Security Improvement on Biometric Based Authentication Scheme for Wireless Sensor Networks Using Fuzzy Extraction

Wireless sensor networks are used to monitor physical or environmental conditions. However, authenticating a user or sensor in wireless sensor networks is more difficult than in traditional networks owing to sensor network characteristics such as unreliable communication networks, resource limitation, and unattended operation. As a result, various authentication schemes have been proposed to provide secure and efficient communication. He et al. suggested a robust biometrics-based user authentication scheme, but Yoon and Kim indicated that their scheme had several security vulnerabilities. The latter then proposed an advanced biometrics-based user authentication scheme; in this paper, we analyze this advanced scheme and perform a cryptanalysis. Our analysis shows that Yoon and Kim's scheme has various security weaknesses such as a biometric recognition error, a user verification problem, lack of anonymity and perfect forward secrecy, session key exposure by the gateway node, vulnerability to denial of service attacks, and a revocation problem. Therefore, we suggest countermeasures that can be implemented to solve these problems and then propose a security-enhanced biometrics-based user authentication scheme using fuzzy extraction that conforms to the proposed countermeasures. Finally, we conduct a security analysis for the proposed biometrics-based user authentication scheme.


Introduction
Nowadays, numerous physical, chemical, and biological sensors are deployed in wireless sensor network (WSN) environments for various applications. These sensors can monitor a variety of conditions, including temperature and pressure, and support applications such as military surveillance and real-time traffic monitoring. One benefit of WSNs is that the sensors can be easily deployed in many kinds of harsh environments. Therefore, there has been a remarkable increase in interest in WSNs [1]. WSNs generally consist of gateways, users, and sensors, and communication security is a major concern in real-world applications. Various authentication schemes for WSNs have been proposed to ensure secure communication.
To support confidentiality and authentication for sensor networks, Watro et al. introduced a user authentication scheme employing the RSA and DH algorithms for WSNs in 2004. Wong et al. proposed a dynamic user authentication scheme that used a hash function [2]. But Tseng et al. indicated that Wong et al.'s authentication scheme is vulnerable to replay, stolen-verifier, and forgery attacks [3][4][5][6][7]. In 2009, Das proposed a two-factor user authentication scheme based on a password and smart card to improve security, and demonstrated his scheme to be secure against various real-time attacks [6]. However, He et al. indicated that Das's scheme is vulnerable to insider attacks and impersonation attacks and that no provision was available for users to change their passwords; He et al. also proposed an improved two-factor scheme to solve these security problems [8]. Khan and Alghathbar demonstrated that Das's scheme did not provide mutual authentication and is vulnerable to gateway bypassing and privileged-insider attacks [9]. Chen and Shih indicated that Das's scheme did not provide mutual authentication between the gateway and the sensor; they proposed a robust mutual authentication scheme for WSNs and claimed that their scheme provides greater security than Das's scheme [10]. In 2010, Yuan et al. [11] proposed a biometric-based user authentication scheme, but it was found to have various security problems. Yoon and Yoo pointed out that Yuan et al.'s scheme is vulnerable to insider, user impersonation, gateway node impersonation, and sensor node impersonation attacks. To address these problems, Yoon and Yoo proposed an improved user authentication scheme [12]. However, in 2012, He demonstrated that Yoon and Yoo's scheme was still vulnerable to denial of service (DoS) and sensor impersonation attacks, and then proposed an improved scheme to overcome these security problems [13].
In 2013, Yoon and Kim [14] indicated that even He et al.'s scheme had various security vulnerabilities, such as poor reparability and vulnerability to user and sensor node impersonation attacks. They then proposed an advanced biometrics-based user authentication scheme for WSNs and demonstrated that their scheme was more effective and had stronger security than other related schemes [13,14]. To verify the security of Yoon and Kim's advanced scheme, we analyzed it and performed a cryptanalysis. We found that it has various security problems, including a biometric recognition error, a user verification problem, lack of anonymity and perfect forward secrecy, session key exposure by the gateway node, vulnerability to DoS attacks, and a revocation problem. To solve these problems, we first suggest appropriate countermeasures and then propose a biometrics-based user authentication scheme using fuzzy extraction with improved security that conforms to the proposed countermeasures. Moreover, we conduct a security analysis of 16 security properties for the proposed biometrics-based user authentication scheme.
The remainder of this paper is organized as follows. Section 2 describes the related background needed to understand this paper. Section 3 explains Yoon and Kim's authentication scheme, and Section 4 analyzes their scheme and discusses its inherent security problems. Section 5 explains countermeasures to solve these problems. Section 6 proposes the biometric-based authentication scheme using fuzzy extraction with improved security, and Section 7 presents a security analysis of 16 security properties for the proposed scheme. Section 8 concludes the paper.

Attacker's Capability.
Throughout this paper, we make the following assumptions about the capabilities of a probabilistic, polynomial-time attacker A in order to properly capture the security requirements of the two-factor authentication scheme that uses smart cards in WSNs [15].
(i) A has complete control over all message exchanges between the protocol participants, including a user, a sensor, and the gateway. That is, A can eavesdrop, insert, modify, intercept, and delete messages exchanged among the three parties at will.
(ii) A is able to (1) extract sensitive information from the smart card of a user through a power analysis attack or (2) determine the user's password possibly via shoulder-surfing or by employing a malicious card reader. However, it is assumed that A is unable to compromise both the information of the smart card and the password of the user. It is otherwise clear that there is no way to prevent A from impersonating the user if both factors have been compromised.

Elliptic Curves Cryptography.
Elliptic Curve Cryptography (ECC) is a form of public-key cryptography based on the algebraic structure of elliptic curves over finite fields. Elliptic curves are also used in several integer factorization algorithms. The important benefit of ECC is that it achieves the same degree of security with a smaller key size than other public-key forms of cryptography, such as Rivest-Shamir-Adleman (RSA), Diffie-Hellman (DH), and the Digital Signature Algorithm (DSA). Therefore, ECC is especially useful for wireless devices, which are typically limited in terms of computational ability, power, and network connectivity. ECC has three related mathematical problems: the Elliptic Curve Discrete Logarithm Problem (ECDLP), the Elliptic Curve Computational Diffie-Hellman Problem (ECCDHP), and the Elliptic Curve Decisional Diffie-Hellman Problem (ECDDHP). No polynomial-time algorithm can solve the ECDLP, ECCDHP, or ECDDHP with non-negligible probability.
Let > 3 be a large prime and choose two field elements , ∈ F satisfying 4 3 + 27 2 ̸ = 0 mod to define the equation of a non-supersingular elliptic curve E: 2 = 3 + + mod over F . Choose a generator point = ( × , × ) whose order is a large prime number over E(F ). The subgroup G of the elliptic curve group E(F ) with order is constructed in the same way. Then, the three mathematical problems in ECC that are defined in several studies [16][17][18] are given as follows: (i) ECDLP: given a point element in G, find an integer ∈ Z * such that = × , where × indicates that point is added to itself times through an operation with elliptic curves.
In the proposed scheme, we use the ECDLP to protect and . In detail, a user sends = × to the gateway, and the sensor node sends = × to the user for authentication and session key agreement. If an attacker knows and , he can attempt various attacks. However, the attacker cannot compute and , due to the ECDLP, even if he steals and from the public communication. In the proposed scheme, we also use the ECCDHP to protect = = × × . In other words, an attacker cannot compute and , due to the ECCDHP, even though he knows and . Only the legal user and sensor node can compute and , respectively, using and together with their own random numbers. The user computes = × = × × and the sensor node computes = × = × × .
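As an added illustration of the exchange just described (example code written for this page, not code from the paper or from Yoon and Kim), the following Python implements the key agreement on a small textbook curve: the user sends X = x·G through the gateway to the sensor, the sensor returns Y = y·G, and both sides obtain x·y·G while the gateway holds only X and Y. The curve parameters (y² = x³ + 2x + 2 over F_17 with generator (5, 1) of order 19), the function names, and the session-key derivation in session_key are assumptions made for the example; the paper's own symbols are not legible in the extracted text, and a 19-element group is far too small for real use.

```python
import hashlib
import secrets

# Toy curve E: y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1) of prime order 19.
# Constructed for illustration only; real deployments use a standard curve such as P-256.
P_MOD = 17
A, B = 2, 2
G = (5, 1)
ORDER = 19
INF = None  # the point at infinity (group identity)


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def point_add(p1, p2):
    """Affine addition on E(F_p); handles the identity, inverses and doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def point_mul(k, pt):
    """k x pt: pt added to itself k times, via double-and-add."""
    result = INF
    addend = pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def run_exchange(x=None, y=None):
    """User picks x, sensor picks y. X = x*G and Y = y*G cross the gateway in the clear.
    Returns what each endpoint computes and the only values the gateway observes."""
    x = x if x is not None else 1 + secrets.randbelow(ORDER - 1)
    y = y if y is not None else 1 + secrets.randbelow(ORDER - 1)
    X = point_mul(x, G)         # user -> gateway -> sensor
    Y = point_mul(y, G)         # sensor -> gateway -> user
    k_user = point_mul(x, Y)    # x * y * G
    k_sensor = point_mul(y, X)  # y * x * G
    return {"gateway_sees": (X, Y), "user": k_user, "sensor": k_sensor}


def session_key(aid: bytes, shared_point) -> bytes:
    """Assumed derivation of sk from the anonymous identity and the shared point
    (the paper's exact concatenation is not legible in the extracted text)."""
    kx, ky = shared_point
    return hashlib.sha256(aid + kx.to_bytes(2, "big") + ky.to_bytes(2, "big")).digest()


if __name__ == "__main__":
    result = run_exchange()
    print("gateway sees X, Y =", result["gateway_sees"])
    print("user and sensor agree:", result["user"] == result["sensor"])
```

The gateway's only route from (X, Y) to x·y·G is solving the ECCDHP (or the ECDLP for x or y); on this 19-element group that is a trivial search, so the paper's argument rests entirely on using a standard curve whose group order is around 2^256.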

Fuzzy Extraction.
The fuzzy extractor converts biometric information into a uniformly random string. Therefore, it is possible to apply cryptographic techniques to biometric security. The extractor consists of a pair of efficient randomized procedures, Gen (generate) and Rep (reproduce). Li et al.'s scheme uses Gen( ) = ( , ) and = Rep( , ). The fuzzy extractor Gen generates and from a user's biometric information during the registration phase.
 is a uniform random string, and is the helper string; thus, can be the same, with the assistance of this auxiliary information, even if the biometric information that has been input changes, so long as it remains reasonably similar to the original biometric information. As a result, fuzzy extraction is error-tolerant, and Rep reproduces using the newly input biometric information and in the login phase. To reproduce the same , the metric-space distance between and has to meet the given verification threshold [19,20].
The basic notation that is used consistently throughout this paper is shown in "Notations."

Review of Yoon and Kim's Authentication Scheme
Yoon and Kim's authentication scheme includes a registration phase and login and authentication phases. This scheme does not require changing a user's password because it only uses biometrics. The gateway node has two master keys ( and ), and before starting the system, the gateway issues a long-term secret key ℎ( ID ‖ ) to sensor node . is then used for . During the registration phase, the gateway issues a smart card storing ℎ(ID ‖ ) to [11].

Registration Phase.
In the registration phase, a user communicates securely with the gateway. sends important information regarding the user's identification and biometrics. Figure 1 describes the registration phase, and detailed steps are given as follows. First, chooses ID and imprints his biometrics on the specific sensor device. Then, computes = ℎ(ID , ) and sends ID and to GW node by using a secure channel. Then, GW node computes two values: = ℎ(ID ‖ ) ⊕ and = ℎ(ID ‖ ). And the GW node inputs ⟨ID i , , , ℎ(⋅), (⋅), ⟩ into a smart card and sends the smart card to user . ℎ(⋅) is a one-way hash function. (⋅) is a symmetric parametric function and is a predetermined threshold for the biometric verification.

Login and Authentication Phases.
During the login and authentication phases, when enters ID and into a smart card terminal, the smart card must validate the legitimacy of . Then, , , and GW authenticate each other. This scheme uses three messages ⟨ 1 , 2 , 3 ⟩ during authentication, as shown in Figure 2. Finally, and share the session key sk after the login and authentication phases, and and communicate with each other using the session key sk.
(1) inserts his smart card into the card reader and imprints his biometric on a specific device to verify the user's biometrics.
(3) The smart card compares the computed * and the that is stored in the smart card. If ( , * ) ≤ , the user's smart card stops the login phase. Otherwise, the smart card generates a random number .
(1) The GW node checks the freshness of by using ( − ) ≤ Δ . Δ is the expected time interval for the transmission delay. If is not fresh, the GW node rejects the user's request.
(3) The GW node checks whether ID and ID are equal. If they are not equal, the GW node stops the session. Otherwise, the GW node picks the current timestamp .
(5) The GW node then computes 2 = ⟨ID , , ⟩ and sends it to the sensor node . receives 2 and performs the following actions.
(3) checks whether ID and ID are equal and picks the current timestamp .
(1) checks the freshness of using ( − ) ≤ Δ .
(3) If the entire authentication phase finishes without any problems, accepts RM.
(4) and communicate with each other securely using the session key sk, where and compute sk = ℎ(ID ‖ ‖ ).

International Journal of Distributed Sensor Networks 5
Figure 3: Biometric recognition error in Yoon and Kim's scheme. Hash function h(·): small differences in input data make very big differences in output data. (i) In the login phase, even if U_i inputs its own same biometrics, a different ∼B*_i may result; a different ∼B*_i makes very big differences in ∼E*_i due to h(·), which makes even bigger differences in ∼V*_i; because of the very big difference between V_i and ∼V*_i, d(V_i, ∼V*_i) exceeds the predetermined threshold. (ii) Thus, though U_i inputs its own same biometrics, login failure can occur due to biometric recognition error.

Biometric Recognition Error.
Yoon and Kim's authentication scheme uses a one-way hash function to provide biometric verification. A hash function maps data of arbitrary size to data of a fixed size, with slight differences in the input data producing very large differences in the output data. Figure 3 describes the biometric recognition error in Yoon and Kim's scheme. Biometrics have general limitations, such as false acceptance and false rejection. This means that the output of the imprinted biometrics is not always constant. Although inputs its own biometrics to the scanning device, a different ∼ * may be output. Therefore, the same biometrics can generate different outputs, such as * and ∼ * . A different ∼ * causes slight differences between * and ∼ * . This difference then produces a very large difference between * and ∼ * , due to the property of the hash function. The large difference between * and ∼ * causes a biometric recognition error, so a legal user can fail the smart card verification. As a result, advanced techniques are needed to improve the success rate of a legal user's verification [5].
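To make the contrast concrete, here is an added Python example (written for this page, not taken from the paper or from Li et al.'s fuzzy extractor) that implements Gen and Rep from the Fuzzy Extraction section as a code-offset construction over a 5-bit repetition code and compares it with the hash-based check described in this section. The 80-bit biometric template, the flipped bit positions, the user identifier and all function names are constructed for the example; a real fuzzy extractor uses a stronger error-correcting code and a randomness extractor, for which the repetition code stands in here.

```python
import hashlib
import secrets

BLOCK = 5                          # repetition-code length: corrects up to 2 flipped bits per block
KEY_BITS = 16                      # length of the extracted string R
TEMPLATE_BITS = BLOCK * KEY_BITS   # length of the biometric bit string (80 bits here)


def bits_from_bytes(data: bytes, width: int):
    """First `width` bits of `data`, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)][:width]


def int_from_bits(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def constructed_template():
    """Constructed stand-in for a scanned biometric B_i (a fixed 80-bit string, not real data)."""
    return bits_from_bytes(hashlib.sha256(b"constructed biometric template").digest(), TEMPLATE_BITS)


def flip_bits(bits, positions):
    """Model a re-scan B*_i that differs from B_i at the given bit positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def gen(biometric):
    """Gen(B) -> (R, P). Code-offset construction: R is uniformly random, its repetition-code
    codeword C(R) is masked with B to give the public helper string P = C(R) xor B."""
    assert len(biometric) == TEMPLATE_BITS
    r_bits = bits_from_bytes(secrets.token_bytes(KEY_BITS // 8), KEY_BITS)
    codeword = [bit for bit in r_bits for _ in range(BLOCK)]
    helper = [c ^ b for c, b in zip(codeword, biometric)]
    return int_from_bits(r_bits), helper


def rep(biometric_prime, helper):
    """Rep(B', P) -> R. P xor B' = C(R) xor (B xor B'), so majority-decoding each block
    recovers R as long as no block carries more than (BLOCK-1)//2 differing bits."""
    noisy = [p ^ b for p, b in zip(helper, biometric_prime)]
    r_bits = []
    for i in range(KEY_BITS):
        block = noisy[i * BLOCK:(i + 1) * BLOCK]
        r_bits.append(1 if 2 * sum(block) > BLOCK else 0)
    return int_from_bits(r_bits)


def hash_distance(user_id: bytes, b1, b2) -> int:
    """Yoon and Kim's style comparison: Hamming distance in bits between h(ID, B) and h(ID, B*).
    A single flipped biometric bit changes roughly half of the digest bits."""
    d1 = hashlib.sha256(user_id + bytes(b1)).digest()
    d2 = hashlib.sha256(user_id + bytes(b2)).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(d1, d2))


def demo():
    b = constructed_template()
    b_close = flip_bits(b, [0, 7, 23, 41, 42])   # at most 2 flips in any 5-bit block
    b_far = flip_bits(b, [40, 41, 42])           # 3 flips in one block: beyond the bound
    r, p = gen(b)
    return {
        "fuzzy_close_ok": rep(b_close, p) == r,        # same R despite 5 differing bits
        "fuzzy_far_ok": rep(b_far, p) == r,            # False: threshold exceeded in block 8
        "hash_distance_close": hash_distance(b"user-1", b, b_close),  # large, never "close"
    }


if __name__ == "__main__":
    print(demo())
```

The hash comparison has no useful notion of "close enough": any re-scan that differs in one bit lands at a random-looking digest, so a threshold on d(V_i, V*_i) cannot separate a legal user from a stranger. The fuzzy extractor moves the tolerance into the helper string, so the scheme can store and compare a constant R (or h(R)) instead of the raw biometric.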

User Verification Problem.
In Yoon and Kim's authentication scheme, GW verifies a legal user by comparing ID in 1 and ID in the output of the decrypted . Specifically, the user computes using a symmetric encryption algorithm: = (ID ‖ ). ID and are not the problem, but can produce unexpected results, because is made up from and , which in turn consist of and * : * = ℎ (ID , ) . Even if the biometrics are the same, the output of the scanning device is not constant. Therefore, the same biometrics can generate a different output, like ∼ * . The different biometric output causes slight differences between * and ∼ * . Due to these slight differences, different ∼ and ∼ are produced. As a result, the user and GW encrypt and decrypt using different keys. GW cannot recover a normal ID from , so the user is not authenticated by GW even when the user uses its own normal ID and . The reason is that the hash function and the symmetric key encryption algorithm both have the property that a slight difference in the input results in a large difference in the output. Figure 4 specifically describes the user verification problem in Yoon and Kim's scheme.

Lack of Anonymity.
Figure 5 describes how Yoon and Kim's scheme fails to provide anonymity. In this scheme, the user sends its own to GW over public communication, and GW sends to the sensor without any protection. Therefore, an attacker can easily acquire from those communications. This results in an information exposure problem. From the GW's incoming communications, an attacker can estimate the number of users registered to GW. An attacker can also learn which user communicates with . Therefore, the lack of anonymity in Yoon and Kim's scheme raises problems that need to be addressed by providing user anonymity through a protection technique. To solve this problem, it is necessary to use an anonymous identification AID in the WSN communication instead of sending a normal ID [21][22][23].

Lack of Perfect Forward Secrecy.
Perfect forward secrecy means that a session key derived from a set of long-term keys will not be compromised if one of the long-term keys is compromised at some point in the future [24]. Unfortunately, Yoon and Kim's authentication scheme does not provide perfect forward secrecy. Therefore, an attacker can compute the session key sk between and if the attacker learns one of the long-term keys in the future. The following list describes how Yoon and Kim's scheme fails to provide perfect forward secrecy [5]:
(1) The attacker obtained , , and from a previous public channel.
⇒ The attacker has , , , and and computes and as follows:
(3) The attacker acquires ID and and then computes sk.
(4) The attacker can compute all previous session keys sk.
Figure 4: User verification problem in Yoon and Kim's scheme. Hash function h(·): small differences in input data make very big differences in output data; symmetric key algorithm E_k: small differences in K_i make big differences in the output of E_k. (i) In the authentication phase, even if U_i inputs its own same biometrics, a different ∼B*_i may result; a different ∼D_i makes very big differences in ∼k_i due to h(·), and ∼k_i makes even bigger differences in ∼C*_i due to E_k; U_i sends ∼C_i to GW, but ∼C_i is very different from the normal C_i.
Figure 5: Lack of anonymity in Yoon and Kim's scheme. The attacker can learn how many users are registered in GW and which user wants to access sensor S_j; (ii) therefore, Yoon and Kim's scheme basically does not provide user anonymity.
First, the attacker obtains , , and from a previous communication between and . The attacker then obtains one of the user's long-term secrets, . The attacker can then compute = ℎ( ‖ ) and decrypt using the computed , so the attacker learns ID and the random number . Finally, the attacker computes the session key sk using ID , , and .

Session Key Exposure by the Gateway Node.
The session key sk is used to provide secure communication between and after the authentication phase has successfully finished. Even if the GW node is a trusted node, it is not necessary for the GW node to know sk, because usually wants to communicate secretly with without observation by the GW node. However, in Yoon and Kim's authentication scheme, the GW node can compute sk without difficulty. The GW node can collect the previous ID and in 's authentication phase and thus can obtain every over the public channel. Then, the GW node can compute every sk = ℎ(ID ‖ ‖ ) between and . Therefore, the GW node can decrypt the encrypted messages between and and can learn all of 's secret messages that are protected by the session key sk. The session key exposure by GW in Yoon and Kim's scheme [5] is described as follows: (1) GW knew ID and from its communication with .
(3) GW can compute all session key sk between and .
(4) GW can decrypt the secret messages between and .
(5) GW can acquire important information between and .
Vulnerability to Denial of Service Attack.
Figure 6 shows the potential for a DoS attack on Yoon and Kim's authentication scheme. The attacker can send malicious messages ⟨ID , , ⟩ generated to consume the battery power of the GW node and the sensor node. The attacker obtains ID and from previous public channel communication and generates a current timestamp . When the GW node and the sensor node receive the malicious messages ⟨ID , , ⟩, they first check the freshness of the timestamp . However, since the generated by the attacker is current, the GW node executes steps 1-5, and the GW node and sensor cannot determine that ID and come from previous messages. So they execute various functions, such as the hash function, decryption function, and verification function, before checking whether the ID sent by the attacker and the computed ID are the same. Therefore, the attacker is able to mount a DoS attack without difficulty [5]. The GW node has sufficient resources available in the system, but the sensors are different. Sensor nodes have limited computational ability, a low battery, low bandwidth, and a small amount of memory. The computational cost of a sensor node is a critical consideration in the design of WSNs, since it increases the consumption of the sensor's battery power [15]. Quite often it is economically preferable to discard a sensor rather than recharge it; for this reason, the battery power of a sensor is usually important for wireless devices, with its lifetime determining the sensor lifetime. Therefore, protecting the sensor node from DoS attacks is a significant issue.

Revocation Problem.
Yoon and Kim's authentication scheme does not use a user password but only the user's ID and biometrics . Therefore, a password change phase is not necessary. For this reason, when an attacker steals or picks up the user's smart card, a revocation problem occurs. When the GW node issues the user's smart card, it always produces the same ⟨ID , , , ℎ(⋅), (⋅), ⟩ if sends the same ID and to the GW node. So even though reissues a new smart card, cannot discard the lost smart card, because the reissued smart card and the lost smart card are identical. Therefore, the user has to change his ID in order to be issued a different smart card. Figure 7 describes the potential problem due to the lack of a revocation phase in Yoon and Kim's scheme [5].
Figure 7: Lack of revocation in Yoon and Kim's scheme (the values in the new smart card and in the stolen smart card are the same; though U_i reissues a new smart card, the two are identical).

Countermeasures
The vulnerability of Yoon and Kim's scheme to a biometric recognition error and a user verification problem is due to the fact that (i) even though the same inputs its own biometrics to the scanning device, a different output can be generated; (ii) the hash function turns slight differences in the input data into very large differences in the output data; (iii) in a symmetric key encryption algorithm , small differences in produce large differences in the output.
This design flaw causes normal users to fail the login phase with their smart card. Therefore, we suggest modifying * = ℎ(ID , * ), * = ℎ(ID ‖ * ), and ( , * ) ≤ to prevent a biometric recognition error. Moreover, the difference between and * results in a different encryption key . This can cause a user verification problem, because the differences between and produce a different , which is used for authentication between and the GW node. To prevent an authentication error, we also suggest modifying = ⊕ * and = ℎ( ‖ ). We thus improve Yoon and Kim's scheme using fuzzy extraction as follows.
During the registration phase, instead of * = ℎ(ID , * ), the smart card computes and using a fuzzy extraction function Gen( ) such as ⟨ , ⟩ = Gen( ). It also computes = ℎ( ) and sends both ID and to the GW node. The GW node modifies the computation of and from = ℎ(ID ‖ ) ⊕ and = ℎ(ID ‖ ) to As a result of this modification carried out using a fuzzy extraction function, the accuracy of verification using biometrics improves. Consequently, the biometric recognition error and user verification problem can be solved.
We next present a possible mechanism for eliminating the vulnerability in Yoon and Kim's scheme due to the lack of anonymity. This vulnerability is due to the fact that (i) ID is used in public communication without any protection; (ii) the attacker can know how many users are registered in GW and which user wants to access .
Using the user's ID , the attacker can acquire a variety of information about the user, GW, and the sensor. Therefore, we propose an anonymous identification AID to provide anonymity. Instead of sending a normal ID , we suggest using AID in the communication as follows: GW sends ℎ( ‖ ) to a user as = ℎ( ‖ ) ⊕ in the registration phase. ℎ( ‖ ) uses only an existing secret, so no new secret needs to be added. The attacker and the sensor cannot know ℎ( ‖ ), and AID changes every session due to , so we can provide user anonymity.
To provide the perfect forward secrecy in our proposed scheme, we modify the computation of sk from sk = ℎ(ID ‖ ‖ ) to sk = ℎ (AID ‖ ‖ ) .
AID = ID ⊕ ℎ(ℎ( ‖ ) ‖ ) contains the secret ℎ( ‖ ). Therefore, sk depends on two secrets, ℎ( ‖ ) and ; moreover, they are independent of each other, so a session key derived from the set of long-term keys will not be compromised if one of the long-term keys is compromised in the future. is thus important information shared between and . can also be used to eliminate the vulnerability of Yoon and Kim's scheme to session key exposure by the GW node. This vulnerability is due to the fact that (i) the GW node can know all elements of sk, including ; (ii) it is hard to share secret information between and in advance.
To prevent this problem, we suggest a key exchange using elliptic curve encryption. The user generates and computes and : Then, the user sends to the sensor through the GW and receives from the sensor, so the sensor can compute sk as follows: and can be used by the user and sensor to compute sk = ℎ(AID ‖ ‖ ) in a manner that is concealed from the GW node. Therefore, we resolve the session key exposure by the GW node.
However, even after implementing the modifications described above, Yoon and Kim's scheme is vulnerable to DoS attacks. This type of attack results from the fact that (i) GW and the sensor perform all operations without checking the freshness of the incoming messages; (ii) in particular, the sensor has limited energy but this scheme verifies messages after performing various operations.
Before performing any other operation, the GW node and sensor check and to verify an incoming message: and can thus only be computed by a legal user and the GW node. Due to this modification, the GW node and sensor can prevent a DoS attack by checking and in 1 and 2 , respectively. Finally, the revocation problem is prevented by implementing a revocation and reissue phase. This phase should also be modified for consistency, particularly to induce a user to select an identification different from previous identifications (see Section 6.3 for details). All the modifications suggested above are combined to propose an improved authentication scheme that is described in the following section.

Proposed Scheme
Our proposed scheme is divided into three phases: a user registration phase, login and authentication phase, and revocation and reissue phase. Before our scheme is executed, GW generates two master keys, and , and provides a long-term secret key ℎ( ID ‖ ) to the sensor .

Registration Phase.
The registration phase of the proposed scheme is described in Figure 8. performs the user registration phase with GW over a secure channel. computes using a biometrics scanning device, and and using fuzzy extraction. Then, the user's information is sent to the GW for registration. However, the GW cannot store the user's biometric information. The detailed steps are as follows.
(1) selects ID and scans its own biometrics to compute .
(3) After receiving ⟨ID , ⟩, the GW node computes the authentication parameters for as follows:
(4) GW stores ID , ℎ(⋅), and the authentication parameters, ⟨ID , , , , ℎ(⋅)⟩, in a smart card, and issues the smart card to through a secure channel.
(5) receives the smart card and inputs to the smart card.

Login and Authentication Phases.
The login and authentication phases of the proposed scheme are described in Figure 9. During the login phase, the smart card checks the user's legality by using the user's and biometrics * . GW authenticates the user by checking ID . The detailed steps of the login phase are as follows:
(1) inserts his smart card into a card reader. Then, inputs his ID and computes the biometric information * using a scanning device. The smart card computes * , * , and * using fuzzy extraction and compares * with the stored in the smart card as follows:
(2) The smart card generates a random number and computes , , and ℎ( ‖ ). is used for the session key between and . This scheme uses ℎ( ‖ ) to provide perfect forward secrecy:
(3) picks the current timestamp and computes , , AID , and for authentication with GW. is used to prevent the DoS attack. Then, sends the authentication message 1 to GW:
Figure 9 (excerpt): verifies AID_i ?= AID_i; generates random number r_s.
(10) From now on, can communicate securely with using sk:

Revocation and Reissue Phase.
The revocation problem can result in serious attacks, so a revocation phase should be provided for when wants to reissue a smart card due to loss. To prevent the same user identification from being selected, inputs the previous ID . Then, selects a different identification ID * and sends ID and ID * to the GW with the hashed biometric information . After the GW receives these, it revokes ID and reissues the smart card using ID * . GW then continues with a phase that is identical to the registration phase. The revocation and reissue phase of the proposed scheme is described in Figure 10.

Security Analysis
This section describes the security analysis to confirm the security of the proposed scheme. We need to provide the following definitions to then compare the proposed scheme to other authentication schemes, including that proposed by Yoon and Kim.

Definition 1.
A strong secret key ( , , ) has a high value of entropy ( ) that cannot be guessed in polynomial time.

Definition 2.
A secure one-way hash function = ℎ( ) satisfies the following: given , computing is easy, but computing from is hard.

Biometric Recognition Error.
The proposed scheme prevents a biometric recognition error by using fuzzy extraction. Yoon and Kim's scheme uses a hash function to check the conformity of the biometrics. Even though they use a threshold , since the hash function turns slight differences in the input data into very large differences in the output data, biometric recognition errors can occur. The proposed scheme, by using a fuzzy extractor, prevents such errors.
Figure 10: Revocation and reissue phase of the proposed scheme (U_i inputs the previous ID_i, selects a different ID_i*, imprints the biometric impression B_i, computes ⟨R_i, P_i⟩ = Gen(B_i), and inputs P_i into the smart card).
The fuzzy extractor Gen() generates and using the user's biometric during the registration phase. is a uniform random string and is a helper string, so can be the same with the assistance of this auxiliary information even if the user inputs slightly different biometrics * , provided they remain reasonably similar to the original biometric information. imprints for registration and computes , , and as follows: With the assistance of , the fuzzy extractor can compute a constant * even if the user inputs slightly different biometrics, so the proposed scheme is secure against a biometric recognition error.
GW verifies sameness of ID as follows: Unlike in Yoon and Kim's scheme, can compute constant values including as a result of the fuzzy extractor. Therefore, GW can authenticate a legal user even if the user inputs a slightly different biometric information * . Therefore, the proposed scheme can prevent a user verification problem.
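The two preceding subsections argue that a fuzzy extractor tolerates small biometric noise where a plain hash does not. The following is an added example, not the paper's construction: a code-offset fuzzy extractor (Gen/Rep) built from a repetition code, with the hash-only comparison beside it. The template length, the 5-bit repetition blocks, the `TEMPLATE` value, and the derivation of R_i from the random codeword message are all assumptions made for the example.

```python
"""Code-offset fuzzy extractor (Gen/Rep) with a repetition code.

Added example; not the paper's construction. It assumes a fixed-length binary
biometric template and tolerates up to 2 flipped bits in every 5-bit block.
"""
import hashlib
import secrets

BLOCK = 5                      # repetition factor; corrects (BLOCK-1)//2 = 2 flips per block
INFO_BITS = 32                 # length of the random codeword message
N_BITS = BLOCK * INFO_BITS     # template length in bits (160 bits = 20 bytes)


def to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def to_bytes(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def encode(msg: list) -> list:
    """Repetition code: each message bit is written BLOCK times."""
    return [b for b in msg for _ in range(BLOCK)]


def decode(code: list) -> list:
    """Majority vote per block; recovers the message if <= 2 bits per block are wrong."""
    return [1 if 2 * sum(code[i:i + BLOCK]) > BLOCK else 0 for i in range(0, N_BITS, BLOCK)]


def gen(template: bytes):
    """Gen(B) -> (R, P): R is derived from a fresh random message, P = B xor codeword."""
    assert len(template) * 8 == N_BITS
    msg = to_bits(secrets.token_bytes(INFO_BITS // 8))
    helper = [b ^ c for b, c in zip(to_bits(template), encode(msg))]
    key = hashlib.sha256(b"fuzzy-extractor-R" + to_bytes(msg)).digest()
    return key, to_bytes(helper)


def rep(template_star: bytes, helper: bytes) -> bytes:
    """Rep(B*, P) -> R: strip the helper, decode the noisy codeword, re-derive R."""
    noisy = [b ^ p for b, p in zip(to_bits(template_star), to_bits(helper))]
    msg = decode(noisy)
    return hashlib.sha256(b"fuzzy-extractor-R" + to_bytes(msg)).digest()


def flip_bits(data: bytes, positions) -> bytes:
    """Simulate sensor noise by flipping the given bit positions."""
    bits = to_bits(data)
    for pos in positions:
        bits[pos] ^= 1
    return to_bytes(bits)


def hash_match(a: bytes, b: bytes) -> bool:
    """The hash-only check: any single flipped bit makes the comparison fail."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


# Constructed 160-bit "template" standing in for a real biometric feature vector.
TEMPLATE = hashlib.sha256(b"constructed biometric template").digest()[:N_BITS // 8]


def demo() -> dict:
    R, P = gen(TEMPLATE)
    close = flip_bits(TEMPLATE, [3, 17, 77, 150])   # four flips, one per block: within tolerance
    far = flip_bits(TEMPLATE, [0, 1, 2])            # three flips in one block: exceeds tolerance
    return {
        "rep_exact": rep(TEMPLATE, P) == R,   # True
        "rep_close": rep(close, P) == R,      # True: fuzzy extractor absorbs the noise
        "rep_far": rep(far, P) == R,          # False: beyond the code's correction radius
        "hash_close": hash_match(TEMPLATE, close),   # False: plain hash rejects a near match
    }


if __name__ == "__main__":
    print(demo())
```

In the scheme above, the user would keep R_i and store only P_i on the smart card. Two caveats a practitioner should keep in mind: a repetition code is chosen here only for readability, since the helper string leaks far more about B_i than a BCH or Reed-Solomon code-offset sketch would; and the entropy of R_i is bounded by the entropy of the template minus what P_i reveals, which is why Definition 1 matters for the biometric as well as for the keys.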

Anonymity.
In the proposed scheme, an attacker cannot recover a user's real identification ID without ℎ( ‖ ), because the real identification is always protected as AID = ID ⊕ ℎ(ℎ( ‖ ) ‖ ). Therefore, only the legitimate user and the GW can compute ID from AID. The GW stores its master keys, so it can easily compute ℎ( ‖ ); the user can compute ℎ( ‖ ) from the value stored in the smart card as follows: To compute ℎ( ‖ ), an attacker would need both the user's smart card and the value derived from the user's biometrics. Even if the attacker obtains the smart card, he cannot compute the latter. As a result, the attacker cannot obtain the user's real identification ID, and the proposed scheme provides user anonymity.

Perfect Forward Secrecy.
The proposed scheme computes the session key between the user and the sensor node as follows: Therefore, to compute all of a user's session keys, an attacker has to know both ℎ( ‖ ) and the second long-term value. However, the attacker cannot derive one of these values from the other, because ℎ( ‖ ) and the second value are independent of each other. In other words, knowing one of them does not allow computing the other, so a session key derived from the set of long-term keys is not compromised even if one of the long-term keys is compromised in the future. Therefore, the proposed scheme achieves perfect forward secrecy.

Session Key Exposure by the Gateway Node.
In the proposed scheme, the GW knows most of the information used in the scheme but still cannot compute sk between the user and the sensor node. sk is computed as follows: The GW knows AID and the values it relays, but it cannot obtain the two nonces. Even though the exchanged points are computed by scalar multiplication of the nonces with the curve base point, the GW cannot recover the nonces from those points, because doing so requires solving the elliptic curve discrete logarithm problem. Therefore, sk is not exposed to the GW in the proposed scheme.

Vulnerability to Denial of Service Attack.
In the proposed scheme, the user, the GW, and the sensor node first check the freshness of each message using timestamps. Therefore, the scheme withstands a DoS attack in which an attacker resends an earlier message with its old timestamp. Moreover, the DoS attack is prevented more effectively because the verifier values carried in messages 1, 2, and 3 are computed over the current timestamps. Hence the user, the GW, and the sensor node can check both the freshness and the legitimacy of messages 1, 2, and 3: even if the attacker resends the earlier verifier values with current timestamps, the timestamps bound into those values do not match the timestamps in the resent messages. Therefore, the proposed scheme is more secure against DoS attacks than Yoon and Kim's scheme.

Revocation Problem.
The proposed scheme does not use a user password; it uses only the user's ID and biometrics for registration. As a result, the proposed scheme must provide a revocation and reissue phase for the case in which the user wants to have a smart card reissued after losing it. If a user had a smart card reissued with the same ID as before, the reissued smart card would be identical to the previous one, and an attacker could make use of the lost smart card because of that sameness. Therefore, in the proposed scheme the GW checks that the new identification ID* differs from the previous ID during the revocation and reissue phase. In other words, the user is required to select an identification different from the previous one, so the GW reissues a new smart card with different information when the user loses his smart card, and the revocation problem is solved in this manner.

Confidentiality.
Several of the transmitted values, including RM, are public information and therefore need no protection. The remaining values preserve confidentiality because an attacker cannot compute any important information from AID and the other protected values.

Password Change Phase.
In a password-based authentication scheme, the user should be able to change his own password when he forgets it or loses his smart card. To allow a password to be changed freely, the smart card has to store information related to the password, such as ℎ(password). However, when an attacker steals a user's smart card, he can extract all the information stored in it by simple or differential power analysis. The attacker can then recover the user's password even though it is protected as ℎ(password), because a password consists of only a few characters and can be guessed offline. Therefore, a password change phase is important, but it carries the serious risk that the information used for login and authentication (such as the password) can be exposed. The proposed scheme instead uses only the user's biometric information, which has high entropy; an attacker therefore cannot recover the original biometric information even if ℎ(biometrics) is known. Moreover, a user does not forget his biometric information and so does not need to change it.

Stolen Verifier Attack.
If the GW or the sensor nodes store verifier information, an attacker can attempt a stolen verifier attack. However, the proposed scheme resists this attack because neither the GW nor the sensor nodes store a user identification/password table or the user's biometrics. In the proposed scheme, the GW stores only its secret keys, and the sensor nodes store only ℎ( ID ‖ ). Therefore, even an attacker with access to the databases of the GW and the sensor nodes cannot obtain the authentication information of a legitimate user.

Guessing Attack.
Since the proposed scheme does not use a user password, it is not vulnerable to a password guessing attack. Moreover, the user's biometrics are always protected by the one-way hash function. Since biometric information has a high level of entropy, unlike a password, the attacker cannot recover the user's biometric information from the hashed value. When the attacker steals a user's smart card, he can obtain ID, ℎ(⋅), and the other values stored in the smart card. However, several of these values are hashed, so the attacker cannot extract any secret from them, and ID and the remaining stored values are not secret information. Hence the attacker cannot acquire secret information by guessing, and the proposed scheme is not vulnerable to a guessing attack [25][26][27].

Replay Attack.
The proposed scheme is secure against a replay attack because the timestamps are bound into the verifier values carried in messages 1, 2, and 3. Even if the attacker captures messages 1, 2, and 3 and resends them with current timestamps, he cannot recompute the verifier values for the current timestamps:

Impersonation Attack.
Even if an attacker intercepts the authentication message 1 = ⟨AID , , , , ⟩ in order to impersonate a legitimate user, the attacker cannot extract the secret values from AID and the other fields, since the one-way hash function satisfies Definition 2. Without those secret values, the attacker cannot produce a legitimate login and authentication message for the attacker's current time. Therefore, the proposed scheme is secure against impersonation attacks. Likewise, the attacker cannot impersonate a legitimate GW or sensor node: even if the attacker obtains message 2 = ⟨AID , , , ⟩, he cannot compute the secret value or ℎ(ℎ( ID ‖ ) ‖ ) from it, again by Definition 2.

Insider Attack.
Typically, a malicious insider wants to acquire private user information such as the user's biometrics. In the proposed registration phase, the user's smart card device imprints the biometric impression B_i, computes ⟨R_i, P_i⟩ = Gen(B_i), and sends only a hashed value to the GW. Therefore, the GW cannot recover the underlying value from the incoming hash because of the properties of the one-way hash function, and the proposed scheme is secure against insider attacks.

Security Factor.
Two- or three-factor authentication methods combine two or three different components. In WSNs, most authentication schemes use a user's password, smart card, and biometric information as these components. We propose a two-factor authentication scheme that uses the smart card and biometric information without a password, yet provides a level of security comparable to that of three-factor authentication schemes. Table 1 summarizes and compares the security provided by the proposed scheme with that of other schemes, including the one by Yoon and Kim.
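The DoS and replay arguments above rest on one mechanism: the timestamp is inside the verifier value, so an old message fails the freshness check and a message with a swapped-in current timestamp fails the verifier check. The following is an added example, not the paper's protocol, that implements that check for one message with an HMAC standing in for the hashed verifier. The shared key, the message fields, the 60-second skew window, and the seen-set (which catches exact replays inside the window, a case timestamps alone do not cover) are assumptions of the example.

```python
"""Freshness and replay checks for an authentication message.

Added example, not the paper's construction. It assumes a symmetric key k
shared by sender and verifier (in the scheme this role is played by the hashed
long-term values) and a fixed window DELTA for clock skew.
"""
import hashlib
import hmac
import struct

DELTA = 60   # acceptable clock skew in seconds (assumption)


def tag(key: bytes, aid: bytes, body: bytes, t: int) -> bytes:
    """Verifier V = HMAC(k, AID || body || T); T is inside the MAC, so it cannot be swapped."""
    data = (struct.pack(">I", len(aid)) + aid
            + struct.pack(">I", len(body)) + body
            + struct.pack(">Q", t))
    return hmac.new(key, data, hashlib.sha256).digest()


def build(key: bytes, aid: bytes, body: bytes, t: int) -> dict:
    """Sender side: message 1 = <AID, body, T, V>."""
    return {"aid": aid, "body": body, "t": t, "v": tag(key, aid, body, t)}


def verify(msg: dict, key: bytes, now: int, seen: set) -> str:
    # 1. Cheap timestamp check first: an old message is dropped before any MAC work,
    #    which is what limits the cost of a replay-based DoS.
    if abs(now - msg["t"]) > DELTA:
        return "stale"
    # 2. MAC check: a replayed message with a freshened T fails here.
    if not hmac.compare_digest(msg["v"], tag(key, msg["aid"], msg["body"], msg["t"])):
        return "bad-tag"
    # 3. Exact replay inside the window: timestamps alone do not catch this.
    ident = (msg["aid"], msg["t"], msg["v"])
    if ident in seen:
        return "replayed"
    seen.add(ident)
    return "ok"


def demo() -> list:
    """Four constructed deliveries of the same message; returns the verifier's verdicts."""
    key = hashlib.sha256(b"constructed shared key").digest()
    seen = set()
    m1 = build(key, b"AID-user-1", b"login request", t=1_000_000)
    results = [verify(m1, key, now=1_000_005, seen=seen)]        # fresh and valid -> "ok"
    results.append(verify(m1, key, now=1_000_010, seen=seen))    # same message again -> "replayed"
    results.append(verify(m1, key, now=1_000_900, seen=seen))    # old timestamp -> "stale"
    freshened = dict(m1, t=1_000_900)                            # attacker swaps in current time
    results.append(verify(freshened, key, now=1_000_900, seen=seen))   # -> "bad-tag"
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering inside `verify` matters for the DoS argument: the timestamp comparison costs nothing, so flooding the GW with captured messages does not force a hash computation per message. Sensor nodes without a reliable clock would need the seen-set (or a challenge nonce) rather than the window check.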

Conclusions
To provide security for wireless sensors and their users, various authentication schemes for WSNs have been proposed recently. The security problem in He et al.'s scheme was addressed by Yoon and Kim, who proposed an advanced biometrics-based user authentication scheme for WSNs. In this paper, we have identified vulnerabilities in Yoon and Kim's scheme: a biometric recognition error, a user verification problem, lack of anonymity and perfect forward secrecy, session key exposure by the GW node, vulnerability to a DoS attack, and a revocation problem. To address these vulnerabilities, we have suggested specific countermeasures, including the use of fuzzy extraction, an error-tolerant cryptographic primitive for biometric security, to process the imprinted biometrics during the registration phase. We also recommend using the sensor node's random number together with ECC to exchange random numbers between the user and the sensor node during the authentication phase. ECC offers the same level of security with a smaller key size than other forms of public-key cryptography, which makes it suitable for resource-constrained wireless devices. In accordance with these countermeasures, we have proposed a biometrics-based authentication scheme with improved security based on fuzzy extraction, and we have conducted a security analysis showing that the proposed scheme is more secure than other authentication schemes.
Table 1 (security factor row): three-factor; two-factor; two-factor; two-factor.

Notations
The i-th user
ID: the identification of the user
AID: the anonymous identification of the user
B_i: the biometric template of the user
GW: the gateway of the WSN
The two master keys of the GW
The j-th sensor node
ID: the identification of the sensor node
ℎ(⋅): a secure one-way hash function
(⋅): a symmetric parametric function
The predetermined threshold for biometric verification
(⋅): a symmetric encryption function under a key
(⋅): the decryption function corresponding to the encryption function
Timestamps
The user's random nonce
The sensor's random nonce
sk: the session key between the user and the sensor
‖: string concatenation
×: multiplication
⊕: string XOR
RM: response to the query message