A Secure User Authentication Scheme against Smart-Card Loss Attack for Wireless Sensor Networks Using Symmetric Key Techniques

User authentication in wireless sensor networks (WSNs) is a critical security issue due to their unattended and hostile deployment in the field. In order to protect the security of real-time data query from an external user, many two-factor (password and smart-card) user authentication schemes are proposed. However, most of them are insecure against various attacks. This paper summarizes attacks and security requirements for two-factor user authentication in WSNs. Based on security requirements, a user authentication and session key establishment scheme is also proposed, and this scheme can resist smart-card loss attack merely by using symmetric key techniques. Security and performance analysis demonstrate that, compared to the existing schemes, the proposed approach is more secure and highly efficient.


Introduction
Wireless sensor networks (WSNs) have emerged as a field of interest in communication technologies over the years. They usually consist of a large number of autonomous sensor nodes, which are generally deployed in unattended environments. Each sensor node has limited storage capacity and computational resource and a small communication module to communicate with the outside world over an ad hoc wireless network. Generally speaking, most of the queries in WSN applications are issued by the points of base stations or gateway (GW) nodes of the network. However, one can foresee that there should be great needs to access the real-time data inside WSN, where real-time data from the sensor nodes may no longer be accessed through the GW-node only; instead, the data are to be accessed directly by the external party (user) when demanded. If the data in WSN were made available to the user on demand, then authentication of the user should be ensured before the users are allowed to access the data.
According to the background above and actual application demand, in 2009, Das [1] proposed the first efficient two-factor user authentication scheme based on password and smart-card. He claimed that his scheme is secure against many types of attacks, such as many logged-in users with the same login identity, stolen-verifier, guessing, replay, and impersonation attacks. Since then, more and more two-factor user authentication schemes have been proposed. Nyang and Lee [2] pointed out that Das's scheme was not practical and vulnerable to an offline password guessing attack by insiders and node compromise attacks, and his scheme did not meet other security issues, that is, encryption and authenticity verification of query responses. Further, they proposed an enhanced two-factor user authentication protocol for WSNs, which overcomes the security flaws of Das's scheme with some additional security services. However, their scheme [2] also does not care about mutual authentication and is without password updates. In 2010, Khan and Alghathbar [3] pointed out that the scheme of Das [1] was insecure and cannot resist many other security attacks, such as gateway-node bypass attacks. To overcome the security weaknesses of Das's scheme, Khan and Alghathbar [4] proposed an improved two-factor user authentication in WSNs, which provided protection against insider attacks and GW-node bypass attacks at the same time; it introduced a password change phase for users. There are many other cases about improvement and enhancement. For example, He et al. [5] proposed an enhanced scheme based on Das's scheme [1]. Their scheme keeps the merits of the original protocol and can resist the security weaknesses such as vulnerabilities to insider attack and the impersonation attack. Vaidya et al. [6] showed that Das's scheme [1] and Khan-Alghathbar's scheme [4] have flaws and remain vulnerable to various attacks such as smart-card loss attacks. In order to overcome security weaknesses of both schemes, they proposed an improved two-factor user authentication which is resilient to smart-card loss attacks as well as other common types of attacks. Fan et al. [7] proposed a simple Denial-of-Service resistant user authentication scheme for two-tiered WSN, which is efficient. Their scheme can establish a session key between the user and a master node (cluster node) in the sensor network. In the same year, Chen and Shih [8] proposed a robust protocol for WSNs and achieved mutual authentication. Later, biometric-based user authentication in WSNs has drawn some research attention. A biometric-based user authentication scheme for WSNs has been proposed by Yuan [9]. However, there also exist many flaws in Yuan's scheme. To improve the performance and the security, Yeh et al. [10] proposed the first user authentication protocol for WSNs by using the elliptic curve cryptography (ECC).
However, such schemes still follow an "attack-improve" method. Namely, even though the two-factor user authentication protocol has been proposed, it was secure until others found its vulnerabilities and improved it. This "attack-improve" method is a never-ending cycle. For the two-factor user authentication in WSNs, there is no summary on security vulnerabilities and abilities of adversary, and nobody concludes the security requirements. What is more, there is no appropriate formal model to examine the security of the user authentication scheme for WSNs. In this paper, we will classify the summary for the attacks and security requirements, but it is still an open question of how to present a formal definition of the user authentication under the WSN setting and design the scheme, which can be reduced to satisfy the definition assuming the minimal cryptographic assumption.
What is worth mentioning is Sun's scheme proposed in [11]. Sun's scheme is an improved scheme based on K-A's scheme [4]. The security of the user authentication session in Sun's scheme is reduced by the model of Bellare and Rogaway [12]. However, Sun's scheme is still insecure in smart-card loss case discussed in [11]. Namely, adversary can implement offline password guessing attack after obtaining user's secret parameters in smart-card. Moreover, the model of Bellare and Rogaway used by Sun is not a formal model corresponding to two-factor user authentication in WSNs. Sun pointed out that it is still an open question whether to construct a secure user authentication scheme merely by using symmetric key techniques.
Our Contributions. In this paper, we summarize all attacks in existing protocols and assort them into several classes. It is the first time that four types of security requirements have been proposed for two-factor user authentication in WSNs. For those attacks and security requirements, we propose a secure user authentication scheme against smart-card loss attack for WSNs by using symmetric key techniques. The proposed scheme perfectly solves the open question which was pointed out in [11] and has a high efficiency.
Organization. The remainder of this paper is organized as follows. In Section 2, we list some notations which are used throughout the paper and summarize attacks for two-factor user authentication in WSN. In Section 3, we propose security requirements aiming at security vulnerabilities discussed in the previous section. Our proposed scheme is described in Section 4. Its security analysis and performance analysis are discussed in Section 5. Finally, in Section 6, we conclude the paper with a brief summary and outline our future work.

Security Vulnerabilities/Attacks Summary
In this section, we describe all security vulnerabilities in previous works, except common types of attacks such as replay attack or stolen-verifier attack. We just focus on two-factor user authentication in WSNs. Some notations and symbols used throughout this paper are summarized in Notation.
Before summarizing the attacks, it is assumed that an adversary may have full control over the network with following capabilities.
(i) An adversary may intercept all the messages at any time.
(ii) An adversary may intercept, delete or modify, and insert any message over the public network.
(iii) An adversary may either hack passwords or steal user's smart-card and utilize secrets stored in smart-card, but not all at the same time.
(iv) An adversary may compromise the sensor node   and extract all parameters stored in it.
Strictly speaking, almost all previous schemes are no longer safe after considering ability of adversary mentioned above, although they claimed that their schemes can resist lots of attacks. We will discuss this situation in the following paper.
2.1. Privileged-Inside Attack. In registration phase, a user's password, that is, PW  , is transmitted directly to the registration center in plaintext. However, in the real world, it is common knowledge that many users use the same passwords in different applications or servers for their convenience of remembering long passwords and using them easily whenever required. Therefore, it would appear that the system administrator or privileged-insider of GW-node may try to use PW  to impersonate the user to access other GW-nodes where   could be a registered user.
For insider attack, some researchers have developed various defense approaches. He et al. [5] suggested that user can transmit ℎ( ⊕ PW  ) instead of PW  to GW-node in registration phase, where  is a high-entropy random number selected by   and not revealed to the GW-node. In addition, Sun's scheme [11] suggested that   only submits his/her ID  to the GW-node until receiving the smart-card which includes the initial password selected by GW-node;   is able to change the initial password immediately by using the password change operation.

User Impersonation Attack.
User impersonation attack can be caused by many other security flaws such as the privileged-inside attack discussed in Section 2.1, other legal users being malicious, or the parameters in the smart-card being extracted by attackers.
In registration phase, many users will receive the unique and personalized smart-card from the identical GW-node. However, the secret parameters which are generated by the GW-node and related to smart-card, such as  and   , are kept unchanged for different users in some proposed scheme. In other words, different users and identical GW-nodes share the same secret parameters; namely, every entity does not have the secret parameter or key belonging to it. If the smart-card is stolen or the secret parameters are compromised, then the whole sensor network will be vulnerable to the user impersonation attack. For example, Li et al. [13] showed that an attacker   who has registered as a user of GW-node can restore ℎ() =   ⊕ ℎ(ID  ‖ PW  ) from his/her own password and smart-card in Das's scheme [1]. Note that   can be extracted from   's smart-card directly. Therefore, the attacker   is able to impersonate another legal user or forge nonregistered user to log in GW-node legally without being noticed.
We suggest that GW-node distinguishes different users by different secret parameters. For example, GW-node can compute ℎ(ID  ‖   ) instead of   in registration phase, take a secure billing service introduced in Li's scheme [13] which stores a password/verifier table, or add biometric keys in register/login phase, and so forth. However, these tricks are at the expense of anonymity. Namely, we can see from the tricks that if the user's identity ID  or biometric keys are added to register/login phase, the vulnerable schemes are robust against user impersonation attack. Therefore, to accomplish secure aims, the schemes do not have the anonymity. In order to avoid anonymity loss, it is essential to design a secure user authentication scheme with anonymity for WSNs.

Guessing Attack.
Guessing attack is a crucial concern in any password-based system. The attacker can recover ℎ(PW  ‖ * * * ) through privileged-inside attack, node compromise attack, or smart-card loss attack, where " * * * " is an acquired formula. Thus, the attacker can guess   's password in a relatively small dictionary containing all the words about   . For example, in Das's scheme [1], the attacker   who has registered as a legal user of GW-node can compute ℎ(ID  ‖ PW  ) = DID  ⊕ ℎ(ID  ‖ PW  ) ⊕ DID  [2], or an adversary can obtain any user's ℎ(ID  ‖ PW  ) = ℎ(  ‖ )⊕ DID  after the secret parameter   stored in designated sensor node is compromised through node compromise attack [14]. Nyang and Lee [2] suggested that the prevention of the offline password guessing attack is using ℎ(ID  ‖ PW  ‖   ) instead of ℎ(ID  ‖ PW  ). The other common improvement method is sending user's identity ID  and ℎ( ⊕ PW  ) to the GW-node in registration phase; then   enters  into his/her smart-card after receiving the personalized smart-card from GW-node. They claimed that their methods can resist offline password guessing attack. However, they would not achieve that goal if smart-card loss attack was taken into account (see Section 2.6).
In fact, the improvements discussed above are not a solution, which people fail to realize. Symmetric key techniques and offline validation are widely used in login phase of "smart-card-password" two-factor user authentication schemes in WSN at present. Namely,   inserts its smart-card to a terminal in login phase and keys ID  and PW  . Then the smart-card uses secret parameters and PW  to compute some formulas. The correctness of these formulas will determine whether users log in to the scheme successfully, while it is independent of GW-node. Technically, there is an unavoidable loophole; that is, if the smart-card is stolen and secret parameters such as   and  are leaked, the scheme will not be safe anymore. This problem exists in almost every two-factor user authentication scheme. For example, in He's scheme [5],   ,   ,  are stored in   's smart-card, where If the attacker obtains these parameters and user's ID  , he/she also can attack by guessing. Therefore, designing a genuine two-factor user authentication scheme that can defeat guessing attack is meaningful for the application.

Node Compromise Attack.
Node compromise attack refers to a series of attacks caused by a malicious or captured sensor node. These attacks include guessing attack by obtaining the hash of password, impersonation of other sensor nodes by using secret parameters in captured sensor node, and GW-node bypassing attack. GW-node bypassing attack [3] means that the attacker can compute the legal messages to gain the trust of other sensor nodes by bypassing GW-node. The basic cause of above vulnerabilities is that several sensor nodes   and GW-node share the same secret parameters such as   .
To avoid node compromise attack, Huang et al. [14] suggested using ℎ(  ‖ SID  ) instead of   as a shared key between sensor node   and GW-node. ℎ(  ‖ SID  ) is stored in sensor node beforehand, where   is generated securely by the GW-node. Even if sensor node   is captured, the attacker cannot recover the value of   and the shared key ℎ(  ‖ SID  ). Therefore, sensor node that had been captured has no influence on other sensor nodes and GW-node.

GW-Node Impersonation Attack.
There are at least two situations where the attack occurred. The first situation is GW-node bypassing attack, namely, adversary steals the secret shared key of GW-node from a captured sensor node to impersonate GW-node (GW-node bypassing attack can be regarded as GW-node impersonation attack). The second situation is "smart-card loss attack." That means adversary steals secret parameters from smart-card, or a malicious legitimate user recovers secret parameters from their own smart-card and impersonates GW-node. In many schemes, smart-card would store numerous sensitive information such as ℎ(PW  ),   , or ℎ(  ) directly. The other core reason is still that different users and identical GW-nodes share the same secret parameters such as  and   , or there are other issues such as   being poor in design. According to Vaidya's suggestion [6], the GW-node impersonation attack caused by smart-card loss attack can be avoided by adding various validation conditions. However, Vaidya's suggestion cannot solve the inherent problem.
By analyzing the second situation, one way to avoid the GW-node impersonation attack is to let GW-node distinguish different users by different secret parameters. The methods are similar to user impersonation attack (see Section 2.2). However, it is a fact that all these tricks are at the sacrifice of anonymity. Therefore, to accomplish secure aims, the schemes do not have anonymity. In order to avoid anonymity loss, it is essential to design a secure user authentication scheme with anonymity for WSNs.
2.6. Smart-Card Loss Attack. Smart-card loss attack means that a variety of attacks are caused by information leakage in smart-card. If the compromised information in smart-card includes secret parameters associated with GW-node, "GW-node impersonation attack" and "GW-node bypassing attack" will happen. If it involves user's identity and password, "password guessing attacks" will happen.
As for the appearance of guessing attack related to smart-card, adversary can recover user's password from offline validation formulas through guessing attack. For example, in He's scheme [5],   = ℎ(  ) = ℎ(  ⊕ ℎ(ID  ‖ ℎ( ⊕ PW  ))) and   ,   ,  are all stored in smart-card (see Section 2.3). If these parameters in smart-card are compromised, adversary can easily carry out the offline password guessing attack.
For the guessing attack caused by smart-card loss attack, Sun et al. [11] pointed out that public key techniques in validation formulas of smart-card can solve this situation. However, the WSN applications cannot burden the high implementation costs of the public key algorithms. Actually, symmetric key techniques and offline validation are widely adopted in login phase of "smart-card-password" two-factor user authentication schemes in WSN at present. In the smart-card loss attack, it is still an open question whether there is a secure user authentication scheme merely by using symmetric key techniques. Therefore, designing a genuine two-factor user authentication scheme which can resist guessing attack is meaningful for the application.

Parallel Attack/No Protection against Forgery Attack.
This attack works in many existing schemes. With Das's scheme [1], for example, a malicious legal user of the system  * can embed a synchronized Trojan virus into the other legal user   's system and log in to the WSN as   at certain moment. For the detailed description of parallel attack, refer to [8,10,15].
In Chen-Shih's scheme [8], the authors added the random nonce  to DID  and   to neutralize this attack. However, Yoo et al. [15] found this improvement remains vulnerable. The reason is that secret parameters used by different users are uniform. For instance, ℎ(  ) exists in both DID  and DID * , so it can be offset by "⊕." In order to resolve the problems resulting from parallel attack, we can consider changing the traditional thinking mode of generating DID  or sacrificing anonymity to achieve discrepancy of parameters for different users.

Security Requirements
Sastry and Wagner [16] investigated several issues regarding IEEE 802.15.4 [17], such as ACL management problems (i.e., the same key in multiple ACL entries, loss of ACL state due to power interruptions, key management problems, and insufficient integrity protection), and provided some solutions for these problems. However, the requirements for security authentication protocol in WSNs need to be considered by more appropriate methods in order to resolve the application layer issues, such as mutual authentication, impersonation, replay, parallel session, sinkhole, and wormhole attacks as well as other kinds of sensor node attacks which are described in detail in Section 2.
This section is aimed at discussing the security requirements for two-factor user authentication in WSNs. The proposed security requirements will cover all the known attacks in two-factor user authentication schemes.
3.1. Authentication Security. Authentication security includes not only the mutual authentication between user and GW-node, but also mutual authentication between GW-node and sensor node in WSNs. The main idea of authentication security may be summed up in one sentence: only by stealing all parameters of a participant can adversary impersonate the participant.
The essential idea of mutual authentication mainly has three aspects. As for the user, if the adversary wants to impersonate the user   , he/she must obtain the   's password PW  and   's smart-card simultaneously. Similarly, even if   's PW  and smart-card are compromised, it is difficult to impersonate the GW-node or sensor node. As for the GW-node, we assume that the GW-node is secure, except for privileged-inside attack. Namely, the adversary cannot obtain all parameters of the GW-node directly. However, even if all secret values of every   and sensor nodes are compromised, it is still difficult to impersonate the GW-node. As for the sensor node   , it is impossible to impersonate the sensor node   unless   is captured immediately. If other sensors are captured or all secret parameters of other participants in current system are compromised, it is still difficult for attackers to impersonate   . The three points above almost cover all attacks in Section 2, such as privileged-inside attack, user impersonation attack, node compromised attack, GW-node impersonation attack, smart-card loss attack, and parallel attack.

Session Key Security Requirement.
It is necessary to establish a session key for translating sensitive data between legal users and sensor nodes. Therefore, semantic security and forward security of session key should be needed in the two-factor user authentication system. More narrowly, semantic security of session keys is guaranteed if an active attacker cannot get any information about the session keys shared between the legitimate parties involved. Specifically, the attacker cannot distinguish a real session key from a random one, chosen from the same key space, in the security definition; for more details, see [12]. Forward security of session key means that if long-term secret keys of all the participants are compromised, the secrecy of previously established session keys should not be affected. In the two-factor (password and smart-card) user authentication scheme for WSNs, long-term secret keys refer to the participants' passwords, secret keys in smart-card, and nodes' master keys.

Password Security Requirement.
Password security requirement can be divided into two aspects: offline dictionary attack security and online dictionary attack security. Offline dictionary attack security is also called guessing attack and it means that there is no successful attacker as follows: the attacker intercepts and stores the message and then chooses a candidate password of dictionary in offline mode by using the interception of messages to test whether the candidate password is correct. The process repeats until another candidate password is guessed correctly. One of online dictionary attack securities is to resist undetectable online dictionary attack, and the other is to resist computer program online dictionary attack. This is how we define password security requirement: except if legal users' secret values in smart-card are compromised, the external attackers and internal participants will be unable to carry out the offline dictionary attack on these legal users. Namely, it means that it can resist offline password guessing attack discussed in Section 2.3. In addition, adversary may be able to carry out the online attack; however, once the online dictionary attack occurred, the server can detect it rapidly. Namely, it means that it can resist undetectable online dictionary attack and computer program online dictionary attack.

Password Updating Security Requirement.
A password-based user authentication scheme should provide users with a password updating facility so that a user can update his/her password freely.

Proposed Scheme
To resist the attacks discussed in Section 2 and meet security requirements discussed in Section 3, we propose a secure user authentication scheme against smart-card loss attack for WSNs by using symmetric key techniques in this section. There are three phases in our scheme: the registration phase, the password updating phase, and the authentication phase.

Registration Phase.
In this phase, user   has to submit an identity and password to the GW-node in a secure way. Then, the GW-node issues a license to   . The detailed steps are depicted as follows.
Step-R1.   chooses his/her identifier ID  and password PW  , generates a random number , and computes PW  = ℎ(PW  ‖ ). Then   sends ID  and PW  to the GW-node over a secure channel.
Step-R3. After receiving the smart-card, the user   inputs  into it and finishes the registration.

Password Updating Phase.
The password updating phase is needed whenever user   wants to update his old password PW  . The detailed process is as follows.
Step-P1. User   inserts his/her smart-card into the terminal and enters his/her identity ID  , old password PW  , and new password PW  * and requests to change the password.
Step-P2.   's smart-card validates the entered parameter ID  using the stored value. If ID  is correct, then   is allowed to change the password. Otherwise, the password change phase is terminated. Step

Authentication Phase.
The authentication phase is invoked when   wants to perform some query or to access data from the network. The phase is further divided into login and verification phases. Figure 1 shows both the login phase and the verification phase.
(1) Login Phase.   inserts her/his smart-card to a terminal and keys ID  and PW  . The smart-card validates ID  with the stored ones. If the entered ID  is correct, the smart-card performs the following operations.
(2) Verification Phase. Upon receiving the login request {ID  ,   ,  1 } at time   1 , the GW-node authenticates   and creates a session key between   and sensor node   by the following steps.
Step-V1. Validate  1 . If (  1 −  1 ) ≤ Δ then the GW-node proceeds to the next step, or else abort, where Δ denotes the expected time interval for the transmission delay.
Step-V2. The GW-node computes  = ℎ 1 (ℎ(ID  ‖   ) ‖  1 ) and   (  ) = {ID  ,  1 ,  1 }, where   ( * ) means that " * " is decrypted by the symmetric key . Then the GW-node checks whether the decrypted messages ID  and  1 are equal to the ones received. If it is true, the GW-node establishes trust on the   and proceeds to the next step; otherwise abort.

Figure 1: Authentication session of the proposed scheme (participants: user, GW-node, sensor node).
Step-V3. The GW-node computes SK = ℎ 1 (ID  ‖ ℎ(  ‖ SID  ) ‖  2 ) and , where  2 is the current timestamp of GW-node's system and SK is the session key between user   and   in information transport. Then the GW-node sends the message {ID  ,   ,  2 } to the sensor node   .
Step-V4. Upon receiving the message from the GW-node,   first validates  2 in a similar line of Step-V1.   computes the session key SK = ℎ and then checks whether   * =   . If it is true, the sensor node   establishes trust on the GW-node or else rejects it.
Step-V5. , where  3 is the current timestamp of   's system; then   sends the message {  ,  3 } to GW-node.
Step-V6. Upon receiving the message from the sensor node   , the GW-node first validates  3 in a similar line of Step-V1. GW-node computes   * = ℎ 1 (ℎ(  ‖ SID  ) ‖ SK ‖ ID  ‖ SID  ‖  3 ) and then checks whether   * =   . If it is true, the GW-node establishes trust on the sensor node   or else rejects it.
Step-V8. Upon receiving the message from the GW-node,   first validates  4 in a similar line of Step-V1.   computes   (  ) = {ID  , SID  , SK,  1 ,  4 }; then   checks whether the decrypted messages ID  ,  1 , and  4 are equal to the previous ones. If it is true, user   establishes trust on the GW-node and establishes a session key SK with the sensor node   ; then he/she can enjoy the data from the WSN; otherwise stop accessing to the sensor network.
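The registration, login and verification steps above can be traced end to end in the following added example, which is not the paper's own code. Assumptions: SHA-256 with domain tags stands in for ℎ and ℎ 1, a SHAKE-256 XOR keystream stands in for the symmetric cipher, the names `x_user`, `x_node`, `r`, `n` and `r1` replace symbols lost from this page, the login key is derived with the timestamp sent in clear, and clock values are simulated integers. Steps whose formulas are missing from the page (Step-R2, Step-V5, Step-V7) are reduced to what the security analysis in Section 5 states.

```python
import hashlib
import hmac
import os

DELTA_T = 5  # assumed freshness window in seconds (Step-V1)

def _digest(tag, parts):
    d = hashlib.sha256(tag)
    for p in parts:  # length-prefix each part so a || b is unambiguous
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def h(*parts):
    return _digest(b"h", parts)  # stands for the page's h(.), SHA-256 assumed

def h1(*parts):
    return _digest(b"h1", parts)  # stands for the page's h1(.)

def ts(t):
    return int(t).to_bytes(8, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def fresh(now, t):
    return 0 <= now - t <= DELTA_T  # (T' - T) <= delta; future stamps refused

def sym(key, data):
    # Stand-in for the symmetric cipher (the page suggests AES): XOR with a
    # SHAKE-256 keystream, so encryption and decryption are the same call.
    return xor(data, hashlib.shake_256(key).digest(len(data)))

class Gateway:
    def __init__(self):
        self.x_user = os.urandom(32)  # assumed name: secret bound to user IDs
        self.x_node = os.urandom(32)  # assumed name: secret bound to node IDs

    def issue_card(self, uid, masked_pw):
        # Card value from the security analysis: N = h(ID || x) XOR h(PW || r)
        return xor(h(uid, self.x_user), masked_pw)

    def node_key(self, sid):
        return h(self.x_node, sid)  # h(x || SID), preloaded into that node

    def verify_login(self, uid, c, t1, now):
        if not fresh(now, t1):  # Step-V1
            return False
        k = h1(h(uid, self.x_user), ts(t1))  # Step-V2: recompute the key
        pt = sym(k, c)
        return hmac.compare_digest(pt[:-24], uid) and pt[-8:] == ts(t1)

class SmartCard:
    def __init__(self, uid, r, n):
        self.uid, self.r, self.n = uid, r, n  # no password verifier stored

    def login(self, uid, password, now):
        if uid != self.uid:  # the card can only check the identity
            return None
        k = h1(xor(self.n, h(password, self.r)), ts(now))
        r1 = os.urandom(16)  # random value carried inside the ciphertext
        return uid, sym(k, uid + r1 + ts(now)), now

def register(gw, uid, password):
    r = os.urandom(16)  # Step-R1: random number chosen by the user
    n = gw.issue_card(uid, h(password, r))  # gateway sees only h(PW || r)
    return SmartCard(uid, r, n)  # Step-R3: the user writes r into the card

def session_key(uid, node_key, t2):
    return h1(uid, node_key, ts(t2))  # SK = h1(ID || h(x || SID) || T2)

def node_response(node_key, sk, uid, sid, t3):
    return h1(node_key, sk, uid, sid, ts(t3))  # value compared in Step-V6

def authenticate(gw, card, uid, password, sid, node_key, now):
    """Login, Step-V1 to V4 and Step-V6; node_key is what the node holds."""
    req = card.login(uid, password, now)
    if req is None or not gw.verify_login(*req, now=now + 1):
        return None
    t2 = now + 1  # simulated clock: one second per hop
    sk_gw = session_key(uid, gw.node_key(sid), t2)  # Step-V3
    if not fresh(now + 2, t2):  # Step-V4: node checks T2, derives SK
        return None
    t3 = now + 2
    sk_node = session_key(uid, node_key, t2)
    tag = node_response(node_key, sk_node, uid, sid, t3)
    expected = node_response(gw.node_key(sid), sk_gw, uid, sid, t3)  # V6
    if not (fresh(now + 3, t3) and hmac.compare_digest(tag, expected)):
        return None
    return sk_gw

if __name__ == "__main__":
    gw = Gateway()
    card = register(gw, b"alice", b"correct horse")  # constructed sample user
    key = gw.node_key(b"node-7")
    print(authenticate(gw, card, b"alice", b"correct horse", b"node-7", key, 1000))
    print(authenticate(gw, card, b"alice", b"wrong guess", b"node-7", key, 1000))
```

A wrong password is only detected at the GW-node, when the decrypted identity and timestamp fail to match, and a node answering with the key of a different SID fails the Step-V6 comparison.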

Scheme Analysis
In this section, based on the assumptions about the adversary's capabilities in Section 2, we carry out a security analysis of our scheme. An efficiency analysis follows (computational cost and communication cost). Finally, we give a performance comparison with existing schemes.

Security Analysis
Authentication Security. Our scheme provides authentication security, where all entities can authenticate each other. Further, no one can impersonate the participant unless the adversary steals all parameters of the participant. More details are as follows.
We assume that the GW-node is secure; namely, adversary cannot get the values of   and   from GW-node directly. Our scheme is passing PW  = ℎ(PW  ‖ ) instead of the plain password to resist the privileged-insider attack. Furthermore, if all secret values of every   and sensor nodes are compromised, it is still difficult to impersonate the GW-node. Because the compromised value of ℎ(  ‖ SID  ) in   cannot affect   and smart-card just stores   = ℎ(ID  ‖   ) ⊕ PW  about GW-node, attackers cannot recover   from it.
It is also difficult to impersonate   except that   is captured immediately because the secret values are unique in different sensor nodes by binding with sensor nodes' identity. Moreover, the compromised sensor node cannot affect other participants including the users and GW-node.
In our scheme, we solved the open question which was pointed out in [11]; namely, our scheme is secure merely by using symmetric key techniques when the smart-card is stolen. If the adversary wants to impersonate user   , he/she must obtain the user's password PW  and smart-card simultaneously. This is because the smart-card only stores {,   , ℎ(⋅)} and uses online validation, which is different from Sun's scheme [11]. It is known that offline validation with symmetric cryptography could cause guessing attack that we have discussed in Section 2.6. Moreover, offline password guessing attack also exists in online validation (Sun pointed out that his proposed scheme is insecure in smart-card loss case [11]). But in our scheme,   = ℎ(ID  ‖   ) ⊕ PW  stored in smart-card is used to generate symmetric cryptography key  = ℎ 1 ((  ⊕ PW  ) ‖  1 ), and   =   (ID  ‖  1 ‖  1 ) is transmitted to GW-node, where  1 ∈ {0, 1}  . It is worth noting that the function of the random number  1 prevents exhaust attacks, but without freshness. In this way, adversary cannot recover user's password PW  from smart-card through offline password guessing attack. What is more, our scheme only uses symmetric key techniques. Similarly, even if   's PW  and smart-card are both compromised, it is difficult to impersonate the GW-node or sensor node.
Based on the analysis above, our scheme meets authentication security. This means that our scheme can resist all attacks in Section 2, such as user impersonation attack, node compromised attack, GW-node impersonation attack, smart-card loss attack, and parallel attack.
Session Key Security Requirement. Our proposed scheme establishes a session key SK = ℎ 1 (ID  ‖ ℎ(  ‖ SID  ) ‖  2 ) for translating sensitive data between legal users and sensor nodes. Obviously, the session key SK has semantic security and forward security.
Password Security Requirement. In accordance with the above analysis, the proposed scheme can resist privileged-inside attack. In addition, according to the analysis above, the external attackers and internal participants are unable to carry out the offline dictionary attack on legal users even if legal users' secret values in smart-card are compromised. Online dictionary attack also can be avoided. So, our scheme meets password security requirement.
Password Updating Security Requirement. A password updating facility is provided for users in our scheme (see Section 4.2).
From Table 1, it is easy to see that the proposed scheme has more security functionality as compared with other existing protocols for two-factor user authentication in WSNs. In Table 1, "usual" denotes the common attacks such as replay attack or stolen-verifier attack, "RA" denotes relay attack, "PIA" denotes privileged-insider attack, "UIA" denotes user impersonation attack, "GA" denotes guess attack, "NCA" denotes node compromise attack, "GIA" denotes GW-node impersonation attack, "SRA" denotes smart-card loss attack, and "PA" denotes parallel attack. "Y" denotes the scheme that can resist this attack and "N" denotes the scheme that cannot resist this attack.

Performance Analysis.
In this subsection, we compare our protocol with related ones in terms of computational cost in the registration/authentication phase and communication cost in the message exchange phase, because these two phases are the main procedures of an authentication protocol. Let us define "H" as performing a one-way hash function, "Pub/Pri" as public/private-key computation, "Se/Sd" as symmetric key encryption/decryption, "MAC" as message authentication code (MAC) function computation, "PM/PA" as elliptic curve point multiplication/addition computation, "E" as elliptic curve polynomial computation, and "NME" as the number of message exchanges in the authentication phase. The results are shown in Table 2.
Computational Cost. The computational cost for user registration is a one-time job for a certain period of time. The user and the GW-node in our scheme each require only 1 hash operation. The computational cost for user authentication is the prime concern. Our sensor node requires only 3 hash operations while ensuring security. Although its computation cost requires one or two more hash operations than some schemes [1, 4-6, 9, 11, 14], it is highly efficient compared with other schemes [10,18,19]. It is also desirable that the user and the GW-node require only the symmetric encryption operation Se/Sd for user authentication; our scheme does not require Pub/Pri [9], PA/PM, E [10,18], or MAC [19], which need additional storage and computations. Consequently, all operations added to protect query responses can be implemented using a block cipher such as the Advanced Encryption Standard (AES) [20]. Also, note that most of the recently developed nodes in WSNs, for example, TMote, TelosB, and Micaz, already have a built-in AES module and, thus, no additional hardware is required [21]. Therefore, our scheme is well-suited to the resource-limited sensor node. Compared with previous schemes, which have too many security vulnerabilities, our proposal achieves stronger security without a significant loss of efficiency. In conclusion, our scheme is also practical for real-world applications in enhancing the security of wireless communications.

Communication Cost. In WSNs, without a constant supply of power, sensor nodes are resource-limited. In addition, the most energy-intensive element of a sensor is the wireless communication module, namely, receiving, sending, and so on. Therefore, the number of message exchanges is crucial. Our scheme needs only four message exchanges to achieve all security features; however, many schemes which need fewer message exchanges have various security vulnerabilities. Sun's scheme [11] uses a nonce instead of a timestamp to reduce the trouble of synchronized time clocks, but it needs one additional message and also has security flaws. Obviously, compared with Sun's scheme, our scheme is well-suited to the resource-limited sensor node. Considering computational cost and communication cost, it is clear that the proposed scheme is not only an efficient scheme with high reliability but also practical for real-time applications.

Conclusion and Future Work
In real-time applications, access control is an imperative requirement for WSNs to protect data access from unauthorized parties. However, there is no appropriate formal model to examine the security of the two-factor user authentication scheme for WSNs. In addition, previous schemes failed to resist the smart-card loss attack merely by using symmetric key techniques. Therefore, designing a genuine two-factor user authentication scheme which can resist the guessing attack caused by the smart-card loss attack is meaningful for the application.
In this regard, we summarize the main attacks and security requirements for two-factor user authentication in WSNs in this paper. A user authentication and session key establishment scheme based on the security requirements is also proposed, which can resist the smart-card loss attack merely by using symmetric key techniques. The proposed scheme solves the open question pointed out in [11]. We have presented a security analysis and performance analysis of our proposal and carried out a comparison with existing schemes. The analysis shows that the proposed scheme is more secure and highly efficient. Therefore, it is well suited to WSN environments.
We highlight two areas for our future work. For the attacks and security requirements discussed in this paper, there is no appropriate formal model to examine the security of the two-factor user authentication scheme for WSNs. One direction of our future work will be to present a formal definition of the two-factor user authentication scheme under the WSN setting and construct a new scheme under the given definition. Moreover, the proposed scheme cannot provide user privacy. That is, the adversary can trace the target user by observing the user authentication session. Thus, the other direction of future work is to devise an anonymous user authentication scheme for WSNs.

Table 1: Functionality comparison of our scheme with existing schemes.

Table 2: Performance comparison among related protocols.