Next Article in Journal
Flow of Newtonian Incompressible Fluids in Square Media: Isogeometric vs. Standard Finite Element Method
Next Article in Special Issue
Reversible Data Hiding for Color Images Using Channel Reference Mapping and Adaptive Pixel Prediction
Previous Article in Journal
Identification and Control of Rehabilitation Robots with Unknown Dynamics: A New Probabilistic Algorithm Based on a Finite-Time Estimator
Previous Article in Special Issue
Cross-Server End-to-End Patient Key Agreement Protocol for DNA-Based U-Healthcare in the Internet of Living Things
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Enhancing the Security: A Lightweight Authentication and Key Agreement Protocol for Smart Medical Services in the IoHT

1
College of Computer Science and Engineering, Shandong University of Science and Technology, Qingdao 266590, China
2
School of Artificial Intelligence (School of Future Technology), Nanjing University of Information Science & Technology, Nanjing 210044, China
*
Author to whom correspondence should be addressed.
Mathematics 2023, 11(17), 3701; https://doi.org/10.3390/math11173701
Submission received: 6 August 2023 / Revised: 22 August 2023 / Accepted: 25 August 2023 / Published: 28 August 2023
(This article belongs to the Special Issue Frontiers in Network Security and Cryptography)

Abstract

:
The Internet of Things (IoT) has witnessed significant growth with advancements in Internet and wireless technologies. In the medical field, the Internet of Health Things (IoHT) has emerged as an extension of the IoT, enabling the exchange of remote data and real-time monitoring of patients’ health conditions. Through the IoHT, doctors can promptly provide diagnoses and treatment for patients. As patient data are transmitted over public channels, security issues may arise, necessitating security mechanisms. Recently, Amintoosi et al. proposed an authentication protocol for smart medical services in the IoHT. However, their protocol exhibited security weaknesses, including vulnerabilities to privileged insider attacks. To address the security concerns, we propose an enhanced authentication and key agreement protocol. The security of our protocol is rigorously analyzed using the Real-Or-Random model, informal security analysis, and the AVISPA tool. Finally, the results of our analysis demonstrate that our proposed protocol ensures sufficient security while maintaining a performance level similar to existing protocols.

1. Introduction

The Internet of Things (IoT) [1,2,3] is a technology that enables the collection of real-time data and the connection of devices, thus serving as an infrastructure in people’s lives. With the advancements in the Internet, mobile communication, and wireless technology, the IoT can be applied to various environments, including smart home [4], smart grid [5], Internet of Vehicles [6,7], and artificial intelligence [8,9]. These environments take advantage of the information-gathering features of the IoT to solve problems existing in real life, so as to bring more benefits and convenience to people’s lives.
The Internet Health of Things (IoHT) [10,11,12] is an extension of the IoT specifically focused on healthcare. It combines modern communication and medical information technology to create a new mode of health management. The IoHT enables the real-time monitoring of patients’ health data, reducing the repetitive workload for medical staff. Simultaneously, it allows medical professionals to provide timely diagnosis and treatment based on the collected data, as well as deliver preventive or proactive healthcare services at a lower cost. The architecture of the IoHT, as illustrated in Figure 1, includes three main entities: users (doctors/nurses), gateway, and sensor nodes. Sensor nodes are distributed among patients and are responsible for collecting various health data, such as electrocardiogram readings, body temperature measurements, and blood oxygen saturation levels. The gateway serves as a semi-trusted entity that facilitates the real-time transmission of the collected data between the sensor nodes and the users. Users are medical staff (doctors/nurses) who have the ability to access patients’ health data, and use the collected data to analyze the condition and provide appropriate diagnosis and treatment plans for patients.
The security of medical data in IoHT is of utmost importance due to the sensitivity of the information involved. If patient health data and diagnostic reports are stolen by attackers through public channels, it can lead to privacy breaches and potential security attacks such as impersonation [13,14], replay [15,16], and man-in-the-middle (MITM) [17,18] attacks. To address these security concerns, authentication and key agreement (AKA) techniques can be employed to achieve mutual authentication [19,20] between communication entities and establish session keys, ensuring secure communication in IoHT. According to Diffie et al.’s study [21], AKA protocols should follow some general principles when being designed. These principles include the ideas that authentication and key exchange need to be linked together, asymmetry should be exhibited in the protocol, messages should avoid being used repeatedly to prevent replay attacks, entities should incorporate appropriate random numbers into encryption operations, etc.
In recent years, several AKA protocols have been proposed specifically for healthcare applications based on IoT. Challa et al. [22] put forward a secure AKA protocol for medical wireless sensor networks based on elliptic curve cryptography (ECC) in 2018. Unfortunately, Soni et al. [23] found their protocol violated user anonymity and was subjected to session key disclosure attacks. As a result, Soni et al. proposed an enhanced AKA protocol specifically designed for healthcare systems. Unfortunately, Xu et al. [24] demonstrated that this enhanced protocol violated perfect forward secrecy (PFS) and could not resist offline password guessing (OPG) and sensor node capture (SNC) attacks. Qiu et al. [25] put forward a robust AKA protocol based on a telecare medicine system. However, Shamshad et al. [20] found that this protocol was vulnerable to privileged insider (PI) and OPG attacks. Consequently, Shamshad et al. devised a security-enhanced authentication protocol for healthcare services. Sharma and Kalra [26] presented a secure AKA protocol based on IoHT, demonstrating its resilience against multiple security attacks. Unfortunately, Azrour et al. [27] discovered that this protocol suffered from impersonation and OPG attacks. Similarly, Azrour et al. proposed an enhanced protocol for remote healthcare services based on cloud-based IoT. Aghili et al. [28] developed a lightweight AKA protocol for an e-health system based on IoT. However, Amintoosi et al. [29] demonstrated that this protocol violated PFS and was susceptible to SNC and impersonation attacks.
In 2020, Merabet et al. [30] introduced a novel mutual authentication protocol based on IoHT, ensuring secure communication between machines and the cloud. Kumari et al. [31] proposed an efficient AKA protocol for smart healthcare and cloud environments, utilizing ECC. However, Wu et al. [32] demonstrated that their protocol suffered from several security vulnerabilities, including impersonation, known session specific temporary information (KSSTI), and desynchronization attacks. Subsequently, Wu et al. proposed an alternative AKA protocol for smart healthcare, addressing the identified security issues. Hajian et al. [33] devised an attack-resilient protocol for Medical Internet of Things (MIoT) applications. Unfortunately, Yu et al. [17] found that this protocol was susceptible to MITM, impersonation, and session key disclosure (SKD) attacks. Consequently, Yu et al. proposed an enhanced AKA protocol specifically designed for the MIoT environment, seeking to improve its security. Alladi et al. [34] designed a two-way AKA protocol for the healthcare environment, incorporating physical unclonable functions to enhance data security. Shuai et al. [35] put forward a robust AKA protocol for a private healthcare system, incorporating three factors to strengthen security. However, Xie et al. [36] identified that their protocol violated PFS and was vulnerable to PI attacks. Similarly, Xie et al. proposed a privacy-protected AKA protocol for IoT environments. Agrahari et al. [37] devised an AKA protocol for healthcare monitoring systems, ensuring the security of patient data during transmission. Al-Saggaf et al. [38] proposed a two-factor AKA protocol based on IoHT, utilizing quantum computing for enhanced security.
According to previous research, ensuring the security of medical data and user privacy in the IoHT is crucial. In light of this, Amintoosi et al. [29] proposed an authentication protocol for smart medical services, which not only achieves mutual authentication between communication entities, but also facilitates the establishment of session keys between them to ensure secure communication. However, during our investigation, we identified security vulnerabilities in their protocol. To address these security concerns, we have developed an enhanced AKA protocol specifically tailored for the IoHT environment. Our protocol aims to provide robust security measures to ensure the secure transmission of medical data and protect user privacy. The main contributions of our paper are summarized as follows:
(1)
We conducted a thorough review of Amintoosi et al.’s protocol and identified certain security weaknesses, particularly PI attacks.
(2)
In response to the identified weaknesses, we propose an enhanced AKA protocol for smart medical services in the IoHT. Our protocol utilizes lightweight primitives and facilitates the establishment of session keys between doctors and sensor nodes with the assistance of gateways, ensuring secure communication.
(3)
To validate the security of our proposed protocol, we conducted a rigorous analysis using the Real-Or-Random (ROR) model, informal security analysis, and the automated validation of Internet security protocols and applications (AVISPA) tool.
(4)
Finally, we compare the performance and security of our proposed protocol with existing protocols. The comparison results demonstrate that our proposed protocol offers sufficient security with comparable performance to other protocols in the IoHT environment.
The structure of this paper is organized as follows. In Section 2, we review and analyze Amintoosi et al.’s protocol. We present the specific process and design details of the proposed enhanced security AKA protocol in the IoHT in Section 3. In Section 4, we demonstrate the security of our protocol through the ROR model, informal security analysis, and the AVISPA tool. A comparison of the proposed protocol with existing AKA protocols in the IoHT is involved in Section 5 and the conclusion is made in Section 6.

2. Review and Cryptanalysis of Amintoosi et al.’s Protocol [29]

2.1. Review of Amintoosi et al.’s Protocol [29]

Here, we only review the “registration” and the “login and authentication” phases of Amintoosi et al.’s protocol. Their protocol involves user, medical server, and sensor node. The notations used in this paper are shown in Table 1.

2.1.1. Registration

The registration phase is divided into two phases, which are the user and sensor node registration phases.
User registration phase. The process of user registration is depicted in Figure 2, with the specific steps outlined as follows.
(1)
User U i chooses I D i , P W i , and a i , and calculates U M i = h ( I D i P W i a i ) . Next, U i sends { U M i , I D i } to M S via a secure channel.
(2)
On receiving the { U M i , I D i } , M S firstly searches for the I D i stored in the database. If the I D i exists, the U i should be asked to send a new I D i . Otherwise, M S selects b i to compute T I D i = h ( b i I D i ) , U N i = h ( b i I D i T I D i ) , U O i = h ( S I D s b i ) , U P i = U O i U M i , U Q i = h ( U N i U O i ) , and i = i + 1 . Then, M S stores { b i , U P i , U Q i } in smart card, and stores { U P i , U N i , U Q i , I D i } in its database. Finally, M S transmits smart card to U i .
(3)
When U i receives the smart card, { a i } is added to it.
Sensor registration phase. Figure 3 depicts the sensor registration process, and the subsequent detailed steps are as follows.
(1)
Sensor S j selects I D S j and c j to calculate S M j = h ( I D S j X j c j ) , and sends { S M j , c j , I D S j } to M S via secure channel.
(2)
When M S receives the { S M j , c j , I D S j } , it computes S N j = h ( I D S j s c j ) , and j = j + 1 . Then, M S stores { S M j , I D S j , c j } in database, and transmits { S N j } to S j .
(3)
S j receives the { S N j } , and stores { S N j , c j } in its memory.

2.1.2. Login and Authentication Phase

The login and authentication phase process is illustrated in Figure 4, as shown below in the specific steps.
(1)
First, U i inputs I D i * , P W i * , computes U M i * = h ( I D i * P W * a i ) , U O i * = U P i U M i * , T I D i * = h ( b i I D i * ) , U N i * = h ( b i I D i * T I D i * ) , U Q i * = h ( U N i * U O i * U M i * ) and checks U Q i * = ? U Q i . If it holds, U i chooses r i and T 1 to compute W 1 = h ( U N i U O i T 1 ) r i , V 1 = h ( U N i U O i r i ) . Finally, U i transmits message M 1 = { W 1 , T 1 , b i , V 1 } to M S via public channel.
(2)
After M S receives M 1 , it verifies freshness of T 1 by calculating | T 1 T c | Δ T . Then, M S computes U O i = h ( S I D s b i ) , r i = h ( U N i U O i T 1 ) W 1 , V 1 * = h ( U N i U O i r i ) and checks V 1 * = ? V 1 . If the two values do not correspond, the authentication process is suspended. Otherwise, M S selects r s , and calculates W 2 = h ( r i I D S j c j ) r s , S N j = h ( I D S j s c j ) , V 2 = h ( S N j S M j r s ) . Finally, M S retrieves T 2 and transmits the message M 2 = { r i , W 2 , V 2 , T 2 } to S j .
(3)
On S j receiving the { r i , W 2 , V 2 , T 2 } , it first verifies T 2 . Next, S j computes r s = W 2 h ( r i I D S j c j ) , S M j * = h ( I D S j X j c j ) , V 2 * = h ( S N j S M j * r s ) and checks V 2 * = ? V 2 . If the two values are equal, S j chooses r j , and computes S K = h ( r s I D S j r j ) , W 3 = h ( S M j c j S N j ) r j , V 3 = h ( S K S N j T 3 ) . At last, S j transmits the message M 3 = { W 3 , V 3 , T 3 } to M S .
(4)
M S verifies the T 3 after receiving the M 3 . Next, M S computes U M i = U O i U P i , r j = h ( S M j c j S N j ) W 3 , S K = h ( r s I D S j r j ) , V 3 * = h ( S K S N j T 3 ) and checks V 3 * = ? V 3 . If the two values are equal, the M S selects a timestamp T 4 and computes W 4 = U M i r j , W 5 = U M i r s , V 4 = h ( W 4 W 5 U M i T 4 ) . Next, M S transmits message M 4 = { W 4 , W 5 , V 4 , T 4 } to U i .
(5)
U i verifies the T 4 after receiving the M 4 . If it is fresh, U i computes V 4 * = h ( W 3 W 4 U M i T 4 ) and checks V 4 * = ? V 4 . If the two values are equal, U i computes r j = U M i W 4 , r s = U M i W 5 , and then computes S K = h ( r s I D S j r j ) .

2.2. Cryptanalysis of Amintoosi et al.’s Protocol

In this section, we point out that Amintoosi et al.’s protocol has certain security weaknesses, particularly PI attacks.
Attacker Model. According to the Dolev-Yao (DY) [39] and Canetti and Krawczyk (CK) [40] models, we define the following capabilities for an attacker ( A ) to follow.
(1)
A possesses the capability to intercept, monitor, and manipulate messages that are transmitted through the public channel.
(2)
The medical server may have a malicious insider named A who can acquire data from the database.
(3)
A can utilize power analysis to obtain the data in the user’s smart card or smart device.
(4)
A can obtain temporary information value and long-term key.

2.2.1. Privileged Insider Attacks

Assume A obtains the data { S M j , I D S j , c j } from M S . Through the following steps, A can compute the S K successfully. The process of the attack method is depicted in Figure 5, showing only the important portion. The parts marked in red indicate the data and messages obtained by A , while the red boxes represent A ’s computational steps.
(1)
A can eavesdrop on the messages M 2 = { r i , W 2 , V 2 , T 2 } , and M 3 = { W 3 , V 3 , T 3 } on public channel.
(2)
Next, A can compute r s = W 2 h ( r i I D S j c j ) and r j = h ( S M j c j S N j ) W 3 , respectively.
(3)
At last, A can compute S K = h ( r s I D S j r j ) .

2.2.2. Incorrectness of S K

In the authentication phase of Amintoosi et al.’s protocol [29], M S first transmits the M 4 to U i . On receiving the M 4 , U i calculates numbers r j and r s to establish the S K , where S K = h ( r s I D S j r j ) . The I D S j is stored in the database of M S , and the M S does not transmit the value I D S j to U i . Thus, the U i cannot know the value I D S j , and cannot establish the S K .

3. The Proposed Protocol

In response to the identified weaknesses of Amintoosi et al.’s protocol, we propose an enhanced AKA protocol in the IoHT (shown in Figure 1). The entities involved in the protocol include U i , G W N , and S j . Here, we use G W N to replace the M S in Amintioosi et al.’s protocol, because the functions of the M S and the G W N are the same, and the G W N is commonly used in the IoHT environment. The initialization, registration, and login and authentication phases are included in our proposed protocol.

3.1. Initialization and Registration Phases

3.1.1. Initialization Phase

The smart device, gateway, and sensor nodes need to write basic arithmetic functions, such as h ( . ) , ⊕, and | | . Here, G W N is a semi-trusted entity, which means that it possesses the ability to engage in misconduct, yet lacks the capacity to collaborate with other entities. Moreover, the G W N chooses k as its private key, and is responsible for the pre-deployment of the sensor nodes. The sensor pre-deployment process is shown in Figure 6. The specific steps are described below.
(1)
S j chooses its I D S j and a random number c j , and sends { I D S j , c j } to G W N via a secure channel.
(2)
When G W N receives the { I D S j , c j } , it calculates S M j = h ( I D S j c j k ) , S N j = h ( I D S j k ) S M j . Then, G W N stores { I D S j , S N j } in its database. Finally, G W N transmits { S M j } to S j .
(3)
On receiving { S M j } , S j computes S O j = h ( I D S j c j ) S M j . Next, S j stores { c j , S O j } in its memory.

3.1.2. Doctor Registration Phase

In this phase, doctors need to register with the G W N to become legitimate users U i . The doctor registration process is described in Figure 7, and the specific steps are as follows.
(1)
First, U i chooses I D i , P W i , a i , and calculates T I D i = h ( I D i P W i a i ) . Next, U i transmits { T I D i , a i } to G W N via secure channel.
(2)
When G W N receives the { T I D i , a i } , it chooses b i to compute U M i = h ( T I D i b i a i ) , U N i = a i h ( b i k ) . Then G W N stores { T I D i , b i , U N i } in database, and transmits { U M i } to U i .
(3)
On receiving { U M i } , U i calculates R P W i = h ( P W i a i ) , U O i = a i h ( I D i R P W i ) , U P i = h ( T I D i R P W i a i ) , U Q i = U M i h ( a i R P W i ) . Finally, U i stores { U O i , U P i , U Q i } in smart device.

3.2. Login and Authentication Phase

In this section, the U i , G W N , and S j achieve mutual authentication, and the U i and S j successfully establish a S K with the assistance of the G W N . The login and authentication process is depicted in Figure 8, and the detailed login and authentication steps are as follows.
(1)
First, U i inputs I D i , P W i , and calculates a i * = U O i h ( I D i * P W i * ) , T I D i * = h ( I D i * P W i * a i * ) , R P W i * = h ( P W i * a i ) , U P i * = h ( T I D i * R P W i * a i * ) . Then, U i checks U P i * = ? U P i . If it is not equal, U i login fails. Otherwise, U i computes U M i = U Q i h ( a i R P W i ) , and chooses r i and its I D S j . Next, U i calculates R i = h ( I D i a i r i ) , W 1 = R i h ( a i U M i ) , W 2 = I D S j h ( U M i R i ) , and retrieves the T 1 to compute V 1 = h ( T I D i I D S j R i T 1 ) . Finally, U i sends message M 1 = { T I D i , W 1 , W 2 , V 1 , T 1 } to G W N via public channel.
(2)
Following the receipt of message M 1 , G W N initially verifies that timestamp T 1 is fresh. Next, G W N retrieves { b i , U N i } from the database using T I D i and calculates a i = U N i h ( b i k ) , U M i = h ( T I D i k a i ) , R i = W 1 h ( a i U M i ) , I D S j = W 2 h ( U M i R i ) , V 1 * = h ( T I D i I D S j R i T 1 ) and checks V 1 * = ? V 1 . If they are equal, G W N retrieves { S N i } according to I D S j and computes S M j = S N j h ( I D S j k ) , W 3 = R i h ( I D S j S M j ) . At last, G W N retrieves the current timestamp T 2 to compute V 2 = h ( T I D i R i S M j T 2 ) and transmits message M 2 = { T I D i , W 3 , V 2 , T 2 } to S j .
(3)
When S j receives the M 2 , it checks freshness of T 2 by computing | T 2 T c | Δ T . Then, S j calculates S M j = S O j h ( I D S j c j ) , R i = W 3 h ( I D S j S M j ) , V 2 * = h ( T I D i R i S M j T 2 ) and checks V 2 * = ? V 2 . If it holds, S j chooses r j to calculate R j = h ( I D S j c j r j ) , S K = h ( R i R j ) , W 4 = R j h ( I D S j S M j ) . Finally, S j retrieves T 3 to compute V 3 = h ( R j S M j T 3 ) and transmits message M 3 = { W 4 , V 3 , T 3 } to G W N .
(4)
When G W N receives the M 3 , it verifies the freshness of T 3 . Next, G W N computes R j = W 4 h ( I D S j S M j ) , V 3 * = h ( R j S M j T 3 ) and checks V 3 * = ? V 3 . If V 3 * = V 3 , G W N computes W 5 = R j h ( a i R i ) and retrieves current timestamp T 4 to calculate V 4 = h ( R i U M i R j T 4 ) . Finally, G W N sends message M 4 = { W 5 , V 4 , T 4 } to U i .
(5)
U i verifies freshness of the T 4 after receiving M 4 . Then, U i computes R j = W 5 h ( a i R i ) , V 4 * = h ( R i U M i R j T 4 ) and checks V 4 * = ? V 4 . If it holds, U i computes S K = h ( R i R j ) , which means that the U i and S j successfully establish a S K with the assistance of the G W N .

4. Security Analysis

4.1. Formal Security Analysis

We show the security of our protocol using the well-known ROR model [41,42,43]. Real attacks are simulated in this model through a series of rounds of games.

4.1.1. Security Model

Three entities are included in our proposed protocol: U i , G W N , and S j . We use I U i x to represent the x-th user instance, I G W N y represents the y-th gateway instance, and I S j z represents the z-th sensor node instance. Here, we define that A has certain capabilities in different games, but needs to follow the following queries.
(1)
E x e c u t e ( E ) : This query means that A can intercept messages on the public channel, where E = { I U i x , I G W N y , I S j z } .
(2)
S e n d ( E , M i ) : A is able to acquire the response from E subsequent to transmitting message M i to E .
(3)
H a s h ( s t r i n g ) : A may enter a s t r i n g to obtain its hash value by performing this query.
(4)
C o r r u p t ( E ) : This query gives A access to the long-term key or temporary information of E .
(5)
T e s t ( E ) : The A would verify the validity of the S K by flipping a coin c. When c = 1 , A obtains the S K . Otherwise, A obtains the random string.

4.1.2. Security Proof

Theorem 1.
The advantage that A breaking the proposed protocol ( P ) in polynomial time ξ is A d v A P ( ξ ) q h 2 | H a s h | + 2 C · q s s under ROR model. Here, q h , q s , | H a s h | denote the hash query, send query, and the space of the hash function, respectively. In addition, C and s are two constants.
Proof 
We define four games G M 0 - G M 3 to prove the proposed protocol’s security, and these games simulate the real process of A attacking the protocol. Here, S u c c A G M i ( ξ ) indicates that the A wins the i-th game, and A d v A P is defined as the advantage of A breaking the protocol. The A simulates detailed queries as shown in Table 2. The following are the detailed processes in the proof.
G M 0 : In G M 0 , the A performs real attacks to break the proposed protocol. The A starts the game by flipping the c. Hence, we have
A d v A P ( ξ ) = | 2 P r [ S u c c A G M 0 ( ξ ) ] 1 | .
G M 1 : In G M 1 , A can eavesdrop on the transmitted messages M 1 = { T I D i , W 1 , W 2 , V 1 , T 1 } , M 2 = { T I D i , W 3 , V 2 , T 2 } , M 3 = { W 4 , V 3 , T 3 } and M 4 = { W 5 , V 4 , T 4 } by executing the E x e c u t e ( ) query. After G M 1 , A validates the S K = h ( R i R j ) through executing the T e s t ( ) query. Since A cannot obtain the values R i and R j , A cannot compute the S K . Therefore, the result of G M 1 is no different from G M 0 .
P r [ S u c c A G M 1 ( ξ ) ] = P r [ S u c c A G M 0 ( ξ ) ] .
G M 2 : The S e n d ( ) and H a s h ( ) queries are added to G M 2 . The A wants to tamper with the eavesdropped messages, but the authentication values V 1 , V 2 , V 3 , and V 4 in the message are composed of private values and are protected by hash function. Thus, since A cannot obtain the private value and cannot crack the hash function, the intercepted message cannot be tampered with. Furthermore, no hash collision occurs because each session’s random numbers are distinct. Hence, in accordance with the birthday paradox, we have
| P r [ S u c c A G M 2 ( ξ ) ] P r [ S u c c A G M 1 ( ξ ) ] | q h 2 2 | H a s h | .
G M 3 : In G M 3 , A obtains the data { U O i , U P i , U Q i } in the smart device by executing the Corrupt ( I U i x ) query. Then, A utilizes these data and intercepted messages to attempt to deduce the correct P W i . Since A cannot obtain the values R P W i and a i , A cannot compute correct U P i and cannot obtain the P W i , where U P i = h ( T I D i R P W i a i ) . From Zipf’s law [44], we can obtain
| P r [ S u c c A G M 3 ( ξ ) ] P r [ S u c c A G M 2 ( ξ ) ] | C · q s e n d s .
Finally, A wants to win the game by guessing bit c to obtain the correct S K . Thus, we can obtain
P r [ S u c c A G M 3 ( ξ ) ] = 1 2 .
According to G M 0 to G M 3 , we have
A d v A P ( ξ ) 2 = | P r [ S u c c A G M 0 ( ξ ) ] 1 2 | = | P r [ S u c c A G M 0 ( ξ ) ] P r [ S u c c A G M 3 ( ξ ) ] | = | P r [ S u c c A G M 1 ( ξ ) ] P r [ S u c c A G M 3 ( ξ ) ] | i = 0 2 | P r [ S u c c A G M i + 1 ( ξ ) ] P r [ S u c c A G M i ( ξ ) ] | = q h 2 2 | H a s h | + C · q s e n d s .
Thus, we can obtain
A d v A P ( ξ ) q h 2 | H a s h | + 2 C · q s e n d s .

4.2. Informal Security Analysis

4.2.1. Perfect Forward Secrecy (PFS)

We use two methods to show that the proposed protocol ensures PFS.
Method 1: Suppose A can obtain the k of G W N , and attempts to calculate the S K . First, A needs to calculate the value R i , I D S j and R j , where R i = W 1 h ( a i U M i ) and R j = W 4 h ( I D S j S M j ) . Then A uses these values to calculate the S K . Since A cannot obtain a i , U M i and S M j , A cannot calculate the S K .
Method 2: We use Ge et al.’s method [45] to demonstrate that A cannot calculate the S K . The specific proof steps are as follows.
(1)
First, the composition of the session key requires variables { R i , R j } , where S K = h ( R i R j ) . Based on the rules of Ge et al. [45], we add these variables around S K and use arrows to point to S K . Then, we proceed step by step to analyze the newly added variables. For example, the composition of R i requires { r i , I D i , a i } or { a i , W 1 , U M i } or { W 3 , I D S j , S M j } .
(2)
Then, coloring is employed to denote nodes that involve long-term secrets or are transmitted over public channels. These nodes are k , W 1 , W 3 , W 4 , W 5 , which means that A can obtain these variables.
(3)
Finally, we remove the incoming edges of all colored nodes, and judge whether the proposed protocol ensures PFS through the remaining nodes. From Figure 9, we can see that the A does not have the required variables to compute the S K .
Thus, our proposed protocol ensures PFS.

4.2.2. Privileged Insider (PI) Attacks

Suppose that A is an insider in the gateway and has access to data { T I D i , b i , U N i } and { I D S j , S N j } in its database. Then, A attempts to compute the values R i and R j using these data, where R i = W 1 h ( a i U M i ) and R j = W 4 h ( I D S j S M j ) . Because a i , U M i and S M j are confidential to A , the A cannot compute R i and R j , and then cannot calculate the S K . Therefore, our protocol prevents PI attacks.

4.2.3. Sensor Node Capture (SNC) Attacks

Assume A can capture the { c j , S O j } in the memory of the S j , and attempt to calculate the values R i and R j . However, since A cannot obtain I D S j , S M j , and R j , A cannot compute R i and R j , and thus the A does not obtain the correct S K . So our protocol can withstand SNC attacks.

4.2.4. Offline Password Guessing (OPG) Attacks

Suppose A obtains the data { U O i , U P i , U Q i } from a smart device and tries to enumerate the correct password using a password dictionary. Since the A cannot obtain the R P W i and a i , and does not calculate the correct value U P i , where U P i = h ( T I D i R P W i a i ) , A cannot obtain the correct P W i . Thus, our protocol can prevent OPG attacks.

4.2.5. Session Key Disclosure (SKD) Attacks

A can only obtain the private values R i and R j in order to compute the S K = { R i R j } . However, A cannot obtain the I D i , a i and r i , so R i cannot be calculated, where R i = h ( I D i a i r i ) . Similarly, the A cannot obtain I D S j , c j and r j , and cannot calculate R j , where R j = h ( I D S j c j r j ) . Thus, the correct S K remains undisclosed to A . The proposed protocol is immune to SKD attacks.

4.2.6. Correctness of S K

In our proposed protocol, the entities involved in establishing the session key include U i , G W N , and S j . The required values for the S K are R i and R j , where S K = h ( R i R j ) , R i = h ( I D i a i r i ) and R j = h ( I D S j c j r j ) . The U i transmits the computed R i to the G W N , which securely forwards it to the S j . Upon receiving R i , the S j independently computes R j to establish the S K . Similarly, the S j transmits R j to the G W N , which then forwards this value to the U i . When receiving R j , the U i is able to successfully establish the S K . Therefore, our protocol ensures the correctness of S K .

4.2.7. Man-In-The-Middle (MITM) Attacks

Assume that A can intercept messages M 1 , M 2 , M 3 and M 4 . Here, we take M 1 = { T I D i , W 1 , W 2 , V 1 , T 1 } as an example. The A attempts to tamper with the authentication value V 1 , where V 1 = h ( T I D i I D S j R i T 1 ) . However, due to the fact that values I D S j and R j are confidential to the A , A cannot calculate the V 1 . Thus, the request message sent by A cannot be authenticated by the G W N . Similarly, A cannot obtain private values to tamper with messages M 2 , M 3 , and M 4 . Thus, it is impossible for MITM attacks to break our protocol.

4.2.8. Mutual Authentication

In the proposed protocol, entities verify each other’s legitimacy by the authentication values { V 1 , V 2 , V 3 , V 4 } , where V 1 = h ( T I D i I D S j R i T 1 ) , V 2 = h ( T I D i R i S M j T 2 ) , V 3 = h ( R j S M j T 2 ) , and V 4 = h ( R i U M i R j T 4 ) . Here, the G W N is to determine the legitimacy of the U i by verifying V 1 . The S j judges the legitimacy of the G W N by verifying V 2 . The G W N is used to determine the legitimacy of the S j by verifying V 3 . The U i is to determine the legitimacy of the G W N by verifying V 4 . Since the message sent by one entity to another entity can be verified, our protocol can achieve mutual authentication.

4.3. AVISPA

The AVISPA [46] is an instrument for formal verification that automatically analyzes the cryptographic protocol’s security. AVISPA is based on the DY model, which allows A to have attack capabilities during the simulation, and it uses High-Level Protocol Specification Language (HLPSL). In this paper, AVISPA is used to simulate the whole process of the proposed protocol.
We define the role specification for U i , G W N and S j as shown in Figure 10a–c, respectively. Additionally, the role specifications for the session, goal, and environment are shown in Figure 10d. Here, we take the role of U i as an example to explain. In the registration and authentication phases, it is essential for the user to recognize the involvement of three agents: “user agent (UA), gateway agent (GA), and sensor agent (SA)”. “(SND, RCV)” represent the send and receive channels, where “(dy)” means that the channel follows the DY model. “RCV(start)” indicates that the entire protocol starts running. “RCV(H(H(IDi.PWi.Ai’).K.Ai’)-SKuaga)” indicates that the user receives the message { U M i } transmitted from the gateway. The “SKuaga” encrypts transmitted messages, and this indicates that the message is transmitted via secure channel. Furthermore, “SND(H(IDi.PWi.Ai’).W1’.W2’.V1’.T1’)” signifies that the user transmits the message { T I D i , W 1 , W 2 , V 1 , T 1 } to the gateway via a public channel. In “State 3”, it becomes evident that the user has successfully established a session key with the sensor. Finally, we use the widely recognized On-the-Fly Model-Checker (OFMC) and Constraint Logic-based Attack Searcher (CL-AtSe) backends to verify the security of the proposed protocol, and the simulated results are depicted in Figure 11. It can be clearly seen that whether it is in the results of OFMC or CL-AtSe backend, the summary display is “SAFE”, which means that our proposed protocol can resist replay and MITM attacks.

5. Security and Performance Comparisons

We compare the security and performance of our proposed protocol to five IoHT authentication protocols [23,29,33,35,47].

5.1. Security Comparisons

In terms of security comparison, √ means that the protocol is resistant to that attack, while × means that the protocol does not satisfy that security property. The primary security properties include S1, mutual authentication; S2, PFS; S3, PI attacks; S4, OPG attacks; S5, SKD attacks; S6, SNC attacks; S7, MITM attacks; S8, correctness of S K .
The security comparison results are presented in Table 3. It is clear that our protocol and Wu et al.’s protocol [47] satisfies all security properties. However, Soni et al.’s protocol [23] violated PFS and suffered from OPG and SNC attacks. Hajian et al.’s protocol [33] failed to provide mutual authentication, leaving it vulnerable to SKD and MITM attacks. Similarly, Shuai et al.’s protocol [35] also violated PFS and suffered from PI attacks. Amintoosi et al.’s protocol [29], like the others, exhibited security weaknesses, specifically being susceptible to PI attacks and unable to ensure the correctness of S K .

5.2. Performance Comparisons

The protocol compares three aspects of communication, computational, and storage costs in performance comparison. When comparing communication and computational costs, we exclusively consider the login and authentication phases of the protocols. On the other hand, in the comparison of storage costs, our focus is solely on the registration phase.

5.2.1. Computational Cost Comparisons

For the computational cost, we use three different devices to obtain the runtime of the cryptographic primitives. The configurations of these three experimental devices are shown in Table 4, where we denote that the laptop simulates U i , the desktop computer simulates G W N , and the Xiaomi mobile phone MI 8 simulates S j . The software we use is IntelliJ idea 2020.3, and we use the Java language and cryptographic library JPBC-2.0.0 [48] to write programs. In addition, since the cost of ⊕ and ‖ in the protocol is too small, its computational size is ignored. The times of various operations are displayed in Table 5, where the running time of the operation runs 20 times in the software and takes the average value of the results. In addition, since the running time of the hash function and the fuzzy extraction are similar, we take one of them to calculate. The results of the comparison are presented in Table 6, and more clearly shown in Figure 12.
The computational costs of a few U i in each protocol are illustrated in Figure 13a. Soni et al.’s protocol [23] utilizes point scalar multiplication and fuzzy extractor, and Shuai et al.’s protocol [35] relies on symmetric key encryption/decryption. As a result, both of them incur relatively high computational costs for U i compared to the other protocols in the comparison. On the other hand, the computational costs of U i in the remaining protocols show little variation and are relatively lower compared to Soni et al.’s and Shuai et al.’s protocols. Figure 13b depicts the computational costs of a few S j in each protocol. In our proposed protocol, the computational costs of S j are higher than in some other protocols, but still lower than the costs in Hajian et al. [33] and Wu et al. [47]. It is worth noting that Hajian et al.’s protocol is the same as that in Wu et al.’s work. Overall, Soni et al.’s and Shuai et al.’s protocols have relatively higher computational costs for U i due to their specific cryptographic operations.
To verify the scalability of the protocol, we gradually increased the number of U i from 20 to 100, while simultaneously increasing the number of S j from 50 to 250. The results of computational cost as the counts of U i and S j surged are presented in Figure 13c,d, respectively. The results demonstrate that our protocol can maintain reasonable computational costs as the quantity of entities grows, ensuring the protocol retains stable performance and efficiency. As a result, our proposed protocol can guarantee scalability.

5.2.2. Communication Cost Comparisons

In the comparison of communication costs, the lengths of the identity, timestamp, hash function, random number, point multiplication, and symmetrically encrypted ciphertext are defined to be 160, 32, 256, 128, 320, and 256 bits, respectively. Here, the communication cost is illustrated using our protocol as an example. The messages M 1 = { T I D i , W 1 , W 2 , V 1 , T 1 } , M 2 = { T I D i , W 3 , V 2 , T 2 } , M 3 = { W 4 , V 3 , T 3 } , and M 4 = { W 5 , V 4 , T 4 } , in which T I D i is identity, { W 1 , W 2 , W 3 , W 4 , W 5 } are random numbers, { V 1 , V 2 , V 3 , V 4 } are hash values, { T 1 , T 2 , T 3 , T 4 } are timestamps. Based on the above calculation, our proposed protocol’s communication cost is 2 × 160 + 5 × 128 + 4 × 256 + 4 × 32 = 2112 bits. Soni et al.’s protocol [23] is 7 × 128 + 4 × 256 + 5 × 32 + 320 = 2400 bits, Hajian et al.’s protocol [33] is 4 × 160 + 3 × 128 + 8 × 256 + 7 × 32 = 3296 bits, Shuai et al.’s protocol [35] is 160 + 128 + 6 × 256 + 4 × 32 = 1952 bits, Amintoosi et al.’s protocol [29] is 6 × 128 + 5 × 256 + 4 × 32 = 2176 bits, and Wu et al.’s protocol [47] is 11 × 128 + 4 × 256 + 4 × 32 = 2560 bits. Based on the data presented in Table 7 and Figure 14, it is evident that our proposed protocol exhibits a slightly higher communication cost compared to Shuai et al.’s protocol [35]. However, our proposed protocol still maintains lower communication costs compared to Soni et al. [23], Hajian et al. [33], Wu et al. [47], and Amintoosi et al. [29].

5.2.3. Storage Cost Comparisons

In the comparison of storage costs, the lengths required for various parameters are consistent with the assumptions in Section 5.2.2. Here, we take the registration phases of our proposed protocol as an example. The storage costs required for U i , G W N , and S j are 128 × 2 + 256 = 512 bits, 128 × 3 + 160 × 2 = 704 bits, and 128 × 2 = 256 bits, respectively. The storage cost required for our proposed protocol is 1472 bits. The total storage costs for each protocol are presented in Table 8. From Figure 15, it is evident that Hajian et al.’s protocol [33] demands the highest storage costs. In contrast, our proposed protocol requires the minimum storage costs.
Based on the security and performance comparison results, we can confidently assert the following:
  • Security comparison: Our proposed protocol, along with Wu et al.’s protocol, demonstrates the ability to withstand all known attacks. In contrast, other protocols in the comparison exhibit varying degrees of vulnerability to certain attacks.
  • Performance comparison: Despite having the same security level of as Wu et al.’s protocol, our protocol outperforms theirs in terms of computational and storage costs, while also possessing scalability. Additionally, while our computational cost is slightly higher compared to Amintoosi et al.’s protocol, our communication and storage costs are lower than theirs.

6. Conclusions

In this paper, we emphasized the significance of ensuring secure data transmission within the IoHT environments. We conducted a comprehensive review of the AKA protocols employed in the IoHT context. Subsequently, we thoroughly analyzed Amintoosi et al.’s protocol and identified various security weaknesses, notably PI attacks. In response to these issues, we proposed an enhanced AKA protocol specifically tailored for the IoHT environment. Then, we subjected it to rigorous security analysis using the ROR model, informal security analysis, and the AVISPA tool. Finally, we compared the security and performance aspects of our proposed protocol with existing protocols. The comparison results revealed that our protocol outperforms other protocols in terms of security while maintaining a comparable level of performance, thereby enhancing the feasibility of its practical application. The potential challenge lies in the slightly higher computational and communication costs of the proposed protocol, but this is acceptable in practical applications. Consequently, in future research, we will focus on further enhancing the security and performance of AKA protocols in the IoHT to address evolving needs.

Author Contributions

Conceptualization, T.-Y.W.; methodology, T.-Y.W. and L.W.; software and security analysis, C.-M.C. and L.W.; investigation, C.-M.C.; writing—original draft preparation, T.-Y.W., L.W. and C.-M.C. All authors have read and agreed to the published version of the manuscript.

Funding

This research was partially supported by Natural Science Foundation of Shandong Province, China (Grant no. ZR202111230202).

Data Availability Statement

The data are included in the article.

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:
IoTInternet of Things
IoHTInternet Health of Things
RORReal-Or-Random
MITMMan-in-the-middle
AKAAuthentication and key agreement
ECCElliptic curve cryptography
PFSPerfect forward secrecy
OPGOffline password guessing
SNCSensor node capture
PIPrivileged insider
KSSTIKnown session specific temporary information
MIoTMedical Internet of Things
SKDSession key disclosure
AVISPAAutomated validation of internet security protocols and applications
HLPSLHigh-Level Protocol Specification Language
OFMCOn-the-Fly Model-Checker
CL-AtSeConstraint Logic-based Attack Searcher

References

  1. Shen, S.; Yang, Y.; Liu, X. Toward data privacy preservation with ciphertext update and key rotation for IoT. Concurr. Comput. Pract. Exp. 2021, 35, e6729. [Google Scholar] [CrossRef]
  2. Huang, X.; Xiong, H.; Chen, J.; Yang, M. Efficient revocable storage attribute-based encryption with arithmetic span programs in cloud-assisted internet of things. IEEE Trans. Cloud Comput. 2023, 11, 1273–1285. [Google Scholar] [CrossRef]
  3. Guezzaz, A.; Benkirane, S.; Azrour, M. A novel anomaly network intrusion detection system for internet of things security. In IoT and Smart Devices for Sustainable Environment; Springer: Berlin/Heidelberg, Germany, 2022; pp. 129–138. [Google Scholar] [CrossRef]
  4. Wu, T.Y.; Meng, Q.; Chen, Y.C.; Kumari, S.; Chen, C.M. Toward a Secure Smart-Home IoT Access Control Scheme Based on Home Registration Approach. Mathematics 2023, 11, 2123. [Google Scholar] [CrossRef]
  5. Luo, Y.; Zheng, W.m.; Chen, Y.C. An anonymous authentication and key exchange protocol in smart grid. J. Netw. Intell. 2021, 6, 206–215. [Google Scholar]
  6. Chaudhry, S.A. Combating identity de-synchronization: An improved lightweight symmetric key based authentication scheme for IoV. J. Netw. Intell. 2021, 6, 12. [Google Scholar]
  7. Xiong, H.; Chen, J.; Mei, Q.; Zhao, Y. Conditional privacy-preserving authentication protocol with dynamic membership updating for VANETs. IEEE Trans. Dependable Secur. Comput. 2022, 19, 2089–2104. [Google Scholar] [CrossRef]
  8. Xue, X.; Chen, J. Matching biomedical ontologies through compact differential evolution algorithm with compact adaption schemes on control parameters. Neurocomputing 2021, 458, 526–534. [Google Scholar] [CrossRef]
  9. Xue, X.; Huang, Q. Generative adversarial learning for optimizing ontology alignment. Expert Syst. 2023, 40, e12936. [Google Scholar] [CrossRef]
  10. Xiong, H.; Qin, Z. Revocable and scalable certificateless remote authentication protocol with anonymity for wireless body area networks. IEEE Trans. Inf. Forensics Secur. 2015, 10, 1442–1455. [Google Scholar] [CrossRef]
  11. Si-Ahmed, A.; Al-Garadi, M.A.; Boustia, N. Survey of Machine Learning based intrusion detection methods for Internet of Medical Things. Appl. Soft Comput. 2023, 140, 110227. [Google Scholar] [CrossRef]
  12. Singh, A.; Chatterjee, K.; Satapathy, S.C. TrIDS: An intelligent behavioural trust based IDS for smart healthcare system. Clust. Comput. 2023, 26, 903–925. [Google Scholar] [CrossRef]
  13. Nikkhah, F.; Safkhani, M. LAPCHS: A lightweight authentication protocol for cloud-based health-care systems. Comput. Netw. 2021, 187, 107833. [Google Scholar] [CrossRef]
  14. Gupta, S.; Arya, P.K.; Sharma, H.K. User anonymity-based secure authentication protocol for telemedical server systems. Int. J. Inf. Comput. Secur. 2023, 20, 199–219. [Google Scholar] [CrossRef]
  15. Safkhani, M.; Vasilakos, A. A new secure authentication protocol for telecare medicine information system and smart campus. IEEE Access 2019, 7, 23514–23526. [Google Scholar] [CrossRef]
  16. Alzahrani, B.A.; Irshad, A.; Albeshri, A.; Alsubhi, K. A provably secure and lightweight patient-healthcare authentication protocol in wireless body area networks. Wirel. Pers. Commun. 2021, 117, 47–69. [Google Scholar] [CrossRef]
  17. Yu, S.; Park, K. SALS-TMIS: Secure, Anonymous and Lightweight Privacy-Preserving Scheme for IoMT-Enabled TMIS Environments. IEEE Access 2022, 10, 60534–60549. [Google Scholar] [CrossRef]
  18. Lee, J.; Oh, J.; Park, Y. A secure and anonymous authentication protocol based on three-factor wireless medical sensor networks. Electronics 2023, 12, 1368. [Google Scholar] [CrossRef]
  19. Li, J.; Su, Z.; Guo, D.; Choo, K.K.R.; Ji, Y. PSL-MAAKA: Provably secure and lightweight mutual authentication and key agreement protocol for fully public channels in internet of medical things. IEEE Internet Things J. 2021, 8, 13183–13195. [Google Scholar] [CrossRef]
  20. Shamshad, S.; Ayub, M.F.; Mahmood, K.; Kumari, S.; Chaudhry, S.A.; Chen, C.M. An enhanced scheme for mutual authentication for healthcare services. Digit. Commun. Netw. 2022, 8, 150–161. [Google Scholar] [CrossRef]
  21. Diffie, W.; Van Oorschot, P.C.; Wiener, M.J. Authentication and authenticated key exchanges. Des. Codes Cryptogr. 1992, 2, 107–125. [Google Scholar] [CrossRef]
  22. Challa, S.; Das, A.K.; Odelu, V.; Kumar, N.; Kumari, S.; Khan, M.K.; Vasilakos, A.V. An efficient ECC-based provably secure three-factor user authentication and key agreement protocol for wireless healthcare sensor networks. Comput. Electr. Eng. 2018, 69, 534–554. [Google Scholar] [CrossRef]
  23. Soni, P.; Pal, A.K.; Islam, S.H. An improved three-factor authentication scheme for patient monitoring using WSN in remote health-care system. Comput. Methods Programs Biomed. 2019, 182, 105054. [Google Scholar] [CrossRef] [PubMed]
  24. Xu, G.; Wang, F.; Zhang, M.; Peng, J. Efficient and provably secure anonymous user authentication scheme for patient monitoring using wireless medical sensor networks. IEEE Access 2020, 8, 47282–47294. [Google Scholar] [CrossRef]
  25. Qiu, S.; Xu, G.; Ahmad, H.; Wang, L. A Robust Mutual Authentication Scheme Based on Elliptic Curve Cryptography for Telecare Medical Information Systems. IEEE Access 2018, 6, 7452–7463. [Google Scholar] [CrossRef]
  26. Sharma, G.; Kalra, S. A lightweight user authentication scheme for cloud-IoT based healthcare services. Iran. J. Sci. Technol. Trans. Electr. Eng. 2019, 43, 619–636. [Google Scholar] [CrossRef]
  27. Azrour, M.; Mabrouki, J.; Chaganti, R. New efficient and secured authentication protocol for remote healthcare systems in cloud-iot. Secur. Commun. Netw. 2021, 2021, 5546334. [Google Scholar] [CrossRef]
  28. Aghili, S.F.; Mala, H.; Shojafar, M.; Peris-Lopez, P. LACO: Lightweight three-factor authentication, access control and ownership transfer scheme for e-health systems in IoT. Future Gener. Comput. Syst. 2019, 96, 410–424. [Google Scholar] [CrossRef]
  29. Amintoosi, H.; Nikooghadam, M.; Shojafar, M.; Kumari, S.; Alazab, M. Slight: A lightweight authentication scheme for smart healthcare services. Comput. Electr. Eng. 2022, 99, 107803. [Google Scholar] [CrossRef]
  30. Merabet, F.; Cherif, A.; Belkadi, M.; Blazy, O.; Conchon, E.; Sauveron, D. New efficient M2C and M2M mutual authentication protocols for IoT-based healthcare applications. Peer-to-Peer Netw. Appl. 2020, 13, 439–474. [Google Scholar] [CrossRef]
  31. Kumari, A.; Kumar, V.; Abbasi, M.Y.; Kumari, S.; Chaudhary, P.; Chen, C.M. Csef: Cloud-based secure and efficient framework for smart medical system using ecc. IEEE Access 2020, 8, 107838–107852. [Google Scholar] [CrossRef]
  32. Wu, T.Y.; Yang, L.; Luo, J.N.; Ming-Tai Wu, J. A provably secure authentication and key agreement protocol in cloud-based smart healthcare environments. Secur. Commun. Netw. 2021, 2021, 2299632. [Google Scholar] [CrossRef]
  33. Hajian, R.; ZakeriKia, S.; Erfani, S.H.; Mirabi, M. SHAPARAK: Scalable healthcare authentication protocol with attack-resilience and anonymous key-agreement. Comput. Netw. 2020, 183, 107567. [Google Scholar] [CrossRef]
  34. Alladi, T.; Chamola, V. HARCI: A two-way authentication protocol for three entity healthcare IoT networks. IEEE J. Sel. Areas Commun. 2020, 39, 361–369. [Google Scholar] [CrossRef]
  35. Shuai, M.; Yu, N.; Wang, H.; Xiong, L.; Li, Y. A lightweight three-factor Anonymous authentication scheme with privacy protection for personalized healthcare applications. J. Organ. End User Comput. (JOEUC) 2021, 33, 1–18. [Google Scholar] [CrossRef]
  36. Xie, Q.; Ding, Z.; Hu, B. A secure and privacy-preserving three-factor anonymous authentication scheme for wireless sensor networks in Internet of Things. Secur. Commun. Netw. 2021, 2021, 4799223. [Google Scholar] [CrossRef]
  37. Agrahari, A.K.; Varma, S.; Venkatesan, S. Two factor authentication protocol for IoT based healthcare monitoring system. J. Ambient. Intell. Humaniz. Comput. 2022, 1–18. [Google Scholar] [CrossRef] [PubMed]
  38. Al-Saggaf, A.A.; Sheltami, T.; Alkhzaimi, H.; Ahmed, G. Lightweight two-factor-based user authentication protocol for iot-enabled healthcare ecosystem in quantum computing. Arab. J. Sci. Eng. 2023, 48, 2347–2357. [Google Scholar] [CrossRef] [PubMed]
  39. Dolev, D.; Yao, A. On the security of public key protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208. [Google Scholar] [CrossRef]
  40. Canetti, R.; Krawczyk, H. Analysis of key-exchange protocols and their use for building secure channels. In International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings of the EUROCRYPT 2001: Advances in Cryptology—EUROCRYPT 2001, Innsbruck, Austria, 6–10 May 2001; Springer: Berlin/Heidelberg, Germany, 2001; Volume 2045, pp. 453–474. [Google Scholar]
  41. Abdalla, M.; Fouque, P.A.; Pointcheval, D. Password-based authenticated key exchange in the three-party setting. In Public Key Cryptography-PKC 2005, Proceedings of the 8th International Workshop on Theory and Practice in Public Key Cryptography, Les Diablerets, Switzerland, 23–26 January 2005; Springer: Berlin/Heidelberg, Germany, 2005; Volume 3386, pp. 65–84. [Google Scholar]
  42. Li, X.; Liu, S.; Kumari, S.; Chen, C.M. PSAP-WSN: A Provably Secure Authentication Protocol for 5G-Based Wireless Sensor Networks. CMES-Comput. Model. Eng. Sci. 2023, 135, 711–732. [Google Scholar] [CrossRef]
  43. Chen, C.M.; Liu, S.; Li, X.; Islam, S.H.; Das, A.K. A provably-secure authenticated key agreement protocol for remote patient monitoring IoMT. J. Syst. Archit. 2023, 136, 102831. [Google Scholar] [CrossRef]
  44. Wang, D.; Cheng, H.; Wang, P.; Huang, X.; Jian, G. Zipf’s law in passwords. IEEE Trans. Inf. Forensics Secur. 2017, 12, 2776–2791. [Google Scholar] [CrossRef]
  45. Ge, M.; Kumari, S.; Chen, C.M. AuthPFS: A Method to Verify Perfect Forward Secrecy in Authentication Protocols. J. Netw. Intell. 2022, 7, 734–750. [Google Scholar]
  46. Armando, A.; Basin, D.; Boichut, Y.; Chevalier, Y.; Compagna, L.; Cuéllar, J.; Drielsma, P.H.; Héam, P.C.; Kouchnarenko, O.; Mantovani, J.; et al. The AVISPA tool for the automated validation of internet security protocols and applications. In Proceedings of the Computer Aided Verification: 17th International Conference, CAV 2005, Edinburgh, UK, 6–10 July 2005; Springer: Berlin/Heidelberg, Germany, 2005; pp. 281–285. [Google Scholar]
  47. Wu, T.Y.; Meng, Q.; Yang, L.; Kumari, S.; Pirouz, M. Amassing the Security: An Enhanced Authentication and Key AgreementProtocol for Remote Surgery in Healthcare Environment. CMES-Comput. Model. Eng. Sci. 2023, 134, 317–341. [Google Scholar] [CrossRef]
  48. De Caro, A.; Iovino, V. jPBC: Java pairing based cryptography. In Proceedings of the 2011 IEEE Symposium on Computers and Communications (ISCC), Kerkyra, Greece, 28 June–1 July 2011; pp. 850–855. [Google Scholar] [CrossRef]
Figure 1. The architecture of IoHT.
Figure 1. The architecture of IoHT.
Mathematics 11 03701 g001
Figure 2. U i ’s registration phase of Amintoosi et al.’s protocol.
Figure 2. U i ’s registration phase of Amintoosi et al.’s protocol.
Mathematics 11 03701 g002
Figure 3. S j ’s registration phase of Amintoosi et al.’s protocol.
Figure 3. S j ’s registration phase of Amintoosi et al.’s protocol.
Mathematics 11 03701 g003
Figure 4. Authentication phase of Amintoosi et al.’s protocol.
Figure 4. Authentication phase of Amintoosi et al.’s protocol.
Mathematics 11 03701 g004
Figure 5. PI attacks in Amintoosi et al.’s protocol.
Figure 5. PI attacks in Amintoosi et al.’s protocol.
Mathematics 11 03701 g005
Figure 6. Pre-deployment of sensor node.
Figure 6. Pre-deployment of sensor node.
Mathematics 11 03701 g006
Figure 7. Doctor registration phase.
Figure 7. Doctor registration phase.
Mathematics 11 03701 g007
Figure 8. Login and authentication phase.
Figure 8. Login and authentication phase.
Mathematics 11 03701 g008
Figure 9. The verification result of our protocol for PFS using Ge et al.’s method [45].
Figure 9. The verification result of our protocol for PFS using Ge et al.’s method [45].
Mathematics 11 03701 g009
Figure 10. Proof of AVISPA. (a) Role specification for user. (b) Role specification for gateway. (c) Role specification for sensor. (d) Role specification for session, goal, environment.
Figure 10. Proof of AVISPA. (a) Role specification for user. (b) Role specification for gateway. (c) Role specification for sensor. (d) Role specification for session, goal, environment.
Mathematics 11 03701 g010
Figure 11. The simulation results. (a) Result using OFMC backend. (b) Result using ATSE backend.
Figure 11. The simulation results. (a) Result using OFMC backend. (b) Result using ATSE backend.
Mathematics 11 03701 g011
Figure 12. The comparison of computational cost [23,29,33,35,47].
Figure 12. The comparison of computational cost [23,29,33,35,47].
Mathematics 11 03701 g012
Figure 13. The computational costs for users and sensors [23,29,33,35,47]. (a) Computational cost with few users. (b) Computational cost with few sensors. (c) Computational cost during user surge. (d) Computational cost during sensor surge.
Figure 13. The computational costs for users and sensors [23,29,33,35,47]. (a) Computational cost with few users. (b) Computational cost with few sensors. (c) Computational cost during user surge. (d) Computational cost during sensor surge.
Mathematics 11 03701 g013
Figure 14. Comparisons of communication cost [23,29,33,35,47].
Figure 14. Comparisons of communication cost [23,29,33,35,47].
Mathematics 11 03701 g014
Figure 15. Comparisons of storage cost [23,29,33,35,47].
Figure 15. Comparisons of storage cost [23,29,33,35,47].
Mathematics 11 03701 g015
Table 1. Notations.
Table 1. Notations.
NotationsDescription
U i i-th user
I D i , T I D i U i ’s identity and pseudo-identity
P W i Password of U i
M S Medical server
S I D M S ’s identity
sPrivate key of M S
G W N Gateway node
k G W N ’s private key
S j j-th sensor
I D S j S j ’s identity
X j Secret key of S j
S K Session key
T i Timestamp
a i , b i , c j , r i , r j , r s The random numbers
Bitwise XOR
h ( . ) Secure-hash function
| | Concatenation operation
Table 2. Simulation of queries.
Table 2. Simulation of queries.
QueryDescription
S e n d ( E , M i ) For S e n d ( I U i x , start). Assume I U i x is in a normal state and selects r i , I D S j , and T 1 to compute R i = h ( I D i a i r i ) , W 1 = R i h ( a i U M i ) , W 2 = I D S j h ( U M i R i ) , V 1 = h ( T I D i I D S j R i T 1 ) . Next, the query returns the M 1 = { P I D i , W 1 , W 2 , V 1 , T 1 } .
On S e n d ( I G W N y , ( P I D i , W 1 , W 2 , V 1 , T 1 ) ) . Assume that I G W N y computes U M i , R i , I D S j and checks V 1 in a normal state. Next, I G W N y calculates S M j , W 3 , V 2 . Then, I G W N y selects T 2 . The query is answered by M 2 = { T I D i , W 3 , V 2 , T 2 } .
For S e n d ( I S j z , ( T I D i , W 3 , V 2 , T 2 ) ) . On receiving the message { T I D i , W 3 , V 2 , T 2 } , I S j z computes S M j , R i , and checks the V 2 . Then, I S j z calculates R j , S K , W 4 , V 3 . Next, I S j z returns the output M 3 = { W 4 , V 3 , T 3 } .
For S e n d ( I G W N y , ( W 4 , V 3 , T 3 ) ) . Assume that I G W N y computes R j , and checks V 3 in a normal state. If the V 3 holds, I G W N y calculates W 5 , V 4 and selects T 4 . Then, the query returns the M 4 = { W 5 , V 4 , T 4 } .
On S e n d ( I U i x , W 5 , V 4 , T 4 ). Upon receiving the message ( W 5 , V 4 , T 4 ), I U i x computes R j and checks V 4 . If the V 4 is correct, I U i x computes S K , which means that the I U i x accepts and terminates.
E x e c u t e ( E ) Continue to use S e n d queries to simulate the process for E x e c u t e ( E ) . ( T I D i , W 1 , W 2 , V 1 , T 1 ) S e n d ( I U i x , start), ( T I D i , W 3 , V 2 , T 2 ) ⟵ S e n d ( I G W N y , ( T I D i , W 1 , W 2 , V 1 , T 1 ) ) , ( W 4 , V 3 , T 3 ) S e n d ( I S j z , ( T I D i , W 3 , V 2 , T 2 ) ) , ( W 5 , V 4 , T 4 ) S e n d ( I G W N y , ( W 4 , V 3 , T 3 ) ) . The query returns ( T I D i , W 1 , W 2 , V 1 , T 1 ) , ( T I D i , W 3 , V 2 , T 2 ), ( W 4 , V 3 , T 3 ) and ( W 5 , V 4 , T 4 ).
C o r r u p t ( E ) If the I U i x is accepted, this query outputs { U O i , U P i , U Q i } in the smart device.
T e s t ( E ) Flip the coin c. If the result is 1, the S K will be returned. Otherwise, a random string of the same length as S K will be returned.
Table 3. Security comparison results.
Table 3. Security comparison results.
Security PropertiesSoni et al. [23]Hajian et al. [33]Shuai et al. [35]Amintoosi et al. [29]Wu et al. [47]Ours
S1× [17]
S2× [24]× [36]
S3× [36]×
S4× [24]
S5× [17]
S6× [24]
S7× [17]
S8×
Table 4. Configuration of simulated devices.
Table 4. Configuration of simulated devices.
Lenovo LaptopDesktop ComputerMI 8
Operating SystemWindows 10Windows 10Android system
CPUIntel(R) Core(TM)
i7-6700HQ CPU @ 2.60 GHz
Intel(R) Core(TM)
i5-9500 CPU @ 3.00 GHz
Qualcomm Snapdragon
845
Running Memory8 GB16 GB6 GB
Table 5. Running time of operations.
Table 5. Running time of operations.
DefinitionsOperations U i (ms) GWN (ms) S j (ms)
T p m Point scalar multiplication0.43260.36720.5543
T s d Symmetric key encryption/decryption0.18640.14820.2458
T h Hash function0.00320.00280.0043
Table 6. Computational cost comparison.
Table 6. Computational cost comparison.
Protocols U i (ms) GWN (ms) S j (ms)
Soni et al. [23] T f + 12 T h + 3 T p m ≈ 1.3394 11 T h + 3 T p m ≈ 1.1324 5 T h ≈ 0.0215
Hajian et al. [33] 12 T h ≈ 0.0384 7 T h ≈ 0.0196 9 T h ≈ 0.0387
Shuai et al. [35] T f + 7 T h + 2 T s d ≈ 0.3984 10 T h + 2 T s d ≈ 0.3244 4 T h ≈ 0.0172
Amintoosi et al. [29] 8 T h ≈ 0.0256 10 T h ≈ 0.0280 6 T h ≈ 0.0258
Wu et al. [47] T f + 15 T h ≈ 0.0512 21 T h ≈ 0.0588 9 T h ≈ 0.0387
Ours 12 T h ≈ 0.0384 12 T h ≈ 0.0336 7 T h ≈ 0.0301
Table 7. Communication cost comparisons.
Table 7. Communication cost comparisons.
ProtocolsRoundsCommunication Cost
Soni et al. [23]42400 bits
Hajian et al. [33]53296 bits
Shuai et al. [35]41952 bits
Amintoosi et al. [29]42176 bits
Wu et al. [47]42560 bits
Ours42112 bits
Table 8. Storage cost comparisons.
Table 8. Storage cost comparisons.
ProtocolsStorage Cost
Soni et al. [23]1632 bits
Hajian et al. [33]2336 bits
Shuai et al. [35]1728 bits
Amintoosi et al. [29]2208 bits
Wu et al. [47]1792 bits
Ours1472 bits
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Wu, T.-Y.; Wang, L.; Chen, C.-M. Enhancing the Security: A Lightweight Authentication and Key Agreement Protocol for Smart Medical Services in the IoHT. Mathematics 2023, 11, 3701. https://doi.org/10.3390/math11173701

AMA Style

Wu T-Y, Wang L, Chen C-M. Enhancing the Security: A Lightweight Authentication and Key Agreement Protocol for Smart Medical Services in the IoHT. Mathematics. 2023; 11(17):3701. https://doi.org/10.3390/math11173701

Chicago/Turabian Style

Wu, Tsu-Yang, Liyang Wang, and Chien-Ming Chen. 2023. "Enhancing the Security: A Lightweight Authentication and Key Agreement Protocol for Smart Medical Services in the IoHT" Mathematics 11, no. 17: 3701. https://doi.org/10.3390/math11173701

APA Style

Wu, T. -Y., Wang, L., & Chen, C. -M. (2023). Enhancing the Security: A Lightweight Authentication and Key Agreement Protocol for Smart Medical Services in the IoHT. Mathematics, 11(17), 3701. https://doi.org/10.3390/math11173701

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop