Design of an anonymity-preserving three-factor authenticated key exchange protocol for wireless sensor networks

Recently, Farash et al. pointed out some security weaknesses of Turkanovic et al.'s protocol, which they extended to enhance its security. However, we found some problems with Farash et al.'s protocol, such as a known session-specific temporary information attack, an off-line password-guessing attack using a stolen-smartcard, a new-smartcard-issue attack, and a user-impersonation attack. Additionally, their protocol cannot preserve user anonymity, and the secret key of the gateway node is insecure. The main intention of this paper is to design an efficient and robust smartcard-based user authentication and session key agreement protocol for wireless sensor networks that use the Internet of Things. We analyze its security, proving that our protocol not only overcomes the weaknesses of Farash et al.'s protocol, but also preserves additional security attributes, such as the identity change and smartcard revocation phases. Moreover, the results of a simulation using AVISPA show that our protocol is secure against active and passive attacks. The security and performance of our work are also compared with a number of related protocols. (C) 2016 Elsevier B.V. All rights reserved.