As the background of application in the field of smart health care, the flexible interaction between patients and medical system is provided by medical cyber-physical systems (MCPSs) to realize all-round three-dimensional medical service. According to the controllable and credible requirements of MCPS, it needs a secure and reliable device identity authentication mechanism to build the security barrier. Based on the blockchain technology, a lightweight authentication scheme is designed for sensor/execution devices, users, and gateway nodes in MCPS. The security analysis and experimental results show that the scheme can resist the existing attacks with better efficiency; thus, our proposed scheme can be efficiently applied to the medical field.

1. Introduction

We have witnessed the great development of the Internet, as well as the popularity of the Internet of Things (IoT) and IoT devices, including wireless sensors, smart phones, wearable devices, global positioning systems, and laser scanners. These devices are widely deployed around us to realize intelligent computing and services, such as logistics, retail, medical, intelligent city, and other application fields. However, the trusted authentication in IoTs has become a major issue that has to be considered in the rapid development of IoTs.

Closely related to IoTs, medical cyber-physical systems (MCPSs) [1] are a kind of unique cyber-physical systems (CPSs) in the field of modern medicine, which combines the system operations with independent equipment to provide patients with new monitoring functions, such as controlling the physiological closed loop and alarm process of drug infusion process. In the MCPS, there are many kinds of devices with different performance. With the development of blockchain technology, the blockchain-based authentication schemes can mitigate some attacks, which ensure the security of the system. How to ensure that the security authentication protocol can work efficiently and reliably when using the blockchain technology is the key problem to be solved. Hence, based on the blockchain technology, we propose a device authentication scheme to ensure secure access to medical data among sensor devices nodes, gateway nodes, and users in the medical cyber-physical system. Specifically, our contributions can be summarized as follows:(1)We distinguish the identity of the device nodes in the information physical space and propose a device security authentication model based on blockchain for the medical cyber-physical system.(2)We design a blockchain-based efficient device authentication protocol. Our scheme is suitable for device nodes with different computing, transmission, and storage capacities and uses blockchain technology to solve the trustworthiness problem of third-party service centers. Meanwhile, we use BAN logic and formal proof to verify the feasibility of our scheme and the security of mutual authentication process and the session key.

Based on the extensive application of radio frequency identification (RFID) in medical environment, He et al. [2] analyzed the security requirements of RFID authentication scheme and summarized the performance and security of RFID authentication scheme based on elliptic curve cryptography (ECC). They found that although most authentication schemes cannot meet all the security requirements and have satisfactory performance, some ECC-based authentication schemes are suitable for medical environment in terms of performance and security. Combined with cloud storage, cryptography, and other technologies, a large number of authentication schemes are also proposed. The wireless body area network (WBAN) plays an indispensable role in MCPS. It is a network composed of multiple wearable devices or embedded devices, using wireless technology for communication. Therefore, in WBAN environment, a security and reliable authentication scheme is essential. Xu et al. [3] proposed a safe lightweight authentication scheme for WBAN. With this scheme, forward secrecy can be guaranteed without asymmetric encryption, and the security of the scheme can be verified and analyzed by using ProVerif. Alhayajneh et al. [4] analyzed and evaluated the accuracy, cost, and feasibility of the most prominent biometric authentication technology and proposed to use a variety of biometric authentication schemes to ensure the confidentiality, integrity, and reliability of WBAN. Moosavi et al. [5] proposed an end-to-end security scheme for mobile medical IoTs. Their solutions include a secure and efficient end-user authentication and authorization architecture based on certificate DTLS handshake, end-to-end communication based on session recovery security, and strong mobility based on Internet intelligent gateway. Amin et al. [6] proposed a mutual authentication and key agreement protocol to protect the confidential information in the device in order to prevent unauthorized users from accessing the general device. Aiming at the challenges brought by the electronic health information management system using IoTs, including the communication security of wireless channel, the protocol between authentication key and entity, access control scheme, and other defects, Aghili et al. [7] proposed a new lightweight, secure, and efficient authentication protocol, which is also suitable for access control. Aiming at the problem of authentication in edge and IoT environments, Ma et al. [8] proposed a blockchain-based decentralized authentication modeling scheme. Their scheme is suitable for multiple types of authentication (such as password-based, certificate-based, biometric-based, and token-based authentication). The edge cloud system also has many devices with limited computing and storage capabilities. Thus, Zhang et al. [9] proposed a collaborative authentication scheme among users, edge cloud, and robots, which reduced the computational cost of identity verification and improved the verification efficiency. In order to provide more accurate and effective biometric identification, Zhang et al. [10] proposed a parallel ECG-based authentication called PEA for smart healthcare systems.

According to the survey of Altman Vilandrie and Company [11], due to the lack of security authentication and other security systems, the IoT system of small- and medium-sized enterprises is vulnerable to attacks, resulting in their annual income loss of up to 13%. Chandrasekhar et al. [12] reported that the protocol of Yeh’s protocol has some shortcomings, including incomplete forward secrecy, nonmutual authentication, and key agreement between users and sensor nodes. Shi and Gong [13] proposed an ECC-based user authentication protocol for wireless sensor networks, which is more efficient in computing cost, communication cost and security. However, Choi et al. [14] found that the protocol of Shi is vulnerable to session key attack, stolen smart card attack, and sensor energy depletion attack. In addition, an attacker can easily obtain the user’s identity because it is transmitted through a public channel without encryption. Therefore, Choi et al. improved the protocol by verifying the identification legitimacy of users so as to keep from sensor energy consumption attacks. Compared with the protocol of Shi, the protocol also makes use of ECC to calculate authentication messages without bringing more cost. Both [13, 14] transmit user identity and sensor identity in plaintext on the public channel, so that they cannot provide anonymity. Chen et al. [15] proposed transmission protection, storage protection, and access control of infrastructure framework in the context of privacy protection of community medical IoT but did not mention the device security authentication. Shu et al. [16] proposed the aggregate signature algorithm, but it lacks the application background. Xue et al. [17] proposed a wireless sensor network identity authentication and key protocol based on temporary credentials, which only uses hash and XOR calculation. It has relatively more security features and higher security level without generating more communication and computing costs, but the traditional third party is vulnerable to attack. In order to solve the problem that the restricted computing power and storage of the sensors are vulnerable to physical attacks, Liu et al. [18] proposed a lightweight three-factor and anonymous user authentication protocol. The solution uses hash algorithms, XOR operations, and PUF to achieve lightweight and physical security. The wireless sensor network is widely used in medical, military, industrial, security, and other fields. Recently, Kumar et al. [19] discussed a wireless sensor network authentication protocol for coal mine safety monitoring. In the IoT environment, trust has become ubiquitous. It is not enough to just authenticate individual users or devices. The reason is that the cointeraction and cooperation between users and devices are crucial in the IoT environment. In this case, information sharing, data fusion, and other elements, including the integration of people, devices, and environment, are great challenges.

Traditional device authentication methods usually perform authentication when users and devices are separated from each other. At the same time, attackers can eavesdrop on communications, forge authentication tokens [20], or perform replay attacks to simulate actual users or devices. The existing authentication schemes rarely consider the space-time characteristics of IoT computing. In general, authentication usually performs settings at once, and once users or devices are authenticated, they can operate for a long time without any authentication. This kind of time-sensitive authentication still needs to be improved so as to realize sufficient long-term trust guarantee, which is continuous authentication. Once an attacker fortunately bypasses the authentication system, various destructive attacks can be carried out. Therefore, the system can only respond to the attack passively, and the security network of IoTs is threatened.

Recently, researchers have gradually applied blockchain to the medical field. The combination of MCPS and blockchain can allow us to promote the sharing of services and resources and simplify several time-consuming workflows in an automated manner during the encryption verification [21]. In cloud-assisted telecare medical information system (TMIS), cloud servers are vulnerable to attacks. To solve this problem, Son et al. [22] used blockchain technology to design a secure identity verification protocol. In addition, they used CP-ABE to achieve data access control. Although the blockchain-based authentication scheme can enhance the security of the system, it is necessary to consider the authentication credentials and the accounting method of the authentication process when we use the decentralized blockchain as a third party to achieve authentication. Especially, the existing blockchain consensus algorithms and authentication protocols no longer adapt to the wide range of devices with vastly different performance in MCPS.

3. MCPS and Its Security Model

In the part of related works, we analyze the existing security risks and threats of device authentication. Therefore, we need to further improve the device authentication scheme to ensure the safety and reliability.

3.1. Classification of Medical Devices

With the rapid and revolutionary development of medical information, the medical equipment is widely used. The medical devices are classified as follows.

The first kind is the diagnostic equipment. It includes physical diagnostic instruments (sphygmomanometers, thermometers, all kinds of physiological recorders, etc.), images (MRI, B ultrasound, CT scanning, etc.), analytical instruments, and electrophysiology (EEG, etc.). These devices are distributed in each diagnosis and treatment area of the hospital, and the devices connected to the network need strict identity authentication.

The second kind is the treatment equipment. It includes ward nursing equipment (sickbed, oxygen bottle, etc.), surgical equipment, radiotherapy equipment, and emergency equipment (ventilator, cardiac defibrillation pacemaker, etc.). This kind of devices needs to be authenticated to ensure the safe use.

The third kind is the auxiliary equipment. It includes sterilization devices, refrigeration devices, and so on.

3.2. System Model

In order to study the problem of device security authentication in the MCPS, we first construct the system model of device security authentication based on the blockchain, as shown in Figure 1. The medical institutions are organized in a medical alliance chain to realize medical data sharing. The lower layer of the blockchain is composed of users and some medical equipment, which mainly completes data collection and other work; the blockchain layer is mainly used to realize the storage of medical data and the process of device security authentication.

As shown Figure 1, the device is mainly composed of sensor nodes. Sensor nodes can perceive various characteristics from different environments. In the MCPS, the collection process of medical data is mainly composed of medical professionals (doctors, patients, nurses, pathologists, etc.), sensors, and gateway nodes, as shown in Figure 2. The sensor nodes sense the patient’s physical condition and then send the sign data in a certain electronic data format to the trusted gateway nodes of MCPS through the access point. As the core of the model in MCPS, the trusted gateway nodes execute the registration algorithm to provide the registration interface to all medical staffs. Medical staffs collect sensitive sign information of patients from the trusted gateway nodes, analyze them, and monitor patients’ physical condition.

3.3. Architecture

MCPS increasingly relies on software to provide new functions, so that new medical software and devices can be more widely connected with the network to meet the needs of continuous monitoring of patients. The basic architecture of MCPS includes cyber space (including network space) and physical space (including user space), as shown in Figure 3. As the core of MCPS, cyber space includes the processing, storage, security access, and so on. Physical space is the physical basis of MCPS, including medical perception and control devices needed by users, such as electronic sphygmomanometer, heart rate, and pulse collector, which are responsible for the collection and monitoring of user health information. MCPS is composed four layers such as data generation layer, data transport layer, data storage layer, and application service layer.

3.3.1. Data Generation Layer

At the bottom of MCPS architecture, it is mainly composed of a series of sensing nodes to collect the user’s health information and transmit the collected data to the medical data storage space through the tablet or other electronic devices. At the same time, after receiving the feedback information from the sensing nodes, the execution nodes complete the monitoring function of the user through the display or other alarms and execution devices and timely transmit the received information to the outside world, so as to realize the communication and feedback of information.

3.3.2. Data Transport Layer

It means that after the data collected by the data generation layer is encrypted or processed by other means, it is transmitted to the server by wired Ethernet or wireless transmission for storage. The service of the data transport layer is reflected through the running IPv4 or IPv6 protocol. Therefore, the level of data transport layer has a great relationship with the quality of network service, which requires higher network bandwidth, larger transmission range, faster transmission rate, stable transmission process performance, etc.

3.3.3. Data Storage Layer

The data storage object is the user’s health information. The health information includes the user’s medical records (sign data, outpatient medical records, hospitalization records, body temperature list, doctor’s order list, laboratory test list, medical imaging examination data, special examination consent, operation consent, operation and anesthesia record list, pathological data, nursing records, and other medical records), etc. It uses blockchain and cloud storage technology to realize the secure storage and data sharing of medical records. The chain structure that stores the hash of medical data of each hospital, the digest, and the location index of medical data in cloud storage is called medical chain.

3.3.4. Application Service Layer

It focuses on application management and secure access to medical data. With the help of the platform technology of blockchain, we can provide data addition, deletion, insertion, decision-making, and diversified services. And the user can send the corresponding operation or control commands to the relevant execution nodes according to the access results to realize the feedback and exchange of information.

In the system model, we mainly combine the blockchain technology, build a system model of security authentication, and analyze the collection process of medical data under the blockchain. On the basis of this model, we need to consider how to ensure the security of the device node access. Therefore, we propose a secure data transmission protocol based on device authentication and key agreement. The proposed authentication protocol consists of six stages: system setup, user registration, user login, authentication, key change, and sensor node join. The symbols and descriptions used are shown in Table 1.

4. Authentication Protocol

In this section, we propose a device security authentication scheme based on blockchain technology to ensure the security and reliability of sensor device nodes. The proposal in this section mainly includes the following parts.

4.1. Setup

(i)Step 1: the blockchain center selects as its private key and as the identifier of the gateway node and calculateswhere is selected as the private key of the gateway node.(ii)Step 2: is the identifier of the sensor device node selected by the blockchain center , which calculates It is the shared key between the gateway node and the sensor device node.(iii)Step 3: is saved in by the blockchain center .(iv)Step 4: the blockchain center saves and sends it to the gateway node in order to register with the gateway node.

4.2. User Registration

In order to access the medical data collected from sensor device nodes, each medical staff needs to register at the corresponding gateway. In the user registration stage, the medical staff sends the registration request to the gateway. After the preliminary verification, the gateway adds the user into its user list and sends one smart card storing user’s identification information to the user. The identification information may include some personalized parameters of the user, such as complex password in a certain length and identity credentials convenient for authentication in encrypted form. The steps of user registration are as follows:(i)Step 1: the user selects a unique and , generates a random number , and calculatesThen, the user sends to the gateway node .(ii)Step 2: when the gateway node receives , the gateway node generates another random number and calculates it at the timestamp :(iii)Step 3: the gateway node stores in the smart card and then transmits it to the user securely.(iv)Step 4: when the user receives , calculates

And it writes it into the smart card.

4.3. User Login

In the login stage, the user enters the identity identifier (identity credentials and password) in the device. The system first checks the correctness of the user input value and then sends the login message to the gateway. Once the authentication is successful, the user can securely and legally access the remote computer data at any time according to the following steps:(i)Step 1: the user inserts the into the reader, then enters and .(ii)Step 2: the user selects a gateway node to obtain the data required by the user from the nearest sensor node.(iii)Step 3: smart card calculates(iv)Step 4: the smart card checks whether and are equal. If , the and of the user are verified; otherwise, the session is interrupted.(v)Step 5: the smart card generates a random number , and at , it calculates(vi)Step 6: the smart card sends to the gateway node through the public channel.

4.4. Authentication

In the authentication stage, the gateway node first verifies the validity of the user’s identity and then transmits the authentication message to the sensor device. After receiving the authentication message, the sensor device verifies the identification authenticity of the gateway node and then sends another message back to the gateway node so as to further prove its authenticity. After that, the gateway node sends a new message to the user node. In addition, the session key is calculated by each participant, including user nodes, gateway nodes, and sensor device nodes. In this stage, the following steps are performed to establish mutual authentication between the caregiver user node and the sensor device node.(i)Step 1: when gateway node receives the login request at time , calculates(ii)Step 2: the gateway node checks whether is less than , where is the maximum allowable transmission delay of the sender and receiver. If the condition is not met, terminate the session; otherwise, continue to the next step.(iii)Step 3: the gateway node calculates And it checks whether . If met, the user is authenticated; otherwise, the session is terminated.(iv)Step 4: the gateway node generates a random number and calculates(v)Step 5: gateway node sends to sensor node .(vi)Step 6: after the receives , then at time , it calculates(vii)Step 7: sensor device node checks whether is less than . If the condition is not met, terminate the session; otherwise, continue to the next step.(viii)Step 8: sensor device node calculates(ix)Step 9: the checks whether . If met, it continues to the next step; otherwise, terminate the session.(x)Step 10: the generates a random number and calculates(xi)Step 11: the sends to the gateway node .(xii)Step 12: the receives the message at time and calculatesAnd it checks whether is less than . If not met, the session is terminated; otherwise, continue to the next step.(xiii)Step 13: the verifies whether ; if met, the is verified.(xiv)Step 14: the continues to calculate(xv)Step 15: the sends to the user .(xvi)Step 16: when the user receives at time , the smart card calculatesAnd it checks whether ; if not met, then terminate the session; otherwise, continue to the next step.(xvii)Step 17: smart card calculates

If , then both and authenticate with user ; otherwise, the session is terminated.

Among them, security authentication and key agreement phase is shown in Figure 4.

4.5. Password Change

This stage provides the user with the operation to change the password. An effective password change process can make the protocol friendly. In order to achieve this goal, the password change should not involve any other unnecessary participants, which can reduce communication costs and resist Denial of Service (DoS) attacks. Here are the steps to change the password:(i)Step 1: the user first inserts the into the reader device and then enters and .(ii)Step 2: calculates(iii)Step 3: compares with already stored in . If , the user identity and password are verified; otherwise, the session is terminated.(iv)Step 4: enters a new password .(v)Step 5: calculates(vi)Step 6: the replaces and with the corresponding new values: , , and . Then, the password is changed successfully.

4.6. Sensor Node Join

When a new sensor device node needs to join the MCPS, the system will perform the following steps:(i)Step 1: the blockchain center selects the new sensor node , uses as its identifier, and calculatesAnd it stores .(ii)Step 2: sends to the gateway node.(iii)Step 3: the gateway node stores this value and updates the information in the database.

5. Authentication Proof Based on Ban Logic

5.1. Definition of BAN

BAN (Burrows, Abadi, and Needham) logic is a popular identity authentication protocol analysis model. It helps to prove identity verification and key establishment, thereby proving the validity of the protocol [23, 24].

Now, we have defined some logical rules such as Message-Meaning rule (MM), Nonce-Verification rule (NV), Jurisdiction rule (J), Freshness-Conjuncatenation rule (FC), Session Key rule (SK), and Belief rule (B) used in the proof, and these rules are directly adopted from [25].

5.2. Formal Verification Process

All certification protocols need to achieve Goal 1, 2, …, 8. Here, the variables , and represent three subjects:(i)Goal 1: .(ii)Goal 2: .(iii)Goal 3: .(iv)Goal 4: .(v)Goal 5: .(vi)Goal 6: .(vii)Goal 7: .(viii)Goal 8: .

Make the following assumptions and analyze the initial state of the agreement:(i).(ii).(iii).(iv).(v).(vi).(vii).(viii).(ix).(x).(xi).

Based on BAN logic rules and assumptions, we can analyze the ideal form of the protocol:(i)Message 1: Using rule:: , : Using and MM rule:: Using and FC rule:Using and J rule, B rule, NV rule:: Using and SK rule: (Goal 1).Using and NV rule: (Goal 2).(ii)Message 2: Using rule::Using and MM rule:Using and NV rule:: Using and J rule, FC rule:Using and B rule:Using , and SK rule: (Goal 3).Using and NV rule: (Goal 4).(iii)Message 3: Using rule:: Using and MM rule:Using and J rule, FC rule, NV rule:Using and B rule:: Using and SK rule: (Goal 5).Using and NV rule: (Goal 6).(iv)Message 4:Using rule:Using and MM rule:Using and FC rule, NV rule:Using , B rule and J rule:: Using and SK rule: (Goal 7).Using and NV rule: (Goal 8).

The above BAN logic discussion clearly proves the effectiveness and feasibility of the mutual authentication and session key protocol among user , gateway node , and sensor device node .

6. Security Analysis and Discussion

6.1. Security Analysis

In this section, we mainly discuss the security issues to prove that our protocol is secure for all related security attacks.

6.1.1. Replay Attack

Assuming that the device authentication protocol maintains a global clock to synchronize timestamps against clock synchronization, we can verify whether it can effectively resist replay attacks and work smoothly or not. Affected by replay attack, the performance of the system will decline dramatically. Attackers usually capture the previously transmitted messages by the sender entity and resend them to the receiver entity to prove that the message was sent from the legitimate sender entity. Because the system timestamp is used in the protocol and the transmission delay time will be checked, the protocol always rejects the replay messages captured by the attacker due to the invalid transmission delay time. In the protocol, new random numbers are also used to identify duplicate messages. Therefore, the protocol proposed in this paper is resistant to replay attacks.

6.1.2. User Impersonation Attack

According to the attacker’s ability, the attacker can eavesdrop all the transmitted messages through the public channel during the execution of the protocol. The attacker can modify the bugged message and retransmit it to the user in order to impersonate a valid user. The following will prove that the protocol in this paper provides strong security protection against user simulated attacks.

We suppose that the attacker eavesdrops on the message and tries to generate another valid message, which will be authenticated by the gateway. In order to generate a forged message, the attacker must calculate the following valid parameters:

However, the attacker could not calculate the effective , where as and are unknown to the attacker. In addition, it is not feasible to simulate and guess all unknown constraints in polynomial time. As a result, attackers cannot generate or guess other valid messages in polynomial time.

6.1.3. Offline User Identity and Password Guessing Attacks

Assuming that most users use simple and for identity recognition, it is easy to guess and in polynomial time. However, during the execution of the protocol in this paper, the user’s and are protected by an irreversible one-way hash function. Therefore, the attacker cannot extract user information . An attacker may try to extract multiple parameters such as , , , , , , and from the offline state of the user and then guess and verify user’s and . All these parameters are known to the attacker as follows.

The attacker finds the constraint parameters and of the smart card. The constraint parameters and of the smart card are defined aswhere .

From these relationships, it can be clearly seen that is protected by an irreversible one-way function, and an attacker cannot extract , , , and . If an attacker tries to guess the constraint parameters, he must guess all unknown values to verify whether the guessed value is not feasible in polynomial time. If the identity, password, and random number are all N characters and the key of the gateway is characters, then the probability of guessing the parameters at the same time is about [26].

6.1.4. Sensor Device Node Simulated Attack

According to our assumption, an attacker can intercept messages during the execution of the protocol . After intercepting this message, the attacker attempts to generate another valid message that will be verified by the gateway node , where , . However, an attacker cannot calculate effective intercepted messages without knowing the valid and , and these messages are protected by the one-way hash function. Therefore, the attacker cannot generate valid other messages. Therefore, our protocol can resist simulated attacks on sensor nodes.

6.1.5. Gateway Node Simulation Attack

In the proposed protocol, the gateway node sends and to the sensor and the user. Using these messages, both the sensor node and the user can verify the legitimacy of the gateway node. It is now assumed that an attacker can intercept these two messages.(i)Case 1: if the attacker intercepts the message between and , namely, , through the public channel, where , and , the attacker attempts to generate another message and send it to the sensor node to simulate as a legitimate gateway. However, the calculation of , , and , respectively, depends on the random number . It should be noted that due to the irreversible properties of the one-way hash function, an attacker cannot extract this value. Since is a shared key parameter between the gateway node and the sensor device node, an attacker cannot guess it in polynomial time.(ii)Case 2: if the attacker intercepts the message between and through the public channel, that is, , where and , then the attacker tries to generate another message and transmit it to the user to impersonate legal gateway. However, the calculation of and depends on and . Also, it should be noted that the attacker cannot extract the values generated due to the irreversibility of the one-way hash function, and these values cannot be guessed in polynomial time. In addition, the user terminated the connection due to an invalid message. Therefore, if an attacker initiates a gateway simulation attack, it may be captured.

6.1.6. Long-Term Key Security

The authentication protocol uses several keys, such as (private key of BC), (the private key of gateway node), and (the shared key between gateway node and sensor device node). It is worth noting that in the setup stage, and . Because the keys are protected by a one-way hash function, attackers cannot retrieve them. Similarly, the key of the gateway node cannot be retrieved. Therefore, in the protocol of this chapter, all keys are highly protected.

6.1.7. Mutual Authentication

In this protocol, all entities will authenticate each other to verify the validity of their identities before the actual information sharing or retrieval occurs. During the implementation of the protocol, the gateway node first authenticates the user’s identity according to the received login message , and then the sensor node uses the message received from the gateway device node to verify the identity of the gateway node. Similarly, the gateway uses the message to authenticate the sensor node, and the user uses the message to authenticate the gateway node. As a result, all participants involved use their own messages to authenticate with each other.

6.1.8. Perfect Forward Confidentiality

This protocol provides perfect forward secrecy, which means that even if one of the long-term keys is disclosed, the session key will not be disclosed. For example, we suppose that the long-term key of the gateway node is disclosed to the attacker in some way. The attacker then attempts to calculate the session key used in the protocol. Even if the secret key is known, the attacker cannot calculate the random number used in the protocol and will not know the shared secret key between the gateway node and the sensor device node. Because the session key depends on a random number, the attacker cannot calculate it. If we assume that the session key used in the protocol has been destroyed by the attacker, the attacker will try to calculate the previous session key. The attacker was unable to calculate the previous session key because he could not extract any confidential information from the compromised session key . Therefore, our protocol has perfect forward confidentiality.

6.1.9. Effective Authentication

In order to prolong the service life of sensor devices, we hope to reduce the computation cost of sensor and the number of bits it must transmit. In this paper, we also prove that the computation cost of authentication messages of sensor nodes is very low as shown in Table 2. The bits of transmitted message are also less as shown in Table 3. In addition, the sensor node first checks the legitimacy of the user and gateway node by comparing with the received and then performs further calculation and communication processes, which prevent the attacker from repeatedly sending false messages to harm the sensor device node. If the sensor device node participates in the calculation and communication messages as the response of the false message, it will cause unnecessary battery consumption of the sensor device node. Therefore, the protocol provides effective authentication.

6.1.10. Valid Key Changes

When a user suspects that his password has been leaked, the registered user will change their password. Therefore, the protocol proposed in this paper needs the password change function. Registered users can change their passwords in the agreement. Users do not need any support from the gateway node or the registry during the password change process, which reduces the load on the channel and also can resist the DoS attack. In addition, in order to reduce the computation cost, the system will verify the correctness of the personal information such as the identity and password before calculating the new value with the new password. Therefore, the password change stage is effective and practical.

6.2. Performance Evaluation
6.2.1. Comparison of Security Performance

We compare the security performance of the proposed scheme with the protocols Shi [13], Choi [14], Xue [17], and Kumar [19]. In Table 4, it can be seen that the protocols of Shi [13] are vulnerable to several attacks, such as smart card theft and session key attack. In addition, the protocol of Shi is easy to expose the anonymity of users. From this table, it is clear that our proposed protocol provides strong security protection against related attacks, including user anonymity, password guessing attack, user sensor simulation attack, internal attack, smart card theft attack, and session key disclosure attack. Our improved protocol can provide more adequate security protection, because it can meet all the security requirements. Our protocol is the only one that can resist all known attacks and provide all required security functions.

6.2.2. Comparison of Computation Cost

In Table 2, H, S, and ECC represent the execution time of hash function, symmetric encryption/decryption, and ECC dot product, respectively. The computation amount of user registration is one-time. Therefore, we do not pay attention to this time. Due to the resource constrained nature of gateway nodes and sensor nodes, we find that Shi et al. [13] used elliptic curve points to calculate authentication messages, and our protocol mainly uses encryption one-way hash function , XOR””, and connection”” operations to provide security identity authentication. Because the cost of exclusive or and concatenation is negligible, we only consider the cost of the hash function. In addition, the computational complexity of Li [27] can be roughly expressed as . As described in Li [27], we assume that one-way hash function (H), symmetric key encryption/decryption algorithm, and ECC of scalar point of elliptic curve need 0.0005, 0.0087, and 0.063075 seconds respectively. From Table 2, we find that the computing cost of our protocol is , while the computing cost of sensor device node is . That is, in our protocol, the computing cost of sensor node is of the total computing cost. Table 2 shows that the computation cost of our protocol is lower than the protocols Shi [13], Choi [14], Xue [17], and Kumar [19]. Therefore, our protocol is suitable for the security authentication of sensor nodes in the medical cyber-physical systems, which can save resources and increase service life.

6.2.3. Comparison of Communication Cost

As shown in Table 3, we compare the communication overhead in this paper with the methods discussed in Shi [13], Choi [14], Xue [17], and Kumar [19]. Communication overhead is the total number of bits required for transmission during the login and authentication stages. Now, we assume that the participants’ identities, random numbers, and timestamps are 32 bits, the results of AES are 512 bits, the ECC points are 320 bits, and the message digests of SHA1 are 160 bits. It can be seen from the results that the total communication cost of our scheme is the lowest, and the cost of sensor devices is low, which can keep the sensor devices active for a long time.

7. Conclusions and Future Works

In this paper, a security authentication model of medical cyber-physical systems based on blockchain is proposed, and the process of data collection and transmission is described in detail. Then, we propose an authentication scheme of sensor devices. The process includes system initialization, user registration, user login, security authentication and key negotiation, password change, and adding sensor nodes. Finally, we analyze the availability and security of the proposed scheme.

Compared with the traditional device identity authentication scheme, this scheme has the following advantages: first, taking the blockchain node as the authentication third party can solve the untrustworthy problem of the third party and also can resist the attacker’s attack on the third party’s data center to prevent data leakage. Second, the authentication scheme can be adapted to device nodes with different computing, transmission, and storage capacities. At the same time, it can also save the energy consumption of device nodes and increase the service life. Third, the device nodes can be added dynamically. Because the transaction speed of alliance chain is fast, each node has its own private key, the transaction cost is not high, and it cannot be tampered with. However, due to the multiple data types and high complexity of data transactions in the device nodes of the medical cyber-physical systems, and with the needs of the use process, the device nodes need to be added to collect new data. The medical institutions can be connected with the alliance chain, which can provide an innovative way for the medical cyber-physical systems architecture and make the system efficient, safe, and traceable.

Although our scheme has made some progress in the research of device identity authentication, there are still some shortcomings of our work. The following problems need further research:(1)A new security authentication protocol for sensor devices in the medical cyber-physical systems is proposed in this paper, which is used to authenticate legitimate users and sensor devices. The protocol realizes the security requirements of authentication process at a lower cost and saves the cost of devices life. Mutual authentication and key establishment can also be completed. In the future, we hope that the scheme of device security authentication can be extended to other application fields to complete the device security authentication with the blockchain technology.(2)The security authentication scheme proposed in this paper is based on the blockchain technology. However, we only analyze the security and effectiveness of the scheme in theory and realizes the simple construction of medical alliance chain. In further, we can use the Hyperledger Fabric to complete more rigorous experimental simulation [28]. The open platform of Hyperledger Fabric, which is open-source and free of charge, provides a modular and scalable architecture and can be used in various industries from banking and health care to supply chain.

Data Availability

No data were used to support the findings of this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.


The authors would like to thank the colleagues and students in Anhui Provincial Key Laboratory of Network and Information Security. The authors thank the National Natural Science Foundation of China under grant no. 61972438 and Key Research and Development Projects in Anhui Province under grant no. 202004a05020002 for supporting this research.