A Security-Performance-Balanced User Authentication Scheme for Wireless Sensor Networks

The uses of wireless sensor networks have increased to be applicable in many different areas, such as military applications, ecology, and health applications. These applications often include the management of confidential information, making the issue of security one of the most important aspects to consider. In this aspect, a user authentication mechanism that allows only legitimate users to access the network data becomes critical for maintaining the confidentiality and integrity of the network information. In this paper, we describe and cryptoanalyze previous works in user authentication to illustrate their vulnerabilities and security flaws. We then propose a robust user authentication scheme that solves the identified limitations. Additionally, we describe how the proposed protocol is more suitable for a secure sensor network implementation by analysis in terms of security and performance.


Introduction
Wireless sensor networks (WSNs) are being applied in different fields such as habitat monitoring [1], indoor sensor networks [2], military applications [3], and health monitoring [4]. Many of these applications manage confidential information, making the issue of security one of the most important points to consider. One of the fields of research in wireless sensor network security is the user authentication scheme that allows only authentic users to access the data collected by the sensor nodes.
In 2006, Wong et al. [5] proposed a dynamic user authentication scheme and discussed the implementation issues with the recommendation of using the security features of the IEEE 802.15.4 MAC sublayer. Later, in 2009, Das [6] presented his research work where he identified vulnerabilities in Wong et al.'s protocol and proposed his own authentication scheme based on the two-factor user authentication concept. After publication of Das' proposal, several works have pointed out that such a protocol was vulnerable to other attacks. Nyang and Lee [7] identified that Das' protocol was vulnerable to offline password guessing and sensor node compromising attacks. Huang et al. [8] also identified some limitations of Das' scheme, such as vulnerability to an impersonation attack. Additionally, [9] pointed out the absence of a mutual authentication feature in Das' protocol, while Khan and Alghathbar [10] pointed out more security flaws of Das' proposal, noting that it was vulnerable to privileged-insider and gateway-node bypassing attacks. References [7][8][9][10] also proposed enhanced versions of Das' protocol to eliminate the detected vulnerabilities. However, those proposals still include several vulnerabilities and limitations that an adversary could take advantage of.
In this paper, we provide two specific contributions to the WSN user authentication research area: (1) first, we cryptoanalyze the aforementioned works and show how reference [7] is still vulnerable to parallel session and privileged-insider attacks and how it does not offer a password change mechanism. We also illustrate how [8] is vulnerable to parallel session and privileged-insider attacks and how it does not provide mutual authentication and password change features. Additionally, we explain how [9] is defenseless against parallel session, privileged-insider, and gateway-node bypassing attacks, does not offer a password change mechanism, and has a serious vulnerability in its mutual authentication mechanism. Furthermore, we explain how [10] is vulnerable to parallel session attacks, only offers partial protection against gateway-node bypassing attacks, and does not provide mutual authentication between the user and the gateway node. (2) Later, after identifying the limitations of the previously mentioned works, we propose a robust user authentication scheme for wireless sensor networks which fixes the aforementioned weaknesses.
The rest of the paper is organized as follows. Section 2 briefly reviews the existing works and details the weaknesses and security pitfalls of such schemes. Section 3 then presents the proposed protocol which solves the vulnerabilities and limitations mentioned in Section 2. Next, Section 4 analyzes the proposed protocol in terms of security and performance. Finally, Section 5 concludes this paper.

Previous Works and Their Cryptanalysis
In this section, we explain briefly the proposal of Das [6]. We then describe further works [7][8][9][10] focused on solving the limitations of Das' scheme and how those enhanced proposals are still not secure and have several security vulnerabilities.

Review of the Das Scheme. The scheme proposed by Das [6] is composed of registration and authentication phases.
Registration Phase. A user U_i submits his/her identity ID_i and password PW_i to the gateway node GW using a secure channel. GW then computes N_i = h(ID_i ‖ PW_i) ⊕ h(K), where K is a symmetric key only known by GW, h(·) is a hash function, and "‖" is a concatenation operator. Once N_i is calculated, GW personalizes a smart card with the parameters h(·), ID_i, N_i, h(PW_i), and x_a, where x_a is a secret parameter generated securely by GW and stored in the sensor nodes before deployment. Finally, GW delivers the smart card to U_i in a secure manner.
Authentication Phase. This phase is executed when U_i needs to access data of a sensor node of the network. The phase is composed of the login and verification phases.
(1) Login Phase. U_i inserts the smart card in his/her terminal and inputs ID_i and PW_i. The smart card verifies the validity of those values by comparing ID_i and h(PW_i) with the data stored in it. If those values are correct, the smart card computes DID_i = h(ID_i ‖ PW_i) ⊕ h(x_a ‖ T) and C_i, where T is the current timestamp of U_i's system, and sends {DID_i, C_i, T} to GW.
(2) Verification Phase. Upon receiving the login request at time T*, GW validates T. If (T* − T) > ΔT, then GW aborts the authentication process, where ΔT denotes the maximum allowed communication delay. Otherwise, GW computes h(ID_i ‖ PW_i)* = DID_i ⊕ h(x_a ‖ T) and C_i*. If C_i* is different from C_i, then GW rejects the login request; otherwise, GW sends a message {DID_i, A_i, T'} to some nearest sensor node S_n to respond to the query with the data that U_i is looking for, where A_i = h(DID_i ‖ S_n ‖ x_a ‖ T') and T' is the current timestamp of the GW's system. S_n first validates T', then computes h(DID_i ‖ S_n ‖ x_a ‖ T'), and checks whether it is equal to A_i. If those values match, then S_n responds to U_i's query.

Chen-Shih's Scheme.
In [9], the authors indicate that Das' scheme fails in mutual authentication and is vulnerable to a parallel session attack, and propose "A robust mutual authentication protocol for wireless sensor networks", which still has vulnerabilities and limitations.

Review of Chen-Shih's Scheme.
The protocol proposed in [9] is composed of registration, login, verification, and mutual authentication phases.
Registration Phase. The user U_i submits his/her identity ID_i and password PW_i to the gateway node GW using a secure channel. GW then computes N_i, where K is a symmetric key only known by GW, h(·) is a hash function, and "‖" is a concatenation operator. Once N_i is calculated, GW personalizes a smart card with the parameters h(·), ID_i, N_i, h(PW_i), and x_a, where x_a is a secret parameter generated by GW and stored in the sensor nodes before deployment. Finally, GW delivers the smart card to U_i in a secure manner.
Login Phase. When U_i enters his/her ID_i and PW_i, the smart card verifies the validity of ID_i and PW_i. If they are not correct, it terminates the request; otherwise, U_i's smart card generates a random nonce R_i at T_u and computes the login request. On receipt, GW checks the timestamp, where ΔT denotes the maximum allowed delay. If the delay exceeds ΔT, GW aborts the authentication process; otherwise, GW computes h(ID_i ‖ PW_i)* = DID_i ⊕ h(x_a ‖ T_u ‖ R_i) and C_i*. If C_i* differs from C_i, GW rejects the login request; otherwise, GW accepts the request, generates a random nonce R_c, and sends a message {DID_i, A_i, T'} to some sensor node S_n, where A_i = h(DID_i ‖ S_n ‖ x_a ‖ T') and T' is the current timestamp of GW's system. Additionally, GW also sends the {C_g, R_c, S_n} message to U_i, where C_g = h(DID_i ‖ S_n ‖ x_a ‖ R_c). Finally, S_n, after validating T', computes h(DID_i ‖ S_n ‖ x_a ‖ T') and checks whether it is equal to A_i. If those values match, then S_n responds to the query from U_i.
Mutual Authentication Phase. After receiving the message {C_g, R_c, S_n}, U_i only cooperates with S_n if C_g is equal to h(DID_i ‖ S_n ‖ x_a ‖ R_c).

Cryptoanalysis of Chen-Shih's Scheme.
Here, we show how the proposal of Chen and Shih still has some critical security pitfalls and limitations.
Parallel Session Attack. In Chen-Shih's scheme, the authors include the random nonce R_i inside DID_i and C_i to neutralize this attack. However, their protocol remains vulnerable. Assume that a legal user Tom eavesdrops on the message {DID_i(T1), C_i, T_1, R_i1}, where DID_i(T1) is the DID_i value at T_1 and R_i1 denotes the random nonce at T_1. Tom can then forge U_i's DID_i(T2) from his own values, where R_i2 is any random number selected by Tom, and ID_Tom and PW_Tom are Tom's ID and password, respectively. Once U_i's DID_i(T2) is obtained, Tom can send a new session message {DID_i(T2), C_i, T_2, R_i2} at T_2 for a new login request.
Gateway Node Bypassing Attack. The Chen-Shih scheme uses the x_a value to allow S_n to verify that the A_i message originates from the authentic GW. If we assume that the adversary can extract the value of x_a stored inside a valid smart card by using some techniques [11][12][13], the adversary can execute the gateway node bypassing attack. First, the attacker computes a forged DID_f = h(ID_f ‖ PW_f) ⊕ h(x_a ‖ T_f ‖ R_f) using the extracted x_a, where ID_f is a forged ID, PW_f is a randomly chosen forged password, T_f is the timestamp of the adversary's terminal, and R_f is an arbitrary random nonce. The attacker then computes A_f = h(DID_f ‖ S_n ‖ x_a ‖ T_f). Once DID_f and A_f are calculated, the adversary sends the message {DID_f, A_f, T_f} to S_n over the public channel. Finally, S_n accepts the adversary's message, since it cannot recognize its invalidity: the h(DID_f ‖ S_n ‖ x_a ‖ T_f) value computed by S_n is equal to the A_f value received from the adversary.
Privileged-Insider Attack. The system administrator or a privileged insider of GW may try to impersonate U_i by authenticating himself/herself to other servers where U_i could be a registered user. This is possible because GW receives the password of U_i in plaintext, that is, PW_i, in the registration phase, and because many users use the same password to access different applications or servers.

Vulnerable Mutual Authentication between U_i and GW.
Chen-Shih's scheme proposes a mutual authentication phase. However, it has a vulnerability which allows an adversary to execute a GW spoofing attack. If we assume that the adversary can extract the value of x_a from a valid smart card or sensor node by using some techniques [11][12][13], as assumed in [8,10], the adversary can then pretend to be a valid GW. First, the fake gateway node GW_f listens to the network and sniffs the {DID_i, C_i, T_u, R_i} message. Once the message is received, GW_f can respond with the message {C_f, R_f, S_f}, where S_f is the identification of the adversary's sensor node, C_f = h(DID_i ‖ S_f ‖ x_a ‖ R_f), and R_f is a random nonce selected by the adversary. Finally, U_i accepts the adversary's message, since it cannot recognize its invalidity: the received C_f is equal to h(DID_i ‖ S_f ‖ x_a ‖ R_f) computed by U_i. After authentication, the fake sensor node S_f can send false data to U_i.

Lack of Mutual Authentication between GW and the Sensor Node.
The Chen-Shih scheme does not provide a mutual authentication mechanism between GW and the sensor nodes. Therefore, it is vulnerable to a sensor node spoofing attack. The adversary can place a false sensor node S_f to respond to the {DID_i, A_i, T'} message with false data. GW cannot recognize the invalidity of the false data because it does not perform any verification.
Lack of a Password Change Phase. The Chen-Shih scheme does not provide a password change phase for U_i, which is a requirement for a secure system.

Khan-Alghathbar's Scheme.
In [10], the authors indicate that Das' scheme is vulnerable to gateway node bypassing and privileged-insider attacks. They also point out that Das' scheme does not provide mutual authentication or a password change mechanism. As a response to such limitations, they propose improvements to Das' scheme which still have vulnerabilities and limitations.

Review of Khan-Alghathbar's Scheme.
The protocol proposed in [10] is composed of registration and authentication phases.
Registration Phase. A user U_i submits his/her identity ID_i and password PW_i to his/her terminal. The terminal then calculates h(PW_i) and sends ID_i and h(PW_i) to the gateway node GW using a secure channel, where h(·) is a hash function. GW then computes N_i, where K is a symmetric key only known by GW and "‖" is a concatenation operator. Once N_i is calculated, GW personalizes a smart card with the parameters h(·), ID_i, N_i, h(PW_i), and x_a, where x_a is a secret parameter generated securely by GW. On the other hand, GW generates another secret parameter x_s and stores it in each sensor node before its deployment in the field.
Authentication Phase. This phase is executed when U_i needs to access the data of a sensor node of the network. The phase is composed of login and verification phases.
(1) Login Phase. U_i inserts the smart card in his/her terminal and inputs ID_i and PW_i. The smart card verifies the validity of those values by comparing them with the data stored in it. If those values are correct, the smart card computes DID_i and C_i, where T is the current timestamp of U_i's system, and sends {DID_i, C_i, T} to GW. Otherwise, the login request is rejected.
(2) Verification Phase. Upon receiving the login request at time T*, GW validates T. If (T* − T) > ΔT, GW aborts the authentication process, where ΔT denotes the maximum allowed communication delay. Otherwise, GW verifies the request and forwards {DID_i, A_i, T'} to a sensor node S_n, where T' is the current timestamp of GW's system. S_n first validates T', then computes h(DID_i ‖ S_n ‖ x_s ‖ T'), and checks whether it is equal to A_i. If those values match, S_n computes B_i = h(S_n ‖ x_s ‖ T''), where T'' is the current timestamp of the sensor node's system, and sends {B_i, T''} to GW. After receiving the mutual authentication message {B_i, T''}, GW first checks the validity of timestamp T'' and then computes B_i* = h(S_n ‖ x_s ‖ T'') and checks whether it is equal to B_i. If those values match, GW establishes trust with the sensor node; otherwise, GW alerts U_i about the possibility of a malicious sensor node in the network and sends a process-termination message.

Cryptoanalysis of Khan-Alghathbar Scheme.
The proposal of Khan and Alghathbar still has some critical security pitfalls and limitations as shown below.
Parallel Session Attack. Assume that a legal user Tom eavesdrops on the message {DID_i, C_i, T_1} between GW and U_i at timestamp T_1 to obtain the DID_i at T_1 and derives DID_i(T2) from his own values, where ID_Tom and PW_Tom are Tom's ID and password, respectively. Once DID_i(T2) is obtained, Tom can then send a new session message {DID_i(T2), C_i, T_2} at T_2 for a new login request.
Gateway Node Bypassing Attack. The secret value x_s stored and shared by sensor nodes can be extracted using techniques similar to those for extracting x_a from a smart card [11,13]. If x_s is extracted, the adversary can execute the gateway node bypassing attack using forged values, where ID_f is a forged ID, PW_f is a randomly chosen forged password, and T_f is the timestamp of the adversary's terminal.
Lack of Mutual Authentication between U_i and GW. First of all, the aforementioned work proposes mutual authentication between GW and S_n. However, it omits the mutual authentication between U_i and GW. Newer sensor networks offer remote administration/query features in gateway nodes [14,15], allowing users to access the network's data from a remote terminal. In this kind of environment, it is really important to authenticate the validity of GW from U_i's side to avoid adversaries collecting valuable data using fake gateway nodes.
Nyang-Lee's Scheme.
In [7], the authors point out that Das' scheme is vulnerable to password guessing attacks and gateway node impersonation attacks and has the limitation of a lack of protection relating to query-response. As a response to such security pitfalls, the authors propose a security-enhanced protocol.

Review of Nyang-Lee's Scheme.
In [7], the authors propose a security-enhanced protocol composed of the registration and authentication phases.
Registration Phase. The registration phase is the same as that of Das' protocol.
Authentication Phase. It starts with the submission of ID_i and PW_i by U_i. Once U_i inputs those values, U_i's smart card authenticates ID_i and PW_i by comparing those values with the values stored in it. The smart card then computes the login request. After validation, GW computes an encryption key EK_{i,n} = h_1(DID_i ‖ S_n ‖ (DID_i ⊕ h(x_a ‖ T) ⊕ h(K)) ‖ x_a ‖ T) and a MAC key MK_{i,n} = h_2(DID_i ‖ S_n ‖ (DID_i ⊕ h(x_a ‖ T) ⊕ h(K)) ‖ x_a ‖ T) between U_i and the sensor node S_n. To provide a secure channel for EK_{i,n} and MK_{i,n} between S_n and itself, GW computes the encryption key EK_{GW,n} = h_1(GW ‖ S_n ‖ x_n ‖ T') and the MAC key MK_{GW,n} = h_2(GW ‖ S_n ‖ x_n ‖ T'), respectively, where x_n is a predistributed symmetric key between GW and S_n, and T' is the current time. GW then encrypts EK_{i,n} and MK_{i,n} using the key EK_{GW,n} computed in the previous step and produces D_i = E_{EK_{GW,n}}(EK_{i,n}, MK_{i,n}). It also computes a MAC A_i = h_0(DID_i ‖ S_n ‖ D_i ‖ T', MK_{GW,n}) using the key MK_{GW,n}, and transmits {DID_i, D_i, T', A_i} to S_n. When S_n receives those values, it first verifies T' and checks the MAC A_i. After verification, S_n decrypts D_i with EK_{GW,n} and recovers EK_{i,n} and MK_{i,n}. Data sensed by nodes is encrypted with EK_{i,n} as R = E_{EK_{i,n}}(Data), and the MAC is computed with MK_{i,n}. If this verification is successful, the sensed data is recovered by decrypting R using EK_{i,n} = h_1(DID_i ‖ S_n ‖ N_i ‖ x_a ‖ T).

Cryptoanalysis of Nyang-Lee's Scheme.
The Nyang-Lee proposal still has some critical security pitfalls and limitations as shown below.
Parallel Session Attack. The Nyang-Lee scheme is vulnerable to a parallel session attack in the same way as [9,10]. A legal user Tom can obtain the message {DID_i, C_i, T_1} between GW and U_i at timestamp T_1 to obtain the
Privileged-Insider Attack. The system administrator or a privileged insider of GW may try to impersonate U_i by authenticating himself/herself to other servers where U_i could be a registered user. This is possible because GW receives the password of U_i in plaintext, that is, PW_i, in the registration phase, and because many users use the same password to access different applications or servers.
Lack of a Password Change Phase. This scheme does not provide a password change phase for U_i, which is a requirement for a secure system.

Huang et al.'s Scheme.
In [8], the authors point out that the security features of Das' scheme are based on the x_a value and that its leakage can compromise the entire network. After explaining the limitations of Das' scheme, the authors propose an improved scheme which still has vulnerabilities and limitations.

Review of Huang et al.'s Scheme.
In this scheme, GW computes and stores h(x_a ‖ S_n) in the designated sensor node S_n before deployment. Note that each S_n is responsible for exchanging data with users. The improved scheme consists of four phases: the registration phase, login phase, verification phase, and password change phase.
Registration Phase. The user U_i submits his/her identity ID_i and password PW_i to GW using a secure channel. GW then computes the smart card parameters. In the password change phase, the smart card replaces the stored N_i and h(PW_i) with the new N_i' and h(PW_i'), respectively.

Cryptoanalysis of Huang et al.'s Scheme
Parallel Session Attack. Huang et al.'s scheme is vulnerable to parallel session attacks in the same way as [7,9,10]. A legal user Tom can obtain the message
Privileged-Insider Attack. The system administrator or a privileged insider of GW may try to impersonate U_i by authenticating himself/herself to other servers where U_i could be a registered user. This is possible because GW receives the password of U_i in plaintext, that is, PW_i, in the registration phase, and because many users use the same password to access different applications or servers.
Lack of Mutual Authentication. Huang et al.'s scheme does not provide a mutual authentication mechanism. Therefore, it is vulnerable to GW and sensor node spoofing attacks. U_i does not have any mechanism to verify the validity of messages sent by GW. Therefore, the adversary can respond to the {DID_i, C_i, T} message with false data. In the same way, the adversary can place a false sensor node S_f to respond to the {DID_i, A_i, T'} message with false data.

Proposed Protocol
This section describes the proposed enhanced protocol, which fixes the weaknesses of previous works. The proposed protocol is composed of three phases: registration, authentication, and password change, executed among three independent entities: users, the gateway node, and sensor nodes.

Registration Phase. A user U_i chooses his/her identity ID_i and password PW_i and inputs them to the terminal. The terminal then generates a random number r_i and computes PPW_i = h(PW_i) ⊕ r_i, where h(·) is a hash function and ⊕ is an XOR operator. Once PPW_i has been calculated, ID_i and PPW_i are sent to the gateway node GW using a secure channel. GW then computes M_i = h(ID_i ‖ PPW_i), N_i = h(ID_i ‖ PPW_i) ⊕ h(K ‖ x_a), and K_i = h(x_a ‖ ID_i), where K is a symmetric key only known by GW, x_a is a secret parameter generated securely by GW, and "‖" is a concatenation operator. Once M_i, N_i, and K_i have been calculated, GW personalizes a smart card with the parameters h(·), M_i, N_i, and K_i. Finally, GW delivers the smart card to U_i in a secure manner and U_i stores r_i in the smart card.
Meanwhile, a unique secret key K_n = h(x_a ‖ S_n) is stored in each sensor node responsible for exchanging data with U_i, where S_n is the unique identification of the sensor node.

Authentication Phase.
This phase is performed when U_i requests access to the data of a sensor node, and it is composed of login and verification phases.
Once computed A i , GW generates a random nonce RN1 GW and transmits the mes-

and checks whether it is equal to
and checks whether it is equal to B_i. GW authenticates U_i only if those values match. After a valid U_i authentication, GW generates a random nonce RN2_GW and transmits the message {DID_i, T', RN2_GW} to some nearest sensor node S_n to respond to the query with the data that U_i is looking for, where T' is the timestamp of GW's system when sending the message. S_n first validates T' using a method similar to the T verification, then computes C_i = h(K_n ‖ T' ‖ RN2_GW) and sends the message {C_i, RN_n}, where RN_n is a random nonce generated by S_n. GW then computes K_n* = h(x_a ‖ S_n) and C_i* = h(K_n* ‖ T' ‖ RN2_GW) and checks whether C_i* is equal to C_i. Only if those values match does GW respond to S_n's message by sending the message {D_i}, where D_i = h(DID_i ‖ K_n* ‖ RN_n). Finally, S_n checks the validity of D_i by comparing D_i* = h(DID_i ‖ K_n ‖ RN_n) with the received D_i. If those values match, then U_i is allowed to access S_n's data.
Session Key Establishment. A session key between U_i and GW, K_{Ui-GW} = h(RN_i ‖ RN1_GW ‖ K_i), and a session key between GW and S_n, K_{Sn-GW} = h(RN_n ‖ RN2_GW ‖ K_n), could be used if an encrypted channel were required after authentication. Additionally, if a direct communication channel between U_i and S_n were required, a bilateral session key K_{Ui-Sn} could be established through GW. In this case, GW would generate a random K_{Ui-Sn} and send it bound to RN_i and encrypted with K_{Ui-GW} to U_i, and bound to RN_n and encrypted with K_{Sn-GW} to S_n.
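As an added illustration (this is editorial example code, not the authors' implementation), the following Python models the registration derivations and the GW–S_n leg of the authentication phase described above, together with the K_{Sn-GW} session key. It assumes SHA-256 over length-prefixed fields as h(·), a ΔT of 5 seconds, and constructed identities and passwords; message transport is simulated by direct method calls, and U_i's own verification leg (A_i, B_i) is left out because its formulas are not fully specified in the text reproduced here.

```python
import hashlib
import hmac
import secrets

DELTA_T = 5  # maximum allowed delay in seconds; assumed value for this example


def h(*parts: bytes) -> bytes:
    """One-way hash h(a || b || ...): SHA-256 over length-prefixed parts, so
    the concatenation operator cannot be abused by shifting a field boundary."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    """Fixed-width encoding of a timestamp so it can be hashed."""
    return t.to_bytes(8, "big")


def user_registration_values(PW_i: bytes, r_i: bytes = None):
    """Terminal side of registration: PPW_i = h(PW_i) XOR r_i.
    Only (ID_i, PPW_i) is sent to GW, so GW never learns PW_i."""
    if r_i is None:
        r_i = secrets.token_bytes(32)
    return r_i, xor(h(PW_i), r_i)


def user_login_did(ID_i: bytes, PPW_i: bytes, K_i: bytes, T: int) -> bytes:
    """DID_i = h(ID_i || PPW_i) XOR h(K_i || T), as given in the analysis section."""
    return xor(h(ID_i, PPW_i), h(K_i, ts(T)))


class Gateway:
    def __init__(self) -> None:
        self.K = secrets.token_bytes(32)    # symmetric key known only to GW
        self.x_a = secrets.token_bytes(32)  # secret that never leaves GW

    def register_user(self, ID_i: bytes, PPW_i: bytes) -> dict:
        """Smart-card parameters M_i, N_i, K_i for one user."""
        base = h(ID_i, PPW_i)
        return {"M_i": base,
                "N_i": xor(base, h(self.K, self.x_a)),
                "K_i": h(self.x_a, ID_i)}

    def provision_sensor(self, S_n: bytes) -> bytes:
        """K_n = h(x_a || S_n): one derived secret per node, never the raw x_a."""
        return h(self.x_a, S_n)

    def authenticate_sensor(self, sensor, DID_i: bytes, gw_now: int, sensor_now: int):
        """GW <-> S_n leg after U_i has been authenticated. Returns the
        session key K_{Sn-GW} on success, None on any failure."""
        T_prime = gw_now
        RN2_GW = secrets.token_bytes(16)
        try:
            C_i, RN_n = sensor.on_query(DID_i, T_prime, RN2_GW, sensor_now)
        except ValueError:
            return None                       # node rejected the timestamp
        K_n_star = h(self.x_a, sensor.S_n)    # recompute K_n from x_a and S_n
        C_i_star = h(K_n_star, ts(T_prime), RN2_GW)
        if not hmac.compare_digest(C_i_star, C_i):
            return None                       # node does not hold the right K_n
        D_i = h(DID_i, K_n_star, RN_n)
        if not sensor.on_confirm(D_i, DID_i):
            return None
        return h(RN_n, RN2_GW, K_n_star)      # K_{Sn-GW}


class Sensor:
    def __init__(self, S_n: bytes, K_n: bytes) -> None:
        self.S_n, self.K_n = S_n, K_n
        self._RN_n = self._RN2_GW = None
        self._ok = False

    def on_query(self, DID_i: bytes, T_prime: int, RN2_GW: bytes, now: int):
        """Validate T', then answer with C_i = h(K_n || T' || RN2_GW) and a fresh RN_n."""
        if abs(now - T_prime) > DELTA_T:
            raise ValueError("stale timestamp")
        self._RN_n, self._RN2_GW, self._ok = secrets.token_bytes(16), RN2_GW, False
        return h(self.K_n, ts(T_prime), RN2_GW), self._RN_n

    def on_confirm(self, D_i: bytes, DID_i: bytes) -> bool:
        """Accept GW only if D_i matches D_i* = h(DID_i || K_n || RN_n)."""
        self._ok = hmac.compare_digest(h(DID_i, self.K_n, self._RN_n), D_i)
        return self._ok

    def session_key(self):
        """K_{Sn-GW}, available only after a successful mutual authentication."""
        if not self._ok:
            return None
        return h(self._RN_n, self._RN2_GW, self.K_n)
```

The point of the node-side design is that a sensor that only holds another node's K_n cannot produce a C_i that GW accepts, and a party that does not know x_a cannot produce a D_i that the node accepts; both checks use constant-time comparison, and the freshness of each run rests on RN2_GW and RN_n rather than on the timestamp alone.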

Analysis of the Protocol
In this section, we analyze the proposed protocol in terms of security and performance.

Security Analysis.
In this part, we analyze the security of the proposed protocol in terms of formal verification and analysis of aforementioned attacks. The registration and password change phases of the proposed mechanism were excluded from this analysis because they are executed in a secure environment. In the analysis of the authentication phase, the widely used Dolev-Yao [16] threat model was applied, which assumes that two communicating parties communicate over an insecure channel.

Formal Proof Based on BAN Logic.
In this subsection, we demonstrate the security of the proposed mechanism by a well-known formal model called BAN logic [17]. BAN logic has been widely used in different works such as [18][19][20] to reason about their security validation.
The logical notations of BAN logic used in this paper are described as follows.
P |≡ X: The principal P believes that X holds. In other words, P is entitled to act as though X is true.
#(X): The formula X is fresh. That is, X has not been sent before in any run of the protocol.
P ⇒ X: The principal P has jurisdiction over the statement X. That is, P is an authority on X and can be trusted on X.
P ◁ X: The principal P sees the statement X. That is, someone has sent a message to P containing X, and P can read and repeat X.
P |∼ X: The principal P once said the statement X. That is, P sent a message containing X at some time.
(X, Y): The formula X or Y is one part of the formula (X, Y).
{X}_K: The formula X is encrypted under the key K.
(X)_K: The formula X is hashed with the key K, and K may be used to prove the origin of X.
P ←K→ Q: Principals P and Q may use the shared key K to communicate. The key K will never be discovered by any principal except P and Q.
Moreover, we describe some main logical postulates to be used in the proofs.
Message-Meaning Rule. If the principal P believes that the secret key K is shared with the principal Q and P sees that the statement X is encrypted under K, then the principal P believes that the principal Q once said the statement X.
Freshness-Conjuncatenation Rule. Provided that the principal P believes in the freshness of the statement X, the principal P believes in the freshness of (X, Y).
Nonce-Verification Rule. Provided that the principal P believes that the statement X has never been uttered before and that the principal Q once said X, the principal P believes that Q believes X.
Jurisdiction Rule. Provided that the principal P believes that the principal Q has jurisdiction over the statement X, the principal P trusts Q on the validity of X.
Belief Rules. A necessary property of the belief operator is that P believes a set of statements if and only if P believes each statement separately.
In the following, we demonstrate the security of the proposed scheme using the BAN logic. The goals the proposed scheme must satisfy are fixed first; the messages of the proposed protocol are then transformed into their idealized form; next, assumptions about the initial state of the scheme are stated; finally, the proof steps are performed on the idealized form of the proposed scheme based on the BAN logic rules and the assumptions (see Table 1).
The proposed goals were reached by (S.17)-(S.24), (S.29), (S.34), and (S.35). In summary, we have demonstrated how the proposed scheme provides mutual authentication as well as establishes fresh session keys among U_i, GW, and S_n.
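For reference, the postulates named above written out in the standard BAN inference-rule form (added here as an editorial note; these are the rules of Burrows, Abadi and Needham as generally stated, not a transcription of the paper's own typesetting, and the message-meaning rule is given for both the encrypted form {X}_K and the keyed-hash form (X)_K that the notation list distinguishes):

```latex
\begin{aligned}
&\text{Message meaning:} &&
  \frac{P \mid\equiv P \xleftrightarrow{K} Q,\quad P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X},
  \qquad
  \frac{P \mid\equiv P \xleftrightarrow{K} Q,\quad P \triangleleft (X)_K}{P \mid\equiv Q \mid\sim X} \\[4pt]
&\text{Freshness conjuncatenation:} &&
  \frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)} \\[4pt]
&\text{Nonce verification:} &&
  \frac{P \mid\equiv \#(X),\quad P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X} \\[4pt]
&\text{Jurisdiction:} &&
  \frac{P \mid\equiv Q \Rightarrow X,\quad P \mid\equiv Q \mid\equiv X}{P \mid\equiv X} \\[4pt]
&\text{Belief:} &&
  \frac{P \mid\equiv X,\quad P \mid\equiv Y}{P \mid\equiv (X, Y)},
  \qquad
  \frac{P \mid\equiv (X, Y)}{P \mid\equiv X},
  \qquad
  \frac{P \mid\equiv Q \mid\equiv (X, Y)}{P \mid\equiv Q \mid\equiv X}
\end{aligned}
```

Read each rule as "from the premises above the line, conclude the statement below it"; the nonce-verification rule is the step that turns a mere "Q once said X" into "Q currently believes X", which is why every proof step that establishes a belief about a session key must first establish freshness of the nonce or timestamp bound into it.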

Security Verification from Possible Attacks.
This subsection analyzes the security of the proposed solution against possible attacks. We assume that common communication channels are insecure and that there exists an attacker who can intercept all messages communicated among U_i, GW, and S_n. In addition, we assume that the attacker can obtain or steal legal user U_i's smart card. Based on these assumptions, the attacker might execute certain attacks to interfere with the proposed scheme.
Parallel Session Attack. Even though another legal user of the system, say Tom, eavesdrops on U_i's message {DID_i, T_1, ID_i, RN_i}, he cannot obtain DID_i(T2) as happens in previous protocols, because the DID_i in our protocol is calculated as h(ID_i ‖ PPW_i) ⊕ h(K_i ‖ T), which is based on U_i's unique values. The equation PPW_i = h(PW_i) ⊕ r_i contains r_i, which is random and individual for each U_i, and K_i is unique for each U_i. Therefore, the resultant value of DID_i(T1) ⊕ DID_Tom(T1) ⊕ DID_Tom(T2) will be h(
Privileged-Insider Attack. In the proposed solution, U_i transmits his/her pseudopassword PPW_i = h(PW_i) ⊕ r_i instead of PW_i. Therefore, GW will never know the PW_i value. This means that only U_i will know his/her secret password, thus protecting U_i from a privileged-insider attack. Additionally, a random value r_i is incorporated inside PPW_i to make the discovery of PW_i harder.
Gateway Node Bypassing Attack. The reason for the possibility of a GW bypassing attack in [6,9] is the sharing of the secret parameter x_a with the sensor node S_n and user U_i. If the value of x_a is compromised, then the whole sensor network becomes vulnerable to the gateway node bypassing attack. On the other hand, the reason for the possibility of the gateway node bypassing attack in [10] is the secret value x_s, which is stored in the sensor nodes and can be extracted using a method similar to extracting x_a from a smart card [11][12][13]; if x_s is extracted, the adversary can execute the GW bypassing attack using forged values, as shown in Section 2. In the proposed protocol, U_i's smart card and the sensor node S_n do not store either x_a or x_s, but instead store other individual secret values K_i = h(x_a ‖ ID_i) and K_n = h(x_a ‖ S_n), which are unique per smart card and sensor node. Therefore, even if the K_i or K_n value were extracted from a smart card or node, the rest of the users and nodes would still maintain their security.
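The parallel session and gateway node bypassing arguments above both come down to one property: whether the mask XORed onto h(ID_i ‖ ·) in DID_i is shared between users (h(x_a ‖ T), with x_a also sitting in every card and node) or derived per user (h(K_i ‖ T) with K_i = h(x_a ‖ ID_i)). The following editorial example (not code from the paper) encodes that property as a check a reviewer can run against both constructions; h(·) is SHA-256 over length-prefixed fields, and x_a, r_i, the identities and the passwords are constructed sample values.

```python
import hashlib


def h(*parts: bytes) -> bytes:
    """h(a || b || ...) as SHA-256 over length-prefixed parts."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    """Fixed-width timestamp encoding."""
    return t.to_bytes(8, "big")


def did_shared_mask(ID: bytes, PW: bytes, x_a: bytes, T: int) -> bytes:
    """Das-style DID_i = h(ID_i || PW_i) XOR h(x_a || T): the mask h(x_a || T)
    is identical for every user who logs in with the same timestamp T."""
    return xor(h(ID, PW), h(x_a, ts(T)))


def did_per_user(ID: bytes, PPW: bytes, K_i: bytes, T: int) -> bytes:
    """Proposed DID_i = h(ID_i || PPW_i) XOR h(K_i || T) with K_i = h(x_a || ID_i),
    so the mask differs from user to user even at the same T."""
    return xor(h(ID, PPW), h(K_i, ts(T)))


def per_user_credentials(x_a: bytes, ID: bytes, PW: bytes, r_i: bytes) -> tuple:
    """Registration values of the proposed scheme for one user:
    PPW_i = h(PW_i) XOR r_i on the terminal, K_i = h(x_a || ID_i) on GW."""
    PPW = xor(h(PW), r_i)
    return ID, PPW, h(x_a, ID)


def mask_is_shared(did_fn, cred_a: tuple, cred_b: tuple, T1: int, T2: int) -> bool:
    """Property check: if DID_a(T) XOR DID_b(T) is the same constant at two
    different timestamps, the per-timestamp mask cancels out between users.
    That cancellation is exactly the relation the parallel session attack
    depends on; a per-user mask makes the two XORs unrelated."""
    a1, b1 = did_fn(*cred_a, T1), did_fn(*cred_b, T1)
    a2, b2 = did_fn(*cred_a, T2), did_fn(*cred_b, T2)
    return xor(a1, b1) == xor(a2, b2)
```

The same check doubles as a regression test for the bypass argument: because each node and card only ever holds a value derived from x_a and its own identifier, nothing extracted from one device lets the check pass for another identity.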
Mutual Authentication. The proposed protocol provides both mutual authentication between U_i and GW, and between GW and S_n.
(1) Mutual authentication between U_i and GW: GW verifies the authenticity of U_i by comparing B_i sent by U_i with the B_i* value calculated by itself. B_i can only be computed by the authentic U_i because it is based on secret values such as N_i and K_i which are personal to each U_i. On the other hand, U_i verifies the authenticity of GW by comparing A_i sent by GW with the A_i* value computed by U_i. A_i can only be computed by the authentic GW because it is based on the secret values K and x_a only known by GW.
(2) Mutual authentication between GW and S_n: S_n verifies the authenticity of GW by comparing D_i sent by GW with the D_i* value calculated by itself. D_i can only be computed by the authentic GW because it is based on the secret value x_a. On the other hand, GW verifies the authenticity of S_n by comparing C_i sent by S_n with the C_i* value computed by GW. C_i can only be computed by the authentic S_n because it is based on the secret K_n value known only to the specific S_n.

Masquerade
Attack. An adversary who wants to impersonate a valid user U i to log into the network must calculate a valid DID i and B i . Since DID i = h(ID i PPW i ) h(K i T) and B i = h(N i K i RN1 GW ) are calculated by a one-way hash function, the adversary cannot decipher such values. Additionally, DID i and B i cannot be created arbitrarily because they are based on secret values such as K i and PPW i , Furthermore, the adversary cannot forge the GW because he/she does not know the K and x a values.
Replay Attack. Timestamps and random nonces are used to avoid replay attacks. At the beginning of each authentication request, a timestamp mechanism is used to guarantee the freshness of the authentication request. Later, a stronger mechanism: challenge-response of codified nonces is used to respond to the authentication requests. An adversary cannot replay a valid GW's verification message {A i , RN GW } to U i to succeed in verification because the RN i value required for A i computation is regenerated in each request. In the same way, the adversary cannot replay a valid U i 's verification message {B i } to succeed in verification because the RN1 GW value used in B i is regenerated in each request. In addition, the authentication messages between GW and S n are protected using the same method of messages between U i and GW.   Stolen-Verifier Attack. One of the features of the proposed protocol is the absence of a password/verifier table which prevents our solution from stolen-verifier attacks.
Guessing Attack. In the proposed scheme, secret values are never sent in plaintext, but only inside the output of a one-way hash function. Therefore, even if the adversary obtained DID i , A i , B i , C i , or D i , he or she could not guess any secret values (PW i , K i , K n , or K) because of the one-way property of the hash function.
Many Logged-In Users with the Same Login ID. By using two-factor-based authentication, the proposed scheme offers higher protection than password-only schemes against this attack. Assuming that the U i 's smart card is not cloned, the proposed protocol successfully prevents this threat because the authentication process requires computation executed inside the valid smart card.
Brute-Force Attack. An attacker can try two kinds of brute-force attacks. (1) First, the attacker can attempt to authenticate by sending random or sequential messages (DID i /B i or DID i /D i combinations) to GW or S n . However, as explained for the replay attack, this attack becomes infeasible because each authentication process uses a different nonce.
(2) On the other hand, an insider with a valid smart card can try to discover the secret values K or x a by performing brute-force attacks. However, the determination of those values is infeasible because they are stored using a secure one-way hash function. If a higher level of protection for x a were required, additional random numbers R i and R n could be added for the generation of K i = h(x a ID i R i ) and K n = h(x a S n R n ), respectively, which would be stored secretly in the GW. By using these additional random numbers, the number of possible combinations needed to recover K i and K n is increased by a factor of 2^n, where n is the size in bits of R i and R n .
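As an added example (not the paper's own code), the following Python model of the GW side shows the two replay defences described above together with the R i hardening of K i from the brute-force paragraph: a freshness window on the request timestamp, a per-attempt nonce RN1 GW bound into B i = h(N i , K i , RN1 GW ), and K i = h(x a , ID i , R i ) with R i kept secret in the GW. SHA-1 as h, an opaque user-supplied N i , and the register/login/verify names are assumptions of this model, not details taken from the paper.

```python
import hashlib
import hmac
import secrets

HASH_BYTES = 20  # 160-bit values, as assumed in the paper's performance figures


def h(*parts: bytes) -> bytes:
    """One-way hash over the concatenation of its inputs (SHA-1 assumed)."""
    return hashlib.sha1(b"".join(parts)).digest()


class Gateway:
    """Simplified GW-side verifier (added model, not the paper's full protocol)."""

    def __init__(self, x_a: bytes, fresh_window_s: int = 30):
        self.x_a = x_a                   # GW master secret
        self.window = fresh_window_s     # accepted clock skew for the request timestamp
        self.r_i = {}                    # per-user random R_i, stored secretly in GW
        self.pending = {}                # ID_i -> RN1_GW issued for the current attempt

    def register(self, id_i: bytes) -> bytes:
        # K_i = h(x_a || ID_i || R_i): R_i adds 2^n work to a guess on x_a
        self.r_i[id_i] = secrets.token_bytes(HASH_BYTES)
        return self.k_i(id_i)

    def k_i(self, id_i: bytes) -> bytes:
        return h(self.x_a, id_i, self.r_i[id_i])

    def login(self, id_i: bytes, t: int, now: int):
        """Timestamp freshness check, then issue a fresh RN1_GW for this attempt."""
        if id_i not in self.r_i or abs(now - t) > self.window:
            return None
        self.pending[id_i] = secrets.token_bytes(HASH_BYTES)
        return self.pending[id_i]

    def verify(self, id_i: bytes, n_i: bytes, b_i: bytes) -> bool:
        """Accept B_i only if it was built over the nonce issued for this attempt."""
        rn1 = self.pending.pop(id_i, None)   # nonce is single-use
        if rn1 is None:
            return False
        return hmac.compare_digest(h(n_i, self.k_i(id_i), rn1), b_i)


def user_response(n_i: bytes, k_i: bytes, rn1: bytes) -> bytes:
    return h(n_i, k_i, rn1)


def demo():
    """Constructed run: fresh login accepted, replayed B_i rejected, stale request rejected."""
    gw, uid, n_i = Gateway(b"constructed-x_a"), b"user-01", b"constructed-N_i"
    k_i = gw.register(uid)
    rn1 = gw.login(uid, t=1000, now=1005)
    b_i = user_response(n_i, k_i, rn1)
    fresh_ok = gw.verify(uid, n_i, b_i)
    gw.login(uid, t=2000, now=2001)          # new attempt regenerates RN1_GW
    replay_rejected = not gw.verify(uid, n_i, b_i)
    stale_rejected = gw.login(uid, t=1000, now=5000) is None
    return fresh_ok, replay_rejected, stale_rejected
```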
Password Change Phase. Our proposal offers a light-weight password change phase that does not require communication with GW, making it secure and efficient.
Session Key Establishment. Our proposal offers a simple and practical method for session key establishment among U i , GW, and S n .

Table 2 shows the comparison of security features among different works. This demonstrates how our scheme is stronger in terms of security. Our approach provides protection against different kinds of attacks (privileged-insider attack, gateway node bypassing attack), also provides a secure password change phase and session key establishment, and achieves complete mutual authentication (mutual authentication between GW and S n , and between U i and GW), features that previous works do not offer or offer only with limitations.

Table 3 indicates the number of hash operations required in each phase for each entity. It shows that our protocol requires a few more operations in the verification phase than some previous works. However, the majority of the additional operations are executed by U i or the GW infrastructure, which have no energy or computation power limitations. Therefore, we believe that the additional operations are not an impediment to real implementation. Additionally, we believe that the additional operations are justifiable considering that our protocol includes security features that previous works do not offer, which is indispensable for implementing a reliable and trustworthy network. It is important to remember that a failure at the component level will often compromise the security of the entire system [21].

Performance Analysis.
According to [22], the energy consumed by the MIPS R4000 and MC68328 "DragonBall" processors for performing the SHA-1 hash function is 0.0000072 mJ/bit and 0.0000410 mJ/bit, respectively. Based on these figures, we can calculate the energy consumed by sensor nodes executing the operations of the proposed scheme. Assuming that DID i , K n , the random nonces, and the timestamps are each 160 bits long, the total energy consumed by a sensor node in each authentication would be 0.008064 mJ and 0.04592 mJ for the MIPS R4000 and MC68328 "DragonBall" processors, respectively. We believe that the energy consumption of sensor nodes to perform the security operations is acceptable considering the benefits of the proposed solution.

Conclusion
In this paper, we have analyzed previous user authentication mechanisms for wireless sensor networks and identified their vulnerabilities and limitations. We have also proposed a robust user authentication scheme for wireless sensor networks that eliminates the identified security flaws. The proposed solution takes advantage of the two-factor authentication concept to provide a secure authentication system offering balanced features in terms of security and performance.