Open Access

ARTICLE

PSAP-WSN: A Provably Secure Authentication Protocol for 5G-Based Wireless Sensor Networks

Xuanang Li1, Shuangshuang Liu1, Saru Kumari2, Chien-Ming Chen1,*

1 Shandong University of Science and Technology, Qingdao, 266590, China
2 Department of Mathematics, Chaudhary Charan Singh University, Meerut, 250004, India

* Corresponding Author: Chien-Ming Chen.

(This article belongs to this Special Issue: Computational Intelligence Techniques for Securing Systems and Networks beyond 5G)

Computer Modeling in Engineering & Sciences 2023, 135(1), 711-732. https://doi.org/10.32604/cmes.2022.022667

Abstract

Nowadays, the widespread application of 5G has promoted rapid development in different areas, particularly in the Internet of Things (IoT), where 5G provides the advantages of higher data transfer rate, lower latency, and widespread connections. Wireless sensor networks (WSNs), which comprise various sensors, are crucial components of IoT. The main functions of WSN include providing users with real-time monitoring information, deploying regional information collection, and synchronizing with the Internet. Security in WSNs is becoming increasingly essential because of the across-the-board nature of wireless technology in many fields. Recently, Yu et al. proposed a user authentication protocol for WSN. However, their design is vulnerable to sensor capture and temporary information disclosure attacks. Thus, in this study, an improved protocol called PSAP-WSN is proposed. The security of PSAP-WSN is demonstrated by employing the ROR model, BAN logic, and ProVerif tool for the analysis. The experimental evaluation shows that our design is more efficient and suitable for WSN environments.


1  Introduction

Historically, communication modes have evolved constantly, progressing through carrier pigeons, post stations, wireless telegrams, fixed telephones, and mobile phones. Currently, most countries enjoy excellent Internet communication. Humans can control objects around them, as well as distant objects. Consequently, the Internet of Things (IoT) [1–3] emerged. In 1990, the world’s first IoT device, Xerox’s vending machine, appeared. In 1999, Professor Kevin Ashton of the Massachusetts Institute of Technology first proposed the definition of the IoT [4]. Controlling distant things through IoT has since moved from theory to practice. However, the slow transmission speed of information in the IoT, high latency, and limited support for connected devices are significant problems. 5G has emerged to solve these problems [5,6], providing higher data transfer rates, lower latency, and more connections to facilitate the efficient application of IoT worldwide [7]. Currently, IoT has been deployed in various applications [8–10].

In the last two or three decades, people’s lives have continuously improved with the vigorous development of the Internet. Expectations for quality of life have generally increased. However, traditional electronic devices cannot meet the growing needs of people. With the rapid development of IoT, sensors joined IoT to form wireless sensor networks (WSNs) [11–13], meeting people’s needs for work, production, study, entertainment, and other aspects. Sensors are ubiquitous in everyday life. As shown in Fig. 1, different types of sensors are deployed in homes, hospitals, schools, and other environments. In hospitals, patients are equipped with sensors to self-monitor physiological indicators, and doctors can remotely analyze these data to provide timely medical services to patients. Sensors are placed in schools or homes to collect temperature, carbon monoxide, or pyroelectric data.


Figure 1: Wireless sensor network environment

Although WSNs make people’s lives more efficient and convenient, they also create security problems [14–16]. For example, in 2016, a massive network outage in the eastern United States was caused by hackers who exploited vulnerabilities in communication protocols through a distributed denial-of-service attack [17,18]. Therefore, security is a significant problem that must be solved in WSNs [19,20]. In a typical WSN, two vital security issues must be carefully considered. First, because all sensing data are transmitted through a public channel, the data must be encrypted. Second, all members in a WSN should authenticate each other before sending data [21,22]. Many authentication protocols have been proposed to overcome these two security issues [23–25].

Recently, Yu et al. [26] proposed an authentication protocol called SLUA-WSN, declaring that it is secure against various attacks. Nevertheless, their design remains insecure against temporary information disclosure and sensor capture attacks [26]. To address these vulnerabilities, in this study, a novel authentication protocol, called PSAP-WSN, is proposed. To demonstrate that PSAP-WSN is secure and addresses the vulnerability issues, the ROR model, BAN logic, and ProVerif tools, which are three effective methods for proving the security of an authentication protocol, were employed. In addition, a performance evaluation was conducted to demonstrate that PSAP-WSN is suitable for WSN environments.

The remainder of this paper is organized as follows. In Sections 2 and 3, related work and Yu et al.’s protocol are described, respectively. In Section 4, it is demonstrated that Yu et al.’s protocol is insecure. In Section 5, new solutions are proposed. In Sections 6 and 7, a security analysis and performance evaluation are provided, respectively.

2  Related Work

5G requires powerful security and privacy solutions because it connects all aspects of a communication network. Various security mechanisms have been proposed for 5G applications. In 2019, Lu et al. [27] recognized the crucial challenges of security and privacy in 5G vehicle-to-everything. In 2020, Liu et al. [28] proposed a federated learning framework to make 5G environments secure. In 2021, Afaq et al. [29] recognized essential security issues in 5G networks. Then, Yahaya et al. [30] proposed a privacy handover scheme for SDN-based 5G networks. In 2022, Yahaya et al. [30] provided an energy trading model for a 5G-deployed smart community based on blockchain technology.

Various authentication protocols have been proposed for WSNs. In 2015, Chang et al. [31] proposed an authentication protocol for protecting user privacy. However, some parameters of their protocols are not protected. Anonymity and backward confidentiality attacks may occur when users lose their smart cards. In 2017, Lu et al. [32] presented a three-factor authentication protocol with anonymity. In 2019, Mo et al. [33] analyzed Lu et al.’s protocol and concluded that it did not provide three-factor security. Therefore, an improved protocol was proposed. In 2020, Yu et al. [26] indicated that their protocol [33] was insecure against camouflage and session key exposure attacks. In addition, this protocol [33] does not provide anonymity. In 2020, Almuhaideb et al. [34] analyzed Yu et al.’s protocol and noted loopholes. Security problems occur if an adversary obtains both random numbers and sensitive information stored in a smart card. However, we believe that this attack is not reasonable because an adversary should simultaneously obtain two types of secret information.

3  Revisit SLUA-WSN

Here, Yu et al.’s design, which consists of sensor registration, user registration, and login and authentication phases, is revisited. The symbols and notations used are listed in Table 1.


3.1 Sensor Registration Phase

Assuming that a sensor Sj desires to enter a WSN, Sj must register with the gateway GWN first. GWN selects identity SIDj for Sj and calculates Xj = h(SIDj||KGWN). Subsequently, GWN transmits {SIDj,Xj} to Sj.

3.2 User Registration Phase

1.    Ui enters his IDi, PWi, and BIOi and then calculates Gen(BIOi) = (Ri, Pi) and MPWi = h(PWi||Ri), where Gen is a fuzzy extractor operation. Ui then transmits {IDi, MPWi} to GWN.

2.    GWN generates Rg and calculates MIDi = h(IDi||h(KGWN||Rg)), Xi = h(MIDi||Rg||KGWN), Qi = h(MIDi||MPWi) ⊕ Xi, and Wi = h(MPWi||Xi). GWN deposits Rg in its own database and further issues a smart card storing {MIDi, Qi, Wi} to Ui.

3.3 Login and Authentication Phase

1.    With the smart card, Ui inputs IDi, PWi, and BIOi, and obtains Ri = Rep(BIOi, Pi), where Rep is another fuzzy extractor operation. Ui then calculates MPWi = h(PWi||Ri), Xi = h(MIDi||MPWi) ⊕ Qi, and Wi = h(MPWi||Xi), and verifies whether the computed Wi is equal to the Wi stored in the smart card. If they are equal, Ui generates Ru and T1 and calculates M1 = Xi ⊕ Ru, CIDi = (IDi||SIDj) ⊕ h(MIDi||Ru||Xi), and MUG = h(IDi||Ru||Xi||T1). Now, Ui transmits {M1, MIDi, CIDi, MUG, T1} to GWN.

2.    GWN examines the freshness of T1 and obtains MUG by calculating Xi = h(MIDi||Rg||KGWN), Ru = M1 ⊕ Xi, and (IDi||SIDj) = CIDi ⊕ h(MIDi||Ru||Xi). GWN compares the computed MUG with the received MUG. If they are equal, GWN calculates M2 = (Ru||Rg) ⊕ h(SIDj||Xj||T2) and MGS = h(MIDi||SIDj||Ru||Rg||Xj||T2) and then transmits {M2, MIDi, MGS, T2} to Sj.

3.    Sj examines the freshness of T2 and calculates (Ru||Rg) = M2 ⊕ h(SIDj||Xj||T2) and MGS = h(MIDi||SIDj||Ru||Rg||Xj||T2). Sj checks whether the computed MGS and the received MGS are equal. Next, Sj generates Rs and T3, calculates M3 = Rs ⊕ h(Ru||SIDj||Xj||T3) and MSG = h(Rs||Rg||SIDj||Xj||T3), and finally calculates the session key SK = h(Ru||Rs) and MSU = h(SK||Rs||Ru||SIDj||MIDi). Now, Sj transmits {M3, MSG, MSU, T3} to GWN.

4.    GWN calculates Rs = M3 ⊕ h(Ru||SIDj||Xj||T3) and MSG = h(Rs||Rg||SIDj||Xj||T3) after checking the freshness of T3. GWN then checks whether the computed MSG and the received MSG are equal. Next, GWN computes MIDinew = h(IDi||h(KGWN||Rg)), Xinew = h(MIDinew||Rg||KGWN), M4 = (MIDinew||Xinew||Rs||Rg) ⊕ h(MIDi||Xi||T4), and MGU = h(Ru||Rg||MIDi||Xi||T4). Thereafter, GWN transmits {M4, MSU, MGU, T4} to Ui.

5.    Ui first examines the freshness of T4 and calculates (MIDinew||Xinew||Rs||Rg) = M4 ⊕ h(MIDi||Xi||T4) and MGU = h(Ru||Rg||MIDi||Xi||T4). In addition, Ui verifies whether the computed MGU is equal to the received MGU. If they are equal, Ui obtains the session key SK = h(Ru||Rs).

4  Attacks on the SLUA-WSN Protocol

This section analyzes the SLUA-WSN protocol [26]. The adversary model utilized in this study is presented, demonstrating that SLUA-WSN is insecure against sensor node capture and temporary information leakage attacks.

4.1 Adversary Model

The Dolev-Yao (DY) model [35] is a widely used and reasonable adversary model for analyzing authentication protocols [36]. Under the DY model, the protocol can be thoroughly and reasonably cryptanalyzed. Therefore, the DY model was used as the adversary model with A utilized to denote an attacker; the detailed attack capability is described below:

1.    A can intercept/modify/delete messages submitted via a public channel.

2.    A can steal temporary variables used in the process of an authentication protocol.

3.    A can crack parameters stored in a smart card [37], implying that, once the user’s smart card is stolen, sensitive parameters in this smart card will also be compromised by A.

4.    A can capture the sensor and obtain the information stored in it.

4.2 Sensor Node Capture Attack

According to the DY model, after capturing a sensor, A can capture the sensitive parameters stored therein. Various authentication protocols have considered this attack [38–41].

Assume that A captures a sensor Sj, and then A performs the following steps:

1.    A obtains {SIDj,Xj} stored in Sj.

2.    A intercepts {M1,M2,M4,MIDi,CIDi,MGS,MUG,T1,T2,T4} via a public channel.

3.    A obtains (Ru||Rg) by computing M2 ⊕ h(SIDj||Xj||T2).

4.    With Ru and M1, A can have Xi.

5.    Now, A will have Rs by computing M4 ⊕ h(MIDi||Xi||T4).

6.    Eventually, A can have SK because SK=h(Ru||Rs).

Evidently, the SLUA-WSN protocol [26] cannot effectively resist sensor node capture attacks.

4.3 Temporary Information Leakage Attack

As mentioned in the adversary model, A steals temporary variables during the authentication process. Various authentication protocols have considered this attack [41–43].

Suppose that A obtains {Ru}, which is a temporary variable in this protocol. The following steps are then performed:

1.    A intercepts {M1,M4,MIDi,T4} via a public channel.

2.    A obtains Xi by computing Ru ⊕ M1.

3.    A obtains (MIDinew||Xinew||Rs||Rg) by computing M4 ⊕ h(MIDi||Xi||T4).

4.    Eventually, A obtains SK because SK=h(Ru||Rs).
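The two analyses in Sections 4.2 and 4.3 can be replayed against a simulated SLUA-WSN run to check that the message algebra really exposes SK. The following is an added example, not code from the paper: it assumes 32-byte fields, models h with SHAKE-256 so that an XOR mask can be as long as its operand, and uses constructed identities and timestamps.

```python
import hashlib
import secrets

L = 32  # assumed length in bytes of every identity, nonce, timestamp and hash field


def h(*parts: bytes, n: int = L) -> bytes:
    """h(a||b||...), modelled with SHAKE-256 so a mask can match its operand's length."""
    return hashlib.shake_256(b"".join(parts)).digest(n)


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def field(text: str) -> bytes:
    """Pad a constructed identifier or timestamp to the fixed field length."""
    return text.encode().ljust(L, b"\0")


def run_slua_session():
    """One honest SLUA-WSN login/authentication run (Section 3.3).

    The authenticators CIDi, MUG, MGS, MSG, MSU and MGU are omitted because
    neither analysis in Section 4 uses them.
    """
    k_gwn, rg = secrets.token_bytes(L), secrets.token_bytes(L)
    id_i, sid_j = field("user-01"), field("sensor-07")      # constructed identities
    t1, t2, t3, t4 = (field(f"T{k}") for k in range(1, 5))  # constructed timestamps
    xj = h(sid_j, k_gwn)                  # sensor registration: Xj
    mid_i = h(id_i, h(k_gwn, rg))         # user registration: MIDi
    xi = h(mid_i, rg, k_gwn)              # user registration: Xi

    ru = secrets.token_bytes(L)           # step 1 (Ui)
    m1 = xor(xi, ru)
    m2 = xor(ru + rg, h(sid_j, xj, t2, n=2 * L))             # step 2 (GWN)
    rs = secrets.token_bytes(L)           # step 3 (Sj)
    m3 = xor(rs, h(ru, sid_j, xj, t3))
    sk = h(ru, rs)
    mid_new = h(id_i, h(k_gwn, rg))       # step 4 (GWN)
    x_new = h(mid_new, rg, k_gwn)
    m4 = xor(mid_new + x_new + rs + rg, h(mid_i, xi, t4, n=4 * L))

    public = {"M1": m1, "M2": m2, "M3": m3, "M4": m4, "MIDi": mid_i,
              "T1": t1, "T2": t2, "T3": t3, "T4": t4}
    sensor_memory = {"SIDj": sid_j, "Xj": xj}   # what Sj stores after registration
    private = {"SK": sk, "Ru": ru}               # ground truth for the checks
    return public, sensor_memory, private


def sk_from_xi_and_ru(public, xi: bytes, ru: bytes) -> bytes:
    """Unmask M4 with h(MIDi||Xi||T4), take the Rs field, and derive SK = h(Ru||Rs)."""
    plain = xor(public["M4"], h(public["MIDi"], xi, public["T4"], n=4 * L))
    rs = plain[2 * L:3 * L]               # layout: MIDinew || Xinew || Rs || Rg
    return h(ru, rs)


def sk_from_captured_sensor(public, sensor_memory) -> bytes:
    """Section 4.2: sensor memory {SIDj, Xj} plus the public transcript."""
    ru_rg = xor(public["M2"],
                h(sensor_memory["SIDj"], sensor_memory["Xj"], public["T2"], n=2 * L))
    ru = ru_rg[:L]
    xi = xor(public["M1"], ru)            # M1 = Xi xor Ru
    return sk_from_xi_and_ru(public, xi, ru)


def sk_from_leaked_ru(public, ru: bytes) -> bytes:
    """Section 4.3: the temporary value Ru plus the public transcript."""
    xi = xor(ru, public["M1"])
    return sk_from_xi_and_ru(public, xi, ru)


if __name__ == "__main__":
    pub, mem, priv = run_slua_session()
    print("sensor capture exposes SK:", sk_from_captured_sensor(pub, mem) == priv["SK"])
    print("leaked Ru exposes SK:     ", sk_from_leaked_ru(pub, priv["Ru"]) == priv["SK"])
```

Both checks print True: the user's long-term Xi is masked in M1 only by Ru, and Rs travels in M4 masked only by values derivable from Xi.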

5  PSAP-WSN

This section describes, in detail, the proposed PSAP-WSN, which consists of the pre-processing, user registration, login, and authentication phases. The symbols used in PSAP-WSN are listed in Table 2.


5.1 Pre-Processing Phase

GWN has to prepare some parameters for the sensors before they are deployed. This phase does not significantly differ from the SLUA-WSN protocol [26]. Fig. 2 illustrates this process. The detailed steps are as follows:

(1)   GWN chooses the unique SUIDj for Sj and uses its own key KG to calculate UAj=h(SUIDj||KG). Then, GWN submits {SUIDj,UAj} to Sj.

(2)   Sj stores them in its local memory.


Figure 2: Pre-processing phase

5.2 User Registration Phase

All users need to register with GWN before entering the network. Assume that Ui desires to join this network; then, the user registration phase is initiated. In Fig. 3, the procedure followed in this phase is displayed. The detailed steps are as follows. Note that this phase is executed through a secure channel.

1.    Ui inputs UIDi, UPWi, and UBIOi and computes Gen(UBIOi) = (URi, UPi). Ui then calculates MUPWi = h(UPWi||URi) and encrypts MUPWi with GWN’s public key PU to obtain S. Thereafter, Ui sends {URi, UIDi, S} to GWN.

2.    GWN obtains MUPWi by decrypting S with its private key PR. Further, GWN generates Rn and calculates MUIDi = h(h(KG||Rn)||UIDi), UAi = h(KG||Rn||MUIDi), UBi = UAi ⊕ h(MUIDi||MUPWi), and UCi = h(MUPWi||UAi). GWN issues a smart card to Ui, which stores UBi, UCi, and MUIDi. GWN also stores Rn, URi, and S in its database.


Figure 3: User registration phase

5.3 Login and Authentication Phase

This phase is performed when the user is expected to connect to a specific sensor. Fig. 4 illustrates this process. Suppose that Ui wishes to connect to Sj; the following steps are then executed:

(1)   Ui inserts his smart card and inputs UBIOi, UIDi, and UPi. Ui then computes URi = Rep(BIOi, UPWi), MUPWi = h(UPWi||URi), UAi = h(MUIDi||MUPWi) ⊕ UBi, and UCi = h(MUPWi||UAi). The smart card checks whether the computed UCi equals the stored UCi. Subsequently, Ui generates Ru and T1 and calculates M1 = MUPWi ⊕ UIDi ⊕ UAi ⊕ Ru, CUIDi = h(MUIDi||UAi||Ru) ⊕ (SUIDi||UIDi), and KUG = h(UAi||Ru||UIDi||T1). Now, Ui transmits {M1, MUIDi, CUIDi, KUG, T1} to GWN.

(2)   GWN checks the freshness of T1. GWN calculates UAi = h(MUIDi||Rn||KG), Ru = UAi ⊕ M1 ⊕ UIDi ⊕ MUPWi, (UIDi||SUIDj) = CUIDi ⊕ h(MUIDi||UAi||Ru), and KUG = h(UAi||Ru||UIDi||T1). Now, GWN verifies whether the computed KUG is equal to the KUG that GWN received. If they are the same, GWN further calculates M2 = (Ru||Rg) ⊕ h(SUIDj||UAj||T2) and KGS = h(MUIDi||SUIDj||Ru||Rg||UAj||T2) and then sends {M2, MUIDi, MGS, T2} to Sj.

(3)   Sj confirms the freshness of T2 and computes (Ru||Rg) = h(SUIDj||UAj||T2) ⊕ M2 and KGS = h(MUIDi||SUIDj||Ru||Rg||UAj||T2). Now, Sj verifies the correctness of KGS. Then, Sj generates Rs and T3 and calculates N = ENCPU(Rs), KSG = h(Rs||Rg||SUIDj||UAj||T3), SK = h(Ru||Rs), and KSU = h(SK||Rs||Ru||SUIDj||MUIDi). Eventually, Sj transfers {N, KSG, KSU, T3} to GWN.

(4)   GWN confirms the freshness of T3 and computes Rs = DESPR(N) and KSG = h(Rs||Rg||SUIDj||UAj||T3). Then, GWN confirms the correctness of KSG. After that, GWN calculates MUIDinew = h(UIDi||h(KG||Rg)), UAinew = h(MUIDinew||Rg||Kg), M4 = h(MUIDi||UAi||T4) ⊕ (MUIDinew||UAinew||Rg), KGU = h(Ru||Rg||MUIDi||UAi||T4), MUPWi = DESPR(S), UCi = h(MUPWi||UAi), and MKU = Rs ⊕ UCi ⊕ URi. Now, GWN sends {MKU, M4, KSU, KGU, T4} to Ui.

(5)   Ui checks the freshness of T4 and calculates (MUIDinew||UAinew||Rg) = M4 ⊕ h(MUIDi||UAi||T4), Rs = MKU ⊕ UCi ⊕ URi, and KGU = h(Ru||Rg||MUIDi||UAi||T4). Ui then verifies the correctness of KGU. After that, Ui calculates SK = h(Ru||Rs) and KSU = h(SK||Rs||Ru||SUIDj||MUIDi), and then checks the correctness of KSU. Furthermore, Ui calculates UBinew = h(MUIDinew||MUPWi) ⊕ UAinew and UCinew = h(MUPWi||UAinew), and then replaces MUIDi, UBi, UCi with MUIDinew, UBinew, UCinew.


Figure 4: Login and authentication phase

Finally, Ui and Sj both have SK=h(Ru||Rs) as a session key.

6  Security Analysis

This section demonstrates that PSAP-WSN is provably secure against different attacks, using BAN logic, ROR model, and ProVerif tool.

6.1 BAN Logic

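BAN Logic Rules

Message-meaning rule (R1) $\dfrac{U \mid\equiv U \overset{K}{\longleftrightarrow} G,\ U \triangleleft \{M\}_K}{U \mid\equiv G \mid\sim M}$, $\dfrac{U \mid\equiv U \overset{N}{\rightleftharpoons} G,\ U \triangleleft \langle M \rangle_N}{U \mid\equiv G \mid\sim M}$.

Nonce-verification rule (R2) $\dfrac{U \mid\equiv \#(M),\ U \mid\equiv G \mid\sim M}{U \mid\equiv G \mid\equiv M}$.

Jurisdiction rule (R3) $\dfrac{U \mid\equiv G \mid\Rightarrow M,\ U \mid\equiv G \mid\equiv M}{U \mid\equiv M}$.

Freshness rule (R4) $\dfrac{U \mid\equiv \#(M)}{U \mid\equiv \#(M,N)}$.

Belief rule (R5) $\dfrac{U \mid\equiv M,\ U \mid\equiv N}{U \mid\equiv (M,N)}$.

Session key rule (R6) $\dfrac{U \mid\equiv \#(M),\ U \mid\equiv G \mid\equiv M}{U \mid\equiv U \overset{K}{\longleftrightarrow} G}$.

Goals

G1 $U \mid\equiv U \overset{SK}{\longleftrightarrow} G$.

G2 $G \mid\equiv U \overset{SK}{\longleftrightarrow} G$.

G3 $U \mid\equiv G \mid\equiv U \overset{SK}{\longleftrightarrow} G$.

G4 $G \mid\equiv U \mid\equiv U \overset{SK}{\longleftrightarrow} G$.

G5 $S \mid\equiv S \overset{SK}{\longleftrightarrow} G$.

G6 $G \mid\equiv S \overset{SK}{\longleftrightarrow} G$.

G7 $S \mid\equiv G \mid\equiv S \overset{SK}{\longleftrightarrow} G$.

G8 $G \mid\equiv S \mid\equiv S \overset{SK}{\longleftrightarrow} G$.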

6.1.1 Idealizing Communication

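Msg1 $U \to G$: $\{M_1, MUID_i, CUID_i, K_{UG}, T_1\}$.

Msg2 $G \to S$: $\{M_2, MUID_i, K_{GS}, T_2\}$.

Msg3 $S \to G$: $\{N, K_{SG}, K_{SU}, T_3\}$.

Msg4 $G \to U$: $\{M_{KU}, M_4, K_{SU}, K_{GU}, T_4\}$.

Initial state assumptions

A1 $U \mid\equiv U \overset{UA_i}{\rightleftharpoons} G$.

A2 $G \mid\equiv U \overset{UA_i}{\rightleftharpoons} G$.

A3 $G \mid\equiv \#(R_u, R_s)$.

A4 $G \mid\equiv U \mid\Rightarrow (R_u)$.

A5 $G \mid\equiv \#(R_s)$.

A6 $U \mid\equiv \#(R_u, R_s)$.

A7 $U \mid\equiv G \mid\Rightarrow (R_u, R_s)$.

A8 $S \mid\equiv G \overset{UA_j, SUID_j}{\rightleftharpoons} S$.

A9 $G \mid\equiv S \overset{UA_j, SUID_j}{\rightleftharpoons} G$.

A10 $S \mid\equiv \#(R_u, R_s)$.

A11 $S \mid\equiv G \mid\Rightarrow (R_u, R_s)$.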

Detailed steps

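With Msg1 and using the seeing rule, we obtain

S1: $G \triangleleft \{\langle R_u \rangle_{UA_i}, MUID_i, CUID_i, K_{UG}, T_1\}$

Using S1, R1, and A2, we obtain

S2: $G \mid\equiv U \mid\sim (R_u)$

Using S2, under the assumption of A3 and nonce verification postulate R2, S3 can be obtained.

S3: $G \mid\equiv U \mid\equiv (R_u)$

With A4, R3, and S3, we obtain

S4: $G \mid\equiv (R_u)$

Similarly, we obtain

S5: $G \mid\equiv (R_s)$

Because $SK = h(R_u \| R_s)$, using S4 and S5, we obtain

S6: $G \mid\equiv U \overset{SK}{\longleftrightarrow} G$ (G2).

With A3, A5, and R4, we obtain

S7: $G \mid\equiv U \mid\equiv U \overset{SK}{\longleftrightarrow} G$ (G4).

In addition, using Msg4, we obtain

S8: $U \triangleleft \{\langle R_s \rangle_{UA_i}, M_{KU}, K_{SU}, M_4, T_4\}$.

By using A1 and R1, we obtain

S9: $U \mid\equiv G \mid\sim (R_s)$

With S9, A6, and R2, we obtain

S10: $U \mid\equiv G \mid\equiv (R_s)$

Using A7, S9, and R3, we obtain

S11: $U \mid\equiv (R_s)$.

Thus,

S12: $U \mid\equiv (R_u)$.

Because $SK = h(R_u \| R_s)$, using S11 and S12, we obtain

S13: $U \mid\equiv U \overset{SK}{\longleftrightarrow} G$ (G1)

With S13, A6, and R4, we obtain

S14: $U \mid\equiv G \mid\equiv U \overset{SK}{\longleftrightarrow} G$ (G3).

By considering the message Msg2, we obtain

S15: $S \triangleleft \{\langle R_u, R_s \rangle_{UA_j}, MUID_i, K_{GS}\}$

Using S15, R1, and A8, we obtain

S16: $S \mid\equiv G \mid\sim (R_u, R_s)$

Using S16, under the assumption of A10 and the nonce verification postulate R2, S17 can be obtained.

S17: $S \mid\equiv G \mid\equiv (R_u, R_s)$

Using A11, R3, and S17, we obtain

S18: $S \mid\equiv (R_u, R_s)$

Because $SK = h(R_u \| R_s)$, using S18, we obtain

S19: $S \mid\equiv G \overset{SK}{\longleftrightarrow} S$ (G5)

Using S19, A10, and R4, we obtain

S20: $S \mid\equiv G \mid\equiv S \overset{SK}{\longleftrightarrow} G$ (G7).

By considering message Msg3, we obtain

S21: $G \triangleleft \{\langle R_u, R_s \rangle_{SUID_j}, K_{GU}\}$

Using S21, R1, and A9, we obtain

S22: $G \mid\equiv S \mid\sim (R_u, R_s)$

Using S22, under the assumption of A3, A5, and nonce verification postulate R2, S23 can be obtained.

S23: $G \mid\equiv U \mid\equiv (R_u, R_s)$

Using A4, R3, and S2, we obtain

S24: $G \mid\equiv (R_u, R_s)$

Because $SK = h(R_u \| R_s)$, using S24, we obtain

S25: $G \mid\equiv S \overset{SK}{\longleftrightarrow} G$ (G6)

Using S25, A3, A5, and R4, we obtain

S26: $S \mid\equiv G \mid\equiv S \overset{SK}{\longleftrightarrow} G$ (G8).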

6.2 ROR Model

The well-known real-or-random (ROR) model [44] was used to demonstrate that PSAP-WSN is provably secure. The ROR model has been widely used in numerous studies. The PSAP-WSN has three entities: Ui, GWN, and Sj. In the proof, we define R={Hux,HGy,Hsz}, where Hux, HGy, and Hsz denote the x-th Ui, y-th GWN, and z-th Sj, respectively. In addition, A as an attacker can perform the following operations:

Execute(R): With Execute(R), A can obtain messages transmitted by Ui, GWN, and Sj through a public channel.

Send(R,M): A can receive or send messages transmitted between entities via Send(R,M).

Reveal(R): By performing Reveal(R), A can access the session key generated between various entities.

Hash(String): Using Hash(String), A can calculate the hash value of a fixed string.

Test(O): During the execution of the game, it is necessary to flip coin C to determine the probability that A can obtain SK. If C equals 1, the correct session key is obtained; if it equals 0, a string with the same length as the session key is obtained.

Theorem 1: Let $Adv_P^A$ denote the advantage of A in obtaining the SK between the communicators. $q_h$ and $q_s$ represent the number of Hash and Send queries, respectively, and $H$ and $B$ represent the range that can be accommodated by the hash function and the space size of the user password dictionary. The advantage of A in cracking SK satisfies $Adv_P^A \le q_h^2/|H| + 2q_s/|B|$.

Security proof

Proof: To prove Theorem 1, four games $Game_i$ ($i = 0, 1, 2, 3$) were created. The event that A wins $Game_i$ is denoted by $Adv_{Game_i}^A$, and the probability of A winning the game is $\Pr[Adv_{Game_i}^A]$.

Game0: In the first game, A does not perform any operation except for selecting bit b; therefore, the result of A against the protocol is $Adv_P^A = |2Adv_{Game_0}^A - 1|$.

Game1: In the second game, A performs the eavesdropping operations. A can intercept and eavesdrop on the information $\{M_1, MUID_i, CUID_i, K_{UG}, T_1\}$ and $\{N, K_{SG}, K_{SU}, T_3\}$ transmitted between communicators through a public channel. However, if A wants to obtain SK between the two communication parties by executing the Test operation, it must also know the random numbers $R_u$ and $R_s$ because $SK = h(R_u \| R_s)$. Therefore, even if A executes the Execute operation, the probability of obtaining the session key is the same as in Game0. Hence, $\Pr[Adv_{Game_0}^A] = \Pr[Adv_{Game_1}^A]$.

Game2: The Send operation and Hash query were added to the previous game. During the execution of the game, we found that $M_2$, $K_{UG}$, and $K_{SG}$ were protected by a hash function. If A wants to obtain SK, A must crack the hash function; however, A cannot successfully crack the hash function because of the collision resistance of the hash function. Thus, a conclusion can be drawn from the birthday paradox: $\Pr[Adv_{Game_2}^A - Adv_{Game_1}^A] \le q_h^2/2|H|$.

Game3: During the operation of this game, A attempts to estimate $UID_i$. In addition, A attempts to crack SK between $U_i$ and $S_j$ by intercepting the messages transmitted by the communicator through a public channel. However, random number $R_u$ can only be obtained using $U_i$’s password, because $R_u = UA_i \oplus M_1 \oplus UID_i \oplus MUPW_i$. In the proposed protocol, A can only send a limited number of Send requests to crack SK. Thus,

$\Pr[Adv_{Game_3}^A - Adv_{Game_2}^A] \le q_s/|B|$.

After executing the above four games, A can only win the game by guessing the correct bit b; thus,

$\Pr[Adv_{Game_3}^A] = 1/2$.

By sorting the above formulae, we obtain

$\frac{1}{2}Adv_P^A = |Adv_{Game_0}^A - 1/2| = |\Pr[Adv_{Game_1}^A] - \Pr[Adv_{Game_3}^A]| \le |\Pr[Adv_{Game_1}^A] - \Pr[Adv_{Game_2}^A]| + |\Pr[Adv_{Game_2}^A] - \Pr[Adv_{Game_3}^A]| = q_h^2/2|H| + q_s/|B|$

Subsequently, we obtain

$Adv_P^A \le q_h^2/|H| + 2q_s/|B|$. Therefore, it is proven that Theorem 1 is valid.

6.3 ProVerif

To further verify the security of the proposed PSAP-WSN, a well-known verification tool called ProVerif [45,46] was used. In this simulation, we define ch as a public channel and sch as a secure channel. SKi and SKj represent the session keys established by the user and the sensor node, respectively. In addition, PR and KG represent the gateway’s private and master keys, respectively. The simulation contained five events: UserStarted(), UserAuthed(), GatewayAcUser(), SjAcGateway(), and UserAcSj(). The defined parameters and function codes are presented in detail in Fig. 5.


Figure 5: Definition, queries, and events in the ProVerif tool

The results for ProVerif are shown in Fig. 6. We can see “Result not attacker (ski []) is true,” “RESULT not attacker(SKj[]) is true,” “RESULT inj-event(UserAuthed) ==> inj-event(UserStarted) is true,” “RESULT inj-event(GatewayAcSj) ==> inj-event(GatewayAcUser) is true,” “RESULT inj-event(SjAcGateway) ==> inj-event(GatewayAcSj) is true,” and “RESULT inj-event(UserAcSj) ==> inj-event (SjAcGateway) is true.” The results show that PSAP-WSN passes verification with the ProVerif tool.


Figure 6: Operation results

6.4 Security Requirement Analysis

Next, it is demonstrated that PSAP-WSN is secure against the following attacks.

6.4.1 Sensor Node Capture Attack

Because a sensor node is unattended, it is easily obtained by A to analyze the internal parameters. Assume A obtains SUIDj and UAj after capturing Sj. However, to obtain SK, A must know Ru and Rs simultaneously. Ru can be obtained through (Ru||Rg) = h(SUIDj||UAi||T2) ⊕ M2, where T2 and M2 are submitted via a public channel. Unfortunately, Rs is a temporary random number; therefore, the PSAP-WSN can resist this attack.

6.4.2 Temporary Information Disclosure Attack

This attack assumes that A can obtain a random number used in PSAP-WSN. If Ru is leaked, but UAi and UIDi are not obtained, only UIDi ⊕ UAi can be acquired, and no further operations can be performed. If Rg is leaked, but other parameters have not been analyzed, A cannot carry out the next operation. Thus, the PSAP-WSN can resist this type of attack.

6.4.3 Impersonation Attack

A can impersonate a user to send messages to GWN, but A cannot generate a request message M1,MUIDi,CUIDi,KUG. This is because A cannot obtain the user identity, biometrics, and random numbers; thus, PSAP-WSN can resist this attack.

6.4.4 Replay Attack

Suppose A performs a replay attack. However, when A attempts to send a request M1,MUIDi, CUIDi,KUG,T1, GWN verifies the freshness of the timestamp T1. Simultaneously, PSAP-WSN uses UAi, Ru, and UIDi to hash T1. For these reasons, it is concluded that PSAP-WSN can resist this attack.

6.4.5 Anonymity and Untraceability

In our design, neither UIDi is transferred, nor are there any devices to store UIDi. In addition, one-way hash function processing is performed for the places where UIDi is required; therefore, A cannot analyze UIDi in various ways. The user parameters MUIDi,UBi,UCi are updated after each authentication round. A cannot use the current information to infer previously transmitted information and cannot track the user; therefore, the proposed protocol can ensure anonymity and untraceability.

6.5 Security Comparisons

The proposed PSAP-WSN was compared with similar protocols. The primary attacks included A1: sensor node capture attack; A2: privileged insider attack; A3: temporary information disclosure attack; A4: impersonation attack; A5: replay attack; and A6: anonymity and untraceability attacks. The results in Table 3 confirm that PSAP-WSN provides sufficient security advantages compared with other protocols.


7  Performance Evaluation

This section evaluates the performance by experimentally calculating the computation and communication overhead.

7.1 Computation Comparisons

The three different types of devices used in the comparisons included the OPPO-R9 mobile phone, MI10-UTAR mobile phone, and ASUS-A456U notebook to represent the user, gateway, and sensor, respectively. The running times of the different functions for each device are listed in Table 4. In our experiment, the running times of symmetric encryption and asymmetric encryption were almost the same. In the experiment mentioned in [47], the running time of TR (rep operation) is nearly equal to Tm. Therefore, this setting was adopted in our experiment.


The experimental results are presented in Table 5. As shown in Table 5, the running times of the user, gateway, and sensor node were 15.055, 0.0825, and 0.11 ms, respectively. Although the running time of our design was not always optimal, the overall ranking was relatively high. In addition, the difference was also quite small. Most importantly, the protocols that have better running times are vulnerable to attacks. The results are illustrated in Fig. 7.


Figure 7: Running time

7.2 Communication Comparisons

Here, to discuss the communication overhead, the proposed protocol is compared with other related protocols. In the experiment, the settings in [26] were adopted, thereby assuming that the prime number, random nonce, identity, timestamp, and hash function are 160, 128, 32, 32, and 160 bits, respectively. The messages exchanged in our proposed protocol are {M1, MUIDi, CUIDi, KUG, T1}, {M2, MUIDi, MGS, T2}, {N, KSG, KSU, T3}, and {MKU, M4, KSU, KGU, T4}, whose sizes are denoted by (160 + 160 + 160 + 160 + 32 = 672 bits), (160 + 160 + 160 + 32 = 672 bits), (128 + 160 + 160 + 32 = 480 bits), and (160 + 160 + 160 + 32 = 672 bits), respectively. Table 6 lists the overhead for each protocol. It is observed that our design is not the best in terms of communication overhead, but the differences are not significant. However, the proposed method provides better security than these other protocols.


8  Conclusions

In this paper, first, Yu et al.’s protocol was reviewed and cryptanalyzed, thereby determining that it is vulnerable to sensor node capture attacks and temporary information disclosure attacks. Therefore, the PSAP-WSN protocol was proposed. Subsequently, PSAP-WSN was demonstrated to be provably secure, using BAN logic, the ROR model, and the Proverif tool. In addition, an adversarial attack was simulated against the proposed PSAP-WSN. The performance evaluation indicates that the PSAP-WSN has reasonable communication and computation overhead and is suitable for WSNs.

Funding Statement: The authors received no specific funding for this study.

Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.

References

  1. Khan, M. A., & Salah, K. (2018). IoT security: Review, blockchain solutions, and open challenges. Future Generation Computer Systems, 82, 395-411.
  2. Gubbi, J., Buyya, R., Marusic, S., & Palaniswami, M. (2013). Internet of Things (IoT): A vision, architectural elements, and future directions. Future Generation Computer Systems, 29(7), 1645-1660.
  3. Huang, X., Xiong, H., Chen, J., Yang, M. (2021). Efficient revocable storage attribute-based encryption with arithmetic span programs in cloud-assisted Internet of Things. IEEE Transactions on Cloud Computing. DOI 10.1109/TCC.2021.3131686.
  4. Ashton, K. (2009). That ‘Internet of Things’ thing. RFID Journal, 22(7), 97-114.
  5. Chettri, L., & Bera, R. (2019). A comprehensive survey on Internet of Things (IoT) toward 5G wireless systems. IEEE Internet of Things Journal, 7(1), 16-32.
  6. Shafique, K., Khawaja, B. A., Sabir, F., Qazi, S., & Mustaqim, M. (2020). Internet of Things (IoT) for next-generation smart systems: A review of current challenges, future trends and prospects for emerging 5G-IoT scenarios. IEEE Access, 8, 23022-23040.
  7. Khan, M. A., Alzahrani, B. A., Barnawi, A., Al-Barakati, A., & Irshad, A. (2022). A resource friendly authentication scheme for space–air–ground–sea integrated maritime communication network. Ocean Engineering, 250, 110894.
  8. Chaudhry, S. A., Irshad, A., Nebhen, J., Bashir, A. K., & Moustafa, N. (2021). An anonymous device to device access control based on secure certificate for internet of medical things systems. Sustainable Cities and Society, 75, 103322.
  9. Xiong, H., Chen, J., Mei, Q., & Zhao, Y. (2020). Conditional privacy-preserving authentication protocol with dynamic membership updating for vanets. IEEE Transactions on Dependable and Secure Computing, 19(3), 2089-2104.
  10. Khan, M. A., Ullah, I., Alkhalifah, A., Rehman, S. U., & Shah, J. A. (2021). A provable and privacy-preserving authentication scheme for UAV-enabled intelligent transportation systems. IEEE Transactions on Industrial Informatics, 18(5), 3416-3425.
  11. Chu, S. C., Dao, T. K., Pan, J. S., & Nguyen, T. T. (2020). Identifying correctness data scheme for aggregating data in cluster heads of wireless sensor network based on naive Bayes classification. EURASIP Journal on Wireless Communications and Networking, 2020(1), 52.
  12. Fan, F., Chu, S. C., Pan, J. S., Lin, C., Zhao, H. (2021). An optimized machine learning technology scheme and its application in fault detection in wireless sensor networks. Journal of Applied Statistics. DOI 10.1080/02664763.2021.1929089.
  13. Xue, X., & Chen, J. (2019). Using compact evolutionary tabu search algorithm for matching sensor ontologies. Swarm and Evolutionary Computation, 48, 25-30.
  14. Reddy, G. T., Kaluri, R., Reddy, P. K., Lakshmanna, K., Koppu, S. et al. (2019). A novel approach for home surveillance system using IoT adaptive security. Proceedings of International Conference on Sustainable Computing in Science, Technology and Management (SUSCOM), Amity University Rajasthan, Jaipur-India. DOI 10.2139/ssrn.3356525.
  15. Kumar, S. A., Vealey, T., Srivastava, H. (2016). Security in Internet of Things: Challenges, solutions and future directions. 2016 49th Hawaii International Conference on System Sciences (HICSS), pp. 5772–5781. Koloa, HI, USA.
  16. Jian, M. S., Wu, J. M. T. (2021). Hybrid Internet of Things (IoT) data transmission security corresponding to device verification. Journal of Ambient Intelligence and Humanized Computing.
  17. Abidoye, A. P., & Obagbuwa, I. C. (2018). DDOS attacks in WSNS: Detection and countermeasures. IET Wireless Sensor Systems, 8(2), 52-59.
  18. Kaushal, K., & Sahni, V. (2016). Early detection of DDOS attack in WSN. International Journal of Computer Applications, 134(13), 14-18.
  19. Soni, P., Pal, A. K., & Islam, S. H. (2019). An improved three-factor authentication scheme for patient monitoring using WSN in remote health-care system. Computer Methods and Programs in Biomedicine, 182, 105054.
  20. Modares, H., Salleh, R., Moravejosharieh, A. (2011). Overview of security issues in wireless sensor networks. 2011 Third International Conference on Computational Intelligence, Modelling & Simulation, pp. 308–311. Langkawi, Malaysia.
  21. Chen, C. M., Li, Z., Chaudhry, S. A., & Li, L. (2021). Attacks and solutions for a two-factor authentication protocol for wireless body area networks. Security and Communication Networks, 2021, 3116593.
  22. Azrour, M., Mabrouki, J., Guezzaz, A., & Farhaoui, Y. (2021). New enhanced authentication protocol for Internet of Things. Big Data Mining and Analytics, 4(1), 1-9.
  23. Wu, T. Y., Yang, L., Lee, Z., Chu, S. C., & Kumari, S. (2021). A provably secure three-factor authentication protocol for wireless sensor networks. Wireless Communications and Mobile Computing, 2021, 5537018. [Google Scholar] [CrossRef]
  24. Shafiq, A., Ayub, M. F., Mahmood, K., Sadiq, M., & Kumari, S. (2020). An identity-based anonymous three-party authenticated protocol for IoT infrastructure. Journal of Sensors, 2020, 1-17. [Google Scholar]
  25. Chen, C. M., Xiang, B., Wang, K. H., Yeh, K. H., & Wu, T. Y. (2018). A robust mutual authentication with a key agreement scheme for session initiation protocol. Applied Sciences, 8(10), 1789. [Google Scholar] [CrossRef]
  26. Yu, S., & Park, Y. (2020). SLUA-WSN: Secure and lightweight three-factor-based user authentication protocol for wireless sensor networks. Sensors, 20(15), 4143. [Google Scholar] [CrossRef]
  27. Lu, R., Zhang, L., Ni, J., & Fang, Y. (2019). 5G vehicle-to-everything services: Gearing up for security and privacy. Proceedings of the IEEE, 108(2), 373-389. [Google Scholar]
  28. Liu, Y., Peng, J., Kang, J., Iliyasu, A. M., & Niyato, D. (2020). A secure federated learning framework for 5G networks. IEEE Wireless Communications, 27(4), 24-31. [Google Scholar] [CrossRef]
  29. Afaq, A., Haider, N., Baig, M. Z., Khan, K. S., & Imran, M. (2021). Machine learning for 5G security: Architecture, recent advances, and challenges. Ad Hoc Networks, 123, 102667. [Google Scholar] [CrossRef]
  30. Yahaya, A. S., Javaid, N., Ullah, S., Khalid, R., & Javed, M. U. (2022). A secure and efficient energy trading model using blockchain for a 5G-deployed smart community. Wireless Communications and Mobile Computing, 2022, 1-27. [Google Scholar]
  31. Chang, I. P., Lee, T. F., Lin, T. H., & Liu, C. M. (2015). Enhanced two-factor authentication and key agreement using dynamic identities in wireless sensor networks. Sensors, 15(12), 29841-29854. [Google Scholar] [CrossRef]
  32. Lu, Y., Xu, G., Li, L., & Yang, Y. (2019). Anonymous three-factor authenticated key agreement for wireless sensor networks. Wireless Networks, 25(4), 1461-1475. [Google Scholar] [CrossRef]
  33. Mo, J., & Chen, H. (2019). A lightweight secure user authentication and key agreement protocol for wireless sensor networks. Security and Communication Networks, 2019, 2136506. [Google Scholar] [CrossRef]
  34. Almuhaideb, A. M., & Alqudaihi, K. S. (2020). A lightweight three-factor authentication scheme for whsn architecture. Sensors, 20(23), 6860. [Google Scholar] [CrossRef]
  35. Dolev, D., & Yao, A. (1983). On the security of public key protocols. IEEE Transactions on Information Theory, 29(2), 198-208. [Google Scholar] [CrossRef]
  36. Chen, C. M., & Liu, S. (2021). Improved secure and lightweight authentication scheme for next-generation IoT infrastructure. Security and Communication Networks, 2021, 6537678. [Google Scholar] [CrossRef]
  37. Kocher, P., Jaffe, J., Jun, B. (1999). Differential power analysis. Annual International Cryptology Conference, pp. 388–397. Santa Barbara, California, USA.
  38. Agadakos, I., Chen, C. Y., Campanelli, M., Anantharaman, P., Hasan, M. et al. (2017). Jumping the air gap: Modeling cyber-physical attack paths in the Internet-of-Things. Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and Privacy, pp. 37–48. Dallas, Texas, USA.
  39. Jokhio, S. H., Jokhio, I. A., & Kemp, A. H. (2012). Node capture attack detection and defence in wireless sensor networks. IET Wireless Sensor Systems, 2(3), 161-169. [Google Scholar] [CrossRef]
  40. Bharathi, M. V., Tanguturi, R. C., Jayakumar, C., Selvamani, K. (2012). Node capture attack in wireless sensor network: A survey. 2012 IEEE International Conference on Computational Intelligence and Computing Research, pp. 1–3. Tamilnadu, India.
  41. Wang, C., Wang, D., Tu, Y., Xu, G., & Wang, H. (2020). Understanding node capture attacks in user authentication schemes for wireless sensor networks. IEEE Transactions on Dependable and Secure Computing, 19(1), 507-523. [Google Scholar]
  42. Jiang, Q., Zeadally, S., Ma, J., & He, D. (2017). Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks. IEEE Access, 5, 3376-3392. [Google Scholar] [CrossRef]
  43. Abbasinezhad-Mood, D., Ostad-Sharif, A., Nikooghadam, M., & Mazinani, S. M. (2019). A secure and efficient key establishment scheme for communications of smart meters and service providers in smart grid. IEEE Transactions on Industrial Informatics, 16(3), 1495-1502. [Google Scholar] [CrossRef]
  44. Abdalla, M., Fouque, P. A., Pointcheval, D. (2005). Password-based authenticated key exchange in the three-party setting. International Workshop on Public Key Cryptography, Les Diablerets, Switzerland: Springer.
  45. Blanchet, B. (2013). Automatic verification of security protocols in the symbolic model: The verifier proverif. Foundations of Security Analysis and Design VII, pp. 54–87. Bertinoro, Italy, Springer.
  46. Cheval, V., Cortier, V., Turuani, M. (2018). A little more conversation, a little less action, a lot more satisfaction: Global states in proVerif. 2018 IEEE 31st Computer Security Foundations Symposium (CSF), pp. 344–358. Oxford, UK.
  47. Wu, F., Xu, L., Kumari, S., & Li, X. (2018). An improved and provably secure three-factor user authentication scheme for wireless sensor networks. Peer-to-Peer Networking and Applications, 11(1), 1-20. [Google Scholar] [CrossRef]
  48. Wang, C., Xu, G., & Sun, J. (2017). An enhanced three-factor user authentication scheme using elliptic curve cryptosystem for wireless sensor networks. Sensors, 17(12), 2946. [Google Scholar] [CrossRef]
  49. Li, X., Niu, J., Kumari, S., Wu, F., & Sangaiah, A. K. (2018). A three-factor anonymous authentication scheme for wireless sensor networks in Internet of Things environments. Journal of Network and Computer Applications, 103, 194-204. [Google Scholar] [CrossRef]
  50. Li, X., Peng, J., Obaidat, M. S., Wu, F., & Khan, M. K. (2019). A secure three-factor user authentication protocol with forward secrecy for wireless medical sensor network systems. IEEE Systems Journal, 14(1), 39-50. [Google Scholar] [CrossRef]

Cite This Article

Li, X., Liu, S., Kumari, S., Chen, C. (2023). PSAP-WSN: A Provably Secure Authentication Protocol for 5G-Based Wireless Sensor Networks. CMES-Computer Modeling in Engineering & Sciences, 135(1), 711–732.


This work is licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.