Cross-SN: A Lightweight Authentication Scheme for a Multi-Server Platform Using IoT-Based Wireless Medical Sensor Network

Abstract: Several wireless devices and applications can be connected through wireless communication technologies to exchange data in future intelligent health systems (e.g., the Internet of Medical Things (IoMT)). Smart healthcare requires ample bandwidth, reliable and effective communications networks, energy-efficient operations, and quality of service (QoS) support. Healthcare service providers host multi-servers to ensure seamless services are provided to the end-users. By supporting a multi-server environment, healthcare medical sensors produce many data transmitted via servers, which is impossible in a single-server architecture. To ensure data security, secure online communication must be considered since the transmitted data are sensitive. Hence, the adversary may try to interrupt the transmission and drop or modify the message. Many researchers have proposed authentication schemes to secure the data, but the schemes are vulnerable to specific attacks (modification attacks, replay attacks, server spoofing attacks, man-in-the-middle (MiTM) attacks, etc.). However, the absence of an authentication scheme that supports multi-server security in such a comprehensive development in a distributed server is still an issue. In this paper, a secure authentication scheme using wireless medical sensor networks for a multi-server environment is proposed (Cross-SN). The scheme is implemented with a smart card, password, and user identity. Elliptic curve cryptography is utilized in the scheme, and Burrows–Abadi–Needham (BAN) logic is utilized to secure mutual authentication and to analyse the proposed scheme's security. It offers adequate protection against replay, impersonation, and privileged insider attacks and secure communication in multi-server parties that communicate with each other.


Introduction
The Internet of Things (IoT) technology allows healthcare to shift from traditional hub-based systems to customized eHealth systems, allowing for more preventive intervention, lower overall costs, improved patient attention, and increased sustainability. By offering to everyone unobtrusive monitoring and highly personalized rich medical information and successful clinical choices, efficient IoT-enabled eHealth systems can be implemented [1]. Wireless sensor networks (WSNs) are essential parts of the IoT architecture. WSNs consist of low-power sensors with low processing and limited resources [2]. The main task of the sensor is to collect and send data through the outside gateway. WSNs play an essential role in IoT health applications. Health and health services profit from WSNs, which offer practical applications such as real-time patient monitoring, medical administration, diagnostic support, patient tracking systems in a hospital, etc. A wide range of fields has been

Related Works
In the area of health and medical applications, IoT has great potential. Some IoT-related technologies are of particular interest, such as body zone sensors, advanced healthcare systems, wearable sensors, wireless cloud networks, storage and display of clinical data, etc. In 2012, Kumar et al. [18] proposed a WMSN authentication protocol to track a patient's health and claimed that this could protect the protocol against established threats to security. Their protocol is efficient because it uses only symmetric encryption and a hash function to protect communication. They introduced an Efficient Strong Authentication Protocol (E-SAP) for WMSN healthcare applications. They also suggested that the user needs to authenticate using the MS Node and to set the session key. In terms of cost and protection, they considered their scheme better than other existing protocols. However, [10] explains that the protocol [18] is ineffective against security threats. Wu et al. (2017) [19] developed a WMSN-based, stable, two-factor remote authentication scheme. Their device is more potent than current schemes and is immune to known safety threats. The device sends a validation code to pairs (for instance, cell phones or smart cards) that generate keys. ProVerif (Blanchet and Smyth, 2011) is used to validate the proposed scheme's protection against various attacks. A study and comparison of the scheme also revealed that it is acceptable for customized systems of healthcare (PHS). It addresses traditional security and user untraceability criteria. They say that their scheme is immune to attacks, insider attacks, offline guessing, and main session disclosure attacks but does not have forward confidentiality. Similarly, Ali et al. (2018) [20] developed an improved 3-factor authentication protocol for wireless healthcare applications.
Burrows-Abadi-Needham (BAN) logic and Automated Validation of Internet Security Protocols and Applications (AVISPA) were used to validate the security of their scheme. They thought they would patch their device for offline evaluation of passwords, user-independence attacks, documented temporary session-key information attacks, and identity devaluation attacks. Unfortunately, in 2019 [21], Shuai et al. showed that the system [20] was vulnerable to attacks on the user, deletion of passwords offline, and temporary attacks on session-based key information. Yoney et al. (2018) [15] nevertheless introduced WBAN's anonymous e-Healthcare User Authentication Scheme. The proposed scheme uses better elliptical cryptography and is secure to defend users against password guessing attacks and lost/stolen smart card verifier attacks. The author developed a user authentication framework to prevent the transmission of knowledge to intruders. The system offers good, easy, and convenient communication with calculations and controls. A structured security analysis was conducted using the AVISPA tool to validate the proposed structure. In parallel, in Li et al. (2019) [22], an Elliptic Curve Cryptography (ECC) based 3-factor wireless network sensor authentication protocol was developed using error correction code and fluent engagement schemes to manage biometric details and secrecy forward. To resolve the problem of local password search, the fuzzy checker and honey list techniques were also adopted when resisting attacks on mobile devices. While Li et al. used the fuzzy checker technique and argued that their wireless medical sensor network protocol [22] fulfils several safety features, we found that it could not withstand replay attacks. Shuai et al. implemented a three-factor authentication solution in 2019 [21] that is lightweight and effective for remote control of On-Body Wireless Networks (OBWN) patients.
The proposed scheme adopts a specific hash chain technique for future users' anonymity, and a pseudonym identity is given to resist attacks of synchronization. The proposed framework adopts the pseudonym identity approach for user anonymity and provides possible confidentiality using a one-time hash chain technique. However, Mo et al. [23] have shown that their method [21] still has three security drawbacks: offline dictionary devaluation attacks, privileged insider attacks, and password change errors.
Although many researchers have carried out a large amount of research on wireless medical sensor networks, we found that current research activities still do not consider authentication in heterogeneous networks, especially in a multi-server environment. In distributed systems, the transmitted data are sensitive and the adversary could interrupt the communication and attempt to drop, modify, or impersonate the message. Unfortunately, most of the proposed schemes still suffer certain attacks such as offline dictionary attacks, modification attacks, and insider attacks. Therefore, we designed a secure authentication scheme using a wireless medical sensor network in a multi-server environment. To design a secure authentication scheme for a wireless medical sensor network, a few security requirements must be considered, as shown in the following section.

Security Requirements of Medical Sensors
In IoMT, protection and privacy play critical roles, although most health-related organizations do not spend enough time protecting security and privacy. IoMT devices create an increasingly complex and susceptible amount of real-time data. The failure of the health system or protection of the network could have disastrous implications [24]. However, data security information for patients is given at all data handling, delivery, cloud storage, and data republication levels [24,25]. For medical security and privacy systems on the network of wireless medical sensors, the following four requirements should be considered [26].

• Mutual authentication: The proposed protocol should include mutual authentication to ensure participants' protection. Participants interacting should be authenticated [27].
• Data integrity: Data integrity refers to the fact that all data values' syntactic and semantic specifications are met without unauthorized interference. Two specific and reliable criteria are implemented. Data integrity can be divided into four categories: integrity of individuals, the integrity of places, referential integrity, and integrity defended by primary keys, controls, laws, and external triggers [25].
• Backward and Forward Secrecy: Backward and forward secrecy play critical roles in securing exchanged messages in previous and next communication. Therefore, any proposed scheme needs to provide this property to prevent adversaries from obtaining the session keys. In case the adversary receives the current session key, he/she cannot obtain the previous and next session key [28].
• Data Usability: The use of data implies the usage of data or data structures by approved users. Big data provides immense benefits and crucial challenges, including false data and non-standard data. Moreover, unauthorized access-caused data manipulation or failure often destroys data usability [29].
• Various attack resistance: In a multi-server environment, the authentication scheme should be able to resist specific passive and active attacks, practically in real-world applications [28].
• Key Agreement for Secure Session: The proposed scheme should provide a secure session key to encrypt communication and protect the authentication message between entities [26].

Preliminaries
The hash functions and elliptic curve cryptography used in this paper are described here. Table 1 contains a summary of the notations used in the rest of the article.

Table 1:
Identity of node sensor
$y, r_n, r_i, r_g, x$: Random numbers $\in Z_n^*$
$id_u$: User identity
$pw_u$: User password
$id_{rc}$: Registration centre identity
$h(.)$: Hash function

Hash Functions
A hash function takes a string as input and generates an output of fixed size, O = H(String). The output generated is called a hash code. A small change in the string value can make a significant difference [30]. A particular hash function has the following specifications:
• It is easy to find O = H(String) if the string is described.
• It is difficult to find two different inputs, String1 and String2, such that H(String1) = H(String2). This is called collision resistance.

Elliptic Curve Cryptography
Assume that $E/F_q$ is a set of points over a prime field $F_q$, which is defined by the following non-singular elliptic curve: (1), and the elliptical curve equation is defined as $E_p(e, f)$ : where $P$ is a prime number and the size of $P$ is ≥ 160 bits. The point multiplication is computed by repeated addition, $nP = P + P + P + \dots + P$ ($n$ times), over the defined $t$ of $E_p(e, f)$, and $n$ is the smallest positive integer. $(e, f, t, P, n)$ belong to the finite field $F_p$. $E$ defines the Abelian group [31].

Cross-SN Scheme
We propose a lightweight multi-server authentication scheme using a wireless medical sensor network in this section. The proposed authentication system uses a smart card in a multi-server environment with wireless medical sensors. The architecture of the proposed scheme is illustrated in Figure 2. The scheme comprises five stages: the login and authentication process, the registration process of node sensors, registration of the device, and updating passwords.

Server Registration Phase
In this phase, the server $S_j$ sends a request to the registration center RC to obtain its RC secret key. The steps of this phase are explained in detail in Figure 3 and listed as follows:
1. The server first selects an identity $SID_j$; then, through a secure channel, the message is forwarded to the RC.
2. RC receives the server identity $SID_j$ and computes $R_j = h(SID_j \| k)$; then, it sends the message $R_j$ to $S_j$.
3. Now, the server receives the message and stores $R_j$ securely.

Sensor Node Registration Phase
In this phase, the sensor node requests to register itself with the RC to obtain its RC secret key. The registration steps are presented in Figure 4 and listed as follows:
1. First, the sensor node Sn selects $NID_j$ and a random number $y$; then, it computes $V_i = h(NID_j \| y)$ and sends the message $\{V_i, NID_j\}$ to RC through a secure channel.
2. RC receives the message $\{V_i, NID_j\}$; RC generates a random number $r_n$, computes $TC_j = h(NID_j \| r_n) \oplus V_i$, and stores $NID_j$, $TC_j$ in its database. Then, RC sends $TC_j$ to the sensor node through a secure channel.
3. After RC receives the message $TC_j$ from the sensor node, Sn computes $G = TC_j \oplus V_i = h(NID_j \| y)$ and stores $G$ into its memory, which is safe.

User Registration Phase
First, the RC receives a request message from the user $U_i$ and acquires the SC with the secret key in it, received earlier from the RC. Figure 5 shows the registration steps described as follows:
1. After the user, $U_i$, inserts the smart card and selects the identity $id_u$ and password $pw_u$, he/she chooses a random number $r_i$ and, then, sends the message $\{id_u, h(pw_u \| r_i)\}$ to RC via a secure channel;
2. Now, the RC has the message $\{id_u, h(pw_u \| r_i)\}$ and generates a random number $r_{rc}$.

Login and Authentication Phase
The RC plays the third party's role for login and authentication of the user $U_i$ and the server $S_j$. The user and the server have a generated session key for future communication.
The steps are shown in Figure 6 and listed as follows:
1. The user $U_i$ first inserts his/her smart card and types the username $id_u$ and password $pw_u$. It chooses a random number $x \in Z_n^*$ to compute
2. Upon receiving the message $\{CID_i, X, \alpha\}$, server $S_j$ selects a random number $y \in Z_n^*$, and calculates
3. Otherwise, it ends the session. Later, the RC sends $\{TID_i, \varphi, TSID_j, \phi\}$ to the sensor node Sn.
4. The sensor node receives the message $\{TID_i, \varphi, TSID_j, \phi\}$ and computes. Then, it validates the identity $id_u$. If it is not valid, it ends the session; otherwise, it validates $\varphi$ and $h(id_u \| TID_i \| X \| SID_j \| NID_j \| Y \| R_j)$. If valid, it calculates the session key $SK = yX = xyP$ and $\eta = h(id_u \| SID_j \| X \| Y \| SK \| \phi)$; else, it ends the session. After that, Sn sends the message $\{TSID_j, Y, \phi, \eta\}$ to $S_j$.
5. The message $\{TSID_j, Y, \phi, \eta\}$ is now received by $S_j$, which calculates $SID_j = TSID_j \oplus h(X \| X^* \| R_i)$. It validates $\phi$ and $h(id_u \| X \| X^* \| SID_j \| Y \| R_i)$. If valid, it computes the session key $SK = xY = xyP$ and checks whether $\eta = h(id_u \| SID_j \| X \| Y \| SK \| \phi)$; if not, the server ends the session. Then, it computes $\lambda = h(SID_j \| id_u \| X \| Y \| SK \| \phi)$ and sends the message $\{SID_j, \lambda\}$ to $U_i$.
6. The user receives $\{SID_j, \lambda\}$, and computes $SID_j = TSID_j \oplus h(X \| X^* \| R_i)$, and $\lambda = h(SID_j \| id_u \| X \| Y \| SK \| \phi)$; then, it sends $\{\lambda\}$ to the sensor node Sn.
7. Sn checks $\lambda$ by calculating $\lambda = h(SID_j \| id_u \| X \| Y \| SK \| \phi)$. If it does not hold, it ends the session; otherwise, Sn confirms that $U_i$ is a legal user.
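
The key agreement used in steps 4 and 5 (SK = yX = xY = xyP), built on the repeated-addition point multiplication from the Elliptic Curve Cryptography section, is shown below as an added example; it is not the authors' code. It assumes secp256k1 as the curve, SHA-256 as h(.), length-prefixed concatenation for ∥, and constructed values for the identities and ϕ; all function names are illustrative.

```python
# Session-key agreement SK = xY = yX = xyP with the confirmation tag eta.
# Assumptions (not from the paper): secp256k1 as the curve, SHA-256 as h(.),
# length-prefixed concatenation for "||", constructed identities and phi.
import hashlib
import hmac
import secrets

P_FIELD = 2**256 - 2**32 - 977          # field prime of secp256k1
A, B = 0, 7                             # this curve: y^2 = x^3 + A*x + B
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G

def on_curve(pt):
    """True for the identity (None) or an in-range point on the curve."""
    if pt is None:
        return True
    x, y = pt
    in_range = 0 <= x < P_FIELD and 0 <= y < P_FIELD
    return in_range and (y * y - (x * x * x + A * x + B)) % P_FIELD == 0

def point_add(p1, p2):
    """Group law on the curve; None is the identity element."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None                      # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_FIELD, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)

def scalar_mult(k, pt):
    """kP by double-and-add, equal to P + P + ... + P (k times). Not constant-time."""
    result, addend = None, pt
    k %= N
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def h(*parts):
    """h(a || b || ...); each part is length-prefixed so the split is unambiguous."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(2, "big") + part)
    return digest.digest()

def enc(pt):
    """Fixed-width byte encoding of a curve point for hashing."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def ephemeral():
    """Fresh random scalar in [1, N-1] and the matching public value kP."""
    k = secrets.randbelow(N - 1) + 1
    return k, scalar_mult(k, G)

def session_key(own_secret, peer_point):
    """SK = own_secret * peer_point; the point check is an added safeguard."""
    if peer_point is None or not on_curve(peer_point):
        raise ValueError("received value is not a valid curve point")
    return scalar_mult(own_secret, peer_point)

def eta(id_u, sid_j, X, Y, SK, phi):
    """eta = h(id_u || SID_j || X || Y || SK || phi), as in step 4."""
    return h(id_u, sid_j, enc(X), enc(Y), enc(SK), phi)

def run_session(id_u=b"user-01", sid_j=b"server-A", phi=b"\x00" * 32):
    """One run with constructed inputs; returns both keys and the tag check."""
    x, X = ephemeral()                   # side that chose x sends X = xP
    y, Y = ephemeral()                   # side that chose y sends Y = yP
    sk_y = session_key(y, X)             # SK = yX
    sk_x = session_key(x, Y)             # SK = xY
    sent = eta(id_u, sid_j, X, Y, sk_y, phi)
    expected = eta(id_u, sid_j, X, Y, sk_x, phi)
    return sk_x, sk_y, hmac.compare_digest(sent, expected)

if __name__ == "__main__":
    sk_x, sk_y, tag_ok = run_session()
    print("keys match:", sk_x == sk_y, "| eta verifies:", tag_ok)
    print("next session differs:", run_session()[0] != sk_x)
```

Because x and y are drawn fresh in every run, two runs yield unrelated values of SK, which is the property the backward and forward secrecy argument relies on.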

Password Updates Phase
In this phase, the user can change or update the used password $pw_u$ to a new password $pw_u^{+1}$. The executed steps of this phase are listed as follows:
1. After inserting the SC into a card reader, the user types $pw_u$ and $id_u$. Then, $U_i$ has to type the newly selected password $pw_u^{+1}$.

SC calculates
Finally, $Z_i$ is replaced with $Z_{new}$.

Security Analysis
The security of the proposed scheme is analyzed in this section. The widely known formal analysis tool, Burrows-Abadi-Needham (BAN) logic [32], is applied to demonstrate the proposed scheme's validity and practicality. The BAN logic is widely used to prove a scheme's mutual authentication and was utilized in [33,34], for example. In addition, an informal security analysis against specific known attacks is discussed in this section to ensure that the proposed scheme meets the necessary security requirements of medical sensors and a multi-server platform.

BAN Logic Proof
In this section, the popular formal BAN logic model is used to validate cryptographic protocols. The notations and logical rules used in BAN logic are illustrated in Table 2.

Notation: Abbreviation
P |≡ X: P believes X
(X): X is fresh
P ⇒ X: P has jurisdiction over X
P X: P sees X
P |∼ X: P once said X
(X, Y): X or Y is one part of (X, Y)
<X> Y: X combined with Y
(X) Y: X is fresh with the key K
P k→ Q: P and Q use the shared key K to communicate
SK: The current session key

The freshness-conjuncatenation rule

P|≡QX,P|≡Q|≡X P|≡X
The jurisdiction rule

Goals: We first identify the main entities that will be used in BAN logic. Four entities represent the proposed scheme: the user (Ui), server (Sj), registration center (RC), and the medical sensor node (Sn). The procedure of the BAN logic is demonstrated theoretically in the following sections to meet the following goals:

Assumption: The following assumptions are essential for a systematic analysis using BAN logic for the initial status of the proposed scheme:

Analysis: We carry out verification of the proposed scheme according to the above assumptions and BAN logic rules:
• S19) $U_i |\equiv S_j |\equiv (id_u, SID, X, Y, U_i \overset{sk}{\longleftrightarrow} S_j)$. // Then, we apply the BAN logic rule for breaking the S20 conjunction.

As is evident, S7 establishes goal 1, S13 establishes goal 2, S19 establishes goal 3, and S23 shows goal 4. This finally indicates that a session key between the user and the medical sensor is recognized and ensures that they connect mutually.

Informal Security Analysis
The proposed scheme is analysed informally in this section, which discusses its security against known attacks. The ability to withstand these attacks (e.g., stolen verifier attacks and man-in-the-middle attacks) is a security requirement for the multi-server platform and medical sensors. Table 3 shows a comparison of the security properties of the proposed scheme against other schemes.

• Multi-server Support: From the above, we know that $U_i$ has access to numerous services from different servers and only needs to register with RC once. One authentication password is required for the user to remember. The proposed framework is, therefore, suitable for configuration of the multi-server.
• Data integrity: In the proposed scheme, the one-way hash function $h(.)$ is used to protect the identity and the password before transmission, which makes it impossible to modify the message, $\alpha = h(id_i \| SID_j \| R_i \| X \| X^*)$. In addition, the information is attached to a random number $x \in Z_n^*$ that it generates freshly. Therefore, the message's modification is difficult in our scheme; thus, it provides data integrity.
• Backward and forward secrecy support: If the attackers know the current session key, it will be challenging to know the next session key. The session key is calculated as $SK = yX = xyP$, where the secret values $Y = yP$, $Y^* = yP_{pub}$ are generated randomly by the $U_i$, $S_j$, and Sn. These values are different when the protocol is executed. Every session is independent; thus, even though the session's current key is known, the previous and future key cannot be obtained.
• Mutual authentication: In the proposed scheme, the user $U_i$, server $S_j$, and sensor node Sn authenticate each other. The server authenticates the user if the values $\varphi$ and $h(id_u \| TID_i \| X \| SID_j \| NID_j \| Y \| R_j)$ calculated are valid. In addition, the RC authenticates the server if the value $\beta$ and $h(CID_i \| X \| \alpha \| SID_j \| R_j \| Y \| Y^*)$ calculated by the RC are equal to the message received from the server. The sensor node then validates the message received from the RC, $\varphi$ and $h(id_u \| X \| X^* \| SID_j \| Y \| R_i)$; if the calculated value is equal, then the Sn authenticates the RC.
• Session key agreement: In the proposed scheme, the adversary cannot obtain the key session's information to compute the key for the next session even if the adversary knows the current key because the key session is calculated as $SK = yX = xyP$, where the secret values $Y = yP$, $Y^* = yP_{pub}$ are generated randomly by the $U_i$, $S_j$, and Sn. The values are different when the protocol is executed. The key session is developed independently in every session. Therefore, the key session agreement is achieved in the proposed scheme.
• Stolen verifier attack: RC calculates the $U_i$ secret key and sends it to $U_i$ during the proposed scheme's user registration phase. RC does not maintain a $U_i$ password or secret key verifier table. Then, even though the opponent may access the $U_i$ database, the adversary cannot obtain authentication information. The proposed scheme should therefore avoid a stolen verifier attack.
• Man-in-the-middle attack: We are aware from the discussion that the scheme proposed could provide mutual authentication between $U_i$, $S_j$, Sn, and RC. The proposed scheme should therefore also avoid a man-in-the-middle attack.
• Impersonation attack: The adversary cannot send a legal message $\{CID_i, X, \alpha\}$, even though they obtain two authentication factors. The suggested scheme, therefore, resists a user-impersonation attack.
• Server spoofing attack: To impersonate $U_i$, $S_j$, Sn, and RC, the adversary has to generate the valid message $\beta = h(CID_i \| X \| \alpha \| SID_j \| R_j \| Y \| Y^*)$. It is easy to know $h(CID_i \| X \| \alpha \| SID_j \| R_j \| Y \| Y^*)$ to obtain authentication, but he/she cannot finish the task since they do not know $R_j$ and $h()$ is a secure hash function. The proposed scheme could therefore resist a server spoofing attack.
• Offline password guessing attack: If the adversary steals the user's smart card and extracts information $h(.)$, $Z_i$ using a side-channel attack, the adversary might be able to guess the password $pw_u$. The accuracy of the value, however, is secured by a secure hash function and is not plaintext. In addition, by comparing the RC with the one in the database, it checks the password and identification. The proposed scheme is, therefore, immune to an offline attack.
• Replay attack: Suppose that an intruder intercepts the message $\{CID_i, X, \alpha\}$ and attempts to replay $U_i$ by replaying it with $S_j$. They could detect the attack by checking the validity of $\lambda = h(SID_j \| id_u \| X \| Y \| SK \| \phi)$. Using a similar approach, it might be shown that $U_i$ finds a replay attack by testing the validity of $\phi = h(id_u \| X \| X^* \| SID_j \| NID_j \| Y \| R_i)$. The proposed scheme could therefore withstand a replay attack.
• Modification attack: In the authentication phase, the authentication message $\{CID_i, X, \alpha\}$ is sent as a hash value and contains a unique random number. Therefore, the server then calculates $Y = yP$, $Y^* = yP_{pub}$, $\beta = h(CID_i \| X \| \alpha \| SID_j \| R_j \| Y \| Y^*)$, and $CSID_j = SID_j \oplus h(Y^*)$ to check if there was any modification carried out. If the message is modified, the server will detect it and the rest of the values will not be decrypted. Likewise, when the server $S_j$ sends the message $\{CID_i, X, \alpha, CSID_j, Y, \beta\}$ to the RC, it will verify the message by computing $\beta$ and $h(CID_i \| X \| \alpha \| SID_j \| R_j \| Y \| Y^*)$; if the message is not valid, the RC will end the session. Therefore, the proposed scheme withstands a modification attack.
• Stolen smart card attack: Let us assume that the adversary can extract the information $h(.)$, $Z_i$ after it is stolen by a side-channel attack. The RC will recalculate the message $\{id_u, h(pw_u \| r_i)\}$ that it received and verify it with the stored one. In this case, the attacker cannot obtain the correctness of the value due to the hash function that hides the username and password in the hash value. Therefore, the proposed scheme achieves resistance against a stolen smart card attack.

Functionality Analysis
This section compares our protocol's functionality and performance with the latest protocols, namely the schemes of He et al. [12], Wu et al. [14], and Sammoud et al. [35]. The schemes are compared by measuring the total communication costs and the computational costs for resource use by the sensor node.

Computation Cost
We define some notations as follows to test the performance of various protocols: $T_h$, the hash function execution time; $T_m$, the multiplication execution time; and $T_{he}$, the fuzzy extractor execution time. The cost of a bitwise exclusive-or operation may be neglected compared to the costs of the elliptic curve multiplication operation and the hash function. Therefore, only the costs of the elliptic curve multiplication operation and the hash function are considered in the calculation costs. The proposed scheme's simulation was carried out on an Intel Core™ i7-5700HQ CPU 2.70 GHz platform using the Java Pairing-Based Cryptography (JPBC) library. Table 4 compares the cost of authentication proposed with the new multi-server authentication schemes [12]. In Wu et al. [14], the user needs to apply $4T_h$ on the user side and $10T_h + 3T_E$ on the server side, and the computation cost in the registration centre is $7T_h + 2T_E$. On the sensor node side, the sensor applies $6T_h + 2T_E$; therefore, the total communication cost is 0.0622 ms. Likewise, Sammoud et al. [35] needs to apply $6T_h + 2T_E + 1T_{fe}$ on the user side. On the central authority, there is a need to apply $11T_h + 3T_E$ of the hash operation and encryption operations. On the sensor node, the sensor needs to apply $6T_h + 1T_E$. In the registration phase of the scheme of He et al. [12], $16T_h$ of the hash function and $5T_m$ of the multiplication operation are used. In the login and authentication phase, there is a need to apply the $19T_h$ hash function and the $6T_m$ multiplication operation. The proposed scheme needs a $6T_h$ hash function operation in the server, sensor node, and user side separately in the registration phase. While the computation cost in the login and authentication phase is $21T_h$ of the hash function in all entities except the server including two-time scalar multiplications of the ECC, our proposed scheme has fewer computation costs than the scheme of He et al.
The wireless medical sensor network is a resource-constrained device, and the authentication scheme must have less computation cost, memory, and resource consumption.

Communication Cost
For comparison, we considered the length of the random number, password, identity, and timestamp being 64 bits each. The message digest of the hash function (SHA-1) takes 160 bits, and the symmetric key en/decryption (AES-256) produces 256 bits. To evaluate the communication cost of the proposed scheme, we found that Wu et al. [14] has three messages exchanged in the entire authentication phase: $m_1 = C_{ig}, CID_i, C_1$, $m_2 = C_5, C_6, C_7$, and $m_3 = C_5, C_7, C_8, C_9, C_{10}$. Therefore, the total communication cost in Wu et al. [14] is 1632 bits. In Sammoud et al. [35], the scheme exchanges the messages $M_4 = N_i h(K_{sn})$, $M_5 = h(ID_i \| N_i \| T_3 \| ID_g)$, and $M_6 = E_{h(K_{sn} \| N_i)}(ID_g \| ID_i \| M_i \| M_5 \| T_3)$ in the login and authentication phase. Therefore, the total communication cost of Sammoud et al. is 1056 bits. In He et al. [12], the server sends the identity $SID_j$ and receives the message $(k_j, s_j)$ while, in the user registration phase, the user sends the message pair $(ID_i, H(pw_i \| \alpha_i))$ and receives the message $(z_i, s_i)$. The user also receives the parameters $z_i$ and $s_i$, which adds an extra cost to the scheme. Therefore, the total communication cost in He et al. [12] is 980 bits. In our scheme, the user sends the message $\{CID_i, X, \alpha\}$ and receives the message $\{SID_j, \lambda\}$ from the server while the server sends the message $\{CID_i, X, \alpha, CSID_j, Y, \beta\}$ to RC and receives $\{TSID_j, Y, \phi, \eta\}$ from the sensor node. The registration centre sends $\{TID_i, \varphi, TSID_j, \phi\}$ to the sensor node and receives $\{CID_i, X, \alpha, CSID_j, Y, \beta\}$ from the server. Therefore, the length of the exchanged messages is 800 bits. Table 4 shows that the proposed scheme achieved less communication and computation costs compared to the selected works.
Note: E1, computation cost at the central authority in the server registration phase; E2, computation cost at the sensor node side in the registration phase; E3, computation cost at the central authority in the sensor registration phase; E4, computation cost at the user side in the registration phase; E5, computation cost at the central authority in the user registration phase; E6, computation cost at the user side in the login and authentication phase; E7, computation cost at the server side in the login and authentication phase; E8, computation cost at the central authority side in the login and authentication phase; and E9, computation cost at the sensor node side in the login and authentication phase.

Conclusions
This paper proposed a secure multi-server authentication scheme based on smart cards using wireless medical sensor networks (Cross-SN). The scheme is mainly based on elliptic curve cryptography. It shows that the proposed scheme will meet security standards and characteristics. The proposed scheme provides secure online communication between end-users and medical sensors. It withstands specific passive and active attacks such as impersonation attacks, server spoofing attacks, replay attacks, and man-in-the-middle attacks. It successfully provides backward/forward secrecy, mutual authentication, data integrity, and a multi-server environment. Moreover, the proposed scheme's mutual authentication is proved using the widely used formal analysis tool BAN logic to verify secure mutual authentication between the users and the medical sensors. The results show that the proposed scheme achieves better efficiency in communication and computation costs due to lightweight cryptographic operations. Consequently, the scheme is suitable for IoT environments that enhance healthcare applications using a wireless medical sensor network.