_i‖S_i′), where c_j and m_i are random numbers generated afresh in every session, and the CDH problem is intractable. Therefore, even if an attacker obtains some session keys, he/she cannot recover other session keys, since that would require solving the CDH problem.

Anonymity and Unlinkability.
In the authentication phase of the proposed scheme, the user's identity is carried in the message MES_1 = ⟨M_1, M_2, M_3, T_1⟩, where M_1 = m_i · P and M_2 = (ID_i^*‖SID_j) ⊕ h(m_i · PK_G‖T_1). The user's identity ID_i^* is protected by h(m_i · PK_G‖T_1); only the gateway can obtain the user's real identity. So, our scheme meets the requirement of anonymity. At the same time, because the random number m_i and the timestamp T_1 are contained in M_2, which changes in each session, our scheme also provides unlinkability.

Perfect Forward Secrecy.
In the proposed scheme, the session key is SK = h(c_j · m_i · P‖SID_j‖ID_i‖S_i′). Even if an adversary learns all of the user's secret information, the secret key of GWN, c_j · P, and m_i · P, he/she still cannot compute c_j · m_i · P because of the intractability of the computational Diffie-Hellman (CDH) problem. So, the proposed scheme achieves perfect forward secrecy.
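The session-key agreement of Steps LA4 and LA5 and the forward-secrecy argument above, as an added Python example that is not the paper's code: it implements scalar multiplication on a small constructed curve (y² = x³ + 2x + 3 over F_97 with base point P = (3, 6), group order 5, chosen only for readability and not secure) and derives SK = h(c_j · m_i · P‖SID_j‖ID_i‖S_i′) on both sides; SID_j, ID_i and S_i′ are constructed placeholder values, and h(.) is modelled with SHA-256.

```python
import hashlib

# Constructed teaching curve y^2 = x^3 + 2x + 3 over F_97, base point P = (3, 6).
# It stands in for the large-prime curve E(GF(q)) of the scheme.
Q, A = 97, 2
P = (3, 6)
INF = None  # point at infinity


def inv(x: int) -> int:
    return pow(x, Q - 2, Q)  # Fermat inverse, Q is prime


def ec_add(p1, p2):
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % Q == 0:
        return INF  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % Q  # tangent slope
    else:
        lam = (y2 - y1) * inv((x2 - x1) % Q) % Q  # chord slope
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)


def ec_mul(k: int, pt):
    """Double-and-add scalar multiplication k·pt."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def h(*parts) -> str:
    # h(.) of the paper modelled with SHA-256; points are encoded via str()
    enc = [p if isinstance(p, bytes) else str(p).encode() for p in parts]
    return hashlib.sha256(b"".join(enc)).hexdigest()


def user_session_key(m_i, N_3, sid_j, id_i, s_i):
    # U_i (Step LA5): c_j·m_i·P = m_i·N_3
    return h(ec_mul(m_i, N_3), sid_j, id_i, s_i)


def sensor_session_key(c_j, M_1, sid_j, id_i, s_i):
    # SN_j (Step LA4): c_j·m_i·P = c_j·M_1
    return h(ec_mul(c_j, M_1), sid_j, id_i, s_i)


def demo(m_i: int = 2, c_j: int = 3):
    sid_j, id_i, s_i = b"SID_j", b"ID_i", b"S_i'"  # constructed placeholders
    M_1 = ec_mul(m_i, P)  # sent by U_i in MES_1
    N_3 = ec_mul(c_j, P)  # sent by SN_j in MES_3
    sk_u = user_session_key(m_i, N_3, sid_j, id_i, s_i)
    sk_s = sensor_session_key(c_j, M_1, sid_j, id_i, s_i)
    # An eavesdropper sees only M_1 and N_3; without m_i or c_j, computing
    # c_j·m_i·P is exactly the CDH problem, even if K_GWN is later leaked.
    return sk_u == sk_s, sk_u
```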

Formal Security Analysis Using ProVerif
ProVerif is a formal cryptographic protocol verification tool based on the Dolev-Yao model which can describe various cryptographic primitives. When ProVerif is used to validate a cryptographic protocol, the tool presents a corresponding attack trace if the protocol is vulnerable.
As shown in Figure 2, we define the channels, basic types, and functions. The proposed scheme involves five events, namely ULoginPhase(), UAuthenticationPhase(), UserSessionKey(), SNSessionKey(), and GWNAuthentication(). ULoginPhase() indicates the login phase of the user, UAuthenticationPhase() indicates that the user sends an authentication request, GWNAuthentication() indicates that the gateway has authenticated the user, SNSessionKey() indicates that the sensor node agrees on the session key, and UserSessionKey() indicates that the user agrees on the session key. Figure 3 shows these events and queries. The processes of the user, GWN, and sensor node are shown in Figures 4, 5, and 6, respectively. Figure 7 exhibits the main process. According to the result in Figure 8, the proposed scheme preserves the secrecy of the session key, the user's password, and the secret parameter of GWN, and the mutual authentication events are executed in the expected order.

Performance Comparison
In this section, we compare the security and performance of our scheme with some related schemes. Table 2 compares the attacks resisted and the properties achieved by each scheme. Compared with Shuai et al.'s scheme, our scheme is more secure against various known attacks and has additional desirable properties. Table 3 compares the computational cost of the proposed scheme with the related schemes [19-21, 23, 24], where T_H denotes the time of a hash operation, T_SE the time of a symmetric encryption/decryption operation, and T_ECC the time of an ECC point multiplication. In the environment [18] of a Windows 10 64-bit laptop, Intel (R) Core (TM)

Conclusion
In this paper, we first pointed out that Shuai et al.'s scheme is vulnerable to a desynchronization attack and a stolen-verifier attack and lacks perfect forward secrecy. We then proposed a new three-factor authentication scheme using ECC and a fuzzy extractor, which not only defends against the above attacks but also against the other attacks discussed in the informal security analysis. We also simulated the proposed scheme with the ProVerif tool for formal security verification. The performance analysis shows that it has lower cost than the related schemes and can be applied to WSN in IoT. In the future, we will design a blockchain-based anonymous authentication scheme for WSN in IoT.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.