Design of an anonymity-preserving three-factor authenticated key exchange protocol for wireless sensor networks

•We observed that Farash et al.’s authentication protocol for WSN is susceptible to many security attacks.•The protocol is also unable to preserve user anonymity.•We designed an anonymity preserving authentication scheme for WSN.•We analyze the security of the proposed protocol using AVISPA S/W.•The proposed protocol is secure against active and passive attacks and more efficient than other protocols. Recently, Farash et al. pointed out some security weaknesses of Turkanović et al.’s protocol, which they extended to enhance its security. However, we found some problems with Farash et al.’s protocol, such as a known session-specific temporary information attack, an off-line password-guessing attack using a stolen-smartcard, a new-smartcard-issue attack, and a user-impersonation attack. Additionally, their protocol cannot preserve user-anonymity, and the secret key of the gateway node is insecure. The main intention of this paper is to design an efficient and robust smartcard-based user authentication and session key agreement protocol for wireless sensor networks that use the Internet of Things. We analyze its security, proving that our protocol not only overcomes the weaknesses of Farash et al.’s protocol, but also preserves additional security attributes, such as the identity change and smartcard revocation phases. Moreover, the results of a simulation using AVISPA show that our protocol is secure against active and passive attacks. The security and performance of our work are also compared with a number of related protocols.