Abstract

Wireless Health Monitoring Systems (WHMS) have the potential to change the way health care is delivered and to bring a number of benefits to patients, physicians, hospitals, and society. However, there are crucial barriers not only to transmitting the biometric information but also to protecting the privacy and security of the patients’ information. Key agreement between two entities is an essential cryptographic operation for clearing these barriers. In particular, noninteractive hierarchical key agreement has become an attractive direction in WHMS because each sensor node or gateway has limited resources and power. Recently, a noninteractive hierarchical key agreement scheme was proposed by Kim for WHMS. However, we show that Kim’s scheme is vulnerable to a collusion attack if physicians can be corrupted, which is a more realistic security assumption. Therefore, we propose an improved key agreement scheme that resists this attack. Security proof, security analysis, and experimental results demonstrate that our proposed scheme achieves stronger security and higher efficiency than Kim’s scheme while inheriting its one-round communication and security properties.

1. Introduction

A Wireless Health Monitoring System (WHMS) is a dedicated network environment that supports biometric information acquisition devices in gathering people’s health data anytime and anywhere [1]. Moreover, WHMS is a typical example of using wireless technologies to reduce medical expenses and improve social benefits, such as promptly detecting strokes in patients who live alone [2, 3]. Security and privacy are major concerns in medical activities, and WHMS is no exception [4–6]. To provide privacy and security assurances in WHMS, it is important to provide security services using cryptographic algorithms. Thus, obtaining cryptographic keys is an essential operation for achieving the security goals in WHMS. Several key agreement schemes have been proposed for WHMS applications [5, 7–10].

Noninteractive schemes are becoming a very active direction in sensor networks [11–14] because sensor nodes have limited energy, processing, and storage capabilities. A noninteractive hierarchical key agreement scheme, called the Freshness-Preserving Noninteractive Hierarchical Key Agreement Protocol (FNKAP), was proposed by Kim [8] in 2014. The major advantages of the scheme in Kim [8] are as follows. Firstly, only one round of communication is needed to agree on a session key between two entities. Secondly, FNKAP is claimed to achieve patient anonymity and session key confidentiality, and to resist active and passive attacks. However, we found a flaw in FNKAP when the physicians cannot be trusted. The scheme is not strong enough against a collusion attack by two adversaries, one a physician and the other a patient. More precisely, in order to obtain a specific patient’s electronic medical data, the adversary can pretend to be sick and become a patient of the same physician as the victim in the real world. Then, the adversary bribes any other physician to obtain a physician’s private values. Finally, the adversary can compute the session key and decrypt the victim’s electronic health data freely. Note that a physician can casually expose the private values because the disclosed values are untraceable in Kim’s scheme. As a result, this attack is reasonable and straightforward to carry out.

The contributions of this paper are twofold. First, we show that there is a weakness in FNKAP and describe the specific attack. Second, we propose a noninteractive hierarchical key agreement scheme with enhanced security for WHMS based on pairings. Security proof and analysis show that our scheme strengthens the security of FNKAP and resists the collusion attack. Moreover, theoretical analysis shows that our scheme is more efficient than Kim’s work.

The rest of this paper is organized as follows. We formalize a basic system structure for WHMS in Section 2, where we also give the security model and define the adversary’s abilities. We briefly review Kim’s scheme [8] in Section 3. The weakness of Kim’s scheme is discussed in Section 4. We detail our enhanced hierarchical key agreement scheme in Section 5. We present the analysis of our improvements regarding correctness and security in Section 6. We compare our scheme with Kim’s scheme in terms of functionality and performance in Section 7. Finally, the paper is concluded in Section 8.

2. Preliminaries

We first illustrate the basic system structure of WHMS in this section. Moreover, we introduce the security threats, the security model, bilinear groups, and the mathematical assumptions in turn. Basic notations are provided in the Notations section.

2.1. Basic Structure

As depicted in Figure 1, a typical hierarchical key agreement for WHMS involves five types of parties. They are, namely, the u-Health Server (), the physicians (), the patients (), the gateways (), and the sensor nodes (). There is a hierarchical permission structure from the u-Health Server to the physicians , , to the gateway , of patients and to the sensor node , of the gateway [7, 8].

As the root authority, is responsible for managing the entities’ authorities in WHMS. produces the private keys of entities such as , , and . When wants to use WHMS, his/her and should agree on session keys with the physician (), respectively. Similarly, when wants to send a diagnostic report to , he/she should also agree on a session key with .

2.2. Security Threats

Kim assumes that the physicians are trusted in paper [8]. However, we point out that the scheme should account for the risk of physician corruption, because that is more realistic. In practice, not all physicians are trusted all the time. For example, as reported, staff of a famous hospital sold patients’ personal medical data in the USA [7], and the medical information of 500 patients may have been compromised at a medical center in LA because an employee’s laptop was stolen [15].

Thus, we assume a security model in which the adversary has the following abilities. First, the adversary has full control of the channel and can therefore eavesdrop on, intercept, modify, replay, or inject any data sent over it. Second, the adversary can compromise the secret information of any physician except the victim’s current physician. Third, the adversary can also compromise several sensor nodes and gateways except the victim’s current and .

We aim to achieve the following security goals under the above security threats.

Key Agreement. Two entities establish a session key which is only known by specific entities.

Anonymity and Untraceability. The identities of and should be kept confidential from the adversary and cannot be traced by the adversary.

Resistance to Passive and Active Attacks. The scheme is secure against passive and active attacks.

2.3. Security Model

Inspired by the security model for a noninteractive hierarchical key agreement scheme [11] and the original Bellare-Rogaway key exchange model [16], the security model of our scheme is stated as follows.

Participants. We model the scheme participants as a finite set of fixed size, each being a Probabilistic Polynomial Time (PPT) Turing machine. Each scheme participant may execute a polynomial number of protocol instances in parallel. We refer to the th instance of principal communicating with peer as .

Adversary Model. The adversary is modeled as a PPT Turing machine, is given all public parameters of the system, and can access the oracles by issuing the following queries:

(i) The adversary sends the message to the session executed by communicating with . Since our proposal is a noninteractive scheme, the query does not need to be responded to.

(ii) The adversary names a node and obtains all the secret values held by the node. Neither the patient’s gateway and sensor nodes named in the test query nor any of their ancestors can be corrupted in this way.

(iii) On this query, the system returns the session key to the adversary . The session between the target patient’s facilities (a gateway and sensor nodes) and the physician cannot be revealed.

(iv) Only one query of this form is allowed for the adversary . The adversary names and and executes this query at any time. Then, a value is returned as follows. A bit is chosen at random in . If , the adversary gets the secret key shared between the two nodes, and if , it gets a key chosen at random from the set of all possible shared keys.

Definition 1 (HKA-security). As a function of the security parameter , we define the advantage of the PPT adversary in attacking the scheme as

Here, is the probability that the adversary queries and outputs a bit such that is the bit used by the test query. We call a hierarchical key agreement scheme HKA secure if, for any PPT adversary , the function is negligible.

2.4. Bilinear Groups

Definition 2 (bilinear map). is an additive cyclic group of prime order and is a multiplicative cyclic group of prime order . The bilinear pairing is a map with the following properties [17].

Bilinearity. For all and , we have .

Nondegeneracy. The map does not send all pairs in to the identity in .

Computability. There exists an efficient algorithm to compute for all .

2.5. Mathematical Assumptions

The mathematical assumptions used in the paper are listed as follows.

Definition 3 (Elliptic Curve Discrete Logarithm Problem, ECDL problem). Suppose is an elliptic curve over a finite field . Given to find the , is believed to be hard [18].

Definition 4 (Bilinear Diffie-Hellman Problem, BDH problem). BDH problem is defined as follows. There is a bilinear map . Given for , to compute the is believed to be hard [17].

Definition 5 (Decisional Bilinear Diffie-Hellman Problem, DBDH problem). DBDH problem is defined as follows. There is a bilinear map . Given for , to differentiate the and is believed to be hard [17].

2.6. Notations

To provide a quick reference, the basic notations used in the paper are listed in the Notations section.

3. Review of Kim’s Scheme

In this section, we briefly review Kim’s key agreement scheme [8], which consists of three phases: System Initialization Phase, Physician and Patient Registration Phase, and Noninteractive Key Agreement and Secure Communication Phase.

3.1. System Initialization Phase

generates two groups and of prime order with a bilinear map . Also, it chooses a cryptographic hash function . After that, picks four random numbers as the master private keys. Then, computes an amplified identity and a public key . Finally, keeps the master private keys and the amplified identity, securely.

3.2. Physician and Patient Registration Phase

Before providing service, the patient and his/her physician must register with . Here, the statement denotes that receives a message from via a secure channel. The Physician and Patient Registration Phase is shown in Figure 2.

Step R1 (). When a physician wants to become a legal e-medical physician, he/she sends his/her identity to via a secure channel. Then, validates the identity . If the validation succeeds, sends . Here, . Finally, stores the received information securely.

Step R2 ( and ). When a patient of wants to use the service in the WHMS, he/she should register his/her gateway and sensor nodes , with . validates the identity submitted by . If the validation succeeds, receives the gateway’s identity and the sensor nodes’ identities , . Then, sends and to them via a secure channel. Here, and are computed as follows:

Finally, and store their received information securely.

3.3. Noninteractive Key Agreement and Secure Communication

In this phase, the sensor node and the gateway of the patient and the physician agree on fresh session keys for establishing a secure communication channel. Here, the statement denotes that receives a message from via an insecure channel. The Noninteractive Key Agreement and Secure Communication phase is shown in Figure 3.

Step K1 (). chooses a random number and computes . The fresh session key is computed as follows:

Then, computes and , where is the data collected by .

Step K2. When is authenticated by , he/she can check the data of the patient . computes the fresh session key as follows:

Then, computes . Only if is equal to does assure the correctness of . Then, decrypts to get by using the key .

Step K3 (). When wants to send the electronic health report to , he/she chooses a random number and computes . computes the fresh session key as follows:

In addition, computes and . Here, is the electronic health report composed by .

Step K4. When is authenticated by , he/she can receive the report of the patient from . computes the fresh session key as follows:

Then, computes . Only if is equal to does assure the correctness of . Then, decrypts to get by using the key .

4. Security Analysis of Kim’s Scheme

The author of [8] proposed a noninteractive, freshness-preserving key agreement scheme for WHMS. Under our security model, the scheme has a weakness, as explained in the following subsection.

4.1. Security against Collusion Attack

We now demonstrate that Kim’s scheme is vulnerable to the collusion attack as claimed. One adversary has registered as a legal physician , and the other adversary has registered as a normal patient , as shown in Figure 4. The adversaries can obtain the electronic health data of any patient who is diagnosed by the same physician as the adversary . The adversaries attack a patient as follows.

Step A1. Assume that is an attacker who has registered as a physician in , and then he/she can legally receive a private key set from (Step R1). Then, sends a part of private key set to .

Step A2. is an adversary who has registered as a patient of the physician . He/she can legally receive a secure data set and a private key set of his/her gateway from (Step R2).

Step A3. Suppose is a sensor node of the victim that sends information through the gateway . is diagnosed by the same physician as . When runs Step K1, the adversary can intercept the data because the communication between and is insecure.

Step A4. When sends the electronic health report to in Step K3, the adversary can intercept the data because the communication between and is also insecure.

Step A5. can compute the session keys after the above steps. received from in Step A1. Then, he/she obtained and in Step A2. Moreover, the information and was intercepted in Steps A3 and A4, respectively. Therefore, can compute the same session keys and as follows:

Step A6. decrypts and to obtain the victim’s medical information using the session keys and , respectively.

5. Our Proposed Scheme

In this section, we propose an improved scheme that overcomes the flaw of Kim’s scheme described in Section 4. Our construction is inspired by the practical noninteractive key distribution scheme in [12] and by Kim’s paper [8]. Our scheme consists of four operational phases: Setup Phase, Key Generation Phase, Key Agreement from to Phase, and Key Agreement from to Phase. The details are described as follows.

5.1. Setup Phase

In this phase, the u-Health Server , as the Private Key Generator (PKG), takes as inputs a security parameter and the maximal number of the physicians . Then, outputs the system public parameters and the master private key sets . publishes and keeps private.

As in identity-based cryptography, generates two groups and of prime order with a bilinear map . Unlike Kim’s scheme, it chooses three cryptographic hash functions , , and . After that, generates random numbers and selects a random generator . Finally, keeps the master key secret and publishes , . Here, is used to verify the correctness of the secret key sets.

It is important to note that, although our proposal increases the storage space because of the values , there is a one-to-one mapping between a physician and a value . In addition, the list of physicians must be stored in anyway. Thus, we can use this mapping to reduce the storage space. For instance, obtains the list of registered physicians. Then, chooses a secret hash function and a random initial value . Finally, can apply the hash function times to obtain the secret value . In this way, only needs to store the selected hash function and the initial value secretly. On the one hand, this saves storage by using the hash function; on the other hand, it increases the computing cost. To balance computing cost against storage space, can store not only the initial value but also some intermediate values . We present the scheme using the secret values , to simplify the analysis.
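The hash-chain trade-off described above, as an added example in Python that is not part of the paper: the u-Health Server keeps only the secret initial value plus every k-th intermediate value as a checkpoint, and re-derives the secret of the i-th physician on demand. SHA-256 as the secret hash function, the checkpoint spacing k, and the index convention (physician i gets the i-fold hash of the initial value) are assumptions made for this example.

```python
import hashlib
import secrets
from typing import Dict, List


def next_secret(prev: bytes) -> bytes:
    """One step of the chain: s_{i+1} = H(s_i). SHA-256 is an assumed choice of H."""
    return hashlib.sha256(prev).digest()


class PhysicianSecretStore:
    """Derives per-physician secret values s_1 .. s_n from one initial value s_0.

    Instead of storing all n secrets, the server keeps s_0 plus every k-th
    intermediate value, so recovering any s_i costs at most k-1 hash evaluations.
    Caveat: because the chain only runs forward, a leaked checkpoint s_j exposes
    s_j, s_{j+1}, ..., s_n, so every stored value needs the same protection as s_0.
    """

    def __init__(self, s0: bytes, n_physicians: int, checkpoint_every: int) -> None:
        if checkpoint_every < 1 or n_physicians < 1:
            raise ValueError("need at least one physician and a positive checkpoint spacing")
        self.n = n_physicians
        self.k = checkpoint_every
        self.checkpoints: Dict[int, bytes] = {0: s0}
        cur = s0
        # Walk the chain once at setup, remembering every k-th value.
        for i in range(1, n_physicians + 1):
            cur = next_secret(cur)
            if i % checkpoint_every == 0:
                self.checkpoints[i] = cur
        self.hash_calls = 0  # instrumentation only, to expose the compute/storage trade-off

    def secret_for(self, i: int) -> bytes:
        """Return s_i = H^i(s_0) for physician index i (1-based)."""
        if not 1 <= i <= self.n:
            raise IndexError(f"physician index {i} out of range 1..{self.n}")
        start = (i // self.k) * self.k  # nearest checkpoint at or below i
        cur = self.checkpoints[start]
        for _ in range(start, i):
            cur = next_secret(cur)
            self.hash_calls += 1
        return cur

    def stored_values(self) -> int:
        """Number of chain values the server actually keeps (s_0 plus checkpoints)."""
        return len(self.checkpoints)


def full_table(s0: bytes, n: int) -> List[bytes]:
    """Reference: the straightforward approach that stores all n secrets s_1 .. s_n."""
    table = []
    cur = s0
    for _ in range(n):
        cur = next_secret(cur)
        table.append(cur)
    return table


def demo(n: int = 1000, k: int = 50) -> dict:
    """Check on-demand derivation against the full table and report the trade-off."""
    s0 = secrets.token_bytes(32)  # the server's secret initial value (constructed here)
    store = PhysicianSecretStore(s0, n, k)
    table = full_table(s0, n)
    # Every on-demand derivation must agree with the stored-table reference.
    all_match = all(store.secret_for(i) == table[i - 1] for i in range(1, n + 1))
    return {
        "all_match": all_match,
        "stored_with_checkpoints": store.stored_values(),
        "stored_full_table": n,
        "max_hash_calls_per_lookup": k - 1,
    }


if __name__ == "__main__":
    print(demo())
```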

5.2. Key Generation Phase

In this phase, takes the identity as input and outputs a secret key set . Moreover, takes his/her secret key set and the identities and as inputs and outputs two secret key sets and , respectively.

Step 1. A physician , submits his/her identity to for registration. If the identity of is validated, computes , , and a private key set of , as follows:

In addition, packs a data package containing the private key set and the two amplified identities and delivers it to via a secure channel. Here, the secure channel could be a smart card passed by a trusted person. Finally, keeps the received information securely.

Step 2. When a patient visits a clinic, he/she and the physician decide to use the WHMS to monitor the patient’s health. The patient submits his/her identity and the identities of the gateway and sensor nodes to for registration. If the patient’s identity is validated, generates a random value and computes the amplified identities and . computes the private key sets of and as follows:

Next, packs a data package containing the private key set and three amplified identities and delivers it to via a secure channel. Furthermore, packs a data package containing the private key set and delivers it to via a secure channel. Finally, and store their received information in a secure area, respectively.

5.3. Key Agreement from SN to PH Phase

In this phase, a sensor node of the patient makes a connection with the physician . The sensor node and the physician achieve a key agreement.

Step 1. When a sensor node wants to upload the patient’s medical data, chooses a random number and computes using its amplified identity . The session key is calculated as follows:

Then, computes and . Here, is the data collected by and is the current timestamp. Finally, sends a message package to .

Step 2. After receiving the data package , verifies whether the timestamp is within the valid time window for communication. If it is invalid, the key agreement terminates. Otherwise, can verify the package by checking the following:

Only if is equal to the value included in does accept that the package came from the sensor node and send a notice to . Finally, stores the package in its database.

Step 3. When is authenticated by , he/she can check the data of the sensor node . computes the fresh session key as follows:

In addition, computes using the information in . Only if is equal to does assure the correctness of and decrypt to get by using the key .

5.4. Key Agreement from PH to GW Phase

In this phase, the physician makes a connection with a patient’s gateway , and they agree on a fresh session key for communication.

Step 1. When wants to communicate with , for example to send the electronic health report, he/she chooses a random number and computes . computes the fresh session key as follows:

In addition, computes and . Here, is the electronic health report composed by , and is the current timestamp. Finally, sends a message package to .

Step 2. After receiving the data package , checks the validity of the timestamp . If it has grown stale, quits the session. Otherwise, can verify the package by checking the following:

Only if is equal to the value included in does accept that the package came from the physician and send a notice to . Finally, stores the package in its database.

Step 3. When is authenticated by , he/she can get the report of the patient from . computes the fresh session key as follows:

Then, computes . Only if is equal to does assure the correctness of and decrypt to get by using the key .

6. Correctness and Security

In this section, we present the correctness of our improved scheme. Then, we show through security analysis that our enhanced key agreement scheme overcomes the two security weaknesses of FNKAP identified in our security analysis.

6.1. Correctness

We verify the correctness of key agreement in our scheme as follows:

Thus, the agreed session keys , , and computed by , , and are equal. In the same way, we show that is equal to , because is equal to and :

6.2. Security Proof

In the following, we show that our scheme is provably secure under the DBDH assumption in the random oracle model. We treat , , and as three random oracles.

Theorem 6. Let and be two groups of order and be a bilinear map that together satisfy the DBDH assumption. Let the hash functions , , and used in the scheme be modeled as random oracles. Then, provided the DBDH assumption holds, the proposed scheme is a secure key agreement scheme in our security model.

Proof. Suppose an adversary is an attack algorithm that breaks our scheme with probability ; we show how to use the ability of to build an algorithm that solves the DBDH problem with probability at least . Thus, ’s advantage must be negligible because the DBDH assumption holds.

We refer to as “the simulator” because it simulates a real attacking environment for . is initialized with the DBDH parameters and the points , , and . The idea of the proof is that embeds the DBDH problem into the queries issued by . Since the hash function is modeled as a random oracle, after the adversary issues the test query, there are only two non-negligible cases in which it can distinguish the tested session key or from a random string.

Case 1 (key-replication attack). The adversary forces a nonmatching session to have the same session key as . In this case, the adversary can get the session key by querying the nonmatching session. However, the input of the hash function includes the entities’ identities and the random nonce. Furthermore, these values and a timestamp are integrity-protected by . For example, in Step 1, the session key includes the identities and and the random nonce , and the verification value includes them together with the timestamp . Therefore, two nonmatching sessions cannot have the same values and when and are modeled as random oracles, so the success probability of a key-replication attack is negligible.

Case 2 (forging attack). The adversary queries on the value or in the test query. Obviously, in this case the adversary can compute the value or by itself.

In the following, we mainly analyze the Case 2 forging attack. The simulator uses to turn ’s advantage in distinguishing the tested session key from a random string into an advantage in solving the DBDH problem. During the game, has to answer all queries of .

Setup. simulates the Setup algorithm as follows. starts by choosing the security and public parameters for our scheme using its input DBDH parameters and . also chooses a random master key set from , as the PKG would do. Using these keys, sets the random generator , and then ’s public parameters are . invokes the adversary , providing it with the public parameters . Note that the DBDH parameters have been embedded in the game and the simulator has no knowledge of the value . With probability at least , guesses the patient and physician that the adversary will select. With probability at least , guesses the session that the adversary will choose as the test session.

Queries. When the adversary makes his/her queries, the simulator answers them in arbitrary order as follows. Note that , , and are the guessed victim’s physician and devices.

In order to enhance the simulation’s fidelity, maintains an initially empty list of tuples . When queries the oracle with input , responds as follows.

(i) checks the list ; if and are already there, responds with the stored value .

(ii) Otherwise, if and , randomly chooses and computes . Then, it inserts into . Finally, it responds with .

(iii) Otherwise, if , randomly chooses and computes the value . Then, it inserts into . Here, . Finally, it responds with .

(iv) Otherwise, if , randomly chooses and computes the value . Then, it inserts into . Here, . Finally, it responds with .

(v) Otherwise, randomly chooses , computes , and inserts into the list. Finally, it responds with .

The simulator maintains an initially empty list with entries of the form . When queries the oracle with input , the simulator responds as follows.

(i) checks the list ; if is already there, responds with the value .

(ii) Otherwise, randomly chooses and sends back the value to . Finally, stores the new tuple in the list .

The simulator maintains an initially empty list with entries of the form . The simulator responds to these queries as follows.

(i) checks the list ; if is already there, responds with the value .

(ii) Otherwise, randomly chooses and sends back to . Finally, stores the new tuple in the list .

When receiving this query, responds as follows.

(i) If is the target physician or the target patient’s gateway or sensor nodes, aborts the game.

(ii) Otherwise, if is a physician , looks in for the entries and . Then, returns .

(iii) Otherwise, if is a patient’s , looks in for the entries , , and . Then, returns .

(iv) Otherwise, if is a physician , the simulator looks in for the entries , , , and . Then, returns .

Since and are random oracles, the adversary cannot alter the communication messages. The simulator therefore only needs to store the values according to the scheme. Moreover, the parameters are included in the data , which can be found in the lists and .

maintains a list with tuples of the form . The simulator responds to the query as follows.

(i) If and are the target physician and the target patient’s gateway or sensor nodes, aborts the game.

(ii) Otherwise, if is the target physician and is not one of the target patient’s facilities, responds as follows:

(a) If is the identity of a gateway, computes . Then, finds the value in and returns as the response.

(b) Otherwise, must be the identity of a sensor node; the simulator computes . Then, finds the value in and returns as the response.

(iii) Otherwise, if is another physician and is one of his/her patient’s facilities, responds as follows:

(a) If is the identity of a gateway, computes . Then, finds the value in and returns as the response.

(b) Otherwise, must be the identity of a sensor node; computes . Then, finds the value in and returns as the response.

issues a test query. Suppose the identity tuple of the first node is and the second target node is or .

(i) If and do not belong to our guessed victims and , aborts the game.

(ii) Otherwise, queries , , , and .

(a) If , computes .

(b) Otherwise, computes .

looks in the list and returns the value or to the adversary .

The test query is answered by with its DBDH input or . Consider the following two cases:

(i) If , since in the DBDH instance, then

Thus, the response by corresponds to the real values and .

(ii) If , since is random, the response by to the test query of is a random element in .

If the adversary succeeds in obtaining the session key or , it can distinguish the value or from a random value and outputs the correct bit or . can then give the correct answer to the DBDH problem by using ’s output.

The success probability of is

Here, is the probability that the adversary succeeds in launching the attack, and is the polynomial bound on the number of the adversary ’s queries.

If the adversary succeeds in attacking our scheme with nonnegligible probability, we can also solve the DBDH problem with nonnegligible probability. Thus, the security of our scheme reduces to the DBDH problem.

6.3. Security Analysis

In the following, we directly analyze how our proposed scheme achieves entity anonymity and untraceability and resists the collusion attack, and whether the security requirements are satisfied.

Proposition 7. The proposed scheme can resist the replay attack.

Proof. It should be noted that our proposed scheme inherits the structure of FNKAP. We also use the random numbers and to achieve key freshness. The adversary cannot compute , from and because of the difficulty of the ECDL problem. Moreover, the proposed scheme resists the replay attack in the following scenarios. An adversary cannot replay the data package to cheat and . During the Key Agreement from SN to PH Phase, when receives a data package , it checks the timestamp against the current time. If the data package is a replay, will detect it. Moreover, if the adversary changes the timestamp in , will detect this by checking the equation , because the adversary cannot obtain the session key . Similarly, an adversary cannot replay the data package to cheat and . During the Key Agreement from PH to GW Phase, when receives a data package , it checks the timestamp against the current time. If the data package is a replay, will detect it. Moreover, if the adversary changes the timestamp in , will detect this by checking the equation , because the adversary cannot know the session key .

Proposition 8. The proposed scheme can provide basic forward secrecy.

Proof. To establish a session key between SN and PH, and use a different for each session. Thus, even if the current session key is disclosed, an adversary cannot obtain any information about . In other words, the adversary gains no additional advantage in guessing a previous key , even if he/she knows the current key . Similarly, because is equal to , the adversary gains no advantage in guessing a previous key between PH and GW, even if he/she knows the current key . Thus, our proposal provides basic forward secrecy.

Proposition 9. The proposed scheme can prevent fraud attack.

Proof. Our proposal provides mutual authentication between and , and between and . The proposed scheme prevents the fraud attack in the following scenarios. An adversary cannot impersonate to cheat . can authenticate by verifying in Step 3. Since the adversary cannot obtain or , he/she cannot compute , , or . Thus, the adversary cannot obtain and , and consequently cannot generate a valid verifier for . An adversary cannot impersonate to cheat . Similarly, can authenticate by verifying in Step 3. Since the adversary cannot obtain or , he/she cannot compute , , or . Thus, the adversary cannot obtain and , and consequently cannot generate a valid verifier for .

Proposition 10. The proposed scheme can provide entity anonymity and untraceability.

Proof. In the proposed scheme, the adversary can obtain the amplified identities , , , and instead of , , , and in Steps K1 and K3. Here, and are large random numbers in . Therefore, the adversary cannot check whether a guessed identity is correct by testing all possible identities without the secret values and . For example, to guess , the adversary would have to guess the values of and at the same time. Suppose the identity consists of bits; it is infeasible for the adversary to launch an exhaustive search over possible solutions. Here, is the group order of , which is a large number. In particular, if the physicians reregister periodically, is refreshed regularly, so the risk of corruption is further reduced to . Moreover, is also a large random number in , and each patient has a different value; even for the same patient, the value differs across diagnoses. For the same reason, the adversary cannot learn the identities of and or trace them. Furthermore, it is also intractable to derive the identity from , , , and because is a secure one-way cryptographic hash function. Thus, our proposal achieves anonymity and untraceability.

Proposition 11. The proposed scheme can withstand the collusion attack.

Proof. In our proposal, distributes a different secret value to each physician . Thus, the adversary physician and his/her patients cannot directly obtain the victim's information , . Furthermore, an adversary who has registered as a normal patient of the physician can legally obtain from . However, he/she cannot obtain or from unless he/she can solve the ECDL problem. Similarly, the adversary cannot obtain from because of the hardness of the ECDL problem. Hence, our scheme invalidates the attack conditions of Steps A1 and A2 in Section 4, so the adversary cannot generate the session keys and . Furthermore, an insider adversary who wants to attack the key agreement from SN to PH would need the secret information about . The adversary receives at most ; he/she cannot recover from it unless he/she can solve the ECDL problem. Similarly, an insider adversary cannot attack the key agreement from PH to GW, because he/she cannot obtain the value . Thus, our proposal resists the collusion attack.

7. Functionality and Performance Comparison

In this section, we first compare the security and functionality of our scheme with FNKAP, and then compare their communication and computation costs.

7.1. Functionality Comparison

As shown in Table 1, our scheme provides all the functionality of [8] and additionally resists the collusion attack. We therefore conclude that the proposed scheme achieves a higher security level than FNKAP.

7.2. Performance Comparison

To compare the actual computational costs, we implemented our scheme and Kim's scheme with the JPBC Library (Java Pairing-Based Cryptography Library [19]) on an ARM platform and on a desktop platform. The detailed parameters of the platforms are listed in Table 2. To approximate the WHMS environment, the weak processing ability is simulated on an Android smartphone (HTC M7) running Android 4.1 with a Snapdragon APQ8064 at 1.7 GHz, and the powerful processing ability is simulated on a desktop computer running Windows 7 with an Intel Core i5-3470.

Table 3 summarizes the elliptic curve and pairing parameters used with JPBC. We use a 512-bit elliptic curve to evaluate our scheme on both platforms. In Table 4, the top row gives the results on the ARM platform and the second row the results on the desktop platform. All experimental results are averaged over 10 independent runs.

To provide a detailed comparison, we time the basic operations in , , and separately. The time of a pairing computation is denoted by . The time of a hash operation is denoted by . The time of a multiplication in , , and is denoted by , , and , respectively. The time of an addition in and is denoted by and , respectively. The time of an exponentiation in is denoted by . Note that the hash operation is the cheapest because it requires very little computation, whereas the pairing operation is by far the most expensive.

Tables 5 and 6 compare our scheme with Kim's scheme. In Tables 5 and 6, the notation denotes the unit length of an identity and the notation the unit length of a private key. First, to achieve session key freshness, we keep the one-round communication of FNKAP for exchanging a random value or . Second, our scheme increases the randomness of the amplified identity to resist the passive offline attack; the amplified identity space is nevertheless the same as in FNKAP, because the amplified identity is still a hash value. Third, the private key space of and decreases because we reduce the redundant private key information to and . This also lowers the risk of insider attack, because only knows all of the secret information. Fourth, the computation time of our scheme is about half that of FNKAP because we halve the number of pairing operations. Finally, we should point out that the computation and storage costs of our scheme for are higher than those of Kim's work: must choose and store more random numbers than in FNKAP, and additional multiplications in are required in the Initial Phase. These additions increase only the computation cost and storage requirement of , and has ample computing and storage capacity because the u-Health Server is usually a server cluster. Furthermore, the extra computation occurs only in the Initial Phase. For the resource-limited entities and , the computation and storage requirements do not increase; in fact, they decrease. Thus, the scheme is practical for key agreement in WHMS.

Our proposed scheme inherits the advantages of Kim's hierarchical scheme in WHMS while providing security against the collusion attack in our security model. Furthermore, it preserves the low computation cost and small private key space in and compared to FNKAP. Therefore, it is a hierarchical key agreement scheme with enhanced security and the noninteractive property, suitable for application in WHMS.

8. Conclusions

In this paper, we have shown that Kim's work [8] has a security weakness under a practical security model in which physicians can be corrupted. The flaw stems from the fact that the physicians' parts of the private key are identical, so an adversary acting as a legitimate physician can acquire a patient's entire private information. To fix this, we proposed an authenticated key agreement scheme that randomizes each physician's private key. Moreover, we have reduced the number of private keys and the number of bilinear pairing operations, so the performance of our scheme is better suited to the WHMS environment than Kim's work. We also prove the security of our scheme: the proof shows that the proposed scheme is secure under the DBDH assumption in the random oracle model.

Notations

:The th physician
:The th physician’s th patient
:The u-Health Server
:The ’s gateway
:The ’s th sensor node
:The identity of an entity
:The amplified identity of
and :The session key established between two entities
, , , and :The cryptographic hash functions
:Encryption of a message using a symmetric key
:Multiplication operator
:Concatenation operator.

Competing Interests

The authors declare that they have no competing interests.

Acknowledgments

The authors thank Dr. Jianghong Wei, Dr. Haosu Cheng, Dr. Hui Lu, and Dr. Honghao Zhao for their support. This paper is supported by the National Key Basic Research Program (973 Program) through Project 2012CB315905, by the Natural Science Foundation through Projects 61370190, 61272501, 61173154, 61402029, and 61003214, and by the Beijing Natural Science Foundation through Projects 4132056 and 4122041.