Security and Communication Networks

Special Issue: Privacy and Security of Information Processing in Industrial Big Data and Internet of Things

Research Article | Open Access

Volume 2019 | Article ID 5860286 | https://doi.org/10.1155/2019/5860286

Yong Xie, Songsong Zhang, Xiang Li, Yanggui Li, Yuan Chai, "CasCP: Efficient and Secure Certificateless Authentication Scheme for Wireless Body Area Networks with Conditional Privacy-Preserving", Security and Communication Networks, vol. 2019, Article ID 5860286, 13 pages, 2019. https://doi.org/10.1155/2019/5860286

CasCP: Efficient and Secure Certificateless Authentication Scheme for Wireless Body Area Networks with Conditional Privacy-Preserving

Guest Editor: Mingwu Zhang
Received 06 Mar 2019
Accepted 24 Apr 2019
Published 04 Jun 2019

Abstract

As the aging of society continues to intensify, the problems it brings are becoming more and more serious. Because the health problems of the elderly cause many social problems, people have paid close attention to them. Fortunately, as a typical smart healthcare system, wireless body area networks (WBANs) offer very good medical care for people, especially the aged. However, personal health information is very sensitive, while WBANs communicate over a public channel on which any malicious entity can launch a security attack. To ensure the secure communication and privacy-preserving that are the premise of the sound development of WBANs, this paper proposes an improved and efficient certificateless authentication scheme with conditional privacy-preserving, based on an analysis of the most recently presented certificateless authentication scheme for WBANs. The proposed scheme also provides batch authentication to decrease authentication and communication cost. A rigorous security proof demonstrates that our proposed scheme resists every type of security attack and provides conditional privacy-preserving. The performance analysis shows that our proposed scheme has advantages in computation and communication cost.

1. Introduction

Nowadays, the population growth rate in many countries around the world is decreasing, and most of these countries have gradually entered an aged society. The World Health Organization (WHO) has predicted that human life expectancy will reach 75 years old in 2030, and that about 80 million people will be 60 years old in America and 430 million in China by 2050 [1]. Sociologists have pointed out that the aging population structure will put tremendous pressure on all aspects of society, especially healthcare.

In order to provide comprehensive and accurate care for the elderly, researchers have launched various research efforts on smart healthcare. With the rapid development of wearable sensors, especially health sensors, wireless body area networks (WBANs) have profound significance for improving the health monitoring of the elderly [2]. The information technologies used in WBANs can be applied well to medical services [3]. In a WBAN, the client’s information, such as weight trend, diet, food intake, hematologic and biochemical parameters, respiratory rate, cardiac status, blood data, etc., is transmitted from the body sensors to the corresponding medical service application providers (AP) by wireless communication. The client’s doctor receives this information promptly and provides timely treatment based on it [4, 5]. The scenario in which sensor nodes collect the client’s real-time physiological data and send it to the AP, i.e., a typical WBAN-based smart medical service, is depicted in Figure 1.

However, the security and privacy issues in WBANs are very serious and deserve close attention. It is well known that private personal health information is very sensitive; its leakage may cause serious problems such as family conflicts, corporate crises, and even state instability [6]. The health data are sent to the AP through an insecure communication channel and are easily exposed to interception, eavesdropping, modification, and other attacks. The security of health data is critical to the patient, as forged health data results in a doctor’s misdiagnosis and may even endanger the life of a patient. If WBANs cannot provide strong security protection measures, clients’ personal health information cannot be effectively protected, clients will no longer trust WBANs, and people will no longer accept them. Then, WBANs cannot develop further and cannot achieve the goal of smart medical care [7].

In order to meet the challenges of security and privacy protection in WBANs, many researchers have made continuous efforts and obtained some research results on WBAN authentication schemes. One important approach is digital signature and data encryption. PKI-based and identity-based authentication schemes have been adopted in WBANs for a long time. But PKI-based authentication schemes cause heavy certificate management, and identity-based authentication schemes have the inevitable problem of key escrow. To solve this issue, certificateless authentication technology has been introduced to WBANs and presents good application prospects. Recently, Ji et al. [8] proposed an efficient certificateless authentication scheme for WBANs. Ji et al. presented a security analysis to show that their scheme is secure against all kinds of security attacks. However, their scheme cannot resist the forgery attack and the batch authentication attack, as demonstrated in Section 5 of this paper. To the best of our knowledge, no universally accepted effective and secure authentication scheme for WBANs has been proposed, especially one constructed using certificateless public key cryptography [9]. Because of the strong privacy protection requirements of health data, the limited communication channel, the limited computing power, and the fully open wireless communication environment, it is a huge challenge to build an efficient and secure certificateless authentication scheme for WBANs.

1.1. Motivations and Contributions

On reviewing Ji et al.’s certificateless authentication scheme [8], we decided to fix its security deficiencies while keeping its high efficiency in the message signing phase and authentication phase. In this paper, we present an improved and secure certificateless authentication scheme with conditional privacy-preserving (called CasCP). CasCP constructs its signature and authentication algorithms using elliptic curve cryptography (ECC) and no longer needs the complex bilinear pairing operation. To sum up, there are three major contributions in our proposed scheme.

First, we present an improved and secure certificateless authentication scheme with conditional privacy-preserving. The proposed scheme includes five key phases for WBANs.

Second, we present a rigorous security proof and a detailed security analysis. They show that CasCP is secure against all known security attacks and provides conditional privacy-preserving.

Third, the performance analysis shows that CasCP requires less computational and communication costs than recent similar schemes.

1.2. Organization of the Paper

The rest of the paper is arranged as follows. Related works and preliminaries are presented in Sections 2 and 3. Section 4 shows the system model and security requirements. Ji et al.’s certificateless authentication scheme is reviewed and analyzed in Section 5. Next, CasCP is proposed in Section 6. The security proof and performance analysis are presented in Sections 7 and 8. Finally, the paper is concluded.

2. Related Works

In order to provide secure communication in WBANs, there are many security requirements. Among all of them, remote authentication is the most basic and important. In 1981, Lamport proposed the first remote authentication scheme [10], which allows a mobile user to authenticate with a server through a public channel and generate a session key to encrypt the subsequent session. Since then, more and more remote authentication schemes have been proposed for different environments.

Some works [11–15] are constructed on the traditional public key cryptosystem (PKC). But there are many difficulties in the establishment, implementation, and management of a traditional PKC system. In order to solve the problems of the traditional PKC system for WBANs, some researchers have proposed mutual authentication schemes using identity-based public key cryptography [16, 17]. In this way, these authentication schemes avoid the difficulties of the traditional PKC system. However, there is another thorny problem, the key escrow problem: if the key generation center is compromised, the whole system goes out of control.

In 2003, Al Riyami et al. [18] proposed certificateless cryptography, which eliminates the key escrow problem of identity-based PKC. Based on this work [18], scholars have proposed many secure authentication schemes [19, 20] using certificateless cryptography. In 2005, Huang et al. [21] proposed an improved scheme over Al Riyami et al.’s [18] that avoids its security leaks. Huang et al. [20] proposed two certificateless signature schemes under a three-kind-adversary security model. However, it has been pointed out that their scheme cannot resist key replacement attacks [22].

To decrease authentication and communication cost, Boneh et al. [23] presented a certificateless authentication scheme with batch authentication in 2003. Batch authentication has been widely used for the Internet of Things and other wireless networks, including WBANs. Without doubt, new security issues of batch authentication technology are unavoidable. Until now, researchers have proposed many batch authentication schemes for WBANs and other wireless networks [24–26]. Building on the computational complexity of pairing, batch authentication and aggregate signature schemes [27–29] have been presented using bilinear pairing. Xiong et al. [30] proposed an aggregate signature and batch authentication scheme that does not use clock synchronization and needs less computation cost than Zhang et al.’s [27] scheme. But an adversary can successfully launch a forgery attack on Xiong et al.’s scheme [31, 32]. Wen et al. [33] constructed an aggregate signature scheme using bilinear pairing with a designated verifier. Hartung et al. [34] presented another fault-tolerant batch authentication scheme. Tu et al. [29] proposed a revised authentication scheme to solve the security deficiencies of Xiong’s scheme [30]. He et al. [35] presented a new certificateless authentication scheme for WBANs. Unfortunately, the foregoing schemes have more or less security deficiencies; some schemes cannot resist security attacks in batch authentication [36–38].

Most recently, Ji et al. [8] proposed a certificateless conditional privacy-preserving authentication scheme using elliptic curve cryptography (ECC) for WBANs. Their scheme has a clear advantage in computation performance compared with the earlier certificateless schemes using bilinear pairing. They claimed that their scheme provides conditional privacy-preserving and resists all kinds of security attacks. However, we demonstrate that a common adversary can successfully launch a forgery attack in both individual authentication and batch authentication. To solve the deficiencies of Ji et al.’s authentication scheme, we propose an improved certificateless authentication scheme with conditional privacy-preserving.

3. Preliminaries

3.1. Elliptic Curve Cryptosystem (ECC)

In 1984, Miller proposed elliptic curve cryptography (ECC) for the first time [39]. Before long, Koblitz [40] proposed an ECC instance based on the difficulty of the elliptic curve discrete logarithm problem (ECDLP). Since then, researchers have proposed many secure authentication schemes constructed with ECC, since ECC is efficient in decreasing computation cost [41]. ECC can be defined as follows.

Let be a large prime number; is a finite field over . Elliptic curve meets the equation with and . Let point be the point at infinity. and the other points in form an additive group . Given two different points and on , is defined as point addition. is defined as scalar multiplication. is defined as the order if is the smallest number that meets .

3.2. Complexity Assumptions

Elliptic curve discrete logarithm problem (ECDLP): given two random points and , it is hard to compute from without knowing . The probability for an adversary to solve the ECDLP is . That is, the probability of computing from is negligible [42].

4. System Model and Security Model

4.1. System Model

There are three main entities in WBANs, i.e., the key generation center (KGC), clients (each with his/her PDA), and application providers (AP). The KGC generates the system parameters and allocates a public key and secret key for each AP. Each client generates his/her secret value and then registers with the KGC to obtain his/her public key, partial private key, and a PDA loaded with the system parameters and partial key. At last, the clients can sign and send their messages to APs. In the process, the AP and the client should authenticate each other and obtain an identical session key. The common network structure of wireless body area networks (WBANs) is illustrated in Figure 2.

Generally speaking, the messages in WBANs include sensitive health data. To ensure data integrity and identity authentication, these data should be signed and encrypted by the PDA. The data with a signature fall into two types: valid signatures that pass the AP’s authentication and invalid signatures that do not. When the AP receives messages from different clients, it can authenticate the messages one by one or adopt a more efficient way to authenticate multiple messages, such as batch authentication. In our proposed scheme, batch authentication is used to improve authentication efficiency.

4.2. Security Model

In this section, we analyze the adversary model of certificateless authentication schemes for WBANs. As in Al Riyami’s work [18], two types of adversaries exist in certificateless PKC. One is the type-I adversary (called ), who simulates an “outsider” attacker; the other is the type-II adversary (called ), who simulates an “insider” attacker and may be an “honest but curious” KGC. cannot get the system secret key or users’ partial keys; however, it can compromise users’ secret values. can get the system secret key and users’ partial keys but cannot get users’ secret values [43].

According to the ability of the adversary (including and ) and the system model of WBANs, we define the security model as a game between a challenger and under the random oracle model for the proposed scheme. Three steps are included in the game.

Initialization: generates system parameters and system secret key. Then gives the public parameters to .

Oracle query: can make queries to the Oracle, -, --, --, --, and Oracle at will, with unlimited query times and in any order. Then answers according to the definition of the game.

Output: forges a signature after has finished the above Oracle queries. At last, the advantage of successfully forging a valid signature is analyzed.

According to the definition of the game, can breach the authentication scheme only if could make a valid signature and pass authentication. Let be the probability that can breach during the game.

Definition 1. An authentication scheme for WBANs can be determined to be secure only if the probability is negligible for any probabilistic-polynomial-time (PPT) adversary .

As in the definition of security requirements in most works on WBANs, we also agree that a secure certificateless authentication scheme for WBANs should provide anonymity, mutual authentication, traceability, and session key establishment; it should also be secure against modification attack, impersonation attack, replay attack, batch authentication attack, and other security attacks [44].

5. Review and Analysis of Ji et al.’s Scheme

In this section, we review and analyze Ji et al.’s scheme [8]. For clarity, Table 1 lists the notations and their descriptions adopted in Ji et al.’s scheme.


Symbol Description

A cyclic group on an ECC with order

The generator point of group

The secret key of TA

The public key of TA

The real identity of a client

The identity of an AP

The pseudo identity of client

Validity period of pseudo identity

signature time

One-way hash function

5.1. Review of Ji et al.’s Scheme

There are four phases in Ji et al.’s scheme [8], and the four phases can be briefly depicted as follows.

System Initialization Phase. TA executes this phase based on security parameter .

(1) Choose two prime numbers and , define a finite field , and then generate group with order on .

(2) Let be a generator of , choose , and compute as its public key. Then choose four one-way hash functions, .

(3) Select for each registered AP and compute as AP’s private key and as AP’s public key.

Pseudo Identity Generation and Message Signing Phase. In this phase, each valid client should register with TA; then he/she can sign messages with his/her private key and send them to AP. The detailed steps are as follows:

(1) The client chooses , computes and , and then sends to TA via a secure way.

(2) TA computes and , where is the validity period of pseudo identity. Then TA chooses and computes and , where and . Finally, TA loads into the client’s PDA. Now, the client’s private key is , and public key is .

(3) Before signing a message, the client should input his/her and into his/her PDA. The PDA checks whether holds. If it does, the client can sign using the PDA as in the next step.

(4) Assume the medical message is ; PDA chooses and a timestamp and computes , , , and , where will be the session key between AP and the client. At last, PDA sends to AP.

Authentication Phase. AP can authenticate messages by the following two ways.

(i) Individual Authentication. When receiving a message , AP checks whether and are valid. If they are, AP computes and and checks whether holds or not. If it holds, AP accepts the message, computes the session key , and then sends to the client. At last, the client uses as the session key if the received is identical to his/her .

(ii) Batch Authentication. When receiving messages from different clients, AP checks and for each message. Then AP computes and for each message and checks whether the messages meet the following equation:

If it does, AP accepts these messages.

Password Change Phase. For the security of the PDA, the client can renew the password locally by the following steps.

(1) The client inputs and old password ; the PDA checks . If it does, the PDA requires the client to input new password , then computes , and replaces with .

5.2. Analysis of Ji et al.’s Scheme

In this subsection, the security deficiencies of Ji et al.’s scheme are analyzed.

(i) Not Secure against Forgery Attack. Ji et al. claim that their scheme resists any forgery attack. However, any PPT could easily win Game I against their scheme; that is, it is not secure against forgery attack. Assume that the client’s identity is and the adversary is . launches the forgery attack in the following steps:

(1) has intercepted or received a valid message , which meets the verification function . Then selects , a message , and a timestamp .

(2) computes , , , and , where is a valid pseudo identity. At last, sends the forged message to AP using ’s identity.

(3) AP receives message , and checks whether the equation holds or not. Let us expand the equation as follows:

As shown above, can easily forge a valid message using ’s identity. Therefore, Ji et al.’s scheme cannot resist ’s forgery attack.

(ii) Not Secure against Batch Authentication Attack. The adversary can also launch a security attack in the batch authentication step of Ji et al.’s scheme. proceeds as follows.

(1) can forge two signatures and on two messages and that cannot individually pass verification. However, and do satisfy the batch authentication function of Ji et al.’s scheme as .

Therefore, Ji et al.’s scheme cannot resist ’s batch authentication attack.

6. The Improved Certificateless Authentication Scheme

In this section, an improved and secure certificateless authentication scheme for WBANs with conditional privacy-preserving (called CasCP) is proposed. The proposed CasCP consists of five phases: system initialization phase, pseudo identity generation phase, message signing phase, authentication phase, and password change phase.

For clarity, the four new notations and descriptions adopted in CasCP are listed in Table 2.


Symbol Description

KGC Key Generation Center

One-way hash function

One-way hash function with key

Security-level parameter

Next, the five phases are described as the following subsections.

6.1. System Initialization Phase

The KGC runs this phase with security level parameter as follows.

(1) KGC chooses two prime numbers and and defines a finite field and then generates group with order on .

(2) Let be one of the generators of . KGC chooses and computes as its public key. Then KGC chooses four one-way hash functions, .

(3) KGC selects for each registered AP and computes as AP’s private key and as AP’s public key.

6.2. Pseudo Identity Generation Phase

Each WBAN client should register with the KGC when he/she wants to obtain healthcare services. The client and the KGC complete the pseudo identity generation phase in the following steps.

(1) Assume the client’s real identity is and his/her login password for the PDA is . He/she chooses , computes , and then sends to the KGC via a secure way.

(2) Upon receiving , the KGC chooses and an expiration time and then computes , , , , and . Finally, the KGC loads into the client’s PDA.

(3) When the client receives the PDA from the KGC, he/she inputs and into the PDA. Next, the PDA checks whether holds or not. If it holds, the client’s private key is and public key is . Otherwise, he/she registers again.

6.3. Message Signing Phase

In this phase, the client signs messages by using PDA when he/she needs to communicate with others (such as AP) as the following steps.

(1) The client first inputs and into the PDA. Then the PDA checks whether holds or not, where is stored in the PDA. If it holds, the client can sign messages with the PDA.

(2) Assume the medical message is . The PDA chooses and a timestamp and then computes , , , and , where is the session key between the AP and the client. At last, the PDA sends to the AP.

6.4. Authentication Phase

To ensure the security of data, the client and AP can authenticate each other in the proposed scheme. In order to further improve the authentication efficiency, batch authentication is provided. Next, individual authentication and batch authentication are presented.

(i) Individual Authentication. (1) When the AP receives a message from the client, it checks whether and are valid. If they are, the AP computes and and checks whether the verification equation holds or not. If it holds, the AP accepts the message, computes the session key , and then sends to the client.

(2) After receiving from the AP, the client uses the obtained in the message signing phase to compute and then checks whether the received is identical to his/her . If it is, the client and the AP have authenticated each other successfully and obtained an identical session key for subsequent communications.

The message signing and individual authentication phases are illustrated in Figure 3.

(ii) Batch Authentication. When receiving messages from different clients, AP can execute batch authentication for the messages.

(1) AP checks and for each message and then computes and for each message.

(2) AP selects a small random integer vector , which has little computation cost in scalar multiplication [41].

(3) At last, AP checks whether the messages meet the following equation:

If it does, AP accepts these messages.

6.5. Password Change Phase

This phase is same as Ji et al.’s scheme, and the description will not be repeated here.

7. Security Proof and Analysis

In this section, a formal security proof of CasCP is presented. It shows that CasCP is unforgeable against adversaries (including and ) and meets the security requirements of WBANs.

7.1. Security Proof

Next, the security of CasCP is assessed under the random oracle model.

Theorem 2. Assume is a PPT adversary who can win Game I with nonnegligible probability. Then there exists a challenger who can solve the ECDLP with advantage , where are the numbers of , -, and -- oracle queries, respectively.

Proof. Let be a PPT adversary that attempts to forge target client ’s valid message, and suppose can win Game I with probability . Given an ECDLP instance , runs as a subroutine to solve the ECDLP instance.

Step 1. executes the system initialization, publishes the parameters to , and is given an ECDLP instance , from which it tries to compute from .

Step 2. executes oracle queries within limited query times, and answers according to the following rules.
(i) Hash-Queries. answers when he/she executes Oracle queries as follows.
(a) -. As executes this query with (, ), looks for (, ) in list . If has the entry, returns to . Otherwise, chooses at random and sets . Finally returns to .
(b) -. As executes this query with (), looks for () in list . If has the entry, returns to . Otherwise, chooses at random and computes and sets . Then returns to .
(c) -. As executes this query with (, ), looks for (, ) in sign list . If has the entry, returns to . Otherwise, chooses at random, computes , and sets (, , , , , , ), where , , , and can be obtained from other queries and create-user query. Then returns to .
(ii) -(). As executes this query with (), looks for () in user list . If has an entry with , returns to . Otherwise, randomly selects and computes , , and . Next, adds to the corresponding list .
(iii) --(). As executes this query with (), chooses at random and computes . Finally, adds () to and sends () to . As for , returns .
(iv) --(). As executes this query with (), looks for user list . If has the entry, returns to .
(v) --(). As executes this query with (), looks for user list . If , sends to . Else if has the entry with , sends to , else runs -() query and sends to .
(vi) (, ). As executes this query with (, ), looks for tuple () in . If , randomly selects , computes , , and , and then adds in . If , selects at randomly and computes , and then adds to . At last, returns () to .

Step 3. Finally, obtains a forged message under the restriction that never makes the -- query with or the query with . If , stops the game. Otherwise, looks for the corresponding entry in . If there is no corresponding , stops the game. Otherwise, satisfies the following equation:

can replay the game based on the forgery lemma [45]; he/she could obtain another forged message by selecting another :

According to (5) and (6), can obtain ; i.e., can solve the ECDLP problem. Next, the probability that obtains the correct solution for () is analyzed. If has succeeded, two events must happen:
(i) : never stops the game.
(ii) : is valid.
Therefore, the advantage of is = . The probability that occurs can be obtained from the -, --, and oracle queries during the game. Therefore, it can obtain . Therefore, we can get .

Theorem 3. Assume is a PPT super type-II adversary who can succeed in Game II with nonnegligible probability. Then there exists a challenger who can solve the ECDLP with advantage , where denote the numbers of , -, --, and -- oracle queries, respectively.

Proof. Assume is a type-II adversary that attempts to forge target client ’s valid message, and that can win Game II with probability . Given an ECDLP instance , let be a challenger. Next, runs as a subroutine to solve the ECDLP problem.

Step 1. executes the system initialization and publishes the parameters and to . Assume is given an ECDLP instance ; tries to compute from .

Step 2. executes oracle queries within limited query times, and answers according to the following rules.

(i) Hash-Queries. answers when he/she executes Oracle queries as follows.

(a) -. As executes the query with (, ), looks for (, ) in list . If has the entry, returns to . Otherwise, chooses at random and computes and sets . Finally returns to .

(b) - and -. As executes the two queries, could answer as he/she answers in Game I.

(ii) -(). As executes the query with (), looks for user list . If has the entry, returns . Otherwise, if , chooses and at random and current time , calculates , , , and , and sets . Then, will add () to list , respectively. If , chooses at random and current time and calculates , , , , and . Then, will add () to corresponding list , respectively.

(iii) --(). As executes the query with (), will answer as the following two cases: if , will answer with the definition of Partial Key Generation and Private key Generation algorithm. If , chooses and at random. Next calculates , , , and and sets . Finally, sends () to .

(iv) --(). As executes the query with (), looks for it in user list . If has the entry with , sends to . Otherwise, if , chooses at random and adds it to as ’s secret value. Next sends to . If , returns .

(v) --(). As executes the query with (), looks for it in . If has the entry with , sends to . Otherwise, will execute -() query and then sends to .

(vi) (, ). As executes the query with (, ), looks for it in . If , chooses at random and current time and then calculates , , and . Next adds in and sends to . If , chooses at random and calculates , , and and then adds to . At last, returns () to .

Step 3. At last, obtains a forged message under the restriction that never makes the -- query with or the query with (). If , stops the game. Otherwise, looks for the corresponding entry in . If there is no corresponding , stops the game. Otherwise, satisfies the following authentication equation:

can replay the game based on the forgery lemma [45]; he/she could obtain another forged message by selecting another :

According to (7) and (8), can obtain ; i.e., can solve the ECDLP problem. Next, the probability that gains the correct solution for the instance () is analyzed. If has been successful, two events must happen:
(i) : never aborts the game.
(ii) : is valid.
Therefore, ’s advantage is = . The probability of ’s occurrence can be obtained from the -, --, and oracle queries during the game. Therefore, it can obtain . Therefore, we can get .

Now, we can conclude that CasCP resists both types of adversaries under the ECDLP assumption.

7.2. Other Security Analyses

Next, we analyze whether CasCP meets the security requirements of WBANs.

(i) Anonymity. In CasCP, a client’s real identity is embedded in his/her pseudo identity , which is generated by the KGC. No adversary can retrieve the real identity from because , , and make up a classic CDH problem instance. Therefore, CasCP provides anonymity for clients.

(ii) Mutual Authentication. After receiving a message from a client, the AP checks the validity and integrity of the message according to the individual authentication equation. If it holds, the message is regarded as valid. Since the AP signs and returns the reply message to the client in the same way, the AP can also be securely authenticated. Therefore, CasCP satisfies mutual authentication for WBANs.

(iii) Traceability. The clients’ real identities are embedded in by . The KGC is the only authorized entity that can retrieve the real identity from , because only the KGC knows the system secret key . Therefore, CasCP provides identity traceability for the KGC.

(iv) Modification Attack. Suppose an adversary produces a forged message by modifying a valid message. The verifier can easily detect the forged message because it cannot meet the authentication equation . Therefore, CasCP is secure against modification attack.

(v) Session Key Establishment. In CasCP, the client and the AP share a session key . From the definition of , , , and form a CDH problem instance. An adversary cannot compute a valid session key because of the hardness of the ECDLP assumption. Therefore, CasCP achieves secure session key establishment.

(vi) Impersonation Attack. To impersonate a client, an adversary must generate a valid message satisfying the authentication equation . However, the adversary cannot generate such a valid message according to Theorems 2 and 3. Therefore, CasCP is secure against impersonation attack.

(vii) Replay Attack. Suppose an adversary replays an old message with a new timestamp in . The AP can detect that this message is invalid through the verification equation , by the hardness of the ECDLP assumption. That is, CasCP is secure against replay attack.

(viii) Batch Authentication Attack. When one or more invalid messages are included in the batch authentication process, CasCP uses a small random integer vector to break the inherent relationship among the signatures of the messages. Therefore, an adversary cannot use invalid or forged messages to launch a batch authentication attack.

(ix) Lost PDA Attack. To use the PDA, the correct and must be entered into it. The adversary cannot log in to the PDA without knowing and , even if the adversary has obtained the PDA and extracted the data stored in it; that data is of no use to the adversary.
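To make the point of item (viii) concrete, the following Python is an added illustration (not the paper's own code; CasCP's batch-verification equation is not reproduced here) of why the random small integer vector matters: a Schnorr-style signature in a toy prime-order subgroup of Z_p^* stands in for the ECC-based signature, and the group parameters, the hash, and the cancelling_pair construction are assumptions made only for this demonstration.

```python
import hashlib
import secrets

# Constructed toy group (for illustration only): p = 2q + 1, q prime,
# g = 4 has prime order q.  Schnorr-style signatures stand in for the
# page's ECC scheme; the equations are NOT CasCP's own.
P, Q, G = 2039, 1019, 4

def H(*parts):
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x, msg):
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    return R, (r + H(R, msg) * x) % Q

def deficit(y, msg, sig):
    # D = R * y^e * g^(-s) mod p; equals 1 exactly when the signature is valid.
    R, s = sig
    return R * pow(y, H(R, msg), P) * pow(G, -s, P) % P

def verify(y, msg, sig):
    return deficit(y, msg, sig) == 1

def batch_verify(pubs, msgs, sigs, vector=None):
    # vector=None: fresh random small integers c_i (the page's random vector).
    # vector of all 1s: the naive batch check, product of deficits == 1.
    if vector is None:
        vector = [secrets.randbelow(2**20) + 1 for _ in sigs]
    acc = 1
    for y, m, sig, c in zip(pubs, msgs, sigs, vector):
        acc = acc * pow(deficit(y, m, sig), c, P) % P
    return acc == 1

def cancelling_pair(y_victim, msg_forged, x_insider, msg_own):
    # Two individually invalid signatures whose deficits multiply to 1:
    # an arbitrary (invalid) signature under the victim's key, and an
    # insider signature whose nonce absorbs the inverse of that deficit.
    R0 = pow(G, 7, P)
    s0 = 13 if deficit(y_victim, msg_forged, (R0, 13)) != 1 else 14
    d = deficit(y_victim, msg_forged, (R0, s0))
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P) * pow(d, -1, P) % P
    return (R0, s0), (R, (r + H(R, msg_own) * x_insider) % Q)
```

The naive check (all-ones vector) accepts the cancelling pair although both signatures fail individually, while any vector with distinct entries rejects it, which is exactly the property the random vector buys the AP.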

8. Performance Analysis

In this section, the performance analysis of computation and communication cost is presented for four authentication schemes for WBANs: the proposed scheme (CasCP), Ji et al.’s scheme [8] (2018), He et al.’s scheme [7] (2017), and Wu et al.’s scheme [46] (2016).

It is important for the performance analysis to be fair and objective. Therefore, we adopt the simulation results for cryptographic operation execution time reported in [8]. Their simulation environment is set as follows: the operating system is Windows 8, the hardware is a 2.50 GHz Intel Core i5-2450 CPU with 8.00 GB of memory, and PBC (pairing based cryptography) is used to run the related cryptographic operations. Table 3 lists the execution times of the main time-consuming cryptographic operations; the other cryptographic operations, such as point addition and the one-way hash function, cost much less than scalar multiplication and are not included in the comparison.


Table 3: Execution time of the main cryptographic operations (simulation results from [8]).

Operation                    Abbreviation    Execution time
Scalar multiplication                        2.576
Exponentiation operation                     3.857
Bilinear pairing operation                   4.163

8.1. Computation Cost Analysis

Next, the proposed CasCP is compared with the three other authentication schemes for WBANs in terms of computation cost in the client’s message signing phase, the AP’s individual authentication phase, and the AP’s batch authentication phase.

In Wu et al.’s scheme, the computation cost of the client in the message signing phase comprises three scalar multiplications and two exponentiation operations; the computation cost of the AP in the individual authentication phase comprises three scalar multiplications, two exponentiation operations, and one bilinear pairing operation; the computation cost of the AP in the batch authentication phase for messages comprises scalar multiplications, exponentiation operations, and bilinear pairing operations.

In He et al.’s scheme, the computation cost of the client in the message signing phase comprises four scalar multiplication operations; the computation cost of the AP in the individual authentication phase comprises four scalar multiplications and one bilinear pairing operation; the computation cost of the AP in the batch authentication phase for messages comprises scalar multiplications and bilinear pairing operations.

In Ji et al.’s scheme, the computation cost of the client in the message signing phase comprises three scalar multiplication operations; the computation cost of the AP in the individual authentication phase comprises four scalar multiplications; the computation cost of the AP in the batch authentication phase for messages comprises scalar multiplication operations.

The proposed CasCP scheme adds a random small integer vector in batch authentication to increase its security. The added computational overhead is small, so it is not considered in the computation cost comparison. That is, CasCP’s computation cost in each phase can be considered the same as that of Ji et al.’s scheme; it is not repeated here, so please refer to the analysis of Ji et al.’s scheme above.

Based on the results in Table 3, the total execution time of the three phases in the four schemes is computed and shown in Table 4.


Table 4: Total execution time of the phases in the four schemes.

Scheme          Message signing phase (client)    Individual authentication phase (AP)
Wu’s scheme
He’s scheme
Ji’s scheme
CasCP

The computation cost of the client in the message signing phase of CasCP and Ji et al.’s scheme is 7.728, which is 49% and 25% lower than the corresponding computation time of Wu et al.’s scheme and He et al.’s scheme, respectively. The computation cost of the AP in the individual authentication phase is 7.728, which is 60% and 46% lower than that of Wu et al.’s scheme and He et al.’s scheme, respectively. A more intuitive comparison of the computation cost of the two phases in the four schemes is shown in Figure 4.

The computation cost comparisons of the AP in the batch authentication phase (assuming messages) are illustrated in Figure 5. As shown in Figure 5, the proposed CasCP and Ji et al.’s scheme have an advantage in computation cost over Wu et al.’s scheme and He et al.’s scheme.

According to the above computation cost analysis of the batch authentication phase, the proposed CasCP and Ji et al.’s scheme have a clear advantage over the other two schemes. Figure 6 depicts the computation cost of the batch authentication phase for different numbers of messages in the four schemes. CasCP and Ji et al.’s scheme are more efficient than Wu et al.’s scheme and He et al.’s scheme regardless of the number of messages.

In summary, compared with Wu et al.’s scheme and He et al.’s scheme, CasCP and Ji et al.’s scheme have lower computation cost in the message signing phase, the individual authentication phase, and the batch authentication phase.

8.2. Communication Cost Comparison

In this subsection, we analyze the communication cost of the proposed CasCP and the three other authentication schemes for WBANs.

According to the definitions of the above cryptographic operations, we assume that the size of is 20 bytes, that of an element in is 40 bytes, and the size of the other communication elements in is 20 bytes. For simplicity, the message is not included in the comparison.

In Wu et al.’s scheme, the message sent by a client to AP consists of ; the message sent by a client to AP consists of