Description

In 2014, Turkanovic´ et al. applied the Internet of Things (IoT) notion to wireless sensor networks (WSNs) and proposed a user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks with lightweight computational operations. In 2015, Chang et al. find that Turkanovic´ et al.’s scheme possesses two drawbacks that can be overcome with simple modification. After further analyzing Turkanovic´ et al.’s scheme, we find that their scheme suffers from two fatal security flaws. First, user anonymity is not provided as claimed. Second, an attacker can obtain the session key shared between a normal sensor node and the user who has ever connected to a compromised sensor node. In this paper, we explicitly show the found security flaws and propose an improvement by taking the following into consideration: (1) user anonymity, (2) no complex computations, (3) mutual authentication between any two of a gateway node, a sensor node, and the user, (4) user friendly, and (5) ensuring the correctness of the session key earlier.