PSAP-WSN: A Provably Secure Authentication Protocol for 5G-Based Wireless Sensor Networks

Nowadays, the widespread application of 5G has promoted rapid development in different areas, particularly in the Internet of Things (IoT), where 5G provides the advantages of higher data transfer rate, lower latency, and widespread connections. Wireless sensor networks (WSNs), which comprise various sensors, are crucial components of IoT. The main functions of WSN include providing users with real-time monitoring information, deploying regional information collection, and synchronizing with the Internet. Security in WSNs is becoming increasingly essential because of the across-the-board nature of wireless technology in many fields. Recently, Yu et al. proposed a user authentication protocol for WSN. However, their design is vulnerable to sensor capture and temporary information disclosure attacks. Thus, in this study, an improved protocol called PSAP-WSN is proposed. The security of PSAP-WSN is demonstrated by employing the ROR model, BAN logic, and ProVerif tool for the analysis. The experimental evaluation shows that our design is more efficient and suitable for WSN environments.

In the last two or three decades, people's lives have continuously improved with the vigorous development of the Internet. Expectations for quality of life have generally increased. However, traditional electronic devices cannot meet the growing needs of people. With the rapid development of IoT, sensors joined IoT to form wireless sensor networks (WSNs) [11][12][13], meeting people's needs for work, production, study, entertainment, and other aspects. Sensors are ubiquitous in everyday life. As shown in Fig. 1, different types of sensors are deployed in homes, hospitals, schools, and other environments. In hospitals, patients are equipped with sensors to self-monitor physiological indicators, and doctors can remotely analyze these data to provide timely medical services to patients. Sensors are placed in schools or homes to collect temperature, carbon monoxide, or pyroelectric data. Although WSNs make people's lives more efficient and convenient, they also create security problems [14][15][16]. For example, in 2016, a massive network outage in the eastern United States was caused by hackers who exploited vulnerabilities in communication protocols through a distributed denial-of-service attack [17,18]. Therefore, security is a significant problem that must be solved in WSNs [19,20]. In a typical WSN, two vital security issues must be carefully considered. First, because all sensing data are transmitted through a public channel, the data must be encrypted. Second, all members in a WSN should authenticate each other before sending data [21,22]. Many authentication protocols have been proposed to overcome these two security issues [23][24][25].
Recently, Yu et al. [26] proposed an authentication protocol called SLUA-WSN, declaring that it is secure against various attacks. Nevertheless, their design remains insecure against temporary information disclosure and sensor capture attacks [26]. To address these vulnerabilities, in this study, a novel authentication protocol, called PSAP-WSN, is proposed. To demonstrate that PSAP-WSN is secure and addresses the vulnerability issues, the ROR model, BAN logic, and ProVerif tools, which are three effective methods for proving the security of an authentication protocol, were employed. In addition, a performance evaluation was conducted to demonstrate that PSAP-WSN is suitable for WSN environments.
The remainder of this paper is organized as follows. In Sections 2 and 3, related work and Yu et al.'s protocol are described, respectively. In Section 4, it is demonstrated that Yu et al.'s protocol is insecure. In Section 5, new solutions are proposed. In Sections 6 and 7, a security analysis and performance evaluation are provided, respectively.

Related Work
5G requires powerful security and privacy solutions because it connects all aspects of a communication network. Various security mechanisms have been proposed for 5G applications. In 2019, Lu et al. [27] recognized the crucial challenges of security and privacy in 5G vehicle-to-everything. In 2020, Liu et al. [28] proposed a federated learning framework to make 5G environments secure. In 2021, Afaq et al. [29] recognized essential security issues in 5G networks. Then, Yahaya et al. [30] proposed a privacy handover scheme for SDN-based 5G networks. In 2022, Yahaya et al. [30] provided an energy trading model for a 5G-deployed smart community based on blockchain technology.
Various authentication protocols have been proposed for WSNs. In 2015, Chang et al. [31] proposed an authentication protocol for protecting user privacy. However, some parameters of their protocols are not protected. Anonymity and backward confidentiality attacks may occur when users lose their smart cards. In 2017, Lu et al. [32] presented a three-factor authentication protocol with anonymity. In 2019, Mo et al. [33] analyzed Lu et al.'s protocol and concluded that it did not provide three-factor security. Therefore, an improved protocol was proposed. In 2020, Yu et al. [26] indicated that their protocol [33] was insecure against camouflage and session key exposure attacks. In addition, this protocol [33] does not provide anonymity. In 2020, Almuhaideb et al. [34] analyzed Yu et al.'s protocol and noted loopholes. Security problems occur if an adversary obtains both random numbers and sensitive information stored in a smart card. However, we believe that this attack is not reasonable because an adversary should simultaneously obtain two types of secret information.

Revisit SLUA-WSN
Here, Yu et al.'s design, which consists of sensor registration, user registration, and login and authentication phases, is revisited. The symbols and notations used are listed in Table 1.

Sensor Registration Phase
Assuming that a sensor $S_j$ desires to enter a WSN, $S_j$ must first register with the gateway GWN. GWN selects identity $SID_j$ for $S_j$ and calculates $X_j = h(SID_j \| K_{GWN})$. Subsequently, GWN transmits $\{SID_j, X_j\}$ to $S_j$.

User Registration Phase
1. U i enters his ID i , PW i and BIO i and then calculates Gen where Gen is a fuzzy extractor operation and U i transmits . GWN deposits R g in its own database and further issues a smart card storing

Login and Authentication Phase
1. With the smart card, U i inputs ID i , PW i , and BIO i , and obtains where Rep is another fuzzy extractor operation. U i then calculates and verifies whether W * i is equal to W i . If it is equal, U i generates R u and T 1 and calculates GWN examines the freshness of T 1 and obtains M * UG by calculating 3. S j examines the freshness of T 2 and calculates (R u . S j checks whether M * GS and the received M GS are equal. Next, S j generates R s and T 3 , calculates and finally calculates the session key SK = h(R u ||R s ) and after checking the freshness of T 3 . GWN then checks whether M * SG and the received M SG are equal. Next, GWN computes MID new In addition, U i verifies whether M * GU is equal to the received M GU . If they are equal, U i obtains the session key SK = h(R u ||R s ).

Attacks on the SLUA-WSN Protocol
This section analyzes the SLUA-WSN protocol [26]. The adversary model utilized in this study is presented, demonstrating that SLUA-WSN is insecure against sensor node capture and temporary information leakage attacks.

Adversary Model
The Dolev-Yao (DY) model [35] is a widely used and reasonable adversary model for analyzing authentication protocols [36]. Under the DY model, the protocol can be thoroughly and reasonably cryptanalyzed. Therefore, the DY model was used as the adversary model, with A denoting an attacker. The detailed attack capabilities are described below:
1. A can intercept/modify/delete messages submitted via a public channel.
2. A can steal temporary variables used in the process of an authentication protocol.
3. A can crack parameters stored in a smart card [37], implying that, once the user's smart card is stolen, sensitive parameters in this smart card will also be compromised by A.
4. A can capture the sensor and obtain the information stored in it.

Sensor Node Capture Attack
According to the DY model, after capturing a sensor, A can capture the sensitive parameters stored therein. Various authentication protocols have considered this attack [38][39][40][41].
Assume that A captures a sensor S j , and then A performs the following steps: Evidently, the SLUA-WSN protocol [26] cannot effectively resist sensor node capture attacks.

Temporary Information Leakage Attack
As mentioned in the adversary model, A steals temporary variables during the authentication process. Various authentication protocols have considered this attack [41][42][43].
Suppose that A obtains {R u }, which is a temporary variable in this protocol. The following steps are then performed:

PSAP-WSN
This section describes, in detail, the proposed PSAP-WSN, which consists of the pre-processing, user registration, login, and authentication phases. The symbols used in PSAP-WSN are listed in Table 2.
Gen(·)/Rep(·): Generation/reproduction process of fuzzy extractor
$ENC_{PU}()$/$DES_{PR}()$: Public and private key encryption and decryption of gateway node
SK: Session keys produced by
A: The attacker
h(·): One-way hash function
x||y: Concatenation
⊕: Exclusive-or operation

Pre-Processing Phase
GWN has to prepare some parameters for the sensors before they are deployed. This phase does not significantly differ from the SLUA-WSN protocol [26]. Fig. 2 illustrates this process. The detailed steps are as follows: (1) GWN chooses the unique SUID j for S j and uses its own key (2) S j stores them in its local memory.

User Registration Phase
All users need to register with GWN before entering the network. Assume that U i desires to join this network; then, the user registration phase is initiated. In Fig. 3, the procedure followed in this phase is displayed. The detailed steps are as follows. Note that this phase is executed through a secure channel.
1. U i inputs UID i , UPW i and UBIO i and computes Gen( GWN issues a smart card to U i , which stores UB i , UC i , and MUID i . GWN also stores R n , UR i and S in its database.

Login and Authentication Phase
This phase is performed when the user is expected to connect to a specific sensor. Fig. 4 illustrates this process. Suppose that U i wishes to connect to S j ; the following steps are then executed: (1) U i inserts his smart card and inputs UBIO i , UID i , and UP i . U i then computes The smart card checks whether UC i equals UC i . Subsequently, U i generates R u and T 1 and calculates (2) GWN checks the freshness of . Now, GWN verifies whether K UG is equal to the K UG that GWN received. If they are the same, GWN further calculates M 2 = (R u ||R g ) ⊕ h(SUID j ||UA j ||T 2 ) and . Now, S j verifies the correctness K GS . Then, S j generates R s and T 3 and calculates N = ENC PU (R s ), GWN confirms the freshness of T 3 and computes R s = DES PR (N) and K SG = h(R s ||R g ||SUID j || UA j ||T 3 ). Then, GWN confirms the correctness of K SG . After that, GWN calculates

Security Analysis
This section demonstrates that PSAP-WSN is provably secure against different attacks, using BAN logic, ROR model, and ProVerif tool.

BAN Logic
BAN Logic Rules

Detailed steps
With M sg1 and using the seeing rule, we obtain Using S1, R1, and A2, we obtain Using S2, under the assumption of A3 and nonce verification postulate R2, S3 can be obtained.

ROR Model
The well-known real-or-random (ROR) model [44] was used to demonstrate that PSAP-WSN is provably secure. The ROR model has been widely used in numerous studies. The PSAP-WSN has three entities: U i , GWN, and S j . In the proof, we define where H x u , H y G , and H z s denote the x-th U i , y-th GWN, and z-th S j , respectively. In addition, A as an attacker can perform the following operations:

Test(O):
During the execution of the game, a coin C is flipped to determine what A receives when it tries to obtain SK. If C equals 1, the correct session key is returned; if it equals 0, a string with the same length as the session key is returned.
Theorem 1: Let $Adv_A^{P}$ denote the advantage of A in obtaining the SK established between the communicators. Let $q_h$ and $q_s$ represent the number of Hash and Send queries, respectively, and let $|H|$ and $|B|$ represent the size of the range of the hash function and the size of the user password dictionary, respectively. Then the advantage of A in cracking SK satisfies $Adv_A^{P} \le q_h^2/|H| + 2q_s/|B|$.

Security proof
Proof: To prove Theorem 1, four games $Game_i$ ($i = 0, 1, 2, 3$) were created. The event that A wins $Game_i$ is denoted $Adv_A^{Game_i}$, and the probability of A winning the game is $\Pr[Adv_A^{Game_i}]$.

$Game_0$: In the first game, A does not perform any operation except for selecting bit $b$; therefore, the result of A against the protocol is $Adv_A^{P} = |2Adv_A^{Game_0} - 1|$.

$Game_1$: In the second game, A performs the eavesdropping operations. A can intercept and eavesdrop on the information $\{M_1, MUID_i, CUID_i, K_{UG}, T_1\}$ and $\{N, K_{SG}, K_{SU}, T_3\}$ transmitted between communicators through a public channel. However, if A wants to obtain SK between the two communication parties by executing the Test operation, it must also know the random numbers $R_u$ and $R_s$ because $SK = h(R_u \| R_s)$. Therefore, even if A executes the Execute operation, the probability of obtaining the session key is the same as in $Game_0$. Hence, $\Pr[Adv_A^{Game_0}] = \Pr[Adv_A^{Game_1}]$.

$Game_2$: The Send operation and Hash query were added to the previous game. During the execution of the game, $M_2$, $K_{UG}$, and $K_{SG}$ are protected by a hash function. If A wants to obtain SK, A must crack the hash function; however, A cannot do so because of the collision resistance of the hash function. Thus, from the birthday paradox, $\Pr[Adv_A^{Game_2} - Adv_A^{Game_1}] \le q_h^2/2|H|$.

$Game_3$: During the operation of this game, A attempts to guess $UID_i$. In addition, A attempts to crack SK between $U_i$ and $S_j$ by intercepting the messages transmitted by the communicators through a public channel. However, the random number $R_u$ can only be obtained using $U_i$'s password, because $R_u = UA_i \oplus M_1 \oplus UID_i \oplus MUPW_i$. In the proposed protocol, A can only send a limited number of Send requests to crack SK. Thus,

$\Pr[Adv_A^{Game_3} - Adv_A^{Game_2}] \le q_s/|B|$.

After executing the above four games, A can only win the game by guessing the correct bit $b$; thus,

Subsequently, we obtain
$Adv_A^{P} \le q_h^2/|H| + 2q_s/|B|$. Therefore, it is proven that Theorem 1 is valid.

ProVerif
To further verify the security of the proposed PSAP-WSN, a well-known verification tool called ProVerif [45,46] was used. In this simulation, we define ch as a public channel and sch as a secure channel. SKi and SKj represent the session keys established by the user and the sensor node, respectively. In addition, PR and KG represent the gateway's private and master keys, respectively. The simulation contained five events: UserStarted(), UserAuthed(), GatewayAcUser(), SjAcGateway(), and UserAcSj(). The defined parameters and function codes are presented in detail in Fig. 5.

Security Requirement Analysis
Next, it is demonstrated that PSAP-WSN is secure against the following attacks.

Sensor Node Capture Attack
Because a sensor node is unattended, A can easily obtain it and analyze its internal parameters. Assume A obtains $SUID_j$ and $UA_j$ after capturing $S_j$. To obtain SK, A must know $R_u$ and $R_s$ simultaneously. $R_u$ can be obtained through $(R_u \| R_g) = h(SUID_j \| UA_j \| T_2) \oplus M_2$, where $T_2$ and $M_2$ are submitted via a public channel. However, $R_s$ is a temporary random number; therefore, PSAP-WSN can resist this attack.
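The gateway-to-sensor leg discussed above, as an added Python example that is not the authors' code: it builds $M_2$, lets $S_j$ unmask it and answer with $K_{SG}$, and shows which values the sensor's stored $SUID_j$ and $UA_j$ expose from public traffic. SHA-256 for h(·), 16-byte random numbers, the 5-second freshness window, all function names and the sample values are assumptions; the $N = ENC_{PU}(R_s)$ public-key step is left out.

```python
import hashlib, hmac, secrets

R_LEN = 16      # bytes per random number, so R_u||R_g fits one SHA-256 output (assumption)
MAX_SKEW = 5    # freshness window in seconds (assumption; the page gives no value)

def h(*parts: bytes) -> bytes:
    """h(x||y||...) with SHA-256 standing in for the page's one-way hash (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")  # fixed-width timestamp encoding (assumption)

def gwn_build_m2(r_u, r_g, suid_j, ua_j, t2):
    """GWN side: M_2 = (R_u||R_g) XOR h(SUID_j||UA_j||T_2)."""
    return xor(r_u + r_g, h(suid_j, ua_j, ts(t2)))

def unmask_m2(m2, suid_j, ua_j, t2):
    """(R_u||R_g) = h(SUID_j||UA_j||T_2) XOR M_2; works for any holder of SUID_j and UA_j."""
    block = xor(m2, h(suid_j, ua_j, ts(t2)))
    return block[:R_LEN], block[R_LEN:]

def sensor_respond(m2, suid_j, ua_j, t2, now):
    """S_j side: check T_2 freshness, unmask M_2, pick R_s, compute K_SG and SK."""
    if abs(now - t2) > MAX_SKEW:
        raise ValueError("stale T_2")
    r_u, r_g = unmask_m2(m2, suid_j, ua_j, t2)
    r_s, t3 = secrets.token_bytes(R_LEN), now
    k_sg = h(r_s, r_g, suid_j, ua_j, ts(t3))
    # On the wire R_s travels as N = ENC_PU(R_s); the public-key step is left out here.
    return r_s, t3, k_sg, h(r_u, r_s)

def gwn_verify_k_sg(r_s, k_sg, r_g, suid_j, ua_j, t3, now):
    """GWN side, after R_s = DES_PR(N): freshness of T_3, then constant-time K_SG check."""
    if abs(now - t3) > MAX_SKEW:
        return False
    return hmac.compare_digest(k_sg, h(r_s, r_g, suid_j, ua_j, ts(t3)))

def demo():
    # Constructed sample values, not taken from the paper.
    suid_j, ua_j = b"SUID-0001", secrets.token_bytes(32)
    r_u, r_g, t2 = secrets.token_bytes(R_LEN), secrets.token_bytes(R_LEN), 1_700_000_000
    m2 = gwn_build_m2(r_u, r_g, suid_j, ua_j, t2)
    r_s, t3, k_sg, sk = sensor_respond(m2, suid_j, ua_j, t2, now=t2 + 1)
    return {
        "sk_matches": sk == h(r_u, r_s),
        "gwn_accepts": gwn_verify_k_sg(r_s, k_sg, r_g, suid_j, ua_j, t3, now=t3 + 1),
        "replay_rejected": not gwn_verify_k_sg(r_s, k_sg, r_g, suid_j, ua_j, t3, now=t3 + 60),
        "shifted_t3_rejected": not gwn_verify_k_sg(r_s, k_sg, r_g, suid_j, ua_j, t3 + 50, now=t3 + 51),
        # Captured-sensor view: stored SUID_j, UA_j plus public M_2, T_2 yield R_u and R_g.
        "capture_recovers_ru_rg": unmask_m2(m2, suid_j, ua_j, t2) == (r_u, r_g),
        # A party without UA_j gets unrelated bytes from the same public M_2.
        "wrong_ua_fails": unmask_m2(m2, suid_j, secrets.token_bytes(32), t2) != (r_u, r_g),
    }

if __name__ == "__main__":
    print(demo())
```

The `capture_recovers_ru_rg` result is the exposure the analysis above concedes; deriving SK from it still requires the $R_s$ of the session in question.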

Temporary Information Disclosure Attack
This attack assumes that A can obtain a random number in PSAP-WSN. If $R_u$ is leaked but $UA_i$ and $UID_i$ are not obtained, only $UID_i \oplus UA_i$ can be acquired, and no further operations can be performed. If $R_g$ is leaked but other parameters have not been analyzed, A cannot carry out the next operation. Thus, PSAP-WSN can resist this type of attack.

Impersonation Attack
A can impersonate a user to send messages to GWN, but A cannot generate a request message $\{M_1, MUID_i, CUID_i, K_{UG}\}$. This is because A cannot obtain the user identity, biometrics, and random numbers; thus, PSAP-WSN can resist this attack.

Replay Attack
Suppose A performs a replay attack. When A attempts to send a request $\{M_1, MUID_i, CUID_i, K_{UG}, T_1\}$, GWN verifies the freshness of the timestamp $T_1$. In addition, PSAP-WSN hashes $T_1$ together with $UA_i$, $R_u$, and $UID_i$. For these reasons, it is concluded that PSAP-WSN can resist this attack.

Anonymity and Untraceability
In our design, $UID_i$ is neither transferred nor stored on any device. In addition, one-way hash function processing is performed wherever $UID_i$ is required; therefore, A cannot recover $UID_i$ by analysis. The user parameters $MUID_i$, $UB_i$, and $UC_i$ are updated after each authentication round. A cannot use the current information to infer previously transmitted information and cannot track the user; therefore, the proposed protocol can ensure anonymity and untraceability.

Security Comparisons
The proposed PSAP-WSN was compared with similar protocols. The primary attacks included A1: sensor node capture attack; A2: privileged insider attack; A3: temporary information disclosure attack; A4: impersonation attack; A5: replay attack; and A6: anonymity and untraceability attacks. The results in Table 3 confirm that PSAP-WSN provides sufficient security advantages compared with other protocols.

This section evaluates the performance by experimentally calculating the computation and communication overhead.

Computation Comparisons
The three different types of devices used in the comparisons included the OPPO-R9 mobile phone, MI10-UTAR mobile phone, and ASUS-A456U notebook to represent the user, gateway, and sensor, respectively. The running times of the different functions for each device are listed in Table 4. In our experiment, the running times of symmetric encryption and asymmetric encryption were almost the same. In the experiment mentioned in [47], the running time of $T_R$ (rep operation) is nearly equal to $T_m$. Therefore, this setting was adopted in our experiment. The experimental results are presented in Table 5. As shown in Table 5, the running times of the user, gateway, and sensor node were 15.055, 0.0825, and 0.11 ms, respectively. Although the running time of our design was not always optimal, the overall ranking was relatively high. In addition, the difference was quite small. Most importantly, the protocols that have better running times are vulnerable to attacks. The results are illustrated in Fig. 7.

Conclusions
In this paper, Yu et al.'s protocol was first reviewed and cryptanalyzed, showing that it is vulnerable to sensor node capture attacks and temporary information disclosure attacks. Therefore, the PSAP-WSN protocol was proposed. Subsequently, PSAP-WSN was demonstrated to be provably secure, using BAN logic, the ROR model, and the ProVerif tool. In addition, an adversarial attack was simulated against the proposed PSAP-WSN. The performance evaluation indicates that PSAP-WSN has reasonable communication and computation overhead and is suitable for WSNs.

Funding Statement:
The authors received no specific funding for this study.

Conflicts of Interest:
The authors declare that they have no conflicts of interest to report regarding the present study.