
An Anonymous Mutual Authenticated Key Agreement Scheme for Wearable Sensors in Wireless Body Area Networks

1
Harbin Institute of Technology (Shenzhen), Shenzhen 518055, China
2
Fujian Provincial Key Laboratory of Big Data Mining and Applications, Fujian University of Technology, Fuzhou 350118, China
3
National Demonstration Center for Experimental Electronic Information and Electrical Technology Education, Fujian University of Technology, Fuzhou 350118, China
4
Department of Computer Science and Engineering, Hong Kong University of Science and Technology, Hong Kong, China
*
Author to whom correspondence should be addressed.
Appl. Sci. 2018, 8(7), 1074; https://doi.org/10.3390/app8071074
Submission received: 31 May 2018 / Revised: 15 June 2018 / Accepted: 21 June 2018 / Published: 2 July 2018
(This article belongs to the Special Issue Wearable Wireless Devices)

Abstract
The advancement of Wireless Body Area Networks (WBANs) has led to significant progress in medical and health care systems. However, such networks still suffer from major security and privacy threats, especially to the data collected in medical or health care applications. A lack of security and of anonymous communication in a WBAN can cause the network to fail in its purpose. Recently, Li et al. proposed a lightweight protocol for wearable sensors in wireless body area networks and claimed that it provides anonymous mutual authentication and resists various types of attacks. This study shows that the protocol is still vulnerable to three types of attacks, i.e., the offline identity guessing attack, the sensor node impersonation attack and the hub node spoofing attack. We then present a secure scheme that addresses these problems and retains similar efficiency on wireless sensor nodes and mobile phones.

1. Introduction

The advancement of electromedical technology has led to new research topics associated with wireless body area networks (WBANs). A wireless body area network (WBAN) is formed by a medical information system and various wearable sensors attached to the patient's body. Integrating WBANs with modern cloud and sensor technologies offers a huge improvement in the efficiency and functionality of medical and health care systems. For instance, after an ischemic stroke, patients require long-term electrocardiographic monitoring [1], and patients who suffer from sleep apnea need to wear a portable monitor while sleeping [2]. A WBAN-enabled environment allows such patients to enjoy the same quality of life without being tangled in sensor wires. To provide a comprehensive and real-time health assessment of the patient, sensed data may be transmitted to the cloud.
A WBAN architecture generally consists of three layers, as shown in Figure 1, with three types of nodes: first level nodes, second level nodes and a hub node. A first level node, e.g., a smartphone, acts as an intermediate node and forwards data to the hub node. Second level nodes are the wearable devices situated on the human body, which send sensed information to a first level node. The hub node is a local server or a remote cloud that analyses and manages the sensed data.
Although WBANs offer simplicity and high efficiency, they suffer from low security, even though the transmitted data contain the health information of the user, which is typically highly sensitive. The need for a secure solution is immediate, since the security association in the 802.15.6 standard is in doubt [3]. To guarantee a secure WBAN, a secure authenticated key agreement protocol should be executed before communication. We argue that this protocol also requires user anonymity. Consider a user wearing a portable electrocardiographic monitor to keep track of his cardiac health, where the cardiac data are properly encrypted. If the data transfer channel can be linked to that user, his privacy is compromised anyway: other users can infer from the mere presence of the electrocardiographic monitor that he has a cardiac problem.
According to previously reported works, e.g., [3,4], an authenticated key agreement protocol for WBANs shall provide data secrecy, user anonymity, session unlinkability, mutual authentication, forward secrecy, and resilience to online/offline dictionary attacks, replay attacks and man-in-the-middle attacks. For several reasons, generic authenticated key agreement protocols [5] or lightweight protocols for general purpose short distance communication [6] should not be used in WBANs. Firstly, the WBAN architecture has three tiers with multiple first level nodes, a setting for which most generic protocols are not optimized. Some first level nodes may be restricted in power or computation ability, so heavy computation is not possible. Furthermore, some generic authentication protocols do not include user anonymity among their design requirements, whereas in a WBAN the identity of the patient should be concealed while he is being diagnosed.
WBANs share some properties with Hierarchical Wireless Sensor Networks (HWSNs), and the experience established in HWSN research has in turn led to the fast development of WBANs. Wang et al. [7] have summarized some early advances in authentication protocols for HWSNs. However, conventional HWSNs assume a large-scale network and are more concerned about battery power than about security and user privacy. As of today, there has been no direct application of HWSN protocols to WBANs.
Recently, various authentication and key agreement protocols for WBANs have been proposed. In 2009, Keoh et al. [8] reported a protocol using a synchronized LED blinking pattern and keychains that provides visual confirmation of the sensor pairing. Later, Liu et al. [9] presented another protocol using both public key and secret key cryptography for authentication. In 2014, Liu et al. [10] improved the anonymity of their previous work and presented a protocol focusing on the communication between first level and second level nodes using elliptic curve cryptography and a bilinear map. However, the anonymity of that scheme was broken by Zhao in 2014 [11]. Zhao, and subsequently Wu et al. [12], presented protocols that overcome the weaknesses found in the previous works. Those protocols, however, require public key cryptography (either elliptic curve cryptography or bilinear pairing) on the sensor node, which imposes a heavy computation and storage burden [13]. In order to save resources and ensure anonymity, Shen et al. [14] proposed a cloud-aided lightweight authentication protocol, which ensures that the network manager cannot learn the user's real identity in the authentication phase.
The sensors attached to the human body have direct access to the physiological signals of the person. As a result, physiological signals such as the electrocardiogram (ECG) or photoplethysmogram (PPG) may be used to generate communication keys [15,16,17]. Such an approach is quite novel and may lead to good applications once its robustness and security have been verified in larger scale experiments. Unlike secrets such as passwords or pre-loaded secret keys, however, a physiological signal cannot necessarily be kept away from attackers.
In 2017, Li and his colleagues proposed a lightweight mutual authentication and key agreement protocol with anonymity for WBANs [4]. They claimed that their protocol provides anonymity and is secure against various types of attacks. However, this study demonstrates that Li's protocol is not secure once a first level node is compromised. In addition, their approach fails to provide node anonymity, so that an attacker is able to track a second level node. To overcome these shortcomings, we provide a simple but effective amendment to the protocol. The repaired protocol is secure against impersonation attacks, replay attacks and man-in-the-middle attacks, and it provides better anonymity for WBAN users.
The organization of the paper is as follows. Section 2 reviews Li's scheme. In Section 3, we show the insecurity of their scheme. An improved scheme is presented in Section 4. We then provide a security analysis of the improved scheme, and finally conclude the paper.

2. Review of Li's Protocol

In this section, we briefly review Li's protocol [4]. Figure 2 shows the architecture of this protocol, which consists of three levels of nodes, i.e., a hub node (HN), first level nodes (FN) and second level nodes (SN). The second level nodes are wearable sensors attached to the human body. Usually, these SNs are resource-constrained, with limited computational and communication power. They report sensed data to a first level node (FN) via a public channel. An FN is an intermediate node between the SNs and the HN. It may be a smart phone or a smart watch, with good communication and computation ability, coordinating the set of SNs attached to the same human body. The FN forwards the received sensed data to a hub node (HN), which has rich resources and may host a database.
The protocol is composed of two phases, the registration phase and the authentication phase. In the registration phase, a system administrator registers and initializes the HN, FN and SN. In the authentication phase, an SN sets up a secure connection in the network while authenticating the HN and being authenticated by the HN.

2.1. Registration Phase

In this phase, the HN generates a unique secret key $k_{HN}$ and securely stores it in its memory. In addition, each second level node is registered individually.
Once a second level node N is registered, the following steps are performed:
  • A unique secret identity $id_N$ is generated for N; it also serves as the secret key of N.
  • A unique identity is generated for the FN, which we denote $id_{FN}$ here to distinguish it from $id_N$. (Their article does not make explicit whether a new $id_{FN}$ is generated when another SN is registered. However, generating a different $id_{FN}$ per SN would immediately make each SN traceable, since the unencrypted $id_{FN}$ is sent over the air every time the SN attempts to connect to the server.)
  • A secret parameter $k_N$ is generated for N.
  • The system computes $a_N = id_N \oplus h(k_{HN}, k_N)$ and $b_N = k_{HN} \oplus a_N \oplus k_N$.
  • The FN stores the tuple $(id_{FN}, id_N, a_N, b_N)$ in its memory.
  • N stores the tuple $(id_N, a_N, b_N)$ in its memory.
  • The HN stores $id_{FN}$ in its memory.
Note that $k_N$ does not need to be stored in the sensor node SN or at the hub node HN.

2.2. Authentication Phase

In this phase, N establishes a session key with the HN through the FN as follows. The whole process is given in Figure 3.
  • A second level node N selects a random number $r_N$ and computes
    $x_N = a_N \oplus id_N$,
    $y_N = x_N \oplus r_N$,
    $tid_N = h(id_N \oplus t_N, r_N)$,
    where $t_N$ is the current timestamp. Next, N sends $\langle tid_N, y_N, a_N, b_N, t_N \rangle$ to the FN.
  • After receiving the message from N, the FN prepends its identity $id_{FN}$ and forwards $\langle id_{FN}, tid_N, y_N, a_N, b_N, t_N \rangle$ to the HN.
  • On receiving the message from the FN, the HN first looks up $id_{FN}$ in its database and terminates if it is not found. Then the HN checks the timestamp $t_N$ by testing $t^* - t_N \stackrel{?}{<} \delta t$, where $t^*$ is the time when the message is received and $\delta t$ is the maximum transmission delay. Next, the HN computes
    $k_N^* = k_{HN} \oplus a_N \oplus b_N$,
    $x_N^* = h(k_{HN}, k_N^*)$,
    $id_N^* = x_N^* \oplus a_N$, $r_N^* = x_N^* \oplus y_N$,
    $tid_N^* = h(id_N^* \oplus t_N, r_N^*)$,
    and checks whether $tid_N^* \stackrel{?}{=} tid_N$. If the equation holds, the HN is assured that N is legitimate. The HN then picks temporary secret parameters $f_N$, $k_N^+$ and computes
    $\alpha = x_N^* \oplus f_N$,
    $\gamma = r_N^* \oplus f_N$,
    $a_N^+ = id_N^* \oplus h(k_{HN}, k_N^+)$,
    $b_N^+ = k_{HN} \oplus a_N^+ \oplus k_N^+$,
    $\eta = \gamma \oplus a_N^+$,
    $\mu = \gamma \oplus b_N^+$,
    $\beta = h(x_N^*, r_N^*, f_N, \eta, \mu)$.
  • Finally, the HN stores the session key $k_s = h(id_N^*, r_N^*, f_N, x_N^*)$ and sends $\langle \alpha, \beta, \eta, \mu, id_{FN} \rangle$ to the FN.
  • Once the FN receives the message from the HN, it strips $id_{FN}$ and sends $\langle \alpha, \beta, \eta, \mu \rangle$ to N.
  • Now N computes $f_N^* = x_N \oplus \alpha$ and $\beta^* = h(x_N, r_N, f_N^*, \eta, \mu)$, and checks $\beta^* \stackrel{?}{=} \beta$ to determine whether the HN is legitimate. The authentication process terminates if the equation does not hold. Then N computes $\gamma = r_N \oplus f_N^*$, $a_N^+ = \gamma \oplus \eta$ and $b_N^+ = \gamma \oplus \mu$. Afterwards, N stores the session key $k_s^* = h(id_N, r_N, f_N^*, x_N)$ and replaces the parameters $(a_N, b_N)$ with $(a_N^+, b_N^+)$.

3. Cryptanalysis of Li's Protocol

This section shows that the protocol proposed by Li and his colleagues is vulnerable to an adversary who compromises a first level node (Section 3.2), which permits sensor node impersonation and hub node spoofing, and to a tracking attack that links sessions of the same sensor node (Section 3.3).

3.1. The Adversary Model

We assume the adversary has the following capabilities when attacking the system. The first three are adopted from Li's paper, while the last one is a reasonable extension of their model:
  • The adversary controls the communication channel: it may eavesdrop on, modify and replay any message transmitted on it. This captures the protocol requirements of resilience to replay attacks, resilience to man-in-the-middle attacks, mutual authentication, and resilience to online/offline dictionary attacks.
  • The adversary can capture any sensor node by some means and extract the secret data stored in the captured node. This captures mutual authentication and forward secrecy.
  • The hub node HN is always trustworthy. However, an adversary may intrude into the HN's database and read and manipulate all data in it except the HN's master key $k_{HN}$. This captures resilience to the stolen-database attack, in which the HN's database is stolen.
  • The adversary may intrude into a first level node FN and read all data stored in it. Given that both the bottom level SN and the top level HN may be compromised, the FN cannot be assumed to remain uncompromised at all times, especially since an FN may be a smart phone or a smart watch, which is easily stolen.

3.2. Vulnerable against Intruding F N Attacks

In the protocol design, an FN mainly serves as an intermediate relay. However, during the registration phase, the secret information $id_N$, $a_N$ and $b_N$ is stored in the FN, and their paper does not make explicit how the FN is supposed to use these values. The FN has no role in authentication: it neither authenticates an SN nor is authenticated by the HN on behalf of an SN, even though it is responsible for coordinating the SN. Nevertheless, this storage turns out to be a point of vulnerability. The tuple $(id_N, a_N, b_N)$ is everything an SN knows, so an adversary who intrudes into an FN can run the SN side of the protocol towards the HN; it can also compute $x_N = a_N \oplus id_N$ and $r_N = x_N \oplus y_N$ from an eavesdropped request and hence forge a valid $\beta$, i.e., spoof the HN towards that SN. All SNs coordinated by this FN are thus compromised.

3.3. Vulnerable to the Tracking Attack

Li claimed that the protocol allows anonymous communication, so that an adversary cannot link one communication session to another session of the same SN. However, this claim does not hold, based on the following facts.
Every SN is registered to the system through a single FN. The identity of the FN, $id_{FN}$, is sent over the air in Step 2 of the authentication phase. Since $id_{FN}$ never changes in the protocol, an adversary can easily associate two sessions with the same FN. For an FN coordinating only one SN, the adversary can link two sessions of the same SN by inspecting Step 2 alone. Even if the FN coordinates several SNs, this does not improve the user's privacy in the applications suggested in Li's paper: in a medical setting, the sensors of a patient are likely to be connected to a single FN, e.g., his smart phone, and revealing the identity of the FN (the smart phone) is even worse than revealing only the identity of an SN (a sensor).
Even in applications where an FN coordinates a very large number of SNs, so that only the identity of the SN matters, an adversary is still able to link two sessions of the same SN. Assume that the adversary $\mathcal{A}$ captures only the messages sent from the SN to the FN and from the FN to the SN, at time $T_1$ and at a later time $T_2$:
Capture at $T_1$: $\langle tid_1, y_1, a_1, b_1, t_1 \rangle$ and $\langle \alpha_1, \beta_1, \eta_1, \mu_1 \rangle$; capture at $T_2$: $\langle tid_2, y_2, a_2, b_2, t_2 \rangle$ and $\langle \alpha_2, \beta_2, \eta_2, \mu_2 \rangle$.
To decide whether the messages captured at $T_2$ belong to a subsequent login of the node captured at $T_1$, $\mathcal{A}$ simply computes $a_2 \oplus b_2$. If the two sessions are related, $(a_2, b_2)$ is the pair $(a_N^+, b_N^+)$ delivered at $T_1$, so $a_2 \oplus b_2 = (\gamma_1 \oplus \eta_1) \oplus (\gamma_1 \oplus \mu_1) = \eta_1 \oplus \mu_1$, which equals $k_{HN} \oplus k_N^+$. Except for a coincidence of negligible probability ($2^{-\mathrm{length}(k_{HN})}$), testing $a_2 \oplus b_2 \stackrel{?}{=} \eta_1 \oplus \mu_1$ determines whether the two sessions are related.
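The two attacks above, as an added Python example that is not part of this article or of Li et al.'s paper: it implements Li's protocol as reviewed in Section 2, runs it for two logins of the same sensor and one login of a different sensor, applies the eavesdropper's test $a_2 \oplus b_2 \stackrel{?}{=} \eta_1 \oplus \mu_1$ of Section 3.3, and finally lets a party holding the FN's registration-time copy of $(id_N, a_N, b_N)$ run the sensor side of the protocol (Section 3.2). The example assumes SHA-256 over length-prefixed inputs for $h$, 32-byte values throughout, and leaves out the timestamp freshness check, which plays no role in either attack; all function and variable names are its own.

```python
import hashlib
import os

L = 32  # every protocol value is one SHA-256 output long (assumption made for this example)


def h(*parts: bytes) -> bytes:
    """Hash of several inputs, each length-prefixed so that h(a, b) != h(a || b)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def li_register(k_hn: bytes):
    """Registration: the (id_N, a_N, b_N) tuple that Li's scheme stores in both the SN and the FN."""
    id_n, k_n = os.urandom(L), os.urandom(L)
    a_n = xor(id_n, h(k_hn, k_n))          # a_N = id_N xor h(k_HN, k_N)
    b_n = xor(xor(k_hn, a_n), k_n)         # b_N = k_HN xor a_N xor k_N
    return id_n, a_n, b_n


def li_sn_request(id_n, a_n, b_n, t_n):
    """SN step 1: returns <tid_N, y_N, a_N, b_N, t_N> and the SN's per-session state (x_N, r_N)."""
    r_n = os.urandom(L)
    x_n = xor(a_n, id_n)                   # = h(k_HN, k_N)
    y_n = xor(x_n, r_n)
    tid_n = h(xor(id_n, t_n), r_n)
    return (tid_n, y_n, a_n, b_n, t_n), (x_n, r_n)


def li_hn_respond(k_hn, msg):
    """HN step 3 (the t* - t_N < dt freshness check is omitted in this example)."""
    tid_n, y_n, a_n, b_n, t_n = msg
    k_star = xor(xor(k_hn, a_n), b_n)      # recovers k_N
    x_star = h(k_hn, k_star)
    id_star = xor(x_star, a_n)
    r_star = xor(x_star, y_n)
    if h(xor(id_star, t_n), r_star) != tid_n:
        return None, None                  # SN not authenticated
    f_n, k_plus = os.urandom(L), os.urandom(L)
    alpha = xor(x_star, f_n)
    gamma = xor(r_star, f_n)
    a_plus = xor(id_star, h(k_hn, k_plus))
    b_plus = xor(xor(k_hn, a_plus), k_plus)
    eta, mu = xor(gamma, a_plus), xor(gamma, b_plus)
    beta = h(x_star, r_star, f_n, eta, mu)
    ks = h(id_star, r_star, f_n, x_star)
    return (alpha, beta, eta, mu), ks


def li_sn_finish(id_n, state, resp):
    """SN step 5: authenticates the HN, derives the session key and the next (a_N, b_N)."""
    x_n, r_n = state
    alpha, beta, eta, mu = resp
    f_star = xor(x_n, alpha)
    if h(x_n, r_n, f_star, eta, mu) != beta:
        return None, None                  # HN not authenticated
    gamma = xor(r_n, f_star)
    ks = h(id_n, r_n, f_star, x_n)
    return ks, (xor(gamma, eta), xor(gamma, mu))


def li_session(k_hn, id_n, a_n, b_n, t_n):
    """One complete run: (request, response, k_s at HN, k_s at SN, updated (a_N, b_N))."""
    req, state = li_sn_request(id_n, a_n, b_n, t_n)
    resp, ks_hn = li_hn_respond(k_hn, req)
    ks_sn, new_ab = li_sn_finish(id_n, state, resp)
    return req, resp, ks_hn, ks_sn, new_ab


def linked(resp1, req2) -> bool:
    """The eavesdropper's test of Section 3.3: does a_2 xor b_2 equal eta_1 xor mu_1?"""
    _, _, eta1, mu1 = resp1
    _, _, a2, b2, _ = req2
    return xor(a2, b2) == xor(eta1, mu1)


def demo():
    k_hn = os.urandom(L)
    id_n, a_n, b_n = li_register(k_hn)
    id_m, a_m, b_m = li_register(k_hn)                      # an unrelated second sensor
    t1, t2 = b"t1".ljust(L, b"\0"), b"t2".ljust(L, b"\0")  # constructed timestamps
    req1, resp1, ks_hn, ks_sn, (a_n2, b_n2) = li_session(k_hn, id_n, a_n, b_n, t1)
    req2 = li_session(k_hn, id_n, a_n2, b_n2, t2)[0]        # N logs in again with its updated pair
    req_m = li_session(k_hn, id_m, a_m, b_m, t2)[0]         # M logs in
    # Section 3.2: whoever reads the FN's registration-time copy of (id_N, a_N, b_N)
    # can run the SN side; the HN keeps no state about the pair and accepts it.
    req_i, state_i = li_sn_request(id_n, a_n, b_n, t2)
    resp_i, ks_hn_i = li_hn_respond(k_hn, req_i)
    ks_imp = li_sn_finish(id_n, state_i, resp_i)[0] if resp_i else None
    return {
        "keys_agree": ks_hn == ks_sn,
        "same_sensor_linked": linked(resp1, req2),
        "other_sensor_linked": linked(resp1, req_m),
        "fn_copy_accepted": ks_imp is not None and ks_imp == ks_hn_i,
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints a dictionary in which the same sensor's second login is linked to its first, the other sensor's login is not, and the FN's copy of the tuple is accepted by the HN as a fully authenticated sensor.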

4. Repairing the Protocol

One of the biggest problems with the protocol is that the FN performs no function in the authentication while possessing the secret information of the SNs it coordinates. A simple, straightforward fix is to let the FN store no information about the SN at all and act purely as a relay between the SN and the HN. The protocol then remains secure (but not anonymous) even if the FN is compromised. This, however, does not resolve the vulnerability of the protocol to tracking attacks. Moreover, this option removes the ability of an FN to control its SNs, which may not be suitable for some applications.
The security and system requirements are as follows. SNs have low computation and communication power, while FNs and HNs are less constrained. SNs and HNs must be mutually authenticated, and SNs and FNs must be mutually authenticated as well, though these two authentications need not happen at the same time. Based on these requirements, we propose a simple repaired protocol with better security and anonymity.

4.1. Architecture

In our architecture, we keep the three-level roles. However, the communication between an SN and an FN (SN-FN) is separated from the communication between an SN and an HN (SN-HN). A two-party authentication protocol is described in this section, and the same protocol is used for SN-FN and for SN-HN. In the case of SN-HN communication, the FN serves as a relay that supports the communication. SN-HN communication normally takes place when sensed data are reported to the HN, while SN-FN communication normally takes place when the FN manages the SN or gathers data from it. Where FN-HN communication is required, we assume that a general purpose authentication protocol, e.g., [5,18], is used, since both nodes have less constrained computation power.

4.2. Description of the Repaired Protocol

As mentioned above, this protocol is a two-party protocol; the reader may assume that the keys are duplicated for the SN-FN and SN-HN communications. We write UN for an upstream node, which is either an FN or an HN. Unless specified otherwise, all variables have the same length as the output of the hash function, $\mathrm{length}(h)$.
An SN registers separately with an FN and with an HN, so two sets of keys are required. In practice, both registrations may be performed at the same time via the FN, as long as the process is carried out securely. Assume that the SN is registering with either of them, denoted UN. The SN is then assigned the following:
  • $id_N$, a unique secret identity of the SN.
  • $a_N = id_N \oplus h(k_{UN}, k_N)$, where $k_{UN}$ is the secret key of the UN and $k_N$ is a nonce.
  • $b_N = a_N \oplus k_{UN} \oplus k_N$.
  • $c_N = h(id_N, k_{UN})$.
In this protocol, the UN does not need to store any secret information about the SN. If the UN wishes to keep track of the identity of the SN, it may keep a truncated or hashed $id_N$. The value $id_N$ must be unique; one bit of $id_N$ may indicate whether the key set belongs to an SN-HN or an SN-FN association, and several bits may encode the identity of the UN.
When the SN wishes to initiate a communication with a UN, the SN performs the following operations (in case an FN wishes to initiate the protocol, it is preceded by a Hello message from the FN to the SN). Please also refer to Figure 4.
  • The SN generates a random number $r_N$ and a timestamp $t_N$ and computes
    $x_N = a_N \oplus id_N$,
    $y_N = x_N \oplus r_N$,
    $tid_N = h(id_N, t_N, c_N, r_N)$.
    Then it sends $\langle tid_N, y_N, a_N, b_N, t_N \rangle$ to the UN.
  • On receiving the request, the UN first checks that the timestamp is still valid. Then it computes
    $k_N^* = k_{UN} \oplus a_N \oplus b_N$,
    $x_N^* = h(k_{UN}, k_N^*)$, $id_N^* = x_N^* \oplus a_N$,
    $r_N^* = x_N^* \oplus y_N$, $c_N^* = h(id_N^*, k_{UN})$.
    Next, it validates $tid_N$ against $h(id_N^*, t_N, c_N^*, r_N^*)$. The protocol is aborted if they do not match.
  • The UN continues the protocol by selecting random numbers $f_N$, $k_N^+$ and computing
    $a_N^+ = id_N^* \oplus h(k_{UN}, k_N^+)$,
    $b_N^+ = a_N^+ \oplus k_{UN} \oplus k_N^+$,
    $\eta = h(f_N, c_N^*) \oplus a_N^+$,
    $\mu = h(c_N^*, f_N) \oplus b_N^+$,
    $\alpha = c_N^* \oplus f_N$,
    $\beta = h(id_N^*, r_N^*, f_N, \eta, \mu)$,
    $k_s = h(id_N^*, r_N^*, f_N, x_N^*)$,
    where $k_s$ is the session key. Finally, the UN sends $\langle \alpha, \beta, \eta, \mu \rangle$ to the SN.
  • The SN validates the message by computing $f_N^* = c_N \oplus \alpha$ and checking whether $\beta$ equals $h(id_N, r_N, f_N^*, \eta, \mu)$. If not, it aborts the protocol.
  • Finally, the SN computes the session key and updates its keys as
    $a_N^+ = h(f_N^*, c_N) \oplus \eta$,
    $b_N^+ = h(c_N, f_N^*) \oplus \mu$,
    $k_s^* = h(id_N, r_N, f_N^*, x_N)$.
    In the absence of an adversary or noise, the SN computes the same session key $k_s$ as the UN. It then replaces $(a_N, b_N)$ with $(a_N^+, b_N^+)$ in its memory.
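The repaired two-party protocol, as an added Python example that is not the article's own code: it follows the steps above for both sides, runs two consecutive sessions of one SN, re-applies the linking test of Section 3.3 (which now fails, since $a_2 \oplus b_2$ and $\eta_1 \oplus \mu_1$ differ by $h(f_N, c_N) \oplus h(c_N, f_N)$), and shows that a relay flipping one byte of $\eta$ is rejected by the SN because $\beta$ covers $\eta$ and $\mu$. The example assumes SHA-256 over length-prefixed inputs for $h$, 32-byte values throughout, and omits the timestamp freshness check; all function and variable names are its own.

```python
import hashlib
import os

L = 32  # every protocol value is one SHA-256 output long, i.e. length(h) (assumption made for this example)


def h(*parts: bytes) -> bytes:
    """Hash of several inputs, each length-prefixed so that h(a, b) != h(a || b)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def register(k_un: bytes):
    """Registration with one upstream node: the SN receives (id_N, a_N, b_N, c_N); the UN stores nothing."""
    id_n, k_n = os.urandom(L), os.urandom(L)
    a_n = xor(id_n, h(k_un, k_n))          # a_N = id_N xor h(k_UN, k_N)
    b_n = xor(xor(a_n, k_un), k_n)         # b_N = a_N xor k_UN xor k_N
    c_n = h(id_n, k_un)                    # c_N = h(id_N, k_UN)
    return id_n, a_n, b_n, c_n


def sn_request(id_n, a_n, b_n, c_n, t_n):
    """SN step 1: returns <tid_N, y_N, a_N, b_N, t_N> and the SN's per-session state (x_N, r_N)."""
    r_n = os.urandom(L)
    x_n = xor(a_n, id_n)
    y_n = xor(x_n, r_n)
    tid_n = h(id_n, t_n, c_n, r_n)
    return (tid_n, y_n, a_n, b_n, t_n), (x_n, r_n)


def un_respond(k_un, msg):
    """UN steps 2 and 3 (timestamp freshness check omitted in this example)."""
    tid_n, y_n, a_n, b_n, t_n = msg
    k_star = xor(xor(k_un, a_n), b_n)
    x_star = h(k_un, k_star)
    id_star = xor(x_star, a_n)
    r_star = xor(x_star, y_n)
    c_star = h(id_star, k_un)
    if h(id_star, t_n, c_star, r_star) != tid_n:
        return None, None                  # SN not authenticated
    f_n, k_plus = os.urandom(L), os.urandom(L)
    a_plus = xor(id_star, h(k_un, k_plus))
    b_plus = xor(xor(a_plus, k_un), k_plus)
    eta = xor(h(f_n, c_star), a_plus)      # eta = h(f_N, c_N*) xor a_N+
    mu = xor(h(c_star, f_n), b_plus)       # mu  = h(c_N*, f_N) xor b_N+
    alpha = xor(c_star, f_n)
    beta = h(id_star, r_star, f_n, eta, mu)
    ks = h(id_star, r_star, f_n, x_star)
    return (alpha, beta, eta, mu), ks


def sn_finish(id_n, c_n, state, resp):
    """SN steps 4 and 5: authenticates the UN, derives k_s and the next (a_N, b_N)."""
    x_n, r_n = state
    alpha, beta, eta, mu = resp
    f_star = xor(c_n, alpha)
    if h(id_n, r_n, f_star, eta, mu) != beta:
        return None, None                  # UN not authenticated, or message tampered in transit
    a_plus = xor(h(f_star, c_n), eta)
    b_plus = xor(h(c_n, f_star), mu)
    return h(id_n, r_n, f_star, x_n), (a_plus, b_plus)


def session(k_un, id_n, a_n, b_n, c_n, t_n):
    """One complete run: (request, response, k_s at UN, k_s at SN, updated (a_N, b_N))."""
    req, state = sn_request(id_n, a_n, b_n, c_n, t_n)
    resp, ks_un = un_respond(k_un, req)
    ks_sn, new_ab = sn_finish(id_n, c_n, state, resp)
    return req, resp, ks_un, ks_sn, new_ab


def linked(resp1, req2) -> bool:
    """The Section 3.3 test, a_2 xor b_2 == eta_1 xor mu_1, applied to the repaired protocol."""
    _, _, eta1, mu1 = resp1
    _, _, a2, b2, _ = req2
    return xor(a2, b2) == xor(eta1, mu1)


def demo():
    k_un = os.urandom(L)
    id_n, a_n, b_n, c_n = register(k_un)
    t1, t2, t3 = (t.ljust(L, b"\0") for t in (b"t1", b"t2", b"t3"))  # constructed timestamps
    req1, resp1, ks_un1, ks_sn1, (a2, b2) = session(k_un, id_n, a_n, b_n, c_n, t1)
    req2, resp2, ks_un2, ks_sn2, (a3, b3) = session(k_un, id_n, a2, b2, c_n, t2)
    # Man-in-the-middle: the relay flips one byte of eta; beta covers eta, so the SN rejects it.
    req3, state3 = sn_request(id_n, a3, b3, c_n, t3)
    alpha, beta, eta, mu = un_respond(k_un, req3)[0]
    eta_bad = bytes([eta[0] ^ 1]) + eta[1:]
    tampered_ks = sn_finish(id_n, c_n, state3, (alpha, beta, eta_bad, mu))[0]
    return {
        "keys_agree": ks_un1 == ks_sn1 and ks_un2 == ks_sn2 and ks_un1 != ks_un2,
        "same_sensor_linked": linked(resp1, req2),
        "tampered_rejected": tampered_ks is None,
    }


if __name__ == "__main__":
    print(demo())
```

The block exercises only the SN and UN roles; when the UN is the HN, the FN in between simply forwards the two messages and holds none of $id_N$, $c_N$ or $k_{UN}$, which is why the tampering attempt has nothing to work with beyond flipping bits.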

5. Security Analysis of the Repaired Protocol

This section demonstrates that our repaired protocol is secure against the aforementioned attacks.

5.1. Intruding on the F N Attacks

In the repaired protocol, the FN no longer stores the keys shared between an SN and an HN. Therefore, compromising an FN only leaks the keys between the SNs and that FN. The compromised FN cannot impersonate an SN towards the HN. The compromised FN can of course still access the SN in SN-FN communication, but it gains no extra access, e.g., to data exclusive to the HN. Symmetrically, SN-FN communication remains secure if all secrets stored in the HN are compromised.

5.2. Impersonation, Man-in-the-Middle and Replay Attacks

The protocol provides sound mutual authentication between an SN and an FN/HN. The adversary defined in Section 3.1 has the capabilities required to perform impersonation, man-in-the-middle and replay attacks. The goals of this adversary are as follows: (Goal 1) convincing either an SN or a UN to believe, within the timeout period, that a legitimate partner is participating in the communication when it is not; (Goal 2) having a better strategy than random guessing for distinguishing a session key $k_s$ from a random string of the same length. We show that no adversary achieves either goal with non-negligible probability.
Goal 1 is reached when either the UN accepts or the SN accepts. We discuss these cases separately.
  • The UN accepts. This happens if and only if $tid_N = h(id_N^*, t_N, c_N^*, r_N^*)$. We assume that the legitimate SN did not generate this $tid_N$ after $t^* - \Delta T$; otherwise a legitimate partner is participating, which contradicts the definition of Goal 1. If the equation holds but the hash $h(id_N^*, t_N, c_N^*, r_N^*)$ has never been computed, this happens only with probability $p = 2^{-\mathrm{length}(h)}$.
    If the equation holds and the hash has been computed before, it was not computed by the legitimate SN or UN: $id_N$ is unique, the SN produced no request at $t_N$, and the UN never sends a $tid_N$ it has computed. Therefore the adversary must have computed the hash itself, which requires $id_N$ and $c_N$, neither of which is sent over the network. This probability is bounded by $p^2 \times q_h$, where $q_h$ is the maximum number of hashes that can be computed with reasonable resources.
  • The SN accepts. This happens if and only if $\beta = h(id_N, r_N, f_N^*, \eta, \mu)$. As before, if the hash was never computed, the probability is bounded by $p$. If the hash was previously computed by the UN, then the same SN (with $id_N^*$) has already sent a login request with $r_N^*$; since $r_N$ is chosen at random, this happens only with probability $p \times q_E$, where $q_E$ is the total number of sessions executed by the SN. Otherwise, the adversary has to guess $id_N^*$ and $c_N$ correctly, which happens only with probability $p^2 \times q_h$.
To sum up, Goal 1 is reached with probability lower than $(q_E + 2)p + 2 q_h p^2$, where $p = 2^{-\mathrm{length}(h)}$, $q_E$ is the total number of sessions executed by the SN and $q_h$ is the total number of hashes the adversary can compute with reasonable resources. This is negligible when the hash length is large.
Goal 2 is reached only when the UN accepts and the hash $h(id_N, r_N, f_N, x_N)$ has been computed by the adversary, since $k_s$ is never transmitted. However, $id_N$ and $x_N$ are both secret, and guessing them correctly is bounded by $p^2 \times q_h$.
Considering the probability of achieving Goals 1 and 2 together, an attacker mounting an impersonation attack, a man-in-the-middle attack or a replay attack succeeds with probability less than $(q_E + 2)p + 3 q_h p^2$.

5.3. Tracking Attacks and Anonymity

We can see that the tracking attack of Section 3.3 no longer works. First, an FN serves only as a relay that forwards messages, so no information can be harvested to identify the relaying FN. Furthermore, the equality $a_2 \oplus b_2 = \eta_1 \oplus \mu_1$ no longer holds; instead $\eta_1 \oplus \mu_1 = a_2 \oplus b_2 \oplus h(f_N, c_N) \oplus h(c_N, f_N)$. Since $c_N$ and $f_N$ cannot be computed by the adversary, $h(f_N, c_N)$ and $h(c_N, f_N)$ cannot be computed either.

6. Simulation Verification Using the ProVerif Tool

ProVerif is an automatic cryptographic protocol verifier, widely used to specify and analyze the security of authenticated key agreement protocols [19,20,21,22,23].
In this section, we use ProVerif to further analyze the security and validity of the proposed protocol. The simulation includes the two roles SN and UN and consists of the following parts:
  • First, we define the variables used in the simulation: $K_{UN}$ is the secret key of the UN (here the HN), and $SK_{SN}$ and $SK_{UN}$ are the final shared keys established by the SN and the UN, respectively; then come the functions and events (Figure 5).
  • Second, we list the goals of the simulation. Specifically, the goals are that the whole authentication process succeeds, that the shared key is established, and that the attacker cannot obtain the key in any case (Figure 6).
  • The process of the SN (Figure 7).
  • The process of the UN (Figure 8).
  • The main execution (Figure 9).
  • According to the simulation results in Figure 10, the proposed protocol achieves the goals listed in Figure 6.

7. Performance Evaluation

This section evaluates the repaired protocol against the related protocols [4,10,11,12,14] in terms of security properties and estimated running time. We consider anonymity, resistance to tracking attacks, insider attacks, replay attacks, impersonation attacks and man-in-the-middle attacks, mutual authentication, and forward secrecy of the session key. From Table 1, we see that only the repaired protocol, Wu's protocol [12] and Shen et al.'s protocol [14] fulfill all the security properties.
We analyze the time performance of these protocols by counting the core cryptographic operations used in each of them, and estimate the running time of each protocol by adding the times of the cryptographic operations it executes. We do not consider parallel computation on multi-core processors since most wearable devices have a single core. Pipelining is also not discussed since authentication usually needs to be executed only once.
We consider two possible realizations of an SN: a MICAz sensor device with 4 KB RAM (Crossbow Technology, San Jose, CA, USA) and a 7 MHz ATmega128L microcontroller (Microchip Technology Inc, Chandler, AZ, USA), and an iPhone 6s smart phone (Apple, Cupertino, CA, USA) with 2 GB RAM and an ARM (ARMv8-A) CPU. The timings for the MICAz are taken from [13,24,25], while we measured the operations on the smart phone ourselves using the Pairing Based Cryptographic Library [26]. The results are summarized in Table 2.
Table 3 lists the estimated time of the protocols under these measurements. From this table, we observe that the repaired protocol costs more time than Li's protocol [4], as it executes six more hash functions, but less time than the other related protocols [10,11,12,14].

8. Conclusions

We demonstrated that Li's protocol is broken and should not be used in any WBAN application. We also proposed an alternative architecture that should be considered when designing any authentication protocol for WBANs. In this architecture, the linear chain connecting an SN to an FN and an FN to an HN is abandoned. Instead, SNs, FNs and HNs are directly connected to each other through pairwise secrets, and the role of the FN in an SN-HN communication changes from coordinating to relaying messages between the SN and the HN. We believe this approach is effective and secure, in that compromise of an HN or an FN does not lead to a total compromise of the system. In such an architecture, an attacker may abuse an FN by consuming its relay service. This problem, however, appears in most relaying systems in wireless networks and may be handled with firewall rules or intrusion detection techniques. It remains an interesting research topic for the authors' future work.

Author Contributions

C.-M.C. and K.-H.W. wrote the main concepts of the manuscript; B.X. designed and implemented the experiments; T.-Y.W. checked the English writing and organization of the manuscript.

Funding

The work of Chien-Ming Chen was supported in part by Shenzhen Technical Project under Grant number JCYJ20170307151750788 and in part by Shenzhen Technical Project under Grant number KQJSCX20170327161755. The work of Tsu-Yang Wu was supported in part by the Science and Technology Development Center, Ministry of Education, China under Grant no. 2017A13025 and the Natural Science Foundation of Fujian Province under Grant no. 2018J01636.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Dussault, C.; Toeg, H.; Nathan, M.; Wang, Z.J.; Roux, J.F.; Secemsky, E. Electrocardiographic Monitoring for Detecting Atrial Fibrillation After Ischemic Stroke or Transient Ischemic Attack. Circ. Arrhythm. Electrophysiol. 2015, 8, 263–269.
  2. Epstein, L.J.; Kristo, D.; Strollo, P.J.; Friedman, N.; Malhotra, A.; Patil, S.P.; Ramar, K.; Rogers, R.; Schwab, R.J.; Weaver, E.M.; et al. Clinical guideline for the evaluation, management and long-term care of obstructive sleep apnea in adults. J. Clin. Sleep Med. 2009, 5, 263–276.
  3. Toorani, M. On Vulnerabilities of the Security Association in the IEEE 802.15.6 Standard. In Proceedings of the Financial Cryptography and Data Security: FC 2015 International Workshops, BITCOIN, WAHC, and Wearable, San Juan, Puerto Rico, 26–30 January 2015; pp. 245–260.
  4. Li, X.; Ibrahim, M.H.; Kumari, S.; Sangaiah, A.K.; Gupta, V.; Choo, K.K.R. Anonymous mutual authentication and key agreement scheme for wearable sensors in wireless body area networks. Comput. Netw. 2017, 129, 429–443.
  5. Kaufman, C.; Hoffman, P.; Nir, Y.; Eronen, P. Internet Key Exchange Protocol Version 2 (IKEv2); RFC 5996; RFC Editor, IETF: Fremont, CA, USA, 2010.
  6. Wang, K.H.; Chen, C.M.; Fang, W.; Wu, T.Y. On the security of a new ultra-lightweight authentication protocol in IoT environment for RFID tags. J. Supercomput. 2017, 74, 1–6.
  7. Wang, D.; Wang, P. On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions. Comput. Netw. 2014, 73, 41–57.
  8. Keoh, S.L.; Lupu, E.; Sloman, M. Securing body sensor networks: Sensor association and key management. In Proceedings of the 2009 IEEE International Conference on Pervasive Computing and Communications, PerCom 2009, Galveston, TX, USA, 9–13 March 2009; pp. 1–6.
  9. Liu, J.; Kwak, K.S. Hybrid security mechanisms for wireless body area networks. In Proceedings of the 2010 Second International Conference on Ubiquitous and Future Networks (ICUFN), Jeju, Korea, 16–18 June 2010; pp. 98–103.
  10. Liu, J.; Zhang, Z.; Chen, X.; Kwak, K.S. Certificateless remote anonymous authentication schemes for wireless body area networks. IEEE Trans. Parallel Distrib. Syst. 2014, 25, 332–342.
  11. Zhao, Z. An efficient anonymous authentication scheme for wireless body area networks using elliptic curve cryptosystem. J. Med. Syst. 2014, 38, 13.
  12. Wu, L.; Zhang, Y.; Li, L.; Shen, J. Efficient and anonymous authentication scheme for wireless body area networks. J. Med. Syst. 2016, 40, 134.
  13. Xiong, X.; Wong, D.S.; Deng, X. TinyPairing: A Fast and Lightweight Pairing-Based Cryptographic Library for Wireless Sensor Networks. In Proceedings of the 2010 IEEE Wireless Communication and Networking Conference, Sydney, NSW, Australia, 18–21 April 2010; pp. 1–6.
  14. Shen, J.; Gui, Z.; Ji, S.; Shen, J.; Tan, H.; Tang, Y. Cloud-aided lightweight certificateless authentication protocol with anonymity for wireless body area networks. J. Netw. Comput. Appl. 2018, 106, 117–123.
  15. Venkatasubramanian, K.K.; Banerjee, A.; Gupta, S.K.S. PSKA: Usable and secure key agreement scheme for body area networks. IEEE Trans. Inf. Technol. Biomed. 2010, 14, 60–68.
  16. Zhang, Z.; Wang, H.; Vasilakos, A.V.; Fang, H. ECG-cryptography and authentication in body area networks. IEEE Trans. Inf. Technol. Biomed. 2012, 16, 1070–1078.
  17. Shi, L.; Yuan, J.; Yu, S.; Li, M. ASK-BAN: Authenticated secret key extraction utilizing channel characteristics for body area networks. In Proceedings of the Sixth ACM Conference on Security and Privacy in Wireless and Mobile Networks, Budapest, Hungary, 17–19 April 2013; ACM: New York, NY, USA, 2013; pp. 155–166.
  18. Wang, K.H.; Chen, C.M.; Fang, W.; Wu, T.Y. A secure authentication scheme for Internet of Things. Pervasive Mob. Comput. 2017, 42, 15–26.
  19. Jiang, Q.; Zeadally, S.; Ma, J.; He, D. Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks. IEEE Access 2017, 5, 3376–3392.
  20. Chaudhry, S.A.; Naqvi, H.; Sher, M.; Farash, M.S.; Hassan, M.U. An improved and provably secure privacy preserving authentication protocol for SIP. Peer-to-Peer Netw. Appl. 2017, 10, 1–15.
  21. Wu, F.; Xu, L.; Kumari, S.; Li, X.; Shen, J.; Choo, K.K.R.; Wazid, M.; Das, A.K. An efficient authentication and key agreement scheme for multi-gateway wireless sensor networks in IoT deployment. J. Netw. Comput. Appl. 2017, 89, 72–85.
  22. Abbasinezhad-Mood, D.; Nikooghadam, M. Efficient anonymous password-authenticated key exchange protocol to read isolated smart meters by utilization of extended Chebyshev chaotic maps. IEEE Trans. Ind. Inform. 2018.
  23. Abbasinezhad-Mood, D.; Nikooghadam, M. Design and hardware implementation of a security-enhanced elliptic curve cryptography based lightweight authentication scheme for smart grid communications. Future Gener. Comput. Syst. 2018, 84, 47–57.
  24. Panait, C.; Dragomir, D. Measuring the performance and energy consumption of AES in wireless sensor networks. In Proceedings of the 2015 Federated Conference on Computer Science and Information Systems (FedCSIS), Lodz, Poland, 13–16 September 2015; pp. 1261–1266.
  25. Koschuch, M.; Hudler, M.; Saffer, Z. Towards algorithm agility for wireless sensor networks: Comparison of the portability of selected hash functions. In Proceedings of the 2013 International Conference on Data Communication Networking (DCNET), Reykjavik, Iceland, 29–31 July 2013; pp. 1–5.
  26. Lynn, B. On the Implementation of Pairing-Based Cryptosystems. Ph.D. Thesis, Stanford University, Stanford, CA, USA, 2007.
Figure 1. Architecture of a medical WBAN.
Figure 2. Architecture of Li's protocol [4].
Figure 3. Li's protocol.
Figure 4. The repaired protocol.
Figure 5. ProVerif code of variables, functions and events.
Figure 6. Goal of this simulation.
Figure 7. ProVerif code of SN.
Figure 8. ProVerif code of HN.
Figure 9. Main process of this simulation.
Figure 10. Simulation results.
Table 1. Comparison of the security properties. Y and N stand for fulfilling and not fulfilling the requirement, respectively.

Protocol   C1   C2   C3   C4   C5   C6   C7   C8
[10]       Y    Y    N    Y    Y    Y    Y    Y
[11]       N    N    Y    Y    Y    Y    Y    Y
[12]       Y    Y    Y    Y    Y    Y    Y    Y
[4]        N    N    N    Y    N    Y    Y    Y
[14]       Y    Y    Y    Y    Y    Y    Y    Y
Ours       Y    Y    Y    Y    Y    Y    Y    Y

C1: Provides anonymity;
C2: Withstands tracking attack;
C3: Withstands insider attack;
C4: Withstands replay attack;
C5: Withstands impersonation attack;
C6: Withstands man-in-the-middle attack;
C7: Mutual authentication;
C8: Session key forward secrecy.
Table 2. Computation time of the cryptographic operations.

Symbol   Description                                  Running Time on a Smartphone   Running Time on a MICAz
T_h      Hash function                                0.03 ms                        8 ms [25]
T_sym    Symmetric encryption/decryption operation    0.12 ms                        3.5 ms [24]
T_sm     Scalar multiplication over elliptic curves   20.23 ms                       2450 ms [13]
T_bp     Bilinear pairing operation                   25.64 ms                       5320 ms [13]
Table 3. Comparison of the estimated time.

Protocol   Time Cost                          Running Time on a Smartphone   Running Time on a MICAz
[10]       4T_h + 5T_sm + 3T_bp               178.19 ms                      28242 ms
[11]       11T_h + 9T_sm + 3T_sym             182.64 ms                      22148.5 ms
[12]       7T_h + 8T_sm + T_bp + 2T_sym       187.93 ms                      24983 ms
[4]        9T_h                               0.27 ms                        72 ms
[14]       9T_h + 13T_sm                      263.26 ms                      31922 ms
Ours       15T_h                              0.45 ms                        120 ms
