Abstract

The Internet of things (IoT) is widely used in applications such as medical and transportation systems. Smart medical systems have become one of the most effective and practical ways to provide users with low-cost, noninvasive, long-term continuous health monitoring. Recently, Jia et al. proposed an authentication and key agreement scheme for fog-computing-based smart medical systems and claimed that it is secure against a variety of known attacks. However, we found that it has several flaws, including vulnerability to a known session-specific temporary information attack and a lack of pre-verification of user input; an adversary who learns a session's ephemeral values can readily recover the session key and the user's identity. In this paper, we propose a secure authentication and key agreement scheme that remedies the weaknesses of the previous one. The security of the proposed scheme is evaluated by an informal security analysis and by Burrows–Abadi–Needham (BAN) logic, and the ProVerif tool is used to formally verify its secrecy and authentication properties. Finally, performance comparisons with earlier schemes show that the proposed scheme is both practical and more secure.

1. Introduction

A wireless sensor network (WSN) [1–5] (also called a sensor network) is a multihop, self-organizing network formed by many inexpensive miniature sensor nodes distributed over a detection region and communicating wirelessly. The aim of a WSN is to gather and process information about the sensed objects in its coverage area and transmit it to an observer. WSNs are a significant foundation of the Internet of things and have been used in several fields, including smart healthcare. Wireless medical sensor networks (WMSNs) [6] can be used to build ubiquitous medical systems that detect patient emergencies immediately through remote monitoring and thereby improve the quality of medical treatment. In a WSN-based healthcare system, medical sensors are attached to patients, and the acquired data are forwarded to authorized entities in a secure manner. However, the sensors deployed in a WMSN have limited storage and computing capabilities; when large volumes of data are collected, real-time processing of all of them cannot be guaranteed.

To resolve these problems, the concept of a fog-driven IoT healthcare system [7–9] (Figure 1) was proposed, which moves computing closer to the users and devices at the edge of the network. The fog-driven IoT healthcare system consists of three layers: the healthcare device layer, the medical fog layer, and the medical cloud layer. In fog computing [10–16], fog nodes (including routers, gateways, switches, and access points) are distributed at the edge of the network, geographically close to the terminal devices. By extending cloud services to the network edge, fog computing turns the cloud data center into a distributed platform while preserving cloud services for users. As a result, the waiting time for processing wireless medical sensor data is minimized [17–19], improving user experience and service quality.

Generally, sensor nodes are resource-constrained devices with computing, communication, and storage functions, and they are usually deployed in sparsely populated, physically unattended environments. Because the nodes are exposed to adversaries, the security of the deployed equipment cannot be taken for granted. Hence, the security of wireless sensor networks has become a significant research challenge, particularly in WMSNs, where the data are sensitive patient information and the security and privacy stakes are correspondingly higher. Several challenges must be overcome before the whole system can be operated efficiently. Maintaining the integrity of the medical data gathered from sensor nodes, giving only legitimate users secure access to these data, and preventing misuse of data transmitted over public channels are the main issues, and they must be handled carefully. The integrity and confidentiality of data transmitted between the parties must be guaranteed [20].

To establish trust between communicating parties and prevent impersonation, each user or fog node in the system must be given a unique identity [21] and be authenticated [22]. In addition, data transmitted over public channels and stored in fog nodes or cloud servers must be encrypted to ensure data security and privacy [23–25]. However, because deployed fog nodes and terminal devices are mobile, it is impractical to preshare session keys between them. Authenticated key agreement (AKA) [26–29] is a suitable mechanism for authenticating users and nodes and establishing shared session keys; however, it has rarely been applied to fog computing.

Recently, numerous AKA protocols [28–41] have been proposed for WSN, fog computing, and IoT environments. Turkanovic et al. [31] proposed an efficient AKA scheme for heterogeneous WSNs, in which the user authenticates through the sensor node without contacting the gateway node. However, Farash et al. [33] found that their protocol is vulnerable to smart-card theft attacks and does not provide untraceability and anonymity of sensor nodes toward the user. Wang and Wang [32] showed that anonymous authentication cannot be achieved with symmetric cryptography alone; therefore, research has focused on designing AKA schemes based on asymmetric cryptography. Hayajneh et al. [34] proposed a lightweight authentication scheme based on the Rabin signature for remote patient monitoring over wireless sensor networks. In 2018, Amin et al. [35] proposed a lightweight AKA protocol for IoT devices in a distributed cloud computing environment. Their protocol implements mutual authentication among the user, the service provider, and the control server, and a common session key is shared between the user and the service provider. Only symmetric cryptography is used in their scheme, which makes it highly efficient. Yeh et al. [30] proposed the first elliptic curve cryptography (ECC)-based AKA scheme for wireless sensor networks, after which other researchers proposed an increasing number of ECC-based AKA protocols [36, 41–46].

Although several AKA schemes have been proposed for IoT environments, these protocols are rarely suitable for direct deployment in fog computing environments. Hamid et al. [45] proposed a single-round three-party AKA protocol based on bilinear pairing for this setting and claimed that it ensures the privacy of medical data in a fog-based medical system. However, because the session key generated by this scheme is static, it cannot provide forward secrecy. The key exchange of this scheme is based on Joux's three-party Diffie–Hellman key exchange [43]; thus, it is also vulnerable to man-in-the-middle attacks. Recently, Jia et al. [46] proposed an AKA scheme for a fog-driven IoT healthcare system using bilinear pairings, in which the cloud server authenticates both the IoT device and the fog node and establishes a shared session key between them. Based on the Bellare–Rogaway–Pointcheval (BRP) security model [42], they claim that the scheme resists various known attacks, and their informal security analysis indicates that it provides user anonymity and untraceability. Some important related works are summarized in Table 1.

In this study, we first analyze Jia et al.'s scheme and show that it is vulnerable to a known session-specific temporary information attack and that it performs no pre-verification of the user's input. We then propose an enhancement of their scheme that remedies these shortcomings. In our scheme, mutual authentication and key agreement among the three entities are achieved in a single round of communication: after the cloud server has verified the identities of the IoT device and the fog node, a common session key is shared among them. For the security analysis, we use BAN logic, ProVerif, and an informal analysis; together, these provide evidence that our improvement resists several well-known security threats.

2. Cryptanalysis of Jia et al.’s AKA Scheme

2.1. Review of Jia et al.’s AKA Scheme

Here, we briefly review the scheme proposed by Jia et al. [46], which consists of four phases: system setup, user registration, fog node registration, and authentication and key agreement.

2.1.1. System Setup

The cloud service provider (CSP) selects a nonsingular elliptic curve on the finite field , where p is a large prime number, and is the security parameter. Let G be a cyclic group of order n generated by a base point P. Then, CSP selects a random and computes . (G, P, ) are published as the public system parameters, while remains hidden. Six secure hash functions , are selected by CSP, where , , , , , and . We assume that the CSP is fully trusted and also holds a database to record registered users and fog nodes.

2.1.2. User Registration

inputs respective identity and password , and then computes  =  , where  ∈  is a random number chosen by . Then, sends (, ) to CSP via a secure channel. After receiving the request, CSP randomly chooses and computes  =  . The CSP then stores in the smart card and the (, ) in its database and finally sends the smart card to the user over a secure channel. After the user receives the smart card, calculates  =  and replaces on the card with .

2.1.3. Fog Node Registration

Each fog node must be registered with the CSP before deployment. transmits its identity to CSP. Then, CSP randomly selects and computes ; CSP sends to the fog node over a secure channel and stores (, ) into its database.

2.1.4. Authentication and Key Agreement

In this phase, CSP helps the user and FN to authenticate each other and establish a session key SK by executing the following steps:

(a) The user randomly chooses and computes , , , , ||, where is the current timestamp, and sends Msg1 = {, , , } to FN.
(b) Upon receiving Msg1, FN first checks that the timestamp is fresh. Then, FN randomly selects and calculates B, , , | , where is the current timestamp. Finally, FN sends Msg2 = {, , , , , } to the CSP.
(c) After receiving Msg2, CSP first checks the validity of the two timestamps , and then executes the following steps:
(i) CSP computes , , = , and  = .
(ii) CSP searches its database for entries matching (, ) and (, ). If there are no matching entries, CSP denies the request and immediately terminates the session. Otherwise, CSP computes  = ,  = ,  = , and  = .
(iii) CSP checks whether  =  and  = . If either equation does not hold, the CSP rejects the request and terminates. Otherwise, it randomly chooses and computes |, , and , where is the current timestamp. Finally, CSP forwards Msg3 = {, , , } to FN.
(d) Upon receiving Msg3, FN checks the freshness of and verifies whether . If the equation does not hold, FN terminates the session. Otherwise, FN calculates , where . Then, FN sends Msg4 = {B, C, , } to the user.
(e) Upon receiving Msg4, the user checks the freshness of and verifies whether . If not, the user aborts the session. Otherwise, the user computes , where .

2.2. Security Weakness of Jia et al.’s Scheme
2.2.1. Known Session-Specific Temporary Information Attack

Here, we show that Jia et al.'s scheme suffers from a known session-specific temporary information attack. This attack is captured by the Canetti–Krawczyk (CK) adversary model [47]. We allow an attacker E to fully control the communication among the user, the fog node, and the CSP during the authentication and key agreement phase. Thus, E can intercept the messages exchanged over the public channel and, in the CK model, can additionally learn the session-specific ephemeral values of either side of the current session; this is enough to recover key information of the session, such as the session key and the entities' identities.

(a) Session key recovery. Following the CK adversary model, we may assume that the attacker E obtains the user's random number . Note that the corresponding public value can also be intercepted on the open channel. Then, E can compute , where . Similarly, we may assume that E obtains b or c from FN or CSP; the session key SK can then also be computed from b or from c, because in Jia et al.'s scheme , where a, b, and c are the random numbers chosen by the user, FN, and CSP, respectively.

(b) Identity recovery (anonymity violation). Under the same assumption as in (a), E can recover the identity , where . Similarly, E can recover , where , once E obtains the random value b.

2.2.2. Lack of Pre-Verification

Step (a) of the authentication and key agreement phase does not verify the user's input and locally. If the user enters an incorrect or , the error is not detected until the CSP rejects the request in step (c); the user, the fog node, and the CSP all waste computation and communication on a session that is bound to fail. A check on the smart card before Msg1 is sent would catch the mistake at no cost to the other parties.

3. Our Improved Scheme

In this section, we propose an improvement of Jia et al.'s scheme that overcomes the security weaknesses identified in Section 2. The system setup phase is the same as in Jia et al.'s scheme.

3.1. Modified User Registration

This phase is depicted in Figure 2.

(a) The user randomly chooses , inputs the password and the identity , and computes . Then, the user sends (, ) to CSP via a secure channel.
(b) After receiving , CSP randomly chooses and computes , . The CSP then stores (, ) in the smart card and (, ) in its own database and finally sends the smart card to the user over a secure channel.
(c) After receiving the smart card, the user calculates , and replaces , on the card with and .

3.2. Modified Fog Node Registration

The fog node transmits its identity to the CSP. The CSP randomly selects and computes . Then, CSP sends to the fog node via a secure channel and stores (, ) in its own database. This phase is shown in Figure 3.

3.3. Modified Authentication and Key Agreement

This phase is depicted in Figure 4.

(a) The user inputs and and computes , . Then, the card checks whether holds. If it does not, the login is rejected locally and no message is sent. Otherwise, the user randomly chooses and computes , , , , , where is the current timestamp. Finally, the user sends to FN.
(b) Upon receiving , FN first checks that the timestamp is fresh. Then, it randomly selects and calculates , , , , , where is the current timestamp. Finally, FN forwards to the CSP.
(c) After receiving , CSP first checks the validity of the two timestamps , and then executes the following steps:
(i) CSP computes , , , and then searches for (, ) and (, ) in its database. If there are no matching entries, CSP denies the request and immediately terminates the session.
(ii) CSP computes , , and , and then checks whether and . If either equation does not hold, the CSP rejects the request and terminates.
(iii) CSP randomly chooses and computes , , , , , , , where is the current timestamp. Finally, CSP sends to FN.
(d) Upon receiving , FN checks the freshness of and verifies whether . If the equation does not hold, FN immediately terminates the session. Otherwise, FN calculates , and forwards to the user.
(e) Upon receiving , the user checks the freshness of and verifies whether . If the equation does not hold, the user immediately terminates the session. Otherwise, the user calculates , .
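Step (a) above and Section 2.2.2 turn on the smart card verifying the identity and password locally before Msg1 is sent. The Python below is an added illustration of that check, not the paper's registration formulas; the card layout, the modulus N0, and the sample inputs are assumptions. It also shows the trade-off the check introduces, which the paper's analysis does not discuss: any verifier stored on the card gives a thief an offline guessing oracle. The example therefore implements the "fuzzy verifier" variant (keep only log2 N0 bits of the verifier) beside a full verifier and counts how many dictionary candidates each one lets through.

```python
"""Local pre-verification of ID/PW on the smart card, with a fuzzy verifier.
Added illustration only: not the paper's registration or login formulas.
The card contents, N0, and the sample identity/passwords are assumptions."""
import hashlib
import secrets

N0 = 2 ** 8   # fuzzy-verifier range: a wrong password passes locally with prob. 1/N0


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"\x00".join(parts)).digest()


def register(identity: bytes, password: bytes, fuzzy: bool = True) -> dict:
    """User side of registration: choose a random r and keep a verifier on the card.
    fuzzy=True keeps only log2(N0) bits of the digest; fuzzy=False keeps all of it."""
    r = secrets.token_bytes(16)
    digest = h(identity, password, r)
    verifier = int.from_bytes(digest, "big") % N0 if fuzzy else digest
    return {"r": r, "v": verifier, "fuzzy": fuzzy}


def local_check(card: dict, identity: bytes, password: bytes) -> bool:
    """Step (a) of the login: reject a mistyped ID/PW before contacting FN or CSP."""
    digest = h(identity, password, card["r"])
    if card["fuzzy"]:
        return int.from_bytes(digest, "big") % N0 == card["v"]
    return digest == card["v"]


def offline_survivors(card: dict, identity: bytes, candidates) -> list:
    """What an adversary holding a stolen card can do offline: keep every candidate
    password that the card itself accepts.  A full verifier leaves exactly one
    survivor; a fuzzy verifier leaves about len(candidates)/N0, which must then be
    tried online against the CSP, where attempts can be counted and throttled."""
    return [pw for pw in candidates if local_check(card, identity, pw)]


def demo() -> dict:
    identity, real_pw = b"user-0042", b"medic@l-P4ss"            # constructed sample input
    dictionary = [f"guess{i:05d}".encode() for i in range(4000)] + [real_pw]
    fuzzy_card = register(identity, real_pw, fuzzy=True)
    full_card = register(identity, real_pw, fuzzy=False)
    return {
        "fuzzy_accepts_real": local_check(fuzzy_card, identity, real_pw),
        "full_accepts_real": local_check(full_card, identity, real_pw),
        "full_rejects_typo": not local_check(full_card, identity, b"medic@l-P4sss"),
        "fuzzy_survivors": offline_survivors(fuzzy_card, identity, dictionary),
        "full_survivors": offline_survivors(full_card, identity, dictionary),
    }


if __name__ == "__main__":
    d = demo()
    print("fuzzy card leaves", len(d["fuzzy_survivors"]), "candidates;",
          "full card leaves", len(d["full_survivors"]))
```

With a full verifier the card alone confirms the password, so a stolen card plus a dictionary yields the password offline; with N0 = 256 the card still catches 255 out of 256 typos but leaves roughly one candidate in 256 to be tested online, where the CSP can rate-limit. Either way, the local check only reduces wasted round trips; the CSP's verification in step (c) remains the authoritative one.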

4. Security Analysis of Our Improved Scheme

In this section, the security of our scheme is illustrated by the BAN logic, ProVerif, and an informal security analysis.

4.1. Formal Security Analysis Using BAN Logic

In this subsection, we use BAN logic to show that the session key SK is correctly established among the user, the fog node, and CSP; the user can then use SK to send request messages to the server when it wants to obtain data. The notations and rules of BAN logic used below follow previous studies [33, 35, 39, 48].

4.1.1. Related Rules
Message meaning rule : if principal A believes that the secret K is shared between A and B, and A receives a message X encrypted with K, then A believes that B sent X.
Nonce verification rule : if A believes that message X is fresh and that B sent X, then A believes that B believes X.
Jurisdiction rule : if A believes that B has jurisdiction over X and that B believes X, then A believes X.
Session key introduction rule : if A believes that X is fresh and that B believes X, then A believes that A and B share the session key.
Belief rule : if A believes that B believes the formula (X, Y), then A believes that B believes the X part (or the Y part) of the formula.
4.1.2. Goals
GOAL 1: GOAL 2: GOAL 3: GOAL 4: GOAL 5: GOAL 6: GOAL 7:
4.1.3. Idealize the Communication Messages
Msg1 Msg2 Msg3 Msg4 Msg5 Msg6
4.1.4. Initial State Assumptions
A1: A2: A3: A4: A5: A6: A7: A8: A9: A10: A11: A12: A13: A14: A15: A16: A17: A18: A19: A20: A21: A22: A23: A24: α A25: A26: A27:

Because is a random number chosen by , we obtain A1 and A2; when Msg1 is sent from to , A22 is obtained, and from A22 we obtain A9; when Msg3 is sent from to CSP, we obtain A27, and from A27 we obtain A14. Similarly, because b is a random number chosen by , we obtain A6 and A7; when Msg6 is sent from to , we obtain A18, and from A18 we obtain A4; when Msg2 is sent from to CSP, we obtain A26, and from A26 we obtain A15. Because c is a random number chosen by CSP, we obtain A26 and A27; when Msg5 is sent from CSP to , we obtain A19, and from A19 we obtain A5; when Msg4 is sent from to , we obtain A23, and from A23 we obtain A10.

4.1.5. Main Proofs Using BAN Rules and Assumptions

(1) For GOAL 1 and GOAL 2. From message Msg6 and using the seeing rule, we obtain S1: . Using the seeing rule, we obtain S2: . Using A16, S2, and the message meaning rule, we obtain S3: . Using A4, S3, and the nonce verification rule, we obtain S4: . Using A18, S4, and the jurisdiction rule, we obtain S5: . Based on message Msg5 and the seeing rule, we obtain S6: . Using the seeing rule, we obtain S7: . According to A17, S7, and the message meaning rule, we have S8: . Using A5, S8, and the nonce verification rule, we obtain S9: . Using A19, S9, and the jurisdiction rule, we obtain S10: . Based on A2, A4, A5, A3, S5, S10, and the belief rule, we obtain S11: and S12: . Because , we can obtain S13: . Because , . Using A2, A16, S12, S13, and the belief rule, we obtain S14: (GOAL 1).

Using A2, S14, and the session key introduction rule, we obtain S15: (GOAL 2).

(2) For GOAL 3 and GOAL 4. From message Msg1 and using the seeing rule, we obtain S16: . Using the seeing rule, we obtain S17: . According to A20, S17, and the message meaning rule, we have S18: . Employing A9, S18, and the nonce verification rule, we obtain S19: . Using A22, S19, and the jurisdiction rule, we have S20: . From message Msg4 and using the seeing rule, we have S21: . We obtain S22: via the seeing rule. According to A21, S22, and the message meaning rule, we obtain S23: . Using A10, S23, and the nonce verification rule, we obtain S24: . According to A23, S24, and the jurisdiction rule, we have S25: . According to A7, A10, A9, A8, S20, S25, and the belief rule, we obtain S26: and S27: . Because , we can obtain S28: . Using A7, A20, S27, S28, and the belief rule, we obtain S29: (GOAL 3).

By using A7, S29, and the session key introduction rule, we obtain S30: (GOAL 4).

(3) For GOAL 5, GOAL 6, and GOAL 7. According to Msg2 and using the seeing rule, we obtain S31: . Using the seeing rule, we obtain S32: . Using A25, S32, and the message meaning rule, we obtain S33: . Using A15, S33, and the nonce verification rule, we obtain S34: . Using A26, S34, and the jurisdiction rule, we obtain S35: . Based on Msg3 and the seeing rule, we obtain S36: . We have S37: via the seeing rule. According to A24, S37, and the message meaning rule, we obtain S38: . Using A14, S38, and the nonce verification rule, we obtain S39: . According to A27, S39, and the jurisdiction rule, we obtain S40: . According to A14, A12, A15, A13, S35, S40, and the belief rule, we obtain S41: and S42: . Because , we can obtain S43: . Using A12, S42, S43, and the belief rule, we obtain S44: (GOAL 5).

Using A14, S44, and the session key introduction rule, we obtain S45: (GOAL 6).

Using A15, S44, and the session key introduction rule, we obtain S46: (GOAL 7).

4.2. Informal Security Analysis

In this section, we demonstrate that our improved scheme can achieve the following well-known security requirements.

4.2.1. Known Session-Specific Temporary Information Attacks

The session key is generated using the hidden values , and , , . The values (A, B, C) can be intercepted on the open channel, but adversaries do not know (, , ), which are the hidden values of the user, FN, and CSP, respectively, and thus cannot calculate (, , ). Therefore, even if adversaries learn (a, b, c), they cannot compute () without (, , ), and an adversary cannot recover SK from the leaked session-specific temporary information {a, b, c}.

(, ) are the hidden values of the user and FN, respectively; if the adversary learns (a, b) but not (, ), it cannot calculate , . The values , , , can be intercepted on the open channel, but the adversary cannot retrieve and from them without (, ). Likewise, if the adversary intercepts (A, B) on the open channel, it does not know the CSP's key and thus cannot calculate and , or retrieve and , without .
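The contrast between Section 2.2.1 (leaking a single nonce suffices) and this section (the hidden long-term values protect SK) can be made concrete with a small model. The Python below is an added illustration, not code from Jia et al. or from this paper's authors: it models the two parties U and FN directly (the CSP is omitted), uses static Diffie–Hellman key pairs (x_u, Y_u) and (x_f, Y_f) in place of the CSP-issued hidden values, a toy 127-bit modulus and generator, and a SHA-256 KDF; all of those names and parameters are assumptions. The attacker is given the whole public transcript plus the ephemeral exponents a and b. A key that depends only on ephemeral terms is recovered; a key whose recipe also contains a term with no leaked exponent (the static–static term) is not.

```python
"""Toy model of the known session-specific temporary information (KSSTI)
attack and of the usual countermeasure.  Added illustration only: this is
NOT Jia et al.'s scheme nor the improved scheme of this paper, and it drops
the CSP.  Two parties (user U and fog node FN) hold static DH key pairs
(x_u, Y_u) and (x_f, Y_f) and pick ephemeral (a, A) and (b, B).  All group
parameters and names below are assumptions chosen for the demonstration."""
import hashlib
import secrets

P = (1 << 127) - 1     # Mersenne prime; toy-sized modulus, not a secure group
G = 3                  # generator used for the demonstration (assumption)


def dh_pub(priv: int) -> int:
    return pow(G, priv, P)


def dh(priv: int, pub: int) -> int:
    return pow(pub, priv, P)


def kdf(transcript, terms) -> str:
    h = hashlib.sha256()
    for v in list(transcript) + list(terms):
        h.update(v.to_bytes(16, "big"))   # every value is < P < 2^128
    return h.hexdigest()


# A key "recipe" lists the DH terms g^{xy} that feed the KDF, as pairs
# (user_exponent_name, fog_exponent_name).
EPHEMERAL_ONLY = [("a", "b")]
HARDENED = [("a", "b"), ("x_u", "b"), ("a", "x_f"), ("x_u", "x_f")]


def honest_key(recipe, my_privs, peer_pubs, transcript) -> str:
    """Each side computes every term with its own exponent and the peer's public value."""
    terms = []
    for u_name, f_name in recipe:
        if u_name in my_privs:                       # we are the user side
            terms.append(dh(my_privs[u_name], peer_pubs[f_name]))
        else:                                        # we are the fog-node side
            terms.append(dh(my_privs[f_name], peer_pubs[u_name]))
    return kdf(transcript, terms)


def attacker_key(recipe, leaked, pubs, transcript):
    """Attacker sees the transcript and knows the exponents in `leaked`.
    g^{xy} is computable from public data iff x or y is known; if any term
    of the recipe is out of reach the key cannot be derived (returns None)."""
    terms = []
    for x, y in recipe:
        if x in leaked:
            terms.append(dh(leaked[x], pubs[y]))
        elif y in leaked:
            terms.append(dh(leaked[y], pubs[x]))
        else:
            return None
    return kdf(transcript, terms)


def run_demo() -> dict:
    x_u, x_f = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1   # long-term
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1       # per session
    pubs = {"a": dh_pub(a), "b": dh_pub(b), "x_u": dh_pub(x_u), "x_f": dh_pub(x_f)}
    transcript = (pubs["a"], pubs["b"], pubs["x_u"], pubs["x_f"])
    user = {"a": a, "x_u": x_u}
    fog = {"b": b, "x_f": x_f}
    out = {}
    for name, recipe in (("ephemeral_only", EPHEMERAL_ONLY), ("hardened", HARDENED)):
        out[name] = {
            "user": honest_key(recipe, user, {"b": pubs["b"], "x_f": pubs["x_f"]}, transcript),
            "fog": honest_key(recipe, fog, {"a": pubs["a"], "x_u": pubs["x_u"]}, transcript),
            # KSSTI: both session-specific values a and b leak, long-term keys do not
            "attacker": attacker_key(recipe, {"a": a, "b": b}, pubs, transcript),
        }
    return out


if __name__ == "__main__":
    for scheme, r in run_demo().items():
        print(scheme, "parties agree:", r["user"] == r["fog"],
              "attacker recovers SK:", r["attacker"] == r["user"])
```

The rule inside `attacker_key` (a term g^{xy} is derivable from public data exactly when one of its two exponents is known) is the check to apply to any proposed SK formula: list its DH terms and see whether the set of leaked ephemerals covers every term. The scheme of Section 3 reaches the same effect by mixing the CSP-issued hidden values into each party's contribution, so that no term of SK is covered by {a, b, c} alone.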

4.2.2. Mutual Authentication

CSP authenticates the user by verifying whether equals the saved in the CSP database and whether equals the sent by the user. The user authenticates CSP by verifying whether equals , which includes calculated by CSP.

Similarly, CSP authenticates FN by verifying whether equals the saved in the CSP database and whether equals the sent by FN. FN authenticates CSP by verifying whether equals , which includes calculated by CSP.

The user and FN authenticate each other in the same way: each verifies whether the received equals , which includes the value calculated by the other party.

4.2.3. Impersonation Attack

To impersonate a legitimate user, the adversary has to obtain the identity , password , and of the user, or construct , , and . First, the adversary cannot guess the correct identity and password of the user through a password-guessing attack (Section 4.2.9). Second, to construct {A, , }, the adversary has to obtain the key and the parameter ; however, it cannot compute without , , and , which are required for computing {A, , }. Thus, the adversary cannot impersonate a legitimate user.

Similarly, to impersonate a legitimate fog node, the adversary must obtain the identity and of FN, or construct , , and . The adversary may learn the identity , but it cannot determine , which is computed and assigned by CSP during registration, and cannot be computed without and , which are required for computing {B, , }. Thus, the adversary cannot impersonate a legitimate FN.

The adversary is also unable to impersonate CSP. To compute , , and , the values , , and are required to compute . The adversary cannot obtain unless it obtains all three factors at the same time, which is beyond its capability. Thus, the adversary cannot impersonate CSP.

4.2.4. Man-in-the-Middle Attacks

If the adversary captures Msg1 or Msg2 on the public channel and modifies it to launch a man-in-the-middle attack, the modified message cannot pass CSP's verification, because CSP first determines the identities of the user and FN. As described in Section 4.2.2, CSP computes and and compares them with the and stored in its database; if they differ, the session is terminated immediately. From Section 4.2.1, the adversary cannot obtain and , and from Section 4.2.3 it cannot obtain , , and either. Thus, the modified messages cannot pass CSP's verification of  =  and  = .

If the adversary captures Msg3 or Msg4 on the open channel and modifies it, the modified message will not pass the verification by FN or the user either: as shown in Section 4.2.2, a modified message cannot satisfy  =  or  = at FN or at the user.

4.2.5. Known Session Key Attacks

A scheme is vulnerable to known session key attacks if an adversary who has compromised an old session key can use it to derive sensitive parameters or keys of subsequent sessions. In our scheme, , , , , , , are refreshed in every session using the random numbers {a, b, c}, and the attacker does not know {, , }. Owing to the hardness of the elliptic curve discrete logarithm and Diffie–Hellman problems, the attacker can neither derive a new SK from an old one nor extract {a, b, c} from {A, B, C}; thus, the proposed scheme withstands known session key attacks.

4.2.6. Key Compromise Impersonation Attacks

If the CSP's long-term key is compromised, the adversary may try to use it to impersonate a legitimate user toward FN and CSP. However, every such attack session terminates immediately, as follows. In the worst case, the adversary also has access to the data  = , , on a stolen smart card SC. Even knowing , the adversary does not know the hidden values {, , } needed to compute  =  or directly. Thus, the adversary cannot generate Msg1 =  to masquerade as the user and start a new session.

The adversary may also intercept the messages sent by the user during authentication and key agreement and attempt to impersonate the initiator of the session. However, the session terminates immediately, because the attacker cannot calculate correctly without knowing the hidden value , even if it knows .

4.2.7. Parallel Session Attacks

While an entity is in a session, the adversary may try to replay old messages to start a parallel session; this is not possible. When an attacker replays {Msg1, Msg2} to CSP, the replayed messages can pass the identity lookups , . However, because the attacker does not know {a, b} and {, }, it cannot compute any of , , , and , , and the attacker's session is immediately aborted.

4.2.8. Stolen Smart Card Attacks

If an attacker steals the smart card and extracts  = , , he or she may try to impersonate the user toward FN and CSP. However, the attacker does not know the sensitive parameters {, , , s} needed to generate the initiator message , and thus cannot impersonate the user. Hence, the proposed scheme withstands stolen smart card attacks.

4.2.9. Password-Guessing Attacks

If an adversary collects {, B, , , , , , , , , , } from the open channel, it may attempt to guess the password from them. However, it will fail, because , , , , , , , , , and do not appear in these values, so remains secure.

If the smart card is compromised, the parameter {} stored in the SC can be extracted by power analysis, and the adversary can then mount an off-line dictionary attack on the related parameters , , to guess the user's password. However, because the values {, s} are known only to the CSP, the adversary cannot verify whether a guess is correct; therefore, all sensitive parameters remain safe.

4.2.10. Privileged-Insider Attacks

When the attacker obtains the registration information (, , ) and the key of CSP, its aim is to compute the session key , which is randomized using {a, b, c} and {, , }. From and , , , the attacker can compute , and it can obtain (A, B, C) from the public channel. However, (a, b, c) are random numbers independently selected by the user, FN, and CSP, respectively, and are not available to the attacker; therefore, and cannot be computed.

Similarly, when the attacker obtains the registration information (, ) and the key of CSP, its aim is to compute the session key ; the attacker can compute and can obtain (A, B, C) from the public channel. However, (a, b, c) are random numbers independently selected by the user, FN, and CSP, respectively, and are not available to the attacker; therefore, and cannot be computed.

The attacker also cannot compute : can be computed, but cannot be computed without the selected by CSP. Thus, the modified scheme withstands privileged-insider attacks.

4.2.11. Replay Attacks

The adversary may attempt to replay old messages {Msg1, Msg2, Msg3, Msg4}. However, every message is freshly generated and depends on the timestamps {, , } as well as the random numbers {a, b, c}. Upon receiving a message, the receiver first checks the freshness of its timestamp; if the timestamp is not fresh, the session is terminated immediately. A replay inside the freshness window is caught by the subsequent verifications, which the adversary cannot pass without the corresponding random numbers (Section 4.2.7).
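The freshness check just described, together with the replay argument of Section 4.2.7, can be implemented at each receiver with a clock window plus a short-lived cache of already accepted (public value, timestamp) pairs; the cache is what rejects a replay that is still inside the window, before the receiver spends any elliptic curve operations on it. The Python below is an added illustration, not code from the paper; the window size, the choice of (A, T1) as the message identifier, and the constructed arrival sequence are assumptions.

```python
"""Receiver-side freshness and replay handling for timestamped messages such
as Msg1..Msg4.  Added illustration, not code from the paper; window size,
message identifier and the sample arrival sequence are assumptions."""
import time
from collections import OrderedDict


class FreshnessGuard:
    """Accept a message only if its timestamp lies within `window` seconds of the
    receiver's clock AND the same (sender public value, timestamp) pair has not
    been accepted before inside that window.  The second check matters because a
    timestamp alone lets an attacker replay a captured message for as long as it
    is still 'fresh'."""

    def __init__(self, window: float = 5.0, clock=time.time):
        self.window = window
        self.clock = clock
        self._seen: "OrderedDict[tuple, float]" = OrderedDict()   # key -> arrival time

    def _evict(self, now: float) -> None:
        # Entries older than the window can be dropped: any replay of them is
        # rejected by the timestamp check alone, so the cache stays bounded.
        while self._seen:
            _key, seen_at = next(iter(self._seen.items()))
            if now - seen_at <= self.window:
                break
            self._seen.popitem(last=False)

    def accept(self, sender_value: bytes, ts: float) -> str:
        now = self.clock()
        self._evict(now)
        if ts > now + self.window:
            return "reject:future"            # clock skew beyond tolerance or forged ts
        if now - ts > self.window:
            return "reject:stale"             # older than the freshness window
        key = (sender_value, ts)
        if key in self._seen:
            return "reject:replay"            # identical fresh message seen before
        self._seen[key] = now
        return "accept"


def run_scenario() -> list:
    """Constructed sequence of Msg1 arrivals at FN, driven by a fake clock."""
    clock_now = [1_000_000.0]
    guard = FreshnessGuard(window=5.0, clock=lambda: clock_now[0])
    events = [
        (b"A1", 1_000_000.0),   # fresh, first time
        (b"A1", 1_000_000.0),   # same message replayed 2 s later
        (b"A2",   999_990.0),   # captured 12 s ago, too old
        (b"A3", 1_000_030.0),   # timestamp from the future
        (b"A1", 1_000_000.0),   # replayed again after the window has passed
    ]
    advance = [0.0, 2.0, 0.0, 0.0, 10.0]
    results = []
    for (value, ts), step in zip(events, advance):
        clock_now[0] += step
        results.append(guard.accept(value, ts))
    return results


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

The window has to cover the clock skew between the sensor, the fog node, and the CSP, so it is usually seconds rather than milliseconds; that is exactly why the duplicate cache is needed in addition to the timestamp. The last event shows the cache can be evicted safely: once a message falls outside the window it is rejected as stale regardless of whether it was seen before.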

4.2.12. Perfect Forward Secrecy

Perfect forward secrecy means that even if a long-term key is revealed to an attacker, the session keys SK previously established among the user, FN, and CSP cannot be computed and remain secure. Suppose the attacker attempts to calculate a session key , which is randomized using the numbers {a, b, c} and {, , }, with , , , . The attacker obtains (A, B, C) from the public channel; however, it also needs to compute one of the parameters , , , which it cannot obtain, so SK cannot be calculated. Therefore, the improved scheme provides perfect forward secrecy.

4.2.13. No Key Control

No single entity can control the key agreement process and determine SK on its own, where , , and , , , . The details are as follows:

(a, b, c) are random numbers independently selected by , , and CSP, respectively, and (A, B, C) are computed independently by each entity. If does not know the values of B and C, which are contributed by and CSP, cannot be computed. Similarly, and CSP cannot compute and without the values of (A, C) and (A, B).

4.2.14. Unknown Key-Share

From Section 4.2.2, all three entities are mutually authenticated. If the user establishes a session key with entity-1 but the request message intended for entity-1 is delivered to entity-2 by mistake, it cannot pass the validations , , , and , and the session terminates immediately. Therefore, the proposed scheme resists unknown key-share attacks.

4.3. Evaluation by ProVerif

In this section, we use the widely adopted ProVerif tool [49–53] to model and verify the scheme; ProVerif checks secrecy and authentication properties of the protocol in the symbolic (Dolev–Yao) attacker model.

The complete scheme shown in Figure 4 is implemented and validated in ProVerif. The model uses the two channels declared in Figure 5(a): ch is a public channel used to transmit the messages of the authentication phase between entities, and sch is a secure channel used for user and fog node registration. Variables and constants are also defined in Figure 5(a): and are the identities of the user and the fog node, respectively, and , , and are the keys negotiated among the three entities.

The user and fog node processes are described by start and end events, and authentication is expressed as a correspondence between the end event of one participant and the start event of the related participant. If an end event is never reached, the protocol run does not complete and the model is incorrect. Figures 5(b)–5(d) show the user, fog node, and CSP processes, respectively, which implement the steps described in Section 3 and are executed in parallel.

The queries needed to verify the security and correctness of the scheme are defined in Figure 5(a). The attacker queries model an adversary trying to obtain the session key and the secret random numbers, while the three event queries relate the start and end events of the three processes. If any query is false, the scheme is insecure or incorrect. The query results are shown in Figure 6.

The results in Figures 6(a) and 6(b) show that the session key negotiated between the entities and the secret random number chosen by each entity remain secret in the presence of the attacker, which supports the confidentiality and authenticity claims of our scheme. The results in Figure 6(c) show that each process starts and ends as expected, which supports the correctness of the scheme.

5. Performance Evaluation

In this section, the security features and defense against various attacks are compared between our scheme and the previous schemes [36, 41, 46] in Table 2. We can conclude that our scheme is more secure than the compared schemes. Note that “Yes” represents that the scheme can resist the indicated attack, whereas “No” represents that the scheme cannot, and “” represents that the attack method indicated is not in the scope of the scheme.

Subsequently, we evaluate the performance of the proposed scheme from the perspective of computational and communication costs. The improved scheme was implemented in JAVA with JDK version 1.3, and the simulation of the scheme was based on the JAVA paired cryptography library (JPBC) [54], version JPBC-2.0.0. A Windows 10 computer system was used as the experimental platform, which was configured with a quad-core 2.3 GHz Intel(R) Core i5-8300H processor and 16 GB memory. The software developed is the community version of IntelliJ IDEA 2020.2.1 and uses the widely accepted type A pairing, which is based on the curve structure in the field of a specific . We have listed the symbols () and time used in the performance comparison in Table 3. Table 4 presents the calculation costs for the different phases of the scheme.

As shown by the analysis in Table 4, the computing cost for our scheme is slightly higher than that of schemes [36, 46]; however, our scheme provides auxiliary security features, and the mandatory security objectives achieved by this scheme are greater than those achieved by other schemes [36, 41, 46]. Our solution provides security features that other solutions do not have, such as being able to resist replay attacks and impersonation attacks and providing user anonymity, mutual authentication, etc.

To calculate the communication and storage costs, we assume that the length of the random nonce, password, and identity is 160 bits, and the length of a point in the group is 1024 bits, denoted as |G1|. The output length of the hash functions , ,, , and in is 160 bits, denoted as |q|. The output length of and the key length are both 256 bits. The length of the timestamp is 32 bits, denoted as |T|. The communication and storage costs of our scheme and related schemes are listed in Tables 5 and 6.

As shown in Tables 5 and 6, the communication and the storage overhead of our scheme are slightly higher. The slightly higher cost of our scheme is mainly due to the increase in computing overhead while providing stronger security. However, because the primary purpose of a scheme is to ensure the security and privacy of data, it is acceptable to have a slightly higher communication cost but stronger security. After analyzing Tables 4 and 5, our scheme is concluded to be better than the other schemes [36, 41, 46], which can provide stronger security and withstand various known attacks.

6. Conclusion

The usage of fog-driven IoT healthcare systems has brought significant convenience to people. Authentication is also the most important security requirement of such healthcare systems. Recently, a growing number of scholars have taken a closer look at healthcare systems and developed stronger authentication protocols for their certification environments. In this study, we proposed a secure authentication and key agreement scheme for fog-driven IoT healthcare systems; the defects of the original scheme were analyzed and security improvements were proposed. An analysis of the performance evaluation and informal security in comparison to other related schemes is also presented in this study, which indicates that our scheme provides more security features. Our solution uses pairing technology, and its time cost is slightly higher than that of other solutions. Future studies can improve on this limitation, but our solution provides security features that other solutions do not have, which makes it more suitable for the practical application of IoT-based medical systems.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare no conflicts of interest.

Acknowledgments

The work was supported in part by National Key Research and Development Project, China, under Grant no. 2018YFC1201102 and the Natural Science Foundation of Fujian Province, China, under Grant nos. 2018J01636 and 2018J01638.