WSN-SLAP: Secure and Lightweight Mutual Authentication Protocol for Wireless Sensor Networks

1.1. Contributions

• We analyze and prove the security vulnerabilities of Moghadam et al.’s scheme. Then, we propose WSN-SLAP to resolve security vulnerabilities of Moghadam et al.’s scheme.
• We demonstrate the mutual authentication of WSN-SLAP using Burrows–Abadi–Needham (BAN) logic [8].
• We proof the session key security of WSN-SLAP by using the Real-or-Random (ROR) model [9]
• We use Automated Verification of Internet Security Protocols and Applications (AVISPA) [10,11] to prove security features of WSN-SLAP against replay and MITM attacks.
• We analyze the communication cost, the computational cost, and security properties of WSN-SLAP compared with related schemes.

1.2. Adversary Model

• If an adversary registers as a legal user to the gateway, the adversary can authenticate with other entities.
• An adversary can obtain a user’s lost/stolen smart card. The adversary can perform the power analysis attack [14] to get stored parameters of the smart card.
• An adversary can attempt various attacks such as replay, sensor node capture, stolen verifier, and off-line password guessing attacks.

1.3. Organization

3.1. Sensor Node Registration Phase

Step 1: 

$S_j$ generates its identity $SI{D}_j$, and sends it to $GW$ over a secure channel.

Step 2: 

$GW$ receives $SI{D}_j$ and checks the validity of $SI{D}_j$. After that, $GW$ computes $KG=h\left(SI{D}_j\right|\left|k_{GWN}\right)$, and stores $\{SI{D}_j,KG\}$ in its secure database, where $k_{GWN}$ is the master key of $GW$. Finally, $GW$ sends $\left\{KG\right\}$ to $S_j$.

Step 3: 

$S_j$ receives and stores $\left\{KG\right\}$ in its database.

3.2. User Registration Phase

Step 1: 

$U_i$ inputs the identity $I{D}_i$ and the password $P{W}_i$, and then generates a random number $q_i$. After that, $U_i$ computes $AP{W}_i=h(q_i\left|\right|P{W}_i)$ and sends the registration request message $\{I{D}_i,AP{W}_i\}$ to the gateway $GW$ over a secure channel.

Step 2: 

$GW$ receives $\{I{D}_i,AP{W}_i\}$ from $U_i$, and then generates a random number $z_i$. After that, $GW$ computes $B_i=h(I{D}_i\left|\right|AP{W}_i\left|\right|z_i),$$C_i=h(I{D}_i\left|\right|k_{GWN})$, and $D_i=h(I{D}_i\left|\right|C_i\left|\right|z_i\left|\right|B_i)$. Finally, $GW$ stores $\{z_i,C_i,D_i,$$h(.)\}$ in a smart card and issues it to $U_i$ over a secure channel.

Step 3: 

$U_i$ receives the smart card, and stores $q_i$ in the smart card. Finally, parameters $\{z_i,C_i,D_i,h(.),q_i\}$ are stored in the smart card.

3.3. Login and Authentication Phase

Step 1: 

After inserting the smart card, $U_i$ inputs the identity $I{D}_i^{*}$ and the password $P{W}_i^{*}$. The smart card computes $AP{W}_i^{*}=h(P{W}_i^{*}\left|\right|q_i),B_i^{*}=h(I{D}_i^{*}\left|\right|AP{W}_i^{*}\left|\right|z_i),D_i^{*}$$=h\left(I{D}_i^{*}\right|\left|C_i\right|\left|z_i\right|\left|B_i^{*}\right)$ and verifies $D_i^{*}\stackrel{?}{=}{D}_i$. If the verification process is successful, the smart card generates a random nonce $a_i$ and timestamp $T_1$. With the public key of the gateway X, the smart card computes $A_1=a_i·P,A_2=a_i·X,DI{D}_i=I{D}_i\oplus A_{2\left(x\right)},A_3=SI{D}_j\oplus A_{2\left(x\right)}$, and $A_4=E_{A_2}(B_i\left|\right|SI{D}_j\left|\right|A_3)$. At last, the smart card sends $\{A_1,A_3,A_4,T_1\}$ to $GW$ through a public channel.

Step 2: 

$GW$ receives $\{A_1,A_3,A_4,T_1\}$ from $U_i$, and selects a timestamp $T_2$ and checks the validity of $T_1$. If the timestamp is vaild, $GW$ computes $A_2=k_{GWN}·A_1,D_{A_2}\left(A_4\right)=(B_i^{*}\left|\right|SI{D}_i^{*}\left|\right|A_3^{*}),A_3=SI{D}_i^{*}\oplus A_{2\left(x\right)}$ and verifies $A_3^{*}\stackrel{?}{=}{A}_3$. If the equality holds, $GW$ generates a random nonce $g_i$ and computes $KG=h\left(SI{D}_j\right|\left|k_{GWN}\right),$$D_1=KG\oplus A_2,D_2=h(A_2\left|\right|SI{D}_j\left|\right|A_3)$. At last, $GW$ sends $\{g_i·P,D_1,D_2,$$T_2\}$ to the sensor node $S_j$ over a public channel.

Step 3: 

After reception of the message $\{g_i·P,D_1,D_2,T_2\}$ from $GW$, $S_j$ selects a timestamp $T_3$ and checks the validity of $T_2$. Then, $S_j$ computes $A_2=KG\oplus D_1,A_3=SI{D}_j\oplus A_{2\left(x\right)},D_2^{*}=h(A_2\left|\right|SI{D}_j\left|\right|A_3)$ and verifies $D_2^{*}\stackrel{?}{=}{D}_2$. If the verification is legitimate, $S_j$ generates a random nonce $f_i$, and computes $sk=h(A_2\left|\right|f_i·g_i·P),X_i=h\left(sk\right|\left|KG\right)$. At last, $S_j$ sends $\{f_i·P,X_i,T_3\}$ to $GW$.

Step 4: 

After receiving $\{f_i·P,X_i,T_3\}$ from $S_j$, $GW$ selects a timestamp $T_4$ and checks the validity of $T_3$. Then, $GW$ computes $sk=h(A_2\left|\right|f_i·g_i·P),X_i=h\left(sk\right|\left|KG\right)$ and verifies $X_i^{*}\stackrel{?}{=}{X}_i$. If it is equal, $GW$ computes $D_4=E_{A_2}\left(g_i\right),y_i=h\left(sk\right||A_3)$ and sends $\{y_i,D_4,T_4\}$ to $U_i$.

Step 5: 

$U_i$ receives the message $\{y_i,D_4,T_4\}$, and selects a timestamp $T_5$ and checks the validity of $T_4$. At last, $U_i$ computes $D_{A_2}\left(D_4\right)=\left(g_i\right),sk=h(A_2\left|\right|f_i·g_i·P),y_i^{*}=h\left(sk\right||A_3)$ and verifies $y_i^{*}\stackrel{?}{=}{y}_i$. If it is equal, the key agreement is successful.

4.1. Insider Attack

Step 1: 

$\mathcal{A}$ inserts the smart card, and inputs the identity $I{D}_i$ and the password $P{W}_i$ of $\mathcal{A}$. Then, the smart card checks the validity of $\mathcal{A}$, and sends a login request message $\{A_1,A_3,A_4,T_1\}$ to $GW$. After authenticating $\mathcal{A}$, $GW$ sends $\{g_i·P,D_1,D_2,T_2\}$ to $S_j$. Upon reception of the message $\{g_i·P,D_1,D_2,T_2\}$, $S_j$ computes a session key $sk$. Then, $S_j$ sends the authentication response message $\{f_i·P,X_i,T_3\}$ to $GW$. $GW$ computes the session key and sends $\{y_i,D_4,T_4\}$ to $\mathcal{A}$. $\mathcal{A}$ computes the session key and obtains communication messages during the login and authentication phase.

Step 2: 

After obtaining the message $\{g_i·P,D_1,D_2,T_2\}$, $\mathcal{A}$ computes $KG=D_1\oplus A_2$, where $A_2$ is the secret key of $\mathcal{A}$ using ECC and $KG$ is a shared secret key between $GW$ and $S_j$.

Step 3: 

$\mathcal{A}$ intercepts a message $\{g_i^l·P,D_1^l,D_2^l,T_2^l\}$ from the message of another legal user $U_i^l$. Since $\mathcal{A}$ knows $KG$, it can compute $A_2^l=D_1^l\oplus KG$, where $A_2^l$ is the secret key of $U_i^l$.

Step 4: 

$\mathcal{A}$ obtains the message $\{y_i^l,D_4^l,T_4^l\}$ and decrypts $D_4^l$ using the secret key $A_2^l$ of $U_i^l$. Then, $\mathcal{A}$ can obtain the random secret nonce $g_i^l$ of sensor node. $\mathcal{A}$ can compute $f_i^l·g_i^l·P$ by utilizing the message $\{f_i^l·P,X_i^l,T_3^l\}$. Finally, $\mathcal{A}$ compute the session key $s{k}^l=h(A_2^l\left|\right|f_i^l·g_i^l·P)$.

4.2. Perfect Forward Secrecy

Step 1: 

If $\mathcal{A}$ obtains the master key $k_{GWN}$, $\mathcal{A}$ can compute the secret key $A_2=k_{GWN}·A_1$ of $U_i$ by utilizing the login request message $\{A_1,A_3,A_4,T_1\}$.

Step 2: 

When $\mathcal{A}$ intercepts the message $\{y_i,D_4,T_4\}$, $\mathcal{A}$ can decrypt $E_{A_2}\left(g_i\right)$ because $A_2$ is the symmetric key between the $U_i$ and the gateway $GW$.

Step 3: 

After $\mathcal{A}$ obtains the message $\{f_i·P,X_i,T_3\}$, $\mathcal{A}$ can get $(A_2,g_i)$ and $(f_i·P)$. At last, $\mathcal{A}$ computes $U_i$’s session key $sk=h\left(A_2\right||f_i·g_i·P)$.

4.3. Session-Specific Random Number Leakage Attack

Step 1: 

After getting the parameter $A_2$, $\mathcal{A}$ captures the message $\{y_i,D_4,T_4\}$. Then, $\mathcal{A}$ decrypts $D_4=E_{A_2}\left(g_i\right)$ by using the symmetric key $A_2$ and obtains $g_i$.

Step 2: 

$\mathcal{A}$ eavesdrops the message of the sensor node $S_j$$\{f_i·P,X_i,T_3\}$. Finally, $\mathcal{A}$ computes the session key $sk=h\left(A_2\right||f_i·g_i·P)$ using $f_i·P$ in the message of $S_j$.

5.1. Sensor Node Registration Phase

Step 1: 

$S_j$ selects its identity $SI{D}_j$ and generates a random number $R_j$. Then, $S_j$ computes $h\left(SI{D}_j\right|\left|R_j\right)$ and sends $\{SI{D}_j,h(SI{D}_j\left|\right|R_j\left)\right\}$ to $GW$ over a secure channel.

Step 2: 

$GW$ receives $\{SI{D}_j,h(SI{D}_j\left|\right|R_j\left)\right\}$ and computes $K{S}_j=h\left(h\right(SI{D}_j\left|\right|R_j\left)\right||k_{GWN})$, where $k_{GWN}$ is the master key of $GW$. $GW$ stores $\{SI{D}_j,h(SI{D}_j\left|\right|$$R_j\left)\right\}$ in the secure database and sends $\left\{K{S}_j\right\}$ to $S_j$.

Step 3: 

At last, $S_j$ stores $\left\{K{S}_j\right\}$ in its memory.

5.2. User Registration Phase

Step 1: 

$U_i$ inputs an identity $I{D}_i$ and a high entropy password $P{W}_i$. After that, $U_i$ transmits $\left\{I{D}_i\right\}$ to $GW$ via a secure channel.

Step 2: 

$GW$ generates random numbers x and $R_g$, and computes $HI{D}_i=h(I{D}_i\left|\right|R_g),$$PI{D}_i$$=HI{D}_i\oplus h\left(x\right||k_{GWN})$. $GW$ stores $\{PI{D}_i,x\}$ in its secure database and sends the message $\{PI{D}_i,HI{D}_i,h(.)\}$ to $U_i$.

Step 3: 

$U_i$ generates a random number $R_i$. With $R_i$, $U_i$ computes $AP{W}_i=h(P{W}_i\left|\right|R_i),$$S{R}_i=R_i\oplus (I{D}_i\left|\right|P{W}_i), SHI{D}_i=HI{D}_i\oplus h(P{W}_i\left|\right|I{D}_i\left|\right|R_i)$, and $V_i=h($$AP{W}_i$$\left|\right|I{D}_i\left|\right|R_i)$. Finally, $U_i$ stores $\{S{R}_i,SHI{D}_i,V_i,PI{D}_i,h(.)\}$ in the smart card.

5.3. Login and Authentication Phase

Step 1: 

After inserting the smart card, $U_i$ inputs the identity $I{D}_i$ and the password $P{W}_i$. The smart card computes $R_1^{*}=S{R}_i\oplus h(I{D}_i\left|\right|P{W}_i),AP{W}_i^{*}=h(P{W}_i\left|\right|R_i)$ and $V_i^{*}=h(AP{W}_i^{*}\left|\right|I{D}_i\left|\right|R_1^{*})$. Then, the smart card checks the validity of $V_i^{*}$ compared with $V_i$ stored in the smart card. If the validity is confirmed, the smart card generates a random nonce $N_1$, and computes $HI{D}_i=SHI{D}_i\oplus h(P{W}_i\left|\right|I{D}_i\left|\right|R_i),S_i=SI{D}_j\oplus h(PI{D}_i\left|\right|HI{D}_i),M_1=N_1\oplus h(HI{D}_i\left|\right|PI{D}_i),$ and $V_1=h(SI{D}_j\left|\right|PI{D}_i\left|\right|N_1\left|\right|HI{D}_i)$. At last, $U_i$ sends $\{PI{D}_i,S_i,M_1,V_1\}$ to $GW$ over a public channel.

Step 2: 

When $GW$ receives $\{PI{D}_i,S_i,M_1,V_1\}$ from $U_i$, $GW$ retrieves $PI{D}_i$ and the shared secret value x from $GW$’s database. Then, $GW$ computes $HI{D}_i^{*}=PI{D}_i\oplus h\left(x\right||k_{GWN}),SI{D}_j^{*}=S_i\oplus h(PI{D}_i\left|\right|$$HI{D}_i^{*}),N_1^{*}=M_1\oplus h(HI{D}_i^{*}\left|\right|PI{D}_i)$ and $V_1^{*}=h(SI{D}_j^{*}\left|\right|PI{D}_i\left|\right|N_1^{*}\left|\right|HI{D}_i^{*})$, and checks the validity of $V_1^{*}$ compared with $V_1$. If the validity is confirmed, $GW$ retrieves $SI{D}_j$ and $h\left(SI{D}_j\right|\left|R_j\right)$ from $GW$’s database. $GW$ computes $K{S}_j=h\left(h\right(SI{D}_j\left|\right|R_j\left)\right||k_{GWN}),M_2=h(N_2\left|\right|HI{D}_i)\oplus h(K{S}_j\left|\right|PI{D}_i),$$M_3=N_1\oplus h\left(h\right(N_2\left|\right|HI{D}_i\left)\right||K{S}_j),$ and $V_2=h(PI{D}_i\left|\right|SI{D}_j\left|\right|h(N_2\left|\right|HI{D}_i\left)\right||N_1)$. At last, $GW$ sends $\{PI{D}_i,M_2,M_3,V_2\}$ to $S_j$ over a public channel.

Step 3: 

If $S_j$ receives $\{PI{D}_i,M_2,M_3,V_2\}$, $S_j$ computes $h(N_2\left|\right|HI{D}_i{)}^{*}=M_2\oplus h(K{S}_j\left|\right|$$PI{D}_i),N_1^{*}=M_3\oplus h\left(h\right(N_2\left|\right|HI{D}_i{)}^{*}\left|\right|PI{D}_i$$),$$V_2^{*}=h(PI{D}_i\left|\right|SI{D}_j\left|\right|h(N_2\left|\right|HI{D}_i\left)\right||$$N_1^{*})$ and checks the validity of $V_2^{*}$ compared with the parameter $V_2$. If the validity is confirmed, $S_j$ computes $SK=h\left(h\right(N_2\left|\right|HI{D}_i\left)\right||N_3\left|\right|N_1),M_4=N_3\oplus h(K{S}_j\left|\right|N_2),V_3=h\left(SK\right||N_3$$\left|\right|SI{D}_j)$, where $SK$ is a session key. Finally, $S_j$ sends $\{M_4,V_3\}$ to $GW$.

Step 4: 

After receiving the message $\{M_4,V_3\}$ from $S_j$, $GW$ computes $N_3^{*}=M_4\oplus h(K{S}_j\left|\right|N_2),S{K}^{*}=h\left(h\right(N_2\left|\right|HI{D}_i\left)\right||N_3^{*}\left|\right|N_1),V_3^{*}=h(S{K}^{*}\left|\right|N_3^{*}\left|\right|$$SI{D}_j)$ and verifies the equality of $V_3^{*}$ and $V_3$. If the verification is successful, $GW$ generates a random nonce $N_2$ and computes $x^{new}=h\left(x\right||N_2),PI{D}_i^{new}=HI{D}_i\oplus h(x^{new}\left|\right|k_{GWN}),P_i=PI{D}_i^{new}\oplus h(N_1\left|\right|HI{D}_i),M_5=N_2\oplus h(HI{D}_i\left|\right|SI{D}_j\left|\right|$$N_1)$$,M_6=N_3\oplus h(N_2\left|\right|HI{D}_i$$\left|\right|PI{D}_i^{new})$ and $V_4=h(N_2\left|\right|N_3\left|\right|$$PI{D}_i^{new}\left|\right|SK)$. At last, $GW$ sends $\{P_i,M_5,M_6,V_4\}$ to $U_i$ and updates $\{PI{D}_i,x\}$ to $\{PI{D}_i^{new},x^{new}\}$ if the key agreement is successful.

Step 5: 

When $U_i$ receives the message $\{P_i,M_5,M_6,V_4\}$ from $GW$, $U_i$ computes $PI{D}_i^{new}$$=P_i\oplus h(N_1\left|\right|HI{D}_i),N_2^{*}=M_5\oplus h(HI{D}_i\left|\right|SI{D}_j\left|\right|N_1),N_3^{*}=M_6\oplus h(N_2^{*}\left|\right|HI{D}_i$$\left|\right|$$PI{D}_i^{new})$$,S{K}^{*}=h\left(h\right(N_2^{*}\left|\right|HI{D}_i\left)\right||N_3^{*}\left|\right|N_1),V_4^{*}=h(N_2^{*}\left|\right|N_3^{*}\left|\right|$$PI{D}_i^{new}\left|\right|S{K}^{*})$ and checks the validity of $V_4^{*}$ compared with $V_4$. If the validity is confirmed, $U_i$ replaces $\left\{PI{D}_i\right\}$ to $\left\{PI{D}_i^{new}\right\}$ in the smart card.

5.4. Password Update Phase

Step 1: 

After inserting the smart card, The user $U_i$ inputs the identity $I{D}_i$ and the password $P{W}_i$. The smart card computes $R_i^{*}=S{R}_i\oplus h(I{D}_i\left|\right|P{W}_i),AP{W}_i^{*}=h(P{W}_i\left|\right|R_i),V_i^{*}=h(AP{W}_i\left|\right|I{D}_i\left|\right|R_i^{*})$ and verifies the equality of $V_i^{*}$ and $V_i$. If the verification is successful, the smart card requests a new password to $U_i$.

Step 2: 

$U_i$ inputs a new password $P{W}_i^{new}$. The smart card selects a random number $R_i^{new}$ and computes $AP{W}_i^{new}=h(P{W}_i^{new}\left|\right|R_i^{new}),S{R}_i^{new}=R_i^{new}\oplus (I{D}_i\left|\right|P{W}_i^{new})$$,SHI{D}_i^{new}=HI{D}_i\oplus h(P{W}_i^{new}\left|\right|I{D}_i\left|\right|R_i^{new}),V_i^{new}=h(AP{W}_i^{new}\left|\right|I{D}_i\left|\right|R_i^{new})$. Finally, the smart card stores $\{S{R}_i^{new},SHI{D}_i^{new},V_i^{new},PI{D}_i,h(.)\}$.

5.5. Sensor Node Addition Phase

Step 1: 

$S_j^{new}$ selects its identity $SI{D}_j^{new}$. Then, $S_j^{new}$ generates a random number $R_j^{new}$. With $SI{D}_j^{new}$ and $R_j^{new}$, $S_j^{new}$ computes $h(SI{D}_j^{new}||R_j^{new})$ and sends $\{SI{D}_j^{new},h($$SI{D}_j^{new}$$\left|\right|R_j^{new}\left)\right\}$ to $GW$ through a secure channel.

Step 2: 

After receiving $\{SI{D}_j^{new},h(SI{D}_j^{new}\left|\right|R_j^{new}\left)\right\}$ from $S_j^{new}$, $GW$ computes $K{S}_j^{new}=h(h(SI{D}_j^{new}\left|\right|R_j^{new}\left)\right||k_{GWN})$ and stores $\{SI{D}_j^{new},h(SI{D}_j^{new}\left|\right|R_j^{new}\left)\right\}$ in the database of $GW$. Finally, $GW$ sends $\{K{S}_j^{new}\}$ to $S_j^{new}$.

Step 3: 

$S_j^{new}$ receives the message $\{K{S}_j^{new}\}$ from $GW$ and stores $\{K{S}_j^{new}\}$ in the memory of $S_j^{new}$.

6.1. Informal Security Analysis

6.2. BAN Logic