A. Literature Review

This paper mainly classifies the current mainstream authentication protocols into two kinds: single-gateway protocols and multi-gateway protocols.

In 1981, Lamport [3] first proposed a single-factor authentication protocol based on password. In 2004, Watro et al. [4] proposed a user authentication protocol using RSA and Diffie-Hellman algorithms that placed the computationally expensive operations on parties external to WSNs. However, Das [5] pointed out that Watro et al.’s protocol suffered from impersonation attack. In 2006, Wong et al. [6] proposed a dynamic strong password solution to access control in WSNs, which only required simple hash function and XOR operations. However, in 2007, Tseng et al. [7] showed that Wong et al.’s scheme was vulnerable to replay attack and forgery attack, then proposed a lightweight dynamic user authentication scheme for WSNs, which was in possession of many advantages, including resistance to replay attack and forgery attack. Since many schemes relied only on password security, they were vulnerable to off-line password guessing attack. To avoid these problems, two-factor authentication protocols based on password and smart card have been proposed one after another. In 2009, Das [5] established a novel two-factor authentication scheme, where the user is in possession of a password and a smart card. In the same year, Nyang and Lee [8] pointed out that Das’s protocol [5] was vulnerable to off-line password guessing attack, and presented a countermeasure to overcome this drawback. In 2010, Chen and Shih [9] showed Das’s scheme [5] failed to achieve mutual authentication, and they proposed a robust mutual authentication protocol. In 2010, Cheikhrouhou et al. [10] proposed a lightweight authentication scheme based on the symmetric algorithm AES, in which mutual authentication and key establishment mechanisms were used to ensure the confidentiality and data integrity of the protocol. Public key algorithm-based schemes can accomplish more security attributes than symmetric algorithm-based schemes, but they also use up more system resources. In 2011, Yeh et al. [11] found that Chen and Shih’s scheme [9] failed to provide a secure method for updating user passwords and was vulnerable to the insider attack, where the privileged insider can obtain the user’s password. To address these existing issues, they first applied the elliptic curve cryptography (ECC) algorithm and smart card to construct WSNs authentication protocol. Han [12] pointed out that the above protocol cannot provide perfect forward secrecy and cannot achieve mutual authentication or key agreement between user and sensor nodes. In 2013, Shi and Gong [13] established an authentication protocol to achieve perfect forward secrecy, mutual authentication, and key agreement between user and sensor nodes. Choi et al. [14] pointed out that Shi and Gong’s protocol [13] was vulnerable to session key attack, stolen smart card attack, and node energy consumption attack, and improved on these drawbacks. Authentication protocols based on ECC are one of the methods used in authentication protocols in order to improve the security and privacy of RFID systems. In 2016, Dinarvand and Barati [15] examined and compared protocols that utilized this method to establish security. In 2019, a RFID authentication protocol wad presented using ECC for mutual authentication overcome weakness of the existing schemes by Dinarvand and Barati [16]. In 2020, Srinivas et al. [17] came up with a novel user authentication scheme for secure authentication of medical data using Rabin, which could achieve mutual authentication between a user and a wearable sensor node and establish a secret key that is used for future secure communications. In 2021, Wang et al. [18] utilized the ECC to propose an enhanced anonymous authentication scheme for a smart healthcare system. In 2022, Hayouni [19] presented a lightweight authentication protocol for IoT-based WSNs to provide mutual authentication services for connected objects. In 2022, Nezhad et al. [20] proposed a secure routing method to prevent the intrusion of malicious nodes, consisting of star structure, key distribution, and intra-cluster communication. Hossein et al. [21] proposed a three-factor authentication scheme based on the blockchain platform for the IoT environment.

Amin and Biwas [22] first proposed a two-factor based multi-gateway authentication and key agreement protocol for WSNs that was able to ensure user anonymity while resisting password guessing attack, insider attack, stolen verifier attack, etc in. In the same year, Das et al. [23] pointed out that Amin and Biwas’s scheme could not protect user anonymity. Additionally, it was vulnerable to password guessing attack, stolen smart card attack and identity guessing attack. After that, Das et al. proposed a three-factor authentication protocol based on the AES algorithm to solve these problems. However, Wu et al. [24] pointed out that the scheme in [23] also failed to resist the tracking attack and did not have a common session key for three parties. Gou et al. [25] found that the two-factor authentication scheme in [24] could not resist offline password guessing attack and identity guessing attack. In addition, the protocol in [24] was vulnerable to internal privilege attack, user tracing attack and sensor forgery attack. To address the security issues in Wu et al.’s protocol [24], Gou et al. [25] proposed a three-factor authentication protocol for multi-gateway WSNs. In 2017, Srinivas et al. [26] analyzed Amin and Biwas’s scheme [22] in details and proposed an improved three-factor authentication protocol. Wang et al. [27] found that Srinivas et al.’s scheme [26] still suffered from smart card stolen attack, node capture attack, and tracking attack and could not guarantee forward secrecy. In 2019, Lee et al. [28] proposed a three-factor mutual authentication for multi-gateway protocols, in which they needed to register at all gateway nodes if users hoped to use all sensor nodes. In 2022, Dai and Xu [29] found the scheme in [25] was prone to single point of failure, and they proposed a novel elliptic curve cryptograph based three-factor authentication scheme for multi-gateway WSNs that realized smart card revocation, dynamic sensor node addition, and could withstand single point of failure. Zhao et al. [30] presented a novel three-factor authentication and key agreement protocol based on elliptic curve cryptography for IIoT environments, where their scheme can be used in single-gateway environments and can be extended to multi-gateway environments. In 2023, Chen et al. [31] proposed a two-factor multi-gateway authentication protocol based on password and smart card that could resist the joint password and identity guessing with the smart card loss attack.

A majority of schemes leverage ECC operations to ensure they can achieve more security attributes. However, ECC provides more security while producing more overhead. The Rabin mechanism is characterized by its property of computational asymmetry. The encryption performs a modular squaring operation, while the decryption performs a module-square root operation. Rabin’s encryption is significantly less than the ECC point multiple, which is the motivation that the proposed scheme leverages Rabin to build.

B. Our Contributions

1. We proposed a new three-factor user authentication and key agreement scheme using Rabin [32] for multi-gateway WSNs. Due to the lightweight computation of Rabin, it is suitable for devices with limited computational resources, such as sensor nodes. The proposed single-gateway and multi-gateway authentication schemes can also protect user privacy and achieve good forward secrecy due to the introduction of a public key system.

2. The designed authentication protocol is demonstrated to be secure using the random oracle model (ROM) [33]. As a result, the lightweight authentication scheme is secure against the Dolev-Yao adversary model.

3. Scyther [34], a verification tool, is utilized to simulate the security of the proposed protocols, and the results show that our protocols can achieve mutual authentication and can resist many attacks.

C. Organization of the Paper

The remaining sections are organized as follows: In Section II, we present the preliminary information, including the description of Rabin, the network model, and the threat model. In Section III, we propose a novel three-factor authentication and key agreement scheme for single-gateway and multi-gateway WSNs, respectively. In Section IV, we describe formal and informal security analysis and provable security. In Section V, we compare the security and efficiency of our scheme with those of related schemes. Finally, we summarize this article in Section VI.

A. Rabin

In 1979, Rabin [32] proposed a novel public-key cryptography mechanism. Selecting two different large primes $p$ and $q$ that satisfy $p \equiv q \equiv 3\bmod 4$ as the private key and computing $N = pq$ as the public key. The user stores the private key and discloses the public key. Using a public key $N$ to encrypt the message $m$ can obtain ciphertext $c$ , $c = {m^{2}}\bmod N$ . Decryption necessitates the use of the private keys $p,q$ to determine $c\bmod p$ and $c\bmod q$ , respectively. Subsequently, utilizing the Chinese remainder theorem (CRT), only the legitimate user in possession of the private key can calculate the decryption consequences.

The security of the Rabin cryptography mechanism is based on the intractable integer factorization problem. Since the intractable integer factorization problem (IFP) is considered computationally difficult under certain conditions, Rabin can be considered secure. In addition, Rabin is a typical asymmetric algorithm, and its encryption and decryption operations have different computational overheads. Rabin’s encryption operations are lightweight, but the decryption operations consume a significant amount of resources. Therefore, encryption operations are usually performed on the side of sensor nodes with limited resources, and decryption operations can be performed on the side of gateway nodes with strong computing power.

B. Network Model

According to literature [22], [24], [26], the network model used in the home region is a standard model for a single-gateway environment and consists of three types of entities: user nodes, gateway nodes, and sensor nodes, as shown in Figure 1. In this architecture, three types of entities can authenticate each other through two complete rounds of information interaction, which can be extended to a multi-gateway architecture. WSNs are typically unattended networks that cannot be physically changed on a large scale once they have been deployed. Due to the limited memory and computing power of sensor nodes, it is a great burden for edge sensors and gateway nodes to receive and send messages when the network size is too large or the distance is too long. Therefore, more gateways need to be extended to increase the network’s capacity. Figure 2 shows us a multi-gateway architecture. In steps 1–4, the Home Gateway Node (HGWN) helps to establish the trust connection between the user and the Foreign Gateway Node (FGWN), and in steps 5–8, the user accesses the sensor via the FGWN.

FIGURE 1.

Network model of HGWN.

Show All

FIGURE 2.

Network model of FGWN.

Show All

C. Threat Model

Dolev-Yao threat model [35] is often used to formally analyze authentication protocols in communication networks, where the model assumes that two communication entities communicate over an insecure channel. WSNs can adopt a similar threat model where the channel is insecure and the terminal points cannot be generally trusted. Dolev-Yao threat model defines the precise mathematical model, and the basic assumptions listed are as follows:

1. In a perfect public key system:

   1. The one-way hash functions used are unbreakable.

   2. The public directory is secure and cannot be tampered with.

2. We will assume the following about an adversary $\mathscr {A}$ :

   1. An adversary can obtain any message passing through the network.

   2. An adversary can be a legitimate user of a network and, in particular, can initiate a conversation with any other user.

   3. An adversary will be able to act as a receiver for any sender.

A. Initialization Phase

During the initialization phase, SA selects the identity $SI{D_{j}}$ for each sensor, sharing this global devices list with all gateways. After that, SA selects two different large random numbers ${p_{h}},{q_{h}}$ for home gateway node (HGWN), ${p_{h}} \equiv {q_{h}} \equiv 3\bmod 4$ (${p_{h}},{q_{h}}$ are congruent with module 4) and computes the public key ${N_{h}} = {p_{h}}{q_{h}}$ . In the same way as above, the foreign gateway node (FGWN) gets a pair of private keys, which are two different large prime numbers ${p_{f}},{q_{f}}$ , where ${p_{f}} \equiv {q_{f}} \equiv 3\bmod 4$ (${p_{f}},{q_{f}}$ are congruent with module 4). FGWN computes the public key ${N_{f}} = {p_{f}}{q_{f}}$ . Finally, two cryptographic collision-resistant one-way hash functions $h_{1}( \cdot ):{\{ 0,1\} ^{*}} \to {\{ 0,1\} ^{l}}$ and $h_{2}( \cdot ):{\{ 0,1\} ^{*}} \to {\{ 0,1\} ^{*}}$ are selected, where ${l}$ is the output length of hash function. Table 1 shows the symbols used in this paper.

TABLE 1 Symbol Description

B. User Registration Phase

Biometric features are added in this scheme to improve the security of the system and can be well used in the setting of an authentication scheme because of their uniqueness. Compared with low-entropy passwords, biometric features also have the advantages of being difficult to forge and share and not being easy to lose. Figure 3 illustrates the registration procedure.

• Step 1:

  ${U_{i}}$ inputs his/her own identity $I{D_{i}}$ , password $P{W_{i}}$ and the biometric information $BI{O_{i}}$ . After that, the fuzzy extractor computes biometric key data ${\sigma _{i}}$ and common parameter ${\theta _{i}}$ using $Gen(BIO_{i}) \to ({\sigma _{i}},{\theta _{i}})$ . The common parameter ${\theta _{i}}$ is stored in ${SC_{i}}$ . Next, ${U_{i}}$ computes $HI{D_{i}} = h_{1}(I{D_{i}}||{\sigma _{i}})$ and $HP{W_{i}} = h_{1}(P{W_{i}}||{\sigma _{i}})$ , and transmits $\left \{{ HI{D_{i}},HP{W_{i}}}\right \}$ to HGWN over a secure connection.

• Step 2:

  After getting the messages $HI{D_{i}}$ and $HP{W_{i}}$ from ${U_{i}}$ , HGWN creates a random number ${r_{h}}$ , and computes ${A_{i}} = h_{1}(HI{D_{i}}||{p_{h}}||{q_{h}}||{r_{h}}) \oplus HI{D_{i}}$ , ${B_{i}} = h_{1}(HI{D_{i}}||{r_{h}}||HP{W_{i}})$ , and ${C_{i}} = HI{D_{i}} \oplus {r_{h}}$ . The long-term secret $\{ HI{D_{i}},{r_{h}}\}$ is stored in HGWN’s memory. HGWN delivers a message $\left \{{ {A_{i},{B_{i}},{C_{i}}} }\right \}$ to ${U_{i}}$ over a secure connection.

• Step 3:

  After receiving the message $\left \{{ {A_{i},{B_{i}},{C_{i}}} }\right \}$ , long-term secret $\left \{{ {A_{i},{B_{i}},{C_{i}},{\theta _{i}}} }\right \}$ is preserved in ${U_{i}}$ ’s ${SC_{i}}$ .

FIGURE 3.

User registration phase.

Show All

C. Sensor Registration Phase

Each sensor node is given a distinct identity by SA. In order to register, $S{N_{j}}$ transmits its own identity $SID_{j}$ to the nearby HGWN over a secure channel. The registration procedure is described in Figure 4.

• Step 1:

  $S{N_{j}}$ utilizes a secure connection to convey its own identity $SID_{j}$ to the nearest HGWN.

• Step 2:

  After receiving the message from $S{N_{j}}$ , HGWN computes ${A_{gs}} = h_{1}(SI{D_{j}}||{p_{h}}||{q_{h}})$ and maintains the long-term secret $\{ SI{D_{j}},{A_{gs}}\}$ in its memory. Then HGWN transmits message ${A_{gs}}$ to $S{N_{j}}$ over a secure connection.

• Step 3:

  When $S{N_{j}}$ receives the message ${A_{gs}}$ , $S{N_{j}}$ preserves the long-term secret $\{ SI{D_{j}},{A_{gs}}\}$ in its own memory.

FIGURE 4.

Sensor registration phase.

Show All

D. User Login Phase

Before ${U_{i}}$ enters his/her identity $ID_{i}$ , password $PW_{i}$ , and biometric information $BIO_{i}$ , ${U_{i}}$ inserts his/her smart card $SC_{i}$ into a terminal. Next, the terminal utilizes a fuzzy extractor to recover the biometric key data ${\sigma _{i}}$ , that is $Rep(BIO_{i},{\theta _{i}}) \to \sigma _{i}$ . After that, the terminal figures out $HID_{i} = h_{1}(ID_{i}||\sigma _{i})$ and $HPW_{i} = h_{1}(PW_{i}||\sigma _{i})$ , and reads the secret parameters stored in its memory, computing $r_{h}^{*} = HID_{i} \oplus {C_{i}}$ and $B_{i}^{*} = h_{1}(HID_{i}||r_{h}^{*}||HPW_{i})$ . The terminal verifies $B_{i}^{*}\mathop = \limits ^{?} {B_{i}}$ . When the verification is successful, ${U_{i}}$ is able to log in. Otherwise, the login request will be rejected and no further procedure will be carried out.

If user login is successful, generating a random number ${\mathrm{ }}{r_{u}}$ , timestamp ${T_{1}}$ , two large prime numbers ${p_{u}},{q_{u}}$ and public key ${N_{u}} = {p_{u}} \cdot {q_{u}}$ , user calculates ${A_{h}} = {A_{i}} \oplus HID_{i}$ , ${M_{1}} = {(HID_{i}||I{D_{hg}}||SI{D_{j}}||{N_{u}}||{r_{u}}||r_{h}^{*})^{2}}~mod~{N_{h}}$ and ${M_{2}} = h_{1}(HID_{i}||{r_{u}}||{A_{h}}||{N_{u}}||{M_{1}}||{T_{1}})$ . Figure 5 demonstrates the entire procedure.

FIGURE 5.

User login phase.

Show All

E. Authentication and Key Agreement Phase in HGWN

When ${U_{i}}$ requires access to the $S{N_{j}}$ in the home region where the $S{N_{j}}$ ’s identity is in the registered devices database of HGWN, no foreign gateway is required. The mutual authentication between ${U_{i}}$ and $S{N_{j}}$ and the establishment of session keys can be performed through the HGWN only. The network model of the system is shown in Figure 6.

FIGURE 6.

HGWN model.

Show All

Next, the authentication and key agreement phase in HGWN is described in the following steps, as shown in Figure 7.

• Step 1:

  ${U_{i}}$ forwards the message $\left \{{ {M_{1}},{M_{2}},{T_{1}} }\right \}$ to the closest HGWN.

• Step 2:

  When HGWN receives the message from ${U_{i}}$ , HGWN obtains the current timestamp $T_{1}^{*}$ and verifies $T_{1}$ ’s validity, i.e., $|T_{1}^{*} - {T_{1}}| < \Delta T$ . HGWN will refuse the current session if the timestamp $T_{1}$ is out of date. Otherwise, HGWN decrypts $M_{1}$ with its own private keys ${p_{h}},{q_{h}}$ and then obtains $HID_{i},I{D_{hg}},SI{D_{j}},{N_{u}},{r_{u}},r_{h}^{*}$ . Then HGWN checks whether $r_{h}^{*}$ is equal to ${r_{h}}$ preserved in its own memory. If $r_{h}^{*} = {r_{h}}$ , then it performs subsequent calculations, otherwise, it aborts the current session. HGWN computes $A_{h}^{*} = h_{1}(HID_{i}||{p_{h}}||{q_{h}}||r_{h}^{*})$ and $M_{2}^{*} = h_{1}(HID_{i}||{r_{u}}||A_{h}^{*}||{N_{u}}||{M_{1}}||{T_{1}})$ and verifies whether $M_{2}^{*}$ is equal to the received ${M_{2}}{\mathrm{ }}$ . If $M_{2}^{*} \ne {M_{2}}{\mathrm{ }}$ , the current session is terminated. Otherwise, HGWN creates a random number ${\mathrm{ }}{r_{hg}}$ , a new timestamp ${T_{2}}$ , and computes ${A_{gs}} = h_{1}(SI{D_{j}}||{p_{h}}||{q_{h}})$ , ${M_{3}} = (HI{D_{i}}||{r_{u}}||{r_{hg}}||{N_{u}}) \oplus h_{2}({A_{gs}}||{T_{2}}||SI{D_{j}})$ and ${M_{4}} = h_{1}(HI{D_{i}}||SI{D_{j}}||{r_{hg}}||{N_{u}}||{A_{gs}}||{T_{2}})$ . Finally, HGWN transmits the message $\left \{{{M_{3}},{M_{4}},{T_{2}}}\right \}$ to $S{N_{j}}$ .

• Step 3:

  After receiving the message HGWN sent, $S{N_{j}}$ acquires the current timestamp $T_{2}^{*}$ and checks $T_{2}$ ’s validity, i.e., $|T_{2}^{*} - {T_{2}}| < \Delta T$ . If the timestamp $T_{2}$ is out of date, ${SN_{j}}$ rejects the current session. Otherwise, $S{N_{j}}$ computes $h_{2}({A_{gs}}||{T_{2}}||SI{D_{j}})$ and calculates $h_{2}({A_{gs}}||{T_{2}}||SI{D_{j}}) \oplus {M_{3}}$ to obtain $(HI{D_{i}}||{r_{u}}||{r_{hg}}||{N_{u}})$ . $S{N_{j}}$ computes $M_{4}^{*} = h_{1}(HI{D_{i}}||SI{D_{j}}~||{r_{hg}}||{N_{u}}||{A_{gs}}||{T_{2}})$ and checks whether $M_{4}^{*}$ is equal to the received ${M_{4}}$ . If $M_{4}^{*} \ne {M_{4}}{\mathrm{ }}$ , $S{N_{j}}$ aborts the current session. Otherwise, $S{N_{j}}$ creates a random number ${r_{s}}$ , a new timestamp ${T_{3}}$ , and computes ${M_{5}} = {(HI{D_{i}}||SI{D_{j}}||{A_{gs}}||{r_{s}})^{2}}\mod {N_{u}}$ , $SK = h_{1}(HI{D_{i}}||SI{D_{j}}||{r_{u}}||{r_{s}})$ , $M_{6} = {(h_{1}(SK||{A_{gs}}))^{2}}\bmod {N_{h}}$ , ${M_{7}} = h_{1}(HI{D_{i}}||SI{D_{j}}||{r_{hg}}||{A_{gs}}||{M_{5}}||{M_{6}}||{\mathrm{ }}{T_{3}})$ and ${M_{8}} = h_{1}(HI{D_{i}}||SI{D_{j}}||SK||{r_{u}}||{r_{s}}||{M_{5}})$ . Finally, $S{N_{j}}$ sends the message $\left \{{{M_{5}},{M_{6}},{M_{7}},{M_{8}},{T_{3}}}\right \}$ to HGWN.

• Step 4:

  After receiving the message from $S{N_{j}}$ , HGWN first obtains the current timestamp $T_{3}^{*}$ and checks $T_{3}$ ’s validity, i.e., $|T_{3}^{*} - {T_{3}}| < \Delta T$ . HGWN cancels the current session if the timestamp $T_{3}$ is not current. Otherwise, HGWN computes $M_{7}^{*} = h_{1}(HI{D_{i}}||SI{D_{j}}||{r_{hg}}~||{A_{gs}}||{M_{5}}||{M_{6}}||{\mathrm{ }}{T_{3}})$ , and inspects $M_{7}^{*}\mathop = \limits ^{?} {M_{7}}$ . If $M_{7}^{*} \ne {M_{7}}{\mathrm{ }}$ , the current session is terminated by HGWN. Otherwise, HGWN creates a new timestamp ${\mathrm{ }}{T_{4}}$ and figures out ${M_{9}} = h_{1}({M_{5}}||{M_{8}}||{r_{u}}||{A_{h}}||{T_{4}})$ , and finally sends the message $\left \{{{M_{5}},{M_{8}},{M_{9}},{T_{4}}}\right \}$ to ${U_{i}}$ .

• Step 5:

  After getting the message from HGWN, ${U_{i}}$ first acquires the current timestamp $T_{4}^{*}$ and confirms $T_{4}$ ’s validity, i.e., $|T_{4}^{*} - {T_{4}}| < \Delta T$ . If the timestamp $T_{4}$ is not fresh, ${U_{i}}$ aborts the current session. Otherwise, ${U_{i}}$ calculates $M_{9}^{*} = h_{1}({M_{5}}||{M_{8}}||{r_{u}}||{A_{h}}||{T_{4}})$ and verifies whether $M_{9}^{*}$ is equal to the received ${M_{9}}$ . If $M_{9}^{*} \ne {M_{9}}{\mathrm{ }}$ , ${U_{i}}$ rejects the current session. Otherwise, ${U_{i}}$ decrypts ${M_{5}}$ with its own private keys ${p_{u}},{q_{u}}$ and then obtains ${\mathrm{ }}HI{D_{i}},SI{D_{j}},{A_{gs}},{r_{s}}$ and calculates $S{K^{*}} = h_{1}(HI{D_{i}}||SI{D_{j}}||{r_{u}}||{r_{s}})$ and $M_{8}^{*} = h_{1}(HI{D_{i}}||SI{D_{j}}||S{K^{*}}||{r_{u}}||{r_{s}}||{M_{5}})$ , and inspects whether $M_{8}^{*}$ is equal to the received ${M_{8}}$ . If $M_{8}^{*} \ne {M_{8}}{\mathrm{ }}$ , the current session is rejected by ${U_{i}}$ . Otherwise, ${U_{i}}$ calculates ${M_{6}^{*}} = h_{1}(SK^{*}||{A_{gs}})$ and sends ${M_{6}^{*}}$ to HGWN.

• Step 6:

  HGWN decrypts $M_{6}$ using its own private keys $p_{h},q_{h}$ to obtain $h_{1}(SK||{A_{gs}})$ . HGWN checks $M_{6}^{*}\mathop = \limits ^{?} h_{1} (SK||{A_{gs}})$ . If $M_{6}^{*} \ne h_{1}(SK||{A_{gs}})$ , HGWN aborts the current session. Otherwise, the authentication is successful. $U_{i}$ and ${SN}_{j}$ share a session key SK.

FIGURE 7.

Authentication and key agreement in HGWN.

Show All

F. Authentication and Key Agreement Phase in FGWN

If ${U_{i}}$ needs access to $S{N_{j}}$ in the foreign region, where $SI{D_{j}}$ is not in HGWN’s database of registered devices, it is necessary to use a foreign gateway to authenticate between ${U_{i}}$ and $S{N_{j}}$ . In this case, the network model of the system is shown in Figure 8.

FIGURE 8.

FGWN model.

Show All

The authentication and key agreement phase in FGWN is described in the following steps, as shown in Figure 9 and Figure 10.

• Step 1:

  ${U_{i}}$ generates the message $\left \{{{M_{1}},{M_{2}},{T_{1}}}\right \}$ as in user login phase, and transmits it to the nearest HGWN.

• Step 2:

  When HGWN receives the message from ${U_{i}}$ , HGWN acquires the current timestamp $T_{1}^{*}$ and checks $T_{1}$ ’s availability, i.e., $|T_{1}^{*} - {T_{1}}| < \Delta T$ . If the timestamp $T_{1}$ is not fresh, HGWN aborts the current session. Otherwise, HGWN decrypts $M_{1}$ with its own private keys ${p_{h}},{q_{h}}$ and then obtains $HID_{i},I{D_{hg}},SI{D_{j}},{N_{u}},{r_{u}},r_{h}^{*}$ . Then HGWN verifies whether $r_{h}^{*}$ is equal to ${r_{h}}$ in its own memory. If $r_{h}^{*} = {r_{h}}$ , then it performs subsequent calculations, otherwise, it aborts the current session. HGWN computes $A_{h}^{*} = h_{1}(HID_{i}||{p_{h}}||{q_{h}}||r_{h}^{*})$ and $M_{2}^{*} = h_{1}(HID_{i}||{r_{u}}||A_{h}^{*}||{N_{u}}||{M_{1}}||{T_{1}})$ , and verifies whether $M_{2}^{*}$ is equal to the received ${M_{2}}$ . If $M_{2}^{*} \ne {M_{2}}{\mathrm{ }}$ , HGWN terminates the current session. In WSNs, HGWN broadcasts the destination sensor identity $SID_{j}$ to the remaining gateway nodes. If any FGWN detects $SID_{j}$ in its database, it will respond to HGWN. At this point, the FGWN generates a random number $r_{fn}$ and computes ${M_{3}} = {(SI{D_{j}}||{N_{f}}||{r_{fn}})^{2}}\bmod {N_{h}}$ , where $N_{h}$ is the public key of the HGWN. FGWN sends $M_{3}$ as the reaction to the HGWN. Then HGWN will contact this FGWN in the following steps. HGWN decrypts $M_{3}$ using its own private keys and obtains ${SID_{j}},{N_{f}},{r_{fn}}$ . HGWN creates a new timestamp $T_{2}$ and calculates ${M_{4}} = {(HI{D_{i}}||SI{D_{j}}||{A_{h}}||{r_{h}}||{T_{2}})^{2}}\bmod {N_{f}}$ , where $N_{f}$ is the public key of the above FGWN. HGWN computes $M_{5} = h_{1}(HI{D_{i}}||{r_{h}}||{A_{h}}||{M_{4}}||{r_{fn}}||{T_{2}})$ In the end, HGWN sends the message ${\left \{{{M_{4}},{M_{5}}}\right \}}$ to FGWN.

• Step 3:

  After acquiring the message from HGWN, FGWN decrypts ${M_{4}}$ with its own private keys ${p_{f}},{q_{f}}$ to obtain $HI{D_{i}},SI{D_{j}},{A_{h}},{r_{h}},{T_{2}}$ . FGWN gets the current timestamp $T_{2}^{*}$ and checks $T_{2}$ ’s validity, i.e., $|T_{2}^{*} - {T_{2}}| < \Delta T$ . The current session is rejected by FGWN if the timestamp $T_{2}$ is out of date. Otherwise, FGWN figures out $M_{5}^{*} = h_{1}(HI{D_{i}}||{r_{h}}||{A_{h}}||{M_{4}}||{r_{fn}}||{T_{2}})$ , and checks whether $M_{5}^{*}$ is equal to the received $M_{5}$ . If $M_{5}^{*} \ne {M_{5}}$ , FGWN aborts the current session. Otherwise, FGWN constructs a random number ${r_{f}}$ and a new timestamp ${T_{3}}$ . After that, FGWN computes ${A_{f}} = h_{1}(HI{D_{i}}||{p_{f}}||{q_{f}}||{r_{f}})$ , ${M_{6}} = {(HI{D_{i}}||I{D_{fg}}||{A_{f}}||{r_{f}}||{r_{h}}||{T_{3}})^{2}}\bmod {N_{h}}$ . Finally, FGWN computes ${M_{7}} = h_{1}(HI{D_{i}}||{A_{f}}||{M_{6}}||{r_{f}}||{r_{h}}||{T_{3}})$ and then sends the message ${\left \{{{M_{6}},{M_{7}}}\right \}}$ to HGWN.

• Step 4:

  After receiving the message from FGWN, HGWN decrypts $M_{6}$ with its own private keys ${p_{h}},{q_{h}}$ to obtain $HI{D_{i}},I{D_{fg}},{A_{f}},{r_{h}},{r_{f}},{T_{3}}$ . HGWN obtains the current timestamp $T_{3}^{*}$ and checks $T_{3}$ ’s validity, i.e., $|T_{3}^{*} - {T_{3}}| < \Delta T$ . If the timestamp $T_{3}$ is not fresh, HGWN aborts the current session. HGWN checks whether $r_{h}^{*}$ is equal to the received $r_{h}$ . If ${r_{h}^{*}} = r_{h}$ , then it performs the subsequent calculations, otherwise, it aborts the current session. HGWN computes $M_{7}^{*} = h_{1}(HI{D_{i}}||{A_{f}}||{M_{6}}||{r_{f}}||{r_{h}}||{T_{3}})$ and verifies whether $M_{7}^{*}$ is equal to the received $M_{7}$ . If $M_{7}^{*} \ne {M_{7}}$ , HGWN aborts the current session. Otherwise, HGWN generates a new timestamp ${\mathrm{ }}{T_{4}}$ and computes ${M_{8}} = {A_{f}} \oplus {A_{h}}$ , ${M_{9}} = h_{1}(HI{D_{i}}||SI{D_{j}}||{M_{8}}||{A_{f}}||{T_{4}})$ and ${R_{1}} = h_{1}(SI{D_{j}}||HI{D_{i}}||{A_{h}}||{A_{f}}||{T_{4}}) \oplus {r_{f}}$ . Finally, HGWN sends the message $\left \{{{M_{8}},{M_{9}},{T_{4}},{R_{1}}}\right \}$ to ${U_{i}}$ .

• Step 5:

  When ${U_{i}}$ receives the message HGWN transmitted, ${U_{i}}$ first obtains the current timestamp $T_{4}^{*}$ and verifies $T_{4}$ ’s validity, i.e., $|T_{4}^{*} - {T_{4}}| < \Delta T$ . If the timestamp $T_{4}$ is not fresh, ${U_{i}}$ aborts the current session. Otherwise, ${U_{i}}$ calculates $A_{f}^{*} = {M_{8}} \oplus {A_{h}}$ , $r_{f}^{*} = {R_{1}} \oplus h_{1}(SI{D_{j}}||HI{D_{i}}||{A_{h}}||{A_{f}^{*}}||{T_{4}})$ and $M_{9}^{*} = h_{1}(HI{D_{i}}||SI{D_{j}}||{M_{8}}||A_{f}^{*}||{T_{4}})$ . $U_{i}$ inspects whether $M_{9}^{*}$ is equal to the received ${M_{9}}$ . If $M_{9}^{*} \ne {M_{9}}{\mathrm{ }}$ , ${U_{i}}$ aborts the current session. Otherwise, ${U_{i}}$ creates a new random number ${r_{u}}$ , a new timestamp ${T_{5}}$ , and figures out ${M_{10}} = (HID_{i}||SI{D_{j}}||{N_{u}}||{r_{u}}||r_{f}^{*})^{2}\bmod {N_{f}}$ and ${M_{11}} = h_{1}(HID_{i}||{r_{u}}||A_{f}^{*}||{N_{u}}||{M_{10}}||{T_{5}})$ . ${U_{i}}$ sends message $\left \{{{M_{10}},{M_{11}},{T_{5}}}\right \}$ to FGWN.

• Step 6:

  Upon getting the message ${U_{i}}$ sent, FGWN acquires the current timestamp $T_{5}^{*}$ and verifies $T_{5}$ ’s validity, i.e., $|T_{5}^{*} - {T_{5}}| < \Delta T$ . If the timestamp $T_{5}$ is not fresh, the current session is terminated by FGWN. Otherwise, FGWN decrypts $M_{10}$ with its own private keys ${p_{f}},{q_{f}}$ , and then obtains $HID_{i},I{D_{fg}},SI{D_{j}},{N_{u}},{r_{u}},r_{f}^{*}$ . Then FGWN checks whether $r_{f}^{*}$ is equal to ${r_{f}}$ in its own memory. If $r_{f}^{*} = {r_{f}}$ , then it performs subsequent calculations. Otherwise, it terminates the current session. FGWN calculates $A_{f}^{*} = h_{1}(HID_{i}||{p_{f}}||{q_{f}}||r_{f}^{*})$ and $M_{11}^{*} = h_{1}(HID_{i}||{r_{u}}||A_{f}^{*}||{N_{u}}||{M_{10}}||{T_{5}})$ . FGWN inspects whether $M_{11}^{*}$ is equal to the received ${M_{11}}{\mathrm{ }}$ . If $M_{11}^{*} \ne {M_{11}}{\mathrm{ }}$ , FGWN aborts the current session. Otherwise, FGWN produces a random number ${\mathrm{ }}{r_{fg}}$ , a new timestamp ${T_{6}}$ , and computes ${A_{fs}} = h_{1}(SI{D_{j}}||{p_{f}}||{q_{f}})$ , ${M_{12}} = (HI{D_{i}}||{r_{u}}||{r_{fg}}||{N_{u}}) \oplus h_{2}({A_{fs}}||{T_{6}}||SI{D_{j}})$ , and ${M_{13}} = h_{1}(HI{D_{i}}||SI{D_{j}}||{r_{fg}}||{N_{u}}||{A_{fs}}||{T_{6}})$ . Finally, FGWN delivers the message $\left \{{{M_{12}},{M_{13}},{T_{6}}}\right \}$ to $S{N_{j}}$ .

• Step 7:

  After receiving the message FGWN transmitted, $S{N_{j}}$ acquires the current timestamp $T_{6}^{*}$ and checks $T_{6}$ ’s validity, i.e., $|T_{6}^{*} - {T_{6}}| < \Delta T$ . The current session is refused by ${SN_{j}}$ if the timestamp $T_{6}$ is not fresh. Otherwise, $S{N_{j}}$ calculates $h_{2}({A_{fs}}||{T_{6}}||SI{D_{j}})$ and calculates $h_{2}({A_{fs}}||{T_{6}}||SI{D_{j}}) \oplus {M_{12}}$ to obtain $(HI{D_{i}}||{r_{u}}||{r_{fg}}||{N_{u}})$ . $SN_{j}$ computes $M_{13}^{*} = h_{1}(HI{D_{i}}||SI{D_{j}}||{r_{fg}}||{N_{u}}||{A_{fs}}||{T_{6}})$ and checks whether $M_{13}^{*}$ is equal to the received ${M_{13}}$ . If $M_{13}^{*} \ne {M_{13}}{\mathrm{ }}$ , $S{N_{j}}$ aborts the current session. Otherwise, $S{N_{j}}$ creates a random number ${r_{s}}$ , a new timestamp ${T_{7}}$ , and computes ${M_{14}} = {(HI{D_{i}}||SI{D_{j}}||{A_{fs}}||{r_{s}})^{2}}\bmod {N_{u}}$ , $SK = h_{1}(HI{D_{i}}||SI{D_{j}}||{r_{u}}||{r_{s}})$ . $SN_{j}$ computes ${M_{15}} = {({h_{1}}(SK||{A_{fs}}))^{2}}\bmod {N_{f}}$ , ${M_{16}} = h_{1}(HI{D_{i}}||~SI{D_{j}}||{r_{fg}}||{A_{fs}}|| {M_{14}}||{M_{15}}||{\mathrm{ }}{T_{7}})$ and ${M_{17}} = h_{1}(HI{D_{i}}||SI{D_{j}}||SK||{r_{u}}||{r_{s}}||{M_{14}})$ . Finally, $S{N_{j}}$ sends the message $\left \{{M_{14},{M_{15}},M_{16},{M_{17}},{T_{7}}}\right \}$ to FGWN.

• Step 8:

  On receiving the message $S{N_{j}}$ sent, FGWN first gets the current timestamp $T_{7}^{*}$ and inspects $T_{7}$ ’s validity, i.e., $|T_{7}^{*} - {T_{7}}| < \Delta T$ . If the timestamp $T_{7}$ is not fresh, FGWN terminates the current session. Otherwise, FGWN figures out $M_{16}^{*} = h_{1}(HI{D_{i}}||SI{D_{j}}||{r_{fg}}~||{A_{fs}}||{M_{14}}||{M_{15}}||{\mathrm{ }}{T_{7}})$ , and inspects whether $M_{16}^{*}$ is equal to the received ${M_{16}}$ . If $M_{16}^{*} \ne {M_{16}}{\mathrm{ }}$ , FGWN rejects the current session. Otherwise, FGWN creates a new timestamp ${\mathrm{ }}{T_{8}}$ and computes ${M_{18}} = h_{1}({M_{14}}||{M_{17}}||{r_{u}}||{A_{f}}||{T_{8}})$ , and finally sends the message $\left \{{{M_{14}},{M_{17}},{M_{18}},{T_{8}}}\right \}$ to ${U_{i}}$ .

• Step 9:

  When ${U_{i}}$ receives the message FGWN transmitted, ${U_{i}}$ first acquires the current timestamp $T_{8}^{*}$ and verifies $T_{8}$ ’s validity, i.e., $|T_{8}^{*} - {T_{8}}| < \Delta T$ . If the timestamp $T_{8}$ is not fresh, ${U_{i}}$ aborts the current session. Otherwise, ${U_{i}}$ calculates $M_{18}^{*} = h_{1}({M_{14}}||{M_{17}}||{r_{u}}||{A_{f}}||{T_{8}})$ , and verifies whether $M_{18}^{*}$ is equal to the received ${M_{18}}$ . If $M_{18}^{*} \ne {M_{18}}{\mathrm{ }}$ , ${U_{i}}$ terminates the current session. Otherwise, ${U_{i}}$ decrypts ${M_{14}}$ with its own private keys ${p_{u}},{q_{u}}$ , and then obtains ${\mathrm{ }}HI{D_{i}},SI{D_{j}},{A_{fs}},{r_{s}}$ . $U_{i}$ calculates $S{K^{*}} = h_{1}(HI{D_{i}}||SI{D_{j}}||{r_{u}}||{r_{s}})$ , $M_{17}^{*} = h_{1}(HI{D_{i}}||SI{D_{j}}~||S{K^{*}}||{r_{u}}||{r_{s}}||{M_{14}})$ , and inspects whether $M_{17}^{*}$ is equal to the received ${M_{17}}$ . If $M_{17}^{*} \ne {M_{17}}{\mathrm{ }}$ , $U_{i}$ refuses the current session. Otherwise, $U_{i}$ computes ${M_{15}^{*}} = {h_{1}}(SK^{*}||{A_{fs}})$ and sends $M_{15}^{*}$ to FGWN.

• Step 10:

  FGWN decrypts $M_{15}$ using its own private keys $p_{f},q_{f}$ to obtain $h_{1}(SK||{A_{fs}})$ . FGWN checks $M_{15}^{*}\mathop = \limits ^{?} h_{1}(SK||{A_{fs}})$ . If $M_{15}^{*} \ne h_{1}(SK||{A_{fs}})$ , FGWN aborts the current session. Otherwise, the authentication is successful. $U_{i}$ and ${SN}_{j}$ share a session key SK.

FIGURE 9.

Authentication and key agreement phase 1 in FGWN.

Show All

FIGURE 10.

Authentication and key agreement phase 2 in FGWN.

Show All

G. User Password Update Phase

The user password update phase does not need the help of the gateway. When a user needs to update his/her password information, the user needs to input his/her identity $ID_{i}$ , old password $PW_{i}^{old}$ , and biometric information $BIO_{i}$ . Then the terminal regenerates the secret data ${\sigma _{i}}$ , i.e., $Rep(BIO_{i},{\theta _{i}}) \to \sigma _{i}$ . After that, the terminal computes $HID_{i} = h_{1}(ID_{i}||\sigma _{i})$ and $HPW_{i}^{old} = h_{1}(PW_{i}^{old}||\sigma _{i})$ , and reads the secret parameters stored in ${SC_{i}}$ to compute $r_{h}^{*} = HID_{i} \oplus {C_{i}}$ and $B_{i}^{*} = h_{1}(HID_{i}||r_{h}^{*}||HPW_{i}^{old})$ . The terminal verifies $B_{i}^{*}\mathop = \limits ^{?} {B_{i}}$ . If $B_{i}^{*} = {B_{i}}$ , ${U_{i}}$ login is successful. After that, ${U_{i}}$ inputs his/her new password $PW_{i}^{new}$ . The terminal calculates $HPW_{i}^{new} = h_{1}(PW_{i}^{new}||\sigma _{i})$ and updates $B_{i}^{new} = h_{1}(HI{D_{i}}||{r_{h}}||HPW_{i}^{new})$ stored in ${SC_{i}}$ . Then a password update is completed.

A. Formal Verification

This subsection focuses on the security of the proposed authentication scheme, utilizing the Dolev-Yao model as the foundation and the Scyther [34] formal analysis tool in order to more comprehensively and systematically assess the security of our proposed scheme. Since the authentication and key agreement phase is the core of this scheme and this phase runs on an insecure wireless public channel, this subsection focuses on the security simulation of the authentication and key agreement.

Figure 11 shows the result of the formal security analysis of the HGWN’s authentication and key agreement. Similarly, the analysis of FGWN’s result is shown in Figure 12. From the simulation results, it can be seen that the scheme successfully passes the security check of Scyther, which verifies its security and functionality.

FIGURE 11.

Formal verification result in HGWN.

Show All

FIGURE 12.

Formal verification result in FGWN.

Show All

B. Informal Security Analysis

C. Provable Security

2) Procedure of Provable Security

Definition 1:

$P$ is used to represent the security authentication scheme described in this section, $A$ is used to represent $\mathscr {A}$ who can break our scheme in polynomial time, and $D$ is used to represent the uniformly distributed password dictionary. ${q_{hash}}$ , $|hash|$ , ${q_{send}}$ , $|D|$ and $Adv_{p}^{IFP}$ are respectively used to represent the number of one-way hash queries, the space of one-way hash functions, the number of queries, the size of $D$ and the advantage of $\mathscr {A}$ corrupt $IFP$ . Hash function is modeled as a random oracle. There are

$$\begin{equation*} Adv_{p}^{AKA}( \mathscr {A} ) \le \frac {{{{({q_{hash}})}^{2}}}}{|Hash|} + \frac {{2{q_{send}}}}{D} + 2Adv_{p}^{IFP} \tag{1}\end{equation*}$$ View Source\begin{equation*} Adv_{p}^{AKA}( \mathscr {A} ) \le \frac {{{{({q_{hash}})}^{2}}}}{|Hash|} + \frac {{2{q_{send}}}}{D} + 2Adv_{p}^{IFP} \tag{1}\end{equation*}

Proof:

Game 0~4 are defined to describe the entire process. For each $Game$ , defining the event $WG_{0}$ represents $\mathscr {A}$ performing $Test\left({{\prod ^{t}}}\right)$ query and successfully guessing the bit ${b}$ to win the game.

Game 0: This game simulates a real attack on the protocol by the adversary $\mathscr {A}$ . At the start, choosing bit ${b}$ , according to the above definition, there is:

$$\begin{equation*} Adv_{p}^{AKA}( \mathscr {A} ) = |2Pr|W{G_{0}}| - 1| \tag{2}\end{equation*}$$ View Source\begin{equation*} Adv_{p}^{AKA}( \mathscr {A} ) = |2Pr|W{G_{0}}| - 1| \tag{2}\end{equation*}

Game 1: In this game, $\mathscr {A}$ is able to perform $Execute\left({{\prod ^{u}},{\prod ^{v}},{\prod ^{t}}}\right)$ query to simulate an eavesdropping attack. By performing $Test$ query, $\mathscr {A}$ can determine its return value as a session key or a random string. Analyzing the session key generates, where the user generates $HI{D_{i}},{r_{u}},{M_{1}}$ , the sensor node generates $SI{D_{j}},{r_{s}},{M_{5}}$ . $\mathscr {A}$ cannot compute the session key without the above secret values. Accordingly,

$$\begin{equation*} Pr|W{G_{1}}| = Pr|W{G_{0}}| \tag{3}\end{equation*}$$ View Source\begin{equation*} Pr|W{G_{1}}| = Pr|W{G_{0}}| \tag{3}\end{equation*}

Game 2: Game 2 adds the oracles $Send$ and $Hash$ to the foundation of Game 1. In this game, the active attack is mainly simulated, where the attack tries to forge legitimate information by repeatedly querying the random oracle Hash to generate collisions. However, since all the messages transmitted in the channel contain random numbers and entity identifiers, the oracle $Send$ will not generate collisions. According to the birthday paradox, it is obtained that:

$$\begin{equation*} Pr|W{G_{2}}| - Pr|W{G_{1}}| \le \frac {{q_{hash}^{2}}}{2|Hash|} \tag{4}\end{equation*}$$ View Source\begin{equation*} Pr|W{G_{2}}| - Pr|W{G_{1}}| \le \frac {{q_{hash}^{2}}}{2|Hash|} \tag{4}\end{equation*}

Game 3: Game 3 adds the oracle CorruptMobileDevice $\left({\prod _{U_{i}}^{u},a}\right)$ to the foundation of Game 2. This game mainly simulates a user’s mobile device theft attack combined with a dictionary attack, where $\mathscr {A}$ tries to obtain the user’s password. Suppose that the times that $\mathscr {A}$ enters the wrong password are limited by the system, thus it is obtained that:

$$\begin{equation*} Pr|W{G_{3}}| - Pr|W{G_{2}}| \le \frac {{{q_{send}}}}{|D|} \tag{5}\end{equation*}$$ View Source\begin{equation*} Pr|W{G_{3}}| - Pr|W{G_{2}}| \le \frac {{{q_{send}}}}{|D|} \tag{5}\end{equation*}

Game 4: Game 4 is the final game. In order to get the session key $SK$ , $\mathscr {A}$ needs to get $HI{D_{i}},SI{D_{j}}$ and random numbers ${r_{u}},{r_{s}}$ . Assume that $\mathscr {A}$ can obtain the secret information stored in mobile device, and is able to obtain the information in the channel through eavesdropping attacks. However, due to the irreversibility and collision resistance of the one-way hash function, $\mathscr {A}$ cannot extract useful information from ${M_{2}},{M_{3}},{M_{4}},{M_{7}},{M_{8}},{M_{9}}$ . Similarly, in order to extract $HI{D_{i}},SI{D_{j}},{r_{u}},{r_{s}}$ from the messages ${M_{1}},{M_{5}}$ , $\mathscr {A}$ needs to have the ability to solve the $IFP$ . As a result,

$$\begin{equation*} Pr|W{G_{4}}| - Pr|W{G_{3}}| \le Adv_{P}^{IFP} \tag{6}\end{equation*}$$ View Source\begin{equation*} Pr|W{G_{4}}| - Pr|W{G_{3}}| \le Adv_{P}^{IFP} \tag{6}\end{equation*}

In addition, $\mathscr {A}$ executes all the oracles, but it does not have the advantage of correctly guessing the bit ${b}$ , therefore, we have

$$\begin{equation*} Pr|W{G_{4}}| = \frac {1}{2} \tag{7}\end{equation*}$$ View Source\begin{equation*} Pr|W{G_{4}}| = \frac {1}{2} \tag{7}\end{equation*}

According to equations (2) and (3), we can get:

$$\begin{equation*} \frac {1}{2}Adv_{p}^{AKA}({\mathcal{ A}}) = |Pr|W{G_{0}}| - \frac {1}{2}| = |Pr|W{G_{1}}| - \frac {1}{2}| \tag{8}\end{equation*}$$ View Source\begin{equation*} \frac {1}{2}Adv_{p}^{AKA}({\mathcal{ A}}) = |Pr|W{G_{0}}| - \frac {1}{2}| = |Pr|W{G_{1}}| - \frac {1}{2}| \tag{8}\end{equation*}

In conjunction with equations (3), (4), (5), and (6), there will be:

$$\begin{align*} &\hspace {-1pc}|Pr|W{G_{1}}| - |Pr|W{G_{4}}| \\ &\le |Pr|W{G_{1}}| - Pr|W{G_{2}}| + Pr|W{G_{2}}| - Pr|W{G_{4}}|| \\ &\le |Pr|W{G_{1}}| - Pr|W{G_{2}}| + Pr|W{G_{2}}| \\ &\quad {-} Pr|W{G_{3}}| + Pr|W{G_{3}}| - Pr|W{G_{4}}|| \\ &\le |Pr|W{G_{1}}| - Pr|W{G_{2}}|| + |Pr|W{G_{2}}| \\ &\quad {-} Pr|W{G_{3}}|| + |Pr|W{G_{3}}| - Pr|W{G_{4}}|| \\ &\le \frac {{q_{hash}^{2}}}{2|Hash|} + \frac {{{q_{send}}}}{|D|} + Adv_{P}^{IFP} \tag{9}\end{align*}$$ View Source\begin{align*} &\hspace {-1pc}|Pr|W{G_{1}}| - |Pr|W{G_{4}}| \\ &\le |Pr|W{G_{1}}| - Pr|W{G_{2}}| + Pr|W{G_{2}}| - Pr|W{G_{4}}|| \\ &\le |Pr|W{G_{1}}| - Pr|W{G_{2}}| + Pr|W{G_{2}}| \\ &\quad {-} Pr|W{G_{3}}| + Pr|W{G_{3}}| - Pr|W{G_{4}}|| \\ &\le |Pr|W{G_{1}}| - Pr|W{G_{2}}|| + |Pr|W{G_{2}}| \\ &\quad {-} Pr|W{G_{3}}|| + |Pr|W{G_{3}}| - Pr|W{G_{4}}|| \\ &\le \frac {{q_{hash}^{2}}}{2|Hash|} + \frac {{{q_{send}}}}{|D|} + Adv_{P}^{IFP} \tag{9}\end{align*}

As a result, we can obtain the following consequence:

$$\begin{equation*} Adv_{p}^{AKA}( \mathscr {A} ) \le \frac {{{{({q_{hash}})}^{2}}}}{|Hash|} + \frac {{2{q_{send}}}}{D} + 2Adv_{p}^{IFP} \tag{10}\end{equation*}$$ View Source\begin{equation*} Adv_{p}^{AKA}( \mathscr {A} ) \le \frac {{{{({q_{hash}})}^{2}}}}{|Hash|} + \frac {{2{q_{send}}}}{D} + 2Adv_{p}^{IFP} \tag{10}\end{equation*}

Hence the safety and validity of our scheme are proved.

A. Security Attribute Comparison

Table 2 describes the security features our scheme and other pertinent schemes can achieve, where “✓” means that the security property is satisfied, “$\times$ ” means that it is not, and “−” means that the security property is not mentioned in their schemes. From Table 2, none of these literature [17], [22], [23], [24], [26], [28] can achieve forward secrecy. Literature [29] can achieve forward secrecy because their scheme takes advantage of ECC operations, which produce more overhead than our scheme. It can be seen that only our scheme can achieve all the security attributes listed in Table 2. Therefore, it can be concluded that the proposed protocol has better security attributes compared with other schemes.

TABLE 2 Security Comparison

B. Comparison of Computational Cost

The computational costs of authentication protocols are evaluated according to all the required calculations. To demonstrate the superiority of our scheme, the computational costs of several protocols are shown in Table 3, according to the results of experiments in [17] and [37]. “fe” denotes the fuzzy extractor, and one fe computation roughly costs 0.0171 s (s denotes second). “ed” denotes the symmetric encryption or decryption operation (using AES-128), and one ed computation roughly costs 0.0056 s. “h” denotes a hash function, and one h computation roughly costs 0.00032 s. “b” represents the run time of a BioHash operation. “m” denotes the modular squaring operation (the encryption operation in Rabin), and one m computation roughly costs 0.00088 s (when we set the length of modular |N| = 512). “qr” denotes a module-square root operation (the decryption operation in Rabin), and one qr computation roughly costs 0.0192 s. “ecm” signifies ECC point multiplication, and one ecm computation roughly costs 0.0171 s. “eca” signifies ECC point addition, and one eca computation roughly costs 0.0044 s.

TABLE 3 Computational Cost Comparison

Since only the computational resources of sensor nodes are usually limited in WSNs, this scheme primarily focuses on computational costs on the sensor node side. Table 3 compares the computational costs for HGWN and FGWN. Compared with [22], [23], [24], and [26], the computational costs on the sensor side increased slightly, but the performance improved. However, compared with [17] and [28] that cannot support multi-gateway access, our protocol has a much smaller overhead on the sensor side in HGWN. Furthermore, the computational cost on the sensor side is significantly less than that in literatures [29], [30]. In summary, the proposed protocol achieves better security attributes with lower computational costs.

C. Comparison of Communication Cost

According to literature [17], [38], the following assumptions are used to calculate the communication cost. The bit sizes required for random nonce, timestamp, hash output and ECC point are, respectively, 160 bits, 32 bits, 160 bits, and 320 bits. Additionally, modular exponentiation and inversion operations are performed using 1024-bit modulus to guarantee security. In the proposed scheme, the transmitted messages in the home region during the login and authentication phase $\left \{{{M_{1}},{M_{2}},{T_{1}}}\right \}$ , $\left \{{{M_{3}},{M_{4}},{T_{2}}}\right \}$ , $\left \{{{M_{5}},{M_{6}},{M_{7}},{M_{8}},{T_{3}}}\right \}$ , $\left \{{{M_{5}},{M_{8}},{M_{9}},{T_{4}}}\right \}$ , and ${M_{6}^{*}}$ require $(1024+160+32) = 1216$ bits, $(160+160+32) = 352$ bits, $(1024+1024+160+160+32) = 2400$ bits, $(1024+160+160+32) = 1376$ bits, and 160 bits, respectively.

Furthermore, the transmitted messages in the foreign region during the login and authentication phase $\{{M_{1}}$ , ${M_{2}}$ , ${T_{1}}\}$ , $\{{M_{4}}$ , ${M_{5}}\}$ , $\{{M_{6}}$ , ${M_{7}}\}$ , $\{{M_{8}}$ , ${M_{9}}$ , ${T_{4}}$ , ${R_{1}}\}$ , $\{{M_{10}},{M_{11}},{T_{5}}\}$ , $\{{M_{12}},{M_{13}},{T_{6}}\}$ , $\{M_{14},{M_{15}},M_{16},{M_{17}},{T_{7}}\}$ , $\{{M_{14}},{M_{17}},{M_{18}},{T_{8}}\}$ , and $M_{15}^{*}$ require $(1024+160+32) = 1216$ bits, $(1024+160) = 1184$ bits, $(1024+160) = 1184$ bits, $(160+160+32+160) = 512$ bits, $(1024+160+32) = 1216$ bits, $(160+160+32) = 352$ bits, $(1024+1034+160+160+32) = 2400$ bits, $(1024+160+160+32) = 1376$ bits and 160 bits, respectively. An identical method is used to calculate the relative schemes’ communication cost, and their results are listed in Table 4. The communication of our protocol is slight higher because we transmitted the encryption message over the open channel. We take advantage of Rabin’s ability to encrypt messages to ensure the scheme’s security, which produces slightly higher communication costs while achieving more security attributes.

TABLE 4 Communication Cost Comparison