An efficient and secure certificateless authentication protocol for healthcare system on wireless medical sensor networks.

Sensor networks have opened up new opportunities in healthcare systems, which can transmit patient's condition to health professional's hand-held devices in time. The patient's physiological signals are very sensitive and the networks are extremely vulnerable to many attacks. It must be ensured that patient's privacy is not exposed to unauthorized entities. Therefore, the control of access to healthcare systems has become a crucial challenge. An efficient and secure authentication protocol will thus be needed in wireless medical sensor networks. In this paper, we propose a certificateless authentication scheme without bilinear pairing while providing patient anonymity. Compared with other related protocols, the proposed scheme needs less computation and communication cost and preserves stronger security. Our performance evaluations show that this protocol is more practical for healthcare system in wireless medical sensor networks.

1. Introduction

Wireless medical sensor networks (WMSNs) have a capability of connecting patient with doctor by using of lightweight devices with limited memory, small and low power [1]. All these medical sensors collaborate together to collecting patient's physiological signals (e.g., blood pressure, blood sugar, and pulse oximeter) and send the collected data to health professional's hand-held devices (i.e., PDA, iPhone, iPad, etc.) via a wireless channel. The doctor uses these hand-held devices to observe the patient's real-time health condition.

However, the healthcare system on WMSN has many challenges, such as reliable data transmission, timely delivery of data, and power management [2]. Patient's privacy, a big concern for healthcare system, must be ensured at all sections on WMSN. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established rules for healthcare provider that it is necessary to control who is accessing to medical server's (MS's) resources and whether they are authorized to do so. Therefore, a secure authentication scheme among patient, MS, and doctor is needed to protect the patient's privacy. So far many schemes that use cryptography have been proposed for this goal.

Most recently, Pu et al. [3] proposed a generic construction of smart card-based password authentication protocol for Telecare Medicine Information Systems (TMIS) and proved its security. Wu et al. [4] proposed a concrete efficient authentication scheme for TMIS. In their scheme, Wu et al. introduced a precomputing phase to compute costly and time-consuming exponential operations that are stored in a smart card. He et al. [5] pointed out that Wu et al.'s scheme could not resist impersonation attack and insider attack. Then, they proposed a more secure authentication scheme for TMIS. However, Wei et al. [6] demonstrated that both of Wu et al.'s scheme and He et al.'s scheme could not achieve a two-factor authentication. To overcome the weakness, Wei et al. proposed an improved authentication scheme for TMIS. Zhu [7] showed that Wei et al.'s scheme is vulnerable to an offline password guessing attack and also proposed a new authentication scheme for TMIS.

A common property of the above schemes is that the patient's identity ID is transmitted in plaintext on the public channel, which leads to impersonating attack and divulging the patient's privacy. To avoid these risks, based on the identity-based public key cryptography (ID-PKC) [8], Das et al. [9] proposed a dynamic ID-based remote client authentication scheme without any verifier table. However, Chien and Chen [10] pointed out that it fails to protect the anonymity of a user, and Ku and Chang [11] demonstrated that it is vulnerable to impersonation attack.

To address the key escrow problem [8] in ID-based authentication scheme, Xiong et al. [12] and Zhang et al. [13] proposed two certificateless authentication schemes, respectively. Unfortunately, their schemes are based on the bilinear pairing. Chen et al. [14] pointed out that the relative computation cost of the bilinear pairing is approximately twenty times higher than that of the scalar multiplication over a cyclic additive group, which is unsuitable for healthcare system on WMSN with lower computation power. Therefore, it is vitally important to present a certificateless authentication without bilinear pairing in the healthcare system.

In this paper, based on certificateless public key cryptography (CL-PKC) [15], we propose a certificateless authentication scheme without bilinear pairing in healthcare system on WMSN. Our protocol can establish a secure channel in Patient-to-MS and Doctor-to-MS with high efficiency. The proposed scheme has the following advantages: (1) it limits the power of MS to resist the malicious MS attack. (2) It ensures that the serial numbers of patient's wearable medical sensor and doctor's hand-held device can be updated in time. (3) It avoids the management of digital certificate and releases the key escrow problem by MS. (4) It achieves the Girault trust level 3 [16] as in traditional public key infrastructure (PKI). (5) It provides patient anonymity. (6) It preserves the perfect forward secrecy. (7) It can resist replay attack and impersonation attack. (8) It does not need to operate the bilinear pairing.

The remainder of this paper is organized as follows. Section 2 addresses some preliminaries such as the computational assumptions, security model, Girault's trust level, and the model of certificateless authentication. Section 3 proposes a certificateless authentication scheme and analyzes its security. Section 4 compares the proposed scheme with some other related schemes. Finally, we conclude the paper in Section 5.

2. Preliminaries

In this section, we review some fundamental backgrounds required in this paper, namely, computational assumptions, security model, Girault's trust level, and the model of certificateless authentication.

2.1. Computational Assumptions

The security of our protocol is based on the following computational assumptions:

Discrete Logarithm (DL) problem: let G be a cyclic additive group of prime order p; P is a generator of G. Given Q ∈ G, find an integer x ∈ Z * such that Q = xP.

The DL assumption is that there is no polynomial time algorithm that can solve the DL problem with nonnegligible probability.

Computational Diffie-Hellman (CDH) problem: let G be a cyclic additive group of prime order p; P is a generator of G. Given Q, R ∈ G and Q = xP,  R = yP for any x, y ∈ Z *, compute x yP.

The CDH assumption is that there is no polynomial time algorithm that can solve CDH problem with nonnegligible probability.

2.2. Security Model

In WMSN, we assume that attackers are “internal adversary” and “external adversary.” Internal adversary is a legitimate member of WMSN, such as the malicious MS who has the ability of obtaining the private key and eavesdropping the privacy information of patient. We also assume that the external adversary is divided into four kinds. Type I adversary may capture the transmitted information between patient and doctor. By this information, Type I adversary can get the specific identity of patient. Type II adversary has a capability of extracting the secret key from the transmitted information; it may derivate the secret key in previous session by using this extracted key. Type III adversary may eavesdrop the transmitted information in public channel. Then, it transmits this information again to deceive patient (or doctor) that is provided from the legitimate doctor (or patient). Type IV adversary may capture the transmitted information and extract some important data from it. After that, it may impersonate the patient (or doctor) to communicate with the legitimate doctor (or patient).

2.3. Girault's Trust Level

Girault's trust level provides the trust hierarchy for public key cryptography, which can be used to judge the creditability of the authority (e.g., the MS in the healthcare system on WMSN).

Level 1: the authority knows (or can easily compute) users' secret keys. Therefore, the authority can impersonate any user at any time without being detected.

Level 2: the authority does not knows (or cannot easily compute) users' secret keys. Nevertheless, it can still impersonate user by generating false guarantees (e.g., false public keys).

Level 3: the authority cannot compute users' secret keys, and it can be proven that it generates false guarantees of users' if it does so.

According to these definitions, we can easily find that the conventional certificateless cryptography can reach Level 2, and a traditional PKI can achieve Level 3 while the ID-PKC falls into Level 1.

2.4. Model of Certificateless Authentication

A certificateless authentication scheme consists of six probabilistic, polynomial time algorithms: Setup, User-Key-Generation, Partial-Key-Extract, Set-Private-Key, Set-Public-Key, and Authentication. These algorithms are defined as follows.

Setup. Taking security parameter k as input, the authority returns a list of public parameters param and a randomly chosen master secret key msk.

User-Key-Generation. Taking a list of public parameters param as input, the user returns a secret key sk and a public key pk.

Partial-Key-Extract. Taking param,  msk, user's identity ID, and pk received from the user as inputs, the authority returns a partial private key D ID and a partial public key P ID.

Set-Private-Key. Taking param, D ID, and sk as inputs, the user returns a private key SKID.

Set-Public-Key. Taking param, P ID, and pk as inputs, the user returns a public key PKID.

Authentication. Taking identity, private key of the sender, and a list of parameters param as inputs, the receiver verifies the legality of the sender by its public key.

This model is similar to that of [15] but with a crucial difference that User-Key-Generation algorithm must be run prior to the Partial-Key-Extract algorithm, which makes the scheme achieve Girault's trust level 3.

3. Our Protocol

In this section, we propose a certificateless authentication scheme without bilinear pairing to ensure the legality of Patient and Doctor by the MS.

3.1. Construction

The proposed scheme involves three entities: Patient, Doctor, and MS. Before Patient obtains the wearable medical sensor at the first time, MS presets the {ID, S } ∈ {0,1} and {ID, S } ∈ {0,1} into Patient's sensor and his/her doctor's health professional hand-held device through the secure channel as their identities and the serial numbers of equipments, respectively. Besides, these two serial numbers will be preserved secretly by themselves. The details of our certificateless authentication scheme are as follows.

We show the initialization phase of this protocol in Figure 1.

Figure 1

Initialization phase.

Setup. The MS generates a large prime p, which makes the DL and CDH problems in the cyclic additive group G with generator P of order p be intractable. Then, the MS picks x ∈ Z * uniformly at random, computes X = xP, and chooses hash functions which can be achieved easily by collision-resistant hash function. Return {p, P, G, X, H 1, H 2, H 3, H 4, H 5} as scheme parameters and the master secret key msk = {x}.

Patient/Doctor-Key-Generation. The Patient and the Doctor pick y, z ∈ Z * at random, compute Y = yP,  Z = zP, and return (sk, pk) = (y, Y) and (sk, pk) = (z, Z), respectively.

Partial-Key-Extract. The MS picks s ∈ Z * at random and computes

Return (P, D ID) = (ω, d ), (P, D ID) = (ω, d ) as partial keys to be placed into Patient's sensor and the Doctor's hand-held device, respectively.

Set-Private-Key. The Patient sets SKID = (sk, D ID) = (y, d ) as his/her private key, and the Doctor sets SKID = (sk, D ID) = (z, d ) as his/her private key as well.

Set-Public-Key. Set PKID = (pk, ω) and PKID = (pk, ω) as the public keys of Patient and Doctor, respectively.

Now, we show the authentication phase in Figure 2.

Figure 2

Authentication phase.

Authentication

Step

The Patient picks the current time stamp t and computes

Send {M , t } to the MS.

Step 2

The Doctor picks the current time stamp t and computes

Send {M , t } to the MS.

Step 3

If (t* − t ) < Δt and (t* − t ) < Δt , where Δt and Δt denote the expected valid time interval for time delay of Patient and Doctor, the MS proceeds to the next step. Otherwise, return “Reject.”

Step 4

The MS computes

If M ′ is equal to M , Patient is a legal one. Otherwise, return “Reject.” In addition, if M ′ is equal to M , Doctor is a legal one. Otherwise, return “Reject.”

Step 5

The MS picks N ∈ {0,1} uniformly at random and updates the serial numbers of Patient and Doctor as follows:

Send {N } to Patient and Doctor.

Step 6

By using of {N }, Patient computes for updating the serial number of his/her wearable medical sensor.

Step 7

After obtaining {N }, Doctor computes for updating the serial number of his/her hand-held device.

3.2. Security Analysis

Theorem 1

This certificateless authentication scheme is secure in the following possible attacks, provided that H 1 is a collision-resistance hash function and DL and CDH problems are intractable.

Proof

Anonymity. In the proposed scheme, the partial key d = s + xH 1(ID, ω, pk) is used instead of ID to ensure the Patient's anonymity. Since ID is never transmitted as plaintext form in the public channel, Type I adversary cannot find the real identity ID of Patient. That is, when Patient transmits his/her health information, their real identity ID can only be computed as d = s + xH 1(ID, ω, pk) to be transmitted, where s is a random value, H 1 is a collision-resistant hash function, and x is the master secret key which is preserved by MS. Therefore, Type I adversary cannot trace Patient.

Perfect Forward Secrecy. To extract {M , M } without the knowledge of the values {r , y, d , r , z, d }, Type II adversary should solve the DL problem and the CDH problem from public parameters. Moreover, r = H 2(ID, S , t ) and r = H 2(ID, S , t ) will be different in every session for the reason of time stamps {t , t } and the updated serial numbers {S , S }. Therefore, Type II adversary cannot receive the previous value {r , y, d , r , z, d } and the protocol enjoys the perfect forward security.

Replay Attack. During the data transmission, Type III adversary may eavesdrop {M ,  M } and impersonate the legitimate Patient and Doctor to transmit {M ,  M } to MS. After each session is over, the serial numbers of the Patient's sensor and Doctor's hand-held device have been updated to be the new serial numbers {S ,  S }, which can be used to generate the new messages  {M ,  M }. Hence, Type III adversary cannot pass the verification by retransmitting {M , M } in the new session. Moreover, there are time stamps {t , t } in this scheme, which ensures the freshness of {M , M }.

Impersonation Attack. The impersonation attack fails due to the secret serial number. Provided that Type IV adversary wants to impersonate the legitimate Patient and Doctor, it must produce the relative {M , M } for passing the verification of MS. However, in order to generate the exactly {M , M }, Type IV adversary needs to obtain the current serial numbers {S , S } first of all, which are preserved secretly by Patient and Doctor and updated in time in the end of Authentication phase. Therefore, Type IV adversary has no capability to impersonate the legitimate Patient and Doctor to generate the correct {M , M }.

Malicious MS Attack. The malicious MS cannot obtain the private keys to eavesdrop the privacy information of patient. This authentication scheme is proposed on the base of CL-PKC, and the private keys (SKID, SKID) generated by Patient and Doctor consist of partial private keys (d , d ) and the secret values (y, z). The malicious MS cannot obtain (y, z) from public parameters for the intractable of DL and CDH problems. Therefore, our scheme can resist the malicious MS attack.

Achieve Girault's Trust Level 3. The Patient/Doctor-Key-Generation must be run prior to Partial-Key-Extract. In this way, the Partial-Key-Extract algorithm includes (pk, pk) generated by Patient and Doctor as input. Therefore, provided that the MS replaces (pk, pk), there will exist two working keys (pk, pk′) and (pk, pk′) for Patient and Doctor, respectively. Furthermore, two working public keys (PKID, PKID′) binding only one identity ID can result from two partial private keys (the same to Doctor), and only the MS could generate these two working partial private keys. Hence, it can be proven that MS generates false guarantees of Patient and Doctor, which means that our scheme achieves Girault's trust level 3 (the same level as is enjoyed in a traditional PKI).

Thus, to sum up the analysis above, we complete the proof of Theorem 1.

4. Comparisons

In this section, we evaluate some performance issues of our protocol with related works in functionality and efficiency.

4.1. Functionality Comparisons

Table 1 demonstrates the functionality comparisons between the proposed scheme and others [7, 12, 13]. Zhu's, Xiong et al.'s, and Zhang et al.'s protocols do not provide user anonymity. Moreover, the schemes in [12, 13] are insecure against the replay attack. However, as shown in Table 1, our scheme not only provides user anonymity but also achieves all security requirements. Furthermore, our scheme does not need an additional certificate to bind the user to its public key.

Table 1

Functionality comparisons.

Properties	[7]	[12]	[13]	Ours
User anonymity	No	No	No	Yes
Perfect forward secrecy	No	Yes	Yes	Yes
Replay attack resistance	Yes	No	No	Yes
Impersonation attack resistance	Yes	Yes	Yes	Yes
Malicious server attack resistance	Yes	Yes	Yes	Yes
No certificate management	No	Yes	Yes	Yes
Trust level	1	2	3	3

4.2. Efficiency Comparisons

In this subsection, we compare the proposed scheme with others on the computation complexity of authentication (Authen), bandwidth of the largest message (Bandwidth), and operation time in authentication (Time). Without considering the addition of two points, hash function and exclusive-OR operations, each scheme has three types of operations, that is, pairing (P), exponentiation (E), and scalar multiplication (S).

We evaluate the cryptographic operations by using of MIRACL (version 5.6.1, [17]), a standard cryptographic library, on a laptop using the Intel Core i5-2400 at a frequency of 3.10 GHz with 3 GB memory, and then obtain the average running time in Table 2. For pairing-based schemes, we use the Fast-Tate-Pairing in MIRACL, which is defined over the MNT curve E/F [18] with embedding degree 4, and q is a 160-bit prime. For ECC-based scheme, we employed the parameter secp192r1 [19], where p = 2192 − 264 − 1. Moreover, the length of an element in multiplication group is set to be 1024 bits.

Table 2

Cryptographic operation time.

Fast-Tate-Pairing	Exponential	Scalar multiplication
2.66 ms	3.75 ms	0.94 ms

We compare the computation cost of different protocols with the method in [20]. For example, to finish the authentication in [12], six pairing operations, six exponentiations in Z *, and twenty-one scalar multiplications are needed; thus, the operation time is 2.66 × 6 + 3.75 × 6 + 0.94 × 21 = 58.2 ms. Assuming the bit size of the identity, the point in additional group and the output of one-way hash function are all 192 bits. We also assume that the size of timestamp is 32 bits. In [12], the largest message contains three points in additional group and one identification; thus, the bandwidth of it is (192 × 3 + 192)/8 = 96 bytes. The detailed comparison results are demonstrated in Table 3.

Table 3

Efficiency comparisons.

Scheme	Authen	Bandwidth	Time
[7]	4E	48 bytes	15 ms
[12]	6P + 6E + 21S	96 bytes	58.2 ms
[13]	2P + 10S	72 bytes	14.72 ms
Ours	8S	28 bytes	7.52 ms

From Table 3, we know that the largest bandwidth of our scheme is only 28 bytes and the whole operation time in authentication is only 7.52 ms, which shows that our protocol is suitable for the lightweight devices (with limited memory, small and low power) in the healthcare system on WMSN.

5. Conclusions

In this paper, we propose a secure certificateless authentication scheme to ensure the legality of Patient and Doctor in healthcare system on WMSN. Meanwhile, this protocol also provides patient anonymity and resists the malicious MS attack to meet the privacy requirements in HIPAA. Our certificateless authentication protocol achieves a lower communication and computational overhead and stronger security than others. By the performance evaluation, the results show that our protocol is suitable for healthcare system on WMSN.