Three-Factor Fast Authentication Scheme with Time Bound and User Anonymity for Multi-Server E-Health Systems in 5G-Based Wireless Sensor Networks

The fifth generation (5G) mobile network delivers high peak data rates with ultra-low latency and massive network capacity. Wireless sensor network (WSN) in Internet of Thing (IoT) architecture is of prominent use in 5G-enabled applications. The electronic healthcare (e-health) system has gained a lot of research attention since it allows e-health users to store and share data in a convenient way. By the support of 5G technology, healthcare data produced by sensor nodes are transited in the e-health system with high efficiency and reliability. It helps in reducing the treatment cost, providing efficient services, better analysis reports, and faster access to treatment. However, security and privacy issues become big concerns when the number of sensors and mobile devices is increasing. Moreover, existing single-server architecture requires to store a massive number of identities and passwords, which causes a significant database cost. In this paper, we propose a three-factor fast authentication scheme with time bound and user anonymity for multi-server e-health systems in 5G-based wireless sensor networks. In our work, the three-factor authentication scheme integrating biometrics, password, and smart card ensures a high-security sensor-enabled environment for communicating parties. User anonymity is preserved during communication process. Besides, time bound authentication can be applied to various healthcare scenarios to enhance security. The proposed protocol includes fast authentication, which can provide a fast communication for participating parties. Our protocol is also designed with multi-server architecture to simplify network load and significantly save database cost. Furthermore, security proof and performance analysis results show that our proposed protocol can resist various attacks and bear a rational communication cost.


Introduction
The fifth generation (5G) mobile network is wireless communication technology supporting two-tier heterogeneous cellular networks (HetNets) with integrated access and backhaul (IAB).

Introduction
The fifth generation (5G) mobile network is wireless communication technology supporting two-tier heterogeneous cellular networks (HetNets) with integrated access and backhaul (IAB). As shown in Figure 1, the macro base stations (MBSs) in 5G architecture provide mm-wave backhaul to the small cell base stations (SBSs). Besides, the devices can access both MBSs and SBSs through direction communications [1][2][3]. 5G-enabled devices can also directly communicate with each other. Thus, 5G technology delivers high peak data rates with ultra-low latency and massive network capacity. The Narrow-Band Internet of Things (NB-IoT) system provides low power consumption, wide coverage, low cost, and large capacity, which are essential properties for 5G network [4]. Wireless sensor networks (WSNs) are a key technological building block of IoT, where each object (virtual or physical) can be sensed, identified, accessed, and interconnected via the Internet within a dynamic ubiquitous network [5,6]. WSN applications in distributed IoT architecture can be seen in various domains, such as healthcare [7][8][9], energy [10,11], industrial data acquisition and transmission system [12], mushroom humidity monitoring system [13], intelligent manhole cover monitoring system [14], intelligent station area recognition technology [15], smart car parking system [16], and so on. The use of IoT in electronic healthcare (e-health) management systems has attracted more and more attention because of its convenience, in which healthcare data are flexibly stored and shared among participating parties. Such a system is called IoMT (Internet of Medical Things) [17][18][19]. IoMT consists of various entities including healthcare centers, emergency centers, medical devices, and ehealth users (including patients, physicians, pharmacists, medical researchers, etc.). A Wireless Body Area Network (WBAN) is composed by sensor/actuators nodes and hubs that operates in, on, or around a body (but not limited to human bodies) and supports a variety of medical and non-medical The use of IoT in electronic healthcare (e-health) management systems has attracted more and more attention because of its convenience, in which healthcare data are flexibly stored and shared among participating parties. Such a system is called IoMT (Internet of Medical Things) [17][18][19]. IoMT consists of various entities including healthcare centers, emergency centers, medical devices, and e-health users (including patients, physicians, pharmacists, medical researchers, etc.). A Wireless Body Area Network (WBAN) is composed by sensor/actuators nodes and hubs that operates in, on, or around a body (but not limited to human bodies) and supports a variety of medical and non-medical applications [20]. The 5G wireless system aims to support WBAN by increasing the interconnectivity of electronic devices [21].

Main Contributions
To prevent an adversary from carrying out potential attacks, it is essential to design a robust authentication mechanism. In this paper, we propose a three-factor fast authentication scheme with time bound and user anonymity for multi-server e-health systems in 5G-based wireless sensor networks. Our scheme introduces three-factor authentication to address security issues of traditional authentications in e-health system. By means of the authentication protocol, the users must register with healthcare providers via a secure channel. After that, the users and the servers mutually authenticate and compute shared session keys via a public channel. Finally, the users can use these shared keys to get access to specific healthcare services. The contributions of our work can be summarized as follows. • Three-factor authentication in the proposed protocol combines biometrics, password, and smart card for providing a high-security and privacy-preserving communication environment. • Time-bound authentication helps in controlling user access, protecting sensitive information, and can be applied to many scenarios in healthcare such as access control to the users in WBANs, medical channel subscription, medical examination appointment, etc.

•
Our work designs fast authentication to speed up the communication process.

•
Our scheme is designed with multi-server architecture, which allows users to use a single password to obtain services from multiple servers. This advantage can simplify network workload and save a significant database cost.

Structure of the Paper
The rest of the paper is organized as follows. We present the literature review in Section 2. We briefly review Zhang et al.'s scheme [26] in Section 3. We describe system and security model in Section 4. We propose a three-factor authentication protocol with time bound and user anonymity for e-health systems in wireless body sensor networks in Section 5. Section 6 presents logical analysis of the proposed scheme using GNY logic. Section 7 presents verification proof of the proposed scheme using AVISPA tool. Section 8 presents semantic security analysis of our work. We present performance analysis of the proposed scheme in comparison with related works in Section 9. Section 10 presents implementation of the proposed scheme. Finally, some conclusions are given in Section 11.

Related Works
Today, the number of medical devices is increasing, making security problem in e-health cloud-based system more prominent. The associated security and privacy problems of the IoMT were presented in [27,28]. Besides, security and privacy issues in WSN for health and the environment have been addressed in serval reviews [29][30][31] and surveys [32][33][34]. Among the recently proposed 1.
The user U i first enters his/her identity ID i , password PW i , and biometric template B i , and then generates a random number string r. Next, the user U i computes C 1 = h(ID i ||PW i ||h Bio (B i )) and C 2 = B i ⊕ r. The user U i then transmits (C 1 , C 2 ) as a registration request to the server via a secure channel.

2.
After receiving (C 1 , C 2 ), the server S uses private key k and C 2 to compute M = h(h Bio (C 2 )||k). Then, the server S generates a random number string v, chooses W 0 = NULL, and calculates The server S then stores {C 2 , W 0 , W} in database, and writes (ID SC , h(.), h Bio (.), X, Y) into smart card. After that, the server S sends the smart card to the user U i via a secure channel.

3.
After receiving smart card from the server, the user U i computes Z = r ⊕ h Bio (B i ). Finally, the user U i stores Z in the smart card.

1.
The user U i uses ID i , PW i , B i , and smart card to login to the server S, and then generates a random number string u. After that, the user . Then, the user U i transmits (C 3 , C 4 , C 5 ) to the server S.

2.
The server S computes W * = h(C3). After that, the server S searches W * in the dynamic verification table and obtains C 2 . Otherwise, the medical server continues to search the column "dynamic string (W 0 )" to see if a value is equal to W * . If there is a match, the server S extracts the corresponding value C 2 and replaces W with the value of W 0 . Otherwise, the medical server S rejects the login request. Next, the server S generates random number string β and calculates M = h(h Bio (C 2 ||k)), u * = C 5 ⊕ h Bio (C 2 ), and B i ⊕ r * = C 4 ⊕ h(M ||u * ). Then, the server S checks if B i ⊕ r * and C 2 are within a bearable threshold [40], then computes C 6 = β ⊕ h(B i ⊕ r * ) and C 7 = h((B i ⊕ r * )||u * ||β). Next, the server S transmits (C 6 , C 7 ) to the user U i .

3.
After receiving (C 6 , C 7 ), the user U i computes β * = C 6 ⊕ h(B i ⊕ r * ). Next, the user U i checks if C 7 is equal to h((B i ⊕ r * )||u||β * ). If there is a match, the user U i compute and session key SK = h(M * ||u||β * ). Thereafter, the user U i transmits C 8 to server S.

4.
After receiving C 8 , the server S compares If there is a match, the server S accepts SK = h(M ||u * ||β) as the session key. Next, the server S computes W new = h(h Bio (C 2 ⊕ β)). Then, the server S replaces (W 0 , W) by (W, W new ) and calculates C 9 = h(SK||β). Then, the server S transmits C 9 to user U i .

5.
After receiving C 9 , the user U i compares C 9 with h(SK||β * ). If there is a match, the user U i accepts SK as the session key. Finally, the user U i replaces X by X new in the smart card for the next login.

The Weaknesses
• Suffers from denial of service (DoS) attack: DoS attack is carried out by flooding the targeted host or network with traffic until the target cannot respond or simply crashes, preventing access for legitimate users [41]. In this case, timestamp solution is employed to verify the validity of the message. Without the timestamp included in login request message (C 3 , C 4 , C 5 ), Zhang

System Model
As shown in Figure 2, we propose a system model in which 5G-based smart healthcare network consists of various domains: community care domain, home care domain, and personal care domain. Sensors included in personal care domain are body wearable sensors and biometric sensor-enabled mobile device. They can provide a continuous health monitoring of a person without any constraint on his/her normal daily life activities [42]. Besides, home care domain includes some other sensors such as camera sensor, light sensor, etc. Community care domain includes temperature measuring sensor, sporting equipment, and other IoMT-enabled equipment.
Furthermore, within personal care domains, Wireless Body Sensor Network (WBSN) is a special case of the WBAN where all nodes in the network are sensors [43], which help in remotely collecting patient's health record data (temperature, motion detection, sound, etc.) [31,[44][45][46][47]. Besides, this patient can use mobile device to collect sensing data produced by his/her body wearable sensors. This monitoring system provides an interesting and widely accepted technology, obtaining special attention because of its friendly services in the smart world. In home care domains, the user may also use this mobile device to access other sensor-enabled devices through SBS transmission, thereby having comprehensive control of their home based on the authority of the home care server. Additionally, in 5G networks, user devices and MBSs can conduct direct transmission for healthcare services as long as they have spectrum opportunities. Furthermore, in community care environments, sensors and Sensors 2020, 20, 2511 6 of 27 equipment are controlled by healthcare servers through SBSs. Thus, service providers can provide a continuity of care for the users.
In this system model, the user uses his/her mobile device and sensors to communicate with healthcare service provider and obtain specific services. Specifically, the user can login to home care server to query his/her own home care information. Besides, the user is able to upload his/her health data produced from wearable sensors to healthcare server. The user can also control light sensor, monitor sensor, and temperature measuring sensor from various healthcare domains. To accelerate the communication process, we design a fast authentication in the proposed scheme. The proposed scheme allows the communication between the user and the server to be carried out in a secure and privacy-preserved manner. Besides, Figure 2 also shows that our proposed multi-server environment allows the user to login to multiple healthcare service provider servers using a single password, thereby saving significant database cost and improving communication efficiency.
Sensors 2020, 20, x FOR PEER REVIEW 6 of 27 sensors and equipment are controlled by healthcare servers through SBSs. Thus, service providers can provide a continuity of care for the users. In this system model, the user uses his/her mobile device and sensors to communicate with healthcare service provider and obtain specific services. Specifically, the user can login to home care server to query his/her own home care information. Besides, the user is able to upload his/her health data produced from wearable sensors to healthcare server. The user can also control light sensor, monitor sensor, and temperature measuring sensor from various healthcare domains. To accelerate the communication process, we design a fast authentication in the proposed scheme. The proposed scheme allows the communication between the user and the server to be carried out in a secure and privacy-preserved manner. Besides, Figure 2 also shows that our proposed multi-server environment allows the user to login to multiple healthcare service provider servers using a single password, thereby saving significant database cost and improving communication efficiency.

Security Model
Security risks in a public communication channel are common challenge for most of the wireless techniques. Data from the sensors and device in home domain are sensitive information and very likely to be compromised without a robust authentication mechanism. Besides, in home environment, data produced from these sensors are also very important and sensitive. For example, an adversary can impersonate the user to obtain the access to camera sensor, which strongly violates privacy of the user. In addition, in community care domain, sensor-enabled IoMT devices, for instance temperature measuring sensor, are likely vulnerable to security risks. The adversary may provide tampered information to the server after compromising these sensors.
Specifically, various attacks threatening the network access legitimacy are described as follows. MITM attacks is when the attacker compromises the transmitted message while the sender and the receiver believe that they are directly communicating with each other. Impersonation attacks happen when the attacker has obtained the identity of a user, and then attempts to impersonate him/her. Replay attacks let a malicious attacker intercept messages from the last communication session to derive the session key. In addition, the importance of user privacy protection in online communication is prominent [48][49][50]. Solving the contradiction between user anonymity and authentication is still a big challenge in this research area.

Security Model
Security risks in a public communication channel are common challenge for most of the wireless techniques. Data from the sensors and device in home domain are sensitive information and very likely to be compromised without a robust authentication mechanism. Besides, in home environment, data produced from these sensors are also very important and sensitive. For example, an adversary can impersonate the user to obtain the access to camera sensor, which strongly violates privacy of the user. In addition, in community care domain, sensor-enabled IoMT devices, for instance temperature measuring sensor, are likely vulnerable to security risks. The adversary may provide tampered information to the server after compromising these sensors.
Specifically, various attacks threatening the network access legitimacy are described as follows. MITM attacks is when the attacker compromises the transmitted message while the sender and the receiver believe that they are directly communicating with each other. Impersonation attacks happen when the attacker has obtained the identity of a user, and then attempts to impersonate him/her. Replay attacks let a malicious attacker intercept messages from the last communication session to derive the session key. In addition, the importance of user privacy protection in online communication is prominent [48][49][50]. Solving the contradiction between user anonymity and authentication is still a big challenge in this research area.
For the security of the proposed scheme, the following essential requirements should be met to ensure a secure and privacy-preserved communication between the user and the server.

•
Mutual authentication: Only the user with valid registered information can be successfully authenticated and is able to compute an exact session key to obtain service provided by the server.
On the other hand, the server must be also authenticated as a legitimate party to provide true information for the user.

•
Session key establishment: The purpose of this work is to allow the user and the server to securely negotiate a session key for the communication between them. • User anonymity: We expect privacy of the user can be preserved during communication process. • Biometric template anonymity: Three-factor mechanism includes biometric template in registration and authentication process. Our purpose is to not allow user's biometric template to be revealed to the public.

•
Forward secrecy: Our work aims to prevent the attacker from using information from the past communication session to derive the key.

The Proposed Scheme
Our proposed scheme includes two roles: user U i and server S j . The purpose of the proposed protocol is to allow the user U i and the server S j to compute a shared session key in a secure and privacy-preserved manner. The user U i first must register with the server S j as a legitimate party. Next, the user U i and the user S j mutually authenticate based on their information, and then compute a session key via a public channel. The authentication process consists of four phases: initialization phase, registration phase, login and initial authentication phase, and fast authentication phase. Table 1 describes notations and cryptographic functions used in this paper. Randomly selected string, the symmetric encryption key of the server S j p j , q j Arbitrary big numbers, which are private keys of the server S j n j n j = p j · q j , the public key of the server S j σ, v Randomly generated strings b Randomly generated value Session key established by the user and the server h(.) One-way hash function Store information into USB

Initialization Phase
Our work employs Rabin cryptosystem [51], encryption process of which is extremely fast and easy (as long as encryption does not require computing a Jacobi symbol), while decryption of which (using 1. Server: The server S j chooses two arbitrary big numbers (p j , q j ), then compute n j = p j · q j , which satisfies p j ≡ q j ≡ 3 (mod 4), where p j and q j are private keys, and n j is public key of the server S j . The server S j then randomly selects a string x j as the symmetric encryption key of the server S j . The server S j then secretly stores (p j , q j , x j ).

2.
Smart card: The user has the smart card choose and store a random string σ.

Registration Phase
Before using the service, the user U i must register with the server S j via a secure channel. In this phase, the information of the user and the server are secretly stored. For that purpose, both sides perform the following steps to complete the registration phase. The procedure is shown in Figure 3.

1.
The user U i first enters identity ID i , password PW i and biometric template B i , then computes ). Next, the user U i transmits ID i , W and BB i to the sever S j .

2.
After receiving message (ID i , W, BB i ), the server S j uses symmetric encryption key x j to compute Thereafter, the server S j transmits (ID i , n j , y ij ) to the user U j .
After receiving the message, the user U i computes ε j = σ ⊕ y ij . The user U i then stores (σ, ID i , PW i , B i ) and (ε j , ID S j , n j ) into smart card and flash drive, respectively.

Initialization Phase
Our work employs Rabin cryptosystem [51], encryption process of which is extremely fast and easy (as long as encryption does not require computing a Jacobi symbol), while decryption of which (using the Chinese remainder theorem) is roughly of the same speed as RSA decryption. In this phase, based on Rabin cryptosystem, initial parameters are generated to carry out whole authentication process.
1. Server: The server chooses two arbitrary big numbers ( , ), then compute = . , which satisfies ≡ ≡ 3 ( 4), where and are private keys, and is public key of the server . The server then randomly selects a string as the symmetric encryption key of the server . The server then secretly stores ( , , ). 2. Smart card: The user has the smart card choose and store a random string .

Registration Phase
Before using the service, the user must register with the server via a secure channel. In this phase, the information of the user and the server are secretly stored. For that purpose, both sides perform the following steps to complete the registration phase. The procedure is shown in Figure 3.
After receiving the message, the user computes = ⊕ . The user then stores ( , , , ) and ( , , ) into smart card and flash drive, respectively.

Login and Initial Authentication Phase
If the user wants to use service from healthcare provider, he/she has to communicate with the sever to calculate a session key. Since this communication is carried out via a public channel, an authentication procedure is required to ensure they are legitimate parties. As shown in Figure 4, the user and the server perform the following steps to complete login and initial authentication phase.

The user
first inserts the smart card and enter * and * . Next, the user chooses a random string , determines the number of authentications , and computes = ℎ ( ) ( ), , and = ( || || || || || ) . Then, the user transmits to the server .

Login and Initial Authentication Phase
If the user U i wants to use service from healthcare provider, he/she has to communicate with the sever S j to calculate a session key. Since this communication is carried out via a public channel, an authentication procedure is required to ensure they are legitimate parties. As shown in Figure 4, the user U i and the server S j perform the following steps to complete login and initial authentication phase.

1.
The user U i first inserts the smart card and enter PW * i and B * i . Next, the user U i chooses a random string v, determines the number of authentications b, and computes , and k = (ID S j ||ID i ||y ij ||N||α||T 1 ) 2 mod n j . Then, the user U i transmits k to the server S j .

2.
After receiving k, the server S j uses private keys p j , q j to decrypt k then confirms the validity of the timestamp T 1 . Next, it uses symmetric key x j to decrypt y ij obtained from k. The server S j then verifies h(x j ), ID i and ID S j . Thereafter, the server S j computes α = (BB i ⊕ W ⊕ T 1 ). The server S j Sensors 2020, 20, 2511 9 of 27 then compares α with α . If there is a match, the server S j calculates β = h(N) ⊕ T 2 and new identity ). The server S j then determines the time bound (t 1 , t 2 ), and choose two random strings a s and b s . Next, the server S j computes AT a = h t 1 −1 (h(ID new i ||x j ||a s )), . Then, the server S j transmits (Q, t 1 , t 2 ) to the user U i .

3.
After receiving (Q, t 1 , t 2 ), the user U i computes sk ij = h(N ⊕ y ij ). Next, the user U i uses session key sk ij to decrypt Q and confirms the validity of the timestamp T 2 . Thereafter, the user U i computes β = h(N) ⊕ T 2 and confirms β. If there is a match the user U i accepts session key sk ij . Finally, the user U i stores (ID new i , AT a , AT b ) and (t 1 , t 2 ) in the smart card and flash drive, respectively.
Sensors 2020, 20, x FOR PEER REVIEW 9 of 27 2. After receiving , the server uses private keys , to decrypt k then confirms the validity of the timestamp . Next, it uses symmetric key to decrypt obtained from . The server then verifies ℎ( ), and . Thereafter, the server computes ′ = ( ⊕ ⊕ ).
3. After receiving ( , t1, t2), the user computes = ℎ( ⊕ ). Next, the user uses session key to decrypt and confirms the validity of the timestamp . Thereafter, the user computes ′ = ℎ( ) ⊕ and confirms . If there is a match the user accepts session key . Finally, the user stores ( , , ) and (t1, t2) in the smart card and flash drive, respectively.

Fast Authentication Phase
As stated above, we design the fast authentication in our work to accelerate communication process. After the initial authentication, the user and the server are allowed to quickly

Fast Authentication Phase
As stated above, we design the fast authentication in our work to accelerate communication process. After the initial authentication, the user U i and the server S j are allowed to quickly authenticate each other based on an authorized time bound without computing a new session key. As shown in Figure 5, both sides perform the following steps to complete the fast authentication.

1.
The user U i enters ID new i , PW i and B i . The smart card confirms ID new i , PW i , and B i . Next, the user ). Then, the user U i transmits A γ to the server S j .

2.
After receiving A γ , the server S j calculates ). Next, the server S j compares A γ with A γ . If there is no match, the server S j will revoke the session key sk ij ; otherwise, it computes After receiving B γ , the user U i computes SE sk ij (h(A γ ⊕ ID new i )), and then compares it with B γ . If there is a match, the user U i accepts sk ij . Following this, the user U i can still use the session key sk ij to obtain the healthcare service in this communication session.
Sensors 2020, 20, x FOR PEER REVIEW 10 of 27 authenticate each other based on an authorized time bound without computing a new session key. As shown in Figure 5, both sides perform the following steps to complete the fast authentication.
The server then transmits to the user . 3. After receiving , the user computes S (ℎ( ⊕ )), and then compares it with .
If there is a match, the user accepts . Following this, the user can still use the session key to obtain the healthcare service in this communication session.

Logical Analysis Using GNY Logic
In this section, we prove security completeness and correctness of our proposed protocol through logical roles of GNY (Gong-Needham-Yahalom) logic [52]. GNY logic has been widely used to formally analyze the completeness of a cryptographic protocol. The proposed scheme is presented in logic as follows.
Message k : Suppose that for princial P all of the following conditions hold: (1) P receives a formula consisting of a X encrypted with key K and marked with a not-originated-here mark; (2) P possesses K; (3) P believes K is a suitable secret for himself and Q; (4) P believes formula X is recognizable; and (5) P believes that K is fresh or that X is fresh.

Logical Analysis Using GNY Logic
In this section, we prove security completeness and correctness of our proposed protocol through logical roles of GNY (Gong-Needham-Yahalom) logic [52]. GNY logic has been widely used to formally analyze the completeness of a cryptographic protocol. The proposed scheme is presented in logic as follows.
Message k

Logical Rules Used in Our Proof
• (I 1 ) P * {X} K , P K, P|≡P K ↔Q, P|≡∅(X), P|≡#(X, K) P|≡Q|∼X, P|≡Q|∼{X} K , P|≡Q K : Suppose that for princial P all of the following conditions hold: (1) P receives a formula consisting of a X encrypted with key K and marked with a not-originated-here mark; (2) P possesses K; (3) P believes K is a suitable secret for himself and Q; (4) P believes formula X is recognizable; and (5) P believes that K is fresh or that X is fresh. Then, P is entitled to believe that: (1) Q once conveyed X; (2) Q once conveyed the formula X encrypted with K; and (3) Q possesses K. : Suppose that for principal P all of the following conditions hold: (1) P receives a formula consisting of X concatenated with S, encrypted with a public key, and marked with a not-originated-here mark; (2) P possesses S and the corresponding private key; (3) P believes the public key is his own; (4) P believes S is a suitable secret for himself and Q; (5) P believes that X concatenated with S is recognizable; and (6) P believes that at least one of S, X, or +K is fresh. Then, P is entitled to believes that: (1) Q once conveyed the formula X concatenated with S; (2) Q once conveyed the formula X concatenated with S and encrypted with the public key; and (3) Q possesses the public key.
• (I 7 ) P|≡Q|∼(X, Y) P|≡Q|∼X : P believes Q once conveyed a formula consisting of X, and then P is entitled to believe Q once conveyed X.

P|≡Q|⇒C, P|≡Q|≡C P|≡C
: P believes that Q is an authority on some statement C and that Q believes in C, and then P should believe in C as well.
P|≡#(X, Y), P|≡#(F(X)) : P believes message X is fresh, which means P can believe that any (X, Y) including message X is fresh, and then P believes F(X), which is computed from message X, is also fresh.
• (T 1 ) P * X P X : When P obtains a non-original value *X, it means P may obtain the original X.
: P uses secret key K to encrypt, decrypt to obtain message X.
: P uses private key −K to decrypt, uses public key +K to encrypt, and obtains the message X. • (P 1 ) P X P X : P can see the message X, indicating that P really possesses the message X. • (P 4 ) P X P H(X) : If P possesses X, then it possesses H(X).
P|≡∅(X, Y), P|≡∅(F(X)) : P believes message X is recognizable, indicating that P can believe that any (X, Y) including message X is recognizable, and P believes that any F(X) computed from message X is also recognizable). : P believes message X is recognizable and P possesses the shared secret key K, and then P believes anything computed using the shared secret key is recognizable.

• (R 4 )
P|≡∅(X), P −K P|≡∅({X} −K ) : P believes the message X is recognizable and P possesses private key −K, then P believes any message computed using private key is recognizable.

Assumptions of the Proposed Protocol
• (A 1 ) S j p j , q j : The server S j possesses private keys p j and q j . • (A 2 ) S j x j : The server S j possesses secret key x j . • (A 3 ) S j N: The server S j possesses message N.
The server S j believes that α is recognizable.
The user U i believes that timestamp T is fresh.
The server S j believes that N is a suitable secret for the user U i and the server S j . The user U i believes that v is recognizable.
The server S j believes that the user U i has jurisdiction over N, which is a suitable secret for the user U i and the server S j . • (A 12 ) S j |≡ #(T): The server S j believes that timestamp T is fresh.
The user can verify that only the server can generate message ( , t1, t2) received by the user .
• Key agreement and confirmation: They prove that the session key is secret and shared only by the legitimate parties.
Goal 5: Key Agreement of → : The user believes that only the server can obtain the shared session key . The user believes that the user server is convinced of the shared session key established between them.
The user can verify that only the server can generate message ( , t1, t2) received by the user .
• Key agreement and confirmation: They prove that the session key is secret and shared only by the legitimate parties.
Goal 5: Key Agreement of → : The user believes that only the server can obtain the shared session key . The user believes that the user server is convinced of the shared session key established between them.
Goal 7: Key Agreement of → : Only the user U i can read message (Q, t 1 , t 2 ) transmitted by the server S j .
• Message origin authentication: It proves that the received message is transmitted by the legitimate parties.
The user can verify that only the server can generate message ( , t1, t2) received by the user .
• Key agreement and confirmation: They prove that the session key is secret and shared only by the legitimate parties.
Goal 5: Key Agreement of → : The user believes that only the server can obtain the shared session key .
Goal 6: Key Confirmation of → : The user believes that the user server is convinced of the shared session key established between them. The user can verify that only the server can generate message ( , t1, t2) received by the user .
• Key agreement and confirmation: They prove that the session key is secret and shared only by the legitimate parties.
Goal 5: Key Agreement of → : The user believes that only the server can obtain the shared session key .
Goal 6: Key Confirmation of → : The user believes that the user server is convinced of the shared session key established between them.
Goal 7: Key Agreement of → : The user U i can verify that only the server S j can generate message (Q, t 1 , t 2 ) received by the user U i .

•
Key agreement and confirmation: They prove that the session key is secret and shared only by the legitimate parties.
Goal 5: Key Agreement of U i → S j : The user U i believes that only the server S j can obtain the shared session key sk ij . Goal 6: Key Confirmation of U i → S j : The user U i believes that the user server S j is convinced of the shared session key sk ij established between them. Goal 7: Key Agreement of S j → U i : The server S j believes that a shared session key sk ij between it and the user U i has been established. Goal 8: Key Confirmation of S j → U i : The server S j believes that the user U i has already obtained the shared session key sk ij . Since S j knows of message k, we have that: According to T 1 , we have that: According to Equation (2), A 1 , and T 4 , the server S j can use private keys p j and q j to decrypt k; we have that: According to Equation (3), A 2 , and T 3 , the server S j can use secret key x j to decrypt y ij = {H(x j ), According to (4) and P 1 , we have that: According to (5), A 4 , A 5 , and R 1 , we have that: According to Equation (6), S j can believe H(x j ) is truly recognizable. According to A 2 and R 4 , the server S j possesses x j and can identify H(x j ). Therefore, the server S j believes y ij (encrypted using x j ) is recognizable. We have that: According to Equations (6) and (7), A 5 , and R 1 , (G1) is realized by our protocol. Since the user U i knows of message (Q, t 1 , t 2 ), we have that: Based on rule T 1 , we have that: Sensors 2020, 20, 2511

of 27
Based on A 8 and A 9 , we have that: Based on (10) and rule P 4 , the user U i can possess the shared secret key sk ij ; we have that: Based on Equations (9) and (11), and rule T 3 , U i can use the shared key sk ij to decrypt Q = {β, ID new i , AT a , AT b , T 2 } sk ij ; we have that: Based on Equation (12), A 10 , and rule R 1 , we have that: Based on Equation (13) and R 1 , we have that: (14) applications. AVISPA tool executes the simulated protocol specified by HLPSL language [54]. For verifying cryptographic protocol, AVISPA tool includes four backends: On-the-fly Model-Checker (OFMC), Constraint Logic based Attack Searcher (CL-AtSe), SAT-based ModelChecker (SATMC), and Tree Automata based on automatic approximations for the analysis of security protocols (TA4SP). In this paper, using AVISPA tool and Security Protocol Animator (SPAN), we provide a security proof for the proposed scheme. Figure 6 shows the interface of the SPAN with AVISPA tool.

The Verification
The proposed protocol is verified using the OFMC and CL-AtSe backends. In AVISPA, our scheme incudes two roles: user U and server S. The HLPSL specifications of the user U and the sever S are shown in Boxs 1 and 2, respectively. Besides, session role, environment role and goals are also specified in HLPSL, as shown in Box 3. For verification of the proposed scheme, we consider seven secrecy goals and three authentication goals as follows.
• secrecy_of g1: E' is kept secret to the user U. • secrecy_of g2: IDi is kept secret to the user U and the server S. • secrecy_of g3: PWi is kept secret to the user U. • secrecy_of g4: Bi is kept secret to the user U. • secrecy_of g5: Xj is kept secret to the server S. • secrecy_of g6: As' is kept secret to the server S. • secrecy_of g7: Bs' is kept secret to the server S. • authentication_on u_s_v: The server S authenticates the user U based on V received from the message of the user U. • authentication_on u_s_tu: The server S authenticates the user U based on Tu received from the message of the user U. • authentication_on s_u_ts: The user U authenticates the server S based on Ts received from the message of the server S.

Semantic Security Analysis
Resistance to online password guessing attack: In this case, the attacker has obtained some relevant parameters and tries to guess the password to initiate login request. Nevertheless, the server can easily observe this attack by verifying the validity of the value α of the request message k. Thus, online password guessing attack is resisted in our protocol.
Resistance to offline password guessing attack: The attacker attempts to collect all offline information to guess the correct password. However, the attacker does not have the private key of the server, thus he cannot decrypt message k. Similarly, the attacker does not have sk ij , thus he is not able to decrypt message Q. Moreover, since the messages are changed in every single login, the attacker cannot use the stolen information of the previous login to compromise the current login. Besides, PW i is not available to the public and is computed only when the user inserts the smart card. Hence, our protocol is safe against offline password guessing attack.
Resistance to impersonation attack: In our protocol, the attacker cannot carry out impersonation attack without knowing password PW i (owing to password guessing attack resistance as stated above) and string number σ. Therefore, the attacker cannot compute the correct W and α to impersonate the user with the candidate login message. Hence, our work is free from impersonation attack.
Resistance to replay attack: Our protocol includes timestamp T 1 in login message k = (ID S j ||ID i ||y ij ||N||α||T 1 ) 2 mod n j ; therefore, the server S j can easily check the validity of the message k. In addition, the user U i can verify the validity of the message Q by checking the timstamp T 2 . Furthermore, all the messages are calculated using random number strings, which are used just once in every communication session. Thus, our protocol fully resists replay attack.
Resistance to DoS attack: As stated above, our protocol uses timestamp to prevent attacker from intercepting user's message and then retransmitting it repeatedly to disrupt the server. The message k = (ID S j ||ID i ||y ij ||N||α||T 1 ) 2 mod n j includes timestamp T 1 to prevent the attacker from retransmitting login requests to the sever. Therefore, the proposed protocol is secure from DoS attack.
Resistance to modification attack: This attack happens when the attacker intercepts the login message k and transmits a modified one to the sever. The value k is a ciphertext computed using public key n j , which is only decrypted using the private key p j and q j of the server. Moreover, the attacker is still blocked by timestamp T 1 (due to the resistance to replay attack and DoS attack stated above) even when he has compromised the message k. Similarly, the message Q is protected by the session key sk ij and the timestamp T 2 . Therefore, the proposed scheme can resist modification attack.
Resistance to insider attack: Since the proposed scheme does not require storage for storing the biometric data, it is not possible for a malicious legal user (attacker) to impersonate legitimate user without the correct biometric characteristic B i . In addition, verification table is not required in our scheme. Thus, our scheme can fully prevent insider attack.
Resistance to MITM attack: In our protocol, the attacker cannot compromise message k and sends a login request to the sever since he/she is not able to compute the correct h(x j ) for server verification without secret key x j . Moreover, the attacker also cannot calculate the correct k due to the resistance to password guessing attack and impersonation attack as stated. Hence, the attacker cannot act as a middleman and our scheme is free from man-in-the-middle attack.
Resistance to stolen smart card attack: Suppose the smart card has been stolen and the attacker has obtained the values σ, ID i , PW i , and B i . However, since the attacker does not know of the identity of the server, he cannot compute W . Besides, the attacker is unable to compute y ij from σ and ε j unless he/she steals smart card and flash drive respectively at the same time. As a result, it is not possible for the attacker to compute the correct α and k for verification. Therefore, the proposed protocol is safe against stolen smart card attack.
Resistance to desynchronization attack: In login and initial authentication phase, the server uses sk ij to encrypt acknowledgment message β and then send β to the user. The server will check the validify of the message β before accepting the session key sk ij . Similarly, in fast authentication phase, the session key sk ij is accepted only when A γ and B γ have been confirmed. The user will delete the session key and restart whole process if the confirmations are not successful. Thus, desynchronization attack is resisted in our scheme.
Provision of biometric data anonymity: In the registration phase, biometric data B i and password PW i are computed using one-way hash function. Biometric data will not be available to public since the hash is an irreversible value. Hence, the proposed scheme provides biometric data anonymity for the user.
Provision of forward secrecy: The attacker attempts to use information from the past communication session to derive the key. Suppose the attacker has obtained the random strings v and b, he/she is not able to compute the session key without the values σ and ε j stored in the smart card and flash drive. Therefore, the proposed protocol achieves forward secrecy.
Provision of user anonymity and untraceability: The identity ID i is only included in the message W = h(h(PW i ||σ)||(h(ID i ⊕ ID S j ) ⊕ σ)). Owning to the one-way hash function, the identity ID i is not available to the public during communication process. In other words, the identity ID i is kept secret to the user U i and the server S j . In addition, the attacker cannot identify any two past protocol runs initiated by the same user since the value k is computed using random number v. Therefore, the proposed scheme achieves strong user anonymity and untraceability.
Compared with previous works, Table 2 shows that our scheme is free from DoS attack, which is a vulnerability to all others. Fan and Lin [38] and Jiang et al. [39] are not secure against stolen smart card attack and desynchronization attack. Besides, Fan and Lin [38] and Zhang et al. [26] suffer from storage burden of storing biometric data in their proposed schemes. Jiang et al. [39] is not free from resist replay attack. Fan and Lin [38] is not able to resist online password guessing attack, modification attack, impersonation attack and man-in-the-middle attack. Besides, Fan and Lin [38] does not provide user untraceability. Especially, only our work provides time bound solution and fast authentication.

Performance Analysis
In this section, we provide a performance analysis to compare our scheme with its predecessor schemes. Specifically, we make a comparison with the logarithm to base 2 of the running time of each scheme. The value log 2 x is used to compare the efficiency of the protocols where x is the rough estimation of running time (Table 3) when n (number of servers) increases from 1 to 1000. When n gradually increases, Figure 7 shows that our scheme is more efficient than the predecessor schemes. Even in single-server architecture (where n = 1), our scheme is more efficient than Fan and Lin [38] and Jiang et al [39]. Table 3. Comparison of computational complexities.

39] Zhang et al. [26] Ours
Registration phase Login and authentication phase

Implementation of the Proposed Scheme
Consistent with the proposed system model presented in Figure 2, we present possible scenarios in a 5G-based multi-server-based healthcare system. The user can use his/her biometric sensorenabled mobile device and body wearable sensors to obtain services from multiple servers.

•
Scenario 1: The user can use the smart card, password, and sensor device to login to Home Care Server (S1) of Service Provider 1 to query his/her healthcare status. In addition, the user can login to healthcare data center to upload personal health information. Furthermore, the user can also login to Service Provider 2 (S2) and compute a session key to obtain remote healthcare services with caregivers. • Scenario 2: With the help of continuous care across the domains, the user can login to Healthcare Service Provider 3 (S3) to upload health sensing data produced by the wearable sensors. Besides, when the user gets in community care domain, he/she can login to its healthcare server to compute session keys for using IoMT-devices through a 5G wireless network.
Furthermore, after registering with S1, S2, and S3, the user possesses (PWi, σi, Bi) and then stores them in the smart card. The public parameters (ε1, IDs1, n1), (ε2, IDs2, n2), and (ε2, IDs2, n2) of S1, S2, and S3, respectively, are stored in the flash drive. Consistent with user anonymity property of our proposed scheme, privacy of the user (IDi) is preserved during this communication process. Besides, using the proposed scheme, the communication between the user and the servers is safe against possible attacks specified in Section 7. For example, the attacker cannot steal the smart card (containing (PWi, σi, Bi)) and the flash drive (containing (ε1, IDs1, n1)) at the same time, thus the stolen smart card attack is resisted. If these three services are provided by a single healthcare institution, overhead of the proposed system is still only 33.125 ms (according to Table 3 In addition, if service providers would like to give some discounts to specific users for their particular contribution, for instance valuable health data, the servers may use time-bound authentication solution introduced in our work for this purpose. Only authenticated users within an

Implementation of the Proposed Scheme
Consistent with the proposed system model presented in Figure 2, we present possible scenarios in a 5G-based multi-server-based healthcare system. The user can use his/her biometric sensor-enabled mobile device and body wearable sensors to obtain services from multiple servers.

•
Scenario 1: The user can use the smart card, password, and sensor device to login to Home Care Server (S 1 ) of Service Provider 1 to query his/her healthcare status. In addition, the user can login to healthcare data center to upload personal health information. Furthermore, the user can also login to Service Provider 2 (S 2 ) and compute a session key to obtain remote healthcare services with caregivers. • Scenario 2: With the help of continuous care across the domains, the user can login to Healthcare Service Provider 3 (S 3 ) to upload health sensing data produced by the wearable sensors. Besides, when the user gets in community care domain, he/she can login to its healthcare server to compute session keys for using IoMT-devices through a 5G wireless network.
Furthermore, after registering with S 1 , S 2 , and S 3 , the user possesses (PW i , σ i , B i ) and then stores them in the smart card. The public parameters (ε 1 , ID s1 , n 1 ), (ε 2 , ID s2 , n 2 ), and (ε 2 , ID s2 , n 2 ) of S 1 , S 2 , and S 3 , respectively, are stored in the flash drive. Consistent with user anonymity property of our proposed scheme, privacy of the user (ID i ) is preserved during this communication process. Besides, using the proposed scheme, the communication between the user and the servers is safe against possible attacks specified in Section 7. For example, the attacker cannot steal the smart card (containing (PW i , σ i , B i )) and the flash drive (containing (ε 1 , ID s1 , n 1 )) at the same time, thus the stolen smart card attack is resisted. If these three services are provided by a single healthcare institution, overhead of the proposed system is still only 33.125 ms (according to Table 3 In addition, if service providers would like to give some discounts to specific users for their particular contribution, for instance valuable health data, the servers may use time-bound authentication solution introduced in our work for this purpose. Only authenticated users within an authorized time bound are able to get the discounts from the providers. In a hospital, time-bound authentication is also useful for physicians to set up examination schedules for specific patients. Furthermore, we use the Go programming language to develop a system interface, where the user uses smart card to register for using services provided by Linkou Chang Gung Memorial hospital. Multi-server architecture can be designed with single sign-on (SSO) [56]. SSO solution allows the users to access multiple applications of the same authentication provider using single identity and password. First, the user makes a registration with the server (Figure 8, and then uses registered information (including the identity d0540011) to login to the system (Figure 9). We allow the user to create specific servers by himself/herself in this simulation. As shown in Figure 10, the user has used the smart card to create Billing server. The user can query server information in the next step. As shown in Figure 11, several servers including CGMH, CGMH_blockchain, Blockchain, GOOGLE, EHR, and Billing have been created. Next, the user uses his/her identity, password, and an additional ID (01011992) to register with the desired server, for instance Billing server ( Figure 12). Finally, the user can check his/her account in which specific servers (Blockchain, CGMH, Billing, and EHR) and identities (01011992 and 29071991) are listed with the corresponding extra passwords automatically generated by SSO-enabled system ( Figure 13). By this mechanism, the user is able to obtain data from multiple services provided by the hospital.
Sensors 2020, 20, x FOR PEER REVIEW 22 of 27 authorized time bound are able to get the discounts from the providers. In a hospital, time-bound authentication is also useful for physicians to set up examination schedules for specific patients. Furthermore, we use the Go programming language to develop a system interface, where the user uses smart card to register for using services provided by Linkou Chang Gung Memorial hospital. Multi-server architecture can be designed with single sign-on (SSO) [56]. SSO solution allows the users to access multiple applications of the same authentication provider using single identity and password. First, the user makes a registration with the server (Figure 8, and then uses registered information (including the identity d0540011) to login to the system (Figure 9). We allow the user to create specific servers by himself/herself in this simulation. As shown in Figure 10, the user has used the smart card to create Billing server. The user can query server information in the next step. As shown in Figure 11, several servers including CGMH, CGMH_blockchain, Blockchain, GOOGLE, EHR, and Billing have been created. Next, the user uses his/her identity, password, and an additional ID (01011992) to register with the desired server, for instance Billing server ( Figure 12). Finally, the user can check his/her account in which specific servers (Blockchain, CGMH, Billing, and EHR) and identities (01011992 and 29071991) are listed with the corresponding extra passwords automatically generated by SSO-enabled system ( Figure 13). By this mechanism, the user is able to obtain data from multiple services provided by the hospital.   authorized time bound are able to get the discounts from the providers. In a hospital, time-bound authentication is also useful for physicians to set up examination schedules for specific patients. Furthermore, we use the Go programming language to develop a system interface, where the user uses smart card to register for using services provided by Linkou Chang Gung Memorial hospital. Multi-server architecture can be designed with single sign-on (SSO) [56]. SSO solution allows the users to access multiple applications of the same authentication provider using single identity and password. First, the user makes a registration with the server (Figure 8, and then uses registered information (including the identity d0540011) to login to the system (Figure 9). We allow the user to create specific servers by himself/herself in this simulation. As shown in Figure 10, the user has used the smart card to create Billing server. The user can query server information in the next step. As shown in Figure 11, several servers including CGMH, CGMH_blockchain, Blockchain, GOOGLE, EHR, and Billing have been created. Next, the user uses his/her identity, password, and an additional ID (01011992) to register with the desired server, for instance Billing server ( Figure 12). Finally, the user can check his/her account in which specific servers (Blockchain, CGMH, Billing, and EHR) and identities (01011992 and 29071991) are listed with the corresponding extra passwords automatically generated by SSO-enabled system ( Figure 13). By this mechanism, the user is able to obtain data from multiple services provided by the hospital.

Conclusions
The use of 5G-enabled WSN applications in IoT architecture has gained a lot of attention from the scientific community. E-health system allows e-health users to store and share their data in a more convenient way compared to the traditional healthcare system. By the support of 5G technology, healthcare data produced from sensor nodes are efficiently transited in e-health system for efficient services, better analysis reports, and faster access to treatment. In this paper, we propose a threefactor fast authentication scheme with time bound and user anonymity for multi-server e-health systems in 5B-based wireless sensor networks. Three-factor authentication scheme combining biometrics, password, and smart card ensures a high security communication for participating parties in sensor-enabled environments. User anonymity is preserved during authentication process of our protocol. Besides, the proposed protocol introduces a fast authentication for accelerating communication process. This protocol is also designed with multi-server architecture that helps save database cost and alleviate network load. In addition, time-bound authentication introduced in the proposed protocol is suitable for various scenarios in healthcare. Security proof and performance analysis results show that our work can resist more attacks and bear a rational computational cost compared to its predecessor works.