Abstract
Wireless medical sensor networks (WMSNs) are used in remote medical service environments to provide patients with convenient healthcare services. In a WMSN environment, patients wear a device that collects their health information and transmits the information via a gateway. Then, doctors make a diagnosis regarding the patient, utilizing the health information. However, this information can be vulnerable to various security attacks because the information is exchanged via an insecure channel. Therefore, a secure authentication scheme is necessary for WMSNs. In 2021, Masud et al. proposed a lightweight and anonymity-preserving user authentication scheme for healthcare environments. We discover that Masud et al.’s scheme is insecure against offline password guessing, user impersonation, and privileged insider attacks. Furthermore, we find that Masud et al.’s scheme cannot ensure user anonymity. To address the security vulnerabilities of Masud et al.’s scheme, we propose a three-factor-based mutual authentication scheme with a physical unclonable function (PUF). The proposed scheme is secure against various security attacks and provides anonymity, perfect forward secrecy, and mutual authentication utilizing biometrics and PUF. To prove the security features of our scheme, we analyze the scheme using informal analysis, Burrows–Abadi–Needham (BAN) logic, the Real-or-Random (RoR) model, and Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation. Furthermore, we estimate our scheme’s security features, computation costs, communication costs, and energy consumption compared with the other related schemes. Consequently, we demonstrate that our scheme is suitable for WMSNs.
Keywords: wireless medical sensor networks, PUF, biometrics, BAN logic, RoR model, AVISPA
1. Introduction
With the development of wireless communication and sensor minimization technology, wireless sensor networks (WSNs) have been widely used in various environments, such as industrial Internet of Things [1], healthcare [2], and smart homes [3]. In particular, the demand for remote healthcare services has been increased due to the COVID-19 pandemic [4]. Remote healthcare services can be realized through wireless medical sensor networks (WMSNs). Generally, WMSNs consist of doctors (users), a gateway, and sensor nodes. Doctors communicate with the gateway to access a patient’s health data through their smart device. The gateway, such as a smart hospital, stores sensitive data and supports smooth wireless communication between doctors and sensor nodes. Sensor nodes are attached to patients and transmit patients’ sensitive health data to doctors through the gateway [5]. Therefore, doctors can perform the diagnosis of patients remotely and patients can receive convenient remote medical services wherever they are.
Although WMSNs can provide convenient medical services to patients, there are several security risks. First of all, each message is exchanged through a public channel; therefore, malicious adversaries can perform security attacks such as replay and man-in-the-middle attacks [6]. In addition, the smart device of a doctor can be stolen and an adversary can attempt to impersonate the doctor using parameters extracted from the device. In addition, the sensor node can be physically captured by an adversary and the adversary can attempt to impersonate the patient using the secret parameter, extracted from the sensor node. If an adversary obtains and modifies the information of patients using the above security attacks, this can have a serious effect on the patient’s health, such as inducing a misdiagnosis by the doctor. Accordingly, secure authentication schemes are necessary to overcome these security vulnerabilities for WMSNs.
In 2021, Masud et al. [7] proposed a lightweight and anonymity-preserving user authentication scheme for IoT-based healthcare environments. They claimed that their scheme is lightweight and prevents various security attacks (e.g., replay, privileged insider, and impersonation attacks). Moreover, they asserted that their scheme can ensure user anonymity and session key agreement. However, we find that Masud et al.’s scheme cannot prevent offline password guessing, user impersonation, and privileged insider attacks. Moreover, we prove that their scheme cannot ensure user anonymity. Their scheme also has a device update problem, where the doctor cannot perform a login process on his own smart device. To overcome these security vulnerabilities of Masud et al.’s scheme, we propose a secure three-factor-based mutual authentication scheme with physical unclonable function (PUF) for WMSNs. In our scheme, we use PUF and fuzzy extractor [8] to enhance the security level. The PUF is a physical circuit that outputs unpredictable random strings, and the fuzzy extractor is a cryptographic algorithm that utilizes the biometrics of users. Therefore, we install the PUF in the sensor node to prevent physical and cloning attacks, and we utilize the fuzzy extractor to overcome offline password guessing attacks. Our scheme also uses hash functions and exclusive-OR operations to ensure real-time communication.
1.1. Research Contributions
The contributions of our paper are as follows.
We review Masud et al.’s scheme and prove that their scheme cannot ensure user anonymity. Moreover, we show that their scheme is vulnerable to offline password, impersonation, and privileged insider attacks and has a device update problem.
We propose a secure three-factor-based mutual authentication scheme to overcome the security vulnerabilities of Masud et al.’s scheme. We use hash functions and exclusive-OR operations to provide real-time communication for WMSNs. We also utilize PUF and fuzzy extractor [8] to prevent physical and offline password guessing attacks, respectively.
We analyze the security features of the proposed scheme using well-known Burrows–Abadi–Needham (BAN) logic [9] and the Real-or-Random (RoR) model [10], which can prove mutual authentication and session key security, respectively. Furthermore, we utilize the Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation tool [11,12] to prove that the proposed scheme has resistance against replay and man-in-the-middle attacks.
We show that our scheme has resistance against various security attacks, such as offline password, impersonation, privileged insider, replay, and man-in-the-middle attacks, using informal analysis. Moreover, the proposed scheme ensures user anonymity, perfect forward secrecy, and mutual authentication.
We estimate the security properties and functionalities, communication costs, computation costs, and energy consumption of our scheme in comparison with existing authentication schemes.
1.2. Organization
In Section 2, we introduce related works for WMSNs. We describe the PUF, fuzzy extractor, adversary model, and system model in Section 3. In Section 4, we describe the detailed procedures of Masud et al.’s scheme. In Section 5, we prove the security vulnerabilities of Masud et al.’s scheme. To overcome these security vulnerabilities, we propose a secure three-factor-based mutual authentication scheme with PUF for WMSNs in Section 6. In Section 7 and Section 8, we analyze the security features of our scheme using formal and informal analyses and estimate the performance of our scheme, respectively. Finally, we conclude and summarize our paper in Section 9.
2. Related Works
In the past several decades, researchers have proposed numerous two-factor-based authentication schemes for WMSNs. In 2012, Kumar et al. [13] proposed an authentication scheme for healthcare applications using a smart card. Their scheme used a symmetric encryption method to establish the session key between the user and the medical sensor node. However, He et al. [14] claimed that Kumar et al.’s scheme is vulnerable to password guessing and privileged insider attacks. As a result, He et al. proposed a robust authentication scheme to overcome these security weaknesses. Unfortunately, Mir et al. [15] demonstrated that [14] cannot prevent offline password guessing and masquerading user attacks. To address the security vulnerabilities of He et al’s scheme [15], they proposed an authentication and key agreement scheme using hash functions and exclusive-OR operations. In 2018, Wu et al. [16] proposed an authentication scheme for personalized healthcare systems. They used a smart device as a factor to protect the privacy of the doctor. However, the above schemes [13,14,15,16] can be vulnerable to smart device theft and offline password guessing attacks because they adopt two-factor-based authentication schemes.
Three-factor-based authentication schemes have been proposed to improve the security level for WMSNs. In 2018, Challa et al. [17] proposed a three-factor-based user authentication and key agreement protocol using bilinear pairings for wireless healthcare sensor networks. Challa et al. employed bilinear pairing and the fuzzy extractor to overcome security vulnerabilities such as smart card theft, offline password guessing, and privileged insider attacks. In 2019, Li et al. [18] proposed a three-factor user authentication protocol based on elliptic curve cryptography (ECC). They claimed that their scheme can resist various security attacks utilizing biometrics verification with error-correcting code and a fuzzy commitment scheme. Shin et al. [19] suggested an authentication and key agreement scheme that can preserve users’ privacy in 5G-integrated IoT environments. In [19], each entity establishes the session key using elliptic curve Diffie–Hellman (ECDH). Furthermore, Ali et al. [20] proposed a biometric-based authentication and access control protocol for WMSNs using ECC. They claimed that their scheme is secure against privileged insider, stolen smart card, and offline password guessing attacks. In 2020, Hsu et al. [21] proposed a three-factor user-controlled single sign-on (UCSSO) scheme for telecare medicine information systems. Their scheme can provide fast authentication and privacy protection using only hash functions and exclusive-OR operations. Although the above schemes [18,19,20,21] can provide lightweight communications to doctors and patients, they cannot prevent sensor node physical and cloning attacks.
Recently, PUF-based authentication schemes have been proposed to prevent physical attacks. In 2017, Aman et al. [22] suggested a mutual authentication scheme using PUF in IoT systems. They claimed that their scheme is secure against IoT device cloning attacks because PUF is employed on each IoT device. Byun [23] proposed an end-to-end key exchange scheme using PUF. This scheme utilized PUF-embedded devices and the fuzzy extractor to ensure mutual authentication between two devices. In 2020, Fang et al. [24] proposed a PUF-based data transmission scheme for IoT environments. They proved that their scheme can prevent various attacks, such as DoS, eavesdropping, impersonation, and cloning attacks, using PUF. In 2021, Chen et al. [25] suggested an efficient mutual authentication and key agreement scheme using PUF and biometrics for wireless sensor network environments. To reduce the storage overhead of the user, Chen et al. [25] eliminated the password during the login phase.
In 2021, Masud et al. [7] proposed a lightweight user authentication scheme for IoT-based healthcare. They asserted that their scheme can protect against impersonation attacks and replay attacks and provide data privacy and anonymity. However, we discover that their scheme is vulnerable to several security issues, such as offline password guessing, user impersonation, and privileged insider attacks. We also find that their scheme cannot ensure user anonymity. Therefore, we propose a three-factor-based mutual authentication scheme using PUF to prevent various security weaknesses such as user anonymity, smart device theft, offline password, privileged insider, and cloning attacks, which are critical for WMSNs.
3. Preliminaries
In this section, we introduce the general system model and the adversary model for WMSNs. Then, we describe PUF and the fuzzy extractor, which can improve the security level of our scheme.
3.1. System Model
Figure 1 shows the general system model of a WMSN, which consists of doctors, a gateway, and sensor nodes. Details are as follows.
Figure 1.
The general system model of WMSNs.
Doctor (user): The doctor, who has a resource-constrained smart device, authenticates with the gateway to access patients’ health reports. To communicate with sensor nodes, the doctor must register with the gateway.
Gateway: The gateway, which is the smart hospital, communicates with doctors and sensor nodes to provide efficient and convenient remote services to patients. We assume that the gateway is a trusted party and has enough storage and computing power.
Sensor node: The sensor node is a resource-constrained device attached to the patient in the form of a wearable device. The sensor node collects the patient’s health information and sends it to the doctor through the gateway.
3.2. Adversary Model
In our paper, we assume that an adversary can eavesdrop, insert, remove, and modify messages transmitted through a public channel according to a well-known adversary model, the Dolev–Yao (DY) model [26]. Moreover, we use the Canetti–Krawczyk (CK) adversary model [27]. In this model, an adversary can access ephemeral parameters or the master key of the gateway. With the CK and DY adversary models, we assume that an adversary can perform various attacks. Details are as below.
An adversary can steal a doctor’s smart device and obtain the secret parameter, extracted from the smart device using a power analysis attack [28].
An adversary can be a privileged insider who can obtain the user’s registration message.
An adversary can obtain the patient’s sensor node and perform a cloning attack.
An adversary can perform various attacks, such as man-in-the-middle, password guessing, and stolen verifier attacks [29].
3.3. Physical Unclonable Function
Physical unclonable functions (PUFs) are physical circuits that operate as a one-way function. In the PUF circuit, there is an input–output bit string pair called the “challenge–response pair”. If a random bit string challenge is entered into the PUF circuit, a unique output response is printed out. In this paper, we express this process as , where C and R are a challenge and a response, respectively. Ideal PUF properties are as below.
The PUF is an unclonable circuit.
The PUF is a unique physical microstructure. The output of the PUF depends on the physical circuit.
The output of the PUF has to be unpredictable.
The circuit of the PUF is easy to estimate and implement.
Since a PUF has the properties of a one-way function, the PUF returns the same response when the same challenge is input into a PUF-installed device. Moreover, the PUF gives different responses when the same challenge is input into different devices. Therefore, the PUF can provide a unique one-way function that cannot be duplicated. This uniqueness enables the PUF to prevent various attacks, such as physical and cloning attacks.
3.4. Fuzzy Extractor
In this section, we explain the basic concept and direction of the fuzzy extractor [8]. When a user utilizes his biometrics or the PUF response string, we cannot ensure the accuracy due to the noise of external environmental factors. The fuzzy extractor can control the noise using the helper string. Therefore, we can use the biometric information and the PUF response string as a secret parameter using the fuzzy extractor. The fuzzy extractor consists of “generate ()” and “reproduce ()” algorithms. Details are as follows.
: This is a probability algorithm to generate a secret string . If a user inputs a random string , the fuzzy extractor generates the secret parameter and a helper string .
: This is a deterministic algorithm to reproduce the secret string . If a user enters the random string , the fuzzy extractor controls the noise of using the helper string and reproduces the secret string .
4. Review of Masud et al.’s Scheme
In 2021, Masud et al. [7] proposed a lightweight and anonymity-preserving user authentication scheme for IoT-based healthcare environments. Their scheme consists of user registration, sensor node registration, and mutual authentication and key agreement phases. Notations and descriptions are explained in Table 1.
Table 1.
Notations and descriptions.
Notation | Description |
---|---|
Identity of the doctor and the sensor node | |
Password of the doctor | |
Biometric template of the doctor | |
s | Master key of the gateway |
Registration request message | |
Random number generated by the gateway and the sensor node | |
Temporary identity of the doctor and the sensor node | |
Random nonce generated by device of the doctor, the gateway, and the sensor node | |
Challenge and response pair | |
Session key | |
Physical unclonable function | |
Hash function | |
Concatenation operator | |
⊕ | Exclusive-OR operator |
4.1. User Registration Phase
A doctor must register in the gateway to use this network system. We show the user registration phase of Masud et al.’s scheme as follows.
Step 1: The doctor inputs an identity and password , and generates a registration request message . Then, the doctor sends to the gateway through a secure channel.
Step 2: The gateway stores and , and then generates to compute and . The gateway stores in its secure database and sends to the doctor via a secure channel.
Step 3: The doctor computes and , and stores in his device. Then, the doctor computes and stores .
4.2. Sensor Node Registration Phase
To transmit the health information of a patient, the sensor node must register with the gateway. We describe the sensor node registration phase as below.
Step 1: The sensor node generates , and sends to the gateway via a secure channel, where is the real identity of the sensor node.
Step 2: The gateway generates and computes and . Then, the gateway stores in its secure database and transmits to the sensor node through a secure channel.
Step 3: When the sensor node receives , it computes and . Finally, the sensor node stores in its memory.
4.3. Mutual Authentication and Key Agreement Phase
In this phase, the doctor and the sensor node conduct a mutual authentication and key agreement phase to authenticate each other and establish a session key. Figure 2 shows the mutual authentication and key agreement phase of Masud et al.’s scheme and details are as follows.
Figure 2.
Mutual authentication and key agreement phase of Masud et al.’s scheme.
Step 1: When the doctor inputs his own password , the smart device of the doctor computes and verifies . If it is correct, the smart device generates a random nonce and computes and . Then, the doctor sends to the gateway via a public channel.
Step 2: The gateway receives and computes . If is a fresh random nonce, the gateway checks the validity of and , and computes . After verifying the equation , the gateway generates and computes , , , and , where is a session key. Then, the gateway sends to the sensor node through a public channel.
Step 3: The sensor node computes and checks the freshness of . After this, the sensor node computes and checks the equality of and . If it is equal, the sensor node generates and computes , , , , , and . Finally, the sensor node stores and transmits to the gateway.
Step 4: When the gateway receives from the sensor node, the gateway computes and verifies the freshness of . Then, the gateway computes and checks . If it is equal, the gateway computes and and stores in its database. The gateway generates a random nonce and computes , , , , and . Lastly, the gateway stores in its secure database and sends a message to the smart device of the doctor.
Step 5: After receiving from the gateway, the doctor computes and checks the freshness of . Then, the smart device computes the session key and , and verifies . If it is equal, the smart device computes and , and stores in its memory.
5. Cryptanalysis of Masud et al.’s Scheme
If an adversary obtains a legitimate user’s smart device, can extract the information from the smart device using a power analysis attack [28], according to Section 3.2. With this information, can perform various security attacks, such as offline password guessing, user impersonation, and privileged insider attacks. Furthermore, Masud et al.’s scheme does not ensure user anonymity and has a device update problem when signing in for the next session. Details are shown as below.
5.1. User Anonymity
An adversary obtains the smart device of a doctor and extracts using power analysis attack. Then, calculates , where is the real identity of the doctor. Therefore, Masud et al.’s scheme cannot ensure user anonymity.
5.2. Offline Password Guessing Attack
An offline password guessing attack has a purpose of obtaining the valid password for a user using a password dictionary in polynomial time. Thus, an adversary needs some information about the user in order to check whether the guessed password is correct or not. In Masud et al.’s scheme, can verify the correctness of the guessed password using the information extracted from the smart device of the doctor. We describe the procedures as follows.
Step 1: The adversary inputs a guessed password and calculates .
Step 2: compares , where is a parameter extracted from the smart device of the doctor. If it is equal, it means that has guessed the password correctly.
Thus, Masud et al.’s scheme is vulnerable to offline password guessing attacks.
5.3. User Impersonation Attack
The adversary can obtain the real identity and the password of the doctor, according to Section 5.1 and Section 5.2. Then, can impersonate the doctor with this information. We describe the steps as follows.
Step 1: generates a random nonce and computes and . Then, sends to the gateway.
Step 2: After receiving from the adversary , the gateway retrieves and checks the freshness of . If it is found to be fresh, the gateway verifies and from its database. Then, the gateway computes and compares . If the equation is correct, the gateway generates a random nonce and computes , , and . Finally, the gateway sends to the sensor node.
Step 3: The sensor node receives and retrieves . If is a fresh random nonce, the sensor node computes and compares . The sensor node generates a random nonce and computes , , , , and . The sensor node sends and stores .
Step 4: The gateway receives the message and retrieves . If is a fresh random nonce, the gateway computes and checks . The gateway computes and , and stores . After this, the gateway generates a random nonce and computes , , , and . Lastly, the gateway stores and sends to .
Step 5: computes and verifies the freshness of . Then, computes and , and compares . Finally, computes and , and stores these parameters .
Therefore, Masud et al.’s scheme cannot prevent an impersonation attack.
5.4. Privileged Insider Attack
A privileged insider attack can be performed by an insider adversary that has unquestioned authority within the system. Therefore, the privileged insider can obtain various information about users, including registration request messages, and may attempt to calculate the session key or impersonate a legal user.
In Masud et al.’s scheme, a privileged insider adversary can impersonate a legitimate doctor after obtaining a registration request message and the secret parameter extracted from the smart device of the doctor. generates a random nonce and computes and . Then, sends a message . The gateway and the sensor node authenticate each other and return a message to . Lastly, calculates and the session key . Thus, Masud et al.’s scheme is insecure against privileged insider attacks.
5.5. Device Update Problem
The smart device replaces with at the end of the authentication and key agreement phase. After this, the doctor may try to authenticate another sensor node that is attached to a patient in other session. However, the doctor cannot perform the login phase. If the doctor inputs a password , the smart device computes and verifies . Since , the login phase is aborted. Therefore, Masud et al.’s scheme has a device update problem.
6. Proposed Scheme
Although Masud et al.’s scheme has efficiency for WMSNs, their scheme has several security vulnerabilities. To address these security weaknesses, we propose a secure three-factor-based mutual authentication and key agreement scheme using PUF. Our scheme consists of initialization, user registration, sensor node registration, mutual authentication and key agreement, and password change phases.
6.1. Initialization Phase
Before starting the registration phase, the gateway inserts an identity and a challenge into the sensor node. Figure 3 shows the initialization of our scheme and detailed steps are as follows.
Figure 3.
Initialization phase of the proposed scheme.
Step 1: The gateway selects an identity , a challenge , and sends to the sensor node via a secure channel.
Step 2: The sensor node stores in the memory.
6.2. User Registration Phase
A doctor must register in the network to provide a convenient remote medical service to patients. We show the sensor node registration phase in Figure 4 and detailed steps are as follows.
Figure 4.
User registration phase of the proposed scheme.
Step 1: A doctor inputs an identity , a password , and biometric template to the smart device. Then, the smart device generates a registration request message and computes and , where is a fuzzy extractor generation function. The doctor sends to the gateway via a secure channel.
Step 2: After receiving from the doctor, the gateway generates random numbers and , and computes , , , and . The gateway stores in the secure database, and sends to the doctor via a secure channel.
Step 3: The doctor computes and , and stores in the memory.
6.3. Sensor Node Registration Phase
A patient must register in the network using a sensor node in order to receive remote medical services from the doctor. In Figure 5, we show the sensor node registration phase of our scheme and details are as below.
Figure 5.
Sensor node registration phase of the proposed scheme.
Step 1: The sensor node retrieves the challenge stored in the memory and computes , , and . Then, the sensor node sends to the gateway through a secure channel.
Step 2: The gateway generates and computes , . After this, the gateway stores in its secure database and sends to the sensor node via a secure channel.
Step 3: Finally, the sensor node deletes the challenge and stores in its memory.
6.4. Mutual Authentication and Key Agreement Phase
The doctor sends a login request message to the gateway and establishes a session key among the doctor, the gateway, and the sensor node. After this, the doctor can perform an accurate diagnosis of the patient. We describe the mutual authentication and key agreement phase in Figure 6 and details are as follows.
Figure 6.
Mutual authentication and key agreement phase of the proposed scheme.
Step 1: The doctor inputs the identity , the password , and imprints the biometrics . Then, the smart device computes , , and , and verifies . If it is correct, the smart device generates a random nonce and computes , , , and . The smart device sends to the gateway through a public channel.
Step 2: When the gateway receives the message from the doctor, the gateway checks the pseudo identity and retrieves in the database. Then, the gateway computes , , and . If is correct, the gateway generates a random nonce and retrieves . The gateway computes , , , and . After this, the gateway transmits to the sensor node via a public channel.
Step 3: The sensor node computes , , , , , and . If the equation is correct, the sensor node generates a random nonce and computes a new pseudo identity , a session key , , and . Lastly, the sensor node sends to the gateway through a public channel and updates to .
Step 4: After receiving from the sensor node, the gateway computes , the session key , the new pseudo identity of the sensor node , and . If the equation is correct, the gateway computes a new pseudo identity of the doctor , , and . Then, the gateway sends to the doctor and updates to .
Step 5: The doctor computes , , , and and verifies . If it is correct, the doctor replaces with in the smart device.
6.5. Password Change Phase
In our scheme, we provide a convenient password update process for the doctor. Detailed steps are as follows.
Step 1: A doctor inputs , , and to the smart device.
Step 2: The smart device computes , , and and verifies . If the equation is correct, the smart device demands a new password from the doctor.
Step 3: The doctor inputs a new password to the smart device.
Step 4: The smart device computes , , , and and updates to .
7. Security Analysis
To prove the security features of the proposed scheme, we use BAN logic and the RoR model, which can prove the mutual authentication properties and session key security, respectively. Moreover, we show that our scheme has resistance against man-in-the-middle and replay attacks using AVISPA. Furthermore, we claim that the proposed scheme can prevent various security attacks using informal analysis.
7.1. BAN Logic
BAN logic is a well-known formal proof to verify the mutual authentication of a protocol. Therefore, many researchers have used BAN logic to prove the mutual authentication of their schemes [30,31,32,33]. In this section, we prove the mutual authentication of the proposed scheme using BAN logic [9]. The basic notations and descriptions of BAN logic are shown in Table 2.
Table 2.
Notations of BAN logic.
Notation | Description |
---|---|
Principals | |
Statements | |
Session key | |
believes | |
once said | |
controls | |
receives | |
is fresh | |
is encrypted with K | |
and have shared key K |
7.1.1. Rules
The logical rules of BAN logic are as follows.
-
1. Message meaning rule (MMR):
-
2. Nonce verification rule (NVR):
-
3. Jurisdiction rule (JR):
-
4. Belief rule (BR):
-
5. Freshness rule (FR):
7.1.2. Goals
The BAN logic goals of the proposed scheme are as follows. We define the principals , , and as the doctor, the gateway, and the sensor node, respectively.
-
Goal 1:
-
Goal 2:
-
Goal 3:
-
Goal 4:
-
Goal 5:
-
Goal 6:
-
Goal 7:
-
Goal 8:
7.1.3. Idealized Forms
In the proposed scheme, there are four messages exchanged through a public channel. We transform these messages into idealized forms. Our scheme’s idealized forms for the messages are as follows:
-
:
-
:
-
:
-
:
7.1.4. Assumptions
The assumptions in the proposed scheme are shown below.
-
:
-
:
-
:
-
:
-
:
-
:
-
:
-
:
-
:
-
:
-
:
-
:
7.1.5. BAN Logic Proof
Step 1: We can obtain from the message .
Step 2: We can obtain from the message meaning rule using and .
Step 3: We can obtain from the freshness rule using and .
Step 4: We can obtain from the nonce verification rule using and .
Step 5: We can obtain from the message .
Step 6: We can obtain from the message meaning rule using and .
Step 7: We can obtain from the freshness rule using and .
Step 8: We can obtain from the nonce verification rule using and .
Step 9: We can obtain from the message .
Step 10: We can obtain from the message meaning rule using and .
Step 11: We can obtain from the nonce verification rule using and .
Step 12: We can obtain and from and . and can compute the session key .
Step 13: We can obtain and from the jurisdiction rule using and , and and , respectively.
Step 14: We can obtain from the message .
Step 15: We can obtain from the message meaning rule using and .
Step 16: We can obtain from the freshness rule using and .
Step 17: We can obtain from the nonce verification rule using and .
Step 18: We can obtain and using and . and can compute the session key .
Step 19: We can obtain and using the jurisdiction rule using and , , and , respectively.
7.2. RoR Model
In this section, we prove that the session key in the proposed scheme is secure, using the Real-or-Random (RoR) model [10]. To apply our scheme into the RoR model, we discuss the basic concepts of participants, adversaries, and queries. There are three participants in our scheme: , , and , where is the participant instance of the user, the gateway, and the sensor node. We assume that an adversary can control the whole network, which intercepts, deletes, inserts, and eavesdrops messages transmitted through a public channel. Moreover, attempts to attack the network utilizing , , , , and queries in the RoR model. Details of the queries are as follows.
: The query is a passive attack. This query explains that can eavesdrop messages generated by , , and .
: This query is an active attack. By this query, can obtain sensitive information extracted from the smart device of .
: can reveal the current session key .
: Using the query , can send a message to , , and . Moreover, can receive the return message. Therefore, this query is an active attack.
: If performs a query, an unbiased coin C is flipped prior to starting the game. When the session key is fresh, obtains . also obtains when the session key is not fresh. Otherwise, will receive a null value (⊥). If cannot distinguish between the session key and the random number, we can ensure that the proposed scheme can provide the security of the session key.
Security Proof
Theorem 1.
In the RoR model, an adversary tries to calculate the session key of the proposed scheme in polynomial time. Let be the possibility that breaks the security of the session key. We define and as the range space of hash function and PUF function , respectively. In addition, we define , , and as the number of , , and queries, respectively. is the number of bits in biometric secret key of the doctor, and are the Zipf’s parameter [34].
Proof.
We follow the security proof as performed in [35,36,37]. In our proof, there are five games where . We denote as the winning probability of the adversary and as the advantage of the .
: is the starting game, where the adversary picks up the random bit c. Therefore, we obtain the following:
(1) : In this game, performs an eavesdropping attack, which is the query in the RoR model. When obtaining messages , , , , and , carries out and queries to distinguish between the session key and a random number. To obtain the session key , needs , , and , which are random numbers generated by the user (doctor), the gateway, and the sensor node, respectively. is the shared secret parameter between the gateway and the user. For these reasons, the adversary cannot compute the session key . This means that does not enhance the probability compared with the .
(2) : In , the adversary performs and queries. In the message , , , and , parameters , , , , , and are masked by the cryptographic one-way hash function, which provides resistance against hash collision. Moreover, random numbers , , , and the hash functions are contained in , , , , and . Therefore, there is no collision problem when performs a query. We apply the birthday paradox [38] and obtain the result as follows:
(3) : is similar to . performs and queries. As explained in Section 3.3, the physical function has a secure property. Therefore, we can obtain the following inequation:
(4) : In the final game , performs a query and extracts sensitive data from the smart device of the user. attempts to calculate parameters and from and , respectively. Since parameters and are composed of the password and biometrics, must guess these parameters. Therefore, cannot enhance the probability because guessing the password and biometrics is a computationally infeasible task. According to Zipf’s law [34], we can make the following inequation:
(5) When the games are completed, the adversary obtains the guessed bit c. Therefore, it is clear that
(6) Applying the triangular inequality, we obtain the following result:
(9) Finally, we obtain the required result multiplying (9) by 2:
Thus, we have proven Theorem 1.
□
7.3. AVISPA Simulation
We simulate the proposed scheme using AVISPA [11,12] to analyze the security features of our scheme. AVISPA is a formal verification tool that can detect security vulnerabilities regarding replay and man-in-the-middle attacks. Therefore, various authentication schemes [39,40,41] have been simulated by using AVISPA.
To simulate our protocol, we need to create a code written in the High-Level Protocol Specification Language (HLPSL). The code written in HLPSL is converted to the Intermediate Format (IF) by the translator. Then, the translator inputs the IF into back-ends. AVISPA has four back-ends, named On-the-Fly Model Checker (OFMC), Constraint Logic-based Attack Searcher (CL-AtSe), SAT-based Model Checker (SATMC), and Three Automata based on Automatic Approximations for Analysis of Security Protocol (TA4SP). In this paper, the OFMC and CL-AtSe back-ends are used because these back-ends provide exclusive-OR operations. Lastly, we obtain the Output Format (OF), which is the security analysis result of the protocol. If we obtain a “SAFE” message in the summary of OF, we can consider that the protocol is secure against replay and man-in-the-middle attacks.
7.3.1. HLPSL Specification
In this section, we explain the HLPSL code of our scheme. There are three basic roles in HLPSL: the doctor , the gateway , and the sensor node . With these roles, we describe the session and the environment roles. The goals, the environment, and the session of our scheme written in HLPSL are shown in Figure 7.
Figure 7.
Role specification for the session, environment, and goals.
We show the role of the doctor in Figure 8. When state 1 starts, the doctor receives a start message and generates the registration request message . Then, the doctor computes with his password , the biometrics , and sends to the gateway via a secure channel. After this, the doctor receives from the gateway and computes and in state 2. The doctor stores in the smart device. With these parameters, the doctor sends a login and authentication request message to the gateway via a public channel. , indicates the freshness of . When the doctor receives the message in state 3, the doctor performs and , which represent the freshness acceptance of the random nonces and .
Figure 8.
Role specification for the doctor.
7.3.2. Simulation Result
We perform simulations using the OFMC and CL-AtSe back-ends and show the simulation result of the proposed scheme in Figure 9. If the summary message is “SAFE”, this indicates that the proposed scheme is secure against replay and man-in-the-middle attacks. As with the simulation result shown in Figure 9, both summaries simulated in the OFMC and CL-AtSe back-ends are “SAFE”. Thus, the proposed scheme can prevent replay and man-in-the-middle attacks.
Figure 9.
The AVISPA simulation result of the proposed scheme.
7.4. Informal Analysis
In this section, we show the security features of the proposed scheme, including those that protect against offline password guessing, impersonation, replay, man-in-the-middle, physical, cloning, privileged insider, session-specific random number leakage, and verification table leakage attacks. Moreover, the proposed scheme can ensure user anonymity, perfect forward secrecy, and mutual authentication.
7.4.1. User Anonymity
We assume that an adversary obtains the stolen smart device of a doctor (user) and extracts . However, cannot compute the real identity of the doctor because the pseudo identity of the doctor is masked by the hash function and updated in every session. Since the parameters and stored in the smart device are masked in the biometric template of the doctor, the has difficulty in guessing the real identity of the doctor. Hence, cannot obtain the real identity of the doctor. Therefore, we demonstrate that the proposed scheme can ensure user anonymity.
7.4.2. Offline Password Guessing Attack
obtains a doctor’s smart device and obtains from the device using a power analysis attack. Then, attempts to guess the password of the doctor using the extracted parameters. Unfortunately, cannot guess the password of the doctor because we use the biometrics in the proposed scheme. Since , must guess not only the password but also the biometrics of the doctor at the same time. Note that is the result of the fuzzy extractor, which is expressed as . However, this process is a computationally infeasible task. Thus, the proposed scheme can prevent offline password guessing attacks.
7.4.3. Impersonation Attack
Assume that an adversary tries to impersonate a legitimate doctor using parameters , which are stored in the doctor’s device. Then, attempts to calculate the login request message . However, cannot calculate and because cannot calculate . Hence, the proposed scheme is secure against impersonation attacks.
7.4.4. Replay Attack
Assume that an adversary intercepts authentication request messages , , and sends messages to authenticate the gateway and the sensor node at other sessions. However, each entity checks the freshness of , , and , which are random nonces generated by the doctor, the gateway, and the sensor node, respectively. Therefore, the proposed scheme is secure against replay attacks.
7.4.5. Man-in-the-Middle Attack
We show that cannot generate the login request message , according to Section 7.4.3. Moreover, cannot compute , , and because each message is masked in the shared secret parameter and . Thus, the proposed scheme can prevent man-in-the-middle attacks.
7.4.6. Physical and Cloning Attacks
We can assume that physically captures a sensor node and tries to authenticate the gateway as . To do this, obtains the parameters of using a power analysis attack. Then, attempts to authenticate as a legitimate sensor node using parameters or by cloning the sensor node . When receives from the gateway, computes . However, cannot compute because the function is a physically unclonable circuit and cannot duplicate, according to Section 3.3. Therefore, cannot compute and to calculate and . Thus, the proposed scheme is secure against physical and cloning attacks.
7.4.7. Privileged Insider Attack
Assume that a privileged insider obtains the registration request message of a doctor and obtains parameters , extracted from the stolen smart device of the doctor using a power analysis attack, and attempts to impersonate as the doctor. To compute the login request message , must calculate the shared secret parameter . However, cannot calculate because the parameter in is generated by the biometrics of the doctor. Moreover, must guess the password of the doctor to calculate , and it is a computationally infeasible task to guess and at the same time. Therefore, the proposed scheme can prevent privileged insider attacks.
7.4.8. Session-Specific Random Number Leakage Attack
Suppose that obtains random nonces , , and . Then, tries to calculate the session key . However, cannot compute the session key without knowing the shared secret parameter . Since is masked by the hash functions, cannot calculate . Thus, the proposed scheme has resistance against session-specific random number leakage attacks.
7.4.9. Verification Table Leakage Attack
If obtains the verification table , of the gateway, attempts to calculate the session key or impersonate a doctor. However, cannot calculate the shared secret parameter and without the master key s of the gateway. Therefore, it is difficult for to compute the session key or impersonate a doctor. Therefore, the proposed scheme can prevent verification table leakage attacks.
7.4.10. Perfect Forward Secrecy
If obtains the master key s of the gateway, attempts to compute the session key . However, cannot compute without the real identity of the doctor, and all random nonces are masked by hash functions. Therefore, cannot calculate . For this reason, the proposed scheme ensures perfect forward secrecy.
7.4.11. Mutual Authentication
To ensure mutual authentication, each entity checks the validity of , , , and . Furthermore, all participants check the freshness of random nonces , , and . When the verification processes are successful, we can demonstrate that the participants of the proposed scheme authenticate each other. Therefore, the proposed scheme ensures mutual authentication.
8. Performance
In this section, we compare the security features of the proposed scheme with other related schemes [7,18,19,20,25]. Moreover, we show the communication costs, computation costs, and energy consumption of the proposed scheme.
8.1. Security Features Comparison
We present the security features of the proposed scheme compared with related schemes [7,18,19,20,25]. In Table 3, we consider various security attacks and functionalities. The security features and the functionalities are as follows: : resistance against smart device theft attack, : resistance against offline password guessing attack, : resistance against impersonation attack, : resistance against replay attack, : resistance against privileged insider attack, : resistance against physical and cloning attacks, : resistance against session-specific random number leakage attack, : resistance against verification table leakage attack, : ensuring user anonymity, : ensuring perfect forward secrecy, : ensuring mutual authentication, : performing RoR model, : performing AVISPA simulation, : performing BAN logic proof. Therefore, our scheme can provide a secure authentication process compared with [7,18,19,20].
Table 3.
Security and functionality features comparison.
Security Properties | [18] | [19] | [20] | [25] | [7] | Proposed |
---|---|---|---|---|---|---|
× | 🗸 | 🗸 | 🗸 | × | 🗸 | |
🗸 | 🗸 | 🗸 | 🗸 | × | 🗸 | |
🗸 | 🗸 | 🗸 | 🗸 | × | 🗸 | |
🗸 | 🗸 | 🗸 | 🗸 | 🗸 | 🗸 | |
× | 🗸 | 🗸 | 🗸 | × | 🗸 | |
× | × | × | 🗸 | × | 🗸 | |
× | × | 🗸 | 🗸 | 🗸 | 🗸 | |
− | − | − | − | − | 🗸 | |
× | 🗸 | 🗸 | 🗸 | × | 🗸 | |
🗸 | 🗸 | 🗸 | 🗸 | 🗸 | 🗸 | |
🗸 | 🗸 | 🗸 | 🗸 | 🗸 | 🗸 | |
🗸 | − | − | 🗸 | − | 🗸 | |
🗸 | 🗸 | 🗸 | − | 🗸 | 🗸 | |
− | 🗸 | 🗸 | − | − | 🗸 |
🗸: Provides the security/functionality feature. ×: Does not provide the security/functionality feature. −: Does not consider the security/functionality feature.
8.2. Communication Costs Comparison
In this section, we compare the communication costs of the proposed scheme with existing schemes [7,18,19,20,25]. According to [35], we suppose that the SHA-1 hash digest, identity, random number, PUF challenge–response pair, timestamp, and ECC point are 160, 160, 128, 128, 32, and 320 bits, respectively. Therefore, the communication costs of the proposed scheme can be described as follows.
Message 1: The message requires bits.
Message 2: The message needs bits.
Message 3: The message needs bits.
Message 4: The message requires bits.
Therefore, the total communication costs of our scheme are bits. In Table 4, we show the total communication costs of our scheme and other related schemes. Consequently, we demonstrate that our scheme has more efficient communication costs than other related schemes [7,18,19,20,25].
Table 4.
Comparison of communication costs.
8.3. Computation Costs Comparison
We compare the computation costs of the proposed scheme with [7,18,19,20,25]. According to [42,43], we define , , , , , and as the random number generation (≈0.0539 s), hash function (≈0.00023 s), ECC multiplication (≈0.2226 s), ECC addition (≈0.00288 s), fuzzy extractor (≈0.268 s), and PUF operation time (≈0.012 s), respectively. Furthermore, we ignore the execution time of exclusive-OR (⊕) operations because it is computationally negligible.
The total computation costs of our scheme are slightly higher than those of Masud et al.’s scheme [7] as shown in Table 5. However, our scheme has a much higher security level than [7] using the fuzzy extractor and PUF. Moreover, our scheme is more efficient and lightweight than previous schemes [18,19,20,25] that utilize ECC, the fuzzy extractor, and PUF.
Table 5.
Comparison of computational costs.
8.4. Energy Consumption Comparison
In this section, we compare the energy consumption of our scheme with [7,18,19,20,25]. We follow the battery consumption model used in [44], where the energy consumption for sending and receiving a bit are taken as 4.602 mJ and 2.34 mJ, respectively [45]. Therefore, the total energy consumption of our scheme is 4867 mJ. Table 6 shows the total energy consumption of the proposed scheme and [7,18,19,20,25]. The result indicates that our scheme is more efficient in terms of energy consumption than other related schemes.
Table 6.
Comparison of energy consumption.
9. Conclusions
In this paper, we review Masud et al.’s scheme and prove that their scheme is vulnerable to offline password guessing, impersonation, and privileged insider attacks. We also discover that Masud et al.’s scheme cannot ensure user anonymity and has a device update problem. To improve the security level and overcome the security weaknesses of Masud et al.’s scheme, we propose a provably secure three-factor-based mutual authentication and key agreement scheme for WMSNs. Our scheme has light weight, using only hash functions and exclusive-OR operators; it provides a secure login process to the doctor using the fuzzy extractor, and it provides resistance against cloning and physical attacks using PUF. We ensure the mutual authentication utilizing BAN logic and prove the session key security of our scheme using the RoR model. We also show that our scheme offers resistance against replay and man-in-the-middle attacks by utilizing the AVISPA simulation tool. We prove that our scheme is secure against various attacks, including offline password, impersonation, sensor node capture, and verification table leakage attacks, through informal analysis. Furthermore, we demonstrate that our scheme can provide user anonymity, perfect forward secrecy, and mutual authentication. Finally, we estimate the computation costs, communication costs, and energy consumption of our scheme and compare it with other related schemes. Our result shows that the proposed scheme can provide doctors and patients with more secure services for WMSNs. In the future, we will develop and implement our scheme, considering performance evaluation and result analysis, confirming its suitability for practical WMSN environments.
Author Contributions
Conceptualization, D.K.; Formal analysis, D.K. and Y.P (Yohan Park); Methodology, D.K. and Y.P. (Yohan Park); Software, D.K.; Validation, Y.P. (Yohan Park) and Y.P. (Youngho Park); Formal Proof, Y.P. (Youngho Park); Writing—original draft, D.K.; Writing—review and editing, Y.P. (Yohan Park), and Y.P. (Youngho Park); Supervision, Y.P.(Youngho Park). All authors have read and agreed to the published version of the manuscript.
Funding
This research was supported in part by the Basic Science Research Program through the National Research Foundation of Korea (NRF), funded by the Ministry of Education under grant 2020R1I1A3058605, and in part by the BK21 FOUR project, funded by the Ministry of Education, Korea under grant 4199990113966.
Institutional Review Board Statement
Not applicable.
Informed Consent Statement
Not applicable.
Conflicts of Interest
The authors declare no conflict of interest.
Footnotes
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
References
- 1.Lara E., Aguilar L., Sanchez M.A., García J.A. Lightweight authentication protocol for M2M communications of resource-constrained devices in industrial Internet of Things. Sensors. 2020;20:501. doi: 10.3390/s20020501. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 2.Park K., Noh S., Lee H., Das A.K., Kim M., Park Y., Wazid M. LAKS-NVT: Provably secure and lightweight authentication and key agreement scheme without verification table in medical internet of things. IEEE Access. 2020;20:119387–119404. doi: 10.1109/ACCESS.2020.3005592. [DOI] [Google Scholar]
- 3.Oh J., Yu S., Lee J., Son S., Kim M., Park Y. A secure and lightweight authentication protocol for IoT-based smart homes. Sensors. 2021;21:1488. doi: 10.3390/s21041488. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 4.Abdulsalam Y., Hossain M.S. COVID-19 networking demand: An auction-based mechanism for automated selection of edge computing services. IEEE Trans. Netw. Sci. Eng. 2020:1–11. doi: 10.1109/TNSE.2020.3026637. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 5.Aileni R.M., Suciu G. Decentralised Internet of Things. Springer; Berlin/Heidelberg, Germany: 2020. IoMT: A blockchain perspective; pp. 199–215. [Google Scholar]
- 6.Rahman M., Jahankhani H. Information Security Technologies for Controlling Pandemics. Springer; Berlin/Heidelberg, Germany: 2021. Security vulnerabilities in existing security mechanisms for IoMT and potential solutions for mitigating cyber-attacks; pp. 307–334. [Google Scholar]
- 7.Masud M., Gaba G.S., Choudhary K., Hossain M.S., Alhamid M.F., Muhammad G. Lightweight and anonymity-preserving user authentication scheme for IoT-based healthcare. IEEE Internet Things J. 2021 doi: 10.1109/JIOT.2021.3080461. [DOI] [Google Scholar]
- 8.Dodis Y., Reyzin L., Smith A. Lecture Notes in Computer Science, Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, 2–6 May 2004. Springer; Berlin/Heidelberg, Germany: 2004. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data; pp. 523–540. [Google Scholar]
- 9.Burrows M., Abadi M., Needham R.M. A logic of authentication. ACM Trans. Comput. Syst. 1990;8:18–36. doi: 10.1145/77648.77649. [DOI] [Google Scholar]
- 10.Abdalla M., Fouque P., Pointcheval D. Lecture Notes in Computer Science, Proceedings of the 8th International Workshop on Theory and Practice in Public Key Cryptography (PKC’05), Les Diablerets, Switzerland, 23–26 January 2005. Springer; Berlin/Heidelberg, Germany: 2005. Password-based authenticated key exchange in the three-party setting; pp. 65–84. [Google Scholar]
- 11.AVISPA Automated Validation of Internet Security Protocols and Applications. [(accessed on 20 July 2021)]. Available online: http://www.avispa-project.org/
- 12.SPAN: A Security Protocol Animator for AVISPA. [(accessed on 20 July 2021)]. Available online: http://www.avispa-project.org/
- 13.Kumar P., Lee S.G., Lee H.J. E-SAP: Efficient-strong authentication protocol for healthcare applications using wireless medical sensor networks. Sensors. 2012;12:1625–1647. doi: 10.3390/s120201625. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 14.He D., Kumar N., Chen J., Lee C.C., Chilamkurti N., Yeo S.S. Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks. Multimed. Syst. 2015;21:49–60. doi: 10.1007/s00530-013-0346-9. [DOI] [Google Scholar]
- 15.Mir O., Munilla J., Kumari S. Efficient anonymous authentication with key agreement protocol for wireless medical sensor networks. Peer-to-Peer Netw. Appl. 2017;10:79–91. doi: 10.1007/s12083-015-0408-1. [DOI] [Google Scholar]
- 16.Wu F., Li X., Sangaiah A.K., Xu L., Kumari S., Wu L., Shen J. A lightweight and robust two-factor authentication scheme for personalized healthcare systems using wireless medical sensor networks. Future Gener. Comput. Syst. 2018;82:727–737. doi: 10.1016/j.future.2017.08.042. [DOI] [Google Scholar]
- 17.Challa S., Das A.K., Odelu V., Kumar N., Kumari S., Khan M.K., Vasilakos A.V. An efficient ECC-based provably secure three-factor user authentication and key agreement protocol for wireless healthcare sensor networks. Comput. Electr. Eng. 2018;69:534–554. doi: 10.1016/j.compeleceng.2017.08.003. [DOI] [Google Scholar]
- 18.Li X., Peng J., Obaidat M.S., Wu F., Khan M.K., Chen C. A secure three-factor user authentication protocol with forward secrecy for wireless medical sensor network systems. IEEE Syst. J. 2019;14:39–50. doi: 10.1109/JSYST.2019.2899580. [DOI] [Google Scholar]
- 19.Shin S., Kwon T. A privacy-preserving authentication, authorization, and key agreement scheme for wireless sensor networks in 5G-integrated Internet of Things. IEEE Access. 2020;8:67555–67571. doi: 10.1109/ACCESS.2020.2985719. [DOI] [Google Scholar]
- 20.Ali Z., Ghani A., Khan I., Chaudhry S.A., Islam S.H., Giri D. A robust authentication and access control protocol for securing wireless healthcare sensor networks. J. Inf. Secur. Appl. 2020;52:102502. doi: 10.1016/j.jisa.2020.102502. [DOI] [Google Scholar]
- 21.Hsu C.L., Le T.V., Hsieh M.C., Tsai K.Y., Lu C.F., Lin T.W. Three-factor UCSSO scheme with fast authentication and privacy protection for telecare medicine information systems. IEEE Access. 2020;8:196553–196566. doi: 10.1109/ACCESS.2020.3035076. [DOI] [Google Scholar]
- 22.Aman M.N., Chua K.C., Sikdar B. Mutual authentication in IoT systems using physical unclonable functions. IEEE Internet Things J. 2017;4:1327–1340. doi: 10.1109/JIOT.2017.2703088. [DOI] [Google Scholar]
- 23.Byun J.W. End-to-end authenticated key exchange based on different physical unclonable functions. IEEE Access. 2019;7:102951–102965. doi: 10.1109/ACCESS.2019.2931472. [DOI] [Google Scholar]
- 24.Fang D., Qian Y., Hu R.Q. A flexible and efficient authentication and secure data transmission scheme for IoT applications. IEEE Internet Things J. 2020;7:3474–3484. doi: 10.1109/JIOT.2020.2970974. [DOI] [Google Scholar]
- 25.Chen Y., Chen J. An efficient mutual authentication and key agreement scheme without password for wireless sensor networks. J. Supercomput. 2021:1–23. doi: 10.1007/s11227-021-03820-6. [DOI] [Google Scholar]
- 26.Dolev D., Yao A. On the security of public key protocols. IEEE Trans. Inf. Theory. 1983;29:198–208. doi: 10.1109/TIT.1983.1056650. [DOI] [Google Scholar]
- 27.Canetti R., Krawczyk H. Lecture Notes in Computer Science, Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques—Advances in Cryptology (EUROCRYPT’02), Amsterdam, The Netherlands, 28 April–2 May 2002. Springer; Berlin/Heidelberg, Germany: 2002. Universally composable notions of key exchange and secure channels; pp. 337–351. [Google Scholar]
- 28.Kocher P., Jaffe J., Jun B. Differential power analysis; Proceedings of the Annual International Cryptology Conference; Santa Barbara, CA, USA. 15–19 August 1999; pp. 388–397. [Google Scholar]
- 29.Park K., Park Y., Park Y., Das A.K. 2PAKEP: Provably secure and efficient two-party authenticated key exchange protocol for mobile environment. IEEE Access. 2018;6:30225–30241. doi: 10.1109/ACCESS.2018.2844190. [DOI] [Google Scholar]
- 30.Park Y., Park K., Park Y. Secure user authentication scheme with novel server mutual verification for multiserver environments. Int. J. Commun. Syst. 2019;32:e3929. doi: 10.1002/dac.3929. [DOI] [Google Scholar]
- 31.Lee J., Yu S., Kim M., Park Y., Lee S., Chung B. Secure key agreement and authentication protocol for message confirmation in vehicular cloud computing. Appl. Sci. 2020;10:6268. doi: 10.3390/app10186268. [DOI] [Google Scholar]
- 32.Shashidhara R., Nayak S.K., Das A.K., Park Y. On the design of lightweight and secure mutual authentication system for global roaming in resource-limited mobility networks. IEEE Access. 2021;9:12879–12895. doi: 10.1109/ACCESS.2021.3050402. [DOI] [Google Scholar]
- 33.Jan S.U., Ali S., Abbasi I.A., Mosleh M.A., Alsanad A., Khattak H. Secure patient authentication framework in the healthcare system using wireless medical sensor networks. J. Healthc. Eng. 2021;2021:9954089. doi: 10.1155/2021/9954089. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 34.Wang D., Cheng H., Wang P., Huang X., Jian G. Zipf’s law in passwords. IEEE Trans. Inf. Forensics Secur. 2017;12:2776–2791. doi: 10.1109/TIFS.2017.2721359. [DOI] [Google Scholar]
- 35.Banerjee S., Odelu V., Das A.K., Chattopadhyay S., Rodrigues J.J., Park Y. Physically secure lightweight anonymous user authentication protocol for internet of things using physically unclonable functions. IEEE Access. 2019;7:85627–85644. doi: 10.1109/ACCESS.2019.2926578. [DOI] [Google Scholar]
- 36.Wazid M., Bagga P., Das A.K., Shetty S., Rodrigues J.J., Park Y. AKM-IoV: Authenticated key management protocol in fog computing-based Internet of vehicles deployment. IEEE Internet Things J. 2019;6:8804–8817. doi: 10.1109/JIOT.2019.2923611. [DOI] [Google Scholar]
- 37.Lee J., Kim G., Das A.K., Park Y. Secure and efficient honey list-based authentication protocol for vehicular ad hoc networks. IEEE Trans. Netw. Sci. Eng. 2021 doi: 10.1109/TNSE.2021.3093435. [DOI] [Google Scholar]
- 38.Boyko V., MacKenzie P., Patel S. Lecture Notes in Computer Science, Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Bruges, Belgium, 14–18 May 2000. Springer; Berlin/Heidelberg, Germany: 2000. Provably secure password-authenticated key exchange using Diffie-Hellman; pp. 156–171. [Google Scholar]
- 39.Son S., Lee J., Kim M., Yu S., Das A.K., Park Y. Design of secure authentication protocol for cloud-assisted telecare medical information system using blockchain. IEEE Access. 2020;8:192177–192191. doi: 10.1109/ACCESS.2020.3032680. [DOI] [Google Scholar]
- 40.Lee J., Yu S., Kim M., Park Y., Das A.K. On the design of secure and efficient three-factor authentication protocol using honey list for wireless sensor networks. IEEE Access. 2020;8:107046–107062. doi: 10.1109/ACCESS.2020.3000790. [DOI] [Google Scholar]
- 41.Kim M., Lee J., Park K., Park Y., Park K.H., Park Y. Design of secure decentralized car-sharing system using blockchain. IEEE Access. 2021;9:54796–54810. doi: 10.1109/ACCESS.2021.3071499. [DOI] [Google Scholar]
- 42.Kilinc H.H., Yanik T. A survey of SIP authentication and key agreement schemes. IEEE Commun. Surv. Tutor. 2013;16:1005–1023. doi: 10.1109/SURV.2013.091513.00050. [DOI] [Google Scholar]
- 43.Gope P., Sikdar B. Lightweight and privacy-preserving two-factor authentication scheme for IoT devices. IEEE Internet Things J. 2019;6:580–589. doi: 10.1109/JIOT.2018.2846299. [DOI] [Google Scholar]
- 44.Das A.K., Sutrala A.K., Kumari S., Odelu V., Wazid M., Li X. An efficient multi-gateway-based three-factor user authentication and key agreement scheme in hierarchical wireless sensor networks. Secur. Commun. Netw. 2016;9:2070–2092. doi: 10.1002/sec.1464. [DOI] [Google Scholar]
- 45.Shnayder V., Hempstead M., Chen B.R., Allen G.W., Welsh M. Simulating the power consumption of large-scale sensor network applications; Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems; Baltimore, MD, USA. 3–5 November 2004; pp. 188–200. [Google Scholar]