# A Secure and Anonymous Authentication Protocol Based on Three-Factor Wireless Medical Sensor Networks


## Abstract


## 1. Introduction

#### 1.1. Research Contributions, Motivations, and Methodology

#### 1.2. Organization of the Paper

## 2. Related Works

## 3. Preliminaries

#### 3.1. System Model of Our Protocol

**User (Medical Professional)**: The user obtains the patient's sensor node information by requesting communication through the gateway. To this end, users register their information with the gateway and agree on a session key with the sensor node. Afterwards, only registered users can request communication through the gateway and use secure services protected by the session key.

**Sensor node (patient)**: The sensor node that the patient is equipped with collects various health information of the patient (e.g., body temperature, blood pressure, pulse, and ECG). The patient's sensor nodes transmit the collected information to the user under the session key. Through this, the user can identify and diagnose the patient's condition. Sensor nodes are resource-limited devices.

**Gateway node**: A gateway is a trusted entity that performs the registration and authentication processes and regulates the authentication of users and sensor nodes. All users and sensor nodes must be registered with the gateway to acquire session keys and to communicate.

**Access point**: The access point is the wireless connection between the patient's sensor node and the gateway and between the user and the gateway. The communication between each access point and each entity is considered securely authenticated.

#### 3.2. Physical Unclonable Function

- A PUF cannot be cloned, so no other sensor or device can be manufactured to reproduce the same PUF behavior [32].
- If an attacker tampers with the sensor or device on which the PUF is mounted, the behavior of the PUF changes and the PUF is destroyed [33].
- In practical circuit manufacturing, the mapping from input to output differs between circuits and is fixed and unpredictable [34].

#### 3.3. Fuzzy Extraction

#### 3.4. Adversary Model

- According to the DY model, an attacker has full control over the open wireless channels and can learn every message exchanged on them. The attacker can then modify, remove, or insert messages.
- Attackers can guess a user’s identity and password pairs in polynomial time.

## 4. Review of Yuanbing et al.’s Protocol

#### 4.1. Pre-Deployment Phase

#### 4.2. Sensor Node Registration Phase

**Step 1:** $SN_j$ chooses a random nonce $r_j$ and calculates $MP_j = h(X_{GWN-SN_j} \| r_j \| SID_j \| T_1)$ and $MN_j = r_j \oplus X_{GWN-SN_j}$. After that, $SN_j$ transmits $\{SID_j, MN_j, MP_j, T_1\}$ to the gateway.

**Step 2:** $GWN$ checks the timestamp. If the condition holds, $GWN$ calculates $r_j' = MN_j \oplus X_{GWN-SN_j}$. Then, $GWN$ computes $MP_j' = h(X_{GWN-SN_j} \| r_j' \| SID_j \| T_1)$ and checks whether $MP_j = MP_j'$. If they are equal, $GWN$ computes $x_j = h(SID_j \| X_{GWN})$, $e_j = x_j \oplus X_{GWN-SN_j}$, $d_j = h(X_{GWN} \| 1) \oplus h(X_{GWN-SN_j} \| T_2)$, and $f_j = h(x_j \| d_j \| X_{GWN-SN_j} \| T_2)$. Then, $GWN$ sends $\{d_j, f_j, e_j, T_2\}$ to $SN_j$.

**Step 3:** $SN_j$ checks the timestamp. If the condition holds, $SN_j$ calculates $x_j = e_j \oplus X_{GWN-SN_j}$ and checks whether $f_j = h(x_j \| d_j \| X_{GWN-SN_j} \| T_2)$. If it holds, $SN_j$ computes $h(X_{GWN} \| 1) = d_j \oplus h(X_{GWN-SN_j} \| T_2)$ and stores $\{x_j, h(X_{GWN} \| 1)\}$ in its memory. Then, $SN_j$ deletes $X_{GWN-SN_j}$ and sends a response message to $GWN$.

**Step 4:** Upon receiving the response message, $GWN$ removes $\{SID_j, X_{GWN-SN_j}\}$.

#### 4.3. User Registration Phase

**Step 1:** The user $U_i$ selects their $ID_i$, $PW_i$, and $r_i$. Then, $U_i$ calculates $MID_i = h(r_i \| ID_i)$, $MP_i = h(r_i \| PW_i)$, and $RSP_i = h(ID_i \| MP_i)$. After that, $U_i$ sends $\{RSP_i, MID_i\}$ to $GWN$.

**Step 2:** $GWN$ calculates $e_i = h(RSP_i \| MID_i)$, $d_i = h(MID_i \| X_{GWN})$, $g_i = h(X_{GWN}) \oplus h(RSP_i \| d_i)$, and $f_i = d_i \oplus h(RSP_i \| e_i)$. Then, $GWN$ stores $\{e_i, f_i, g_i\}$ in $SC$ and issues it to $U_i$.

**Step 3:** $U_i$ computes $r_i^* = h(ID_i \| PW_i) \oplus r_i$ and stores $r_i^*$ in $SC$.

#### 4.4. Login and Authentication Phase

**Step 1:** The user $U_i$ inserts $SC$ and inputs $ID_i$ and $PW_i$. $SC$ computes $r_i' = r_i^* \oplus h(ID_i \| PW_i)$, $MID_i' = h(r_i' \| ID_i)$, $MP_i' = h(r_i' \| PW_i)$, and $RSP_i' = h(ID_i \| MP_i')$. Then, $U_i$ checks whether $e_i \stackrel{?}{=} h(RSP_i' \| MID_i')$. If it holds, $SC$ generates random nonces $a$ and $c$, and computes $d_i = f_i \oplus h(RSP_i' \| e_i)$ and $h(X_{GWN}) = g_i \oplus h(RSP_i' \| d_i)$. $SC$ also calculates $R_1 = aP$, $MID_1 = h(c \| ID_i)$, $x_i = h(MID_1 \| h(X_{GWN}))$, $M_1 = MID_1 \oplus h(h(X_{GWN}) \| T_1)$, and $M_2 = h(M_1 \| x_i \| R_1 \| T_1)$. Then, $U_i$ sends $\{M_1, M_2, R_1, T_1\}$ to $SN_j$ through an open channel.

**Step 2:** $SN_j$ checks $|T_1 - T_c| < \Delta T$. If this condition holds, $SN_j$ generates a timestamp $T_2$ and a random nonce $b$. $SN_j$ computes $ESID_j = SID_j \oplus h(h(X_{GWN} \| 1) \| T_2)$, $R_2 = bP$, $R_3 = bR_1$, and $M_3 = h(SID_j \| x_j \| R_2 \| T_1 \| T_2)$. After that, $SN_j$ transmits $\{M_1, M_2, M_3, T_1, T_2, ESID_j, R_1, R_2\}$ to $GWN$ through an open channel.

**Step 3:** After receiving the message, $GWN$ checks $|T_2 - T_c| < \Delta T$. If this condition holds, $GWN$ computes $SID_j' = ESID_j \oplus h(h(X_{GWN} \| 1) \| T_2)$ and $x_j' = h(SID_j' \| X_{GWN})$. Then, $GWN$ checks $M_3 \stackrel{?}{=} h(SID_j' \| x_j' \| R_2 \| T_1 \| T_2)$. If it holds, $GWN$ computes $MID_1' = M_1 \oplus h(h(X_{GWN}) \| T_1)$ and $x_i' = h(MID_1' \| h(X_{GWN}))$. $GWN$ checks $M_2 \stackrel{?}{=} h(M_1 \| x_i' \| R_1 \| T_1)$. If it is correct, $GWN$ computes $M_4 = h(x_i' \| R_2 \| T_3)$, $M_5 = h(x_j' \| R_1 \| T_3)$, and $M_6 = MID_1' \oplus h(x_j' \| T_3)$. Then, $GWN$ sends $\{M_4, M_5, M_6, R_1, T_3\}$ to $SN_j$.

**Step 4:** Upon receiving the message, $SN_j$ checks $|T_3 - T_c| < \Delta T$. If this condition holds, $SN_j$ checks $M_5 \stackrel{?}{=} h(x_j \| R_1 \| T_3)$. If these values are the same, $SN_j$ computes $MID_1' = M_6 \oplus h(x_j \| T_3)$, $SK = h(MID_1' \| SID_j \| R_3 \| T_3 \| T_4)$, and $M_7 = h(SK \| M_4 \| T_3 \| T_4)$. Finally, $SN_j$ sends $\{M_4, M_7, R_2, T_3, T_4\}$ to $U_i$.

**Step 5:** Upon receiving the message, $U_i$ checks $|T_4 - T_c| < \Delta T$. If this condition holds, $U_i$ computes $M_4 = h(x_i \| R_2 \| T_3)$, $R_4 = aR_2$, and $SK = h(MID_1 \| SID_j \| R_4 \| T_3 \| T_4)$. After that, $U_i$ checks $M_7 \stackrel{?}{=} h(SK \| M_4 \| T_3 \| T_4)$. If it holds, $U_i$ and $SN_j$ share the same $SK$.

## 5. Security Analysis of Yuanbing et al.’s Protocol

#### 5.1. Off-Line Guessing Attacks

**Step 1:** $ATT$ can obtain the stored values $\{e_i, f_i, g_i, r_i^*\}$ from the smart card through power analysis attacks, and $ATT$ selects a guessed ID/password pair $ID_{att}/PW_{att}$.

**Step 2:** $ATT$ computes $r_{att}' = r_i^* \oplus h(ID_{att} \| PW_{att})$, $MID_{att}' = h(r_{att}' \| ID_{att})$, $MP_{att}' = h(r_{att}' \| PW_{att})$, and $RSP_{att}' = h(ID_{att} \| MP_{att}')$. Then, $ATT$ checks whether $e_i \stackrel{?}{=} h(RSP_{att}' \| MID_{att}')$.

**Step 3:** If these values match, $ATT$ has successfully guessed the legitimate user's ID and password pair. If they do not match, $ATT$ repeats Steps 1 and 2 with another guess for $ID_i/PW_i$.

#### 5.2. Impersonation Attacks

**Step 1:** If $ATT$ succeeds in guessing the ID/password pair of $U_i$, then $ATT$ can compute a valid $RSP_i$. Then, $ATT$ can calculate $d_i = f_i \oplus h(RSP_i \| e_i)$ using the values $e_i$ and $f_i$ stored in $U_i$'s smart card. $ATT$ can also compute $h(X_{GWN}) = g_i \oplus h(RSP_i \| d_i)$ using $g_i$ stored in the smart card.

**Step 2:** After that, $ATT$ chooses random nonces $a_{att}$ and $c_{att}$ and a timestamp $T_{att}$. Subsequently, $ATT$ can compute $R_{1att} = a_{att}P$, $MID_{1att} = h(c_{att} \| ID_i)$, $x_i = h(MID_{1att} \| h(X_{GWN}))$, $M_{1att} = MID_{1att} \oplus h(h(X_{GWN}) \| T_{att})$, and $M_{2att} = h(M_{1att} \| x_i \| R_{1att} \| T_{att})$. Thus, $ATT$ can construct a valid login request message $\{M_{1att}, M_{2att}, R_{1att}, T_{att}\}$. Therefore, $ATT$ can conduct a successful impersonation attack.

#### 5.3. Sensor Node Impersonation Attacks

**Step 1:** $ATT$ can acquire the values $\{SID_j, x_j, h(X_{GWN} \| 1)\}$ stored in $SN_j$ through a sensor node capture attack. Then, $ATT$ chooses a random nonce $b_{att}$ and a timestamp $T_{att}$. Subsequently, $ATT$ calculates $ESID_{att} = SID_j \oplus h(h(X_{GWN} \| 1) \| T_{att})$.

**Step 2:** $ATT$ obtains the values $\{M_1, M_2, R_1, T_1\}$ from the message sent over the insecure channel. $ATT$ then computes $R_{2att} = b_{att}P$, $R_{3att} = b_{att}R_1$, and $M_{3att} = h(SID_j \| x_j \| R_{2att} \| T_1 \| T_{att})$. Then, $ATT$ sends the message $\{M_1, M_2, M_{3att}, T_1, T_{att}, ESID_{att}, R_1, R_{2att}\}$ to $GWN$. Thus, $ATT$ can impersonate the sensor node.

#### 5.4. MITM Attacks

**Step 1:** When $ATT$ receives the message $\{M_4, M_5, M_6, R_1, T_3\}$, $ATT$ computes $MID_1' = M_6 \oplus h(x_j \| T_3)$ using $x_j$ obtained through the sensor node capture attack.

**Step 2:** Then, $ATT$ can compute the fake session key $SK_{att} = h(MID_1' \| SID_j \| R_{3att} \| T_3 \| T_4)$. $ATT$ also computes $M_{7att} = h(SK_{att} \| M_4 \| T_3 \| T_4)$. Finally, $ATT$ sends the message $\{M_4, M_{7att}, R_2, T_3, T_4\}$ to $U_i$.

#### 5.5. Fail to Ensure Anonymity and Mutual Authentication

## 6. Proposed Protocol

#### 6.1. User Registration Phase

**Step URP1:** User $U_i$ chooses identity $ID_i$ and password $PW_i$, and imprints their biometrics $BIO_i$. $U_i$ generates a random nonce $RN_u$. Then, $U_i$ computes $Gen(BIO_i) = \langle UR_i, UP_i \rangle$, $HID_i = h(UR_i \| ID_i)$, $HPW_i = h(RN_u \| UR_i \| ID_i \| PW_i)$, and $RSP_i = h(ID_i \| HPW_i)$. Subsequently, $U_i$ sends $\{HID_i, RSP_i, HPW_i\}$ to $GWN$ through a secure channel.

**Step URP2:** Upon receiving the message $\{HID_i, RSP_i, HPW_i\}$, $GWN$ checks whether $HID_i$ is already in its database. If not, $GWN$ creates a random nonce $RN_{gw}$ and calculates $\alpha_i = h(HID_i \| X_{GWN} \| RN_{gw})$, $\beta_i = \alpha_i \oplus HPW_i$, and $\gamma_i = h(HID_i \| RSP_i \| \alpha_i)$. Subsequently, $GWN$ saves $\{HID_i, RN_{gw}\}$ in its database and stores $\{\beta_i, \gamma_i\}$ in $SC$. Then, $GWN$ issues $SC$ to $U_i$ via a closed channel.

**Step URP3:** After receiving $SC$ from $GWN$, $U_i$ computes $L_i = h(UR_i \| PW_i) \oplus RN_u$ and stores $L_i$ and $UP_i$ in $SC$. Finally, $SC$ contains $\{\beta_i, \gamma_i, L_i, UP_i\}$.

#### 6.2. Sensor Node Registration Phase

**Step SRP1:** $SN_j$ chooses a challenge value $C_j$ and generates a random nonce $RN_{sn}$. Then, $SN_j$ computes the response value $R_j = PUF(C_j)$. Furthermore, $SN_j$ computes $Gen(R_j) = \langle SNR_j, SNP_j \rangle$, $Req_j = SID_j \oplus h(RN_{sn})$, and $HS_j = h(SID_j \| SNR_j)$. $SN_j$ sends $\{Req_j, RN_{sn}, C_j, HS_j\}$ to $GWN$ via a closed channel.

**Step SRP2:** When $GWN$ receives the message $\{Req_j, RN_{sn}, C_j, HS_j\}$, $GWN$ computes $SID_j = Req_j \oplus h(RN_{sn})$. $GWN$ creates a random secret key $y_{GWN}$ and calculates $PSID_j = h(SID_j \| RN_{sn})$ and $K_j = h(PSID_j \| X_{GWN} \| y_{GWN})$. $GWN$ stores $\{PSID_j, y_{GWN}, HS_j, C_j\}$ in its database and sends $\{PSID_j, K_j\}$ to $SN_j$.

**Step SRP3:** Upon receiving the message $\{PSID_j, K_j\}$, $SN_j$ stores $\{SID_j, PSID_j, K_j\}$ in its secure memory.

#### 6.3. Login and Authentication Phase

**Step AP1:** $U_i$ inserts $SC$ and inputs $ID_i$, $PW_i$, and $BIO_i$. $SC$ computes $Rep(BIO_i, UP_i) = UR_i$, $RN_u = L_i \oplus h(UR_i \| PW_i)$, $HID_i = h(UR_i \| ID_i)$, $HPW_i = h(RN_u \| UR_i \| ID_i \| PW_i)$, $\alpha_i = \beta_i \oplus HPW_i$, and $\gamma_i^* = h(HID_i \| h(ID_i \| HPW_i) \| \alpha_i)$. Then, $SC$ checks $\gamma_i^* \stackrel{?}{=} \gamma_i$. If it holds, $U_i$ generates a random nonce $N_u$ and a timestamp $T_1$. $U_i$ computes $M_1 = h(N_u \| \alpha_i) \oplus h(T_1 \| \alpha_i \| PSID_j)$ and $M_2 = h(HID_i \| h(N_u \| \alpha_i) \| PSID_j)$. $U_i$ picks a new pseudo-identity $HID_{inew} = h(UR_i \| ID_i \| N_u)$ and computes $M_3 = HID_{inew} \oplus h(h(N_u \| \alpha_i) \| T_1)$. Then, $U_i$ sends $\{HID_i, PSID_j, M_1, M_2, M_3, T_1\}$ to $GWN$ through an insecure channel.

**Step AP2:** Upon receiving the message $\{HID_i, PSID_j, M_1, M_2, M_3, T_1\}$, $GWN$ checks $|T_1 - T_c| < \Delta T$. If it holds, $GWN$ retrieves $RN_{gw}$ from its database and calculates $\alpha_i' = h(HID_i \| X_{GWN} \| RN_{gw})$, $h(N_u \| \alpha_i') = h(T_1 \| \alpha_i' \| PSID_j) \oplus M_1$, and $M_2^* = h(HID_i \| h(N_u \| \alpha_i') \| PSID_j)$. $GWN$ checks $M_2^* \stackrel{?}{=} M_2$. If it is not correct, $GWN$ terminates the session. Otherwise, $GWN$ calculates $HID_{inew} = M_3 \oplus h(h(N_u \| \alpha_i') \| T_1)$. Then, $GWN$ fetches $(C_j, y_{GWN}, HS_j)$ corresponding to $PSID_j$. $GWN$ generates a random nonce $N_g$ and a timestamp $T_2$. $GWN$ computes $K_j = h(PSID_j \| X_{GWN} \| y_{GWN})$, $M_4 = C_j \oplus h(PSID_j \| K_j)$, $M_5 = h(h(N_u \| \alpha_i) \| N_g) \oplus h(PSID_j \| HS_j \| K_j)$, and $M_6 = h(h(h(N_u \| \alpha_i) \| N_g) \| T_2 \| HS_j)$. After that, $GWN$ sends $\{M_4, M_5, M_6, T_2\}$ to $SN_j$ through an open channel.

**Step AP3:** After receiving the message $\{M_4, M_5, M_6, T_2\}$ from $GWN$, $SN_j$ checks $|T_2 - T_c| < \Delta T$. If it holds, $SN_j$ computes $C_j = M_4 \oplus h(PSID_j \| K_j)$, $R_j = PUF(C_j)$, $SNR_j = Rep(R_j, SNP_j)$, $HS_j = h(SID_j \| SNR_j)$, $h(h(N_u \| \alpha_i) \| N_g) = M_5 \oplus h(PSID_j \| HS_j \| K_j)$, and $M_6^* = h(h(h(N_u \| \alpha_i) \| N_g) \| T_2 \| HS_j)$. $SN_j$ checks $M_6^* \stackrel{?}{=} M_6$. If it holds, $SN_j$ generates a timestamp $T_3$ and calculates $SK = h(PSID_j \| h(h(N_u \| \alpha_i) \| N_g) \| K_j)$. $SN_j$ computes $M_7 = h(SK \| T_3 \| K_j \| HS_j)$ and sends $\{M_7, T_3\}$ to $GWN$.

**Step AP4:** When $GWN$ receives the message $\{M_7, T_3\}$, $GWN$ checks $|T_3 - T_c| < \Delta T$. If it holds, $GWN$ computes the session key $SK = h(PSID_j \| h(h(N_u \| \alpha_i) \| N_g) \| K_j)$ and $M_7^* = h(SK \| T_3 \| K_j \| HS_j)$. Then, $GWN$ checks $M_7^* \stackrel{?}{=} M_7$. If they are the same, $GWN$ computes $\alpha_{inew} = h(HID_{inew} \| X_{GWN} \| N_g)$, $M_8 = SK \oplus h(N_u \| \alpha_i)$, $M_9 = \alpha_{inew} \oplus h(HID_{inew} \| HID_i \| h(N_u \| \alpha_i))$, and $M_{10} = h(\alpha_{inew} \| SK \| HID_{inew})$. $GWN$ sends the message $\{M_8, M_9, M_{10}\}$ to $U_i$. If the session key agreement is successful, $GWN$ updates $\{HID_i, RN_{gw}\}$ to $\{HID_{inew}, N_g\}$. Otherwise, $GWN$ keeps $HID_i$.

**Step AP5:** When $U_i$ receives the message $\{M_8, M_9, M_{10}\}$, $U_i$ calculates $SK = M_8 \oplus h(N_u \| \alpha_i)$, $\alpha_{inew} = M_9 \oplus h(HID_{inew} \| HID_i \| h(N_u \| \alpha_i))$, and $M_{10}^* = h(\alpha_{inew} \| SK \| HID_{inew})$. $U_i$ checks $M_{10}^* \stackrel{?}{=} M_{10}$. If they are the same, $U_i$ computes $\beta_{inew} = \alpha_{inew} \oplus HPW_i$ and $\gamma_{inew} = h(HID_{inew} \| h(ID_i \| HPW_i) \| \alpha_{inew})$. Then, $U_i$ updates its stored values to $\beta_{inew}$, $\gamma_{inew}$, and $HID_{inew}$. Finally, $U_i$, $GWN$, and $SN_j$ agree on the same session key $SK$.
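The registration phases of Sections 6.1 and 6.2 and the login/authentication phase of Section 6.3, as an added Python walkthrough that is not part of the paper and not the authors' code. It instantiates $h$ as SHA-256, models the PUF as a secret-keyed hash and the fuzzy extractor $Gen/Rep$ as noise-free (all assumptions), and runs AP1 to AP5 twice so that the pseudonym update from $HID_i$ to $HID_{inew}$ in AP4/AP5 is exercised.

```python
import hashlib
import os
import time

def h(*parts: bytes) -> bytes: return hashlib.sha256(b"".join(parts)).digest()  # h(a || b || ...) as SHA-256 (assumption)

def xor(a: bytes, b: bytes) -> bytes:     # every XOR-ed value in this model is a 32-byte digest
    assert len(a) == len(b) == 32
    return bytes(x ^ y for x, y in zip(a, b))

def gen(w: bytes):                        # fuzzy-extractor Gen, noise-free model (assumption)
    p = os.urandom(32)                    # public helper data (UP_i / SNP_j)
    return h(w, p), p

def rep(w: bytes, p: bytes) -> bytes: return h(w, p)   # fuzzy-extractor Rep for the same model

def ts() -> bytes: return int(time.time()).to_bytes(8, "big")   # 8-byte timestamp

def fresh(T: bytes, delta: int = 5) -> bool: return abs(int(time.time()) - int.from_bytes(T, "big")) < delta  # |T - T_c| < dT

def check(ok: bool, msg: str) -> None:    # a failed verification aborts the session
    if not ok:
        raise ValueError(msg)

def new_gateway():                        # GWN state: X_GWN, HID_i -> RN_gw, PSID_j -> (y_GWN, HS_j, C_j)
    return {"X": os.urandom(32), "users": {}, "sensors": {}}

def enroll_user(gw, ID, PW, BIO):         # URP1-URP3, both sides; returns the smart card contents
    RNu, (UR, UP) = os.urandom(32), gen(BIO)                # U_i: Gen(BIO_i) = <UR_i, UP_i>
    HID, HPW = h(UR, ID), h(RNu, UR, ID, PW)
    RSP = h(ID, HPW)                                        # U_i -> GWN: {HID_i, RSP_i, HPW_i} over a secure channel
    check(HID not in gw["users"], "URP2: HID already registered")
    gw["users"][HID] = RNgw = os.urandom(32)                # GWN stores {HID_i, RN_gw}
    alpha = h(HID, gw["X"], RNgw)
    return {"beta": xor(alpha, HPW), "gamma": h(HID, RSP, alpha),   # GWN -> SC: {beta_i, gamma_i}
            "L": xor(h(UR, PW), RNu), "UP": UP}                     # URP3: U_i adds L_i and UP_i

def enroll_sensor(gw, SID, puf):          # SRP1-SRP3, both sides; returns the sensor's secure memory
    C, RNsn = os.urandom(32), os.urandom(32)
    SNR, SNP = gen(puf(C))                                  # Gen(PUF(C_j)) = <SNR_j, SNP_j>
    Req, HS = xor(SID, h(RNsn)), h(SID, SNR)                # SN_j -> GWN: {Req_j, RN_sn, C_j, HS_j}
    SID_g = xor(Req, h(RNsn))                               # GWN recovers SID_j
    y, PSID = os.urandom(32), h(SID_g, RNsn)
    gw["sensors"][PSID] = (y, HS, C)                        # GWN stores {PSID_j, y_GWN, HS_j, C_j}
    return {"SID": SID, "PSID": PSID, "K": h(PSID, gw["X"], y), "SNP": SNP}

def authenticate(gw, sc, ID, PW, BIO, sn, puf):   # one AP1-AP5 run; returns (SK_u, SK_gw, SK_sn)
    # AP1: U_i recovers its credentials from SC, checks gamma_i and builds the login request
    UR = rep(BIO, sc["UP"])
    HPW = h(xor(sc["L"], h(UR, PW)), UR, ID, PW)          # RN_u = L_i xor h(UR_i || PW_i)
    HID = sc.get("HID", h(UR, ID))                        # after a run the SC holds HID_inew (assumption)
    alpha = xor(sc["beta"], HPW)
    check(h(HID, h(ID, HPW), alpha) == sc["gamma"], "AP1: local verification failed")
    Nu, T1, PSID = os.urandom(32), ts(), sn["PSID"]
    hNa = h(Nu, alpha)                                    # h(N_u || alpha_i)
    M1, M2 = xor(hNa, h(T1, alpha, PSID)), h(HID, hNa, PSID)
    HIDnew = h(UR, ID, Nu)
    M3 = xor(HIDnew, h(hNa, T1))
    # AP2: GWN unmasks h(N_u || alpha_i), verifies M2 and prepares the sensor message
    check(fresh(T1), "AP2: stale T1")
    alpha_g = h(HID, gw["X"], gw["users"][HID])
    hNa_g = xor(M1, h(T1, alpha_g, PSID))
    check(h(HID, hNa_g, PSID) == M2, "AP2: M2 mismatch")
    HIDnew_g = xor(M3, h(hNa_g, T1))
    y, HS, C = gw["sensors"][PSID]
    Ng, T2, K = os.urandom(32), ts(), h(PSID, gw["X"], y)
    M4, M5 = xor(C, h(PSID, K)), xor(h(hNa_g, Ng), h(PSID, HS, K))
    M6 = h(h(hNa_g, Ng), T2, HS)
    # AP3: SN_j re-derives HS_j from its PUF response, verifies M6 and derives SK
    check(fresh(T2), "AP3: stale T2")
    HS_s = h(sn["SID"], rep(puf(xor(M4, h(sn["PSID"], sn["K"]))), sn["SNP"]))
    hNaNg = xor(M5, h(sn["PSID"], HS_s, sn["K"]))         # h(h(N_u || alpha_i) || N_g)
    check(h(hNaNg, T2, HS_s) == M6, "AP3: M6 mismatch")
    T3, SK_sn = ts(), h(sn["PSID"], hNaNg, sn["K"])
    M7 = h(SK_sn, T3, sn["K"], HS_s)
    # AP4: GWN verifies M7, then sends SK and the credentials for the new pseudonym
    check(fresh(T3), "AP4: stale T3")
    SK_gw = h(PSID, h(hNa_g, Ng), K)
    check(h(SK_gw, T3, K, HS) == M7, "AP4: M7 mismatch")
    alpha_new = h(HIDnew_g, gw["X"], Ng)
    M8, M9 = xor(SK_gw, hNa_g), xor(alpha_new, h(HIDnew_g, HID, hNa_g))
    M10 = h(alpha_new, SK_gw, HIDnew_g)
    gw["users"][HIDnew_g] = Ng                            # {HID_i, RN_gw} -> {HID_inew, N_g}
    del gw["users"][HID]
    # AP5: U_i recovers SK, checks M10 and installs (beta_inew, gamma_inew, HID_inew)
    SK_u = xor(M8, hNa)
    alpha_new_u = xor(M9, h(HIDnew, HID, hNa))
    check(h(alpha_new_u, SK_u, HIDnew) == M10, "AP5: M10 mismatch")
    sc.update(beta=xor(alpha_new_u, HPW), gamma=h(HIDnew, h(ID, HPW), alpha_new_u), HID=HIDnew)
    return SK_u, SK_gw, SK_sn

def demo(runs: int = 2):                  # enrol one user and one sensor (constructed inputs), then log in `runs` times
    gw, secret = new_gateway(), os.urandom(32)      # `secret` stands in for the sensor's manufacturing variation
    puf = lambda C: h(secret, C)                    # PUF modeled as a secret-keyed hash (assumption)
    ID, PW, BIO = b"doctor-17", b"correct horse", b"constructed-biometric-template"
    sc = enroll_user(gw, ID, PW, BIO)
    sn = enroll_sensor(gw, os.urandom(32), puf)
    return [authenticate(gw, sc, ID, PW, BIO, sn, puf) for _ in range(runs)]
```

Each party's computation is labelled with its step so it can be compared line by line with the text above; a failed check raises before any state is updated, so a rejected login leaves the smart card and the gateway database unchanged.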

#### 6.4. User’s Password and Biometrics Update Phase

**Step 1:** $U_i$ inserts their $SC$ and inputs $ID_i$, $PW_i$, and biometrics $BIO_i$. Then, $SC$ computes $Rep(BIO_i, UP_i) = UR_i$, $RN_u = L_i \oplus h(UR_i \| PW_i)$, $HID_i = h(UR_i \| ID_i)$, $HPW_i = h(RN_u \| UR_i \| ID_i \| PW_i)$, $\alpha_i = \beta_i \oplus HPW_i$, and $\gamma_i^* = h(HID_i \| h(ID_i \| HPW_i) \| \alpha_i)$. $SC$ checks $\gamma_i \stackrel{?}{=} \gamma_i^*$. If it holds, $SC$ asks $U_i$ to input new biometrics $BIO_{inew}$ and a new password $PW_{inew}$.

**Step 2:** $U_i$ inputs new biometrics $BIO_{inew}$ and a new password $PW_{inew}$. $SC$ then computes $Gen(BIO_{inew}) = \langle UR_{inew}, UP_{inew} \rangle$, $HPW_{inew} = h(RN_u \| UR_{inew} \| ID_i \| PW_{inew})$, $L_{inew} = h(UR_{inew} \| PW_{inew}) \oplus RN_u$, $RSP_{inew} = h(ID_i \| HPW_{inew})$, $\beta_{inew} = \alpha_i \oplus HPW_i \oplus HPW_{inew}$, and $\gamma_{inew} = h(HID_i \| RSP_{inew} \| \alpha_i)$. Then, $SC$ replaces $\beta_i, \gamma_i, L_i, UP_i$ with $\beta_{inew}, \gamma_{inew}, L_{inew}, UP_{inew}$.

## 7. Security Analysis

#### 7.1. ROR Model

- $Execute(\mathcal{P}_{U_i}^{t_1}, \mathcal{P}_{GWN}^{t_2}, \mathcal{P}_{SN_j}^{t_3})$: $\mathcal{A}$ can run this query to obtain the messages transmitted over public channels between $\mathcal{P}_{U_i}^{t_1}$, $\mathcal{P}_{GWN}^{t_2}$, and $\mathcal{P}_{SN_j}^{t_3}$.
- $CorruptSC(\mathcal{P}_{U_i}^{t_1})$: $CorruptSC$ indicates that the adversary can extract the secret data stored in the $SC$ of $\mathcal{P}_{U_i}^{t_1}$.
- $Reveal(\mathcal{P}^{t})$: $\mathcal{A}$ can reveal the current session key $SK$ between $\mathcal{P}_{U_i}^{t_1}$, $\mathcal{P}_{GWN}^{t_2}$, and $\mathcal{P}_{SN_j}^{t_3}$ by executing this query. $SK$ is safe if $\mathcal{A}$ fails to reveal $SK$ using this query.
- $Send(\mathcal{P}^{t}, M)$: Using the $Send$ query, an adversary can send a message to a participant and receive the response message.
- $Test(\mathcal{P}^{t})$: An unbiased coin $uc$ is flipped to start the game, and the result is known only to $\mathcal{A}$. $\mathcal{A}$ uses this result to determine the $Test$. When $\mathcal{A}$ runs the $Test$ query, $\mathcal{P}^{t}$ returns $SK$ for $uc = 1$ or a random number for $uc = 0$. Otherwise, it returns null ($\perp$).

#### Security Proof

**Theorem 1.**

**Proof.**

- $GM_0$: $\mathcal{A}$ executes a real attack on our protocol. $\mathcal{A}$ chooses a random bit $uc$ at the beginning of $GM_0$. The advantage of $\mathcal{A}$ in this game is

  $$Adv_{\mathcal{A}}^{our} = \left|2\Pr\left[Succ_{\mathcal{A},GM_0}\right] - 1\right|$$

- $GM_1$: $\mathcal{A}$ executes the $Execute(\mathcal{P}_{U_i}^{t_1}, \mathcal{P}_{GWN}^{t_2}, \mathcal{P}_{SN_j}^{t_3})$ query and eavesdrops on the messages $\langle HID_i, PSID_j, M_1, M_2, M_3, T_1 \rangle$, $\langle M_4, M_5, M_6, T_2 \rangle$, $\langle M_7, T_3 \rangle$, and $\langle M_8, M_9, M_{10} \rangle$. After that, $\mathcal{A}$ performs $Reveal$ and $Test$ queries to verify whether the derived $SK$ is real. In the proposed protocol, $SK = h(PSID_j \| h(h(N_u \| \alpha_i) \| N_g) \| K_j)$ is made up of long-term and short-term secrets. To derive $SK$, $\mathcal{A}$ needs to know the identities and random nonces of $U_i$, $GWN$, and $SN_j$. As a result, $\mathcal{A}$ cannot increase its winning probability in $GM_1$. Therefore, $GM_0$ and $GM_1$ are indistinguishable:

  $$\Pr\left[Succ_{\mathcal{A},GM_1}\right] = \Pr\left[Succ_{\mathcal{A},GM_0}\right]$$

- $GM_2$: In this game, $\mathcal{A}$ executes $Hash$ and $Send$ queries to obtain the session key. $\mathcal{A}$ attempts to attack by modifying the exchanged messages. However, all messages are masked with the one-way hash function $h(\cdot)$, random nonces, and secret credentials. $\mathcal{A}$ cannot derive any information because inverting $h(\cdot)$ is computationally infeasible. Hence, using the birthday paradox, we obtain

  $$\left|\Pr\left[Succ_{\mathcal{A},GM_2}\right] - \Pr\left[Succ_{\mathcal{A},GM_1}\right]\right| \le \frac{q_{hash}^2}{2\left|Hash\right|}$$

- $GM_3$: This game proceeds analogously to $GM_2$. $\mathcal{A}$ executes $Send$ and $PUF$ queries. However, the probability obtained by the $PUF$ query is similar to that of the $Hash$ query, since the physical function $PUF(\cdot)$ has the security properties mentioned in Section 3.2. Therefore, we obtain

  $$\left|\Pr\left[Succ_{\mathcal{A},GM_3}\right] - \Pr\left[Succ_{\mathcal{A},GM_2}\right]\right| \le \frac{q_{puf}^2}{2\left|PUF\right|}$$

- $GM_4$: In the final game $GM_4$, $\mathcal{A}$ tries to get $SK$ with the $CorruptSC$ query. With the $CorruptSC$ query, $\mathcal{A}$ can extract the sensitive values $\{\beta_i, \gamma_i, L_i, UP_i\}$ stored in the smart card of $U_i$, where $\beta_i = \alpha_i \oplus HPW_i$, $\gamma_i = h(HID_i \| RSP_i \| \alpha_i)$, and $L_i = h(UR_i \| PW_i) \oplus RN_u$. To compute $SK = h(PSID_j \| h(h(N_u \| \alpha_i) \| N_g) \| K_j)$, $\mathcal{A}$ would have to guess these parameters from the extracted values, since $\mathcal{A}$ has no knowledge of the identity $ID_i$, password $PW_i$, and biometrics $BIO_i$. However, it is computationally infeasible for $\mathcal{A}$ to guess $ID_i$, $PW_i$, and $BIO_i$ simultaneously. In conclusion, $GM_3$ and $GM_4$ are indistinguishable. Using Zipf's law, we derive

  $$\left|\Pr\left[Succ_{\mathcal{A},GM_4}\right] - \Pr\left[Succ_{\mathcal{A},GM_3}\right]\right| \le \max\left\{C \cdot q_{send}^{s},\ \frac{q_{send}}{2^{l_D}}\right\}$$
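The game bounds above chain into a single bound on the adversary's advantage by the triangle inequality; the following derivation is added here, in the proof's own symbols, and is not part of the original text. It uses the standard final step that in $GM_4$ the adversary has no information about $uc$, so $\Pr[Succ_{\mathcal{A},GM_4}] = 1/2$:

$$
\begin{aligned}
Adv_{\mathcal{A}}^{our} &= \left|2\Pr\left[Succ_{\mathcal{A},GM_0}\right] - 1\right| = 2\left|\Pr\left[Succ_{\mathcal{A},GM_0}\right] - \Pr\left[Succ_{\mathcal{A},GM_4}\right]\right| \\
&\le 2\sum_{k=1}^{4}\left|\Pr\left[Succ_{\mathcal{A},GM_k}\right] - \Pr\left[Succ_{\mathcal{A},GM_{k-1}}\right]\right| \\
&\le \frac{q_{hash}^2}{\left|Hash\right|} + \frac{q_{puf}^2}{\left|PUF\right|} + 2\max\left\{C \cdot q_{send}^{s},\ \frac{q_{send}}{2^{l_D}}\right\}
\end{aligned}
$$

The $GM_0$ to $GM_1$ step contributes nothing, and the factor 2 cancels the $\frac{1}{2}$ in the birthday bounds of $GM_2$ and $GM_3$.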

#### 7.2. BAN Logic

#### 7.2.1. Rules

- Nonce verification rule ($NVR$):

  $$\frac{E|\equiv \#(T),\ E|\equiv K|\sim T}{E|\equiv K|\equiv T}$$

- Message meaning rule ($MMR$):

  $$\frac{E|\equiv E\stackrel{Skey}{\longleftrightarrow}K,\ E\triangleleft \{T\}_{Skey}}{E|\equiv K|\sim T}$$

- Jurisdiction rule ($JR$):

  $$\frac{E|\equiv K|\Rightarrow T,\ E|\equiv K|\equiv T}{E|\equiv T}$$

- Freshness rule ($FR$):

  $$\frac{E|\equiv \#(T)}{E|\equiv \#(T,S)}$$

- Belief rule ($BR$):

  $$\frac{E|\equiv (T,S)}{E|\equiv T}$$

#### 7.2.2. Goals for Mutual Authentication

- **Goal 1:** $U_i|\equiv (U_i\stackrel{SK}{\longleftrightarrow}GWN)$
- **Goal 2:** $U_i|\equiv GWN|\equiv (U_i\stackrel{SK}{\longleftrightarrow}GWN)$
- **Goal 3:** $GWN|\equiv (U_i\stackrel{SK}{\longleftrightarrow}GWN)$
- **Goal 4:** $GWN|\equiv U_i|\equiv (U_i\stackrel{SK}{\longleftrightarrow}GWN)$
- **Goal 5:** $SN_j|\equiv (SN_j\stackrel{SK}{\longleftrightarrow}GWN)$
- **Goal 6:** $SN_j|\equiv GWN|\equiv (SN_j\stackrel{SK}{\longleftrightarrow}GWN)$
- **Goal 7:** $GWN|\equiv (SN_j\stackrel{SK}{\longleftrightarrow}GWN)$
- **Goal 8:** $GWN|\equiv SN_j|\equiv (SN_j\stackrel{SK}{\longleftrightarrow}GWN)$

#### 7.2.3. Idealized Form of Exchanged Messages

- $M_1$: $U_i \to GWN: \{PSID_j, h(N_u \| \alpha_i)\}_{\alpha_i}$
- $M_2$: $GWN \to SN_j: \{h(h(N_u \| \alpha_i) \| h(N_g))\}_{K_j}$
- $M_3$: $SN_j \to GWN: \{SK, T_3\}_{K_j}$
- $M_4$: $GWN \to U_i: \{SK\}_{h(N_u \| \alpha_i)}$

#### 7.2.4. BAN Logic Initial State Assumptions

- $A_1$: $GWN|\equiv U_i\stackrel{\alpha_i}{\longleftrightarrow}GWN$
- $A_2$: $GWN|\equiv \#(N_u)$
- $A_3$: $SN_j|\equiv GWN\stackrel{K_j}{\longleftrightarrow}SN_j$
- $A_4$: $SN_j|\equiv \#(N_g)$
- $A_5$: $GWN|\equiv GWN\stackrel{K_j}{\longleftrightarrow}SN_j$
- $A_6$: $GWN|\equiv \#(T_3)$
- $A_7$: $U_i|\equiv U_i\stackrel{h(N_u \| \alpha_i)}{\longleftrightarrow}GWN$
- $A_8$: $U_i|\equiv \#(N_g)$
- $A_9$: $U_i|\equiv GWN|\Rightarrow (U_i\stackrel{SK}{\longleftrightarrow}GWN)$
- $A_{10}$: $GWN|\equiv U_i|\Rightarrow (U_i\stackrel{SK}{\longleftrightarrow}GWN)$
- $A_{11}$: $SN_j|\equiv GWN|\Rightarrow (SN_j\stackrel{SK}{\longleftrightarrow}GWN)$
- $A_{12}$: $GWN|\equiv SN_j|\Rightarrow (SN_j\stackrel{SK}{\longleftrightarrow}GWN)$

#### 7.2.5. Proof of Providing Mutual Authentication

**Step 1:**- ${S}_{1}$ is obtained from ${M}_{1}$.$${S}_{1}:GWN\u25c3\{PSI{D}_{j},h({N}_{u}\left|\right|{\alpha}_{i}{)\}}_{{\alpha}_{i}}$$
**Step 2:**- ${S}_{2}$ is obtained from the $MMR$ using ${S}_{1}$ and ${A}_{1}$.$${S}_{2}:GWN|\equiv {U}_{i}|\sim \{PSI{D}_{j},h({N}_{u}\left|\right|{\alpha}_{i}{)\}}_{{\alpha}_{i}}$$
**Step 3:**- ${S}_{3}$ can be gained from the $FR$ with ${S}_{2}$ and ${A}_{2}$.$${S}_{3}:GWN|\equiv \#(PSI{D}_{j},h({N}_{u}\left|\right|{\alpha}_{i}))$$
**Step 4:**- ${S}_{4}$ can be acquired by applying the $NVR$ with ${S}_{2}$ and ${S}_{3}$.$${S}_{4}:GWN|\equiv {U}_{i}|\equiv (PSI{D}_{j},h({N}_{u}\left|\right|{\alpha}_{i}))$$
**Step 5:**- ${S}_{5}$ is obtained from ${M}_{2}$.$${S}_{5}:S{N}_{j}\u25c3\{h(h({N}_{u}\left|\right|{\alpha}_{i})||h({N}_{g}){)\}}_{{K}_{j}}$$
**Step 6:**- ${S}_{6}$ is gained from $MMR$ using ${S}_{5}$ and ${A}_{3}$.$${S}_{6}:S{N}_{j}|\equiv GWN|\sim \{h(h({N}_{u}\left|\right|{\alpha}_{i})||h({N}_{g}){)\}}_{{K}_{j}}$$
**Step 7:**- ${S}_{7}$ can be obtained by applying $FR$ with ${S}_{6}$ and ${A}_{4}$.$${S}_{7}:S{N}_{j}|\equiv \#(h(h({N}_{u}\left|\right|{\alpha}_{i})||h({N}_{g})))$$
**Step 8:** $S_8$ can be obtained from $NVR$ with $S_6$ and $S_7$.
$$S_8: SN_j \mid\equiv GWN \mid\equiv \big(h(h(N_u \,\|\, \alpha_i) \,\|\, h(N_g))\big)$$

**Step 9:** From $M_3$, $S_9$ is obtained.
$$S_9: GWN \triangleleft \{SK, T_3\}_{K_j}$$

**Step 10:** $S_{10}$ is gained from $MMR$ with $S_9$ and $A_5$.
$$S_{10}: GWN \mid\equiv SN_j \mid\sim \{SK, T_3\}_{K_j}$$

**Step 11:** $S_{11}$ can be obtained by applying $FR$ with $S_{10}$ and $A_6$, since $SK = h(PSID_j \,\|\, h(h(N_u \,\|\, \alpha_i) \,\|\, N_g) \,\|\, K_j)$.
$$S_{11}: GWN \mid\equiv \#(SK, T_3)$$

**Step 12:** $S_{12}$ can be obtained from $NVR$ with $S_{10}$ and $S_{11}$.
$$S_{12}: GWN \mid\equiv SN_j \mid\equiv (SK, T_3)$$

**Step 13:** $S_{13}$ is obtained from $M_4$.
$$S_{13}: U_i \triangleleft \{SK\}_{h(N_u \,\|\, \alpha_i)}$$

**Step 14:** $S_{14}$ is obtained from $MMR$ with $S_{13}$ and $A_7$.
$$S_{14}: U_i \mid\equiv GWN \mid\sim \{SK\}_{h(N_u \,\|\, \alpha_i)}$$

**Step 15:** $S_{15}$ can be obtained from $FR$ with $S_{14}$ and $A_8$, since $SK = h(PSID_j \,\|\, h(h(N_u \,\|\, \alpha_i) \,\|\, N_g) \,\|\, K_j)$.
$$S_{15}: U_i \mid\equiv \#(SK)$$

**Step 16:** $S_{16}$ can be obtained by using $NVR$ on $S_{14}$ and $S_{15}$.
$$S_{16}: U_i \mid\equiv GWN \mid\equiv (SK)$$

**Step 17:** $S_{17}$ and $S_{18}$ can be obtained from $S_8$ and $S_{12}$, since $SK = h(PSID_j \,\|\, h(h(N_u \,\|\, \alpha_i) \,\|\, N_g) \,\|\, K_j)$.
$$S_{17}: SN_j \mid\equiv GWN \mid\equiv \big(SN_j \stackrel{SK}{\longleftrightarrow} GWN\big) \quad (\mathbf{Goal\ 6})$$
$$S_{18}: GWN \mid\equiv SN_j \mid\equiv \big(SN_j \stackrel{SK}{\longleftrightarrow} GWN\big) \quad (\mathbf{Goal\ 8})$$

**Step 18:** $S_{19}$ and $S_{20}$ can be obtained from $JR$ with $S_{17}$, $S_{18}$, $A_{11}$, and $A_{12}$.
$$S_{19}: SN_j \mid\equiv \big(SN_j \stackrel{SK}{\longleftrightarrow} GWN\big) \quad (\mathbf{Goal\ 5})$$
$$S_{20}: GWN \mid\equiv \big(SN_j \stackrel{SK}{\longleftrightarrow} GWN\big) \quad (\mathbf{Goal\ 7})$$

**Step 19:** $S_{21}$ and $S_{22}$ can be obtained from $S_4$ and $S_{16}$, since $SK = h(PSID_j \,\|\, h(h(N_u \,\|\, \alpha_i) \,\|\, N_g) \,\|\, K_j)$.
$$S_{21}: U_i \mid\equiv GWN \mid\equiv \big(U_i \stackrel{SK}{\longleftrightarrow} GWN\big) \quad (\mathbf{Goal\ 2})$$
$$S_{22}: GWN \mid\equiv U_i \mid\equiv \big(U_i \stackrel{SK}{\longleftrightarrow} GWN\big) \quad (\mathbf{Goal\ 4})$$

**Step 20:** $S_{23}$ and $S_{24}$ can be obtained by applying $JR$ to $S_{21}$, $S_{22}$, $A_9$, and $A_{10}$.
$$S_{23}: U_i \mid\equiv \big(U_i \stackrel{SK}{\longleftrightarrow} GWN\big) \quad (\mathbf{Goal\ 1})$$
$$S_{24}: GWN \mid\equiv \big(U_i \stackrel{SK}{\longleftrightarrow} GWN\big) \quad (\mathbf{Goal\ 3})$$
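The derivation above ends with $SN_j$, $GWN$ and $U_i$ all believing in $SK = h(PSID_j \,\|\, h(h(N_u \,\|\, \alpha_i) \,\|\, N_g) \,\|\, K_j)$, and the freshness beliefs $S_{11}$ and $S_{15}$ rest on $T_3$ and on $N_u$ being bound into $SK$. The script below is an added illustration, not code from the paper or from its authors: it computes $SK$ at the three parties, carries $M_3 = \{SK, T_3\}_{K_j}$ and $M_4 = \{SK\}_{h(N_u \| \alpha_i)}$ between them, and shows the gateway's timestamp check rejecting a replayed $M_3$ and its key comparison rejecting a sensor that used a wrong $N_g$. Everything the page leaves open is an assumption here: $h$ is SHA-256, $\|$ is byte concatenation, the masking $\{T\}_{Skey}$ is XOR with a hash-derived keystream, the freshness window `DELTA_T` is 2 s, and the five inputs $PSID_j, N_u, \alpha_i, N_g, K_j$ are generated at random because the messages that establish them lie outside this section.

```python
"""Added example: session-key agreement and freshness check modelled on the
BAN-logic steps above.  Not the paper's code; see the assumptions in the lead-in."""
import hashlib
import os

DELTA_T = 2  # assumed maximum transmission delay in seconds (not fixed by the page)
SK_LEN = 32  # SHA-256 output length


def h(*parts: bytes) -> bytes:
    """Collision-resistant one-way hash h(*) over a || b || ... (SHA-256 assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()


def mask(value: bytes, key: bytes) -> bytes:
    """{value}_key from the BAN notation table, modelled (assumption) as XOR with a
    keystream h(key || counter).  XOR is its own inverse, so unmask == mask."""
    pad = b""
    counter = 0
    while len(pad) < len(value):
        pad += h(key, counter.to_bytes(4, "big"))
        counter += 1
    return bytes(v ^ p for v, p in zip(value, pad))


unmask = mask


def session_key(psid_j: bytes, n_u: bytes, alpha_i: bytes, n_g: bytes, k_j: bytes) -> bytes:
    """SK = h(PSID_j || h(h(N_u || alpha_i) || N_g) || K_j), exactly as written in Step 11."""
    return h(psid_j, h(h(n_u, alpha_i), n_g), k_j)


def is_fresh(t_sent: int, t_now: int, delta: int = DELTA_T) -> bool:
    """Timestamp freshness (#T_3): accept only if the message arrived within delta seconds."""
    return abs(t_now - t_sent) <= delta


def run_key_agreement(t3: int, t_gwn_now: int, tamper_n_g: bool = False) -> dict:
    """Simulate M3 (SN_j -> GWN) and M4 (GWN -> U_i) once the parties hold the
    protocol inputs.  Inputs are random stand-ins (constructed for this example).
    Returns the key each party ends up with (None where a check fails) and why."""
    psid_j, n_u, alpha_i, n_g, k_j = (os.urandom(16) for _ in range(5))
    # A sensor that derived a wrong N_g (e.g. from a tampered earlier message)
    n_g_at_sensor = h(n_g) if tamper_n_g else n_g

    # SN_j derives SK and sends M3 = {SK, T3}_{K_j}; K_j is shared with GWN only.
    sk_sensor = session_key(psid_j, n_u, alpha_i, n_g_at_sensor, k_j)
    m3 = mask(sk_sensor + t3.to_bytes(8, "big"), k_j)

    # GWN unmasks M3 (S9/S10), checks #T3 (S11), then compares SK with its own value (S12).
    plain = unmask(m3, k_j)
    sk_recv, t3_recv = plain[:SK_LEN], int.from_bytes(plain[SK_LEN:], "big")
    if not is_fresh(t3_recv, t_gwn_now):
        return {"sensor": sk_sensor, "gateway": None, "user": None, "reason": "stale T3"}
    sk_gwn = session_key(psid_j, n_u, alpha_i, n_g, k_j)
    if sk_recv != sk_gwn:
        return {"sensor": sk_sensor, "gateway": None, "user": None, "reason": "SK mismatch"}

    # GWN sends M4 = {SK}_{h(N_u || alpha_i)} (S13); only U_i and GWN know h(N_u || alpha_i).
    m4 = mask(sk_gwn, h(n_u, alpha_i))
    sk_user = unmask(m4, h(n_u, alpha_i))
    return {"sensor": sk_sensor, "gateway": sk_gwn, "user": sk_user, "reason": "ok"}


if __name__ == "__main__":
    ok = run_key_agreement(t3=1000, t_gwn_now=1001)
    print("honest run:", ok["reason"], ok["sensor"] == ok["gateway"] == ok["user"])
    print("replayed M3:", run_key_agreement(t3=1000, t_gwn_now=1010)["reason"])
    print("wrong N_g at sensor:", run_key_agreement(t3=1000, t_gwn_now=1000, tamper_n_g=True)["reason"])
```

Two points the code makes explicit that the logic only states: the user never recomputes $SK$ (it lacks $K_j$), so its confidence that $SK$ is fresh comes entirely from $h(N_u \| \alpha_i)$ being both the mask key and an input to $SK$; and the gateway's replay defence is the $T_3$ window, so a sensor with a drifting clock either needs a wider `DELTA_T` or a nonce-based check in place of the timestamp.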

#### 7.3. AVISPA Simulation Analysis

#### 7.4. Informal Security Analysis

#### 7.4.1. Offline Guessing Attack

#### 7.4.2. Privacy Preserving and Anonymity

#### 7.4.3. Impersonation Attack

#### 7.4.4. Sensor Node Physical Capture Attack

#### 7.4.5. Replay and MITM Attack

#### 7.4.6. Desynchronization Attack

#### 7.4.7. Stolen Verifier Attack

#### 7.4.8. Perfect Forward Secrecy

#### 7.4.9. Session-Specific Random Number Leakage Attack

#### 7.4.10. Ephemeral Secret Leakage Attack

#### 7.4.11. Session Key Security and Mutual Authentication

## 8. Efficiency Analysis

#### 8.1. Functionality and Security Features Comparison

#### 8.2. Computation Costs Comparison

#### 8.3. Communication Costs Comparison

#### 8.4. Results of Comparative Analysis

## 9. Conclusions

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Conflicts of Interest

## Sample Availability

## Abbreviations

| Symbol | Meaning |
|---|---|
| $U_i$ | $i$-th user (medical professional) |
| $SN_j$ | $j$-th sensor node |
| $GWN$ | Gateway node |
| $PUF$ | Physical unclonable function |
| $C_j, R_j$ | Challenge/response pair |
| $ID_i$, $SID_j$ | Identity of $U_i$ and $SN_j$ |
| $PW_i$ | Password of $U_i$ |
| $BIO_i$ | Biometrics of $U_i$ |
| $Gen, Rep$ | Fuzzy extractor's generation and reproduction algorithms |
| $X_{GWN}$ | Secret key of $GWN$ |
| $RN_x$, $N_x$ | Random nonces |
| $T_x$ | Timestamps |
| $HID_i, PSID_j$ | Pseudo-identity of $U_i$ and $SN_j$ |
| $SK$ | Session key |
| $h(\ast)$ | Collision-resistant one-way hash function |
| $\oplus$ | Bitwise exclusive-or operator |

## References

1. Rashid, B.; Rehmani, M.H. Applications of wireless sensor networks for urban areas: A survey. J. Netw. Comput. Appl. 2016, 60, 192–219.
2. Pierce, F.J.; Elliott, T.V. Regional and on-farm wireless sensor networks for agricultural systems in Eastern Washington. Comput. Electron. Agric. 2008, 61, 32–43.
3. Ryu, J.; Oh, J.; Kwon, D.; Son, S.; Lee, J.; Park, Y.; Park, Y. Secure ECC-based three-factor mutual authentication protocol for telecare medical information system. IEEE Access 2022, 10, 11511–11526.
4. Bahache, A.N.; Chikouche, N.; Mezrag, F. Authentication schemes for healthcare applications using wireless medical sensor networks: A survey. SN Comput. Sci. 2022, 3, 382.
5. Zhang, L.; Zhang, Y.; Tang, S.; Luo, H. Privacy protection for e-health systems by means of dynamic authentication and three-factor key agreement. IEEE Trans. Ind. Electron. 2017, 65, 2795–2805.
6. He, D.; Kumar, N.; Chen, J.; Lee, C.-C.; Chilamkurti, N.; Yeo, S.-S. Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks. Multimed. Syst. 2015, 21, 49–60.
7. Wu, F.; Xu, L.; Kumari, S.; Li, X. An improved and anonymous two-factor authentication protocol for health-care applications with wireless medical sensor networks. Multimed. Syst. 2017, 23, 195–205.
8. Wang, C.; Xu, G.; Li, W. A secure and anonymous two-factor authentication protocol in multiserver environment. Secur. Commun. Netw. 2018, 2018, 1–15.
9. Yuanbing, W.; Wanrong, L.; Bin, L. An improved authentication protocol for smart healthcare system using wireless medical sensor network. IEEE Access 2021, 9, 105101–105117.
10. Maes, R. Physically unclonable functions: Properties. In Physically Unclonable Functions; Springer: Berlin/Heidelberg, Germany, 2013; pp. 49–80.
11. Abdalla, M.; Fouque, P.-A.; Pointcheval, D. Password-based authenticated key exchange in the three-party setting. In Lecture Notes in Computer Science, Proceedings of the 8th International Workshop on Theory and Practice in Public Key Cryptography (PKC'05), Les Diablerets, Switzerland, 23–26 January 2005; Springer: Berlin/Heidelberg, Germany, 2005; pp. 65–84.
12. Burrows, M.; Abadi, M.; Needham, R. A logic of authentication. ACM Trans. Comput. Syst. 1990, 8, 18–36.
13. AVISPA. Automated Validation of Internet Security Protocols and Applications. Available online: http://www.avispa-project.org/ (accessed on 21 September 2022).
14. Lamport, L. Password authentication with insecure communication. Commun. ACM 1981, 24, 770–772.
15. Kumar, P.; Lee, S.-G.; Lee, H.-J. E-SAP: Efficient-strong authentication protocol for healthcare applications using wireless medical sensor networks. Sensors 2012, 12, 1625–1647.
16. Li, X.; Niu, J.; Kumari, S.; Liao, J.; Liang, W.; Khan, M.K. A new authentication protocol for healthcare applications using wireless medical sensor networks with user anonymity. Secur. Commun. Netw. 2016, 9, 2643–2655.
17. Das, A.K.; Sutrala, A.K.; Odelu, V.; Goswami, A. A secure smartcard-based anonymous user authentication scheme for healthcare applications using wireless medical sensor networks. Wirel. Pers. Commun. 2017, 94, 1899–1933.
18. Amin, R.; Islam, S.H.; Biswas, G.P.; Khan, M.K.; Kumar, N. A robust and anonymous patient monitoring system using wireless medical sensor networks. Future Gener. Comput. Syst. 2018, 80, 483–495.
19. Jiang, Q.; Ma, J.; Yang, C.; Ma, X.; Shen, J.; Chaudhry, S.A. Efficient end-to-end authentication protocol for wearable health monitoring systems. Comput. Electr. Eng. 2017, 63, 182–195.
20. Jan, S.U.; Ali, S.; Abbasi, I.A.; Mosleh, M.A.; Alsanad, A.; Khattak, H. Secure patient authentication framework in the healthcare system using wireless medical sensor networks. J. Healthc. Eng. 2021, 2021, 9954089.
21. Fotouhi, M.; Bayat, M.; Das, A.K.; Far, H.A.N.; Pournaghi, S.M.; Doostari, M.A. A lightweight and secure two-factor authentication scheme for wireless body area networks in health-care IoT. Comput. Netw. 2020, 177, 107333.
22. Nashwan, S. An end-to-end authentication scheme for healthcare IoT systems using WMSN. Comput. Mater. Contin. 2018, 68, 607–642.
23. Masud, M.; Gaba, G.S.; Choudhary, K.; Hossain, M.S.; Alhamid, M.F.; Muhammad, G. Lightweight and anonymity-preserving user authentication scheme for IoT-based healthcare. IEEE Internet Things J. 2021, 9, 2649–2656.
24. Kwon, D.; Park, Y.; Park, Y. Provably secure three-factor-based mutual authentication scheme with PUF for wireless medical sensor networks. Sensors 2021, 21, 6039.
25. Ali, R.; Pal, A.K.; Kumari, S.; Sangaiah, A.K.; Li, X.; Wu, F. An enhanced three factor based authentication protocol using wireless medical sensor networks for healthcare monitoring. J. Ambient Intell. Humaniz. Comput. 2018, 1–22.
26. Shuai, M.; Liu, B.; Yu, N.; Xiong, L. Lightweight and secure three-factor authentication scheme for remote patient monitoring using on-body wireless networks. Secur. Commun. Netw. 2019, 2019, 8145087.
27. Mo, J.; Hu, Z.; Lin, Y. Cryptanalysis and security improvement of two authentication schemes for healthcare systems using wireless medical sensor networks. Secur. Commun. Netw. 2020, 2020, 5047379.
28. Li, X.; Peng, J.; Obaidat, M.S.; Wu, F.; Khan, M.K.; Chen, C. A secure three-factor user authentication protocol with forward secrecy for wireless medical sensor network systems. IEEE Syst. J. 2019, 14, 39–50.
29. Saleem, M.A.; Shamshad, S.; Ahmed, S.; Ghaffar, Z.; Mahmood, K. Security analysis on "A secure three-factor user authentication protocol with forward secrecy for wireless medical sensor network systems". IEEE Syst. J. 2021, 15, 5557–5559.
30. Gope, P.; Sikdar, B. Lightweight and privacy-preserving two-factor authentication scheme for IoT devices. IEEE Internet Things J. 2018, 6, 580–589.
31. Chen, C.M.; Li, X.; Liu, S.; Wu, M.E.; Kumari, S. Enhanced authentication protocol for the Internet of Things environment. Secur. Commun. Netw. 2022, 2022, 8543894.
32. Aman, M.N.; Chua, K.C.; Sikdar, B. Mutual authentication in IoT systems using physical unclonable functions. IEEE Internet Things J. 2017, 4, 1327–1340.
33. Frikken, K.B.; Blanton, M.; Atallah, M.J. Robust authentication using physically unclonable functions. In International Conference on Information Security; Springer: Berlin/Heidelberg, Germany, 2009; pp. 262–277.
34. Chatterjee, U.; Chakraborty, R.S.; Mukhopadhyay, D. A PUF-based secure communication protocol for IoT. ACM Trans. Embed. Comput. Syst. 2017, 16, 1–25.
35. Dodis, Y.; Reyzin, L.; Smith, A. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. In Lecture Notes in Computer Science, Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, 2–6 May 2004; Springer: Berlin/Heidelberg, Germany, 2004; pp. 523–540.
36. Dolev, D.; Yao, A. On the security of public key protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208.
37. Kocher, P.; Jaffe, J.; Jun, B. Differential power analysis. In Advances in Cryptology; Springer Science and Business Media: Berlin, Germany; New York, NY, USA, 1999; pp. 388–397.
38. Messerges, T.S.; Dabbish, E.A.; Sloan, R.H. Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 2002, 51, 541–552.
39. Lee, J.; Kim, G.; Das, A.K.; Park, Y. Secure and efficient honey list-based authentication protocol for vehicular ad hoc networks. IEEE Trans. Netw. Sci. Eng. 2021, 8, 2412–2425.
40. Son, S.; Lee, J.; Park, Y.; Park, Y.; Das, A.K. Design of blockchain-based lightweight V2I handover authentication protocol for VANET. IEEE Trans. Netw. Sci. Eng. 2022, 9, 1346–1358.
41. Canetti, R.; Krawczyk, H. Universally composable notions of key exchange and secure channels. In International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT'02); Springer: Amsterdam, The Netherlands, 2002; pp. 337–351.
42. Li, J.; Su, Z.; Guo, D.; Choo, K.K.R.; Ji, Y. PSL-MAAKA: Provably secure and lightweight mutual authentication and key agreement protocol for fully public channels in internet of medical things. IEEE Internet Things J. 2021, 8, 13183–13195.
43. Park, K.; Lee, J.; Das, A.K.; Park, Y. BPPS: Blockchain-enabled privacy-preserving scheme for demand-response management in smart grid environments. IEEE Trans. Dependable Secur. Comput. 2022.
44. Kim, M.; Lee, J.; Oh, J.; Park, K.; Park, Y.; Park, K. Blockchain based energy trading scheme for vehicle-to-vehicle using decentralized identifiers. Appl. Energy 2022, 322, 119445.
45. Yu, S.; Das, A.K.; Park, Y.; Lorenz, P. SLAP-IoD: Secure and lightweight authentication protocol using physical unclonable functions for Internet of Drones in smart city environments. IEEE Trans. Veh. Technol. 2022, 71, 10374–10388.
46. Cho, Y.; Oh, J.; Kwon, D.; Son, S.; Yu, S.; Park, Y.; Park, Y. A secure three-factor authentication protocol for e-governance system based on multiserver environments. IEEE Access 2022, 10, 74351–74365.
47. Oh, J.; Lee, J.; Kim, M.; Park, Y.; Park, K.; Noh, S. A secure data sharing based on key aggregate searchable encryption in fog-enabled IoT environment. IEEE Trans. Netw. Sci. Eng. 2022, 9, 4468–4481.
48. Kilinc, H.H.; Yanik, T. A survey of SIP authentication and key agreement schemes. IEEE Commun. Surv. Tutor. 2013, 16, 1005–1023.
49. Wu, F.; Xu, L.; Kumari, S.; Li, X. A new and secure authentication scheme for wireless sensor networks with formal proof. Peer-to-Peer Netw. Appl. 2017, 10, 16–30.
50. He, D.; Zeadally, S.; Xu, B.; Huang, X. An efficient identity-based conditional privacy-preserving authentication scheme for vehicular ad hoc networks. IEEE Trans. Inf. Forensics Secur. 2015, 10, 2681–2691.

| Notation | Description |
|---|---|
| $Skey$ | Secret key |
| $E \mid\equiv T$ | $E$ believes statement $T$ |
| $\#T$ | Statement $T$ is fresh |
| $E \triangleleft T$ | $E$ receives statement $T$ |
| $E \mid\sim T$ | $E$ once said $T$ |
| $E \Rightarrow T$ | $E$ controls statement $T$ |
| $\langle T \rangle_S$ | Statement $T$ is combined with secret statement $S$ |
| $\{T\}_{Skey}$ | Statement $T$ is masked by $Skey$ |
| $E \stackrel{Skey}{\longleftrightarrow} K$ | $E$ and $K$ share $Skey$ to communicate with each other |

| Security property | Our protocol | Yuanbing et al. [9] | Ali et al. [25] | Li et al. [28] | Masud et al. [23] |
|---|---|---|---|---|---|
| Replay attack | o | o | o | o | o |
| MITM attack | o | x | o | o | o |
| Guessing attack | o | x | o | o | x |
| Impersonation attack | o | x | o | x | x |
| Smart card stolen attack | o | x | o | o | - |
| Device or sensor capture attack | o | x | x | x | x |
| Desynchronization attack | o | - | x | - | - |
| Anonymity | o | x | o | x | x |
| Perfect forward secrecy | o | o | x | o | o |
| Using three factors | o | x | o | o | x |
| Using PUF | o | x | x | x | x |
| Secure mutual authentication | o | x | o | x | o |

| Protocol | User | Gateway/Server | Sensor node | Total cost |
|---|---|---|---|---|
| Ali et al. [25] | $10T_{hash} + 1T_{enc} + 1T_{dec} + 1T_{rg}$ | $13T_{hash} + 2T_{enc} + 1T_{dec}$ | $5T_{hash} + 1T_{dec}$ | $28T_{hash} + T_{rg} + 3T_{enc} + 3T_{dec}$ (83.44 ms) |
| Li et al. [28] | $8T_{hash} + 3T_{pm} + 1T_{rg}$ | $8T_{hash} + 1T_{pm} + 1T_{rg}$ | $5T_{hash} + 1T_{pm} + 1T_{rg}$ | $20T_{hash} + 6T_{pm} + 3T_{rg}$ (179.656 ms) |
| Masud et al. [23] | $3T_{hash} + 1T_{rg}$ | $4T_{hash} + 2T_{rg}$ | $2T_{hash} + 1T_{rg}$ | $9T_{hash} + 4T_{rg}$ (217.67 ms) |
| Yuanbing et al. [9] | $14T_{hash} + 2T_{pm} + 2T_{rg}$ | $10T_{hash}$ | $6T_{hash} + 2T_{pm} + 1T_{rg}$ | $30T_{hash} + 4T_{pm} + 3T_{rg}$ (177.504 ms) |
| Ours | $13T_{hash} + 1T_{rg} + 1T_{fuzzy}$ | $15T_{hash} + 1T_{rg}$ | $6T_{hash} + 1T_{puf} + 1T_{fuzzy}$ | $34T_{hash} + 2T_{rg} + 1T_{puf} + 2T_{fuzzy}$ (132.98 ms) |

Disclaimer/Publisher's Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Lee, J.; Oh, J.; Park, Y.
A Secure and Anonymous Authentication Protocol Based on Three-Factor Wireless Medical Sensor Networks. *Electronics* **2023**, *12*, 1368.
https://doi.org/10.3390/electronics12061368

**AMA Style**

Lee J, Oh J, Park Y.
A Secure and Anonymous Authentication Protocol Based on Three-Factor Wireless Medical Sensor Networks. *Electronics*. 2023; 12(6):1368.
https://doi.org/10.3390/electronics12061368

**Chicago/Turabian Style**

Lee, JoonYoung, Jihyeon Oh, and Youngho Park.
2023. "A Secure and Anonymous Authentication Protocol Based on Three-Factor Wireless Medical Sensor Networks" *Electronics* 12, no. 6: 1368.
https://doi.org/10.3390/electronics12061368