
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

IEEE SYSTEMS JOURNAL

A Secure Three-Factor User Authentication Protocol With Forward Secrecy for Wireless Medical Sensor Network Systems

Xiong Li, Jieyao Peng, Mohammad S. Obaidat, Fellow, IEEE, Fan Wu, Muhammad Khurram Khan, Senior Member, IEEE, and Chaoyang Chen, Member, IEEE

Abstract—The Internet of Things (IoT) enables all objects to connect to the Internet and exchange data via different emerging technologies, which makes intelligent identification and management a reality. Wireless sensor networks (WSNs), as a crucial basis of the IoT, have been applied in many fields such as smart health care and smart transportation. With the development of WSNs, data security has attracted more and more attention, and user authentication is a popular mechanism to ensure the information security of WSNs. Recently, many authentication mechanisms for wireless medical sensor networks (WMSNs) have been proposed, but most of the protocols cannot achieve local password change and forward secrecy while resisting the stolen smart card attack. To enhance the security of previous work, an ECC-based secure three-factor authentication protocol with forward secrecy for WMSNs is proposed in this paper. It utilizes a fuzzy commitment scheme to handle the biometric information. Meanwhile, the fuzzy verifier and honey_list techniques are used to resolve the contradiction between local password verification and the mobile device lost attack. The security of our protocol is evaluated by provable security, the ProVerif tool, and informal analysis. Besides, comparisons with the relevant protocols are given, and the results indicate that our protocol is robust and secure for WMSN systems.

Index Terms—Elliptic curve (EC) encryption, fuzzy commitment scheme (FCS), Internet of Things (IoT), user authentication, wireless medical sensor network (WMSN).

Manuscript received August 5, 2018; revised October 29, 2018 and January 6, 2019; accepted February 12, 2019. This work was supported in part by the Hunan Provincial Natural Science Foundation of China under Grant 2018JJ3191 and in part by the Open Foundation of the State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications under Grant SKLNST-2018-1-12. (Corresponding author: Xiong Li.)
X. Li is with the School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan 411201, China, and also with the State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China (e-mail: lixiongzhq@163.com).
J. Peng is with the School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan 411201, China (e-mail: pengvvvv@foxmail.com).
M. S. Obaidat is with the Electrical and Computer Engineering Department, Nazarbayev University, Astana 010000, Kazakhstan, and also with the King Abdullah II School of Information Technology, The University of Jordan, Amman 11942, Jordan (e-mail: msobaidat@gmail.com).
F. Wu is with the Department of Computer Science and Engineering, Xiamen Institute of Technology, Xiamen 361021, China (e-mail: conjurer1981@gmail.com).
M. K. Khan is with the Center of Excellence in Information Assurance, King Saud University, Riyadh 11653, Saudi Arabia (e-mail: mkhurram@ksu.edu.sa).
C. Y. Chen is with the School of Information Science and Engineering, Hunan University of Science and Technology, Xiangtan 411201, China (e-mail: chychen@ieee.org).
Digital Object Identifier 10.1109/JSYST.2019.2899580
1937-9234 © 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

I. INTRODUCTION

The Internet of Things (IoT) enables objects to connect to each other and exchange data via the Internet. By using different emerging technologies, such as radio frequency identification (RFID), sensor technology, and embedded system technology, the IoT makes the vision of intelligent identification and management a reality. A wireless sensor network (WSN) is an indispensable technical basis of the IoT, which provides data sources for IoT applications. A WSN usually consists of many sensor nodes which communicate with each other over wireless links. It is usually used to monitor the environmental conditions of a specific area via the information gathered by the sensor nodes. In the common architecture of a WSN, there are three kinds of participants, namely users, the gateway node, and sensor nodes. Sensor nodes are placed in the target area to collect environmental parameters, and then these parameters are transmitted to the gateway node through the wireless channel. These data can be accessed by legitimate users, and the fusion and analysis of these data help managers make appropriate decisions. At present, WSNs have important applications in many industrial fields, such as health care monitoring [1], intelligent transportation [2], and environmental monitoring [3]. Taking industrial health care as an example, the wireless medical sensor network (WMSN) can be used to construct a pervasive medical system [4]. Such a system can immediately identify a patient's emergency condition through its remote monitoring function, which can improve the quality of life of elders and children suffering from chronic diseases. Generally, the sensor nodes are resource-limited devices in computing, communication, and storage capabilities. Besides, the sensor nodes are often deployed in unattended environments, and their physical security cannot be guaranteed because nodes are easily compromised by adversaries. Therefore, the security of WSNs has become a great challenge, especially in WMSNs, where the security and privacy issues are more serious because medical data are patients' critical private information. Many mechanisms have been proposed to improve the security of WSNs and WMSNs, such as intrusion detection and key management. Since
it provides basic security services by verifying the validity of a user who wants to access the sensory data, identity authentication [5]–[8] is also a crucial security mechanism for WSNs and WMSNs.

A. Motivation and Contributions

Most authentication schemes for WSNs and WMSNs cannot achieve local password verification while defending against the stolen smart card attack/mobile device lost attack. This paper tries its best to reconcile this contradiction, and proposes a secure three-factor user authentication protocol (3FUAP) with forward secrecy for WMSNs. The contributions of this paper are as follows.
1) Besides the security flaws pointed out by Jiang et al. [9], such as the mobile device loss attack, sensor key exposure, and the de-synchronization attack due to unsuccessful delivery, we also show that the protocol in [10] is susceptible to a denial of service (DoS) attack due to a message replacement attack and cannot provide forward secrecy.
2) We design a 3FUAP with forward secrecy for WMSNs. An error-correcting code and the fuzzy commitment scheme (FCS) are adopted for biometric recognition, and elliptic curve cryptography (ECC) is employed to guarantee forward secrecy. Moreover, the proposed protocol adopts the fuzzy verifier and Honey_List techniques to balance local password verification against the mobile device lost attack.
3) We give an in-depth security analysis using the provable security method, and discuss the other security features of the new protocol. Besides, we compare the security and efficiency with other relevant protocols to show the advantages of our protocol.

B. Organization of the Paper

The remainder of the paper is organized as follows: Section II reviews recent related work on authentication for WSNs and WMSNs. Section III illustrates some preliminaries such as the threat model, ECC, and FCS. The cryptanalysis of Amin et al.'s protocol [10] is given in Section IV. The proposed 3FUAP for WMSNs is described in Section V. In Section VI, we evaluate the security features of the proposed scheme using different mechanisms, and also compare it with other related protocols. Finally, Section VII concludes the paper.

II. RELATED WORK

User authentication provides a basic security service for WSNs and WMSNs by verifying the validity of a user's identity. Researchers have done a lot of work on authentication for WSNs and WMSNs, and we briefly review part of the related work from three aspects, i.e., lightweight authentication for WSNs, ECC-based authentication for WSNs, and authentication protocols for WMSNs.

Due to the limited resources of sensor nodes, computing and communication efficiency are important indicators in the design of authentication protocols for WSNs. Therefore, lightweight authentication schemes for WSNs have been proposed. As a pioneering work, Wong et al. [11] proposed a dynamic password authentication method for WSNs in 2006, and it is lightweight because only XOR and hash operations are required. However, their protocol cannot stand against the stolen-verifier attack, and also suffers from a login cheat in which an adversary who knows a valid user's password can log in to the system [12]. Subsequently, in 2009, Das [12] proposed a two-factor authentication protocol to withstand the weaknesses of Wong et al.'s protocol [11]. However, the protocol of Das [12] was found susceptible to several kinds of attacks [13]. In 2012, Das et al. [14] proposed a user authentication scheme for hierarchical WSNs, and it is efficient since only lightweight operations like hashing and symmetric encryption are involved in their scheme. Furthermore, their scheme realized some ideal features like local password change and dynamic node addition. However, Wang et al. found that the scheme in [14] is susceptible to the insider attack, server master key disclosure, and the stolen smart card attack. Later, Xue et al. [15] designed a lightweight authentication with key agreement scheme for WSNs, which keeps efficiency while providing some ideal features. Unfortunately, He et al. [16] found that this scheme can be breached by the password-guessing attack, modification attack, and impersonation attack. In 2014, Turkanovic et al. [17] designed a lightweight authentication protocol for heterogeneous WSNs using a hash function, and they asserted that it can resist various malicious attacks and provide some ideal features like dynamic node addition. However, Amin [18] showed that the scheme in [17] is vulnerable to the stolen smart card attack, password-guessing attack, and user/sensor node impersonation attack, and that it also lacks mutual authentication. Later, some other lightweight authentication protocols [19], [20] for WSNs have been proposed.

Most lightweight protocols cannot ensure the security of the session key and cannot resist the smart card breach attack. Public key cryptography can provide a higher level of security; for example, He et al. [21] proposed a public key cryptography distributed signing protocol in the IEEE P1363 Standard, which allows two parties to generate a valid signature without revealing the entire private key of the user. Yeh et al. [22] first proposed an ECC-based authentication scheme for WSNs to improve the security of authentication in WSNs, which is suitable for environments with higher security requirements. In 2013, Shi and Gong [23] also proposed an ECC-based authentication scheme for WSNs. Later, some security weaknesses of these schemes were pointed out by Choi et al. [24], and they put forward an enhanced protocol. In 2015, Wu et al. [25] proposed a provably secure ECC-based authentication protocol for WSNs to address the off-line password guessing and user forgery attacks on the protocol in [24]. Hereafter, some ECC-based authentication protocols have been proposed by researchers to enhance the security features.

In 2012, Kumar et al. [26] designed a two-factor protocol for WMSNs, and claimed that it is secure against the known attacks. Unfortunately, He et al. [27] pointed out that Kumar et al.'s protocol [26] is vulnerable to the insider attack and off-line guessing attack. In 2016, Li et al. [28] stated that some weaknesses, such as the de-synchronization attack and the sensor node capture attack, can be mounted against the scheme
in [27]. Recently, Amin et al. [10] proposed an enhanced user authentication protocol for WMSNs, which uses a synchronous update mechanism to achieve user anonymity and untraceability. However, Jiang et al. [9] showed that their protocol is susceptible to the mobile device loss attack, sensor key exposure, and the de-synchronization attack due to unsuccessful delivery. On this basis, we point out that the protocol in [10] also suffers from DoS due to a message replacement attack, and cannot provide forward secrecy.

Although researchers have done a lot of work in this field, most of the previous work cannot achieve the functions of local password change and forward secrecy while resisting the stolen smart card attack.

III. PRELIMINARIES

To make our protocol more readable, this section briefly introduces some preliminaries of our protocol, i.e., the basis of ECs and the biometrics verification method combining an error-correcting code and FCS.

A. EC Over a Finite Field

ECC [29] refers to encryption algorithms based on ECs, which provide a higher level of security with shorter keys. Let $p > 3$ be a prime number. On the prime field $Z_p = \{0, 1, \ldots, p-1\}$, the points $(x, y) \in Z_p \times Z_p$ satisfying the equation $y^2 = x^3 + a \cdot x + b \pmod p$, along with a distinguished point $O$ at infinity, form an EC $E_p(a, b)$, where $a, b \in Z_p$ and $4a^3 + 27b^2 \neq 0 \pmod p$. For cryptographic applications, the algorithm can be designed on a subgroup $G$ of $E_p(a, b)$ with prime order $n$, which is generated by a point $P$. Besides, given an EC, point multiplication on the EC is calculated as repeated addition of a point. For example, suppose $P$ is a point on $E_p(a, b)$; then $sP$ is calculated as $sP = \underbrace{P + P + \cdots + P}_{s}$.

Most cryptographic applications of ECs are based on the following two commonly accepted intractable problems:

Definition 1: EC computational Diffie–Hellman problem (ECCDHP): Suppose $G$ is a subgroup of an EC over a finite field with prime order $n$, and $P$ is the generator of $G$. The ECCDHP is to calculate $abP$ when $aP$ and $bP$ are given. Let $Adv_A^{ECCDH}(t) = \Pr[A(G, P, aP, bP) = abP]$ denote the advantage of an algorithm $A$ in solving the ECCDHP in polynomial time $t$. Generally, there is no efficient algorithm to solve this problem, and $Adv_A^{ECCDH}(t)$ is negligible.

Definition 2: EC discrete logarithm problem (ECDLP): Given $Q \in E_p(a, b)$ with $Q = k \cdot P$, where $k \in Z_n^*$, the ECDLP is to calculate $k$ when $P$ and $Q$ are known. If the prime $p$ is large enough, it is computationally infeasible to recover $k$ from $Q$ and $P$.

B. Biometrics Verification With Error-Correcting Code and FCS

The original purpose of an error-correcting code is to transmit information over a noisy channel. Before the message $m$ is transmitted, the sender encodes it into a longer code $c$. Since $c$ contains redundant information, it is possible for the receiver to reconstruct $c$ and $m$ even if some bits are distorted during transmission. FCS combines an error-correcting code with cryptography, which makes the adversary unable to learn the committed value. However, it allows the committer to open the committed value in a fuzzy way, i.e., the committed value can be opened if the witness is close enough to the original witness. Since biometric information often contains noise, the FCS is very suitable for biometric verification. Please refer to [30] for detailed knowledge about error-correcting codes and FCS. Taking the Bose–Chaudhuri–Hocquenghem (BCH) code [31] as an example, we briefly introduce the idea of biometric verification using an error-correcting code and FCS.

In an $(n, k, t)$ BCH code, where $k < n$, there are three functions, i.e., $ENC$, $DEC$, and $f$. $ENC$ is a conversion function, which converts any $k$-bit binary string $K$ into an $n$-bit codeword $C$ such that $ENC(K) = C$. $DEC$ is the inverse conversion function, which retrieves the message $K$ from the codeword: $K = DEC(C)$. $f$ is a decoding function, which maps an arbitrary $n$-bit string to the nearest codeword with correction threshold $t$, i.e., for a codeword $C$ and an $n$-bit string $e$ of Hamming weight $\|e\| \le t$, $f(C \oplus e) = C$. Based on the BCH code, we can construct an FCS using a hash function for biometric verification. For a codeword $C$ and biometric information $BIO$, the corresponding commitment is $(h(C), BIO \oplus C)$. When biometric information $BIO'$ is input, if it is close enough to $BIO$ and the Hamming distance $\|BIO \oplus BIO'\| \le t$, then $C' = f(C \oplus BIO \oplus BIO') = C$, $h(C') = h(C)$, and the commitment is opened.

Here we make the following remarks on $BIO$ and $BIO'$:
1) If $BIO$ and $BIO'$ are input by one person, the Hamming distance is close to zero. We represent it as $\Pr[dis(BIO, BIO') < t] \ge 1 - \varepsilon_{fn}$, where $\varepsilon_{fn}$ refers to the "false negative" probability.
2) If $BIO_1$ and $BIO_2$ are input by different people, the Hamming distance is probably very high. We denote it as $\Pr[dis(BIO_1, BIO_2) > t'] \ge 1 - \varepsilon_{fp}$, where $t' > t$ and $\varepsilon_{fp}$ is the "false positive" probability.

IV. CRYPTANALYSIS OF AMIN et al.'s AUTHENTICATION PROTOCOL

Amin et al.'s protocol [10] contains five phases: setup, medical professional registration, patient registration, login and authentication, and password change. Due to space limitations, we omit the review of this scheme; readers can refer to [10]. In 2017, Jiang et al. [9] pointed out that Amin et al.'s protocol [10] is vulnerable to the mobile device loss attack, sensor key exposure, and the de-synchronization attack due to unsuccessful delivery. We further show that Amin et al.'s protocol [10] is susceptible to a DoS attack due to a message replacement attack and a message-blocking attack. In addition, their scheme cannot provide forward secrecy. The symbols used in the full paper are listed in Table I.

TABLE I: NOTATIONS

1) DoS Attack: In Amin et al.'s protocol [10], the synchronous renewal mechanism is adopted to achieve user anonymity and untraceability. In their protocol, $U_i$ updates a temporary identity $TID_i$ synchronously with $GW$ at the end of each session. Then, the adversary cannot track a specific user. We found that the synchronization mechanism of their protocol can be breached by two types of message replacement attacks, so their scheme is vulnerable to DoS. We illustrate such attacks in two cases as follows:

Case 1: In step 6 of the authentication phase of the protocol in [10], $GW$ submits the message $\{M_8, M_9, M_{10}, M_{11}\}$ to $U_i$, where $M_{11} = TID_i^{new} \oplus h(R_2 \oplus R_3)$ and $TID_i^{new}$ is a new temporary identity of $U_i$ generated by $GW$. $A$ intercepts the message and replaces it with $\{M_8, M_9, M_{10}, M_{11}^*\}$, where $M_{11}^* = M_{11} \oplus TID_A$ and $TID_A$ is a nonce produced by $A$. So after receiving the message $\{M_8, M_9, M_{10}, M_{11}^*\}$, $U_i$ retrieves $R_2$ and $R_3$ from $M_9$ and $M_8$, respectively. Then $U_i$ calculates $TID_i^* = M_{11}^* \oplus h(R_2 \oplus R_3) = M_{11} \oplus TID_A \oplus h(R_2 \oplus R_3) = TID_i^{new} \oplus h(R_2 \oplus R_3) \oplus TID_A \oplus h(R_2 \oplus R_3) = TID_i^{new} \oplus TID_A$, $SK' = h(h(ID_i \| R_1 \| R_2) \| R_2 \| R_3)$, and $M_{10}' = h(ID_i \| SK' \| R_3)$. Since $M_{10}$ has no relation to $TID_i$, $M_{10}'$ equals $M_{10}$, and $U_i$ updates $TID_i$ with $TID_i^{new} \oplus TID_A$. Hereafter, $GW$ updates $TID_i$ with $TID_i^{new}$ upon receiving the confirmation message from $U_i$. So we can see that the temporary identity synchronization mechanism between $U_i$ and $GW$ is breached by the message replacement attack. Then, the user cannot access services from the server anymore, and Amin et al.'s protocol [10] is vulnerable to the DoS attack.

Case 2: In step 7 of the authentication phase of the protocol in [10], $U_i$ updates $TID_i$ with $TID_i^{new}$ once the validity of $M_{10}$ is verified, and then sends a confirmation message to $GW$. $GW$ also updates $TID_i$ with $TID_i^{new}$ upon receiving the confirmation message. Therefore, if $A$ blocks the confirmation message during the authentication phase, the user updates $TID_i$ with $TID_i^{new}$ while $GW$ keeps $TID_i$ unchanged. Therefore, the temporary identity synchronization mechanism between $U_i$ and $GW$ can be breached by this type of message blocking attack. The user also cannot access the service anymore, and the protocol in [10] is susceptible to the DoS attack.

2) Lack of Forward Secrecy: We say a protocol provides forward secrecy if the leakage of the long-term secret keys does not lead to the compromise of previously established session keys. Here we assume that the attacker $A$ acquires the long-term key $K$ of the gateway node, and intercepts the message $\{M_3, M_4, M_5\}$ sent by $GW$ to $SN_j$ and the message $\{M_7, M_8\}$ sent by $SN_j$ back to $GW$; then the previously established session key can be obtained by the following procedure.
1) $A$ computes $SK_{GW\text{-}SN_j} = h(ID_{SN_j} \| K)$, where $ID_{SN_j}$ is received from the public channel. Then, $A$ can compute $R_2 = M_5 \oplus h(SK_{GW\text{-}SN_j})$.
2) $A$ computes $M_6 = M_4 \oplus SK_{GW\text{-}SN_j}$ and $R_3 = M_8 \oplus h(R_2)$.
3) $A$ can calculate $SK = h(M_6 \| R_2 \| R_3)$.
Therefore, if $A$ compromises the secret key $K$, $A$ can calculate the previously established session keys shared between $U_i$ and $SN_j$. Thus, the protocol in [10] cannot ensure forward secrecy.

V. PROPOSED PROTOCOL

In order to provide secure medical services via a medical sensor network, we propose a 3FUAP with forward secrecy based on ECC, where an error-correcting code and FCS are used to deal with the biometrics. Besides, in order to achieve true multifactor authentication, Wang et al.'s "fuzzy-verifier" and "Honey_List" techniques [32], [33] are adopted by our protocol to keep it secure even if two out of the three factors are compromised by an attacker. The proposed protocol contains six phases, and we illustrate each phase as follows.

A. System Setup Phase

$GW$ initializes the system by choosing some parameters. $GW$ chooses an EC $E_p(a, b)$ over the prime field $Z_p$ and a hash function $h(\cdot)$. Then $GW$ selects a subgroup $G$ of $E_p(a, b)$ with prime order $n$ and base point $P$. $GW$ selects the master private key $x \in [1, n-1]$ and computes the public key $X = xP$. Meanwhile, $GW$ chooses an $(n, k, t)$ BCH code and the corresponding functions $ENC$, $DEC$, $f$ according to the required security level. Moreover, $GW$ defines a medium integer $n_0$, $2^4 \le n_0 \le 2^8$, which is used for the fuzzy verifier. Finally, $GW$ publishes the parameters $\{p, E_p(a, b), P, X, h(\cdot)\}$, while keeping $x$ secret.

B. Medical Professional Registration Phase

To become a legitimate user who can acquire the data of the sensor nodes, $U_i$ needs to register at $GW$. The specific procedure is shown in Fig. 1 and also explained below:
1) $U_i$ chooses $ID_i$, $PW_i$, and a nonce $r$, and extracts the biometric information $BIO_i$ at the mobile device. Then $U_i$ calculates $HPW_i = h(PW_i \| r)$, and sends the registration request $\{ID_i, HPW_i, BIO_i\}$ together with a personal credential, such as a personal identification code, to $GW$ via a secure channel.
2) After receiving $\{ID_i, HPW_i, BIO_i\}$, $GW$ first checks whether $ID_i$ is already in the database. If so, $U_i$ is asked for new registration information. Otherwise, $GW$ chooses a $k$-bit string $k_i$ for $U_i$. Then, $GW$ computes $C_i = ENC(k_i)$, $A_i = C_i \oplus BIO_i$, $B_i = h((h(ID_i \| k_i) \oplus HPW_i) \bmod n_0)$, $D_i = h(ID_i \| k_i \| x)$, and $E_i = D_i \oplus HPW_i$. $GW$ stores $\{ID_i, k_i, Honey\_List = Null\}$ in its database,
and submits $\{A_i, B_i, E_i, X, DEC, f, n_0\}$ to $U_i$ via the secure channel.
3) $U_i$ stores $r$ and $\{A_i, B_i, E_i, X, DEC, f, n_0\}$ in the mobile device, so the mobile device holds the parameters $\{A_i, B_i, E_i, X, DEC, f, n_0, r\}$.

Fig. 1. User registration phase.

C. Patient Registration Phase

For each sensor node $S_j$ with identity $SID_j$, the registration center computes the secret key $K_j = h(ID_{GW} \| SID_j \| x)$ and stores it in the sensor node. Then the sensor nodes can be attached to a certain patient.

D. Login and Authentication Phase

When $U_i$ wants to access the sensory data of $S_j$, he or she must first log in to the gateway node. After the three-party mutual authentication among $U_i$, $GW$, and $S_j$ is completed, $U_i$ can acquire the information legally. This phase is described below and also demonstrated in Fig. 2.
1) $U_i$ inputs $ID_i$, $PW_i$ and imprints the biometric information $BIO_i'$ on the mobile device with the extraction equipment. It calculates $C_i' = f(A_i \oplus BIO_i') = f(C_i \oplus (BIO_i \oplus BIO_i'))$, $k_i = DEC(C_i')$, $B_i' = h((h(ID_i \| k_i) \oplus h(PW_i \| r)) \bmod n_0)$, and checks $B_i' \overset{?}{=} B_i$. The request is aborted if $B_i' \ne B_i$. Otherwise, the user's three factors have been checked by the mobile device. Then, it produces a nonce $a$ and calculates $M_1 = aP$, $M_2 = aX$, $M_3 = ID_i \oplus h(M_1 \| M_2)$, $M_4 = SID_j \oplus h(M_2 \| M_1)$, $D_i = E_i \oplus h(PW_i \| r)$, and $M_5 = h(D_i \| SID_j \| M_2)$. At last, $U_i$ forwards the login request $W_1 = \{M_1, M_3, M_4, M_5\}$ to $GW$.
2) On getting the message $W_1$, $GW$ calculates $M_2 = xM_1$ and derives $ID_i = M_3 \oplus h(M_1 \| M_2)$. Then, $GW$ checks whether the identity is valid. If not, the session is terminated. Otherwise, $GW$ finds the corresponding $k_i$ and calculates $D_i' = h(ID_i \| k_i \| x)$, $SID_j = M_4 \oplus h(M_2 \| M_1)$, and $M_5' = h(D_i' \| SID_j \| M_2)$, and checks $M_5' \overset{?}{=} M_5$. If they are unequal, $GW$ inserts $D_i'$ into $Honey\_List$, or suspends the identity if the items in $Honey\_List$ exceed a specific threshold (e.g., more than ten items). Meanwhile, the session is terminated by $GW$. Otherwise, the login request is legitimate. $GW$ generates a random nonce $b$, and computes $K_j = h(ID_{GW} \| SID_j \| x)$, $M_6 = K_j \oplus b$, and $M_7 = h(SID_j \| K_j \| b \| M_1)$. At last, $GW$ forwards the message $W_2 = \{M_1, M_6, M_7\}$ to the sensor node $S_j$.
3) After receiving the message $W_2$, $S_j$ calculates $b' = M_6 \oplus K_j$ and $M_7' = h(SID_j \| K_j \| b' \| M_1)$, and verifies the validity of $GW$ by checking $M_7' \overset{?}{=} M_7$. If it is valid, $S_j$ produces a nonce $c$ and calculates $M_8 = cP$, $M_9 = cM_1$, $SK_j = h(M_1 \| M_8 \| M_9)$, $M_{10} = h(SID_j \| K_j \| b' \| M_8)$, and $M_{11} = h(SID_j \| M_1 \| M_8 \| SK_j)$; then $S_j$ responds with the message $W_3 = \{M_8, M_{10}, M_{11}\}$ to $GW$.
4) On obtaining the message $W_3$, $GW$ computes $M_{10}' = h(SID_j \| K_j \| b \| M_8)$ and verifies the validity of $S_j$ by checking $M_{10}' \overset{?}{=} M_{10}$. If it is valid, $GW$ computes $M_{12} = h(D_i' \| SID_j \| M_2 \| M_8)$ and forwards the message $W_4 = \{M_8, M_{11}, M_{12}\}$ to $U_i$.
5) On receiving the message $W_4$, $U_i$ computes $M_{12}' = h(D_i \| SID_j \| M_2 \| M_8)$ and verifies $M_{12}' \overset{?}{=} M_{12}$. $M_{12}' \ne M_{12}$ means the message is invalid, and the session is aborted. Otherwise, the validity of $GW$ is confirmed by $U_i$. Then, $U_i$ computes $M_{13} = aM_8$, $SK_i = h(M_1 \| M_8 \| M_{13})$, and $M_{11}' = h(SID_j \| M_1 \| M_8 \| SK_i)$, and verifies the validity of $S_j$ by checking $M_{11}' \overset{?}{=} M_{11}$. Finally, $U_i$ and $S_j$ can use the shared key $SK_i = SK_j$ for the subsequent communication through $GW$.

E. Password Change Phase

The user can modify the password by executing the following procedure.
1) $U_i$ inputs $ID_i$, $PW_i$ and imprints the biometric information $BIO_i'$ on the mobile device with the extraction equipment. The mobile device computes $C_i' = f(A_i \oplus BIO_i') = f(C_i \oplus (BIO_i \oplus BIO_i'))$, $k_i = DEC(C_i')$, $B_i' = h((h(ID_i \| k_i) \oplus h(PW_i \| r)) \bmod n_0)$, and checks $B_i' \overset{?}{=} B_i$. $B_i' \ne B_i$ leads to rejection of the password change request. Otherwise, it continues with the subsequent operations.
2) The mobile device asks for a new password, and $U_i$ enters the new password $PW_i^{new}$.
3) The mobile device calculates $HPW_i^{new} = h(PW_i^{new} \| r)$ and $B_i^{new} = h((h(ID_i \| k_i) \oplus h(PW_i^{new} \| r)) \bmod n_0)$. Finally, the mobile device replaces $B_i$ with $B_i^{new}$. Since $E_i = D_i \oplus HPW_i$ also depends on the password, the mobile device must likewise replace $E_i$ with $E_i^{new} = E_i \oplus HPW_i \oplus HPW_i^{new}$; otherwise step 1 of the login phase can no longer recover $D_i$. Therefore, $U_i$ can modify the password without the assistance of $GW$.

F. Revocation and Reregistration Phase

When $U_i$'s mobile device is lost or stolen, the following steps can be used to revoke the mobile device.
1) $U_i$ submits $ID_i$ and the personal credential to $GW$ via a secure channel as a revocation request.
2) $GW$ checks whether $ID_i$ and the personal credential are valid. If so, $ID_i$ is locked and the mobile device is revoked
by $GW$. Then, no user can log in to $GW$ with identity $ID_i$.

After the mobile device is revoked, if $U_i$ wants to re-register as a user using a new mobile device in the name of identity $ID_i$, the following steps should be performed.
1) $U_i$ chooses a new password $PW_i^*$ and a nonce $r^*$, and extracts the biometric information $BIO_i^*$ at a new mobile device. Then $U_i$ computes $HPW_i^* = h(PW_i^* \| r^*)$, and sends the re-registration request $\{ID_i, HPW_i^*, BIO_i^*\}$ with a personal credential, such as a personal identification code, to $GW$ through a secure channel.
2) After receiving $\{ID_i, HPW_i^*, BIO_i^*\}$, $GW$ chooses a new $k$-bit string $k_i^*$ for $U_i$. Then, $GW$ computes $C_i^* = ENC(k_i^*)$, $A_i^* = C_i^* \oplus BIO_i^*$, $B_i^* = h((h(ID_i \| k_i^*) \oplus HPW_i^*) \bmod n_0)$, $D_i^* = h(ID_i \| k_i^* \| x)$, and $E_i^* = D_i^* \oplus HPW_i^*$. $GW$ stores $\{ID_i, k_i^*, Honey\_List = Null\}$ in its database, and submits $\{A_i^*, B_i^*, E_i^*, X, DEC, f, n_0\}$ to $U_i$ via the secure channel.
3) $U_i$ stores $\{A_i^*, B_i^*, E_i^*, X, DEC, f, n_0, r^*\}$ in the mobile device. Then $U_i$ can log in to $GW$ using the new mobile device in the name of the original identity $ID_i$.

Fig. 2. Login and authentication phase.

VI. DISCUSSION OF SECURITY AND PERFORMANCE

In this section, the security of the proposed protocol is evaluated by a security proof, the ProVerif tool, and informal security protocol analysis. The protocol is evaluated using the NS-3 simulation tool. Besides, comparisons with the relevant protocols are given.

A. Formal Proof

1) Basis of Formal Proof: Based on the security models of previous work in [34]–[36], we present the formal proof for our protocol.

To concentrate on $A$'s ability, only three entities exist in our protocol $\mathcal{P}$: a user $U_i$, a sensor $S_j$, and a gateway node $GW$. $I$ can be used to represent an entity when it is not required to tell these entities apart. Every entity owns many instances with their own numbers. For instance, $U_i^\mu$ is the $\mu$th instance of $U_i$. Other notations like $S_j^\nu$, $GW^\lambda$, and $I^k$ can be deduced.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

LI et al.: SECURE THREE-FACTOR USER AUTHENTICATION PROTOCOL 7

We deem each instance as an oracle. Three states may happen for an oracle. The “accept” state will occur if the input data is right. Otherwise, if incorrect information arrives, “reject” will execute. If the input is not answered, the oracle will turn to ⊥. When the oracle Ui^μ or Sj^ν is obtained and a session key is calculated, the parameters are linked by the oracle: the session identity sid_{Ui^μ} or sid_{Sj^ν}, its partner's identity pid_{Ui^μ} or pid_{Sj^ν}, and the session key sk_{Ui^μ} or sk_{Sj^ν}. The concept “partnering” is demonstrated later.

Before the proof starts, some conditions are mentioned below.
1) The three entities run the setup and registration phases to prepare the simulation.
2) A knows IDi, SIDj, and all public parameters at the beginning.

A makes queries to the simulator in order to forge or get session keys. The queries are expressed below.
1) Execute(Ui^μ, GW^λ, Sj^ν): The overall login and authentication phase is simulated. A gets the content of the information exchanged among Ui^μ, GW^λ, and Sj^ν.
2) Send(I, I_r^s, m): The entity I transmits a parameter m to the oracle I_r^s. If m is right and I_r^s can get it, the simulator will respond based on P. Else, the query is abandoned.
3) Reveal(I^k): The known-key attack is simulated, and the attack is for Ui and Sj. If I^k is in the partnering state, the session key is returned to A.
4) Corrupt(Ui^μ, α): It demonstrates the cases of the user's information being lost.
   a) α = 0: The password is attained by A.
   b) α = 1: The data of the smart card is attained by A.
   c) α = 2: The biometrics is attained by A.
5) Corrupt(I^k): It denotes strong forward security in [35]. A can attain every parameter of I^k after this query. Since A could acquire some data at the start, we list what A can obtain after this operation.
   a) Corrupt(Ui^μ): A can attain PWi, BIOi, and the parameters of the SC.
   b) Corrupt(GW^λ): A can attain the secret key x.
   c) Corrupt(Sj^ν): A can attain Kj through Sj.
6) Test(I^k): At last A selects the target session. Here I is Ui or Sj. If I^k has not reached the “accept” state or is not appropriate for the notion sfs-fresh, which is introduced below, ⊥ will be the result. Otherwise, a coin z is tossed. If z = 1, the true session key is output by the simulator. Otherwise, a random string in {0, 1}^s is output.

Before starting the proof, we first introduce the definitions referred to above.
1) Partnering: When the session is established between Ui^μ and Sj^ν, we consider Ui^μ and Sj^ν to be partners if and only if they are accepted and sid_{Ui^μ} = sid_{Sj^ν}, pid_{Ui^μ} = Sj^ν, pid_{Sj^ν} = Ui^μ, and sk_{Ui^μ} = sk_{Sj^ν}.
2) sfs-fresh: It applies only to Ui^μ and Sj^ν. I^k is sfs-fresh if none of the following events occur.
   a) A Corrupt(I^k) or Corrupt(pid_{I^k}) is queried before Test(I^k).
   b) A Reveal(I^k) is queried.
   c) A Reveal(pid_{I^k}) is queried.
   d) For Ui, all three kinds of Corrupt(Ui, α) have happened.
3) sfs-secure: We take the attacker A's advantage in cracking P to be the possibility of guessing the coin z correctly after Test(I^k). A outputs a bit z' and its advantage is
$$\mathrm{Adv}^{sfs}_{P}(\mathcal{A}) = 2\Pr[z = z'] - 1.$$
Let qs represent the number of Send queries. If Adv^{sfs}_P(A) is negligibly bigger than max{O(qs(1/N, 1/2^l, ε_fp))} with the security parameter s, number of passwords N, length of biometrics l, and the probability of a false negative accident, the protocol P is sfs-secure.

2) Formal Proof:
Theorem 1: G is an additive cyclic group on E(Fp), and n is its large prime order. There are N passwords in total. s is the security parameter, and random nonces and hash values have this length. The biometrics has l bits. The “false positive” probability is expressed as ε_fp. Any attacker A makes at most qe Execute queries, qs Send queries, and qh hash oracle queries within time t. We see that
$$\mathrm{Adv}^{sfs}_{P}(\mathcal{A}) \le \frac{q_h^2 + (q_s + q_e)^2}{2^{s}} + \frac{(q_s + q_e)^2}{n - 1} + \frac{5q_h + 6q_s}{2^{s-1}} + 2\max\left\{q_s\left(\frac{1}{N}, \frac{1}{2^{l}}, \varepsilon_{fp}\right)\right\} + 4q_h\left((q_s + q_e)^2 + 1\right)\mathrm{Adv}^{ECCDH}_{\mathcal{A}}(t')$$
where t' = t + (6qe + 2qs)Tm, and Tm is the execution time of a point multiplication.

Proof: A sequence of games from G0 to G5 is completed in the proof. Si is the possibility of A correctly guessing the coin z for Gi in the test part. Based on the previous hypothesis, A can get IDi and does not need to guess it.
1) Game G0: The protocol is based on the random oracles. It is obvious that Adv^{sfs}_P(A) = 2Pr[S0] − 1. An arbitrary bit z' is chosen if A uses more time than a threshold or if the game terminates without a response from A.
2) Game G1: The oracles are simulated according to the proposed scheme. There are five Send queries corresponding to Section V-D: Send(Ui^μ, INIT), Send(Ui^μ, GW^λ, W1), Send(GW^λ, Sj^ν, W2), Send(Sj^ν, GW^λ, W3), and Send(GW^λ, Ui^μ, W4). Meanwhile, there are three lists to store relevant results.
   a) Lh: It keeps the results of hash queries.
   b) LA: If A queries the hash, the answer will be kept here.
   c) LP: It keeps all transcripts in the whole proof process.
So G1 and G0 are not distinguishable and Pr[S1] = Pr[S0].
3) Game G2: Collisions in P are calculated here. Based on the birthday paradox, we show the three sorts of them as follows.
   a) The hash function results may have a collision probability of qh^2/2^{s+1} at most.
   b) The collision possibility of random numbers a and c is given by (qs + qe)^2 / (2(n − 1)) at most.
   c) The collision probability of random number b is given by (qs + qe)^2 / 2^{s+1} at most.
So G2 and G1 cannot be distinguished unless the collisions happen, and
$$|\Pr[S_2] - \Pr[S_1]| \le \frac{q_h^2 + (q_s + q_e)^2}{2^{s+1}} + \frac{(q_s + q_e)^2}{2(n - 1)}.$$
4) Game G3: We consider the possibility of A impersonating W1 ∼ W4 without random oracles. Here some operations in Send queries are added. Once any validation fails, the query will be stopped.
   a) For Send(Ui^μ, GW^λ, W1): The simulator must check if (M1||M2, ∗), (M2||M1, ∗), (Di||SIDj||M2, ∗) ∈ LA and W1 ∈ LP. Moreover, (PWi, ∗) cannot be checked since PWi and r are both secrets for GW. The probability is (3qh + qs)/2^s at most.
   b) For Send(GW^λ, Sj^ν, W2): The simulator must check if (IDGW||SIDj||∗, ∗), (SIDj||Kj||b||M1, ∗) ∈ LA, and W1, W2 ∈ LP. The probability is (qh + qs)/2^s at most.
   c) For Send(Sj^ν, GW^λ, W3): The simulator must check if (M1||M8||∗, ∗), (SIDj||Kj||b||M8, M10), (SIDj||M1||M8||∗, M11) ∈ LA. The probability is (qh + 2qs)/2^s at most.
   d) For Send(GW^λ, Ui^μ, W4): The simulator must check if (SIDj||M1||M8||∗, M11), (Ki||SIDj||M2||M8, M12) ∈ LA. The probability is 2qs/2^s at most.
So G3 and G2 are indistinguishable if such checks are considered. Then
$$|\Pr[S_3] - \Pr[S_2]| \le \frac{5q_h + 6q_s}{2^{s}}.$$
5) Game G4: In this game, the ECCDH problem appears. If A is able to attain the real session key, which means A solved the problem, we see that (aP||cP||acP) must be stored in LA. According to [37], A can get two factors and then try to break the third one. If A only gets BIOi and PWi, nothing could be done to break the scheme. So Corrupt(Ui^μ, 1) cannot be avoided for A, and we consider that A has queried it. The game can be demonstrated as three situations. The first and second denote online guessing attacks while the third denotes the off-line guessing attack.
   a) A queries Corrupt(Ui^μ, 2) and aims to find the correct password. Since A has qs chances for Send queries and the quantity of passwords is N, the possibility is qs/N.
   b) A asks the Corrupt(Ui^μ, 0) query, so BIOi should be broken. This can be divided into the following subcases:
      i) A guesses biometrics with length l in qs chances. The possibility is qs/2^l.
      ii) A can use his own biometrics in Send queries to try the possibility of a “false positive”. It is qs·ε_fp at most.
   Keep in mind that the above situations cannot appear simultaneously. So the possibility for the online guessing attack is approximately max{qs(1/N, 1/2^l, ε_fp)}.
   c) In the off-line guessing attack, A could apply Corrupt(Ui^μ, 0) or Corrupt(Ui^μ, 2) and then ask Execute queries. acP can be attained in LA with probability 1/qh at most. The function of Execute is completed in the following situations.
      i) A immediately asks Execute; the probability is approximately qh·Adv^{ECCDH}_A(t + 6qe·Tm).
      ii) A first asks Send queries to produce an Execute query; the possibility is qh·Adv^{ECCDH}_A(t + 2qs·Tm).
   We decide that t' = t + (6qe + 2qs)Tm, and the possibility for the off-line guessing attack is expressed below:
$$q_h\,\mathrm{Adv}^{ECCDH}_{\mathcal{A}}(t + 6q_e T_m) + q_h\,\mathrm{Adv}^{ECCDH}_{\mathcal{A}}(t + 2q_s T_m) \le 2q_h\,\mathrm{Adv}^{ECCDH}_{\mathcal{A}}(t + (6q_e + 2q_s)T_m) = 2q_h\,\mathrm{Adv}^{ECCDH}_{\mathcal{A}}(t').$$
So we have
$$|\Pr[S_4] - \Pr[S_3]| \le \max\left\{q_s\left(\frac{1}{N}, \frac{1}{2^{l}}, \varepsilon_{fp}\right)\right\} + 2q_h\,\mathrm{Adv}^{ECCDH}_{\mathcal{A}}(t').$$
6) Game G5: In this game, strong forward secrecy is considered. On the basis of the concept of sfs-fresh, Corrupt(I^k) can only be executed after Test(I^k). So this game only influences old games, and old transcripts become the sources of the answers. It is similar to the off-line guessing attack in G4. Assume we attain (aP||cP||acP) ∈ LA and the possibility of attaining aP and cP in a session is 1/(qs + qe)^2; then we have
$$|\Pr[S_5] - \Pr[S_4]| \le 2q_h (q_s + q_e)^2\,\mathrm{Adv}^{ECCDH}_{\mathcal{A}}(t').$$
Hence, A loses the edge in guessing z and Pr[S5] = 1/2; thus this theorem is proved.

B. Formal Verification Using Proverif Tool

According to [38], Proverif is a broadly used testing tool for cryptographic protocols. Unlimited message space and session simulation are permitted while the tool is running, and the common cryptographic operations, including symmetric and asymmetric encryption/decryption, signature, and hash functions, are provided. Properties like verifiability, traceability, and privacy can be judged when the tool is applied. Furthermore, Proverif tries to rebuild an attack trace if the scheme is insecure.

1) Definition of Our Code: We demonstrate all definitions for our code in Table II. Here, ch1 and ch2 are public channels, while sch1 and sch2 are private channels. We use ch1 and sch1 between user and gateway, and ch2 and sch2 between sensor and gateway. Also, sks and sku are session keys for sensor and user, respectively; x is the secret key of the gateway. IDi, PWi, and BIOi
denote user identity, password, and biometrics, respectively. P is the generator of the ECC group. SIDj and IDGW are the identities of sensor and gateway. d is the table to store user information in the gateway. Simultaneously, we claim that IDi and PWi are low-entropy strings, which may be guessed by the attacker. Then functions and equations related to the functions are illustrated. At last, there are two queries about the session keys, and the aim is to test if the session keys are secure against attacks.

TABLE II: DEFINITION OF CODE
TABLE III: CODE FOR USER
TABLE IV: CODE FOR SENSOR
TABLE V: CODE FOR GATEWAY
TABLE VI: RESULTS FOR CODE

2) Process of Our Code: We divide the code into three parts, illustrated by Tables III–V. Lines 2–5 in Table III and the last nine lines in the first blank of Table V are the content for professional registration. Line 2 in Table IV and the last two lines in the second blank of Table V are for patient registration. Except for the fourth blank of Table V, the rest of the content is for the login and authentication phase. The sentence let GW = GWReg1 | GWReg2 | GWAuth. denotes that the whole process of the gateway includes the processes GWReg1, GWReg2, and GWAuth. Moreover, we use process !User | !GW | !Sensor to demonstrate the parallel execution of all three entities.

The results of the code execution are illustrated in Table VI. The first two denote that both weak strings IDi and PWi can resist
guessing attacks. The last two results mean that both session keys are robust against common attacks. Thus, our scheme is secure under the formal verification.

C. Analysis of Security Features

This section mainly discusses whether the proposed protocol meets common security features, and the results show that our protocol is resistant to various attacks.

1) Resist Mobile Device Loss Attack: When Ui's mobile device is stolen by an attacker, A can extract the parameters {Ai, Bi, Ei, X, DEC, f, n0, r} in the mobile device by using the side-channel technique as in [39]. As we can see from the medical professional registration phase, Ai = Ci ⊕ BIOi, Ci = ENC(ki), Bi = h((h(IDi||ki) ⊕ HPWi) mod n0), Ei = Di ⊕ HPWi, Di = h(IDi||ki||x), HPWi = h(PWi||r), and ki is a k-bit string. Ai is not related to IDi and PWi, while both Bi and Ei contain three unknown values; therefore, A cannot retrieve IDi/PWi from {Ai, Bi, Ei} directly. Furthermore, if the user's biometric information BIOi was stolen by A, A can retrieve ki from Ai and Ci. However, due to the adoption of the fuzzy-verifier technique [32], [33], there are 2^32 candidates for the (ID, PW) pair when the identity and password spaces are both 10^6 and n0 = 2^8. Meanwhile, the Honey List of the proposed protocol can restrict the number of off-line password guessing attempts. Therefore, A cannot guess the right IDi and PWi accurately from Bi. Furthermore, even if the attacker gets ki, A still cannot retrieve IDi and PWi from Ei without knowing x. In conclusion, the proposed protocol can resist mobile device loss attack and off-line password attack.

5) User Anonymity: User anonymity means that a legitimate user's identity cannot be obtained and the different sessions of a specific user cannot be distinguished by an adversary. Assume that A can eavesdrop on all messages transmitted via the public channel; only M3 = IDi ⊕ h(M1||M2) is related to IDi, where M1 = aP and M2 = aX. A has to solve ECDLP to obtain IDi from M1 and M3. Besides, each element of the login request message {M1, M3, M4, M5} is calculated based on the random number a. The freshness of the random number ensures that the login request for every session is different from other sessions, so our protocol can also guarantee untraceability.

6) Known-Key Security: In our protocol, the session key h(aP||cP||acP) is shared between Ui and Sj for secure communication after the mutual authentication, where a and c are random numbers produced by Ui and Sj, respectively. Since the security of the session key is guaranteed by ECDLP and ECCDHP, A cannot figure it out from M1 and M8. Furthermore, the random numbers involved in the session key of each session are different from those of the others. Therefore, the disclosure of some session keys will not affect the security of other session keys, and the feature of known-key security can be ensured.

7) Forward Secrecy: As stated earlier, forward secrecy is to ensure that previously established session keys remain secure in case the long-term private keys are leaked. In our protocol, we can see that the session key is only relevant to the random numbers a and c. Even if the long-term keys are leaked, A has to solve ECDLP and ECCDHP to retrieve the previously established session keys. That is to say, our protocol guarantees forward secrecy.
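As an added illustration (not code from the paper), the following Python models the login request {M1, M3, M4, M5}, the gateway's recovery of IDi and check of M5, and the session key h(aP||cP||acP) from items 3, 5, and 6, then exercises the untraceability and impersonation arguments. It assumes secp256k1 as the curve (the paper does not fix one), SHA-256 truncated to 160 bits as h(·), identities padded to 160 bits, and a registration reduced to the values these messages need (no Honey List, fuzzy verifier, or biometrics); the sample identities are constructed.

```python
import hashlib
import secrets

# secp256k1 parameters (y^2 = x^3 + 7 over F_FIELD): stand-in for the paper's curve E(F_p).
FIELD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FIELD) % FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return x3, (lam * (x1 - x3) - y1) % FIELD


def ec_mul(k, point):
    """Double-and-add scalar multiplication k*point (the paper's Tm operation)."""
    acc, addend = None, point
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def h(*parts):
    """h(x || y || ...): SHA-256 truncated to 160 bits (the hash length the paper
    assumes); points are encoded as 64 bytes, every other part is raw bytes."""
    enc = lambda p: p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big")
    data = b"".join(enc(p) if isinstance(p, tuple) else p for p in parts)
    return hashlib.sha256(data).digest()[:20]


def xor(a, b): return bytes(u ^ v for u, v in zip(a, b))
def rand_scalar(): return secrets.randbelow(ORDER - 1) + 1


def register(id_i, x):
    """Registration reduced to what login needs: GW draws ki, Ui holds Di = h(IDi||ki||x)."""
    k_i = secrets.token_bytes(16)
    return k_i, h(id_i, k_i, x.to_bytes(32, "big"))


def login_request(id_i, sid_j, d_i, pub_x):
    """Ui builds W1 = {M1, M3, M4, M5} from a fresh nonce a (items 3 and 5)."""
    a = rand_scalar()
    m1 = ec_mul(a, GEN)         # M1 = aP
    m2 = ec_mul(a, pub_x)       # M2 = aX; GW recovers it as x*M1
    m3 = xor(id_i, h(m1, m2))   # M3 = IDi xor h(M1 || M2)
    m4 = xor(sid_j, h(m2, m1))  # M4 = SIDj xor h(M2 || M1)
    m5 = h(d_i, sid_j, m2)      # M5 = h(Di || SIDj || M2)
    return (m1, m3, m4, m5), a


def gateway_check(request, x, user_db):
    """GW recovers IDi and SIDj with x, then verifies M5 with the ki stored for IDi."""
    m1, m3, m4, m5 = request
    m2 = ec_mul(x, m1)
    id_i = xor(m3, h(m1, m2))
    sid_j = xor(m4, h(m2, m1))
    k_i = user_db.get(id_i)     # user_db: IDi -> ki (the {IDi, ki, Honey List} record)
    if k_i is None:
        return None
    d_i = h(id_i, k_i, x.to_bytes(32, "big"))
    return (id_i, sid_j) if m5 == h(d_i, sid_j, m2) else None


def sensor_key(m1):
    """Sj picks c, sends M8 = cP, and derives SK = h(aP || cP || acP) (item 6)."""
    c = rand_scalar()
    m8 = ec_mul(c, GEN)
    return m8, h(m1, m8, ec_mul(c, m1))


def user_key(a, m8):
    return h(ec_mul(a, GEN), m8, ec_mul(a, m8))


def run_session(id_i=b"user-0001".ljust(20, b"\0"), sid_j=b"sensor-07".ljust(20, b"\0")):
    """One exchange plus the checks behind items 3, 5, and 6 (constructed sample values)."""
    x = rand_scalar()                    # GW's long-term secret; X = xP is public
    pub_x = ec_mul(x, GEN)
    k_i, d_i = register(id_i, x)
    db = {id_i: k_i}
    w1, a = login_request(id_i, sid_j, d_i, pub_x)
    w1_again, _ = login_request(id_i, sid_j, d_i, pub_x)
    m8, sk_sensor = sensor_key(w1[0])
    forged, _ = login_request(id_i, sid_j, secrets.token_bytes(20), pub_x)  # no Di: guess
    return {
        "gw_accepts": gateway_check(w1, x, db) == (id_i, sid_j),
        "keys_match": user_key(a, m8) == sk_sensor,
        "untraceable": w1[1] != w1_again[1],   # M3 differs per session (item 5)
        "forged_rejected": gateway_check(forged, x, db) is None,
    }
```

Note that with x alone an eavesdropper can recompute M2 and unmask M3, which is why the paper keeps x at the gateway, while the session key still needs a or c.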
2) Resist Gateway Node Impersonation Attack: In order to impersonate the gateway node, A needs to be able to forge a valid message W2 = {M1, M6, M7} to send to Sj and another valid message W4 = {M8, M11, M12} to respond to Ui, where M1 = aP, M6 = Kj ⊕ b, M7 = h(SIDj||Kj||b||M1), Kj = h(IDGW||SIDj||x), M8 = cP, M11 = h(SIDj||M1||M8||SKj), and M12 = h(Ki||SIDj||M2||M8). To forge these messages, ki and Kj are necessary knowledge, and they rely on {x, IDGW}. However, {x, IDGW} are only known by GW. That is to say, our protocol is secure against this attack.

3) Resist User Impersonation Attack: The adversary who attempts to impersonate a legitimate user needs to forge a valid login request message. In our protocol, the login request message is {M1, M3, M4, M5}, where M1 = aP, M3 = IDi ⊕ h(M1||M2), M2 = aX, M4 = SIDj ⊕ h(M2||M1), M5 = h(Di||SIDj||M2), Di = h(IDi||ki||x), and ki is a k-bit string. A can produce a nonce a' to calculate M1' = a'P and M2' = a'X. However, without the information of IDi and Di, A is unable to calculate the correct M3 and M5. Therefore, the proposed protocol is secure against this attack.

4) Resist Sensor Node Impersonation Attack: In our protocol, if A wants to impersonate a sensor node, A needs to forge the valid message {M8, M10, M11}, where M8 = cP, M10 = h(SIDj||Kj||b||M8), M11 = h(SIDj||M1||M8||SKj), and Kj = h(IDGW||SIDj||x). They are calculated with Sj's secret key Kj, which means that A has to know the GW's identity IDGW and secret key x to forge a valid response message. Therefore, our protocol can also avoid this attack.

8) No Clock Synchronization: Generally, there are two mechanisms to cope with the replay attack, i.e., the clock synchronization and random number mechanisms. However, clock synchronization between gateway and sensor nodes is itself still a research problem in WSN. In our scheme, the replay attack can be blocked by the random number mechanism, and our protocol is not affected by the clock-synchronization problem.

9) Performance and Security Comparisons: We compare the performance and security of our scheme with other relevant protocols [10], [24], [25] in this section. For convenience of performance evaluation, we define Tm, Th, and Ts to represent the run time of a point multiplication using ECC, a hash operation, and a symmetric encryption/decryption, respectively. Generally speaking, Tm is much larger than Th. Meanwhile, we assume the point on ECC is 320 bits, and the identity, timestamp, random number, hash function, symmetric encryption, and confirmation message are all 160 bits long. The result of the performance evaluation comparison in the login and authentication phase is shown in Table VII. It is clear that the computational complexity of our protocol is the same as the protocol in [24] and a little higher than the protocol in [25]. However, the communication costs of their protocols [24], [25] are both higher than that of our protocol. Compared with Amin et al.'s protocol [10], our protocol adopts the point multiplication on ECC to guarantee the important feature of forward secrecy; therefore, our protocol needs more time and communication cost. From the security comparison in Table VIII, except for our protocol, no other protocol can achieve the features of local password change and
TABLE VII
PERFORMANCE COMPARISON

TABLE VIII
FUNCTIONALITY AND SECURITY FEATURES COMPARISON

forward secrecy while resisting mobile device attack. Moreover, the protocols in [10], [24] both face the clock-synchronization problem, and Amin et al.'s protocol is also vulnerable to DoS attack. In summary, our protocol could provide a higher level of security, and the computational cost is also within an acceptable level.

VII. CONCLUSION

In order to achieve local password change and forward security while resisting mobile device loss attack, we proposed a secure 3FUAP with forward secrecy for WMSN. In our protocol, error-correcting code and FCS are adopted to handle the biometric information. Besides, the point multiplication on ECC is used to generate the session key, and the forward secrecy can be guaranteed by ECCDHP and ECDLP. Fuzzy verifier and honey_list techniques allow our protocol to achieve local password change while resisting mobile device loss attack. The provable security, Proverif tool, and the discussion of security features indicate that our protocol is secure in resisting most common attacks. Moreover, the security and performance comparisons with the relevant competing protocols indicate that the proposed protocol is secure with acceptable computational efficiency.

REFERENCES

[1] S. H. Shah, A. Iqbal, and S. S. A. Shah, “Remote health monitoring through an integration of wireless sensor networks, mobile phones and cloud computing technologies,” in Proc. Global Humanitarian Technol. Conf., 2014, pp. 401–405.
[2] Z. Xiong, H. Sheng, W. Rong, and D. E. Cooper, “Intelligent transportation systems for smart cities: A progress review,” Sci. Chin. Inf. Sci., vol. 55, no. 12, pp. 2908–2914, 2012.
[3] G. Mois, T. Sanislav, and S. C. Folea, “A cyber-physical system for environmental monitoring,” IEEE Trans. Instrum. Meas., vol. 65, no. 6, pp. 1463–1471, Jun. 2016.
[4] H. Alemdar and C. Ersoy, “Wireless sensor networks for healthcare: A survey,” Comput. Netw., vol. 54, no. 15, pp. 2688–2710, 2010.
[5] D. He, S. Zeadally, N. Kumar, and J.-H. Lee, “Anonymous authentication for wireless body area networks with provable security,” IEEE Syst. J., vol. 11, no. 4, pp. 2590–2601, Dec. 2017.
[6] X. Li, J. Peng, J. Niu, F. Wu, J. Liao, and K. R. Choo, “A robust and energy efficient authentication protocol for industrial,” IEEE Internet Things J., vol. 5, no. 3, pp. 1606–1615, Jun. 2018.
[7] Q. Jiang, J. Ma, and F. Wei, “On the security of a privacy-aware authentication scheme for distributed mobile cloud computing services,” IEEE Syst. J., vol. 12, no. 2, pp. 2039–2042, Jun. 2018.
[8] R. Ali and A. K. Pal, “Cryptanalysis and biometric-based enhancement of a remote user authentication scheme for e-healthcare system,” Arabian J. Sci. Eng., vol. 43, no. 12, pp. 1–16, 2018.
[9] Q. Jiang, J. Ma, C. Yang, X. Ma, J. Shen, and S. A. Chaudhry, “Efficient end-to-end authentication protocol for wearable health monitoring systems,” Comput. Elect. Eng., vol. 63, pp. 182–195, 2017.
[10] R. Amin, S. H. Islam, G. Biswas, M. K. Khan, and N. Kumar, “A robust and anonymous patient monitoring system using wireless medical sensor networks,” Future Gener. Comput. Syst., vol. 80, pp. 483–495, 2018.
[11] K. H. M. Wong, Y. Zheng, J. Cao, and S. Wang, “A dynamic user authentication scheme for wireless sensor networks,” in Proc. IEEE Int. Conf. Sensor Netw., Ubiquitous, Trustworthy Comput., 2006, pp. 244–251.
[12] M. L. Das, “Two-factor user authentication in wireless sensor networks,” IEEE Trans. Wireless Commun., vol. 8, no. 3, pp. 1086–1090, Mar. 2009.
[13] K. M. Khurram and A. Khaled, “Cryptanalysis and security improvements of two-factor user authentication in wireless sensor networks,” Sensors, vol. 10, no. 3, pp. 2450–2459, 2010.
[14] A. K. Das, P. Sharma, S. Chatterjee, and J. K. Sing, “A dynamic password-based user authentication scheme for hierarchical wireless sensor networks,” J. Netw. Comput. Appl., vol. 35, no. 5, pp. 1646–1656, 2012.
[15] K. Xue, C. Ma, P. Hong, and R. Ding, “A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks,” J. Netw. Comput. Appl., vol. 36, no. 1, pp. 316–323, 2013.
[16] D. He, N. Kumar, and N. Chilamkurti, “A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks,” Inf. Sci., vol. 321, pp. 263–277, 2015.
[17] M. Turkanović, B. Brumen, and M. Hölbl, “A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the internet of things notion,” Ad Hoc Netw., vol. 20, no. 2, pp. 96–112, 2014.
[18] R. Amin and G. P. Biswas, “A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks,” Ad Hoc Netw., vol. 36, no. 1, pp. 58–80, 2015.
[19] X. Li et al., “A robust ECC based provable secure authentication protocol with privacy protection for industrial internet of things,” IEEE Trans. Ind. Inform., vol. 14, no. 8, pp. 3599–3609, Aug. 2018.
[20] R. Ali, A. K. Pal, S. Kumari, M. Karuppiah, and M. Conti, “A secure user authentication and key-agreement scheme using wireless sensor networks for agriculture monitoring,” Future Gener. Comput. Syst., vol. 84, pp. 200–215, 2018.
[21] D. He, Y. Zhang, D. Wang, and K. R. Choo, “Secure and efficient two-party signing protocol for the identity-based signature scheme in the ieee p1363 standard for public key cryptography,” IEEE Trans. Dependable Secure Comput., to be published, doi: 10.1109/TDSC.2018.2857775.
[22] H.-L. Yeh, T.-H. Chen, P.-C. Liu, T.-H. Kim, and H.-W. Wei, “A secured authentication protocol for wireless sensor networks using elliptic curves cryptography,” Sensors, vol. 11, no. 5, pp. 4767–4779, 2011.
[23] W. Shi and P. Gong, “A new user authentication protocol for wireless sensor networks using elliptic curves cryptography,” Int. J. Distrib. Sensor Netw., vol. 9, no. 4, 2013, Art. no. 730831.
[24] Y. Choi, D. Lee, J. Kim, J. Jung, J. Nam, and D. Won, “Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography,” Sensors, vol. 14, no. 6, pp. 10081–10106, 2014.
[25] F. Wu, L. Xu, S. Kumari, and X. Li, “A new and secure authentication scheme for wireless sensor networks with formal proof,” Peer-to-Peer Netw. Appl., vol. 10, no. 1, pp. 1–15, 2015.
[26] P. Kumar, S. G. Lee, and H. J. Lee, “E-sap: Efficient-strong authentication protocol for healthcare applications using wireless medical sensor networks,” Sensors, vol. 12, no. 2, pp. 1625–1647, 2012.
[27] D. He, N. Kumar, J. Chen, C. C. Lee, N. Chilamkurti, and S. S. Yeo, “Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks,” Multimedia Syst., vol. 21, no. 1, pp. 49–60, 2015.
[28] X. Li, J. Niu, S. Kumari, J. Liao, W. Liang, and M. K. Khan, “A new authentication protocol for healthcare applications using wireless medical sensor networks with user anonymity,” Secur. Commun. Netw., vol. 9, no. 15, pp. 2643–2655, 2016.
[29] N. Koblitz, A. Menezes, and S. Vanstone, “The state of elliptic curve cryptography,” Des. Codes Cryptography, vol. 19, no. 2–3, pp. 173–193, 2000.
[30] A. Juels and M. Wattenberg, “A fuzzy commitment scheme,” in Proc. 6th ACM Conf. Comput. Commun. Secur., 1999, pp. 28–36.
[31] R. T. Chien, “Cyclic decoding procedures for Bose–Chaudhuri–Hocquenghem codes,” IEEE Trans. Inf. Theory, vol. 10, no. 4, pp. 357–363, Oct. 1964.
[32] D. Wang and P. Wang, “Two birds with one stone: Two-factor authentication with security beyond conventional bound,” IEEE Trans. Dependable Secure Comput., vol. 15, no. 4, pp. 708–722, Jul. 2018.
[33] D. Wang, W. Li, and P. Wang, “Measuring two-factor authentication schemes for real-time data access in industrial wireless sensor networks,” IEEE Trans. Ind. Inform., vol. 14, no. 9, pp. 4081–4092, Sep. 2018.
[34] M. Abdalla, M. Izabachene, and D. Pointcheval, “Anonymous and transparent gateway-based password-authenticated key exchange,” in Proc. Int. Conf. Cryptology Netw. Secur., 2008, pp. 133–148.
[35] L. Xu and F. Wu, “An improved and provable remote user authentication scheme based on elliptic curve cryptosystem with user anonymity,” Secur. Commun. Netw., vol. 8, no. 2, pp. 245–260, 2015.
[36] D. Pointcheval and S. Zimmer, “Multi-factor authenticated key exchange,” in Proc. Int. Conf. Appl. Cryptography Netw. Secur., 2008, pp. 277–295.
[37] C.-I. Fan and Y.-H. Lin, “Provably secure remote truly three-factor authentication scheme with privacy protection on biometrics,” IEEE Trans. Inf. Forensics Secur., vol. 4, no. 4, pp. 933–945, Dec. 2009.
[38] B. Blanchet, “An efficient cryptographic protocol verifier based on prolog rules,” in Proc. 14th IEEE Comput. Secur. Found. Workshop, Cape Breton, NS, Canada, 2001, pp. 82–96.
[39] N. Veyrat-Charvillon and F.-X. Standaert, “Generic side-channel distinguishers: Improvements and limitations,” in Proc. Annu. Cryptology Conf., 2011, pp. 354–372.

Xiong Li received the Ph.D. degree in computer science and technology from the Beijing University of Posts and Telecommunications, Beijing, China, in 2012. He is currently an Associate Professor with the School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan, China. He has authored and coauthored over 100 refereed papers. His current research interests include cryptography and information security. Dr. Li was a recipient of the 2015 Journal of Network and Computer Applications Best Research Paper Award.

Jieyao Peng received the masters degree in software engineering from the Hunan University of Science and Technology, Xiangtan, China, in 2018. Her research interests include authentication and key exchange protocols.

Mohammad S. Obaidat (S’85–M’86–SM’91–F’05) received the Ph.D. and M. S. degrees in computer engineering with a minor in computer science from The Ohio State University, Columbus, OH, USA. He is currently a Full Professor with the Electrical and Computer Engineering Department, Nazarbayev University, Astana, Kazakhstan. Dr. Obaidat is the Editor-in-Chief of the Wiley Security and Privacy Journal and the Wiley International Journal of Communication Systems. He serves also as Editor or Advisory Editor of many other journals, such as IEEE WIRELESS COMMUNICATIONS, IEEE SYSTEMS JOURNAL, Elsevier Computer Communications, IET Wireless Sensor Systems, among others. He is an internationally well known academic/researcher/scientist. He was the recipient of numerous worldwide awards for his technical and service contributions, such as the 2018 IEEE ComSoc Technical Achievement Award and the Amity University Distinguished Honorary Professor Award. He is also the People's Republic of China Ministry of Education Distinguished Professor at the University of Science and Technology, Beijing, China. He is a Fellow of Society for Modeling and Simulation International (SCS).

Fan Wu received the masters degree in computer software and theory from Xiamen University, Xiamen, China, in 2008. He is currently working as an Associate Professor with the Xiamen Institute of Technology. His current research interests include information security, internet protocols, and network management.

Muhammad Khurram Khan (M’07–SM’12) is currently a Full Professor with the Center of Excellence in Information Assurance, King Saud University, Riyadh, Saudi Arabia. He has authored and coauthored over 350 research papers in the journals and conferences of international repute. He has invented 10 U.S./PCT patents. Prof. Khan is the Editor-in-Chief of Telecommunication Systems Journal (Springer). He is a Fellow of the Institution of Engineering and Technology and British Computer Science, and a member of the IEEE Technical Committee on Security and Privacy, the IEEE Cybersecurity Community, and the IEEE Consumer Electronics Society.

Chaoyang Chen (M’16) received the Ph.D. degree in control science and engineering from the Huazhong University of Science and Technology, Wuhan, China, in 2014. He is currently an Associate Professor with the School of Information and Electrical Engineering, Hunan University of Science and Technology, Xiangtan, China. His research interests include networked control systems, complex networks, and multiagent systems.
