Lightweight User Authentication in Wireless Sensor Networks


STO-MP-IST-111 23-1


Ronggong Song, Peter C. Mason

3701 Carling Ave, Ottawa, ON K1A0Z4, Canada

Ronggong.song@drdc-rddc.gc.ca, Peter.mason@drdc-rddc.gc.ca

ABSTRACT

In a tactical communication scenario, wireless sensor networks are often deployed in hostile territories - open and uncontrolled environments where only legitimate users should be able to access the network and retrieve data. The security of user authentication and data transfer in such systems becomes a critical issue in these resource-constrained environments. In this paper, we suggest that some weaknesses in a previously published user authentication protocol [M. L. Das, Two-Factor User Authentication in Wireless Sensor Networks, IEEE Transactions on Wireless Communications, Vol.8, No.3, 2009] make it insufficiently robust for tactical environments. Based on our analysis of that protocol, we present a lightweight user authentication and demonstrate that the new protocol has better security features and is more efficient in comparison. We believe the new protocol is more suitable for tactical situations.

1 INTRODUCTION

A wireless sensor network (WSN) is a wireless network typically consisting of a large number of distributed autonomous sensor nodes deployed in an unattended environment. The WSN may be tasked to conduct activities such as monitoring the characteristics of its environment, tracking movements, detecting anomalies, and many other potentially useful applications [1, 2]. Among the applications of sensor networks for which security is a concern are tactical operations such as force tracking, battlefield surveillance, reconnaissance, targeting, and chemical, biological, radiological, and nuclear (CBRN) detection, homeland security and health care. In most applications, sensor nodes have low processing power, limited bandwidth, memory, and energy [3].

In this paper, we focus on security-critical sensor network applications, in which the sensor nodes might be deployed in hostile environments, captured and compromised by adversaries. In these applications, one of the critical security challenges is to design an efficient and strong authentication protocol to authenticate users who need to access real-time data directly from outside the sensor network, and to ensure a secure communication channel between the user and sensor nodes for protecting the transferred data.

In order to address the security problem, Das [4] presented a hash-function based two-factor user authentication protocol. The author demonstrated that the new protocol is more efficient than the authentication protocols proposed by Watro et al. [5] and Wong et al. [6], and indicated that the protocol can provide strong authentication and session key establishment for secure communication between the user and sensor node. However, there are some shortcomings in the Das protocol if used in an adversarial environment. First, it does not provide any protection to the query response data. No session key or secure channel is established between the user and sensor node during data transfer. As a result, adversaries could eavesdrop upon or modify the data in transit. Furthermore, this paper will demonstrate that an inside intruder can easily forge some credentials of other users using a smart card without physically tampering with it.

Assuming a more resource-rich attacker, the Das protocol has weaknesses in robustness, tolerance, and resilience, since the whole system relies on just one secret parameter which resides on all smart cards and sensor nodes. This means the security of the system can be easily broken if only one sensor node or smart card is captured and compromised. Similar issues appear in a later improvement of Das' work, presented by Nyang and Lee [7]. Detailed analysis of this compromise can be found in Section 3.

In order to improve the Das [4] and Nyang-Lee [7] authentication protocols and provide strong, secure data protection, we propose a lightweight user authentication for wireless sensor networks. The new protocol stores the system secret only in the gateway nodes instead of all regular sensor nodes and the users' smart cards. In practice it is reasonable to assume that the gateway nodes are more powerful and secured with tamper-resistant technologies because of their critical role in the sensor network. In the new system, the secret keys of sensor nodes are pre-distributed in the bootstrapping phase and shared with the gateway nodes. They are used to securely communicate with the gateway nodes, authenticate the user, and establish secure communication channels between the user and sensor nodes, i.e., a session key is established during authentication in order to protect the transferred data. Unlike the Das and Nyang protocols, adversaries cannot get the system secret from captured or compromised sensor nodes even if they are able to extract all data from them. In addition, our improvements prevent a malicious insider from deducing the system secret from the data stored on their smart card. The new protocol embeds the user's identity into the authentication message to protect against the type of impersonation attacks described in Section 3, and provides mutual authentication between the user and gateway nodes to prevent an adversary from sending forged data to an unsuspecting user. The advantages of the proposed method are discussed and compared with other protocols in Sections 5.1 and 5.2.

The remainder of the paper is organized as follows. WSN network architecture, usage scenarios, and attack models are briefly introduced in the next section. The Das and Nyang user authentication protocols are reviewed and analyzed in Section 3. In Section 4, we present a lightweight user authentication to improve the Das and Nyang protocols. Section 5 analyzes the security and performance of the new protocol. Concluding remarks are given in Section 6.

2 WIRELESS SENSOR NETWORK ARCHITECTURE

A wireless sensor network generally consists of spatially distributed autonomous devices using sensors to cooperatively monitor physical or environmental conditions. WSNs were originally motivated by military applications, but now have a wide range of applications including environmental and industrial monitoring.

Figure 1: A Typical Wireless Sensor Network Architecture


A wireless sensor network generally consists of two kinds of nodes: gateway nodes and sensor nodes [8]. The gateway nodes (GWs) connect the sensor network to the external world, collect data from sensor nodes, and relay the collected data to users. The sensor nodes gather and process sensory information and may communicate with other connected sensor nodes in the network. The gateway nodes usually contain more computation, energy, and communication resources. In military applications the gateway nodes are equipped with strong security protection such as tamper-resistant technology. Figure 1 depicts a general wireless sensor network architecture, where the local sensor nodes construct a wireless ad hoc network. Users can access and collect data through the gateway nodes remotely in real time.

In tactical operations, it is critical for the users (e.g., commanders or soldiers) to get timely, accurate, and reliable data from the sensor nodes in order to make appropriate decisions. This data should not be available to anyone other than authorized users. To achieve these design requirements, the user and gateway nodes must mutually authenticate in an efficient manner and the data from the sensor to the user must be protected en route. The following discussion describes our network usage scenarios and attack models.

2.1 Network Usage Scenarios

In this paper, we assume that sensor networks are already deployed and the system secrets for the user authentication have been distributed to GWs. Remote users have a direct connection with GWs through an unprotected network. GWs have bi-directional communication with sensor nodes using the chosen routing protocols (e.g., SPIN [9], DDiff [10], LEACH [11], QDPRA [12], EER [13]) and are synchronized with time synchronization schemes such as RBS [14] and GTSP [15]. The following demonstrates network usage under a tactical scenario.

WSN Scenario for Tactical Operations: A number of sensor nodes and GWs are pre-deployed in a hostile environment for various monitoring or sensing purposes. Users may be located in their own country and connect to GWs through satellite ground receivers, which are located in a safe environment (see Figure 2). Users may also be located in the hostile environment and connect to GWs through satellite directly (see Figure 2), or connect to GWs directly within local wireless transmission range (see Figure 2). Under some situations, remote users may want to directly contact sensor nodes through GWs to get data or to control them in real time. Efficient user authentication and a secure channel between the user and sensor nodes become very important for protecting data and making accurate tactical decisions, since attacks as simple as data modification could increase the risk of mission failure. Figure 2 depicts the WSN scenario in battlefield operations.

Figure 2: A WSN Usage Scenario in Battlefield Operations


2.2 Attack Models

We present two major attacks in our network scenario: attacks on data and attacks on security protocols, described below.

2.2.1 Attacks on Data

If there is no security protection on communication data between a user and sensor nodes, adversaries can easily make significant attacks on data such as eavesdropping and modification, among others.

1) Eavesdropping: Without security protection, adversaries can eavesdrop upon data exchanged between a user and sensor nodes and collect all information passing between them. As a result, adversaries could anticipate and be prepared for potential attacks against them.

2) Modification: Without security protection, adversaries can easily modify the communication data for their own purposes. With erroneous data modified by adversaries, the user may make poor decisions and fail in the mission. This is a very severe attack in battlefield operations. In addition, with the capability of data modification, adversaries can also launch replaying and impersonation attacks.

These attacks are not acceptable in battlefield operations. Security protection on the communication data is a requirement.

2.2.2 Attacks on Security Protocols

Even with security protection for the data, adversaries may still attack the security protocols. These include, in general, online and offline attacks, side channel attacks, and node compromise attacks. The goal of these attacks is to gain control of the system secret, a user's credential, or a session key, and perhaps then launch further attacks on communication data.

1) Online Attacks: General online attacks include impersonation, replay, modification, etc. The goal of online attacks is to recover session keys, user credentials, or system secrets by actively involving communication sessions of security protocols in real time, and then use them to launch attacks on communication data.

2) Offline Attacks: Offline attacks also aim to recover session keys, users' credentials, or system secrets but have the advantage of access to higher power computers using eavesdropped messages from the security protocols. These may include exhaustive searching, chosen-plaintext attacks, and so on.

3) Side Channel Attacks: Side channel attacks can be used to recover session keys, users' credentials, or system secrets by monitoring timing or power variations of a machine when a secret is used for computation with that machine.

4) Node Compromise Attacks: In a hostile environment, adversaries may physically capture some sensor nodes and attempt to recover system secrets or user credentials therein.

3 REVIEW OF THE DAS AND NYANG AUTHENTICATION PROTOCOLS

3.1 The Das Authentication Protocol

The Das two-factor user authentication protocol [4] is based on smart card technologies and uses a hash function for providing security services. The proposed system assumes that an intruder cannot extract data from a compromised smart card or sensor node. The smart card uses the data stored upon it for on-card computation in order to protect the system against impersonated gateway node attacks. The protocol consists of three phases: registration, login, and authentication.

(1) Registration Phase

The gateway node generates two system secret parameters: K and x_a for registration use. The system secret x_a is stored on the sensor nodes before their deployment and distribution into the WSN. A user U_i, who wants to register with the WSN, submits his identity ID_i and password PW_i to the gateway node in a secure way. The gateway node computes an additional secret that binds the user identity and password to the system secret K: N_i = h(ID_i||PW_i) ⊕ h(K). The hash function, h(), and the parameters {ID_i, N_i, h(PW_i), x_a} are stored onto a new smart card that is given to the user. The user has no knowledge of the secret parameters N_i, K, and x_a on the card.

(2) Login Phase

To log in and access data from the WSN, the user U_i inserts his smart card into a terminal and keys ID_i and PW_i. The smart card validates the entered ID_i and PW_i by comparing them with the stored ones. If the verification is successful, the smart card performs the following operations.

1. Compute DID_i = h(ID_i||PW_i) ⊕ h(x_a||T), where T is the current timestamp of U_i's terminal;

2. Compute C_i = h(N_i||x_a||T);

3. Send <DID_i, C_i, T> to the gateway node.

(3) Verification Phase

Upon receiving the login request message <DID_i, C_i, T> at time T*, the gateway node authenticates U_i with the following procedures.

1. Validate T. The gateway node proceeds to the next step if (T* - T) ≤ ΔT, where ΔT is the expected time interval for transmission delay. Otherwise, it rejects the request as stale;

2. Compute h(ID_i||PW_i)* = DID_i ⊕ h(x_a||T) and C_i* = h((h(ID_i||PW_i)* ⊕ h(K))||x_a||T);

3. Validate C_i. The gateway node accepts the login request if C_i = C_i*. Otherwise, it rejects the request;

4. Send <DID_i, A_i, T'> to the nearest sensor node (e.g., S_n) to respond to U_i's query, where T' is the current timestamp of the gateway node's system, and A_i = h(DID_i||S_n||x_a||T');

5. S_n first verifies T' as in Step 1 above. It computes A_i* = h(DID_i||S_n||x_a||T') and validates whether A_i = A_i*. If the verification is successful, S_n sends the requested data to U_i.

3.2 Analysis of the Das Authentication Protocol

From the description of the protocol, we can see that there is no key established between the user and gateway node or sensor node and therefore no secure channel to protect the requested data. This is, perhaps, because the protocol was not intended for use in adversarial environments.

In situations where there are strong adversaries to contend with, there are several weaknesses of the Das protocol that we can identify. Foremost among them is the distribution of the system secret x_a onto every smart card and sensor node in the system. Das explicitly assumes that extraction of x_a from the smart card is difficult. While this may be true, it should be considered a possibility, as should the risk of x_a being extracted from a captured or compromised sensor node. Even though the protocol uses two system secrets, learning one of them, x_a, is sufficient to break the security.

If a single node or smart card in the system is captured and compromised, an adversary can use the extracted secret x_a to create a fake query. It would do so by creating its own A_i = h(DID_i||S_n||x_a||T) and sending a forged <DID_i, A_i, T> to the sensor node S_n. Since the sensor node only verifies A_i and T, and does not verify DID_i, the adversary can use an old DID_i or simply put anything in the DID_i field to generate a new A_i with {T, S_n, x_a}, where T is the current timestamp, S_n is the sensor node's identity, and x_a is the compromised system secret. That is, the verification at the sensor node is only verifying that the query was generated by someone who knows the hash function h() and the secret x_a. All other parameters are either public, sent in the clear, or, in the case of DID_i, superfluous. As a result, adversaries can forge <DID_i, A_i, T> and request data from any sensor node. This makes the system weak with respect to robustness, tolerance, and resilience.

There is also a weakness with respect to an insider attack, for which the attacker does not need to be able to extract system secrets from a node or smart card. In [4], it is claimed that an attacker cannot generate a DID_i with a new timestamp without knowing the user's password PW_i and the system secret x_a. We show that this is not the case. First, the inside attacker (e.g., U_j) eavesdrops upon the request message <DID_i, C_i, T> sent by the user U_i. The attacker resets his system time to T and uses his smart card to generate a new message <DID_j, C_j, T>. Next, he computes h(x_a||T) by h(x_a||T) = DID_j ⊕ h(ID_j||PW_j) using his own identity ID_j and password PW_j, and retrieves the user U_i's h(ID_i||PW_i) by h(ID_i||PW_i) = DID_i ⊕ h(x_a||T). The attacker now has the hash of U_i's identity and password, a constant that is intended to provide security by binding a user's identity to queries. Finally, the attacker can generate a new request message <DID_j', C_j', T'> using his own smart card and current timestamp, and further get a new h(x_a||T') and DID_i' with the current timestamp T' by DID_i' = h(ID_i||PW_i) ⊕ h(x_a||T'). By these means, the attacker can generate a valid DID_i for any time. Now, without being able to calculate a corresponding, valid C_i, which depends on the system secret K, the inside attacker cannot forge a complete query <DID_i, C_i, T> for any T, but clearly this represents an unintended design flaw in the protocol that weakens the system. In the case where the smart card itself is attacked, the adversary can similarly use h(ID_i||PW_i) along with an extracted N_i to recover h(K). This could expose K to further attack if there were any gain in doing so.

Other shortcomings of the protocol in an adversarial environment include the unilateral authentication, unprotected data transfer, and fixed password. In the protocol, the gateway node authenticates the user but the gateway itself is not authenticated. Without authenticating the gateway, an intruder can impersonate the gateway to send falsified data to the user. Also, since the data is not bound to the identity of the sensor node or the requestor, it is easy for an adversary to modify or misdirect the data. For example, sensor data could be sent to a different user than the original requestor. In addition, users cannot freely change passwords since N_i is pre-computed and stored into the smart card for on-card computation. More detailed research on smart card-based remote user authentication can be found in [16].
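As an added illustration (not code from the paper), the following Python model implements the Das login and verification steps of Section 3.1 and checks the observation of Section 3.2 that the pad h(x_a||T) is the same for every card at time T, so a second registered user can cancel it with his own DID_j and obtain h(ID_i||PW_i). The choice of h() as SHA-256, the decimal encoding of T, and ΔT = 5 seconds are assumptions.

```python
import hashlib
import os

# Added model of the Das login and verification steps (Section 3.1) and of
# the insider derivation in Section 3.2; not the authors' code. Assumptions:
# h() is SHA-256, "||" is byte concatenation, timestamps are integer seconds
# encoded as decimal ASCII, and the delay window delta T is 5 seconds.

DELTA_T = 5


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()   # h(a||b||...)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def ts(t: int) -> bytes:
    return str(t).encode()


class SmartCard:
    # Holds {ID_i, N_i, h(PW_i), x_a}, exactly what the Das registration phase stores.
    def __init__(self, id_i: bytes, n_i: bytes, h_pw: bytes, x_a: bytes):
        self.id_i, self.n_i, self.h_pw, self.x_a = id_i, n_i, h_pw, x_a

    def login(self, id_i: bytes, pw_i: bytes, t: int):
        if id_i != self.id_i or h(pw_i) != self.h_pw:   # on-card check of ID_i and PW_i
            return None
        did_i = xor(h(id_i, pw_i), h(self.x_a, ts(t)))   # DID_i = h(ID_i||PW_i) XOR h(x_a||T)
        c_i = h(self.n_i, self.x_a, ts(t))               # C_i = h(N_i||x_a||T)
        return did_i, c_i, t


class Gateway:
    def __init__(self):
        self.K = os.urandom(32)     # system secret K, known only to the gateway
        self.x_a = os.urandom(32)   # system secret x_a, copied to every card and sensor node

    def register(self, id_i: bytes, pw_i: bytes) -> SmartCard:
        n_i = xor(h(id_i, pw_i), h(self.K))   # N_i = h(ID_i||PW_i) XOR h(K)
        return SmartCard(id_i, n_i, h(pw_i), self.x_a)

    def verify_login(self, did_i: bytes, c_i: bytes, t: int, t_star: int) -> bool:
        if not 0 <= t_star - t <= DELTA_T:   # step 1: (T* - T) <= delta T
            return False
        hidpw_star = xor(did_i, h(self.x_a, ts(t)))   # step 2: h(ID_i||PW_i)* = DID_i XOR h(x_a||T)
        c_star = h(xor(hidpw_star, h(self.K)), self.x_a, ts(t))   # C_i* = h((h(..)* XOR h(K))||x_a||T)
        return c_i == c_star                 # step 3


def pad_for_time(card: SmartCard, id_j: bytes, pw_j: bytes, t: int) -> bytes:
    # Section 3.2: a registered user U_j, using only his own card at time T,
    # cancels his own h(ID_j||PW_j) out of DID_j and is left with h(x_a||T),
    # the pad that every user's DID at time T is masked with.
    did_j, _, _ = card.login(id_j, pw_j, t)
    return xor(did_j, h(id_j, pw_j))


def demo() -> dict:
    gw = Gateway()
    card_i = gw.register(b"alice", b"pw-alice")   # constructed users U_i and U_j
    card_j = gw.register(b"bob", b"pw-bob")
    t = 1_000_000
    did_i, c_i, _ = card_i.login(b"alice", b"pw-alice", t)     # U_i's request, seen by U_j
    recovered = xor(did_i, pad_for_time(card_j, b"bob", b"pw-bob", t))   # = h(ID_i||PW_i)
    # With h(ID_i||PW_i) in hand, DID_i for any later T' follows from U_j's own pad.
    t2 = t + 3600
    did_i_t2 = xor(recovered, pad_for_time(card_j, b"bob", b"pw-bob", t2))
    genuine_t2, _, _ = card_i.login(b"alice", b"pw-alice", t2)
    return {
        "login_ok": gw.verify_login(did_i, c_i, t, t + 2),
        "stale_rejected": gw.verify_login(did_i, c_i, t, t + DELTA_T + 1),
        "hidpw_recovered_by_insider": recovered == h(b"alice", b"pw-alice"),
        "did_i_reproduced_for_new_time": did_i_t2 == genuine_t2,
    }
```

The design lesson is that a mask derived only from a shared secret and a public timestamp is a group-wide pad; the protocol of Section 4 avoids this by deriving a per-user key K_i = h(x, ID_i) at the gateway instead.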

3.3 The Nyang Authentication Protocol

The Nyang authentication protocol [7] is an augmentation of the Das protocol. It uses h(ID_i||PW_i||x_a) instead of h(ID_i||PW_i) for the system secret N_s calculation in order to prevent an off-line password guessing attack in the Das protocol (see [7]) and introduces a symmetric key x_n for the sensor node S_n in order to establish a secure channel between the user and sensor node.

Although the Nyang protocol solves some issues in the Das protocol, it still suffers from sensor node and smart card compromising attacks since its system secret x_a is stored on both the sensor node and smart card, which makes the system weak with respect to tolerance and resilience. In addition, the Nyang protocol still retains many of the same features as the Das protocol, such as unilateral authentication, a fixed password, the requirement that the smart card and sensor node be equipped with a tamper-proof module, on-card computation, etc.

In order to improve the Das and Nyang protocols and provide strong authentication under the WSN resource-constrained environment, we present the following strong user authentication protocol and lightweight user authentication protocol.

4 LIGHTWEIGHT USER AUTHENTICATION PROTOCOL

The lightweight user authentication protocol we propose is based on smart card technology. The smart card can be integrated into the user's mobile devices with self-lock or destroy functionality for physical security. The protocol uses a hash to protect the system secret and consists of three phases: registration, authentication, and secure data transfer phases. Figure 3 depicts the data flow of the lightweight user authentication protocol.

Figure 3: Data Flow of the Lightweight User Authentication Protocol

4.1 Registration Phase

The system generates the following parameters: x, h(), and E_K(), and stores them into the gateway nodes, where x is the system secret. The registration center creates a user identity ID_i and remote access password PW_i, computes a long-term key K_i as K_i = h(x, ID_i) and B_i = K_i ⊕ PW_i for user U_i, stores ID_i, B_i, h(), and E_K() onto a new smart card, and sends the smart card with the password to the user in a secure way. The user knows nothing about the system secret x and K_i if he does not compromise his smart card physically and extract the parameter B_i, but can change passwords after receiving the smart card.


For password change, the smart card needs to update the data B_i stored in the card by B_i' = B_i ⊕ PW_i ⊕ PW_i', where PW_i is the old password and PW_i' is the new password. To do this, the protocol has two options. The first option does not require connecting to the registration centre. In it, the user needs to connect to the registration centre to re-setup his password if he inputs an incorrect one. The second option is that the user needs to go through the following authentication procedure and let the gateway node verify his old password first.

4.2 Authentication Phase

The authentication phase contains the following three steps.

Step 1: The user U_i inserts his smart card into his mobile device and keys a PIN or scans his finger for smart card access authentication. If the PIN or fingerprint verification is successful, the user then keys the remote access password. Unlike the strong user authentication, the smart card authenticates the user with the PIN or fingerprint but not the remote access password for smart card access. This provides an additional security feature against theft and compromise of the smart card, since we do not directly store the remote access password and system secret in the card.

The smart card recovers the user's long term key K_i by K_i = B_i ⊕ PW_i, and sends the following request message to the gateway node GW:

Message 1. U_i → GW: <ID_i, ID_GW, T_i, N_i, E_Ki(SK, Req), h(ID_i, ID_GW, SK, T_i, N_i, Req)>,

where T_i is the current timestamp of U_i's device, and SK is a session key generated by the smart card.

Step 2: Upon receiving the request message at time T_GW*, the gateway node GW validates the destination identity ID_GW and the timestamp T_i by comparing T_GW* - T_i ≤ ΔT. If the verification is successful, GW recovers the user's long-term key K_i by K_i = h(x, ID_i) and decrypts the ciphertext with K_i. It then validates the user and received message by checking the hash value. If they are correct, it sends the following authentication message back to the smart card:

Message 2. GW → U_i: <ID_GW, ID_i, T_GW, h(ID_GW, ID_i, SK, T_GW, Req)>,

where T_GW is the current timestamp of the gateway node.

Meanwhile, the gateway node sends the following message to the targeted sensor nodes:

Message 3. GW → S_g: <ID_GW, ID_g, ID_i, T_GW, N_i, E_Kg(SK, Req), h(ID_GW, ID_g, ID_i, SK, K_g, T_GW, N_i, Req)>,

where K_g is the group key of the sensor nodes having the requested data, ID_g is their group identity, and T_GW is the current timestamp of the gateway node. K_g is managed by the gateway and could be updated periodically depending on the different applications. K_g could also be a shared key between the gateway node and a specific sensor node in the situation where the requested data is stored only on that sensor node. For key management among sensor nodes and GWs such as group key and shared key establishment, we can use existing technologies (e.g., IKDM [17] and Key Evolution [18]), which is beyond the scope of this paper.

Step 3: After receiving the authentication message <ID_GW, ID_i, T_GW, h(ID_GW, ID_i, SK, T_GW, Req)> at time T_i*, the smart card validates the destination identity ID_i, the timestamp T_GW by comparing T_i* - T_GW ≤ ΔT, and the received message by checking the hash value. If the authentication is successful, it waits for the data from the sensor nodes.


4.3 Secure Data Transfer Phase

Upon receiving the message sent by the gateway node at time T*, the sensor nodes check the group identity ID_g and validate the timestamp T_GW by T* - T_GW ≤ ΔT. The sensor nodes decrypt the ciphertext with the group key K_g and validate the received message by checking the hash value. If the authentication is successful, the sensor nodes send the requested data to the user through the following secure channel:

Message 4. S_g → U_i: <ID_g, ID_i, ID_GW, E_SK(Data), h(ID_g, ID_i, ID_GW, SK, N_i, Data)>.

The user decrypts the data with the session key SK after receiving the message from the sensor nodes and validates the received message by checking the hash value.
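The registration, on-card password change and the Message 1 / Message 2 exchange of Sections 4.1 and 4.2, as an added Python model that is not the authors' code. It assumes SHA-256 over length-prefixed fields for h(), a SHA-256 counter-mode keystream as a stand-in for the unspecified cipher E_K(), a random nonce for the undefined field N_i, and a zero-padded password for the XOR with the 32-byte K_i; the gateway side shows that only x is needed, with no password or key table, and that a wrong password, a tampered ciphertext and a stale timestamp are all rejected.

```python
import hashlib
import hmac
import os
import struct

# Added model of Section 4: registration (4.1), on-card password change, and
# Messages 1 and 2 of the authentication phase (4.2); not the authors' code.
# Assumptions: h(a, b, ...) is SHA-256 over length-prefixed fields; E_K() is a
# SHA-256 counter-mode keystream XOR standing in for the unspecified cipher;
# N_i (not defined on the page) is a random nonce; timestamps are integer
# seconds; PW_i is zero-padded to the 32-byte length of K_i before the XOR.

DELTA_T = 5        # assumed transmission-delay window, seconds
ID_GW = b"gw-01"   # constructed gateway identity
KEY_LEN = 32

def h(*fields: bytes) -> bytes:
    # Length-prefixing keeps h(a, bc) and h(ab, c) distinct.
    return hashlib.sha256(b"".join(struct.pack(">I", len(f)) + f for f in fields)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def pad_pw(pw: bytes) -> bytes:
    return pw.ljust(KEY_LEN, b"\0")[:KEY_LEN]

def enc(key: bytes, data: bytes) -> bytes:
    # E_K(): toy keystream cipher; XOR makes encryption and decryption the same call.
    stream = b"".join(hashlib.sha256(key + struct.pack(">I", c)).digest()
                      for c in range((len(data) + 31) // 32))
    return xor(data, stream[:len(data)])

def ts(t: int) -> bytes:
    return str(t).encode()

class SmartCard:
    # Stores only ID_i and B_i: neither x, K_i nor the password is on the card.
    def __init__(self, id_i: bytes, b_i: bytes):
        self.id_i, self.b_i = id_i, b_i

    def change_password(self, old_pw: bytes, new_pw: bytes) -> None:
        # Section 4.1, first option: B_i' = B_i XOR PW_i XOR PW_i', no gateway contact.
        self.b_i = xor(xor(self.b_i, pad_pw(old_pw)), pad_pw(new_pw))

    def build_request(self, pw_i: bytes, req: bytes, t_i: int):
        k_i = xor(self.b_i, pad_pw(pw_i))   # K_i = B_i XOR PW_i (wrong PW gives wrong K_i)
        sk, n_i = os.urandom(KEY_LEN), os.urandom(16)
        msg1 = (self.id_i, ID_GW, t_i, n_i, enc(k_i, sk + req),
                h(self.id_i, ID_GW, sk, ts(t_i), n_i, req))     # Message 1
        return msg1, sk

    def verify_response(self, msg2, sk: bytes, req: bytes, t_i_star: int) -> bool:
        id_gw, id_i, t_gw, tag = msg2       # Step 3: identity, freshness, then hash
        if id_i != self.id_i or id_gw != ID_GW or not 0 <= t_i_star - t_gw <= DELTA_T:
            return False
        return hmac.compare_digest(tag, h(id_gw, id_i, sk, ts(t_gw), req))

def issue_card(x: bytes, id_i: bytes, pw_i: bytes) -> SmartCard:
    # Registration center: K_i = h(x, ID_i), B_i = K_i XOR PW_i.
    return SmartCard(id_i, xor(h(x, id_i), pad_pw(pw_i)))

class Gateway:
    # Holds x only; no password or long-term key table is needed (Section 5.1.6).
    def __init__(self, x: bytes):
        self.x = x

    def handle_request(self, msg1, t_gw_star: int, t_gw: int):
        id_i, id_gw, t_i, n_i, ct, tag = msg1   # Step 2
        if id_gw != ID_GW or not 0 <= t_gw_star - t_i <= DELTA_T:
            return None
        pt = enc(h(self.x, id_i), ct)       # K_i recomputed from x and ID_i, then decrypt
        sk, req = pt[:KEY_LEN], pt[KEY_LEN:]
        if not hmac.compare_digest(tag, h(id_i, id_gw, sk, ts(t_i), n_i, req)):
            return None                     # wrong password, tampering, or wrong x
        return (ID_GW, id_i, t_gw, h(ID_GW, id_i, sk, ts(t_gw), req)), sk   # Message 2

def demo() -> dict:
    x = os.urandom(KEY_LEN)                 # constructed system secret
    card, gw = issue_card(x, b"alice", b"old-pw"), Gateway(x)
    card.change_password(b"old-pw", b"new-pw")
    msg1, sk = card.build_request(b"new-pw", b"read temp", 1000)
    out = gw.handle_request(msg1, 1002, 1002)
    auth_ok = out is not None and out[1] == sk and card.verify_response(out[0], sk, b"read temp", 1003)
    bad_pw, _ = card.build_request(b"wrong", b"read temp", 1000)
    tampered = list(msg1)
    tampered[4] = bytes([msg1[4][0] ^ 1]) + msg1[4][1:]   # flip one ciphertext bit
    return {
        "auth_ok": auth_ok,
        "wrong_password_rejected": gw.handle_request(bad_pw, 1002, 1002) is None,
        "tampered_rejected": gw.handle_request(tuple(tampered), 1002, 1002) is None,
        "stale_rejected": gw.handle_request(msg1, 1000 + DELTA_T + 1, 1006) is None,
    }
```

Length-prefixing the fields of h(...) is a detail the paper leaves open; without it two different field splits can hash to the same value, so a deployment should fix a field encoding.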

5 ANALYSIS OF THE PROTOCOLS

In this section, we analyze the security of the new authentication protocol and demonstrate its strength with respect to security and efficiency.

5.1 Security Characteristics

Some security characteristics of the new protocol are examined below.

5.1.1 Security of the System Secret

The security of the new authentication protocol relies on the system secret x. In the proposed protocol, only the gateway nodes contain the system secret x, which is protected with tamper-resistant technology. It is difficult for an intruder to re-compute or recover a user U_i's long-term key K_i based only on the identity ID_i without knowing x. In order to recover the system secret x, the user needs to break the hash function from K_i = h(x, ID_i).

We stress that the proposed protocol does not store any system secret on the smart cards or sensor nodes. The intruders cannot get any information about the system secret by capturing and compromising the sensor nodes since the Shannon mutual information I(x, K_g) = 0 and I(x, M) = 0, where K_g is the group key of the sensor nodes, and M is the authentication message sent to the sensor nodes [19]. In addition, since the group key is updated periodically, this means captured and compromised nodes can only impact system security for applications related to the group key during a limited period. This provides forward and backward security for the system and provides for a system that has strong tolerance, robustness, and resilience.

5.1.2 Secure Channel

The new authentication protocol creates a secure channel between the user and gateway node or sensor nodes during authentication by establishing a shared session key between them. This provides protection for transferring data from the sensor nodes to the user, securing it against attacks such as eavesdropping, message modification, and data misdirection.


5.1.3 General Online Attacks

General online attacks for an authentication protocol include, among others, impersonation, replay, modification, and parallel session attacks. The protocol's ability to withstand these attacks is as follows:

- Impersonation Attack: In the proposed user authentication protocol, an impersonation attack could be launched from any of the user, gateway node, and sensor node sides. First, on the user side, it is infeasible for an intruder to create a pair of new user identity ID_i and corresponding long-term key K_i = h(x, ID_i) to impersonate a new user or an existing legitimate user U_i without knowledge of x, based on the keyed hash function [20]. From the gateway node side, without knowledge of the system secret x, an intruder cannot recover a legitimate user's long-term key, further decrypt the authentication request message and get the session key SK. Therefore, it cannot create the correct response message to the user. In addition, if the user wants to bypass the gateway node, even if he knows the session key, he still cannot create the corresponding request message for the sensor nodes without knowing the group key of the sensor nodes. From the sensor node side, an intruder cannot recover the session key without the group key in order to impersonate the sensor node to create a secure channel with the user.

- Replay Attack: The new protocol uses a timestamp to defend against replay attacks. This requires user devices and gateway nodes with good time synchronization.

- Modification Attack: In the proposed protocol, each authentication message is protected with the hash value that is calculated and protected with the session key. Without the session key, an intruder cannot create a valid hash value for a modified or forged authentication message. That is, the hash value links all parts of the authentication message together to make modification attacks very difficult.

- Parallel Session Attack: In the proposed user authentication protocol, the timestamp combined in the hash value provides the protection.

5.1.4 Side Channel Attack on Gateway Nodes

Side channel attacks such as timing and power monitoring on the gateway side should also be considered in the new protocol since the system secret is stored on it and the gateway node may be put in a hostile environment. If so, some computation with the system secret may leak extra sources of information such as timing or power consumption, which can be exploited to recover the system secret. In order to prevent these attacks, the gateway nodes should also be protected with special hardware or software such as adding a random delay, using isochronous mechanisms or an asynchronous CPU [21], or a PC-secure program [22], which are beyond the scope of this paper.

5.1.5 Mutual Authentication

In the new protocol, the user also authenticates the gateway node at the same time the gateway node authenticates the user. This provides secure protection against attacks such as intruders impersonating the gateway node and providing misleading data to the users.

5.1.6 Password Management

In the new authentication protocol, the user can freely choose and change passwords without any additional processing and management required on the registration and gateway sides, i.e., the registration center and gateway nodes do not know the user's password for smart card access after the user updates their password. This makes the system more robust against some insider attacks. Another advantage of the new system is that the password is independent of the system access authentication message. This makes the Shannon mutual information of the password and the system access authentication message equal to zero (i.e., I(PW, M) = 0) [19] and further strengthens the system against attacks such as password information leakage, password guessing, chosen-content, exhaustive password search, and chosen-plaintext attacks [16].

In addition, an attacker cannot access the network without the user's password even if he steals a smart card and extracts the stored data. First, we do not store the password information in the smart card, which means the attacker cannot get the password from the card. Second, the attacker cannot recover the user's long-term key without the user's password even if he extracts the data B_i stored in the card. This protects the users when compared to most existing smart cards, which are vulnerable to physical attacks.

In the new system, the password and long-term key table are not required in the gateway nodes.

5.1.7 On-Card Computation

On-card computation is not mandatory for the new protocol. A user can have the registration center store the data that would otherwise be kept on the smart card on other smart devices, such as a PDA, since the data do not disclose any system secret. On-card computations using system secrets or their derivatives can expose these secrets to an additional range of attacks (such as power and timing analysis) should the smart card fall into the hands of an adversary.

Overall, the proposed method is more robust and tolerant of smart card and node compromise attacks, and more efficient, when compared to the Das and Nyang protocols. The key difference between the proposed method and the Das and Nyang protocols is that we do not store any system secret on the smart card or sensor node, since they can be compromised very easily in the real world, especially in tactical environments, which would then break the whole system.

5.2 Performance Analysis

In order to analyze the performance of the new protocol, we compare it with the Das [4] and Nyang [7] protocols. Table 1 gives a brief review of their performance, where the computational complexity of the symmetric key operations t_s is similar to that of the hash operations t_h (e.g., Feldhofer and Rechberger claim that AES [23] is even more efficient than SHA-256 [24] in resource-constrained devices such as RFIDs [25]).

In the proposed user authentication protocol, since the symmetric key operations t_s (i.e., encryption and decryption) are mainly used for establishing the secure channel, the computational complexity for authentication is 2 t_h, 4 t_h, and 1 t_h on the user, gateway node, and sensor node sides, respectively. Therefore, the new protocol is more efficient on the user side and has the same cost on the gateway node and sensor node sides when compared to the Das protocol. The overall costs for the new protocol are 1 t_s + 2 t_h, 2 t_s + 4 t_h, and 1 t_s + 1 t_h on the user side, gateway node side, and sensor node side, respectively. This is slightly more than the Das protocol on the gateway node and sensor node sides, but it is much better than the Nyang protocol on either side, especially on the sensor node side. In addition, the new protocol contains a secure channel establishment process, and its computational cost is well suited to most resource-constrained sensor nodes considering the security benefits of this small amount of additional computation.

6 CONCLUSION

In this paper, we analyzed the Das and Nyang user authentication protocols for wireless sensor networks, pointed out an unexpected weakness of both protocols, and demonstrated how other weaknesses could be exploited by a strong adversary. We further presented a lightweight user authentication protocol to address these issues. We analyzed the security and performance of the new authentication protocol and demonstrated that the new protocol has better security features, such as tolerance, mutual authentication, and secure channel establishment, without requiring on-card computation on the smart card. In addition, the new protocol has reasonable computational cost for resource-constrained sensor networks when compared to the protocols proposed by Das [4], Nyang et al. [7], Watro et al. [5], and Wong et al. [6]. These features should make it more suitable for security-sensitive deployments, such as tactical environments.

Table 1: Comparison of the User Authentication Protocols

Protocols / Performance                 | Lightweight User Authentication Protocol | Das Authentication Protocol | Nyang Authentication Protocol
Registration
  User Side                             | -             | -     | -
  Registration Center/Gateway Node Side | 1 t_h         | 3 t_h | 3 t_h
  Sensor Node Side                      | -             | -     | -
Authentication
  User Side                             | 1 t_s + 2 t_h | 4 t_h | 4 t_h
  Gateway Node Side                     | 2 t_s + 4 t_h | 4 t_h | 1 t_s + 8 t_h
  Sensor Node Side                      | 1 t_s + 1 t_h | 1 t_h | 1 t_s + 3 t_h
Security Features
  Tolerance                             | Yes           | No    | No
  Mutual Authentication                 | Yes           | No    | No
  Secure Channel Establishment          | Yes           | No    | Yes
  Smart Card On-card Computation        | No            | Yes   | Yes
  Password Management                   | Freely Change | Fixed | Fixed

t_s is a symmetric key computation, i.e., an encryption or decryption with a symmetric key; t_h is a hash computation.

Note: The computation cost of the symmetric key operations is similar to the hash operations.

REFERENCES

[1] C. W. Chang, A. Kothari, A. Jafri, D. Koutsonikolas, D. Peroulis, and Y. C. Hu, Radiating Sensor Selection for Distributed Beamforming in Wireless Sensor Networks, in Proceedings of the 2008 IEEE Military Communications Conference (MILCOM'08), San Diego, USA, November 2008.

[2] D. Pompili, T. Melodia, and I. F. Akyildiz, A CDMA-Based Medium Access Control for Under Water Acoustic Sensor Networks, IEEE Transactions on Wireless Communications, vol. 8, no. 4, pp. 1899-1909, April 2009.

[3] P. K. K. Loh, Y. Pan, and H. Jing, Performance Evaluation of Efficient and Reliable Routing Protocols for Fixed-Power Sensor Networks, IEEE Transactions on Wireless Communications, vol. 8, no. 5, pp. 2328-2335, May 2009.

[4] M. L. Das, Two-Factor User Authentication in Wireless Sensor Networks, IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1086-1090, March 2009.

[5] R. Watro, D. Kong, S. Cuti, C. Gardiner, C. Lynn, and P. Kruus, TinyPK: Securing Sensor Networks with Public Key Technology, in Proceedings of the ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN'04), Washington DC, USA, October 2004.

[6] K. H. M. Wong, Y. Zheng, J. Cao, and S. Wang, A Dynamic User Authentication Scheme for Wireless Sensor Networks, in Proceedings of the IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing (SUTC 2006), Taichung, Taiwan, June 2006.

[7] D. H. Nyang and M. K. Lee, Improvement of Das's Two-Factor Authentication Protocol in Wireless Sensor Networks, Cryptology ePrint Archive, Report 2009/631, December 21, 2009.

[8] E. Cayirci and C. Rong, Security in Wireless Ad Hoc and Sensor Networks, John Wiley & Sons, Ltd, United Kingdom, 2009.

[9] W. Heinzelman, J. Kulik, and H. Balakrishnan, Adaptive Protocols for Information Dissemination in Wireless Sensor Networks, in Proceedings of the 5th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom'99), Seattle, WA, August 1999.

[10] C. Intanagonwiwat, R. Govindan, and D. Estrin, Directed Diffusion: A Scalable and Robust Communication Paradigm for Sensor Networks, in Proceedings of the 6th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom'00), Boston, MA, August 2000.

[11] W. Heinzelman, A. Chandrakasan, and H. Balakrishnan, Energy-Efficient Communication Protocol for Wireless Sensor Networks, in Proceedings of the Hawaii International Conference on System Sciences, Hawaii, January 2000.

[12] D. Virmani and S. Jain, Quality of Service On-demand Power Aware Routing Algorithm for Wireless Sensor Networks, Communications in Computer and Information Science, vol. 70, pp. 281-289, Springer, April 2010.

[13] M. Tariq, Y. P. Kim, J. H. Kim, Y. J. Park, and E. H. Jung, Energy Efficient and Reliable Routing Scheme for Wireless Sensor Networks, in Proceedings of the 2009 IEEE International Conference on Communication Software and Networks, Los Alamitos, CA, USA, 2009.

[14] J. Elson, L. Girod, and D. Estrin, Fine-grained Network Time Synchronization Using Reference Broadcasts, in Proceedings of the 5th Symposium on Operating Systems Design and Implementation, Boston, MA, USA, December 2002.

[15] P. Sommer and R. Wattenhofer, Gradient Clock Synchronization in Wireless Sensor Networks, in Proceedings of the 8th ACM/IEEE International Conference on Information Processing in Sensor Networks (IPSN), San Francisco, USA, April 2009.

[16] R. Song, L. Korba, and G. Yee, Analysis of Smart Card-Based Remote User Authentication Schemes, in Proceedings of the 2007 International Conference on Security and Management (SAM'07), Las Vegas, USA, June 2007.

[17] Y. Cheng and D. P. Agrawal, An Improved Key Distribution Mechanism for Large-scale Hierarchical Wireless Sensor Networks, Journal of Sensor and Ad Hoc Networks, vol. 5, no. 1, pp. 35-48, Elsevier, January 2007.

[18] Z. Liu, J. Ma, Q. Pei, L. Pang, and Y. Park, Key Infection, Secrecy Transfer, and Key Evolution for Sensor Networks, IEEE Transactions on Wireless Communications, vol. 9, no. 8, pp. 2643-2653, August 2010.

[19] A. Menezes, P. van Oorschot, and S. Vanstone, Eds., Applied Cryptography, CRC Press, Inc., 1997.

[20] D. Stinson, Ed., Cryptography: Theory and Practice, CRC Press, Inc., 2002.

[21] L. Spadavecchia, A Network-based Asynchronous Architecture for Cryptographic Devices, Ph.D. Thesis, The University of Edinburgh, 2005.

[22] D. Molnar, M. Piotrowski, D. Schultz, and D. Wagner, The Program Counter Security Model: Automatic Detection and Removal of Control-Flow Side Channel Attacks, in Proceedings of the 14th USENIX Security Symposium, Baltimore, MD, USA, July 31-August 5, 2005.
[23] M. Feldhofer, J. Wolkerstorfer, and V. Rijmen, AES Implementation on a Grain of Sand, IEE Proceedings on Information Security, vol. 152, no. 1, pp. 13-20, 2005.

[24] L. Dadda, M. Macchetti, and J. Owen, The Design of a High Speed ASIC Unit for the Hash Function SHA-256 (384, 512), in 2004 Design, Automation and Test in Europe Conference and Exposition (DATE 2004), vol. 3, pp. 70-75, Paris, France, IEEE Computer Society, February 2004.

[25] M. Feldhofer and C. Rechberger, A Case Against Currently Used Hash Functions in RFID Protocols, Lecture Notes in Computer Science (LNCS), vol. 4277, pp. 372-381, Springer Berlin, 2006.