A Smartcard-Based User-Controlled Single Sign-On for Privacy Preservation in 5G-IoT Telemedicine Systems

Healthcare is now an important part of daily life because of rising consciousness of health management. Medical professionals can know users' health condition if they are able to access information immediately. Telemedicine systems, which provide long-distance medical communication and services, are multi-functional remote medical services that can help patients in bed in long-distance communication environments. As telemedicine systems work in public networks, preserving the privacy of sensitive and private transmitted information is important. One means of proving a user's identity is a user-controlled single sign-on (UCSSO) authentication scheme, which can establish a secure communication channel using authenticated session keys between the users and servers of telemedicine systems, without threats of eavesdropping, impersonation, etc., and allows patients access to multiple telemedicine services with a pair of identity and password. In this paper, we propose a smartcard-based user-controlled single sign-on (SC-UCSSO) for telemedicine systems that not only retains the above merits but also achieves privacy preservation and enhances security and performance compared to previous schemes that were proved with BAN logic and automated validation of internet security protocols and applications (AVISPA).


Introduction
Healthcare is now an important part of daily life because of rising consciousness of health management. People can check their own health conditions, such as heartbeat rate, quality of sleep, amount of exercise, and so on, with the support of wearable technology, including smartphones, smart watches, smart bracelets, etc., which measures biodata and assists self-health management. Currently, biodata is only transferred to a smartphone and analyzed by applications on the smartphone, without being transferred to other outside systems [1]. Medical professionals can know users' health conditions if they are able to access the information immediately [1].
Telemedicine systems provide long-distance medical communication and services through which patients and medical professionals can communicate online, and patients benefit from being supported with ambulatory care or other medical services, even in remote areas [1][2][3][4]. Telemedicine systems allow health-related data and images to be reliably transmitted from one point to another [1]. Many researchers focused on monitoring the health of patients with specific diseases using telemedicine, such as diabetes and Parkinson's disease, and telemedicine systems can help a patient recover from illness through this [...] condition, if they are able to view the information immediately [1,20]. In other words, telemedicine systems with IoT can enhance functions of patient's health monitor and proactive and preventive healthcare interventions [20]. A general telemedicine system can be divided into three levels [21]. Level 1 (primary healthcare unit) consists of users with a webcam, smartphone, or wearable devices, which enable communication of measured biodata through wireless communications, including radio frequency identification (RFID), near field communication (NFC), Bluetooth, Wi-Fi, Zigbee, etc. [20]. Measured biodata are transmitted to the user's smartphone without being transferred to other systems [1]. Level 2 (city or district hospital) is a clinic or local hospital that the patient might visit before being transferred to a large hospital or medical center. Level 3 (specialty center) takes part in telemedicine in case of a rare disease or an incurable disease [21]. Figure 1 illustrates a general telemedicine system including two scenarios: asynchronous telemedicine and synchronous telemedicine [21,22]. Asynchronous telemedicine allows patients to decide a proper time to send medical images and health records to medical service providers for detailed examination. Synchronous telemedicine, also called synchronous video conferencing or interactive telemedicine, provides real-time communication between patient and medical professional [22].

Medical Privacy
Telemedicine systems have many challenges, such as infrastructure, connections, professional requirements, data management, and real-time monitoring [23,24]. Medical privacy is of the utmost importance, and damage to medical privacy not only brings huge economic losses and losses of credibility to hospitals and other related institutions but also does potential harm to patients and endangers patients' lives [24,25]. Unfortunately, thus far, healthcare-related industries did not achieve users' expectations [24]. Trust management (TM) is important for allowing reliable data collection and transmission, to provide qualified services and enhance user privacy and information security [26]. Gambetta first defined two widely accepted definitions of trust called reliability trust and decision trust [26,27]. Recently, researchers had discussions about TM of IoT [28][29][30][31][32]. Fortino et al. summarized and discussed main trust concepts, including behavior trust, reputation, honesty, and accuracy [26].
As we mentioned, telemedicine is implemented in public networks, so privacy preservation is one of the notable security issues that has caught researchers' attention. Mishra et al. [33] and Renuka et al. [34] utilized a biometric feature to design authentication schemes for telemedicine systems. Zriqat and Altamimi discussed issues through data collection, data transmission, and data storage and access level [12]. Dharminder et al. discussed authorized access to healthcare services [35]. Zhang et al. [36], Zhang et al. [37], and Sureshkumar et al. [38] designed authentication and key agreement for telemedicine systems. Baker et al. [8], Guo et al. [39], and Anwar et al. [11] focused on telemedicine using IoT, blockchain, and 5G technology and proposed a framework or scheme. In summary, three key questions must be solved for assuring telemedicine environments. First, image storage should be highly efficient. Second, transmitting sensitive images should satisfy confidence, integrity, and accessibility. Finally, the encryption process should be efficient, especially for the end-point.

Proposed Scheme
In the proposed system, there are $i$ users and $j$ servers. User $U_i$ can use a smartcard or a smart token to log in to whichever server $S_j$ user $U_i$ wishes to access, as shown in Figure 2. The proposed scheme includes four phases: system initialization phase, registration phase, authenticated key exchange phase, and offline password change phase. In the system initialization phase, server $S_j$ generates essential parameters and functions for the whole scheme. User $U_i$ becomes a legitimate member in the system through the registration phase. In the authenticated key exchange phase, user $U_i$ and server $S_j$ authenticate each other and establish a session key for symmetric encryption for communication and transmitted measured biodata. The proposed scheme provides an offline password change phase such that user $U_i$ can change the password periodically, without the participation of server $S_j$. Notations are defined in Table 1.

• Polynomials of Chebyshev chaotic maps $T_n(x)$: If $n \geq 2$, the polynomials of the Chebyshev chaotic maps are formed as $T_n(x) = 2xT_{n-1}(x) - T_{n-2}(x)$. However, the results of the Chebyshev chaotic maps are 1 and $x$ when $n$ is 0 and 1, respectively.
• If $(s, r) \in \mathbb{Z}$ and $s \in [-1, 1]$, $T_r(T_s(x)) = T_{rs}(x) = T_s(T_r(x))$, which is the so-called semi-group property.
• Zhang [51] proved that the semi-group property can hold if Chebyshev polynomials are extended on interval $[-\infty, +\infty]$. In the situation, polynomials of Chebyshev chaotic
• Even only with the knowledge of $x$ and $y$, $n$ is computationally infeasible to be obtained such that $T_n(x) \bmod N = y$, which is the so-called Chaotic maps-based discrete logarithm problem (CMDLP).
• Even only with the knowledge of $(x, T_r(x) \bmod N, T_s(x) \bmod N)$, $T_{rs}(x) \bmod N$ is computationally infeasible to be obtained, which is the so-called Chaotic maps-based Diffie-Hellman problem (CMDHP).
The proposed scheme applies the extended Chebyshev chaotic maps, which satisfies the above definitions.

System Initialization Phase
User $U_i$ sets up smartcard by entering an identifier and password in the system initialization phase. Server $S_j$ sets up the system's parameters by performing the following steps.
Step 1. Server $S_j$ generates a secret value $x_{S_j}$, a big prime $p$, and a random number $x \in (-\infty, +\infty)$.
Step 2. Server $S_j$ chooses a symmetric encryption algorithm $E_k(\cdot)$, a symmetric decryption algorithm $D_k(\cdot)$, a collision-resistance one-way hash function $H(\cdot)$, and a collision-resistance secure one-way chaotic hash function $h_k(\cdot)$.

Registration Phase
User $U_i$ and server $S_j$ perform the following steps to complete the registration phase to become a legitimate member, as illustrated in Figure 3.
Step 1. User $U_i$ enters $ID_i$ and $PW_i$.
Step 2. User $U_i$ uses the smartcard to choose a random number $y_i \in Z_p^*$. After that, smartcard computes $(\alpha_i, A_i)$ as below. Finally, smartcard stores $y_i$ and sends
Step 3. After receiving $(ID_i, A_i)$, server $S_j$ computes elements below. Then, server $S_j$
Step 4. Upon receiving $(B_i, B_j)$, user $U_i$ stores $(B_i, B_j)$ in USB or smartcard.

Authenticated Key Exchange Phase
To complete the mutual authentication and session key confirmation and obtain the remote server's services, user $U_i$, user $U_i$'s smartcard, and a server $S_j$ perform the following steps, as illustrated in Figure 4.
Step 1. User $U_i$ enters $ID_i$ and $PW_i$.
Step 2. Smartcard checks $PW_i$, utilizes $(y_i, x)$ to compute $A_i$, retrieves $(B_i, B_j)$ to recover $u_i$, and computes $(K_i, R_i)$, as below.
Step 3. Smartcard chooses integer $\rho_i \in (-\infty, +\infty)$ and a big prime $N_i$
Step 4. After receiving $(R_i, C_i, N_i)$, server $S_j$ computes the equations below. If server $S_j$ can decrypt $b_i$ successfully, server $S_j$ successfully authenticates user $U_i$.
Step 5. For establishing a shared session key, server $S_j$ chooses a random number $s_j \in Z_p^*$, utilizes $\rho_i$, $N_i$, and $\mu_i$ retrieved from Step 4 to compute $\omega_j$, $k_{ji}$, and $MAC_{S_j}$, and sends $(MAC_{S_j}, \omega_j)$ to user $U_i$.
Step 6. Upon receiving $(MAC_{S_j}, \omega_j)$, user $U_i$'s smartcard computes $k_{ij}$ and checks whether $MAC_{S_j}$ is correct. If it holds, the mutually shared session key is correct. Then, user $U_i$'s smartcard computes $MAC_{U_i}$ and sends it to server $S_j$.
Step 7. Upon receiving $MAC_{U_i}$, server $S_j$ checks whether $MAC_{U_i}$ is correct. If it holds, the shared session key confirmation is complete.
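
The semi-group property from the Chebyshev chaotic maps definitions and the key confirmation of Steps 5 to 7 above, worked through as an added example (not code from the paper or its implementation). Assumptions: the modular recurrence $T_n(x) = (2xT_{n-1}(x) - T_{n-2}(x)) \bmod N$ is the usual form of Zhang's extension; $\mu_i = T_{y_i}(\rho_i) \bmod N_i$ and $\omega_j = T_{s_j}(\rho_i) \bmod N_i$ are read off the proof text; SHA-256 and HMAC-SHA-256 stand in for $H$ and the chaotic keyed hash $h_k$; the modulus, the identifiers, and sending $\omega_j$ in the clear are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo modulus standing in for the big prime N_i (2^255 - 19 is
# prime); parameter selection for a deployment is outside this example.
N_DEMO = 2**255 - 19


def chebyshev_mod(n: int, x: int, N: int) -> int:
    """T_n(x) mod N for n >= 0, from T_0 = 1, T_1 = x and
    T_n = 2x*T_{n-1} - T_{n-2}, in O(log n) multiplications.

    (T_n, T_{n-1}) = M^(n-1) * (x, 1) with M = [[2x, -1], [1, 0]].
    """
    if n < 0:
        raise ValueError("n must be non-negative")
    x %= N
    if n == 0:
        return 1 % N
    a, b, c, d = 1, 0, 0, 1                    # accumulator = identity matrix
    p, q, r, s = (2 * x) % N, -1 % N, 1, 0     # base = M
    e = n - 1
    while e:
        if e & 1:                              # accumulator *= base
            a, b, c, d = ((a * p + b * r) % N, (a * q + b * s) % N,
                          (c * p + d * r) % N, (c * q + d * s) % N)
        p, q, r, s = ((p * p + q * r) % N, (p * q + q * s) % N,   # base *= base
                      (r * p + s * r) % N, (r * q + s * s) % N)
        e >>= 1
    return (a * x + b) % N


def chebyshev_naive(n: int, x: int, N: int) -> int:
    """Same value by stepping the recurrence n times (cross-check only)."""
    prev, cur = 1 % N, x % N
    if n == 0:
        return prev
    for _ in range(n - 1):
        prev, cur = cur, (2 * x * cur - prev) % N
    return cur


def _int_bytes(v: int, N: int) -> bytes:
    """Fixed-width big-endian encoding of a residue mod N."""
    return v.to_bytes((N.bit_length() + 7) // 8, "big")


def session_key(secret: int, peer_component: int, N: int) -> bytes:
    """k = H(T_secret(peer_component) mod N); SHA-256 stands in for H."""
    t = chebyshev_mod(secret, peer_component, N)
    return hashlib.sha256(_int_bytes(t, N)).digest()


def keyed_mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA-256 standing in for the paper's chaotic keyed hash h_k.
    Fields are length-prefixed so (a, bc) and (ab, c) cannot collide."""
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


def run_exchange(tamper_omega: bool = False, N: int = N_DEMO) -> dict:
    """Steps 5-7 with constructed identifiers; optionally alter omega_j in transit."""
    sid, uid = b"SID-demo-server", b"ID-demo-user"    # constructed values
    rho = secrets.randbelow(N - 3) + 2                # rho_i
    y = secrets.randbelow(N - 3) + 2                  # user secret y_i
    s = secrets.randbelow(N - 3) + 2                  # server random s_j
    mu = chebyshev_mod(y, rho, N)                     # mu_i = T_{y_i}(rho_i) mod N_i
    omega = chebyshev_mod(s, rho, N)                  # omega_j = T_{s_j}(rho_i) mod N_i

    # Step 5 (server): k_ji and MAC_Sj over (SID_j, ID_i, mu_i).
    k_ji = session_key(s, mu, N)
    mac_s = keyed_mac(k_ji, sid, uid, _int_bytes(mu, N))

    omega_rx = (omega + 1) % N if tamper_omega else omega   # value the user receives

    # Step 6 (smartcard): derive k_ij and check MAC_Sj in constant time.
    k_ij = session_key(y, omega_rx, N)
    server_ok = hmac.compare_digest(
        mac_s, keyed_mac(k_ij, sid, uid, _int_bytes(mu, N)))

    # Step 7 (server): MAC_Ui over (ID_i, SID_j, omega_j), sent only if Step 6 passed.
    user_ok = False
    if server_ok:
        mac_u = keyed_mac(k_ij, uid, sid, _int_bytes(omega_rx, N))
        user_ok = hmac.compare_digest(
            mac_u, keyed_mac(k_ji, uid, sid, _int_bytes(omega, N)))
    return {"keys_match": k_ij == k_ji, "server_ok": server_ok, "user_ok": user_ok}


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(tamper_omega=True))
```

With an altered $\omega_j$ the smartcard derives a different $k_{ij}$, so the check in Step 6 fails and no $MAC_{U_i}$ is sent.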

Offline Password Change Phase
User $U_i$ and smartcard cooperatively perform the following steps to complete the password changing process, as illustrated in Figure 5.
Step 1. User $U_i$ enters PIN to start smartcard and inputs old $PW_i$ and new $PW'_i$.
Step 2. Smartcard updates $A_i$ and stores it.

Security Analysis
We apply BAN logic [52] and AVISPA tool [53] for formal security proof. We also present informal security proof, which proves that the proposed scheme can achieve some security requirements.

Formal Security Proof Using BAN Logic
This subsection describes the logical analyses of the proposed scheme by using the logical tool defined by Burrows et al. [52]. The process of proof in this section is similar to that of some schemes, because these schemes, including the proposed scheme, aim to prove that the principals in schemes can believe the established session keys. The notations used in the BAN logic [52] analysis are defined in Table 2.

Table 2. Notations of BAN logic [52] used in analyzing the proposed scheme.

| Notations | Definitions |
|---|---|
| $P$, $Q$ | Principals. |
| $X$, $Y$ | Statements. |
| $r$, $w$ | Readers (receivers) and writers (senders). |
| $K$ | Encryption key. |
| $P$ believes $X$ | $P$ believes $X$. |
| $P$ once said $X$ | $P$ once said $X$. |
| $C(X)$ | $X$ is transited through communication channel $C$. |
| $r(C)$/$w(C)$ | Readers/writers of $C$. |
| $P$ sees $C(X)$ | $P$ sees $C(X)$. |
| $P$ sees $X \mid C$ | $P$ sees $X$ via $C$. |
| $(X)_K$ | $X$ is encrypted with the key $K$. |
| $P \stackrel{K}{\leftrightarrow} Q$ | $P$ and $Q$ establish a secure communication channel using $K$. |

Initial Assumptions
Making initial assumptions is necessary for ensuring success of scheme and establishing the foundation of logical proof [52]. Initial assumptions of the proposed scheme are listed below.
• A1. $P \in r(C_{P,Q})$: $P$ can read from channel $C_{P,Q}$.
• A2. $P$ believes $w(C_{P,Q}) = \{P, Q\}$: $P$ believes that $P$ and $Q$ can write on $C_{P,Q}$.
• A3. $P$ believes $Q$ once said $(\Phi \rightarrow \Phi)$: $P$ believes that $Q$ only says what it believes.
• A4. $P$ believes $\#(N_P)$: $P$ believes that $N_P$ is fresh.
• A5. $P$ believes ($a \rightarrow$ ECMDH(secret) $P$): $P$ believes that $a$ is $P$'s extended chaotic maps-based Diffie-Hellman secret [24,49].

Inference Rules
The purpose of inference rules is analyzing belief, which pays attention to beliefs of principals in authentication and key agreement schemes, in order to verify message, freshness, and trustworthiness of origin of scheme [52,54–57]. We apply the seeing rules, interpretation rules, freshness rules, and the rationality rules for logical proof.
The seeing rules define that if a principal sees a formula, the principal also sees its components, provided it knows the necessary keys. We apply S1 and S2 as below.
• S1. $\dfrac{P \text{ sees } C(X),\ P \in r(C)}{P \text{ believes } (P \text{ sees } X \mid C),\ P \text{ sees } X}$: If $P$ receives and reads $X$ via $C$, then $P$ believes that $X$ has arrived on $C$ and $P$ sees $X$.
• S2. $\dfrac{P \text{ sees } C(X, Y)}{P \text{ sees } X,\ P \text{ sees } Y}$: If $P$ sees a hybrid message $(X, Y)$, then $P$ sees $X$ and $Y$ separately.
The interpretation rules define that a principal can believe some hybrid facts by logical reasoning. We apply I1, I2, and I3, as below.
• I1. $\dfrac{P \text{ believes } (w(C) = \{P, Q\})}{P \text{ believes } (P \text{ sees } X \mid C) \rightarrow Q \text{ once said } X}$: If $P$ believes that $C$ can only be written by $P$ and $Q$, then $P$ believes that if $P$ receives $X$ via $C$, then $Q$ said $X$.
• I2. $\dfrac{P \text{ believes } (Q \text{ once said } (X, Y))}{P \text{ believes } (Q \text{ once said } X),\ P \text{ believes } (Q \text{ once said } Y)}$: If $P$ believes that $Q$ said a hybrid message $(X, Y)$, then $P$ believes that $Q$ has said $X$ and $Y$ separately.
• I3. If $P$ believes that $a$ is $P$'s extended chaotic maps-based Diffie-Hellman secret and $T_b(x) \bmod N$ is the extended chaotic maps-based Diffie-Hellman component from $Q$, then $P$ believes that $T_{ab}(x) \bmod N$ is the symmetric key shared between $P$ and $Q$.
The freshness rules define that if one part of a formula is fresh, the entire formula must be fresh. We apply F1 and F2 as below.
• F1. $\dfrac{P \text{ believes } (Q \text{ once said } X),\ P \text{ believes } \#(X)}{P \text{ believes } (Q \text{ once said } X)}$: If $P$ believes that another $Q$ said $X$ and $P$ also believes that $X$ is fresh, then $P$ believes that $Q$ recently said $X$.
• F2. $\dfrac{P \text{ believes } \#(X)}{P \text{ believes } \#(X, Y)}$: If $P$ believes that a part of a mixed message $X$ is fresh, then it believes that the whole message $(X, Y)$ is fresh.
The rationality rules define that a principal can only believe what it believes. We have R1 as below.

Goals
Goals are what schemes must achieve, and goals are required while designing schemes. The goals of the proposed scheme are listed below.
• Goal 1. User $U_i$ believes that $T_{y_i s_j}(\rho_i) \bmod N_i$ is a symmetric key shared between participants $U_i$ and $S_j$.
• Goal 2. Server $S_j$ believes that $T_{y_i s_j}(\rho_i) \bmod N_i$ is a symmetric key shared between participants $U_i$ and $S_j$.
• Goal 3. User $U_i$ believes that $S_j$ believes $T_{y_i s_j}(\rho_i) \bmod N_i$ is a symmetric key shared between $U_i$ and $S_j$.
• Goal 4. $S_j$ believes $U_i$ believes ($U_i$ : Server $S_j$ believes that $U_i$ believes $T_{y_i s_j}(\rho_i) \bmod N_i$ is a symmetric key shared between $U_i$ and $S_j$.

Proof
The proposed scheme can be normalized as Steps 1 and 2.
Step 1. $S_j$ sees (
Step 2. $U_i$ sees (
Equation (26) means user $U_i$ believes that $y_i$ is its extended chaotic maps-based Diffie-Hellman secret. Equation (27) means user $U_i$ believes that $T_{s_j}(\rho_i) \bmod N_i$ is the extended chaotic maps-based Diffie-Hellman component from server $S_j$. To accomplish Goal 1 (User $U_i$ believes that $k_{ij} = T_{y_i s_j}(\rho_i) \bmod N_i$ is a symmetric key shared between participants user $U_i$ and server $S_j$), Equations (25) and (26) must hold, because of the interpretation rule (I3) and assumption (A5).
The meaning of Equation (28) is described below. The first fact is that server $S_j$ once said that $T_{s_j}(x) \bmod p$ is the extended chaotic maps-based Diffie-Hellman public component from server $S_j$, $(SID_j, ID_i, T_{y_i}(\rho_i) \bmod N_i)$ is encrypted by $k_{ij}$ and $T_{s_j}(\rho_i) \bmod N_i$. The second fact is that server $S_j$ once said that $T_{s_j}(x) \bmod p$ is the extended chaotic maps-based Diffie-Hellman public component from server $S_j$. In Equation (29), user $U_i$ believes that the first fact implies the second fact. Equation (28) means that user $U_i$ believes that server $S_j$ once said that $T_{s_j}(\rho_i) \bmod N_i$ is the extended chaotic maps-based Diffie-Hellman public component from server $S_j$. Next, to accomplish Equation (27), Equations (28) and (29) must hold because of assumption (A3) and the rationality rule (R1).
$U_i$ believes ($S_j$ once said (
To accomplish Equation (29), Equation (30) must hold, which means that user $U_i$ believes that $T_{s_j}(\rho_i) \bmod N_i$, which is the extended chaotic maps-based Diffie-Hellman public component from server $S_j$, is fresh because of freshness rules (F1) and (F2), and assumption (A4).
Equation (31) means that user $U_i$ can read from the channel $C_{S_j, U_i}$. Equation (32) means that user $U_i$ believes that user $U_i$ and server $S_j$ can write messages on channel $C_{S_j, U_i}$. Equation (33) means that user $U_i$ sees and believes that $T_{s_j}(\rho_i) \bmod N_i$ is in the channel $C_{S_j, U_i}$, which is the extended chaotic maps-based Diffie-Hellman public component from server $S_j$. To accomplish Equation (30), Equations (31)-(33) must hold because of the interpretation rule (I1), the seeing rules (S1) and (S2), and assumptions (A1) and (A2). By using the interpretation rule (I3), our proposed scheme realizes that Goal 1 is achieved. Similarly, we ensured that the proposed scheme realizes Goal 2 by using the same arguments as for Goal 1.
$U_i$ sees believes $C_{S_j, U_i}$ (
The meaning of Equation (34) is described below. The first fact is that server $S_j$ once said that $T_{y_i s_j}(\rho_i) \bmod N_i$ is the symmetric key shared between $U_i$ and $S_j$. The second fact is that server $S_j$ believes that $T_{y_i s_j}(\rho_i) \bmod N_i$ is the symmetric key shared between $U_i$ and $S_j$. In Equation (35), user $U_i$ believes that the first fact implies the second fact. To accomplish Goal 3, Equations (34) and (35) must hold because of the rationality rule (R1) and assumption (A3).
Equation (36) means that user $U_i$ believes symmetric key $T_{y_i s_j}(\rho_i) \bmod N_i$ is fresh. To accomplish Equation (35), Equation (36) must hold because of the freshness rules (F1) and (F2) and assumption (A4).
Equation (37) means that user $U_i$ sees and believes that $T_{y_i s_j}(\rho_i) \bmod N_i$ is in the channel $C_{S_j, U_i}$. To accomplish Equation (36), Equations (31), (32) and (37) must hold because of the interpretation rule (I1), the assumptions (A1) and (A2), and the seeing rules (S1) and (S2). Thus, the proposed scheme realizes that Goal 3 is achieved. Similarly, using the same arguments as for Goal 3, the proposed scheme realizes Goal 4.

Formal Security Proof Using AVISPA
Automated validation of internet security protocols and applications (AVISPA) is a high-level language tool for security protocols, and it provides automatic analysis techniques through its back-ends, called on-the-fly model-checker (OFMC), constraint logic based attack searcher (CL-AtSe), SAT-based model-checker (SATMC), and tree automata based on automatic approximations for the analysis of security protocols (TA4SP) [53,58–60]. The AVISPA tool executes a simulated protocol through high-level protocol specification language (HLPSL) [61]. We used the AVISPA tool to verify the proposed scheme. The HLPSL specifications of user U and server S are shown in Figures 6 and 7, respectively. The session role, environment role, and goals are also specified in HLPSL, shown in Figure 8. Figure 9 shows the results and proves that the proposed scheme is safe.

Informal Security Proof
We present theoretical analyses that proved that proposed scheme could achieve security requirements.

Preventing MITM Attack
In order to prevent MITM attack, user $U_i$ and server $S_j$ can confirm whether the message is resent, modified, or replaced, by checking information through message authentication codes $MAC_{S_j}$ and $MAC_{U_i}$. User $U_i$ verifies $MAC_{S_j} = h_{k_{ji}}(SID_j, ID_i, \mu_i)$ at Step 6, and server $S_j$ verifies $MAC_{U_i} = h_{k_{ij}}(ID_i, SID_j, \omega_j)$ at Step 7 in the authenticated key exchange phase of the proposed scheme. In this way, the adversary cannot modify message authentication codes $MAC_{S_j}$ and $MAC_{U_i}$ without session key $k_{ij}$. Thus, the proposed scheme can prevent MITM attack.

Key Confirmation
User $U_i$ can check session key $k_{ij}$ by $MAC_{S_j} \stackrel{?}{=} h_{k_{ji}}(SID_j, ID_i, \mu_i)$, and server $S_j$ can also check session key $k_{ji}$ through $MAC_{U_i} \stackrel{?}{=} h_{k_{ij}}(ID_i, SID_j, \omega_j)$ in the proposed scheme. As a result, the proposed scheme achieves key confirmation.

Preventing Key-Compromise Impersonation and Server Spoofing Attacks
User $U_i$'s random number $y_i$ is stored in a smartcard, from which information is hard to obtain. The adversary must have user $U_i$'s smartcard and correct password if they want to impersonate a legitimate user. The number of attempts at entering a password is limited; if the number of attempts exceeds the allowable number, the smartcard is locked. On the other hand, the adversary cannot obtain $K_i$ due to not knowing $x_{S_j}$, and afterwards the process cannot be completed by the adversary. As a result, the proposed scheme can prevent key-compromise impersonation and server spoofing attacks.

Mutual Authentication
In the authenticated key exchange phase of the proposed scheme, server $S_j$ encrypts $(SID_j, ID_i, \mu_i)$ from user $U_i$ to message authentication code $MAC_{S_j}$ with session key $k_{ji} = H(T_{s_j}(\mu_i) \bmod N_i)$ and sends $(MAC_{S_j}, \omega_j)$ to user $U_i$. In Step 6, user $U_i$ uses $\omega_j$ from server $S_j$ to obtain session key $k_{ij}$ and verify $MAC_{S_j} = h_{k_{ji}}(SID_j, ID_i, \omega_j)$. Server $S_j$ verifies message authentication code $MAC_{U_i} = h_{k_{ij}}(ID_i, SID_j, \omega_j)$ sent by user $U_i$ in Step 7. $MAC_{S_j}$ and $MAC_{U_i}$ are keyed with session keys that only the two communicating parties have, so only user $U_i$ and server $S_j$ can verify each other.

User Anonymity
User $U_i$'s identity $ID_i$ is protected by being encrypted in $C_i = E_{K_i}(ID_i, b_i, \rho_i)$ with $K_i$, before being sent. Server $S_j$ must obtain $K_i$ by computing $K_i = R_i \oplus h_{\beta_j}(SID_j)$. The adversary cannot obtain $ID_i$ even with $R_i$ and $C_i$ because only server $S_j$ has knowledge of secret $x_{S_j}$. The adversary cannot obtain $K_i$ without $x_{S_j}$ and decrypting $C_i$; thus, the adversary cannot obtain $ID_i$. As a result, the proposed scheme provides user anonymity during communication.

Resistant to Bergamo et al.'s Attack
Bergamo et al.'s attack [62] is based on two conditions: (i) the adversary is able to obtain related elements $(x, \rho_i, \mu_i, \omega_j)$; and (ii) several Chebyshev polynomials pass through the same point due to periodicity of the cosine function. In the proposed scheme, the adversary is unable to obtain any related elements $(x, \rho_i, \mu_i, \omega_j)$, as these are encrypted in transmitted messages where only user $U_i$ and server $S_j$ can retrieve the decryption key. Moreover, the proposed protocol utilizes the extended Chebyshev polynomials, in which the periodicity of the cosine function is avoided by extending the interval of $x$ to $(-\infty, +\infty)$ [51]. As a result, the proposed scheme can resist the attack proposed by Bergamo et al. [62].

Performance Analysis
We present relevant security requirements and computational complexity comparison. Table 3 shows comparisons of security requirements that were presented in the schemes designed by Wang and Zhao [63], Yoon and Jeon [46], Lin [48], Lin and Zhu [64], Lee et al. [49], Madhusudhan et al. [65], Sureshkumar et al. [38], and us. Wang and Zhao's [63], Lin's [48], and Lin and Zhu's schemes [64] are not secure against key-compromise impersonation attack, since the transmitted messages can be replayed by an adversary. Wang

[...] of users, and Figure 11 illustrates the computational complexity of user with varying number of servers. The computational complexity of user in Lee et al.'s scheme [49] [38], and the proposed scheme is not related to number of servers, and the proposed scheme shows the least computational complexity among the compared schemes.

Figure 11. Computational complexity of user with varying number of servers.

Implementation
We developed an SC-UCSSO system using the proposed scheme in a multi-function smart token, as shown in Figure 12, which supports the public key infrastructure and the X.509 certificate. To use the system, a user inserts the smart token into a computer or a laptop and inserts the smartcard shown in Figure 13 into the smart token. Figures 14 and 15 show the registration and login interfaces. Figure 16 shows that the user can log in to multiple services, which implies that the proposed system can be used in multiserver environments. The proposed system also provides account checking (Figure 17) to manage the user's accounts. In the synchronous telemedicine scenario, the user can log in to the online telemedicine website with a smart token and a smartcard, using a computer, laptop, smartphone, or any wireless device that has a webcam. The channel of the online video consultation between the patient and the medical professional is protected by the session key generated by the proposed scheme. In asynchronous telemedicine, the measured biodata is transmitted to a smartphone using Bluetooth, and the user can decide when to send the data to the designated server of the telemedicine system. The user logs in with the smart token and smartcard before sending data. Measured data transmitted between the smartphone and the servers is protected by the session key generated through the proposed scheme. The user has data ownership because the user controls the data's destination and the time of transmission. Once data are sent by the user, the user's privacy is protected because the transmission channel is secured with the session key.

Discussion
We give a brief review of this research and discuss real-life scenarios and its limitations. Telemedicine systems work in public networks, where privacy preservation of users and of sensitive and private transmitted information is important [1]. Security issues related to data transmission have been discussed, such as eavesdropping, MITM attack, data tampering attack, message modification attack, data interception attack, etc. [12]. Although regulations, such as HIPAA, GDPR, Safe Harbor Laws, etc., were developed, technical support is still not enough [12][13][14]. We proposed an SC-UCSSO for the 5G-IoT telemedicine systems, which can be applied in the 5G-IoT telemedicine multi-server environments. Security of the proposed scheme was proved by BAN logic, the AVISPA tool, and theoretical analyses. The proposed scheme achieved general security requirements, such as preventing MITM, key-compromise impersonation, and server spoofing attacks, and providing user anonymity, key confirmation, and mutual authentication. Moreover, the proposed scheme overcomes the drawbacks of the compared previous schemes, such as the stolen-verification table attack, the clock synchronization problem, and the DoS attack, as shown in Table 3 in the previous section. The proposed scheme applies the extended Chebyshev chaotic maps that can resist Bergamo et al.'s attack [62]. Performance of the proposed scheme is also compared with Lee [38] scheme ($1235T_h$), as shown in Table 4.

We give four possible real-life scenarios of telemedicine systems in 5G-IoT environments that can apply the proposed scheme.

Scenario 1: The patient inserts a smartcard (e.g., health insurance card or smartcard, as in Figure 13) into a measurement device that includes a smartcard reader, such as a sphygmomanometer or blood-glucose meter, before measuring biodata. Once the patient inserts the smartcard, the authenticated key agreement phase of the proposed scheme is activated, and the measured biodata can be transmitted securely to the server as it is encrypted by the session key.

Scenario 2: The patient's wearable healthcare device (e.g., sensors, smart watch, etc.) transmits the measured biodata to the related mobile application (APP) on a smartphone, through data synchronization via Bluetooth, NFC, RFID, etc. If the patient wants to transmit the measured biodata to the server, the patient can use a smartphone with a smartcard adapter, such as the smart token in Figure 13. Once the patient inserts the smartcard, the authenticated key agreement phase of the proposed scheme is activated, and the measured biodata can be securely transmitted to the server as it is encrypted by the session key.

Scenario 3: The patient's measured biodata are recorded or stored in storage at home. If the patient wants to transmit the measured biodata to the server, the patient can use the smartcard with a reader. Once the patient inserts the smartcard, the authenticated key agreement phase of the proposed scheme is activated, and the measured biodata can be transmitted securely to the server as it is encrypted by the session key.

Scenario 4: If a medical professional would like to access the measured biodata on the server, the medical professional has to use a smartcard (e.g., healthcare certification IC card [66]) with a reader. Once the medical professional inserts the smartcard, the authenticated key agreement phase of the proposed scheme is activated, and the measured biodata can be securely transmitted as it is encrypted by the session key.

Scenarios 1 to 3 allow the patient to decide the data's destination and time of transmission. This research has limitations. We only give a software security analysis, but hardware security and availability are other aspects of security in telemedicine systems, such as electromagnetic interference (EMI), which might affect the functions of wearable devices. Although there are already measurement devices with a smartcard reader on the market, we did not evaluate the hardware's effects with the proposed scheme. We assumed that the users (patient/medical professional) have a smartcard (health insurance card/healthcare certification IC card) and proposed a smartcard-based scheme, but authentication could be achieved in many ways, such as three-factor authentication, two-step verification, fast identity online (FIDO), etc., which can be addressed in future work.

Conclusions
A telemedicine system is a multi-functional remote medical service that can help patients in bed in long-distance communication environments [1][2][3][4]. As telemedicine systems work in public networks, privacy preservation of sensitive and private transmitted information is important [1]. We proposed an SC-UCSSO for 5G-IoT telemedicine systems, which achieves general security requirements, such as preventing MITM, key-compromise impersonation, and server spoofing attacks, provides user anonymity, and overcomes the drawbacks of the previous schemes compared herein. The proposed scheme establishes a secure communication channel using the authenticated session keys between patients and services of telemedicine systems, without threats of eavesdropping, impersonation, etc., and allows patients access to multiple telemedicine services with a pair of identity and password. Formal security analysis using BAN logic [52] and the AVISPA tool [67] was given. We also gave a performance analysis and proved that the proposed scheme is more efficient than the previous compared schemes, and that the computational complexity of the user in the proposed scheme is not related to the number of servers. Moreover, the proposed scheme is suitable for asynchronous and synchronous telemedicine, and patients have data ownership because the user can control and decide the data's destination and time of transmission.