Next Article in Journal
Adversarial Attacks on Heterogeneous Multi-Agent Deep Reinforcement Learning System with Time-Delayed Data Transmission
Previous Article in Journal
Sensor Network Environments: A Review of the Attacks and Trust Management Models for Securing Them
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Secure and Efficient WBAN Authentication Protocols for Intra-BAN Tier

by
Abdullah M. Almuhaideb
1,* and
Huda A. Alghamdi
2
1
SAUDI ARAMCO Cybersecurity Chair, Department of Networks and Communications, College of Computer Science and Information Technology, Imam Abdulrahman Bin Faisal University, P.O. Box 1982, Dammam 31441, Saudi Arabia
2
Department of Computer Science, College of Computer Science and Information Technology, Imam Abdulrahman Bin Faisal University, P.O. Box 1982, Dammam 31441, Saudi Arabia
*
Author to whom correspondence should be addressed.
J. Sens. Actuator Netw. 2022, 11(3), 44; https://doi.org/10.3390/jsan11030044
Submission received: 21 May 2022 / Revised: 29 July 2022 / Accepted: 1 August 2022 / Published: 8 August 2022
(This article belongs to the Section Network Security and Privacy)

Abstract

:
Telecare medical information system (TMIS) is a technology used in a wireless body area network (WBAN), which has a crucial role in healthcare services. TMIS uses wearable devices with sensors to collect patients’ data and transmit the data to the controller node via a public channel. Then, the medical server obtains the data from the controller node and stores it in the database to be analyzed. Unfortunately, an attacker can try to perform attacks via a public channel. Thus, establishing a secure mutual authentication protocol is essential for secure data transfer. Several authentication schemes have been presented to achieve mutual authentication, but there are performance limitations and security problems. Therefore, this study aimed to propose two secure and efficient WBAN authentication protocols between sensors and a mobile device/controller: authentication protocol-I for emergency medical reports and authentication protocol-II for periodic medical reports. To analyze the proposed authentication protocols, we conducted an informal security analysis, implemented BAN logic analysis, validated our proposed authentication protocol using the AVISPA simulation tool, and conducted a performance analysis. Consequently, we showed that our proposed protocols satisfy all security requirements in this study, attain mutual authentication, resist active and passive attacks, and have suitable computation and communication costs for a WBAN.

1. Introduction

A WBAN is being utilized effectively in healthcare services remotely because of the fast progress of wireless communication technology. TMIS is one of the WBAN technologies that can provide a variety of healthcare services to patients remotely through telecare servers [1,2,3].
In the TMIS environment, patients can wear wearable devices with many sensors to continuously monitor patients’ physical conditions and collect sensitive health data, such as the temperature of the body, heart rate, pressure, sugar of the blood, and other data [4,5]. The health data are transmitted to patients’ mobile devices and then transferred to medical servers at any time and from any location. Thus, patients can save time and cost by utilizing numerous healthcare services remotely. Due to these advantages, TMIS offers better healthcare services compared to traditional healthcare services [6]. However, despite the advantages of TMIS, sensitive medical data concerning patients must be protected from malicious attacks as they are transmitted through unsecured channels. Thus, secure mutual authentication is essential for secure data transmission [7].
The transmitted messages include emergency medical reports and periodic medical reports. The emergency medical report occurs when a sensor detects an emergency in the body of a patient, which is needed to be sent as soon as the emergency is detected. The periodic medical report occurs when the sensor nodes are requested to collect the patient’s health data and send them to take an appropriate diagnosis at a specific time.
In this paper, we propose two WBAN authentication protocols for the intra-BAN tier: authentication protocol-I for emergency medical reports and authentication protocol-II for periodic medical reports. We conducted an informal security analysis to show that the proposed authentication protocols satisfy all security requirements in this study. Moreover, we implemented BAN logic to evaluate our proposed authentication protocols and ensure they attain mutual authentication. In addition, the AVISPA simulation tool was used to demonstrate that our proposed protocols resist active and passive attacks. Moreover, we conducted a performance analysis by comparing our proposed authentication protocols’ computation and communication costs with related protocols.
The rest of the paper is organized as follows. Section 2 presents the related work, and Section 3 presents the problem statement and the proposed scheme, whereas Section 4 outlines the security analysis of the proposed authentication protocols. In Section 5, a performance analysis of the proposed protocols and related protocols is demonstrated. Finally, Section 6 presents the conclusion.

2. Related Works

WBANs deal with patients’ sensitive health data, which must be safeguarded against cyberattacks. Many researchers have been interested in proposing WBAN authentication protocols to protect patients’ sensitive data transmitted over insecure channels.

2.1. Overview of The System Model

The WBAN includes three tiers [8], as shown in Figure 1:
  • The first tier is “Intra-BAN“ The communication in this tier is between sensor nodes and a controller node. Sensors monitor and collect the patient’s data, which are then transmitted via a public channel to the controller node/local server/mobile device.
  • The second tier is “Inter-BAN“. The communication in this tier is between a controller node/mobile device and a remote medical server. The controller node gathers data from sensor nodes and then sends them to the medical server via a public channel. The medical server stores the data in the database for later analysis.
  • The third tier is “Beyond-BAN“. The communication in this tier is between a medical server and a medical service provider (i.e., a doctor). The medical server can be over the cloud, and the doctor can access the server’s data.
Figure 1. Overview of the WBAN system model.
Figure 1. Overview of the WBAN system model.
Jsan 11 00044 g001

2.2. Requirements of Authentication Schemes in WBAN

The authentication schemes in the WBAN must satisfy the following requirements:
  • Emergency and periodic authentication protocols: The emergency authentication occurs when a sensor detects an emergency in the patient’s body, and it needs to initiate the authentication request for sending the emergency report securely. Periodic authentication occurs when the controller node requests to collect the patient’s data from a sensor node at a specific time, and the controller initiates the periodic authentication request to the sensor node for transmitting the data securely.
  • Replay attack: An attacker can obtain messages when transmissions occur via unsecured channels. However, the attacker is unable to perform a replay attack if the message contains a timestamp.
  • Session key disclosure attack: If an attacker tries to obtain the session key, the attacker cannot obtain secret values using messages sent via a public channel. Thus, the session key cannot be calculated by the attacker.
  • Impersonation attack: An attacker cannot produce an authentication message to impersonate the legitimate entity.
  • Controller node/mobile device stolen attack: If an attacker obtains a legitimate patient’s mobile device, the attacker is unable to extract any information stored on it and is unable to generate a legitimate message.
  • Off-line guessing attack: An attacker has the ability to guess either identity or a password, but not both at the same time.
  • Perfect forward/backward secrecy: Future keys will not be attacked, and previous keys will not be misused (future/past key secrecy).
  • Known session-specific temporary information attack: In case an attacker gets the secret values that are created randomly through the session, the session key cannot be calculated.
  • Anonymity and unlinkability: This refers to an attacker being unable to obtain the identity of a legitimate entity through message eavesdropping and being unable to trace a legitimate entity using messages sent during previous sessions.
  • Desynchronization attack: The solution should prevent the risk of a desynchronization attack that blocks communication between two parties and render them unable to proceed with authentication.
  • Secure password change: This refers to an attacker being unable to arbitrarily change the password of a legitimate mobile device because the identity and password of the legitimate entity are unknown to the attacker.
  • Performance: Authentication protocols must be cost-effective in terms of computation and communication.

2.3. Adversary Model

An adversary model’s capabilities are as follows:
  • The attacker has total control over all messages sent through unsecured channels. Thus, the attacker has the ability to eavesdrop, manipulate, insert, and remove messages [9].
  • An attacker can steal a patient’s mobile device/controller and access the data stored on it [10].
  • An attacker could guess either a patient’s identity (IDi) or password (PWi), but not both at the same time [2].
  • An attacker can perform desynchronization, man-in-the-middle (MITM) attacks, impersonation attacks, replay attacks, and other possible attacks over public channels [11].
  • An attacker is unable to compromise the trusted authority’s private key [12].

2.4. The Existing Authentication Schemes in WBAN

The authors of [13] suggested a WBAN authentication protocol for the intra-BAN tier. Their scheme provides a group key generated by a controller node to many sensor nodes. The authentication protocol ensures forward secrecy only in the case of adding or deleting at least one sensor node where the group key is changed. However, it does not ensure forward secrecy when the sensor nodes are constant.
The scheme in [14] presented a WBAN authentication protocol for the interaction among sensor nodes and a controller device. It creates a group key between the controller device and many sensor nodes. The scheme ensures perfect forward secrecy where a new group key is generated for each session even if the sensor nodes are unchanged. However, the scheme has high communication and computation costs do not support node anonymity/unlinkability and are vulnerable to desynchronization attacks, stolen mobile device attacks, and a replay attack [15].
The authors of [16,17] suggested a lightweight WBAN authentication protocol to transmit data on a public channel securely. It relies on XOR operation and hash function to achieve low computation and communication costs. However, it presents security weaknesses such as a stolen mobile device/controller node attack, where an attacker can obtain the sensitive data within the controller device if the attacker can steal it. This allows for establishing the session key between the attacker and the sensor node.
The scheme in [18] presented an authentication protocol for the intra-BAN tier. It prevents node impersonation, MITM, and session key disclosure attacks, and it ensures forward secrecy, node anonymity, and node unlinkability. However, it has high computation and communication costs and does not prevent the risk of a desynchronization attack. The scheme adopts elliptic curve cryptography (ECC) with a point multiplication operation on the sensors and controller side, along with a hash function and XOR operation. However, the point multiplication operation is considered complex for the first tier given the resource constraints of the sensor nodes.
The authors of [19] suggested a lightweight WBAN authentication scheme to transmit sensitive data on a public channel securely. It relies on XOR operation and hash function to enhance performance. In addition, it creates biometric keys by extracting features from physiological signals, such as ECG signals. However, it presents security weaknesses such as a stolen controller device attack. If an attacker steals the controller device, the attacker can extract the secret key of the controller node, the secret key of the sensor node, and the identity of the sensor node, which represents the secret information. Thus, the session key between the attacker and a sensor node may be established.
The authors of [20] suggested a WBAN authentication protocol for the intra-BAN tier. The scheme has suitable computation and communication costs for a WBAN. Moreover, it provides some security features, such as protection from replay attacks, session key disclosure attacks, impersonation attacks, and desynchronization attacks and it ensures perfect forward/backward secrecy and node anonymity/unlinkability. However, it is prone to a stolen mobile device/controller node attack. If an attacker steals the controller device, the attacker can obtain the secret key of the controller device and the sensor node’s identity and then compute the sensor node’s secret key.
Ding et al. [15] and Abiramy and Sudha [21] (pp. 287–296) proposed a WBAN authentication protocol for interaction between sensor nodes and a controller node. The controller node can create a session key and distribute it to the sensor nodes in a group, which means all sensor nodes in the same group can use the same session key with the controller node. In addition, the schemes ensure perfect forward secrecy.
The scheme in [22] worked on establishing mutual authentication for the intra-BAN tier. The scheme prevents node impersonation, man-in-the-middle, and desynchronization attacks and it ensures forward/backward secrecy, node anonymity, and node unlinkability.
The authors of [23] suggested an authentication protocol for the intra-BAN tier. The scheme ensures forward/backward secrecy, node anonymity, and node unlinkability.
The scheme in [24] proposed an authentication protocol for the intra-BAN tier. Their scheme achieves integrity, confidentiality, authentication, and access control over sensitive data.
In summary, we concluded that the existing schemes did not satisfy all the solution requirements in this study, where most schemes focus on proposing secure authentication protocols but still present performance limitations or vice versa. Moreover, all existing schemes do not consider two types of authentication protocols. The first one occurs when a sensor detects an emergency in the patient’s body and needs to initiate an authentication to send the emergency medical report as soon as the emergency is detected. In contrast, the second one occurs when the controller node needs to initiate an authentication to collect the patient’s data from sensor nodes at specific times. Furthermore, most schemes were designed with the assumption that a patient’s mobile device/controller is trusted, but in reality, an attacker can steal the patient’s mobile device and extract the sensitive information stored on it. As a result, they did not protect against the risk of a stolen mobile device/controller attack. Based on analyzing the previous WBAN authentication protocols, it was found that working on improving the existing schemes may lead to secure and efficient authentication protocols in a WBAN.

3. Problem Statement and Proposed Scheme

The public wireless network environment of a WBAN provides a significant security concern in terms of ensuring that only permitted entities have access to patients’ sensitive health data. Unauthorized access may result in interception, interruption, or modification of sensitive data that may threaten a patient’s life [25]. Several authentication schemes have been presented to achieve secure authentication and establish a session key, where the session key is utilized to encrypt the sensitive data transmitted through the insecure channel. Nonetheless, there are still performance limitations and security problems, such as impersonation attacks, desynchronization attacks, and other possible attacks over unsecured channels [26]. Our study will answer the following question:
  • How can we achieve secure and efficient WBAN authentication protocols for the intra-BAN tier?
Therefore, we proposed WBAN authentication protocols for securing the communication between sensor nodes and a controller node. The sensor nodes (SN) work as data collectors for the patient body, and the controller node (CN) works as a local server for data collection from sensor nodes. The proposed scheme includes an initialization phase, registration phase, authentication protocol-I, authentication protocol-II, and changing password protocol. Table 1 presents the notations that are used in our proposed protocols.

3.1. Initialization Phase

During this phase, TA creates the system’s parameters as well as its private and public keys:
  • TA chooses an additive group G1 of prime order q and a generator P of the group G1.
  • TA selects a secure hash function h:{0,1} → Zq.
  • TA generates a secret random number STAZq* as its private key and calculates its public key PKTA = STA * P where STA * P denotes the scalar multiplication operation of the point P in G1.
  • TA publishes the system’s parameters (G1, PKTA, P, q, h) and keeps STA as a private key.

3.2. Registration Phase

As shown in Figure 2, the CN and SN register with TA as follows:
  • Pi chooses IDi and PWi and then creates a number aiZq*. Pi calculates HIDi = h (IDi || ai) and sends (HIDi) to TA securely. TA calculates SIDi = (HIDi * STA) * PKTA and then stores HIDi in secure memory.
  • TA assigns a unique IDSN for each SN and then creates a number uSNZq*. TA calculates SSN = h(IDSN || SIDi), VSN = uSNh(SIDi), WSN = IDSNh(uSN), and RESN = IDSNh(SIDi). TA sends (IDSN, SSN, VSN) to the SN securely to store them in the SN’s memory.
  • TA sends (SIDi, VSN, WSN, RESN) to the CN securely. The CN generates a random number bi Zq* and then calculates HPWi = h(IDi PWi || ai), APi = h(IDi || PWi) ⊕ ai, BPi = HPWibi, CPi = SIDibi * P, and DPi = h(ai || bi || HPWi || SIDi). The CN stores (APi, BPi, CPi, DPi, VSN, WSN, RESN) in its memory.
Figure 2. Registration phase.
Figure 2. Registration phase.
Jsan 11 00044 g002

3.3. Authentication Protocol-I

This authentication protocol is for emergency medical reports. When a sensor detects an emergency in the patient’s body, the sensor node initiates the emergency authentication request to the controller node for sending the report securely. Figure 3 shows the authentication protocol between the SN and CN and contains the following steps:
  • SN creates a secret number xSNZq* and a current timestamp T1. The SN computes XSN = h(SSN) ⊕ xSN and LSN1 = h(IDSN || xSN || SSN || VSN || T1). Afterwards, the SN transmits the message (VSN, LSN1, XSN, T1) to the CN via an unsecured channel.
  • When (VSN, LSN1, XSN, T1) is received, Pi enters IDi and PWi to the CN. Then, the CN computes ai = APih(IDi || PWi), HPWi = h(IDi || PWi || ai), bi = HPWiBPi, and SIDi = CPibi * P. Next, the CN checks to see if DPih(ai || bi || HPWi || SIDi). If so, Pi is logged into the CN successfully.
  • The CN checks the validity of the timestamp, i.e., if |T1T1*| < ΔT, where T1* denotes the time of message receipt and ΔT denotes the longest possible transmission delay, then the CN retrieves WSN of VSN from its memory and then computes uSN = VSNh(SIDi), IDSN = WSNh(uSN), SSN = h(IDSN || SIDi), xSN = h(SSN) ⊕ XSN, and LSN1* = h(IDSN || xSN || SSN || VSN || T1). The CN checks whether LSN1* ≟ LSN1. If so, then the SN is authenticated. Next, the CN creates a secret random number uSN+Zq* and the current timestamp T2. Afterwards, the CN computes VSN+ = uSN+h(SIDi), WSN+ = IDSNh(uSN+), Ui = h(SSN) ⊕ uSN+, SK-I = h(IDSN || SSN || xSN || uSN+ || VSN), and C = VSN+uSN+. The CN replaces (VSN, WSN) with (VSN, WSN, VSN+, WSN+) and then computes Li1 = h(SSN || SK-I || IDSN || VSN+ || T2). The CN transmits the message (Ui, Li1, C, T2) to the SN through an unsecured channel.
  • When the SN received (Ui, Li1, C, T2), the SN checks the validity of the timestamps. If |T2T2*| < ΔT, where T2* denotes the time of message receipt, then the SN computes uSN+ = Uih(SSN), SK-I = h(IDSN || SSN || xSN || uSN+ || VSN), and VSN+ = CuSN+. The SN checks to see if Li1h(SSN || SK-I || IDSN || VSN+ || T2). If so, it replaces (VSN) with (VSN+) in its memory, and the session key is established between the SN and CN.
Figure 3. Authentication protocol-I.
Figure 3. Authentication protocol-I.
Jsan 11 00044 g003

3.4. Authentication Protocol-II

This authentication protocol is for periodic medical reports. When the controller node requests to collect the patient’s data from a sensor node at a specific time, the controller initiates the periodic authentication request to the sensor node for transmitting the data securely, as shown in Figure 4, and contains the following steps:
  • Pi inputs IDi and PWi to the CN. Then, the CN computes ai = APih(IDi || PWi), HPWi = h(IDi || PWi || ai), bi = HPWiBPi, and SIDi = CPibi * P. Next, the CN checks to see if DPih(ai || bi || HPWi || SIDi). If so, Pi is logged into the CN successfully.
  • The CN retrieves IDSN from its secure memory, where IDSN = RESNh(SIDi), and computes SSN = h(IDSN || SIDi). The CN creates a secret number riZq* and current timestamp T1 and then computes Ri = h(SSN) ⊕ ri, SK-II = h(IDSN || SSN || ri), and Li2 = h(SSN || SK-II || IDSN || T1). Afterwards, the CN transmits the message (Ri, Li2, T1) to the SN via a public channel.
  • When (Ri, Li2, T1) is received from the CN, the SN checks the validity of the timestamps. If |T1T1*| < ΔT, where T1* denotes the time of message receipt, then the SN computes ri = h(SSN) ⊕ Ri and SK-II = h(IDSN || SSN || ri). The SN checks to see if Li2h(SSN || SK-II || IDSN || T1). If so, the session key is established between the CN and SN.
Figure 4. Authentication protocol-II.
Figure 4. Authentication protocol-II.
Jsan 11 00044 g004

3.5. Password Change Protocol

This protocol provides a secure changing of the password when Pi wants to change the old password of the CN, as shown in Figure 5, and contains the following steps:
  • Pi inputs IDi and PWi in the CN.
  • The CN computes ai = APih(IDi || PWi), HPWi = h(IDi || PWi || ai), bi = HPWiBPi, and SIDi = CPibi * P. Next, the CN checks to see if DPih(ai || bi || HPWi || SIDi). If so, the CN asks Pi for a new password.
  • Pi inputs a new password PWi+.
  • The CN calculates HPWi+ = h(IDi || PWi+ || ai), APi+ = h(IDi || PWi+) ⊕ ai, BPi+ = HPWi+bi, CPi = SIDibi * P, and DPi+ = h(ai || bi || HPWi+ || SIDi). Finally, the CN replaces (APi, BPi, CPi, DPi, VSN, WSN, RESN) with (APi+, BPi+, CPi, DPi+, VSN, WSN, RESN) in the CN.
Figure 5. Change password protocol.
Figure 5. Change password protocol.
Jsan 11 00044 g005

4. Security Analysis

Both informal and formal security analyses were conducted to show that our authentication protocols satisfy security requirements.

4.1. Informal Security Analysis

This section discusses the proposed protocols in connection to the aforementioned solution requirements in Section 2.2.

4.1.1. Emergency and Periodic Authentication Protocols

  • There are two proposed authentication protocols: the first protocol is for emergency reports, and the second protocol is for periodic reports. According to protocol-I, when a sensor detects an emergency in the patient’s body, the sensor node initiates the emergency authentication request by sending the message M1 = (VSN, LSN1, XSN, T1) to the CN. An attacker cannot generate a legal LSN1 because it is computed using the secret key SSN. Thus, the CN authenticates the SN by checking LSN1h(IDSN || xSN || SSN || VSN || T1). Then, the CN responds to the authentication by sending the message M2 = (Ui, Li1, C, T2) to the SN. An attacker is unable to generate a valid Li1, so the SN authenticates the CN by checking Li1h(SSN || SK-I || IDSN || VSN+ || T2). Therefore, the SN and CN can authenticate each other.
  • The authentication protocol-Ⅱ occurs when the controller node requests to collect the patient’s data from a sensor node at a specific time. Thus, there is no need to initiate the authentication by the SN, reducing costs and enhancing performance. In this case, the CN requests authentication periodically from the SN, whose identity IDSN is stored in the CN. The CN initiates the authentication by sending the message M1 = (Ri, Li2, T1) to the SN. An attacker cannot generate a legal Li2 because it is computed using the secret key SSN. Thus, the SN authenticates the CN by checking Li2h(SSN || SK-II || IDSN || T1). Therefore, the CN and SN can authenticate each other.

4.1.2. Replay and MITM Attacks

We presupposed in the model of the adversary that an attacker could obtain messages when transmissions occurred via unsecured channels. However, the attacker is unable to perform replay and MITM attacks on our protocols because each message sent through a public channel contains a timestamp. For protocol-I, timestamp 1 is created by the SN and contained in the hash value LSN1 = h(IDSN || xSN || SSN || VSN || T1). Timestamp 2 is generated by the CN and contained in the hash value Li1 = h(SSN || SK-I || IDSN || VSN+ || T2). An attacker is unable to forge the values IDSN, xSN, and SSN for LSN1 and SSN, IDSN, and VSN+ for Li1.
For protocol-Ⅱ, timestamp 1 is generated by the CN and included in the hash value Li2 = h(SSN || SK-II || IDSN || T1). An attacker cannot tamper with the values SSN and IDSN for Li2. Therefore, the proposed protocols are resistant to such attacks.

4.1.3. Session Key Disclosure Attack

This security requirement is intended to ensure that if an attacker attempts to obtain the session key, the attacker cannot obtain secret values using messages sent via a public channel. For protocol-I, if an attacker wants to obtain the session key SK-I, the attacker must first obtain IDSN, SSN, xSN, and uSN+. However, the attacker cannot obtain these values through messages sent over a public channel to compute SK-I.
For protocol-Ⅱ, if an attacker tries to obtain the session key SK-II, the attacker must first obtain IDSN, SSN, and ri. However, the attacker cannot obtain these values through the message sent via a public channel. Thus, the attacker cannot obtain the session keys.

4.1.4. Impersonation Attack

This security requirement aims to ensure that an attacker cannot produce an authentication message to impersonate a legitimate entity. For protocol-I, an attacker must generate an authentication message (VSN, LSN1, XSN, T1) to impersonate the genuine SN. However, the attacker is unable to calculate a legal LSN1 because it is computed using the secret key SSN = h(IDSN || SIDi), and the attacker cannot compute a legal SSN because it is computed using the secret identity SIDi = (HIDi * STA) * PKTA, where we assumed in the adversary model that an attacker cannot compromise the TA’s private key. Thus, the CN checks LSN1h(IDSN || xSN || SSN || VSN || T1). If they do not match, then the attacker is locked out by the CN. Moreover, the attacker must generate an authentication message (Ui, Li1, C, T2) to impersonate the genuine CN. However, the attacker is unable to calculate a legal Li1. Thus, the SN checks Li1h(SSN || SK-I || IDSN || VSN+ || T2). If they do not match, then the attacker is locked out by the SN.
For protocol-Ⅱ, an attacker must generate an authentication message (Ri, Li2, T1) to impersonate the legitimate CN. However, the attacker cannot calculate a legal Li2 because it is calculated using the secret key SSN, and the secret key is computed using the secret identity SIDi. Thus, the SN checks Li2h(SSN || SK-II || IDSN || T1). If they do not match, then the attacker is locked out by the SN. Therefore, our protocols are resistant to such attacks.

4.1.5. Mobile Device Stolen Attack

We assumed in the model of adversary that the mobile device/controller of the genuine Pi can be stolen by an attacker. However, for protocol-I, when the attacker receives an authentication message from the SN, the session key cannot be established between the SN and the attacker because the attacker cannot extract Pi’s IDi and PWi and cannot compute SIDi.
For protocol-II, the attacker cannot create a valid authentication message because the attacker cannot extract Pi’s IDi and PWi and cannot compute SIDi. As a result, the proposed protocols are resistant to such attacks.

4.1.6. Off-Line Guessing Attack

We presupposed in the model of the adversary that an attacker could guess either Pi’s IDi or PWi but not both at the same time. For protocol-I and protocol-II, the attacker cannot compute ai = APih(IDi || PWi) without correctly guessing both IDi and PWi at the same time. Thus, the attacker cannot compute HPWi, bi, and SIDi. Therefore, the proposed protocols are resistant to such attacks.

4.1.7. Perfect Forward/Backward Secrecy

This security service aims to guarantee that if an attacker obtains any session key, this should not impact the secrecy of future/past session keys. For authentication protocol-I, the session key cannot be calculated by the attacker SK-I = h(IDSN || SSN || xSN || uSN+ || VSN) because the attacker cannot obtain xSN and uSN+, which are secret random numbers.
For authentication protocol-II, the session key cannot be calculated by the attacker SK-II = h(IDSN || SSN || ri) because it is a dynamic that involves a secret random number ri. Thus, our protocols guarantee forward/backward secrecy, as a new session key is created for each session.

4.1.8. Known Session-Specific Temporary Information Attack

This security requirement aims to ensure that if an attacker gets the secret values that are created randomly through the session, the session key cannot be calculated. For protocol-I, if an attacker obtains the secret values xSN and uSN+, which are created randomly during the session between the SN and CN, the attacker still cannot compute SSN = h(IDSN || SIDi) without obtaining SIDi = (HIDi * STA) * PKTA. Thus, the session key cannot be calculated by the attacker SK-I = h(IDSN || SSN || xSN || uSN+ || VSN).
For protocol-Ⅱ, if an attacker obtains the random number ri generated during the session between the CN and SN, the attacker still cannot compute SSN without obtaining SIDi. Thus, the session key cannot be calculated by the attacker SK-II = h(IDSN || SSN || ri). Therefore, the proposed protocols are resistant to such attacks.

4.1.9. Node Anonymity and Untraceability

For protocol-I, the messages transmitted in the authentication, i.e., M1 = (VSN, LSN1, XSN, T1) and M2 = (Ui, Li1, C, T2), are updated during each session because the authentication depends on secret random numbers xSN and uSN+. Likewise, for protocol-Ⅱ, the messages transmitted by the CN, i.e., M3 = (Ri, Li2, T1), depend on a secret random number ri, making the messages transmitted during the session independently. Thus, the attacker cannot obtain IDi and IDSN through eavesdropping on these messages and the attacker is unable to track a node using the messages sent during previous sessions. As a result, our protocols preserve these security features.

4.1.10. Desynchronization Attack

A desynchronization attack blocks communication between parties at a particular stage during the authentication, rendering both parties unable to update some data synchronously and proceed with authentication. The proposed authentication protocol-I prevents desynchronization attacks by updating the data (VSN, WSN) stored by the CN and (VSN) stored by the SN during the authentication. If the attacker blocks the communication from the SN to CN, the SN needs to restart a new authentication round. If the attacker blocks the communication from the CN to SN, there are data stored in the CN (VSN, WSN, VSN+, WSN+) indicated as the nonupdated and updated data. When the SN sends a new authentication request to the CN using the nonupdated data (VSN), the CN can still use the nonupdated data (VSN, WSN).
In other words, the CN and SN, respectively, can verify that the received message is synchronized by checking the equality of LSN1* ≟ h(IDSN || xSN || SSN || VSN || T1) and Li1h(SSN || SK-I || IDSN || VSN+ || T2) [27].
For protocol-II, if the attacker blocks the communication from the CN to SN, the CN only needs to restart a new authentication round [28,29]. Therefore, our protocols prevent the risk of a desynchronization attack.

4.1.11. Secure Password Change

Our protocols provide a secure password change when a Pi wants to change the old password. First, the Pi must input the current IDi and PWi in the CN to ensure that the user is the legitimate owner of the CN, where the CN checks whether DPih(ai || bi || HPWi || SIDi). If so, the CN requests a new password from the Pi and then computes HPWi+, APi+, BPi+, and DPi+. After that, the CN replaces (APi, BPi, CPi, DPi, VSN, WSN, RESN) with (APi+, BPi+, CPi, DPi+, VSN, WSN, RESN) in the CN for future purposes. Thus, an attacker cannot arbitrarily change the password because the attacker does not know IDi and PWi. Therefore, our protocols provide a secure password change.
In summary, Table 2 shows the security features’ comparison of our authentication protocols with related protocols [13,14,16,17,18,19,20]. As shown in Table 2, our protocols met all security requirements.

4.2. BAN Logic Proof

We implemented BAN logic to evaluate our proposed authentication protocols and ensure they attain mutual authentication [30].

4.2.1. Basic Notation

We used the following fundamental notation in both authentication protocol-I and protocol-II:
  • P, Q: two principals.
  • X1, X2: two statements.
  • SK: the session key.
  • P|≡ X1: P believes X1, if X1 is true.
  • P⊲ X1: P sees X1, i.e., P receives X1 contained within a message, but P does not necessarily believe X1.
  • P|∼X1: P once says X1, i.e., P transmits a message including X1. It is unclear if P sent the message lately or a long time ago, but P believes X1 when P sent it.
  • P|⇒ X1: P controls X1, and P should trust X1.
  • #(X1): X1 is fresh, i.e., X1 has never been sent before.
  • (X1) K: X1 is combined with K.
  • P K Q: P and Q have the same key K.
  • P Q : if P is true, then Q is also true.

4.2.2. Inference Rules

Rule 1 (Message meaning rule)
M M R = P   |     P   K   Q ,   P   ( X 1 ) K P   |     Q   |     X 1
Rule 2 (Nonce verification rule)
N V R = P   | # ( X 1 ) , P   | Q   | X 1   P   | Q   | X 1
Rule 3 (Jurisdiction rule)
J R = P   | Q | X 1 , P   | Q   | X 1   P   | X 1
Rule 4 (Belief rule)
B R = P   | ( X 1 , X 2 )   P   | X 1
Rule 5 (Freshness rule)
F R = P   | # ( X 1 ) P   | # ( X 1 , X 2 )
Rule 6 (Session key rule)
S K R = P   | # ( X 1 ) , P   | Q   | X 1 P   |     P   K   Q

4.2.3. Protocol-I Goals

  • G1: SN | ≡ (SN S K I CN)
  • G2: SN | ≡ CN | ≡ (SN S K I CN)
  • G3: CN | ≡ (SN S K I CN)
  • G4: CN | ≡ SN | ≡ (SN S K I CN)

4.2.4. Protocol-I Assumptions

  • A1: CN | ≡ #(T1)
  • A2: SN | ≡ #(T2)
  • A3: SN | ≡ CN ⇒ (SN S K I CN)
  • A4: CN | ≡ SN ⇒ (SN S K I CN)
  • A5: SN | ≡ SN S S N CN
  • A6: CN| ≡ SN S S N CN

4.2.5. Protocol Idealized Forms

  • Msg1: S N CN : ( V S N , x S N ,   I D S N ,   T 1 ) S S N
  • Msg2: C N S N : ( V S N + , u S N + , I D S N , T 2 ) S S N

4.2.6. Protocol-I Formal Analysis

We implemented the BAN logic analysis of the proposed authentication protocol-I as below:
Step 1: D1 is obtained from Msg1.
D 1 : C N ( V S N , x S N ,   I D S N ,   T 1 ) S S N
Step 2: C N verifies the transmitted message is from S N . Applying MMR with D1 and A6 yields D2.
C N   |     S N   S S N C N ,   C N ( V S N , x S N ,   I D S N ,   T 1 ) S S N C N |     S N   |     ( V S N , x S N ,   I D S N ,   T 1 )
D 2 : C N |     S N   |     ( V S N , x S N ,   I D S N ,   T 1 )
Step 3: C N checks whether the S N request is fresh. Applying FR with A1 and D2 yields D3.
C N   |     # ( T 1 )   C N   |     # ( V S N , x S N ,   I D S N ,   T 1 )  
D 3 :   C N   |     # ( V S N , x S N ,   I D S N ,   T 1 )
Step 4: C N checks whether the S N request is valid. Applying NVR with D2 and D3 yields D4.
C N   |     # ( V S N , x S N ,   I D S N ,   T 1 ) , C N |     S N   |     ( V S N , x S N ,   I D S N ,   T 1 )   C N   | S N   | ( V S N , x S N ,   I D S N ,   T 1 )
D 4 :   C N   | S N   | ( V S N , x S N ,   I D S N ,   T 1 )
Step 5: The CN now trusts the SN and all its transmitted parameters. D5 is obtained by applying BR using D4.
C N   | S N   | ( V S N , x S N ,   I D S N ,   T 1 ) C N   | S N   | ( V S N , x S N ,   I D S N )
D 5 :   C N   | S N   | ( V S N , x S N ,   I D S N )
Step 6: D6 is obtained by applying SKR using D3 and D5 to accomplish G4.
C N   |     # ( V S N , x S N ,   I D S N ,   T 1 ) , C N   | S N   | ( V S N , x S N ,   I D S N ) C N   |     S N   |     ( S N   S K I   C N )
D 6 :   C N   |     S N   |     ( S N   S K I   C N )
Step 7: C N has full control over the transmitted SN parameters. D7 is obtained by applying JR using A4 and D6 to accomplish G3
  C N | S N ( S N S K I C N ) , C N   |     S N   |     ( S N S K I C N )   C N   |     ( S N S K I C N )
D 7 :   C N   |     ( S N S K I C N )
Step 8: D8 is obtained from Msg2
D 8 :   S N ( V S N + , u S N + , I D S N , T 2 ) S S N
Step 9: S N verifies the transmitted message is from C N . Applying MMR with D8 and A5 yields D9.
S N   |     S N S S N C N   ,   S N ( V S N + , u S N + , I D S N , T 2 ) S S N S N   |     C N   |     ( V S N + , u S N + , I D S N , T 2 )
D 9 : S N   |     C N   |     ( V S N + , u S N + , I D S N , T 2 )
Step 10: S N checks whether C N request is fresh. Applying FR with A2 and D9 yields D10.
S N   | # ( T 2 ) S N   | # ( V S N + , u S N + , I D S N , T 2 )
D 10 :   S N   | # ( V S N + , u S N + , I D S N , T 2 )
Step 11: S N checks whether C N request is valid. Applying NVR with D9 and D10 yields D11.
S N   | # ( V S N + , u S N + , I D S N , T 2 ) ,   S N   |     C N   |     ( V S N + , u S N + , I D S N , T 2 ) S N   |     C N   |   ( V S N + , u S N + , I D S N , T 2 )
D 11 :   S N   |     C N   |   ( V S N + , u S N + , I D S N , T 2 )  
Step 12: S N now trusts C N and all its transmitted parameters. Applying BR with D11 yields D12.
S N   |     C N   |   ( V S N + , u S N + , I D S N , T 2 ) S N   |     C N   |   ( V S N + , u S N + , I D S N )
D 12 :   S N   |     C N   |   ( V S N + , u S N + , I D S N )
Step 13: D13 is obtained by applying SKR using D10 and D12 to accomplish G2.
S N   | # ( V S N + , u S N + , I D S N , T 2 ) ,   S N   |     C N   |   ( V S N + , u S N + , I D S N ) S N   |     C N |     ( S N S K I C N )
D 13 :   S N   |     C N |     ( S N S K I C N )
Step 14: S N has the new session key’s parameters from transmitted C N parameters. D14 is obtained by applying JR to A3 and D13 to accomplish G1.
S N   | C N ( S N S K I C N ) , S N   |     C N |     ( S N S K I C N )   S N   |     ( S N S K I C N )
D 14 :   S N   |     ( S N S K I C N )
In summary of protocol-I, the S N and CN attained mutual authentication. Furthermore, the session key SK-I was established in a secure manner based on G1, G2, G3, and G4. In the following, we analyze the authentication protocol-II.

4.2.7. Protocol-II Goals

  • G1: S N | ≡ ( C N   S K I I   S N )
  • G2: S N | ≡ C N | ≡ ( C N   S K I I   S N )
  • G3: C N | ≡ ( C N   S K I I   S N )
  • G4: C N | ≡ S N | ≡ ( C N   S K I I   S N )

4.2.8. Protocol-II Assumptions

  • A1: S N | ≡ #(T1)
  • A2: S N | ≡ C N ⇒ ( C N   S K I I   S N )
  • A3: C N | ≡ S N ⇒ ( C N   S K I I   S N )
  • A4: S N | ≡ C N   S S N   S N
  • A5: C N | ≡ S N | ≡ ( I D S N   )

4.2.9. Protocol-II Idealized Forms

  • Msg1: T A C N : ( I D S N )
  • Msg2: C N S N : ( r i , I D S N , T 1 ) S S N

4.2.10. Protocol-II Formal Analysis

We implemented the BAN logic to analyze our proposed authentication protocol-Ⅱ, as below:
Step 1: D1 is obtained from Msg1.
D 1 : C N ( I D S N )
Step 2: C N trusts the transmitted parameters from TA and trusts the S N is legitimate. D2 is obtained from A5, SSN = h (IDSN || SIDi), ri = h (SSN)Ri, and the session key SK-II = h (IDSN || SSN || ri) to accomplish G4.
D 2 : C N |     S N |     ( C N   S K I I   S N )
Step 3: D3 is obtained by applying JR using A3 and D2 to accomplish G3.
C N | S N ( C N   S K I I   S N ) , C N |     S N |     ( C N   S K I I   S N )   C N |     ( C N   S K I I   S N )
D 3 :   C N |     ( C N   S K I I   S N )
Step 4: D4 is obtained from Msg2
D 4 :   S N ( r i , I D S N , T 1 ) S S N
Step 5: S N verifies the transmitted message is from C N . Applying MMR with D4 and A4 yields D5.
S N   |     C N   S S N   S N ,   S N ( r i , I D S N , T 1 ) S S N S N   |     C N |     ( r i , I D S N , T 1 )
D 5 :   S N   |     C N |     ( r i , I D S N , T 1 )
Step 6: S N checks whether the C N request is fresh. Applying FR with A1 and D5 yields D6.
S N   | # ( T 1 ) S N   | # ( r i , I D S N , T 1 )
D 6 :   S N   | # ( r i , I D S N , T 1 )
Step 7: S N checks whether the C N request is valid. Applying NVR with D5 and D6 yields D7.
S N   | # ( r i , I D S N , T 1 ) , S N   |     C N |     ( r i , I D S N , T 1 ) S N   |     C N |   ( r i , I D S N , T 1 )
D 7 :   S N   |     C N |   ( r i , I D S N , T 1 )
Step 8: S N now trusts C N and all its transmitted parameters. Applying BR with D7 yields D8.
S N   |     C N |   ( r i , I D S N , T 1 ) S N   |     C N |   ( r i , I D S N )
D 8 :   S N   |     C N |   ( r i , I D S N )
Step 9: D9 is obtained by applying SKR, using D6 and D8 to accomplish G2.
S N   | # ( r i , I D S N , T 1 ) ,   S N   |     C N |   ( r i , I D S N ) S N   |     C N |     ( C N   S K I I   S N )
D 9 :   S N   |     C N |     ( C N   S K I I   S N )
Step 10: S N has the new session key’s parameters from transmitted C N parameters. D10 is obtained by applying JR, using A2 and D9 to accomplish G1.
S N   | C N ( C N   S K I I   S N ) , S N   |     C N |     ( C N   S K I I   S N )   S N   |     ( C N   S K I I   S N )
D 10 :   S N   |     ( C N   S K I I   S N )
In summary of protocol-Ⅱ, the C N and SN attained mutual authentication. Furthermore, the session key SK-II was established in a secure manner based on G1, G2, G3, and G4.

4.3. AVISPA Simulation Tool

We used the Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation tool and the Security Protocol ANimator for AVISPA (SPAN) to analyze the security of the proposed authentication protocols. We showed that the simulator executed our authentication protocols entirely, proving the validity of the authentication and privacy reports generated by AVISPA’s security checker module. First, we wrote the protocol-I and protocol-II codes in High-Level Protocol Specification Language (HLPSL). After that, we ran the SPAN animator to confirm that protocol-I and protocol-II were entirely executable. Finally, we ran the On-the-Fly Model Checker (OFMC) and the Constraint Logic-Based Attack Searcher (CL-AtSe) to determine whether our protocols’ security goals were SAFE or UNSAFE. If the results of the OFMC and CL-AtSe models were SAFE, it meant that the protocols were secure.
Figure 6 and Figure 7 show the HLPSL code for authentication protocol-I. Figure 8 and Figure 9 show the HLPSL code for protocol-II. We had three agents’ roles, a session role, and an environment role. The role controller was played by agent CN, the role sensor was played by agent SN, and the role trustedauthority was played by agent TA. The role controller header contained SN, CN, and TA as agents, hash function, SKcnta as the symmetric key used to create a secure channel, and SND/RCV channels of type Dolev–Yao (dy). The role sensor header contained SN, CN, and TA as agents, hash function, SKsnta as the symmetric key to generate a secure channel, and SND/RCV channels. The role trustedauthority header contained SN, CN, and TA as agents, hash function, SKsnta/SKcnta as the symmetric keys, and SND/RCV channels. The SN was not permitted to know SKcnta, and the CN did not know SKsnta.
Figure 6. HLPSL code for protocol-I.
Figure 6. HLPSL code for protocol-I.
Jsan 11 00044 g006
Figure 7. HLPSL code for protocol-I.
Figure 7. HLPSL code for protocol-I.
Jsan 11 00044 g007
Figure 8. HLPSL code for protocol-II.
Figure 8. HLPSL code for protocol-II.
Jsan 11 00044 g008
Figure 9. HLPSL code for protocol-II.
Figure 9. HLPSL code for protocol-II.
Jsan 11 00044 g009
Moreover, HLPSL should specify the session and environment roles. The role session defines the interactions between the three agents’ roles, which describes a protocol session. The role environment includes the intruder knowledge, specifies the goal, and expresses a composition of one or more sessions. The parameters (sp1, sp2, sp3, sp4, sp5, sn_cn_xsn, sn_cn_t1, cn_sn_usn, cn_sn_t2) of protocol-I and parameters (sp1, sp2, sp3, sp4, sp5, sn_cn_idsn, cn_sn_ri, cn_sn_t1) of protocol-II are declared as protocol_id and are used as privacy and authentication checkers. In the goal section, the goal secrecy_of sp1, sp2, sp3, sp4, sp5 indicates that the values of specific variables are kept secret to the specific agents. The goals authentication_on sn_cn_xsn and authentication_on sn_cn_idsn express that the CN authenticates the SN after receiving messages containing these values. The goal authentication_on sn_cn_t1 means that the SN selects a timestamp t1 and the CN authenticates the SN after receiving a message from the SN containing t1. The goals authentication_on cn_sn_usn and authentication_on cn_sn_ri mean that the CN generates random values and the SN checks that CN is the emitter of these values and authenticates CN after receiving messages from CN containing these values. The goals authentication_on cn_sn_t1 and authentication_on cn_sn_t2 indicate that the CN selects timestamps and the SN authenticates the CN after receiving the timestamps from the messages of the CN.
We used the SPAN animator to demonstrate the correct execution of our proposed protocols. Figure 10 and Figure 11 show snapshots of the SPAN animator of protocol-I and protocol-II, respectively. As shown in Figure 10 and Figure 11, all messages were executed and exchanged by the simulator. No message was left unexecuted.
The simulation results of our protocols using AVISPA with OFMC and CL-AtSe are shown in Figure 12. The summary reports demonstrate that the proposed protocol-I and protocol-II were SAFE and met all the security goals stated in the role environment.
Figure 10. SPAN animator of protocol-I.
Figure 10. SPAN animator of protocol-I.
Jsan 11 00044 g010
Figure 11. SPAN animator of protocol-II.
Figure 11. SPAN animator of protocol-II.
Jsan 11 00044 g011
Figure 12. AVISPA with OFMC and CL-AtSe summary reports: (a) protocol-I OFMC report; (b) protocol-I CL-AtSe report; (c) protocol-II OFMC report; (d) protocol-II CL-AtSe report.
Figure 12. AVISPA with OFMC and CL-AtSe summary reports: (a) protocol-I OFMC report; (b) protocol-I CL-AtSe report; (c) protocol-II OFMC report; (d) protocol-II CL-AtSe report.
Jsan 11 00044 g012aJsan 11 00044 g012b

5. Performance Analysis

In this section, we compare the computation and communication costs of our proposed authentication protocols with those of related protocols [13,14,16,17,18,19,20].

5.1. Computation Costs

To calculate the computation costs, we considered the time complexity of each operation based on the experiments conducted in [2] and [31], where the time needed for scalar multiplication (Tmul) was 2.226 ms, the time needed for random number generation (Trng) was 0.539 ms, the time needed for symmetric encryption and decryption (Ted) was 0.0046 ms, the time needed for point addition (Tadd) was 0.0288 ms, and the time needed for the one-way hash function (Th) was 0.0023 ms.
The computation cost for Shen et al.’s scheme in [13] amounted to 6 Tmul + 2 Ted + 2 Tadd + 1, Th ≈ 13.4251 ms. The computation cost of Liu et al. [14] was 4 Tmul + 2 Ted + 2 Th ≈ 8.9178 ms. The computation cost of Ur Rehman et al.’s scheme in [16] was 3 Trng + 6 Th ≈1.6308 ms. Chen et al.’s scheme in [17] had a cost of 3 Trng+ 7 Th ≈1.6331 ms. Wan et al.’s scheme in [18] required 2 Trng+ 11 Th + 6 Tmul ≈ 14.4593 ms. Moreover, the computation cost of Rehman et al.’s scheme in [19] was 1 Trng+ 5 Th ≈ 0.5505 ms. The computation cost for Li et al [20] was 2 Trng+ 8 Th ≈ 1.0964 ms. Our authentication protocol-I required 1 Tmul + 2 Trng + 11, Th ≈ 3.3293 ms. The cost of our authentication protocol-II was 1 Tmul + 1 Trng + 8 Th ≈ 2.7834 ms.
As shown in Table 3, the proposed authentication protocols had a better computation cost compared to the computation costs in [13,14,18] and had a higher computation cost than the computation costs in [16,17,19,20]. However, the existing schemes presented security concerns, where they did not satisfy all security requirements in this study. Thus, our proposed authentication protocols achieved better security than other schemes and had acceptable computation costs. Therefore, the proposed authentication protocols were suitable for the WBAN.

5.2. Communication Costs

To calculate the communication costs, we considered the bit sizes and communication overhead. Bit sizes were calculated based on the schemes in [31] and [32], where the one-way hash function had 160 bits, the group element G1 had 1024 bits, the identity had 128 bits, and the timestamp required 32 bits.
In Shen et al.’s [13] scheme, the first authentication message (Qi) required 1024 bits, the second authentication message (MACPDA, QPDA) needed 1184 bits, and the third message (M) needed 1024 bits. Therefore, the total cost was 3232 bits. In Liu et al. [14], the first message (MACC) needed 160 bits, the second message (MACi+) required 160 bits, and the third message (M) needed 1024 bits. Thus, the total cost was 1344 bits. In Ur Rehman et al. [16], the first message (tidN, aN, bN, tN) needed 192 bits and the second message (β, µ, η) required 160 bits. Thus, the total cost was 352 bits. In Chen et al. [17], the first message (tidN,yN,aN,bN,tN) needed 352 bits and the second message (α, β, η, µ) required 480 bits. Thus, the total cost was 832 bits. In Wan et al. [18], the first message (D1, GSN, ZSN, W1, T1) needed 1536 bits, the second message (M1, W2, T2) needed 1216 bits, and the third message (W3, T3) needed 192 bits. Thus, the total cost was 2944 bits. In Rehman et al. [19], the first message (tidN,aN,bN,tN) needed 192 bits, whereas the second message (β, µ, η) required 160 bits. Therefore, the total cost was 352 bits. In Li et al. [20], the first message (tidSN, HSN, x) needed 448 bits and the second message (tidSN, z, HCN) required 448 bits. Thus, the total cost was 896 bits. In our proposed authentication protocol-I, the first message (VSN, LSN1, XSN, T1) needed 512 bits and the second message (Ui, Li1, C, T2) needed 352 bits. Therefore, the total cost was 864 bits. In our proposed authentication protocol-II, the message (Ri, Li2, T1) needed 352 bits.
The result of the communication cost comparison is shown in Table 4. In terms of communication costs in bits, authentication protocol-I had a better communication cost than the communication costs in [13,14,18,20] and had a higher communication cost than the communication costs in [16,17,19]. However, protocol-I achieved better security than these other schemes. Thus, protocol-I had an acceptable communication cost. On the other hand, authentication protocol-II had a better communication cost than the communication costs in [13,14,17,18,20] and had the same communication cost as [16,19]. Regarding communication overhead, the schemes in [13,14,18] needed three messages, which added overhead to the communication channel. On the other hand, the authentication protocol-II required one message. Therefore, the proposed authentication protocols are suitable for the WBAN.

6. Conclusions

We proposed two secure and efficient WBAN authentication protocols between sensor nodes and a controller node: authentication protocol-I for emergency medical reports and authentication protocol-II for periodic medical reports. The proposed scheme included an initialization phase, registration phase, authentication protocol-I, authentication protocol-II, and password change protocol. We conducted an informal security analysis and found that our proposed authentication protocols enhanced the security of the existing schemes and satisfied all security requirements in this study. We also implemented the BAN logic and found that our proposed authentication protocols attained mutual authentication. We also utilized the AVISPA simulation tool and found that our proposed protocols were secure against active and passive attacks. Moreover, we conducted a performance analysis and found that the proposed authentication protocols had suitable computation and communication costs for a WBAN.

Author Contributions

Conceptualization, A.M.A. and H.A.A.; methodology, A.M.A. and H.A.A.; validation, A.M.A. and H.A.A.; writing—original draft preparation, H.A.A.; writing—review and editing, A.M.A.; supervision, A.M.A.; funding acquisition, A.M.A. All authors have read and agreed to the published version of the manuscript.

Funding

This work was funded by SAUDI ARAMCO Cybersecurity Chair at Imam Abdulrahman Bin Faisal University, Saudi Arabia.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Acknowledgments

The authors would like to express their appreciation to the Journal Editor, an Associate Editor, and the four anonymous reviewers for their insightful comments. We also would like to thank Imam Abdulrahman Bin Faisal University for facilitating access to the resources used in this paper.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Hsu, C.L.; Le, T.V.; Hsieh, M.C.; Tsai, K.Y.; Lu, C.F.; Lin, T.W. Three-Factor UCSSO Scheme with Fast Authentication and Privacy Protection for Telecare Medicine Information Systems. IEEE Access 2020, 8, 196553–196566. [Google Scholar] [CrossRef]
  2. Son, S.; Lee, J.; Kim, M.; Yu, S.; Das, A.K.; Park, Y. Design of Secure Authentication Protocol for Cloud-Assisted Telecare Medical Information System Using Blockchain. IEEE Access 2020, 8, 192177–192191. [Google Scholar] [CrossRef]
  3. Ryu, J.; Oh, J.; Kwon, D.; Son, S.; Lee, J.; Park, Y.; Park, Y. Secure ECC-Based Three-Factor Mutual Authentication Protocol for Telecare Medical Information System. IEEE Access 2022, 10, 11511–11526. [Google Scholar] [CrossRef]
  4. Poongodi, T.; Rathee, A.; Indrakumari, R.; Suresh, P. IoT Sensing Capabilities: Sensor Deployment and Node Discovery, Wearable Sensors, Wireless Body Area Network (WBAN), Data Acquisition. Intell. Syst. Ref. Libr. 2020, 174, 127–151. [Google Scholar] [CrossRef]
  5. Taleb, H.; Nasser, A.; Andrieux, G.; Charara, N.; Motta Cruz, E. Wireless Technologies, Medical Applications and Future Challenges in WBAN: A Survey. Wirel. Netw. 2021, 27, 5271–5295. [Google Scholar] [CrossRef]
  6. Deebak, B.D.; Al-Turjman, F. Smart Mutual Authentication Protocol for Cloud Based Medical Healthcare Systems Using Internet of Medical Things. IEEE J. Sel. Areas Commun. 2021, 39, 346–360. [Google Scholar] [CrossRef]
  7. Wazid, M.; Das, A.K.; Vasilakos, A.V. Authenticated Key Management Protocol for Cloud-Assisted Body Area Sensor Networks. J. Netw. Comput. Appl. 2018, 123, 112–126. [Google Scholar] [CrossRef]
  8. Alzahrani, B.A.; Irshad, A.; Albeshri, A.; Alsubhi, K.; Shafiq, M. An Improved Lightweight Authentication Protocol for Wireless Body Area Networks. IEEE Access 2020, 8, 190855–190872. [Google Scholar] [CrossRef]
  9. Zhang, J.; Zhang, Q.; Li, Z.; Lu, X.; Gan, Y. A Lightweight and Secure Anonymous User Authentication Protocol for Wireless Body Area Networks. Secur. Commun. Netw. 2021, 2021, 4939589. [Google Scholar] [CrossRef]
  10. Yu, S.J.; Lee, J.Y.; Park, Y.H.; Park, Y.H.; Lee, S.W.; Chung, B.H. A Secure and Efficient Three-Factor Authentication Protocol in Global Mobility Networks. Appl. Sci. 2020, 10, 3565. [Google Scholar] [CrossRef]
  11. Yang, X.; Yi, X.; Nepal, S.; Khalil, I.; Huang, X.; Shen, J. Efficient and Anonymous Authentication for Healthcare Service with Cloud Based WBANs. IEEE Trans. Serv. Comput. 2021, 1. [Google Scholar] [CrossRef]
  12. Ali, Z.; Ghani, A.; Khan, I.; Ashraf, S.; Hafizul, S.K. A Robust Authentication and Access Control Protocol for Securing Wireless Healthcare Sensor Networks. J. Inf. Secur. Appl. 2020, 52, 102502. [Google Scholar] [CrossRef]
  13. Shen, J.; Chang, S.; Shen, J.; Liu, Q.; Sun, X. A Lightweight Multi-Layer Authentication Protocol for Wireless Body Area Networks. Futur. Gener. Comput. Syst. 2018, 78, 956–963. [Google Scholar] [CrossRef]
  14. Liu, X.; Jin, C.; Li, F. An Improved Two-Layer Authentication Scheme for Wireless Body Area Networks. J. Med. Syst. 2018, 42, 1–14. [Google Scholar] [CrossRef]
  15. Ding, Y.; Xu, H.; Zhao, M.; Liang, H.; Wang, Y. Group Authentication and Key Distribution for Sensors in Wireless Body Area Network. Int. J. Distrib. Sens. Netw. 2021, 17, 15501477211044338. [Google Scholar] [CrossRef]
  16. Ur Rehman, Z.; Altaf, S.; Iqbal, S. An Efficient Lightweight Key Agreement and Authentication Scheme for WBAN. IEEE Access 2020, 8, 175385–175397. [Google Scholar] [CrossRef]
  17. Chen, C.M.; Xiang, B.; Wu, T.Y.; Wang, K.H. An Anonymous Mutual Authenticated Key Agreement Scheme for Wearable Sensors in Wireless Body Area Networks. Appl. Sci. 2018, 8, 1074. [Google Scholar] [CrossRef] [Green Version]
  18. Wan, T.; Wang, L.; Liao, W.; Yue, S. A Lightweight Continuous Authentication Scheme for Medical Wireless Body Area Networks. Peer-to-Peer Netw. Appl. 2021, 14, 3473–3487. [Google Scholar] [CrossRef]
  19. Rehman, Z.U.; Altaf, S.; Ahmad, S.; Huda, S.; Al-Shayea, A.M.; Iqbal, S. An Efficient, Hybrid Authentication Using Ecg and Lightweight Cryptographic Scheme for Wban. IEEE Access 2021, 9, 133809–133819. [Google Scholar] [CrossRef]
  20. Li, X.; Ibrahim, M.H.; Kumari, S.; Kumar, R. Secure and Efficient Anonymous Authentication Scheme for Three-Tier Mobile Healthcare Systems with Wearable Sensors. Telecommun. Syst. 2018, 67, 323–348. [Google Scholar] [CrossRef]
  21. Abiramy, N.V.; Sudha, S.V. A secure and lightweight authentication protocol for multiple layers in wireless body area network. Smart Intell. Comput. Appl. 2019, 104, 287–296. [Google Scholar] [CrossRef]
  22. Koya, A.M.; Deepthi, P.P. Deepthi. Anonymous Hybrid Mutual Authentication and Key Agreement Scheme for Wireless Body Area Network. Comput. Netw. 2018, 140, 138–151. [Google Scholar] [CrossRef]
  23. Arfaoui, A.; ben Letaifa, A.; Kribeche, A.; Senouci, S.M.; Hamdi, M. Adaptive Anonymous Authentication for Wearable Sensors in Wireless Body Area Networks. In Proceedings of the 2018 14th International Wireless Communications & Mobile Computing Conference (IWCMC), Limassol, Cyprus, 25–29 June 2018; pp. 606–611. [Google Scholar] [CrossRef]
  24. Morales-Sandoval, M.; De-La-Parra-Aguirre, R.; Galeana-Zapien, H.; Galaviz-Mosqueda, A. A Three-Tier Approach for Lightweight Data Security of Body Area Networks in E-Health Applications. IEEE Access 2021, 9, 146350–146365. [Google Scholar] [CrossRef]
  25. Azees, M.; Vijayakumar, P.; Karuppiah, M.; Nayyar, A. An Efficient Anonymous Authentication and Confidentiality Preservation Schemes for Secure Communications in Wireless Body Area Networks. Wirel. Netw. 2021, 27, 2119–2130. [Google Scholar] [CrossRef]
  26. Almuhaideb, A.M.; Alqudaihi, K.S. A Lightweight and Secure Anonymity Preserving Protocol for WBAN. IEEE Access 2020, 8, 178183–178194. [Google Scholar] [CrossRef]
  27. Ostad-Sharif, A.; Nikooghadam, M.; Abbasinezhad-Mood, D. Design of a Lightweight and Anonymous Authenticated Key Agreement Protocol for Wireless Body Area Networks. Int. J. Commun. Syst. 2019, 32, e3974. [Google Scholar] [CrossRef]
  28. Shuai, M.; Xiong, L.; Wang, C.; Yu, N. Lightweight and Privacy-Preserving Authentication Scheme with the Resilience of Desynchronisation Attacks for WBANs. IET Inf. Secur. 2020, 14, 380–390. [Google Scholar] [CrossRef]
  29. Xu, Z.; Xu, C.; Liang, W.; Xu, J.; Chen, H. And Key Agreement Scheme for Medical Internet of Things. IEEE Access 2019, 7, 53922–53931. [Google Scholar] [CrossRef]
  30. Almuhaideb, A.M.; Alqudaihi, K.S. Authentication in Wireless Body Area Network: Taxonomy and Open Challenges. J. Internet Things 2021, 3, 159–182. [Google Scholar] [CrossRef]
  31. Kilinc, H.H.; Yanik, T. A Survey of SIP Authentication and Key Agreement Schemes. IEEE Commun. Surv. Tutor. 2014, 16, 1005–1023. [Google Scholar] [CrossRef]
  32. Kim, M.; Yu, S.; Lee, J.; Park, Y.; Park, Y. Design of Secure Protocol for Cloud-Assisted Electronic Health Record System Using Blockchain. Sensors 2020, 20, 2913. [Google Scholar] [CrossRef] [PubMed]
Table 1. Notations that are used in the proposed protocols.
Table 1. Notations that are used in the proposed protocols.
NotationDescription
Pii-th patient
CNController node of Pi
SNSensor node-i of Pi
TATrusted authority
IDi, PWiIdentity and password of Pi
IDSNIdentity of SN
HIDiMasked identity of Pi
SIDiSecret identity of Pi
SSNSecret key of SN
STA, PKTASecret key and public key of TA
ai, bi, uSN+, riCN-generated random numbers
xSNSN-generated random number
uSNTA-generated random number
VSN, WSN, VSN+, WSN+Data to check message synchronization
RESNData used in protocol-II for IDSN retrieval and SN authentication
HPWi, APi, BPi, CPi, DPiData used by CN to authenticate Pi
TnTimestamp n
Tn*The time of message receipt
ΔTThe maximum transmission delay
XSNData used to retrieve xSN in protocol-I
LSN1Data used by CN to authenticate SN in protocol-I
UiData used to retrieve uSN+ in protocol-I
CData used to retrieve VSN+ in protocol-I
Li1Data used by SN to authenticate CN in protocol-I
RiData used to retrieve ri in protocol-II
Li2Data used by SN to authenticate CN in protocol-II
SK-ISession key for protocol-I
SK-IISession key for protocol-II
qLarge prime number
G1An additive group of order q
PA generator of the group G1
hHash function
Zq*The nonzero positive integers’ modulus q
||Concatenation operation
*Scalar multiplication operation
XOR operation
Jsan 11 00044 i001Secure communication channel
Jsan 11 00044 i002Public communication channel
Table 2. Security features comparison.
Table 2. Security features comparison.
Feature[13][14][16][17][18][19][20]Proposed
Emergency and periodic authentication protocols×××××××
Replay and MITM attacksN/AN/A
Session key disclosure attackN/AN/AN/A
Impersonation attack N/AN/A
Mobile device stolen attack×××××××
Off-line guessing attackN/AN/AN/AN/AN/AN/A
Perfect forward/backward secrecy×
Known session-specific temporary informationN/AN/AN/AN/AN/A
Node anonymity and unlinkability××
Desynchronization attacks×××
Secure password change×××××××
N/A = Information not available.
Table 3. Computation cost comparison.
Table 3. Computation cost comparison.
SchemeComputation Cost (ms)
[18]14.4593
[13]13.4251
[14]8.9178
[17]1.6331
[16]1.6308
[20]1.0964
[19]0.5505
Proposed Protocol-I3.3293
Proposed Protocol-II2.7834
Table 4. Communication cost comparison.
Table 4. Communication cost comparison.
SchemeCommunication Cost (bits)Communication Overhead
[13]32323
[18]29443
[14]13443
[20]8962
[17]8322
[16]3522
[19]3522
Proposed Protocol-I8642
Proposed Protocol-II3521
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Almuhaideb, A.M.; Alghamdi, H.A. Secure and Efficient WBAN Authentication Protocols for Intra-BAN Tier. J. Sens. Actuator Netw. 2022, 11, 44. https://doi.org/10.3390/jsan11030044

AMA Style

Almuhaideb AM, Alghamdi HA. Secure and Efficient WBAN Authentication Protocols for Intra-BAN Tier. Journal of Sensor and Actuator Networks. 2022; 11(3):44. https://doi.org/10.3390/jsan11030044

Chicago/Turabian Style

Almuhaideb, Abdullah M., and Huda A. Alghamdi. 2022. "Secure and Efficient WBAN Authentication Protocols for Intra-BAN Tier" Journal of Sensor and Actuator Networks 11, no. 3: 44. https://doi.org/10.3390/jsan11030044

APA Style

Almuhaideb, A. M., & Alghamdi, H. A. (2022). Secure and Efficient WBAN Authentication Protocols for Intra-BAN Tier. Journal of Sensor and Actuator Networks, 11(3), 44. https://doi.org/10.3390/jsan11030044

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop