An Anonymous Mutual Authenticated Key Agreement Scheme for Wearable Sensors in Wireless Body Area Networks

The advancement of Wireless Body Area Networks (WBANs) has led to significant progress in medical and health care systems. However, such networks still suffer from major security and privacy threats, especially to the data collected in medical or health care applications. A lack of security and of anonymous communication in a WBAN can cause these networks to fail in operation. Recently, Li et al. proposed a lightweight protocol for wearable sensors in wireless body area networks. In their paper, the authors claimed that the protocol provides anonymous mutual authentication and resists various types of attacks. This study shows that their protocol is still vulnerable to three types of attacks, i.e., the offline identity guessing attack, the sensor node impersonation attack and the hub node spoofing attack. We then present a secure scheme that addresses these problems and retains similar efficiency on wireless sensor nodes and mobile phones.


Introduction
The advancement of electromedical technology has led to new research topics associated with wireless body area networks (WBANs). A wireless body area network (WBAN) is formed by a medication information system and various wearable sensors attached to the patient's body. Integrating WBANs with modern cloud and sensor technologies offers a huge improvement in the efficiency and functionality of medical and health care systems. For instance, after an ischemic stroke, patients require long-term electrocardiographic monitoring [1]. Patients who suffer from sleep apnea must wear a portable monitor while sleeping [2]. A WBAN-enabled environment allows patients to enjoy the same quality of life without being tangled in sensor wires. To provide a comprehensive and real-time health assessment of the patient, sensed data may be transmitted to the cloud.
A WBAN architecture generally consists of three layers, as shown in Figure 1. It is composed of three types of nodes: first level nodes, second level nodes and a hub node. A first level node, e.g., a smartphone, acts as an intermediate node and forwards the data to the hub node. The second level nodes are the nodes or wearable devices situated on the human body, which send the sensed information to a first level node. The hub node is a local server or a remote cloud that analyses and manages the sensed data. Although WBANs are endowed with simplicity and high efficiency, they suffer from low security, even though the transmitted data contain the user's health information, which is typically highly sensitive. The need for a secure solution for the network is immediate, as the security association in the 802.15.6 standard is in doubt [3]. To guarantee a secure WBAN, a secure authenticated key agreement protocol should be executed before the communication. We argue that this protocol must also provide user anonymity. Consider a user wearing a portable electrocardiographic monitor to keep track of his cardiac health, where the cardiac data are properly encrypted. If the data transfer channel can be linked to the user, his privacy is compromised even though the data are encrypted, since others can relate the electrocardiographic monitoring to a cardiac problem.
According to previously reported works, e.g., [3,4], an authenticated key agreement protocol for a WBAN shall provide data secrecy, user anonymity, session unlinkability, mutual authentication and forward secrecy, and shall be resilient to online/offline dictionary attacks, replay attacks and man-in-the-middle attacks. For several reasons, generic authenticated key agreement protocols [5] or lightweight protocols for general-purpose short-distance communication [6] should not be used in WBANs. Firstly, the specific architecture of a WBAN includes three tiers with multiple first level nodes, a setting for which most generic protocols are not optimized. Some first level nodes may be restricted in power or computation ability, so that heavy computation is not possible. Furthermore, some generic authentication protocols do not include user anonymity among their design requirements. In a WBAN, however, the identity of the patient should be concealed while he is being diagnosed.
WBANs share some properties with Hierarchical Wireless Sensor Networks (HWSNs). The valuable experience established in the HWSN research area has in turn led to the fast development of WBANs. Wang et al. [7] have summarized some early advances in authentication protocols for HWSNs. However, conventional HWSNs assume a large-scale network and are more concerned with battery power than with security and user privacy. As of today, no HWSN protocol has been directly applied to WBANs.
Recently, various authentication and key agreement protocols for WBANs have been proposed. In 2009, Keoh et al. [8] reported a protocol using a synchronized LED blinking pattern and keychains, which provides a visual confirmation of the sensor pairing. Later, Liu et al. [9] presented another protocol using both public key and secret key cryptography in the authentication. In 2014, Liu et al. [10] improved the anonymity over their previous work and presented a protocol focusing on the communication between the first level and second level nodes, using elliptic curve cryptography and a bilinear map. However, the anonymity of the scheme was broken by Zhao in 2014 [11]. Zhao and, subsequently, Wu et al. [12] presented their own protocols to overcome weaknesses found in previous works. Those protocols, however, require public key cryptography (either elliptic curve cryptography or bilinear pairing) in the sensor node, yielding a heavy computation and storage burden [13]. In order to save resources and ensure anonymity, Shen et al. [14] proposed a cloud-aided lightweight authentication protocol. Their protocol ensures that the network manager cannot learn the user's real identity in the authentication phase.
The sensors attached to the human body have direct access to the physiological signals of the person. As a result, physiological signals such as the electrocardiogram (ECG) or photoplethysmogram (PPG) may be used to generate the keys for the communication [15][16][17]. Such an approach is quite novel and may find good applications once its robustness and security have been verified in larger-scale experiments. Unlike secrets such as passwords or pre-loaded secret keys, a physiological signal cannot necessarily be kept away from attackers.
In 2017, Li and his colleagues proposed a lightweight mutual authentication and key agreement protocol with anonymity for WBANs [4]. They claimed that their protocol provides anonymity and is secure against various types of attacks. However, this study demonstrates that Li's protocol is not secure once the first level node is compromised. In addition, their approach fails to provide node anonymity, so that an attacker is able to track a second level node. To overcome these shortcomings, we provide a simple but effective amendment to the protocol. The repaired protocol is secure against impersonation attacks, replay attacks and man-in-the-middle attacks. It also provides better anonymity for the WBAN users.
The organization of the paper is as follows. Section 2 reviews Li's scheme. In Section 3, we show the insecurity of their scheme. Next, an improved scheme is presented in Section 4. We then provide a security analysis of the improved scheme, and finally conclude the paper.

Review of Li's Protocol
In this section, we briefly review Li's protocol [4]. Figure 2 shows the architecture of this protocol, which consists of three levels of nodes, i.e., a hub node (HN), a first level node (FN) and some second level nodes (SN). The second level nodes are wearable sensors attached to the human body. Usually, these SNs are resource-constrained, with limited computational and communication power. They report sensed data to a first level node (FN) via a public channel. An FN is an intermediate node between the SN and the HN. It may be a smart phone or a smart watch, providing good communication and computation ability and coordinating a set of SNs attached to the same human body. Next, the FN forwards the received sensed data to a hub node (HN), which has rich resources and may be installed with a database. The protocol is composed of two phases, the registration phase and the authentication phase. In the registration phase, a system administrator registers and initializes the HN, FN and SN. In the authentication phase, an SN attempts to set up a secure connection in the network while authenticating the identity of the HN and being authenticated by the HN.

Registration Phase
In this phase, the HN generates a unique secret key k_HN and securely stores it in its memory. In addition, each second level node is registered individually. Once a second level node N is registered, the following steps are performed:
1. A unique secret identity id_N is generated for N, which is also used as the secret key of N.
2. A unique identity id_N is generated for the FN. (It is not explicit in their article whether another id_N is generated when another SN is registered. However, if a different id_N is generated for each SN, that immediately makes the SN traceable, since the unencrypted id_N is sent over the air every time the SN attempts to connect to the server.)
3. A secret parameter k_N is generated for N.
4. The system computes a_N and b_N.
5. The FN stores the tuple (id_N, id_N, a_N, b_N) in its memory.
6. N stores the tuple (id_N, a_N, b_N) in its memory.
7. The HN stores id_N in its memory.
Note that k_N is not required to be stored in the sensor node SN or at the hub node HN.

Authentication Phase
In this phase, N establishes a session key with the HN through the FN as follows. The whole process is given in Figure 3.
1. A second level node N selects a random number r_N and computes the values shown in Figure 3, where t_N is the current timestamp. Next, N sends (tid_N, y_N, a_N, b_N, t_N) to the FN.
2. After receiving the message from N, the FN places its identity id_N in the message and forwards the message (id_N, tid_N, y_N, a_N, b_N, t_N) to the HN.
3. On receiving the message from the FN, the HN first checks id_N in its database; the process is terminated if this check fails. Then, the HN checks the timestamp t_N by judging whether t^* − t_N < δt, where t^* is the time when the message is received and δt is the maximum transmission delay. Next, the HN computes the values shown in Figure 3 and checks whether tid^*_N = tid_N. If the equation holds, the HN is assured that N is legitimate.
4. The HN picks temporary secret parameters f_N, k^+_N and continues to compute the values shown in Figure 3.
5. Finally, the HN stores the session key k_s = h(id^*_N, r^*_N, f_N, x^*_N) and sends the message (α, β, η, µ, id_N) to the FN.
6. Once the FN receives the message from the HN, it drops its identity id_N and sends the message (α, β, η, µ) to N.
7. Once N receives the message, it computes β^* (see Figure 3) and checks β^* = β to determine whether the HN is legitimate. The authentication process terminates if the equation does not hold. Then, the

Cryptanalysis of Li's Protocol
This section shows that the protocol proposed by Li and his colleagues is vulnerable to three types of attacks, i.e., offline identity guessing attacks, sensor node impersonation attacks and hub node spoofing attacks.

The Adversary Model
We assume the adversary is capable of the following. The first three capabilities are adopted from Li's paper, while the last one is a reasonable extension of their model:
• The adversary controls the communication channel: it may eavesdrop on, modify and replay any message transmitted on the channel. This captures the protocol requirements of resilience to replay attacks, resilience to man-in-the-middle attacks, mutual authentication and resilience to online/offline dictionary attacks.
• The adversary can capture any sensor node by some means and extract the secret data stored in the captured node. This captures the requirements of mutual authentication and forward secrecy.
• The hub node HN is always trustworthy. However, an adversary may intrude into the HN's database and read and manipulate all data in it, except for the HN's master key k_HN. This captures resilience to the stolen-database attack, in which the HN's database is stolen.
• An adversary may intrude into a first level node FN and read all data stored in it. Given that both the bottom level SN and the top level HN can be compromised by the adversary, the FN cannot be assumed to remain uncompromised at all times, especially since an FN may be a smart phone or a smart watch, which is easily stolen.

Vulnerability to Intruding FN Attacks
In the protocol design, an FN mainly serves as an intermediate relay. However, during the registration phase, the secret information, e.g., id_N, a_N and b_N, is all stored in the FN. It is not explicit in their paper how these values are to be used by the FN. We observe that the FN does not have the capability to authenticate an SN, or to be authenticated by the HN on behalf of an SN, if the FN is responsible for coordinating the SN. Nevertheless, storing these values turns out to be a point of vulnerability in the protocol: for an adversary able to intrude into an FN, all SNs coordinated by this FN are compromised.

Vulnerability to the Tracking Attack
Li claimed that the protocol allows anonymous communication, so that an adversary cannot link one communication session to another session of the same SN. However, this claim does not hold, based on the following facts.
Every SN is registered to the system through a single FN. The identity of the FN, id_N, is sent over the air in Step 2 of the authentication phase. Since id_N never changes in the protocol, an adversary can easily associate two sessions with the same FN. For an FN coordinating only one SN, the adversary can link two sessions of the same SN by inspecting only Step 2. If the FN coordinates more SNs, the user's privacy/anonymity does not improve in some of the applications suggested in Li's paper. Consider the medical setting, where the sensors of a patient are likely to be connected to a single FN, e.g., his smart phone. Revealing the identity of the FN (the smart phone) is even worse than revealing only the identity of an SN (a sensor).
In certain applications, an FN may coordinate an extremely large number of SNs, where the identity of the SN is the only concern; even then, an adversary is able to link two sessions of the same SN. Assume that the adversary A captures only the messages sent from the SN to the FN and from the FN to the SN at time T_1 and at a later time T_2, with subscripts 1 and 2 denoting the values captured in the respective sessions. To investigate whether the messages captured at T_2 are a subsequent login of the SN captured at T_1, A simply computes a_2 ⊕ b_2. If the two sessions are related, this value equals η_1 ⊕ µ_1; checking a_2 ⊕ b_2 = η_1 ⊕ µ_1 therefore determines whether the two sessions are related.

Repairing the Protocol
One of the biggest problems with the protocol is that the FN performs no function in the authentication while possessing the secret information of the SNs it coordinates. A simple, straightforward approach is to let the FN store no information about the SN at all; the FN then acts only as a relay between the SN and the HN. The protocol remains secure (but not anonymous) even if the FN is compromised. This, however, does not resolve the vulnerability of the protocol to the tracking attack. Moreover, this option removes the ability of an FN to control the SNs, which may not be suitable in some applications.
The security and system requirements may be stated as follows. The SNs have low computation/communication power, while the FNs and HNs are less constrained. The SNs and HNs must be mutually authenticated. The SN and FN should also be mutually authenticated, though these two authentications need not take place at the same time. Based on these requirements, we propose a simpler repaired protocol exhibiting better security and anonymity.

Architecture
In our architecture, we maintain the three-level roles. However, the communication between an SN and an FN (SN-FN) is separated from the communication between an SN and an HN (SN-HN). A two-party authentication protocol is described in this section, and the same protocol is used for both SN-FN and SN-HN communication. In the case of SN-HN communication, the FN serves as a relay. SN-HN communication normally takes place when sensed data are reported to the HN, while SN-FN communication normally takes place when the FN manages the SN or gathers data from it. Where FN-HN communication is required, we assume that a general-purpose authentication protocol, e.g., [5,18], is used, since both nodes have less constrained computation power.

Description of the Repaired Protocol
As mentioned above, this protocol is a two-party protocol. The reader may assume a duplication of keys for the SN-FN and SN-HN communications. We use UN (upstream node) to denote either an FN or an HN. Unless specified otherwise, all variables have the same length as the output of the hash function, length(h).
An SN should register separately with an FN and with an HN, so two sets of keys are required. In practice, these two registrations may be performed simultaneously via the FN, as long as the process is securely accomplished. Assume that the SN is registering with either of them, denoted as a UN. The SN is then assigned the following:
• id_N, a unique secret identity for the SN.
In this protocol, the UN does not need to store any secret information about the SN. If the UN wishes to keep track of the identity of the SN, it may keep a truncated or hashed id_N. The value of id_N must be unique; one bit of id_N may be used to indicate whether it is associated with SN-HN or SN-FN communication, and several bits may carry part of the identity of the UN.
When the SN wishes to initiate a communication with a UN, the SN performs the following operations (in case an FN wishes to initiate the protocol, the protocol is preceded by a Hello message from the FN to the SN). Please also refer to Figure 4.

1. The SN generates a random number r_N and a timestamp t_N and computes the values shown in Figure 4. Then, it sends (tid_N, y_N, a_N, b_N, t_N) to the UN.
2. On receiving the request, the UN first checks whether the timestamp is still valid. Then, it computes the values shown in Figure 4. Next, it validates tid_N against h(id^*_N, t_N, c^*_N, r^*_N). The protocol is aborted if this does not hold.
3. The UN continues the protocol by selecting random numbers f_N, k^+_N and computing the values shown in Figure 4, where k_s represents the session key. Finally, the UN sends (α, β, η, µ) to the SN.
4. The SN validates the message by computing f^*_N = c_N ⊕ α and checking whether β equals h(id^*_N, r_N, f^*_N, η, µ). If not, it rejects the protocol run.
5. Finally, the SN computes the session key and updates its keys as shown in Figure 4. The SN computes the same session key k_s as the UN in the absence of an adversary or noise. It then replaces (a_N, b_N) with (a^+_N, b^+_N) in its memory.
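The timestamp check used by the HN in Step 3 of Li's protocol and by the UN in Step 2 of the repaired protocol, t^* − t_N < δt, accepts any request whose timestamp is at most δt old. The Python code below is an added example, not code from the paper or from Li's protocol: it implements that check together with two complements a deployed UN would want, rejecting timestamps that lie in the future (which the one-sided check would accept) and remembering the tid_N values accepted inside the window so that a verbatim replay within δt is refused. The tid_N construction follows the paper's h(id_N, t_N, c_N, r_N); SHA-256 as the instantiation of h, the encoding of the fields, the value of δt and the replay cache itself are assumptions of this example.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Maximum transmission delay δt in seconds. The paper leaves the value to the
# deployment; 5 s is a constructed example value.
DELTA_T = 5.0


def h(*parts: bytes) -> bytes:
    """The protocol's hash h(·, ·, ...), instantiated here with SHA-256 over
    length-prefixed fields so that (x, yz) and (xy, z) cannot collide."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


def encode_time(t: float) -> bytes:
    """Timestamp t_N as a fixed-width big-endian millisecond count (assumed encoding)."""
    return int(round(t * 1000)).to_bytes(8, "big")


def make_tid(id_n: bytes, c_n: bytes, t_n: float, r_n: bytes) -> bytes:
    """tid_N = h(id_N, t_N, c_N, r_N), the value the UN validates in Step 2."""
    return h(id_n, encode_time(t_n), c_n, r_n)


class FreshnessChecker:
    """Freshness and replay filter run by the UN on each login request.

    accept() returns (decision, reason). A request is fresh only if
    |t* - t_N| < δt and its tid_N has not been accepted earlier inside the
    window. The cache of accepted tid_N values is an added defensive measure
    (an assumption of this example), not part of the paper's protocol.
    """

    def __init__(self, delta_t: float = DELTA_T) -> None:
        self.delta_t = delta_t
        self._seen: Dict[bytes, float] = {}   # tid_N -> t_N, accepted in window

    def _prune(self, t_star: float) -> None:
        # Entries whose t_N is now stale would fail the timestamp check anyway,
        # so they can be dropped; this bounds the cache to one window.
        stale = [tid for tid, t_n in self._seen.items() if t_star - t_n >= self.delta_t]
        for tid in stale:
            del self._seen[tid]

    def accept(self, tid_n: bytes, t_n: float, t_star: float) -> Tuple[bool, str]:
        self._prune(t_star)
        if t_n - t_star >= self.delta_t:
            # The paper's one-sided test t* - t_N < δt would pass a future
            # timestamp; bounding the clock skew in both directions closes that gap.
            return False, "timestamp in the future"
        if t_star - t_n >= self.delta_t:          # the paper's check, negated
            return False, "stale timestamp"
        if tid_n in self._seen:
            return False, "replayed tid_N"
        self._seen[tid_n] = t_n
        return True, "fresh"


def demo() -> List[str]:
    """Constructed scenario: an honest login, its replay inside the window, a stale
    request, a future-dated request, and the first login replayed after the window."""
    chk = FreshnessChecker(delta_t=5.0)
    id_n, c_n = os.urandom(16), os.urandom(32)    # constructed SN secrets
    verdicts = []
    tid1 = make_tid(id_n, c_n, 1000.0, os.urandom(16))
    verdicts.append(chk.accept(tid1, 1000.0, 1001.0)[1])   # fresh
    verdicts.append(chk.accept(tid1, 1000.0, 1003.0)[1])   # replayed tid_N
    tid2 = make_tid(id_n, c_n, 990.0, os.urandom(16))
    verdicts.append(chk.accept(tid2, 990.0, 1001.0)[1])    # stale timestamp
    tid3 = make_tid(id_n, c_n, 1010.0, os.urandom(16))
    verdicts.append(chk.accept(tid3, 1010.0, 1001.0)[1])   # timestamp in the future
    verdicts.append(chk.accept(tid1, 1000.0, 1006.0)[1])   # stale timestamp (6 s >= δt)
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The cache only needs to cover one window: once t^* − t_N reaches δt the timestamp check alone rejects the request, so older entries are discarded on every call and memory stays proportional to the number of logins per δt rather than to the lifetime of the UN.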

Security Analysis of the Repaired Protocol
This section demonstrates that our repaired protocol is secure against the aforementioned attacks.

Intruding on the FN Attacks
In the repaired protocol, the FN no longer stores the keys shared between an SN and the HN. Therefore, compromising an FN leaks only the keys between the SNs and the FN. The compromised FN is not able to impersonate an SN in communication with the HN. The compromised FN can still access the SN in an SN-FN communication, but it gains no extra access, e.g., to data exclusive to the HN. Likewise, the protocol keeps the SN-FN communication secure if all secrets stored in the HN are compromised.

Impersonation, Man-in-the-Middle and Replay Attacks
The protocol provides sound mutual authentication between an SN and an FN/HN. The adversary defined in Section 3.1 models the capabilities required to perform impersonation, man-in-the-middle and replay attacks. The goals of this adversary are as follows: (Goal 1) convincing either an SN or a UN to believe, wrongly, that a legitimate partner is participating in a communication within the timeout period; (Goal 2) having a better strategy than a wild guess for distinguishing a session key k_s from a random string of the same length. We show that no adversary can achieve either of these goals with non-negligible probability.
Goal 1 is achieved when either the UN accepts or the SN accepts. We discuss these cases separately.
• The UN accepts. This happens if and only if tid_N = h(id^*_N, t_N, c^*_N, r^*_N). We assume that the SN does not generate a tid_N after t^* − ∆T; otherwise, the definition of Goal 1 is violated. If this equation holds but the hash h(id^*_N, t_N, c^*_N, r^*_N) has never been computed, this happens only with probability p = 2^{−length(h)}. If the equation holds and the hash has been computed before, we may conclude that it was not produced by a legitimate SN and UN: id_N is unique, the SN produced no tid_N at time t_N, and the UN never sends a computed tid_N. Therefore, the only possibility is that the adversary computed the hash itself. This requires the adversary to have id_N and c_N, which are never sent over the network, and is bounded by p^2 × q_h, where q_h is the maximum number of hashes that can be queried with reasonable resources.
• The SN accepts. This happens if and only if the value of β equals h(x^+_N, r_N, f^*_N, η, µ). Similarly, if the hash was never computed, the probability is bounded by p. If the hash was previously computed by the UN, the same SN (with id^*_N) has already sent a login request with r^*_N. Since r^*_N is randomly chosen, this happens only with probability p × q_E, where q_E is the total number of sessions executed by the SN. Otherwise, the adversary has to correctly guess id^*_N and c_N, which happens only with probability p^2 × q_h.
To sum up, Goal 1 is achieved with probability lower than (q_E + 2)p + 2q_h p^2, where p = 2^{−length(h)}, q_E is the total number of sessions executed by the SN, and q_h is the total number of hashes that the adversary can compute with reasonable resources. This number is negligible when the length of the hash is large.
Goal 2 is achieved only when the UN accepts and the hash h(id_N, r_N, f_N, x_N) has been computed by the adversary, since k_s is never transmitted. However, id_N and x_N are both secret, and correctly guessing them is bounded by p^2 × q_h. Considering the probability of achieving Goals 1 and 2 together, an attacker mounting an impersonation attack, a man-in-the-middle attack or a replay attack succeeds with probability less than (q_E + 2)p + 3q_h p^2.
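Collecting the two cases of Goal 1 and the extra term for Goal 2 gives the stated bounds. The summation below is an added worked derivation in the paper's own symbols, not text from the paper:

$$\Pr[\text{UN accepts}] \le p + q_h\,p^2, \qquad \Pr[\text{SN accepts}] \le p + q_E\,p + q_h\,p^2,$$

$$\Pr[\text{Goal 1}] \le (p + q_h\,p^2) + (p + q_E\,p + q_h\,p^2) = (q_E + 2)\,p + 2\,q_h\,p^2,$$

$$\Pr[\text{Goal 1 or Goal 2}] \le (q_E + 2)\,p + 2\,q_h\,p^2 + q_h\,p^2 = (q_E + 2)\,p + 3\,q_h\,p^2, \qquad p = 2^{-\mathrm{length}(h)}.$$

As an illustration with constructed figures, for length(h) = 256, q_E ≤ 2^{40} sessions and q_h ≤ 2^{80} hash evaluations, the linear term (q_E + 2)p is below 2^{−215} and the quadratic term 3q_h p^2 is below 2^{−430}, so the total bound is below 2^{−214}.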

Tracking Attacks and Anonymity
We can see that the tracking attack described in Section 3.3 no longer works. First of all, an FN serves only as a relay that forwards messages, so no information can be harvested to identify the relaying FN. Furthermore, the equality a_2 ⊕ b_2 = η_1 ⊕ µ_1 no longer holds: since c_N and f_N are not computable by the adversary, computing h(f_N, c_N) or h(c_N, f_N) is not possible.
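To make the unlinkability argument testable, the Python code below is an added example, not code from the paper: a generic audit that, given the public fields of two captured sessions, reports every pair of fields in the later session whose XOR equals the XOR of some pair of fields in the earlier session, which is exactly the relation a_2 ⊕ b_2 = η_1 ⊕ µ_1 used in Section 3.3. The transcripts it runs on are constructed: the "weak" pair is built so that the relation holds, mirroring what the paper reports for Li's protocol rather than re-deriving Li's formulas, which are not reproduced here; the "repaired" pair derives the updated a_N, b_N and the η, µ values as separate hashes over f_N and c_N, an assumed instantiation of the repaired protocol's hash-based derivation, with SHA-256 standing in for h.

```python
import hashlib
import os
from itertools import combinations
from typing import Dict, Iterable, List, Tuple

Transcript = Dict[str, bytes]   # field name -> value observed on the public channel
Pair = Tuple[str, str]


def h(*parts: bytes) -> bytes:
    """Protocol hash h(·, ·, ...), instantiated with SHA-256 over length-prefixed fields."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def find_xor_links(earlier: Transcript, later: Transcript) -> List[Tuple[Pair, Pair]]:
    """Unlinkability audit: every pair of fields in the later session whose XOR
    equals the XOR of a pair of fields in the earlier session. Any hit is a
    relation an eavesdropper could use to link the two sessions to one SN."""
    earlier_xors = {pair: xor(earlier[pair[0]], earlier[pair[1]])
                    for pair in combinations(sorted(earlier), 2)}
    hits = []
    for later_pair in combinations(sorted(later), 2):
        v = xor(later[later_pair[0]], later[later_pair[1]])
        for earlier_pair, w in earlier_xors.items():
            if v == w:
                hits.append((later_pair, earlier_pair))
    return hits


def _random_fields(names: Iterable[str]) -> Transcript:
    return {n: os.urandom(32) for n in names}


def weak_transcripts() -> Tuple[Transcript, Transcript]:
    """Constructed transcripts exhibiting a_2 ⊕ b_2 = η_1 ⊕ µ_1, the relation the paper
    reports for Li's protocol. The values are synthetic: b_2 is simply chosen so that
    the relation holds, since Li's actual update formulas are not reproduced here."""
    s1 = _random_fields(["tid", "y", "a", "b", "t", "eta", "mu"])
    s2 = _random_fields(["tid", "y", "a", "t", "eta", "mu"])
    s2["b"] = xor(s2["a"], xor(s1["eta"], s1["mu"]))
    return s1, s2


def repaired_transcripts() -> Tuple[Transcript, Transcript]:
    """Constructed transcripts in the style of the repaired protocol: the next-session
    (a_N, b_N) and the η, µ sent by the UN are separate hashes over the per-session
    secret f_N and the SN secret c_N (assumed derivation), so no pair of public fields
    XORs to a value that recurs in the following session."""
    c_n = os.urandom(32)                       # SN secret, never on the channel
    f1 = os.urandom(32)                        # UN's per-session secret, session 1
    s1 = _random_fields(["tid", "y", "a", "b", "t"])
    s1["eta"] = h(b"eta", f1, c_n)
    s1["mu"] = h(b"mu", f1, c_n)
    f2 = os.urandom(32)                        # fresh per-session secret, session 2
    s2 = _random_fields(["tid", "y", "t"])
    s2["a"] = h(b"a+", f1, c_n)                # a^+_N, b^+_N stored after session 1
    s2["b"] = h(b"b+", f1, c_n)
    s2["eta"] = h(b"eta", f2, c_n)
    s2["mu"] = h(b"mu", f2, c_n)
    return s1, s2


if __name__ == "__main__":
    print("weak    :", find_xor_links(*weak_transcripts()))
    print("repaired:", find_xor_links(*repaired_transcripts()))
```

The audit is deliberately agnostic about which fields are which: it tries every pair in each session, so it also catches relations a protocol designer did not anticipate, at the cost of a quadratic number of comparisons per session pair.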

Simulation Verification Using the ProVerif Tool
ProVerif is an automatic cryptographic protocol verifier, widely used to specify and analyze the security of authenticated key agreement protocols [19][20][21][22][23].
In this section, we utilize ProVerif to further analyze the security and validity of the proposed protocol. The simulation includes two main roles, SN and UN, and consists of the following procedures:
• First, we define the variables used in the simulation. K_UN is the secret key of the HN, and SK_SN and SK_UN are the final shared keys established by the SN and the UN, respectively. Then come the functions and events (Figure 5).
• Second, we list the goals of the simulation. More specifically, the goals are to ensure that the whole authentication process succeeds, that the shared key is established, and that the attacker cannot obtain the key (Figure 6).
• The process of the SN (Figure 7).
• The process of the UN (Figure 8).
• The main execution (Figure 9).
According to the simulation results depicted in Figure 10, the proposed protocol achieves the goals listed in Figure 6.

Performance Evaluation
This section describes the performance evaluation of the repaired protocol along with other related protocols [4,10,11,12,14] in terms of security properties and estimated time. We focus on anonymity and on resistance to tracking attacks, insider attacks, replay attacks, impersonation attacks and man-in-the-middle attacks, as well as mutual authentication and session key forward secrecy. From Table 1, we see that only the repaired protocol, Wu's protocol [12] and Shen et al.'s protocol [14] fulfill all the security properties. We analyze the time performance of these protocols by counting the core cryptographic operations used in each of them, and then estimate the running time of each protocol by adding up the times of the executed cryptographic operations. We do not consider parallel computation with multi-core technologies, since most wearable devices have only a single core. Pipelining is also not discussed here, since the authentication usually needs to be executed only once.
We consider two possible realizations of an SN: a sensor device using the MICAz (Crossbow Technology, San Jose, CA, USA) with 4 KB RAM and a 7-MHz ATmega128L microcontroller (Microchip Technology Inc, Chandler, AZ, USA), and a smart phone, an iPhone 6s (Apple, Cupertino, CA, USA) with 2 GB RAM and an ARM (armv8-a) CPU. The times required on the MICAz are taken from [13,24,25], while we implemented the operations on the smart phone using the Pairing Based Cryptographic Library [26]. The results are summarized in Table 2; for example, a bilinear pairing operation takes 25.64 ms on the iPhone 6s and 5320 ms on the MICAz [13]. Table 3 lists the estimated time of the mentioned protocols based on these experimental data. From this table, we observe that the repaired protocol costs more time than Li's protocol [4], as it uses six more hash operations, but less time than the other related protocols [10,11,12,14].

Figure 1. Architecture of a medical WBAN.

Figure 5. ProVerif code of variables, functions and events.

Figure 6. Goals of this simulation.

Figure 9. Main process of this simulation.

Table 1. Comparison of the security properties. Y and N stand for fulfilling and not fulfilling the requirement, respectively.

Table 2. Computation time of the cryptographic operations.