Next Article in Journal
Classification of Scientific Documents in the Kazakh Language Using Deep Neural Networks and a Fusion of Images and Text
Previous Article in Journal
White Blood Cell Classification Using Multi-Attention Data Augmentation and Regularization
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Design of Inter-BAN Authentication Protocols for WBAN in a Cloud-Assisted Environment

by
Abdullah M. Almuhaideb
1,* and
Huda A. Alghamdi
2
1
Department of Networks and Communications, College of Computer Science and Information Technology, Imam Abdulrahman Bin Faisal University, P.O. Box 1982, Dammam 31441, Saudi Arabia
2
Department of Computer Science, College of Computer Science and Information Technology, Imam Abdulrahman Bin Faisal University, P.O. Box 1982, Dammam 31441, Saudi Arabia
*
Author to whom correspondence should be addressed.
Big Data Cogn. Comput. 2022, 6(4), 124; https://doi.org/10.3390/bdcc6040124
Submission received: 8 September 2022 / Revised: 16 October 2022 / Accepted: 18 October 2022 / Published: 24 October 2022

Abstract

:
The Telecare Medical Information System (TMIS) is a technology used in Wireless Body Area Networks (WBAN) that is used efficiently for remote healthcare services. TMIS services can be provided as cloud computing services for storage and processing purposes. TMIS uses wearable sensors to collect patient data and transmit it to the controller node over a public channel. The data is then obtained from the controller node by the medical server and stored in the database for analysis. However, an attacker can attempt to launch attacks on data transferred across an unsecured channel. Several schemes have therefore been proposed to provide mutual authentication however, there are security and performance problems. Therefore, the research aims to design two secure and efficient inter-BAN authentication protocols for WBAN: protocol-I (P-I) for emergency authentication and protocol-II (P-II) for periodic authentication. To analyze the proposed protocols, we conduct an informal security analysis, implement Burrows-Abadi-Needham (BAN) logic analysis, validate the proposed protocols using the Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation tool, and conduct a performance analysis. Consequently, we show that the proposed protocols meet all the security requirements in this research, achieve mutual authentication, prevent passive and active attacks, and have suitable performance for WBAN.

1. Introduction

The Internet of Things (IoT) is a platform that integrates sensor devices with wireless networks and is applied in various environments and applications across businesses and industries. One such application is a WBAN, because of the rapid advancement of wireless communication technology, which is effectively used in remote healthcare services [1,2,3]. TMIS is a WBAN technology capable of remotely providing various healthcare services via telecare servers [4,5,6,7].
Patients in the TMIS use wearable sensors to continuously check their physical health condition and gather health data [8,9]. This health data is sent to the medical server anytime and from any location. TMIS is especially beneficial for those patients who are disabled, need to monitor their health status continuously, or are unable to attend the hospital for various reasons. Thus, TMIS gives better healthcare services in comparison to conventional healthcare delivery methods [10,11].
TMIS includes medical servers that store Electronic Medical Records (EMRs) of patients engaged in the system. The medical server can be in the cloud for storage and processing purposes, and patients and doctors can view the EMRs stored on the server via the Internet [12,13]. Medical messages transmitted to the medical server include emergency and periodic reports. An emergency report is one that must be sent to the medical server as soon as sensors detect an emergency in the body of the patient. The periodic reports are sent to the medical server at specific times to enable a medical service provider to access the patient’s data and provide an appropriate diagnosis.
Nevertheless, despite the benefits of TMIS, as patients’ health data is conveyed across unprotected channels, it needs to be safeguarded from malicious attacks. Accordingly, mutual authentication is necessary for transferring data securely [14]. Several authentication protocols have been proposed to securely perform mutual authentication; however, there are security and performance issues.
Therefore, the primary aim of this research is to design secure and efficient authentication protocols between a controller node and a cloud-based medical server for secure data transfer. To achieve this aim, this research proposes two WBAN authentication protocols for inter-body communication (Inter-BAN) in a cloud-assisted environment. P-I is for emergency authentication, which takes place whenever a sensor identifies an emergency in the body of the patient, requiring the controller node to begin an emergency authentication with the medical server, while P-II is for periodic authentication, which occurs when the cloud-based medical server needs to obtain the patient’s data from the controller node and store it in the database system at a specific time, requiring the medical server to initiate periodic authentication with the controller node.

1.1. Overview of WBAN

WBAN has three tiers [15], as illustrated in Figure 1:
  • In the intra-BAN tier, communication takes place between sensor and controller nodes. The patient’s data is monitored and captured by sensors, and it is subsequently transmitted to the controller node through an unsecured channel.
  • In the inter-BAN tier, communication takes place between a controller node and a medical server. Software is developed at the controller node/local server for gathering data from sensor nodes and then sending it to the medical server via unsecured channels. In addition, another software is developed at a remote medical server to obtain the data from the controller and store it in the database system for further analysis.
  • In the beyond-BAN tier, communication takes place between a medical server and a doctor. The medical server can be in the cloud, and the doctor can view the data stored on the server.
WBAN in a cloud-assisted environment consists of four parties, as shown in Figure 2:
  • The Trusted authority initializes the system and registers the system parties.
  • The patient wears sensing devices to gather sensitive medical data, which is then transferred via public channels for medical purposes.
  • The cloud-based medical server has sufficient storage and processing power to store the massive amount of medical data concerning patients [16,17].
  • The doctor can request access to the patient’s data and provide appropriate treatment measures.

1.2. Problem Statement and Main Contributions

The environment of WBAN’s public wireless network presents a substantial security issue in terms of guaranteeing that only legitimate parties have access to patient data [18]. Unauthorized access can lead to the interruption, interception, or manipulation of data, putting patients’ lives in danger [19,20]. Several schemes have been proposed to securely perform authentication and create a session key, which is subsequently used to encrypt sensitive data delivered across an unsecured channel. However, there are still performance and security issues [21,22]. Our research will provide an answer to the following question:
  • How do we achieve secure and efficient inter-BAN authentication protocols for WBAN in a cloud-assisted environment?
The contributions of this research are as follows:
  • We design two inter-BAN authentication protocols for WBAN: P-I is for emergency authentication, and P-II is for periodic authentication.
  • We conduct an informal security analysis to demonstrate that our protocols meet all of the security requirements in this research.
  • We evaluate our proposed authentication protocols using BAN logic and the AVISPA simulation tool.
  • We conduct a performance analysis in terms of computation and communication costs.

1.3. Research Scope

The research considers the inter-BAN authentication protocols. Thus, authentication protocols for the intra-BAN and beyond-BAN tiers are outside the scope of this research. Moreover, the research assumes the existence of hardware with integrated sensors that are working properly for manufacturers. The hardware specifications, development, and operation of the sensors are not in the scope of this research, but the use of such sensors to propose authentication protocols is.
The rest of the paper is organized as follows. Section 2 presents the literature review. Section 3 introduces the proposed scheme, whereas Section 4 demonstrates the security analyses of the proposed authentication protocols. In Section 5, performance analyses of the proposed protocols and related protocols are conducted. Finally, Section 6 presents the conclusion.

2. Literature Review

WBANs handle the health data of patients, which must be protected from cyber-attacks. Many researchers have expressed an interest in developing WBAN authentication protocols to safeguard sensitive patient data while it is sent via unsecured channels. This section provides preliminary information, clarifies the requirements of WBAN authentication schemes, reviews existing WBAN schemes, and discusses the findings.

2.1. Preliminary

2.1.1. Elliptic Curve Cryptography

Elliptic curve cryptography (ECC) is a popular kind of asymmetric key encryption. ECC is more secure and efficient than other asymmetric key cryptosystems with smaller key sizes [23,24]. Let q is a prime number, a,bFq, and 4 a 3 + 27 b 2     0   m o d   q . Then, an elliptic curve Eq(a, b) over a finite field Fq is defined by an equation as below:
E q a , b : y 2 = x 3 + a x + b   m o d   q
ECC has two fundamental operations: scalar multiplication and point addition. The scalar multiplication operation is calculated by repeatedly adding as n . P = P + + P (n times), where P is a base point on the elliptic curve Eq(a, b) and n is a positive integer [25].
ECC security is based on the following problems [26]:
  • Elliptic Curve Discrete Logarithm Problem (ECDLP): Given an elliptic curve Eq(a, b) and two points Q, P on Eq(a, b) such that Q = n . P , it is hard to determine an integer n.
  • Elliptic Curve Diffie-Hellman Problem (ECDHP): Given an elliptic curve Eq(a, b) and three points P, x.P, y.P on Eq(a, b), it is hard to determine x . y . P .

2.1.2. Adversary Model

The capabilities of an adversary model are described as the following:
  • All messages exchanged through public channels are completely under the control of the attacker [27].
  • A patient’s controller node/mobile device can be stolen, and the attacker can access the data on it [28].
  • A patient’s identity (IDi) or password (PWi) could be guessed by an attacker, but not both at the same time [29].
  • An attacker has the ability to launch attacks through public channels [30].
  • The private key of the trusted authority cannot be compromised by the attacker [31].

2.2. Requirements of WBAN Authentication Schemes

The following security and performance criteria for WBAN authentication schemes should be met:
  • Emergency and periodic authentication protocols: Whenever a sensor identifies an emergency in the body of the patient, the patient’s controller device begins an emergency authentication with the medical server to send the emergency report in a secure manner. Likewise, when the patient’s data must be obtained from the controller node and stored on the server at a specific time, the cloud-based medical server begins a periodic authentication with the controller node to ensure secure data transmission.
  • Perfect forward/backward secrecy: Future and past keys will not be compromised.
  • Anonymity and Untraceability: This refers to an attacker’s inability to determine a patient’s identity via message eavesdropping and tracking a patient through messages transmitted during earlier sessions.
  • Secure password change: A legitimate mobile device’s password cannot be changed at will by an attacker since the attacker is unaware of IDi and PWi.
  • Controller node revocation: It is essential to include a revocation mechanism if a patient’s mobile device/controller node is lost or stolen.
  • Replay attack: When messages are sent through insecure channels, an attacker can obtain them. However, if the message has a timestamp, the attacker cannot launch a replay attack.
  • Session key disclosure attack: An attacker cannot extract secret values from messages transmitted over an unsecured channel. This prevents the attacker from computing the session key.
  • Off-line guessing attack: A patient’s IDi or PWi could be guessed by an attacker, but not both at the same time.
  • Impersonation attack: An attacker is unable to generate an authentication message to pretend to be a real entity.
  • Controller node stolen attack: An attacker who gets a valid patient’s controller node cannot retrieve any information on it.
  • Known session-specific temporary information attack: The session key cannot be computed even if an attacker has the random values produced securely throughout the session.
  • Desynchronization attack: This attack, which corrupts the communication between two parties, should be prevented by updating the data kept on both parties during the authentication.
  • Computation cost: This refers to the computational load on the involved parties. The computational cost should be minimized since it is critical for devices with constrained resources.
  • Communication cost: This is the cost of exchanging messages in terms of bit sizes and communication overhead between the parties participating in the authentication. Regarding communication overhead, the authentication messages should require at most one round trip.

2.3. The Existing Authentication Schemes in WBAN

Authors in [29,32] presented authentication protocols for medical information assisted by cloud computing. They establish secure authentication between the patient and the cloud server (CS) to securely transmit health data to the CS. They also provide secure access to the CS for medical personnel. However, the schemes do not prevent desynchronization attacks.
Kumar & Chand [33] presented a scheme for authentication between a WBAN client and the CS. It resists session key disclosure and user impersonation attacks, and guarantees forward secrecy and user anonymity/ untraceability. However, it has security weaknesses, and it has more computation costs because it uses complex operations on the two sides.
Authors in [34] presented an authentication scheme for the WBAN client and the CS. The scheme resists user impersonation, replay, and session key disclosure attacks. However, client anonymity is not ensured by the scheme, where the client’s identity is transmitted without masking it over an unsecured channel.
Konan and Wang [35] proposed mutual batch authentication for the interaction between a WBAN client and a medical service provider. Batch authentication allows the medical service provider to handle multiple requests from patients at the same time to achieve lower computation costs. The scheme ensures anonymity to the WBAN client, but it does not resist the stolen mobile device and desynchronization attacks.
Almuhaideb and Alqudaihi [36] suggested an authentication scheme between a client’s controller device and a server. It is based on a three-factor mutual authentication, including biometrics, that worked on improving the scheme of Yu and Park [37] to overcome the security and efficiency problems that were encountered. The scheme ensures patient anonymity, perfect forward/backward secrecy, and resists guessing attacks. Moreover, it provides two protocols. The first one is for authentication between the controller node and the server. The second protocol is for reauthentication, which occurs after the successful initial authentication. Thus, there is no need to generate a new session key, saving considerable energy and time.
Zhou et al. [38] and Amin et al. [39] suggested authentication protocols between a client’s mobile device and a cloud-based server. The schemes are based on an architecture combining many cloud servers with various services distributed among them to distribute the computation burden and make the proposed schemes appropriate for resource-limited devices.
Authors in [40] suggested inter-BAN authentication. It resists replay and impersonation attacks, and it guarantees perfect forward/backward secrecy and anonymity/untraceability. Furthermore, the scheme avoids complex cryptographic operations and uses simple operations on elliptic curves and symmetric encryption. However, it does not resist a stolen controller node attack. If an attacker obtains a controller node, the attacker has the ability to extract the secret information shared between the client and the server.
Almuhaideb [41] proposed two WBAN authentication protocols. The first one is for authentication among a WBAN client and a service provider. The second protocol is for reauthentication, which occurs after the successful initial authentication. There is no need to generate a new session key, saving considerable energy and time since the second protocol helps to minimize communication and computation costs.
Authors in [42] suggested a WBAN protocol for authentication among a patient and a medical server for remote healthcare systems in 5G. It is based on a three-factor mutual authentication, including biometrics. The scheme is designed to provide fast authentication in multiserver environments.
Chen and Peng [43] suggested a WBAN authentication protocol between a client and a server. It worked to enhance the security of the scheme [44]. Also, authors in [45,46] suggested schemes for authentication among a user and a remote server in IoT environments. However, authors in [47] indicated that the scheme [45] does not prevent offline guessing, impersonation, and known session-specific temporary information attacks and does not offer user anonymity/untraceability. Although bilinear pairing and modular exponentiation are considered complex cryptographic operations, the schemes in [43,45] achieve low computation costs because they adopt these operations on only one side to minimize computation costs at the WBAN client.
Authors in [48] suggested a mutual authentication scheme for medical care in a TMIS environment. It has a high computation cost due to its use of complex cryptographic operations on both sides. Moreover, it does not prevent desynchronization and session-specific temporary information attacks.
Authors in [49] presented a mutual authentication protocol between a WBAN client and a medical service provider. The scheme prevents the session key from being disclosed even if the attacker obtains the random values that are produced securely by the client or service provider through the session. Moreover, it ensures client anonymity and untraceability. However, it does not prevent the desynchronization attack and stolen mobile device attacks.
Authors in [50] suggested a WBAN authentication protocol that achieves user anonymity and untraceability. However, it does not prevent the desynchronization attack and stolen mobile device attacks. Moreover, the scheme uses complex cryptographic operations, which create high computation costs.
Authors in [51] suggested an authentication protocol between the patient and a server. It is based on a three-factor mutual authentication, including biometrics, that worked to enhance the scheme of Sahoo et al. [52] and overcomes the security and efficiency problems that were encountered. The scheme ensures patient anonymity, resists the stolen mobile device attack, and provides a secure password change feature. Moreover, it avoids complex operations to achieve low computation costs by using ECC with scalar multiplication and hash functions.
Chen and Chen [53] presented a protocol for authentication between the WBAN client and a server. It is based on a three-factor mutual authentication, including biometrics. The scheme ensures patient anonymity, resists the stolen mobile device attack, and provides a secure password change feature. However, it is vulnerable to a desynchronization attack.
Karthigaiveni and Indrani [54] suggested a scheme for authentication between a patient and a remote server in an IoT-based E-healthcare environment. However, Alzahrani [55] indicated that this scheme does not resist stolen smart card and impersonation attacks, and does not offer patient anonymity/untraceability.
Authors in [56] suggested an authentication between a client and a server. It resists the stolen mobile device attack. However, it is vulnerable to a desynchronization attack.
Kumari and Renuka [57] worked on improving Qiu et al. scheme [58] to overcome the security and efficiency problems that were encountered. They suggested an authentication protocol between a client’s controller device and a server based on three-factor authentication: password, smartcard, and biometrics.
Authors in [59] suggested a WBAN authentication protocol between a client and a medical service provider. The scheme ensures client anonymity and resists desynchronization attacks. However, the scheme does not resist a stolen mobile device attack.
Alzahrani et al. [60,61], Khadem et al. [62], Chunka and Banerjee [63], and Narwal and Mohapatra [64] suggested authentication protocols among sensors and a hub node. In their scheme, the controller device works only to forward the messages between the sensor and the hub nodes. The schemes [60,61,62,63,64] do not ensure anonymity to a controller node and do not resist a stolen controller node attack.
Almuhaideb and Alqudaihi [21] suggested two WBAN authentication protocols. The first protocol is for authentication among a sensor node and a hub node. The second protocol is for reauthentication, which occurs after the successful initial authentication. Thus, there is no need to create a new session key, saving considerable energy and time. Therefore, the second protocol helps to minimize communication and computation costs. In their scheme, the controller node works only to forward the messages among the sensor and the hub nodes.
Narwal and Mohapatra [65] presented a scheme for authentication among a sensor node and a hub node. In their scheme, the controller node works only to forward the messages among the sensor and the hub nodes. It ensures anonymity to a controller node but is vulnerable to a stolen controller node attack.
Authors in [66,67,68] suggested authentication protocols between a patient and a server. The schemes ensure patient anonymity and prevent stolen mobile devices and desynchronization attacks. Moreover, they avoid complex operations to improve performance. However, the schemes do not consider an authentication protocol when the server requests to periodically get the patient’s data.

2.4. Findings

After highlighting the WBAN authentication requirements and reviewing the current authentication schemes, we discovered that the current schemes did not match all of the requirements in this research. Furthermore, none of the current schemes considered emergency and periodic authentication protocols. Moreover, most schemes assumed that the controller node of a patient could be trusted; nevertheless, an attacker can take the controller node and obtain the sensitive data contained in it. In addition, most schemes were vulnerable to a desynchronization attack, which would prohibit both parties from updating certain data synchronously and proceeding with authentication. Also, we discovered that using simple operations on ECC along with hash functions and XOR operations and avoiding complex operations results in a better trade-off between efficiency and security.
Based on the analysis of current inter-BAN authentication schemes, it was discovered that focusing on enhancing current schemes might result in secure and efficient inter-BAN authentication protocols. Therefore, we propose two inter-BAN authentication protocols for WBAN: P-I for emergency authentication and P-II for periodic authentication. Moreover, the proposed protocols meet all the highlighted WBAN authentication requirements to provide security features, prevent security attacks, and achieve the performance criteria.

3. Proposed Scheme

We design inter-BAN authentication protocols for securing the communication between a controller node and a cloud-based medical server. Our scheme consists of an initialization phase, registration phase, authentication P-I, authentication P-II, and changing password protocol. Table 1 provides the fundamental symbols utilized in our scheme.

3.1. Initialization Phase

TA generates the parameters of the system and also its secret and public keys, during the system initialization phase.
  • TA chooses an elliptic curve Eq(a, b) over a finite field Fq, and a base point P on Eq(a, b).
  • TA chooses a hash function h:{0,1}* → Zq*.
  • TA creates a secret number STAZq* as its secret key and computes its public key PKTA = STA * P.
  • TA makes the parameters (Eq(a, b), PKTA, P, q, h) public while keeping STA secret.

3.2. Registration Phase

Figure 3 demonstrates the registration of CN and MSh with TA, and as the following:
  • Pi selects IDi and PWi, then produces a number randomly aiZq*, and calculates HIDi = h (IDi || ai). Pi transmits (IDi, HIDi) to TA in a secure manner. Then TA calculates Si = h (IDi || STA) as CN secret key, PKi = Si*P, SIDi = (HIDi * STA)*PKTA, and CIDi = h(HIDi || STA). TA stores HIDi and IDi in secure memory and makes (PKi) public.
  • MSh chooses IDh and sends (IDh) to the TA securely. Afterward, the TA produces uiZq* and retrieves HIDi from secure memory. TA then calculates Sh = h (IDh || STA) as MSh secret key, PKh = Sh*P, Vi = uih (Sh), Wi = HIDih(ui), and REi = CIDih(Sh). The TA makes (PKh, IDh) public.
  • TA sends (Sh, HIDi, Vi, Wi, REi) to MSh securely. MSh defines Sh as its secret key and computes PIDh-i = HIDih(Sh). MSh stores PIDh-i, Vi, Wi, and REi in its memory.
  • TA sends (Si, SIDi, CIDi, Vi) to CN securely. CN defines Si as its secret key and creates a number biZq*. CN then computes HPWi = h (IDi || PWi || ai), APi = h (IDi || PWi) ⊕ ai, BPi = HPWibi, CPi = SIDibi * P, DPi = h (ai || bi || HPWi || SIDi), and EPi = CIDiSIDi. CN keeps (APi, BPi, CPi, DPi, EPi, Vi) in its memory.

3.3. Authentication P-I

Whenever a sensor identifies an emergency in the body of the patient, the patient’s controller device requests an emergency authentication with the medical server in order to send the report securely. Figure 4 demonstrates P-I, and as the following:
  • Pi enters IDi and PWi to CN. Then CN calculates ai = APih(IDi || PWi), HIDi = h(IDi || ai), HPWi = h(IDi || PWi || ai), bi = HPWiBPi, and SIDi = CPibi*P. Then, CN verifies if DPih(ai || bi || HPWi || SIDi), Pi is logged into CN successfully.
  • CN produces a number riZq* and a current timestamp T1. CN calculates XRi = ri* P, Xi = ri * PKh, Ji = ViXi, and Li1 = h (Xi || HIDi || T1 || IDh || Vi). Afterward, CN transmits the message (XRi, Ji, Li1, T1) to MSh through an unsecured channel.
  • When (XRi, Ji, Li1, T1) is received, MSh validates the timestamp, i.e., if |T1T1*| < ΔT, where T1* denotes the time of message receipt, then MSh calculates Xi = XRi * Sh, Vi = JiXi, then retrieves Wi of Vi from its memory and calculates ui = Vih(Sh), and HIDi = Wih(ui). MSh checks whether HIDih(Sh) ≟ PIDh-i is in its memory. If this condition is met, CN of Pi is registered. MSh then checks whether Li1h (Xi || HIDi || T1 || IDh || Vi). If so, then CN is authenticated.
  • Next, MSh creates random numbers rhZq*, ui+Zq*, and current timestamp T2. Then, MSh calculates Rh = rh * P, Vh = rh * PKi, Vi+ = ui+h(Sh), Wi+ = HIDih(ui+), and SKi-h = h(HIDi || Vh || Xi || Vi). MSh replaces (Vi, Wi) with (Vi, Wi, Vi+, Wi+), then computes C1 = Vi+Vh, and Li2 = h (Vh || SKi-h || IDh || HIDi || Vi+ || T2). Then MSh transmits the message (Rh, Li2, C1, T2) to CN through an insecure channel.
  • When (Rh, Li2, C1, T2) is received from MSh, CN checks the validity of the timestamps. If |T2T2*| < ΔT, where T2* denotes the time of message receipt, then CN calculates Vh = Si * Rh, SKi-h = h(HIDi || Vh || Xi || Vi), and Vi+ = C1 ⊕ Vh. CN checks if Li2h (Vh || SKi-h || IDh || HIDi || Vi+ || T2), CN replaces (Vi) with (Vi+) in its memory, MSh is authenticated, and SKi-h is created between CN and MSh.

3.4. Authentication P-II

When the patient’s data must be obtained from the controller node and stored on the server at a specific time, the cloud-based medical server begins a periodic authentication with the controller node to ensure secure data transmission. Figure 5 demonstrates P-II, and as follows:
  • MSh generates secret numbers fhZq*, bhZq*, and current timestamp T1. MSh retrieves (CIDi) from the secure memory, where CIDi = REih(Sh), (i.e., retrieve the identity of the requested Pi). MSh then computes XBh = bh * P, Bh = bh * PKi, Fh = h (CIDi) ⊕ fh, SKh-i = h (Bh || CIDi || fh), and Lk2 = h (Bh || CIDi || IDh || SKh-i || T1). Afterward, MSh transmits the message (XBh, Fh, Lk2, T1) to CN through an unsecured channel.
  • When (XBh, Fh, Lk2, T1) is received from MSh, Pi enters IDi and PWi to CN. Then CN calculates ai = APih(IDi || PWi), HIDi = h(IDi || ai), HPWi = h(IDi || PWi || ai), bi = HPWiBPi, and SIDi = CPibi*P. After that, CN verifies if DPih(ai || bi || HPWi || SIDi), Pi is logged into CN successfully.
  • CN validates the timestamps. If |T1T1*| < ΔT, where T1* denotes the time of message receipt, then CN calculates CIDi = EPiSIDi, Bh = XBh * Si, fh = Fhh(CIDi), and SKh-i = h (Bh || CIDi || fh). Next, CN checks whether Lk2h (Bh || CIDi || IDh || SKh-i || T1). If so, MSh is authenticated, and SKh-i is created between MSh and CN.

3.5. Password Change Protocol

The password can be changed securely whenever the Pi intends to replace the current password as follows:
  • Pi enters IDi and PWi in CN.
  • CN calculates ai = APih(IDi || PWi), HIDi = h(IDi || ai), HPWi = h(IDi || PWi || ai), bi = HPWiBPi, and SIDi = CPibi * P. Then, CN verifies if DPih(ai || bi || HPWi || SIDi), CN prompts Pi to choose a new password.
  • Pi chooses a new password PWi+ and transmits it to CN.
  • After getting PWi+, CN calculates HPWi+ = h (IDi || PWi+ || ai), APi+ = h (IDi || PWi+) ⊕ ai, BPi+ = HPWi+bi, CPi = SIDibi * P, and DPi+ = h (ai || bi || HPWi+ || SIDi). Finally, CN replaces (APi, BPi, CPi, DPi, EPi,Vi) with (APi+, BPi+, CPi, DPi+, EPi,Vi).

4. Security Analysis

Security evaluations are conducted informally and formally to demonstrate that P-I and P-II meet all of the security requirements.

4.1. Informal Security Analysis

In light of the requirements laid out in Section 2.2, P-I and P-II are discussed in this section.

4.1.1. Emergency and Periodic Authentication Protocols

According to the emergency authentication protocol, whenever a sensor identifies an emergency in the body of the patient, CN requests authentication by sending the message M = (XRi, Ji, Li1, T1) to MSh. An attacker AR cannot create a valid Li1, so MSh authenticates CN by checking Li1h(Xi || HIDi || T1 || IDh || Vi). Then, MSh replies to the authentication by transmitting the message M = (Rh, Li2, C1, T2) to CN. AR cannot produce a legal Li2, so CN authenticates MSh by checking Li2h (Vh || SKi-h || IDh || HIDi || Vi+ || T2). Therefore, CN and MSh can authenticate one another.
The periodic authentication protocol occurs when the medical server requires a patient’s data from the controller node and stores it in the database system at specific times. As a result, there is no need for the controller node to start the authentication, which reduces the communication overhead. In this instance, MSh asks CN, whose identity CIDi is kept on the MSh’s secure memory, for authentication. The MSh requests authentication by sending a message M = (XBh, Fh, Lk2, T1) to CN. AR cannot produce a legal Lk2, so CN authenticates MSh by checking Lk2h (Bh || CIDi || IDh || SKh-i || T1). Therefore, CN and MSh can authenticate each other.

4.1.2. Perfect Forward/Backward Secrecy

If AR acquires any session key, the secrecy of future or previous session keys should not be attacked. For P-I, the session key SKi-h = h(HIDi || Vh || Xi || Vi) cannot be computed by AR, because AR cannot compute Vh and Xi without rh and ri, which are secret numbers generated at random.
For P-II, AR cannot compute the session key SKh-i = h(Bh || CIDi || fh) due to its dynamic nature and the usage of secret random numbers fh and bh. As a result, our protocols provide this feature since each session generates a fresh session key.

4.1.3. Patient Anonymity and Untraceability

For P-I, M = (XRi, Ji, Li1, T1) and M = (Rh, Li2, C1, T2) are changed throughout each session since the authentication is based on random values ri and rh. Moreover, M = (XBh, Fh, Lk2, T1) for P-II depends on the random values fh and bh, making the messages transmitted throughout the sessions independently. As a result, AR cannot gain IDi by eavesdropping on these messages, nor can AR trace a controller node utilizing messages transmitted throughout earlier sessions. Consequently, these features of our proposed protocols are preserved.

4.1.4. Secure Password Change

Our scheme allows for secure password changes whenever a Pi desires to replace the current PWi. To begin, the Pi should enter the current IDi and PWi into CN to confirm that the user is the legal owner of CN. CN verifies if DPih (ai || bi || HPWi || SIDi), CN asks that Pi chooses a new password. CN then computes HPWi+, APi+, BPi+, and DPi+. After that, CN replaces (APi, BPi, CPi, DPi, EPi,Vi) with (APi+, BPi+, CPi, DPi+, EPi,Vi) for future purposes. As a result, AR cannot change the password at will since AR does not know the current IDi and PWi. Therefore, our scheme ensures a secure password change.

4.1.5. Controller Node Revocation

In the event that Pi’s controller node is lost or stolen, Pi can request that it be revoked. The identity-based revocation mechanism is adopted [34], in which Pi sends a revocation message containing IDi to TA. Then, TA retrieves HIDi of IDi from its memory and revokes the controller node from the system. Likewise, TA sends the revocation message containing HIDi to MSh. As a result, if MSh receives an authentication message from a controller node whose HIDi is in the revocation list, the authentication message is ignored.

4.1.6. Replay Attack

In the adversary model, we assumed that AR may get messages when transmissions happened across an unsecured channel. However, AR is unable to launch a replay attack since each message in our protocols has a timestamp. For P-I, CN creates a timestamp, which is included in the hash value Li1 = h(Xi || HIDi || T1 || IDh || Vi). MSh creates a timestamp, which is contained in the value Li2 = h (Vh || SKi-h || IDh || HIDi || Vi+ || T2). The values Xi, HIDi, and Vi for Li1, and the values Vh, HIDi, and Vi+ for Li2 cannot be forged by AR.
For P-II, MSh creates a timestamp, which is included in the hash value Lk2 = h (Bh || CIDi || IDh || SKh-i || T1). The values Bh and CIDi for Lk2 cannot be forged by AR. Therefore, our protocols resist such an attack.

4.1.7. Session Key Disclosure Attack

For P-I, if AR attempts to get SKi-h, AR needs to compute HIDi, Vh, and Xi. However, AR is unable to obtain ai or Sh, rh or Si, and ri or Sh to compute HIDi, Vh, and Xi, respectively.
For P-II, if AR attempts to get SKh-i, AR needs to obtain Bh and fh. However, AR cannot obtain the values bh or Si, and fh via an unsecured channel message. Moreover, AR is unable to obtain HIDi and STA, or Sh to calculate CIDi. Therefore, our protocols resist such an attack.

4.1.8. Off-Line Guessing Attack

In the adversarial model, we assumed that AR can only predict one of IDi or PWi at a time. For P-I and P-II, AR is unable to calculate ai = APih(IDi || PWi) without simultaneously guessing both IDi and PWi correctly. Thus, AR is unable to calculate bi, HIDi, HPWi, and SIDi. Also for P-II, AR cannot compute CIDi = EPiSIDi, without simultaneously predicting both IDi and PWi correctly. Therefore, our protocols resist such an attack.

4.1.9. Impersonation Attack

For P-I, AR must produce the message (XRi, Ji, Li1, T1) to pretend to be the legitimate CN. However, AR is unable to compute a legal Li1 because it is calculated using Xi and HIDi. Thus, MSh checks Li1h(Xi || HIDi || T1 || IDh || Vi). If the condition is not satisfied, MSh locks out AR. Moreover, AR must produce the message (Rh, Li2, C1, T2) to impersonate the legitimate MSh. However, AR is unable to calculate Li2 since it is calculated using Vh and HIDi. Thus, CN checks Li2h(Vh || SKi-h || IDh || HIDi || Vi+ || T2). If the condition is not satisfied, CN locks out AR.
For P-II, AR must produce the message (XBh, Fh, Lk2, T1) to pretend to be the legitimate MSh. However, AR is unable to calculate Lk2 since it is calculated using Bh and CIDi. Thus, CN checks Lk2h (Bh || CIDi || IDh || SKh-i || T1). If the condition is not satisfied, CN locks out AR. Therefore, our protocols resist such an attack.

4.1.10. Controller Node Stolen Attack

In the adversary model, we considered that AR may steal the legitimate Pi’s mobile device/controller node. However, for P-I, AR is unable to produce a legal message because AR cannot retrieve IDi and PWi, and is unable to calculate HIDi.
For P-II, when AR gets an authentication message from MSh, the creation of the session key among MSh and AR is not able because AR cannot retrieve IDi and PWi, and cannot calculate CIDi. Therefore, our protocols resist such an attack.
Furthermore, Pi can request that the stolen controller node be revoked in order to prevent its misuse.

4.1.11. Known Session-Specific Temporary Information Attack

For P-I, if AR gets secret values ri and rh, which are generated randomly during the session, then AR has the ability to calculate Xi = ri * PKh and Vh = rh * PKi. However, AR still is unable to compute HIDi = h (IDi || ai) without Sh or ai. Thus, SKi-h = h(HIDi || Vh || Xi || Vi) cannot be calculated by AR.
For P-II, if AR gets secret values fh and bh, which are generated randomly during the session, then AR has the ability to calculate Bh = bh * PKi. However, AR still is unable to obtain CIDi = h (HIDi || STA) without ai and STA, or Sh. Therefore, AR is not capable of computing SKh-i = h (Bh || CIDi || fh). Therefore, our protocols resist such an attack.

4.1.12. Desynchronization Attack

This attack corrupts the link between CN and MSh at a certain point throughout the authentication, preventing CN and MSh from updating some data synchronously and completing authentication. P-I resists this attack by updating the data (Vi, Wi) kept on MSh, and (Vi) kept on CN. If AR corrupts the communication from CN to MSh, CN requires to initiate a new authentication round. If AR corrupts the link from MSh to CN, there is data stored in MSh’s memory (Vi, Wi, Vi+, Wi+) indicating to the nonupdated and updated data. When CN transmits a new authentication request to MSh using the nonupdated data (Vi), MSh is still able to utilize the nonupdated data (Vi, Wi).
In other words, MSh and CN, respectively, may confirm that the messages they have received are synchronous by examining the equality of Li1h(Xi || HIDi || T1 || IDh || Vi), and Li2h(Vh || SKi-h || IDh || HIDi || Vi+ || T2) [69].
For P-II, if AR corrupts the link from MSh to CN, the MSh only requires to initiate a new authentication round [70,71]. Thus, our protocols resist such an attack.
In summary, Table 2 presents the security requirements comparison of P-I and P-II with those of related protocols [29,33,40,43,45,48,51]. As depicted in Table 2, our protocols meet all of the security requirements.

4.2. BAN Logic Proof

We implement BAN logic to show that P-I and P-II achieve mutual authentication [72,73]. Table 3 shows the fundamental notations of BAN logic.

4.2.1. Inference Rules

We use the following inference rules in the proposed authentication protocols:
Rule 1 (Message Meaning Rule):
M M R = P   |     P   K   Q ,   P   X 1 K P       Q       X 1
Rule 2 (Nonce Verification Rule):
N V R = P   | # X 1 , P   Q   X 1   P   Q   X 1
Rule 3 (Jurisdiction Rule):
J R = P   Q X 1 , P   Q   X 1   P   | X 1
Rule 4 (Belief Rule):
B R = P   | ( X 1 , X 2 )   P   | X 1
Rule 5 (Freshness Rule):
F R = P   | # X 1 P   | # ( X 1 , X 2 )
Rule 6 (Session Key Rule):
S K R = P   | # X 1 , P   Q   X 1 P   |     P   K   Q

4.2.2. P-I Goals

G1: P i |     ( P i   S K i h   M S h )
G2: P i       M S h       ( P i   S K i h   M S h )
G3: M S h   |     ( P i   S K i h   M S h )
G4: M S h       P i       ( P i   S K i h M S h )

4.2.3. P-I Assumptions

A1: M S h   |     # T 1
A2: P i   |     # T 2
A3: P i   |     M S h     ( P i S K i h   M S h )
A4: M S h   |     P i     ( P i S K i h   M S h )  
A5: P i   |     P i   V h   M S h
A6: M S h   |     P i   X i   M S h

4.2.4. P-I Idealized Forms

Msg1: P i M S h : X R i ,   H I D i ,   V i ,   T 1 X i
Msg2: M S h P i : R h , H I D i , V i + , T 2 V h

4.2.5. P-I Formal Analysis

P-I uses BAN logic proof as shown below:
  • Step 1: D1 is obtained from Msg1.
    D 1 : M S h X R i ,   H I D i ,   V i ,   T 1 X i
  • Step 2: M S h confirms that the message sent is from P i . Applying MMR with D1 and A6 yields D2.
    M S h   |     P i   X i M S h ,   M S h X R i ,   H I D i ,   V i ,   T 1 X i M S h     P i       X R i ,   H I D i ,   V i ,   T 1
    D 2 : M S h       P i     X R i ,   H I D i ,   V i ,   T 1
  • Step 3: M S h checks whether P i request is fresh. D3 is obtained by applying FR using A1 and D2.
    M S h   |     # T 1   M S h   |     # X R i ,   H I D i ,   V i ,   T 1  
    D 3 :   M S h   |     # X R i ,   H I D i ,   V i ,   T 1
  • Step 4: M S h verifies whether P i request is legitimate. D4 is obtained by applying NVR using D2 and D3.
    M S h # X R i ,   H I D i ,   V i ,   T 1 , M S h P i | X R i ,   H I D i ,   V i ,   T 1   M S h   P i   X R i ,   H I D i ,   V i ,   T 1
    D 4 :   M S h   P i   X R i ,   H I D i ,   V i ,   T 1
  • Step 5: M S h now trusts P i and all its sent parameters. D5 is obtained by applying BR using D4.
    M S h   P i   X R i ,   H I D i ,   V i ,   T 1 M S h   P i   X R i ,   H I D i ,   V i
    D 5 :   M S h   P i   X R i ,   H I D i ,   V i
  • Step 6: D6 is obtained by using SKR with D3 and D5 to achieve G4.
    M S h   |     # X R i ,   H I D i ,   V i ,   T 1 , M S h   P i   X R i ,   H I D i ,   V i M S h       P i       P i   S K i h   M S h
    D 6 :   M S h       P i       P i   S K i h   M S h
  • Step 7: M S h has complete control over the sent P i parameters. D7 is obtained by using JR with A4 and D6 to achieve G3
      M S h | P i P i S K i h M S h , M S h   P i P i   S K i h   M S h   M S h   |     P i   S K i h   M S h
    D 7 :   M S h   |     P i S K i h   M S h
  • Step 8: D8 is obtained from Msg2
    D 8 :   P i R h , H I D i , V i + , T 2 V h
  • Step 9: P i confirms that the message sent is from M S h . Applying MMR with D8 and A5 yields D9.
    P i   |     P i V h M S h ,   P i R h , H I D i , V i + , T 2 V h P i       M S h       R h , H I D i , V i + , T 2
    D 9 : P i       M S h       R h , H I D i , V i + , T 2
  • Step 10: P i checks whether M S h request is fresh. Applying FR with D9 and A2 yields D10.
    P i   | # T 2 P i   | # R h , H I D i , V i + , T 2
    D 10 :   P i   | # R h , H I D i , V i + , T 2
  • Step 11: P i verifies whether M S h request is legitimate. D11 is obtained by applying NVR using D9 and D10.
    P i   | # R h , H I D i , V i + , T 2 ,   P i       M S h       R h , H I D i , V i + , T 2   P i       M S h     R h , H I D i , V i + , T 2
    D 11 :   P i       M S h   R h , H I D i , V i + , T 2
  • Step 12: P i   now trusts M S h and all of the parameters it has sent. D12 is obtained by using BR with D11.
    P i       M S h   R h , H I D i , V i + , T 2 P i       M S h R h , H I D i , V i +
    D 12 :   P i       M S h R h , H I D i , V i +
  • Step 13: D13 is obtained by using SKR with D10 and D12 to achieve G2.
    P i   | # R h , H I D i , V i + , T 2 ,   P i       M S h R h , H I D i , V i + P i       M S h     P i   S K i h   M S h
    D 13 :   P i       M S h     P i   S K i h   M S h
  • Step 14: P i obtains the parameters of the new session key from the sent M S h parameters. D14 is obtained by using JR with A3 and D13 to achieve G1.
    P i   | M S h P i S K i h M S h , P i M S h P i S K i h M S h   P i   |     P i   S K i h   M S h
    D 14 :   P i   |     P i   S K i h   M S h
In summary of P-I, P i and M S h attain mutual authentication. Furthermore, the session key S K i h is created securely according to G1, G2, G3, and G4.

4.2.6. P-II Goals

G1: P i | ≡ ( M S h   S K h i   P i )
G2: P i | ≡ M S h | ≡ ( M S h   S K h i   P i )
G3: M S h | ≡ ( M S h   S K h i   P i )
G4: M S h | ≡ P i | ≡ ( M S h   S K h i   P i )

4.2.7. P-II Assumptions

A1: P i     |     # T 1
A2: P i | ≡ M S h ⇒ ( M S h   S K h i   P i )
A3: M S h | ≡ P i ⇒ ( M S h   S K h i   P i )
A4: P i | ≡ M S h   B h P i
A5: M S h | ≡ P i | ≡ ( C I D i )
A6: P i | ≡ M S h   C I D i P i

4.2.8. P-II Idealized Forms

Msg1: T A M S h : C I D i
Msg2: M S h P i : X B h , f h , T 1 B h

4.2.9. P-II Formal Analysis

P-II uses BAN logic proof as shown below:
  • Step 1: D1 is obtained from Msg1.
    D 1 : M S h C I D i
  • Step 2: M S h trusts the T A s transmitted parameter and that P i is genuine. D2 is obtained from D1, A5, fh = h ( C I D i ) ⊕ Fh, Bh = bh * PKi, and the session key SKh-i = h ( B h || CIDi || fh) to accomplish G4.
    D 2 : M S h     P i     M S h   S K h i   P i
  • Step 3: D3 is obtained by using JR with A3 and D2 to achieve G3.
    M S h | P i M S h S K h i P i , M S h P i M S h S K h i P i   M S h |     M S h   S K h i   P i
    D 3 :   M S h |     M S h   S K h i   P i
  • Step 4: D4 is obtained from Msg2
    D 4 :   P i X B h , f h , T 1 B h
  • Step 5: P i confirms that the message sent is from M S h . D5 is obtained by applying MMR using D4 and A4.
    P i   |     M S h   B h P i ,   P i X B h , f h , T 1 B h P i       M S h     X B h , f h , T 1
    D 5 :   P i       M S h   X B h , f h , T 1
  • Step 6: P i checks whether M S h request is fresh. D6 is obtained by using FR with A1 and D5.
    P i   | # T 1 P i   | # X B h , f h , T 1
    D 6 :   P i   | # X B h , f h , T 1
  • Step 7: P i verifies whether M S h request is legitimate. D7 is obtained by applying NVR using D5 and D6.
    P i   # X B h , f h , T 1 , P i       M S h |     X B h , f h , T 1   P i       M S h   X B h , f h , T 1
    D 7 :   P i       M S h   X B h , f h , T 1
  • Step 8: P i now trusts M S h and all of the parameters it has sent. D8 is obtained by using BR with D7.
    P i       M S h   X B h , f h , T 1   P i       M S h X B h , f h
    D 8 :   P i       M S h X B h , f h
  • Step 9: D9 is obtained from D8, A6, fh = h ( C I D i ) ⊕ Fh, Bh = XBh * Si, and the session key SKh-i = h ( B h || CIDi || fh) to accomplish G2.
    D 9 :   P i       M S h     M S h   S K h i   P i
  • Step 10: P i obtains the parameters of the new session key from the sent M S h parameters. D10 is obtained by using JR with A2 and D9 to achieve G1.
    P i   | M S h ( M S h S K h i P i ) , P i M S h ( M S h S K h i P i )   P i   |     ( M S h   S K h i   P i )
    D 10 :   P i   |     ( M S h   S K h i   P i )
In summary of P-II, M S h and P i attain mutual authentication. Furthermore, the session key S K h i is created securely according to G1, G2, G3, and G4.

4.3. AVISPA Simulation Tool

The AVISPA simulation tool and the Security Protocol Animator (SPAN) are used to evaluate the security of P-I and P-II. We demonstrate that the simulator completely executes P-I and P-II, verifying the validity of the privacy and authentication reports issued by AVISPA’s checkers’ modules. First, High-Level Protocol Specification Language (HLPSL) is used to write P-I and P-II codes. Then, we evaluate whether the security goals of our protocols are SAFE or UNSAFE by running the On-the-fly Model-Checker (OFMC) and the Constraint-Logic-based Attack Searcher (CL-AtSe). If the outputs are SAFE, then the protocols are secure. Finally, we run the SPAN to ensure that all messages of P-I and P-II are exchanged.
Figure 6 and Figure 7 present the HLPSL code of P-I. Figure 8 and Figure 9 present the HLPSL code of P-II. We have three agents’ roles, a session role, and an environment role. The role controller is played by CN, the role medicalserver is played by MS, and the role trustedauthority is played by TA. The role controller header includes CN, MS, TA as agents, hash function, SKcnta as the symmetric key, and SND/RCV channels of type Dolev-Yao (dy). The role medicalserver header includes CN, MS, TA as agents, hash function, SKmsta as the symmetric key, and SND/RCV channels. The role trustedauthority header includes CN, MS, TA as agents, hash function, SKcnta/ SKmsta as the symmetric keys, and SND/RCV channels. CN is not allowed to be aware of SKmsta, and MS is not aware of SKcnta.
HLPSL specification also identifies the session and environment roles. A protocol session is described by the role session, which defines the interactions between the three agents’ roles. The role environment incorporates the intruder knowledge and the goal. The parameters (sp1, sp2, sp 3, sp4, sp5, sp6, vnew, wnew, cn_ms_ri, cn_ms_t1, ms_cn_rh, ms_cn_t2) of P-I, and parameters (sp1, sp2, sp3, sp4, sp5, sp6, ms_cn_bh, ms_cn_t1, cn_ms_cidi) of P-II, are declared as protocol_id and are used as privacy and authentication checkers. In the goal section, the goal secrecy_of sp1 indicates that CN keeps the variables PWi and Ai secret. The goal secrecy_of sp2 indicates that TA and MS keep the variable Sh secret. The goal secrecy_of sp3 indicates that CN and TA keep the variables SIDi and Si secret. The goal secrecy_of sp4 indicates that TA keeps the variable Sta secret. The goal secrecy_of sp5 indicates that CN and MS keep the session keys SKih and SKhi secret. The goal secrecy_of sp6 indicates that CN, TA, and MS keep the variable CIDi secret. The goal secrecy_of vnew indicates that CN and MS keep the variable Vinew secret. The goal secrecy_of wnew indicates that the variable Winew is kept secret to MS. The goals authentication_on cn_ms_ri and authentication_on cn_ms_cidi indicate that MS authenticates CN after getting messages including Ri and CIDi. The goal authentication_on cn_ms_t1 indicates that CN creates a timestamp T1, and MS authenticates CN after getting a message from CN including T1. The goals authentication_on ms_cn_rh and authentication_on ms_cn_bh indicate that MS creates values, and CN authenticates MS after getting messages from MS including Rrh and Bbh. Finally, the goals authentication_on ms_cn_t1 and authentication_on ms_cn_t2 mean that MS creates timestamps, and CN authenticates MS after getting the timestamps from the messages of MS.
Figure 10 depicts P-I and P-II simulation results utilizing AVISPA with OFMC and CL-AtSe. The summary reports show that P-I and P-II are SAFE and meet all of the security goals indicated in the role environment.
We use the SPAN to show the proper execution of P-I and P-II. Figure 11 and Figure 12 depict screenshots of the P-I and P-II SPAN animators, respectively. The simulator executes and exchanges all messages.

5. Performance Analysis

This section analyses P-I and P-II in connection to the performance requirements.

5.1. Computation Costs

We compute the computation costs by considering the time of the operations according to the studies [29,74]. Bilinear pairing (Tbp) takes 5.811 ms, map-to-point hash (Thp) takes 12.418 ms, modular exponentiation (Texp) requires 3.85 ms, scalar multiplication (Tmul) requires 2.226 ms, random number generation (Trng) requires 0.539 ms, symmetric encryption and decryption (Ted) takes 0.0046 ms, point addition (Tadd) requires 0.0288 ms, and a one-way hash function (Th) needs 0.0023 ms.
In Son et al. [29], the cost at the controller node side is 8 Tmul + 1Trng + 8Th ≈ 18.3654 ms, and the cost at the server side is 2Tbp + 5 Tmul + 1Trng + 5Th ≈ 23.3025 ms. In Chen and Peng scheme [43], the computation cost at the patient side is 1Texp + 5Tmul + 1Trng + 1Ted + 1Tadd + 4Th ≈ 15.5616 ms, and the cost at the server side is 1Tbp + 4Tmul + 1Trng + 1Ted + 2Tadd + 4Th ≈ 15.3254 ms. In Khatoon et al. [48], the cost at the patient side is 1Tbp + 2Thp + 3Tmul + 1Trng + 1Ted + 4Th ≈ 37.8778 ms, and the cost at the server side is 1Tbp + 2Thp + 4Tmul + 1Trng + 1Ted + 2Th ≈ 40.0992 ms. In Rajaram et al. [45], the computation cost at the patient side is 5Tmul + 1Trng + 1Tadd + 7Th ≈ 11.7139 ms, and the cost at the server side is 1Tbp + 1Texp + 3Tmul + 1Trng + 1Tadd + 6Th ≈ 16.9206 ms. In Kumar and Chand [33], the computation cost at the patient side is 1Thp + 6Tmul + 1Trng + 2Tadd + 4Th ≈ 26.3798 ms, and the cost at the cloud server side is 1Thp + 6Tmul + 1Trng + 2Tadd + 4Th ≈ 26.3798 ms. In Li et al. [40], the computation cost at the patient side is 2Tmul + 2Trng + 3Ted ≈ 5.5438 ms, and the cost at the server side is 1Tmul + 1Trng + 3Ted ≈ 2.7788 ms. In Ryu et al. [51], the cost at the patient side is 3Tmul + 1Trng + 11Th ≈ 7.2423 ms, and the cost at the server side is 3Tmul + 1Trng + 7Th ≈ 7.2331 ms.
In P-I, the cost at the patient side is 4Tmul + 1Trng + 7Th ≈ 9.4591 ms, and the cost at the server side is 3Tmul + 2Trng + 6Th ≈ 7.7698 ms. In P-II, the computation cost at the patient side is 2Tmul + 7Th ≈ 4.4681 ms, and the cost at the server side is 2Tmul + 2Trng + 4Th ≈ 5.5392 ms.
The schemes in [33,48] use complex ECC operations on two sides, such as bilinear pairing and map-to-point hash operations, incurring more computation costs. The schemes in [29,43,45] adopt complex cryptographic ECC operations on only one side. The schemes in [40,51] use simple operations on ECC, such as scalar multiplication operations, to minimize the computation costs. P-I and P-II adopt simple ECC operations along with hash function and XOR operation and avoid complex operations, with P-II having fewer operations.
As shown in Table 4, P-I has a lower computation than [29,33,43,45,48], but has a higher computation cost than [40,51]. P-II has a lower computation cost than [29,33,43,45,48,51], but has a higher computation cost then [40]. However, the current schemes had security problems, where they did not meet all of the security requirements in this research. Therefore, P-I and P-II achieve better security than these other schemes, yet they have acceptable computation costs.

5.2. Communication Costs

We compute the communication costs by considering the bit size and communication overhead. Bit sizes are computed according to the scheme [51], where ECC point has 320 bits, SHA-256 hash function has 256 bits, identity has 160 bits, the timestamp has 32 bits, symmetric encryption/decryption has 128 bits, and the random number has 160 bits.
In Son et al. [29], (PKi, Di, PSIDi, T1) requires 928 bits, and (RCS, Li2, T2) needs 608 bits. In Chen and Peng [43], the first message (VC, AuthC, TC) needs 480 bits, and the second message (RAP, AuthAP) requires 576 bits. In Khatoon et al. [48], (Ri, Ti, Authi) needs 480 bits, and (RS, TS, AuthS) needs 608 bits. In Rajaram et al. [45], the first message (idx, Rx, L3, L4, Tx) needs 768 bits, whereas the second message (A3, y3, Ts) requires 352 bits. In Kumar and Chand [33], the first message (W, X) needs 640 bits, and the second message (t, TCS, Y) requires 608 bits. In Li et al. [40], (ReqAuth, TIDN,EkN (tN, r), rN, tN) needs 480 bits, and (rN,EkN (rN, rHSP), EkN (rHSP, K)) requires 416 bits. In Ryu et al. [51], the message (PIDi, Mi, S1, T1) needs 864 bits, and the message (Mj, S3, T2) requires 608 bits.
In P-I, the first message (XRi, Ji, Li1, T1) needs 608 bits, and the second message (Rh, Li2, C1, T2) needs 608 bits. In P-II, the message (XBh, Fh, Lk2, T1) needs 864 bits.
Table 5 shows the results of the communication cost comparison. In terms of communication costs in bits, P-I has a lower communication cost than [29,33,51] but has a higher communication cost than [40,43,45,48]. On the other hand, P-II has a better communication cost than other schemes. Furthermore, P-II achieves a lower communication overhead by requiring only one message.

6. Conclusions

TMIS is a WBAN technology that is capable of providing various healthcare services via telecare servers. TMIS uses wearable sensors to gather patient medical data and transmit it via a public channel for medical purposes. However, several cyber-attacks can be performed via such an unsecured channel. Therefore, the research aimed to design two inter-BAN authentication protocols for securing data transfer between a controller node and a cloud-based medical server: P-I for emergency authentication and P-II for periodic authentication. Our scheme consisted of an initialization phase, registration phase, authentication P-I, authentication P-II, and password change protocol. To analyze our protocols, we performed an informal security analysis and discovered that our protocols satisfied all of the security requirements in this research. Furthermore, we used the BAN logic and discovered that our protocols achieved mutual authentication. We also used the AVISPA simulation tool and discovered that our protocols were secure against passive and active attacks. Moreover, we conducted a performance analysis and discovered that our protocols had suitable computation and communication costs for WBAN, and P-II achieved a lower communication overhead than all other schemes due to the authentication message’s one-way communication. In future work, our goal is to conduct a performance analysis regarding the complexity of the proposed authentication protocols.

Author Contributions

Conceptualization, A.M.A., and H.A.A.; methodology, A.M.A., and H.A.A.; validation, A.M.A., and H.A.A.; writing—original draft preparation, H.A.A.; writing—review and editing, A.M.A.; supervision, A.M.A.; funding acquisition, A.M.A. All authors have read and agreed to the published version of the manuscript.

Funding

This work was funded by SAUDI ARAMCO Cybersecurity Chair at Imam Abdulrahman Bin Faisal University, Saudi Arabia.

Acknowledgments

The authors would like to express their appreciation to the Journal Editor, an Associate Editor, and the four anonymous reviewers for their insightful comments. We also would like to thank Imam Abdulrahman Bin Faisal University for facilitating access to the resources used in this paper.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Poongodi, T.; Rathee, A.; Indrakumari, R.; Suresh, P. IoT Sensing Capabilities: Sensor Deployment and Node Discovery, Wearable Sensors, Wireless Body Area Network (WBAN), Data Acquisition. Intell. Syst. Ref. Libr. 2020, 174, 127–151. [Google Scholar] [CrossRef]
  2. Hussain, M.; Mehmood, A.; Khan, S.; Khan, M.A.; Iqbal, Z. Authentication Techniques and Methodologies used in Wireless Body Area Networks. J. Syst. Archit. 2019, 101, 101655. [Google Scholar] [CrossRef]
  3. Alzahrani, B.A.; Irshad, A. A Secure and Efficient TMIS-Based Authentication Scheme Improved Against Zhang et al.’s Scheme. Arab. J. Sci. Eng. 2018, 43, 8239–8253. [Google Scholar] [CrossRef]
  4. Hsu, C.L.; Le, T.V.; Hsieh, M.C.; Tsai, K.Y.; Lu, C.F.; Lin, T.W. Three-factor UCSSO scheme with fast authentication and privacy protection for telecare medicine information systems. IEEE Access 2020, 8, 196553–196566. [Google Scholar] [CrossRef]
  5. Liu, X.; Ma, W.; Cao, H. MBPA: A medibchain-based privacy-preserving mutual authentication in TMIS for mobile medical cloud architecture. IEEE Access 2019, 7, 149282–149298. [Google Scholar] [CrossRef]
  6. Narwal, B.; Mohapatra, A.K. A survey on security and authentication in wireless body area networks. J. Syst. Archit. 2021, 113, 101883. [Google Scholar] [CrossRef]
  7. Lara, E.; Aguilar, L.; Garcia, J.A. Lightweight Authentication Protocol Using Self-Certified Public Keys for Wireless Body Area Networks in Health-Care Applications. IEEE Access 2021, 9, 79196–79213. [Google Scholar] [CrossRef]
  8. Taleb, H.; Nasser, A.; Andrieux, G.; Charara, N.; Motta Cruz, E. Wireless technologies, medical applications and future challenges in WBAN: A survey. Wirel. Netw. 2021, 27, 5271–5295. [Google Scholar] [CrossRef]
  9. Gupta, A.; Tripathi, M.; Sharma, A. A provably secure and efficient anonymous mutual authentication and key agreement protocol for wearable devices in WBAN. Comput. Commun. 2020, 160, 311–325. [Google Scholar] [CrossRef]
  10. Wu, T.Y.; Yang, L.; Luo, J.N.; Wu, J.M.-T. A Provably Secure Authentication and Key Agreement Protocol in Cloud-Based Smart Healthcare Environments. Secur. Commun. Netw. 2021, 2021, 2299632. [Google Scholar] [CrossRef]
  11. Deebak, B.D.; Al-Turjman, F. Smart Mutual Authentication Protocol for Cloud Based Medical Healthcare Systems Using Internet of Medical Things. IEEE J. Sel. Areas Commun. 2021, 39, 346–360. [Google Scholar] [CrossRef]
  12. Ogundoyin, S.O.; Kamil, I.A. PAASH: A privacy-preserving authentication and fine-grained access control of outsourced data for secure smart health in smart cities. J. Parallel Distrib. Comput. 2021, 155, 101–119. [Google Scholar] [CrossRef]
  13. Ren, Y.; Leng, Y.; Zhu, F.; Wang, J.; Kim, H.J. Data storage mechanism based on blockchain with privacy protection in wireless body area network. Sensors 2019, 19, 2395. [Google Scholar] [CrossRef] [Green Version]
  14. Wazid, M.; Das, A.K.; Vasilakos, A.V. Authenticated key management protocol for cloud-assisted body area sensor networks. J. Netw. Comput. Appl. 2018, 123, 112–126. [Google Scholar] [CrossRef]
  15. Almuhaideb, A.M.; Alghamdi, H.A. Secure and Efficient WBAN Authentication Protocols for Intra-BAN Tier. J. Sens. Actuator Netw. 2022, 11, 44. [Google Scholar] [CrossRef]
  16. Ahmad, W.; Rasool, A.; Javed, A.R.; Baker, T.; Jalil, Z. Cyber security in IoT-based cloud computing: A comprehensive survey. Electronics 2022, 11, 16. [Google Scholar] [CrossRef]
  17. Chengoden, R.; Victor, N.; Huynh-the, T.; Yenduri, G.; Hjhaveri, R.; Member, S.; Alazab, M.; Bhattacharya, S.; Hegde, P.; Kumar Reddy Maddikunta, P.; et al. Metaverse for Healthcare: A Survey on Potential Applications, Challenges and Future Directions. Available online: https://arxiv.org/ftp/arxiv/papers/2209/2209.04160.pdf (accessed on 7 September 2022).
  18. Umar, M.; Wu, Z.; Liao, X. Authenticating tier-two body area network devices through user-specific signal propagation characteristics. Comput. Secur. 2022, 120, 102800. [Google Scholar] [CrossRef]
  19. Li, X.; Peng, J.; Obaidat, M.S.; Wu, F.; Khan, M.K.; Chen, C. A Secure Three-Factor User Authentication Protocol with Forward Secrecy for Wireless Medical Sensor Network Systems. IEEE Syst. J. 2020, 14, 39–50. [Google Scholar] [CrossRef]
  20. Ullah, I.; Zeadally, S.; Amin, N.U.; Asghar Khan, M.; Khattak, H. Lightweight and provable secure cross-domain access control scheme for internet of things (IoT) based wireless body area networks (WBAN). Microprocess. Microsyst. 2021, 81, 103477. [Google Scholar] [CrossRef]
  21. Almuhaideb, A.M.; Alqudaihi, K.S. A Lightweight and Secure Anonymity Preserving Protocol for WBAN. IEEE Access 2020, 8, 178183–178194. [Google Scholar] [CrossRef]
  22. Xu, Z.; Xu, C.; Chen, H.; Yang, F. A lightweight anonymous mutual authentication and key agreement scheme for WBAN. Concurr. Comput. Pract. Exp. 2019, 31, e5295. [Google Scholar] [CrossRef]
  23. Kasyoka, P.; Kimwele, M.; Mbandu Angolo, S. Certificateless pairing-free authentication scheme for wireless body area network in healthcare management system. J. Med. Eng. Technol. 2020, 44, 12–19. [Google Scholar] [CrossRef]
  24. Dhillon, P.K.; Kalra, S. Multi-factor user authentication scheme for IoT-based healthcare services. J. Reliab. Intell. Environ. 2018, 4, 141–160. [Google Scholar] [CrossRef]
  25. Sowjanya, K.; Dasgupta, M.; Ray, S. An elliptic curve cryptography based enhanced anonymous authentication protocol for wearable health monitoring systems. Int. J. Inf. Secur. 2020, 19, 129–146. [Google Scholar] [CrossRef]
  26. Song, Y.; Tan, H. Practical pairing-Free sensor cooperation scheme for cloud-Assisted wireless body area networks. Cybersecurity 2020, 3, 21. [Google Scholar] [CrossRef]
  27. Zhang, J.; Zhang, Q.; Li, Z.; Lu, X.; Gan, Y. A Lightweight and Secure Anonymous User Authentication Protocol for Wireless Body Area Networks. Secur. Commun. Netw. 2021, 2021, 4939589. [Google Scholar] [CrossRef]
  28. Yu, S.J.; Lee, J.Y.; Park, Y.H.; Park, Y.H.; Lee, S.W.; Chung, B.H. A secure and efficient three-factor authentication protocol in global mobility networks. Appl. Sci. 2020, 10, 3565. [Google Scholar] [CrossRef]
  29. Son, S.; Lee, J.; Kim, M.; Yu, S.; Das, A.K.; Park, Y. Design of secure authentication protocol for cloud-assisted telecare medical information system using blockchain. IEEE Access 2020, 8, 192177–192191. [Google Scholar] [CrossRef]
  30. Yang, X.; Yi, X.; Nepal, S.; Khalil, I.; Huang, X.; Shen, J. Efficient and Anonymous Authentication for Healthcare Service with Cloud based WBANs. IEEE Trans. Serv. Comput. 2021, 15, 2728–2741. [Google Scholar] [CrossRef]
  31. Ali, Z.; Ghani, A.; Khan, I.; Ashraf, S.; Hafizul, S.K. A robust authentication and access control protocol for securing wireless healthcare sensor networks. J. Inf. Secur. Appl. 2020, 52, 102502. [Google Scholar] [CrossRef]
  32. Son, S.; Kwon, D.; Lee, J.; Yu, S.; Jho, N.S.; Park, Y. On the Design of a Privacy-Preserving Communication Scheme for Cloud-Based Digital Twin Environments Using Blockchain. IEEE Access 2022, 10, 75365–75375. [Google Scholar] [CrossRef]
  33. Kumar, M.; Chand, S. A Lightweight Cloud-Assisted Identity-Based Anonymous Authentication and Key Agreement Protocol for Secure Wireless Body Area Network. IEEE Syst. J. 2020, 15, 2779–2786. [Google Scholar] [CrossRef]
  34. Saeed, M.E.S.; Liu, Q.Y.; Tian, G.Y.; Gao, B.; Li, F. AKAIoTs: Authenticated key agreement for Internet of Things. Wirel. Netw. 2019, 25, 3081–3101. [Google Scholar] [CrossRef]
  35. Konan, M.; Wang, W. A secure mutual batch authentication scheme for patient data privacy preserving in WBAN. Sensors 2019, 19, 1608. [Google Scholar] [CrossRef] [PubMed] [Green Version]
  36. Almuhaideb, A.M.; Alqudaihi, K. A lightweight three-factor authentication scheme for WHSN architecture. Sensors 2020, 20, 6860. [Google Scholar] [CrossRef] [PubMed]
  37. Yu, S.J.; Park, Y.H. Slua-wsn: Secure and lightweight three-factor-based user authentication protocol for wireless sensor networks. Sensors 2020, 20, 4143. [Google Scholar] [CrossRef] [PubMed]
  38. Zhou, L.; Li, X.; Yeh, K.H.; Su, C.; Chiu, W. Lightweight IoT-based authentication scheme in cloud computing circumstance. Futur. Gener. Comput. Syst. 2019, 91, 244–251. [Google Scholar] [CrossRef]
  39. Amin, R.; Kumar, N.; Biswas, G.P.; Iqbal, R.; Chang, V. A light weight authentication protocol for IoT-enabled devices in distributed Cloud Computing environment. Futur. Gener. Comput. Syst. 2018, 78, 1005–1019. [Google Scholar] [CrossRef]
  40. Li, X.; Ibrahim, M.H.; Kumari, S.; Kumar, R. Secure and efficient anonymous authentication scheme for three-tier mobile healthcare systems with wearable sensors. Telecommun. Syst. 2018, 67, 323–348. [Google Scholar] [CrossRef]
  41. Almuhaideb, A.M. Re—AuTh : Lightweight Re—Authentication with Practical Key Management for Wireless Body Area Networks. Arab. J. Sci. Eng. 2021, 46, 8189–8202. [Google Scholar] [CrossRef]
  42. Wong, A.M.K.; Hsu, C.L.; Le, T.V.; Hsieh, M.C.; Lin, T.W. Three-factor fast authentication scheme with time bound and user anonymity for multi-server e-health systems in 5g-based wireless sensor networks. Sensors 2020, 20, 2511. [Google Scholar] [CrossRef] [PubMed]
  43. Chen, R.; Peng, D. Analysis and Improvement of a Mutual Authentication Scheme for Wireless Body Area Networks. J. Med. Syst. 2019, 43, 19. [Google Scholar] [CrossRef]
  44. Wu, L.; Zhang, Y.; Li, L.; Shen, J. Efficient and Anonymous Authentication Scheme for Wireless Body Area Networks. J. Med. Syst. 2016, 40, 134. [Google Scholar] [CrossRef] [PubMed]
  45. Rajaram, S.; Maitra, T.; Vollala, S.; Ramasubramanian, N.; Amin, R. eUASBP: Enhanced user authentication scheme based on bilinear pairing. J. Ambient Intell. Humaniz. Comput. 2020, 11, 2827–2840. [Google Scholar] [CrossRef]
  46. Agrahari, A.K.; Varma, S.; Venkatesan, S. Two factor authentication protocol for IoT based healthcare monitoring system. J. Ambient Intell. Humaniz. Comput. 2022, 1–18. [Google Scholar] [CrossRef] [PubMed]
  47. Son, S.; Park, Y.; Park, Y. A secure, lightweight, and anonymous user authentication protocol for IoT environments. Sustainability 2021, 13, 9241. [Google Scholar] [CrossRef]
  48. Khatoon, S.; Rahman, S.M.M.; Alrubaian, M.; Alamri, A. Privacy-Preserved, Provable Secure, Mutually Authenticated Key Agreement Protocol for Healthcare in a Smart City Environment. IEEE Access 2019, 7, 47962–47971. [Google Scholar] [CrossRef]
  49. Odelu, V.; Saha, S.; Prasath, R.; Sadineni, L.; Conti, M.; Jo, M. Efficient privacy preserving device authentication in WBANs for industrial e-health applications. Comput. Secur. 2019, 83, 300–312. [Google Scholar] [CrossRef]
  50. Azees, M.; Vijayakumar, P.; Karuppiah, M.; Nayyar, A. An efficient anonymous authentication and confidentiality preservation schemes for secure communications in wireless body area networks. Wirel. Netw. 2021, 27, 2119–2130. [Google Scholar] [CrossRef]
  51. Ryu, J.; Oh, J.; Kwon, D.; Son, S.; Lee, J.; Park, Y.; Park, Y. Secure ECC-Based Three-Factor Mutual Authentication Protocol for Telecare Medical Information System. IEEE Access 2022, 10, 11511–11526. [Google Scholar] [CrossRef]
  52. Sahoo, S.S.; Mohanty, S.; Majhi, B. A secure three factor based authentication scheme for health care systems using IoT enabled devices. J. Ambient Intell. Humaniz. Comput. 2020, 12, 1419–1434. [Google Scholar] [CrossRef]
  53. Chen, Y.; Chen, J. An efficient and privacy-preserving mutual authentication with key agreement scheme for telecare medicine information system. Peer-to-Peer Netw. Appl. 2022, 15, 516–528. [Google Scholar] [CrossRef]
  54. Karthigaiveni, M.; Indrani, B. An efficient two-factor authentication scheme with key agreement for IoT based E-health care application using smart card. J. Ambient Intell. Humaniz. Comput. 2019, 4, 1–12. [Google Scholar] [CrossRef]
  55. Alzahrani, B.A. Secure and Efficient Cloud-based IoT Authenticated Key Agreement scheme for e-Health Wireless Sensor Networks. Arab. J. Sci. Eng. 2021, 46, 3017–3032. [Google Scholar] [CrossRef]
  56. Mohammedi, M.; Omar, M.; Bouabdallah, A. Secure and lightweight remote patient authentication scheme with biometric inputs for mobile healthcare environments. J. Ambient Intell. Humaniz. Comput. 2018, 9, 1527–1539. [Google Scholar] [CrossRef]
  57. Kumari, S.; Renuka, K. Design of a Password Authentication and Key Agreement Scheme to Access e-Healthcare Services. Wirel. Pers. Commun. 2021, 117, 27–45. [Google Scholar] [CrossRef]
  58. Qiu, S.; Xu, G.; Ahmad, H.; Wang, L. A Robust Mutual Authentication Scheme Based on Elliptic Curve Cryptography for Telecare Medical Information Systems. IEEE Access 2017, 6, 7452–7463. [Google Scholar] [CrossRef]
  59. Hussain, S.J.; Irfan, M.; Jhanjhi, N.Z.; Hussain, K.; Humayun, M. Performance Enhancement in Wireless Body Area Networks with Secure Communication. Wirel. Pers. Commun. 2021, 116, 1–22. [Google Scholar] [CrossRef]
  60. Alzahrani, B.A.; Irshad, A.; Albeshri, A.; Alsubhi, K.; Shafiq, M. An improved lightweight authentication protocol for wireless body area networks. IEEE Access 2020, 8, 190855–190872. [Google Scholar] [CrossRef]
  61. Alzahrani, B.A.; Irshad, A.; Albeshri, A.; Alsubhi, K. A Provably Secure and Lightweight Patient-Healthcare Authentication Protocol in Wireless Body Area Networks. Wirel. Pers. Commun. 2021, 117, 47–69. [Google Scholar] [CrossRef]
  62. Khadem, B.; Suteh, A.M.; Ahmad, M.; Alkhayyat, A.; Farash, M.S.; Khalifa, H.S. An Improved WBSN Key-Agreement Protocol Based on Static Parameters and Hash Functions. IEEE Access 2021, 9, 78463–78473. [Google Scholar] [CrossRef]
  63. Chunka, C.; Banerjee, S. An Efficient Mutual Authentication and Symmetric Key Agreement Scheme for Wireless Body Area Network. Arab. J. Sci. Eng. 2021, 46, 8457–8473. [Google Scholar] [CrossRef]
  64. Narwal, B.; Mohapatra, A.K. SEEMAKA: Secured Energy-Efficient Mutual Authentication and Key Agreement Scheme for Wireless Body Area Networks. Wirel. Pers. Commun. 2020, 113, 1985–2008. [Google Scholar] [CrossRef]
  65. Narwal, B.; Mohapatra, A.K. SAMAKA: Secure and Anonymous Mutual Authentication and Key Agreement Scheme for Wireless Body Area Networks. Arab. J. Sci. Eng. 2021, 46, 9197–9219. [Google Scholar] [CrossRef]
  66. Park, K.; Noh, S.; Lee, H.; Das, A.K.; Kim, M.; Park, Y.; Wazid, M. LAKS-NVT: Provably Secure and Lightweight Authentication and Key Agreement Scheme without Verification Table in Medical Internet of Things. IEEE Access 2020, 8, 119387–119404. [Google Scholar] [CrossRef]
  67. Yu, S.; Park, K. SALS-TMIS: Secure, Anonymous, and Lightweight Privacy-Preserving Scheme for IoMT-Enabled TMIS Environments. IEEE Access 2022, 10, 60534–60549. [Google Scholar] [CrossRef]
  68. Le, T.V.; Lu, C.F.; Hsu, C.L.; Do, T.K.; Chou, Y.F.; Wei, W.C. A Novel Three-Factor Authentication Protocol for Multiple Service Providers in 6G-Aided Intelligent Healthcare Systems. IEEE Access 2022, 10, 28975–28990. [Google Scholar] [CrossRef]
  69. Ostad-Sharif, A.; Nikooghadam, M.; Abbasinezhad-Mood, D. Design of a lightweight and anonymous authenticated key agreement protocol for wireless body area networks. Int. J. Commun. Syst. 2019, 32, e3974. [Google Scholar] [CrossRef]
  70. Shuai, M.; Xiong, L.; Wang, C.; Yu, N. Lightweight and privacy-preserving authentication scheme with the resilience of desynchronisation attacks for WBANs. IET Inf. Secur. 2020, 14, 380–390. [Google Scholar] [CrossRef]
  71. Xu, Z.; Xu, C.; Liang, W.; Xu, J.; Chen, H. A lightweight mutual authentication and key agreement scheme for medical Internet of Things. IEEE Access 2019, 7, 53922–53931. [Google Scholar] [CrossRef]
  72. Almuhaideb, A.M.; Alqudaihi, K.S. Authentication in Wireless Body Area Network: Taxonomy and Open Challenges. J. Internet Things 2021, 3, 159–182. [Google Scholar] [CrossRef]
  73. Koya, A.M.; Deepthi, P.P. Anonymous hybrid mutual authentication and key agreement scheme for wireless body area network. Comput. Netw. 2018, 140, 138–151. [Google Scholar] [CrossRef]
  74. Kilinc, H.H.; Yanik, T. A survey of SIP authentication and key agreement schemes. IEEE Commun. Surv. Tutor. 2014, 16, 1005–1023. [Google Scholar] [CrossRef]
Figure 1. WBAN system model overview.
Figure 1. WBAN system model overview.
Bdcc 06 00124 g001
Figure 2. WBAN in a cloud-assisted environment.
Figure 2. WBAN in a cloud-assisted environment.
Bdcc 06 00124 g002
Figure 3. Registration phase.
Figure 3. Registration phase.
Bdcc 06 00124 g003
Figure 4. Authentication P-I.
Figure 4. Authentication P-I.
Bdcc 06 00124 g004
Figure 5. Authentication P-II.
Figure 5. Authentication P-II.
Bdcc 06 00124 g005
Figure 6. The HLPSL code of P-I.
Figure 6. The HLPSL code of P-I.
Bdcc 06 00124 g006
Figure 7. The HLPSL code of P-I.
Figure 7. The HLPSL code of P-I.
Bdcc 06 00124 g007
Figure 8. The HLPSL code of P-II.
Figure 8. The HLPSL code of P-II.
Bdcc 06 00124 g008
Figure 9. The HLPSL code of P-II.
Figure 9. The HLPSL code of P-II.
Bdcc 06 00124 g009
Figure 10. AVISPA with OFMC and CL-AtSe summary reports: (a) P-I OFMC report; (b) P-I CL-AtSe report; (c) P-II OFMC report; (d) P-II CL-AtSe report.
Figure 10. AVISPA with OFMC and CL-AtSe summary reports: (a) P-I OFMC report; (b) P-I CL-AtSe report; (c) P-II OFMC report; (d) P-II CL-AtSe report.
Bdcc 06 00124 g010
Figure 11. The SPAN animator of P-I.
Figure 11. The SPAN animator of P-I.
Bdcc 06 00124 g011
Figure 12. The SPAN animator of P-II.
Figure 12. The SPAN animator of P-II.
Bdcc 06 00124 g012
Table 1. Symbols utilized in our scheme.
Table 1. Symbols utilized in our scheme.
SymbolDescription
PiPatient-i
CNController node of Pi
MShCloud-based medical server-h
TATrusted authority
IDi, PWiPi’s identity and password
HIDiPi’s masked identity
SIDiPi’s secret identity
IDhMSh’s identity
Si, PKiCN’s secret and public keys
Sh, PKhMSh’s secret and public keys
STA, PKTATA’s secret and public keys of
ai, bi, riCN-created random numbers
rh, ui+, fh, bhMSh-created random numbers
uiTA-created a random number
HPWi, APi, BPi, CPi, DPiData used by CN to authenticate Pi
Vi, Wi, Vi+, Wi+Data to verify message synchronization
TnTimestamp n
ΔTThe maximum transmission delay
Tn*The time of message receipt
XRiPublic data generated by CN and used by MSh to compute Xi
XiElliptic Curve Diffie-Hellman Problem
JiData utilized to retrieve Vi in P-I
PIDh-iData stored on MSh to check CN’s registration
RhPublic data generated by MSh and used by CN to compute Vh
VhElliptic Curve Diffie-Hellman Problem
C1Data utilized to retrieve Vi+ in P-I
Li1Data that MSh uses in P-I to authenticate CN
Li2Data that CN uses in P-I to authenticate MSh
REiData that MSh uses in P-II to retrieve CIDi
CIDiData generated by TA and used by MSh to authenticate CN
XBhPublic data generated by MSh and used by CN to compute Bh
BhElliptic Curve Diffie-Hellman Problem
FhData utilized to retrieve fh in P-II
EPiData stored on CN and used to retrieve CIDi in P-II
Lk2Data that CN uses in P-II to authenticate MSh
SKi-hSession key between CN and MSh in P-I
SKh-iSession key between MSh and CN in P-II
PA base point on an elliptic curve
qLarge prime number
*Scalar multiplication operation
Zq*The nonzero positive integers modulus q
XOR operation
hHash function
|| Concatenation operation
Public channel
Secure channel
Table 2. A security requirements comparison.
Table 2. A security requirements comparison.
SchemeS01S02S03S04S05S06S07S08S09S10S11S12
[29]~
[33]~~
[40]~~~
[43]~~
[45]~
[48]
[51]
Proposed
S01 = Emergency and periodic authentication protocols, S02 = Perfect forward/backward secrecy, S03 = Patient anonymity and untraceability, S04 = Secure password change, S05 = Controller node revocation, S06 = Replay attack, S07 = Session key disclosure attack, S08 = Off-line guessing attack, S09 = Impersonation attack, S10 = Stolen controller node attack, S11 = Known session-specific temporary information attack, S12 = Desynchronization attack, ✓ = Could provide the requirement, ✘ = Could not provide the requirement, ~ = Information not available.
Table 3. The notations of BAN logic.
Table 3. The notations of BAN logic.
NotationDescription
P, QTwo principals
X1, X2Two statements
SKThe session key
P|≡ X1P believes X1, if X1 is true
PX1P sees X1, i.e., P receives X1 contained within a message, but P does not necessarily believe X1
P| ∼X1P once says X1, i.e., P transmits a message including X1. It is unknown if P sent the message recently or a long time ago, but P believes X1 when P sends it
P| ⇒ X1P controls X1, and P should trust X1
#(X1) X1 is fresh, i.e., X1 has never been sent before
(X1) KX1 is combined with K
P K QP and Q have the same key K
P Q If P is true, then Q is also true
Table 4. A computation costs comparison.
Table 4. A computation costs comparison.
SchemeComputation Cost
CNMShTotal (ms)
[48]1Tbp + 2Thp + 3Tmul + 1Trng + 1Ted + 4Th1Tbp + 2Thp + 4Tmul + 1Trng + 1Ted + 2Th77.977
[33]1Thp + 6Tmul + 1Trng + 2Tadd + 4Th1Thp + 6Tmul + 1Trng + 2Tadd + 4Th52.7596
[29]8 Tmul + 1Trng + 8Th2Tbp + 5 Tmul + 1Trng + 5Th41.6679
[43]1Texp + 5Tmul + 1Trng + 1Ted + 1Tadd + 4Th1Tbp + 4Tmul + 1Trng + 1Ted + 2Tadd + 4Th30.887
[45]5Tmul + 1Trng + 1Tadd + 7Th1Tbp + 1Texp + 3Tmul + 1Trng + 1Tadd + 6Th28.6345
[51]3Tmul + 1Trng + 11Th3Tmul + 1Trng + 7Th14.4754
[40]2Tmul + 2Trng + 3Ted1Tmul + 1Trng + 3Ted8.3226
P-I4Tmul + 1Trng + 7Th3Tmul + 2Trng + 6Th17.2289
P-II2Tmul + 7Th2Tmul + 2Trng + 4Th10.0073
Table 5. A communication costs comparison.
Table 5. A communication costs comparison.
SchemeCommunication Cost
CNMShMShCNTotal (bits)Communication Overhead
[29]92860815362
[51]86460814722
[33]64060812482
[45]76835211202
[48]48060810882
[43]48057610562
[40]4804168962
P-I60860812162
P-IINot considered8648641
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Almuhaideb, A.M.; Alghamdi, H.A. Design of Inter-BAN Authentication Protocols for WBAN in a Cloud-Assisted Environment. Big Data Cogn. Comput. 2022, 6, 124. https://doi.org/10.3390/bdcc6040124

AMA Style

Almuhaideb AM, Alghamdi HA. Design of Inter-BAN Authentication Protocols for WBAN in a Cloud-Assisted Environment. Big Data and Cognitive Computing. 2022; 6(4):124. https://doi.org/10.3390/bdcc6040124

Chicago/Turabian Style

Almuhaideb, Abdullah M., and Huda A. Alghamdi. 2022. "Design of Inter-BAN Authentication Protocols for WBAN in a Cloud-Assisted Environment" Big Data and Cognitive Computing 6, no. 4: 124. https://doi.org/10.3390/bdcc6040124

APA Style

Almuhaideb, A. M., & Alghamdi, H. A. (2022). Design of Inter-BAN Authentication Protocols for WBAN in a Cloud-Assisted Environment. Big Data and Cognitive Computing, 6(4), 124. https://doi.org/10.3390/bdcc6040124

Article Metrics

Back to TopTop