1.1. Background
Due to the rapid development of network hardware technology, a variety of services and applications that make use of wireless connections such as the LTE, 3G, Wi-Fi, Bluetooth and ZigBee communication technologies have become popular in daily life. One such service is remote medical monitoring and care [
1,
2]. At the same time, governments have formulated new policies in order to respond to the healthcare requirements of aging populations. Their aim is to build a comprehensive medical network using new wireless technologies such as sensor networks and cloud computation [
3]. Their goal is to drive the medical industry, combined with the Internet of Things (IoT), to the next phase of application [
4].
In current medical fields, information technology is already used for the secure management of drugs via radio-frequency identification (RFID), patient information and blood information, as well as remote medical monitoring of newborns, and many other applications [
5,
6,
7,
8]. However, as populations continue to age, the need for expanded medical care-related applications for elderly people has also grown. Examples of technologies in this field include smart wheelchairs, rural medical care, GPS location, and mobile healthcare, signifying very important development needs. On the other hand, the rapid development of a variety of physiological sensing devices has reduced these in size and improved their energy efficiency, making them suitable for long-term wear by the elderly. These body sensors combined with personal wireless devices form a body area network (BAN) [
9,
10,
11,
12]. The personal wireless device collects and integrates personal physiological data, and then transmits the data to the backend of the network for related diagnostics and applications.
This means that when people go to a hospital, the medical staff can obtain relevant medical data from their body sensors using a medical reader. The body sensors will transmit the related sensing data to the personal wireless device, which will transmit the data to the medical reader [
13,
14,
15,
16]. The medical staff can then provide these data to a doctor for future reference or immediate medical diagnosis. These data can also be sent to the national medical server to be stored for related statistical big data analysis through cloud technology.
Fortino et al. [
17] proposed BodyCloud architecture for body sensor networks (BSN). Their scheme defined a network communication protocol for the communication between the body sensors and the cloud server. Subsequently, Fortino et al. [
18] proposed another C-SPINE architecture for body-sensor networks. Their scheme defined a network communication protocol for the communication between different body sensors. They also made the hardware implementation for C-SPINE architecture. Gravina et al. [
19] proposed a survey for existing BSN environments, including BodyCloud and C-SPINE architecture.
However, many people still seek to violate the privacy of others, or even harm them. For example, a malicious attacker could send incorrect sensing data to a medical reader, causing an incorrect diagnosis. This could delay treatment, or even result in the death of the patient. In addition, attackers may seek to obtain the sensing data of public figures for blackmail or extortion. Therefore, there must be a complete set of encryption and authentication mechanisms that make it impossible for attackers to obtain and modify such sensitive information in order to protect people’s safety and privacy [
20,
21,
22,
23].
Previously, while researchers proposed schemes based on the IoT environment, these schemes were either not for healthcare environments [
2,
4] or lacked the comprehensive security required for healthcare environments [
1,
3]. Jr. et al. [
2] proposed a session-key establishment scheme between an initiator and a responder for the IoT environment, but they did not mention how the initiator and responder would authenticate each other’s legality. Ray et al. [
4] proposed an RFID ownership transfer protocol based on the IoT environment with a comprehensive protocol related to the ownership transfer between two RFID tags; while their protocol achieved mutual authentication between RFID tag and RFID reader, the framework differs from our healthcare environment. The title of Moosavi et al.’s study [
1] stated that they were proposing a secure scheme for mobility healthcare based on the IoT environment, but actually they only proposed a challenge-response concept for mobile sensor, smart gateway, and end-user; there is no detailed cryptography description in their article. Yang et al. [
3] also proposed a framework for healthcare based on the IoT environment, but their protocol only focuses on the server and the user; they did not make a comprehensive protocol for a body sensor, personal reader, medical reader, and medical server.
He et al. [
24] proposed a security mechanism to protect sensitive personal information based on a medical care system such as that alluded to above; their scheme provided a generalized architecture. However, this study found that their proposed scheme still had some vulnerability. First, their proposed security mechanism is not complete; it only considers the protocol between body sensors and personal wireless devices, ignoring the protocol between a personal wireless hub and medical readers. Furthermore, in their proposed scheme, only personal wireless devices authenticate body sensors; since body sensors do not authenticate personal wireless devices, mutual authentication is not achieved.
Based on He et al.’s scheme [
24], this study addresses the above vulnerabilities, and adds to this by proposing novel extension architecture, namely an IoT-based design of a secure and lightweight BAN health-care system. The proposed authentication mechanism achieves security, privacy and efficiency.