Chien-Ming Chen,Shuangshuang Liu,Shehzad Ashraf Chaudhry,Yeh-Cheng Chen and Muhammad Asghar khan

1College of Computer Science and Engineering,Shandong University of Science and Technology,Qingdao,266590,China

2Department of Computer Engineering,Istanbul Gelisim University,Istanbul,34310,Turkey

3Department of Computer Science,University of California,Davis,CA,95616,USA

4Department of Electrical Engineering,Hamdard University,Islamabad,44000,Pakistan

ABSTRACT With the rise of the Internet of Things(IoT),the word“intelligent medical care”has increasingly become a major vision.Intelligent medicine adopts the most advanced IoT technology to realize the interaction between patients and people,medical institutions,and medical equipment.However,with the openness of network transmission,the security and privacy of information transmission have become a major problem.Recently,Masud et al.proposed a lightweight anonymous user authentication protocol for IoT medical treatment,claiming that their method can resist various attacks.However,through analysis of the protocol,we observed that their protocol cannot effectively resist privileged internal attacks,sensor node capture attacks,and stolen authentication attacks,and their protocol does not have perfect forward security.Therefore,we propose a new protocol to resolve the security vulnerabilities in Masud’s protocol and remove some redundant parameters,so as to make the protocol more compact and secure.In addition,we evaluate the security and performance of the new protocol and prove that the overall performance of the new protocol is better than that of other related protocols.

KEYWORDS IoT; intelligent medical; user authentication

1 Introduction

In the traditional Internet, most of the information exchange and communication took place between computers, where computers operations were manual operations; the traditional Internet realizes the information exchange and communication between people in a certain sense.Now,however, we have forayed into the era of the Internet of Things (IoT)[1,2].The applicability of the new system goes beyond realizing the mutual exchange of information and communication between people, between people and objects, and between objects.The IoT has a wide range of uses, including intelligent transportation, intelligent fire protection, intelligent home, intelligent power grid, intelligent medical, and other aspects.In short, it facilitates the use of the latest IT technology in all walks of life.Specifically, IoT technology embeds sensors into the power grid,buildings, and other objects [3-6].The construction industry is using IoT technology ubiquitously.Architecture is the foundation of a city; the progress of technology promotes the intelligent development of architecture, and intelligent architecture is rapidly gaining people’s attention.The current smart building methods incorporate power lighting and fire monitoring.Sensors are installed on equipment for sensing, transmission, and remote monitoring, which not only saves considerable time but also energy.Among the many applications of the IoT, smart medicine is one of the most promising applications for the future.

The emergence of IoT technology promotes the further development of medical information technology.IoT technology has great potential in the field of medicine and health [7-9].It can better realize diagnoses and facilitate intelligent management of things.Furthermore, it realizes digital processing and sharing of resource information, equipment information, drug information,and personnel information.The use of intelligent medicine is prominent in two fields:digital hospitals and medical wearables.The digital hospital includes a hospital information system,medical image storage system, transmission system, and doctor workstation.Their function is to realize the collection, storage, processing, and transmission of patient information.Digital hospitals enable zero-distance contact with patients.Doctors can conduct long-distance consultation,intelligent medical support resource sharing, and cross-regional optimal allocation.In addition,digital medicine can also monitor the vital signs of patients by deploying sensor nodes, which will automatically send an alarm in case of emergency, which reduces the nursing cost of seriously ill patients.The digital hospital also includes a clinical decision-making system, implying that doctors can analyze patients’symptoms while helping formulate the best and effective treatment plan.In addition, digital medicine provides a remote visitation system.When visitors visit patients, they directly do so through the remote visitation system, which can effectively avoid the direct contact between patients and visitors, eliminate the spread of disease, and shorten the recovery process of patients.

Medical wearable technology [10-12] is the deployment of sensor nodes around the patient,through the sensor nodes collecting information and parameters of the user’s patient and the surrounding environment, sending it through the network to the cloud, and then processing to the user.The digital hospital is an improvement over the traditional hospital; it realizes the digital equipment’s access to electronic medical records and the management of equipment.However,with the introduction of the medical system of the IoT, introducing sensor nodes around the patients to collect information and then transmitting it to remote medical staff is made possible,ensuring the safety of the medical staff.However, the introduction of IoT is bound to involve the transmission of information on the network channel.Due to the universality and openness of the transmission channel, privacy and security of transmitted information have become the main concern of the IoT medical systems.

Fig.1 shows the architecture of communication between three entities in the IoT-based healthcare environment:the doctor (user), IoT devices, and a gateway.All the IoT devices around the patients collect real-time patients’ information and then transmit them to a gateway.An authenticated doctor can access the gateway to obtain effective information from those IoT devices.This means that a gateway can authenticate the identity of doctors.In other words, a gateway is a medium for doctors to communicate with sensors.

Figure 1:System model

In 2012, Chen et al.[13] proposed an efficient and secure dynamic identity authentication protocol for telemedicine information systems, which dynamically authenticates the user’s identity to achieve user anonymity.However, Cao et al.[14] found that the protocol can track users through offline identity guessing attacks.When the user loses possession of a smart card, there is no guarantee of security as Chen’s protocol is also vulnerable to offline password guessing attacks.Therefore, Cao et al.[14] proposed an improved password authentication protocol based on the smart card.In 2015, He et al.[15] proposed a two-factor authentication scheme for wireless medical sensors, which allows medical personnel to access patient information using wireless sensor medical devices.In 2016, Li et al.[16] proposed a network-based electronic medical authentication scheme, which also uses the user’s password and smart card for two-factor authentication.He et al.[17] proposed an authentication protocol that is more suitable for the configuration of telemedicine information systems with low power consumption mobile devices.Wei et al.[18] found that this protocol cannot effectively resist password attacks; they proposed an improved authentication protocol for telemedicine information systems and proved that the protocol meets the security requirements of two-factor authentication.In 2018, Wu et al.[19] proposed a lightweight twofactor medical authentication scheme, and they claimed that their protocol had perfect security;however, after analysis, it was found that their protocol could not effectively resist perfect forward security.Therefore, based on the two-factor authentication protocol, Wazid et al.[20] proposed a three-factor network authentication key scheme, which introduced biological information based on the previous authentication password and smart card.The map area of biological information is mainly completed by a biological extractor.In 2019, Sharma et al.[21] proposed a lightweight user authentication protocol, but Canetti et al.[22] found that their protocol could not effectively resist privilege insider attacks.Recently, Masud et al.[23] proposed a protocol for the security of the IoT medical system.The paper mentioned that their protocol is a lightweight anonymous user authentication protocol.The protocol only uses hash primitives to encrypt the information,which reduces the burden of the processor while resisting replaying attacks, man-in-the-middle attacks, anonymity, and untraceability.However, we find that the protocol mentioned in this paper cannot effectively resist internal privilege attacks, sensor node capture attacks, or stolen verification attacks, and it cannot provide perfect forward security.

In this paper, we first demonstrate that Masud et al.’s protocol [23] is insecure against various kinds of attacks.We then propose a lightweight and robust user authentication protocol for IoTbased healthcare with user anonymity.In our design, we only use a single hash function and successive XOR operations; thus, the proposed protocol retains better performance.Additionally,the proposed protocol has perfect forward security and can effectively resist internal privilege,stolen verification, and sensor node capture attacks.In addition, we delete some redundant parameters in Masud et al.’s protocol [23] to make the entire protocol more concise.Furthermore,we compare the proposed protocol with other related protocols in terms of communication and computation cost.The results show that our design has better performance.Also, we use the real-or-random (ROR)model [24] to further prove that the proposed protocol is indeed secure.

The remainder of this paper is organized as follows.In Section 2, we briefly review Masud et al.’s protocol [23] Section 3 demonstrates that Masud et al.’s protocol [23] is vulnerable to privilege internal attacks, stolen verification attacks, and sensor node capture attacks.The proposed protocol is described in Section 4.Section 5 and Section 6 provide security and performance analyses and comparisons.Finally, Section 7 concludes the paper.

2 Review of Masud et al.’s Protocol

In this section, we briefly describe the protocol [23], which consists of three phases:user registration phase, sensor node registration phase, and login and mutual authentication phase.In the first two phases, user and sensor registration is conducted through the gateway.

2.1 User Registration Phase

(1)The user first selects anDIDand passwordPWD, and then generates a registration requestRreq.Then, the user transmits theDID,PWD, andRreqto the gateway through the secure channel.After the gateway receives the registration request from the user, it generates a random gateway private keyR1SG, calculates

and stores the parametera,R1SGandDIDin memory.Finally, the gateway returns the calculated parameterato the user through the secure channel.

(2)After receiving the parameter from the gateway, the user first calculates the value of the random gateway keyR1SGaccording to the parametera, and then calculates the value of the pseudo-identityDIDaccording to the random private key of the gateway.Secondly,the user encapsulates their password, pseudo-identity, and gateway random private key in parameterB.Finally, the values of user parametersR1SG,DIDandBare stored in their own memory.This completes the user’s entire registration process.

2.2 Sensor Registration Phase

(1)Firstly, the sensor selects its own identitySID, generates a random sensor private keyR1SN,and then transmits the generated parameterSIDandR1SNto the gateway through the secure channel.

(2)After receiving the parametersSID, andR1SN, the gateway first generates a random gateway private keyR2SG, encapsulates the sensor’s identity, random gateway private key, and random sensor private key in the parameterCthroughXoRoperation, and then calculates

Finally, the gateway stores the values of sensor identity, random sensor private key, random gateway private key, and sensor pseudo-identity in the memory.

2.3 Login and Mutual Authentication Phase

(1)First, the user enters the password, then calculates

This is to test whether the value ofQis equal toBstored in the user memory.If these values are equal, the user generates a temporary random numberN1Dand then calculates

Finally, the user transmits parametersN1∗D,DTID,K, andSTIDto the gateway via a common channel.

(2)After receiving the parameter transmitted by the user, the gateway calculates

and verifies the parameter.

After the verification, it calculates

This is done to verify whether it is equal to the parameter value ofK.If it is equal, the gateway generates a temporary random numberN1Gand then calculates

Finally, the gateway transmits the parametersG1W,G2W,DTID,SKs, andG3Wto the sensor through the secure channel.

(3)The sensor receives the parametersG1W,G2W,DTID,SKs, andG3Wfrom the gateway and calculates

and then verifiesN1G.After verification, it calculatesS1Nto verify whetherS1Nis equal to theG2W.If it passes verification, the gateway will obtain the session key

Next, the gateway generates a random numberN1Sand calculates

Then, the sensor updates its identity

Next, the sensor stores the values ofR2SG,R3SG, and.Finally, the sensor sends the values ofS2N,S3N, andS4Nto the gateway through the secure channel.

(4)The gateway calculates

Then verifiesN1Sand then calculates

This verifies whetherG4Wis equal to the received value ofS3N.If yes, the gateway calculates the values ofR2SNand, and then stores the values ofR2SN,R3SG, andin memory.Next, the gateway generates a random numberN2Gand calculates the value ofu,SKu,n,andG5Wand then updates the user pseudo-identity.Finally, it stores the values ofR4SGandand transmits the values of parametersu,SKu,n, andGW5to the user through the common channel.

(5)The user obtains the value ofN2Gby XOR of the receiveduandDIDand then verifies theN2G.Then, the value ofSKandOis computed.Next, the calculated value ofOis compared with the value ofn.If it is equal, the user continues to calculate the value ofR4SGand.Finally, the user stores the values ofR4SGandin the memory.At this point, the entire login authentication process is complete.

3 Cryptanalysis of Masud et al.’s Protocol

In this section, we first introduce the attack model used in this paper and then analyze Masud’s protocol [23] according to the attack model.The protocol cannot effectively resist privileged insider, sensor node capture, and stolen verification attacks, and there are loopholes in the perfect forward secrecy.

3.1 Threat Model

The attack model briefly describes the capabilities ofA, which has been described and discussed in [25,26] earlier.The details are as follows:

1.According to the “Dolev-Yao threat (DY)model” [27] proposed before,Acan intercept and monitor information through the public channel.In addition, the attacker can modify the transmitted information.In other words, the session messages transmitted between the participants in the protocol through the common channel can be obtained and operated byA.Moreover,Acan act as an insider to obtain the information stored in the gateway during the registration phase.

2.Once the sensor is lost and acquired byA,Acan use power analysis [28,29] to operate the sensor.The sensitive information stored in the sensor can easily be obtained byA.In this case, if the attacker has additional capabilities, it is easy to carry out sensor simulation and sensor node capture attacks [30].

3.In most user sensor authentication protocols, users often need to store some parameters in the registration phase for use in the login authentication phase.Usually, this information is stored in the user’s smart card or memory.However, the user’s smart card is often easy to lose.Once the smart card is obtained byA, the attacker can use some parameter information stored in the smart card and combine it with some other parameters to carry out a series of attack operations.

3.2 Perfect Forward Secrecy

A good protocol must comprise the perfect forward secrecy feature [31,32], which ensures that master key leakage will not lead to session key leakage.Forward secrecy can protect past communication from the threat of key exposure in the future.Even in the case of master key leaks, the historical communication still has good security.However, in Masud’s protocol, we found that ifAobtains the value of the sensor’s keyR1SN, it can conveniently obtain the session key between the gateway and sensor.The specific process is as follows:

(1)First,Aobtains the key-valueR1SNgenerated by the sensor.

(2)Second,Aintercepts the parametersSTIDandG1Wthrough the common channel and then calculates

(3)The session key between the sensor and the gateway

Acan obtain the parameterSKsas it transmits from the gateway to the gateway through the public channel.N1Gcan also be calculated through the second step while securingR1SNin the first step.Therefore, once the sensor key is exposed, the session key is obtained.However, there are some security vulnerabilities in the protocol.

3.3 Privilege Insider Attack

Privileged insider attack refers to a process in whichAor the user information administrator obtains some of the user’s basic information and then uses this information to carry out some basic operations, so as to obtain the user key between the medical staff and the sensor node [33].

(1)First,Acan disguise as a privileged insider.In the process of user registration with the gateway,Acan easily obtain the user’s registration informationDIDandPWDstored in the memory.

(2)Second,Aintercepts the messageutransmitted by the gateway to the user through the common channel and calculates

(3)The session keySKcan be obtained.

In the second step, theN2Gis calculated.SKUis transmitted to the user through the common channel in the authentication phase, which can also be obtained byA.ThePWDis obtained byAas an insider.Therefore,Acan obtain the session key between the user and the gateway.To sum up, Masud’s protocol cannot effectively resist a privilege insider attack.

3.4 Stolen Verification Attack

A stolen verification attack implies thatAcan decode the value of the session key on the premise of acquiring the information stored in the gateway memory [34].Masud’s protocol cannot effectively resist the stolen verification attack; the specific attack process is as follows:

(1)First,Aobtains the parameterR1SGstored in the gateway memory during user registration,intercepts the parameterDTIDsent by the user to the gateway through the public channel during authentication, and then calculates

(2)Aobtains the parameterR4SGin the gateway memory during authentication and intercepts the parameterG5Wtransmitted by the common channel and then calculates

(3)Ahas calculated the values ofN2GandPWD, and the parameterSKUtransmitted through the secure channel.The session key

between the user and the gateway.Therefore, this protocol cannot effectively resist the stolen verification attack.

3.5 Sensor Node Capture Attack

The sensor node capture attack refers to the process in which the session key is leaked afterAobtains the sensors [35].Through our analysis, we found that Masud’s protocol cannot resist sensor node capture attacks.

(1)During the registration of the sensor with the gateway, the sensor stores the identitySTID,and keyR1SNin its own memory.However, sensors are likely to be acquired byA.

(2)In the mutual authentication stage of gateway and sensor, the user transmits the parameterSTIDto the gateway through the common channel, and the gateway transmits the parameterG1Wto the sensor through the common channel.Then,Acalculates

(3)Session key between sensor and gateway

OnceAobtains the sensor,Acan obtain the session keys of both parties through a series of operations.

4 Proposed Protocol

We have analyzed Masud’s protocol and listed the detailed attack process.A secure protocol must be able to resist some common attacks.We have improved Masud’s protocol, and the improved protocol can successfully repair the aforementioned security vulnerabilities.In addition,we deleted some redundant symbols in the original protocol to make the entire protocol more concise.Our protocol consists of four parts:pre-deployment phase, user registration phase, sensor registration phase, and login authentication phase.

4.1 Symbol Table

The symbols used in the protocol are shown in Table 1.

Table 1:Notations used in the proposed protocol

4.2 Pre-Deployment Phase

For the pre-deployment phase of users and sensors, the gateway first generates a key-valueRGand then sends the key value to the users and sensors through the secure channel in advance.

4.3 User Registration Phase

Fig.2 illustrates the user registration phase.The detailed steps are as follows:

Figure 2:User registration phase

(1)First, the user selects idIDand passwordPW, and a random numberN1, calculates

and generates a requestRreqfor registration.Finally, the user transmits the information ofRIDandRPWto the gateway through the secure channel.

(2)After receiving the registration request from the user, the gateway calculates

and then generates a random secret valueG1.It then calculates

Finally,A1,A2, andDTIDare stored in the gateway, andA2is transmitted to users through a secure channel.

(3)According to the transmittedA2, calculate

Finally,G1,DTID,DandXis stored in the user’s memory.

4.4 Sensor Registration Phase

Fig.3 illustrates the sensor registration phase.The detailed steps are as follows:

Figure 3:Sensor registration phase

(1)First, users select an identitySIDfor themselves and generate a random key valueS1to calculate

and then the user sendsSID′,S1to the gateway through the secure channel for registration.

(2)After receiving the message from the sensor, the gateway generates a random key valueG2and encrypts the key value to obtain

and encrypts the identity of the sensor to obtain the pseudo-identity of the sensor

It next stores the parametersO,B,STIDin the gateway memory and then sends the parameterOto the sensor through the secure channel.

(3)After the sensor receives the message, it first extracts the value of the gateway’s keyG2,

and then calculates the sensor’s pseudo-identity

Finally, the sensor stores the parameter valueS1andSTIDin the sensor memory.

4.5 Login and Authentication Phase

This section introduces the login and mutual authentication process between the user and the sensor through the gateway in detail as in Fig.4.The following is the detailed description of login and authentication.

Figure 4:Login and authentication phase

(1)Before logging in, the user first enters the account idIDand passwordPW, used in registration.Then, the following is calculated:

Subsequently,D1is verified to check whether it is equal to theDvalue previously stored in the user’s memory.If it is, it implies that it is a login operation by a legal user.After successful login, the user calculates

Finally, the user sends the parameterKandSID′to the gateway through the common channel.

(2)When the gateway receives the parameters from a legitimate user, it needs to determine whether the message sent has been tampered with byA, so it calculates

to compareK′withK, and equality implies that it passes verification.Then, the gateway continues to calculate

SKsis the operation in which the gateway distributes the key to the sensor.Finally, the gateway sends the parameterY1,Y2,STID,SKsto the sensor through the common channel.

(3)The sensor receives the message from the gateway, and first calculates the temporary key valueG1of the gateway according to the values ofSTIDandY1.

then calculates

and compares theS2value sent by the gateway withY′2.If it is equal, thenAhas not tampered the parameters sent by the gateway.Next, the sensor calculates the session key

according to the parameterSKssent by the gateway.Finally, the sensor identity is updated,storing the updated sensor parameter value in memory, and the value of parameterZis sent to the gateway through the common channel.

(4)The gateway receives the parameter from the sensor.First, it checks whetherAintercepted the value of the parameter, calculates

and compares the value ofZ′with that ofZ.If it is equal, it means it passes verification.Next, the gateway obtains the identity value of the updated sensor through the following operation.

Then, it stores the updated sensor identity value in its memory.Next, the gateway allocates the session key and computes

and updates the user’s identity.

The gateway stores the updated user’s identity parameter in the gateway, and sends the value of parameteru,SKu,nto the user through the common channel.

(5)The user should first check the parameter value sent,

If the value ofG′1is equal to the value ofG1previously stored in the user memory, thus passing the verification.Next, the user calculates the session key

between the user and gateway through the value ofSKusent by the gateway.Then, before updating the user’s identity, the following is performed

which is compared with the received value ofn.The parameter is updated if it is equal.

Finally, the updated identity is stored in the user’s memory.

5 Security Analysis

5.1 Formal Proof of the Proposed Protocol

5.1.1 ROR Model

In this section, we use the ROR model [24] to prove the security of the proposed protocol.In the protocol, we define three entities:user, gateway, and sensor node.For this proof, we assume thatUi,Gj, andSzare thei-th user, thej-th gateway, and thez-th sensor node, respectively, and the parameterT={Ui,Gj,Sz}.In the initial stage,Acan perform the following query operations.

Execute(T):By performing this operation,Acan obtain the messages {K}, {Y1,Y2,STID,SKs},{Z}, and {u,SKu,n}transmitted byU,G, andSthrough the common channel.

Send(T,M):By executing this query,Acan transmit informationMtoT.

CorruptDevice(T):After executing this query,Acan get the information stored in theU,GandS′memory.In addition,Acan also get the long-term key in the protocol and the temporary information generated by the participant.

Hash(string):After entering a fixed-length string,Acan get a fixed value after executing the query.

Test(T):In the initial stage,Atosses a coinOwith uniform texture to judge whether the obtained session key is correct.IfO=1, the session key obtained is correct.Otherwise,Aobtains a string with the same length as the session key.

Theorem:For the ROR model, ifAperforms some basic query operations, the probability that it can break the proposed protocolTin polynomial time is

In the formula,frepresents the length of biological information entered by the user in the registration and login stage, andD′andb′represent two constants.

5.1.2 Security Proof

Proof:We defined 6 gamesGM0 toGM5 in the specific proof process, and everyone has different game rules.In the proof process,Succ(GMi)(η)(i=0,1,2,3,4,5)represents the probability of game success under each rule.The specific proof process is as follows:

GM0:In this game,Adoes not perform any query operations, so the probability of it breaking protocolTis:AdvTA(η)=|2Pr[SuccTA(η)−1]|.

GM1:GM1 adds theExecutequery operation on the basis ofGm0.That is,Acan obtain the informationM1,M2,M3 andM4 transmitted through the common channel.Then, it obtains the session keySKthrough theTestoperation, but the random keyS1of theSandGcannot be obtained, so the probability of success ofGM1 is equal to that ofGM0.

GM2:GM2 adds theSendoperation on the basis ofGM1, that is,Acan send information to participants through the public channel.Under Zipf’s law, we can easily obtain

GM3:GM3 addsHashquery on the basis ofGM2.Acan get specific values throughHashoperation.According to the birthday paradox, we get

GM4:In this game, we query theCorruptDeviceto obtain the value of long-term keyRGand the value of temporary informationN1generated byUto verify whether the protocol has perfect forward security and resists temporary information leakage attacks.

Perfect forward secrecy:Aobtains the parameterRGthrough theCorruptDeviceoperation,but it cannot obtain the user’s pseudo identityRID, so the values of parameterA2and the user’s pseudo passwordRPWcannot be obtained.Therefore,Aobtains the long-term key, andRGcannot successfully obtain the session key.

Temporary information leakage attack:Aobtains the temporary informationN1generated byUbut cannot obtain the user’s identityIDand passwordPW.Therefore,Acannot obtain the user’s pseudo passwordRPW.Even ifAobtains the temporary informationN1, it cannot successfully obtain the session key.Therefore, our probability of gettingGM4 is

GM5:Different from theGM4 rule, we query the information stored in the user’s memory throughCorruptDevice, and then prove that the proposed protocol can resist offline password guessing attacks.The probability that it can successfully guess the user password is 1/2, but in Zipf’s law, when the number of transmitted bitsqsend≤106, the probability thatAcan successfully guess the user password is greater than 1/2.Therefore, we get

GM6:InGM6, in order to verify that the protocol we proposed can successfully resist user simulation attacks, unlikeGM5,Aqueries throughHashoperation.Therefore, the probability ofGM6 is

Because the probabilities ofGM6 success and failure are equal,Pr[]=1/2.

From the formula calculated above, we can get

According to the above process, we prove that our proposed protocol can effectively resist user simulation, offline password guessing, and temporary information leakage attacks and has perfect forward security.

5.2 Informal Security Analysis

In this section, we describe how the new protocol can resist several common attacks.The following descriptions further prove the security of our proposed protocol.

5.2.1 Withstands Privileged Insider Attack

In this protocol, we assume thatAdisguises itself as a privileged insider.Therefore,Acan obtain the user’s pseudo-identityRIDand pseudo passwordRPW.However, parameterA2is obtained afterRGencryption.A2=RID⊕RPW⊕G1⊕RG,RGis the long-term key generated by the gateway, which is only transmitted to users and sensors in the pre-deployment phase, so only users, gateways, and sensors know the key value.As a privileged insider,Acannot obtain the long-term key value, and thus cannot obtainA2and the session key between the user and the gateway.

5.2.2 Withstands Sensor Node Capture Attack

IfAcaptures the sensor node informationSTIDandS1, then, althoughAalready knows the parametersSTIDandS1, it must know the long-term keyRGof the gateway to obtain the parameterO.The calculation of the parameterRGmust be participated byG2andB.Bcalculation is obtained by long-term keyRGof the gateway, even if the node information of the sensor is captured, it impossible to obtain the public key between the gateway and the sensor.Therefore, our improved protocol can effectively resist the sensor capture attack.

5.2.3 Withstands Stolen Verification Attack

In a stolen verification attack,Aobtains the message in the gateway memory, andAcan obtain the key of both sides of the session.SupposeAobtains the informationA1,A2,DTIDandRIDin the gateway memory.First, parametersY1andSTIDare transmitted on the common channel so we can obtain the value of parameterG1.According toG1andDTID, we can obtainRID.However, to calculateRPW, we must know the long-term keyRGof a gateway.However,the acquisition ofRGmust be participated byRPW.Therefore,Acannot obtain the session key between the user and the gateway effectively.SupposeAobtains the informationO,B,STIDandSID′in the gateway; then, it can get the parameterG1according to the obtained information, but the session key is also composed ofG2andS1.The sensor’s temporary key valueS1is generated after encryption by the gateway’s temporary keyG2and long-term keyRG, and it is impossible to obtainS1.Therefore,Acannot successfully obtain the public session key between the gateway and the sensor.In conclusion, our new protocol can successfully resist the stolen authentication attack.

5.2.4 Forward Secrecy

Assuming thatAhas obtained the long-term keyRGof the gateway, for the public session key between the user and the gateway,Aneeds to know the parameterA2and the user’s pseudo passwordRPW.However, it does not know the user’s pseudo-identityRID, so it cannot obtain the parametersA2andRPW, so the session key between the user and the gateway can be effectively protected.Second, for the session key between the sensor and the gateway, even ifAobtains the long-term keyRG, the communication between the gateway and the sensor still requiresS1,G2andO.G2needs to be obtained through the pseudo-identity of the sensor, but the pseudo-identity of the sensor cannot be obtained, andOmust be obtained by the participation of the sensor’s temporary key valueS1; therefore,Acannot obtain the session key between the sensor and the gateway.

5.2.5 Provides Anonymity

In the user registration stage, we perform the XOR operation on the user’sIDand the longterm keyRGof the gateway and then encrypt the user’s identity.Subsequently, communication with the gateway occurs through the secure channel.Therefore, it is not easy forAto obtain the identity of legitimate users, so our protocol protects the identity privacy of users.

5.2.6 Withstands Password Guessing Attack

In the user login phase, the system verifies whether the value ofD1is equal to the value ofDstored in the user memory.Aguesses the identity of a legitimate user if it can successfully guess the user’s password.However, the user authentication also needs the participation of the random numberN1generated by the user in the registration phase, soAcannot successfully carry out a password guessing attack.

5.2.7 Withstands Temporary Information Leakage Attack

IfAobtains the randomN1generated by the user in the registration phase but does not know the user’sIDand passwordPW, the user’s pseudo passwordRPWcannot be obtained.However, the session key between the user and the gateway needs the participation of the user’s pseudo passwordRPW.Therefore,Acannot successfully carry out the temporary information leakage attack.

6 Security and Performance Comparisons

In this section, we analyze the security and performance of the new protocol.We compare the new protocol with other related protocols, mainly by comparing the running time, communication cost, and the ability to resist common attacks to show that our proposed protocol has an advantage in security and performance.

6.1 Security Comparisons

In this part, we compare with other related agreements.Finally, other protocols cannot resist all common attacks, but our new protocol can resist all attacks.At present, common network attacks include A1:Identity anonymity of user device, A2:Identity anonymity of IoT sensor node, A3:privileged-insider attack, A4:off-line password guessing attack, A5:Perfect forward secrecy, A6:man-in-the-middle attack, A7:IoT sensor node impersonation attack, A8:Sensor node capture attack, A9:Stolen verification attack.The comparison results are presented in Table 2.A “Yes” implies that the protocol can resist the attack, whereas a “No” means that it cannot.

Table 2:Comparisons of security

6.2 Performance Comparisons

For performance analysis, we use the same conditions to analyze the protocols in different environments.In the analysis process, because XOR and join operations take less time, we only analyze according to the non-collision hash function used in the protocol.The time required for the hash function is 0.00089 Ms.In addition, in the communication process, the number of bits required for the non-collision hash function is 256 bits.

First, we compare the communication cost between the protocol proposed in this paper and the related protocols proposed earlier.Here, we only consider the communication cost of the noncollision hash function.The communication cost of our protocol is 1,792 bits, lower than those of Masud et al.[23] (4,096 bits), Wazid et al.[40] (2,304 bits), Turkanovi et al.[39] (5,120 bits),Farash et al.[38] (5,888), Zhou et al.[37] (6,144 bits), and Challa et al.[36] (3,840 bits).This result can be observed in Fig.5.

Figure 5:Communication cost

Second, we compare the protocols proposed in this paper with regard to time.Here, we only consider the running time of the non-collision hash function.Table 3 shows the number of hash functions required by the user gateway and sensor nodes during the protocol user registration phase, sensor registration phase, and login authentication phase whereHrepresents the hash function.In Table 4, we compare the proposed protocol with those in other related fields.The results show that the time required for our proposed protocol is 0.00623 ms, and for Masud et al.[23], Wazid et al.[40], Turkanovi et al.[39], Sharma et al.[21], Farash et al.[38], Zhou et al.[37], Challa et al.[36], the times are 0.00712, 0.02848, 0.01513, 0.02047, 0.02848, 0.03204, and 0.01068 ms, respectively.It can be seen more intuitively in Fig.6 that the running cost of the protocol proposed by us is better than those proposed in other relevant papers.

Table 3:The computational cost of the proposed protocol

Table 4:Calculation cost comparison

Figure 6:Running time

After comparing our protocol with other related protocols, we can observe that the proposed protocol can effectively resist various attacks, and so we can say that our protocol has perfect security.In addition, our proposed protocol is superior to the existing protocol in terms of communication cost and time running cost.To sum up, the proposed protocol is more suitable for the development of future medical systems and is more convenient and user friendly for future medical staff and patients.

7 Conclusions

This paper improves Masud’s authentication protocol for the medical system.The improved protocol not only resists the common attacks that the existing protocol was unable to but also removes the redundant symbols in the original protocol, reducing the communication cost.In addition, it retains the lightweight advantage of the original protocol.The improved protocol still adopts a single hash and bit-by-bit XOR operation, which reduces the running time.The protocol is secure against privileged internal attacks, stolen verification attacks, and sensor node capture attacks, thus presenting perfect forward security.This protocol is more suitable for the future medical environment.It preserves the security in the medical system as well as the user privacy,while additionally enhancing the system performance.

Funding Statement:The authors received no specific funding for this study.

Conflicts of Interest:The authors declare that they have no conflicts of interest to report regarding the present study.