
Journal of Network and Computer Applications (xxxx) xxxxxxxx


An efficient authentication and key agreement scheme for multi-gateway wireless sensor networks in IoT deployment

Fan Wu (a), Lili Xu (b), Saru Kumari (c), Xiong Li (d), Jian Shen (e), Kim-Kwang Raymond Choo (f), Mohammad Wazid (g), Ashok Kumar Das (g)

(a) Department of Computer Science and Engineering, Xiamen Institute of Technology, Xiamen 361021, China
(b) School of Information Science and Technology, Xiamen University, Xiamen 361005, China
(c) Department of Mathematics, Chaudhary Charan Singh University, Meerut 250005, Uttar Pradesh, India
(d) School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan 411201, China
(e) School of Computer and Software, Nanjing University of Information Science and Technology, Nanjing 210044, China
(f) Department of Information Systems and Cyber Security, The University of Texas at San Antonio, San Antonio TX 78249-0631, USA
(g) Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad 500 032, India

ARTICLE INFO

Keywords: Smart card; Sensor capture attack; Wireless sensor network; Multi-gateway; User anonymity

ABSTRACT

Wireless sensor networks (WSNs) for Internet of Things (IoT) can be deployed in a wide range of industries such as agriculture and military. However, designing a secure and reliable authentication scheme for WSNs that can be deployed in IoT remains a research and operational challenge. For example, recently in 2016, Amin and Biswas showed that Turkanović et al.'s scheme is vulnerable to smart card loss attack, user impersonation attack, etc. They then proposed a new authentication scheme for WSNs with multi-gateway. In this paper, we revisit the scheme of Amin and Biswas and reveal previously unknown vulnerabilities in the scheme (i.e. sensor capture attack, user forgery attack, gateway forgery attack, sensor forgery attack and off-line guessing attack). In addition, we demonstrate that the user in the scheme can be tracked due to the use of a constant pseudo-identity and that previously established session keys can be calculated by the attacker. Rather than attempting to fix a broken scheme, we present a novel authentication scheme for multi-gateway based WSNs. We then demonstrate the security of the proposed scheme using Proverif, as well as evaluating the good performance of the scheme using NS-2 simulation.

1. Introduction

Internet of Things (IoT) is an increasingly popular concept that has been widely adopted in a wide range of applications, partly due to decreasing costs of digital devices (e.g. mobile and portable devices such as sensors) and Internet services. In a typical IoT deployment, one could obtain information sent by sensors installed in rural and remote areas as long as there is Internet connection, for example via WiFi or a wireless sensor network (WSN). WSNs are all around us from traffic monitoring to temperature and moisture collection, or from blood pressure detection to wildlife tracking. Initially, homogenous sensors were used in a WSN, where every sensor within the WSN has the same capacity, power and other parameters. However, a modern day WSN generally contains different heterogeneous sensors designed to collect different kinds of information from the surroundings in real-time (i.e. sensors with different parameters), and researchers put their concentration on various usages (Xie and Wang, 2014; Shen et al., 2015b). However, due to the wireless nature of the communication channel, there are many inherent security and privacy risks (e.g. potentially vulnerable to eavesdropping, forgery attacks and off-line guessing attacks).

To solve the security disadvantages, many aspects of schemes are presented, such as key agreement (Chaudhry et al., 2016a, 2016b; Li et al., 2013a, 2013b, 2015; Chaudhry, 2015), signatures (Ren et al., 2015; Guo et al., 2014), and frames for multi-layered security (Chang et al., 2016; Chang and Ramachandran, 2016) and location privacy (Sun et al., 2016a, 2016b). In the existing WSN security literature, designing schemes that provide both mutual authentication and anonymity is one of current interests (see Jiang et al., 2015a, 2015b, 2016; Wu et al., 2015b, 2015d; Amin et al., 2016; Shen et al., 2015a; He et al., 2015). Mutual authentication guarantees that messages received by the recipient in the session are indeed sent by the correct


Corresponding authors.
E-mail addresses: conjurer1981@gmail.com (F. Wu), saryusiirohi@gmail.com, saru@ccsuniversity.ac.in (S. Kumari), lixiongzhq@163.com (X. Li),
raymond.choo@fulbrightmail.org (K.-K.R. Choo), mohammad.wazid@research.iiit.ac.in (M. Wazid), iitkgp.akdas@gmail.com, ashok.das@iiit.ac.in (A.K. Das).

http://dx.doi.org/10.1016/j.jnca.2016.12.008
Received 14 September 2016; Received in revised form 20 November 2016; Accepted 2 December 2016
1084-8045/ 2016 Elsevier Ltd. All rights reserved.


sender. Anonymity is a relatively new property proposed in recent years. Identities, especially the users, are protected if this property is held. There are also attempts to include two-factor authentication (e.g. physical possession of a smart card and knowledge of the password) to enhance the security of WSN. In such a setting, a registered user can only successfully login to a system if the user has both items (e.g. smart card and password). Many such schemes have also been proposed in the literature (see Jiang et al., 2015a; Wu et al., 2015b, 2016b; Xu and Wu, 2015a, 2015b).

Generally, there are three types of participants in a WSN. First, sensors are deployed on or in special objects in a region. Second, a gateway is a special node with relatively strong computation power in the WSN. Third, users who wish to obtain information from particular objects can access the sensors after mutual authentication. Once the user is authenticated, a session key should be generated and will be used as the symmetric key to encrypt subsequent messages. Xue et al. (2013) listed five different authentication structures for WSNs. For example, the user contacts the gateway, who then communicates with the sensor. In the schemes presented in Turkanović et al. (2014) and Farash et al. (2016), however, the sensor is designed to be the media sitting between a user and the server. However, Amin and Biswas (2016) explained that the setting in Turkanović et al. (2014) and Farash et al. (2016) is not suitable for WSN due to the drain on the battery life of the sensors involved. Generally once the sensors and the gateway nodes are placed, they are stationary. In wireless circumstance, the cost of sending and receiving messages increases while the distance between the participants and the whole network increase simultaneously. It is better to make only the gateway nodes have the ability to communicate with users who are relatively far away. However, data flow with high speed may collide and the performance of the WSN will slow down where there is only one gateway. So if the sensors are distributed in a large scale, more gateway nodes are needed. Thus, to cater for situations where a user needs to have access to sufficient sensors which may be located a fair distance away, an authentication scheme for WSNs based on multi-gateway is proposed in paper (Amin and Biswas, 2016). In their scheme, users can register with a gateway in the vicinity (referred to as home gateway node HGWN). Other gateways are then referred to as foreign gateway nodes (FGWNs). Through the nearby FGWNs, users have the capability to access sensors physically located at a distance away, as long as they are managed by participating FGWNs (see Fig. 1).

Fig. 1. Structure of multi-gateway WSNs.

There have been a large number of proposed authentication and key agreement (also known as key establishment) schemes for WSNs in the literature. For example, Watro et al. and Das (2009) presented an authentication scheme for WSNs based on RSA and a two-factor authentication scheme for WSNs, respectively. Other two-factor authentication schemes designed for WSNs include those detailed in Althobaiti et al. (2013); Amin and Biswas (2016); Amin et al. (2016); Chen and Shih (2010); Choi et al. (2014); Farash et al. (2016); He et al. (2010); Jiang et al. (2015a); Khan and Alghathbar (2010); Khan and Kumari (2014); Kumar and Lee (2011) and Shi and Gong (2013). However, papers (Chen and Shih, 2010; He et al., 2010; Khan and Alghathbar, 2010) showed that weaknesses such as destitution of mutual authentication, and vulnerability to the user forgery attack existed in the scheme of Das (2009). Similar to the history of key establishment protocols not specifically designed for WSNs (see Choo et al.; Choo, 2009; Choo et al., 2006), a number of schemes were subsequently found to be vulnerable to attacks. For example, Yoo et al. (2012) and Kumar and Lee (2011) illustrated that the schemes in Chen and Shih (2010), He et al. (2010), Khan and Alghathbar (2010) suffer from a number of security vulnerabilities. Chen et al.'s scheme (Chen and Shih, 2010) is vulnerable to replay and forgery attacks. He et al.'s scheme (He et al., 2010) does not achieve user anonymity and mutual authentication, as claimed. Similarly, Khan et al.'s scheme (Khan and Alghathbar, 2010) does not provide mutual authentication. In 2013, Xue et al. (2013) presented a lightweight and temporal-credential-based authentication scheme for WSNs. Temporal credential is a hash result containing user information such as identity and expiration time. The scheme was subsequently broken by Jiang et al. (2015a), who pointed out that the scheme is vulnerable to off-line password guessing attack, identity guessing attack, and user tracking attack. Here the user tracking attack is stronger than pure user anonymity. Generally, we consider that a random string representing the user's identity in the session as the property user anonymity. But if this string appears in every session, the attacker can track it and know that it is a special user. This is what user tracking attack means. To avoid this, it is better that the user should employ different random strings as the pseudo-identity in different sessions. Jiang et al. then presented an enhanced scheme, and Wu et al. (2015c) pointed out that the revised scheme is vulnerable to de-synchronization and off-line guessing attacks. In 2014, Turkanović et al. (2014) presented a new two-factor authentication and key agreement scheme for WSNs. The scheme includes only two kinds of computations, namely: hash functions and exclusive-or. However, subsequent research (Farash et al., 2016; Amin and Biswas, 2016) pointed out that the scheme is not able to withstand identity guessing attack, off-line password guessing attack and user impersonation attack. More recently in 2016, Amin et al. (2016) also demonstrated that the scheme in Farash et al. (2016) is vulnerable to off-line password guessing attack and user forgery attack, and presented a fix.

In this work, we revisit the scheme in Amin and Biswas (2016) and point out that the scheme is vulnerable to sensor capture, the off-line guessing and de-synchronization attacks. We then present a novel and efficient authentication scheme for multi-gateway WSNs, and seek to prove its security using Proverif and a security analysis. Also, a simulation with the famous tool NS-2 is shown to illustrate the practicality of our scheme.

The remainder of the paper is organized as follows. Background materials are presented in Section 2. We revisit the scheme of Amin and Biswas (2016) and reveal the weaknesses in Section 3. Our scheme and the security analysis are presented in Sections 4 and 5, respectively. We evaluate the performance of the scheme in Section 6 as well as using NS-2 simulation in Section 7. Finally, we conclude this paper in Section 8.

2. Background

2.1. Notations

The notations used in this paper are described in Table 1.

Table 1
Summary of notations.

Notation            Meaning
Ui, IDi, PWi        the i-th user with his identity and password
Sj, SIDj, xj        the j-th sensor with its identity and secret key
HGWN, IDhg, xhg     the home gateway node with its identity and secret key
FGWN, IDfg, xfg     the foreign gateway node with its identity and secret key
SA                  the system administrator
SKu, SKs            the session keys formed by the user and the sensor, respectively
SKhg, SKfg          the session keys formed by the home gateway and the foreign gateway, respectively
𝒜                   the adversary
h(.)                the hash function
T1, T2              timestamps
T                   the defined transmission time delay
                    the exclusive-or operation
                    the concatenation operation

2.2. Threat model

In the threat model we use to argue the security of the proposed scheme, an adversary 𝒜 has the following capabilities.

Assumption 1. Data in smart card could potentially be obtained using side-channel attacks (Kocher et al., 1999); thus, we allow 𝒜 to obtain information stored on a smart card that 𝒜 has physical access to (e.g. misplaced or stolen card).

Assumption 2. In Item 3, Section 1.5 of Amin and Biswas (2016), Amin and Biswas show a hypothesis that in polynomial time 𝒜 could guess either Ui's password or identity since the two strings are in two small dictionaries, respectively. But they consider that it is impossible to guess both strings simultaneously in polynomial time. And there is no explanation for such expression. That does not make sense. So we suppose that 𝒜 can guess both the identity and the password in polynomial time.

Assumption 3. There are two styles of the communication channels: the private channel, or the secure channel; and the public channel, or the insecure channel. 𝒜 can control the public channel under the two-factor circumstance (Wu et al., 2015c, 2016b, 2016a). But 𝒜 cannot get any information from the private channel, which is only for registrations.

Assumption 4. The hash function results, random numbers and secret keys cannot be guessed by 𝒜 because they reach the security length l. Besides that, hash function is secure against collision exploration in polynomial time.

Assumption 5. 𝒜 is permitted to compromise some sensors in WSNs, but not the special one which communicates with Ui. It is called the sensor capture attack, for which we discuss the relation of the secret keys of sensors. In some schemes, such as Amin and Biswas (2016), the sensors are injected with a common secret string at the very beginning and such string may be leaked due to the wrong arrangement in the scheme. After the leakage from one sensor, other sensors are threatened by the attackers who master the string. This attack is broadly accepted by researchers and applied in research papers including Choi et al. (2014); Shi and Gong (2013); Wu et al. (2015c), which illustrate new authentication schemes for WSNs, and the review (Kumari et al., 2015). So we employ this attack for the adversary.

Assumption 6. We show the insider attack as a separate kind of attack here. It means that the malicious server administrator may get some information from the user's submitted data in registration phase. For example, if user's password is a plaintext in the registration phase, it can be easily obtained by the administrator without difficulty. Note that this assumption does not contradict Assumption 3, since the secret information is not obtained from the private channel, but on the server side.

3. Revisiting the scheme of Amin and Biswas

3.1. The scheme

There are seven phases in the scheme (Amin and Biswas, 2016), and similarities between the dynamic node addition phase and the sensor registration phase. The password change phase plays no role in the attacks we will be describing. Hence, we only list the remaining five phases.

3.2. System setup

The systems administrator SA chooses SIDj for the Sj, selects a random number rsr and computes xj = h(SIDj rsr). SA stores (SIDj, xj, rsr) into Sj. Here rsr is known to all GWNs and secretly stored.

3.3. Sensor registration

Sj computes Aj = xj rsr and sends {SIDj, Aj} to HGWN via a public channel. HGWN computes xj = Aj rsr and stores (SIDj, xj) in database. Then HGWN sends a permission to Sj. Sj finally deletes rsr.
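The common-string weakness named in Assumption 5, applied to the setup and sensor registration phases of Sections 3.2 and 3.3 and compared with the per-gateway derivation the paper proposes later in Section 4.2, as an added example that is not code from the paper. It assumes that the operator missing between xj and rsr is the exclusive-or of Table 1 and that values inside h( ) are concatenated; SHA-256, the sensor identities and all function names are assumptions.

```python
import hashlib
import secrets

def h(*parts: bytes) -> bytes:
    """h(a || b): SHA-256 over the concatenation (hash choice is an assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def setup_common_string(sids, rsr):
    """Section 3.2: SA stores (SIDj, xj, rsr) in each sensor, xj = h(SIDj || rsr)."""
    return {sid: {"SID": sid, "x": h(sid, rsr), "rsr": rsr} for sid in sids}

def setup_per_gateway(sids, x_hg, id_hg):
    """Section 4.2: SA stores (SIDj, xj, IDhg), xj = h(SIDj || xhg); xhg stays in HGWN."""
    return {sid: {"SID": sid, "x": h(sid, x_hg), "IDhg": id_hg} for sid in sids}

def registration_message(sensor):
    """Section 3.3: {SIDj, Aj = xj XOR rsr}, sent over the public channel."""
    return sensor["SID"], xor(sensor["x"], sensor["rsr"])

def keys_recoverable(captured, public_messages):
    """Keys of other sensors that follow from one sensor's memory image (taken
    after setup, before it deletes rsr) plus observed registration messages."""
    rsr = captured.get("rsr")
    if rsr is None:
        return {}
    return {sid: xor(a, rsr) for sid, a in public_messages}

def secrets_shared_across_sensors(sensors, public_fields=("IDhg",)):
    """Audit check: names of stored secret fields whose value repeats across sensors."""
    seen, shared = {}, set()
    for s in sensors.values():
        for field, value in s.items():
            if field in public_fields:
                continue
            if value in seen and seen[value] != s["SID"]:
                shared.add(field)
            seen.setdefault(value, s["SID"])
    return shared

def compare():
    sids = [b"S-1", b"S-2", b"S-3"]                 # constructed sensor identities
    old = setup_common_string(sids, secrets.token_bytes(32))
    new = setup_per_gateway(sids, secrets.token_bytes(32), b"HG-1")
    observed = [registration_message(old[s]) for s in sids[1:]]
    leaked = keys_recoverable(old[b"S-1"], observed)
    return {
        "old_shared": secrets_shared_across_sensors(old),
        "new_shared": secrets_shared_across_sensors(new),
        "old_leaked_ok": all(leaked[s] == old[s]["x"] for s in sids[1:]),
        # Second route from the text: xj = h(SIDj || rsr) from a SIDj seen in M1.
        "routes_agree": all(h(s, old[b"S-1"]["rsr"]) == leaked[s] for s in sids[1:]),
        # Section 4.2 registers sensors over a secure channel: nothing is observed.
        "new_leaked": keys_recoverable(new[b"S-1"], []),
    }
```

The audit function is the defender's side of the comparison: a provisioning image in which any secret field repeats across devices turns one captured node into a compromise of every node's key.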


3.4. User registration

Step 1: Ui selects IDi, PWi and a nonce r0, calculates DIDi = h(IDi r0) and HPWi = h(PWi r0), and sends {DIDi, HPWi} to HGWN via a secure way.
Step 2: HGWN generates a pseudo-identity TIDi for Ui and computes B1 = h(DIDi HPWi) and B2 = h(DIDi TIDi xhg) h(DIDi HPWi).
Step 3: HGWN stores (TIDi, DIDi) in database and issues a smart card containing (B1, B2, IDhg, TIDi) to Ui via a secure way. Finally Ui stores r0 in the card.

3.5. Login

Step 1: Ui inserts his smart card on the terminal and inputs IDi and PWi. The smart card computes DIDi = h(IDi r0) and HPWi = h(PWi r0), and checks B1 ?= h(DIDi HPWi). If so, the next step will be done.
Step 2: The smart card selects SIDj, a nonce ru, and the timestamp T1, computes D0 = B2 h(DIDi HPWi), D1 = h(IDhg D0 ru T1) and D2 = D0 ru, and sends the message M1 = {IDhg, TIDi, SIDj, D1, D2, T1} to HGWN.

3.6. Authentication and key agreement

HGWN should check if SIDj is in its own database. If so, Case-1 is executed. Otherwise, HGWN broadcasts the message {SIDj, TIDi, IDhg} and Case-2 has to be done.

Case-1:
Step 1: HGWN picks up T2 and checks if |T2 T1| T. Then it extracts DIDi from database according to TIDi, calculates D0 = h(DIDi TIDi xhg) and ru = D2 D0, and checks D1 ?= h(IDhg D0 ru T1). The session will be rejected if either checking is unsuccessful.
Step 2: HGWN generates a nonce rhg, computes D3 = h(IDhg DIDi xj rhg T2), D4 = xj rhg, D5 = ru h(rhg) and D6 = DIDi h(IDhg rhg), and sends the message M2 = {D3, D4, D5, D6, T2} to Sj.
Step 3: Sj picks up T3 and checks if |T3 T2| T. Then it computes rhg = D4 xj, ru = D5 h(rhg) and DIDi = D6 h(IDhg rhg) and checks if D3 ?= h(IDhg DIDi xj rhg T2). The session will be rejected if either checking is unsuccessful.
Step 4: Sj generates a nonce rs, computes D7 = h(D3 DIDi rs T3) and D8 = rhg rs, and sends the message M3 = {D7, D8, T3} to HGWN.
Step 5: HGWN picks up T4, and checks if |T4 T3| T. Then it computes rs = D8 rhg and checks D7 ?= h(D3 DIDi rs T3). The session will be rejected if either checking is unsuccessful. After checking, HGWN calculates D9 = h(D3 DIDi rs rhg T4) and D10 = rs ru, and sends the message M4 = {D3, D8, D9, D10, T4} to Ui.
Step 6: Ui picks up T5 and checks if |T5 T4| T. Then Ui computes rs = D10 ru and rhg = D8 rs, and checks if D9 ?= h(D3 DIDi rs rhg T4). The session will be rejected if either checking is unsuccessful. At last Ui, Sj and HGWN share SKu = SKs = SKhg = h(DIDi ru rs rhg).

Case-2:
Step 1: If one foreign gateway FGWN finds out SIDj from its database, it searches xj according to SIDj, and computes Z1 = h(TIDi xfg) and Z2 = Z1 rsr, and sends {Z2, IDfg} to HGWN. HGWN computes D0, Z1 = Z2 rsr and Z3 = D0 Z1, and sends {Z3, IDfg} to Ui.
Step 2: Ui extracts Z1 = Z3 D0, picks up T6 and a nonce ru2, computes D11 = h(TIDi Z1 ru2 T6) and D12 = Z1 ru2, and sends the message M5 = {TIDi, D11, D12, T6} to FGWN.
Step 3: FGWN selects T7, and checks if |T7 T6| T. Then it computes Z1 = h(TIDi xfg) and ru2 = D12 Z1, and checks D11 ?= h(TIDi Z1 ru2 T6). If both checks are right, the next step can be continued.
Step 4: FGWN generates a nonce rfg, computes D13 = h(TIDi Z1 rfg xj T7 ru2), D14 = rfg xj and D15 = h(xj) Z1, and sends the message M6 = {TIDi, D12, D13, D14, D15, T7} to Sj.
Step 5: Sj selects T8 and checks if |T8 T7| T. Then it computes rfg = D14 xj, Z1 = h(xj) D15 and ru2 = D12 Z1, and checks D13 ?= h(TIDi Z1 rfg xj T7 ru2). If both checks are right, the next step will be continued.
Step 6: Sj generates rs2, computes W1 = h(SIDj xj), D16 = h(TIDi rs2 W1 T8), D17 = rs2 W1 and D18 = Z1 W1, and sends the message M7 = {TIDi, D16, D17, D18, T8} to FGWN. Here we should express that D17 is missed in Amin and Biswas (2016). If FGWN cannot get D17, FGWN and Ui will not have rs2 to form the session key. So we add it.
Step 7: FGWN selects T9 and checks if |T9 T8| T. If so, FGWN computes W1 = h(SIDj xj), rs2 = D17 W1 and D19 = rs2 rfg and sends the message M8 = {TIDi, D16, D18, D19, T8, T9} to Ui.
Step 8: Ui selects T10 and checks if |T10 T9| T. Then the smart card computes W1 = D18 Z1, rs2 = D17 W1 and rfg = D19 rs2 and checks D16 ?= h(TIDi rs2 W1 T8). Either failed checking will lead to the rejection. At last Ui, Sj and FGWN share the same session key SKu = SKs = SKfg = h(TIDi SIDj ru2 rs2 rfg).

3.7. Previous unpublished attacks

3.7.1. Sensor capture attack and session key leakage

From sensor registration phase, we notice that HGWN gets all xj with a fixed secret string rsr. Note that there is no information about SIDj in HGWN's database when system setup phase is over. So rsr is a constant for every sensor in the whole system, and 𝒜 can do the following operations: A legal insider 𝒜 masters a sensor Sk after system setup, and gets its stored data (SIDk, xk, rsr) before the registration. Then he can eavesdrop all newer registration messages from other sensors. We take the message {SIDj, Aj} from Sj for example. 𝒜 can calculate xj = Aj rsr. Also, 𝒜 could get SIDj from M1 and compute the corresponding secret key xj = h(SIDj rsr). Then 𝒜 can get the session keys after eavesdropping messages from a past session, and the two cases can be illustrated below:

For Case 1, 𝒜 calculates rhgold = D4old xj, ruold = D5old h(rhgold), rsold = D8old rhgold and DIDi = D6old h(IDhg rhgold).
For Case 2, 𝒜 calculates rfgold = D14old xj, rs2old = D19old rfgold and ru2old = D12old h(xj) D15old.

And the session key SKuold = SKsold = SKhgold = h(DIDi ruold rsold rhgold) can be calculated.

3.7.2. User forgery attack

After 𝒜 gets rsr and DIDi in the sensor capture attack, he can use the information {IDhg, TIDi, Z2old, Z3old} from a historical session in which Ui communicated with some sensor Sk in a foreign WSN. Then 𝒜 calculates Z1old = Z2old rsr and D0 = Z3old Z1old and he selects a nonce r𝒜 and the timestamp T1𝒜, and computes D1𝒜 = h(IDhg D0 r𝒜 T1𝒜) and D2𝒜 = D0 r𝒜. At last 𝒜 selects a sensor Sj and sends the legal message M1𝒜 = {IDhg, TIDi, SIDj, D1𝒜, D2𝒜, T1𝒜} to FGWN. The following operations can be divided into two cases:

1. If Sj can be found by HGWN, 𝒜 can calculate rs = D10 r𝒜, rhg = D8 rs and SK𝒜 = h(DIDi r𝒜 rs rhg) after receiving M4 from HGWN.
2. Otherwise if Sj is in a foreign GWN, when HGWN sends {Z3, IDfg} to 𝒜, 𝒜 computes Z1 = Z3 D0, selects r𝒜2 and T2𝒜, calculates D11𝒜 = h(TIDi Z1 r𝒜2 T2𝒜) and D12𝒜 = Z1 r𝒜2, and sends the legal message M5𝒜 = {TIDi, D11𝒜, D12𝒜, T2𝒜} to FGWN. At last once 𝒜 receives M8 from FGWN, he can calculate W1 = D18 Z1, rs2 = D17 W1, rfg = D19 rs2 and its session key SK𝒜 = h(TIDi SIDj r𝒜2 rs2 rfg).

So Ui's messages are perfectly forged.

3.7.3. Gateway forgery attack

After 𝒜 gets rsr, xj and D0 from Sections 3.7.1 and 3.7.2, he uses the old messages M1old and M2old in a past session for Case 1 and calculates rhgold = D4old xj, ruold = D5old h(rhgold) and DIDi = D6old h(IDhg rhgold). For Case 2, 𝒜 eavesdrops {Z2, IDfg} and computes Z1 = Z2 rsr. Here we concentrate on a targeted FGWN as an example. So all necessary information about Ui and Sj is ready.

For Case 1, 𝒜 first shields HGWN and when receiving M1 whose target is Sj, he selects a timestamp T2𝒜 and a nonce r𝒜, calculates ru = D2 D0, D3𝒜 = h(IDhg DIDi xj r𝒜 T2𝒜), D4𝒜 = xj r𝒜, D5𝒜 = ru h(r𝒜) and D6𝒜 = DIDi h(IDhg r𝒜). So a legal M2𝒜 = {D3𝒜, D4𝒜, D5𝒜, D6𝒜, T2𝒜} is produced. Moreover, after 𝒜 receives M3 from Sj, he selects a timestamp T4𝒜 and calculates rs = D8 r𝒜, D9𝒜 = h(D3𝒜 DIDi rs r𝒜 T4𝒜) and D10𝒜 = rs ru. So the second legal message M4𝒜 = {D3𝒜, D8, D9𝒜, D10𝒜, T4𝒜} is generated and the session key SK𝒜 = h(DIDi ru rs r𝒜) can be computed.
For Case 2, 𝒜 first shields FGWN, and answers HGWN with the fixed message {Z2, IDfg}. After 𝒜 receives M5, he selects a timestamp T7𝒜 and a nonce r𝒜 and computes ru2 = D12 Z1, D13 = h(TIDi Z1 r𝒜 xj T7𝒜 ru2), D14 = r𝒜 xj and D15 = h(xj) Z1. So the legal message M6𝒜 = {TIDi, D12, D13𝒜, D14𝒜, T7𝒜} is generated. Then after 𝒜 gets M7𝒜, 𝒜 selects T9𝒜 and computes W1 = h(SIDj xj), rs2 = D17 W1 and D19 = rs2 r𝒜. So a legal message M8𝒜 = {TIDi, D16, D18, D19𝒜, T8, T9𝒜} is produced. Also, 𝒜 can calculate SK𝒜 = h(TIDi SIDj ru2 rs2 r𝒜) as the session key.

So the gateways are successfully impersonated.

3.7.4. Sensor forgery attack

From Section 3.7.3, 𝒜 owns xj and DIDi. We suppose 𝒜 shields Sj.

For Case 1, after receiving M2, 𝒜 selects a timestamp T3𝒜 and a nonce r𝒜, and computes rhg = D4 xj, ru = D5 h(rhg), D7𝒜 = h(D3 DIDi r𝒜 T3𝒜) and D8𝒜 = rhg r𝒜. So a legal message M3𝒜 = {D7𝒜, D8𝒜, T3𝒜} and the session key SK𝒜 = h(DIDi ru r𝒜 rhg) can be finished.
For Case 2, after receiving M6, 𝒜 selects a timestamp T8𝒜 and a nonce r𝒜, and computes rfg = D14 xj, ru2 = D12 Z1, W1 = h(SIDj xj), D16𝒜 = h(TIDi rs2 W1 T8𝒜), D17𝒜 = rs2 W1 and D18𝒜 = Z1 W1. So a legal message M7𝒜 = {TIDi, D16𝒜, D17𝒜, D18𝒜, T8𝒜} and the session key SK𝒜 = h(TIDi SIDj ru2 r𝒜 rfg) can be finished.

So 𝒜 has the ability to produce legal messages of the sensor.

3.7.5. User tracking attack

Since every time Ui uses a fixed string TIDi as his pseudo-identity, 𝒜 can track Ui according to this string constantly.

3.7.6. Lack of mutual authentication

As 𝒜 can forge any of the participants in the session, the scheme clearly does not achieve mutual authentication.

4. Proposed scheme

There are five phases in our scheme, namely: initialization, registration, login, authentication and key agreement, and password change. If a new sensor joins the WSN, we employ the sensor registration part to complete that task.

4.1. Initialization

At first, HGWN and FGWN share a common secret key Kfh. Each pair of gateway nodes should have one key and it can be found according to the identity of the gateway node.

4.2. Registration

We divide this phase into two parts and messages in both of them are transmitted via a secure channel. Unlike Amin and Biswas (2016), registration for sensors via a secure channel is widely accepted (Choi et al., 2014; Jiang et al., 2015a; Khan and Kumari, 2014; Shi and Gong, 2013; Wu et al., 2015a, 2015c, 2016b). Moreover, it is normal to set suitable data in sensor and then to place it in WSN via a secure registration process. So we use the common way, not the idea in Amin and Biswas (2016).

1. Sensor registration: SA selects SIDj for Sj, computes xj = h(SIDj xhg) and stores (SIDj, xj, IDhg) in Sj secretly. Then Sj is placed in the WSN and SIDj is stored in the database of HGWN.
2. User registration:
Step 1: Ui selects IDi, PWi and a nonce r0, computes HPWi = h(PWi r0) and sends {IDi, HPWi} to HGWN via a secure channel.
Step 2: SA checks if IDi is valid. If so, IDi is stored in the database for auditing. Then SA selects TIDi as the pseudo-identity for Ui, computes B1 = h(TIDi IDhg xhg) h(IDi HPWi) and B2 = h(IDi xhg) HPWi, stores (TIDi, B1, B2, IDhg) into a smart card and sends the smart card to Ui via a secure channel.
Step 3: Ui stores B3 = h(IDi PWi) r0 into the smart card.

4.3. Login

The details are shown in Fig. 2. Ui inserts his smart card and inputs IDi and PWi, selects a nonce ru, a timestamp T1 and the sensor SIDj, computes r0 = B3 h(IDi PWi), HPWi = h(PWi r0), D0 = B1 h(IDi HPWi), D1 = D0 ru, D2 = h(ru TIDi IDhg SIDj) IDi and D3 = h(IDi SIDj ru T1), and sends the message M1 = {IDhg, TIDi, SIDj, D1, D2, D3, T1} to HGWN.

Fig. 2. Login phase.

4.4. Authentication and key agreement

HGWN checks if IDhg is correct. If so, it checks if SIDj is in the local WSN. If so, Case 1 will be executed. Otherwise, HGWN first checks the validation of M1 and broadcasts {IDhg, TIDi, SIDj} to other nearby WSNs. The two cases are illustrated in Figs. 3 and 4, respectively.

Fig. 3. Case 1 of authentication and key agreement phase.

Case 1:
Step 1: HGWN selects T2 and checks if |T2 T1| T. Then HGWN computes D0 = h(TIDi IDhg xhg), ru = D0 D1 and IDi = D2 h(ru TIDi IDhg) and checks D3 ?= h(IDi SIDj ru T1). The session will be rejected if either checking is unsuccessful. If the checks are correct, HGWN generates a nonce rhg, computes xj = h(SIDj xhg), D4 = xj rhg, D5 = ru h(rhg) and D6 = h(IDhg xj ru rhg SIDj T2), and sends the message M2 = {D4, D5, D6, T2} to Sj.
Step 2: Sj picks up T3 and checks if |T3 T2| T. Then Sj computes rhg = D4 xj and ru = D5 h(rhg), and checks D6 ?= h(IDhg xj ru rhg SIDj T2). The session will be rejected if either checking is unsuccessful. If the checks are passed, Sj generates a nonce rs, computes SKs = h(ru rhg rs), D7 = rhg rs and D8 = h(IDhg xj SKs SIDj T3), and sends the message M3 = {D7, D8, T3} to HGWN.
Step 3: HGWN picks up T4 and checks if |T4 T3| T. Then it computes rs = D7 rhg and SKhg = h(ru rhg rs) and checks D8 ?= h(IDhg xj SKhg SIDj T3). The session will be rejected if either checking is unsuccessful. If passed, HGWN selects a new pseudo-identity TIDinew for Ui, computes D9 = ru rs, D10 = TIDinew h(ru SIDj T4), D0new = h(TIDinew IDhg xhg), D11 = D0new h(IDi xhg) ru and D12 = h(IDhg SKhg TIDinew D0new D0 T4). HGWN sends the message M4 = {D7, D9, D10, D11, D12, T4} to Ui.
Step 4: Ui selects T5 and checks if |T5 T4| T. Then the smart card computes rs = D9 ru, rhg = D7 rs, SKu = h(ru rhg rs), TIDinew = D10 h(ru SIDj T4) and D0new = D11 B2 HPWi ru, and checks D12 ?= h(IDhg SKu TIDinew D0new D0 T4). The session will be rejected if either checking is unsuccessful. If passed, the smart card computes B1new = D0new h(IDi HPWi) and replaces (TIDi, B1) with (TIDinew, B1new).

Fig. 4. Case 2 of authentication and key agreement phase.
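A runnable model of the registration, login and Case 1 steps above, added here as an example and not the authors' code. It assumes that values juxtaposed inside h( ) are concatenated and values juxtaposed outside it are combined with exclusive-or (the two operations of Table 1 whose symbols are missing from this copy), and that the timestamp check means the difference must not exceed the allowed delay; SHA-256, 32-byte values, the 5-second delay and every function name are assumptions.

```python
import hashlib
import secrets
from functools import reduce

N = 32        # every protocol value is a 32-byte string (assumption)
DELTA_T = 5   # allowed transmission delay, in seconds (assumed value)

class Reject(Exception):
    """A freshness or hash check failed, so the session is dropped."""

def check(ok: bool) -> None:
    if not ok:
        raise Reject

def h(*parts) -> bytes:
    """h(a || b || ...): SHA-256 over length-prefixed parts (assumed hash)."""
    enc = [p if isinstance(p, bytes) else str(p).encode() for p in parts]
    return hashlib.sha256(b"".join(len(b).to_bytes(2, "big") + b for b in enc)).digest()

def xor(*vals: bytes) -> bytes:
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*vals))

def fresh(sent: int, now: int) -> bool:
    return abs(now - sent) <= DELTA_T

class HGWN:
    def __init__(self, id_hg: bytes):
        self.id, self.x = id_hg, secrets.token_bytes(N)        # IDhg, xhg

    def register_sensor(self, sid: bytes) -> dict:             # Section 4.2, part 1
        return {"SID": sid, "x": h(sid, self.x), "IDhg": self.id}

    def register_user(self, id_i: bytes, hpw: bytes) -> dict:  # Section 4.2, part 2
        tid = secrets.token_bytes(N)
        return {"TID": tid, "IDhg": self.id,
                "B1": xor(h(tid, self.id, self.x), h(id_i, hpw)),
                "B2": xor(h(id_i, self.x), hpw)}

    def step1(self, m1: dict, now: int):
        check(m1["IDhg"] == self.id and fresh(m1["T1"], now))
        d0 = h(m1["TID"], self.id, self.x)
        ru = xor(d0, m1["D1"])
        # Hash input as in the login phase, i.e. including SIDj.
        id_i = xor(m1["D2"], h(ru, m1["TID"], self.id, m1["SID"]))
        check(h(id_i, m1["SID"], ru, m1["T1"]) == m1["D3"])
        rhg, xj = secrets.token_bytes(N), h(m1["SID"], self.x)
        st = dict(ru=ru, rhg=rhg, xj=xj, D0=d0, IDi=id_i, SID=m1["SID"])
        return {"D4": xor(xj, rhg), "D5": xor(ru, h(rhg)), "T2": now,
                "D6": h(self.id, xj, ru, rhg, m1["SID"], now)}, st

    def step3(self, st: dict, m3: dict, now: int):
        check(fresh(m3["T3"], now))
        rs = xor(m3["D7"], st["rhg"])
        sk = h(st["ru"], st["rhg"], rs)
        check(h(self.id, st["xj"], sk, st["SID"], m3["T3"]) == m3["D8"])
        tid_new = secrets.token_bytes(N)          # fresh pseudo-identity
        d0_new = h(tid_new, self.id, self.x)
        return {"D7": m3["D7"], "D9": xor(st["ru"], rs), "T4": now,
                "D10": xor(tid_new, h(st["ru"], st["SID"], now)),
                "D11": xor(d0_new, h(st["IDi"], self.x), st["ru"]),
                "D12": h(self.id, sk, tid_new, d0_new, st["D0"], now)}, sk

def enroll(gw: HGWN, id_i: bytes, pw: bytes) -> dict:
    r0 = secrets.token_bytes(N)
    return {**gw.register_user(id_i, h(pw, r0)), "B3": xor(h(id_i, pw), r0)}

def login(card: dict, id_i: bytes, pw: bytes, sid: bytes, t1: int):
    hpw = h(pw, xor(card["B3"], h(id_i, pw)))
    d0, ru = xor(card["B1"], h(id_i, hpw)), secrets.token_bytes(N)
    m1 = {"IDhg": card["IDhg"], "TID": card["TID"], "SID": sid, "T1": t1,
          "D1": xor(d0, ru), "D3": h(id_i, sid, ru, t1),
          "D2": xor(h(ru, card["TID"], card["IDhg"], sid), id_i)}
    return m1, dict(ru=ru, D0=d0, HPW=hpw)

def sensor_step2(s: dict, m2: dict, now: int):
    check(fresh(m2["T2"], now))
    rhg = xor(m2["D4"], s["x"])
    ru = xor(m2["D5"], h(rhg))
    check(h(s["IDhg"], s["x"], ru, rhg, s["SID"], m2["T2"]) == m2["D6"])
    rs = secrets.token_bytes(N)
    sk = h(ru, rhg, rs)
    return {"D7": xor(rhg, rs), "T3": now, "D8": h(s["IDhg"], s["x"], sk, s["SID"], now)}, sk

def user_step4(card: dict, st: dict, id_i: bytes, sid: bytes, m4: dict, now: int):
    check(fresh(m4["T4"], now))
    rs = xor(m4["D9"], st["ru"])
    sk = h(st["ru"], xor(m4["D7"], rs), rs)
    tid_new = xor(m4["D10"], h(st["ru"], sid, m4["T4"]))
    d0_new = xor(m4["D11"], card["B2"], st["HPW"], st["ru"])
    check(h(card["IDhg"], sk, tid_new, d0_new, st["D0"], m4["T4"]) == m4["D12"])
    card.update(TID=tid_new, B1=xor(d0_new, h(id_i, st["HPW"])))
    return sk

def run_case1(gw, sensor, card, id_i, pw, t0, tamper=False):  # (SKu, SKs, SKhg) or Reject
    m1, ust = login(card, id_i, pw, sensor["SID"], t0)
    if tamper:
        m1["D3"] = bytes(N)                   # constructed invalid authenticator
    m2, gst = gw.step1(m1, t0 + 1)
    m3, sks = sensor_step2(sensor, m2, t0 + 2)
    m4, skhg = gw.step3(gst, m3, t0 + 3)
    return user_step4(card, ust, id_i, sensor["SID"], m4, t0 + 4), sks, skhg
```

Running two sessions on the same card shows the pseudo-identity changing after each successful run, which is the property Section 3.7.5 found missing in the earlier scheme; a wrong password or an altered D3 stops at HGWN's first check.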


Case 2:

Step 1: HGWN computes D0, ru, and IDi, searching SIDi and checks D3 as step 1 of Case 1. {IDhg, TIDi, SIDj} will be sent out when the above check is correct.

Step 2: FGWN searches SIDj in its database. If found, FGWN computes xj = h(SIDj xfg), Z1 = h(TIDi IDfg xfg), and Z2 = Kfh Z1, and sends the message {Z2, IDfg} to HGWN.

Step 3: HGWN selects TIDinew as in Case 1, computes D0new = h(TIDinew IDhg xhg), Z1 = Z2 Kfh, Z3 = h(D0 ru) Z1, Z4 = h(ru IDi) TIDinew, Z5 = D0new h(IDi xhg) ru and Z6 = h(TIDinew D0new D0 IDi Z1), and sends the message {Z3, Z4, Z5, Z6, IDfg} to Ui.

Step 4: Ui computes Z1 = Z3 h(D0 ru), picks a nonce ru2 and the timestamp T6, and then calculates D13 = Z1 ru2 and D14 = h(TIDi Z1 ru2 T6), and sends the message M5 = {TIDi, D13, D14, T6} to FGWN.

Step 5: FGWN selects T7, and checks if |T7 T6| T. Then it computes ru2 = D13 Z1 and checks D14 ?= h(TIDi Z1 ru2 T6). If the two checks are both correct, the next operations can be continued. FGWN generates a nonce rfg, computes D15 = rfg xj, D16 = ru2 h(rfg) and D17 = h(IDfg xj ru2 rfg SIDj T7), and sends the message M6 = {D15, D16, D17, T7} to Sj.

Step 6: Sj selects T8 and checks if |T8 T7| T. Then it computes rfg = D15 xj and ru2 = D16 h(rfg), and checks D17 ?= h(IDfg xj ru2 rfg SIDj T7). If the two checks are both correct, the next operations can be continued. Sj then selects a nonce rs2, computes SKs = h(ru2 rfg rs2), D18 = rs2 rfg and D19 = h(IDfg xj SKs SIDj T8), and sends M7 = {D18, D19, T8} to FGWN.

Step 7: FGWN selects T9 and checks if |T9 T8| T. Then it calculates rs2 = D18 rfg and SKfg = h(ru2 rfg rs2), and checks D19 ?= h(IDfg xj SKfg SIDj T8). If the two checks are both correct, the next operations can be continued. FGWN then calculates D20 = rfg ru2 and D21 = h(IDfg TIDi SKfg SIDj T9), and sends the message M8 = {D18, D20, D21, T9} to Ui.

Step 8: Ui selects T10 and checks if |T10 T9| T. Then the smart card computes rfg = D20 ru2, rs2 = D18 rfg and SKu = h(ru2 rfg rs2), and checks D21 ?= h(IDfg TIDi SKu SIDj T9). If the two checks are both correct, the next operations can be continued. The smart card then computes TIDinew = Z4 h(ru IDi) and D0new = Z5 B2 HPWi ru, and verifies Z6 ?= h(TIDinew D0new D0 IDi Z1). If this verification fails, the session will be aborted. Otherwise, the card computes B1new and replaces (TIDi, B1) with (TIDinew, B1new).

4.5. Password change

Step 1: Ui inputs IDi and PWi after inserting the smart card into the terminal. The smart card selects a nonce ru3 and a timestamp T11, computes r0, HPWi and D0 as in step 1, Case 1 in Section 4.4, and D22 = D0 ru3, D23 = h(ru3 TIDi IDhg) IDi and D24 = h(IDi ru3 T11), and sends the message M9 = {IDhg, TIDi, D22, D23, D24, T11} with a request of password changing to HGWN.

Step 2: HGWN checks if |T12 T11| T while T12 is the current timestamp. Then it computes D0 = h(TIDi IDhg xhg), ru3 = D0 D22 and IDi = D23 h(ru3 TIDi IDhg). HGWN checks the validation of IDi and D24 ?= h(IDi ru3 T11). If so, HGWN selects TIDinew, computes D0new = h(TIDinew IDhg xhg), D25 = TIDinew h(ru3 IDhg), D26 = D0new h(IDi xhg) ru3 and D27 = h(IDhg TIDinew D0new D0 T12), and sends the message M10 = {D25, D26, D27, T12} with a grant to Ui.

Step 3: Ui checks if |T13 T12| T while T13 is the timestamp. Then the smart card computes TIDinew = D25 h(ru3 IDhg), and D0new = D26 B2 HPWi ru3, and checks D27 ?= h(IDhg TIDinew D0new D0 T12). If so, Ui is asked to input a new password PWinew and the smart card generates a new nonce r0new, computes HPWinew = h(PWinew r0new), B1new = D0new h(IDi HPWinew), B2new = B2 HPWi HPWinew, and B3new = r0new h(IDi PWinew), and updates (TIDi, B1, B2, B3) with (TIDinew, B1new, B2new, B3new).

5. Security analysis

5.1. Formal verification

ProVerif is a mature tool for testing whether a cryptographic protocol is secure. The main cryptographic primitives, including digital signature, symmetric and asymmetric encryption, hash function, etc., are supported by ProVerif. It can also give results such as correspondence assertion and reachability. New properties like traceability, privacy and verifiability can also be judged. In this tool, protocol analysis with unlimited sessions and messages is applied to verify the security. It is applied in many papers, such as Chaudhry et al. (2015a), Wu et al. (2015b), Chaudhry et al. (2015b) and Wu et al. (2016a). Here we give the test code with ProVerif to prove the security of our scheme.

5.2. Premises for the code

At first we show the definitions used throughout the code. ch denotes the public channel. sch1 and sch2 denote the private channels. The first is between the user and HGWN. The second is between the sensor and HGWN/FGWN and it depends on the position of the sensor. sku, sks, skhg and skfg are session keys produced by the user, the sensor, FGWN and HGWN, respectively. There is some constant information about the entities containing xhg, xfg, IDi, PWi, IDhg, IDfg and SIDj. Three functions including hash, concatenation and X-or calculations are shown. They are h(), xor() and con(), respectively. The equation is to explain the rule of X-or. Two events UserStart and UserAuth are to verify the correspondence relation for the messages of the user. The code query attacker(sku) is to find if the session key sku is secure against the attacker, and the other two are similar to understand. Here we should point out that skhg and query attacker(skhg) are for Case 1, while skfg and query attacker(skfg) are only for Case 2. We show the annotation and use the italic font for Case 2. The two cases are separated indeed. If Case 1 is verified, skfg and the corresponding query do not appear. A similar situation can be deduced for Case 2. Finally, the last query inj-event(UserAuth(id)) ==> inj-event(UserStart(id)) is to test if the two events mentioned above are in the correct order in execution. We can see that if the scheme is executed normally, UserAuth(id) is behind UserStart(id). The code for this part is illustrated in Fig. 5.

5.3. Code for case 1 and case 2

Here we use double lines to divide the registrations and the login and authentication and key agreement in the figures. There are three parts for Case 1 and we show the code in Fig. 6.

The first blank in the left is for the user. Five lines above the double-line are the content of user registration and the rest are for the login and authentication and key agreement phases. The whole process User in the first line contains both parts.

The second blank in the left is for the sensor. Three lines above the double-line are the content of sensor registration and the rest are corresponding to the operations in Case 1, Section 4.4. The whole process Sensor in the first line contains the two parts.

The right content is for HGWN. The part GWNReg1 is for the user registration. The part GWNReg2 is for the sensor registration. The part GWNAuth is for the operations in Case 1, Section 4.4. Finally, the entire process of HGWN is combined by the above three parts GWNReg1, GWNReg2 and GWNAuth. The code let GWN = GWNReg1|GWNReg2|GWNAuth is below the last double-line.

The code for Case 2 is in Fig. 7.


Fig. 5. Premises for the code.

The first column is the code for the user. Also there are five lines above the double-line for the registration and the rest are for the login and authentication and key agreement phases.

The top part of the second column is the code for the sensor. The registration content is the same as Case 1 and the rest is for the operations in Case 2, Section 4.4.

The bottom part of the second column and the top part of the third column is the code for HGWN. Seven lines above the first double-line are for HGWNReg, which is the content of user registration. The code from the first double-line to the second is for the operations in Case 2, Section 4.4. The last line let HGWN = HGWNReg|HGWNAuth illustrates the whole process of HGWN.

The last part is the code for FGWN. Three lines above the first double-line are the content of sensor registration, and the code between the first double-line and the second is for the corresponding operations in Case 2, Section 4.4. The last line let FGWN = FGWNReg|FGWNAuth denotes the whole process of FGWN.

Furthermore, all the processes in the two cases are executed by a command process !User | !GWN | !Sensor.

To make the variables clear to readers, we give the explanations about them. For user and sensor registration phases in both cases, all produced and received variables, along with the defined constants, which should be first used on the user and sensor side, are the same as in the protocol, such as r0, HPWi, IDi, SIDj and xj. And we use the prefixes gr- and fgr- in HGWN and FGWN registration phases for the produced and received variables, respectively, such as grTIDi, grxj, grB1, and fgrxj. Also, the generated and received variables in user authentication, sensor authentication, HGWN authentication and FGWN authentication employ prefixes u-, s-, g-, and fg-, respectively, such as uD0, sD6, gD0, and fgz1.

5.4. Results

Both cases pass the verification with ProVerif. The conclusion is in Fig. 8. The left column is for Case 1 while the right column is for Case 2. We can see that each result for query is true. So we consider that our scheme is secure against the simulated attacks with ProVerif.

5.5. A comparative summary: security

We compare the security properties between our scheme and two recent schemes of the same kind. The results are shown in Table 2. We use to denote if the scheme satisfies the property, or appears.

5.5.1. Resistance to insider attack

In user registration phase, HPWi is submitted to HGWN and it is a hash result which protects PWi with a random string r0. Any insider attacker cannot guess PWi without knowing r0. So this attack is avoided.

5.5.2. Resistance to off-line guessing attack

According to Section 2.2, Then two cases are divided below:

For Case 1, A gets {TIDi, B1, B2, IDhg} from Ui's smart card and (M1old, M2old, M3old, M4old) from the last session. Then A guesses the pair (ID*, PW*), and computes r0* = B3 h(ID* PW*) and HPW* = h(PW* r0*). The formulas B1 h(ID* HPW*) = D11old B2 HPW* ruold and ruold = B1old h(ID* HPW*) can be used by A. But B1old has disappeared. From D5old, D7old and D9old, ruold cannot be gained, either.

For Case 2, A gets {TIDi, B1, B2, IDhg} from Ui's smart card and (Z2, Z3, Z4, Z5, Z6, IDfg, M1old, M5old, M6old, M7old, M8old) from the last session. Like the above case, A guesses (ID*, PW*), and computes r0* and HPW*. The formulas B1 h(ID* HPW*) = Z5old B2 HPW* ruold, ruold = D0old D1old can be used. But D0old is protected in Z3 by a hash function and ruold. A cannot get ruold or D0old from Z3, let alone guess the identity and the password.

So A cannot guess Ui's identity and password.

5.5.3. Resistance to user forgery attack

Every time A wants to forge Ui's message, he should master D0 = h(TIDi IDhg xhg) to forge D1 in M1. But xhg is the secret key of HGWN and A cannot calculate D0, let alone D1 or M1.

5.5.4. Resistance to gateway forgery attack

In Case 1, if A wants to forge M2, he should get xj = h(SIDj xhg), which is an imperative parameter to construct D4 and D6. To forge M4, at the last step of the two cases, D12 is an imperative element for checking. They all need xhg as one of the input strings. Like the expression in Section 5.5.3, A cannot obtain xhg and this attack can be avoided. In Case 2, if A wants to forge Z2 as FGWN, he should know Kfh and xfg. To forge M6, xj is a necessary number and to forge M8, D0 is an imperative element. If A wants to forge HGWN's message, he must calculate D0 in Z6 for verification on the user side. However, it is impossible to compute the strings Kfh, xfg and xj, and from Section 5.5.3 we know D0 is hard for A to calculate.

5.5.5. Resistance to sensor forgery attack

A must calculate D8 or D19 to forge M3 or M7 in the two cases. However, D0 is needed in both of them. As we have analyzed in Section 5.5.3, the two messages from the sensor cannot be generated by A.

5.5.6. Resistance to sensor capture attack

According to the definition of this attack in Assumption 5 of Section 2.2, if A seizes some sensor Sk, other than Sj with which Ui communicates, he could not get any secret information about Sj. There is no direct relation between xj and xk, or we can say that A cannot calculate xj from any xk. So our scheme is secure against this attack.

5.5.7. Resistance to user tracking attack

Each time Ui uses a new pseudo-identity TIDi in the login message M1. It is different from the schemes (Amin and Biswas, 2016; Das et al., 2016), which can be tracked by the adversary A to follow the trail of the user.


Fig. 6. Code for Case 1.

5.5.8. Resistance to session key leakage
Unlike scheme (Amin and Biswas, 2016), A has no breakthrough point like a common secret rsr which is prone to be obtained by A. Every random number for constructing the session key is protected by the secret strings xhg or xfg fundamentally. According to our hypothesis in Section 2.2, the two strings cannot be obtained. Thus, our scheme is away from session key leakage.


Fig. 7. Code for Case 2.

5.5.9. Mutual authentication


In Case 1, Ui checks D12 to authenticate HGWN directly and Sj
indirectly. And Sj checks D6 to authenticate HGWN directly and Ui
indirectly. And HGWN checks D3 to verify Ui and D8 to verify Sj. In
Case 2, Ui checks Z6 to authenticate HGWN and D21 to authenticate Sj
indirectly and FGWN indirectly. HGWN checks D3 to authenticate Ui.
Sj checks D17 to authenticate Ui indirectly and FGWN indirectly. And
FGWN checks D14 to authenticate Ui and D19 to authenticate Sj.

5.5.10. Session key for all three participants

It is obvious that the final session key is for the three participants in
a WSN. But the scheme (Das et al., 2016) does not achieve this.
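
The Case 2 checks named in Sections 5.5.9 and 5.5.10 (D14, D17, D19 and D21, from Steps 4 to 8 of Case 2 in Section 4.4) can be run end to end. The following Python code is an added example, not code from the paper: it assumes XOR between terms outside h() and concatenation inside it (the xor() and con() functions of Section 5.2), SHA-256 as the hash, a 5-second freshness window, and constructed identities and secrets.

```python
import hashlib
import hmac
import os

DELTA_T = 5  # assumed freshness window in seconds; the page gives no value

class Rejected(Exception):
    """Raised when a party aborts the session."""

def h(*parts):
    # Hash over the concatenation of the inputs. SHA-256 and the length
    # prefix (keeps field boundaries unambiguous) are assumptions.
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()

def xor(a, b):
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def ts(t):
    return t.to_bytes(8, "big")

def fresh(now, sent):
    if abs(now - sent) > DELTA_T:
        raise Rejected("timestamp outside window")

def verify(name, tag, *parts):
    if not hmac.compare_digest(tag, h(*parts)):
        raise Rejected(name + " mismatch")

def user_step4(TIDi, Z1, T6):                      # Ui, Step 4
    ru2 = os.urandom(32)
    D13 = xor(Z1, ru2)
    D14 = h(TIDi, Z1, ru2, ts(T6))
    return ru2, (TIDi, D13, D14, T6)               # M5

def fgwn_step5(M5, Z1, xj, IDfg, SIDj, T7):        # FGWN, Step 5
    TIDi, D13, D14, T6 = M5
    fresh(T7, T6)
    ru2 = xor(D13, Z1)
    verify("D14", D14, TIDi, Z1, ru2, ts(T6))
    rfg = os.urandom(32)
    D15, D16 = xor(rfg, xj), xor(ru2, h(rfg))
    D17 = h(IDfg, xj, ru2, rfg, SIDj, ts(T7))
    return (ru2, rfg), (D15, D16, D17, T7)         # M6

def sensor_step6(M6, xj, IDfg, SIDj, T8):          # Sj, Step 6
    D15, D16, D17, T7 = M6
    fresh(T8, T7)
    rfg = xor(D15, xj)
    ru2 = xor(D16, h(rfg))
    verify("D17", D17, IDfg, xj, ru2, rfg, SIDj, ts(T7))
    rs2 = os.urandom(32)
    SKs = h(ru2, rfg, rs2)
    D18 = xor(rs2, rfg)
    D19 = h(IDfg, xj, SKs, SIDj, ts(T8))
    return SKs, (D18, D19, T8)                     # M7

def fgwn_step7(M7, nonces, TIDi, xj, IDfg, SIDj, T9):   # FGWN, Step 7
    (D18, D19, T8), (ru2, rfg) = M7, nonces
    fresh(T9, T8)
    rs2 = xor(D18, rfg)
    SKfg = h(ru2, rfg, rs2)
    verify("D19", D19, IDfg, xj, SKfg, SIDj, ts(T8))
    D20 = xor(rfg, ru2)
    D21 = h(IDfg, TIDi, SKfg, SIDj, ts(T9))
    return SKfg, (D18, D20, D21, T9)               # M8

def user_step8(M8, ru2, TIDi, IDfg, SIDj, T10):    # Ui, Step 8 (key part only)
    D18, D20, D21, T9 = M8
    fresh(T10, T9)
    rfg = xor(D20, ru2)
    rs2 = xor(D18, rfg)
    SKu = h(ru2, rfg, rs2)
    verify("D21", D21, IDfg, TIDi, SKu, SIDj, ts(T9))
    return SKu

def run_case2(tamper_d16=False, sensor_delay=0):
    # Constructed identities and secrets, for illustration only.
    IDfg, SIDj, TIDi = b"FGWN-01", b"SID-0042", os.urandom(16)
    xfg = os.urandom(32)
    xj = h(SIDj, xfg)          # Step 2: sensor key known to FGWN and Sj
    Z1 = h(TIDi, IDfg, xfg)    # Step 2: reaches Ui through HGWN inside Z3
    t = 1_000                  # constructed clock, in seconds
    ru2, M5 = user_step4(TIDi, Z1, t)
    nonces, M6 = fgwn_step5(M5, Z1, xj, IDfg, SIDj, t + 1)
    if tamper_d16:             # one bit of D16 altered in transit
        D15, D16, D17, T7 = M6
        M6 = (D15, xor(D16, b"\x01" + bytes(31)), D17, T7)
    SKs, M7 = sensor_step6(M6, xj, IDfg, SIDj, t + 2 + sensor_delay)
    SKfg, M8 = fgwn_step7(M7, nonces, TIDi, xj, IDfg, SIDj, t + 3 + sensor_delay)
    SKu = user_step8(M8, ru2, TIDi, IDfg, SIDj, t + 4 + sensor_delay)
    return SKu, SKfg, SKs

if __name__ == "__main__":
    print("keys agree:", len(set(run_case2())) == 1)
```

A modified D16 is caught by the sensor's D17 check, and a message delayed past the window is rejected before any hash is computed.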

Fig. 8. Results for the queries.

6. Performance evaluation

We evaluate and compare our scheme with those presented in Amin and Biswas (2016) and Das et al. (2016) for the performance, in terms of the following:


Tm (time of one scalar multiplication on elliptic curve) is 0.427576 ms (Wu et al., 2016a).
TRep (time of a Rep operation for biometrics) is approximately Tm (Das, 2016).
Ts (time of one average symmetric encryption/decryption) is 0.0214385 ms (Wu et al., 2016a).
Th (time of a one-way hash function) is 0.0000328 ms (Wu et al., 2016a).
The bit lengths of hash output, random nonce/number, identity and timestamp are assumed to be 160 bits (if we use SHA-1 hash algorithm), 160 bits, 160 bits, and 32 bits, respectively. The bit length of a sensor node is assumed to be 32 bits.

The comparative summary is shown in Table 3, and described below:

For the aspect of user time in the two cases, the time cost of our scheme is only 0.0001 ms more than (Amin and Biswas, 2016) for both cases. And it is better than (Das et al., 2016).
For the aspect of HGWN time, our scheme is in the middle in Case 1 and costs most in Case 2. The reason is that HGWN needs to calculate the data for Ui's next session. Such calculations are necessary for security of our scheme.
FGWN time only happens in Case 2. Our scheme is the same as the scheme in Amin and Biswas (2016), and is better than the scheme in Das et al. (2016).
In both Case 1 and Case 2, our scheme costs the least in sensor time and is much better than (Das et al., 2016).
Considering all transmitted messages, our scheme takes more communication cost as compared to other schemes (Amin and Biswas, 2016; Das et al., 2016). This is justifiable because the proposed scheme offers better security as compared to other schemes.
The storage of smart card in our scheme is equal to the scheme in Amin and Biswas (2016) and is much better than the scheme in Das et al. (2016). The main reason is that the smart card in Das et al. (2016) must store some parameters such as identity of FGWN and login parameters for FGWN. In our scheme and Amin and Biswas (2016), there is no storage burden like that.
The most important index is the security. From Table 2, our scheme satisfies all requirements while the other two cannot.

So our scheme is applicable for practical deployment.

Table 2
Comparative summary: security.

Property                                 Our scheme    Das et al. (2016)    Amin and Biswas (2016)

Resistance to insider attack
Resistance to off-line guessing attack
Resistance to user forgery attack
Resistance to gateway forgery attack
Resistance to sensor forgery attack
Resistance to sensor capture attack
Resistance to user tracking attack
Resistance to session key leakage
Mutual authentication
Session key for all three participants

Table 3
Comparative summary: performance.

                                        Our scheme               Das et al. (2016)                     Amin and Biswas (2016)
Time for user (ms)                      Case 1: 9Th=0.0002592    Case 1: TRep + Ts + 10Th 0.4493425    Case 1: 7Th=0.0002296
                                        Case 2: 11Th=0.0003608   Case 2: TRep + 2Ts + 9Th 0.4707122    Case 2: 8Th=0.0002624
Time for HGWN (ms)                      Case 1: 11Th=0.0003608   Case 1: 2Ts + 5Th = 0.043041          Case 1: 8Th=0.0002624
                                        Case 2: 7Th=0.0002296    Case 2: 0                             Case 2: Th=0.0000328
Time for FGWN (ms)                      Case 1: 0                Case 1: 0                             Case 1: 0
                                        Case 2: 7Th=0.0002296    Case 2: 2Ts + 5Th = 0.043041          Case 2: 7Th=0.0002296
Time for sensor (ms)                    Case 1: 4Th=0.0001312    Case 1: Ts + 4Th = 0.0215697          Case 1: 5Th=0.000164
                                        Case 2: 4Th=0.0001312    Case 2: Ts + 3Th = 0.0215369          Case 2: 5Th=0.000164
Communication Cost (bits)               Case 1: 2688             Case 1: 1696                          Case 1: 2016
                                        Case 2: 4480             Case 2: 3468                          Case 2: 3616
Storage cost in smart card (bits)       640                      7180                                  640
Satisfactory for security requirements  Yes                      No                                    No

7. Practical perspective: NS2 simulation study

The proposed scheme is simulated using the widely-accepted NS2 simulator tool to provide the practical perspective.

7.1. Simulation parameters

We have simulated our scheme on a Ubuntu 14.04 LTS platform using the NS2 2.35 simulator. NS2 is widely used for the discrete event simulations of different protocols, such as TCP/UDP protocols, routing protocols (i.e., AODV), and multicast protocols over wired and wireless networks (Issariyakul and Hossain, 2011). The values of different types of network parameters used in simulation are given in Table 4. The simulation time is taken as 1800 s (30 min).

7.2. Simulation environment

We have considered three different network simulation scenarios


for Case-1 of the proposed scheme. In a similar way, the Case-2 of the proposed scheme can also be simulated. In each scenario, we have four login and authentication & key agreement messages, which are {IDhg, TIDi, SIDj, D1, D2, D3, T1}, {D4, D5, D6, T2}, {D7, D8, T3} and {D7, D9, D10, D11, D12, T4} of 992 bits, 512 bits, 352 bits, and 832 bits, respectively.

Table 4
Simulation parameters.

Parameter                                     Description
Platform                                      Ubuntu 14.04 LTS
Tool used                                     NS2 2.35
Deployment area                               400 m × 40 m
Number of home gateway nodes                  4 (for scenarios 1, 2, 3)
Number of users                               4 (for scenarios 1, 2, 3)
Number of sensors                             20 (for Scenario 1)
                                              40 (for Scenario 2)
                                              60 (for Scenario 3)
Communication range of home gateway nodes     200 m
Communication range of sensors                25 m
Simulation time                               1800 s

We have considered the following three network scenarios in our simulation:

Scenario 1. It has four HGWNs, four users and 20 sensors.
Scenario 2. It has four HGWNs, four users and 40 sensors.
Scenario 3. It has four HGWNs, four users and 60 sensors.

7.3. Discussion on simulation results

Different network performance parameters, such as throughput (in bps), end-to-end delay (in seconds) and packet delivery ratio are computed during the simulation.

7.3.1. Impact on throughput
Throughput of the proposed scheme is computed as the number of bits transmitted per unit time. The throughput can be calculated by $\text{Throughput} = \frac{n_r \, n_{pkt}}{T_d}$, where $T_d$ is the total time (in seconds), $n_{pkt}$ the size of a packet, and $n_r$ the total number of received packets. Throughput (in bps) of the proposed scheme under three different scenarios is given in Fig. 9. Scenarios 1, 2 and 3 have throughput values of 33.90 bps, 62.27 bps and 91.79 bps, respectively. The throughput values increase with the increasing number of sensor nodes, because users communicate (authenticate) with more sensor nodes, and as a result, the number of exchanged messages is high from scenarios 1-2, and also from scenarios 2-3.

Fig. 9. Throughput (y-axis: throughput (bps); x-axis: scenarios 1, 2 and 3).

7.3.2. Impact on end-to-end delay
The end-to-end delay (EED) is derived as the average time taken by packets to arrive at a destination from a source. EED can be calculated by using the formula $EED = \sum_{i=1}^{p} (T_{rec_i} - T_{send_i}) / p$, where $T_{rec_i}$ and $T_{send_i}$ are the receiving and sending time of a packet i, respectively, and p the total number of packets. The EEDs of the proposed scheme under scenarios 1, 2 and 3 are given in Fig. 10. The values of EEDs for our scheme are 0.46250 s, 0.64541 s and 0.70712 s for scenarios 1, 2 and 3, respectively. The value of EED increases with the increasing number of sensor nodes. This is because the increment in the number of sensor nodes causes more message exchanges, which further incurs congestion, and thus, the EED increases from scenarios 2 and 3.

Fig. 10. End-to-end delay (plot title: scenarios vs end-to-end delay; y-axis: end-to-end delay (sec); x-axis: scenarios 1, 2 and 3).

7.3.3. Impact on packet delivery ratio
Packet delivery ratio (PDR) is the ratio of total packets sent to the total packets received. PDR values of the proposed scheme under scenarios 1, 2 and 3 are given in Fig. 11. PDRs of our scheme are 0.90, 0.83 and 0.80 for scenarios 1, 2 and 3, respectively. PDR decreases with the increasing number of sensor nodes from scenarios 1-2, and also from scenarios 2-3, because with more sensor nodes, more messages are exchanged, which further causes congestion in the network. As a result, PDR decreases from scenarios 1-2, and also from scenarios 2-3. Since the proposed scheme is lightweight and uses small packet size, PDR decrement is less.

8. Concluding remarks

IoT is a trend that is unlikely to fade anytime soon, and designing lightweight cryptographic schemes suitable for IoT deployment remains a research challenge. In this paper, we pointed out that multi-gateway WSN can help facilitate user in accessing data from different sensor regions (a typical IoT deployment). We first revisited the authentication scheme of Amin and Biswas for multi-gateway WSNs, and despite their security claims, we revealed previously unpublished vulnerabilities (e.g. sensor capture attack, user forgery attack, gateway forgery attack, sensor forgery attack, off-line guessing attack, session key exposure, and no mutual authentication). We then presented a new authentication scheme for multi-gateway WSNs. To demonstrate the security of the scheme, we employed a widely used formal verification tool, ProVerif, as well as providing an informal analysis. We also showed that our scheme outperforms two other related schemes, in terms of performance; thus, it is more suited for IoT deployment where devices installed at the field are generally resource-constrained. Findings from our NS-2 simulation demonstrated the proposed scheme's efficiency, in terms of throughput, end-to-end delay and packet delivery ratio.


Fig. 11. Packet delivery ratio (y-axis: packet delivery ratio; x-axis: scenarios 1, 2 and 3).

Acknowledgements

The authors thank the anonymous reviewers for their valuable comments. This research is supported by Fujian Education and Scientific Research Program for Young and Middle-aged Teachers under Grant No. JA14369, University Distinguished Young Research Talent Training Program of Fujian Province (Year 2016), the National Natural Science Foundation of China under Grant No. 61300220, and the Scientific Research Fund of Hunan Provincial Education Department under Grant no. 16B089. It is also supported by PAPD and CICAEET. Saru Kumari is sponsored by the University Grants Commission, India through UGC-BSR Start-up grant under Grant no. 3(A)(60)31.

References

Althobaiti, O., Al-Rodhaan, M., Al-Dhelaan, A., 2013. An efficient biometric authentication protocol for wireless sensor networks. Int. J. Distrib. Sens. Netw.
Amin, R., Biswas, G., 2016. A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks. Ad Hoc Netw. 36, 58-80.
Amin, R., Islam, S.H., Biswas, G., Khan, M.K., Leng, L., Kumar, N., 2016. Design of anonymity preserving three-factor authenticated key exchange protocol for wireless sensor network. Comput. Netw. 101, 42-62.
Chang, V., Ramachandran, M., 2016. Towards achieving data security with the cloud computing adoption framework. IEEE Trans. Serv. Comput. 9, 138-151.
Chang, V., Kuo, Y.-H., Ramachandran, M., 2016. Cloud computing adoption framework: a security framework for business clouds. Future Gener. Comput. Syst. 57, 24-41.
Chaudhry, S.A., Mahmood, K., Naqvi, H., Khan, M.K., 2015a. An improved and secure biometric authentication scheme for telecare medicine information systems based on elliptic curve cryptography. J. Med. Syst. 39, 1-12.
Chaudhry, S.A., Naqvi, H., Sher, M., Farash, M.S., Hassan, M.U., 2015b. An improved and provably secure privacy preserving authentication protocol for SIP. Peer-to-Peer Netw. Appl.
Chaudhry, S.A., Naqvi, H., Mahmood, K., Ahmad, H.F., Khan, M.K., 2016a. An improved remote user authentication scheme using elliptic curve cryptography. Wirel. Pers. Commun.
Chaudhry, S.A., Khan, I., Irshad, A., Ashraf, M.U., Khan, M.K., Ahmad, H.F., 2016b. A provably secure anonymous authentication scheme for session initiation protocol. Secur. Commun. Netw.
Chaudhry, S.A., 2015. A secure biometric based multi-server authentication scheme for social multimedia networks. Multimed. Tools Appl. 75, 12705-12725.
Chen, T.-H., Shih, W.-K., 2010. A robust mutual authentication protocol for wireless sensor networks. ETRI J. 32, 704-712.
Choi, Y., Lee, D., Kim, J., Jung, J., Nam, J., Won, D., 2014. Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography. Sensors 14, 10081-10106.
Choo, K.-K.R., Boyd, C., Hitchcock, Y., Errors in computational complexity proofs for protocols. In: International Conference on the Theory and Application of Cryptology and Information Security, Springer, pp. 624-643.
Choo, K.-K.R., Boyd, C., Hitchcock, Y., 2006. The importance of proofs of security for key establishment protocols: formal analysis of jan-chen, yang-shen-shieh, kim-huh-hwang-lee, lin-sun-hwang, and yeh-sun protocols. Comput. Commun. 29, 2788-2797.
Choo, K., 2009. Secure Key Establishment. Advances in Information Security, vol. 41.
Das, A.K., Sutrala, A.K., Kumari, S., Odelu, V., Wazid, M., Li, X., 2016. An efficient multi-gateway-based three-factor user authentication and key agreement scheme in hierarchical wireless sensor networks. Secur. Commun. Netw. 9, 2070-2092.
Das, M.L., 2009. Two-factor user authentication in wireless sensor networks. IEEE Trans. Wirel. Commun. 8, 1086-1090.
Das, A.K., 2016. A secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks. Peer-to-Peer Netw. Appl. 9, 223-244.
Farash, M.S., Turkanović, M., Kumari, S., Hölbl, M., 2016. An efficient user authentication and key agreement scheme for heterogeneous wireless sensor network tailored for the internet of things environment. Ad Hoc Netw. 36, 152-176.
Guo, P., Wang, J., Geng, X.H., Kim, C.S., Kim, J.-U., 2014. A variable threshold-value authentication architecture for wireless mesh networks. J. Internet Technol. 15, 929-935.
He, D., Gao, Y., Chan, S., Chen, C., Bu, J., 2010. An enhanced two-factor user authentication scheme in wireless sensor networks. Ad Hoc Sens. Wirel. Netw. 10, 361-371.
He, D., Kumar, N., Shen, H., Lee, J.-H., 2015. One-to-many authentication for access control in mobile pay-tv systems. Sci. China Inf. Sci. 59, 1-14.
Issariyakul, T., Hossain, E., 2011. Introduction to network simulator NS2. Springer US.
Jiang, Q., Ma, J., Lu, X., Tian, Y., 2015a. An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks. Peer-to-Peer Netw. Appl. 8, 1070-1081.
Jiang, Q., Wei, F., Fu, S., Ma, J., Li, G., Alelaiwi, A., 2015b. Robust extended chaotic maps-based three-factor authentication scheme preserving biometric template privacy. Nonlinear Dyn. 83, 2085-2101.
Jiang, Q., Khan, M.K., Lu, X., Ma, J., He, D., 2016. A privacy preserving three-factor authentication protocol for e-health clouds. J. Supercomput. 72, 3826-3849.
Khan, M.K., Alghathbar, K., 2010. Cryptanalysis and security improvements of two-factor user authentication in wireless sensor networks. Sensors 10, 2450-2459.
Khan, M.K., Kumari, S., 2014. An improved user authentication protocol for healthcare services via wireless medical sensor networks. Int. J. Distrib. Sens. Netw.
Kocher, P., Jaffe, J., Jun, B., 1999. Differential Power Analysis. In: Wiener M. (eds) Advances in Cryptology - CRYPTO '99. CRYPTO 1999, pp. 388-397. Lecture Notes in Computer Science, vol 1666. Springer, Berlin, Heidelberg.
Kumar, P., Lee, H.-J., 2011. Cryptanalysis on two user authentication protocols using smart card for wireless sensor networks. In: IEEE Wireless Advanced (WiAd), pp. 241-245.
Kumari, S., Khan, M.K., Atiquzzaman, M., 2015. User authentication schemes for wireless sensor networks: a review. Ad Hoc Netw. 27, 159-194.
Li, X., Niu, J., Khan, M.K., Liao, J., 2013a. An enhanced smart card based remote user password authentication scheme. J. Netw. Comput. Appl. 36, 1365-1371.
Li, X., Ma, J., Wang, W., Xiong, Y., Zhang, J., 2013b. A novel smart card and dynamic id based remote user authentication scheme for multi-server environments. Math. Comput. Model. 58, 85-95.
Li, X., Niu, J., Liao, J., Liang, W., 2015. Cryptanalysis of a dynamic identity-based remote user authentication scheme with verifiable password update. Int. J. Commun. Syst. 28, 374-382.
Ren, Y.-J., Shen, J., Wang, J., Han, J., Lee, S.-Y., 2015. Mutual verifiable provable data auditing in public cloud storage. J. Internet Technol. 16, 317-323.
Shen, J., Tan, H., Moh, S., Chung, I., Liu, Q., Sun, X., 2015a. Enhanced secure sensor association and key management in wireless body area networks. J. Commun. Netw. 17, 453-462.
Shen, J., Tan, H.-W., Wang, J., Wang, J.-W., Lee, S.-Y., 2015b. A novel routing protocol providing good transmission reliability in underwater sensor networks. J. Internet Technol. 16, 171-178.
Shi, W., Gong, P., 2013. A new user authentication protocol for wireless sensor networks using elliptic curves cryptography. Int. J. Distrib. Sens. Netw.
Sun, G., Chang, V., Ramachandran, M., Sun, Z., Li, G., Yu, H., Liao, D., 2016a. Efficient location privacy algorithm for internet of things (iot) services and applications. J. Netw. Comput. Appl.
Sun, G., Liao, D., Li, H., Yu, H., Chang, V., 2016b. L2p2: a location-label based approach for privacy preserving in lbs. Future Gener. Comput. Syst.
Turkanović, M., Brumen, B., Hölbl, M., 2014. A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the internet of things notion. Ad Hoc Netw. 20, 96-112.
Watro, R., Kong, D., Cuti, S.-f., Gardiner, C., Lynn, C., Kruus, P., Tinypk: securing sensor networks with public key technology, In: Proceedings of the 2nd ACM Workshop on Security of Ad hoc and Sensor Networks, ACM, pp. 59-64.
Wu, F., Xu, L., Kumari, S., Li, X., 2015a. An improved and anonymous two-factor authentication protocol for health-care applications with wireless medical sensor networks. Multimed. Syst.
Wu, F., Xu, L., Kumari, S., Li, X., Alelaiwi, A., 2015b. A new authenticated key agreement scheme based on smart cards providing user anonymity with formal proof. Secur. Commun. Netw. 8, 3847-3863.
Wu, F., Xu, L., Kumari, S., Li, X., 2015c. A new and secure authentication scheme for wireless sensor networks with formal proof. Peer-to-Peer Netw. Appl.
Wu, F., Xu, L., Kumari, S., Li, X., 2015d. A novel and provably secure biometrics-based three-factor remote authentication scheme for mobile client-server networks. Comput. Electr. Eng. 45, 274-285.
Wu, F., Xu, L., Kumari, S., Li, X., Das, A.K., Khan, M.K., Karuppiah, M., Baliyan, R., 2016a. A novel and provably secure authentication and key agreement scheme with user anonymity for global mobility networks. Secur. Commun. Netw. 9, 3527-3542.
Wu, F., Xu, L., Kumari, S., Li, X., 2016b. A privacy-preserving and provable user authentication scheme for wireless sensor networks based on internet of things security. J. Ambient Intell. Humaniz. Comput.
Xie, S., Wang, Y., 2014. Construction of tree network with limited delivery latency in homogeneous wireless sensor networks. Wirel. Pers. Commun. 78, 231-246.
Xu, L., Wu, F., 2015a. Cryptanalysis and improvement of a user authentication scheme preserving uniqueness and anonymity for connected health care. J. Med. Syst. 39, 1-9.
Xu, L., Wu, F., 2015b. An improved and provable remote user authentication scheme based on elliptic curve cryptosystem with user anonymity. Secur. Commun. Netw. 8, 245-260.
Xue, K., Ma, C., Hong, P., Ding, R., 2013. A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks. J. Netw. Comput. Appl. 36, 316-323.
Yoo, S.G., Park, K.Y., Kim, J., 2012. A security-performance-balanced user authentication scheme for wireless sensor networks. Int. J. Distrib. Sens. Netw.
