<i>CasCP</i>: Efficient and Secure Certificateless Authentication Scheme for Wireless Body Area Networks with Conditional Privacy-Preserving

Xie, Yong; Zhang, Songsong; Li, Xiang; Li, Yanggui; Chai, Yuan

doi:https://doi.org/10.1155/2019/5860286

Security and Communication Networks

On this page

Abstract Introduction Related Works Preliminaries System Model Analysis Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Privacy and Security of Information Processing in Industrial Big Data and Internet of Things

View this Special Issue

Research Article | Open Access

Volume 2019 | Article ID 5860286 | https://doi.org/10.1155/2019/5860286

CasCP: Efficient and Secure Certificateless Authentication Scheme for Wireless Body Area Networks with Conditional Privacy-Preserving

Yong Xie,¹Songsong Zhang,¹Xiang Li,¹Yanggui Li,¹and Yuan Chai¹

Guest Editor: Mingwu Zhang

Received06 Mar 2019

Accepted24 Apr 2019

Published04 Jun 2019

Abstract

As the aging population of society continues to intensify, the series of problems brought about by aging is becoming more and more serious. Because the health problem of the elderly brings many social problems, people have paid close attention to it. Fortunately, as a typical smart healthcare system, wireless body area networks (WBANs) present quit nice medical care for people, especially the aged. However, personal health information is very sensitive. But, the common communication channel is used in WBANs and any malicious entity can initiate a security attack on WBANs. To ensure secure communication and privacy-preserving which are the premise of the sound development of WBANs, an improved and efficient certificateless authentication scheme with conditional privacy-preserving is proposed in this paper on the basis of analyzing the most recent presented certificateless authentication scheme for WBANs. The proposed scheme also provides batch authentication to decrease authentication and communication cost. A rigid security proof demonstrates that our proposed scheme resists every type of security attack and can provide condition privacy-preserving. The performance analysis shows that our proposed scheme has some advantages in computation and communication cost.

1. Introduction

Nowadays, the population growth rate in many countries around the world is decreasing. Most of these counties have gradually entered an aged society. World Health Organization (WHO) has predicted that human life expectancy will reach 75 year old in 2030, and about 80 million people will be 60 year old in America and 430 million in China by 2050 [1]. Sociologists have pointed out that the aging population structure will put tremendous pressure on all aspects in society, especially healthcare.

In order to provide comprehensive and accurate care for the elderly, researchers have launched various research on smart healthcare. With the rapid development of wearable sensors, especially health sensors, wireless body area networks (WBANs) have a profound significance for improving the health monitoring of the elderly [2]. Information technologies are used in WBANs and can be well applied to medical related services [3]. In WBAN, client’s information, such as weight trend, diet attempt, food-intake, hematologic biochemical parameters, respiratory rate, cardiac status, blood data, etc., is transmitted to the corresponding medical service application providers (AP) by wireless communication from body sensors. The client’s doctor will receive this information soon and provide timely treatment based on this information [4, 5]. The scenes of sensor nodes collect and send the client real-time physiological data to AP and the typical smart medical service based WBANs can be depicted as in Figure 1.

However, the security and privacy issues in WBANs are very serious and worthy of paid close attention. It is well known that private personal health information is very sensitive, which may cause serious problems such as family conflicts, corporate crisis, and even state instability [6]. The health data are sent to AP through insecure communication channel and suffered from intercepting, eavesdropping, modification, and other attacks with little problem. The security of health data is critical to the patient as a forged health data results in doctor’s misdiagnosis and extremely may endanger the life of a patient. If WBANs cannot provide strong security protection measures, client’s personal health information cannot be effectively protected, client will no longer trust WBANs, and people will no longer accept WBANs. Then, WBANs cannot get further development and cannot achieve the goal of smart medical care [7].

In order to meet the challenges of security and privacy protection in WBANs, many researchers have made continuous efforts and obtained some research results on WBANs authentication scheme. One important way is digit signature and data encryption. PKI-based authentication scheme and identity-based authentication scheme have been adopted to WBANs for a long time. But the PKI-based authentication scheme causes heavy certificate management and identity-based authentication scheme has an inevitable problem of key escrow. To solve this issue, certificateless authentication technology is introduced to WBANs and presents good application prospects. Recently, Ji et al. [8] proposed an efficient certificateless authentication scheme for WBANs. Ji et al. presented security analysis to show that their scheme can secure against all kinds of security attacks. However, their scheme cannot resist forgery attack and bath authentication attack, which is demonstrated in Section 5 in this paper. To the best of our knowledge, no universally accepted effective and secure authentication scheme for WBAN has been proposed, especially constructed by using certificateless public key cryptography [9]. Because of the strong privacy protection requirements of health data, limited communication channel, limited computing power, and fully open wireless communication environment, it is a huge challenge to build an efficient and secure certificateless authentication scheme for WBANs.

1.1. Motivations and Contributions

On reviewing Ji et al.’s certificateless authentication scheme [8], we decided to solve their security deficiencies while appreciating their high efficiency in message signing phase and authentication phase. In this paper, we present an improved and secure certificateless authentication scheme with conditional privacy-preserving (called CasCP). CasCP constructs signature and authentication algorithm by using elliptic curve cryptography (EEC) and no longer needs complex bilinear pairing operation. To sum up, there are three major contributions in our proposed scheme.

First, we present an improved and secure certificateless authentication scheme with conditional privacy-preserving. The proposed scheme includes five key phases for WBANs.

Second, we present a rigid security proof and detailed security analysis. It shows that CasCP can be secure against all known security attacks and providing privacy-preserving.

Third, the performance analysis shows that CasCP requires less computational and communication costs than recent similar schemes.

1.2. Organization of the Paper

The rest of the paper is arranged as follows. Related works and preliminaries are presented in Sections 2 and 3. Section 4 shows the system model and security requirements. Ji et al.’s certificateless authentication scheme is reviewed and analyzed in Section 5. Next, the CasCP is proposed in Section 6. Security proof and performance analysis are presented in Sections 7 and 8. At last, it draws a conclusion.

In order to present a secure communication in WBANs, there are many security requirements. Among all of the security requirements, the remote authentication is the most basic and important requirement. In 1981, Lamport proposed the first remote authentication scheme [10] that allows the mobile user to authenticate with a server through a public channel and generate the session key to encrypt the later session. From then on, more and more remote authentication schemes have been proposed to apply to different environments.

Some works in [11–15] are constructed based on traditional public key cryptosystem (PKC). But there are many difficulties in the establishment, implementation, and management of traditional PKC system. In order to solve the problems in traditional PKC system for WBANs, some researchers have proposed mutual authentication scheme using identity-based public key cryptography [16, 17]. In this way, these authentication schemes solve the difficulties in traditional PKC system. However, there is another thorny problem, key escrow problem; that is, if the key generation center has been compromised, the system goes into a state of being out of control.

In 2003, Al Riyami et al. [18] proposed certificateless cryptography, which can erase key escrow problem in identity-based PKC. Based on the previous work [18], scholars have proposed a lot of secure authentication schemes [19, 20] by using certificateless cryptography. In 2005, Huang et al. [21] proposed an improved scheme over Al Riyami et al.’s [18] that can avoid security leaks. Huang et al. [20] proposed two certificateless signature schemes on assuming three-kind-adversary security model. However, it has been pointed out their scheme cannot resist key replacement attacks [22].

To decrease authentication and communication cost, Boneh et al. [23] presented a certificateless authentication scheme with batch authentication in 2003. Batch authentication has been widely used for Internet of thing and other wireless networks, including WBANs. Without doubt, new security issues of batch authentication technology are unavoidable. Until now, researchers have proposed a lot of batch authentication schemes for WBANs and other wireless networks [24–26]. Based on the computational complexity of pairing, batch authentication and aggregate signature schemes [27–29] have been presented by using bilinear pairing. Xiong et al. [30] proposed an aggregate signature and batch authentication scheme that do not use clock synchronization and needs less computation cost than Zhang et al.’s [27] scheme. But, an adversary can successfully launch a forgery attack on Xiong et al.’s scheme [31, 32]. Wen et al. [33] constructed an aggregate signature scheme using bilinear pairing with designed verifier. Hartung et al. [34] presented another fault-tolerant batch authentication scheme. Tu et al. [29] proposed a revised authentication scheme to solve the security deficiencies of Xiong’s scheme [30]. He et al. [35] presented a new certificateless authentication scheme for WBANs. Unfortunately, the foregoing schemes have more or less security deficiencies; some schemes cannot resist security attacks in batch authentication [36–38].

Most recently, Ji et al. [8] proposed a certificateless conditional privacy-preserving authentication scheme by using elliptic curve cryptography (ECC) for WBANs. Their proposed scheme has a clear advantage in computation performance when compared with the former certificateless scheme using bilinear pairing. They claimed that their proposed scheme provides conditional privacy-preserving and can resist all kinds of security attacks. However, we demonstrate that a common adversary can successfully launch a forgery attack in individual authentication and batch authentication. To solve the deficiencies of Ji et al.’s authentication scheme, we propose an improved certificateless authentication scheme with conditional privacy-preserving.

3. Preliminaries

3.1. Elliptic Curve Cryptosystem (ECC)

In 1984, Miller proposed elliptic curve cryptography (ECC) for the first time [39]. Koblitz [40] proposed an ECC instance based on the difficulty of elliptic curve discrete logarithm problem (ECDLP) before long. Since then, researchers have proposed a lot of secure authentication schemes that are constructed with ECC since ECC is efficient to decrease computation cost [41]. The definition of ECC can be depicted as follows.

Let be a large prime number; is a finite field over . Elliptic curve meets equation with and . Let point be an infinite point. and other points in form an addictive group . Given and are different points on , is defined as point addition. is defined as scalar multiplication. is defined as order if is the smallest number that meets .

3.2. Complexity Assumptions

Elliptic curve discrete logarithm problem (ECDLP): given two random points and , without knowing , it is hard to compute from . The probability for an adversary to solve the ECDLP problem is . The hardness is that to compute from is negligible [42].

4. System Model and Security Model

4.1. System Model

There are three main entities in WBANs, i.e., key generation center (KGC), clients (including his/her PDA), and application providers (AP). KGC generates the system parameters and location public key and secret key for APs. Each client generates his/her secret value and then registers with KGC to obtain their public key, partial private key, and PDA with system parameter and partial key. At last, the clients could sign and send their messages to APs. In the process, AP and client should be authenticated each other and obtain an identical session key. The common network structure of wireless body area networks (WBANs) is illustrated in Figure 2.

Generally speaking, the messages in WBANs include sensitive health data. To ensure data integrity and identity authentication, these data should be signed and encrypted by PDA. The data with a signature could fall into two types: valid signature that can pass AP’s authentication and invalid signature that cannot pass AP’s authentication. When AP receives messages from different clients, AP can authenticate message one by one and also can adopt a more efficient way to authenticate multimessages, such as batch authentication. In our proposed scheme, batch authentication is used to improve authentication efficiency.

4.2. Security Model

In this section, we analyze the adversary model of certificateless authentication scheme for WBANs. As Al Riyami’s work [18], two-level attacks exist in the certificateless PKC. One is type-I adversary (called ) who is able to simulate an “outsider” attacker; another is type-II adversary who is able to simulate an “insider” attacker (called ), who may be an “honest but curious” KGC. cannot get system secret key and users’ partial key; however it could compromise users’ secret value. can get the system secret key and users’ partial key but cannot get user secret value [43].

According to the ability of adversary (include and ) and the system model of WBANs, we define security model as a game between a challenger and under the random Oracle model for the proposed scheme. Three steps are included in the game.

Initialization: generates system parameters and system secret key. Then gives the public parameters to .

Oracle query: can make queries with Oracle, -, --, --, --, and Oracle at will, unlimited query times and order. Then answers by the definition of game.

Output: forges a signature after has finished the above Oracle queries. At last, the advantage of successfully forging a valid signature is analyzed.

According to the definition of the game, can breach the authentication scheme only if could make a valid signature and pass authentication. Let be the probability that can breach during the game.

Definition 1. An authentication scheme for WBANs can be determined to be secure only if the probability is negligible for any probabilistic-polynomial-time (PPT) adversary .

As definition of security requirement in most works for WBAN, we also agree that a secure certificateless authentication scheme for WBAN should provide anonymity, mutual authentication, traceability, and session key establishment; it also should be secure against modification attack, impersonation attack, replay attack, batch authentication attack, and other security attacks [44].

5. Review and Analysis of Ji et al.’s Scheme

In this section, we will review and analyze Ji et al.’s scheme [8]. To more clearly, Table 1 lists the notations and their descriptions adopted in Ji et al.’s scheme.

5.1. Review of Ji et al.’s Scheme

There are four phases in Ji et al.’s scheme [8], and the four phases can be briefly depicted as follows.

System Initialization Phase. TA executes this phase based on security parameter .

(1) Choose two prime numbers and , define a finite field , and then generate group with order on .

(2) Let be a generator of , choose , and compute as its public key. Then choose four one-way hash functions, .

(3) Select for each registered AP and compute as AP’s private key and as AP’s public key.

Pseudo Identity Generation and Message Singing Phase. In this phase, each valid client should register with TA, then he/she can sign messages with his/her private key and send to AP. The detailed steps are as follows:

(1) The client chooses , computes and , and then sends to TA via a secure way.

(2) TA computes and , where is the validity period of pseudo identity. Then TA chooses and computes and , where and . Finally, TA loads into the client’s PDA. Now, the client’s private key is , and public key is .

(3) Before signing a message, the client should input his and into his/her PDA. PDA checks whether it meets . If it does, the client can sign by using PDA as next step.

(4) Assume medical message be ; PDA chooses and timestamps and computes , , , and , where will be the session key between AP and the client. At last, PDA sends to AP.

Authentication Phase. AP can authenticate messages by the following two ways.

(i) Individual Authentication. When receiving a message , AP checks whether and are valid. If they do, AP computes and and checks whether holds or not. If it holds, AP accepts the message and computes session key and then sends to the client. At last, the client uses as session key if the received is identical to his/her .

(ii) Batch Authentication. When receiving messages from different clients, AP checks and for each message. Then AP computes and for each message and checks whether the messages meet the following equation:

If does, AP accepts these messages.

Password Change Phase. For security of PDA, the client can renew password locally by following steps.

(1) The client inputs and old password ; the PDA checks . If it does, the PDA requires the client to input new password , then computes , and replaces with .

5.2. Analysis of Ji et al.’s Scheme

In this subsection, the security deficiencies of Ji et al.’s scheme are analyzed.

(i) Not Be Secure against Forge Attack. Ji et al. show that their scheme could resist any forge attacks. However, any PPT could lightly win Game I in their scheme; that is, it could not be secure against forge attack. Assuming that the client’s identity is , the adversary is . launches the forge attack as the following steps:

(1) has intercepted or received a valid message , which meets verification function . Then selects , message , and timestamps .

(2) computes , , , and , where is a valid pseudo identity. At last, sends the forged message to AP by using ’s identity.

(3) AP receives message , and checks whether the equation holds or not. Let us expand the equation as follows:

As shown above, can forge a valid message by using ’s identity easily. Therefore, Ji et al.’s scheme cannot resist any ’s forge attack.

(ii) Not Be Secure against Batch Authentication Attack. The adversary can also launch security attack in the batch authentication step of Ji et al.’s scheme. can do as the following steps.

(1) can forge two signatures and on two messages and , which cannot meet the verification. However, and can meet the batch authentication function of Ji et al.’s scheme as .

Therefore, Ji et al.’s scheme cannot resist any ’s batch authentication attack.

6. The Improved Certificateless Authentication Scheme

In this section, an improved and secure certificateless authentication scheme for WBANs with conditional privacy-preserving (called CasCP) is proposed. The proposed CasCP consists of five phases: system initialization phase, pseudo identity generation phase, message signing phase, authentication phase, and password change phase.

To be clear, four new notations and descriptions that adopted in CasCP are listed in Table 2.

Next, the five phases are described as the following subsections.

6.1. System Initialization Phase

The KGC runs this phase with security level parameter as follows.

(1) KGC chooses two prime numbers and and defines a finite field and then generates group with order on .

(2) Let be one of generators of . KGC chooses and computes as its public key. Then choose four one-way hash functions, .

(3) KGC selects for each registered AP and computes as AP’s private key and as AP’s public key.

6.2. Pseudo Identity Generation Phase

Each WBANs client should register with KGC when he/her wants to obtain healthcare services. The client and KGC complete the pseudo identity phase as follow steps.

(1) Assume the client real identity be and his/her login password for PDA be . He/she chooses , computes , and then sends to KGC via a secure way.

(2) Upon receiving , KGC chooses and expiration time and then computes , , , , and . Finally, KGC loads into the client’s PDA.

(3) When the client receives the PDA from KGC, he/she inputs and into PDA. Next PDA checks whether holds or not. If it holds, the client’s private key is and public key is . Otherwise, he/she registers again as next step.

6.3. Message Signing Phase

In this phase, the client signs messages by using PDA when he/she needs to communicate with others (such as AP) as the following steps.

(1) The client inputs and into PDA firstly. Then PDA checks whether holds or not, where is stored in the PDA. If it holds, the client can sign message by PDA.

(2) Assume the medical message be . PDA chooses and timestamps and then computes , , , and , where is the session key between AP and the client. At last, PDA sends to AP.

6.4. Authentication Phase

To ensure the security of data, the client and AP can authenticate each other in the proposed scheme. In order to further improve the authentication efficiency, batch authentication is provided. Next, individual authentication and batch authentication are presented.

(i) Individual Authentication. (1) When receives a message from the client, AP checks whether and valid. If they do, AP computes and and checks whether the verification equationholds or not. If it holds, AP accepts the message and computes session key and then sends to the client.

(2) After receiving from AP, the client uses his/her that obtained in message signing phase to compute and then checks whether the received is identical to his/her . If it does, the client and AP have authenticated each other successfully and obtained an identical session key for subsequent communications.

The message signing and individual authentication phase are illustrated as Figure 3.

(ii) Batch Authentication. When receiving messages from different clients, AP can execute batch authentication for the messages.

(1) AP checks and for each message and then computes and for each message.

(2) AP selects a small random integer vector , which have little computation cost in scalar multiplication [41].

(3) At last, AP checks whether the messages meet the following equation:If it does, AP accepts these messages.

6.5. Password Change Phase

This phase is same as Ji et al.’s scheme, and the description will not be repeated here.

7. Security Proof and Analysis

In this section, a formal security proof of CasCP is presented. It shows that CasCP is unforgeable against adversary (included and ), and CasCP can meet the security requirements of WBANs.

7.1. Security Proof

Next, CasCP is assessed on the security under the random Oracle model.

Theorem 2. Assume be a PPT adversary who could win Game I with nonnegligible probability. Let be a challenger who could solve ECDLP problem on advantage , where are the times of executing , -, and -- Oracle query, respectively.

Proof. Let be a PPT adversary, which attempts to forge target client ’s valid message. could win Game-I with a probability . Given an ECDLP instance , runs as a subroutine to solve the ECDLP instance.

Step 1. executes system initialization, and publics the parameters to , given an ECDLP instance to , from which it tries to compute from .

Step 2. executes Oracle queries within limited query times, then will answer as the following rules.
(i) Hash-Queries. answers when he/she executes Oracle queries as follows.
(a) -. As executes this query with (, ), looks for (, ) in list . If has the entry, returns to . Otherwise, chooses at random and sets . Finally returns to .
(b) -. As executes this query with (), looks for () in list . If has the entry, returns to . Otherwise, chooses at random and computes and sets . Then returns to .
(c) -. As executes this query with (, ), looks for (, ) in sign list . If has the entry, returns to . Otherwise, chooses at random, computes , and sets (, , , , , , ), where , , , and can be obtained from other queries and create-user query. Then returns to .
(ii) -(). As executes this query with (), looks for () in user list . If has an entry with , returns to . Otherwise, randomly selects and computes , , and . Next, adds to the corresponding list .
(iii) --(). As executes this query with (), chooses at random and computes , Finally, adds () in and sends () to . As for , returns .
(iv) --(). As executes this query with (), looks for user list . If has the entry, returns to .
(v) --(). As executes this query with (), looks for user list . If , sends to . Else if has the entry with , sends to , else runs -() query and sends to .
(vi) (, ). As executes this query with (, ), looks for tuple () in . If , randomly selects , computes , , and , and then adds in . If , selects at randomly and computes , and then adds to . At last, returns () to .

Step 3. Finally, obtains a forged message under certain restrictions that the never makes -- query with and query with . If , stops the game. Otherwise, looks for the corresponding entry in . If there is not the corresponding , it stops the game. Otherwise, meets the following equation: can replay the game based on forgery lemma [45]; he/her could obtain another forged message by selecting another .According to (5) and (6), could obtain the ; i.e., could solve the ECDLP problem. Next, the probability of which obtains the correct solution for () is analyzed. If has done successfully, two events must happen.(i): never stop the game.(ii): is valid.Therefore, the advantage of is = . The occurrence probability of could be gained in -, --, and Oracle query during the game. Therefore, it can obtain . Therefore, we can get .

Theorem 3. Assume is a PPT super type-II adversary who can succeed in Game-II with nonnegligible probability. Let be a challenger who can solve the ECDLP problem with advantage , where denote the times of executing , -, --, and -- Oracle query, respectively.

Proof. Assume is a type-II adversary, and attempts to forge target client ’s valid message. Then could win Game-II with probability . Given an ECDLP instance , let be a challenger. Next, runs as a subroutine to solve ECDLP problem.

Step 1. executes system initialization and public parameters and to . Assume is given an ECDLP instance; tries to compute from .

Step 2. executes Oracle queries within limited query times, then will answer as the following rules.

(i) Hash-Queries. answers when he/she executes Oracle queries as follows.

(a) -. As executes the query with (, ), looks for (, ) in list . If has the entry, returns to . Otherwise, chooses at random and computes and sets . Finally returns to .

(b) - and -. As executes the two queries, could answer as he/she answers in Game I.

(ii) -(). As executes the query with (), looks for user list . If has the entry, returns . Otherwise, if , chooses and at random and current time , calculates , , , and , and sets . Then, will add () to list , respectively. If , chooses at random and current time and calculates , , , , and . Then, will add () to corresponding list , respectively.

(iii) --(). As executes the query with (), will answer as the following two cases: if , will answer with the definition of Partial Key Generation and Private key Generation algorithm. If , chooses and at random. Next calculates , , , and and sets . Finally, sends () to .

(iv) --(). As executes the query with (), looks for it in user list . If has the entry with , sends to . Or, if , chooses at random and adds it to as ’s secret value. Next sends to . If , returns .

(v) --(). As executes the query with (), looks for it in . If has the entry with , sends to . Otherwise, will execute -() query and then sends to .

(vi) (, ). As executes the query with (, ), looks for it in . If , chooses at random and current time and then calculates , , and . Next adds in and sends to . If , chooses at random and calculates , , and and then adds to . At last, returns () to .

Step 3. At last, obtains a forged message under the constrain restrictions that never makes -- query with and query with (). If , stops the game. Otherwise, looks for the corresponding entry in . If there is not corresponding , stops the game or meets the following authentication equation: can replay the game based on forgery lemma [45]; he/she could obtain another forged messages by selecting another .According to (7) and (8), could obtain the ; i.e., could solve the ECDLP problem. Next, the probability that gains the correct solution for the instance () is analyzed. If has been successful, two events must happen.(i): never abort the game.(ii): is valid.Therefore, ’s advantage is = . The probability of ’s occurrence can be gained in -, --, and Oracle query during the game. Therefore, it can obtain . Therefore, we can get .

Now, we can draw a conclusion that CapCP can resist two-level adversary on the condition of the ECDLP assumption which is established.

7.2. Other Security Analyses

Next, we will analyze whether CapCP meets the security requirements of WBANs.

(i) Anonymity. In CasCP, a client’s real identity is embedded his/her pseudo identity . is generated by KGC, any adversaries cannot retrieve the real identity from because , , and make up a classic CDH problem. Therefore CapCP provides anonymity for clients.

(ii) Mutual Authentication. After receiving a message from a client, AP checks the validity and integrity of the message according to individual authentication equation. If it holds, the message can be regarded as a valid message. The AP signs and returns reply message in the same way to the client, the AP can also be securely authenticated. Therefore, CasCP can satisfy mutual authentication for WBANs.

(iii) Traceability. The clients’ real identities are embedded in by . KGC is the only authenticated one that can retrieve the real identity from because only KGC knows the system secret key . Therefore, CasCP provides identity traceability for KGC.

(iv) Modification Attack. Assume a forged message is modified from a valid message by an adversary, the verifier could easily distinguish the forged message because the forged message cannot meet the authentication equation . Therefore, CasCP is secure against modification attack.

(v) Session Key Establishment. In CasCP, the client and AP have a session key as . From the definition of , , , and are CDH problem instance. An adversary cannot compute a valid session key because of ECDLP assumption’s hardness. Therefore, CasCP can achieve secure session key establishment.

(vi) Impersonation Attack. To impersonate a client, an adversary must generate a valid message to meet the authentication equation . But the adversary cannot generate the valid a valid message according to Theorems 2 and 3. Therefore, CasCP is secure against impersonation attack.

(vii) Replay Attack. An adversary replays an old message by new time in . However, AP can find that this message is invalid by verification equation according to the ECDLP assumption’s hardness. That is CasCP can be secure against replay attack.

(viii) Batch Authentication Attack. When an invalid message or more messages join in batch authentication process, CasCP uses a small random integer vector to break the inherent relationship among of the signatures of messages. Therefore, an adversary cannot use the invalid or forged messages to launch batch authentication attack.

(ix) Lost PDA Attack. To use PDA, the correct and must be input into PDA. However, the adversary cannot login the PDA without knowing and , even if the adversary has breached PDA and has got the data in PDA. However, the data is nothing useful for the adversary.

8. Performance Analysis

In this section, the performance analysis of computation and communication cost is presented among four authentication schemes for WBANs that are the proposed scheme (CapCP), Ji et al.’s scheme [8] (2018), He et al.’s scheme [7] (2017), and Wu et al.’s scheme [46] (2016).

It is important to be fair and objective for performance analysis. Therefore, we adopt the simulation results of cryptographic operation execution time in [8]. Their simulation environments are set as follows: operation system is Windows 8, hardware is formed with 2.50 CHz Intel Core i5-2450 CPU, memory is 8.00 GB, and PBC (pairing based cryptography) is used to run the related cryptographic operations. Table 3 lists the execution times of main time-consuming cryptographic operations; the other cryptographic operations, such as point addition operation and one-way hash function which are much less than scalar multiplication, are not included in the comparison.

8.1. Computation Cost Analysis

Next, the proposed CasCP is compared with three authentication schemes for WBANs in terms of computation cost in the client’s message signing phase, AP’s individual authentication phase, and AP’s batch authentication phase.

In Wu et al.’s scheme, the computation cost of the client in message signing phase comprises three scalar multiplication and two exponentiation operations; the computation cost of the AP in individual authentication phase comprises three scalar multiplication, two exponentiation operations, and one bilinear pairing operation; the messages computation cost of the AP in batch authentication phase comprises scalar multiplication, exponentiation operation, and bilinear pairing operations.

In He et al.’s scheme, the computation cost of the client in message signing phase comprises four scalar multiplication operations; the computation cost of the AP in individual authentication phase comprises four scalar multiplications and one bilinear pairing operations; the messages computation cost of the AP in batch authentication phase comprises scalar multiplication and bilinear pairing operations.

In Ji et al.’s scheme, the computation cost of the client in message signing phase comprises three scalar multiplication operations; the computation cost of the AP in the individual authentication phase comprises four scalar multiplications; the messages computation cost of the AP in batch authentication phase comprises scalar multiplication operations.

The proposed CasCP scheme adds a random small integer vector in batch authentication to increase its security. But the increased computational overhead is small; therefore it will not be considered in the computation cost comparison. That is, CasCP’s computation costs in different phase can be considered to be the same as Ji et al.’s scheme. Here it is not presented; please refer to the previous analysis for Ji et al.’s scheme.

On the results of Table 3, the total execution time of the three phases in the four schemes is drawn, shown in Table 4.

The computation cost times of the client in message signing phase of CasCP and Ji et al.’ scheme are 7.728 , which decrease by 49% and 25% when compared with the corresponding computation time of Wu et al.’s scheme and He et al.’ scheme. The computation cost time of AP in individual authentication phase is 7.728 , which decreases by 60% and 46% when compared with the corresponding computation time of Wu et al.’s scheme and He et al.’ scheme. The more intuitive computation cost comparison of the two phases in the four schemes is shown in Figure 4.

The computation cost comparisons of AP in batch authentication phase (assume messages) are illustrated in Figure 5. As shown in Figure 5, our proposed CasCP and Ji et al.’ scheme take an advantage on computation cost than Wu et al.’s scheme and He et al.’s scheme.

According to the former computation cost analysis in batch authentication phase, the proposed CasCP and Ji et al.’s scheme have a clear advantage than the other two schemes. Figure 6 depicts the computation costs in batch authentication phase for the different number of messages of the four schemes. Therefore, CasCP and Ji et al.’s scheme are more efficient than Wu et al.’s scheme and He et al.’s scheme regardless of the number of messages.

In summary, compared with Wu et al.’s scheme and He et al.’s scheme, CasCP and Ji et al.’s scheme have lower computation cost in message signing phase, individual authentication phase, and batch authentication phase.

8.2. Communication Cost Comparison

In the subsection, we analyze the communication cost of the proposed CasCP and the three authentication schemes for WBANs in this subsection.

According to the definitions of the above cryptographic operations, we assume that the size of is 20 bytes, the element in is 40 bytes, and the size of other communication elements in is 20 bytes. For simplicity, message is not included in the comparison.

In Wu et al.’s scheme, the message sent by a client to AP consists of ; the message sent by a client to AP consists of . The messages include four elements in , i.e., (, 403 bytes), and four elements in , i.e., (, 204 bytes); the total size of one communication round is 200 bytes.

In He et al.’s scheme, the message sent by a client to AP consists of ; the message sent by a client to AP comprises . The messages have four elements in , i.e., (, 403 bytes), and two elements in , i.e., (, 202 bytes); the total size of one communication round is 200 bytes.

In Ji et al.’s scheme, the message sent by a client to AP consists of , which has four elements in , i.e., (, 404 bytes), and four elements in , i.e., (, 204 bytes). The message sent by a client to AP consists of . Therefore, the total size of one communication round is 240 bytes.

In CasCP, the message sent by a client to AP consists of , which has three elements in , i.e., (, 403 bytes), and four elements in , i.e., (, 204 bytes). The message sent by a client to AP consists of ; the size of is defined as 20 bytes. Therefore, the total size of one communication round is 200 bytes.

The communication cost comparison results of one communication round between a client and AP are shown in Table 5. Compared with Wu et al.’s scheme and He et al.’s scheme, CasCP has no advantage because the two schemes decrease communication cost by encrypting data. Tip, the encrypted data must be more than 20 bytes that we assumed. Compared with Ji et al.’s scheme, CasCP scheme’s communication cost has decreased by 15.4%.

Overall, CasCP scheme needs less computation cost than Wu et al.’s scheme and He et al.’s scheme. CasCP incurs less communication cost than Ji et al.’s scheme under the premise of solving the security deficiencies of Ji et al.’s scheme, providing conditional privacy-preserving and batch authentication.

9. Conclusion and Future Work

To provide privacy protection, Ji et al. proposed a certificateless authentication scheme for WBANs. However, the security analysis in this paper demonstrates that their scheme cannot be secure against forgery attack and batch authentication attack. To solve the deficiencies, an improved certificateless authentication scheme with conditional privacy-preserving (called CasCP) constructs signature with ECC, without any bilinear pairing operation. CasCP also provides batch authentication function and conditional privacy-preserving. A rigid security proof and analysis prove that CasCP is secure against different level adversary’s attacks, such as adversary and adversary . Compared with similar authentication scheme, CasCP has some advantages in computation and communication cost. Therefore, the proposed CasCP is more suitable for the WBANs.

Although CasCP is efficient and more secure than similar recent proposed schemes, more efficient authentication scheme is more favored, especially lightweight authentication scheme. Therefore, our next work is to study a secure lightweight authentication scheme with batch verification function for WBANs.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

We declare that we do not have any commercial or associative interest that represents conflicts of interest in connection with the work submitted.

Acknowledgments

The work was supported in part by the National Natural Science Foundation of China under Grant 61862052 and the National Natural Science Function of Qinghai Province (2019-ZJ-7065 and 2017-ZJ-959Q).

References

S. Movassaghi, M. Abolhasan, J. Lipman, D. Smith, and A. Jamalipour, “Wireless body area networks: a survey,” IEEE Communications Surveys & Tutorials, vol. 16, no. 3, pp. 1658–1686, 2014.
View at: Publisher Site | Google Scholar
N. Dey, A. S. Ashour, F. Shi, S. J. Fong, and R. S. Sherratt, “Developing residential wireless sensor networks for ECG healthcare monitoring,” IEEE Transactions on Consumer Electronics, vol. 63, no. 4, pp. 442–449, 2017.
View at: Publisher Site | Google Scholar
L. Wu, J. Wang, K.-K. R. Choo, and D. He, “Secure key agreement and key protection for mobile device user authentication,” IEEE Transactions on Information Forensics and Security, vol. 14, no. 2, pp. 319–330, 2018.
View at: Publisher Site | Google Scholar
Z. Fei, B. Li, S. Yang, C. Xing, H. Chen, and L. Hanzo, “A survey of multi-objective optimization in wireless sensor networks: metrics, algorithms, and open problems,” IEEE Communications Surveys & Tutorials, vol. 19, no. 1, pp. 550–586, 2017.
View at: Publisher Site | Google Scholar
P. Kumar, S. Kumari, V. Sharma, A. K. Sangaiah, J. Wei, and X. Li, “A certificateless aggregate signature scheme for healthcare wireless sensor network,” Sustainable Computing: Informatics and Systems, vol. 18, no. 1, pp. 80–89, 2018.
View at: Publisher Site | Google Scholar
Q. Feng, D. He, S. Zeadally, and H. Wang, “Anonymous biometrics-based authentication scheme with key distribution for mobile multi-server environment,” Future Generation Computer Systems, vol. 84, pp. 239–251, 2018.
View at: Publisher Site | Google Scholar
D. He, S. Zeadally, N. Kumar, and J.-H. Lee, “Anonymous authentication for wireless body area networks with provable security,” IEEE Systems Journal, vol. 11, no. 4, pp. 2590–2601, 2017.
View at: Publisher Site | Google Scholar
S. Ji, Z. Gui, T. Zhou, H. Yan, and J. Shen, “An efficient and certificateless conditional privacy-preserving authentication scheme for wireless body area networks big data services,” IEEE Access, vol. 6, pp. 69603–69611, 2018.
View at: Publisher Site | Google Scholar
Q. Jiang, Z. Chen, B. Li, J. Shen, L. Yang, and J. Ma, “Security analysis and improvement of bio-hashing based three-factor authentication scheme for telecare medical information systems,” Journal of Ambient Intelligence and Humanized Computing, vol. 9, no. 4, pp. 1061–1073, 2018.
View at: Publisher Site | Google Scholar
L. Lamport, “Password authentication with insecure communication,” Communications of the ACM, vol. 24, no. 11, pp. 770–772, 1981.
View at: Publisher Site | Google Scholar
M. Li, S. Yu, J. D. Guttman, W. Lou, and K. Ren, “Secure ad hoc trust initialization and key management in wireless body area networks,” ACM Transactions on Sensor Networks, vol. 9, no. 2, article no. 18, 2013.
View at: Publisher Site | Google Scholar
H. Debiao, C. Jianhua, and H. Jin, “An ID-based client authentication with key agreement protocol for mobile client-server environment on ECC with provable security,” Information Fusion, vol. 13, no. 3, pp. 223–230, 2012.
View at: Publisher Site | Google Scholar
A. S. Sangari and J. M. L. Manickam, “Public key cryptosystem based security in wireless body area network,” in Proceedings of the 2014 International Conference on Circuits, Power and Computing Technologies, ICCPCT 2014, pp. 1609–1612, IEEE, Nagercoil, India, March 2014.
View at: Google Scholar
J. Li, X. Chen, M. Li, J. Li, P. P. C. Lee, and W. Lou, “Secure deduplication with efficient and reliable convergent key management,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 6, pp. 1615–1625, 2014.
View at: Publisher Site | Google Scholar
M. Li, W. J. Lou, and K. Ren, “Data security and privacy in wireless body area networks,” IEEE Wireless Communications Magazine, vol. 17, no. 1, pp. 51–58, 2010.
View at: Publisher Site | Google Scholar
X. Li, J. Niu, J. Liao, and W. Liang, “Cryptanalysis of a dynamic identity-based remote user authentication scheme with verifiable password update,” International Journal of Communication Systems, vol. 28, no. 2, pp. 374–382, 2015.
View at: Publisher Site | Google Scholar
C. C. Tan, S. Zhong, H. Wang, and Q. Li, “Body sensor network security: an identity-based cryptography approach,” in Proceedings of the 1st ACM Conference on Wireless Network Security (WiSec '08), pp. 148–153, ACM, Alexandria, VA, USA, March-April 2008.
View at: Publisher Site | Google Scholar
S. S. Al-Riyami and K. G. Paterson, “Certificateless public key cryptography,” in Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, vol. 2894 of Lecture Notes in Computer Science, pp. 452–473, Springer, Taipei, Taiwan, 2003.
View at: Publisher Site | Google Scholar | MathSciNet
G. Zheng, L. Yu, H. Xuan, and C. Kefei, “Two certificateless aggregate signatures from bilinear maps,” in Proceedings of the 8th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD 2007), pp. 188–193, IEEE, Qingdao, China, August 2007.
View at: Publisher Site | Google Scholar
X. Huang, Y. Mu, W. Susilo, D. S. Wong, and W. Wu, “Certificateless signatures: new schemes and security models,” The Computer Journal, vol. 55, no. 4, pp. 457–474, 2012.
View at: Publisher Site | Google Scholar
X. Huang, W. Susilo, Y. Mu, and F. Zhang, “On the security of a certificateless signature scheme,” in Proceedings of the International Conference on Cryptology and Network Security, vol. 3810 of Lecture Notes in Computer Science, pp. 13–25, Springer, Xiamen, China, 2005.
View at: Publisher Site | Google Scholar
K.-A. Shim, “Security models for certificateless signature schemes revisited,” Information Sciences, vol. 296, pp. 315–321, 2015.
View at: Publisher Site | Google Scholar | MathSciNet
D. Boneh, C. Gentry, B. Lynn, and H. Shacham, “Aggregate and verifiably encrypted signatures from bilinear maps,” in Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, pp. 416–432, Springer, Warsaw, Poland, 2003.
View at: Publisher Site | Google Scholar | MathSciNet
L. Zhang and F. Zhang, “A new certificateless aggregate signature scheme,” Computer Communications, vol. 32, no. 6, pp. 1079–1085, 2009.
View at: Publisher Site | Google Scholar
X. Liu, H. Zhu, J. Ma, Q. Li, and J. Xiong, “Efficient attribute based sequential aggregate signature for wireless sensor networks,” International Journal of Sensor Networks, vol. 16, no. 3, pp. 172–184, 2014.
View at: Publisher Site | Google Scholar
L. Zhang, C. Hu, Q. Wu, J. Domingo-Ferrer, and B. Qin, “Privacy-preserving vehicular communication authentication with hierarchical aggregation and fast response,” Institute of Electrical and Electronics Engineers. Transactions on Computers, vol. 65, no. 8, pp. 2562–2574, 2016.
View at: Publisher Site | Google Scholar | MathSciNet
L. Zhang, B. Qin, Q. Wu, and F. Zhang, “Efficient many-to-one authentication with certificateless aggregate signatures,” Computer Networks, vol. 54, no. 14, pp. 2482–2491, 2010.
View at: Publisher Site | Google Scholar
F. Zhang, L. Shen, and G. Wu, “Notes on the security of certificateless aggregate signature schemes,” Information Sciences, vol. 287, pp. 32–37, 2014.
View at: Publisher Site | Google Scholar | MathSciNet
H. Tu, D. He, and B. Huang, “Reattack of a certificateless aggregate signature scheme with constant pairing computations,” The Scientific World Journal, vol. 2014, Article ID 343715, 10 pages, 2014.
View at: Google Scholar
H. Xiong, Z. Guan, Z. Chen, and F. Li, “An efficient certificateless aggregate signature with constant pairing computations,” Information Sciences, vol. 219, pp. 225–235, 2013.
View at: Publisher Site | Google Scholar | MathSciNet
L. Cheng, Q. Wen, Z. Jin, H. Zhang, and L. Zhou, “Cryptanalysis and improvement of a certificateless aggregate signature scheme,” Information Sciences, vol. 295, pp. 337–346, 2015.
View at: Publisher Site | Google Scholar | MathSciNet
D. He, M. Tian, and J. Chen, “Insecurity of an efficient certificateless aggregate signature with constant pairing computations,” Information Sciences, vol. 268, pp. 458–462, 2014.
View at: Publisher Site | Google Scholar | MathSciNet
Y. Wen, J. Ma, and H. Huang, “An aggregate signature scheme with specified verifier,” Journal of Electronics, vol. 20, no. 2, pp. 333–336, 2011.
View at: Google Scholar
G. Hartung, B. Kaidel, A. Koch, J. Koch, and A. Rupp, “Fault-tolerant aggregate signatures,” in Public-Key Cryptography–PKC 2016, vol. 9614, pp. 331–356, Springer, 2016.
View at: Publisher Site | Google Scholar | MathSciNet
D. He, S. Zeadally, and L. Wu, “Certificateless public auditing scheme for cloud-assisted wireless body area networks,” IEEE Systems Journal, no. 99, pp. 1–10, 2015.
View at: Publisher Site | Google Scholar
L. Shen, J. Ma, X. Liu, and M. Miao, “A provably secure aggregate signature scheme for healthcare wireless sensor networks,” Journal of Medical Systems, vol. 40, no. 11, article no. 244, 2016.
View at: Google Scholar
M. Zhang, Y. Zhang, Y. Jiang, and J. Shen, “Obfuscating EVES algorithm and its application in fair electronic transactions in public clouds,” IEEE Systems Journal, pp. 1–9, 2019.
View at: Publisher Site | Google Scholar
Y. Liu and Q. Zhao, “E-voting scheme using secret sharing and K-anonymity,” World Wide Web, pp. 1–11, 2018.
View at: Google Scholar
J. G. Miller, “Culture and the development of everyday social explanation,” Journal of Personality and Social Psychology, vol. 46, no. 5, pp. 961–978, 1984.
View at: Publisher Site | Google Scholar
N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of Computation, vol. 48, no. 177, pp. 203–209, 1987.
View at: Publisher Site | Google Scholar | MathSciNet
D. He, S. Zeadally, B. Xu, and X. Huang, “An efficient identity-based conditional privacy-preserving authentication scheme for vehicular ad hoc networks,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2681–2691, 2015.
View at: Publisher Site | Google Scholar
Y. Xie, X. Li, S. Zhang, and Y. Li, “iclas: an improved certificateless aggregate signature scheme for healthcare wireless sensor networks,” IEEE Access, vol. 7, pp. 15170–15182, 2019.
View at: Publisher Site | Google Scholar
D. He and D. Wang, “Robust biometrics-based authentication scheme for multiserver environment,” IEEE Systems Journal, vol. 9, no. 3, pp. 816–823, 2015.
View at: Publisher Site | Google Scholar
Y. Liu, Y. Wang, X. Wang, Z. Xia, and J. Xu, “Privacy-preserving raw data collection without a trusted authority for IoT,” Computer Networks, vol. 148, pp. 340–348, 2019.
View at: Publisher Site | Google Scholar
D. Pointcheval and J. Stern, “Security proofs for signature schemes,” in Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, vol. 1070 of Lecture Notes in Computer Science, pp. 387–398, Springer, Saragossa, Spain, 1996.
View at: Publisher Site | Google Scholar
L. Wu, Y. Zhang, L. Li, and J. Shen, “Efficient and anonymous authentication scheme for wireless body area networks,” Journal of Medical Systems, vol. 40, no. 6, article no. 134, 2016.
View at: Google Scholar

Copyright

Copyright © 2019 Yong Xie et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1210

Downloads

1151

Citations