SLUA-WSN: Secure and Lightweight Three-Factor-Based User Authentication Protocol for Wireless Sensor Networks

Wireless sensor networks (WSN) are composed of multiple sensor nodes with limited storage, computation, power, and communication capabilities and are widely used in various fields such as banks, hospitals, institutes, national defense, and research. However, useful services are susceptible to security threats because sensitive data in various fields are exchanged via a public channel. Thus, secure authentication protocols are indispensable to provide various services in WSN. In 2019, Mo and Chen presented a lightweight secure user authentication scheme in WSN. We discover that Mo and Chen's scheme suffers from various security flaws, such as session key exposure and masquerade attacks, and does not provide anonymity, untraceability, and mutual authentication. To resolve the security weaknesses of Mo and Chen's scheme, we propose a secure and lightweight three-factor-based user authentication protocol for WSN, called SLUA-WSN. The proposed SLUA-WSN can prevent security threats and ensure anonymity, untraceability, and mutual authentication. We analyze the security of SLUA-WSN through informal and formal analysis, including Burrows–Abadi–Needham (BAN) logic, the Real-or-Random (ROR) model, and Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation. Moreover, we compare the performance of SLUA-WSN with some existing schemes. The proposed SLUA-WSN provides better security and efficiency than previously proposed schemes and is suitable for practical WSN applications.


Introduction
Wireless sensor networks (WSN) are widely exploited in terms of enormous applicability [1] and have been used in various fields such as smart homes, smart factories, healthcare, and environmental monitoring [2][3][4][5][6][7][8]. Generally, WSN consist of a gateway node (GWN), a user, and a sensor node (SN) which are resource-limited in smart devices (things, sensors, etc.) [9]. SNs are deployed in various fields and collect a large amount of real-time data. GWN manages data collected by deployed SNs to provide services for legitimate users.
One of the application areas of WSN is a smart home with sensor devices, which provides a better daily life for users [10,11]. A smart home provides various services for users such as automatic checking of the temperature and humidity of the house and controlling light bulbs. However, it may cause serious privacy problems [12,13] because the data collected by SNs are exchanged through a public channel. If data collected by SNs is exposed, a malicious adversary can obtain the private information of users such as daily routines and habits in the house, and also can use the information for criminal purposes. Furthermore, in these application scenarios, smart devices are resource-constrained in terms of computation, communication, and storage overheads, and it is not suitable to apply asymmetric cryptosystems that generate high computational overheads [14]. Therefore, secure and lightweight authentication and key agreement protocols are indispensable to provide secure services for legal users in WSN environments. The secure and lightweight authentication and key agreement protocols must consider the following security requirements.

• Three-factor security: The protocol must meet the three-factor security to protect the legitimate user's privacy.
• Preventing well-known attacks: The protocol for WSN must be secure against potential attacks, including smart card stolen, masquerade, privileged insider, man-in-the-middle (MITM) attacks, and so on.
• Preventing sensor node capture attack: Even if some sensors are captured by a malicious adversary, it is hard for an adversary to pretend to be other sensors.
• Preventing offline password guessing attack: The protocol must prevent the guessing of the legitimate user's real password if a malicious adversary either intercepts the transmitted messages or approaches smart card contents.
• Preventing smart card stolen attack: In this attack it is assumed that a malicious adversary can attain the stored secret parameters on the smart card, thus the knowledge of attained parameters should not be enough for the malicious adversary to attain useful information to masquerade a legal user.
• Preventing privileged insider attack: The protocol must be secure to privileged insider attacks where the insider having privileges in the database may access the secret credentials and misuse the contents.
• Anonymity and untraceability: A malicious adversary cannot reveal and trace the real identity of a legitimate user.
• User authentication and key agreement: The protocol must mutually authenticate among entities and successfully establish a secure session key.
• Confidentiality: All transmitted messages communicated between the participants must be safely transmitted using a secret credential so that only legal participants can verify the message.
In 2019, Mo and Chen [15] proposed an elliptic curve cryptosystem (ECC)-based user authentication scheme for WSN. Mo and Chen claimed that their scheme prevents various attacks and provides user anonymity, untraceability, and authentication. However, we prove that their scheme suffers from many drawbacks, including masquerade and replay and session key exposure attacks, and does not provide user anonymity, untraceability, and mutual authentication. In addition, their scheme is not suitable for WSN environments because it requires high communication and computation costs. Consequently, we propose a secure and lightweight three-factor authentication protocol for WSN (SLUA-WSN), considering the efficiency of smart devices and improving the security level of Mo and Chen's scheme [15].

Contributions and Motivations
The main contributions of our paper can be summarized as follows.

• We propose a secure and lightweight authentication protocol for WSN to resolve the security problems of Mo and Chen's scheme utilizing secret parameters and biometrics.
• We perform the Burrows-Abadi-Needham (BAN) logic analysis [16] to evaluate that SLUA-WSN ensures secure mutual authentication. We also perform formal security analysis utilizing the Real-or-Random (ROR) model [17] to prove session key security of SLUA-WSN.
• We carry out the simulation analysis using the automated verification of internet security protocols and applications (AVISPA) [18,19] to evaluate that SLUA-WSN prevents against replay and MITM attacks.
• According to the security and performance analysis, we show that the proposed SLUA-WSN achieves better security along with more features, and provides efficient computational, communication, and storage overheads as compared with related schemes.
The motivations of our paper can be summarized as follows.
• Authentication and key agreement protocols for WSN are susceptible to well-known attacks, including sensor node capture, masquerade, and replay attacks.
• Authentication and key agreement protocols for WSN should provide useful convenience for legitimate users and take into account the security requirements.
• Secure and efficient user authentication protocols are essential in WSN, which take into account limitations for resource-constrained smart devices in terms of memory and battery capacity.
We propose a secure and lightweight three-factor authentication protocol for WSN to resolve the security weaknesses of Mo and Chen's scheme [15]. The proposed SLUA-WSN presents several advantages compared with existing authentication schemes: SLUA-WSN prevents potential attacks, including sensor node capture, replay, privileged insider, and masquerade attacks, and also ensures secure untraceability, user anonymity, and mutual authentication. SLUA-WSN also uses the fuzzy extractor technique to improve the security level of the two-factor-based protocol. Even if two of the three factors are exposed, SLUA-WSN is still secure. Furthermore, SLUA-WSN provides better efficient computation and communication costs with existing schemes because it only uses the hash and XOR operations. Thus, SLUA-WSN is suitable for practical WSN environments because it is more secure and efficient than related schemes.

Organization
The rest of this article is organized as follows. We introduce the related works for WSN environments in Section 2, and present the preliminaries of this paper in Section 3. Section 4 reviews Mo and Chen's scheme and then Section 5 proves the security shortcomings of Mo and Chen's scheme. Section 6 presents a secure and lightweight user authentication protocol for WSN environments to enhance the security shortcomings of Mo and Chen's scheme. Section 7 evaluates the security analysis of SLUA-WSN by performing informal and formal analysis, including BAN logic, ROR model, and AVISPA simulation. Section 8 presents the results of the performance analysis of the SLUA-WSN compared with those of the related schemes. Finally, we conclude the paper in Section 9.

Related Works
In the last few decades, numerous authentication protocols have been proposed to provide user privacy in the WSN environment [20][21][22][23][24][25]. In 1981, Lamport [26] presented the password-based authentication protocol using a single factor to provide user privacy and anonymity. However, Lamport's scheme [26] was fragile to offline password guessing attacks because it relied solely on the security of the password. To improve these security problems, Das [27] presented a two-factor authentication scheme using smartcard and password. Das [27] claimed that their scheme is secure and efficient because it uses only hash functions and prevents various attacks. However, some researchers [28,29] pointed out that Das's scheme [27] has various security drawbacks. Nyang and Lee [28] showed that Das's scheme [27] is fragile to the sensor node capture and offline password guessing attacks. Nyang and Lee [28] presented a secure authentication scheme in WSN to enhance the security problems of Das's scheme. In 2010, He et al. [29] proposed a two-factor user authentication scheme for WSN. However, in 2011, Kumar and Lee [30] discovered that He et al.'s scheme [29] cannot provide mutual authentication and generate a session key between each entity. Therefore, these smartcard-based two-factor authentication protocols [27][28][29] were fragile to various attacks.
Numerous biometric-based three-factor authentication protocols have been proposed [31][32][33] to resolve the above-mentioned security issues. Compared with the existing two-factor authentication schemes using a password and smartcard, biometrics (palms, irises, and fingerprints) cannot be stolen or lost because they are very difficult to forget or lose, copy, distribute, guess, break, and forge. Thus, biometric-based three-factor authentication has a higher security level than two-factor authentication.
In recent years, many three-factor authenticated key agreement protocols have been proposed to provide various services in WSN environments [34][35][36]. In 2018, Wu et al. [37] presented a secure three-factor user authentication scheme for WSN. However, in 2019, Mo and Chen [15] demonstrated that if the user inputs an incorrect password at the login process in Wu et al.'s scheme [37], the smartcard does not check whether the password is verified, and the protocol will proceed until GWN finds that the login request of the user was invalid, so GWN performs unnecessary computational resources. In 2017, Wang et al. [38] presented an enhanced three-factor user authentication scheme using ECC for WSN. Unfortunately, Wang et al.'s scheme [38] is susceptible to insider attack because the random nonce for the legitimate user is stored in the database of GWN, and the insider can access and modify it so user login can result in failure. In 2018, Li et al. [39] presented a three-factor-based authentication scheme for WSN in Internet of Things (IoT) environments with adoption of fuzzy extractor to provide high security level. However, Mo and Chen [15] pointed out that Li et al.'s scheme [39] cannot provide three-factor security if the stolen/lost smartcard is obtained by the adversary. In addition, their scheme [39] is not as secure as they claimed because the biometric of the user is collected by the adversary without the awareness of the legitimate user. In 2019, Li et al. [40] presented a secure three-factor-based user authentication protocol for wireless medical sensor networks. However, Mo and Chen [15] demonstrated that their scheme [40] is vulnerable to replay attacks. In 2019, Lu et al. [41] proposed a three-factor authenticated key agreement for WSN using ECC. 
However, Mo and Chen [15] proved that Lu et al.'s protocol [41] cannot withstand known session-specific temporary information (KSSTI) attacks and cannot provide three-factor security along with session key security. To improve the security drawbacks of Lu et al.'s scheme, Mo and Chen [15] presented a lightweight secure user authenticated key agreement scheme for WSN using ECC. Mo and Chen [15] claimed that their scheme can prevent potential attacks and can ensure anonymity, untraceability, and authentication. However, we analyze that Mo and Chen's scheme suffers from various security threats, such as session key exposure and masquerade attacks, and cannot ensure anonymity, untraceability, and mutual authentication. In addition, Mo and Chen's scheme is not practical for WSN because ECC makes the computation and communication overheads burden very heavy. Therefore, we propose a secure and lightweight three-factor user authentication protocol in WSN, considering the efficiency of smart devices and improving security shortcomings of Mo and Chen's scheme.

Preliminaries
This section introduces the preliminaries to improve the readability of this paper.

Fuzzy Extractor
This section briefly discusses the concepts of a fuzzy extractor [42]. The fuzzy extractor is a cryptographic method utilizing biometrics to perform secure authentication and it comprises two operations, the generator (Gen) and reproduction (Rep), which are presented below.

2.
Rep : When a noisy biometric Bio new is imprinted, Rep reproduces ρ using value σ, where σ is public reproduction value related with Bio.

Attacker Model
We present the well-known Dolev-Yao (DY) threat model [43] to examine the security of SLUA-WSN. In the DY model, the capabilities of the attacker are as follows.

• Referring to the DY model [43], an attacker can inject, delete, intercept, and eavesdrop the data exchanged over wireless networks.
• A malicious attacker can steal the smart card of legal users and can extract secret credentials stored in memory utilizing power-analysis [44].
• After obtaining the secret credentials of smart card, a malicious attacker may attempt various attacks, including the masquerade, offline password guessing, privileged insider, forward secrecy attacks, and so on [45,46].

System Model
In 2013, Xue et al.'s scheme [47] introduced the five basic authentication mechanism models for WSN. We adopt the first authentication mechanism model presented by Xue et al.'s scheme [47]. This authentication model for WSN consists of three entities: the user, the SN, and the GWN, as shown in Figure 1. Initially, the user contacts GWN to initiate the key agreement between them and the SN. In contrast, the SN checks whether the user is legitimate and performs mutual authentication through a GWN. As a result, this model enables mutual authentication between all entities and establishes key agreement between users and corresponding sensor nodes.

[Figure 1: diagram of the user, gateway node, Internet, and sensor node.]

Review of Mo and Chen's Scheme
Mo and Chen's scheme [15] presented a secure authentication protocol to provide useful services in WSN. This protocol comprises three entities: the user, the SN, and the GWN. Mo and Chen's scheme has four processes: pre-deployment, user registration, authentication, and password update. In the pre-deployment process, the gateway node (GW N) selects a unique identity SID j for each sensor (S j ) and computes K j = h(SID j ||X GW N ). Then, GW N sends {SID j , K j , P} to S j through a secure channel. Finally, S j stores {SID j , K j , P} in memory. During the user registration process, the GW N issues a smartcard to the legal user who wants to request registration through a secure channel and then helps the agreement of the session key between the S j and the user. They presented a password update process to maintain a high level of security. Figure 2 shows the registration process of Mo and Chen's scheme, and also the detailed steps involved in the authentication and key agreement process of Mo and Chen's scheme are as shown in Figure 3. Furthermore, the password update process is described in the following subsections. Table 1 presents the notations used in this paper.
Figure 3. Authentication process of Mo and Chen's scheme.

Password Update Process
If the authorized user requests a new password, Mo and Chen's scheme can update the password from the gateway as follows.
Step 1: U i inputs ID i and the old PW i and imprints Bio * , and inserts the smartcard (SC) in the reader. After that, the SC calculates Gen( If the condition is false, the communication is aborted.

Security Flaws of Mo and Chen's Scheme
We discuss the security flaws of Mo and Chen's scheme, including session key exposure and masquerade attacks. Furthermore, we discover that Mo and Chen's scheme cannot ensure user anonymity, untraceability, and mutual authentication.

Masquerade Attack
In this attack, a malicious attacker (MA) may attempt to impersonate legal users through stolen smartcard. According to Section 3.2, we assume that MA is able to extract the secret credentials {A i , B i , τ i , f i } stored in the smart card. Furthermore, MA can intercept the messages exchanged over the wireless network. Therefore, MA can perform the masquerade attack as shown in the following detailed steps.
Step 1: . After that, the MA generates the two random numbers e MA , a MA and computes m 1MA
Step 2: Upon getting the M 1 , the GWN verifies the validity of T 1 . If it is equal,
Step 3: After getting the M 2 , the S j verifies the T 2 . If it is equal, the S j calculates e k = h(SID j ||K j ) and decrypts m 6 to get (e MA , PID new i ). After that, the S j calculates and then checks m 7 ? = m 7 . If the condition is equal, the S j selects a random number b j and timestamp T 3 . Then, S j computes m 8 = b j P,
Step 5: After getting the M 4 , the MA checks the T 4 and calculates and checks m 12MA
As a result, Mo and Chen's scheme cannot prevent the masquerade attack because the MA can impersonate a legitimate user successfully.

Session Key Exposure Attack
Mo and Chen claimed that their scheme could prevent the session key exposure attack because an MA could not obtain the secret credentials. However, according to Section 5.1, we prove that the MA is able to impersonate a legal user U i and calculate the session key SK as follows. Referring to Section 3.2, the MA can extract secret credentials {A i , B i , τ i , f i } stored in the smartcard. Then, the MA is able to intercept the exchanged messages between U i , GW N, and S j via wireless networks. If so, the MA can calculate e i , PID new i and (ID i ||SID j ). After that, the MA selects random numbers e MA , a MA and can successfully generate new messages {m 1MA , m 2MA , m 3MA , m 4MA , m 5MA } by utilizing e MA and a MA . Consequently, the MA can successfully perform the session key exposure attack by calculating SK MA−S = h(a MA ||m 8 ||PID new i ||SID j ||e MA ) and disguise itself as a legitimate user.

Anonymity and Untraceability
Referring to Section 5.1, the MA can trace a legitimate user U i and can obtain the real Mo and Chen's scheme does not ensure user anonymity and untraceability.

Mutual Authentication
Mo and Chen's scheme asserted that their scheme provides secure mutual authentication among the U i , GW N, and S j . However, referring to Section 5.1, the MA can generate authentication , and then can calculate session key SK MA−S = h(a MA ||m 8 ||PID new i ||SID j ||e MA ). As a result, we prove that their scheme cannot provide correct mutual authentication among U i , GW N, and S j .

Proposed Scheme
We present a secure and lightweight user authentication protocol in WSN to improve the security flaws of [15]. The proposed SLUA-WSN comprises the same processes as Mo and Chen's scheme. The details of the four processes are shown below.

Pre-Deployment Process
This process is similar to the pre-deployment process given in Mo and Chen's scheme [15]. In Figure 4, we show the user registration process of SLUA-WSN and the detailed steps are below.

[Figure 4: diagram between Gateway node (GW N) and Sensor node (S j ).]
Step 1: GW N selects a unique identity SID j for sensors and computes X j = h(SID j ||K GW N ). Finally, GW N sends {SID j , X j } to the S j over a secure communication.
Step 2: Upon receiving the messages, the S j stores them in secure memory.

User Registration Process
The U i must register within GW N to access various services. In Figure 5, we show the user registration process of SLUA-WSN and the detailed steps are below.
Figure 5. User registration process of our scheme.
Step 1: U i inputs the ID i and PW i and imprints biometric BIO i . Then, the U i computes Gen(BIO)= R i , P i and MPW i = h(PW i ||R i ), and sends {ID i , MPW i } to the GW N over a secure communication.
Step 2: After reception of messages, the GW N generates a random nonce r g and calculates , and then stores {r g } in secure database. After that, the GW N stores {Q i , W i , MID i } in the smart card and issues it to the U i .

Authentication Process
After performing the registration process, the registered U i requests authentication to the GW N in order to establish the session key. In Figure 6, we show the authentication process of SLUA-WSN and the detailed steps are below.

[Figure 6: message flow between User (Ui), Gateway node (GW N), and Sensor node (Sj).]
Step 1: U i first inserts the smart card and inputs ID i and PW i . Then, the U i imprints BIO i and computes , and then checks W * i ? = W i . If the condition is valid, the U i generates a random nonce R u and a timestamp T 1 . The U i computes M 1 = X i ⊕ R u , CID i = (ID i ||SID j ) ⊕ h(MID i ||R u ||X i ), and M UG = h(ID i ||R u ||X i ||T 1 ), and sends {M 1 , MID i , CID i , M UG , T 1 } to the GW N over an insecure channel.
Step 2: Upon reception of messages, the GW N checks the validity of T 1 and calculates and M * UG = h(ID i ||R u ||X i ||T 1 ) and then, checks M * UG ? = M UG . If the condition is correct, the GW N calculates M 2 = (R u ||R g ) ⊕ h(SID j ||X j ||T 2 ) and M GS = h(MID i ||SID j ||R u ||R g ||X j ||T 2 ), and sends {M 2 , MID i , M GS , T 2 } to the S j .
Step 3: After reception of messages, the S j checks the validity of T 2 and computes (R u ||R g ) = M 2 ⊕ h(SID j ||X j ||T 2 ) and M * GS = h(MID i ||SID j ||R u ||R g ||X j ||T 2 ) and checks M * GS ? = M GS . If it is valid, the S j generates a random nonce R s and timestamp T 3 and calculates and M SU = h(SK||R s ||R u ||SID j ||MID i ), and then sends {M 3 , M SG , M SU , T 3 } to the GW N over an insecure channel.
Step 4: Upon reception of messages, the GW N checks the validity of T 3 and calculates and checks M * If it is valid, the GW N generates a timestamp T 4 and computes MID new
Step 5: After reception of messages, the U i checks the validity of T 4 and computes
Consequently, the U i , the GW N and S j are mutually authenticated successfully.
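The GWN-to-sensor leg of Steps 2 and 3, together with the pre-deployment value X j = h(SID j ||K GW N ), written out as an added example that is not code from the paper. SHA-256 stands in for h(·); the 16-byte nonces, the length-prefixed field encoding, the 5-second freshness window, the sample identifiers, and all function names are assumptions.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16  # assumed nonce size; R_u||R_g then matches SHA-256's 32 bytes
DELTA_T = 5     # assumed timestamp freshness window, in seconds


def h(*fields: bytes) -> bytes:
    """h(a||b||...): SHA-256 as a stand-in; fields are length-prefixed (assumption)."""
    d = hashlib.sha256()
    for f in fields:
        d.update(len(f).to_bytes(2, "big") + f)
    return d.digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    """Fixed-width encoding of a timestamp for hashing."""
    return t.to_bytes(8, "big")


def predeploy(sid_j: bytes, k_gwn: bytes) -> bytes:
    """Pre-deployment: X_j = h(SID_j || K_GWN), stored on the sensor."""
    return h(sid_j, k_gwn)


def gwn_send(mid_i, sid_j, x_j, r_u, r_g, t2):
    """Step 2 (GWN side): build {M_2, MID_i, M_GS, T_2}."""
    m2 = xor(r_u + r_g, h(sid_j, x_j, ts(t2)))
    m_gs = h(mid_i, sid_j, r_u, r_g, x_j, ts(t2))
    return {"M2": m2, "MID": mid_i, "M_GS": m_gs, "T2": t2}


def sensor_receive(msg, sid_j, x_j, now):
    """Step 3 (S_j side): check T_2, unmask (R_u||R_g), verify M_GS."""
    if abs(now - msg["T2"]) > DELTA_T:
        return "stale timestamp", None
    if len(msg["M2"]) != 2 * NONCE_LEN:
        return "malformed M2", None
    nonces = xor(msg["M2"], h(sid_j, x_j, ts(msg["T2"])))
    r_u, r_g = nonces[:NONCE_LEN], nonces[NONCE_LEN:]
    expected = h(msg["MID"], sid_j, r_u, r_g, x_j, ts(msg["T2"]))
    if not hmac.compare_digest(expected, msg["M_GS"]):  # constant-time compare
        return "M_GS mismatch", None
    return "ok", (r_u, r_g)


def demo():
    """Run one genuine delivery and four rejected ones on constructed values."""
    k_gwn = os.urandom(32)
    sid_a, sid_b = b"SN-A", b"SN-B"           # constructed sensor identities
    x_a, x_b = predeploy(sid_a, k_gwn), predeploy(sid_b, k_gwn)
    r_u, r_g = os.urandom(NONCE_LEN), os.urandom(NONCE_LEN)
    t2 = 1_700_000_000                        # constructed timestamp
    msg = gwn_send(b"MID-constructed", sid_a, x_a, r_u, r_g, t2)

    results = {}
    status, nonces = sensor_receive(msg, sid_a, x_a, now=t2 + 1)
    results["genuine"] = status
    results["nonces_recovered"] = nonces == (r_u, r_g)
    # Same message delivered a minute later: rejected by the freshness check.
    results["replayed_later"] = sensor_receive(msg, sid_a, x_a, now=t2 + 60)[0]
    # Old message with only T_2 rewritten: the mask and M_GS both bind T_2.
    refreshed = dict(msg, T2=t2 + 60)
    results["replayed_with_new_T2"] = sensor_receive(
        refreshed, sid_a, x_a, now=t2 + 60)[0]
    # One bit of M_2 flipped in transit.
    flipped = dict(msg, M2=bytes([msg["M2"][0] ^ 1]) + msg["M2"][1:])
    results["tampered_M2"] = sensor_receive(flipped, sid_a, x_a, now=t2 + 1)[0]
    # A different sensor's X_j does not validate a message bound to SN-A.
    results["other_sensor_key"] = sensor_receive(msg, sid_b, x_b, now=t2 + 1)[0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Because T 2 enters both the mask h(SID j ||X j ||T 2 ) and M GS , a replay fails either the freshness check or the hash check, and a message bound to one sensor's X j does not verify under another's.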

Password Change Process
In SLUA-WSN, an authorized U i can freely update their password. The detailed steps of the password change process are below.
Step 1: U i inputs ID i and PW i and imprints biometric BIO i . After that, the U i computes Gen(BIO )= R i , P i and MPW i = h(PW i ||R i ) and then sends {ID i , MPW i } to the SC over a secure communication.
Step 2: Upon reception of messages, the SC calculates X i = Q i ⊕ h(MID i ||MPW i ) and W i = h(MPW i ||X i ) and sends authentication message to the U i .

Security Analysis
This section assesses the security of SLUA-WSN by using informal and formal security analysis such as BAN logic, ROR model, and AVISPA simulation, which are widely known security models.

Informal Security Analysis
The security of SLUA-WSN is assessed by performing an informal security analysis. We show that SLUA-WSN can resist potential security threats, including masquerade, sensor node capture, replay, and privileged insider attacks, and ensure secure authentication and anonymity.

Masquerade Attack
In this attack, the MA attempts to masquerade a legitimate user by intercepting messages transmitted over an insecure channel. However, the MA cannot generate the request messages {M 1 , MID i , CID i , M UG } in the proposed SLUA-WSN correctly. The MA cannot compute the request messages because MA cannot get U i 's real identity ID i , the biometric BIO, and the random nonce R u . As a result, SLUA-WSN resists masquerade attacks.

Replay Attack
Assuming that the MA attempts the replay attack utilizing previously exchanged data over an insecure channel, even if the MA intercepts the request message {M 1 , MID i , CID i , M UG , T 1 } in the previous session, the proposed SLUA-WSN verifies the freshness of the timestamp. In addition, the request messages are protected with secret parameter X i and random nonce R u . Thus, SLUA-WSN prevents replay attacks.

Sensor Node Capture Attack
As sensor nodes are typically placed in unmanned or hostile areas, the MA can easily capture sensor nodes. However, each S j has a unique SID j and a secret parameter X j . Even if some sensor nodes are captured by the MA, it is difficult for the MA to impersonate another sensor. Therefore, the MA does not have any ability to compromise other SK established between the U i and non-compromised S j . Thus, SLUA-WSN prevents sensor node capture attacks.

Privileged Insider Attack
In this attack, the privileged insider is able to access the password of the user stored in GW N and disguises the user to log in to other systems. However, the user in the proposed SLUA-WSN only sends {ID i , MPW i } to the GW N during the registration process. Consequently, SLUA-WSN prevents privileged insider attacks because the privileged insider cannot obtain the real password of the legitimate user.

Anonymity and Untraceability
We assume that the MA can extract secret credentials stored in a smartcard and is able to eavesdrop the message exchanged in each session. However, the MA cannot trace a legal user U i because all

Security Properties
We present the security properties of SLUA-WSN compared to those of the existing schemes [15,[37][38][39][40][41]. Table 2 tabulates the security and functionality features of the proposed SLUA-WSN and other existing schemes. According to Table 2, previous schemes [15,[37][38][39][40][41] suffer from various attacks, and also their schemes cannot ensure anonymity, untraceability, and mutual authentication. In contrast, SLUA-WSN ensures mutual authentication, anonymity, and untraceability and prevents various attacks. Thus, the proposed SLUA-WSN offers superior security and more functionality features compared with existing schemes.
•: it supports security properties; ×: it does not support security properties;

Formal Security Analysis Using BAN Logic
We perform the BAN logic to demonstrate the mutual authentication of SLUA-WSN. We present notations utilized for BAN logic in Table 3.

Goals
We define the following security goals to prove that the proposed SLUA-WSN is capable of performing secure mutual authentication.

Idealized Forms
The idealized form messages of SLUA-WSN are as below.

Assumptions
In the following, the assumptions used in BAN logic are summarized.

Formal Security Analysis Using ROR Model
We perform the ROR model [17] to evaluate the session key (SK) security of SLUA-WSN from the malicious attacker MA. Initially, we introduce the ROR model [17] before performing the analysis of SK security for SLUA-WSN.
In the ROR model, the malicious attacker MA interacts with $P^t$, the $t$-th instance of the executing participant. Furthermore, there are three participants: the user $P^{t_1}_{U_i}$, gateway $P^{t_2}_{GWN}$, and sensor $P^{t_3}_{S_j}$, which are the $t_1$-th instance of $U_i$, the $t_2$-th instance of GWN, and the $t_3$-th instance of $S_j$, respectively. In Table 4, we define various queries for ROR model to evaluate security analysis such as Execute, CorruptSC, Reveal, Send, and Test. Furthermore, a one-way hash function h(·) is modeled as a random oracle Hash. We utilize Zipf's law [48] to evaluate SK security of SLUA-WSN.

Table 4. Queries of the Real-or-Random (ROR) model.

Query Description
Execute denotes that MA performs the passive attack by eavesdropping transmitted messages between legitimate participants over an insecure channel.

CorruptSC(P t 1 U i )
CorruptSC is modeled that the smartcard stolen attack, in which the MA can extract the secret credentials stored in the smartcard.

Send(P t , M)
Using this query, the MA can transmit a message M to the instance P t and also can receive accordingly.

Test(P t )
Test corresponds to the semantic security of the SK between U i and S j following the indistinguishability style in the ROR model [17]. In this query, an unbiased coin c is flipped prior to the starting of the experiment. If the MA performs the Test query and the corresponding SK is fresh, P t returns SK when c = 1 or a random number when c = 0; otherwise, it delivers a null value (⊥).

Reveal(P t )
Using this query, the current SK generated by its partner is revealed to the adversary MA.

Theorem 1. Let Adv MA denote the advantage function of the MA in violating the SK security of SLUA-WSN. Then, we can derive the following.
where q h , |Hash|, and q send are the number of Hash, the range space of Hash, and the number of Send queries, respectively. Furthermore, C, l b , and s are parameters used in Zipf's laws [48].

Proof 1.
We define the following four games, namely, G i (i ∈ [0, 3]). We indicate that Succ i is the probability of MA winning the G i . All G i are described in detail as shown below.
• Game G 0 : The first game G 0 is considered as a passive attack executed by the MA in the proposed protocol P, as the bit c is guessed randomly at the beginning of G 0 . According to this game, the following is obtained.
• Game G 1 : This G 1 considers the scenario where MA simulates the eavesdropping attack in which the transmitted messages are intercepted during the authentication process using the Execute query. After eavesdropping transmitted messages, the MA performs the Reveal and Test queries to verify whether it is the SK or a random number. The MA needs the secret parameters, such as R u , R s , X i , and X j , to derive SK = h(R u ||R s ). Thus, eavesdropping on the transmitted messages does not help the MA at all in increasing the winning probability of G 1 . According to this game, the following is obtained.
and key agreement process. However, all exchanged messages are safeguarded using the hash function h(·). Furthermore, the random numbers R u and R s are not derived from the intercepted exchanged messages because the random numbers are protected by hash function h(·). By applying the birthday paradox [49], we can derive the following.
• Game G 3 : G 3 is simulated using CorruptSC query. In this game, the MA is able to extract the secret credentials {Q i , W i , MID i } from a smartcard's memory using the power analysis attack. Generally, a user utilizes the low-entropy password. Using SC's stored secret credentials {Q i , W i , MID i }, the MA may try to extract the password PW i by performing a password guessing attack. However, in the proposed protocol, the MA cannot obtain password PW i of the legitimate user correctly through the Send query without GW N's master key K GW N and secret parameter X i . Furthermore, the probability of guessing the biometric secret key b i of l b bits by the MA is approximately $1/2^{l_b}$. Thus, the G 2 and G 3 are indistinguishable if biometric/password guessing attacks are not present. Consequently, by applying Zipf's law [48], the following is obtained.
When all the games are executed, the MA should guess the correct bit c. Consequently, we can obtain the following result.
As a result, multiplying both sides of Equation (7) by a factor of two, the following result is obtained.

AVISPA Simulation
We use the AVISPA simulation tool [18,19] to prove the security of SLUA-WSN against MITM and replay attacks. To perform the AVISPA simulation, the environment and session of the protocol must be implemented using the High-Level Protocol Specification Language (HLPSL) [50].

HLPSL Specification
Referring to HLPSL, we consider three roles: $U_i$, the $GWN$, and $S_j$. We present the environment and session using HLPSL in Figure 7, which also contains the security goals. In Figure 8, $U_i$ initially receives the message and updates the state value from 1 to 2. After that, $U_i$ transmits the registration request message $\{ID_i, MPW_i\}$ to the $GWN$ over a secure channel. Then, $U_i$ receives the {smartcard} from the $GWN$ and changes the state value from 1 to 2. In the authentication process, $U_i$ sends an authentication request message $\{M_1, MID_i, CID_i, M_{UG}, T_1\}$ to the $GWN$ over a public channel. Thus, $U_i$ declares witness(UA, GA, ua_ga_ru, RU) from the $GWN$, and then changes the state value from 2 to 3. Then, $U_i$ receives the authentication response messages = $M_{SU}$. If it is correct, $U_i$, the $GWN$, and $S_j$ are mutually authenticated successfully. The HLPSL role specifications of the $GWN$ and $S_j$ are defined similarly. Figures 9 and 10 show the role specifications of the $GWN$ and $S_j$.

AVISPA Simulation Result
We present the AVISPA simulation result to demonstrate the security of the SLUA-WSN utilizing On-the-Fly Model Checker (OFMC) and Constraint-Logic-based ATtack SEarcher (CL-AtSe) back-ends. The OFMC and CL-AtSe back-ends verify whether a legitimate entity is able to execute the protocol by searching for a passive attacker. In addition, CL-AtSe and OFMC back-ends check that the SLUA-WSN is secure against the replay and MITM attacks based on the DY model. According to Figure 11, the proposed SLUA-WSN is secure against MITM and replay attacks. Moreover, the result of OFMC validation shows that the search time was 4.11 s for visiting 520 nodes, and the result of the CL-AtSe validation analyzed three states and the translation time was 0.10 s. We provide similar AVISPA simulation results as adopted in [51–55].

Figure 11. AVISPA simulation results using On-the-Fly Model Checker (OFMC) and Constraint-Logic-based ATtack SEarcher (CL-AtSe).

Computation Overheads
This section compares the computation overhead of SLUA-WSN with those of related schemes [15,37–41] during the authentication process. We use the following parameters to evaluate the computation overhead. Referring to the work in [15], $T_m$, $T_R$, $T_S$, and $T_h$ denote the execution time for point multiplication (≈ 7.3529 ms), rep operation (≈ 7.3529 ms), symmetric encryption/decryption (≈ 0.1303 ms), and hash function (≈ 0.0004 ms), respectively. The execution time of the XOR operation is not included because it is negligible. Table 5 shows the results of the computation overhead comparison. Consequently, SLUA-WSN provides a more efficient computation cost compared with the other existing schemes [15,37–41].

Conclusions
In this paper, we proved that Mo and Chen's scheme suffers from various security flaws, such as session key exposure and masquerade attacks, and does not provide anonymity, untraceability, and authentication. We proposed a secure and lightweight user authentication protocol in WSN environments utilizing biometric and secret parameters to resolve the security drawbacks of Mo and Chen's protocol. SLUA-WSN prevents various attacks, including sensor node capture, masquerade, and privileged insider attacks. We demonstrated that the proposed SLUA-WSN ensures secure mutual authentication between $U_i$, the $GWN$, and $S_j$ by performing BAN logic. We also proved the security of SLUA-WSN by performing formal security analysis using the ROR model and AVISPA simulation. We compared the performance of SLUA-WSN in terms of computation, communication, and storage overheads with existing schemes. Consequently, the proposed SLUA-WSN provided a great improvement in terms of the security level compared with three-factor-based related schemes and also preserved the low computation and communication overheads using only hash and XOR operations. Therefore, the proposed SLUA-WSN provides better security and efficiency than related schemes and is suitable for practical WSN environments.