A Rivest–Shamir–Adleman-Based Robust and Effective Three-Factor User Authentication Protocol for Healthcare Use in Wireless Body Area Networks

In healthcare, wireless body area networks (WBANs) can be used to continuously collect patient body data and to assist physicians in providing real-time medical services to patients. In such security- and privacy-critical systems, the user authentication mechanism is fundamentally expected to prevent illegal access and the privacy leakage caused by intrusion. Currently, a significant number of new WBAN-oriented authentication protocols have been designed to verify user identity and to ensure that body data are accessed only under a session key. However, these newly published protocols still compromise session key security and user privacy because they lack forward secrecy, mutual authentication, user anonymity, etc. To solve this problem, this paper designs a robust user authentication protocol in which each communicating entity verifies the other party's identity by checking the integrity of the message that party sent. Compared with existing protocols, the presented protocol enhances security and privacy while maintaining computational efficiency.


Introduction
With the development and maturity of wireless communication technologies, wireless networks have been widely used to obtain specific information, and this has had a profound impact on how we live, work, and play. Wireless body area networks (WBANs), as a promising application of wireless networks in healthcare, have attracted significant attention because of their foreseeable potential to improve the quality of healthcare services. As defined in the IEEE 802.15.6 standard [1], WBANs are composed of wearable, implantable, and invasive intelligent electronic devices around the human body; currently, most wireless medical devices operate in the 2.4 GHz band [2].
As shown in Figure 1, electroencephalogram (EEG) sensors can monitor different types of brain waves, electromyography (EMG) sensors can test muscle activity, electrocardiogram (ECG) sensors can detect the electrical signals of the heart, and pulse oximeter (POT) sensors can measure hemoglobin in the blood. These devices, i.e., EEG, EMG, ECG, and POT sensors, have been used to assist physicians with human gait analysis, postoperative rehabilitation monitoring, sleep quality detection, and respiratory disease prevention [3]; they thus enable physicians to provide timely medical services without geographical limitations. However, the openness of wireless communication undoubtedly runs the risk of unfettered illegal access, which may, on the one hand, distort professional diagnosis and treatment and, on the other hand, leak patients' vital and sensitive personal physiological data. With so much real-time data traveling from body area sensor nodes to physicians, just as much attention must be paid to security and privacy issues as to vaccine research and the elimination of COVID-19 [4].
Fortunately, a user authentication mechanism, as the first line of defense in information security that establishes the authenticity of users, is what is required to protect these key real-time medical data from unauthorized access. As with wireless medical sensor networks (WMSNs) [5], WBANs consist of ad hoc sensor networks that are continuously carried by patients, attached to their bodies, to sample patient body data. Specifically, authentication for WBANs involves three indispensable participating entities (shown in Figure 2): a user (U), a gateway node (GWN), and a series of body area sensor nodes (BASNs). The U is often the physician who holds the smart card, the GWN can be a personal digital assistant (PDA), which can be recharged, and the BASNs are suitably deployed on patients' bodies and continuously collect medical data [6]. After mutual authentication among the three entities, a negotiated session key between the user and the BASNs is generated with the help of the GWN. However, considering the security threats in existing WBAN-oriented authentication schemes (such as no forward secrecy for the session key, no user anonymity, and other unavoidable attacks) and the energy budget of resource-constrained sensor nodes, designing a solution that strengthens both efficiency and security and achieves a good balance between them is a challenge [7]. To meet this challenge, we use the Rivest-Shamir-Adleman (RSA) cryptosystem [8] only to protect the secret values; we keep RSA out of the session key computation to preserve efficiency, and we add secret values and the "modulus" operation to enhance security. We then consider a three-factor authentication scheme, which is better suited to WBANs with limited resources.

Motivations and Contributions
WBANs, guarded by an authentication mechanism, can avoid unauthorized access by malicious attackers. However, existing alternatives show deficiencies, either in performance or in robust security. In addition, a greater number of solutions compromise security in favor of higher efficiency. This compromise motivates the design of an efficient user authentication scheme with robust security. Accordingly, the three research works listed below are our contributions:
(1) The design of a user authentication protocol for WBANs.
Firstly, we present the detailed user authentication system model for WBANs and then give a complete three-factor (namely smart card, password, and the user's personal biometric information) user authentication protocol, which achieves mutual authentication among the user, the gateway, and the BASNs. Meanwhile, this protocol offers a user-friendly property whereby the user can locally change or update their password without interacting with the gateway, and it enables BASN deletion/addition at will.
(2) A detailed security analysis of the proposed protocol.
Second, while preserving user anonymity, a session key is securely established between the user and the BASNs. The proposed protocol is then shown to be provably secure by a formal security analysis in the random-or-real model. Moreover, a heuristic security analysis has been carried out to show that the proposed protocol obtains various desirable features and resists all known attacks.
(3) Complete performance comparisons for the proposed scheme.
Third, performance comparisons covering storage, communication, and computation costs have been performed between our protocol and other existing relevant protocols. They show that the proposed protocol obtains a better balance between efficiency and security than the alternatives.
To give readers a road map of what to expect, the rest of this paper is organized as follows. Related work is introduced in Section 2, and preliminaries are given in Section 3. The designed protocol is detailed in Section 4. In Section 5, a full security analysis of the proposed protocol is presented, together with the performance evaluation. A final conclusion is drawn in Section 6.

Related Work
Kumar et al. [9] were the first to propose an authentication protocol for securing communications in medical healthcare. Since then, a large number of related authentication protocols have been developed to enhance protocol security and performance efficiency [10][11][12][13][14][15][16][17].
In one of these works, Mo et al. [10] highlighted that common attacks (the password guessing attack and the desynchronization attack) still threaten the security of the designed protocols. They then gave some countermeasures to thwart the vulnerabilities, e.g., using the "modulus" operation to resist the password guessing attack, and keeping the parameters unchanged to resist desynchronization attacks. Similarly, Khan et al. [11] examined an existing scheme and pointed out that it cannot guarantee the security of passwords, has no forward secrecy of the session key, and has no user anonymity [11]. Following this, based on the findings of [11], Khan et al. [12] offered an improved user authentication scheme for healthcare applications and showed that their scheme is more robust than the other analyzed schemes.
In 2013, He et al. [13] listed seven functionality requirements of an authentication solution and then presented a robust anonymous authentication protocol for healthcare. Later, the work in [14] found that He et al.'s scheme had an incorrect authentication and session key agreement phase and no wrong-password detection mechanism. They then introduced biometric information as the third authentication factor and designed a three-factor authentication solution to remove the drawback of the scheme in [13]. However, Das et al. [15] showed that the scheme presented in [14] could not resist the privileged-insider attack or the sensor node capture attack, and they developed a more secure biometric-based user authentication scheme. Theirs was more secure than the schemes proposed in [13,14], and BAN logic together with the AVISPA tool was additionally used to prove the security of their proposed scheme.
Focusing on securing communication in wireless healthcare sensor networks, the authors of [16] presented a three-factor user authentication and key agreement protocol. Their work considered a more user-friendly re-registration property to accommodate cases in which a user has lost their smart card or had it stolen. Aiming to resolve security issues in telecare medicine information systems, Ostad et al. [17] developed an enhanced, anonymous, and unlinkable user authentication and key agreement protocol that provides perfect forward secrecy, patient anonymity, and unlinkability. However, the security of the password could not be preserved because, in their protocol, the patient directly submits the bare information OPW_p to the server, which allows the server to easily guess the password.
Afterwards, for securing authentication in WBANs, Zhang et al. [18] proposed a privacy-preserving authentication protocol between the user and the telecare medical server, in which the session key obtains forward secrecy through a chaotic map; however, their scheme inevitably suffers from user identity leakage and password guessing attacks (i.e., an insider attacker guesses PW_i^* and then checks whether the guess is correct). Very interestingly, for authentication with access control in medical settings, Soumya Banerjee et al. [19] designed a user authentication and session key exchange protocol in which a physician, according to their medical department and professional title, obtains mutual authentication only with the designated sensing devices, while anyone who has been revoked or whose authentication credential has expired cannot obtain authentication anymore. However, we find that their scheme is under threat due to the absence of forward secrecy, leaving it vulnerable to the password guessing attack and the node capture attack [20]. In a cloud-of-things-centered wearable device monitoring system, the research work in [22], based on the Chinese Remainder Theorem (CRT) [21], presented a secure user authentication with access control scheme whose functionality is similar to that of [19]; notably, for forward secrecy, they adopted the principle that the long-term key need not be involved in constituting the session key. However, significantly more storage resources are consumed in their scheme, which should be optimized.
Using the well-known RSA cryptosystem, Dharminder et al. [23] propounded an RSA-based authentication protocol for two communicating entities, the user and the telecare server; however, its security flaws, including vulnerability to the password guessing attack, the absence of forward secrecy, and the absence of user anonymity, should be mitigated.
To provide forward secrecy of the session key, Mahdi Fotouhi et al. [24] offered a robust WBAN-oriented authentication scheme. Their scheme obtains perfect forward secrecy (PFS) by adopting secret and updated dynamic authentication credential (DAC) parameters [25]; however, if the adversary is considered to be an administrator of the gateway, their scheme fails to provide internal anonymity [26]. Meanwhile, a very large amount of storage is consumed to hold the indispensable information, including the user data and the data of hundreds or thousands of medical devices.
In contrast to the general centralized system architecture, a blockchain-based authentication scheme [27] was proposed to mitigate the single point of failure and the trust problem. In their scheme, through a certificate-free authenticated key agreement, each PDA in the WBANs is authenticated by the blockchain nodes, and the security-critical medical data are then stored in the blockchain. Through blind signature technology, each node can verify the authenticity of an entity that wants to query the medical data.
In 2021, Masud et al. [28] used the physical unclonable function (PUF) [29] to design a robust user authentication and key establishment scheme that attains perfect anonymity through a very large set of challenge-response pairs. However, to preserve forward secrecy, all entities in the scheme must run the verification operation at least twice during the authentication phase.
To obtain superior authentication performance, a lightweight WBAN-oriented scheme [30] was proposed in which a session key is established between the sensor node and the hub node. However, it was shown to be deficient in that there is no mutual authentication among the three entities (access point, hub node, and sensor node), which creates obstacles in real-world applications. Xie et al. [31] then showed that the protocol of [30] cannot resist a stolen-verifier attack and has no perfect forward secrecy, and they proposed a robust patient monitoring authentication scheme based on elliptic curve cryptography (ECC) [32], whose formal security proof demonstrates its security. However, it still lacks mutual authentication between the relay node and the sensor node.
To obtain mutual authentication among all entities, Narwal et al. [33] demonstrated mutual authentication among three entities (sensor node, mid node, and chief node). However, their scheme still weakens the session key's forward secrecy and its resistance to the node capture attack. Focusing on the WBAN scenario, the authors of [34] offered a mutual authentication protocol for securing communication between body sensor units (BSUs) and the administrator (Adm), in which the session key has forward secrecy. However, the anonymity of identity should be improved if one considers the GWN as an insider attacker.
In summary, existing alternatives show deficiencies, either in performance or in robust security. Furthermore, a greater number of solutions compromise security in favor of higher efficiency. It is therefore necessary to design an authentication protocol with higher efficiency that also preserves robust security.

System Model
The system model shown in Figure 3 consists of three entities: the physicians, the gateway node (GWN), and a series of body area sensor nodes (BASNs). The GWN computes and then relays messages between physicians and BASNs; BASNs are constantly carried on a patient's body and collect real-time data from the body; and the physicians are the entities that directly access the data from the BASNs to monitor patients and then provide timely medical service. Note that, in Figure 3, the information packets on the secure channel are transmitted during the registration phase, and the information packets on the public channel numbered 1 to 4 are transmitted during the authentication and key agreement phase. We now introduce the implementation of authentication and key agreement among the three entities. In the beginning, the GWN initializes the authentication system and generates a long-term key, a secret key value, and the other public parameters. Then, when a physician (denoted U_i) registers with the GWN through the secure channel, they send the registration request to the GWN, and the GWN securely sends a smart card to U_i (information packets shown on the left). For the registration of the BASNs, which also occurs through the secure channel, these nodes only need to submit their identities to the GWN, and they then receive the identity-related secret values computed by the GWN (information packets shown on the right).
In the subsequent authentication, U_i first submits a login request to the GWN (number 1); the GWN then verifies the identity of U_i based on the login request and sends a verification message to the BASNs (number 2). After receiving the verification message, the BASNs first verify the GWN and compute a message consisting of a session key and the relevant authentication parameters, and then send this message to the GWN (number 3). After obtaining the message from the BASNs, the GWN verifies the BASNs and forwards the message with the newly embedded session key to U_i. Finally, U_i authenticates the GWN, obtains the key parameters from the received message, and then recomputes the session key (number 4).

RSA Cryptosystem
As a public key cryptosystem, the Rivest-Shamir-Adleman (RSA) encryption and decryption algorithm [8], whose security rests on the hardness of factoring large numbers, is described below with an example of a message sender S sending a message m to a message receiver R.
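As an added worked example, not taken from the paper, the following Python code implements the textbook RSA key generation, encryption, and decryption that the S → R exchange above sketches. Key generation draws two primes of equal length with a Miller-Rabin test, mirroring the |p| = |q| setup used later in the security proof; the small primes p = 61, q = 53 used in the self-check are constructed for readability and are far too small for real use, and e = 65537 is a conventional public exponent that the paper does not prescribe.

```python
"""Textbook RSA, added as a worked example of the sender S -> receiver R
exchange sketched above; this is not the paper's code. Bit sizes, the public
exponent and the sample primes are constructed for illustration only."""
import math
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness proves n composite
    return True


def gen_prime(bits: int) -> int:
    """Random odd prime with exactly `bits` bits (top bit forced to 1)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keypair_from_primes(p: int, q: int, e: int = 65537):
    """Receiver R: n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi.
    Returns the public key (n, e) and the private key (n, d)."""
    if p == q or not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python >= 3.8)
    return (n, e), (n, d)


def keygen(bits: int = 1024, e: int = 65537):
    """Receiver R: two primes of equal length, |p| = |q|."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        try:
            return keypair_from_primes(p, q, e)
        except ValueError:
            continue  # p == q or gcd(e, phi) != 1: draw again


def encrypt(pub, m: int) -> int:
    """Sender S: c = m^e mod n. The plaintext must be an integer in [0, n)."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message out of range for this modulus")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    """Receiver R: m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def roundtrip(bits: int = 512, m: int = 0xC0FFEE) -> bool:
    """Self-check: S encrypts m under R's public key and R recovers it."""
    pub, priv = keygen(bits)
    return decrypt(priv, encrypt(pub, m)) == m
```

Textbook RSA as written is deterministic and unpadded, so the same secret value always maps to the same ciphertext; production code wraps the value with a randomized padding scheme such as OAEP before exponentiation. In the proposed protocol, RSA is used only to protect secret values and never to derive the session key itself.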

Threat Model
The Dolev-Yao model [35], which depicts the adversary's capabilities, has been widely applied to analyze the security of authentication protocols. More recently, the work in [20] further summarized the capabilities of adversaries in order to fully assess proposed schemes. In this more sophisticated threat model, an attacker A is described as having seven capabilities, (A-1) to (A-7), as outlined below:
• (A-4) A can obtain previous session keys established between the physician (user) and a body area sensor node (BASN).
• (A-5) A can obtain the GWN's secret key when we consider the system's eventual failure.
• (A-6) A can break some BASNs, i.e., extract the sensitive data stored therein, and control the broken BASN to join the next new communication among the GWN, other users, and body area sensor nodes.
• (A-7) A may register as a legitimate user or as the administrator of the GWN, but only when the security of the user's password is being assessed.

The Proposed Protocol
In this part, the following indispensable phases, covering user/body area sensor node registration, user/body area sensor node mutual authentication, password change, and body area sensor node deletion and addition, constitute a robust RSA-based three-factor user authentication and key agreement protocol. Furthermore, we reinforce the session key's security and user anonymity as follows:
1. To achieve forward secrecy, the session key is computed from the secret values of the user and the BASNs rather than from the GWN's long-term key x. Even if the adversary obtains x, they cannot corrupt the session key. Furthermore, the RSA-based encryption and decryption algorithm is used only to protect the secret values of the user and the BASNs and is not involved in the computation of the session key, which preserves efficiency.
2. To preserve user anonymity, in the registration phase the user submits only the hashed value A_0 to the GWN, so no real identity information is exposed to the adversary (identity protection); in the verification phase, a dynamic pseudo-identity PID_i is allocated to the user. The randomness of PID_i prevents the adversary from deciding whether two sessions come from the same user (untraceability).
To help readers understand the proposed protocol, the notations used in this paper are explained in Table 1. Next, we give a detailed description of the proposed protocol.

System Setup Phase Run by GWN
Given a security parameter n, the GWN chooses a long-term key x ∈ {0, 1}^n and keeps x secret.

Registration Phase of User and BASN
The registration phase enables the user and the body area sensor nodes (BASNs) to register their identity information at the GWN; meanwhile, the user and the BASNs receive feedback from the GWN so that they are ready for future identity authentication. Specifically, two parts are involved: one for the BASN and one for the user/physician (U_i).
For the registration of a body area sensor node MS_j, MS_j sends its identity MIS_j to the GWN over the secure channel. Upon receiving the registration request from MS_j, the GWN computes x_j = h(MIS_j || x) and then returns x_j to MS_j, also over the secure channel. Meanwhile, the GWN publishes a revocation list L_revoke, which will store the identities of deleted sensor nodes.
For a new user U_i to register, they need to follow the three steps below with the help of the GWN.

• Step 1. U_i ⇒ GWN: A_0. U_i chooses their own ID_i and PW_i and a random value r, and computes A_0. Then, U_i sends the value A_0 to the GWN over the secure channel.
• Step 2. GWN ⇒ U_i: {PID_i, BKG(·), A_1, Cou}. From the received A_0, the GWN first generates a pseudo-identifier PID_i, computes A_1, and then injects the values PID_i, BKG(·), A_1, Cou into the smart card, where "Cou" denotes the maximal number of times (such as 3) the user may try to log in with the smart card if they forget the correct password. Lastly, the GWN returns the smart card to U_i over the secure channel.
• Step 3. After obtaining the smart card from the GWN, U_i inputs their biometric information bio_i into the smart card, and the smart card further computes V_i, HPW_i, and A_2. In the end, the smart card updates A_1 = V_i ⊕ HPW_i and stores <PID_i, BKG(·), A_1, A_2, Cou>.

User Login Phase
In the login phase, U_i must first be verified by the smart card. Once the smart card verifies U_i's legitimacy, U_i successfully logs in using the smart card, and the smart card generates an authentication request for U_i. Finally, the smart card transmits this request packet to the GWN. Specifically, U_i enters (ID_i^*, PW_i^*) and their own biometric information bio_i^*; the smart card then computes A_2^* = (·) mod n_0 and checks whether A_2^* = A_2, where A_2 was stored in the smart card during the registration phase (Step 3). If A_2^* ≠ A_2, the smart card terminates this session and at the same time sets Cou = Cou + 1. If Cou exceeds a certain value, such as 3, the smart card is suspended until the physician U_i re-registers with the gateway. Otherwise, the smart card releases the registration information V_i; meanwhile, the user's terminal (e.g., a personal computer or laptop) initializes a pair of RSA parameters (e_i, d_i), where e_i is the public key and d_i is the private key, selects a random value r_u ∈ Z_p^*, selects the body area sensor node MS_j with identifier MIS_j whose data U_i needs to acquire, and extracts the timestamp T_1. Then, it computes the values B_1, B_2, and B_3. In the end, U_i sends the request packet {PID_i, B_1, B_2, B_3, T_1} to the GWN over the open channel. It is worth noting that, in computing B_1, to keep the '⊕' operation well defined, the size of h(V_i) || e_i must equal the size of h(r_u || T_1); to achieve this, h(r_u || T_1) is padded with 0 in its upper part.
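The following Python code is an added example, not the paper's own, of the two concrete computations this phase fixes: the zero-padded XOR that forms B_1 from h(V_i) || e_i and h(r_u || T_1), and the session-key derivation SK = h(h(r_u || T_1) || r_s || h(V_i)) that the paper's security proof states. It assumes h is SHA-256, that '||' is byte concatenation, that e_i is serialized big-endian, and that the GWN has already recovered r_u from the rest of the login message (the paper elides how); all sample values are constructed.

```python
"""Added example (not the paper's code): the zero-padded XOR used to form
B_1 in the login phase, and SK = h(h(r_u||T_1) || r_s || h(V_i)) as stated
in the paper's proof. Assumptions: h is SHA-256, '||' is byte concatenation,
e_i is serialised big-endian. Sample values are constructed."""
import hashlib


def h(*parts: bytes) -> bytes:
    """h(a||b||...) with SHA-256 (assumed; the paper leaves h abstract)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor_padded(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings of possibly different length. The shorter one is
    left-padded with zero bytes, i.e. zeros are added to its upper part, which
    is how the paper aligns h(r_u||T_1) with h(V_i)||e_i."""
    width = max(len(a), len(b))
    return bytes(x ^ y for x, y in zip(a.rjust(width, b"\x00"),
                                       b.rjust(width, b"\x00")))


def exposed_prefix_len(payload_len: int, mask_len: int) -> int:
    """Leading payload bytes that a zero-padded mask leaves unchanged
    (x XOR 0 = x). A design check: those bytes travel in the clear."""
    return max(0, payload_len - mask_len)


def encode_e(e_i: int) -> bytes:
    """Big-endian encoding of the RSA public exponent e_i (assumed format)."""
    return e_i.to_bytes((e_i.bit_length() + 7) // 8 or 1, "big")


def build_b1(v_i: bytes, e_i: int, r_u: bytes, t_1: bytes) -> bytes:
    """User side: B_1 = (h(V_i) || e_i) XOR h(r_u || T_1)."""
    return xor_padded(h(v_i) + encode_e(e_i), h(r_u, t_1))


def open_b1(b_1: bytes, r_u: bytes, t_1: bytes):
    """GWN side, given r_u: strip the mask, then split off h(V_i)
    (32 bytes for SHA-256) and e_i."""
    plain = xor_padded(b_1, h(r_u, t_1))
    return plain[:32], int.from_bytes(plain[32:], "big")


def session_key(r_u: bytes, t_1: bytes, r_s: bytes, v_i: bytes) -> bytes:
    """SK as given in the proof. The GWN's long-term key x is not an input,
    which is the basis of the paper's forward-secrecy argument."""
    return h(h(r_u, t_1), r_s, h(v_i))


def demo() -> dict:
    """Constructed run: U_i builds B_1, the GWN opens it, and the helper
    reports how many top bytes the 32-byte mask did not cover."""
    v_i, e_i = b"constructed V_i", 65537
    r_u, t_1 = b"constructed r_u", b"1700000000"
    b_1 = build_b1(v_i, e_i, r_u, t_1)
    hv, e_recovered = open_b1(b_1, r_u, t_1)
    return {
        "b1_len": len(b_1),
        "hv_ok": hv == h(v_i),
        "e_ok": e_recovered == e_i,
        "clear_bytes": exposed_prefix_len(len(b_1), 32),
    }
```

With a 32-byte hash and a 3-byte e_i the payload is 35 bytes, so the padded mask leaves the top three bytes of h(V_i) unchanged on the wire; `exposed_prefix_len` makes that arithmetic explicit so an implementer can choose output lengths where nothing secret falls in the padded region. `session_key` takes only r_u, T_1, r_s and V_i, which is the property the paper relies on for forward secrecy.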

Verification Phase of the User, the GWN, and the BASNs
In the verification phase, all three entities, U_i, the GWN, and MS_j, verify each other's identities, and then U_i and MS_j negotiate a session key SK to protect secret information in future communications.

• Step 1. GWN → MS_j: {B_4, B_5, B_6, T_2}. Given the login request from U_i, the GWN first checks whether |T_c − T_1| < ΔT, where T_c and ΔT are the current timestamp and the allowed time gap, respectively. If so, the GWN computes MIS_j^*. The GWN then checks whether MIS_j^* ∈ L_revoke. If so, the authentication request for MIS_j^* (i.e., MIS_j) is not valid, and the GWN discards this login request. Otherwise, the GWN further computes B_3^* and checks whether B_3^* = B_3; if not, this session concludes. Otherwise, the GWN selects a nonce or random value r_g ∈ Z_p^*, extracts the timestamp T_2, and then obtains B_4, B_5, and B_6. Next, the GWN transmits {B_11, B_12, B_13} to the physician U_i.
• Step 4. On receiving the feedback from the GWN, U_i computes SK^* and B_13^*. After that, U_i checks whether B_13^* = B_13; if so, U_i accepts SK^* as SK. Furthermore, U_i updates the stored values.

User Password Change Phase
The password change phase enables the user to update their password at will. Specifically, it consists of two parts: user identity verification, performed by the smart card, and updating the parameters PW_i, A_1, and A_2, performed by the user. That is, U_i submits only their old password to the smart card, as in the login phase. After the smart card verifies U_i's legitimacy by checking whether A_2^* = A_2, it allows U_i to choose a new password PW_i^new and updates the parameters A_1 and A_2 accordingly.

Body Area Sensor Node Deletion Phase
Given that some nodes may be compromised or run out of their limited energy (take MS_j as an example), the GWN directly revokes this sensor node and puts MS_j's identity MIS_j into the revocation list L_revoke. Lastly, the GWN broadcasts L_revoke to all communicating entities within the WBAN.

Body Area Sensor Node Addition Phase
In this part, the proposed protocol offers a dynamic node addition phase to meet the need for persistent real-time data collection from the patient. When a new node MS_t needs to be added to the existing architecture, the GWN simply assigns an identifier MIS_t, computes x_t = h(MIS_t || x), and sends x_t to MS_t. The new body area sensor node MS_t then stores x_t in its secure memory.
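As an added example (not the paper's code), the Python class below gathers the GWN-side bookkeeping for sensor nodes that the registration, deletion, and addition phases describe, together with the two admission checks the verification phase applies to a login request before any integrity check: timestamp freshness |T_c − T_1| < ΔT and MIS_j ∉ L_revoke. It assumes SHA-256 for h and seconds for ΔT; the refusal to re-admit a revoked identifier is an added safeguard that follows from x_j being a deterministic function of (MIS_j, x), not a step the paper states.

```python
"""Added example (not the paper's code): GWN-side handling of body area
sensor nodes. x_j = h(MIS_j || x) at registration/addition, the revocation
list L_revoke of the deletion phase, and the verification-phase pre-checks
on a login request. SHA-256 is assumed for h; Delta_T is in seconds."""
import hashlib


def h(*parts: bytes) -> bytes:
    """h(a||b||...) with SHA-256 (assumed; the paper leaves h abstract)."""
    return hashlib.sha256(b"".join(parts)).digest()


class Gateway:
    def __init__(self, x: bytes, delta_t: float = 5.0):
        self._x = x              # long-term key x; never leaves the GWN
        self.delta_t = delta_t   # allowed clock gap Delta_T (assumed unit: s)
        self.l_revoke = set()    # published revocation list L_revoke

    def node_secret(self, mis: str) -> bytes:
        """x_j = h(MIS_j || x). Deterministic, so the GWN need not store it."""
        return h(mis.encode(), self._x)

    def add_node(self, mis: str) -> bytes:
        """Node addition phase: the value handed to MS_t over the secure
        channel. Because x_t is a pure function of (MIS_t, x), re-admitting a
        revoked identifier would reissue the very same secret, so refuse it
        (added safeguard, not in the paper)."""
        if mis in self.l_revoke:
            raise ValueError(f"{mis} is revoked; assign a fresh identifier")
        return self.node_secret(mis)

    def revoke_node(self, mis: str) -> frozenset:
        """Deletion phase: add MIS_j to L_revoke; returns the list to broadcast."""
        self.l_revoke.add(mis)
        return frozenset(self.l_revoke)

    def admit_login(self, mis: str, t_1: float, t_c: float) -> str:
        """Verification-phase pre-checks on a login request naming MIS_j with
        timestamp T_1, evaluated at current time T_c. Returns 'ok', 'stale'
        or 'revoked'; the B_3 integrity check would follow an 'ok'."""
        if abs(t_c - t_1) >= self.delta_t:
            return "stale"      # replayed or badly skewed request
        if mis in self.l_revoke:
            return "revoked"    # node deleted; request is not valid
        return "ok"
```

The freshness window is checked before the revocation list because it costs nothing and discards replays first; both checks precede any hashing over the request, so a flood of stale or revoked requests never reaches the B_3 recomputation.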

Analyses of the Proposed Protocol
Here, we provide analyses of the proposal, including a security analysis and a performance analysis. The security analysis comprises a provable security proof and a heuristic analysis, which show that our scheme is robust. The performance analysis then compares our scheme with other new WBAN-oriented schemes, to indicate that the proposed protocol can be applied in real-world use.

Formal Security Analysis of The Proposed Protocol
As an effective method of proving the semantic security of a protocol, the formal security analysis covers two aspects. That is, given the adversary model shown in Section 3, we (1) first introduce the formal proof setting and state the security objectives of the protocol in Section 5.2, and (2) then, in Section 5.3, give Theorem 1 to bound the advantage of the adversary in breaking the session key of the protocol.

Introductions for Formal Proof
In the proposed protocol P, three participants are involved: a physician U_i, a gateway node GWN, and a body area sensor node MS_j. Initially, the simulator sets up the RSA encryption and decryption algorithm over two large primes p, q with |p| = |q|. Next, U_i obtains their own information {ID_i, PW_i, Bio_i} and a smart card containing {PID_i, BKG(·), A_1, A_2, Cou}; the GWN generates a long-term key x; MS_j keeps its identity and secret key pair MIS_j, x_j.
During the proof, the three entities U_i, GWN, and MS_j are instantiated as ∏^u_{U_i}, ∏^g_{GWN}, and ∏^m_{MS_j}, respectively. These instances are uniformly denoted ∏^t when there is no need to tell them apart. If the input message is valid, incorrect, or null, the state of the instance (as an oracle) becomes accept, reject, or "⊥", respectively, where "⊥" means there is no response to the input.
Here, we define some terms used in this proof.
• Accepted state: when an instance ∏^t receives the last expected protocol message, ∏^t enters the accepted state. In this session, the ordered concatenation of all communicated messages determines the session identifier.
• Adversary: based on the information received by issuing queries to the oracles and controlling the simulator, an adversary A attempts to compromise the security of the authentication messages and to reconstruct the session key of protocol P. The queries A can launch are the following:
- Execute(∏^u_{U_i}, ∏^g_{GWN}, ∏^m_{MS_j}). This query simulates the entire authentication process, and A obtains the messages communicated among U_i, GWN, and MS_j.
- Send(∏^t, l). A can launch an active attack against a participating instance ∏^t with a message l. If ∏^t receives a valid l, the simulator responds to A; otherwise, the simulator ends the query.
- Reveal(∏^t). With this query, A obtains the session key computed by ∏^t (and its partner).
- Corrupt(∏^u_{U_i}, α). With this query, A obtains the authentication factors stored by the user U_i according to the value of α. That is, the oracle exposes to A the password (α = −1), the data stored in the smart card (α = 0), or the biometric information Bio_i (α = 1), respectively.
- Corrupt(∏^g_{GWN}). With this query, A learns the long-term key x.
- Corrupt(∏^m_{MS_j}). With this query, A obtains the secret value of MS_j.

• Freshness: if the session key between U_i and MS_j has not been revealed to A through a Reveal query, then the instance ∏^u_{U_i}, ∏^g_{GWN}, or ∏^m_{MS_j} is fresh.
• Test(∏^t): A may issue this query only once. By the protocol P, the instance ∏^t can only be ∏^u_{U_i} or ∏^m_{MS_j}. Formally, if the instance ∏^t has not computed a session key, or ∏^t is not fresh, or Test(∏^t) has been queried before, then the test query outputs "⊥" (null). Otherwise, the oracle flips an unbiased coin b. If b = 1, the adversary A receives the real session key; if b = 0, A obtains a random string of the same length as the real session key.
• Semantic security: given a protocol P, a probabilistic polynomial time (PPT) adversary A requests new instances for a series of queries, including the Execute, Send, Corrupt, and Test queries. A then tries to break the protocol P by guessing the value of b in the Test query and outputting a guess b^*. Let Succ(A) denote the event that A guesses b correctly, i.e., b^* = b. The advantage of A in breaking the semantic security of protocol P with respect to the session key is defined as follows:

Semantic Security Proof of The Protocol
In this part, we show the proposed protocol's semantic security evaluation in the view of a theorem.Theorem 1.Let P be the proposed protocol, |D| be the space of a password, and n be the system security parameter.After making a series of queries-including execute-query q e times, send query q s times, hash query q h times, and bio-hashing query q BKG(•) times-the advantage Adv P,D A of A breaking the semantic security of SK in P is less than Proof.By the games chain, involving Game 1 -Game 8 , we now prove that the adversary's advantage in breaking the semantic security of session key is factually negligible.Furthermore, set Succ i to the event in which A successfully guesses the b in the test query of Game k , where k = 1, 2, • • • , 8. Game 1 : this game simulates a real attack by the random oracle.A bit b is then randomly chosen at the beginning of this game.Thus, Game 2 : this game shapes a hash list Ω h and a BKG(•) list Ω BKG(•) .Say that A initiates a hash query h(γ), then the hash oracle Θ h takes γ to retrieve Ω h .If a hash value h(γ) is retrieved in Ω h , then Θ h responds the hash value.Otherwise, a random string ψ will be sent to A; meanwhile, (γ, ψ) is stored in Ω h .
For BKG(•)'s oracle Θ BKG(•) , its simulation is simulated in the same way as the hash oracle Θ h .By the known list in this game, A performs the Test-query to tell the real session key and the random value apart.For SK = h(h(r u ||T 1 )||r s ||h(V i )), secret values only include U i 's r u , V i , and MS j 's r s .Hence, A has no way to compute SK and to distinguish whether b = 0 or b = 1 other than to guess.
Thus, compared with Game_1, A's chance of winning Game_2 does not increase despite its eavesdropping, i.e.,

Game_3: In this game, A can execute an active send query or hash query to try to persuade a communication entity to accept a forged message. Compared with Game_1 and Game_2, A's advantage may be enhanced by finding a collision that yields a valid message. That is, if one of the following collisions occurs, this game aborts.
(i) A collision is found in the hash values or in the outputs of BKG(·); the probability is , where l_1 and l_2 denote the output length of the hash function and of BKG(·), respectively.
(ii) Another collision is found in the choice of the random numbers r_u, r_g, r_s; the probability is .
Thus, we have:

Game_4: In this game, A wants to guess B_3, B_6, B_9, B_13 without asking the hash query. Obviously, we obtain:

Game_5: In this game, A tries to guess A_2 without asking the hash query. Similarly, we obtain:

Game_6: In this game, by the corrupt(∏^u_{u_i}, α) query, A computes A_1. There are three cases to consider.

• Case 1, i.e., corrupt(∏^u_{u_i}, α = −1, 0): the probability that A guesses the user's biometric information is less than

• Case 2, i.e., corrupt(∏^u_{u_i}, α = 1, 0): with the technology of "fuzzy keywords + honeywords", the probability that A guesses the physician's password is no more than C·q_send^s [36,37]. Here, C and s are constants that depend on the password dataset and can be obtained through linear regression. Taking the Gmail password dataset [38] as an example, C = 0.020963 and s = 0.225653.

• Case 3, i.e., corrupt(∏^u_{u_i}, α = −1, 1): the probability that A guesses the values of A_1 is less than

Therefore, we obtain:

Game_7: This game describes the attack in which A aims to compromise the body area sensor node MS_j by performing the corrupt(∏^m_{MS_j}) oracle; A then obtains the secret value x_j and, further, the RSA-wrapped nonce (r_s)^{e_i}. However, A cannot retrieve r_s from (r_s)^{e_i}, since there is no PPT solution to the large number factorization problem [8]. Therefore, we have:

Game_8: In this attack, A tries to calculate SK. At this time, A can no longer query the execute, send, or corrupt oracles. Similarly to the analysis of Game_7, A cannot compute r_s from (r_s)^{e_i}. In other words, A's advantage in Game_8 equals its advantage in Game_7. Thus, we have:

Up to now, we have obtained that A has no non-negligible advantage beyond 1/2, and so Pr[Succ_8] = 1/2. From Equations (1)–(8) and the triangle inequality, we obtain the following deduction with ∆ = 2(C·q_send^s + Adv^RSA_A(n)):

In conclusion, if the adversary wants to break the semantic security of the session key, then its advantage Adv^{P,D}_A can only be negligible, being less than

Heuristic Security Analysis of The Proposed Protocol
The heuristic method [7] does not involve any complex formula. It is a very effective and simple method that allows a concise security analysis of the protocol. In this part, we show that our designed protocol provides not only the desired attributes but also resistance against a variety of known attacks.

• Mutual authentication. The proposed scheme obtains mutual authentication, since U_i and the GWN authenticate each other bidirectionally by checking whether B*_3 = B_3 and B*_13 = B_13, respectively. Then, through MS_j checking whether B*_6 = B_6 and the GWN checking that B*_9 = B_9, the GWN and MS_j authenticate each other.
• Session key agreement. Session key agreement means that no one can pre-compute the session key alone, without interacting with another entity. In the proposed scheme, SK = h(h(r_u||T_1)||r_s||h(V_i)) contains an indispensable part from U_i (the secret parameter r_u) and from MS_j (the secret parameter r_s), and so our scheme meets this attribute.
• Forward secrecy. Forward secrecy holds if previously established session keys remain secure on the condition that the long-term secret, i.e., the GWN's x, is corrupted. Suppose that the attacker knows x; they can then obtain PID_i from the open channel, compute V_i = h(PID_i||x), and then obtain h(r_u||T_1). Even so, they cannot retrieve r_s because of the hardness of large number factorization in RSA [8]. That is, the scheme obtains forward secrecy.
• User anonymity. User anonymity consists of identity protection, meaning that the user's identity cannot be figured out by the adversary, and un-traceability, which guarantees that the adversary can neither determine who the user is nor distinguish whether two occurrences of data interaction come from the same user. For identity protection, in the registration phase, U_i only submits A_0 to the GWN, so the adversary cannot directly extract the identity information, even if the GWN is compromised. PID_i cannot be used to deduce the identity of a user during the authentication phase, so the adversary cannot capture the user's identity ID_i. As for un-traceability, the randomness of PID_i breaks the statistical property, which effectively prevents the adversary from determining whether two data behaviors come from the same entity.
• Password guessing attack. Two password guessing attacks result from verification values: one uses the verification value in the smart card (attack I) and the other uses the verification value in the public channel (attack II). For attack I, even if the adversary knows the verification values A_1 and A_2 in the smart card, they cannot check the correctness of the guessed PW*_i and ID*_i, because of the congruence of the "modulus" operation in HPW_i and A_2. For attack II, the only password-related verification value is B_1. Although the adversary obtains B_1 and even owns A_1, they cannot verify the correctness of the guessed PW*_i and ID*_i, because the indeterminacy and congruence of the "modulus" operation prevent the adversary from deciding which of the guessed values (ID*_i, PW*_i) is correct [39]. Additionally, according to the research work of [39], the space in which the adversary has to guess the identity and the password is , where 2^4 ≤ n_0 ≤ 2^8 and |D_pw| = |D_id| = 10^6. So the valid password and identity cannot be effectively guessed by the adversary, since this space, of at least about 2^32, is larger than the finite value Cou, which denotes the retry allowance of the smart card, leading to login failure for the adversary. Thus, the proposed protocol is safe against password guessing attacks.
• Body area sensor node impersonation attack. The adversary in this attack [7] is mainly a legitimate inside user. Such a user could obtain the body area sensor node's secret key x_j, leading to a faulty session key for the next new physician. In fact, this adversary cannot extract the secret x_j from B_7, B_8, B_10, since they cannot obtain the GWN's value r_g. So this attack has no favorable space in the proposed scheme.
• Desynchronization attack. Generally, after the session key is established, U_i, GWN, and MS_j have no need to update any parameters, and so a desynchronization attack is impossible. However, U_i in our scheme needs to change their pseudo-identity PID_i to PID_i^new and B_1 to B_1^new, and then checks whether h(B_1^{new*}||h(r*_s||SK*)) = B_13. Luckily, it is the verification of B_13 that guarantees the synchronized update of PID_i and B_1.
• Replay attack. The adversary in a replay attack usually sends old messages to obtain the verification of the participants. In the proposed protocol, U_i, the GWN, and MS_j choose the random numbers r, r_u, r_g, and r_s, respectively, to ensure the freshness and independence of the exchanged messages in each session. As a result, the adversary cannot obtain authentication from another party through a replay attack.
• Verifier-stolen attack. For an adversary using verifiers to launch an attack: since no verifier table associated with the user is stored in the GWN, the verifier-stolen attack cannot occur.
• Privileged insider attack. In this attack, the adversary (even a corrupted GWN) attempts to extract the real or bare identity information of a legitimate user in the registration phase. In fact, U_i only submits A_0, which encapsulates ID_i, to the GWN, rather than the bare ID_i. Therefore, the user's identity is protected against this attack.
• Man-in-the-middle (MITM) attack. In our protocol, suppose that the adversary [40] listens to and blocks the user's login message {PID_i, B_1, B_2, B_3, T_1} and the response message {B_11, B_12, B_13} from the GWN, and extracts all the parameters of the smart card. Even so, the adversary can only try to impersonate a participant or replay the old messages. As discussed above, the proposed scheme resists the impersonation attack and the replay attack. That is, the adversary cannot be authenticated by both the user and the gateway. Hence, the proposed scheme is resistant against the MITM attack.
• Session-specific temporary information attack. This attack happens if the adversary learns the session key by obtaining short-term information such as the random values or nonces r_u, r_s. However, in our scheme, apart from the nonces, long-term information such as V_i also constitutes SK, and so this attack is infeasible for the adversary.
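As an added worked example, not the paper's code, the following Python models the Step 2 exchange behind SK = h(h(r_u||T_1)||r_s||h(V_i)) that the proof and the heuristic analysis above rely on: MS_j's freshness and B_6 checks, the RSA wrapping of r_s under U_i's public exponent e_i, U_i's recovery of the same SK, and what an attacker holding the GWN's x can still derive. Assumptions: SHA-256 stands in for h, toy-sized RSA primes, ∆T = 5 s, and h(r_u||T_1), r_g and h(V_i) are passed in unmasked because the B_4/B_5 masking is not described on this page.

```python
import hashlib
import secrets


def h(*parts: bytes) -> bytes:
    """Collision-resistant hash h(a||b||...) used by the protocol.
    SHA-256 here; the paper times SHA-1, the argument is hash-agnostic."""
    return hashlib.sha256(b"||".join(parts)).digest()


def ts(t: int) -> bytes:
    """Fixed-width encoding of an integer timestamp for hashing."""
    return t.to_bytes(8, "big")


# U_i's RSA key pair (toy-sized primes, constructed for the demo; real use needs >= 2048-bit n)
P, Q, E_I = 1000000007, 998244353, 65537
N_I = P * Q
D_I = pow(E_I, -1, (P - 1) * (Q - 1))
DELTA_T = 5  # assumed freshness window in seconds


def gwn_request(h_ru_t1, r_g, x_j, mis_j, t2):
    """GWN -> MS_j: B6 = h(h(r_u||T1)||r_g||x_j||MIS_j||T2). B4/B5 are not modelled."""
    return h(h_ru_t1, r_g, x_j, mis_j, ts(t2))


def sensor_step2(x_j, mis_j, h_ru_t1, r_g, h_vi, b6, t2, t_c, e_i, n, r_s=None):
    """MS_j's part of Step 2. Returns ((r_s)^e_i, SK) or None when the request is rejected.
    h(r_u||T1), r_g and h(V_i) are assumed already unmasked from B4/B5."""
    if abs(t_c - t2) >= DELTA_T:
        return None  # stale timestamp: session concluded (also stops plain replays)
    if h(h_ru_t1, r_g, x_j, mis_j, ts(t2)) != b6:
        return None  # B6* != B6: tampered request, or an old B6 with a refreshed T2
    if r_s is None:
        r_s = secrets.randbelow(n - 2) + 2  # nonce r_s
    r_s_bar = pow(r_s, e_i, n)  # RSA-wrapped r_s: only the holder of d_i can unwrap it
    sk = h(h_ru_t1, r_s.to_bytes(16, "big"), h_vi)  # SK = h(h(r_u||T1)||r_s||h(V_i))
    return r_s_bar, sk


def user_derive_sk(r_s_bar, d_i, n, h_ru_t1, h_vi):
    """U_i unwraps r_s with its private exponent d_i and derives the same SK."""
    r_s = pow(r_s_bar, d_i, n)
    return h(h_ru_t1, r_s.to_bytes(16, "big"), h_vi)


def attacker_with_x(x, pid_i):
    """Forward-secrecy view: an attacker holding the GWN's x recovers V_i = h(PID_i||x)
    and hence h(V_i); h(r_u||T1) is conceded too, but r_s stays inside the RSA wrap."""
    return h(h(pid_i, x))


def demo():
    """One honest session plus three rejected requests; all inputs are constructed."""
    x = b"gwn-long-term-secret-x"
    pid_i, mis_j = b"PID_i-sample", b"MIS_j-sample"
    v_i = h(pid_i, x)                 # V_i = h(PID_i||x)
    x_j = h(mis_j, x)                 # x_j = h(MIS_j||x)
    r_u, r_g = secrets.token_bytes(16), secrets.token_bytes(16)
    t1, t2 = 1700000000, 1700000001
    h_ru_t1 = h(r_u, ts(t1))
    b6 = gwn_request(h_ru_t1, r_g, x_j, mis_j, t2)
    base = (x_j, mis_j, h_ru_t1, r_g, h(v_i))
    r_s_bar, sk_sensor = sensor_step2(*base, b6, t2, t2 + 1, E_I, N_I)
    sk_user = user_derive_sk(r_s_bar, D_I, N_I, h_ru_t1, h(v_i))
    stale = sensor_step2(*base, b6, t2, t2 + 60, E_I, N_I)           # old T2
    tampered = sensor_step2(*base, bytes(32), t2, t2 + 1, E_I, N_I)  # forged B6
    replayed = sensor_step2(*base, b6, t2 + 60, t2 + 61, E_I, N_I)   # fresh T2, old B6
    return sk_sensor == sk_user, stale, tampered, replayed, attacker_with_x(x, pid_i) == h(v_i)
```

`demo()` returns `(True, None, None, None, True)`: both ends agree on SK, the three bad requests are dropped before any nonce is spent, and the x-holding attacker reaches h(V_i) but not r_s.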

Performance Analyses in Functionality and Consumed Cost
In this section, we provide detailed performance analyses covering the functionality and cost comparisons among WBAN-oriented user authentication schemes.
For a long time, indispensable design criteria have been used to evaluate the advantages and disadvantages of existing authentication protocols; they also provide guidance for designing a good protocol that balances performance and security. In accordance with the new criteria [20] and with our security analyses above, Table 2 describes 10 detailed criteria, comprising five ideal (E*) attributes and five security (C*) attributes. Furthermore, in Table 3, for the five ideal attributes, it can be observed that all schemes meet E_2, i.e., sound repairability. However, differences appear in the remaining four attributes. Specifically, the scheme in [31] does not involve the "password" as an authentication factor, so no comparison can be made (denoted by '-'). The scheme presented in [28] shows weakness in E_3, with no user or sensor node secret constituting the session key.
For the five security attributes, the sensor node capture attack threatens the session key's security, which indicates that [28,31,34] cannot meet C_4. In the scheme of [28], the user's password security and the session key's forward secrecy cannot be guaranteed, since the adversary can easily initiate an effective password guessing attack and compromise the GWN. This implies that the scheme presented in [28] cannot meet C_2, C_3, or C_5. For the schemes presented in [31,34], the GWN knows the identities of the communication entities, which makes it easy for the attacker to obtain identity values by corrupting the GWN. Accordingly, the works presented in [31,34] do not meet C_1. Meanwhile, in the scheme presented in [31], no one verifies the identity of the relay node, and so E_4 cannot be achieved.
Our scheme is thus superior to the alternatives. That is, by using the RSA algorithm, the dynamic assignment of the pseudo-identity, and the "modulus" operation, our scheme fulfills all 10 criteria.
Next, we present a comparison of the consumed overheads, covering storage, communication, and computation costs. To obtain a comprehensive evaluation of the overhead comparisons, Table 4 pre-defines the reasonable reference length of all terms for the compared schemes [28,31,34]. In Table 5, for the storage costs consumed, one can see that the user, the gateway, and the BASN in our protocol need 640 bits, 320 bits, and 160 bits, respectively. However, the storage costs of these three entities in the other schemes are unavoidably influenced by the following parameters: N (the number of challenge-response pairs in [28]); m (the number of users), n (the number of BASNs), and m (the number of relay nodes) in [31]. Please note that, in [31], from the flow of the mutual authentication and key agreement phase in Figure 2 of [31], the role of SN_j can be seen as that of U_i, the role of MS as that of the BASN, and the role of RN as that of the GWN. Thus, more storage costs (i.e., a total of 128N(2m + n) + 640(m + n) + 416 in [28] and 128(m + n) + 928 in [31]) will be consumed as these parameters increase. Overall, the proposed protocol is advantageous compared with the compared schemes. As for the communication costs shown in Figure 4, our protocol consumes more communication cost than the other compared schemes in order to meet all the attributes shown in Table 3; the other schemes save communication cost but thereby weaken the security of the authentication protocol. As for the computation costs, since the login phase and the verification phase are the frequently run parts of a user authentication protocol, we give the cryptographic computation costs of these two phases. By running the test algorithm in the CLion compiler (version 2023.2, developed by JetBrains, Prague, Czech Republic) under the Windows 11 operating system on a 12th-generation Intel Core i7-12700H with 16 GB memory, we determined that the estimated time of a 1024-bit RSA modular exponentiation is 0.63 ms and the time for an ECC scalar multiplication is 0.85 ms. Furthermore, for the other cryptographic functions, the time for the BKG is 0.29 ms [41], the time for the hash function (SHA-1) is 0.00069 ms [42], and the time for the PUF is 0.43 ms [43]. As shown in Figure 4, the time consumption values of the user and the BASN in our scheme are 0.92 ms and 0.64 ms, respectively. These show a reduction of the user's and the BASN's computation costs by 64% and 79% in comparison with the scheme presented in [31].
In summary, as evidenced by the provable security demonstrated in Section 5.3 and the heuristic analysis in Section 5.4, our proposed mechanism ensures mutual authentication, forward secrecy of the session key, and user anonymity, while resisting all known attacks. As demonstrated by the performance analyses in Section 5.5, the proposed protocol meets the 10 design criteria; the other schemes show deficiencies in the provision of key agreement (E_3), mutual authentication (E_4), and the security criteria C_1 to C_5. Combined with Figure 4 and Table 5, one can see that the storage and computation costs are superior to those of the schemes presented in [28,34]. Hence, we conclude that the proposed protocol outperforms the baseline protocols.

Conclusions
The authentication mechanism has always been an effective method of guaranteeing the security of data sharing in WBANs. In this paper, based on the RSA encryption and decryption algorithm, we propose a robust three-factor authentication protocol for WBANs. Through detailed security proofs and heuristic analyses, we prove that the proposed protocol can resist various known attacks. Finally, the performance analyses show that the storage and computation costs are superior to those of the schemes proposed in [28,34]; specifically, our proposal reduces the user's and the BASN's computation costs by 64% and 79%, respectively, compared with the scheme proposed in [31], which indicates that our protocol is more suitable for resource-limited WBANs. In future research, we will focus on the authentication of WBANs in a decentralized identity (DID) architecture based on blockchain.

Figure 2. System architecture of WBANs in healthcare.

Figure 3. System model in the proposed scheme.
and keeps the private key d secret.
• Encryption: The message sender S takes a message m and computes the encryption c = m^e mod n with R's public key e. Then, S sends the cipher c to R.
• Decryption: Upon receiving the cipher c, R decrypts m = c^d mod n with their own private key d.

• (A-1) A can fully control the open channel and thus intercept, modify, insert, and delete any messages transmitted in the open channel.
• (A-2) A can enumerate all items offline in the Cartesian product of the identity space and the password space D_id × D_pw within polynomial time.
• (A-3) For a three-factor user authentication scheme, A can compromise two of the following three authentication factors: (a) the user's password; (b) the data in the smart card; and (c) the user's biometric information.

Table 1. Notations of symbols in our scheme.

Then, the GWN sends the information packet {B_4, B_5, B_6, T_2} to MS_j in the open channel.
• Step 2. MS_j → GWN: {B_7, B_8, B_9, B_10, T_3}. On the request from the GWN, the body area sensor node MS_j first checks whether |T_c − T_2| < ∆T; if not, this session is concluded. Otherwise, MS_j obtains e*_i||r*_g||h(r*_u||T_1) and further computes B*_6 = h(h(r*_u||T_1)||r*_g||x_j||MIS*_j||T_2). Next, MS_j checks whether B*_6 = B_6; if not, this session is concluded. Otherwise, MS_j chooses a nonce r_s ∈ Z*_p, extracts the timestamp T_3, and computes (r_s)^{e_i} and SK = h(h(r_u||T_1)||r_s||h(V_i)). Next, MS_j obtains B_10 = h(SK||r_g) ⊕ x_j ⊕ h(r_s||SK). Finally, MS_j sends the information packet {B_7, B_8, B_9, B_10, T_3} to the GWN in the open channel. Upon obtaining {B_7, B_8, B_9, B_10, T_3}, the GWN first checks whether |T_c − T_3| < ∆T; if not, this session is concluded. Otherwise, the GWN computes MIS*_j = B_7 ⊕ h(r_g) and checks whether MIS*_j ∈ L_revoke. If so, the authentication session from MIS*_j (i.e., MIS_j) is not valid, and the GWN ignores this request. Otherwise, the GWN further computes x*_j = h(MIS*_j||x), r*_s||h(SK*||r*_g) = B_8 ⊕ x*_j, and B*_9 = h(r*_s||h(SK*||r*_g)||x*_j||T_3), and checks whether B*_9 = B_9; if so, the GWN further computes h(r_s||SK) = B_10 ⊕ h(SK||r_g) ⊕ x_j and then selects a new pseudo-identifier PID_i^new.
• Step 3. GWN → U_i: {B_11, B_12, B_13}.

• Partnering: Two mutually authenticated instances ∏^t_1, ∏^t_2 are partnered if they simultaneously satisfy the following criteria: (1) both have an accepted state; (2) both share the same identification; (3) ∏^t_1 and ∏^t_2 are mutual partners of each other.
• Node capture attack. In this attack, the adversary holds the node's secret value x_j and then retrieves A_3 and A_4. However, this adversary cannot recompute the session key SK unless they can effectively solve the large number factorization problem.
• Denial of service (DoS) attack. In the proposed scheme, even if the adversary tries to render the BASN unavailable by repeatedly replaying the old message {B_4, B_5, B_6, T_2}, the BASN first verifies whether the time gap satisfies |T_c − T_2| > ∆T. If so, the BASN directly terminates this session. Furthermore, even if the adversary updates the timestamp T_2 so that |T_c − T_2| < ∆T, the BASN still rejects this session, because the subsequent verification of B_6 fails: B_6 can only be derived with the original timestamp. Thus, this DoS attack makes no sense. Similarly, the GWN terminal can resist the DoS attack.

Table 2. Ten criteria for evaluating authentication schemes. The protocol can resist the impersonation attack, offline guessing attack, desynchronization attack, replay attack, stolen-verifier attack, unknown key share and known key attack, DoS attack, and node capture attack. Note that, in these attacks, A no longer compromises the smart card or the BASN.

Table 4. The length of all terms.

Table 5. Comparison of storage costs.