IEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS

A Provably Secure, Efficient, and Flexible Authentication Scheme for Ad hoc Wireless Sensor Networks

Chin-Chen Chang, Fellow, IEEE, and Hai-Duong Le

Abstract—In 2014, Turkanovic et al. proposed a smart card-based authentication scheme for heterogeneous ad hoc wireless sensor networks. This scheme is very efficient since it employs only hash functions and XOR operations. However, we found that Turkanovic et al.’s scheme is vulnerable to impersonation attack with node capture, stolen smart card attack, sensor node spoofing attack, and stolen verifier attack, and fails to ensure backward secrecy. We propose an efficient scheme to overcome all those weaknesses. Moreover, we also propose an advanced scheme, which provides perfect forward secrecy without much modification from the first proposed scheme.

Index Terms—Authentication, elliptic curve cryptography, key agreement, wireless sensor networks.

I. INTRODUCTION

Wireless Sensor Networks (WSNs) are cost-effective solutions for a wide range of real-time monitoring applications, such as traffic monitoring, environmental monitoring, wildlife monitoring, homeland security, health care, etc. They are normally deployed in unattended environments, which are sometimes under hostile conditions. Besides monitoring, they are also used for controlling equipment in manufacturing, battlefield weapons, etc.

A Wireless Sensor Network comprises a large number of specialized and autonomous sensors communicating over a wireless network. A sensor node is typically constrained by its low memory, low battery power, low bandwidth and limited computational ability. Therefore, it is desirable not to burden sensor nodes with heavy workloads.

In WSNs, data collected by sensor nodes sometimes contain valuable and confidential information that only authorized users are allowed to access.
Moreover, in the case where a user commands a sensor node to perform certain tasks, the user must be authenticated before sending instructions to the sensor node.

There are two approaches to authenticating users in WSNs: (a) a user is authenticated by the gateway node (GWN) before accessing sensor nodes; (b) a user directly contacts a sensor node and performs authentication with it.

Manuscript received September 6, 2014; revised June 6, 2015; accepted August 20, 2015. The associate editor coordinating the review of this paper and approving it for publication was Prof. Yong Guan. C.-C. Chang is with the Department of Information Engineering and Computer Science, Feng Chia University, Taichung 40724, Taiwan, and also with the Department of Computer Science and Information Engineering, Asia University, Taichung 41354, Taiwan (e-mail: alan3c@gmail.com). H.-D. Le is with the Department of Information Engineering and Computer Science, Feng Chia University, Taichung 40724, Taiwan (e-mail: duonghaile@gmail.com). Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org. Digital Object Identifier 10.1109/TWC.2015.2473165

Since sensor nodes are limited in terms of computation and communication capabilities, lightweight authentication and key agreement protocols [1]–[11] are preferred for WSNs. In 2006, Wong et al. [2] proposed a dynamic strong-password based user authentication for WSNs. This protocol is considered to be lightweight since it uses only simple operations such as hash functions and exclusive-OR operations. However, in 2007, Tseng et al. [3] showed that Wong et al.’s protocol is vulnerable to replay and forgery attacks, and any sensor node could reveal the users’ passwords. Furthermore, Das [4] found that Wong et al.’s protocol also suffers from the same login-id threat and the stolen-verifier attack.
Das then presented a two-factor authentication scheme using a smart card in which users are authenticated by gateway nodes. Later studies [5]–[7] revealed that Das’s scheme fails to provide mutual authentication and key agreement, and it is vulnerable to many attacks (e.g. insider attack, impersonation attack, node-capture attack, denial-of-service attack, etc.). In 2010, Khan et al. [5] proposed a protocol as an improvement of Das’s, but Vaidya et al. [8] showed that it is susceptible to stolen smart card attack and impersonation attack.

In 2012, two lightweight smart card-based authentication protocols were proposed by Das et al. [9] and Xue et al. [10] separately. However, Turkanovic and Holbl [12] demonstrated that Das et al.’s scheme has flaws that make it infeasible for real-life implementation. In 2013, Li et al. [11] showed that Xue et al.’s protocol suffers from several attacks (e.g. insider attack, stolen verifier attack, many logged-in users attack, etc.) and proposed an advanced scheme that eliminates those vulnerabilities in Xue et al.’s.

Recently, in 2014, Turkanovic et al. [1] proposed a new smart card based authentication scheme for heterogeneous ad hoc wireless sensor networks in which a user can contact and authenticate directly with a sensor node. Although it is an efficient scheme which employs only hash functions and exclusive-OR operations, we found that Turkanovic et al.’s protocol is susceptible to stolen smart card attack, impersonation attack with node capture, sensor node spoofing attack, and stolen verifier attack, and it fails to ensure backward secrecy.

In those lightweight protocols, a sensor node is always provided with a secret value which is either computable only by the gateway or pre-shared with the gateway node.
If an adversary eavesdrops on the communication channel and obtains this secret value from a sensor node, it can compute the previous session

1536-1276 © 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.