A Secure and Lightweight Three-Factor-Based Authentication Scheme for Smart Healthcare Systems †

Internet of Things (IoT) technology has recently been integrated with various healthcare devices to monitor patients’ health status and share it with their healthcare practitioners. Since healthcare data often contain personal and sensitive information, healthcare systems must provide a secure user authentication scheme. Recently, Adavoudi-Jolfaei et al. and Sharma and Kalra proposed a lightweight protocol using hash function encryption only for user authentication on wireless sensor systems. In this paper, we found some weaknesses in target schemes. We propose a novel three-factor lightweight user authentication scheme that addresses these weaknesses and verifies the security of the proposed scheme using a formal verification tool called ProVerif. In addition, our proposed scheme outperforms other proposed symmetric encryption-based schemes or elliptic curve-based schemes.


Introduction
Digital healthcare services have recently received a considerable amount of attention as various Internet-enabled wearable devices have been deployed. Digital services can also be used to continuously monitor patients and share information with their healthcare practitioners. According to a Spyglass Consulting Group's report [1], with 100 interviewees working in medical informatics and healthcare IT technology areas, about 88% of hospitals and healthcare systems have considered adopting remote patient monitoring (RPM) as their primary business model in the future.
RPM technology is increasingly used by hospitals and medical systems [1]. We believe that continuous monitoring and fast response times are necessary for high-risk patients with chronic diseases. For example, practitioners can use a monitoring device to collect ECG signals from patients with heart-related conditions and quickly identify any suspicious changes [2][3][4][5]. Because such data (e.g., raw ECG signals) are often highly personal and sensitive, any data that have been collected in healthcare systems should be securely protected and accessible only to authorized users such as primary care physicians. Furthermore, the scheme to monitor and analyze processes should not only be safe, but also be completed in real-time because patients might otherwise be at risk.
If there is a problem with the certification of these RPM technologies, the following damage can occur. First, if hospitals do not provide fast enough authentication using a heavy enough operation, quick feedback is impossible when monitoring the patient's condition. In such cases, in a situation where urgent patients with fatal internal injuries require immediate treatment due to rapid changes, the treatment may be delayed due to the late certification speed. In the worst-case scenario, the treatment of patients can be difficult. Second, if there is a security flaw in the certification, privacy infringement of patients and medical personnel may occur. For example, if a session key is released, all medical information of the patient can be disclosed to the hacker. Therefore, in order to avoid such damage, a certification protocol is shown in Figure 1 that satisfies both high speed (i.e., lightweight computation) and safety should be used.

Sensor Node
Patient's Body Many security protocols (e.g., [6][7][8][9]) have been developed to satisfy these security and performance requirements. Among those protocols, Sharma and Kalra's scheme [6] is specifically designed to improve the protocol's efficiency. Unlike existing protocols that require expensive cryptographic operations or three authentication factors [7,9,10], Sharma and Kalra's scheme [6] uses hash functions with only two authentication factors. Similarly, Adavoudi-Jolfaei et al. [11] also proposed a protocol using hash functions only. Sharma and Kala's scheme [6] and Adavoudi-Jolfei et al.'s scheme [11] are the most recently written lightweight authentication protocols that can keep high speed and safety, the conditions required by the healthcare system.
In this paper, we confirmed that Adavoudi-Jolfaei et al.'s scheme [11] has a severe vulnerability. We also demonstrate that Sharma and Kalra's scheme [6] has a serious design error. Therefore, we propose a new scheme to fix the weaknesses of these target schemes. We formally verify the security of the new protocol using ProVerif, an automatic cryptographic protocol verifier. In summary, this paper presents the following contribution: • We demonstrate that Sharma and Kalra's scheme [6] has a serious design error: mutual authentication between a practitioner and a sensor cannot be ensured in their original protocol. • We confirm that Adavoudi-Jolfaei et al.'s scheme [11] and Sharma and Kalra's scheme have a severe vulnerability. We find that Adavoudi-Jolfaei et al.'s scheme [11] is vulnerable to user impersonation attack and session key attack. We also find that Sharma and Kalra's scheme [6] is vulnerable to password guessing attack, stealing the session key and sensor impersonation attack.
• We propose a scheme for smart healthcare systems. Our new scheme resists privileged insider attack, outsider attack, offline ID guessing attack, online id guessing attack, session key disclosure attack, practitioner impersonation attack, and sensor impersonation attack. We provide security proofs. • We formally verify the security of the new protocol using ProVerif, an automatic cryptographic protocol verifier. • We show the performance analysis of the proposed scheme. We compared the proposed scheme with that of Chen et al. [12], Renuka et al. [13], and Li et al. [14] to show how efficient our proposed scheme is.
The remainder of this paper is arranged as follows: Section 2 describes related work. Section 3 introduces the preliminary knowledge necessary to understand the scheme by Sharma and Kalra and Adavoudi-Jolfaei et al. The target schemes are briefly described in Section 4. Section 5 discusses several weaknesses of the target schemes. We propose our improved scheme in Section 6 and show the security analysis of the proposed scheme in Section 7. In Section 8, we show the performance analysis of the proposed scheme. Finally, Section 9 concludes the paper.

Related Work
Various user authentication schemes have been proposed for smart healthcare applications. Hu et al. [15] proposed a real-time hardware and software-based healthcare monitoring system for cardiac patients in 2007. The proposed scheme focuses on efficiency improvements but lacks adequate security protection. Malasri et al. [16] proposed an authentication scheme for wireless mote-based medical sensor networks using an ECC (elliptic curve cryptography) system in 2009. However, the scheme cannot withstand denial-of-service and relay nodes attacks. Furthermore, ECC may be too expensive for embedded devices in the medical domain.
In 2012, Kumar et al. [17] proposed a two-factor user authentication scheme for wireless medical sensors to monitor patients' health status. However, Khan and Kumari [18] found that Kumar et al.'s scheme is vulnerable to security attacks. The scheme included the use of a smart card to enhance the security of the protocol, but the user information stored on the smart card can end up leaked if the smart card is stolen. Khan and Kumari proposed an improved scheme to fix the security flaws of the previous scheme in 2014. Li et al. [19] and Wu et al. [20] each analyzed the scheme presented by Khan and Kumari [18]. They discovered that Khan and Kumari's scheme is not secure against offline password guessing attacks, as it does not identify invalid input and user impersonation attacks. Li et al. [19] and Wu et al. [20] proposed their respective improved schemes, which employ a smart card to overcome the security flaws of Khan and Kumari [18]. Hossain et al. [21] proposed an IoT-based ECG health monitoring service framework in the cloud. They presented a framework for secure transmission of patients data from different sensors to the cloud in a wireless environment.
Recently, Sharma and Kalra [6] proposed an authentication scheme for cloud-IoT-based remote patient healthcare monitoring services. It is efficient because only the hash function is used for system encryption. Several papers briefly addressed security flaws of Sharma and Karla's scheme [22,23]. However, they only mentioned briefly that privileged insider attacks are possible. However, we have pinpointed the structural problems of Sharma and Kalra's scheme, and showed that password guessing attack, stealing the session key attack, and sensor impersonation attack are possible in the case of privileged insider attack.
In 2016, Gope et al. [24] proposed a novel two-factor lightweight anonymous authentication protocol in WSNs (wireless sensor networks) that uses a database to overcome prior vulnerabilities. However, Adavoudi-Jolfaei et al. [11] argue that protocol is vulnerable to side-channel attacks because of the use of 2-factors, and that the session keys are also vulnerable. To overcome these drawbacks, in 2019, Adavoudi-Jolfaei et al. [11]. proposed a new 3-factor authentication protocol in WSN. Unfortunately, Shin and Kwon found user collusion attacks, desynchronization attack and no sensor node anonymity. In addition, through our prior research, we found more weaknesses that user impersonation attack and session key attack are able to take advantage of.

Preliminaries
This section introduces the hash function, fuzzy extractor and threat model used in this paper.

Hash Function
Data convert an arbitrary value to a fixed-length value through a hash function. This is useful for fast and safe search functions. The hash function has the following properties [25]. • Preimage-resistance It is computationally impossible to use the output of any hash value to find the input that results in this value, i.e., to find any preimage a such that h(a ) = b when given any b for which a corresponding input is not known. • 2nd-preimage-resistance For any input, when there is an output for the hash function, it is computationally impossible to find another input value with this output, i.e., to find a 2nd-preimage a = a such that h(a) = h(a ).

•
Collision resistance It is computationally infeasible to find two different inputs with the same hashing result, i.e., any two distinct inputs a, a , which hash to the same output, such that h(a) = h(a ).

Fuzzy Extractor
Biometric information should be treated as sensitive. Since biometric information is unique to the user, it is convenient to use, but difficult to handle. In general, biometrics cannot be recognized equally each time. Therefore, a fuzzy extractor is used to recognize varied biometric information within a certain tolerance range. The fuzzy extractor can obtain a unique string using error tolerance. The fuzzy extractor operates through two procedures (Gen, Rep), as follows [26,27]: Gen and Rep are a probabilistic generation function and a deterministic reproduction function, respectively. Gen returns a factored out string α ∈ {0, 1} k for the input biometrics B and a co-adjutant string β ∈ {0, 1} * . Rep is a function that restores β to α, and any vector B * close to B.

Threat Model
Based on the work of Dolev and Yao [28] and other previous research [10,29], we employ a threat model with the following assumptions.

•
An attacker can steal a smart device with the user's identity. • An attacker can eavesdrop on a public channel. An attacker can steal the message between the user and the gateway node or between the gateway node and the sensor node. • An attacker can extract the information stored in the smart device as a side-channel attack.

Review of Target Protocols
This section describes the target protocols.

Review of Adavoudi-Jolfaei et al.'s Protocol
This section describes the protocol developed by Adavoudi-Jolfaei et al. [11]. The scheme consists of four phases: registration, login, authentication, and password change. The notation for the target paper [11] is shown in Table 1. In the registration phase, U and GW N in the private channel exchange secret information about SC. When the user authenticates, this allows confidential information to be stored in the database used by SC and GW N.

1.
User U chooses his/her identity U id and sends the registration request U id and personal credential to the gateway node GW N in the secure channel.

2.
The gateway node GW N generates a random number n g , a unique random number used to identify a particular access group G j , a random number user access privilege mask APM j and random sequence number Ts ug . Then, the created variables are grouped as G = {G 1 , G 2 , ...}, APM = {APM 1 , APM 2 , ...}. After obtaining the registration request from user U, GW N calculates as follows: After user U takes SC from the GW N, chooses his/her U id , password U psw , imprints the biometric U b and then computes as follows:

Login Phase
In the login phase, the user enters his/her confidential information into the smart card and requests login.

1.
U inserts the smart card and enters U id , U psw and U b . The smart card computes If it holds, the smart card ensures that the user successfully passes the verification process. Otherwise, this phase terminates immediately.

2.
After successful verification, user U generates random number N u and the system computes as follows: If there is a loss of synchronization, user U selects one of the unused pair of (sid * j , KEM * ug j ) from (SU * id , KEM * ug ) and surrenders his/her U id , U psw , RS U and computes

3.
U sends the login request messages

Authentication Phase
In the authentication phase, GW N verifies U with the login message received from U, and sends a new message containing secret information to SN. SN and U share their keys and exchange the secret information.

1.
After receiving the login request messages M A 1 from user U, GW N first checks the validity of the transaction sequence number Ts ug . GW N computes as follows: Then, GW N calculates AU id = h (U id Sk ug N U Ts ug ), V 1 = h (AU id G j Sk ug N x SN id ) and checks if AU id and V 1 are valid. If the verification of AU id is successful, then calculation continues. Otherwise, GW N terminates the session. GW N generates a session key SK and time stamp T and calculates as follows: Upon receiving the message M A 2 , SN assess the validity of T. If it is not valid, SN disconnects the session. If it is valid, SN also verifies V 2 ?
=h (AU id APM j SK T Sk gs ). If this condition is not satisfied, SN disconnects the session. If it is satisfied, SN computes as follows:

3.
The gateway node GW N checks that the time stamp T and V 3 ? =h (SK Sk gs SN id T ). If not, it terminates the connection. GW N generates a random number Ts ug new and calculates as follows: GW N updates Sk ug = K ug new and Sk gs = K gs new . If GW N cannot find Ts ug in M A 1 , GW N generates a random number K ug new and calculates x = h (U id KEM ug j ) ⊕ K ug new . Then, GW N updates Sk ug = K ug new and then sends the messages M A 4 = {SK " , Ts, V 4 , x} to the user U.

4.
When user U obtains the message V 4 = h (SK " N U Ts Sk ug ), the protocol checks its validity. If there is no abnormality, the system proceeds to the next step or ends the session. Furthermore, U computes SK = h Sk ug U id N U ) ⊕ SK " , Ts ug new = h (Sk ug U id N U ) ⊕ Ts, K ug new = h (Sk ug U id Ts ug new and then updates Sk ug = K ug new and Ts ug = Ts ug new .

5.
U and SN have successfully shared SK. SN responds to user U's query according to APM j stored for user U using session key SK. Finally, at the end of this phase, SN removes APM j from storage for security reasons.

Password and Biometrics Change Phase
The protocol uses the following steps to change the user's password: 1.
U puts his/her smart card into the terminal and inserts U id , previous password U psw and previous biometric U b . U then inputs the new password U * psw and new biometric U * b .

2.
The smart card computes RS U = Rep (U b , P U ) and retrieves Sk ug , KEM ug , SU id , G and f U . The smart card continues to compute as follows: The smart card computes Gen (U * b ), Sk * * ug , SU * * id , KEM * * ug , G * * and f * * U , as shown below.
Finally, the smart card replaces

Review of Sharma and Kalra's Scheme
This section briefly describes Sharma and Kalra's scheme. The notation of the scheme is summarized in Table 1. Sharma and Kalra's scheme consists of five different phases:

1.
Setup Phase: The registration center sets up the parameters.

2.
Registration Phase: The practitioner registers with his/her identity and password.

3.
Login Phase: The practitioner logs in with his/her identity, password and smart device.

4.
Authentication Phase: The practitioner and sensor node mutually authenticate.

5.
Password Change Phase: The practitioner inputs identity, password and smart device, and changes his/her old password to the new password.

Setup Phase
The gateway node GW N obtains its secret key K from the registration center. The center also computes and gives Sk gs = h(SN id K) to the sensor node SN. Sk gs and K are stored in GW N and SN.

Registration Phase
The practitioner creates his/her identity and password. He/she registers through the gateway node to receive a smart device. The detailed process is as follows: 1.
Practitioner P chooses his/her ID p and PW p and generates random number R, computes the masked password Mask(PW p ) = h(PW p R). Finally, he/she sends the registration message {Mask(PW p ), ID p } to the gateway node GW N.

2.
After the gateway node GW N receives the message from the practitioner, it computes variables

Login Phase
When the practitioner enters his/her identity and password, the smart device checks that the practitioner is an authorized party. The procedure for doing so is as follows:

1.
P inputs his/her identity ID p and password PW p in his/her smart device.

2.
SC computes Mask(PW p ) = h(PW p R), a = h(Mask(PW p ) ID p ) and compares a to a . If the two are not the same, P fails to login.

Authentication Phase
We describe the mutual authentication of the practitioner's login information and the sensor node. The procedure is as follows: 1.
If P successfully logs in, GW N checks that the timestamp |T 1 − T c | < ∆T. ∆T means maximum transmission delay. If it is in range, GW N chooses a random nonce M and computes: SN checks the validity of |T 2 − T c | < ∆T. If it is valid, SN continues as follows: Finally, SN posts the message M 3 = {V 6 , V 7 , V 8 , V 9 , T 3 } to GW N.

4.
GW N checks the timestamp |T 3 − T c | < ∆T, and if it is valid, computes as follows: At the end of the computation, GW N sends the message M 4 = {V 6 , V 8 , V 10 , T 3 , T 4 } to P.

5.
P checks the timestamp |T 4 − T c | < ∆T. If it is in range, P computes

Password Change Phase
The practitioner should be able to change his/her password if he/she wants to do so (e.g., for security reasons or because of a lost password). The procedure is as follows:

1.
P inputs his/her ID p and PW p to SC.

Analysis of Adavoudi-Jolfaei et al.'s Scheme
In this section, we prove that the scheme put forth by Adavoudi-Jolfaei et al. [11] has some security vulnerabilities. The details are as follow.

Loss of Smart Card Information
Attacker A can easily decrypt the information on the SC in the following two cases. The first case is an insider attack in the registration phase, while the second case is loss of synchronization in the login phase. Insider attack is the stronger of the two: it should be considered when there is no apparent loss of synchronization.

Insider Attack
In the registration phase, Attacker A extracts the smart card SC when GW N sends information to U. He/she can then read the information stored on the SC {Sk ug , SU id , KEM ug , Ts ug , G, h (·)} that is not encrypted.

Loss of Synchronization
1.
An attacker A steals U's smart card SC, which contains sensitive information In the loss of synchronization case, A can thus see the user's login message

User Impersonation Attack
Attacker A can carry out a user impersonation attack (the victim is assumed to be U). The details are as follows.

1.
A generates random numbers N A and computes: N xA , G jA , AID A and V 1A from Sk ug and G j obtained from the stolen smart card attack.

2.
A transmits the login request M A1 = {AID A , G jA , N xA , Ts ug , SN id , V 1A } to the gateway node GW N.

3.
After GW N obtains the login request from A, first, it verifies Ts ug and calculates: GW N checks if AID A and V 1 is valid. GW N does not detect the presence of the attacker. Unfortunately, GW N still believes it is in communication with U.
As a result, attacker A will be verified as GW N by user U. Therefore, the user impersonation attack is successful.

Session Key Attack
Assume that Attacker A has access to the DB. At this time, Attacker A can extract the session key SK of user U and sensor node SN as follows.

2.
Attacker A extracts the message M A 2 = {AU id , APM j , SK , T, V 2 } and calculates: Thus, attacker A has successfully seized the session key SK.
This result shows that Adavoudi-Jolfaei et al.'s scheme does not satisfy the requirement of key security.

Design Error in Sharma and Kalra's Scheme
There is a fatal error in Sharma and Kalra's paper. The design of their scheme is wrong. During the authentication phase of their scheme, the session keys computed by SC and GW N are not identical. If the session key is not the same, when authentication is finished and the message is transmitted, there is a problem, because encryption is not properly performed. That is, mutual authentication would be processed incorrectly. We describe this problem in detail.
SK p is the session key that the practitioner generates. SK GW N is the session key that GW N calculates. When sending and receiving messages later, this session key is encrypted.
In this phase, Sk gs = h(SN id K), but Sk gs = h(SN id ). Therefore, the session keys computed by SC and GW N are not the same. Therefore, the authentication phase should be changed as follows.

1.
If P logs in successfully, GW N checks the timestamp |T 1 − T c | < ∆T. If it is in range, GW N computes MSN id = SN id ⊕ h(h(K) T 2 ) and chooses a random nonce M. GW N continues to calculate V 4 = h(Sk gs T 1 SN checks the validity of |T 2 − T c | < ∆T. If it is valid, SN continues the operation SN id = MSN id ⊕ h(h(K) T 2 ) and checks that SN id ? = SN id . SN keep calculating as follows: GW N checks the timestamp |T 3 − T c | < ∆T and if it is valid, computes as follows: At the end of the computation, GW N sends the message M 4 = {V 6 , V 8 , V 10 , T 3 , T 4 } to P.

5.
P checks the timestamp |T 4 − T c | < ∆T. If it is in range, it computes In addition to pointing out the correctness problem in Sharma and Kalra's scheme, as discussed in Section 5.2.1, we demonstrate several attack methods that are fatal to the scheme. We describe the methods in detail as follows:

Password Guessing Attack
In the registration phase, if Attacker A masquerades as GW N, then he/she can easily obtain P's PW p . PW p is hashed only once in Mask(PW p ) with R. We assume that R can be extracted from the smart device, and the attacker knows the target user's identity. Moreover, then, Attacker A knows the practitioner P's ID p , and he/she can extract the information in SC using reverse engineering or a side-channel attack.

1.
Attacker A extracts a and R from P's smart device SC.

2.
A compares a and h(h(PW p R) ID p ), so that he/she can guess the password in a brute force attack.
Easily guessing a password implies knowing the practitioner's identity and likely, passwords, and having access to his/her smart device, so it is virtually the same as a practitioner. This process can also be used to pretend to be a medical professional and directly engage with the patient's healthcare-related information.
In order to make passwords difficult to guess, the authentication process should involve more robust data encryption.

Stealing the Session Key
We found that the session key SK GW N can be extracted if attacker A used attacks Section 5.2.2. The details are as follows.

2.
A steals the message M 1 and extracts V 2 , T 1 . Then, he/she calculates N = V 2 ⊕ h(b T 1 ).

3.
A also steals V 6 and T 3 in M 3 and computes Finally, he/she finds the session key SK GW N = h(N ⊕ M).
A now has the session key to use in future messages. This session key allows attackers to check the messages. This process is a serious breach of confidentiality.

Sensor Impersonation Attack
A sensor impersonation attack is also possible. Since GW N only assesses the validity of the timestamp to check the sensor separately, the attacker can impersonate the sensor by sending just the timestamp. This attack generates meaningless data and wastes time.

Proposed Scheme
To address the problems of Sharma and Kalra's scheme and Adavoudi-Jolfaei et al.'s scheme, we propose a three-factor-based authentication scheme. We specifically introduce a new factor that is based on the practitioner's biometrics data. In addition, our scheme contains a procedure to validate both GW N and the sensor. The flow of the entire scheme is shown in the Algorithm 1.
Result ← AuthenticationP2(V 6 , V 8 , V 11 , T 3 , T 4 ) 10: if Result then 11: return Authentication successes. In the setup phase, the gateway node GW N gets its secret key K from the registration center. The center also computes Sk gs = h(SN id K) and gives it to the sensor node SN. Sk gs and K are stored in GW N and SN.

Registration Phase
The practitioner creates his/her identity and password, and then registers them via the gateway node to receive a smart device. This is summarized in the Algorithm 2. The detailed procedure is as follows:

1.
Practitioner P chooses his/her identity ID p , password PW p and imprints B p over a device for biometrics collection, and calculates a biometric information of the practitioner P like Gen (B p ) = (R p , P bp ). He/she generates random number R and computes the masked password Mask(PW p ) = h(h(PW p R) R p ). Finally, he/she sends the registration message {Mask(PW p ), ID p } to the gateway node GW N.

2.
After the gateway node GW N obtains the message from the practitioner, it computes as follows: After calculation, GW N sends the smart device SC = {a, c, d} to the practitioner P.

3.
P stores {a, c, d, R, P bp , Gen, Rep, h} in the smart device SC.
return Mask(PW p ), ID p message to GWN 5: end procedure 6: procedure REGISTRATIONP2(a, c, d) P's registration phase 2 7: return a, c, d, R, P bp , Gen, Rep, h stores in SC 8: end procedure 9: procedure REGISTRATIONGWN(Mask(PW p ), ID p ) GWN's registration phase 10: return a, c, d message to P 15: end procedure

Login Phase
When the practitioner enters his/her identity and password, the smart device checks whether the practitioner is an authorized party. This phase is summarized in the Algorithm 3. The detailed procedure is as follows:

1.
P inputs his/her identity ID p , password PW p and biometric information B p in his/her smart device.

2.
The smart device SC executes the biometric information R p = Rep (B p , P bp ). SC computes masked password and the value a as follows: If a and a are not the same, P fails to login.

Algorithm 3 Proposed Scheme (Login Phase)
1: procedure LOGINP(ID p , PW p , B p ) P's login phase 2: if a = a then 6: return True login successes 7: else 8: return False login fails 9: end if 10: end procedure

Authentication Phase
The practitioner's login information and the sensor node execute a mutual authentication process. This phase is summarized in Algorithms 4-6. The procedure is as follows: 1.
If P logs in successfully, SC selects a random nonce N and computes as follows: GW N checks the timestamp |T 1 − T c | < ∆T. If it is in range, GW N computes as follows: If it is valid, GW N chooses a random nonce M and computes as follows: Finally, GW N sends the message M 2 = {V 1 , V 2 , V 3 , V 4 , V 5 , T 1 , T 2 , MSN id } to the sensor node SN.

3.
SN checks the validity of |T 2 − T c | < ∆T. If it is valid, SN continues the operation SN id = MSN id ⊕ h(h(K) T 2 ) and checks SN id ? = SN id . SN computes as follows: It also checks the validity of V 5 ? = V 5 . If it is valid, SN computes: Finally, SN sends the message M 3 = {V 6 , V 7 , V 10 , T 3 } to GW N.

4.
GW N checks the timestamp |T 3 − T c | < ∆T and if it is valid, GW N computes: and checks V 10 ? = V 10 . If it is also valid, GW N computes: At the end of the computation, GW N sends the message M 4 = {V 6 , V 8 , V 11 , T 3 , T 4 } to P.

5.
P checks the timestamp and checks V 8

Password Change Phase
The practitioner can change his/her password. The procedure is as follows:

1.
P inputs his/her identity ID p , password PW p and biometric information B p in his/her smart device.

2.
The smart device SC executes Rep (B p , P bp ) = R p . SC computes Mask(PW p ) = h(h(PW p R)

Security Analysis
In this section, we analyze the security of the proposed scheme in two ways: formal security analysis and informal security analysis. We use a formal protocol verification tool called ProVerif in Section 7.1, to demonstrate the security of our scheme. We also provide a theoretical security analysis of the protocol in Section 7.2. Through this verification, we have demonstrated how safe our scheme can be in reality.

Formal Security Analysis
We use ProVerif to analyze the security and correctness of our scheme; ProVerif is widely used to verify security protocols [7,30,31]. ProVerif is a software tool that formally verifies the security of cryptographic protocols. We define basic cryptographic primitives such as hash function, encryption, digital signature and bit-commitment.
We used three channels: a registration channel (cha), a practitioner-gateway node channel (chb) and a gateway node-sensor node channel (chc). The variables, constants, secret key, functions and events are defined in Table A1.
The "Registration" and "Login and Authentication" phases for practitioners are shown in Table A2. The "Registration" and "Authentication" phases for gateway nodes are shown in Table A3. The "Authentication" phase for sensor nodes is shown in Table A4. Tables 2 and 3 show a query and the corresponding query results.
When we run the query in Table 2, we obtain the following result: Table 2. Query.
RESULT not attacker(IDp[]) is true.

Informal Security Analysis
We present a theoretical analysis of our scheme. We then briefly explain the results of the analysis.

Privileged Insider Attack
In the registration step, the practitioner sends his/her plaintext ID and Mask(PW p ) = h(h(PW p R) R p ) to the gateway node. Since the ID is used in conjunction with secret information K without being exposed to the outside, there is no way for an insider to know the practitioner's personal information. Therefore, it is secure against a privileged insider attack.

Outsider Attack
The SC only contains the information {a, c, d, R, P bp , Gen, Rep, h}. We cannot infer practitioner P in this case.

Offline ID Guessing Attack
The practitioner's identity is not moved directly in the login and authentication phase after registration. When the sensor checks the practitioner's ID, the information V 1 , K, and T 1 is required, all of which cannot be obtained through SC.

Online ID Guessing Attack
The practitioner's identity can only be exposed as V 1 , K, and T 1 , as mentioned in the offline ID guessing attack. At this time, V 1 and T 1 can be seized through a message sent to the GW N by the practitioner in the authentication phase, but the secret GW N key K cannot be found.

Session Key Disclosure Attack
As shown in Section 5.2.1, the session key consists of h(N ⊕ M). N is a value generated by SC and N = V 2 ⊕ h(b T 1 ), and M is a value generated by GW N and expressed as M = V 4 ⊕ h(X GW N T 1 T 2 ). Because the attacker is not the practitioner or GW N, he/she cannot know the session key because X GW N including b and Mask(PW) including K cannot be known.

Practitioner Impersonation Attack
GW N verifies the practitioner in equation . If an attacker pretends to be an authorized practitioner, then he/she needs to know b = d ⊕ h(Mask(PW) a), h(K) = c ⊕ h(Mask(PW) b).
However, the attacker cannot obtain Mask(PW). Therefore, the attacker cannot impersonate the practitioner P.

Sensor Impersonation Attack
GW N verifies a sensor with the Equation V 10 = h(V 8 V 9 T 3 ) and checks V 10 . This means that a sensor can only prove that it is a sensor if it knows Sk gs and b.

Performance Analysis of the Proposed Scheme
The four symbols necessary for comparison are as follows. T Rep is the time to check for a match when recognizing the user's (or practitioner's) biometric B p . T h is the time it takes to hash. T m is the time of the multiplicative operation used in ECC. The time taken for symmetric encryption or decryption is denoted by T s .These are listed in Table 4. We compared our scheme with the following three schemes of Chen et al. [12], Renuka et al. [13] and Li et al. [14]. The four symbols necessary for comparison are as follows, and depicted as a graph in Figure 2.  Table 5 summarizes the total time cost for each scheme ( [12][13][14]). The Y-axis shown in Figure 2 is the total time cost in microseconds (ms). This is calculated based on the times shown in Table 4. Table 6 shows the computer hardware and software used to calculate the algorithm's runtime. Li et al.'s scheme [14] uses elliptic curve cryptography, however it has large time costs because of its slow encryption and decryption. Chen et al. [12] Renuka et al. [13] Li et al. [14] Ours  [14]. They used symmetric encryption and decryption, but had a significant difference in cost compared to ours. Chen et al. [12] Renuka et al. [13] Li et al. [14] Ours 0

Conclusions
Recently, several lightweight two-factor-based authentication protocols, such as Sharma and Kalra's protocol [6] and Adavoudi-Jolfaei et al.'s protocol [11], were proposed for IoT applications. Those protocols have some benefits in efficiency because they are designed with light and straightforward operations, such as hash function and XOR without complicated cryptographic operations. However, we found that those protocols have several security weaknesses.
To address these problems, we use three factors: the practitioner's identity, a password, and biometric information. We propose a lightweight three-factor user authentication scheme to fix several issues in Sharma and Kalra's protocol [6] and Adavoudi-Jolfaei et al.'s protocol [11]. We provide the security verification of the proposed scheme using ProVerif. Furthermore, we show that our proposed method outperforms other proposed symmetric-based or elliptic curve-based methods.
We are motivated to fix the problems of existing protocols and proposed a more efficient and secure authentication scheme. Our scheme is designed only with the hash function and XOR, providing fast and secure authentication. The proposed protocol can be used for various IoT applications such as medical devices.