APP下载

An End-to-End Authentication Scheme for Healthcare IoT Systems Using WMSN

2021-12-14ShadiNashwan

Computers Materials&Continua 2021年7期

Shadi Nashwan

Department of Computer Science,College of Computer and Information Sciences,Jouf University,Sakaka,42421,Saudi Arabia

Abstract: The healthcare internet of things (IoT) system has dramatically reshaped this important industry sector.This system employs the latest technology of IoT and wireless medical sensor networks to support the reliable connection of patients and healthcare providers.The goal is the remote monitoring of a patient’s physiological data by physicians.Moreover, this system can reduce the number and expenses of healthcare centers, make up for the shortage of healthcare centers in remote areas,enable consultation with expert physicians around the world,and increase the health awareness of communities.The major challenges that affect the rapid deployment and widespread acceptance of such a system are the weaknesses in the authentication process,which should maintain the privacy of patients, and the integrity of remote medical instructions.Current research results indicate the need of a flexible authentication scheme.This study proposes a scheme with enhanced security for healthcare IoT systems, called an end-to-end authentication scheme for healthcare IoT systems,that is,an E2EA.The proposed scheme supports security services such as a strong and flexible authentication process,simultaneous anonymity of the patient and physician,and perfect forward secrecy services.A security analysis based on formal and informal methods demonstrates that the proposed scheme can resist numerous security-related attacks.A comparison with related authentication schemes shows that the proposed scheme is efficient in terms of communication,computation,and storage,and therefore cannot only offer attractive security services but can reasonably be applied to healthcare IoT systems.

Keywords: Healthcare IoT systems; wireless medical sensor networks;mutual authentication service; anonymity service; perfect forward secrecy service; COVID-19

1 Introduction

The main goal of internet of things (IoT) healthcare systems is the remote monitoring of the physiological data of patients by physicians to make their lives safer and more comfortable [1–4].A patient’s physiological data can be collected remotely using specific sensors when the patient is away from a healthcare center, such as electrical activity of the brain, blood pressure, heartbeat,body temperature, blood sugar, pedometer readings, and respiratory signs [5].These sensitive data are transmitted to physicians, who can provide immediate and continuous health advice, especially during an emergency, such as during the coronavirus disease 2019 (COVID-19) pandemic [6].Furthermore, healthcare IoT systems can enable the reduction of the number of healthcare centers and cover shortages in remote areas.Healthcare IoT systems can increase the health awareness of communities at a lower cost.In an IoT healthcare system, communications between service providers and patients can be achieved through the internet [7–10].The communication technology used in most such systems is a wireless medical sensor network (WMSN) [11–13],which enables a reliable wireless connection between provider communication devices and sensor nodes of patients [14,15].

There are two security challenges to the deployment and acceptance of such technology:data privacy of patients and integrity of medical instructions.An unauthorized party could access the sensitive data collected by sensor nodes, with consequences such as loss of jobs or health insurance.

An unauthorized party could modify messages to deliver the wrong order or advice to patients, such as to update the dose pumped by an electronic insulin device [16,17].Unauthorized access to messages transferred between system nodes is the primary source of weakness, and unauthorized access to sensor nodes may lead to inconsistent or fabricated medical reports.Restricted capabilities of the sensor nodes themselves can cause other types of weaknesses.

Many security attacks exploit these weaknesses, such as smartcard loss attacks; patient and physician anonymity attacks; sensor node spoofing; patient and physician impersonation;and replay, insider, desynchronization, and man-in-the-middle attacks [18–30].Therefore, WMSN security requires significant improvement.

1.1 Security Requirements of Healthcare IoT Systems

To determine the security requirements of a healthcare IoT system, authentication must be accomplished through an integral unit.Requirements include the following [18–29].

• A lightweight cryptographic function should be used at the patient node to achieve fast and secure mutual authentication with WMSN nodes;

• Mutual authentication is required not only between WMSN nodes and physician nodes but among all communication nodes using different cryptographic techniques;

• Authentication should detect both random and malicious alterations of authentication messages without effecting the communication data rate;

• With anonymity service becoming increasingly important, authentication should hide identities of physician nodes and all communication nodes;

• Authentication should support perfect forward secrecy for long-term keys of communication nodes such that an unauthorized party cannot disclose previous authentication session keys.

1.2 Architecture of Healthcare IoT Systems

A healthcare IoT system must prevent unauthorized access to sensitive patient data and medical instructions, so a high priority in the design of the authentication scheme should be given for the malicious modifications.We propose a model architecture to monitor patient medical status using WMSN.Fig.1 shows its main components.

Figure 1:The healthcare IoT system architecture using WMSN

WMSN nodes are either sensor or actuator nodes.Sensor nodes can sense the physiological data of patients and send regular data reports to smart devices such as electroencephalogram, heartbeat, pulse rate, pedometer, breathing, vision, glucose level, and temperature sensors [24,30].Actuator nodes receive medical instructions from a physician though a patient’s smart device to carry out actions such as for insulin pumps, drug delivery, and brain and muscle stimulators [13,31].

A patient’s smart device node should be able to store and transmit physiological data captured by sensor nodes, including on-demand and emergency sensor data [20].Sensor nodes periodically send captured data to the smart device, which forwards it directly to the gateway node(GWN) though the internet.Therefore, the smart device must be able to compute the lightweight cryptographic functions to communicate with sensor nodes and GWN node.

The GWN node is the heart of the authentication process, providing registration stages to providers and patient smart devices.It coordinates authentication and key agreement (AKA)execution between all authentication nodes.The physician gathers a patient’s physiological data indirectly from the GWN node to analyze it and monitor the patient’s physical condition.

The physician node is represented by a physician’s monitoring device that collects the physiological data of a patient, either indirectly from the GWN node during periodic monitoring, or directly from the patient’s smart device node during an emergency.The physician can diagnose the medical state of the patient and send medical instructions to actuator nodes for treatment.

WMSN nodes suffer from restrictions such as memory space and computational capability.Moreover, the connection takes place through low frequencies with WMSN nodes.Thus, the communication cost is proportional to the distance between the WMSN node and other nodes in the system.

The proposed architecture eliminates this obstacle.The physician node can connect to WMSN nodes through the patient’s smart device to collect physiological data in an emergency, allowing real-time gathering of data from the patient’s smart device [18].

1.3 Related Work

With increasing demand for healthcare IoT systems, numerous authentication schemes have been proposed to ensure data privacy and integrity of medical instructions.We highlight some schemes proposed for healthcare IoT systems using WMSN.

Kumar et al.[32] proposed an authentication scheme for WMSN to monitor the vital signs of a patient while preventing various security attacks.He et al.[33] claimed that this scheme was vulnerable to attacks such as password guessing, insider attacks, and cannot be achieved the user anonymity service, and suggested an improved scheme.This scheme cannot defeat attacks such as password guessing [34–36].Li et al.[34] improved on this with an authentication scheme for WMSN applications to preserve user anonymity, using smartcard concepts and hash functions.

Das et al.[37] presented a secure and anonymous user authentication scheme based on smartcard concepts for healthcare applications using WMSN.Srinivas et al.[38] pointed out that the scheme of Li et al.[34] was vulnerable to stolen smartcard attack, insider attack, and user impersonation attack, and proposed a scheme claimed to resist all known attacks.Wu et al.[39]identified security weaknesses in the scheme of Srinivas et al.[38], such as offline password guessing attack.

Amin et al.[40] suggested an anonymity and robust mutual authentication scheme they claimed was more robust than other schemes.Ali et al.[41] showed that the scheme suffers from user offline password guessing, identity guessing, user impersonation, insider, and session key attacks.

Shuai et al.[42] noted that Wu et al.[39] and Ali et al.[41] cannot support perfect forward secrecy service nor resist a desynchronization attack, and proposed a scheme for healthcare systems using WMSN to solve these weaknesses.Fotouhi et al.[43] showed that Srinivas et al.[38]cannot support sensor anonymity and untraceability, nor resist an offline guessing attack, and claimed that Wu et al.[39] and Amin et al.[40] cannot support perfect forward secrecy or sensor anonymity and untraceability services.

It can be observed that none of the above schemes supports end-to-end authentication between all communication nodes of a system

1.4 Motivations and Contributions

The healthcare IoT system is especially important in developing countries to achieve economic growth, as it can reduce the number and expense of healthcare centers, and enable patients to consult physicians from around the world.A healthcare IoT system can increase the health awareness of communities, especially during crises such as the COVID-19 pandemic.An authentication scheme by integrate the healthcare IoT system with WMSN technology can make it more secure and widely accepted.

The main contributions of this paper are as follows.An architecture of the healthcare IoT system using WMSN is introduced, including the main authentication nodes and the communication flow.An authentication scheme for healthcare IoT systems using WMSN is proposed.Security verification based on BAN logic is used to verify mutual authentication between nodes.An informal, comparative security analysis shows how the proposed scheme can resist all types of attacks.A comparative performance analysis demonstrates the scheme’s applicability.

1.5 Organization of This Paper

The remainder of this paper is organized as follows.Section 2 describes the proposed authentication scheme.Formal verification using BAN logic and an informal security analysis of the proposed scheme are described in Section 3.A performance analysis is presented in Section 4.We provide our conclusions in Section 5.

2 Proposed Authentication Scheme

An end-to-end authentication scheme for healthcare IoT systems using WMSN is proposed,which is based on the one-way hash function and symmetric cryptographic techniques.

2.1 Preliminaries

We address preliminaries such as scheme structure, notation, assumptions, and design requirements.

2.1.1 Scheme Structure

The proposed scheme has four types of authentication nodes; physician nodes (Pi), GWNs,WMSN nodes the physician must access (Sk), and smart device nodes (SDj).

The scheme has 10 phases:physician node registration, smart device node registration, WMSN node registration, physician login authentication, patient login authentication, patient password change, physician password change, WMSN node authentication, and long- and short-term authentication.

2.1.2 Notation and Abbreviations

Notation and abbreviations are listed in Tab.1.

2.1.3 Assumptions

We list the vulnerability assumptions used in the security analysis of the proposed authentication scheme.

• An adversary can recover the smartcard information of a physician node, and of the patient based on power consumption methods [44,45].

• An adversary can modify, intercept, capture, reroute, and retransmit authentication messages between all communication nodes where communication channels are considered unsecured and unreliable during authentication.

• An adversary can act as a legitimate smart device of a patient or physician node.

• The GWN node is considered a trusted communication node between the smart device of the physician node and the smart device node of the patient.

• Registration phases are accomplished directly through secure and reliable channels with the GWN node.

Table 1:Notation and abbreviations of proposed authentication scheme

2.1.4 Design Requirements

We introduce the security requirements used to design the proposed authentication scheme.

• AKA concepts are utilized in all authentication phases.Therefore, communication nodes will mutually and securely authenticate each other to set up a reliable channel and exchange patient data after each authentication session between WMSN and physician nodes.

• Dynamic anonymity is used in authentication to hide the actual identities of patient’s smart device and physician nodes.Therefore, communication nodes use a different identity in each authentication session, and an adversary cannot track or masquerade patients or service provider workers.

• A robust integrity mechanism is used in all authentication phases to detect modifications in authentication messages exchanged between communication nodes.Hence, an adversary cannot alter these messages.

• Lightweight symmetric cryptography is used in long- and short-term authentication to encrypt and decrypt authentication parameters with high entropy.Thus, an adversary cannot guess these parameters in polynomial time.Consequently, physiological data exchanged between communication nodes remain confidential, and only physician nodes can receive it.

• One-way hash functions are used in long- and short-term authentication to derive the longterm session keys.Therefore, an adversary cannot disclose the current session keys nor disclose previous session keys.

2.2 Proposed Scheme Description

The proposed authentication scheme deploys a set of hash and symmetric cryptographic functions; its steps are described using the notation and abbreviations in Tab.1.

2.2.1 Physician Node Registration Phase

A new physician wanting to access the physiological data collected by the WMSN nodes through the smart device of a patient, whether for periodic monitoring or an emergency, must first register in the GWN node using his/her monitoring device.Fig.2 shows the physician node registration phase, whose steps are as follows.

Figure 2:Physician node registration phase

Step 1:A new physician node (Pi) selects identity number (PIDi), password (PPWi), and security code (PSCi) according to the system specifications.Pigenerates a random number (R0),and computes Ci=h2(PIDi‖PPWi‖R0).Pisends a registration request message {PIDi, Ci, and PSCi} to the GWN node through a secure communication channel.

Step 2:In response to the Pirequest, the GWN node verifies the existence of the identity(PIDi) in the physicians table, which contains the data of physicians that have already registered.If it exists, then the GWN node rejects the registration request message {M1}, and asks Pito select an unrepeated identity (PIDi).Otherwise, the GWN node generates a random number (R1)and secret key (Xi), whose value is saved securely and separately.

Step 3:Pireceives SCiand inserts R0.Piseparately and securely stores the list of patients.

2.2.2 Smart Device Registration Phase

A new patient’s smart device (SDj) receives physiological data from connected WMSN nodes and forwards it to a service provider for periodic monitoring.This device must be registered in the GWN node.Fig.3 shows the smart device registration phase, whose steps are as follows.

Figure 3:Patient’s smart device registration phase

Step 1:A new smart device (SDj) selects an identity number (SIDj), password (SPWj), and security code (SSCj), whose values are formulated according to the system specifications.SDjgenerates a random number (R2) and computes Cj= h2(SIDj‖SPWj‖R2).SDjtransmits the registration request message {M1:SIDj, Cj, and SSCj} to the GWN node through a secure communication channel.

Step 3:SDjreceives SCjand stores R2in SCj.SDjinitiates and securely stores the session counter (C1j=0).

2.2.3 WMSN Node Registration Phase

When a new WMSN node (Sk) is created as a sensor node to sense the physiological data of the patient or an actuator node to receive medical instructions from physician node Pi, the WMSN node must be registered in the patient’s smart device SDj.This is a unique characteristic of the proposed authentication scheme.The stage can prevent the use of the sensor node by someone other than the patient.Fig.4 shows WMSN node registration, which connects Skand SDj.The steps are as follows.

Figure 4:WMSN node registration phase

Step 1:A new Sknode sends a registration request message M1:SIDkto SDjthough a secure communication channel, where the identity value (SIDk) of Skis initiated when created by the healthcare service provider.

Step 2:In response to the Sknode request message {M1}, SDjrandomly generates the session number SNk0=(R4)and initiates sensor sequence numbers SSk0=SSk1=0.SDjadds the Sknode record to the sensor nodes table [SIDk, SSk0, and SNk0].SDjnode securely sends {M2:SSk1,SNk0} to Sk.

Step 3:A new Sknode securely stores [SSk1, SNk0].

2.2.4 Physician Login Authentication Phase

To monitor patients through WMSN services, the physician activates the monitoring device(Pi) by authentication to the smartcard (SCi) obtained from the GWN node during physician node registration.Fig.5 describes the physician login authentication phase between Piand SCi.The main steps can be summarized as follows.

Figure 5:Physician login authentication phase

Step 1:Piinserts (PIDi), (PPWi), and (PSCi) as the login authentication request to the SCi.

Step 2:In response to the Pirequest, SCifetches (R0) and computes Ci=h2(PIDi‖PPWi‖R0),PKi=(PFi⊕PSCi), and XPVi= h1((SNi‖PSCi)⊕(Ci‖PKi)).SCiverifies whether (XPVi)matches (PVi) as stored in its memory by the GWN node.If not, then SCirejects the login request and terminates the session.Otherwise, authentication will pass, and Piis considered a legitimate node and will be used by an authorized physician.SCiinitiates the value of IDi=h1(PIDi‖SNi).

2.2.5 Patient Login Authentication Phase

To use WMSN services, the patient activates his/her smart device (SDj) to authenticate himself/herself to the smartcard (SCj) obtained from the GWN node during smart device registration.Fig.6 describes the patient login authentication phase between SDjand SCj.The main steps are as follows.

Figure 6:Patient login authentication phase

Step 1:SDjinserts (SIDj), (SPWj), and (SSCj) as the login authentication request to SCj.

2.2.6 Smart Device Password Change Phase

This is accomplished between SDjand SCjwhen the patient wants to change a smart device(SDj) password.Fig.7 shows the smart device password change phase between SDjand SCjwithout going back to the GWN node.The patient must execute the following steps:

Figure 7:Smart device password change phase

Step 1:The patient inserts (SIDj), (SPWj), (SSCj), and a new password (∗SPWj) through SDjas the request to change his/her password.

Step 2:SCjcomputes Cj= h2(SIDj‖SPWj‖R2), SKj=(SFj⊕SSCj), and XSVj=h1((SNj‖SSCj)⊕Cj‖SKj)).SCjverifies whether (XSVj) matches (SVj) as stored in its memory by the GWN node.If not, then SCjrejects the request.Otherwise, SCjcomputes∗Cj=h2(SIDj‖∗SPWj‖R2)and a new verification code,∗SVj= h1((SNj‖SSCj)⊕(∗Cj‖SKj)).SCjreplaces the new code with the old one (SVj=∗SVj).

2.2.7 Physician Password Change Phase

This is accomplished between Piand SCiwhen the physician (Pi) wants to change his/her password.Fig.8 shows the details of the physician password change phase between Piand SCiwithout going back to the GWN node.The steps are as follows.

Step 1:The physician inputs (PIDi), (PPWi), (PSCi), and a new password (∗PPWi) though Pito request a password change.

Step 2:SCicomputes Ci= h2(PIDi‖PPWi‖R0), PKi=(PFi⊕PSCi), and XPVi=h1((SNi‖PSCi)⊕(Ci‖PKi)).SCiverifies whether (XPVi) matches (PVi) as stored in memory by the GWN node.If not, SCirejects the request.Otherwise, SCjcomputes∗Ci= h2(PIDi‖ ∗PPWi‖R0), and a new verification code∗PVi= h1((SNi‖PSCi)⊕(∗Ci‖PKi)), and replaces the verification code with the new one(PVi=∗PVi).

Figure 8:Physician password change phase

2.2.8 Long-Term Authentication Phase

A physician can monitor a patient’s medical state by gathering physiological data indirectly from the patient’s smart device through the GWN node.Therefore, the physician, through the monitoring device, must achieve mutual authentication with the GWN node and the patient’s smart device SDj, and to establish the subsequence session key with SDj.Fig.9 shows the long-term authentication phase between the physician’s monitoring device Pi, the patient’s smart device SDj, and the GWN node as a service provider.The following steps are carried out.

Figure 9:Long-term authentication phase

Step 1:Piinitiates the authentication request message through SCiby inserting a patient identity (SIDj).Pigenerates a random number (R5) and computes TPKi=(IDi⊕PKi), where IDiwas computed and PKiextracted during physician login authentication.Picomputes CTi0=ETPKi(TP0‖R5‖SIDj)and Vi0=h3(TP0‖TPKi‖SNi‖IDi‖R5), where TP0is a current timestamp of Pi.Pisends an authentication request message {M1:IDi, CTi0, and Vi0} to the GWN node through a public communication channel.

Step 2:Upon receiving M1 from Pi, the GWN node searches the table of physician nodes to find (IDip) and (IDis) based on IDias received from Pi.One of the following cases will occur [18,26]:

Case 1:(IDiIDip) and (IDiIDis).The GWN node rejects M1 and terminates the session.

Case 2:(IDi=IDip) and (IDis/Φ).The GWN node computes new values for SNi=h0(SNi),PKi= h1(PIDi‖Xi), and TPKi=(IDi⊕PKi).The GWN node computes=DTPKi(CTi0) and checks whether Pican monitor the medical state of SIDj.If not, then the GWN node rejects M1 and terminates the session.Otherwise, the GWN node verifies the value of (TP0).If it does not hold, then the GWN node rejects M1 and terminates the session.Otherwise, the GWN node computes XVi0=h3(TP0‖TPKi‖SNi‖IDi‖R5)to verify whether (XVi0) matches Vi0.If so, then the GWN node renews IDis=IDip, and IDip=h1(IDi‖R5).Otherwise, the GWN node rejects M1 and terminates the session.

Case 3:(IDi= IDip) and (IDis=Φ).The GWN node computes new values for PKi=h1(PIDi‖Xi)and TPKi=(IDi⊕PKi), and computes= DTPKi(CTi0).The GWN node checks whether Pican monitor the medical state of SIDj.If not, then the GWN node rejects M1 and terminates the session.Otherwise, the GWN node verifies the value of (TP0).If it does not hold, then the GWN node rejects M1 and terminates the session.Otherwise, the GWN node computes XVi0=h3(TP0‖TPKi‖SNi‖IDi‖R5)to verify whether XVi0matches Vi0.If so, then the GWN node renews IDis=IDipand IDip=h1(IDi‖R5).Otherwise, the GWN node rejects M1 and terminates the session.

Case 4:IDi=IDis.The GWN node computes PKi=h1(PIDi‖Xi), TPKi=(IDi⊕PKi), and=DTPKi(CTi0), and checks whether Pican monitor the medical status of SIDj.If not, then the GWN node rejects M1 and terminates the session.Otherwise, the GWN node verifies the value of (TP0).If it does not hold, then the GWN node rejects M1 and terminates the session.Otherwise, the GWN node computes XVi0=h3(TP0‖TPKi‖SNi‖IDi‖R5)to verify whether XVi0matches Vi0.If so, then the GWN node renews IDip=h1(IDi‖R5).Otherwise, the GWN node rejects M1 and terminates the session.

Step 3:According to the values of PIDiand SIDjdetermined through M1, the GWN node computes the authentication session key PSij= h2((PIDi⊕Xi)‖(SIDj⊕Xj)‖SQij), where SQijis a sequence number of the current execution for long-term authentication.The GWN node fetches the SDjnode record from the patient table and computes SKj=h1(SIDj‖Xj)and TSKj=(IDj⊕SKj).The GWN node initiates session counter C0j=(C0j+1)and computes the pseudonym identity IDjp= h1(SIDj‖IDjp), SNj= h0(SNj), and IDj= h1(SIDj‖SNj).The GWN node generates random number R6and computes CTj0= ETSKj(TGWN0‖R6‖PSij)and Vj0=h3(TGWN0‖PSij‖IDjp‖SIDj‖R6), where TGWN0is the current timestamp.The GWN node sends an authentication request message {M2:C0j, CTj0, and Vj0} to SDjthrough an unsecure public communication channel.

Step 4:When M2 is received from the GWN node, the SDjnode through the SCjcomputesΔCj=(C0j−C1j).SDjchecks whether 1 ≤ΔCj≤μ2, whereμ2 is assigned based on system requirements.If not, then SDjrejects M2 and terminates the session.Otherwise, it retrieves SNj=(SSCj⊕SN), computes SNj=h0(SNj)function for (ΔCj−1)times until(ΔCj−1)=1.SDjupdates SN=(SSCj⊕SNj), and computes IDj=h1(SIDj‖SNj) and TSKj=(IDj⊕SKj), where SKjwas computed during patient login authentication.SDjcomputes=DTSKj(CTj0).SDjchecks the value of TGWN0.If it does not hold, then SDjrejects M2 and terminates the session.Otherwise, SDjsets IDjs=IDjpand computes IDjs=h1(SIDj‖IDjs)function for(ΔCj−1) times until (ΔCj−1)=1.SDjcomputes XVj0=h3(TGWN0‖PSij‖IDjs‖SIDj‖C0j)to verify whether XVj0matches Vj0.If not, then SDjrejects M2 and terminates the session.Otherwise, SDjbelieves the GWN node is legitimate.SDjgenerates random number R7, and computes CTj1=ETSKj(TSD‖R7‖C1j)and Vj1=h3(TSD‖TSKj‖PSij‖IDjs‖R7), where TSDis the current timestamp of SDj.Then SDjsets C1ij= C0ij, and sends the response authentication message {M3:IDjs, CTj1, and Vj1} to the GWN node through a public communication channel.

Step 5:Upon receiving M3 from SDj, the GWN node fetches TSKjagain to compute=DTSKj(CTj1), where the pseudonym identity IDjs=IDjp.The GWN node verifies the value of TSD.If it does not satisfy, the GWN node rejects M3 and terminates the session.Otherwise, the GWN node computes XVj1=h3(TSD‖TSKj‖PSij‖IDjs‖R7)to verify whether XVj1matches Vj1.If not, then the GWN node rejects M3 and terminates the session.Otherwise,the GWN node believes SDjis legitimate.The GWN node generates random number R8and computes CTi1=ETPKi(R8‖PSij‖TGWN1), where TGWN1is the current timestamp.The GWN node computes Vi1= h3(PIDi‖PSij‖R8‖SNi‖TGWN1), and sends the response authentication message{M4:CTi1, and Vi1} to Pi.

Step 6:When M4 is received from the GWN node, Picomputes=DTPKi(CTi1)and checks the value of TGWN1.If it does not hold, then Pirejects M4 and terminates the session.Otherwise, Picomputes XVi1=h3(PIDi‖PSij‖R8‖SNi‖TGWN1)to verify whether XVi1matches Vi1.If not, then Pirejects M4 and terminates the session.Otherwise, Pibelieves the GWN node is legitimate.Picomputes Vi2=h3(PIDi‖PSij‖R8‖SNi‖(TP1−TGWN1))andVix=((TP1⊕TGWN1)‖Vi2), where TP1is the current timestamp of Pi.Then, Piupdates SNi=h0(SNi)and sets IDi=IDip=h1(IDi‖R5).Pisends an acknowledgment message {M5:IDi,andVix} to the GWN node.

Step 7:Upon receiving M5 from Pi, the GWN node computes TP1=((TP1⊕TGWN1)⊕TGWN1)andΔTP=(TP1−TGWN1), and checks whetherΔTPexceeds the thresholdμ3, which is assigned based on system requirements.If not, then the GWN node resends M4, with a fresh value of TGWN1, to Pi.Otherwise, the GWN node computes XVi2=h3(IDip‖PSij‖R7‖SNi‖ΔTP)to verify whether XVi2matches Vi2.If not, then the GWN node rejects M5 and terminates the session.Otherwise, the GWN node believes Pinode is legitimate, and it updates SNi=h0(SNi),IDis=Φ, and SQij=(SQij+1).

2.2.9 Short-Term Authentication Phase

When a physician wants to monitor a patient’s medical status based on real-time data through a direct communication channel, physiological data must be received from the patient’s smart device without returning to the GWN node.In this case, the physician achieves mutual authentication with the patient’s smart device to prevent unauthorized access to the direct unsecured connection.

Fig.10 shows the short-term authentication phase between the Piand SDjdevices.The following steps are carried out after long-term authentication:

Figure 10:Short-term authentication phase

Step 1:Piinitiates an authentication request message through SCiby inserting a patient identity (SIDj).SCiretrieves the authentication session key (PSij) generated during the last long-term authentication phase with SDjthrough the GWN node.Pigenerates random number R9and initiates a session counter, C0ij=(C0ij+1).Picomputes pseudonym identity ID0ij=h1(SIDj‖ID0ij),PSij= h1(PSij‖ID0ij), CTi2= EPSij(TPi‖R9‖C0ij), and Vi3= h3(TPi‖SIDj‖PSij‖ID0ij‖R9), where TPiis the current timestamp of Pi.Then, Pisends authentication request message {M1:C0ij,CTi2, Vi3} to SDj.

Step 2:Upon receiving M1, SDjcomputesΔCij=(C0ij−C1ij)and checks whether 1 ≤ΔCij≤μ1, whereμ1 is assigned based on system requirements.If not, then SDjrejects M1 and terminates the session.Otherwise, SDjsets ID1ij=ID0ij, computes ID1ij=h1(SIDj‖ID1ij)function for(ΔCij−1) times untilΔCij−1=1.SDjcalculates PSij=h1(PSij‖ID0ij)and=DPSij(CTi2).SDjverifies the value of TPi.If it does not satisfy, then SDjrejects M1 and terminates the session.SDjcomputes XVi3=h3(TPi‖SIDj‖PSij‖ID1ij‖R9)to verify whether XVi3matches Vi3.If not, then SDjrejects M1 and terminates the session.Otherwise, SDjbelieves Piis legitimate.SDjgenerates random number R10and computes CTj2=EPSij(TPj‖R10‖C1ij), where TPjis the current timestamp of SDj.SDjcomputes Vj3=h3(TPj‖SIDj‖PSij‖ID1ij‖R10), sets C1ij= C0ij, and sends the response authentication message M2:ID1ij, CTj2, Vj3to Pi.

Step 3:Upon receiving M2 from SDj, Piretrieves PSij, where the pseudonym identity ID1ij= ID0ij.SDjcomputes= DPSij(CTj2), and Piverifies TPj.If it does not satisfy, then Pirejects M2 and terminates the session.Otherwise, Picomputes XVj3=h3(TPj‖SIDj‖PSij‖ID1ij‖R10) to verify whether XVj3matches Vj3.If not, then Pirejects M2 and terminates the session.Otherwise, Pibelieves SDjis legitimate.

2.2.10 WMSN Node Authentication Phase

To exchange physiological data and medical instructions between smart device SDjand connected WMSN node Sk, mutual authentication between both is achieved in all authentication sessions.Fig.11 shows the WMSN node authentication phase between Skand SDj.The steps are as follows.

Figure 11:WMSN node authentication phase

Step 1:To achieve mutual authentication with Sk, SDjdetermines its identity (SIDk) of Sk.SDjrandomly generates a secret key (SKk), updates SNk0=h1(SNk0‖SIDk), and computes CTk=((SKk‖ST)⊕h2(SNk0‖SIDk‖SSk0)), where the value of ST is used to determine whether SDjneeds to receive physiological data or forward medical instructions.SDjcomputes the pseudonym identity IDk=h1(SKk‖SIDk) and Vk0=h3(ST‖SIDk‖SKk‖SNk0‖SSk0), and renews SSk0=SSk0+1.SDjsends an authentication request message {M1:CTk, Vk0, SSk0} to Skthrough an unsecure communication channel.

Step 2:Upon receiving M1 from SDj, SkcomputesΔSSk= (SSk0−SSk1) and verifies whether 1 ≤ΔSSk≤μ0, whereμ0 is assigned based on the system requirements.If not, then Skrejects M1 and terminates the session.Otherwise, Sksets SNk1=SNk0, computes the SNk1=h1(SNk1‖SIDk)function forΔSSktimes untilΔSSk−1=1.

Skdetermines (SKk‖ST)= CTk⊕h2(SNk0‖SIDk‖SSk0) and computes Vk1= h3(ST‖SIDk‖SKk‖SNk1‖SSk0−1).Skverifies whether Vk1matches Vk0.If not, then Skrejects M1 and terminates the session.Otherwise, SDjis considered a legitimate smart device for Sk.Then Skcomputes SNk0=h1(SNk1‖SIDk), Vk2=h3(ST‖SIDk‖SKk‖SNk0‖SSk0), and IDk=h1(SKk‖SIDk); renews SSk1=SSk0; and computes SNk0=h1(SNk1‖SIDk).Sksends response authentication {M2:IDk,and Vk2} to SDjthrough an unsecure communication channel.

Step 3:When SDjreceives M2 from Sk, SDjcomputes SNk0=h1(SNk0‖SIDk)and Vk3=h3(ST‖SIDk‖SKk‖SNk0‖SSk0), and verifies whether Vk3matches Vk2.If so, then Skis considered a legitimate WMSN node for SDj.Otherwise, SDjrejects M2 and terminates the session.

3 Security Analysis

We discuss the security of the proposed authentication scheme.First, the BAN logic model is used to illustrate the validity of the mutual authentication service and secure session key [39].Further analysis demonstrates that the scheme can resist all common attacks.

3.1 Formal Security Validation Using BAN Logic Model

The BAN logic model is used to validate the freshness, trustfulness and originality of the authentication messages exchanged between authentication nodes [41,42,46].

The login authentication and password change phases are not used frequently, and the registration phases are executed through secure communication channels.We concentrate on the soundness of the long-term, short-term, and WMSN node authentication phases.The basic notation and believing rules of the BAN logic model are summarized in Tabs.2 and 3, respectively.

The lists the authentication phase goals, the idealized form of the authentication messages for the long-term, the short-term and WMSN node authentication phases, and the assumptions used in the verification process for the long-term, short-term, and WMSN node authentication phases are illustrated in Tabs.4–6, respectively.

The physician node (Pi), GWN node (GWN), patient’s smart device (SDj), and sensor node (Sk) are considered the main involved principles in the security verification of the proposed authentication scheme.

In the long-term authentication phase, TPKiand TSKjare the secret keys used to symmetrically encrypt authentication messages, while sets of unrepeated timestamps (TP0, TP1, TGWN0,TGWN1, and TSD) and random numbers (R5, R6, R7, and R8) are used to guarantee the freshness of an authentication session.In the short-term authentication phase, PSijis a secret key used to symmetrically encrypt the authentication messages, while unrepeated timestamps TPi, and TPjand random numbers R9and R10are used to guarantee the freshness of the authentication session.SKkis the secret key used to symmetrically encrypt the authentication messages in the WMSN node authentication phase, while serial numbers SSk0and SSk1are used to guarantee the freshness of authentication sessions.

Table 2:Notation of BAN logic model

Table 3:Rules of BAN logic model

The basic BAN logic rules, idealized form, and assumptions in Tabs.2, 5, and 6 are used to validate the authentication phases.

Table 4:Authentication phase goals

Table 5:Idealized form of authentication phase messages

3.1.1 Validation of Long-Term Authentication Phase

The validation process of the long-term authentication phase can be summarized as follows.

Using (Mesg1), a1 (GWN ◁IDi, CTi0, Vi0:〈(TP0,R5)〉TPKi) can be seen.From (a1),(Assmp9), the belief rule, and the message meaning rule, a2(GWN|≡Pi|~〈(TP0,R5)〉TPKi)can be obtained.Using (Assmp3) and the freshness conjuncatenation rule, a3 (GWN|≡#(〈(TP0,R5)〉TPKi)) can be obtained.Using (a2), (a3), and the nonce verification rule, a4 (GWN|≡Pi|≡〈(TP0,R5)〉TPKi) can be obtained.Therefore, from (a3), (a4), and the session key rule,can be inferred, which represents (Goal1).Using (Assmp3), (a5), and the nonce verification rule, a6can be inferred, which represents (Goal2)as well.

Table 6:Initial assumptions of authentication phases

Similarly, using (Mesg2), b1 (SDj◁C0j,CTj0,Vj0:〈(TGWN0,R6)〉TSKj) can be seen.Therefore,from (b1), (Assmp11), the belief rule, and the message meaning rule, b2 (SDj|≡GWN|~〈(TGWN0,R6)〉TSKj) can be obtained.Next, using (Assmp6) and the freshness conjuncatenation rule,b3 (SDj|≡#(〈(TGWN0,R6)〉TSKj)) can be obtained.Then, using (b2), (b3), and the nonce verification rule, b4 (SDj|≡GWN|≡〈(TGWN0,R6)〉TSKj) can be obtained.Therefore, from (b3), (b4),and the session key rule, b5 (SDj|≡SDjSK↔GWN) can be inferred, which represents (Goal3).Using(Assmp6), (b5), and the nonce verification rule, b6 (SDj|≡GWN|≡can be inferred,which represents (Goal4) as well.

Similarly, using (Mesg3), then c1 (GWN ◁IDjs,CTj1,Vj1:〈(TSD,R7)〉TSKj) can be seen.So, from (c1), (Assmp10), the belief rule, and the message meaning rule, c2 (GWN|≡SDj|~〈(TSD,R7)〉TSKj) can be obtained.Next, using (Assmp3) and the freshness conjuncatenation rule, c3 (GWN|≡#(〈(TSD,R7)〉TSKj)) can be obtained.Then, using (c2), (c3), and the nonce verification rule, c4 (GWN|≡SDj|≡〈(TSD,R7)〉TSKj) can be obtained.Therefore, from (c3), (c4),and the session key rule, c5 (GWN|≡GWNSDj) can be inferred, which represents (Goal5).Using (Assmp3), (c5), and the nonce verification rule, c6 (GWN|≡SDj|≡GWNSDj) can be inferred, which represents (Goal6) as well.

Finally, using (Mesg4), d1 (Pi◁CTi1,Vi1:〈(R8,TGWN1)〉TPKi) can be seen.Thus, from(d1), (Assmp8), the belief rule, and the message meaning rule, d2 (Pi|≡GWN|~〈(R8,TGWN1)〉TPKi) can be obtained.Next, using (Assmp1) and the freshness conjuncatenation rule,d3 (Pi|≡#(〈(R8,TGWN1)〉TPKi)) can be obtained.Then, using (d2), (d3), and the nonce verification rule, d4 (Pi|≡GWN|≡〈(R8,TGWN1)〉TPKi) can be obtained.Therefore, from (d3), (d4), and the session key rule, d5 (Pi|≡PiGWN) can be inferred, which represents (Goal7).Also, using(Assmp1), (d5), and the nonce verification rule, d6 (Pi|≡GWN|≡PiGWN)can be inferred,which represents (Goal8).

The goals of the long-term authentication phase using the BAN logic model are proved.Therefore, mutual authentication can be achieved between the communication principles throughout this phase.

3.1.2 Validation of Short-Term Authentication Phase

The steps in the validation of the short-term authentication phase can be summarized as follows.

Using (Mesg5), e1 (SDj◁C0ij,CTi2,Vi3:〈(TPi,R9)〉PSij) can be seen.So, from (e1),(Assmp17), the belief rule, and the message meaning rule, e2 (SDj|≡Pi|~〈(TPi,R9)〉PSij) can be obtained.Next, using (Assmp14) and the freshness conjuncatenation rule, e3 (SDj|≡#(〈(TPi,R9)〉PSij)) can be obtained.Then, using (e2), (e3), and the nonce verification rule, e4 (SDj|≡Pi|≡〈(TPi,R9)〉PSij) can be obtained.Therefore, from (e3), (e4), and the session key rule,e5 (SDj|≡SDjPi) can be inferred, which represents (Goal9).Using (Assmp14), (e5), and the nonce verification rule, e6 (SDj|≡Pi|≡SDjSPi) can be inferred, which represents (Goal10)as well.

Similarly, using (Mesg6), f1 (Pi◁ID1ij,CTj2,Vj3:〈(TPj,R10)〉PSij) can be seen.Thus,from (f1), (Assmp16), the belief rule, and the message meaning rule, f2 (Pi|≡SDj|~〈(TPj,R10)〉PSij) can be obtained.Next, using (Assmp13) and the freshness conjuncatenation rule,f3 (Pi|≡#(〈(TPj,R10)〉PSij)) can be obtained.Then, using (f2), (f3), and the nonce verification rule, f4 (Pi|≡SDj|≡〈(TPj,R10)〉PSij) can be obtained.Therefore, from (f3), (f4), and the session key rule, f5 (Pi|≡PiSDj) can be inferred, which represents (Goal11).Also, using(Assmp13), (f5), and the nonce verification rule, f6 (Pi|≡SDj|≡PiSDj) can be inferred, which represents (Goal12).

The goals of the short-term authentication phase using the BAN logic model are proved.Therefore, mutual authentication can be achieved between the communication principles throughout this phase.

3.1.3 Validation of WMSN Node Authentication Phase

The validation process of the WMSN node authentication phase can be summarized as follows.

Using (Mesg7), g1 (Sk◁CTk,Vk0,SSk0:〈SSk0,SKk〉h1(SNk0‖SIDk)) can be seen.So, from(g1), (Assmp22), the belief rule, and the message meaning rule, g2 (Sk|≡SDj|~〈(SSk0,SKk)〉h1(SNk0‖SIDk)) can be obtained.Next, using (Assmp19) and the freshness conjuncatenation rule, e3 (Sk|≡#(〈(SSk0,SKk)〉h1(SNk0‖SIDk))) can be obtained.Using (g2), (g3), and the nonce verification rule, e4 (Sk|≡SDj|≡〈(SSk0,SKk)〉h1(SNk0‖SIDk)) can be obtained.Therefore, from(g3), (g4), and the session key rule, g5 (Sk|≡SkSDj) can be inferred, which represents (Goal13).Using (Assmp19), (g5), and the nonce verification rule, g6 (Sk|≡SDj|≡SkSDj) can be inferred,which represents (Goal14).

Similarly, using (Mesg8), q1 (SDj◁IDk,Vk2:〈SSk0,SKk〉h1(SNk0‖SIDk)) can be seen.So,from (g1), (Assmp21), the belief rule, and the message meaning rule, q2 (SDj|≡Sk|~〈(SSk0,SKk)〉h1(SNk0‖SIDk)) can be obtained.Next, using (Assmp17) and the freshness conjuncatenation rule,q3 (SDj|≡#(〈(SSk0,SKk)〉h1(SNk0‖SIDk))) can be obtained.Using (q2), (q3), and the nonce verification rule, e4 (SDj|≡Sk|≡〈(SSk0,SKk)〉h1(SNk0‖SIDk)) can be obtained.Therefore, from(q3), (q4), and the session key rule, q5 (SDj|≡SDjSk) can be inferred, which represents(Goal15).Also, using (Assmp17), (q5), and the nonce verification rule, q6 (SDj|≡Sk|≡SDjSk)can be inferred, which represents (Goal16).

The goals of the WMSN node authentication phase using the BAN logic model are proved,and mutual authentication can be achieved between the communication principles throughout this phase.

3.2 Further Informal Security Analysis

When authentication is performed via unsecured public communication channels between authentication nodes, an adversary can capture, intercept, alternate, trace, impersonate, and retransmit authentication messages over these channels.We show how the proposed authentication scheme can prevent common attacks in such an environment.Comparisons with related authentication schemes are also presented.

3.2.1 Session and Key Agreement

To achieve session and key agreement, communication nodes should be able to securely create and agree on one or more session keys.After that, communication nodes can use different security techniques based on the session keys to establish secure communication.In the proposed authentication scheme, the (TPKi), (TSKj), and (PSij) keys are created in the long-term authentication phase, and the (SKk) key is created during WMSN node authentication.

Piand the GWN node can create TPKi=(IDi⊕PKi) to achieve mutual authentication.(TPKi) is changed according to renewal of the value of (IDi) by performing IDi=h1(IDi‖R5) on both sides for each authentication session.But (PKi) cannot be extracted without inserting (PSCi)on the Piside.(PKi) is computed on the GWN side as PKi=h1(PIDi‖Xi), where (Xi) is known only to the GWN node.

Similarly, (TSKj) is established by SDjand the GWN node as TSKj=(IDj⊕SKj) to achieve mutual authentication.(TSKj) is changed according to the renewal of (IDj) as IDj=h1(IDj‖SNj)on both sides for each authentication session.But (SKj) cannot be extracted without inserting the security code (SSCj) on the SDjside.(SKi) is computed by the GWN node side as SKj=h1(SIDj‖Xj), where (Xj) is known only to the GWN node.

The session key is generated by the GWN node aswhere the sequence number of the current authentication session (SQij) is incremented when a new authentication session is executed between the authentication nodes.(PSij) is exchanged between Piand SDjas encrypted messages through the GWN node, where Piand SDjverify the extracted value of (PSij) using the verification codes (Vi1) and (Vj0), respectively.

The (SKk) key is created randomly by SDjto achieve mutual authentication with Sk.This key can be retrieved by Skas SNk1=h1(SNk1‖SIDk), where (SNk1) is changed according to the renewed value of (ΔSSk) in each authentication session between them.

Therefore, session and key agreement service can be securely supported by the proposed authentication scheme, where the adversary can determine no session keys, either in the longterm phase or during WMSN node authentication phase.It should be noted that when long-term authentication is executed one time, short-term authentication may be executed (Cij) times.Thus the (PSij) key may be used (Cij) times more than the (TPKi), and (TSKj) keys in the optimal case.

3.2.2 Mutual Authentication Service

Mutual authentication is considered an essential security service in most secure communication schemes, regardless of the system environment.Therefore, communication nodes should be able to authenticate each other to achieve trusted communication [34–43].The proposed authentication scheme can support fully mutual authentication between all communication nodes through the long- and short-term authentication phases as well as through WMSN node authentication phase.

In the long-term authentication phase, the GWN node is considered the trusted node between Piand SDj.Therefore, explicit mutual authentication can be achieved between communication nodes as follows.Piand the GWN node can prove each other’s authenticity by exchanging M2 and M4 based on symmetric encryption using the shared key (TPKi).

M1:When the GWN node receives this message from Pi, it decrypts (CTi0) to extract the authentication parameters (TP0), (R5), and (SIDj), then computes the verification code function XVi0=h3(TP0‖TPKi‖SNi‖IDi‖R5), where the secret shared values (SNi) and (IDi) are changed in each authentication session.The GWN node checks the following conditions during this procedure:whether Pihas permission to monitor the medical state of patient SIDj; if (TP0) is a fresh value; and if the received (Vi0) value matches (XVi0).If these conditions are met, then the GWN node can ensure that this message has been transmitted from a legitimate Pi.

M4:When Pireceives this message from the GWN node, Pidecrypts CTi1to extract the authentication parameters (TGWN1), (R8), and (PSij), and computes the verification code function XVi1=h3(PIDi‖PSij‖R8‖SNi‖TGWN1), where the secret shared values (SNi) and (PSij) are changed in each authentication session.Pichecks the following conditions during this procedure:whether (TGWN1) is a fresh value; and whether the received Vi1matches XVi1.If these conditions are met, then Piensures that this message has been transmitted from a trusted GWN node.

Similarly, SDjand the GWN node can prove each other’s authenticity by exchanging M2 and M3 based on symmetric encryption using the shared key TSKj, and the synchronized one-way hash function based on serial numbers C0ijand C1ij.

M2:When SDjreceives this message from the GWN node, it computesΔCj=(C0j−C1j) to compute the shared key (TSKj); decrypts CTj0to extract the authentication parameters (TGWN0), (R6), and (PSij); and computes the pseudonym identity function(ΔCj−1) times as IDjp= h1(SIDj‖IDjp).SDjcomputes the verification code function XVj0=h3(TGWN0‖PSij‖IDjs‖SIDj‖C0j), where the secret shared values (IDjp) and (PSij) are changed in each authentication session.SDjchecks whether 1 ≤ΔCj≤μ2, TGWN0is a fresh value, and the received Vj0matches XVj0.If these conditions are met, then SDjcan ensure that this message has been transmitted from a trusted GWN node.

M3:When the GWN node receives this message from SDj, it decrypts CTj1to extract authentication parameters (TSD), (R7), and (C1j).It computes the verification code function XVj1=h3(TSD‖TSKj‖PSij‖IDjs‖R7), where the secret shared values (TSKj) and (IDjs) are changed in each authentication session.The GWN node checks whether TSDis a fresh value, and the received Vj1matches XVj1.If these conditions are met, then the GWN node can ensure that this message has been transmitted from a legitimate SDj.

When mutual authentication is achieved between Piand the GWN node and between the GWN node and SDj, the GWN node is considered a trusted node for both Piand SDj.Then,mutual authentication has been achieved indirectly between Piand SDjthrough the GWN node after long-term authentication.

Piand SDjcan authenticate each other during short-term authentication by exchanging M1 and M2.This phase is based on the symmetric encryption method using the shared key (PSij), and the synchronized one-way hash function method based on two serial numbers (C0ij) and (C1ij) as described in the following:

M1:When SDjreceives this message from Pi, SDjcomputesΔCij= (C0ij−C1ij); decrypts CTi2to extract the authentication parameters (TPi), (R9), and (C0ij); and computes the verification code function XVi3=h3(TPi‖SIDj‖PSij‖ID1ij‖R9), where the secret shared value (ID1ij) is changed in each authentication session.SDjchecks whether TPiis a fresh value, 1 ≤ΔCij≤μ1,and the received Vj1matches XVj1.If these conditions are met, then SDjcan ensure that this message has been transmitted from a legitimate Pi.

M2:When SDjreceives this message from Pi, SDjdecrypts CTi2to extract the authentication parameters (TPi), (R9), and (C0ij); determinesΔCij=(C0ij−C1ij); computes ID1ij=h1(SIDj‖ID1ij) function for (ΔCij−1) times; and computes the verification code function XVi3=h3(TPi‖SIDj‖PSij‖ID1ij‖R9), where the secret shared value (ID1ij) is changed in each authentication session.SDjchecks whether TPiis a fresh value, 1 ≤ΔCij≤μ1, and the received Vj1matches XVj1.If these conditions are met, then SDjcan ensure that this message has been transmitted from a legitimate Pi.

Therefore, mutual authentication can be achieved between Piand SDjthrough the exchange of M1 and M2 when short-term authentication is executed Cijtimes.

Skand SDjcan authenticate each other during WMSN node authentication by exchanging M1 and M2.This is based on the synchronized one-way hash function based on serial numbers SSk0and SSk1, as follows.

M1:When Skreceives this message from SDj, SkfindsΔSSk=(SSk0−SSk1), computes SNk1= h1(SNk1‖SIDk) forΔSSktimes, and computes (SKk‖ST)= CTk⊕h2(SKk‖SIDk‖SSk0)and verification code function Vk1=h3(ST‖SIDk‖SKk‖SNk1‖SSk0−1).SDjchecks whether 1 ≤ΔSSk≤μ0), and whether the received Vk0matches Vk1.If these conditions are met, then Skcan ensure that this message has been transmitted from a legitimate SDj.

M2:When SDjreceives this message from Sk, SDjcomputes Vk3=h3(ST‖SIDk‖SKk‖SNk0‖SSk0) and SDjnode checks whether Vk3matches Vk2as received from Sk.If so, then Skis considered a legitimate WMSN node.Therefore, Piand Skcan achieve mutual authentication through the exchange of M1 and M2.

3.2.3 Anonymity and Untraceability Service

To support user anonymity and untraceability, a user’s real identity should be protected to prevent an unauthorized node from realizing the user identity and from recognizing who communicates with whom [18,25,26,43].

The proposed authentication scheme hides the actual identities of the physician (PIDi), patient(SIDj), and WMSN node (SIDk) during authentication.During long- and short-term authentication, neither Pinor SDjuses its actual identity.Also, the actual identity of Skis not used during WMSN node authentication.

In long-term authentication, Picomputes a pseudonym identity (IDi) to achieve mutual authentication with the GWN node.IDiis initiated as IDi= h1(PIDi‖SNi) during physician login authentication, where PIDiis inserted by the physician.After that, Piand the GWN node synchronously renew IDi=h1(IDi‖R5), where the random number R5is generated in each authentication session.

Similarly, SDjcomputes a new pseudonym identity (IDj) to achieve mutual authentication with the GWN node.IDjis initiated as IDj= h1(SIDj‖SNj), where SIDjis inserted by the patient.SDjand the GWN node synchronously renew IDj=h1(SIDj‖SNj) based on a refresh session number that is renewed using the one-way hash function as SNj= h0(SNj) in each authentication session.

In short-term authentication, Piand SDjuse new pseudonym identities for each session.On the Piside, a new identity for SDjis computed as ID0ij=h1(SIDj‖ID0ij).On the SDjside, its identity is computed as ID1ij=h1(SIDj‖ID1ij).It should be noted that to synchronize the values of (ID1ij) and (ID0ij), SDjexecutes the one-way hash function (ΔCij−1) times, where (ΔCij) is changed in each session.

In WMSN node authentication, a new pseudonym identity for Skis used in each session.SDjand Skcan compute IDk=h1(SKk‖SIDk), where (SKk) is changed in each session.

Therefore, the proposed authentication scheme can support full anonymity and untraceability service during all phases.

3.2.4 Perfect Forward Secrecy Service

To achieve forward secrecy, encryption and session keys are generated to ensure that past communication channels cannot be recovered even if the long-term secret keys are disclosed [18,25,26,42,43].

To ensure that the proposed authentication scheme can support forward secrecy, we consider the following scenarios.

Scenario 1:Suppose the (TPKi), (TSKj), and (PSij) keys of the current authentication session have been disclosed during long-term authentication.The (TPKi) and (TSKj) keys are updated according to the fresh pseudonym identities for Piand SDjcomputed as IDi=h1(IDi‖R5) and IDj= h1(IDj‖SNj), respectively.PSijis updated by the GWN node as PSij=h2((PIDi⊕Xi)‖(SIDj⊕Xj)‖SQij) based on a fresh sequence number (SQij).Since the session keys used in this phase are updated after each successful authentication session, the secrecy of previous and future communications will not be affected.

Scenario 2:Suppose an adversary discloses the (PSij) key of the current session during shortterm authentication.The (PSij) key is updated in each authentication session according to the fresh pseudonym identity for SDj, which is computed as ID0ij=h1(SIDj‖ID0ij).As a result, the secrecy of previous and future communications will not be affected.

Scenario 3:Suppose the (SKk) key of the current authentication session is disclosed to an adversary during WMSN node authentication.The (SKk) key is generated randomly in each authentication session by SDj.Thus, the secrecy of previous and future communications will not be affected.

Based on the above, the proposed authentication scheme can support forward secrecy during all authentication phases.

3.2.5 Attacks Resistance Analysis

We illustrate how the proposed authentication scheme can prevent related and common attacks of such an environment according to previously mentioned vulnerability assumptions.

Desynchronization Attack

The most commonly used techniques to achieve user anonymity and perfect forward secrecy are the pseudonym identity, timestamp, encryption, and hashing techniques.Authentication schemes mostly renew the user identity and generate a new session key to be used in subsequent authentication sessions.The incorrect use of such techniques can lead to a desynchronization attack [18,26,42,43].Therefore, synchronization between communication nodes in terms of identities and session keys is critical.The proposed authentication scheme can preserve synchronization between communication nodes in each authentication session.It should be noted that the desynchronization attack may be able to temporarily suspend the proposed authentication scheme but cannot impact resuming the authentication sessions in future.

Replay Attack

Authentication schemes usually deal with replay attacks using current timestamps, sequence or serial numbers, random numbers, and nonce values [18,26], which can generally prevent the reuse of authentication request messages gained by eavesdropping.Therefore, these methods can maintain the freshness of exchanged authentication messages between nodes.The proposed authentication scheme employs a set of timestamps, random numbers, and serial numbers as part of all challenge-and-response messages.

To ensure the proposed authentication scheme can resist the replay attack, consider the following attack scenarios.

Scenario 1:Suppose an adversary resends the authentication request message {M1:IDi,CTi0,Vi0} to the GWN node, which was sent during long-term authentication.The GWN node will reject the authentication request and terminate the session because the value of (TP0) is out of range.

Scenario 2:Suppose an adversary resends the authentication request message {M2:C0j,CTj0,Vj0} to SDj, which was sent during long-term authentication.SDjwill reject the authentication request and terminate the session because the value of (ΔCj) may be out of the system requirement, and the value of (TGWN0) out of the range.

Scenario 3:Suppose an adversary resends the short-term authentication request message{M1:C0ij,CTi2,Vi3} to SDj, which was sent during short-term authentication.In response, SDjwill reject the authentication request and terminate the session because the value of (ΔCij) may be out of the system requirement, and the value of (TPi) out of range.

Scenario 4:Suppose an adversary resends the request authentication message {M1:CTk,Vk0,SSk0} to Sk, which was sent during WMSN node authentication.In response, Skwill reject the authentication request and terminate the session because the value of (ΔSSk) may be out of the system requirement, and the value of (TPi) out of range.

The values of timestamps and serial numbers are used in all authentication messages, and are updated after each successful authentication session.In the previous attack scenarios, the proposed authentication scheme could resist a replay attack during authentication.

Smartcard Loss Attack

It has been pointed out that an adversary can uncover the two authentication factors (identity and password) of the user from a stolen smartcard based on a power analysis attack or an offline procedure within polynomial time [18,26,44,45].Therefore, this attack should be considered when designing an authentication scheme using smartcards.

The proposed authentication scheme is based on three authentication factors (identity, password, and secret security code).It should be noted that the secret security code may be computed by imprinting a biometric method (e.g., fingerprint, iris scan, or face recognition) using the smart devices of the physician and patient.The proposed authentication scheme employs a set of parameters and one-way hash functions to prevent such an attack.

It is useful to consider the following attack scenarios to ensure that the proposed authentication scheme can resist a smartcard loss attack using a fuzzy verifier [26].

Scenario 1:Suppose an adversary steals a physician’s smartcard (SCi) and finds the data [SNi,PFi,PVi], where SNi= h0(R1), PKi= h1(PIDi‖Xi), PFi=(PKi⊕PSCi), PVi=h1((SNi‖PSCi)⊕(Ci‖PKi)), and Ci= h2(PIDi‖PPWi‖R0).The adversary cannot retrieve and guess the correct values of (PIDi) and (PPWi), not even of (PSCi), since there is an imperial address space of candidates for (PIDi), (PPWi), and (PSCi), which can be calculated by(|PIDi|×|PPWi|×|PSCi|)/1024, where |PIDi|, |PPWi|, and |PSCi|are the address spaces of the physician’s identity, password, and security code, respectively.

Scenario 2:Suppose an adversary steals a patient’s smartcard (SCj) and finds the data[SN,SFj,SVj], where SNj=h0(R3), SN=(SSCj⊕SNj), SKj=h1(SIDj‖Xj), SFj=(SKj⊕SSCj),SVj=h1((SNj‖SSCj)⊕(Cj‖SKj)), and Cj=h2(SIDj‖SPWj‖R2).Similar to the previous scenario,the adversary cannot retrieve and guess the correct value of (SIDj) or (SSCj), not even (SSCj),since there is an imperial address space of candidates for (SIDj), (SPWj), and (SSCj), which can be calculated by (|SIDj|×|SPWj|×|SSCj|)/1024, where |SIDj|, |SPWj|, and |SSCj| are the address spaces of the patient’s identity, password, and security code, respectively.

The proposed authentication scheme can resist attacks on both the physician’s side and patient’s side.

Impersonation Attack

An adversary can generally intercept and forge authentication request messages transmitted through public channels to impersonate a communication node in the system.The adversary uses previously collected information to generate valid authentication parameters and initiate an illegal authentication request.Under the proposed authentication scheme, authentication request messages include infeasible authentication parameters that cannot be generated by the adversary.We consider the following attack scenarios to ensure the proposed scheme can resist an impersonation attack.

Scenario 1:Suppose an adversary intercepts the authentication request message {M1:IDi,CTi0,Vi0}that has been sent to the GWN node to impersonate Piduring long-term authentication.The encrypted value (CTi0) is infeasible because the adversary does not know the secret keys(TPKi), nor the current (SNi) value.Thus, the adversary cannot compute (Vi0) using different(TP0), (SNi), and (R5), and therefore cannot impersonate Pi.

Scenario 2:Suppose an adversary intercepts the authentication request message {M2:C0j,CTj0,Vj0}that has been sent to SDjto impersonate the GWN node during long-term authentication.The encrypted value of (CTj0) is infeasible because the adversary does not know the secret keys (TSKj), nor the value of (SIDj).Thus, the adversary cannot compute (Vj0) using different(PSij), (TGWN0), and (R6), and therefore cannot impersonate the GWN node.

Scenario 3:Suppose an adversary intercepts the short-term authentication request message{M1:C0ij,CTi2,Vi3} that has been sent to SDjto impersonate Piduring short-term authentication.The encrypted value of (CTi2) is infeasible because the adversary does not know the secret keys (PSij), nor the value of (SIDj).Thus, the adversary cannot compute (Vi3) using different(TPi), (ID0ij), and (R9).Therefore, the adversary cannot impersonate Pi.

Scenario 4:Suppose an adversary intercepts the request authentication message {M1:CTk,Vk0,SSk0}that has been sent to the Sknode to impersonate the SDjnode when the WMSN node authentication phase has been executed.However, the values of (SNk0) and (CTk) are infeasible because the adversary does not know (SIDk).Thus, the adversary cannot compute (Vk0) using different (SKk) and (SNk0), and therefore cannot impersonate SDj.

The proposed authentication scheme can resist attacks when the adversary tries to impersonate the physician, GWN, and patient nodes.

Man-in-the-Middle Attack

Through the man-in-the-middle attack, an adversary can intercept and forge an authentication message transmitted through public channels to control the connection between communication nodes in the system.The adversary resends these authentication messages to make the nodes believe they are connected directly through forged authentication messages.

In the proposed authentication scheme, challenge and response messages exchanged between communication nodes are protected throughout all authentication phases.The long-term authentication phase uses (TPKi) and (TSKj) as secret keys to protect M1, M2, M3, M4, and M5, and(ΔCj) is used to guarantee synchronization between connection sides.The secret key (PSij) is used in short-term authentication to protect M1 and M2, and (ΔCij) is used to guarantee synchronization between connection sides.The secret key (SKk) is used in WMSN node authentication to protect M1 and M2, and (ΔSSk) is used to guarantee synchronization between connection sides.The proposed authentication scheme can resist the man-in-the-middle attack when the adversary tries to intercept and forge authentication requests and response messages to control the connection between communication nodes.

Wrong Login Attack

Wrong login detection is considered fundamental to user login authentication.This not only can prevent a wrong login attack but can save needless computation and communication costs that can affect network congestion.When a smartcard receives the wrong login authentication data,the proposed authentication scheme provides a detection mechanism to prevent such an attack at the beginning of the physician or patient login authentication phases without unnecessary computation.

When SCireceives the wrong login information, whether in (PIDi), (PPWi), or (PSCi) at the physician login authentication phase, SCifetches (R0) and computes Ci= h2(PIDi‖PPWi‖R0),PKi=(PFi⊕PSCi)and verification code XPVi= h1((SNi‖PSCi)⊕(Ci‖PKi)).SCiverifies whether (XPVi) matches (PVi) as stored in its memory.If not, then SCirejects the login request and terminates the session.

Similarly, when SCireceives the wrong login information, whether in (SIDj), (SPWj),or (SSCj), at the patient login authentication phase, SCjfetches (R2) and computes SNj=(SSCj⊕SN), Cj= h2(SIDj‖SPWj‖R2), SKj=(SFj⊕SSCj), and XSVj= h1((SNj‖SSCj)⊕(Cj‖SKj)).SCjverifies whether (XSVj) matches (SVj) as stored in its memory.If not, then SCjterminates the login request and terminates the session.The proposed authentication scheme can resist an unauthorized login attack without extra communication with the GWN node.

Insider Attack

In an insider attack, a gateway administrator or other privileged insider can use registration data to imitate a user through another system gateway.The proposed authentication scheme does not give the chance for privileged insiders to perform such attack, whether through execution of the physician or patient registration phases.

In the physician registration phase, the physician sends a registration request message{PIDi,Ci, and PSCi} to the GWN node.Therefore, an adversary cannot get the physician’s password (PPWi), whose value has been transmitted using the one-way hash function Ci=h2(PIDi‖PPWi‖R0) instead of the clear value.Similarly, a patient sends the registration request message {SIDj, Cj, and SSCj} to the GWN node at the patient registration phase.An adversary cannot get the patient’s password (SPWj), whose value has been transmitted using the oneway hash function Cj= h2(SIDj‖SPWj‖R2) instead of the clear value.Hence, the proposed authentication scheme can resist and avoid an insider attack.

Stolen Password-verifier Table Attack

An adversary can use a stolen password-verifier attack to steal a password from the passwordverifier table stored in the network gateway to impersonate an authorized user and login to the system.Under the proposed authentication scheme, the GWN has no password-verifier table containing a physician’s password (PPWi) or patient’s password (SPWj).Hence, the scheme can resist such an attack.

3.2.6 Security Comparisons

We compare the proposed authentication scheme to other schemes [38–43] in terms of security services and resistance to attacks.The main security issues that distinguish the proposed authentication scheme from the other schemes can be summarized as follows.

Throughout the authentication phases of E2EA, the actual identities of the communication nodes are not used completely, all authentication messages are protected by both symmetric encryption and cryptographic hash functions, and all authentication messages include fresh and nonce values to synchronize the communication nodes.Patients can determine and control the connected sensor nodes with them, and can prevent their sensor nodes from being used by others.

As illustrated in Tab.7, the other schemes [38–43] fail to provide anonymity and untraceability for patients and sensor nodes.Schemes [38–43] cannot support full mutual authentication.The other schemes fail to resist a patient’s smartcard loss attack, patient impersonation attack,sensor node impersonation attack, or wrong patient login attack.Scheme [38] cannot support the physician’s anonymity and untraceability.Schemes [38–41] fail to support perfect forward secrecy,and cannot resist a desynchronization attack.Scheme [40] fails to detect a physician impersonation attack, insider attack, or stolen password-verifier table attack.It should be noted that, compared to the other new authentication schemes [38–43], the proposed authentication scheme can fulfill more security features and can resist all related attacks.

Table 7:Security feature comparisons

4 Performance Analysis

We analyze the performance of the proposed authentication scheme and compare its cost to schemes [38–43] in terms of storage space, communication, and computation.

The storage space cost analysis is performed throughout the registration of physician, smart device, and WMSN nodes.Communication and computation cost analyses are performed for the long-term, short-term, and WMSN node authentication phases.Other phases are not examined,as these are not executed frequently in any of the schemes.

In long-term authentication, a physician node sends an authentication request to the GWN node to obtain permission to monitor the physiological data of a specific patient, and delegates the GWN node to perform mutual authentication with the patient.Since to monitor the physiological data of the patient through the GWN node is expensive in terms of the size of data signaling and access time, the physician and patient obtain the session key to directly authenticate each other (n) times by short-term authentication without going back to the GWN node.The patient executes WMSN node authentication (n+1) times with the connected sensor nodes, as shown in Fig.12.

Figure 12:Timeline of authentication phases in proposed scheme

Figure 13:Timeline of login authentication phase in other proposed authentication schemes

Using the same execution timeline, Figs.12 and 13 show that while the proposed authentication scheme executes long-term authentication (m) times, the other schemes execute login authentication (m×n+m) times.According to an analytic model proposed to find the desired values of (n) [47], the best value satisfies 1 ≤n ≤5.Therefore, in our analysis, we select m and n as 1 and 5, respectively.Thus, login authentication is executed six times in other authentication schemes [38–43] while in the proposed scheme, long-term authentication will be executed once,short-term authentication five times, and WMSN authentication six times.To perform valid comparisons, the sizes of all identities, passwords, security codes, random numbers, sequential numbers, and timestamps are set to 128 bits.The input and output block sizes of symmetric encryption and decryption functions are multiples of 128 bits, and the output of the hash functions is 160 bits.According to experimental results [18], [26], the running time of SHA-1 and AES cryptographic functions are (Th0.00032 s), and (TE/D0.0056 s), respectively.So, we have(Th0.00032 s), and (TE/D0.0056 s).

4.1 Storage Space Cost Analysis

One of the main challenges in such a system is to optimize the storage space costs of sensor nodes and smartcards.To facilitate analysis, the size of embedded hash functions is not considered.

Tab.8 shows the storage space costs of the smartcards and WMSN node in the proposed authentication scheme and schemes [38–43].For the proposed scheme, the storage space costs for the physician’s smartcard {SNi,PFi, and PVi}, patient’s smartcard {SN, SFj, and SVj}, and sensor node {SSk1, SNk0} require(160+128+160)=448 bits,(160+128+160)=448 bits, and(128+128)=256 bits, respectively.

Table 8:Storage space cost analysis

As illustrated in Tab.8, the other authentication schemes [38–43] do not include the patient registration phase, as in the proposed scheme.Results indicate that the proposed scheme has the minimum required storage space whether in the smartcard of the physician or the sensor node.

4.2 Communication Cost Analysis

Communication costs are calculated based on the size of the total bits of the authentication messages that are exchanged between communication nodes during the authentication phases.

The communication costs of the proposed scheme can be summarized as follows.The authentication messages of the long-term authentication phase, {M1:IDi,CTi0, and Vi0}, {M2:C0j,CTj0, and Vj0}, {M3:IDjs,CTj1, and Vj1}, {M4:CTi1, and Vi1}, and {M5:IDi, andVix},require(128+384+160)=672 bits,(128+384+160)=672 bits,(128+384+160)=672 bits,(384 + 160)= 544 bits, and(128 + 160)= 288 bits, respectively.The authentication messages of the short-term authentication phase, {M1:C0ij,CTi2,Vi3} and {M2:ID1ij,CTj2,Vj3}, require(128+384+160)=672 bits and(128+384+160)=672 bits, respectively.Authentication messages of the WMSN authentication phase, {M1:CTk,Vk0,SSk0}and {M2:IDk, and Vk2}, require(160+160+128)=448 bits and(128+160)=288 bits, respectively.

Tab.9 shows the total communication costs for the proposed authentication scheme and schemes [38–43].The results indicate that the proposed scheme has the minimum required communication costs.

Table 9:Communication cost analysis

4.3 Computation Cost Analysis

We compare the proposed scheme with schemes [38–43] in terms of computation costs.These are calculated based on the total execution time of the cryptographic functions in each authentication node.Tab.10 shows the total cryptographic functions in each authentication node.

Table 10:Total cryptographic functions in each authentication node

Tabs.10 and 11 show the computation costs for the proposed authentication scheme as well as for schemes [38–43].The results indicate that the proposed scheme has lower computation costs than authentication schemes [39,41], which use both cryptographic one-way hash functions and symmetric encryption functions.The proposed authentication scheme has higher computation costs than schemes [38,40,42,43], which use only the one-way hash functions.

Table 11:Computation cost analysis

5 Conclusion

We proposed an end-to-end authentication scheme for healthcare IoT systems using WMSN(E2EA) to overcome current security weaknesses and make such systems more widely deployed and accepted.E2EA has appealing security features such as fully mutual authentication, full anonymity, and perfect forward service in all authentication phases.To design the E2EA authentication scheme, a usable architecture model for healthcare systems using WMSN was proposed.The BAN logic model was used to verify the mutual authentication between all nodes during all authentication phases.Throughout several attack scenarios, the security level of the E2EA authentication scheme was shown.Therefore, it cannot only support appealing security features but can resist common attacks such as desynchronization, impersonation, smartcard loss, replay,man-in-the-middle, insider, wrong login information, and password table.Moreover, compared to new state-of-the-art authentication schemes, E2EA authentication has the highest security level.A performance analysis illustrated that E2EA authentication incurs the minimum cost in terms of storage space and communication, and has a suitable level of computation costs compared to the other new authentication schemes.Finally, E2EA is applicable to healthcare IoT systems to remotely monitor a patient’s physiological data.

Acknowledgement:The author expresses his gratitude to all members of the Computer and Information Sciences College at Jouf University for their support.

Funding Statement:The author received no specific funding for this study.

Conficts of Interest:The author declares no conflicts of interest to report regarding the present study.