Two factor authentication protocol for IoT based healthcare monitoring system.

In the last few years, technological advancement has led to the use of wearable body sensors for gathering patient information. Wireless body area networks played an essential role in the modern medical era. Through wearable body sensors, patient data are sent to medical professionals in real-time without any hindrance. This information moves through the public channel, and thus proper security and protection are needed because of its sensitiveness. Many authentication protocols proposed for solving these issues were neither secure nor cost-effective. This paper proposed an authentication protocol using certificateless cryptography for wireless body area networks to resolve the associated security concerns. A formal security analysis is done using the Burrows-Abadi-Needham logic shows that the proposed protocol is resilient against prevailing attacks. Additionally, we employ the Real-or-Random model for mathematical proof and Automated Verification Security Protocol and Analysis simulation tool for security analysis. A detailed comprehensive comparison with the existing protocols indicates that the proposed protocol is cost-effective with improved functionality.

Introduction

With the progression in the Internet of Things (IoT), many remote innovation have been implemented for instance in smart homes, innovative medical services, smart grid technology, for a more brilliant life. They utilized this innovation to beat the issues of this present reality climate. In this innovation region, the wearable medical services observing framework is a piece of the shrewd medical services framework. Wireless body area network (WBAN) is also part of the intelligent health care system where the sensors can be use for the network to obtain the patient information to screen their health. These sensors are portable and small in size and an intercommunicating device can be used as a wearable or is implanted in the patient body to observe the vitals symptoms of the patient. These wearable sensors observed various physiological data, including electromyography, electrocardiogram, oxygen saturation (SPO2) level, blood pressure, blood glucose, temperature, heartbeat level, etc. (Koya and Deepthi 2018). The advancement in the technology has solved the issue of sending real-time medical data to the concerned authority. These wearable sensors will be beneficial for more older people and sick individuals who cannot get to the clinic routinely for medication (Omala et al. 2018; Suriyakrishnaan and Sridharan 2018).

In WBAN, patients’ information are collected via multiple wearable sensors and is forwarded to a regulator, such as a Personal Digital Assistant (PDA). The PDA then sends received information to the medical server using a public channel. Finally, this collective information is delivered to a specialist who prescribes the medication accordingly. Since health data is classified; therefore only authorized users should be able to access this information. Thus, trustworthiness and security is the fundamental aspect of this proposed system.

As indicated by the hypothesis of Gartner (https://www.gartner.com/en/newsroom/press-releases/2018-11-07-gartner-identifies-top-10-strategic-iot-technologies-and-trends), more than 14 billion IoT gadgets have been utilized till 2020, which is a lot higher than the earlier years. Gartner conjectures that 25 billion associated gadgets will be put to use in 2021, delivering massive volumes of non-structured or semi-organized information (Assunção et al. 2015).

In this paper, will discuss about specific uses of wearable sensors. In our day-to-day tasks, wearable gadgets are used to monitor carbohydrate levels, step count, etc. We make use of smart wearable sensors for constantly observing the patients’ information to identify the patient’s crisis in medical care. Table 1 defines the important abbreviations used in this paper.

Table 1

Used abbreviations and their meaning

Abbreviation	Description
WBAN	Wireless body area network
IOT	Internet of Things
PDA	Personal digital assistant
TA	Trusted authority
MAKA	Mutual authentication and key agreement protocols
BAN logic	Burrows–Abadi–Needham logic
AVISPA	Automated verification security protocol and analysis simulation
ROR	Real-or-Random (ROR)
SPO2	oxygen saturation
A	Adversary
k-mBIDH	Modified Bilinear inverse Diffie–Hellman with k values
CDH problem	Computational Deffie–Hellman problem
DY adversary model	Dolev–Yao adversary model
CK adversary model	Canetti and Krawczyk’s adversary model
AdvAP(t)	the advantage of A to break the semantic security of our proposed protocol P in the polynomial time t
Pr[Succ_i]	Succ_i denotes the probability of A winning the game G_i

Motivation

As observed in the COVID-19 crisis, with a multitude of positive patients, the lack of hospitals and limited medical infrastructure restricted patients from availing needed treatment. Non-critical patients were provided healthcare supervision from their homes. Thus, remotely accessing patient data must become an essential part of healthcare monitoring systems. Remote sensly data collected using wearable sensors are sensitive thus require a secure communication channel. Hence, we propose an authentication protocol that utilizes Certificateless encryption and satisfies all necessary security boundaries.

Research contribution

The fundamental commitment of this work is as follows:-

A new two-factor authentication scheme is designed for Wireless Body Area Network (WBAN), where the doctor will remotely access the patient data.

Self-authentication of the user (doctor) is done using the user’s smart card that stores the essential credentials. It means that in the login phase, the server will authenticate the user from their smart card and credentials.

The proposed scheme will mainly focus to secure against prevailing attack and key escrow problem.

A secure Mutual Authenticate and Key Agreement (MAKA) scheme is established between the PDA and the hospital server.

The proposed authentication scheme is semantic secure, and proved by the ROR model. We also show that our proposed authentication protocol is secure against different notable attacks in the informal security analysis.

To support our claims, a formal security analysis is conducted using the BAN logic and a formal verification using the AVISPA simulation tool.

Finally, we present a detailed comparative analysis between the proposed scheme and the existing schemes. This analysis shows that our proposed scheme is more effective and efficient compared to the other schemes, and is also secure against the prevailing attacks.

Road map of the paper

The paper’s road map is as follows: We have review the current research work in the Sect. 2. Section 3 defines the system framework and threat model. Section 4 discusses the mathematical preliminaries and some complex concept used in the proposed protocol. The proposed scheme is introduced in Sect. 5, divided into the four phases, i.e., the setup phase, registration phase, login phase, and authentication and key agreement phase. Section 6 give a detailed formal, informal, and mathematical security analysis of the proposed scheme. In Sect. 7, we have compared our proposed protocol based on computational cost and security requirements, and conclude our work in Sect. 8.

Related work

Currently, there are numerous mutual authentication and key agreement protocols (MAKA). In 2009, Yang and Chang (2009) published the Id-based scheme utilizing the elliptic curve cryptography. However, Yoon and Yoo (2009) showed that Yang’s scheme didn’t exhibit the perfect forward secrecy. Like Yang, Cao et al. (2010) published the authentication protocol based on identity-based encryption, however, it couldn’t represent user obscurity and unlinkability. In 2012, Debiao et al. (2012) proposed a validation protocol utilizing the elliptic curve idea. However, Wang and Ma (2013) demonstrated that (Debiao et al. 2012) did not give the mutual authentication and wasn’t sure against the reflection attack.

Wang and Zhang (2015) proposed the new anonymous authentication protocol with bilinear pairing, which has the key escrow problem. Zhao (2014) also proposed an authentication protocol for WBAN, but it was not cost effective. Wu et al. (2016) highlighted that Wang and Zhang (2015) couldn’t withstand to impersonation attack. The two schemes based on wireless body area network proposed by Liu et al. (2013), and Xiong and Qin (2015) could not resist impersonation attack. Likewise, in 2015 Tsai and Lo (2015) proposed the identity-based authentication protocol. In this protocol, mobile users and service providers register for the third party, who produce the long-term secret key for every client and service provider and furthermore guarantees that this protocol is secure against some notable attacks. But Jiang et al. (2016) illustrated that Tsai and Lo (2015) was not secure against the impersonation attack and also failed accomplish the mutual authentication. Nonetheless, potential solutions for the aforementioned issues were introduced in Irshad et al. (2016); Amin et al. (2016); He et al. (2016). Karati et al. (2018a) have tended to the key escrow issue in their certificate-less signature scheme, which is secure against the active attacker. Similarly, Karati et al. (2018b) also address the key escrow issue in their industrial IoT authentication protocol. Nonetheless, both schemes do not accomplish full authentication, i.e., client’s public key is not verified by the focal authority.

Recently, Jia et al. (2019) proposed an identity-based authentication and key arrangement protocol that fulfills client secrecy but not safe from the key escrow problem. In 2020 Sowjanya et al. (2020) established that Li et al. (2017) authentication protocol is not good for end-to-end communication for the medical services framework. In the same year, Zhang et al. (2020) proposed the authentication protocol utilizing the bilinear pairing, however, they couldn’t safeguard their protocol from the key escrow issue. We have also reviewed some more papers which is related to our work (Abualigah et al. 2021a, b; Abualigah and Diabat 2021; Abualigah 2019; Singh and Chaurasiya 2021).

A detailed analysis of related work is done in Table 2.

Table 2

Issues in previous authentication schemes

Schemes	Methodology	Drawbacks	Formal analysis	Mathematical analysis	Simulation analysis
Yang and Chang (2009)	Elliptic curve cryptography	Not achieve perfect forward secrecy	No	No	No
Yoon and Yoo (2009)	Elliptic curve cryptography	Existence of Key escrow problem	No	No	No
Cao et al. (2010)	Identity based cryptography	Existence of Key escrow problem and could not achieve user anonymity	No	No	Yes
Debiao et al. (2012)	Elliptic curve cryptography	Parallel key session attack and Reflection attack	No	Yes	No
Wang and Zhang (2015)	Identity based cryptography	Existence of Key escrow problem and Impersonation attack	No	No	No
Wu et al. (2016)	Identity based cryptography	Existence of Key escrow problem	No	Yes	No
Tsai and Lo (2015)	Identity based cryptography	Existence of Key escrow problem and impersonation attack	No	Yes	Yes
Karati et al. (2018a)	Certificate-less signature scheme	Do not accomplish full authentication and not secure against Type-I adversary and	No	No	Yes
Karati et al. (2018b)	Certificate-less signature scheme	Do not accomplish full authentication and existentially forgeable against the key replacement attack	No	No	No
Jia et al. (2019)	Identity based cryptography	Existence of Key escrow problem	No	Yes	Yes
Li et al. (2017)	Elliptic curve cryptography	No key control and also perfect forward secrecy not exist	Yes	No	No
Zhang et al. (2020)	Identity based cryptography	Existence of Key escrow problem	No	Yes	Yes

System framework and threat model

System framework

The system framework has four entities, namely, Trusted Authority (TA), user, server, and PDA. The user initially sends the registration request to the TA. At that point, the TA issues the smart card for the user. The server and the PDA also send the registration requests to the TA. TA creates the long-term secrets and fractional secret keys and send to the server and PDA qfter getting the keys, the server and the PDA produce their secret keys. After the registration phase, the login phase is enabled, and in this phase, the server checks the user’s authenticity. In the last phase, the server and the PDA mutually authenticate each other and create a session key for future communication. The system framework is depicted in Fig.1.

Fig. 1

System framework

Threat model

For authentication, there are two widely accepted adversary models, i.e., the Dolev-Yao adversary model (Dolev and Yao 1983) and the CK-adversary model (Canetti and Krawczyk 2001). These models are applicable when two parties communicate with each other through the public (insecure) channel. According to the DY model, an adversary can intercept the messages which are sent between the parties and also reposition, control, manipulate, eavesdrop, or delete the messages. In the proposed framework, in addition to the DY model, we will also use the CK-adversary model, which is currently de facto for authentication and key exchange protocol. In the CK-adversary model, the adversary not only controls, manipulates, eavesdrops, or deletes the message but also compromises the secret key and the session key. The adversary captures the wearable body sensors physically and can get the stored credentials of those devices. This information is used for unauthorized activities like session key computation, impersonation attack, node capture attack, and privileged-insider attack. However, the TA is treated as a trusted authority in our proposed protocol and it is not physically captured by adversary .

Mathematical preliminaries

This section will discuss the fundamental concepts and some predefined hard problems that were used in our proposed protocol to ensure wearable sensors’ security.

Ony way cryptographic hash function

A one-way cryptographic hash function takes an input string X of an arbitrary length and outputs a fixed length string Y called the hash value. The main property of the hash function is as follows:

Collision resistance It is hard to find the pair of two inputs like , where , but .

Pre-image resistance From the given hash value Y , it is hard to find the value of , Where .

Bilinear pairing

Let and are two cyclic groups. Where, is the additive group and is the multiplicative group. The order of both the group is q. The bilinear pairing function can be defined as and P is the generator point of and g is the generator point of .

The condition of bilinear pairing function exist when the pairing is able to meet the following conditions:

Bilinear Given two points and two numbers , The bilinear property states that equation holds.

Non-degeneracy Given two points and let 1 is the identity element of . Then non-degeneracy property states that .

Computability It is efficient to find the value of e(P, Q), for all points of .

Complexity assumption

This subsection discusses some hard problems which are difficult to solve in polynomial time. These hard problems have been used in our proposed scheme:

Computational Deffie–Hellman (CDH) problem He et al. (2016) Given two points , it is hard to compute the value of , where the value of is unknown.

Modified Bilinear inverse Diffie-Hellman with k values (k-mBIDH) problem Given the values of {, { , , } and , .... It is hard to compute the value of where the value of is unknown.

Elliptic curve discrete logarithm problem Agrahari and Varma (2020) Given the two points , it is computationally hard to find the value of {a} from in polynomial time. Where .

Proposed scheme

In this section, we elaborate our proposed certificateless cryptography scheme for mutual authentication and key establishment.

Our scheme is divided into 4 phases, i.e., “setup phase”, “registration phase”, “login phase”, and “authentication and key establishment phase”. The notations used in our proposed protocol are mentioned in Table 3. The description of all the phases is as follows:

Table 3

Notation used in our proposed protocol

Notations	Detail description
λ	Security parameter
TA	Trust authority
G_1	Cyclic additive group
G_2	Cyclic multiplicative group
q	order of the Cyclic groups G_1and G_2
P	Generator point of the group G_1
g	Generator point of the group G_2
e	Bilinear map function i.e. e:G_1×G_1→G_2
H_i(.)	Hash function where i= 1,2,3…
s	TA secret key
P_pu	TA public key
Id_u	Identity of the user
Id_s	Identity of the server
Id_p	Identity of the PDA (personal digital assistant)
HID	Mask identity of the user
HPW,H_1PW	Mask password of the user
S_s	Secret key of the server
S_pd	Secret key of the PDA

Setup phase

In the setup phase, the TA generates the system parameter as well as their private and public keys. The TA also selects the cyclic groups used in the proposed protocol.

At first, the TA chooses the security parameter and then generates the system parameters.

TA appoints two cyclic groups of order q where is the additive group and is the multiplicative group. The tate pairing map is used where mapping is , P is the generator point of whereas g is the generator point of , and .

TA picks which is the TA’s private key, following which, the TA calculates its public key,

TA selects the secure hash function. TA then stores the private key and publishes the system parameter, i.e., {}

Registration phase

The user, server and PDA register in this phase. The process is as follows:

User registration

To access patient data from the server, the users needs to register themselves securely. The whole process is summarized in Table 4.

Table 4

User registration phase

User	TA
Generate ID_u,PW∈Zq∗
r,α∈Zq∗
HID=H_1(ID_u||r)
HPW=H_1(PW||r)
H_1PW=HPW⊕α
→{HID,H_1PW}
	Genaerate t∈Zq∗,T=t.P
	R=H_2(T||HID||H_1PW)
	C_i=T⊕HID
	B_i=H_3(H_1PW||R||C_i)
←{C_i}
W_i=H_1(ID_u||PW)⊕r
V_i=C_i⊕r
Z_i=α⊕H_1(HID||HPW)
Smart card save the value of {W_i,V_i,Z_i}

Firstly, the user generates , and after that, it creates two long term secrets . After producing and PW, the user calculates the value of mask identity, i.e., , mask password, i.e., , , and sends this information to the TA.

After getting the user’s value, the TA generates the random number , calculates , uses this value to generate and , , and finally sends to the user. TA uses in the server registration process and also stores the value of into the server’s memory for user verification.

After obtaining the value from TA, the user computes , , and , and stores these values in the smart card for further verification.

At the end, the user deletes the value of and the TA deletes the values of from their respective memories to evade the privileged insider attack.

Server registration

The server registration is as follows:

The server generates the identity , random number , calculates the value of , and then relays the value to the TA.

After getting the value, the TA generates a new random number, and calculates . After that, the TA computes two values, and . TA then transfers the calculated values (L, , , ) to the server.

The Server generates a new random value , and determines the secret key upon getting the values from TA. The server then computes the value of , and and saves the value of {} in the database.

Lastly, the TA and the server erase the value of {} from their memories to abstain from the privileged insider attack. The whole process is summarized in Table 5.

Table 5

Server registration phase

Server	TA
Generate ID_s∈Zq∗
r_s∈Zq∗,R_s=r_s.P
→{ID_s}
	Genaerate r_t∈Zq∗
	R_t=r_t.P
	A_s=s.H(ID_s)
	L=s.r_t
←{L,A_s,r_t,,C_i}
x∈Zq∗, X=x.P
S_s=x+A_s
S_sp=S_s.P
L_1=(r_s+L).P
M=(r_s||R_s||r_t||x||X)⊕C_i
Server will save the value of {M,S_s,S_sp,L_1}

PDA registration

The PDA registration phase is as follows :The entire process are summarized in Table 6.

Table 6

PDA registration phase

PDA	TA
Generate ID_p∈Zq∗
r_ϕ∈Zq∗,R_ϕ=r_ϕ.P
→{ID_p,R_ϕ}
	A_t=1H(ID_p)+s.P
	ϕ_2={H_1(ID_p||R_ϕ)+r_t.s}
←{ϕ_2,A_t}
y∈Zq∗,Y=y.p
S_pd=(ϕ_2+y)
S_pdp=S_pd.P PDA will save the value of {S_pd, A_t,Y,S_pdp}

The PDA generates the identity, and the random number, . It then computes the value of and delivers (,) to the TA.

After getting the values, the TA calculates and , and forwards these values to the PDA.

Upon receiving values and , the PDA calculates a random number, and calculate his secret key and also compute

At the end, the PDA stores the values of { , , Y} and in server’s memory.

Login phase

In login phase, the server authenticates the user. The process is as follows:The whole process is summarized in the Table 7.

Table 7

Login phase

User	Server
Insert Smart card and enter the credentials
<ID_u,PW>
→{ID_uPW}
	W_i⊕H_1(ID_u||PW)=r^′
	HID^′=H_1(ID_u||r^′)
	HPW^′=H_1(PW||r^′)
	V_i⊕r^′=Ci′
	Z_i⊕H_1(HID^′||HPW^′)=α^′
	H_1PW^′=HPW^′⊕α^′
	Ci′⊕H_1PW^′=T
	R^′=H_2(T||HID^′||H_1PW^′)
	B_i?=H_3(H_1PW^′||R^′||Ci′)

Firstly, the user inserts his smart card in server machine and then enter the values .

On receiving and the stored smart card value, , the server begets the value of long term secret using . The value of is used to get the masked value of identity and password, i.e., and .

Using the stored smart card value and the value of , the server estimates . The server then computes another long-term secret . Using , the server calculates the second masked password, . To get the value of T, the server uses the value of and and computes the value of .

At last, the server verifies the value of . If the value equals the value of , then the user is authorized access, else the server aborts the login.

Authentication and key establishment phase

In this phase, the server and the PDA mutually authenticate each other and generate the session key for future communication. The steps are as follows:

The server generates a new random number, , and calculates the value of . After that, the server computes , , , , , and a verifier, . The server finally sends {,,,} to the PDA.

After receiving these values, the PDA first checks the validity of the message using . This showcases that the message is not repeated. Here, represents the maximum transmission delay.

The PDA computes and . Next, it determines two values, and , and verifies if is equal to . If true, it indicates the server’s authenticity and message integrity, else the PDA aborts the session.

PDA chooses a new random number and computes , and . After calculating these values the PDA estimates the value of and . At last, the PDA reckons the shared session key, . After that the PDA transfers {,,F,} to the server.

The overall process is summarized in Table 8.

Table 8

Authentication and key establishment phase

Server	PDA
z∈Zq∗,Z=z.P
Ci′⊕M=(r_s||R_s||r_t||x||X)
T_t=x.z
I=g^T_t
∧_1=T_t(H(ID_p).P+P_pu)
∧_2= I⊕(R_s||r_t||X||Z||B_i||T_1)
∧_3=r_s+H_1(ID_p||R_ϕ)
→{∧_1,∧_2,∧_3,T_1}
	Check|T_2-T_1|≤ΔT
	I^′=e(A_t,∧_1)
	I^′⊕∧_2=(R_s||r_t|||X||Z||B_i||T_1)
	ρ_1=∧_3.P+P_pu.r_t+Y
	ρ_2=S_pdp+R_s
	Verify ρ_1?=ρ_2
	f∈Zq∗,F=f.P
	ρ_3=Z.f||(R_s+P_pu.r_t)
	ρ_4=H(ID_s).P_pu+X
	ρ_5=(ρ_3⊕ρ_4)
	ρ_6=(ρ_2⊕ρ_4)
	S.K.= (ID_s||ID_p||ρ_2||ρ_3||ρ_4||B_i||T_3)modq
←{ρ_5,ρ_6,F,T_3}
Check|T_4-T_3|≤ΔT
∧_4=(z.F||L_1)
∧_5=S_sp
Check ρ_5?=((z.F||L_1)⊕S_sp)
ρ2′=ρ_6⊕∧_5
S.K.= (ID_s||ID_p||ρ2′||∧_4||∧_5||B_i||T_3)modq

Subsequently, the server checks and computes , , and then examines the PDA’s message integrity and authenticity using . It also verifies that the message is coming from the authorized PDA.

At the end of the session, the server calculates and the value of the shared session key for future communication.

Proof of correctness

Security analysis

In this section, we address the security of our proposed protocol. The section is divided into four subsections. The first subsection, covers the informal security analysis, while the second subsection addresses the formal security analysis using the BAN logic. The third section, analyzes the security using a mathematical model, and the last section, discusses the AVISPA simulation tool for security verification.

Informal security analysis

Mutual authentication The server and the PDA authenticate each other and generate the session key for future communication. In the proposed protocol, the PDA verifies the server on the value of {} by using his secret key, and the server verifies the PDA for the value of {} using his secret key. The two-way verification process illustrates that the proposed protocol provides mutual authentication.

User anonymity The identities of server, user and the PDA are hidden in the messages, {,,, }, where the value of , , and . To get the PDA identity, the adversary needs to compute the value from . Whereas, {} message is used to scratch the user identity. Nevertheless, the adversary will encounter the hard problem, k-mBIDH. Thus, our scheme is secure against the user anonymity problem.

Resistance to man-in-middle-attack The proposed protocol establishes the session key, which is used by the server and the PDA to authenticate each other. To secure an authentication with the PDA, the adversary needs the legal messages, , and . However, the adversary cannot manufacture a legal message as it wasn’t exposed to the long-term secrets, . Also, the adversary won’t be able to fetch the value of from because of k-mBIDH hard problem.

When the adversary sends the legal message, {,,F, }, due to unknown long-term secrets it is unable to generate the legal messages and fails to establish a connection. This shows that the adversary is unable to generate the legal messages and therefore cannot breach the mutual authentication process. Thus, our proposed protocol can resist man-in-middle-attacks.

Offline password guessing attack The adversary compromises the secret information stored in the user’s smart card, i.e.,{}, and launches the offline dictionary attack. To get the users’ password, the adversary intercepts the saved details, but the value of and are stored in the hashed form. Firstly, to get the password from value , the adversary needs to know the value of long-term secret “r” and the one-way hash function. Moreover, to get the value of PW from , the adversary needs to know the values of “r, “”, and the one way hash function. This shows that the adversary cannot access the user’s password and the proposed protocol is therefore secure against the offline password guessing attack.

Perfect forward secrecy Assume that the server and the PDA’s long-term secrets are disclosed to the adversary, and the adversary intercepted all the exchanged messages between the server and the PDA on a public channel. To obtain the value of the session key , the adversary knows the random numbers and timestamps. The adversary is also capable of solving the CDH problem. Since, a new key is generated in each session and there is no connection between the session keys. So, even if the previous ones are compromised the current one is perfectly secure. This ensures perfect forward secrecy of the proposed protocol.

Privileged insider attack An adversary may be internal or external. Let us assume that the privileged insider is a trusted authority. In proposed protocol, as there is no information stored related to the password, and the use of masked password and deletion of from the TA during registration, ensures that any adversary from an insider cannot fetch information that harms our proposed protocol. Therefore, our proposed protocol is secure against the privileged insider attack.

Replay attack In each exchanged message, we have used the timestamp values, and ensured in each session, we have checked the freshness of our timestamp values ensuring that our proposed protocol is secure against the replay attack.

Untraceability In the proposed protocol, the random number {z, f} is selected in every new session of the authentication and key establishment phase. Hence, the message exchanged between the server and the PDA through the public channel is different in each session. The adversary is unable to co-relate the messages between the two sessions. Therefore, our proposed protocol guarantees that it is untraceable.

Formal security analysis using BAN logic

In this section, we have included the detailed description of the formal security analysis of our proposed protocol using the concept of Burrows-Abadi-Needham(BAN) logic (Burrows et al. 1989). To analyze the proposed protocol using the BAN logic, we will first discuss about the three basic items used in BAN logic,i.e. Principals, Keys, and the statements.

Let’s assume that {X, Y} are the principals, {S, T} are the statements and the “K” is the key. Then the basic logical notations used in the BAN logic is as follows:After knowing about the notation of BAN logic, there are also some basic postulates for BAN logic which is used to proof the algorithm:-To proof our proposed protocol using the BAN logic we have to follow the four essential steps,i.e.,“Se” : The Server,

X believes in the Statement and S is the true statement.

X sees the statement S,i.e., S is coming from another principal and getting by principal X.

X once said the statement S.

X has jurisdiction over S.

: The mean of this notation is the statement S is fresh and never used in previous session.

: The principals A and B used the shared key K for communication.

: A Statement S hashed with a key K.

* Message meaning rule

* Nonce-verification rule

* Jurisdiction rule

* Freshness rule

* Belief Rule

* Elimination of multipart message

Goals : The goals of our proposed protocol.

Idealize message : We have to convert the transmitted message in the idealize form.

Assumptions: We have to take the initial assumptions to proof the protocol goals.

Proof: Using the assumption and idealize message we have to proof the protocol goals. In our proposed protocol we have to mutually authenticate the server and the PDA so our goal is to proof the security. Here we use notations,i.e.,

“P” : The PDA So our goals for the proposed protocol are: The next step of BAN logic is to idealize the messages which were transmitted between the server and the PDA

Message 1:Message 2 :In next step we have to make some assumption which will help to proof the BAN logic goals:The proof of the goals of the proposed protocol

Using Message 1:Using the concept of BAN logic we prove the Goal 1 to Goal 6 and it shows that the formal security analysis using the BAN logic will be done and it insures the security of our proposed protocol.

Using the elimination postulate and the message 1 we got the

Using the Assumption and and the message meaning rule we got the

Using the concept of freshness rule and the assumption we got the

Using the , and nonce verification rule we got the

Using the belief rule and the we got the                Goal 5 Again using Message 1 and the elimination rule we got

Using the Assumption and and the message meaning rule we got the

Using the concept of freshness rule and the assumption we got the

Using the , and nonce verification rule we got the

Using the belief rule and the we got the                Goal 2

Using the message 2 and the elimination rule we got the

Using the Assumption and and the message meaning rule we got the

Using the concept of freshness rule and the assumption we got the

Using the concept of freshness rule and the assumption we got the

Using the , and nonce verification rule we got the

Using the belief rule and the we got the                Goal 6

Using the , and nonce verification rule we got the

Using the belief rule and the we got the                Goal 1

Using the , and nonce verification rule we got the

Using the belief rule and the we got the                Goal 3

Using the concept of jurisdiction rule, assumption , and we got the                Goal 4

Security analysis based on mathematical model

This section will show our proposed protocol security using the concept of a Real or random (ROR) model (Abdalla et al. 2005). We occupied the concept of Bellare and Rogaway (1993) to define our proposed protocol security model. According to the model, the adversary has to differentiate between the real session key and random numbers. In many mutual authentications and key agreement(MAKA) protocol (Agrahari and Varma 2021; Abbasinezhad-Mood et al. 2019), the ROR model is used to prove the session key security.

In our proposed protocol, there are two participants associated with the mutual authentication and key agreement protocol. The following components are associated with the ROR model. The components of our scheme are as follows:-

Participants

Server “S” and PDA “P” is the two participants of our proposed protocol. Let us assume that and are the two instances of our participants represented as and respectively.

Accepted state

When the instance gets the final message of the proposed protocol, it enters the final state. All the sent and the received message are arranged according to the accepted state, and at last, the session identification will form for the current session.

Partnering

Two instances of the participants, and , are known to be a partner when they follow the following properties:-Freshness

Both instances in an acceptable state.

Both instances are mutually authenticating to each other and also have the same session identification.

Both instances are mutual partner of each other.

The session key between the two participants, “S”, “P”, was unable to leak using the reveal query, then only the instances and are fresh.

Adversary

Let’s assume that is an adversary who is having control of the entire network. Here, the control shows that adversary can read or modify all the messages through the public channel, and the adversary can also construct the message or delete the message in the network. has to run the following queries:The adversary has no restriction over the execution of test query, but the capture and corruptSC query will run a limited number of times.

Execute{, }: This query works like a passive attack where will try to obtain the message, which will be transferred between the S and P. It’s like an eavesdropping attack.

Send {, M}: This query works like an active attack where will try to impersonate the participant to send a message to another participant.

CorruptSC : When adversary runs this query, he will get the all information stored in the smart card. This kind of attack is possible by the the side channel attack.

Capture{}: When adversary runs this query, then he will get the secrets information of the server“S” or PDA “P’.

Test{}: When the adversary runs this query, it can simulate the session key’s semantic security using the unbiased coin C. The query output returns the random number of the same key size when the value of , if the value of , then the output is session key. Otherwise, the output is the null value..

Semantic security To make our proposed MAKA protocol is semantic secure, we will implement the game between the oracle and . can make many queries to , and the will respond accordingly. When makes the test query then the response the . If the then the adversary wins the game. Let Succ denotes the event when the adversary wins the game. So, the advantage of to break the semantic security of our proposed protocol in the polynomial time t is represented as

Theorem

Suppose is a polynomial time ‘t’ bound adversary and be the advantage of breaking the proposed scheme’s semantic security. Then this is denoted asWhere,

= Number of hash query

= Number of send query

= Number of execute query

|Hash| = Range space of h(.)

p = Bit length of random number

= Uniformly distributed dictionary of user identity

Uniformly distributed dictionary of user password

Proof

In the following proof of the games , Adversary will do a five attacks. denotes the probability of winning the game . So the result of game to demonstrates that adversary can breach the semantic security of the session key in the polynomial-time or not.

−Game : The game defines as a real attack in the network, which is done by . The bit C chosen by the adversary at the starting of the game, Therefore by definition

−Game : Under this game, the eavesdropping attack has been implemented. The Adversary runs the execute query,i.e., Execute{, }, and gets the transmitted message between the server “S” and the PDA “P”,i.e., {,,,} and {,,F,} after that, runs the Test query. At last, requires to verify the session key. In our proposed algorithm, the session key is SK = . However, none of the messages can use to implement the session key, and also, the secret credential is not revealed in the intercepted message. The possibility of winning the game using the eavesdropping attack is not increased, So we conclude that−Game: The difference between the previous game and this game is that we consider the collision in the hash query and transcript. performs the active attack and runs the send and hash query to mislead the node to accepting the illegal messages. However, in the proposed scheme, all messages are dynamic because they have random numbers and timestamps. So no collision occurs in the transcript messages and the hash oracle messages. According to the birthday paradox, the hash query’s collision probability is at most and the collision probability for random number is . So the result is−Game : In this game, the adversary performs the CorruptSC() and capture query to obtain the secret information store in the smart card, server, and PDA. If obtains the correct ID and PW, then will win the game. However, in proposed scheme the adversary could not get the secret information using the card data because it is in masked form and encrypted using the one way hash function. So the result obtain as:−Game: Adversary eavesdrops on the messages sent between the “S” and “P”. To obtain the session key to breach the semantic security, the adversary must solve the k-mBIDH problem in polynomial time. But it is hard to solve the k-mBIDH problem in polynomial time, so the result obtain as runs all the queries to obtain the value of the session key to break the semantic security. So, at last, the adversary guess the bit value of C to win the game, so it generates:From equation (1) and (2)using equation (6)Applying triangular inequalityFrom Eqs. (3), (4), (5) and (7) we get the resultHence our proposed protocol insures the semantic security.

Security verification using AVISPA tool

This part officially verifies our proposed protocol utilizing the Automated Verification Security Protocol and Analysis (AVISPA) simulation tool. It is a push button tool that is used for checking the cryptographic protocols and recognizing whether those security protocols are SAFE or UNSAFE against different active and passive attacks.

AVISPA utilizes High-Level Protocol Specification Language(HLPSL) [30] for code execution to confirm the security vulnerabilities in a protocol.

AVISPA incorporates four back-ends, to be specific (1) On-the-fly-Model-Checker (OFMC), (2) Constraint-Logic-based Attack Searcher (CL-AtSe),(3) SAT-based Model-checker (SATMC), and (4)Tree Automata dependent on Automatic Approximations for the Analysis of Security Protocols (TA4SP), with HLPSL to analyze the protocol. In the AVISPA tool, the HLPSL code is initial changed over into the intermediary form(IF) with the assistance of the HLPSL2IF interpreter. This IF code is given to back-ends for security checks, and afterward its yield shows whether the protocol is protected or attacked.

The yield design contains the accompanying significant fields:

SUMMARY It Shows that the protocol is SAFE or UNSAFE.

DETAILS Depicting conditions in which text protocol is declared to be protected or attack discovering condition.

PROTOCOL Name of the protocol.

GOAL The objective of the analysis.

BACKEND Shows which back-end is used.

STATISTICS Shows the parse-time, search-time, visited hubs, and the profundity of the hub in executing of the protocol.

Implementation and results

The HLPSL code of our proposed protocol run in the SPAN simulation tool. To run this simulation tool, we have used a personal computer. The configuration of our system is

Processor: Intel(R) Core(TM) i3-3220 CPU @3.30GHz

RAM: 6GB

System type: 64 bit OS

The result of the SPAN simulation tools shows in Table 9. The output of the AVISPA code is categorized based on the backend tool and its model type. According to the simulation result, We have used the OFMC backend tool for the bounded number of the session then the statistics for the proposed protocol is as follows: it is visited 167 nodes with the depth of 4 plies where the search time is .31 second.

Table 9

Simulation results of AVISPA tool

Version	Backend tool	Details	Statistics	Goal	Summary
Basic	OFMC	Bounded number of Session	Parse time :.00s, Search time:.31s, Visited nodes: 167, Depth : 4plies	As specified in HLPSL code	SAFE
Basic	CL-AtSe	Bounded number of Session Typed model	Analysed: 15 states, Reachable :15 states, Translation : .01s, Computation: .00s	As specified in HLPSL code	SAFE
Basic	CL-AtSe	Bounded number of Session Untyped model	Analysed: 15 states, Reachable :15 states, Translation : .00s, Computation: .00s	As specified in HLPSL code	SAFE

The statistics for CL-AtSe backend tool for the typed and untyped model for the bounded number of session is as follows: it will analyze 15 states and reach all the states in the .01s in the typed model and .00s for the untyped model. Whereas the computation time for both the model is .00s.

This simulation result shows that our proposed protocol is secure against the various attacks.

Performance analysis

In this section, we will illustrate the performance of the proposed protocol for wireless body area networks. The analysis is based on computation cost and security threats. Finally, we provide a comprehensive discussion of the effectiveness of the proposed protocol compared to some existing protocols.

Computation cost analysis

In this section, we compare the computation cost of our proposed protocol with some similar existing protocols, such as, Wang and Zhang (2015); Wu et al. (2016); Liu et al. (2013); Xiong and Qin (2015); Abbasinezhad-Mood et al. (2019); Zhang et al. (2020); Li et al. (2016); Tsai and Lo (2015); He et al. (2016). We have considered many cryptographic functions in the proposed protocols. We defined the notations and computation time in Table 10, which we used further. We have referred the Kilinc et al. work to get the computation cost of the cryptographic operation. In Kilinc and Yanik (2013) using the version 0.5.12 of PBC library by using 32 bit OS of ubuntu 12.04.1 , CPU:2.2GHz and RAM: 2GB to get the computation time.

Table 10

Execution time of the cryptographic operation According to Kilinc and Yanik (2013)

Operation	Description	time(ms)
T_b	Time to compute the bilinear pairing operation	5.811
T_h	Time to compute the hash operation	0.0023
T_m	Time to compute point multiplication	2.226
T_e	Time to compute exponentiation operation	3.85

The computation time of the proposed scheme is 27.52 ms. The comprehensive comparison of the proposed protocol with some existing protocol is as follows :The complete comprehensive analysis of all cryptographic operations and total computational cost is enumerated in Table 11. Additionally the computation cost-related graph is shown in Fig 2. Whereas, Table 12 shows the Efficiency of the existing schemes with respect to the proposed scheme.

Table 11

Total cryptographic operation and total computation cost

Scheme	Server side cryptographic operation	PDA side cryptographic operation	Total cryptographic operation	Computation time (ms)
Wang and Zhang (2015)	1.T_b+5.T_h+2.T_m ≈ 10.27	1.T_b+5.T_h+3.T_m ≈ 12.52	2.T_b+10.T_h+5.T_m	≈ 22.79
Wu et al. (2016)	3.T_h+4.T_m+2.T_e ≈ 16.61	1.T_b+2.T_h+3.T_m+2.T_e ≈20.21	1.T_b+5.T_h+7.T_m+4.T_e	≈ 36.83
Liu et al. (2013)	1.T_b+2.T_h+2.T_m+1.T_e ≈ 14.13	2.T_h+5.T_m ≈11.16	1.T_b+4.T_h+7.T_m+1.T_e	≈ 25.28
Xiong and Qin (2015)	8.T_b+3.T_h+4.T_e ≈61.89	1.T_b+8.T_h+5.T_m+11.T_e ≈ 59.32	9.T_b+11.T_h+5.T_m+15.T_e	≈ 121.21
Abbasinezhad-Mood et al. (2019)	1.T_b+5.T_h+5.T_m ≈ 16.95	6.T_h+7.T_m+1.T_e ≈ 19.49	1.T_b+11.T_h+12.T_m+1.T_e	≈ 36.44
Zhang et al. (2020)	1.T_b+6.T_h+4.T_m ≈14.73	5.T_h+4.T_m+1.T_e ≈ 12.79	1.T_b+11.T_h+8.T_m+1.T_e	≈ 27.52
Li et al. (2016)	2.T_b+4.T_h+3.T_m+1.T_e ≈ 22.16	4.T_h+4.T_m+1.T_e ≈ 12.79	2.T_b+8.T_h+7.T_m+2.T_e	≈ 34.95
Tsai and Lo (2015)	4.T_b+4.T_h+2.T_m+1.T_e ≈31.55	6.T_h+7.T_m+1.T_e ≈ 19.48	4.T_b+10.T_h+9.T_m+2.T_e	≈ 51.03
He et al. (2016)	2.T_b+5.T_h+2.T_m+3.T_e ≈ 27.62	6.T_h+3.T_m+3.T_e ≈ 18.26	2.T_b+11.T_h+5.T_m+6.T_e	≈ 45.89
Proposed scheme	8.T_h+4.T_m+1.T_e ≈ 12.77	1.T_b+1.T_h+4.T_m ≈14.75	1.T_b+9.T_h+8.T_m+1.T_e	≈ 27.52

Fig. 2

Computation cost

Table 12

Efficiency With respect to the proposed scheme

Schemes	Efficiency with respect to proposed scheme	Security remark
Wang and Zhang (2015)	17.18% more efficient	Not secure against the session key attack, replay attack, impersonation attack
Wu et al. (2016)	33.83% less efficient	Not secure against the replay attack , impersonation attack and also having the key escrow issue
Liu et al. (2013)	8.14% more efficient	Not secure against impersonation attack and also having a key escrow issue
Xiong and Qin (2015)	340.44% less efficient	Not secure against the impersonation attack and also having the key escrow and perfect forward secrecy issue
Abbasinezhad-Mood et al. (2019)	32.41% less efficient	Not secure against the impersonation attack and also not proof the protocol using BAN logic
Zhang et al. (2020)	Equally efficient(Approx)	Not handle the key escrow issue and also not secure against the privileged insider attack
Li et al. (2016)	27.00% less efficient	Not satisfy the Perfect forward secrecy property]
Tsai and Lo (2015)	85.42% less efficient	Not resist a smart card and privileged insider attack and also have the key escrow issue
He et al. (2016)	66.75% less efficient	Not secure against the impersonation attack and also not proof the protocol using any predefined model or tool like RoR model, BAN logic or AVISPA tool

The computation cost of the Wang and Zhang (2015) is 22.79 ms. The scheme is approximately more efficient compared to the proposed scheme, but it is not secure against the session key attack, replay attack, impersonation attack, and also fails in user anonymity and untraceability.

The computation cost of the Wu et al. (2016) is 36.83 ms. The scheme is approximately less efficient compared to the proposed scheme.

The computation cost of the Liu et al. (2013) is 25.28 ms, The scheme is approximately more efficient compared to the proposed scheme, but it has the key escrow problem, and is also not secure against impersonation attack .

The computation cost of the Xiong and Qin (2015) is 121.21 ms. The scheme is approximately less efficient compared to the proposed scheme.

The computation cost of the Abbasinezhad-Mood et al. (2019) is 36.44 ms. The scheme is approximately less efficient compared to the proposed scheme.

The computation cost of the Zhang et al. (2020) is 27.52 ms, which is approximate equally efficient to the proposed scheme, but does not handle the key escrow issue.

The computation cost of the Li et al. (2016) is 34.95 ms. The scheme is approximately less efficient compared to the proposed scheme.

The computation cost of the Tsai and Lo (2015) is 51.03 ms. The scheme is approximately less efficient compared to the proposed scheme.

The computation cost of the He et al. (2016) is 45.89 ms. The scheme is approximately less efficient compared to the proposed scheme.

Fig. 3 mentions the computation cost of the server. According to Fig 3, when we increases the number of servers, the server’s computation time increases. However, the server’s time of the proposed scheme is better than the existing schemes except Wang and Zhang (2015) scheme. According to Table 13, the Wang scheme is not secure against many predefined attacks like perfect forward secrecy, replay attack, impersonation attack, and does not establish mutual authentication. Hence, it takes less server time than the proposed scheme, but does not fulfill the security requirements.

Fig. 3

Computation cost on server

Table 13

Security requirements

Security requirements	Wang and Zhang (2015)	Wu et al. (2016)	Liu et al. (2013)	Xiong and Qin (2015)	Zhang et al. (2020)	Kompara et al. (2019)	Tsai and Lo (2015)	Proposed protocol
Resistance to replay attack	N	N	Y	Y	Y	Y	Y	Y
Resistance to impersonation attack	N	N	N	N	Y	N	N	Y
Resistance to Man in the middle attack	Y	Y	Y	Y	Y	N	N	Y
Resistance to Password guessing attack	–	–	Y	Y	Y	–	Y	Y
Resistance to smart card attack	–	–	–	–	Y	–	N	Y
Resistance to privileged insider attack	–	–	Y	Y	N	Y	N	Y
Resistance to key escrow problem	–	N	N	N	N	–	N	Y
Perfect forward secrecy	N	Y	N	N	Y	Y	Y	Y
Session key security	N	Y	Y	Y	Y	Y	N	Y
User untraceability	N	Y	N	Y	Y	Y	N	Y
User anonymity	N	Y	Y	Y	Y	Y	N	Y
Mutual authentication	N	N	N	Y	Y	Y	N	Y

Security analysis

This section is completely dedicated to the comparison of our proposed authentication scheme with the other existing schemes on the basis of the features, functionality and their security requirements. The notations “N”, “Y”, and “−” are used which means security requirements are not fulfilled, security requirements are fulfilled and security requirements are not included simultaneously.

The main security requirement is whether the schemes have focused on the mutual authentication between the server and the PDA. Among all, the Wang and Zhang (2015); Wu et al. (2016); Liu et al. (2013), and Tsai and Lo (2015) could not achieve the mutual authentication requirements in their schemes. The scheme avoided the key escrow problem. The key escrow problem is when the trusted authority knows the secret keys of the user. While our proposed protocol is able to avoid this problem, the schemes of Wu et al., Liu et al., Xiong et al., Zhang et al., and Tsai et al. have not even considered this problem.

The proposed scheme is also secure against the privileged insider attack which Zhang et al., and Tsai et al. fail to secure. User is traceable in Wang and Zhang (2015); Liu et al. (2013), and Tsai and Lo (2015). Additionally, the scheme is also secure against impersonation and man-in-the-middle attacks.

The comprehensive security requirements comparison is summarized in the Table 13.

Conclusion and future work

Security is the primary goal in a healthcare environment when crucial data are transferred via the public channel. This paper has designed a new authentication scheme where the legitimate user can register through a trusted authority. The server and the PDA have to authenticate each other in order to send or receive the sensitive information mutually. Our primary focus is to avoid the key escrow problem and establish a new session key between the server, and the PDA, which will be used for future communication. The formal security analysis of the proposed protocol is done using the BAN logic and ROR model. While the Security verification is done using the AVISPA tool. In addition, a detailed comparative analysis for the communication cost is also included. This analysis, verification, and comparison prove that the proposed protocol is secure against prevailing attacks and better among the other existing protocols.

However, the proposed scheme has certain limitations, such as assuming the PDA (sensors) remain undamaged once installed in the patient body. In contrast, this is not the case in the real world. We have to replace the sensors after they are damaged. Another concern is that we are using the centralized server for our scheme, which incurs some latency even in the best case. So, in the future, we would try to extend our work and shift our paradigm towards edge computing which is the extension of cloud computing for resolving latency. Additionally, we will try to inculcate the private blockchain to make the system transparent and immutable. Last but not least, we would try to work on the real dataset and execute the proposed work in the real environment.