Cryptanalysis and Improvement of a Privacy-Preserving Three-Factor Authentication Protocol for Wireless Sensor Networks

Wireless sensor networks (WSNs) are of prominent use in unmanned surveillance applications. This peculiar trait of WSNs is actually the underlying technology of various applications of the Internet of Things (IoT) such as smart homes, smart cities, smart shopping complexes, smart traffic, smart health, and much more. Over time, WSNs have evolved as a strong base for laying the foundations of IoT infrastructure. In order to address the scenario in which a user wants to access the real-time data directly from the sensor node in wireless sensor networks (WSNs), Das recently proposed an anonymity-preserving three-factor authentication protocol. Das's protocol is suitable for resource-constrained sensor nodes because it only uses lightweight cryptographic primitives such as hash functions and symmetric encryption schemes as building blocks. Das's protocol is claimed to be secure against different known attacks by providing formal security proof and security verification using the Automated Validation of Internet Security Protocols and Applications tool. However, we find that Das's protocol has the following security loopholes: (1) By using a captured sensor node, an adversary can impersonate a legal user to the gateway node, impersonate other sensor nodes to deceive the user, and the adversary can also decrypt all the cipher-texts of the user; (2) the gateway node has a heavy computational cost due to user anonymity and thus the protocol is vulnerable to denial of service (DoS) attacks. We overcome the shortcomings of Das's protocol and propose an improved protocol. We also prove the security of the proposed protocol in the random oracle model. Compared with the other related protocols, the improved protocol enjoys better functionality without much enhancement in the computation and communication costs. Consequently, it is more suitable for applications in WSNs