An IoT notion-based authentication and key agreement scheme ensuring user anonymity for heterogeneous ad hoc wireless sensor networks

In 2014, Turkanović et al. applied the Internet of Things (IoT) notion to wireless sensor networks (WSNs) and proposed a user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks with lightweight computational operations. In 2015, Chang et al. find that Turkanović et al.'s scheme possesses two drawbacks that can be overcome with simple modification. After further analyzing Turkanović et al.'s scheme, we find that their scheme suffers from two fatal security flaws. First, user anonymity is not provided as claimed. Second, an attacker can obtain the session key shared between a normal sensor node and the user who has ever connected to a compromised sensor node. In this paper, we explicitly show the found security flaws and propose an improvement by taking the following into consideration: (1) user anonymity, (2) no complex computations, (3) mutual authentication between any two of a gateway node, a sensor node, and the user, (4) user friendly, and (5) ensuring the correctness of the session key earlier.