Skip to main content
Sensors (Basel, Switzerland) logoLink to Sensors (Basel, Switzerland)
. 2021 Sep 9;21(18):6039. doi: 10.3390/s21186039

Provably Secure Three-Factor-Based Mutual Authentication Scheme with PUF for Wireless Medical Sensor Networks

DeokKyu Kwon 1, YoHan Park 2, YoungHo Park 1,3,*
Editors: Simon Tjoa, Peter Kieseberg, Henri Ruotsalainen
PMCID: PMC8469710  PMID: 34577245

Abstract

Wireless medical sensor networks (WMSNs) are used in remote medical service environments to provide patients with convenient healthcare services. In a WMSN environment, patients wear a device that collects their health information and transmits the information via a gateway. Then, doctors make a diagnosis regarding the patient, utilizing the health information. However, this information can be vulnerable to various security attacks because the information is exchanged via an insecure channel. Therefore, a secure authentication scheme is necessary for WMSNs. In 2021, Masud et al. proposed a lightweight and anonymity-preserving user authentication scheme for healthcare environments. We discover that Masud et al.’s scheme is insecure against offline password guessing, user impersonation, and privileged insider attacks. Furthermore, we find that Masud et al.’s scheme cannot ensure user anonymity. To address the security vulnerabilities of Masud et al.’s scheme, we propose a three-factor-based mutual authentication scheme with a physical unclonable function (PUF). The proposed scheme is secure against various security attacks and provides anonymity, perfect forward secrecy, and mutual authentication utilizing biometrics and PUF. To prove the security features of our scheme, we analyze the scheme using informal analysis, Burrows–Abadi–Needham (BAN) logic, the Real-or-Random (RoR) model, and Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation. Furthermore, we estimate our scheme’s security features, computation costs, communication costs, and energy consumption compared with the other related schemes. Consequently, we demonstrate that our scheme is suitable for WMSNs.

Keywords: wireless medical sensor networks, PUF, biometrics, BAN logic, RoR model, AVISPA

1. Introduction

With the development of wireless communication and sensor minimization technology, wireless sensor networks (WSNs) have been widely used in various environments, such as industrial Internet of Things [1], healthcare [2], and smart homes [3]. In particular, the demand for remote healthcare services has been increased due to the COVID-19 pandemic [4]. Remote healthcare services can be realized through wireless medical sensor networks (WMSNs). Generally, WMSNs consist of doctors (users), a gateway, and sensor nodes. Doctors communicate with the gateway to access a patient’s health data through their smart device. The gateway, such as a smart hospital, stores sensitive data and supports smooth wireless communication between doctors and sensor nodes. Sensor nodes are attached to patients and transmit patients’ sensitive health data to doctors through the gateway [5]. Therefore, doctors can perform the diagnosis of patients remotely and patients can receive convenient remote medical services wherever they are.

Although WMSNs can provide convenient medical services to patients, there are several security risks. First of all, each message is exchanged through a public channel; therefore, malicious adversaries can perform security attacks such as replay and man-in-the-middle attacks [6]. In addition, the smart device of a doctor can be stolen and an adversary can attempt to impersonate the doctor using parameters extracted from the device. In addition, the sensor node can be physically captured by an adversary and the adversary can attempt to impersonate the patient using the secret parameter, extracted from the sensor node. If an adversary obtains and modifies the information of patients using the above security attacks, this can have a serious effect on the patient’s health, such as inducing a misdiagnosis by the doctor. Accordingly, secure authentication schemes are necessary to overcome these security vulnerabilities for WMSNs.

In 2021, Masud et al. [7] proposed a lightweight and anonymity-preserving user authentication scheme for IoT-based healthcare environments. They claimed that their scheme is lightweight and prevents various security attacks (e.g., replay, privileged insider, and impersonation attacks). Moreover, they asserted that their scheme can ensure user anonymity and session key agreement. However, we find that Masud et al.’s scheme cannot prevent offline password guessing, user impersonation, and privileged insider attacks. Moreover, we prove that their scheme cannot ensure user anonymity. Their scheme also has a device update problem, where the doctor cannot perform a login process on his own smart device. To overcome these security vulnerabilities of Masud et al.’s scheme, we propose a secure three-factor-based mutual authentication scheme with physical unclonable function (PUF) for WMSNs. In our scheme, we use PUF and fuzzy extractor [8] to enhance the security level. The PUF is a physical circuit that outputs unpredictable random strings, and the fuzzy extractor is a cryptographic algorithm that utilizes the biometrics of users. Therefore, we install the PUF in the sensor node to prevent physical and cloning attacks, and we utilize the fuzzy extractor to overcome offline password guessing attacks. Our scheme also uses hash functions and exclusive-OR operations to ensure real-time communication.

1.1. Research Contributions

The contributions of our paper are as follows.

  • We review Masud et al.’s scheme and prove that their scheme cannot ensure user anonymity. Moreover, we show that their scheme is vulnerable to offline password, impersonation, and privileged insider attacks and has a device update problem.

  • We propose a secure three-factor-based mutual authentication scheme to overcome the security vulnerabilities of Masud et al.’s scheme. We use hash functions and exclusive-OR operations to provide real-time communication for WMSNs. We also utilize PUF and fuzzy extractor [8] to prevent physical and offline password guessing attacks, respectively.

  • We analyze the security features of the proposed scheme using well-known Burrows–Abadi–Needham (BAN) logic [9] and the Real-or-Random (RoR) model [10], which can prove mutual authentication and session key security, respectively. Furthermore, we utilize the Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation tool [11,12] to prove that the proposed scheme has resistance against replay and man-in-the-middle attacks.

  • We show that our scheme has resistance against various security attacks, such as offline password, impersonation, privileged insider, replay, and man-in-the-middle attacks, using informal analysis. Moreover, the proposed scheme ensures user anonymity, perfect forward secrecy, and mutual authentication.

  • We estimate the security properties and functionalities, communication costs, computation costs, and energy consumption of our scheme in comparison with existing authentication schemes.

1.2. Organization

In Section 2, we introduce related works for WMSNs. We describe the PUF, fuzzy extractor, adversary model, and system model in Section 3. In Section 4, we describe the detailed procedures of Masud et al.’s scheme. In Section 5, we prove the security vulnerabilities of Masud et al.’s scheme. To overcome these security vulnerabilities, we propose a secure three-factor-based mutual authentication scheme with PUF for WMSNs in Section 6. In Section 7 and Section 8, we analyze the security features of our scheme using formal and informal analyses and estimate the performance of our scheme, respectively. Finally, we conclude and summarize our paper in Section 9.

2. Related Works

In the past several decades, researchers have proposed numerous two-factor-based authentication schemes for WMSNs. In 2012, Kumar et al. [13] proposed an authentication scheme for healthcare applications using a smart card. Their scheme used a symmetric encryption method to establish the session key between the user and the medical sensor node. However, He et al. [14] claimed that Kumar et al.’s scheme is vulnerable to password guessing and privileged insider attacks. As a result, He et al. proposed a robust authentication scheme to overcome these security weaknesses. Unfortunately, Mir et al. [15] demonstrated that [14] cannot prevent offline password guessing and masquerading user attacks. To address the security vulnerabilities of He et al’s scheme [15], they proposed an authentication and key agreement scheme using hash functions and exclusive-OR operations. In 2018, Wu et al. [16] proposed an authentication scheme for personalized healthcare systems. They used a smart device as a factor to protect the privacy of the doctor. However, the above schemes [13,14,15,16] can be vulnerable to smart device theft and offline password guessing attacks because they adopt two-factor-based authentication schemes.

Three-factor-based authentication schemes have been proposed to improve the security level for WMSNs. In 2018, Challa et al. [17] proposed a three-factor-based user authentication and key agreement protocol using bilinear pairings for wireless healthcare sensor networks. Challa et al. employed bilinear pairing and the fuzzy extractor to overcome security vulnerabilities such as smart card theft, offline password guessing, and privileged insider attacks. In 2019, Li et al. [18] proposed a three-factor user authentication protocol based on elliptic curve cryptography (ECC). They claimed that their scheme can resist various security attacks utilizing biometrics verification with error-correcting code and a fuzzy commitment scheme. Shin et al. [19] suggested an authentication and key agreement scheme that can preserve users’ privacy in 5G-integrated IoT environments. In [19], each entity establishes the session key using elliptic curve Diffie–Hellman (ECDH). Furthermore, Ali et al. [20] proposed a biometric-based authentication and access control protocol for WMSNs using ECC. They claimed that their scheme is secure against privileged insider, stolen smart card, and offline password guessing attacks. In 2020, Hsu et al. [21] proposed a three-factor user-controlled single sign-on (UCSSO) scheme for telecare medicine information systems. Their scheme can provide fast authentication and privacy protection using only hash functions and exclusive-OR operations. Although the above schemes [18,19,20,21] can provide lightweight communications to doctors and patients, they cannot prevent sensor node physical and cloning attacks.

Recently, PUF-based authentication schemes have been proposed to prevent physical attacks. In 2017, Aman et al. [22] suggested a mutual authentication scheme using PUF in IoT systems. They claimed that their scheme is secure against IoT device cloning attacks because PUF is employed on each IoT device. Byun [23] proposed an end-to-end key exchange scheme using PUF. This scheme utilized PUF-embedded devices and the fuzzy extractor to ensure mutual authentication between two devices. In 2020, Fang et al. [24] proposed a PUF-based data transmission scheme for IoT environments. They proved that their scheme can prevent various attacks, such as DoS, eavesdropping, impersonation, and cloning attacks, using PUF. In 2021, Chen et al. [25] suggested an efficient mutual authentication and key agreement scheme using PUF and biometrics for wireless sensor network environments. To reduce the storage overhead of the user, Chen et al. [25] eliminated the password during the login phase.

In 2021, Masud et al. [7] proposed a lightweight user authentication scheme for IoT-based healthcare. They asserted that their scheme can protect against impersonation attacks and replay attacks and provide data privacy and anonymity. However, we discover that their scheme is vulnerable to several security issues, such as offline password guessing, user impersonation, and privileged insider attacks. We also find that their scheme cannot ensure user anonymity. Therefore, we propose a three-factor-based mutual authentication scheme using PUF to prevent various security weaknesses such as user anonymity, smart device theft, offline password, privileged insider, and cloning attacks, which are critical for WMSNs.

3. Preliminaries

In this section, we introduce the general system model and the adversary model for WMSNs. Then, we describe PUF and the fuzzy extractor, which can improve the security level of our scheme.

3.1. System Model

Figure 1 shows the general system model of a WMSN, which consists of doctors, a gateway, and sensor nodes. Details are as follows.

Figure 1.

Figure 1

The general system model of WMSNs.

  • Doctor (user): The doctor, who has a resource-constrained smart device, authenticates with the gateway to access patients’ health reports. To communicate with sensor nodes, the doctor must register with the gateway.

  • Gateway: The gateway, which is the smart hospital, communicates with doctors and sensor nodes to provide efficient and convenient remote services to patients. We assume that the gateway is a trusted party and has enough storage and computing power.

  • Sensor node: The sensor node is a resource-constrained device attached to the patient in the form of a wearable device. The sensor node collects the patient’s health information and sends it to the doctor through the gateway.

3.2. Adversary Model

In our paper, we assume that an adversary can eavesdrop, insert, remove, and modify messages transmitted through a public channel according to a well-known adversary model, the Dolev–Yao (DY) model [26]. Moreover, we use the Canetti–Krawczyk (CK) adversary model [27]. In this model, an adversary can access ephemeral parameters or the master key of the gateway. With the CK and DY adversary models, we assume that an adversary can perform various attacks. Details are as below.

  • An adversary can steal a doctor’s smart device and obtain the secret parameter, extracted from the smart device using a power analysis attack [28].

  • An adversary can be a privileged insider who can obtain the user’s registration message.

  • An adversary can obtain the patient’s sensor node and perform a cloning attack.

  • An adversary can perform various attacks, such as man-in-the-middle, password guessing, and stolen verifier attacks [29].

3.3. Physical Unclonable Function

Physical unclonable functions (PUFs) are physical circuits that operate as a one-way function. In the PUF circuit, there is an input–output bit string pair called the “challenge–response pair”. If a random bit string challenge is entered into the PUF circuit, a unique output response is printed out. In this paper, we express this process as R=PUF(C), where C and R are a challenge and a response, respectively. Ideal PUF properties are as below.

  • The PUF is an unclonable circuit.

  • The PUF is a unique physical microstructure. The output of the PUF depends on the physical circuit.

  • The output of the PUF has to be unpredictable.

  • The circuit of the PUF is easy to estimate and implement.

Since a PUF has the properties of a one-way function, the PUF returns the same response when the same challenge is input into a PUF-installed device. Moreover, the PUF gives different responses when the same challenge is input into different devices. Therefore, the PUF can provide a unique one-way function that cannot be duplicated. This uniqueness enables the PUF to prevent various attacks, such as physical and cloning attacks.

3.4. Fuzzy Extractor

In this section, we explain the basic concept and direction of the fuzzy extractor [8]. When a user utilizes his biometrics or the PUF response string, we cannot ensure the accuracy due to the noise of external environmental factors. The fuzzy extractor can control the noise using the helper string. Therefore, we can use the biometric information and the PUF response string as a secret parameter using the fuzzy extractor. The fuzzy extractor consists of “generate (Gen(.))” and “reproduce (Rep(.))” algorithms. Details are as follows.

  • Gen(Bi)=(Ri,Pi): This is a probability algorithm to generate a secret string Ri. If a user inputs a random string Bi, the fuzzy extractor generates the secret parameter Ri and a helper string Pi.

  • Rep(Bi,Pi)=(Ri): This is a deterministic algorithm to reproduce the secret string Ri. If a user enters the random string Bi, the fuzzy extractor controls the noise of Bi using the helper string Pi and reproduces the secret string Ri.

4. Review of Masud et al.’s Scheme

In 2021, Masud et al. [7] proposed a lightweight and anonymity-preserving user authentication scheme for IoT-based healthcare environments. Their scheme consists of user registration, sensor node registration, and mutual authentication and key agreement phases. Notations and descriptions are explained in Table 1.

Table 1.

Notations and descriptions.

Notation Description
DID,SID Identity of the doctor and the sensor node
PWD Password of the doctor
BIOD Biometric template of the doctor
s Master key of the gateway
Rreq Registration request message
RSG,RSN Random number generated by the gateway and the sensor node
DTID,STID Temporary identity of the doctor and the sensor node
ND,NG,NS Random nonce generated by device of the doctor, the gateway, and the sensor node
CH1,RE1 Challenge and response pair
SK Session key
PUF(.) Physical unclonable function
h(.) Hash function
|| Concatenation operator
Exclusive-OR operator

4.1. User Registration Phase

A doctor must register in the gateway to use this network system. We show the user registration phase of Masud et al.’s scheme as follows.

Step 1: The doctor inputs an identity DID and password PWD, and generates a registration request message Rreq. Then, the doctor sends MRD1={DID,PWD,Rreq} to the gateway through a secure channel.

Step 2: The gateway stores DID and PWD, and then generates RSG1 to compute α=(DIDRSG1)PWD and DTID=RSG1DID. The gateway stores {RSG1,DTID} in its secure database and sends α to the doctor via a secure channel.

Step 3: The doctor computes RSG1=(αPWD)DID and DTID=RSG1DID, and stores {RSG1,DTID} in his device. Then, the doctor computes β=h(PWD||RSG1)DTID and stores {β}.

4.2. Sensor Node Registration Phase

To transmit the health information of a patient, the sensor node must register with the gateway. We describe the sensor node registration phase as below.

Step 1: The sensor node generates RSN1, and sends {SID,RSN1} to the gateway via a secure channel, where SID is the real identity of the sensor node.

Step 2: The gateway generates RSG2 and computes δ=(SIDRSG2)RSN1 and STID=RSG2SID. Then, the gateway stores {SID,RSN1,RSG2,STID} in its secure database and transmits {δ} to the sensor node through a secure channel.

Step 3: When the sensor node receives {δ}, it computes RSG2=(δRSN1)SID and STID=RSG2SID. Finally, the sensor node stores {RSN1,RSG2,STID} in its memory.

4.3. Mutual Authentication and Key Agreement Phase

In this phase, the doctor and the sensor node conduct a mutual authentication and key agreement phase to authenticate each other and establish a session key. Figure 2 shows the mutual authentication and key agreement phase of Masud et al.’s scheme and details are as follows.

Figure 2.

Figure 2

Mutual authentication and key agreement phase of Masud et al.’s scheme.

Step 1: When the doctor inputs his own password PWD, the smart device of the doctor computes Q=h(PWD||RSG1) and verifies Q=?β. If it is correct, the smart device generates a random nonce ND1 and computes ND1=ND1PWD and λ=h(RSG1||PWD). Then, the doctor sends {ND1,DTID,λ,STID} to the gateway via a public channel.

Step 2: The gateway receives {ND1,DTID,λ,STID} and computes ND1=ND1PWD. If ND1 is a fresh random nonce, the gateway checks the validity of STID and DTID, and computes λ=h(RSG1||PWD). After verifying the equation λ=?λ, the gateway generates NG1 and computes GW1=NG1STID, GW2=h(RSN1||RSG2), SKS=(SKRSN1)NG1, and GW3=RSG3RSN1, where SK is a session key. Then, the gateway sends {GW1,GW2,DTID,SKS,GW3} to the sensor node through a public channel.

Step 3: The sensor node computes NG1=GW1STID and checks the freshness of NG1. After this, the sensor node computes SN1=h(RSN1||RSG2) and checks the equality of SN1 and GW2. If it is equal, the sensor node generates NS1 and computes SK=(SKSNG1)RSG1, SN2=NS1STID, SN3=h(RSG2||RSN1||SK), SN4=RSG2RSN2, RSG3=GW2RSN1, and STIDnew=RSG3SID. Finally, the sensor node stores {RSN2,RSG3,STIDnew} and transmits {SN2,SN3,SN4} to the gateway.

Step 4: When the gateway receives {SN2,SN3,SN4} from the sensor node, the gateway computes NS1=SN2STID and verifies the freshness of NS1. Then, the gateway computes GW4=h(RSG2||RSN1||SK) and checks GW4=?SN3. If it is equal, the gateway computes RSN2=SN4RSG2 and STIDnew=RSG3SID and stores {RSN2,RSG3,STIDnew} in its database. The gateway generates a random nonce NG2 and computes μ=DIDNG2, SKU=(SKPWD)NG2, η=h(DID||PWD||SK||NG2), GW5=RSG4PWD, and DTIDnew=RSG4DID. Lastly, the gateway stores {RSG4,DTIDnew} in its secure database and sends a message {μ,SKU,η,GW5} to the smart device of the doctor.

Step 5: After receiving {μ,SKU,η,GW5} from the gateway, the doctor computes NG2=μDID and checks the freshness of NG2. Then, the smart device computes the session key SK=(SKUNG2)PWD and ϕ=h(DID||PWD||SK||NG2), and verifies ϕ=?η. If it is equal, the smart device computes RSG4=GW5PWD and DTIDnew=RSG4DID, and stores {RSG4,DTIDnew} in its memory.

5. Cryptanalysis of Masud et al.’s Scheme

If an adversary A obtains a legitimate user’s smart device, A can extract the information {β,RSG1,DTID} from the smart device using a power analysis attack [28], according to Section 3.2. With this information, A can perform various security attacks, such as offline password guessing, user impersonation, and privileged insider attacks. Furthermore, Masud et al.’s scheme does not ensure user anonymity and has a device update problem when signing in for the next session. Details are shown as below.

5.1. User Anonymity

An adversary A obtains the smart device of a doctor and extracts {β,RSG1,DTID} using power analysis attack. Then, A calculates DID=DTIDRSG1, where DID is the real identity of the doctor. Therefore, Masud et al.’s scheme cannot ensure user anonymity.

5.2. Offline Password Guessing Attack

An offline password guessing attack has a purpose of obtaining the valid password for a user using a password dictionary in polynomial time. Thus, an adversary A needs some information about the user in order to check whether the guessed password is correct or not. In Masud et al.’s scheme, A can verify the correctness of the guessed password using the information extracted from the smart device of the doctor. We describe the procedures as follows.

Step 1: The adversary A inputs a guessed password PWA and calculates Q=h(PWA||RSG1)DTID.

Step 2:A compares Q=?β, where β=h(PWD||RSG1)DTID is a parameter extracted from the smart device of the doctor. If it is equal, it means that A has guessed the password PWD correctly.

Thus, Masud et al.’s scheme is vulnerable to offline password guessing attacks.

5.3. User Impersonation Attack

The adversary A can obtain the real identity DID and the password PWD of the doctor, according to Section 5.1 and Section 5.2. Then, A can impersonate the doctor with this information. We describe the steps as follows.

Step 1:A generates a random nonce NA1 and computes NA1=NA1PWD and λA=h(RSG1||PWD). Then, A sends {NA1,DTID,λA,STID} to the gateway.

Step 2: After receiving {NA1,DTID,λA,STID} from the adversary A, the gateway retrieves NA1=NA1PWD and checks the freshness of NA1. If it is found to be fresh, the gateway verifies DTID and STID from its database. Then, the gateway computes λ=h(RSG1||PWD) and compares λ=?λA. If the equation is correct, the gateway generates a random nonce NG1 and computes GW1=NG1STID, GW2=h(RSN1||RSG2), SKS=(SKRSN1)NG1 and GW3=RSG3RSN1. Finally, the gateway sends {GW1,GW2,DTID,SKS,GW3} to the sensor node.

Step 3: The sensor node receives {GW1,GW2,DTID,SKS,GW3} and retrieves NG1=GW1STID. If NG1 is a fresh random nonce, the sensor node computes SN2=h(RSN1||RSG2) and compares SN2=?GW2. The sensor node generates a random nonce NS1 and computes SK=(SKSRSN1)NG1, SN2=NS1STID, SN3=h(RSG2||RSN1||SK), SN4=RSG2RSN2, RS3G=GW3RSN1 and STIDnew=R3)SGSID. The sensor node sends {SN2,SN3,SN4} and stores {RSN2,RSG3,STIDnew}.

Step 4: The gateway receives the message {SN2,SN3,SN4} and retrieves NS1=SN2STID. If NS1 is a fresh random nonce, the gateway computes GW4=h(RSG2||RSN1||SK) and checks GW4=?SN3. The gateway computes RSN2=SN4RSG2 and STIDnew=RSG3SID, and stores {RSN2,RSG3,STIDnew}. After this, the gateway generates a random nonce NG2 and computes μ=DIDNG2, SKU=(SKPWD)NG2, η=h(DID||PWD||SK||NG2), GW5=RSG4PWD and DTIDnew=RSG4DID. Lastly, the gateway stores {RSG4,DTIDnew} and sends {μ,SKU,η,GW5} to A.

Step 5:A computes NG2=μDID and verifies the freshness of NG2. Then, A computes SK=(SKUPWD)NG2 and ϕ=h(DID||PWD||SK||NG2), and compares ϕ=?η. Finally, A computes RSG4=GW5PWD and DTIDnew=RSG4DID, and stores these parameters {RSG4,DTIDnew}.

Therefore, Masud et al.’s scheme cannot prevent an impersonation attack.

5.4. Privileged Insider Attack

A privileged insider attack can be performed by an insider adversary A that has unquestioned authority within the system. Therefore, the privileged insider A can obtain various information about users, including registration request messages, and may attempt to calculate the session key or impersonate a legal user.

In Masud et al.’s scheme, a privileged insider adversary A can impersonate a legitimate doctor after obtaining a registration request message {DID,PWD,Rreq} and the secret parameter {β,RSG1,DTID} extracted from the smart device of the doctor. A generates a random nonce NA1 and computes NA1=NA1PWD and λA=h(RSG1||PWD). Then, A sends a message {NA1,DTID,λA,STID}. The gateway and the sensor node authenticate each other and return a message {μ,SKU,η,GW5} to A. Lastly, A calculates NG2=μDID and the session key SK=(SKUNG2)PWD. Thus, Masud et al.’s scheme is insecure against privileged insider attacks.

5.5. Device Update Problem

The smart device replaces {RSG1,DTID} with {RSG4,DTIDnew} at the end of the authentication and key agreement phase. After this, the doctor may try to authenticate another sensor node that is attached to a patient in other session. However, the doctor cannot perform the login phase. If the doctor inputs a password PWD, the smart device computes Q=h(PWD||RSG4)DTIDnew and verifies Q=?β. Since β=h(PWD||RSG1)DTID, the login phase is aborted. Therefore, Masud et al.’s scheme has a device update problem.

6. Proposed Scheme

Although Masud et al.’s scheme has efficiency for WMSNs, their scheme has several security vulnerabilities. To address these security weaknesses, we propose a secure three-factor-based mutual authentication and key agreement scheme using PUF. Our scheme consists of initialization, user registration, sensor node registration, mutual authentication and key agreement, and password change phases.

6.1. Initialization Phase

Before starting the registration phase, the gateway inserts an identity and a challenge into the sensor node. Figure 3 shows the initialization of our scheme and detailed steps are as follows.

Figure 3.

Figure 3

Initialization phase of the proposed scheme.

Step 1: The gateway selects an identity SID, a challenge CH1, and sends {SID,CH1} to the sensor node via a secure channel.

Step 2: The sensor node stores {SID,CH1} in the memory.

6.2. User Registration Phase

A doctor must register in the network to provide a convenient remote medical service to patients. We show the sensor node registration phase in Figure 4 and detailed steps are as follows.

Figure 4.

Figure 4

User registration phase of the proposed scheme.

Step 1: A doctor inputs an identity DID, a password PWD, and biometric template BIOD to the smart device. Then, the smart device generates a registration request message Rreq and computes Gen(BIDD)=<RD,PD> and GPWD=h(PWD||RD), where Gen(.) is a fuzzy extractor generation function. The doctor sends {DID,GPWD,Rreq} to the gateway via a secure channel.

Step 2: After receiving {DID,GPWD,Rreq} from the doctor, the gateway generates random numbers RSG1 and RSG2, and computes α=h(DID||s), β=αh(GPWD||RSG2), ω=αh(RSG1||s), and DTID=h(α||RSG2||RSG1). The gateway stores {ω,RSG1,DTID} in the secure database, and sends {β,DTID,RSG2} to the doctor via a secure channel.

Step 3: The doctor computes θ=h(RD||GPWD)RSG2 and VerD=h(DID||GPWD||RD), and stores {β,θ,VerD,DTID,PD} in the memory.

6.3. Sensor Node Registration Phase

A patient must register in the network using a sensor node in order to receive remote medical services from the doctor. In Figure 5, we show the sensor node registration phase of our scheme and details are as below.

Figure 5.

Figure 5

Sensor node registration phase of the proposed scheme.

Step 1: The sensor node retrieves the challenge stored in the memory and computes RE1=PUF(CH1), Gen(RE1)=<RSN1,PSN>, and ASID=h(RSN1||SID). Then, the sensor node sends {SID,ASID,CH1} to the gateway through a secure channel.

Step 2: The gateway generates RSG3 and computes δ=h(ASID||s), STID=h(δ||RSG3||ASID). After this, the gateway stores {ASID,STID,CH1} in its secure database and sends {δ,STID} to the sensor node via a secure channel.

Step 3: Finally, the sensor node deletes the challenge CH1 and stores {δ,PSN,STID} in its memory.

6.4. Mutual Authentication and Key Agreement Phase

The doctor sends a login request message to the gateway and establishes a session key among the doctor, the gateway, and the sensor node. After this, the doctor can perform an accurate diagnosis of the patient. We describe the mutual authentication and key agreement phase in Figure 6 and details are as follows.

Figure 6.

Figure 6

Mutual authentication and key agreement phase of the proposed scheme.

Step 1: The doctor inputs the identity DID, the password PWD, and imprints the biometrics BIOi. Then, the smart device computes RD=Rep(BIOD,PD), GPWD=h(PWD||RD), and VerD=h(DID||GPWD||RD), and verifies VerD=?VerD. If it is correct, the smart device generates a random nonce ND1 and computes RSG2=θh(RD||GPWD), α=βh(GPWD||RSG2), MD1=ND1h(DTID||α), and VD1=h(ND1||DTID||α||STID). The smart device sends {DTID,STID,MD1,VD1} to the gateway through a public channel.

Step 2: When the gateway receives the message {DTID,STID,MD1,VD1} from the doctor, the gateway checks the pseudo identity {DTID,STID} and retrieves {ω,RSG1} in the database. Then, the gateway computes α=ωh(RSG1||s), ND1=MD1h(DTID||α), and VD1=h(ND1||DTID||α||STID). If VD1=?VD1 is correct, the gateway generates a random nonce NG1 and retrieves {ASID,CH1}. The gateway computes δ=h(ASID||s), MG1=CH1h(δ||DTID||STID), MG2=(h(ND1||α)NG1)h(δ||DTID||ASID), and VG1=h(δ||STID||ASID||(h(ND1||α)NG1)||DTID). After this, the gateway transmits {DTID,STID,MG1,MG2,VG1} to the sensor node via a public channel.

Step 3: The sensor node computes CH1=MG1h(δ||DTID||STID), RE1=PUF(CH1), RSN1=Rep(RE1,PSN), ASID=h(RSN1||SID), (h(ND1||α)NG1)=MG2h(δ||DTID||ASID), and VG1=h(δ||STID||ASID||(h(ND1||α)NG1)||DTID). If the equation VG1=?VG1 is correct, the sensor node generates a random nonce NS1 and computes a new pseudo identity STIDnew=h(δ||NS1||ASID), a session key SK=h(h(ND1||α)NG1NS1), MS1=NS1h(δ||ASID||h(ND1||α)NG1), and VS1=h(NS1||STIDnew||SK). Lastly, the sensor node sends {MS1,VS1} to the gateway through a public channel and updates {STID} to {STIDnew}.

Step 4: After receiving {MS1,VS1} from the sensor node, the gateway computes NS1=MS1h(δ||ASID||h(ND1||α)NG1), the session key SK=h(h(ND1||α)NG1NS1), the new pseudo identity of the sensor node STIDnew=h(δ||NS1||ASID), and VS1=h(NS1||STIDnew||SK). If the equation VS1=?VS1 is correct, the gateway computes a new pseudo identity of the doctor DTIDnew=h(α||ND1||NG1NS1), MG3=(NG1NS1)h(α||DTID), and VG2=h(NG1NS1||DTIDnew||SK). Then, the gateway sends {MG3,VG2} to the doctor and updates {STID,DTID} to {STIDnew,DTIDnew}.

Step 5: The doctor computes (NG1NS1)=MG3h(α||DTID), DTIDnew=h(α||ND1||(NG1NS1)), SK=h(h(ND1||α)(NG1NS1)), and VG2=h(NG1||NS1||DTIDnew||SK) and verifies VG2=?VG2. If it is correct, the doctor replaces {DTID} with {DTIDnew} in the smart device.

6.5. Password Change Phase

In our scheme, we provide a convenient password update process for the doctor. Detailed steps are as follows.

Step 1: A doctor inputs DID, PWD, and BIOD to the smart device.

Step 2: The smart device computes RD=Rep(BIOD,PD), GPWD=h(PWD||RD), and VerD=h(DID||GPWD||RD) and verifies VerD=?VerD. If the equation is correct, the smart device demands a new password from the doctor.

Step 3: The doctor inputs a new password PWDnew to the smart device.

Step 4: The smart device computes GPWDnew=h(PWDnew||RD), β=αh(GPWDnew||RSG2), θ=h(RD||GPWDnew)RSG2, and VerDnew=h(DID||GPnewWD||RD) and updates {β,θ,VerD} to {βnew,θnew,VerDnew}.

7. Security Analysis

To prove the security features of the proposed scheme, we use BAN logic and the RoR model, which can prove the mutual authentication properties and session key security, respectively. Moreover, we show that our scheme has resistance against man-in-the-middle and replay attacks using AVISPA. Furthermore, we claim that the proposed scheme can prevent various security attacks using informal analysis.

7.1. BAN Logic

BAN logic is a well-known formal proof to verify the mutual authentication of a protocol. Therefore, many researchers have used BAN logic to prove the mutual authentication of their schemes [30,31,32,33]. In this section, we prove the mutual authentication of the proposed scheme using BAN logic [9]. The basic notations and descriptions of BAN logic are shown in Table 2.

Table 2.

Notations of BAN logic.

Notation Description
P1,P2 Principals
M1,M2 Statements
SK Session key
P1|M1 P1 believes M1
P1|M1 P1 once said M1
P1M1 P1 controls M1
P1M1 P1 receives M1
#M1 M1 is fresh
{M1}K M1 is encrypted with K
P1KP2 P1 and P2 have shared key K

7.1.1. Rules

The logical rules of BAN logic are as follows.

  • 1. 
    Message meaning rule (MMR):
    P1|P1KP2,P1{M1}KP1|P2|M1
  • 2. 
    Nonce verification rule (NVR):
    P1|#(M1),P1|P2|M1P1|P2|M1
  • 3. 
    Jurisdiction rule (JR):
    P1|P2M1,P1|P2|M1P1|M1
  • 4. 
    Belief rule (BR):
    P1|(M1,M2)P1|M1
  • 5. 
    Freshness rule (FR):
    P1|#(M1)P1|#(M1,M2)

7.1.2. Goals

The BAN logic goals of the proposed scheme are as follows. We define the principals DO, GWN, and SN as the doctor, the gateway, and the sensor node, respectively.

  • Goal 1: 

    DO|DOSKGWN

  • Goal 2: 

    DO|GWN|DOSKGWN

  • Goal 3: 

    GWN|DOSKGWN

  • Goal 4: 

    GWN|DO|DOSKGWN

  • Goal 5: 

    SN|SNSKGWN

  • Goal 6: 

    SN|GWN|SNSKGWN

  • Goal 7: 

    GWN|SNSKGWN

  • Goal 8: 

    GWN|SN|SNSKGWN

7.1.3. Idealized Forms

In the proposed scheme, there are four messages exchanged through a public channel. We transform these messages into idealized forms. Our scheme’s idealized forms for the messages are as follows:

  • Message1

    : DOGWN:{ND1}α

  • Message2

    : GWNSN:{NG1,h(ND1||α)}δ

  • Message3

    : SNGWN:{NS1}δ

  • Message4

    : GWNDO:{NG1,NS1}α

7.1.4. Assumptions

The assumptions in the proposed scheme are shown below.

  • A1:

    GWN|#(ND1)

  • A2:

    GWN|#(NS1)

  • A3:

    SN|#(h(ND1||α))

  • A4:

    DO|#(NG1)

  • A5:

    DO|GWN(DOSKGWN)

  • A6:

    GWN|DO(DOSKGWN)

  • A7:

    SN|GWN(SNSKGWN)

  • A8:

    GWN|SN(SNSKGWN)

  • A9:

    DO|DOαGWN

  • A10:

    GWN|DOαGWN

  • A11:

    SN|SNδGWN

  • A12:

    GWN|SNδGWN

7.1.5. BAN Logic Proof

Step 1: We can obtain S1 from the message Message1.

S1: GWN{ND1}α

Step 2: We can obtain S2 from the message meaning rule using S1 and A10.

S2: GWN|DO|(ND1)

Step 3: We can obtain S3 from the freshness rule using S2 and A1.

S3: GWN|#(ND1)

Step 4: We can obtain S4 from the nonce verification rule using S2 and S3.

S4: GWN|DO|(ND1)

Step 5: We can obtain S5 from the message Message2.

S5: SN{NG1,h(ND1||α)}δ

Step 6: We can obtain S6 from the message meaning rule using S5 and A11.

S6: SN|GWN|(NG1,h(ND1||α))

Step 7: We can obtain S7 from the freshness rule using S6 and A3.

S7: SN|#(NG1,h(ND1||α))

Step 8: We can obtain S8 from the nonce verification rule using S6 and S7.

S8: SN|GWN|(NG1,h(ND1||α))

Step 9: We can obtain S9 from the message Message3.

S9: GWN{NS1}δ

Step 10: We can obtain S10 from the message meaning rule using S9 and A12.

S10: GWN|SN|(NS1)

Step 11: We can obtain S11 from the nonce verification rule using A2 and S10.

S11: GWN|SN|(NS1)

Step 12: We can obtain S12 and S13 from S8 and S11. SN and GWN can compute the session key SK=h(h(ND1||α)NG1NS1).

S12: GWN|SN|(SNSKGWN)   (Goal8)
S13: SN|GWN|(SNSKGWN)   (Goal6)

Step 13: We can obtain S14 and S15 from the jurisdiction rule using S12 and A8, and S13 and A7, respectively.

S14: GWN|(SNSKGWN)   (Goal7)
S15: SN|(SNSKGWN)   (Goal5)

Step 14: We can obtain S16 from the message Message4.

S16: DO{NG1,NS1}α

Step 15: We can obtain S17 from the message meaning rule using A9 and S16.

S17: DO|GWN|(NG1,NS1)

Step 16: We can obtain S18 from the freshness rule using S17 and A4.

S18: DO|#(NG1,NS1)

Step 17: We can obtain S19 from the nonce verification rule using S17 and S18.

S19: DO|GWN|(NG1,NS1)

Step 18: We can obtain S20 and S21 using S4 and S19. DO and GWN can compute the session key SK=h(h(ND1||α)NG1NS1).

S20: DO|GWN|(DOSKGWN)   (Goal2)
S21: GWN|DO|(DOSKGWN)   (Goal4)

Step 19: We can obtain S22 and S23 using the jurisdiction rule using S20 and A5, S21, and A6, respectively.

S22: DO|(DOSKGWN)   (Goal1)
S23: GWN|(DOSKGWN)   (Goal3)

7.2. RoR Model

In this section, we prove that the session key in the proposed scheme is secure, using the Real-or-Random (RoR) model [10]. To apply our scheme into the RoR model, we discuss the basic concepts of participants, adversaries, and queries. There are three participants in our scheme: PUsert1, PGatewayt2, and PSensort3, where tk is the participant instance of the user, the gateway, and the sensor node. We assume that an adversary A can control the whole network, which intercepts, deletes, inserts, and eavesdrops messages transmitted through a public channel. Moreover, A attempts to attack the network utilizing Execute, CorruptSD, Reveal, Send, and Test queries in the RoR model. Details of the queries are as follows.

  • Execute(PUsert1,PGatewayt2,PSensort3): The query Execute is a passive attack. This query explains that A can eavesdrop messages generated by PUsert1, PGatewayt2, and PSensort3.

  • CorruptSD(PUsert1): This query is an active attack. By this query, A can obtain sensitive information extracted from the smart device of PUsert1.

  • Reveal(Pt): A can reveal the current session key SK.

  • Send(Pt,M): Using the query Send, A can send a message M to PUsert1, PGatewayt2, and PSensort3. Moreover, A can receive the return message. Therefore, this query is an active attack.

  • Test(Pt): If A performs a Test query, an unbiased coin C is flipped prior to starting the game. When the session key SK is fresh, A obtains C=1. A also obtains C=0 when the session key is not fresh. Otherwise, A will receive a null value (⊥). If A cannot distinguish between the session key and the random number, we can ensure that the proposed scheme can provide the security of the session key.

Security Proof

Theorem 1.

In the RoR model, an adversary A tries to calculate the session key of the proposed scheme in polynomial time. Let AdvA(P) be the possibility that A breaks the security of the session key. We define Hash and PUF as the range space of hash function h(.) and PUF function PUF(.), respectively. In addition, we define qh, qp, and qs as the number of Hash, PUF, and Send queries, respectively. lD is the number of bits in biometric secret key BIOD of the doctor, C and s are the Zipf’s parameter [34].

AdvA(P)qh2|Hash|+qp2|PUF|+2max{Cqss,qs2lD}
Proof. 

We follow the security proof as performed in [35,36,37]. In our proof, there are five games Gamek where k=0,1,2,3,4. We denote SGamek as the winning probability of the adversary A and Pr[SGamek] as the advantage of the SGamek.

  • Game0: Game0 is the starting game, where the adversary A picks up the random bit c. Therefore, we obtain the following:
    AdvA(P)=|2Pr[SGame0]1| (1)
  • Game1: In this game, A performs an eavesdropping attack, which is the Execute query in the RoR model. When obtaining messages {DTID,STID,MD1,VD1}, {DTID,STID,MG1, MG2,VG1}, {MS1,VS1}, and {MG3,VG2}, A carries out Test and Reveal queries to distinguish between the session key SK and a random number. To obtain the session key SK=h(h(ND1||α)NG1NS1), A needs ND1, NG1, and NS1, which are random numbers generated by the user (doctor), the gateway, and the sensor node, respectively. α is the shared secret parameter between the gateway and the user. For these reasons, the adversary A cannot compute the session key SK. This means that A does not enhance the probability compared with the Game0.
    [Pr[SGame1]]=[Pr[SGame0]] (2)
  • Game2: In Game2, the adversary A performs Send and Hash queries. In the message {DTID,STID,MD1,VD1}, {DTID,STID,MG1,MG2,VG1}, {MS1,VS1}, and {MG3,VG2}, parameters DTID, STID, VD1, VG1, VS1, and VG2 are masked by the cryptographic one-way hash function, which provides resistance against hash collision. Moreover, random numbers ND1, NG1, NS1, and the hash functions are contained in MD1, MG1, MG2, MG3, and MS1. Therefore, there is no collision problem when A performs a Hash query. We apply the birthday paradox [38] and obtain the result as follows:
    |Pr[SGame2]Pr[SGame1]|qh2|Hash| (3)
  • Game3: Game3 is similar to Game2. A performs Send and PUF queries. As explained in Section 3.3, the physical function PUF(.) has a secure property. Therefore, we can obtain the following inequation:
    |Pr[SGame3]Pr[SGame2]|qp2|PUF| (4)
  • Game4: In the final game Game4, A performs a CorruptSD query and extracts sensitive data {β,θ,VerD,DTID,PD} from the smart device of the user. A attempts to calculate parameters α and RSG2 from β=αh(GPWD||RSG2) and θ=RSG2h(RD||GPWD), respectively. Since parameters RD and GPWD=h(PWD||RD) are composed of the password and biometrics, A must guess these parameters. Therefore, A cannot enhance the probability because guessing the password and biometrics is a computationally infeasible task. According to Zipf’s law [34], we can make the following inequation:
    |Pr[SGame4]Pr[SGame2]|max{Cqss,qs2lD} (5)
    When the games are completed, the adversary A obtains the guessed bit c. Therefore, it is clear that
    Pr[SGame4]=12 (6)
    By (2) and (3), we can obtain the following equation:
    12AdvA(P)=|Pr[SGame0]12|=|Pr[SGame1]12| (7)
    We can obtain the following equation using (6) and (7):
    12AdvA(P)=|Pr[SGame1]Pr[SGame4]| (8)
    Applying the triangular inequality, we obtain the following result:
    12AdvA(P)=|Pr[SGame1]Pr[SGame4]||Pr[SGame1]Pr[SGame3]|+|Pr[SGame3]Pr[SGame4]||Pr[SGame1]Pr[SGame2]|+|Pr[SGame2]Pr[SGame3]|+|Pr[SGame3]Pr[SGame4]|
    qh22|Hash|+qp22|PUF|+max{Cqss,qs2lD} (9)

    Finally, we obtain the required result multiplying (9) by 2:

    AdvA(P)qh2|Hash|+qp2|PUF|+2max{Cqss,qs2lD}

Thus, we have proven Theorem 1.

7.3. AVISPA Simulation

We simulate the proposed scheme using AVISPA [11,12] to analyze the security features of our scheme. AVISPA is a formal verification tool that can detect security vulnerabilities regarding replay and man-in-the-middle attacks. Therefore, various authentication schemes [39,40,41] have been simulated by using AVISPA.

To simulate our protocol, we need to create a code written in the High-Level Protocol Specification Language (HLPSL). The code written in HLPSL is converted to the Intermediate Format (IF) by the translator. Then, the translator inputs the IF into back-ends. AVISPA has four back-ends, named On-the-Fly Model Checker (OFMC), Constraint Logic-based Attack Searcher (CL-AtSe), SAT-based Model Checker (SATMC), and Three Automata based on Automatic Approximations for Analysis of Security Protocol (TA4SP). In this paper, the OFMC and CL-AtSe back-ends are used because these back-ends provide exclusive-OR operations. Lastly, we obtain the Output Format (OF), which is the security analysis result of the protocol. If we obtain a “SAFE” message in the summary of OF, we can consider that the protocol is secure against replay and man-in-the-middle attacks.

7.3.1. HLPSL Specification

In this section, we explain the HLPSL code of our scheme. There are three basic roles in HLPSL: the doctor DO, the gateway GW, and the sensor node SN. With these roles, we describe the session and the environment roles. The goals, the environment, and the session of our scheme written in HLPSL are shown in Figure 7.

Figure 7.

Figure 7

Role specification for the session, environment, and goals.

We show the role of the doctor in Figure 8. When state 1 starts, the doctor receives a start message and generates the registration request message Rreq. Then, the doctor computes GPWD with his password PWD, the biometrics BIOD, and sends {DID,GPWD,Rreq} to the gateway via a secure channel. After this, the doctor receives {β,DTID,RSG2} from the gateway and computes VerD and θ in state 2. The doctor stores {β,θ,VerD,DTID,PD} in the smart device. With these parameters, the doctor sends a login and authentication request message {DTID,STID,MD1,VD1} to the gateway via a public channel. witness(DOC,GW, doc_gw_n1d,ND1) indicates the freshness of ND1. When the doctor receives the message {MG3,VG2} in state 3, the doctor performs request(GW,DOC,doc_gw_n1s,NS1) and request(GW,DOC,doc_gw_n1g,NG1), which represent the freshness acceptance of the random nonces NG1 and NS1.

Figure 8.

Figure 8

Role specification for the doctor.

7.3.2. Simulation Result

We perform simulations using the OFMC and CL-AtSe back-ends and show the simulation result of the proposed scheme in Figure 9. If the summary message is “SAFE”, this indicates that the proposed scheme is secure against replay and man-in-the-middle attacks. As with the simulation result shown in Figure 9, both summaries simulated in the OFMC and CL-AtSe back-ends are “SAFE”. Thus, the proposed scheme can prevent replay and man-in-the-middle attacks.

Figure 9.

Figure 9

The AVISPA simulation result of the proposed scheme.

7.4. Informal Analysis

In this section, we show the security features of the proposed scheme, including those that protect against offline password guessing, impersonation, replay, man-in-the-middle, physical, cloning, privileged insider, session-specific random number leakage, and verification table leakage attacks. Moreover, the proposed scheme can ensure user anonymity, perfect forward secrecy, and mutual authentication.

7.4.1. User Anonymity

We assume that an adversary A obtains the stolen smart device of a doctor (user) and extracts {β,θ,VerD,DTID,PD}. However, A cannot compute the real identity of the doctor because the pseudo identity of the doctor DTID is masked by the hash function and updated in every session. Since the parameters β=αh(GPWD||RSG2) and θ=h(RD||GPWD)RSG2 stored in the smart device are masked in the biometric template of the doctor, the A has difficulty in guessing the real identity of the doctor. Hence, A cannot obtain the real identity of the doctor. Therefore, we demonstrate that the proposed scheme can ensure user anonymity.

7.4.2. Offline Password Guessing Attack

A obtains a doctor’s smart device and obtains {β,θ,VerD,DTID,PD} from the device using a power analysis attack. Then, A attempts to guess the password of the doctor using the extracted parameters. Unfortunately, A cannot guess the password of the doctor because we use the biometrics in the proposed scheme. Since GPWD=h(PWD||RD), A must guess not only the password PWD but also the biometrics BIOD of the doctor at the same time. Note that RD is the result of the fuzzy extractor, which is expressed as RD=Rep(BIOD,PD). However, this process is a computationally infeasible task. Thus, the proposed scheme can prevent offline password guessing attacks.

7.4.3. Impersonation Attack

Assume that an adversary A tries to impersonate a legitimate doctor using parameters {β,θ,VerD,DTID,PD}, which are stored in the doctor’s device. Then, A attempts to calculate the login request message {DTID,STID,MD1,VD1}. However, A cannot calculate MD1=ND1h(DTID||α) and VD1=h(ND1||DTID||α||STID) because A cannot calculate α=βh(GPWD||RSG2). Hence, the proposed scheme is secure against impersonation attacks.

7.4.4. Replay Attack

Assume that an adversary A intercepts authentication request messages {DTID,STID,MD1,VD1}, {DTID,STID,MG1,MG2,VG1}, and sends messages to authenticate the gateway and the sensor node at other sessions. However, each entity checks the freshness of ND1, NG1, and NS1, which are random nonces generated by the doctor, the gateway, and the sensor node, respectively. Therefore, the proposed scheme is secure against replay attacks.

7.4.5. Man-in-the-Middle Attack

We show that A cannot generate the login request message {DTID,STID,MD1,VD1}, according to Section 7.4.3. Moreover, A cannot compute {DTID,STID,MG1,MG2,VG1}, {MS1,VS1}, and {MG3,VG2} because each message is masked in the shared secret parameter α and δ. Thus, the proposed scheme can prevent man-in-the-middle attacks.

7.4.6. Physical and Cloning Attacks

We can assume that A physically captures a sensor node SN1 and tries to authenticate the gateway as SN1. To do this, A obtains the parameters of SN1{δ,PSN,STID} using a power analysis attack. Then, A attempts to authenticate as a legitimate sensor node SN1 using parameters {δ,PSN,STID} or by cloning the sensor node SN1. When A receives {DTID,STID,MG1,MG2,VG1} from the gateway, A computes CH1=MG3h(δ||DTID||STID). However, A cannot compute RE1 because the function PUF(.) is a physically unclonable circuit and cannot duplicate, according to Section 3.3. Therefore, A cannot compute RSN1=Rep(RE1,PSN) and ASID=h(RSN1||SID) to calculate MS1 and VS1. Thus, the proposed scheme is secure against physical and cloning attacks.

7.4.7. Privileged Insider Attack

Assume that a privileged insider A obtains the registration request message {DID,GPWD,Rreq} of a doctor and obtains parameters {β,θ,VerD,DTID,PD}, extracted from the stolen smart device of the doctor using a power analysis attack, and A attempts to impersonate as the doctor. To compute the login request message {DTID,STID,MD1,VD1}, A must calculate the shared secret parameter α. However, A cannot calculate α=h(GPWD||RSG2) because the parameter RD in GPWD=h(PWD||RD) is generated by the biometrics of the doctor. Moreover, A must guess the password PWD of the doctor to calculate GPWD=h(PWD||RD), and it is a computationally infeasible task to guess RD and PWD at the same time. Therefore, the proposed scheme can prevent privileged insider attacks.

7.4.8. Session-Specific Random Number Leakage Attack

Suppose that A obtains random nonces ND1, NG1, and NS1. Then, A tries to calculate the session key SK=h(h(ND1||α)NG1NS1). However, A cannot compute the session key SK without knowing the shared secret parameter α. Since α is masked by the hash functions, A cannot calculate α. Thus, the proposed scheme has resistance against session-specific random number leakage attacks.

7.4.9. Verification Table Leakage Attack

If A obtains the verification table {ω,RSG1,DTID}, {ASID,STID,CH1} of the gateway, A attempts to calculate the session key SK or impersonate a doctor. However, A cannot calculate the shared secret parameter α=ωh(RSG1||s) and δ=h(ASID||s) without the master key s of the gateway. Therefore, it is difficult for A to compute the session key SK=h(h(ND1||α)NG1NS1) or impersonate a doctor. Therefore, the proposed scheme can prevent verification table leakage attacks.

7.4.10. Perfect Forward Secrecy

If A obtains the master key s of the gateway, A attempts to compute the session key SK=h(h(ND1||α)NG1NS1). However, A cannot compute α=h(DID||s) without the real identity of the doctor, and all random nonces are masked by hash functions. Therefore, A cannot calculate SK. For this reason, the proposed scheme ensures perfect forward secrecy.

7.4.11. Mutual Authentication

To ensure mutual authentication, each entity checks the validity of VD1=?VD1, VG1=?VG1, VS1=?VS1, and VG2=?VG2. Furthermore, all participants check the freshness of random nonces ND1, NG1, and NS1. When the verification processes are successful, we can demonstrate that the participants of the proposed scheme authenticate each other. Therefore, the proposed scheme ensures mutual authentication.

8. Performance

In this section, we compare the security features of the proposed scheme with other related schemes [7,18,19,20,25]. Moreover, we show the communication costs, computation costs, and energy consumption of the proposed scheme.

8.1. Security Features Comparison

We present the security features of the proposed scheme compared with related schemes [7,18,19,20,25]. In Table 3, we consider various security attacks and functionalities. The security features and the functionalities are as follows: SP1: resistance against smart device theft attack, SP2: resistance against offline password guessing attack, SP3: resistance against impersonation attack, SP4: resistance against replay attack, SP5: resistance against privileged insider attack, SP6: resistance against physical and cloning attacks, SP7: resistance against session-specific random number leakage attack, SP8: resistance against verification table leakage attack, SP9: ensuring user anonymity, SP10: ensuring perfect forward secrecy, SP11: ensuring mutual authentication, SP12: performing RoR model, SP13: performing AVISPA simulation, SP14: performing BAN logic proof. Therefore, our scheme can provide a secure authentication process compared with [7,18,19,20].

Table 3.

Security and functionality features comparison.

Security Properties [18] [19] [20] [25] [7] Proposed
SP1 × 🗸 🗸 🗸 × 🗸
SP2 🗸 🗸 🗸 🗸 × 🗸
SP3 🗸 🗸 🗸 🗸 × 🗸
SP4 🗸 🗸 🗸 🗸 🗸 🗸
SP5 × 🗸 🗸 🗸 × 🗸
SP6 × × × 🗸 × 🗸
SP7 × × 🗸 🗸 🗸 🗸
SP8 🗸
SP9 × 🗸 🗸 🗸 × 🗸
SP10 🗸 🗸 🗸 🗸 🗸 🗸
SP11 🗸 🗸 🗸 🗸 🗸 🗸
SP12 🗸 🗸 🗸
SP13 🗸 🗸 🗸 🗸 🗸
SP14 🗸 🗸 🗸

🗸: Provides the security/functionality feature. ×: Does not provide the security/functionality feature. −: Does not consider the security/functionality feature.

8.2. Communication Costs Comparison

In this section, we compare the communication costs of the proposed scheme with existing schemes [7,18,19,20,25]. According to [35], we suppose that the SHA-1 hash digest, identity, random number, PUF challenge–response pair, timestamp, and ECC point are 160, 160, 128, 128, 32, and 320 bits, respectively. Therefore, the communication costs of the proposed scheme can be described as follows.

  • Message 1: The message {DTID,STID,MD1,VD1} requires (160+160+160+160)=640 bits.

  • Message 2: The message {DTID,STID,MG1,MG2,VG1} needs (160+160+160+160+160)=800 bits.

  • Message 3: The message {MS1,VS1} needs (160+160)=320 bits.

  • Message 4: The message {MG3,VG2} requires (160+160)=320 bits.

Therefore, the total communication costs of our scheme are 640+800+320+320=2080 bits. In Table 4, we show the total communication costs of our scheme and other related schemes. Consequently, we demonstrate that our scheme has more efficient communication costs than other related schemes [7,18,19,20,25].

Table 4.

Comparison of communication costs.

Schemes Total Communication Costs Messages
Li et al. [18] 2880 bits 4 messages
Shin et al. [19] 3328 bits 4 messages
Ali et al. [20] 2240 bits 4 messages
Chen et al. [25] 2880 bits 5 messages
Masud et al. [7] 2176 bits 4 messages
Proposed 2080 bits 4 messages

8.3. Computation Costs Comparison

We compare the computation costs of the proposed scheme with [7,18,19,20,25]. According to [42,43], we define TRNG, TH, TEM, TEA, TF, and TPUF as the random number generation (≈0.0539 s), hash function (≈0.00023 s), ECC multiplication (≈0.2226 s), ECC addition (≈0.00288 s), fuzzy extractor (≈0.268 s), and PUF operation time (≈0.012 s), respectively. Furthermore, we ignore the execution time of exclusive-OR (⊕) operations because it is computationally negligible.

The total computation costs of our scheme are slightly higher than those of Masud et al.’s scheme [7] as shown in Table 5. However, our scheme has a much higher security level than [7] using the fuzzy extractor and PUF. Moreover, our scheme is more efficient and lightweight than previous schemes [18,19,20,25] that utilize ECC, the fuzzy extractor, and PUF.

Table 5.

Comparison of computational costs.

Schemes User Gateway Sensor Node Total Total Cost (s)
Li et al. [18] 1TRNG+8TH+3TEM 1TRNG+8TH+TEM 1TRNG+4TH+2TEM 3TRNG+20TH+6TEM 1.502
Shin et al. [19] 1TRNG+1TF+14TH+2TEM 12TH+1TEM 1TRNG+5TH+1TEM 2TRNG+1TF+31TH+4TEM 1.232
Ali et al. [20] 1TRNG+1TF+3TH+2TEM 1TRNG+4TH+2TEM 1TH 2TRNG+1TF+8TH+4TEM 1.268
Chen et al. [25] 1TRNG+2TF+14TH+1TPUF 8TH 1TRNG+1TF+8TH 2TRNG+3TF+30TH+1TPUF 0.919
Masud et al. [7] 1TRNG+3TH 4TRNG+3TH 2TRNG+2TH 7TRNG+8TH 0.379
Proposed 1TRNG+1TF+11TH 1TRNG+15TH 1TRNG+1TF+8TH+1TPUF 3TRNG+2TF+34TH+1TPUF 0.717

8.4. Energy Consumption Comparison

In this section, we compare the energy consumption of our scheme with [7,18,19,20,25]. We follow the battery consumption model used in [44], where the energy consumption for sending and receiving a bit are taken as 4.602 mJ and 2.34 mJ, respectively [45]. Therefore, the total energy consumption of our scheme is 4867 mJ. Table 6 shows the total energy consumption of the proposed scheme and [7,18,19,20,25]. The result indicates that our scheme is more efficient in terms of energy consumption than other related schemes.

Table 6.

Comparison of energy consumption.

Schemes Total Energy Consumption
Li et al. [18] 6739 mJ
Shin et al. [19] 7788 mJ
Ali et al. [20] 5242 mJ
Chen et al. [25] 6739 mJ
Masud et al. [7] 5092 mJ
Proposed 4867 mJ

9. Conclusions

In this paper, we review Masud et al.’s scheme and prove that their scheme is vulnerable to offline password guessing, impersonation, and privileged insider attacks. We also discover that Masud et al.’s scheme cannot ensure user anonymity and has a device update problem. To improve the security level and overcome the security weaknesses of Masud et al.’s scheme, we propose a provably secure three-factor-based mutual authentication and key agreement scheme for WMSNs. Our scheme has light weight, using only hash functions and exclusive-OR operators; it provides a secure login process to the doctor using the fuzzy extractor, and it provides resistance against cloning and physical attacks using PUF. We ensure the mutual authentication utilizing BAN logic and prove the session key security of our scheme using the RoR model. We also show that our scheme offers resistance against replay and man-in-the-middle attacks by utilizing the AVISPA simulation tool. We prove that our scheme is secure against various attacks, including offline password, impersonation, sensor node capture, and verification table leakage attacks, through informal analysis. Furthermore, we demonstrate that our scheme can provide user anonymity, perfect forward secrecy, and mutual authentication. Finally, we estimate the computation costs, communication costs, and energy consumption of our scheme and compare it with other related schemes. Our result shows that the proposed scheme can provide doctors and patients with more secure services for WMSNs. In the future, we will develop and implement our scheme, considering performance evaluation and result analysis, confirming its suitability for practical WMSN environments.

Author Contributions

Conceptualization, D.K.; Formal analysis, D.K. and Y.P (Yohan Park); Methodology, D.K. and Y.P. (Yohan Park); Software, D.K.; Validation, Y.P. (Yohan Park) and Y.P. (Youngho Park); Formal Proof, Y.P. (Youngho Park); Writing—original draft, D.K.; Writing—review and editing, Y.P. (Yohan Park), and Y.P. (Youngho Park); Supervision, Y.P.(Youngho Park). All authors have read and agreed to the published version of the manuscript.

Funding

This research was supported in part by the Basic Science Research Program through the National Research Foundation of Korea (NRF), funded by the Ministry of Education under grant 2020R1I1A3058605, and in part by the BK21 FOUR project, funded by the Ministry of Education, Korea under grant 4199990113966.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

Footnotes

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

References

  • 1.Lara E., Aguilar L., Sanchez M.A., García J.A. Lightweight authentication protocol for M2M communications of resource-constrained devices in industrial Internet of Things. Sensors. 2020;20:501. doi: 10.3390/s20020501. [DOI] [PMC free article] [PubMed] [Google Scholar]
  • 2.Park K., Noh S., Lee H., Das A.K., Kim M., Park Y., Wazid M. LAKS-NVT: Provably secure and lightweight authentication and key agreement scheme without verification table in medical internet of things. IEEE Access. 2020;20:119387–119404. doi: 10.1109/ACCESS.2020.3005592. [DOI] [Google Scholar]
  • 3.Oh J., Yu S., Lee J., Son S., Kim M., Park Y. A secure and lightweight authentication protocol for IoT-based smart homes. Sensors. 2021;21:1488. doi: 10.3390/s21041488. [DOI] [PMC free article] [PubMed] [Google Scholar]
  • 4.Abdulsalam Y., Hossain M.S. COVID-19 networking demand: An auction-based mechanism for automated selection of edge computing services. IEEE Trans. Netw. Sci. Eng. 2020:1–11. doi: 10.1109/TNSE.2020.3026637. [DOI] [PMC free article] [PubMed] [Google Scholar]
  • 5.Aileni R.M., Suciu G. Decentralised Internet of Things. Springer; Berlin/Heidelberg, Germany: 2020. IoMT: A blockchain perspective; pp. 199–215. [Google Scholar]
  • 6.Rahman M., Jahankhani H. Information Security Technologies for Controlling Pandemics. Springer; Berlin/Heidelberg, Germany: 2021. Security vulnerabilities in existing security mechanisms for IoMT and potential solutions for mitigating cyber-attacks; pp. 307–334. [Google Scholar]
  • 7.Masud M., Gaba G.S., Choudhary K., Hossain M.S., Alhamid M.F., Muhammad G. Lightweight and anonymity-preserving user authentication scheme for IoT-based healthcare. IEEE Internet Things J. 2021 doi: 10.1109/JIOT.2021.3080461. [DOI] [Google Scholar]
  • 8.Dodis Y., Reyzin L., Smith A. Lecture Notes in Computer Science, Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, 2–6 May 2004. Springer; Berlin/Heidelberg, Germany: 2004. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data; pp. 523–540. [Google Scholar]
  • 9.Burrows M., Abadi M., Needham R.M. A logic of authentication. ACM Trans. Comput. Syst. 1990;8:18–36. doi: 10.1145/77648.77649. [DOI] [Google Scholar]
  • 10.Abdalla M., Fouque P., Pointcheval D. Lecture Notes in Computer Science, Proceedings of the 8th International Workshop on Theory and Practice in Public Key Cryptography (PKC’05), Les Diablerets, Switzerland, 23–26 January 2005. Springer; Berlin/Heidelberg, Germany: 2005. Password-based authenticated key exchange in the three-party setting; pp. 65–84. [Google Scholar]
  • 11.AVISPA Automated Validation of Internet Security Protocols and Applications. [(accessed on 20 July 2021)]. Available online: http://www.avispa-project.org/
  • 12.SPAN: A Security Protocol Animator for AVISPA. [(accessed on 20 July 2021)]. Available online: http://www.avispa-project.org/
  • 13.Kumar P., Lee S.G., Lee H.J. E-SAP: Efficient-strong authentication protocol for healthcare applications using wireless medical sensor networks. Sensors. 2012;12:1625–1647. doi: 10.3390/s120201625. [DOI] [PMC free article] [PubMed] [Google Scholar]
  • 14.He D., Kumar N., Chen J., Lee C.C., Chilamkurti N., Yeo S.S. Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks. Multimed. Syst. 2015;21:49–60. doi: 10.1007/s00530-013-0346-9. [DOI] [Google Scholar]
  • 15.Mir O., Munilla J., Kumari S. Efficient anonymous authentication with key agreement protocol for wireless medical sensor networks. Peer-to-Peer Netw. Appl. 2017;10:79–91. doi: 10.1007/s12083-015-0408-1. [DOI] [Google Scholar]
  • 16.Wu F., Li X., Sangaiah A.K., Xu L., Kumari S., Wu L., Shen J. A lightweight and robust two-factor authentication scheme for personalized healthcare systems using wireless medical sensor networks. Future Gener. Comput. Syst. 2018;82:727–737. doi: 10.1016/j.future.2017.08.042. [DOI] [Google Scholar]
  • 17.Challa S., Das A.K., Odelu V., Kumar N., Kumari S., Khan M.K., Vasilakos A.V. An efficient ECC-based provably secure three-factor user authentication and key agreement protocol for wireless healthcare sensor networks. Comput. Electr. Eng. 2018;69:534–554. doi: 10.1016/j.compeleceng.2017.08.003. [DOI] [Google Scholar]
  • 18.Li X., Peng J., Obaidat M.S., Wu F., Khan M.K., Chen C. A secure three-factor user authentication protocol with forward secrecy for wireless medical sensor network systems. IEEE Syst. J. 2019;14:39–50. doi: 10.1109/JSYST.2019.2899580. [DOI] [Google Scholar]
  • 19.Shin S., Kwon T. A privacy-preserving authentication, authorization, and key agreement scheme for wireless sensor networks in 5G-integrated Internet of Things. IEEE Access. 2020;8:67555–67571. doi: 10.1109/ACCESS.2020.2985719. [DOI] [Google Scholar]
  • 20.Ali Z., Ghani A., Khan I., Chaudhry S.A., Islam S.H., Giri D. A robust authentication and access control protocol for securing wireless healthcare sensor networks. J. Inf. Secur. Appl. 2020;52:102502. doi: 10.1016/j.jisa.2020.102502. [DOI] [Google Scholar]
  • 21.Hsu C.L., Le T.V., Hsieh M.C., Tsai K.Y., Lu C.F., Lin T.W. Three-factor UCSSO scheme with fast authentication and privacy protection for telecare medicine information systems. IEEE Access. 2020;8:196553–196566. doi: 10.1109/ACCESS.2020.3035076. [DOI] [Google Scholar]
  • 22.Aman M.N., Chua K.C., Sikdar B. Mutual authentication in IoT systems using physical unclonable functions. IEEE Internet Things J. 2017;4:1327–1340. doi: 10.1109/JIOT.2017.2703088. [DOI] [Google Scholar]
  • 23.Byun J.W. End-to-end authenticated key exchange based on different physical unclonable functions. IEEE Access. 2019;7:102951–102965. doi: 10.1109/ACCESS.2019.2931472. [DOI] [Google Scholar]
  • 24.Fang D., Qian Y., Hu R.Q. A flexible and efficient authentication and secure data transmission scheme for IoT applications. IEEE Internet Things J. 2020;7:3474–3484. doi: 10.1109/JIOT.2020.2970974. [DOI] [Google Scholar]
  • 25.Chen Y., Chen J. An efficient mutual authentication and key agreement scheme without password for wireless sensor networks. J. Supercomput. 2021:1–23. doi: 10.1007/s11227-021-03820-6. [DOI] [Google Scholar]
  • 26.Dolev D., Yao A. On the security of public key protocols. IEEE Trans. Inf. Theory. 1983;29:198–208. doi: 10.1109/TIT.1983.1056650. [DOI] [Google Scholar]
  • 27.Canetti R., Krawczyk H. Lecture Notes in Computer Science, Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques—Advances in Cryptology (EUROCRYPT’02), Amsterdam, The Netherlands, 28 April–2 May 2002. Springer; Berlin/Heidelberg, Germany: 2002. Universally composable notions of key exchange and secure channels; pp. 337–351. [Google Scholar]
  • 28.Kocher P., Jaffe J., Jun B. Differential power analysis; Proceedings of the Annual International Cryptology Conference; Santa Barbara, CA, USA. 15–19 August 1999; pp. 388–397. [Google Scholar]
  • 29.Park K., Park Y., Park Y., Das A.K. 2PAKEP: Provably secure and efficient two-party authenticated key exchange protocol for mobile environment. IEEE Access. 2018;6:30225–30241. doi: 10.1109/ACCESS.2018.2844190. [DOI] [Google Scholar]
  • 30.Park Y., Park K., Park Y. Secure user authentication scheme with novel server mutual verification for multiserver environments. Int. J. Commun. Syst. 2019;32:e3929. doi: 10.1002/dac.3929. [DOI] [Google Scholar]
  • 31.Lee J., Yu S., Kim M., Park Y., Lee S., Chung B. Secure key agreement and authentication protocol for message confirmation in vehicular cloud computing. Appl. Sci. 2020;10:6268. doi: 10.3390/app10186268. [DOI] [Google Scholar]
  • 32.Shashidhara R., Nayak S.K., Das A.K., Park Y. On the design of lightweight and secure mutual authentication system for global roaming in resource-limited mobility networks. IEEE Access. 2021;9:12879–12895. doi: 10.1109/ACCESS.2021.3050402. [DOI] [Google Scholar]
  • 33.Jan S.U., Ali S., Abbasi I.A., Mosleh M.A., Alsanad A., Khattak H. Secure patient authentication framework in the healthcare system using wireless medical sensor networks. J. Healthc. Eng. 2021;2021:9954089. doi: 10.1155/2021/9954089. [DOI] [PMC free article] [PubMed] [Google Scholar]
  • 34.Wang D., Cheng H., Wang P., Huang X., Jian G. Zipf’s law in passwords. IEEE Trans. Inf. Forensics Secur. 2017;12:2776–2791. doi: 10.1109/TIFS.2017.2721359. [DOI] [Google Scholar]
  • 35.Banerjee S., Odelu V., Das A.K., Chattopadhyay S., Rodrigues J.J., Park Y. Physically secure lightweight anonymous user authentication protocol for internet of things using physically unclonable functions. IEEE Access. 2019;7:85627–85644. doi: 10.1109/ACCESS.2019.2926578. [DOI] [Google Scholar]
  • 36.Wazid M., Bagga P., Das A.K., Shetty S., Rodrigues J.J., Park Y. AKM-IoV: Authenticated key management protocol in fog computing-based Internet of vehicles deployment. IEEE Internet Things J. 2019;6:8804–8817. doi: 10.1109/JIOT.2019.2923611. [DOI] [Google Scholar]
  • 37.Lee J., Kim G., Das A.K., Park Y. Secure and efficient honey list-based authentication protocol for vehicular ad hoc networks. IEEE Trans. Netw. Sci. Eng. 2021 doi: 10.1109/TNSE.2021.3093435. [DOI] [Google Scholar]
  • 38.Boyko V., MacKenzie P., Patel S. Lecture Notes in Computer Science, Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Bruges, Belgium, 14–18 May 2000. Springer; Berlin/Heidelberg, Germany: 2000. Provably secure password-authenticated key exchange using Diffie-Hellman; pp. 156–171. [Google Scholar]
  • 39.Son S., Lee J., Kim M., Yu S., Das A.K., Park Y. Design of secure authentication protocol for cloud-assisted telecare medical information system using blockchain. IEEE Access. 2020;8:192177–192191. doi: 10.1109/ACCESS.2020.3032680. [DOI] [Google Scholar]
  • 40.Lee J., Yu S., Kim M., Park Y., Das A.K. On the design of secure and efficient three-factor authentication protocol using honey list for wireless sensor networks. IEEE Access. 2020;8:107046–107062. doi: 10.1109/ACCESS.2020.3000790. [DOI] [Google Scholar]
  • 41.Kim M., Lee J., Park K., Park Y., Park K.H., Park Y. Design of secure decentralized car-sharing system using blockchain. IEEE Access. 2021;9:54796–54810. doi: 10.1109/ACCESS.2021.3071499. [DOI] [Google Scholar]
  • 42.Kilinc H.H., Yanik T. A survey of SIP authentication and key agreement schemes. IEEE Commun. Surv. Tutor. 2013;16:1005–1023. doi: 10.1109/SURV.2013.091513.00050. [DOI] [Google Scholar]
  • 43.Gope P., Sikdar B. Lightweight and privacy-preserving two-factor authentication scheme for IoT devices. IEEE Internet Things J. 2019;6:580–589. doi: 10.1109/JIOT.2018.2846299. [DOI] [Google Scholar]
  • 44.Das A.K., Sutrala A.K., Kumari S., Odelu V., Wazid M., Li X. An efficient multi-gateway-based three-factor user authentication and key agreement scheme in hierarchical wireless sensor networks. Secur. Commun. Netw. 2016;9:2070–2092. doi: 10.1002/sec.1464. [DOI] [Google Scholar]
  • 45.Shnayder V., Hempstead M., Chen B.R., Allen G.W., Welsh M. Simulating the power consumption of large-scale sensor network applications; Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems; Baltimore, MD, USA. 3–5 November 2004; pp. 188–200. [Google Scholar]

Articles from Sensors (Basel, Switzerland) are provided here courtesy of Multidisciplinary Digital Publishing Institute (MDPI)

RESOURCES