On the Design of Secure and Efficient Three-Factor Authentication Protocol Using Honey List for Wireless Sensor Networks

The Internet of Thing (IoT) is useful for connecting and collecting variable data of objects through the Internet, which makes to generate useful data for humanity. An indispensable enabler of IoT is the wireless sensor networks (WSNs). Many environments, such as smart healthcare, smart transportation and smart grid, have adopted WSN. Nonetheless, WSNs remain vulnerable to variety of attacks because they send and receive data over public channels. Moreover, the performance of IoT enabled sensor devices has limitations since the sensors are lightweight devices and are resource constrained. To overcome these problems, many security authentication protocols for WSNs have been proposed. However, many researchers have pointed out that preventing smartcard stolen and off-line guessing attacks is an important security issue, and guessing identity and password at the same time is still possible. To address these weaknesses, this paper presents a secure and efficient authentication protocol based on three-factor authentication by taking advantage of biometrics. Meanwhile, the proposed protocol uses a honey_list technique to protect against brute force and stolen smartcard attacks. By using the honey_list technique and three factors, the proposed protocol can provide security even if two of the three factors are compromised. Considering the limited performance of the sensors, we propose an efficient protocol using only hash functions excluding the public key based elliptic curve cryptography. For security evaluation of the proposed authentication protocol, we perform informal security analysis, and Real-Or-Random (ROR) model-based and Burrows Abadi Needham (BAN) logic based formal security analysis. We also perform the formal verification using the widely-used Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation software. Besides, compared to previous researches, we demonstrate that our proposed authentication protocol for WSNs systems is more suitable and secure than others.


I. INTRODUCTION
As the IoT notions has spread in recent years, vast quantities of sensors have been deployed for collecting and exchanging data in various fields related to IoT. An essential technological enabler of IoT is WSNs. WSNs collect user and The associate editor coordinating the review of this manuscript and approving it for publication was Weizhi Meng . device data and use these data for various applications such as remote health monitoring for patients, smart grid power usage monitoring, etc. Figure 1 shows a WSN network model. Generally, WSNs consist of a series of dispersed sensor nodes, plenty distributed users, and one or more gateway nodes which have a powerful performance and play trusted parties. Each set of distributed sensor nodes is located in a specific area. And a series of sensor nodes collect information data of human, device or environment and then they transmit data to the gateway node through open wireless channels. The gateway can access these data, and analysis of these data can help administrators and automated systmes make various functional decisions in real industrial environments. Generally, sensor nodes have limited communication, computing and storage capability. In addition, sensor nodes are easily compromised by attackers and cannot be guaranteed secure, because sensor nodes have limited physical security. Moreover, in WSNs, data are transmitted through open wireless channels and it causes security vulnerabilities that allow data can be captured by malicious attackers. If attackers capture these transmitted data, they can perform variable attacks i.e., man-in-themiddle, replay, privileged insider attacks and identity and password guessing attack and so on. Thus, various protocols have been developed in an attempt to guarantee the security of the transmitted data and the sensor node devices. However, traditional two factor authentication schemes remain vulnerable to guessing attacks according to [1]- [4]. They have been shown that attackers can guess identity and password from identity dictionary space D ID and password dictionary space D PW in real polynomial time. Therefore, in recent years, three-factor based mechanisms that use biometrics of users have been studied. Moreover, the honey_list technique can be used with three-factor to further protect the authentication protocol. Wang and Wang [34], Wang et al. [35] demonstrated that using biometrics and honey _list techniques can be safe, even if two of the three factors are compromised.
Recently, Chen et al. [5] suggested a privacy-preserving authentication protocol for WSNs. However, we demonstrate that the protocol of Chen et al. cannot be safe against stolen smartcard, off-line password and off-line identity guessing and replay attacks. Then, this paper proposes authentication protocol based three-factor utilizing biometrics and honey_list technique for WSNs.

A. MOTIVATION AND CONTRIBUTIONS
In WSNs environments, most authentication protocols are based on two-factor. Thus, they cannot prevent against simultaneously guessing identity and passwords. Furthermore, if users lose their smart cards or attackers steal smart cards, users are vulnerable to password guessing attack. Thus, this paper proposes a three factor authentication protocol to help ensure security of WSNs. The contributions of this paper include: • This paper discovers that proposed protocol of Chen et al. [5] cannot provide security and is vulnerable to smartcard stolen, identity guessing, password guessing, and replay attacks. And also Chen et al.'s protocol cannot guarantee mutual authentication.
• This paper designs an authentication protocol based on three-factor for WSNs excluding elliptic curve cryptography (ECC), owing to the limited performance capability of sensor nodes. And we adopt the fuzzy-extractor for the biometric awareness. Moreover, we propose authentication protocol using honey_list technique to overcome malicious attacks including smartcard stolen attack and simultaneous guessing attack of identity and password.
• We analyze security using BAN logic, AVISPA software and ROR model for a formal security analysis. We conduct an informal analysis and we show security comparison, computational and communicational costs with previous related researches.

B. PAPER ORGANIZATION
We introduce previous interrelated researches in authentication for WSNs in Section II. Section III describes some preliminaries to show necessary backgrounds such as fuzzy extractor, honey_list and related notations. Sections IV and V review the suggested scheme of Chen et al. and analyze its security aspects. Section VI illustrates our proposed protocol for WSNs. Section VII demonstrates the security of the proposed protocol by performing a security analysis. Section VIII compares our efficiency and security features with other previous researches. In the end, we summarize and close the paper in Section IX.

II. RELATED WORKS
Authentication is considered as a primary security service which allows an entity to mutually authenticate with another entity [6]- [20]. Authentication protocols for WSNs have already been researched, and, here, we briefly review works involved in three aspects, i.e., lightweight authentication for WSNs, simultaneous guessing identity and password attack on protocol for WSNs and three-factor based protocol. Owing to the limitations of sensor nodes performance, efficiency communication and computation costs have become an important issue to design authentication protocols for WSNs. For this reason, several lightweight protocols for WSNs have been suggested.
In 2014, Turkanovic et al. [21] suggested key agreement scheme for WSNs. They used masked identities for users and sensors to protect real identities. Unfortunately, Amin and Biswas [22] discovered that their scheme cannot provide security. They discovered that Turkanovic et al.'s protocol doesn't guarantee safety against smartcard stolen, masquerade and off-line password guessing attacks. Amin and Biswas put forward a novel authentication protocol using VOLUME 8, 2020 a symmetric key to overcome security vulnerabilities of Turkanovic et al.'s protocol. Nevertheless, Srinivas et al. [23] pointed out that Amin and Biswas's authentication protocol cannot provide key security and also does not withstand impersonation, stolen smartcard attacks. To resolve these weaknesses, they suggested more efficient user authentication protocol to employing WSNs.
Unfortunately, some researchers have proved that password and smartcard based protocols are not safe against simultaneous guessing of identity and password. In 2016, Maitra et al. [24] proffered an authentication protocol for multiserver environment using a password and a smartcard. Nevertheless, Wang et al. [1] proved that Maitra et al.'s protocol is not safe against off-line guessing attack. They demonstrated that an attacker can conduct attack of simultaneous guessing identity and password through the Zipf's law [25]. Roy et al. [26] put forward a secure authentication protocol to employing IoT environment. They used a user's biometric to prevent various attacks. Unfortunately, Park [2] showed Roy et al.'s protocol is insecure against offline identity guessing attack guessed password at the same time. And also, according to [3], [4], people easily want to choose identities and passwords that are easy to remember for convenience. Both identities and passwords must be taken from a very small dictionary space. Therefore, an attacker can guess identity and password of an user in polynomial time.
To prevent an adversary's simultaneous identity and password guessing attack, many researchers have suggested using a security three-factor authentication scheme. Biometric keys have several advantages compared with traditional passwords. They are unforgettable and they cannot be lost. Furthermore, they are difficult to fragile and difficult to copy. In 2016, Park and Park [28] discovered that the protocol of Chang et al. [27] cannot provide security such as perfect forward secrecy and password guessing attacks. Moreover Chan et al.'s protocol cannot provide accurate password updates. Thus, Park et al. proposed a three-factor based user authentication protocol for WSNs. They demonstrated that their protocol can provide more secure authentication by utilizing biometrics and elliptic curve cryptosystem. In 2018, Amin et al. [29] suggested a user authentication scheme for medical WSNs. They used a synchronous update mechanism to provide user anonymity. Nevertheless, Li et al. [30] figured out Amin et al.'s protocol cannot provide forward secrecy and also is not safe against denial of service attack. Therefore, they proposed three-factor based with forward secrecy for WMSN with ECC. And they also applied honey_list technique to provide security against device or smartcard stolen and brute-force attacks.

III. PRELIMINARIES
To improve the readability of this paper, we introduce the preliminary information of this paper: the basis of fuzzyverifier; honey_ list; adversary model; and basic notations adopted in this paper.

A. HONEY LIST
Honey Encryption (HE) is an algorithm that can be used to protect data by strongly fooling unauthorized users if an attacker attempts to decrypt plain text using the wrong password or honeyword. When an adversary attempts to decrypt with multiple invalid passwords or honeywords, the HE process generates a fake valid message. HE [31], [32] is based on Distributed Transforming Encoding (DTE). HE manages plain-text space through DTE and includes encryption and decryption. The encryption process takes the space of a plain text message M as input and returns the S value of the n-bit string as output. The decryption process makes a conversion that is the value of the seed space S of the n-bit string into plain text. DTE encryption and decryption algorithms are as following figure: In Figure 2, K is a key, H is a hash function, S is a seed, M is a message, C is a cipher-text and R is a random string. ←$ means uniform random assignment. Let the probability distribution over the message space M be p m . And the message M is over the M. If the M gets bigger, the p m is going to lower. Thus, to assign the corresponding message rate, the DTE process takes a probability distribution theory. In this paper, Honey_list denotes honeywords. Honeywords mean false passwords and honeywords are kinds of honey encryption algorithm. The details of the honeyword generation algorithm are referred to [33]. Among the various methods used to prevent password guessing attack by using the Honey_list during the login phase [33], this paper applies the following method. We allow the login to proceed as usual, but the system tracks the login source. Moreover, the system ends the session when the number of items in the honey_ list exceeds the threshold. Wang and Wang [34], Wang et al. [36] demonstrated that simultaneously using a fuzzy-verifier and Honey_list techniques ensures that the system would be safe even if two of the three factors are attacked. In this paper, we use the fuzzy extractor instead of the fuzzy-verifier.

B. FUZZY EXTRACTOR
The fuzzy extractor [36] is a technology that uses a user biometric data through data extraction. The data extraction from biometrics normally has difficulty capturing real values due to various noises. To resolve this problem, the fuzzy extractor can help to extract random bit strings evenly without noises. The basic processes of the fuzzy extractor include generation and reproduction. In this paper, Ge denotes the generation process and Re denotes reproduction process.
To generate a key information, fuzzy extractor uses the generation process algorithm. Biometric data BIO i is used as input, public reproduction P i is a helper string and uniformly random string R i is secret key data as an output.
• Re(BIO i , P i ) = R i . To reproduce a secret string R i , the reproduction algorithm is used by the fuzzy extractor. The inputs of reproduction process are P i and user biometrics BIO i . And the reproduction algorithm reproduces the original secret biometrics R i . For restoring the equal R i , the metric space distance between BIO i and BIO i must be within the allowed specified error tolerance.

C. ADVERSARY MODEL
In the interest of analyze the security of the authentication protocol, it is necessary to first identify attacker's malicious attacks. We explicitly describe an adversary model consistent with reality by using the widely-accepted ''Dolev-Yao threat model'' [37] which introduces a simultaneous identity and password guessing attack. We assume capabilities of an adversary as follows.
• The adversary is in full control of transmitted messages through wireless public channels and can learn transmitted messages. Then, the adversary can eliminate, insert, eavesdrop or modify legitimate messages.
• The malicious adversary is able to get or pilfer a validate smartcard, and then the adversary can take out confidential values stored in the smartcard via a power analysis attacks [38], [39].
• The malicious adversary is able to damage some sensor nodes.
• The malicious adversary is able to register as a valid user and conduct a privileged-insider attack for guessing a user's password [40].
• The malicious adversary is able to get gateway's secret key when evaluating the system failure. Then, the adversary tries to previous session key.
We assume an adversary can conjecture registered legitimate user's identity or password. Moreover, we also follow the assumptions in [1]- [4]. We have assumption that the adversary can conjecture identity and password simultaneously. The adversary can choose random identity ID and random password PW from dictionary space of identity D ID and space of password D PW . The space of identity and password is usually, |D ID | < |D PW | < 10 6 . Therefore, the computational time complexity is very efficient. Table 1 describes used the notations in this paper.

IV. REVIEW OF CHEN et al.'s PROTOCOL
We shortly examine the protocol developed by Chen et al., which is composed of the user and sensor's registration phase, the login and authentication phase and the password change  phase. Prior to registration, the gateway forms public parameters {n, a, b, p, G, and h} for the ECC and the gateway is published to the whole system. Additionally, the gateway generates a secret key X GWN .  Figure 3 describes this phase.

A. REGISTRATION PHASE OF USERS AND SENSORS
• Sensor registration: A sensor S j chooses a unique identity SID j and transmits it to the gateway node GWN . After GWN receives SID j , GWN calculates x j = h(SID j ||X GWN ) and transmits it to the sensor. S j keeps x j in its private memory.

B. LOGIN AND AUTHENTICATION PHASE
When users needs to approach resources of sensor nodes, they have to login and authenticate with a gateway node. Then, the gateway authenticates the sensor nodes. And finally, users and sensors can have a shared session key. The detailed equations are as follows.
Step 1: An user U i enters ID i , PW i and a smartcard.
Then, the smartcard chooses random number k 1 and timestamp T 1 and computes A = k 1 · G. U i gets a value k i from the smartcard and chooses timestamp T 1 . And then, and sends a login request message < A, k i , M 1 , T 1 > to a gateway GWN .
Step 2: After the gateway receives < A, k i , M 1 , T 1 >, the gateway GWN verifies the freshness of the timestamp and calculates . The gateway checks legitimate for comparing M 2 and M 2 . If they are valid, the gateway calculates x j = h(SID j ||X GWN ) and chooses a timestamp T 2 . Finally, the gateway computes M 3 = h(A||SID j ||x j ||T 2 ) and sends a message < A, M 3 , T 2 > to a sensor nodes S j .

C. PASSWORD CHANGE PHASE
The user is able to change the PW within k times in a period of T at Chen et al.'s protocol. For using a variable counter, their protocol counts the number of times which is a user incorrectly enter a password. If the user inputs an incorrect password over than k times, the password will not be allowed to enter. More detailed equations and steps are as follows.
Step 1: A validate user U i inserts a smartcard and inputs ID i and PW i . Step 2: The smartcard checks counter is smaller than k.
If it is smaller than k, go Step 4, else, go Step 3.
Step 3: The smartcard checks if |TW first −T now | is bigger than T . TW first means the user enters a incorrect password for the first time. If it is bigger than T , go Step 4 and set counter=0. Otherwise, the user is not able to input a password.
Step 4: The smartcard calculates h(r i ||ID i ||PW i ) and compares with MP i stored in the smartcard. If they are same value, the smartcard allows to change password. Otherwise, go to Step 8.
Step 5: Check if counter is larger than 0, set counter is 0.
Step 6: The smartcard calculates d i = f i ⊕ MP i and e i = l i ⊕ MP i . Step 7: The user inputs a new password PW i . Then, the smartcard updates and also updates f i = d i ⊕ MP i and l i = e i ⊕ MP i . Finally, the user completes the password change.
Step 8: Set counter is counter + 1. If counter is 1, go to step 1 and TW first is set to be now().

V. CRYPTANALYSIS OF CHEN et al.'s PROTOCOL
We discover security vulnerabilities of Chen et al.'s protocol in this section. They demonstrated that their protocol prevents user anonymity and off-line dictionary attack. Nevertheless, this paper discovers that their protocol is insecure to several attacks as following.

A. SMARTCARD STOLEN ATTACK
Section III-C introduced the adversary model used to obtain values stored in a smartcard. Therefore, an adversary can in a valid user's smartcard via a stolen smartcard attack.

B. OFF-LINE PASSWORD GUESSING ATTACK
In accordance with references [1]- [4], an adversary can conjecture ID i and PW i at a same time. From this assumption, the adversary can conjecture a legitimate user's ID i and a PW i as following.
Step 1: An adversary randomly selects a identity ID * from an identity dictionary space D ID , and picks up a password PW * from a password dictionary space D PW . And the adversary obtains smartcard values Step 2: The adversary calculates MP * = h(r i ||ID * ||PW * ) to check the correctness of ID * and PW * .
Step 3: If MP * and the stored value MP i are the same, the adversary's guessing result is as successful. Else, the adversary returns to Step 1 and repeats until the adversary correctly guess the ID and password for the user. O(|D ID | * |D PW | * T h ) is the computational time complexity of this procedure, where T h is the hash computation cost. |D ID | and |D PW | denote the number of passwords and identities, respectively. According to Zipf's law [25], |D ID | < |D PW | < 10 6 . Therefore, the off-line guessing attack is very efficient. Thus, the attack can be finished in the real polynomial time.

C. OFF-LINE IDENTITY GUESSING ATTACK
An adversary can conjecture a valid user's original ID i as following steps.
Step 1: An adversary can obtain smartcard values )} by power analysis. Then, the adversary randomly chooses the identity ID * in an identity dictionary space D ID .
Step 2: The adversary calculates e inew = MP i ⊕ l i through obtained smartcard values. The adver- where M 6 is obtained through channels.
Step 4: The adversary calculates Step 1: At a registration phase of sensors, an adversary chooses a sensor identity SID j . Then, the adversary can obtain a legitimate x j = h(SID j ||X GWN ).
Step 2: The adversary can compute M 3 = h(A||SID j || x j ||T 2 ) in a login and authentication phase.
Step 3: Finally, the adversary can generate a legitimate message < A, M 3 , T 2 >. In conclusion, the adversary can generate a legitimate message to treat a sensor node.
And also, the adversary can conduct the man-in-the-middle attack. The adversary chooses a random nonce k a then the adversary computes A a = k a · G.

VI. PROPOSED PROTOCOL
To provide secure wireless IoT service via WSNs, we propose an authentication protocol based on three-factor with the biometrics. And also, our protocol uses ''honey_ list'' and ''Fuzzy-extractor'' techniques to maintain security even if two of the three factors are damaged by an malicious adversary. Before beginning of the registration phase, a gateway generates a secret key X GWN .

A. REGISTRATION PHASE OF USERS AND SENSORS
To access WSNs service, an user U i and a sensor S j have to register with gateway. Figures 4 and 5 show the registration phase of users and sensors with detailed equations and steps as following.  Figure 4 describes this phase.
• Registration phase of sensors: A sensor S j chooses a its identity SID j and a random nonce r j . S j computes S 1 = SID j ⊕ h(r j ) sends S 1 and r j to the gateway node GWN . After GWN receives registration request message, GWN computes SID j = S 1 ⊕ h(r j ) and PID j = h(SID j ||r j ). After that, GWN generates a random secret key y and computes K j = h(PID j ||X GWN ||y) and stores r j , PID j in its private memory. Then, GWN sends K j to the sensor. Figure 5 describes detailed steps.

B. LOGIN AND AUTHENTICATION PHASE
Users have to login and authenticate with the gateway and sensors to access information of sensors. Figure 6 shows the detailed steps of login and authentication phase. We also describe the detailed equations of login and authentication phase.
Step 1: User U i inputs his/her unique identity ID i and password PW i and imprints a biometric BIO i Then, If it is not equal, a i inserts into Honey_list or suspends the identify when the items in the Honey_list exceed a certain threshold. Otherwise, GWN com- Then, GWN sends < M 3 , M 4 > to a sensor node S j .
If session key agreement is successful, GWN updates HID i to HID inew . Otherwise, GWN keeps to store HID i .

C. PASSWORD CHANGE PHASE
If U i wishes to change a password, U i conducts the password change phase without the gateway's assistance. The detailed steps of the password change phase are as following.
Step 1: U i imprints biometrics BIO i and inputs his/her identity and password. And U i sends ID i , PW i ,and BIO i to the smartcard.
Then, smartcard makes a comparison between c * i and c i stored value in the smartcard. If they are same values, the smartcard asks the user to supply a new password.

VII. SECURITY ANALYSIS OF THE PROPOSED PROTOCOL
This section shows that the suggested protocol has security to variable malicious attacks. And also, it shows that our protocol has a secure mutual authentication with key agreement by adopting BAN logic. Besides, we demonstrate that our proposed authentication protocol is secure to guessing attack, man-in-the-middle attack and replay attack employing ROR model and AVISPA.

A. INFORMAL SECURITY ANALYSIS
We describe how our protocol achieves security features in this section. And also, we demonstrate that our proposed authentication protocol can ensure safety session key agreement and mutual authentication.

1) OFF-LINE GUESSING ATTACK
If a user selects a password which is easy to guess, a malicious adversary is able to conjecture the user's ID i and PW i in real polynomial time. Nevertheless, in our authentication protocol, the adversary cannot conjecture user's ID i and PW i . The adversary can extract values {b i , c i , L i , P i } stored in a smartcard through the power analysis attack. Then, the adversary can attempt to guess the legitimate user's ID i and PW i . b i and c i are masked with a i and HPW i . And also, a i is masked with X GWN and k i . Therefore, the adversary cannot retrieve user's identity and password from b i , c i . Furthermore, if the adversary attempts to simultaneously guess identity and password, the adversary cannot guess them because of masking with user's biometric. Meanwhile, the honey_list can prevent to the times in off-line password guessing attack.
In conclusion, our authentication protocol is secure to off-line guessing attack.

2) USER/SENSOR ANONYMITY
An adversary wants to obtain user's real identity for performing the tracing attack. In proposed authentication protocol, a true identity ID i and SID j of user and sensor are encrypted by a random number r i and r j . Meanwhile, HID i is updated to HID inew by GWN because HID i is transmitted through a public channels. Therefore, the adversary cannot know the user's original ID i and sensor's original identity SID j .

3) FORGERY ATTACK
In our proposed protocol, all transmitted messages are concatenated with the random nonces N i and N G , and the secret parameters a i and K j . The messages are also encapsulated by the one-way collision-resistant cryptographic hash function. It is then impossible to compute correct messages M 1 and M 2 without a i on the user side. Moreover, a i consists of X GWN and k i which are unknown to the adversary. On the gateway side, M 3 , M 4 , M 6 , M 7 , M 8 and M gu consist of a i , N i , N G , PID j and K j which are unknown to the adversary. On the sensor side, M 5 is also masked with K j and N G . Therefore, our protocol is secure against forgery attack.

4) IMPERSONATION ATTACK
The impersonation attack is a particular case of forgery attack. As an adversary tries to impersonate each entity, the adversary has to compute legitimate messages. In the VOLUME 8, 2020 proposed protocol, transmitted messages over public channels are encrypted with random secrets N i and N G . The adversary tries to extract random numbers but the adversary cannot extract them. Meanwhile, M 3 is encrypted by K j and PID j . K j and PID j which are masked with random number r j and secret keys X GWN , y. In this way, the proposed protocol can be secure to impersonation attack.

5) DESYNCHRONIZATION ATTACK
Assuming a user does not receive the message < M 6 , M 7 , M 8 , M gu > from a gateway because of attacks of adversary or unexpected termination, the adversary can perform the desychronization attack. However, the adversary cannot perform desychronization attack because the user checks whether M gu and M gu are same or not. If it is not same, the session is terminated. Moreover, the gateway does not update HID inew when the session is terminated. In conclusion, the proposed authentication protocol prevents to desynchronization attack.

6) SESSION KEY DISCLOSURE ATTACK
An adversary must know K j and N G to compute a valid session key SK ij . But, K j is encrypted with the gateway's master key X GWN , secret key y and random number r j . The adversary cannot extract a random nonce N G . The adversary can also capture the message M 8 to compute SK ij . However, the adversary does not know the correct random nonce N i . Therefore, we can say that our proposed protocol can resist against session key disclosure attack.

7) TRACE ATTACK
In our proposed protocol, the user's real identity is hidden by HID i . Moreover, HID i is updated to HID inew by GWN to protect against adversary's guessing. And all transmitted messages are changed in all each session because the messages include random numbers are changed in each session. Thus, the proposed protocol resists trace attack.

8) PRIVILEGED-INSIDER ATTACK
We assume that a user is privileged-insider attacker. Then, the privileged-insider attacker knows the registration information HID i , HPW i of a legitimate U i over registration phase. Then, the attacker performs the power analysis attack for extracting stores values from a smartcard {b i , c i , L i , P i }. However, the attacker cannot guess correctly user's identity ID i and password PW i without having the biometric secret key R i because of computationally expensive. In concluding, our authentication protocol can prevent privileged-insider attack. The adversary cannot compute K j , PID j and SK ij because they consist of r j , X GWN and y. Therefore, our proposed protocol prevents session specific random number leakage attack.

10) STOLEN VERIFIER ATTACK
The adversary can steal a legal registered user's information from the GWN and S j . However, HID i is updated to HID inew for every session. Even if HID i and k i are compromised to the adversary, he/she cannot obtain entities' information. This is because the parameters including HID i are masked with the gateway node's secret key X GWN . If the adversary steals r j and PID j through stolen verifier attack, the adversary cannot still compute K j and SK ij as they are masked with X GWN , y and N G . Therefore, the proposed protocol can resist against stolen verifier attack.

11) MAN-IN-THE-MIDDLE ATTACK AND REPLAY ATTACK
We assume that the adversary can learn transmitted messages via open channel. However, the adversary cannot compute a valid login request message as mentioned at Section VII-A4. Moreover, the adversary cannot impersonate a legal registered user because the messages are refreshed in every session with random numbers N i and N G . In conclusion, our authentication protocol is secure to man-in-the middle and replay attacks.

12) DENIAL-OF-SERVICE (DoS) ATTACK
The adversary can conduct DoS attack for blocking to user's access for service. If the adversary intercepts the message < = M gu . Moreover, our proposed protocol can prevent desynchronization attack as Section VII-A5. Therefore, we can say our proposed protocol can prevent DoS attack. = M gu . Moreover, Section VII-A7 shows that all transmitted messages are changed. All entities have authenticated each other, they compute the same session key. Thus, we can say our proposed authentication protocol can achieve secure key agreement and mutual authentication.

B. SECURITY ANALYSIS USING BAN LOGIC
This paper provides the proof which shows that the proposed protocol can provide mutual authentication by performing the BAN logic [41]. We describe basic notations of the BAN logic in the Table 2, and also illustrate logical rules, goals, assumptions and idealized forms. Then, we conduct the BAN logic to confirm the mutual authentication of our proposed protocol.

1) LOGICAL RULES OF BAN LOGIC
The Logical rules of the BAN logic are: 1.
Jurisdiction rule:

5.
Freshness rule: The following goals are presented to demonstrate that the proposed protocol achieves secure mutual authentication:

3) IDEALIZED FORMS
The idealized forms are: The following assumptions are generated for the initial state of the proposed protocol to achieve the BAN logic proof.

5) PROOF USING BAN LOGIC
Main proofs using rules and assumptions of the BAN logic are as the following steps: Step 1: S 1 can be obtained from M 1 Step 2: For obtaining S 2 , we apply the message meaning rule with A 1 S 2 : GWN | ≡ U i | ∼ (SID j , HID i , N i ).
Step 3: For obtaining S 3 , we apply the freshness rule with A 2 S 3 : GWN | ≡ #(SID j , HID i , N i ).
Step 4: For obtaining S 4 , we apply the nonce verification rule with S 2 and S 3 Step 5: For obtaining S 5 , we apply the belief rule S 5 : GWN | ≡ U i | ≡ (N i ). (Goal 1) Step 6: S 6 can be obtained from M 2 S 6 : S j (SID j , PID j , N G ) K j .
Step 7: For obtaining S 7 , we apply the message meaning rule with A 3 S 7 : S j | ≡ GWN | ∼ (SID j , PID j , N G ).
Step 8: For obtaining S 8 , we apply the freshness rule with A 4 S 8 : S j | ≡ #(SID j , PID j , N G ).
Step 9: For obtaining S 4 , we apply the nonce verification rule with S 7 and S 8 S 9 : S j | ≡ GWN | ≡ (SID j , PID j , N G ).
Step 12: For obtaining S 12 , we apply the message meaning rule with S 11 and A 5 S 12 : GWN | ≡ S j | ∼ (PID j , N G , K j ).
Step 13: For obtaining S 13 , we apply the freshness rule with A 6 S 13 : GWN | ≡ #(PID j , N G , K j ).
Step 14: For obtaining S 14 , we apply the nonce verification rule with S 12 and S 13 S 14 : GWN | ≡ S j | ≡ (PID j , N G , K j ).
Step 21: From S 20 , we can obtain S 21 Step 22 : We apply the jurisdiction rule with S 5 and A 9 to obtain S 22 : GWN | ≡ (N i ). (Goal 2) Step 23: We apply the jurisdiction rule with S 10 and A 10 to obtain S 23 : S j | ≡ (N G ). (Goal 4) Step 24: We apply the jurisdiction rule with S 15 and A 11 to obtain Step 23: We apply the jurisdiction rule with S 21 and A 12 to obtain This section shows that our proposed protocol can be secure to man-in-the-middle and replay attacks by being universally adopted Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation tool [42], [43]. The AVISPA simulation tool uses High-Level Protocol Specification Language (HLPSL) [44] to check if protocols are secure. The HLPSL inputs to one of four back-end models which are ''On-the-Fly Model Checker (OFMC) [45]'', ''Constraint Logic-based Attack Searcher (CL-AtSE)'' [46], ''Tree automata based on Automatic Approximations for Analysis of Security Protocol (TA4SP)'', and ''SAT-based Model Checker (SATMC)''. This input is converted to a format called ''Intermediate Format (IF)'', and output in a format called ''Output format (OF)''. The OF shows security analysis results of protocols. We provide similar simulation results as adopted in [47]- [49]. Figs. 7, 8 and 9 each describe role of user, gateway and sensor nodes. And the Figure 10 shows goals and environment of our proposed protocol. Then, according to goals, the results is shown in Fig 11. In CL-AtSe, the translation time has 0.09 seconds. And search time is 7.89 seconds for visiting 1,040 nodes in OFMC analysis. Two of the results all show that the proposed protocol is safe. Therefore, the proposed protocol can be secure to man-inthe-middle and replay attacks.

D. FORMAL SECURITY ANALYSIS UNDER ROR MODEL
We adopt the ROR model [50] to illustrate the semantic security of our suggested authentication protocol. This section demonstrates that our proposed protocol can achieve the session key security by employing the ROR model. We shortly describe the ROR model and present the proof of the session key security of protocol in Theorem 1. In this model, the proposed protocol has three participants P t , which are user P t 1 U i , gateway P t 2 GWN and sensor P t 3 S j . And each participants have t th denotes an instance of an executing participant. We assume that P t 1 U i , P t 2 GWN and P t 3 S j are instances t th 1 of the user, t th 2 of the gateway and t th 3 of the sensor, respectively. Moreover, we assume that an adversary A can modify, eliminate or insert or learn transmitted messages during the communication. Under the ROR model, the model defines various queries simulating a real attack like Execute, CorruptSC, Reveal, Send and Test queries. The detailed description of queries is as follows.
A performs this query to eavesdrop exchanged messages between wireless communicating entities U i , GWN and S j over public channels.
• CorruptSC: A can extract all stored sensitive parameters from the smartcard of the user to use the CorruptSC query.
• Reveal(P t ): A can reveal the session key SK ij /SK a between P t and its partner in the current session.
• Send(P t , M ): This query is modeled as an active attack.
A can transmit a message M to P t and can also reply to the message accordingly.
• Test(P t ): This query corresponds to the security of the session key among with U i , GWN and S j following the ROR model. Before the game starts, a coin c without prejudice is flipped. According to the coin result, the following decision is made, Assume that A executes Test and the session key SK ij and SK a is fresh, P t returns the session key for c = 1 or a random number if c = 0. Otherwise, it returns a null value (⊥).
Moreover, all communicating participants and A can access a collision-resistant hash function h(·) that is modeled as a random oracle, say Hash.
Wang et al. [25] demonstrated that the chosen passwords by users conform with the Zipf's law, which differs significantly from uniform distribution. We apply the Zipf's law for the formal analysis to prove the session key security. We show the detailed Theorem 1 is as in the following. Theorem 1: We define the advantage probability of an adversary A running in polynomial time who can break the session key security of the proposed authentication protocol as Adv A . Then, where q h , q send and |Hash| mean ''the amount of Hash queries, the amount of Send queries and the range space of the hash function'', respectively, C and s mean the Zipf's parameters, and l R is the number of bits in the biometric secret key b i of U i . Proof: We provide the similar proof as adopted in [51]- [53], and we follow this proof. We proof the session key security through a sequence of four games, namely, GM j , where j ∈ [0, 3] wherein an event is defined in which A is able to accurately conjecture the random bit c in GM j , which is defined by Succ A,GM j and its advantage to win the game GM j is defined by Pr[Succ A,GM j ]. The detailed description of defined four games are as follows. and Test queries to verify whether the derived session key SK ij /SK a between U i , GWN and S j is a real or random key. In our proposed protocol, we take notice of the session key which is constructed as SK ij = h(PID j ||K j ||N G ). To derive the session key, A have to need the secret identity PID j of sensor and also random nonce N j . And A must calculate the K j with long term key X GWN and short term secret key y which are unknown to A. In conclusion, we obtain the truth that the A cannot have the GM 1 's winning probability. Therefore, games GM 0 and GM 1 are indistinguishable, we then obtain, • GM 2 : In this game, Hash and Send queries are performed to model it calls an ''active attack''. The    gateway's secret key X GWN . Thus, it has computationally infeasible problem for A guessing the password of a legitimate user. Besides, the probability that A guesses the biometric key R i of l R bits is roughly 1 2 l R . Thus, in the absence of a password or biometric guessing attack, the games GM 2 and GM 3 are the same. In conclusion, by utilizing the Zipf's law on passwords, we have the next results: Due to all the games have been run, A must conjecture the exact bit c. Consequently, we can obtain below equation: We can obtain the following result from Eqs. (1) and (2): Again, Eqs. (5) and (6) give the below equation: We can obtain Eq. (8) by applying the triangular inequality with Eqs. (4), (5) and (7).
Finally, we can obtain the required result of multiplying both sides of Eq. (8) with a multiple of 2: Therefore, Theorem 1 is proved. VOLUME 8, 2020

VIII. ANALYSIS OF SECURITY AND EFFICIENCY FEATURES
This section discusses security and efficiency aspects of the proposed protocol. We compare the security of our protocol with other related protocols and compare the performance, i.e., computation cost and communication cost with relevant protocols.

A. SECURITY FEATURES COMPARISON
This section compares the security features of our proposed protocol with related schemes [5], [22], [29]. The results of comparison are shown in Table 3. According to Table 3, All previously researches cannot resist the smartcard stolen attack, and also most of researches cannot prevent the desynchronization attack and cannot provide mutual authentication. Therefore, our proposed protocol provides superior security and functionality features according to comparison of results.

B. COMPUTATIONAL AND COMMUNICATION COSTS COMPARISON
We make the computation costs comparison between our proposed protocol and previous related works in this section. Table 4 describes the results of comparing the login and authentication phase. For comparison, we follow the experimental reported results in [54]. We define T h , T f and T mul as the execution time needed for a hash function, a fuzzy extraction and an elliptic curve point multiplication, where T mul , T h and T f are 63.075 ms, 0.5 ms and 63.075 ms, respectively. The exclusive-or (XOR) execution time is not included because it can be ignored in comparison with other operations. Our proposed protocol requires T f + 19T h as the total cost. This is higher than Amin and Biswas's protocol and Amin et al.'s protocol. However, the computational demand for a sensor node is most lightweight than other related works. Also, our proposed protocol allows for a lighter computation than Chen et al.'s protocol. Thus, we can say that our proposed protocol is more efficient than related researches in WSN environment. We also compare the communication overheads with related protocols. For the comparison, we follow the assumption of Chen et al. [5]. Thus, we assume that the timestamp size is 4 bytes and the identity is 8 bytes, a random nonce is 20 bytes and the byte length of a point on the elliptic curve is 48 bytes. Besides, the hash output is 32 bytes. The sum of communicational cost also describes in Table 4.
In conclusion, we can say our authentication scheme is more efficient compared to other related previous researched protocols.

IX. CONCLUDING REMARKS
Due to the development of the Internet, the number of objects connected to the IoT is increasing. Therefore, it is necessary to provide a secure service of IoT-enabled WSN that connects sensors of objects. Recently, previous researches and the protocol of Chen et al. are insecure to simultaneous ID and password guessing attacks, and Chen et al.'s protocol is also insecure to replay attack. To resolve these vulnerabilities, this paper provides a more efficient and secure three factor authentication protocol for WSNs using the honey list technique. We show that the proposed protocol is able to provide secure mutual authentication by employing the BAN logic. Moreover, we applied the broadly-accepted ROR model to prove that our protocol could achieve the session key security. Furthermore, we applied AVISPA simulation to show that the proposed protocol could prevent man-in-the-middle and replay attacks. This paper also provided the informal security analysis to demonstrate how the proposed authentication protocol is secure against impersonation, guessing, smartcard stolen, man-in-the-middle, replay, desynchronization and privileged-insider attacks. Furthermore, our protocol can provide mutual authentication and user/sensor anonymity. We also performed a performance analysis to show that our protocol is efficient. In conclusion, the proposed authentication protocol is more secure and efficient for application in practical WSN environment than other related schemes. ASHOK KUMAR DAS (Senior Member, IEEE) received the M.Sc. degree in mathematics, the M.Tech. degree in computer science and data processing, and the Ph.D. degree in computer science and engineering from IIT Kharagpur, India. He is currently an Associate Professor with the Center for Security, Theory, and Algorithmic Research, International Institute of Information Technology, Hyderabad, India. His current research interests include cryptography, network security, blockchain, security in the Internet of Things (IoT), the Internet of Vehicles (IoV), the Internet of Drones (IoD), smart grids, smart city, cloud/fog computing and industrial wireless sensor networks, and intrusion detection. He has authored over 225 articles in international journals and conferences in the above areas, including over 190 reputed journal articles. Some of his research findings are published in top cited journals, such as the IEEE TRANSACTIONS ON INFORMATION FORENSICS AND  SECURITY, the IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING,  the IEEE TRANSACTIONS ON SMART GRID, the IEEE INTERNET OF THINGS JOURNAL,  the IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, the IEEE TRANSACTIONS ON  VEHICULAR TECHNOLOGY, the IEEE TRANSACTIONS