An Improved Lightweight User Authentication Scheme for the Internet of Medical Things

The Internet of Medical Things (IoMT) is used in the medical ecosystem through medical IoT sensors, such as blood glucose, heart rate, temperature, and pulse sensors. To maintain a secure sensor network and a stable IoMT environment, it is important to protect the medical IoT sensors themselves, and the patient medical data they collect, from various security threats. Medical IoT sensors attached to the patient's body must be protected from threats such as being controlled by unauthorized persons or transmitting erroneous medical data. IoMT authentication must be sensitive to the following attack techniques. (1) An offline password guessing attack easily recovers a healthcare administrator's password offline and allows easy access to the healthcare worker's account. (2) Privileged-insider attacks executed through impersonation are an easy way for an attacker to gain access to a healthcare administrator's environment. Recently, previous research proposed a lightweight and anonymity-preserving user authentication scheme for IoT-based healthcare. However, this scheme is vulnerable to offline password guessing, impersonation, and privileged insider attacks. These attacks expose not only the patients' medical data, such as blood pressure, pulse, and body temperature, but also the patients' registration number, phone number, and guardian. To overcome these weaknesses, in the present study we propose an improved lightweight user authentication scheme for the IoMT. In our scheme, the hash function and XOR operation are used so that it can run on low-spec healthcare IoT sensors. The automatic cryptographic protocol tool ProVerif confirmed the security of the proposed scheme. Finally, we show that the proposed scheme is more secure than other protocols and that it has 266.48% better performance than schemes described in previous studies.


Introduction
The Internet of Medical Things (IoMT) represents a combination of the healthcare field and the IoT ecosystem that can be used to create, collect, transmit, and analyze medical data through the connection of various healthcare IT systems, healthcare sensors, and healthcare management programs [1,2]. With the continued evolution of IoT technology and the outbreak of COVID-19, IoMT is gaining increased interest, as it enables personalized medical information management, real-time health tracking and monitoring, and also remote treatment [3].
However, there may be various security problems in the IoMT environment when dealing with sensitive medical information [4,5], such as the following:

1. First, if malicious cyberattacks take control of healthcare sensors attached to a patient's body, this might not only result in inaccurate data collection but also put the patient's health at risk.

2. Second, malicious cyberattacks can expose sensitive patient data and medical information.

3. Third, since IoMT uses low-power wearable healthcare sensors, if the protocol used is not lightweight it may be difficult to operate normally or to provide real-time service because of the time-consuming computation.
Therefore, to further develop the IoMT environment, it is crucial to maintain security for medical systems and IoT devices and to support lightweight security protocols for implementing them.
We implemented and analyzed a scheme suited to IoMT using the following method. For security, we do not rely on a simple password alone but also introduce a fuzzy extractor, i.e., a biometric-based authentication method. We also define a system model and an attack model in order to address the weaknesses of Masud et al. [6]. Based on these models, we analyze the vulnerabilities of Masud et al. [6] and propose our new IoMT scheme. We analyze the security of the proposed scheme using a formal analysis and an informal analysis and calculate its computational cost. Lastly, we compare this computational cost with those of other schemes.

Our Contribution
We propose a secure and lightweight user authentication scheme for IoMT by improving on Masud et al. [6]'s scheme and addressing the threats it faces. In summary, we make the following contributions:

1. First, to overcome offline password guessing attacks, we add biometric authentication, which can authenticate the user only when the actual user is present. Further, to protect against replay attacks, we add logic so that the gateway authenticates both the user and the freshness of the user's message in the authentication phase. Finally, to overcome privileged insider attacks, the secret shared between the user and the sensor node in the registration phase is deleted from the gateway immediately after that phase.

2. We propose a lightweight security protocol that mainly uses a hash function and the XOR operation so that it can run on low-spec healthcare sensors.

3. The proposed scheme is designed to protect against various security threats, such as offline password guessing attacks, privileged insider attacks, user impersonation attacks, replay attacks, and session key disclosure attacks. It also ensures user anonymity.

Organization of Our Paper
The rest of this paper is organized as follows: Section 3 presents the preliminaries on the fuzzy extractor, the system model, and the attack model. Section 4 reviews the scheme reported by Masud et al. [6]. Section 5 demonstrates the weaknesses of the scheme reported by Masud et al. [6]. Section 6 presents our improved scheme. Section 7 provides formal and informal security analysis. Section 8 provides a performance analysis. Section 9 provides a discussion of performance. Finally, Section 10 presents our conclusion.

Related Work
Until recently, most healthcare systems could only be accessed with a password. Password-based authentication [7,8] is the most popular method of user authentication. Unfortunately, it is not suitable for a sensitive system that requires strong security, because it is exposed to various security threats. For example, password-based authentication can lead to unintentional password sharing when someone looks over the user's shoulder and sees the password. Anyone who knows this password can access the system on behalf of the user. Moreover, a password guessing attack is possible, in which the attacker guesses the user's password and attempts authentication until succeeding.
Since password-based authentication schemes are exposed to various security threats, two-factor authentication using a smart card has been introduced to overcome them. In 2012, Wu et al. [9] proposed a secure authentication scheme for TMIS using a smart card and a password. However, Debiao et al. [10] pointed out that this scheme was vulnerable to impersonation attacks and insider attacks. Meanwhile, Wei et al. [11] pointed out that the scheme was vulnerable to offline password guessing attacks. To overcome these problems, Debiao et al. [10] proposed a more secure authentication scheme using a smart card and a password. However, Wei et al. [11] pointed out that this scheme was also vulnerable to offline password guessing attacks if the user were to lose his or her smart card. Consequently, three-factor authentication using a password, a smart card, and biometrics, i.e., fingerprint and face recognition, has been introduced to achieve a higher level of security [12][13][14][15]. Wu et al. [12] proposed an improved and provably secure three-factor user authentication scheme for wireless sensor networks. However, Ryu et al. [13] pointed out that this scheme was vulnerable to user impersonation attacks and that it could not preserve the user's anonymity. A summary of each scheme's weaknesses is presented in Table 1.

Table 1. Summary of each scheme's weaknesses.

| Author | Proposed Scheme | Weakness |
|---|---|---|
| Wu et al. [9] | For TMIS using a smart card | Impersonation, insider, offline password guessing attacks |
| Debiao et al. [10] | Using a smart card and a password | Offline password guessing attacks |
| Wu et al. [12] | Secure three-factor scheme for wireless sensor networks | User impersonation attacks and no user anonymity |
| Masud et al. [6] | For IoT-based healthcare | Offline-password, replay, privileged insider attacks |

Recently, Masud et al. [6] proposed a lightweight and anonymity-preserving user authentication scheme for IoT-based healthcare. In the present study, we specifically focused on the use of lightweight protocols to support resource-constrained devices. However, we found various security threats, since that paper provides user authentication using only a password in order to remain lightweight. While supporting lightweight security protocols is one of the most important considerations in an IoMT environment, maintaining security is the most foundational requirement. One of the fatal security threats to which Masud et al. [6]'s scheme is vulnerable is an offline password guessing attack. If an attacker records a valid authentication message communicated via the public channel in any authentication phase, the attacker can guess the user's valid password offline. Masud et al. [6]'s scheme is also vulnerable to replay attacks and privileged insider attacks. Through such attacks, an attacker could log in by stealing the user's password and disguising themselves as the user. An attacker could then enter information on behalf of the user or access the user's information as the user.
Although Masud et al. [6]'s scheme offers good performance while aiming to maintain security for IoMT, it still has security challenges. Therefore, we propose an improved lightweight user authentication scheme for IoMT that improves upon Masud et al. [6]'s scheme and reduces the computational cost compared to related studies.

Preliminaries
In this section, we introduce the fuzzy extractor, our system model, and the attack model. The details are as follows:

Fuzzy Extractor
Biometric information is the best way to authenticate and verify users [16][17][18]. In 2004, Dodis et al. [19] proposed the fuzzy extractor to obtain a unique bit string from a biometric template. A fuzzy extractor is a tuple (M, m, l, τ, ε) with two algorithms, Gen and Rep, which are expressed as follows [12]: The above result means that the fuzzy extractor can generate the secret string R_i and the helper string P_bi, where w_i is U_i's originally collected biometric data. The above result also means that the fuzzy extractor can recover the secret string R_i generated by the Gen algorithm from a sufficiently close biometric reading.

System Model
Figure 1 shows the system model of the proposed scheme. In our scheme, there are three entities: the User, the Medical Service Gateway (Gateway), and the Healthcare IoT Sensor Node (Sensor Node).

1. Medical Service Gateway (Gateway): Since the user and the sensor node do not communicate with each other directly, the gateway is responsible for authentication and for relaying communication between the user and the sensor node.

2. Healthcare IoT Sensor Node (Sensor Node): The sensor node is attached to the patient's body and collects the patient's medical data. It is connected to the healthcare network and transmits the patient's medical data to the user through the gateway.

3. Doctor (User): The user is a doctor who can access the patient's medical information collected from the sensor node to inform the patient's treatment.
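The Gen/Rep behaviour described in the Fuzzy Extractor subsection above, as an added example that is not the paper's own code: a toy code-offset fuzzy extractor in Python. Gen(w) draws a random secret, hides it in the helper string P as w XOR codeword, and outputs R = h(secret); Rep(w', P) strips the helper and majority-decodes, so R is recovered exactly when each block of w' differs from the enrolled w in at most τ bits, and a reading that exceeds the tolerance yields a different string. The repetition code, the block sizes, SHA-256 as h, and the constructed templates are assumptions of this example, chosen for readability rather than for security strength.

```python
import hashlib
import secrets

# Toy code-offset fuzzy extractor (added example, not the paper's code).
# The biometric template w is a bit list of length BLOCKS * REP; each secret
# bit is spread over REP template bits by a repetition code, so up to TAU bit
# flips per block are corrected by majority vote (TAU plays the role of τ).
REP = 5
BLOCKS = 32           # 32 secret bits -> 160-bit template in this toy setting
TAU = (REP - 1) // 2  # per-block error tolerance

def _encode(k):
    """Repetition-code encode: each bit of k is repeated REP times."""
    return [b for b in k for _ in range(REP)]

def _decode(c):
    """Majority-vote decode each block of REP bits back to one secret bit."""
    return [1 if sum(c[i:i + REP]) > REP // 2 else 0
            for i in range(0, len(c), REP)]

def _bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")

def gen(w):
    """Gen(w) -> (R, P): secret string R and public helper string P."""
    assert len(w) == BLOCKS * REP
    k = [secrets.randbelow(2) for _ in range(BLOCKS)]   # fresh random secret bits
    c = _encode(k)
    P = [wi ^ ci for wi, ci in zip(w, c)]                # helper: w XOR codeword
    R = hashlib.sha256(_bits_to_bytes(k)).hexdigest()    # R = h(k)
    return R, P

def rep(w_prime, P):
    """Rep(w', P) -> R when w' is within TAU flips per block of the enrolled w."""
    c_prime = [wi ^ pi for wi, pi in zip(w_prime, P)]   # codeword XOR (w XOR w')
    k_prime = _decode(c_prime)                           # errors removed if few
    return hashlib.sha256(_bits_to_bytes(k_prime)).hexdigest()

def flip_bits(w, positions):
    """Constructed noisy reading: flip the template bits at the given positions."""
    w2 = list(w)
    for p in positions:
        w2[p] ^= 1
    return w2

def demo():
    # Constructed enrolment template (in practice: quantised biometric features).
    w = [secrets.randbelow(2) for _ in range(BLOCKS * REP)]
    R, P = gen(w)
    # Close re-reading: one flip in each of the first three blocks -> same R.
    noisy = flip_bits(w, [0, REP, 2 * REP])
    same = rep(noisy, P) == R
    # Too-noisy reading: three flips in block 0 exceed TAU -> R not recovered.
    bad = flip_bits(w, [0, 1, 2])
    different = rep(bad, P) != R
    return same, different

if __name__ == "__main__":
    print(demo())
```

The helper string P reveals nothing about R on its own only because the codeword is random and as long as the template; a real deployment would use a proper error-correcting code matched to the measured error rate of the sensor, and an extractor rather than a bare hash.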

Attack Model
For the security analysis of our scheme, we consider the following attack model [20][21][22]:

1. The attacker can extract the data in the device that stores some security parameters.

2. The attacker has full access to the public communication channel and can intercept, replay, modify, delete, or inject messages on it.

3. The attacker can compute the identity and the password in polynomial time.

Review of the Scheme Presented by Masud et al. [6]
In this section, we briefly review Masud et al.'s scheme [6], which relies only on a password to let legitimate users access the IoT sensor node and obtain the patient's health information. The notation and Masud et al. [6]'s scheme are described in Tables 2 and 3, respectively. Masud et al. [6]'s scheme consists of three phases: the User Registration Phase, the Sensor Node Registration Phase, and the Mutual Authentication and Key Agreement Phase.

User Registration Phase
1. The user enters and transmits D_ID and PW_D through the secured channel to the gateway.

2. The gateway generates R^1_SG and computes D_TID = R^1_SG ⊕ D_ID and α = (D_ID ⊕ R^1_SG) ⊕ PW_D. The gateway stores D_ID, PW_D, R^1_SG, and D_TID. Finally, the gateway transmits α through the secured channel to the user.

3. The user derives R^1*_SG = (α ⊕ PW_D) ⊕ D_ID and computes D_TID = R^1*_SG ⊕ D_ID and β = h(PW_D || R^1*_SG) ⊕ D_TID. The user then stores R^1*_SG, D_TID, and β.

Sensor Node Registration Phase
1. The sensor node generates R^1_SN and transmits R^1_SN and S_ID through the secured channel to the gateway.

2. The gateway generates R^2_SG and computes δ = ( The gateway then stores S_ID, R^1_SN, R^2_SG, and S_TID. Finally, the gateway transmits δ through the secured channel to the sensor node.

3. The sensor node computes

Mutual Authentication and Key Agreement Phase
2. The gateway retrieves N^1_D = N^1*_D ⊕ PW_D and checks the freshness of N^1_D. If N^1_D is not fresh, the procedure is stopped; otherwise the gateway compares D_TID and S_TID with the received values. If the values are not identical, the procedure is stopped; otherwise the gateway computes λ* = h(R^1_SG || PW_D). If λ* and λ are equal, user authentication is successful; if not, the procedure is stopped. To share SK with the sensor node, the gateway generates N^1_G, SK, and R^3_SG and computes G^1_W, G^2_W, SK_S, and G^3_W. Finally, the gateway stores G^3_W and transmits G^1_W, G^2_W, D_TID, SK_S, and G^3_W through the public channel to the sensor node.

3. The sensor node retrieves N^1_G = G^1_W ⊕ S_TID and checks the freshness of N^1_G. If N^1_G is not fresh, the procedure is stopped; otherwise the sensor node computes S^1_W. If S^1_W and the received value are equal, gateway authentication is successful. The sensor node then retrieves SK = (SK_S ⊕ R^1_SN) ⊕ N^1_G and generates N^1_S and R^2_SN. The sensor node then computes S^2_N, S^3_N, and S^4_N and transmits them to the gateway.

4. The gateway retrieves N^1_S and checks its freshness. If N^1_S is not fresh, the procedure is stopped; otherwise the gateway computes and compares the verification values; if they are equal, mutual authentication between the sensor node and the gateway is successful. The gateway then stores R^2_SN, R^3_SG, and S^new_TID. To share SK with the user, the gateway generates N^2_G and R^4_SG and computes µ, SK_U, η, and G^5_W. Finally, the gateway stores R^4_SG and D^new_TID and transmits µ, SK_U, η, and G^5_W to the user.

5. The user retrieves N^2_G = µ ⊕ D_ID and checks the freshness of N^2_G. If N^2_G is not fresh, the procedure is stopped; otherwise the user computes φ = h(D_ID || PW_D || SK || N^2_G). If φ and η are equal, mutual authentication between the gateway and the user is successful. The user then retrieves SK = (SK_U ⊕ N^2_G) ⊕ PW_D, computes D^new_TID = R^4_SG ⊕ D_ID, and stores R^4_SG and D^new_TID.

Weaknesses of Masud et al. [6]'s Scheme
These weaknesses are listed under the assumption that the attacker has recorded the message (N^1*_D, D_TID, λ, S_TID) from a successful mutual authentication and key agreement of user A.

Offline Password Guessing Attack
In an offline password guessing attack, the attacker never actually attempts to log in to the gateway server. Suppose the attacker steals the device of user A and obtains R^1*_SG from it. The attacker then repeatedly guesses a password PW*_D and computes λ* = h(R^1*_SG || PW*_D). If λ* is equal to the recorded λ, the attacker has found the correct password PW_D. Until the attacker determines the valid password PW_D, the gateway does not notice this attack at all, because the attacker never tries to log in.
Then, in the Mutual Authentication and Key Agreement Phase, the attacker retrieves the values needed to recover the session key. Eventually, the attacker obtains an SK that can be used to access the resources of the gateway and the sensor node.
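Added example in Python, not code from the paper: the registration values of Masud et al.'s scheme as reviewed above (α, R^1*_SG, D_TID, β) and the λ = h(R^1_SG || PW_D) check, run against a constructed candidate list to show why λ on the public channel plus R^1*_SG from the device lets the password be tested offline, beside a three-factor hash in the spirit of the proposed scheme's HPW_i = h(PW_i || R_i || r^1_U), where the unstored biometric secret R_i defeats the same search. SHA-256 as h, the fixed-width encoding of identities and passwords, and the sample identity, password, and candidate list are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Added example (not from the paper): toy model of the registration values of
# Masud et al.'s scheme and of the λ check that makes offline guessing possible,
# beside a three-factor hash in the spirit of the paper's HPW_i.
# Variable names follow the paper; the byte encodings are assumptions.

def xor(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

def h(*parts):
    """One-way hash over the concatenation of its arguments: h(a || b || ...)."""
    return hashlib.sha256(b"".join(parts)).digest()

def pad(s, n=32):
    """Fixed-width encoding so that XOR masks line up (assumption of this toy)."""
    return s.encode().ljust(n, b"\0")

# --- Masud et al. user registration (Review section, steps 1-3) ---
def masud_register(d_id, pw_d):
    r1_sg = secrets.token_bytes(32)                  # gateway random R^1_SG
    d_tid = xor(r1_sg, pad(d_id))                    # D_TID = R^1_SG ⊕ D_ID
    alpha = xor(xor(pad(d_id), r1_sg), pad(pw_d))    # α = (D_ID ⊕ R^1_SG) ⊕ PW_D
    # user side: R^1*_SG = (α ⊕ PW_D) ⊕ D_ID ; β = h(PW_D || R^1*_SG) ⊕ D_TID
    r1_sg_user = xor(xor(alpha, pad(pw_d)), pad(d_id))
    beta = xor(h(pad(pw_d), r1_sg_user), d_tid)
    return {"gateway": (r1_sg, d_tid), "device": (r1_sg_user, d_tid, beta)}

def masud_lambda(r1_sg, pw_d):
    """λ = h(R^1_SG || PW_D): sent over the public channel, recomputed by the gateway."""
    return h(r1_sg, pad(pw_d))

def offline_guess_masud(r1_sg_from_device, captured_lambda, candidates):
    """Offline check: with R^1*_SG from a stolen device and λ from the channel,
    each candidate password is tested locally; the gateway never sees a login."""
    for pw in candidates:
        if hmac.compare_digest(masud_lambda(r1_sg_from_device, pw), captured_lambda):
            return pw
    return None

# --- Hardened variant: password mixed with a biometric-derived secret R_i ---
def hardened_hpw(pw_i, r_i, r1_u):
    """HPW_i = h(PW_i || R_i || r^1_U). R_i comes from the fuzzy extractor at
    login time and is never stored, so the hash cannot be recomputed from the
    password and the device contents alone."""
    return h(pad(pw_i), r_i, r1_u)

def offline_guess_hardened(captured_hpw, r1_u, candidates):
    """Same local search with only device data (r^1_U) and the captured hash:
    without the 256-bit R_i no password candidate can match."""
    for pw in candidates:
        r_i_guess = b"\0" * 32   # no R_i available; any guess is as good as this
        if hmac.compare_digest(hardened_hpw(pw, r_i_guess, r1_u), captured_hpw):
            return pw
    return None

def demo(candidates=("123456", "password", "doctor2021", "qwerty")):
    """Constructed scenario: user 'doctor01' with password 'doctor2021'."""
    reg = masud_register("doctor01", "doctor2021")
    r1_sg, _ = reg["gateway"]
    r1_sg_user, _, _ = reg["device"]
    lam = masud_lambda(r1_sg, "doctor2021")          # what the user transmits
    weak = offline_guess_masud(r1_sg_user, lam, candidates)
    r_i = secrets.token_bytes(32)                    # R_i from Gen(B_i) at login
    r1_u = secrets.token_bytes(32)
    hpw = hardened_hpw("doctor2021", r_i, r1_u)
    strong = offline_guess_hardened(hpw, r1_u, candidates)
    return weak, strong                              # ('doctor2021', None)

if __name__ == "__main__":
    print(demo())
```

The defensive lesson is the one the paper draws: a value derived only from a stored device secret and a low-entropy password must never cross a public channel in a form that can be recomputed, because every captured message becomes an offline oracle for the password.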

Privileged Insider Attack
If a privileged insider of the gateway obtains user A's password PW_D, D_ID, and R^1_SG from the gateway's database, the insider can impersonate user A. In the Mutual Authentication and Key Agreement Phase, the privileged insider retrieves N^2_G = µ ⊕ D_ID and SK = (SK_U ⊕ N^2_G) ⊕ PW_D. Eventually, the privileged insider obtains an SK that gives access to the resources of the gateway and the sensor node.

Replay Attack
Masud et al. [6] claim that their scheme is safe from replay attacks because the gateway checks the freshness of the nonce N^1*_D = N_D ⊕ PW_D, and the nonce cannot be modified since it is masked with the password PW_D. However, suppose the attacker generates a nonce N_A and transmits (N_A, D_TID, λ, S_TID) instead of (N_D, D_TID, λ, S_TID). Upon receiving (N_A, D_TID, λ, S_TID), the gateway retrieves N^1*_D = N_A ⊕ PW_D and checks its freshness. Since the retrieved value is just a random number, the gateway can only check freshness and cannot confirm whether N^1*_D is valid. In short, if the attacker can supply a nonce that passes the freshness check, Masud et al. [6]'s scheme cannot resist replay attacks. Further, once the forged nonce passes the freshness check, the new identities of the user and the device, D^new_TID and S^new_TID, are updated, so the legitimate user, who does not know the changed identity D^new_TID, can no longer authenticate after the replay attack.

Proposed Scheme
In this section, we propose a three-factor mutual authentication scheme for the Internet of Medical Things (IoMT) that is intended to overcome the weaknesses of the scheme reported by Masud and colleagues. The proposed scheme consists of three phases: user registration, sensor node registration, and authentication and key distribution. The proposed scheme is described in Table 4.

User Registration Phase
1. The user enters ID_i and PW_i and generates a random number r^1_U. The user imprints B_i on a device for biometric collection and computes Gen(B_i) = (R_i, R_bi) and HPW_i = h(PW_i || R_i || r^1_U). For registration, the user transmits ID_i through a secured channel to the gateway.

2. The gateway generates random numbers r^1_GW, r^2_GW, and r^3_GW and computes TID_i = h(ID_i || r^1_GW || K_GW), S^1_i = h(ID_i || r^2_GW || K_GW), and S^2_i = h(ID_i || r^3_GW || K_GW). The gateway stores ID_i, TID_i, S^1_i, and S^2_i. S^2_i is held by the gateway only until the sensor node registration phase: it is transferred from the gateway to the sensor node during that phase and is then deleted from the gateway. Finally, the gateway transmits TID_i, S^1_i, and S^2_i through a secured channel to the user.

3. The user computes

Sensor Node Registration Phase
1. For registration, the sensor node transmits SID_j through a secured channel to the gateway.

2. The gateway generates a random number r^4_GW, computes TSID_j = h(SID_j || r^4_GW || K_GW), and stores SID_j and TSID_j. Finally, the gateway transmits TSID_j, TID_i, and S^2_i through a secured channel to the sensor node and deletes S^2_i.

3. The sensor node stores SID_j, TSID_j, TID_i, and S^2_i.

Table 4. The proposed scheme.

Authentication and Key Distribution Phase
1. The user enters ID_i and PW_i and imprints B_i on a device for biometric collection.

2. If the received values and ts_U are valid, the user verification is passed; if not, the procedure is stopped. To generate the authentication message, the gateway generates r^5_GW and computes TID^new_i. Finally, the gateway transmits GM_1, GM_2, GM_3, GM_4, and U_iM_7 through a public channel to the sensor node.

3. To authenticate the gateway, the sensor node retrieves r^5_GW. The sensor node checks GM_4 =? GM*_4. If they are equal, the gateway verification is passed; if not, the procedure is stopped. To generate the session key SK, the sensor node generates SK and computes

Security Analysis of the Proposed Scheme
In this section, we demonstrate formal and informal security analysis. We use the security verification tool ProVerif to demonstrate that the proposed scheme can satisfy security and authentication features. As an informal security analysis, we show how our proposed scheme meets the security requirements for an IoMT sensor protocol.

Formal Security Analysis
In this section, the ProVerif tool [23] is used to evaluate the security of the proposed protocol. ProVerif is an automatic cryptographic protocol verifier developed by Bruno Blanchet [13]. Several studies have used this tool to demonstrate the safety of their protocols [24,25].
We use two channel types and four channels in total. Private channel1 and Private channel2 transmit sensitive data between the user and the gateway and between the gateway and the sensor node, respectively. Public channel1 and Public channel2 transmit general data between the user and the gateway and between the gateway and the sensor node, respectively. Table 5 presents the definitions of the channels, variables, and other related parameters. The processes performed by the user, the gateway, and the sensor node are presented in Tables 6–8, respectively. Lastly, the queries and the main process are detailed in Table 9.
The results for our proposed scheme are presented in Table 10. It can be seen that the proposed protocol keeps the session key SK safe from the attacker.

Table 6. User's process.

Informal Security Analysis
We performed a formal analysis. However, a formal analysis by itself is not sufficient to prove safety [13,26,27]. Therefore, we further analyzed our scheme using an informal analysis. We present a theoretical analysis of the proposed scheme. The results of the informal security analysis are then briefly described.

1. Offline Password Guessing Attack: Our scheme uses biometric information B_i, which carries the unique biological characteristics of an individual and is not stored for user authentication, so a user's password cannot be guessed without the real user present. Therefore, our scheme protects against offline password guessing attacks.

2. Privileged Insider Attack: Even if a privileged insider steals ID_i, TID_i, SID_j, TSID_j, and S^1_i from the gateway's database, the insider cannot obtain the session key SK without the secret S^2_i shared between the user and the sensor node. Therefore, our scheme protects against privileged insider attacks.

3. User Impersonation Attack: Even if the attacker steals and replaces the user's TID_i, the attacker cannot generate valid U_iM_6 and U_iM_7 without the secrets S^1_i and S^2_i. When the gateway and the sensor node verify U_iM_6 and U_iM_7, respectively, they detect the invalid user. Therefore, our scheme protects against user impersonation attacks.

4. Server Impersonation Attack: Even if the attacker impersonates the gateway, the attacker cannot generate valid GM_4 and GM_5 without TSID_j and S^1_i. When the sensor node and the user verify GM_4 and GM_5, respectively, they detect the invalid gateway. Therefore, our scheme protects against server impersonation attacks.

5. Replay Attack: Even if the attacker records U_iM_6, U_iM_7, U_iM_8, and TID_i from a successful mutual authentication and key distribution phase and resends them to the gateway, the gateway detects that the message is reused because it checks the freshness of r^2_U. Moreover, the attacker cannot generate or modify r^2_U and U_iM_6 without S^1_i. Therefore, our scheme protects against replay attacks.

6. Man-in-the-Middle Attack: In a man-in-the-middle attack, an attacker sits between two parties in order to intercept and modify the communicated data and masquerade as the entities. In the mutual authentication and key distribution phase, the attacker intercepts the data communicated between the user and the gateway and attempts to modify the messages to retrieve the session key. However, in our scheme, the attacker cannot modify the communicated messages without the secrets S^1_i and S^2_i. Therefore, our scheme protects against man-in-the-middle attacks.

7. Session Key Disclosure Attack: Even if the attacker obtains SN_jM_1, which carries the session key SK, the attacker cannot obtain SK without the secret S^2_i. Therefore, our scheme protects against session key disclosure attacks.

8. Forward Secrecy and Backward Secrecy: Even if someone obtains a session key SK, they cannot learn the previous or the next session key, because each session key is generated randomly with no relation to the others. Therefore, our scheme preserves forward secrecy and backward secrecy.

9. Mutual Authentication: The gateway and the user authenticate each other by verifying U_iM_8 and GM_5, respectively, using the secret S^1_i. Therefore, our scheme provides mutual authentication.

10. User Anonymity: Our scheme identifies users by TID_i and replaces it every session with TID^new_i, which is unrelated to the old TID_i. Therefore, our scheme preserves user anonymity.
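The replay-attack point made in the Weaknesses section (a nonce masked only by XOR with PW_D passes a pure freshness check whatever its origin) and the replay-resistance argument in item 5 above (r^2_U accepted only when U_iM_6 verifies under S^1_i), as one added Python example that is not the paper's code. The first gateway check imitates Masud et al.'s N^1_D = N^1*_D ⊕ PW_D freshness test; the second accepts a nonce only if the keyed hash over (S^1_i, r^2_U, ts_U) verifies, the timestamp is within a window, and the nonce has not been seen. The message layout h(S^1_i || r^2_U || ts_U), the 60-second window, SHA-256 as h, and the constructed clock and secrets are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not from the paper): a freshness-only nonce check in the style
# of Masud et al.'s N^1*_D = N_D ⊕ PW_D, beside a check that binds the nonce
# r^2_U and timestamp ts_U to the shared secret S^1_i with a one-way hash, as
# the paper's U_iM_6 does. Field names follow the paper; layouts are assumptions.

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

class Gateway:
    """Keeps the nonces already seen so a replayed nonce is rejected."""
    def __init__(self, pw_d, s1_i, window_s=60):
        self.pw_d = pw_d.encode().ljust(32, b"\0")  # fixed-width PW_D (toy encoding)
        self.s1_i = s1_i                            # S^1_i shared with user U_i
        self.seen = set()
        self.window_s = window_s

    def _fresh(self, nonce):
        """Freshness alone: not seen before. Any never-seen value passes."""
        if nonce in self.seen:
            return False
        self.seen.add(nonce)
        return True

    def check_masud_style(self, masked_nonce):
        """Unmask N^1_D = N^1*_D ⊕ PW_D and test freshness only. Nothing ties
        the nonce to a secret, so any value unmasks to *some* fresh nonce."""
        n1_d = xor(masked_nonce, self.pw_d)
        return self._fresh(n1_d)

    def check_bound(self, r2_u, ts_u, u_i_m6, now=None):
        """Accept r^2_U, ts_U only if U_iM_6 = h(S^1_i || r^2_U || ts_U) verifies
        (only the holder of S^1_i can produce it), the timestamp is recent,
        and the nonce has not been used before."""
        now = time.time() if now is None else now
        if abs(now - ts_u) > self.window_s:
            return False                              # stale
        expected = h(self.s1_i, r2_u, str(ts_u).encode())
        if not hmac.compare_digest(expected, u_i_m6):
            return False                              # not from U_i
        return self._fresh(r2_u)                      # not a replay

def user_message(s1_i, now):
    """Legitimate user U_i builds (r^2_U, ts_U, U_iM_6)."""
    r2_u = secrets.token_bytes(32)
    return r2_u, now, h(s1_i, r2_u, str(now).encode())

def demo():
    s1_i = secrets.token_bytes(32)
    gw = Gateway("doctor2021", s1_i)
    now = 1_700_000_000.0                             # constructed clock

    # Freshness-only check: a random, never-used masked nonce is accepted.
    forged_passes = gw.check_masud_style(secrets.token_bytes(32))

    # Bound check: genuine message passes once; its replay, a nonce built
    # without S^1_i, and a stale genuine message are all rejected.
    r2_u, ts_u, m6 = user_message(s1_i, now)
    genuine = gw.check_bound(r2_u, ts_u, m6, now=now)
    replayed = gw.check_bound(r2_u, ts_u, m6, now=now + 1)
    r2_f = secrets.token_bytes(32)
    forged_bound = gw.check_bound(r2_f, now, h(b"no secret", r2_f), now=now)
    r2_s, ts_s, m6_s = user_message(s1_i, now - 3600)
    stale = gw.check_bound(r2_s, ts_s, m6_s, now=now)
    return forged_passes, genuine, replayed, forged_bound, stale

if __name__ == "__main__":
    print(demo())   # (True, True, False, False, False)
```

The seen-set must survive across sessions (or be replaced by a monotonic counter or a timestamp window with a bounded cache); a freshness check that forgets on restart reopens the replay window.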
The results of the security analysis with comparisons to related papers are presented in Table 11.
Performance Analysis
Our study analyzes the computational cost using the time measurements presented in Table 12 [28,29]. T_M stands for the computational cost of a multiplication in the field, T_bh for the computational cost of the biohash function operation, and T_h for the computational cost of the one-way hash function operation. It is assumed that the XOR operation does not affect the cost of operation. Table 13 and Figure 2 compare the computational cost of our scheme with those of other schemes according to Table 12 [6,12,15].

Table 12 (fragment): T_h, the computational cost of the one-way hash function operation: 0.0004 [28]

We calculate the computational efficiency of our scheme as follows:

(t_1 − t_2) / t_2    (3)

In Formula (3), t_1 represents the average computational cost of the other schemes, and t_2 represents the computational cost of our scheme.
According to the above formula, our scheme is 266.48% more efficient in terms of computational cost than the other schemes, and Table 11 shows that our scheme is more secure than the other methods.

Discussion of Performance
We proposed a secure and lightweight user authentication scheme for IoMT by improving Masud et al. [6]'s scheme. We compared the performance of three schemes [6,12,15] in Section 8. Our scheme outperforms [12,15] by 399.73% and 499.66%, respectively. The scheme of [6] is lightweight, but it does not meet basic security requirements such as resistance to offline password guessing attacks, privileged insider attacks, and replay attacks. Therefore, our scheme is a suitable lightweight user authentication scheme for IoMT: it addresses the security threats of [6] and is on average 266.48% more efficient than the other schemes.

Conclusions
The purpose of our paper was to propose a secure and lightweight user authentication scheme for IoMT by addressing the security threats to which Masud et al. [6]'s scheme is vulnerable. In particular, our scheme can protect against well-known attacks in IoMT, i.e., offline password guessing attacks, privileged insider attacks, user impersonation attacks, replay attacks, and session key disclosure attacks, and it ensures user anonymity. We also proved through formal security analysis with ProVerif that our scheme is a suitable user authentication scheme for IoMT. Moreover, we proposed a lightweight security protocol that mainly uses a hash function and the XOR operation, considering low-spec healthcare sensors. As a result, we showed 266.48% better performance than the average computational cost of the considered schemes [6,12,15]. Our scheme outperforms [12,15], but it does not outperform [6]. Our scheme shows higher safety than the compared schemes [6,12,15]. Our security and performance analysis shows that our scheme is a suitable lightweight user authentication scheme for IoMT. Further studies could improve convenience by combining behavioral biometric authentication. Behavioral biometric authentication is expected to offer further improved convenience over biometric authentication because it uses keystroke dynamics, gait analysis, mouse use characteristics, signature analysis, and cognitive biometrics.