Security and Communication Networks

Security and Communication Networks / 2019 / Article

Research Article | Open Access

Volume 2019 |Article ID 8145087 | https://doi.org/10.1155/2019/8145087

Mengxia Shuai, Bin Liu, Nenghai Yu, Ling Xiong, "Lightweight and Secure Three-Factor Authentication Scheme for Remote Patient Monitoring Using On-Body Wireless Networks", Security and Communication Networks, vol. 2019, Article ID 8145087, 14 pages, 2019. https://doi.org/10.1155/2019/8145087

Lightweight and Secure Three-Factor Authentication Scheme for Remote Patient Monitoring Using On-Body Wireless Networks

Guest Editor: Milena Radenkovic
Received01 Feb 2019
Revised28 Apr 2019
Accepted15 May 2019
Published02 Jun 2019

Abstract

On-body wireless networks (oBWNs) play a crucial role in improving the ubiquitous healthcare services. Using oBWNs, the vital physiological information of the patient can be gathered from the wearable sensor nodes and accessed by the authorized user like the health professional or the doctor. Since the open nature of wireless communication and the sensitivity of physiological information, secure communication has always been the vital issue in oBWNs-based systems. In recent years, several authentication schemes have been proposed for remote patient monitoring. However, most of these schemes are so susceptible to security threats and not suitable for practical use. Specifically, all these schemes using lightweight cryptographic primitives fail to provide forward secrecy and suffer from the desynchronization attack. To overcome the historical security problems, in this paper, we present a lightweight and secure three-factor authentication scheme for remote patient monitoring using oBWNs. The proposed scheme adopts one-time hash chain technique to ensure forward secrecy, and the pseudonym identity method is employed to provide user anonymity and resist against desynchronization attack. The formal and informal security analyses demonstrate that the proposed scheme not only overcomes the security weaknesses in previous schemes but also provides more excellent security and functional features. The comparisons with six state-of-the-art schemes indicate that the proposed scheme is practical with acceptable computational and communication efficiency.

1. Introduction

With the improvement of living standards and the rapid development of public health, the life expectancy of humans has increased rapidly over the past decades. For example, the average life expectancy of Australian is 70.8 years old in 1960, but it has risen to 81.7 years old in 2010 [1]. With increasing age, lots of elderly people may suffer from various types of chronic diseases and unable to take care of themselves, and these will lead to a heavy burden to the next generations and the healthcare system. To handle this challenge, remote monitoring has emerged as an effective solution for the healthcare system [2, 3]. On-body wireless networks (oBWNs), as an important part of remote monitoring system, have received a great deal of attention from researchers in the academic and industrial field because of its potential to improve the quality of healthcare services.

A typical architecture for remote patient monitoring using oBWNs is demonstrated in Figure 1, which is adapted from the schemes [46]. In this scenario, there are four kinds of participants: registration authority (), the user, gateway node (), and wearable sensor nodes. The is a trusted third party, who is in charge of generating system parameters and the registration of all the users, , and wearable sensor nodes. The user, such as health professional or the doctor, can access the life-critical data of target patient and provide real-time support and interventions. , which has high computation and communication capabilities, is the critical intermediary between the user and the wearable sensor nodes. The wearable sensor nodes, such as blood pressure sensor, cardiosensor, and pulse sensor, deploy around/on the patient’s body and collect vital physiological information of target patient. Using oBWNs, it is possible to provide the continue and real-time monitoring of the patient, regardless of the patient’s location.

Although oBWNs greatly improve the health outcomes and quality of life, the open wireless network environment makes the application of oBWNs face many security risks and threats. A malicious adversary can intercept, modify, insert, and delete the transmitted messages over insecure public communication channel easily [7]. In addition, it is extremely dangerous if the unauthorized users send instructions to stop the function of the wearable devices, especially the wearable devices that are critical to the life of the patient, like heart bumps. What is more, the sensitivity of the physiological data collected by wearable sensor nodes let privacy become a significant concern in oBWNs. Therefore, there is a great need to satisfy the requirements of confidentiality, integrity, and availability. Authentication is one of the efficient mechanisms to deal with trustworthy and authentic users. In the past several years, a large number of authentication schemes have been proposed to provide secure and effective healthcare monitoring of the patients using oBWNs. Since the wearable sensor nodes have weak energy and computation ability, authentication schemes based on public key encryption, such as elliptic curve cryptography (ECC) [8] and Rabin cryptosystem [9], have heavy computation burdens, and they are not suitable for realistic scenarios. Therefore, the method of using the lightweight operations, liking symmetric encryption/decryption and hash functions, is an effective way to deal with the weaknesses of public key encryption. However, after careful analysis, we find that most of these existed schemes using lightweight cryptographic primitives are so susceptible to security threats and not suitable for practical use. Specifically, all these schemes fail to provide forward secrecy and suffer from the desynchronization attack.

1.1. Related Work

Authentication is an essential security measure for the authorized user to access the patient’s sensitive information collected by wearable sensor nodes. Until now, lots of lightweight and effective authentication schemes had been proposed for healthcare applications. In 2012, an efficient and lightweight authentication scheme, named E-SAP, was proposed by Kumar et al. [10] for healthcare applications using wireless medical sensor networks (WMSNs). They claimed that the scheme was secure and resisted multiple types of attacks. Unfortunately, He et al. in 2013 [11] indicated that the scheme in [10] failed to provide user anonymity. Moreover, their scheme was vulnerable to the privileged-insider attack and the off-line password guessing attack. To conquer the mentioned weaknesses, they presented a robust and efficient authentication scheme for healthcare applications using WMSNs. However, a series of articles [1214] pointed out that the scheme in He et al. [11] still had some drawbacks and flaws, such as user impersonation attack, sensor node capture attack, off-line password guessing attack, forward secrecy attack, and lack of wrong password detection mechanism. Later, Srinivas et al. in 2017 [15] pointed out that the scheme in [12] suffered from stolen smart card attack, insider attack and user impersonation attack. To handle these drawbacks, an authentication scheme using only computationally efficient operations was proposed for WMSNs. Later, Das et al. in 2017 [16] indicated that user anonymity was not provided in the scheme [14]. In addition, the scheme in [14] could not withstand sensor node capture attack and privileged-insider attack. To overcome the security weaknesses, they presented an efficient and secure authentication scheme for WMSNs and claimed that the enhanced scheme was secure against possible known attacks and offered additional functionality features. In 2017, Wu et al. [4] deemed that the scheme in [15] had weaknesses such as off-line password guessing attacks, and they were impractical if running. To overcome the historical security problems, a novel and lightweight two-factor authentication scheme for WMSNs was proposed, which provided user untraceability and met the desired security requirements. To ensure secure and authorized communication, Amin et al. in 2018 [5] presented an architecture for patient monitoring, and an anonymity and robust mutual authentication scheme was proposed. They claimed that their scheme was more robust and cost-effective than the existing schemes. But unluckily, Ali et al. in 2018 [6] showed that the scheme in [5] was vulnerable to user impersonation attack, off-line password guessing attack, and known session key temporary information attack. In addition, they proposed an enhanced three-factor authentication scheme for healthcare monitoring. In 2019, Chandrakar [17] presented a lightweight and robust two-factor authentication protocol for healthcare monitoring. Their scheme was efficient because only the hash function and bit XOR operations were used. Similar to some previous schemes, their scheme could not provide user anonymity and forward secrecy.

Many authentication schemes based on asymmetric cryptographic techniques were also proposed for patient monitoring in the past few years. In 2015, He et al. [18] discussed the overall system architecture and associated security requirements of a typical ambient assisted living system, and an efficient authentication protocol based on ECC was proposed subsequently. In order to provide secure communication for WMSNs, Hayajneh et al. [19] in 2016 presented a lightweight authentication scheme based on public key technology, and the Rabin cryptosystem was implemented with different hardware settings using a Tmote sky mote to prove its efficiency. In 2017, Liu and Chung [20] proposed a user authentication scheme and data transmission mechanism for medical monitoring based on wireless sensor networks, in which the cryptosystem based on bilinear pairing was used. Unfortunately, Challa et al. [8] in 2017 showed that the scheme in [20] was suspected to some desirable attributes, such as inappropriate mutual authentication and lacking of user anonymity. Besides, their scheme was vulnerable to many known attacks like stolen smart card attack, off-line password guessing attack, privileged-insider attack, and user impersonation attack. To counter these limitations and improve efficiency, they presented a three-factor authentication and key agreement scheme with provably secure for healthcare, in which the lightweight ECC point multiplications was used. In the same year, Jiang et al. [9] put forward an efficient and end-to-end authentication scheme based on quadratic residues for wearable health monitoring. In 2018, Jangirala et al. [21] proposed a new cloud based user authentication scheme for wearable healthcare monitoring system, in which the Rabin cryptosystem was used. Although these public key schemes improved the security of authentication in the IoT environment, these schemes should be avoided because the asymmetric-based solutions were highly computational and had memory overheads.

From the above analysis, we can see that though researchers proposed many lightweight authentication schemes for patient monitoring in the past, however, none of them provides both lightweight functionality and high security. The authentication schemes only using lightweight cryptographic primitives, such as the schemes in [46, 14, 15, 17], failed to provide forward secrecy and suffered from the desynchronization attack. This motivates us to design a lightweight authentication scheme for patient monitoring, which provides more security and functionality attributes.

1.2. Motivation and Contributions

In order to provide user anonymity and untraceability, the method of using pseudonym identity has been adopted in the schemes [46]. In this way, a randomly generated pseudonym identity, which is updated after each successful session, is stored in both the user and the side, respectively. Owing to the difference of the pseudonym identity at each session, the specific user cannot be tracked. Unfortunately, Wang and Wang in 2015 [22] indicated that the use of pseudonym identity may lead to the problem of desynchronization attack, which may make the authentication scheme unusable unless the user or the wearable sensor node reregisters. On the other hand, the hash chain technology can be used to ensure forward secrecy for lightweight cryptographic schemes [23]. However, this technique can also lead to the desynchronization attack because both parties need to update their shared one-time hash chain value after the completion of each session.

Motivated by these insights and our previous research work [24], we presented a lightweight and secure three-factor authentication scheme for remote patient monitoring using oBWNs. Our contributions lie in the following aspects:(1)We briefly review the authentication schemes for healthcare monitoring, and the security drawbacks of the schemes are pointed out. Specifically, we find that all the schemes using lightweight cryptographic primitives fail to provide forward secrecy and suffer from the desynchronization attack.(2)We present a lightweight and secure three-factor authentication scheme for remote patient monitoring using oBWNs. The proposed scheme adopts the pseudonym identity method to achieve user anonymity, and one-time hash chain technique is employed to ensure forward secrecy. In order to resist against desynchronization attack on the communication between the user and the , two pseudonym identities and are stored in the back-end of , respectively. Specifically, the value of the new pseudonym identity is stored in , and has two functions: the first one is to store the identity of the old pseudonym, and the second one is using as a tag to update the hash chain. If is NULL, it means that the value of the hash chain has been updated in the previous session. Otherwise, the value of hash chain has not been changed. In order to resist against desynchronization attack on the communication between the and the wearable sensor node, serial number technique is used in our scheme. Finally, a symmetric session key is established between the user and the wearable sensor node, which is used for future secure communications.(3)We give the formal security analysis under the widely accepted Burrows-Abadi-Needham (BAN) logic [25], and it proves that the proposed scheme achieves mutual authentication and the session key is mutually established between the user and the wearable sensor node with the assistance of . In addition, the informal security analysis shows that the proposed scheme can not only achieve some excellent function features, but also resist various malicious attacks, such as desynchronization attack, mobile device loss attack, replay attack, and wrong password login attack. Furthermore, we evaluate the performance of the proposed scheme with six state-of-the-art schemes, and the results demonstrate that the proposed scheme is practical with acceptable computational and communication efficiency.

1.3. Organization of the Paper

The reminder of this paper is organized as follows. Section 2 briefly introduces the preliminary knowledge of authentication schemes for remote patient monitoring. Our proposed authentication scheme for remote patient monitoring is described in Section 3, followed by its security analysis in Section 4. The performance of the proposed scheme is evaluated with the state-of-the-art schemes in Section 5. Finally, Section 6 concludes this paper.

2. Preliminaries

This section introduces some basic knowledge, containing notations and abbreviations used in this paper, security requirements of user authentication scheme for remote patient monitoring using oBWNs, threat model, and basic information about biometrics fuzzy extractor.

2.1. Notations and Abbreviations

For convenience, all the notations and abbreviations mentioned in the proposed scheme are defined in Table 1.


Notation Descriptions

Registration authority
User
Mobile device of
Gateway node
Wearable sensor node
Unique identity of
Password of
Biometric information of
Temporary identity of
Unique identity of
Unique identity of
Random number
Serial number in side
Serial number in side
Master secret key of
Session key
Time stamp values
The maximum of the transmission delay time
One-way hash function
Concatenate operation
XOR operation

2.2. Security Requirements

Ali et al. in 2018 [6] pointed out that the authentication scheme for remote patient monitoring should satisfy many security requirements, including strong user authentication, mutual authentication, confidentiality, session key establishment, low communication and computation cost, data freshness, and secure against different kinds of popular attacks, such as impersonation attack, replay attack, and password guessing attack. Due to the sensitivity of physiological data, we believe that an authentication scheme for remote patient monitoring should also meet the following security properties.

Forward Secrecy. The authentication scheme provides forward secrecy, which means that if an adversary acquires the long-term keys of the user, , and the wearable sensor node, he/she cannot access the session keys generated in previous sessions. Conversely, if authentication scheme fails to provide forward secrecy, it may cause the disclosure of the session keys used in previous communications and the disclosure of the patient’s sensitive information. To ensure the secure transmission of sensitive information, authentication scheme for remote patient monitoring should achieve forward secrecy.

Resistance to Desynchronization Attack. To the best of our knowledge, desynchronization attack has attracted little attention in the previous authentication schemes, and the damaging threat is ignored. However, the practicality and seriousness of desynchronization attack have been intensively discussed in the cryptography community [26]. Therefore, the proposed scheme should need an effective synchronization method to maintain the consistency of several one-time values among the user, , and the wearable sensor node.

Quick Detection of Wrong Password. In network applications, user usually needs to manage lots of identity and password pairs. Therefore, a wrong password detection mechanism is required for user authentication. With the help of this mechanism, the can reject session initiated by wrong password quickly, and this process will save a lot of computational and communication cost.

2.3. Threat Model

When considering cryptanalysis of the user authentication schemes, Dolev-Yao threat model [27] is widely used. Under this model, the communications between any two communicating parties are over an insecure channel, and the endpoint entities should not be considered as trusted entities. Based on this threat model, an adversary is supposed to have the following abilities:(i) can fully control the open communication channel, i.e., can intercept, modify, insert, and delete the transmitted messages over insecure public communication channels easily.(ii)When the of user was stolen or obtained by an attacker , then the secret values stored in the can be revealed by using side-channel attacks [28].(iii) is a probabilistic polynomial time attacker. In other words, can guess the low-entropy password and identity information within polynomial time.(iv) can get the long-term secret keys when forward secrecy is evaluated.(v)During the registration phase of authentication scheme, the privileged-insider in being an adversary knows the parameters submitted by the user.(vi) may be a legitimate but malicious user.(vii) may be a legitimate but malicious wearable sensor node.

2.4. Basic Knowledge of Fuzzy Extractor

Fuzzy extractor [29] is capable of extracting the uniformly distributed random key from biometric input in an error-tolerant way. If another biometric input remains reasonably similar to , the extracted random key remains unchanged with the help of an auxiliary string . An fuzzy extractor contains two procedures .

. is a probabilistic generation procedure allowing to extract random key and an auxiliary string from biometric input .

. is a deterministic reproduction procedure allowing to reproduce random key from any biometric input close to with the help of auxiliary string .

3. The Proposed Scheme

In this section, a lightweight and secure three-factor authentication scheme for remote patient monitoring using oBWNs is presented, which not only withstands all know passive and active attacks, but also achieves more security attributes. The proposed scheme includes five phases, i.e., initialization phase, registration phase, login phase, authentication and key agreement phase, password change phase.

3.1. Initialization Phase

The initialization phase is done by the in off-line securely. First of all, selects two random numbers and as the unique identity and master secret key of the . After that, selects a collision-resistant cryptographic hash function , where denotes the bit length of function output (e.g., ). For each wearable sensor node , selects an unique identity and stores it into the memory of .

3.2. Registration Phase

The registration phase of the proposed scheme contains two parts, i.e., user registration phase and wearable sensor node registration phase.

3.2.1. User Registration Phase

When a new user such as a health professional wants to access the data collected by the wearable sensor node in oBWNs, the user must register in firstly. As shown in Figure 2, the procedure of user registration is described as follows:(1)A new user first chooses an unique identity , a password , and imprints his/her biometrics to the sensor of mobile device . After that, the generates the secret biometric key and public parameter using the fuzzy extractor probabilistic generation function . Then, generates a 128-bit random secret value and computes . Finally, submits to via a secure channel.(2)Upon receipt the registration information, first checks whether the identity exists in the user information table. If it does, rejects the registration request. Otherwise, generates three random integers , , and and sets , , and . After that, computes and and stores into the user information table. Finally, copies the user information table to and transmits the registration reply with information to securely.(3)When receiving the information from , computes . After that, stores and in the memory of and finishes the registration. At last, the contains the parameters .

3.2.2. Wearable Sensor Node Registration Phase

When a new wearable sensor node is deployed, it should register in .(1)A new wearable sensor node sends the identity to via a secure channel.(2)After receiving the identity and first checks whether exists in the wearable sensor node information table. If it exists, refuses the wearable sensor node registration request. Otherwise, generates a random integer and sets the initial sequence numbers . Then, stores into the sensor node information table and copies it to . After that, sends the parameters to via a secure channel.(3)After receiving the message from , stores into its memory secretly.

3.3. Login Phase

When a user wants to access a wearable sensor node, he/she needs to login in first.(1) first provides his/her identity and password into the interface of the . also provides his/her biometrics to the sensor of . After that, extracts the biometric key with . Then, the computes , , , and and compares with the stored value . If they are not equal, the terminates the session. Otherwise, the proceeds to the next step.(2)After verifying the legitimacy of the user , the generates a random number and gets the current time stamp . After that, the user selects the wearable sensor node that he/she wants to access, and the computes and . Then sends the login request to through a public channel.

3.4. Authentication and Key Agreement Phase

On receiving the login request from , following steps are performed by , , and a wearable sensor node to establish a session key between and for future secure communication:(1)Upon receipt of the login request, first checks the validity of the time stamp. gets the current time and compares with the received time . If the matching score is beyond a predefined threshold value , terminates the session. Then, searches whether the pseudo identity exist in the user information table and operates as follows:(a)If , it demonstrates that the pseudonym identities of and are updated in the previous session. After that, extracts , , , and from the user information table corresponding to pseudonym identity . Then, checks whether the one-time hash chain value is updated.(i)If , it means that the hash chain value in side is updated in the previous session. Then, computes and and checks whether matches with the received . If it does not hold, terminates the session. Otherwise, generates a random pseudonym identity and sets ; .(ii)If , it means that the hash chain value in side is not updated in the previous session. Therefore, the hash chain value should be updated. Then, computes and and and checks whether matches with the received value . If it does not hold, terminates the session. Otherwise, generates a new random pseudonym identity and sets , , and .(b)If , it demonstrates that the pseudonym identity of the user and the hash chain value are not updated in the previous session. Then, extracts the corresponding secret values , , and and computes and . Thereafter, compares . If it holds, generates a random pseudonym identity and sets . Otherwise, terminates the session.(c)If and , terminates the session directly.(2)After that, the gateway node generates a random number of 128-bit and computes and . Then, updates and with and , respectively. Finally, transmits the message to the wearable sensor node via open channel.(3)After receiving the message from , first checks whether . In the latter inequality, the parameter is a threshold which sets according to specific application environment. If the inequality does not hold, terminates the session. Otherwise, sets and computes times . It is noted that if satisfies , the above hash operation will not be executed. Then, computes and and compares with the received value . If it is satisfied, updates and with and , respectively. After that, generates a random number and computes , , and . At last, the wearable sensor node sends the message to through a public channel.(4)After getting the message from , the gateway node computes , , and . Then, checks whether matches with . If it is failed, terminates the session. Otherwise, computes and . Finally, sends the message to through a public channel.(5)After receiving the message, computes , , and . After that, checks whether matches with the received value . If it does not hold, terminates the session. Otherwise, computes and updates and with and , respectively. Then, sends the message to through a public channel.(6)After receiving , computes and checks whether matches with the received value . If it does not hold, terminates the session. Otherwise, updates and with and , respectively. Then, a symmetric session key is established between the user and the wearable sensor node for future secure communications.

The procedure of login, authentication, and key agreement phases are summarized in Figure 3.

3.5. Password Change Phase

In this phase, can change his/her password without contacting the . For this purpose, he/she must perform the following steps:(1) first provides his/her identity and password into the interface of the . After that, also provides his/her biometrics to the sensor of . Then, the computes with , , , , and . compares with the stored value . If they are not equal, the rejects the password change request. Otherwise, the believes the legitimacy of the user and allows to input a new password .(2)The computes , , and .(3)At last, and are stored in the to replace and , respectively.

4. Security Analysis

In this section, the security of the proposed scheme has been analyzed. First of all, we conduct a formal security analysis using BAN logic [25] to demonstrate that the proposed scheme achieves mutual authentication successfully. After that, we indicate that the proposed scheme can resist all known attacks and provide the desired security features.

4.1. Formal Security Analysis Using BAN Logic

BAN logic is a set of rules for defining and analyzing authentication protocols, which is widely used in many works, such as the schemes in [5, 6, 30, 31]. For convenience, all the notations used in the BAN logic are given in Table 2:


Notation Implications

Principal sees a statement
Principal believes a statement
Principal has jurisdiction over statement
Principal once said a statement
Statement is fresh
Statement or is one part of statement
Statement is encrypted with the key
Statement is combined with statement
Statement is hashed with the key
Principal and principal communicate with the shared key

Basic rules of BAN logic are given in Table 3.


Rule Description

Message-meaning rule
Nonce-verification rule
Jurisdiction rule
Freshness rule

The proposed scheme should accomplish the following four goals:Goal1: Goal2: Goal3: Goal4:

First, the messages exchanged in the proposed scheme can be transformed into idealized forms as follows:Msg1: :Msg2: :Msg3: :Msg4: :, Msg5: :

Second, some initial assumptions about the proposed scheme are listed below:A1: A2: A3: A4: A5: A6: A7: A8: A9: A10:

Third, based on the BAN logic rules and assumptions, the main proofs are performed as follows.

According to the Msg1, we getS1: Based on Assumption A6, S1, and message-meaning rule, we haveS2: From A1, A2, and freshness rule, we getS3: , From S3, S2, and nonce-verification rule, we getS4: According to the Msg2, we getS5: , From A7, S5, and message-meaning rule, we haveS6: From A3 and freshness rule, we getS7: From S7, S6, and nonce-verification rule, we getS8: According to the Msg3, we getS9: From A8, S9, and message-meaning rule, we haveS10: From A2 and freshness rule, we getS11: From S11, S10, and nonce-verification rule, we getS12: According to the Msg4, we getS13: , From A5, S13, and message-meaning rule, we haveS14: From A4 and freshness rule, we getS15: , From S15, S14, and nonce-verification rule, we getS16: , According to the Msg5, we getS17: , From A6, S17, and message-meaning rule, we haveS18: From A2 and freshness rule, we getS19: , From S18, S19, and nonce-verification rule, we getS20: From S12, S16, and , we haveS21: (Goal2)From S4, S8, S20, and , we haveS22: (Goal4)From S21, A9, and jurisdiction rule, we haveS23: (Goal1)From S22, A10, and jurisdiction rule, we haveS24: (Goal3)

Therefore, the security of the proposed scheme is proved strictly. In other words, the proposed scheme can achieve mutual authentication successfully.

4.2. Further Security Analysis of the Proposed Scheme

In this section, the security and functional features of the proposed scheme are discussed.

4.2.1. Mutual Authentication

In the execution of the proposed scheme, the users and authenticate each other by checking , , and , respectively. Similarly, and the wearable sensor node authenticate each other by checking and , respectively. In addition, as demonstrated in Section 4.1, the security of the proposed scheme has been proved strictly based on the BAN logic. Therefore, the proposed scheme achieves mutual authentication successfully.

4.2.2. Session Key Agreement

After mutual authentication has been achieved successfully, a shared session key is established between the user and the wearable sensor node to protect future communications. The session key contains ’s contribution , , ’s contribution , , and ’s contribution , . Any third party can not predetermine the session key. Therefore, the proposed scheme provides session key agreement.

4.2.3. User Anonymity

In the proposed scheme, pseudonym identity technique is adopted to protect the real identity of the user. In particular, a pseudonym identity , instead of the user’s real identity , is generated randomly and sent to . In order to resist tracking attack, the pseudonym identity is updated after every session. Since one-way hash function is used, it is almost impossible to get the real identity of the user if the transmitted messages are intercepted by an adversary. To be more important, the transmitted messages in current session are also different from other sessions. Therefore, the proposed scheme can provide user anonymity and untraceability.

4.2.4. Forward Secrecy

Forward secrecy means that the encrypted communications and session keys in the past cannot be retrieved and decrypted even if the long-term secret keys are compromised. In the proposed scheme, if the long-term keys and are compromised by an attacker, the confidentiality of past communications are not affected. The reason is that the long-term keys are updated successfully by one-way hash function after each session. Specifically, the long-term keys and are updated by and , and the attacker can not get and from and . Therefore, the proposed scheme provides forward secrecy.

4.2.5. Resist Desynchronization Attack

As discussed in Sections 4.2.3 and 4.2.4, pseudonym identity and one-time hash chain techniques are employed to provide user anonymity and forward secrecy in the proposed scheme. However, the incorrect use of pseudonym identity may lead to the problem of desynchronization attack, such as the schemes in [46]. In order to ensure the consistency of the pseudonym identity and the value of hash chain, two pseudonym identities and , and serial numbers , are used, respectively. To perform a comprehensive analysis of this attack, an adversary is assumed to launch the following malicious scenarios.

Scenario 1. This scenario indicates that the message has been blocked by an adversary . However, it is ineffective because all the participants have not even started updating.

Scenario 2. This scenario demonstrates that the message has been blocked and the communication between and the wearable sensor node will be jammed. At this time, the hash chain values of two participants will not match each other. However, the proposed scheme is still usable. The reason is that the proposed scheme uses two serial numbers and to record the number of hash chain updated, where represents the serial number in side and denotes the serial number in the wearable sensor node side. When the transfers the message , the hash chain value and sequence number in side are updated. After receiving the message , the value of hash chain in side can be synchronized through performing times hash operations. Therefore, this scenario will not have any impact on the future session.

Scenario 3. If blocks the message , the desynchronization attack will not work because the hash chain values have been updated and they are equal to each other. Therefore, this scenario will be omitted.

Scenario 4. If the message is blocked, the communication between and will be jammed, and the pseudonym identity values of two participants will not match each other. However, this scenario has no effect on our scheme. In this scenario, both the hash chain values in two participants and the value of pseudonym identity in the side are not changed, and the value of pseudonym identity in the side has been a new value generated randomly. Fortunately, the stores the user’s old pseudonym identity in with , and mutual authentication can still be completed successfully even if initiates a new session using unchanged . Therefore, this scenario may cause the problem of asynchronous, but it will not have any impact on the future session.

Scenario 5. If blocks the message , the communication between and will be jammed, and the hash chain values of two participants will not match each other. However, this scenario has no effect on our scheme. In this scenario, the values of two participants’ pseudonym identities and the hash chain in the side have been updated, but the value of hash chain in the side has unchanged. When a new session has been initiated by the using changed hash chain value, the will update the hash chain value by checking whether the value of is nonnull. Therefore, this scenario may cause the problem of asynchronous between and , but the two pseudonym identities and will make the hash chain values synchronize again.

Therefore, the proposed scheme is resilient to desynchronization attack.

4.2.6. Resist User Impersonation Attack

In the proposed scheme, without knowing the password , the fingerprint information , and the secret key , the adversary is infeasible to forge a legal user and generate a valid message . Therefore, the proposed scheme is resilient to user impersonation attack.

4.2.7. Resist Mobile Device Loss Attack

If the of the user has been stolen or picked up by a malicious user, the stored secret messages can be revealed using side-channel attacks [28], where , , , , and . In addition, as discussed in Section 2.3, the attacker can intercept, modify, insert, and delete the transmitted messages over insecure public communication channels easily. Using this sensitive information, the attacker can launch the mobile device loss attack and try to guess the identity and password of the user. However, without knowing the secret random value and biometric input of the user, the secret key , and the high entropy random integer of the , the attacker can not obtain the correct identity and password of the user. Therefore, the proposed scheme can resist against mobile device loss attack.

4.2.8. Resist Replay Attack

In the proposed scheme, the time stamp, serial number method, and challenge-response mechanism are used to prevent the replay attack. In detail, the method of using time stamp is used to prevent the replay attack for the first message between and , and the rest messages between and adopt the challenge-response mechanism. At the same time, the messages between and adopt the serial number method to prevent the replay attack. Therefore, the proposed scheme can resist the replay attack.

4.2.9. Resist Privileged-Insider Attack

In the phase of user registration, sends to through a secure channel, where . The three secret values , , and , generated by , are high entropy random numbers which is unknown to . A malicious privileged-insider attacker can not guess the ’s password from since it is protected by the one-way hash function. Therefore, the proposed scheme is secure in the privileged-insider attack.

4.2.10. Resist Stolen Verifier Table Attack

In the proposed scheme, the maintains the secret values for authentication purpose, which has no any password-verifier information of the user. Besides, if an adversary steals the secret values , he/she still fails to compute , , , , , and without the knowledge of the user’s , , and and the secret values in the . The adversary fails to send the authentication request to , and a failure login is detected by . Therefore, the proposed scheme can resist stolen verifier table attack.

4.2.11. Quick Detection for Unauthorized Login

Quick detection mechanism for unauthorized login is essential for the authentication scheme. In the phase of user login, the value stored in the mobile device is used to verify the legitimacy of the user , where , , , , and . If an attacker inputs the wrong password and the wrong fingerprint information , the values and are not equal, and the rejects the ’s login request. Therefore, the proposed scheme can provide the quick detection mechanism for unauthorized login.

4.3. Security Comparisons

In this subsection, the comparison of security and functional features with six state-of-the-art schemes [46, 8, 14, 15] will be described. As shown in Table 4, the six lightweight state-of-the-art schemes fail to provide forward secrecy, and the schemes in [46, 14, 15] suffer from the desynchronization attack. In addition, the scheme in [5] is also vulnerable to user impersonation attack, off-line password guessing attack and privileged-insider attack. The scheme in [14] has weaknesses such as sensor node capture attack and privileged-insider attack, and user anonymity is not provided. Besides, the scheme in [15] fails to provide untraceability of the user, and the scheme in [4] lacks the detection mechanism for unauthorized login, and it can lead to unnecessary computational and communication costs. Compared with the state-of-the-art schemes [46, 8, 14, 15], the proposed scheme achieves more ideal functional features and resists various malicious attacks.


Schemes Security attributes