A Secure Iot-Based Healthcare System With Body Sensor Networks

Download as pdf or txt
Download as pdf or txt
You are on page 1of 12

This article has been accepted for publication in a future issue of this journal, but has not been

fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2638038, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 1

A Secure IoT-based Healthcare System with


Body Sensor Networks
Kuo-Hui Yeh, Senior Member, IEEE

 based on specific functionalities, namely the camera and


Abstract—The ever-increasing advancement in communication voice-interaction, which support the operation of the IoT
technologies of modern smart objects brings with it a new era of product and its interactive applications.
application development for IoT (Internet of Things) based Today, the IoT has become one of the most promising
networks. In particular, owing to the contactless-ness nature and
communication paradigms, and one in which all the smart
efficiency of data retrieval of mobile smart objects, such as
wearable equipment or tailored bio-sensors, several innovative objects in our daily life become part of the Internet owing to
types of healthcare systems with body sensor networks (BSN) their communication and computing capabilities. This
have been proposed. In this paper, we introduce a secure opportunity brings with it new security challenges for IoT
IoT-based healthcare system which operates through BSN applications. Every smart object (or sensor) in the IoT
architecture. To simultaneously achieve system efficiency and represents a potential risk in terms of system vulnerability. That
robustness of transmission within public IoT-based
is, each intelligent object may become a vulnerable entry point
communication networks, we utilize robust crypto-primitives to
construct two communication mechanisms for ensuring for any malicious attack. Two security issues, i.e. (1) physical
transmission confidentiality and providing entity authentication protection for smart objects, and (2) how to maintain data
among smart objects, the local processing unit and the backend confidentiality, integrity and privacy during data collection
BSN server. Moreover, we realize the implementation of the among smart objects, have thus emerged. Given the novelty and
proposed healthcare system with the Raspberry PI platform to innovative nature of IoT technologies, there seems to be a
demonstrate the practicability and feasibility of the presented
general expectation for a new and revolutionary security
mechanisms.
solution tailored specifically to IoT-based objects. This is
Index Terms—Authentication, Body Sensor Networks, Internet because traditional security protection mechanisms may not be
of Things (IoT), Security suitable for smart objects. For example, firewalls containing
network management control protocols are able to manage
high-level traffic through the Internet. However, this
I. INTRODUCTION application-level solution is not suitable for endpoint devices in
IoT applications because these devices usually possess a
T HE rapid advancement in smart object technology has
included significant achievements in application
development for wireless sensor based distributed
specific, defined mission with limited resources available to
accomplish it. Therefore, the refinement of traditional security
communication architecture. Capitalizing on the solutions to fit the specific security requirements of IoT-based
contactless-ness and efficiency of data retrieval from modern smart objects is one of the most promising ways of securing
smart objects, various innovative types of on-demand and IoT-based application systems.
real-time IoT-based services have been developed and Normally, security is addressed during the system life cycle,
deployed in daily life. Principal criteria regarding data including secure booting, access control, device authentication,
processing, such as the volume, velocity, variety and, most network management, firewall, IDS/IPS and updates and
importantly, the veracity of the data, must be considered patches. Among these, device authentication (with secure
carefully when designing IoT-based applications. However, device-to-device communication) has been shown to offer
while IoT-oriented techniques pave the way for the significant benefits to the security paradigm of IoT network
development of innovative applications, new threats may arise architecture and has become one of the most indispensable
from these “opportunities”. For example, Hello Barbie, a novel elements in IoT security ecosystems. In an IoT-based
IoT-based commercial product for children, reveals a potential application, smart objects often cannot be self-interacted with a
privacy threat which allows an attacker to spy on consumers, user or the backend system, and often need someone to input
their families and everything in the house [15]. The attack is the credentials required to access the network. Fortunately,
device authentication allowing a device to access a network
This work was supported by the Academia Sinica, the Taiwan Information
based on a similar set of credentials pre-stored in a secure
Security Center (TWISC) and the Ministry of Science and Technology, Taiwan, storage area of the device itself, represents a possible way to
under the grants numbered MOST 105-2221-E-259-014-MY3, MOST solve this predicament. The academic community has devoted
105-2221-E-011-070-MY3, MOST 105-2923-E-182-001-MY3, MOST
104-2218-E-001-002 and MOST 105-2218-E-001-001.
great effort to this important and interesting research field.
Kuo-Hui Yeh is with the National Dong Hwa University, Hualien 97401, Hence, in this study we propose two secure device
Taiwan (e-mail: [email protected], [email protected]).

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2638038, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 2

authentication mechanisms for IoT-based healthcare systems the scheme's feasibility and effectiveness, the authors
relying on body sensor networks. First, we will address the implemented an experimental system consisting of an 802.11
principal security requirements for IoT-based systems. A enabled sensor, a self-designed management server and an IoT
secure IoT-based healthcare system with two authentication application. The experimental results showed that their
mechanisms operating via BSN network architecture is then proposed system is practicable. However, one limitation exists
proposed to achieve the identified requirements. as the system scalability cannot be guaranteed.
The rest of the paper is organized as follows. Section II In 2014, Keoh et al. [5] presented an overview of the security
describes the current state of the art of IoT security and solutions for IoT ecosystems proposed by the Internet
discusses the principal security requirements for IoT-based Engineering Task Force (IETF), in which CoAP and, in
healthcare systems. In Section III, we first introduce the particular, Datagram Transport Layer Security (DTLS) are
underlying communication architecture of our proposed examined. Based on their performance evaluation, these
IoT-based healthcare system. Then, the IoT-based healthcare authors developed a refined and lightweight DTLS capable of
system using body sensor networks is introduced, comprising providing robust security functionality for IoT objects. Even so,
two authentication processes among the smart objects, the local the authors identified some unresolved issues for future work,
processing unit and the backend server. The security robustness i.e. device bootstrapping, key management, authorization,
of the proposed schemes is analyzed in Section IV, while the privacy and message fragmentation issues in IoT networks.
system implementation and performance evaluation is Next, in 2015, Kawamoto et al. [11] demonstrated an effective
presented in Section V. Finally, we make our concluding data collection scheme for location based authentication in IoT
remarks in Section VI. networks. In order to improve the authentication accuracy,
parameters related to network control are adjusted dynamically
II. RELATED WORK based on the real-time requirements from the system and the
In this section, we describe the current state of the art of IoT surrounding network environment. In addition, optimization of
security and then discuss the major security requirements for authentication accuracy was investigated. The authors finally
IoT-oriented healthcare systems. suggested that future work could focus on intelligently
controlling the data distribution from inhomogeneous IoT
A. The current state of the art of IoT security devices. In the same year, Cirani et al. [12] introduced an
In recent years, both industry and academia have devoted authorization framework which is integrated with HTTP/CoAP
considerable attention to the development of IoT applications services and is even able to invoke an external OAuth (Open
and related security measures. In 2013, Yao et al. [7] presented Authorization) based service. In the proposed framework, an
a lightweight multicast authentication scheme for small-scale external client may access a remote service from a network
IoT applications. They exploited the specific characteristics of broker (with constrained smart objects) via HTTP/CoAP.
the fast accumulator proposed by K. Nyberg [8], i.e. the Robust communication among entities such as an external
absorbency property and the one-way and client, a network broker and smart objects was thus designed
quasi-communicative property, to construct a lightweight and implemented. Performance evaluations were performed to
multicast authentication mechanism. To test their scheme’s examine the feasibility of the proposed framework, with results
practicability, the authors evaluated seven principal criteria showing that the proposed approach will increase the amount of
required by multicast authentications for resource-constrained energy consumed to ensure compatibility with IEEE 802.15.4.
applications in the course of a performance analysis. The In addition, the issues of memory footprint and dynamic
proposed scheme was claimed to be more efficient and configuration make the OAuth logic based scheme infeasible
effective than other systems it was compared to. The following for use with common smart objects.
year, Bello and Zeadally [9] investigated the possibility of In 2015, Ning et al. [13] proposed an aggregated proof based
self-collaborated device-to-device communications without hierarchical authentication scheme for layered U2IoT
any centralized control. Two challenges, namely the architecture to pursue security protection among ubiquitous
computation cost of smart objects and network heterogeneity, things. In the proposed scheme, security properties such as
were identified. After that, the authors analyzed the entity anonymity, mutual authentication and hierarchical access
state-of-the-art of communication mechanisms in licensed and control are achieved via the following techniques: user
unlicensed spectra and routing techniques which are able to authorization, aggregated-proof based verifications,
support intelligent inter-devices communications. In the course homomorphism functions and Chebyshev chaotic maps. Later,
of their analysis, four unresolved issues were identified: 1) Hernández-Ramos et al. [14] developed a series of lightweight
maximizing the use of available network resources; 2) route authentication and authorization procedures which are
management optimization; 3) inter-device based cooperation compliant with the Architectural Reference Model (ARM)
for load balancing; and 4) security properties such as privacy, from the EU FP7 IoT-A project, for use on constrained smart
authentication, integrity and resistance to new types of attack. objects. The proposed schemes are able to be combined with
Later, Cai et al. [10] adopted 802.11 based sensors to construct other standard technologies and form security plans for the life
an IoT-based device management system with a centralized cycle of IoT devices. Recently, Gope and Hwang introduced
control mechanism. The principal technique was based on the two authentication schemes, i.e. BSN-Care [1] and USM-IoT
IETF Constrained Application Protocol (CoAP). To evaluate [2], for IoT-based networks. These two authentication schemes

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2638038, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 3

are designed to fit the security requirements for body sensor qualified security, the exclusive-or operation may be the
networks and distributed wireless sensor networks, respectively. attacker’s target. It is obvious that the exclusive-or operation
Accordingly, from the standpoint of authentication analysis, the can only resist against “cipher-text only” attacks, which
underlying architectures can respectively be characterized as represents the lowest security level in terms of cryptanalysis
being client-server and client-server-server. In 2015, Gope and activity. Other security guarantees, such as resistance to known
Hwang [2] first presented an authentication protocol for plain-text attacks, chosen plain-text attacks, chosen cipher-text
distributed wireless sensor networks. Their proposal not only is attacks, and chosen text attacks launched by a malicious
compatible with client-server-server (i.e. the adversary are not supported. Hence, we have to carefully
sensor-gateway-server) architecture, but also satisfies consider the utilization of the exclusive-or operation during the
important security properties such as mutual authentication, design of each protocol run. More specifically, all publicly
sensor anonymity and un-traceability, system scalability, and transmitted text must be in an unpredictable cipher form and the
resistance to impersonation attack, replay attack and cloning exclusive-or computation cannot be performed simply and
attack. The authors thus claimed the proposed protocol is directly on the cipher. It is suggested that all exclusive-or
secure as well as efficient. In 2016, Gope and Hwang [1] further operations must be embedded within the computation of a
proposed an authentication mechanism for a distributed one-way hash function. For example, the form of “M⊕key”
IoT-based healthcare system. The proposed protocol is based may be more vulnerable than the form of “H(M⊕key)” or
on body sensor networks (BSNs), which consist of lightweight “H(M)⊕key”, where key is a secret and M is a message.
and healthcare oriented smart objects. Lightweight
crypto-modules, such as a one-way hash function random 3) GPS information is suggested to resist against spoofing
number generation function and bitwise exclusive-OR attack
operation, are adopted to simultaneously pursue system The IoT-based communication architecture builds on
efficiency and security robustness. The authors then traditional wireless sensor networks and at the same time
investigated the security density and protocol efficiency via embeds body area networks consisting of body bio-sensors.
BAN logics analysis and computation cost comparison. Individual privacy is a key issue to consider owing to the
involvement of personal bio-data and sensitive health-related
B. Security Requirements for IoT-based Healthcare Systems information. Meanwhile, the correctness of application
In the following, we present the major security requirements operation incurred by sensor movement must also be
for IoT-based communication systems. considered carefully, including individual identification,
network switching, reputation maintenance, anonymity and
1) A session key is required for secure communication un-traceability, and resistance to spoofing attacks invoked by a
In the past decades, the research community has thoroughly malicious cluster head made up of parts of IoT networks. All
investigated the design of dynamic identity based these requirements can be supported via the anonymous
authentication schemes owing to their advantages in terms of authentication technique with a unique legitimate identification
user convenience and protocol efficiency. Lightweight in which GPS information is involved. That is, with
computation modules, such as one-way hash functions and identification of an individual’s location, immunity against
bitwise exclusive-or operation, are usually exploited in the spoofing attacks can be guaranteed.
design of secure transmission for each protocol run. Because
communication entities’ identities are anonymous and 4) The need for resistance to man-in-the-middle attack
unpredictable as a result of the hash function and exclusive-or Resistance to man-in-the-middle attack is one of the most
operation, it can be claimed that this category of authentication important security considerations after authentication. A
provides user anonymity. However, in traditional dynamic malicious attacker may interrupt transmitted authentication
identity based authentication mechanisms, a robust session key messages and spoof the legal communicating entities into
must be eventually agreed for secure communication among believing that he/she is the other legitimate side via
entities. A simple authentication and login activity without counterfeited and illegal messages by spoofing. That is, the
session key generation is not enough to guarantee any kind of attacker may pretend that he/she is the legitimate user who is
security. Even if it may be claimed that SSL/TLS or other communicating with the server. Spoofing can also be used
security techniques can be used to achieve robust security after when the attacker faces the real legitimate user. The attacker
the authentication, the computation cost involved will make may pretend to be the legitimate server to communicate with
such an approach inefficient. Based on the above reason, we the legal user. An efficient solution for resisting
argue that the session key agreement is an essential property for man-in-the-middle attacks is to embed the identities of all
entity authentication and secure communication. communicating entities into the protocol message for entity
authentication. For instance, H(IDi||IDi+1||…) is a possible form
2) Inappropriate usage of the bitwise exclusive-or module of protocol message which can be utilized to perform entity
must be avoided authentication and simultaneously conquer man-in-the-middle
Cryptanalysis for security modules is critical for protocol attacks.
robustness. While the one-way hash function maintains

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2638038, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 4

5) Multiple security and privacy properties must be and, in addition, data confidentiality and data integrity can be
guaranteed at the same time guaranteed via the system's secure communication feature.
The protection of data security and entity privacy is the most In our proposed healthcare system, two communication
important aspects for IoT-based healthcare systems. As the channels, i.e. “sensors to LPU” and “LPU to BSN server,” are
communication of the BSN is mostly wireless (and insecure) in focused on, since the openness of these two channels means it
nature, various attacks may be launched at it as a vulnerability cannot be guaranteed that all the data transmissions on them are
entry, resulting in serious system damage to the entire system. secure. An attacker (or hacker) may therefore wish to launch
Therefore, in the following, we describe the key security and malicious behaviors, such as bio-data eavesdropping on a
privacy properties which must be guaranteed in an IoT-based specific person and entity counterfeiting for purposes of
healthcare system. First, mutual authentication among spoofing, on these insecure channels. The result could be huge
communication entities is required to protect against malicious and unpredictable losses. To sum up, the assumptions about the
data access and entity spoofing. Second, the system has to trust boundary of our IoT-based healthcare system are listed
achieve anonymity and untraceability for the bio-sensors in below: (1) the security parameters received during the
IoT-based healthcare systems to guard against the disclosure of registration phase are under a secure channel; (2) the LPU and
an individual's personal health status or private information. sensors are equipped with secure storage; (3) the “sensors to
Third, the resistance against forgery attack and replay attack LPU” and “LPU to BSN server” channels are insecure, i.e. the
during system operations must be embedded into the IoT-based transmitted data may be sniffed out; (4) the BSN server is
healthcare system. trusted and all the database accesses are safe and (5) a trusted
third party exists to support the public key infrastructure.
III. THE PROPOSED IOT-BASED HEALTHCARE SYSTEM WITH In the following section, we will introduce the
BODY SENSOR NETWORKS communication procedures of the proposed IoT-based
In this section, we first introduce the underlying healthcare system. The proposed system consists of two phases:
communication architecture of our proposed IoT-based the system initialization phase and the authentication phases. In
healthcare system. Then, the trust boundary and the desired the system initialization phase, all of the security parameters
objectives of the proposed IoT-based healthcare scheme are will be agreed upon and shared among the communication
introduced. After that, we present the detailed communication entities, i.e. wearable bio-sensors, the LPU and the BSN server,
procedures of the proposed system, which consist of a system via a secure channel. Next, two authentication phases are
initialization phase and two authentication phases. presented for securing all the communication and data
exchanges among the communication entities. In Table I, we
A. The Underlying IoT-based Communication Architecture present the common notations used throughout this study.
In this sub-section, we present the IoT-based communication
architecture on which our proposed healthcare system is TABLE I
modeled. As shown in Figure 1, there are three indispensable COMMON NOTATIONS USED THROUGHOUT THIS STUDY
components in the IoT-based communication architecture: the Symbol Definition
bsi Identity of the wearable bio-sensor i
wearable body bio-sensors (i.e. the smart objects), the Local LPUj Identity of the local processing unit j
Processing Unit (LPU) (which would normally be an intelligent BSN Identity of the BSN server
handheld device and acts as a mobile gateway), and the Body TTP Trusted third party
Sensor Networks (BSN) server. The IoT-based biomedical 𝐴𝐼𝐷𝑖 One-time-alias identity of the wearable bio-sensor i
bsID A set of un-linkable shadow identities bsID={sid1, sid2, …}
equipment (i.e. body bio-sensors) is adopted (or embedded) by for the wearable bio-sensor i
the user as the edge devices which are responsible for collecting Ki The secret key shared between the wearable bio-sensor i and
bio-data from the human (or, in this case, the patient). All of the the BSN server
collected data will be forwarded to the LPU and BSN server for Trseq Track sequence number
H(.) Secure one-way hash function, i.e. SHA-3 [3]
data analysis and user-oriented service provision. That is, based HMACk(.) A keyed-hash message authentication code
on specific bio-data from the user, the system can recognize and ⊕ Bitwise exclusive-or operation
satisfy the particular individual's needs in a faster and more || Concatenation operation
efficient way. For instance, by analyzing human bio-data, such
as electrocardiography (ECG), electroencephalography (EEG),
B. The System Initialization
electromyography (EMG) and blood pressure (BP), a
healthcare system in a hospital can provide more Let the notation E/Fp denote an elliptic curve E over a prime
individually-tailored and timely services and reduce delays in finite field Fp, defined by an equation y 2  x3  ax  b , where
medical treatment. In the proposed IoT-based communication a, b  Fp are constants such that Δ=4a 3+27b 2  0 . All points
architecture, all the body bio-sensors and the LPU need to
perform registrations with the BSN server in advance. After Pi=(xi, yi) on E and the infinity point O form a cyclic group G
registration, security credentials will be shared and stored under the operation of point addition R=P+Q defined according
among the bio-sensors, the LPU and the BSN server. The to a chord-and-tangent rule. In particular, we define
security credentials are exploited to achieve the goal of entity t  P  P  P  ...  P (t times) as scalar multiplication, where
authentication and to establish a secure communication channel, P is a generator of G with order n.

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2638038, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 5

Fig. 1. The underlying IoT based communication architecture of our proposed healthcare system.

Fig. 2. The authentication phase between the local processing unit j and the BSN server.

Fig. 3. The authentication phase among the wearable bio-sensor i, the local processing unit j and the BSN server.

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2638038, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 6

First, given a security parameter k, a trusted third party (short Then, the local processing unit j sends ( R j , T j , j ) back to the
for TTP) generates a group G of elliptic curve points with prime BSN server who then examines the validity of the incoming
order n and determines a generator P of G. Next, TTP chooses a
message ( R j , T j , j ) with the following verification processes.
private key s  Z n* and a secure hash function
H : 0, 1*  G  Z q* [3]. Next, TTP derives a public key With {G, P, PKTTP , H} , PK j , LPUj, BSN and ( R j , T j , j ) ,
PKTTP  s  P and publishes {G, P, PKTTP , H } . Meanwhile, the BSN server computes h j  H ( PKTTP , LPU j , R j ) and
TTP keeps s  Z n* securely. k j  H (T j , h j , BSN , PK j ) . After that, the server verifies
whether the equation  j  P  T j  k j  PK j  R j  h j  PKTTP
Given {G, P, PKTTP , H} , the private key s and the identity
holds or not. If it holds, the ( R j , T j , j ) is legitimate. The
LPUj of local processing unit j, TTP generates a random
number r j  Z n* , and calculates R j  rj  P , correctness of ( R j , T j , j ) is verified by:

h j  H (PKTTP , LPU j , R j ) and s j  rj  h j  s mod n . Then,  j  P  (t j  k j  x j  s j )  P


 t j  P  k j  x j  P  rj  P  h j  s  P
TTP returns D j  (s j , R j ) to the local processing unit j who
 T j  k j  PK j  R j  h j  PKTTP
then checks the validity of D j via whether the equation
s j  P  R j  h j  PKTTP mod n holds or not. Once it holds, the (Step 2) the BSN server  local processing unit j:
local processing unit j picks a random number x j  Z n* as ( RBSN , TBSN , BSN )
After that, the BSN server calculates a session key
his/her own private key and computes PK j  x j  P as his/her
SK  t BSN  T j , where t BSN is a random number. Next, given
public key. Similarly, TTP chooses a random number
{G, P, PKTTP , H } , LPUj, BSN, DBSN  (sBSN , RBSN ) , hBSN and
rBSN  Z n* , and sends DBSN  (sBSN , RBSN ) to the BSN server,
xBSN , the BSN calculates TBSN  t BSN  P ,
server
where RBSN  rBSN  P , hBSN  H (PKTTP , BSN , RBSN ) and
hBSN  H (PKTTP , BSN , RBSN ) ,
sBSN  rBSN  hBSN  s mod n . Once the validity of DBSN is
k BSN  H (SK , TBSN , hBSN , LPU j , PK BSN ) and
verified, the BSN server picks a random number xBSN  Z n* as
 BSN  t BSN  k BSN  xBSN  sBSN mod n . Then, the BSN server
its private key and computes PK BSN  xBSN  P as its public
sends ( RBSN , TBSN , BSN ) back to the local processing unit j.
key.
Upon receiving ( RBSN , TBSN , BSN ) , the local processing unit j
verifies ( RBSN , TBSN , BSN ) with the following processes.
C. The Communication Procedures of the Proposed
IoT-based Healthcare System
 Compute hBSN  H ( PKTTP , BSN , RBSN ) ,
In the proposed IoT-based healthcare system, we consider
SK  t j  TBSN and
that a nurse with his/her intelligent devices (acting as a local
processing unit) would like to provide on-demand patient-care k BSN  H (SK , TBSN , hBSN , LPU j , PK BSN )
services via an automatic and contactless data retrieval  Check whether the equation
mechanism. As the IoT communication network is public, a  BSN  P  TBSN  k BSN  PK BSN  RBSN  hBSN  PKTTP
robust authentication procedure is required for secure data
holds or not. The correctness is verified by:
exchange among wearable bio-sensors, the local processing
 BSN  P  (t BSN  k BSN  xBSN  sBSN )  P
unit and the BSN server. The detailed procedures of our
proposed authentication mechanisms are presented in Figures 2  t BSN  P  k BSN  xBSN  P  rBSN  P  hBSN  s  P
and 3, respectively.  TBSN  k BSN  PK BSN  RBSN  hBSN  PKTTP

1) The Key Agreement Phase between the Local Processing Finally, the local processing unit j and the BSN server both
Unit j and the BSN Server (Figure 2) possess and share a session key
SK  t BSN  T j  t j  t BSN  P  t j  TBSN .
(Step 1) local processing unit j  the BSN server:
( R j , T j , j )
2) The Authentication Phase among the Wearable Bio-sensor
Given {G, P, PKTTP , H } , LPUj, BSN, D j  (s j , R j ) , h j and i, the Local Processing Unit j and the BSN Server (Figure 3)
x j , the local processing unit j computes T j  t j  P with a
In the proposed authentication scheme, Ki is a secret shared
random number t j  Z n* , h j  H ( PKTTP , LPU j , R j ) , by the BSN server and the wearable bio-sensor i, and bsID is a
k j  H (T j , h j , BSN , PK j ) and  j  t j  k j  x j  s j mod n .
set of un-linkable shadow identities bsID={sid1, sid2, …}

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2638038, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 7

generated by the BSN server and installed into the wearable is launched
bio-sensor i at the system initialization. Trseq is a track sequence
number created to speed up the authentication process as well Condition (1): check the validity of Trseq, and look for the
as to prevent replay attacks. During each authentication session, corresponding tuple via Trseq from the backend database. If
Trseq will be renewed and stored at both the BSN server and the Trseq is valid, the BSN server retrieves Ni=H(Ki||𝑏𝑠𝑖 )⊕Mi, and
wearable bio-sensor i. In that case, the BSN server is able to then verifies if the received value 𝐴𝐼𝐷𝑖 and the computed value
check the freshness of an incoming request sent from the H(𝑏𝑠𝑖 ||Ki||Ni||Mi||𝐿𝑃𝑈𝑗 ||𝐺𝑃𝑆𝑗 |Trseq) are equal.
wearable bio-sensor i, and to achieve a fast identification of the
bio-sensor i via Trseq at the backend database during the Condition (2): If the BSN server cannot find any Trseq in 𝑀𝐴1 ,
authentication session. If Trseq in the request does not match the the BSN server will examine the freshness and validity of
one maintained in the backend database, the BSN server will
𝐴𝐼𝐷𝑖 =𝑠𝑖𝑑𝑖 . If the BSN server cannot identify the 𝑠𝑖𝑑𝑖 from the
reject the incoming request and terminate the connection. A backend database, the server will terminate the connection and
new request from the wearable bio-sensor i will be asked for in
request the wearable bio-sensor i to try again with another valid
which one of the fresh shadow identities 𝑠𝑖𝑑𝑖 will be picked up shadow identity 𝑠𝑖𝑑𝑖 .
from the list bsID as an anonymous identity of the wearable
bio-sensor i. The shadow identities 𝑠𝑖𝑑𝑖 adopted at this time If one of the above examinations is passed, the BSN server
must be removed from the bsID list at both the BSN server side will generate a random number m and assign this number as the
and the wearable bio-sensor i side after the authentication
new track sequence number Trseq, i.e. 𝑇𝑟𝑠𝑒𝑞𝑛𝑒𝑤 = 𝑚 .
session.
Subsequently, the BSN server computes Tr=H(Ki||𝑏𝑠𝑖 ||Ni)⊕
(Step 1) Local processing unit j  wearable bio-sensor 𝑇𝑟𝑠𝑒𝑞𝑛𝑒𝑤 , V=H(Tr||Ki||BSN||𝐿𝑃𝑈𝑗 ||𝑏𝑠𝑖 ) and 𝐻𝑀𝐴𝐶𝑆𝐾 (𝑀𝐴2 :{Tr,
i: 𝑮𝑷𝑺𝒋 , 𝑳𝑷𝑼𝒋 BSN, V}). After that, the BSN server sends 𝑀𝐴2 ,
The local processing unit j sends its identity 𝐿𝑃𝑈𝑗 and its 𝐻𝑀𝐴𝐶𝑆𝐾 (𝑀𝐴2 ) to the local processing unit j as a response
global location information 𝐺𝑃𝑆𝑗 to the wearable bio-sensor i message.
as an authentication request.
(Step 5) local processing unit j  wearable bio-sensor i:
(Step 2) wearable bio-sensor i  local processing unit j: 𝑴𝑨𝟐 :{Tr, BSN, V}
𝑴𝑨𝟏 ={𝑨𝑰𝑫𝒊 , Mi, Trseq (if req.), 𝑳𝑷𝑼𝒋 , 𝑮𝑷𝑺𝒋 } After receiving 𝑀𝐴2 ={Tr, BSN, V}, the local processing unit
After receiving 𝐺𝑃𝑆𝑗 and 𝐿𝑃𝑈𝑗 , the wearable bio-sensor i j checks the correctness of 𝐻𝑀𝐴𝐶𝑆𝐾 (𝑀𝐴2 ). If it holds, the local
first generates a random number Ni and calculates Mi=H(Ki||𝑏𝑠𝑖 ) processing unit j forwards 𝑀𝐴2 ={Tr, BSN, V} to the wearable
⊕Ni and 𝐴𝐼𝐷𝑖 = H(𝑏𝑠𝑖 ||Ki||Ni||Mi||𝐿𝑃𝑈𝑗 ||𝐺𝑃𝑆𝑗 ||Trseq). Next, the bio-sensor i. Upon obtaining 𝑀𝐴2 , the wearable bio-sensor i
wearable bio-sensor i constructs a message 𝑀𝐴1 ={𝐴𝐼𝐷𝑖 , Mi, calculates H(Tr||Ki||BSN||𝐿𝑃𝑈𝑗 ||𝑏𝑠𝑖 ) and compares it with the
Trseq (if req.), 𝐿𝑃𝑈𝑗 , 𝐺𝑃𝑆𝑗 } and sends 𝑀𝐴1 as an authentication received value V. If these two values are the same, the wearable
request to the local processing unit j. Note that if the value Trseq bio-sensor i derives 𝑇𝑟𝑠𝑒𝑞𝑛𝑒𝑤 =H(Ki|| 𝑏𝑠𝑖 ||Ni) ⊕ Tr and sets
shared between the wearable bio-sensor i and the BSN server is 𝑇𝑟𝑠𝑒𝑞 = 𝑇𝑟𝑠𝑒𝑞𝑛𝑒𝑤 for the next authentication session.
out of synchronization, the wearable bio-sensor i needs to
choose a fresh shadow identity 𝑠𝑖𝑑𝑖 from bsID and, IV. SECURITY ANALYSIS
consequently, assigns the picked value 𝑠𝑖𝑑𝑖 as 𝐴𝐼𝐷𝑖 . After that, Before describing the security analysis, we introduce the
the wearable bio-sensor i sends 𝑀𝐴1 ={𝐴𝐼𝐷𝑖 , M1, 𝐿𝑃𝑈𝑗 , 𝐺𝑃𝑆𝑗 } adversary model. In the real world, it is possible for adversaries
as an authentication request to the local processing unit j. to replace a communication entity's public key with a false one
of its choice. Hence, the adversary Adv models an outside
(Step 3) local processing unit j  the BSN server: 𝑴𝑨𝟏 , adversary who is able to replace any entity’s public key with
𝑯𝑴𝑨𝑪𝑺𝑲 (𝑮𝑷𝑺𝒋 , 𝑴𝑨𝟏 ) specific values chosen by the adversary itself; however, the
Upon receiving the authentication request from the wearable adversary Adv does not know the private key of TTP. In
bio-sensor i, the local processing unit j computes addition, the adversary Adv is able to learn valid verification
𝐻𝑀𝐴𝐶𝑆𝐾 (𝐺𝑃𝑆𝑗 , 𝑀𝐴1 ) and sends 𝑀𝐴1 , 𝐻𝑀𝐴𝐶𝑆𝐾 (𝐺𝑃𝑆𝑗 , 𝑀𝐴1 ) to messages for a replaced public key without any submission.
the BSN server.
Game 1: The following game is performed between a
(Step 4) the BSN server  local processing unit j: 𝑴𝑨𝟐 , challenger C and an adversary Adv during the proposed
𝑯𝑴𝑨𝑪𝑺𝑲 (𝑴𝑨𝟐 ) authentication scheme between the local processing unit and
the BSN server.
Once the BSN server obtains 𝑀𝐴1 , 𝐻𝑀𝐴𝐶𝑆𝐾 (𝐺𝑃𝑆𝑗 , 𝑀𝐴1 ) ,
the BSN server first checks whether 𝐻𝑀𝐴𝐶𝑆𝐾 (𝐺𝑃𝑆𝑗 , 𝑀𝐴1 ) is Initialization: C generates a private key s, and public system
correct. If it holds, the server then checks the track sequence parameters {G, P, PKTTP , H } . Next, C keeps s, but gives all of
number Trseq is in the request or not. If Trseq is included in 𝑀𝐴1 , the public system parameters {G, P, PKTTP , H } to the adversary
the BSN server performs condition (1). Otherwise, condition (2)

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2638038, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 8

Adv. oracle model, assuming the hardness of solving the elliptic


curve discrete logarithm problem. That is, if there exist a
Queries: The adversary Adv can adaptively issue the following polynomial-time (pt, qeps, qes, qpk, qrpk, qss) adversary 𝛼1 which
oracle queries, i.e. RequestPublicKey(IDt), can submit at most qeps queries to the oracle
ReplacePublicKey(IDt, PKt, PKt′), ExtractSecret(IDt), ExtractPartialSecret(IDt), qes queries to the oracle
ExtractPartialSecret(IDt), and SuperSign(IDt, mt) to C, where t ExtractSecret(IDt), qpk queries to the oracle
may be the local processing unit j or the BSN server. RequestPublicKey(IDt), qrpk queries to the oracle
(1) RequestPublicKey(IDt): The oracle takes as input a query ReplacePublicKey(IDt, PKt, PKt′) and qss queries to the oracle
(IDt), where IDt is the party t’s identity. It browses the list SuperSign(IDt, mt) and 𝑆𝑢𝑐𝑐𝛼1 is negligible, where 𝑆𝑢𝑐𝑐𝛼1 is
L and returns the party t’s public key PKt. the success probability that 𝛼1 wins in game 1, then there exists
(2) ReplacePublicKey(IDt, PKt, PKt′): The oracle takes as another algorithm  which can solve a random instance of the
input a query (IDt, PKt, PKt′), where IDt is the party t’s elliptic curve discrete logarithm problem in polynomial time
identity. This oracle replaces the party t’s public key with with success probability
PKt′ and updates the corresponding information in the list
L. 1 1 𝑞𝑒𝑝𝑠
𝑆𝑢𝑐𝑐𝛽 ≥ (1 − ) 𝑆𝑢𝑐𝑐𝛼1
(3) ExtractSecret(IDt): This oracle takes as input a query 𝑞𝐻 𝑞𝐻
IDt, where IDt is the party t’s identity. It browses the list L
and returns the secret values xt. If the party t has been Proof: Let 𝛼1 be a polynomial-time adversary that breaks the
asked the RequestPublicKey query, it returns ⊥. proposed authentication scheme with non-negligible advantage
(4) ExtractPartialSecret(IDt): This oracle takes as input a 𝑆𝑢𝑐𝑐𝛼1 . The goal of this proof is to build a polynomial-time
query IDt which is the party t’s identity. It then browses algorithm  which uses 𝛼1 to solve the ECDLP. That is, given
the list L and returns the partial private key Dt = (st, Rt). a random instance (P, x  P ), it derives the secret x .
(5) SuperSign(IDt, mt): The oracle takes as input a query
(IDt, mt), where IDt denotes the party t’s identity and m In the Initialization phase,  picks an identity IDt* as the
denotes the message to be signed. This oracle outputs a
signature t such that challenged identity in game 1, sets PKTTP =Q and sends public

true  Verify(mt ,  t , params, IDt , PKt ) . If the public key system parameters {G, P, PKTTP , H } to 𝛼1 .

has not been replaced, PKt = PKt , where PKt is the


In the query phase, 𝛼1 can adaptively issue the following
public key returned from the oracle oracle queries to  , and each query is unique.
'
RequestPublicKey(IDt). Otherwise, PKt = PKt where
PKt' is the latest public key value submitted to the oracle Hash query: For each query,  maintains a list listH storing
ReplacePublicKey(IDt, PKt, PKt′). (Tt , ht , LPU j , BSN , Rt , PKt , Ht ) , where t means the local
 Output: The adversary Adv outputs processing unit j or the BSN server. Upon receiving an H
( IDt , mt , ( Rt , Tt , t ) ). The adversary Adv wins the game if query for some (Tt , ht , LPU j , BSN , Rt , PKt , Ht ) from 𝛼1 , 
true  Verify ( IDt , mt , ( Rt , Tt , t ) PKt ) , and the oracle
checks the listH and returns H t to 𝛼1 via the following steps.
ExtractPartialSecret(IDt) and SuperSign(IDt, mt) have
never been queried. (1) If (Tt , ht , LPU j , BSN , Rt , PKt , Ht ) exists in listH , 
directly returns H t to 𝛼1 and terminates the process.
Definition 1: The proposed authentication mechanism between
the local processing unit and the BSN server is secure against (2) Otherwise, it chooses a random value H t  Z n* , adds
malicious adversaries, if for any polynomial adversary Adv, (Tt , ht , LPU j , BSN , Rt , PKt , Ht ) into listH , and returns H t to
Succj is negligible, where Succj is the success probability that
Adv wins in game 1. 𝛼1 .

Next, according to the hardness of solving the elliptic curve RequestPublicKey(IDt): Upon receiving a query with an
discrete logarithm problem, we prove that our proposed identity IDt from 𝛼1 ,  performs the following steps.
authentication scheme is existentially secure against malicious (1) If IDt  IDt* ,  generates three random numbers
adversaries. Note that the Elliptic Curve Discrete Logarithm
Problem (short for ECDLP) is defined as follows: given a group at , bt , xt  Z n* , and Rt  at  P  bt  PKTTP ,
performs
G of elliptic curve points with prime order n, a generator P of G ht  H ( PKTTP , LPUt , Rt )  bt , st  at and PKt  xt  P .
and a point x  P , it is computationally infeasible to derive x, Then,  adds  IDt , Rt , ht  ,  IDt , st , Rt  and
where x  Z n* .
 IDt , PKt , xt  to the lists listH , listK1 and listK 2 ,
Theorem 1: The proposed authentication scheme is respectively. Finally,  returns PK t to 𝛼1 .
existentially secure against malicious adversary in the random

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2638038, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 9

(2) Otherwise,  generates three random numbers


The probabilities of the following equations are presented.
at , bt , xt  Z n* , and sets Rt  at  P , ht  bt , st   and 1 𝑞𝑒𝑝𝑠
Pr[E1 ] ≥ (1 − ) , Pr[E2 |E1 ] ≥ 𝑆𝑢𝑐𝑐𝑆𝐴1 and Pr[E3 |E1 ∧
PKt  xt  P . Then,  adds  IDt , Rt , ht  ,  IDt , , Rt  1
𝑞𝐻

and  IDt , PKt , xt  to the lists listH , listK1 and listK 2 , E2 ] ≥ , where 𝑞𝐻 and 𝑞𝑒𝑝𝑠 are the numbers of Hash query
𝑞𝐻
and ExtractPartialSecret query.
respectively. Finally,  returns PK t to 𝛼1 .
Then, the probability that  solves the given instance of the
ExtractPartialSecret(IDt): Upon receiving a query for an
ECDLP is
identity IDt from 𝛼1 ,  performs the following steps.
(1) If IDt = IDt* ,  stops the session. 𝑆𝑢𝑐𝑐𝛽 = Pr[E1 ∧ E2 ∧ E3 ] =
(2) Otherwise,  looks at listK1 for  IDt , st , Rt  . If a record 1 1 𝑞𝑒𝑝𝑠
Pr[E1 ] Pr[E2 |E1 ] Pr[E3 |E1 ∧ E2 ] ≥ (1 − ) 𝑆𝑢𝑐𝑐𝛼1
𝑞𝐻 𝑞𝐻
of such a tuple exists,  returns st to 𝛼1 ; otherwise, 
makes a RequestPublicKey query with IDt and returns st to 𝛼1 Hence, the algorithm  can solve the ECDLP with, at
accordingly. 1 1 𝑞𝑒𝑝𝑠
minimum, the advantage (1 −
𝑆𝑢𝑐𝑐𝛼1 , where q H )
𝑞𝐻 𝑞𝐻
ExtractSecret(IDt): When  receives a query for an identity denotes the maximum number of queries to Hash, and qeps
IDt from 𝛼1 ,  looks for  IDt , PKt , xt  in the list listK 2 . If denotes the maximum number of queries to
ExtractPartialSecret(IDt). That contradicts the hardness of
there is such a tuple,  returns xt to 𝛼1 . Otherwise,  makes solving the ECDLP.
a RequestPublicKey query with IDt and returns xt to 𝛼1 . ■

ReplacePublicKey ( IDt , PKt# ) : Once  receives a query for Next, we present security claims for the proposed
authentication mechanism among the wearable bio-sensor, the
some ( IDt , PKt# ) from 1 ,  performs the following steps. local processing unit and the BSN server.
(1)  looks for  IDt , PKt , xt  in the list LK 2 . If there exists
Theorem 2: To achieve mutual authentication between the
such a record,  sets PK t  PK t# and xt   . wearable bio-sensor and the local processing unit
(2) Otherwise,  simulate the RequestPublicKey(IDt) query
for the identity IDt and sets PKt = PK t# and xt   . The mutual authentication of the proposed authentication
mechanism is proven via BAN logic analysis [4]. Basic
constructs and logic postulates are presented in the following,
In the final phase, 𝛼1 successfully outputs  t*  ( Rt* , Tt* , t* ) where the symbols P and Q range over principals, X and Y
for the target IDt* with non-negligible advantage 𝑆𝑢𝑐𝑐𝛼1 . range over statements, and K ranges over long-term secrets
keys.
Based on the forking lemma [16], if we have the polynomial
replay of  with the same random tape and different choices Constructs:
of hash oracle, 𝛼1 is able to output another three signatures  P believes X: The principal P believes that X is true.
 t ( j )  ( Rt , Tt , t ( j ) ) , where j = 2, 3, 4. Eventually, we have four  P sees X: Someone has sent a message containing X to P,
who can read and repeat X (possibly after doing some
valid signatures, i.e.  t ( j )  ( Rt , Tt , t ( j ) ) with j = 1, 2, 3, 4, decryption).
satisfying the following equations  P said X: P has actually sent a message including
 t ( j )  tt  kt ( j )  ( xt  rt  ht ( j )  s) mod n , where j = 1, 2, 3, 4. statement X at the current session of the protocol or
before.
 P controls X: P has jurisdiction over X, i.e. the principal P
Based on the four linear and independent equations,  can
is an authority on X and this matter should be trusted.
derive the four unknown values tt , xt , rt and s , and outputs s  fresh(X): X has not been sent in a message before the
as the solution of the random instance (P, Q  s  P ) of the current session of the protocol.
ECDLP. Next, we analyze  ’s success probability 𝑆𝑢𝑐𝑐𝛽 of P  Q: The key K is shared between the principals
K

winning game 1. P and Q.
P  Q: The formula X is a secret known only to P
X

 E1:  does not abort in all the queries of and Q. Only P and Q may use X to prove their identities to
ExtractPartialSecret. each other.
 E2: 𝛼1 can forge a valid signature ( IDt , mt ,  t ) .
 E3: The output ( IDt , mt , t ) satisfies IDt = IDt* . Logical postulates:

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2638038, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 10

 Rule 1 (the message-meaning rules): If P believes P 12. 𝑏𝑠𝑖 believes S believes { 𝑀𝐴2 } (Based on (10) & (11),

K
Q and P sees {X}K, then we postulate P believes Inferred by Rule 2).
Q said X. 13. 𝑏𝑠𝑖 believes S controls{Ni} (Based on assumption 5).
 Rule 2 (the nonce-verification rule): If P believes fresh (X) 14. 𝑏𝑠𝑖 believes {𝑀𝐴2 } (Based on (12) & (13), Inferred by
and P believes Q said X, then we postulate P believes Q Rule 3).
believes X.
 Rule 3 (the jurisdiction rule): If P believes Q controls X The final results are as follows:
and P believes Q believes X, then we postulate P believes LPUj believes S believes {𝑀𝐴2 } (result 5)
X. LPUj believes {𝑀𝐴2 } (result 7)
 Rule 4: If P sees (X, Y) then P sees X. In addition, if P 𝑏𝑠𝑖 believes S believes {𝑀𝐴2 } (result 12)
believes P  Q and P sees {X}K, then P sees X.
X
𝑏𝑠𝑖 believes {𝑀𝐴2 } (result 14)
 Rule 5: If one part of a formula is fresh, then the entire
formula must also be fresh. If P believes fresh (X), then P With the four results (5), (7), (12) and (14), and the assumption
believes fresh (X, Y). of the trustworthiness of S, both the wearable bio-sensor and the
local processing unit can be authenticated by each other via S.
Assumption: ■
 Assumption 1: bio-sensor i (𝑏𝑠𝑖 ), the BSN server (S)
𝑏𝑠𝑖 , 𝐾𝑖 ,𝑏𝑠𝐼𝐷, 𝑇𝑟𝑠𝑒𝑞 Claim 1: Guaranteeing anonymity and untraceability for
believe𝑠 𝑏𝑠𝑖 ↔ 𝑆
𝑆𝐾 wearable bio-sensors i.
 Assumption 2: LPUj, S believes 𝐿𝑃𝑈𝑗 ↔ 𝑆
 Assumption 3: 𝑏𝑠𝑖 , S, LPUj believes fresh (Ni) In the proposed communication procedures, a random
 Assumption 4: 𝑏𝑠𝑖 believes fresh (m) number Ni is generated and utilized to randomize the messages,
 Assumption 5: 𝑏𝑠𝑖 , LPUj believes S controls Ni such as 𝐴𝐼𝐷𝑖 , Mi, V and Tr, transmitted among the wearable
bio-sensor i, the local processing unit j and the BSN server.
The concrete realization of the proposed authentication scheme Without revealing the real identity of bsi in public, the local
is as follows: processing unit j and the BSN server only need to know whether
the involved partner bio-sensor i is legitimate or not. Explained
Step 1: 𝐿𝑃𝑈𝑗  𝑏𝑠𝑖 : 𝐺𝑃𝑆𝑗 , 𝐿𝑃𝑈𝑗 in a more detailed way, the identity bsi is transmitted in a
Step 2: 𝑏𝑠𝑖  LPUj: 𝑀𝐴1 ={ 𝐴𝐼𝐷𝑖 , Mi, Trseq (if req.), 𝐿𝑃𝑈𝑗 , randomized cipher text format instead of plaintext during each
𝐺𝑃𝑆𝑗 }, where 𝐴𝐼𝐷𝑖 = H(𝑏𝑠𝑖 ||Ki||Ni||Mi||𝐿𝑃𝑈𝑗 ||𝐺𝑃𝑆𝑗 ||Trseq) and session. As a result, the proposed communication procedures
can provide the property of sensor anonymity and
Mi=H(Ki||𝑏𝑠𝑖 )⊕Ni.
untraceability. In addition, the shadow identity mechanism is
Step 3: LPUj  S: 𝑀𝐴1 , 𝐻𝑀𝐴𝐶𝑆𝐾 (𝐺𝑃𝑆𝑗 , 𝑀𝐴1 ). used because loss of synchronization between the bio-sensor i
Step 4: S  LPUj: 𝑀𝐴2 , 𝐻𝑀𝐴𝐶𝑆𝐾 (𝑀𝐴2 ), where 𝑀𝐴2 ={Tr, BSN, and the BSN server may occur. Even if the attacker interrupts
V}, Tr=H(Ki|| 𝑏𝑠𝑖 ||Ni) ⊕ 𝑇𝑟𝑠𝑒𝑞𝑛𝑒𝑤 and the shadow identity, it cannot retrieve any clue regarding entity
V=H(Tr||Ki||BSN||𝐿𝑃𝑈𝑗 ||𝑏𝑠𝑖 ) identification and traceability due to the un-linkable property of
Step 5: LPUj  𝑏𝑠𝑖 : 𝑀𝐴2 ={Tr, BSN, V} these shadow identities.

The formal analysis of mutual authentication: Claim 2: Resistance against forgery attack and replay attack.
1. LPUj sees {𝑀𝐴2 , 𝐻𝑀𝐴𝐶𝑆𝐾 (𝑀𝐴2 )} (Based on step 4).
𝑆𝐾 Attackers may intend to deceive the legal communication
2. LPUj believes 𝐿𝑃𝑈𝑗 ↔ 𝑆 (Based on assumption 2). entities via fake messages. However, without the knowledge of
3. LPUj believes S said {𝑀𝐴2 , 𝐻𝑀𝐴𝐶𝑆𝐾 (𝑀𝐴2 )} (Based on (1) Ni and Ki, it is difficult for the attacker to counterfeit legitimate
& (2), Inferred by Rule 1). request (or response) messages such as {𝐴𝐼𝐷𝑖 , Mi, Trseq (if req.),
4. LPUj believes fresh (Ni) (Based on assumption 3). 𝐿𝑃𝑈𝑗 , 𝐺𝑃𝑆𝑗 } and {Tr, BSN, V} for purposes of spoofing. Even
5. LPUj believes S believes {𝑀𝐴2 , 𝐻𝑀𝐴𝐶𝑆𝐾 (𝑀𝐴2 )} (Based on if the attacker sends a previously eavesdropped message to a
(3) & (4), Inferred by Rule 2). victim party, the verification of previously-used messages will
6. LPUj believes S controls {Ni} (Based on assumption 5). fail. This is because the random number Ni is used at a previous
session. Therefore, the resistance to forgery attack and replay
7. LPUj believes {𝑀𝐴2 , 𝐻𝑀𝐴𝐶𝑆𝐾 (𝑀𝐴2 )} (Based on (5) & (6),
attack are obviously embedded in our system.
Inferred by Rule 3).
Claim 3: Preservation of data confidentiality.
8. 𝑏𝑠𝑖 sees {𝑀𝐴2 } (Based on step 5).
𝑏𝑠𝑖 , 𝐾𝑖 ,𝑏𝑠𝐼𝐷, 𝑇𝑟𝑠𝑒𝑞
9. 𝑏𝑠𝑖 believes 𝑏𝑠𝑖 ↔ 𝑆 (Based on assumption 1). In the proposed communication procedures, all of the
10. 𝑏𝑠𝑖 believes S said {𝑀𝐴2 } (Based on (8) & (9), Inferred by transmitted messages {𝐴𝐼𝐷𝑖 , Mi, Trseq (if req.), 𝐿𝑃𝑈𝑗 , 𝐺𝑃𝑆𝑗 }
Rule 1). and {Tr, BSN, V} are well-protected via the robust one-way
11. 𝑏𝑠𝑖 believes fresh(Ni), fresh(m) (Based on assumption 3 & hash function, i.e. SHA-3 (512 bits), and a high-entropy secret
4). Ki chosen by S. Without knowing the secret, it is difficult for

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2638038, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 11

attackers to break the SHA-3 hash function or to retrieve any the major overhead is based on the SHA-3 (with output 512 bits)
useful information from transmitted cipher texts owing to the operations in which 78.8% and 96.7% of computation cost are
irreversibility of the one-way hash function. Data needed, respectively, during the two authentication processes.
confidentiality is thus guaranteed. If we replace the SHA-3 operation with traditional SHA-family
techniques, the system efficiency can be further improved and
V. SYSTEM IMPLEMENTATION the overhead of our proposed scheme will be dominated by the
ECC based scalar multiplication computation.
To evaluate the practicability of the proposed scheme, we
implement the major security components of our scheme on an TABLE 3
IoT-based testbed, i.e. a Raspberry Pi series platform. The basic THE COMPUTATION COSTS FOR THE PROPOSED SCHEME
implementation environment is as shown in Table 2, where the Phase Process
Raspberry Pi II platform (i.e. Figure 4) is simulated as an 6 ECC Multiply + 4 SHA-3
(at local processing unit side)
intelligent mobile object or local processing unit. We adopt The key agreement phase
6 ECC Multiply + 4 SHA-3
SHA-3 (512 bits) as the secure one-way hash function [3], between the local processing
(at the BSN server side)
unit j and the BSN server
while the ECC based scalar multiplication operations (in which 12 ECC Multiply + 8 SHA-3
elliptic curve points over a prime field GF(p) with a 384 bit (Total computation cost)
prime p) and the random number generator (96 bits) are 1 RN + 4 SHA-3 + 2 XOR
(at wearable bio-sensor side)
implemented with the Bouncy Castle Crypto APIs [6]. The The authentication phase 2 SHA-3
experiment is programmed via Open JDK and Eclipse 3.8. among the wearable bio-sensor (at local processing unit side)
i, the local processing unit j and 1 RN + 6 SHA-3 + 2 XOR
TABLE 2 the BSN server. (at the BSN server side)
IMPLEMENTATION ENVIRONMENT 2 RN + 12 SHA-3 + 4 XOR
Environment Description (Total computation cost)
Broadcom BCM2836 @ 1GHz Quad-Core ARM
Cortex-A7 Architecture. VI. CONCLUSIONS
Raspberry PI 2
1GB DDR2 RAM
SanDisk 16GB Class 10 SD Card In this paper, we have demonstrated a secure healthcare
Operating System Raspbian 2016/03 system for IoT-oriented BSN infrastructures in which two
Programming Open JDK
Language
authentication processes are proposed to satisfy major security
Programming IDE Eclipse 3.8 requirements. According to our experiments, the computation
Crypto API The Bouncy Castle Crypto APIs [6] times of 4.056 ms and 4.965 ms are needed for performing two
authentication mechanisms, respectively, on a common
IoT-based development platform, i.e. the Raspberry Pi II.
Although the computation cost is user-acceptable, the system
efficiency can be further improved once the adopted
crypto-hash-modules are substituted by the traditional SHA-2
techniques. In addition, we investigate the security of the
proposed authentication schemes via rigorous formal analysis.
The robustness of the two schemes is proved. In brief,
according to the analysis and implementation results, we have
Fig. 4. Raspberry PI II platform adopted in the experiments. proved that the proposed schemes are suitable to be
implemented on common intelligent mobile objects with robust
In the system implementation, all of the random numbers, security density. Hence, the practicability of our proposed
entity identities and secrets are set to 96-bits for appropriate IoT-based healthcare system is guaranteed.
security density. Table 3 demonstrates the computation cost
required in our proposed scheme. During the authentication REFERENCES
phase between the local processing unit and the BSN server, the [1] Prosanta Gope, Tzonelih Hwang, “BSN-Care: A Secure IoT-based
computation cost of 12 ECC based scalar multiplication Modern Healthcare System Using Body Sensor Network,” IEEE Sensor
operations and 8 SHA-3 operations is required to perform a Journal, Volume 16, Issue 5, pp. 1368-1376, March 2016.
[2] Prosanta Gope, Tzonelih Hwang, “Untraceable Sensor Movement in
session key agreement for secure communication. Taking into
Distributed IoT Infrastructure,” IEEE Sensor Journal, Volume 15, Issue 9,
account the consideration of security robustness, ECC based pp. 5340-5348, September 2015.
scalar multiplication (over a prime field GF(p) with a 384 bit [3] Morris J. Dworkin, “SHA-3 Standard: Permutation-Based Hash and
prime p) is implemented on the Raspberry Pi II platform. In Extendable-Output Functions,” NIST FIPS-202,
dx.doi.org/10.6028/NIST.FIPS.202, August 2015.
brief, the proposed scheme needs at most 4.056 ms for
[4] M. Burrows, M. Abadi, R. Needham, “A logic of authentication,” ACM
performing 12 ECC based scalar multiplication operations and Transactions on Computer Systems, Volume 8, Issue 1, pp. 18-36,
8 SHA-3 operations. The computation cost is user-acceptable. February 1990.
In the authentication phase among the wearable bio-sensor, the [5] Sye Loong Keoh, Sandeep S. Kumar, Hannes Tschofenig, “Securing the
local processing unit and the BSN server, we require at most Internet of Things: A Standardization Perspective,” IEEE Internet of
Things Journal, Volume 1, Issue 3, pp. 265-275, 2014.
4.965 ms to perform 2 random number generations (RN), 12
[6] The Bouncy Castle Crypto APIs, https://www.bouncycastle.org/, 2016.
SHA-3 and 4 XOR operations. In our experiments, we find that

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2638038, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 12

[7] Xuanxia Yao, Xiaoguang Han, Xiaojiang Du, Xianwei Zhou, “A


Lightweight Multicast Authentication Mechanism for Small Scale IoT
Applications,” IEEE Sensors Journal, Volume 13, Issue 10, pp.
3696-3701, 2013.
[8] Kaisa Nyberg, “Fast accumulated hashing,” International Workshop on
Fast Software Encryption, pp. 83-87, 1996.
[9] Oladayo Bello, Sherali Zeadally, “Intelligent Device-to-Device
Communication in the Internet of Things,” IEEE Systems
Journal, Volume 10, Issue 3, pp. 1172-1182, September 2016.
[10] Xuejun Cai, Yan Wang, Xiuyong Zhang, Lu Luo, “Design and
implementation of a WiFi sensor device management system,” 2014
IEEE World Forum on Internet of Things (WF-IoT), pp. 10-14, March
2014.
[11] Yuichi Kawamoto, Hiroki Nishiyama, Nei Kato, Yoshitaka Shimizu,
Atsushi Takahara, Tingting Jiang, “Effectively Collecting Data for the
Location-Based Authentication in Internet of Things,” IEEE Systems
Journal, 10.1109/JSYST.2015.2456878, September 2015.
[12] Simone Cirani, Marco Picone, Pietro Gonizzi, Luca Veltri, Gianluigi
Ferrari, “IoT-OAS: An OAuth-Based Authorization Service Architecture
for Secure Services in IoT Scenarios,” IEEE Sensors Journal, Volume 15,
Issue 2, pp. 1224-1234, 2015.
[13] Huansheng Ning, Hong Liu, Laurence T. Yang, “Aggregated-proof
Based Hierarchical Authentication Scheme for the Internet of Things,”
IEEE Transactions on Parallel and Distributed Systems, Volume 26, Issue
3, pp. 657-667, 2015.
[14] José L. Hernández-Ramos, Marcin Piotr Pawlowski, Antonio J. Jara,
Antonio F. Skarmeta, Latif Ladid, “Toward a Lightweight Authentication
and Authorization Framework for Smart Objects,” IEEE Journal on
Selected Areas In Communications, Volume 33, Issue 4, pp. 690-702,
2015.
[15] Samuel Gibbs, Hackers can hijack Wi-Fi Hello Barbie to spy on your
children, November 2015. (Retrieved at 5th December 2016)
http://www.theguardian.com/technology/2015/nov/26/hackers-can-hijac
k-wi-fi-hello-barbie-to-spy-on-your-children
[16] David Pointcheval, Jacques Stern, “Security Proofs for Signature
Schemes,” The 15th annual international conference on Theory and
application of cryptographic techniques (EUROCRYPT '96), pp. 387-398,
May 1996.

Kuo-Hui Yeh received his B.S.


degree in Mathematics from the Fu
Jen Catholic University, New Taipei
City, Taiwan, in 2000, and the M.S.
and Ph.D. degrees in Information
Management from the National
Taiwan University of Science and
Technology, Taipei, Taiwan, in 2005
and 2010, respectively. Dr. Yeh is
currently an associate professor of the
department of Information Management at the National Dong
Hwa University, Hualien, Taiwan. He had been elevated as an
IEEE Senior Member in 2016. His research interests include
IoT Security, Android Security and Privacy, NFC/RFID
Security, Digital Signature, Network Security, and Big Data
and Cloud Computing. So far, Dr. Yeh has published more than
75 articles in international journals and conference
proceedings.

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

You might also like