Abstract

The application of implantable medical devices (IMDs), which solves the problems of geographical distance limitation and real-time health monitoring that plague patients and doctors, has caused great repercussions in the medical community. Despite the great potential of wide application, it also brings some security and privacy issues, such as the leakage of health data and unauthorized access to IMDs. Although a number of authentication and key agreement (AKA) schemes have been developed, we find that some subtle attacks still remain to be addressed. Then we propose an improved AKA scheme which achieves strong security features including user anonymity and known key security. It is formally proved to be secure under the Real-or-Random model. Moreover, a comprehensive security analysis shows that our scheme can resist various attacks and satisfy the desired requirements. Finally, the performance analysis shows the superiority of our protocol which is suitable for the implantable medical system.

1. Introduction

With the improvement of wireless communication technologies, implantable medical devices (IMDs), such as pacemakers, cranial nerve stimulators, and cochlear implants, have been widely used in the medical services field [1, 2]. All these micro devices implanted in patients’ bodies can continuously monitor and collect data that reflect the patient’s health. Through a controller node (CN), implantable medical devices are able to transmit the data to the remote attending physician or the medical institution, which greatly simplifies the treatment process for patients and removes the limitation of region. Generally speaking, the combination of these advanced technologies improves health care practices, urgent care, and preventive health [3].

A typical architecture of implantable medical system is shown in Figure 1. CN and IMDs firstly register to the trusted authority (TA) before they are deployed into the system. Then, IMDs collect data such as body temperature, heart beats, and blood pressure, which can be derived by CN via wireless communication technologies, such as Bluetooth or ZigBee [4]. After the collection process, the CN needs to be plugged into the Internet via an access point to be accessible by the attending physician or the medical institution. In the meantime, cloud servers may be used for storing collected health data to ease the storage burden on mobile devices [5, 6].

However, it is precisely the use of wireless communication that exposes the transmission of medical data to potential security risks [7–9]. According to the Dolev-Yao threat model [10], the implantable medical system faces a wide range of malicious attacks which may cause the leakage of health data and unauthorized access to IMDs. In response to these serious security threats, it is imperative to design a mutual authentication and key agreement (AKA) mechanism which ensures the confidentiality of the transmitted sensor data and resists malicious attacks.

1.1. Related Work

With the wireless interface enabled, IMDs can be accessed by an authorized operator in physical proximity via the IMD programmer. However, the wireless communication and networking capabilities of IMDs turn out to be the major sources of security vulnerabilities [11, 12]. For this reason, access control for the implantable medical system is highly desired, and many schemes have been put forward in this field.

Initially, considering the scarce energy reserves and limited communication capacity of IMDs, some schemes based on symmetric key cryptography [15–19] were proposed. They achieved high encryption speed and efficiency, but they showed weaknesses in resisting certain attacks, and the complexity of key management introduces large memory and communication overhead, which contradicts their original intention. This means that schemes based on symmetric key cryptography have difficulty providing a complete security guarantee for the implantable medical system.

Then, traditional public key cryptography (TPKC) based authentication schemes [20, 21] were implemented in IMDs. Unfortunately, the limited computing capability and battery capacity of the mobile device hinder the application of TPKC in the implantable medical system. The concept of ECC (elliptic curve cryptosystem) was then put forward [22]; it provides the same security with a much smaller key size compared with TPKC [23], so many ECC-based protocols were proposed subsequently [13, 24]. In 2013, Liu et al. [25] put forward a scheme in which they used the bilinear pairing defined on the elliptic curve to design a new certificateless signature scheme, but later in 2014, Xiong [26] analyzed Liu et al.’s authentication protocol and concluded that their scheme was prone to a kind of attack by a key replacement adversary [27]. In 2016, He et al. [28] also claimed that Liu et al.’s scheme cannot resist the impersonation attack; meanwhile they put forward their own improved protocol. In 2018, Li et al. [29] analyzed the loopholes in each layer of the current implantable medical system and put forward a complete three-layer scheme.

As we know, each authentication factor has its own advantages and disadvantages. Passwords are prone to dictionary attacks, while smart cards may be lost. A number of two-factor protocols [30–38] have been put forward. In these schemes, two kinds of factors, i.e., passwords and smart cards, are combined to achieve user authentication. In 2015, He et al. came up with a scheme [35] where the smart card is used to store some private parameters for healthcare applications using wireless medical sensor networks. Wei et al. proposed an anonymous authentication scheme [33] for wireless body area networks in 2017 and gave a formal security analysis of the protocol.

To further enhance the security strength of two-factor protocols, three-factor authentication (3FA) schemes which consolidate all three factors (i.e., passwords, smart cards, and biometrics) have attracted more and more attention [14, 39–44]. In 2017, Wei applied the fuzzy extractor to his newly proposed protocol [39] to handle the biometrics. Meanwhile Jiang et al. presented a scheme [41] where biohashing is used to protect the biometrics. In 2016, Wu et al. proposed a 3FA scheme [43] aiming at summarizing the flaws that existed in previous typical protocols and came up with a more complete solution. In 2017, Li et al. [40] remedied flaws in Jiang et al.’s scheme [32], in which fuzzy commitment is used to protect biometrics. In 2017, Wazid et al. provided a 3FA scheme [14] for IMDs and claimed that their protocol could meet the known security requirements, but we reveal that the protocol cannot achieve complete security.

1.2. Motivations and Contributions

With the popularity of the IMD, its safety and privacy protection have attracted great attention, and a large number of protocols in this field have emerged, but few of them can achieve the desired security guarantee. In such a situation, it is imperative to sum up the defects in previous protocols and propose new schemes to make the implantable medical system more secure and reliable. Among these protocols, we pick Wazid et al.’s scheme [14] as a typical case study and analyze some of its defects. Then we propose a trusted authority assisted 3FA protocol which effectively solves the security vulnerabilities in the original protocol. Our contributions are summarized as follows:
(i) First, we find three drawbacks in the most recent 3FA protocol of Wazid et al. Specifically, the scheme cannot withstand the offline password guessing attack or the CN impersonation attack, and the authentication phase of the protocol is problematic.
(ii) Second, we propose a trusted authority assisted 3FA protocol. Specifically, we introduce the fuzzy verifier [45] to effectively prevent the offline password guessing attack during the local login verification phase and adopt the widely used fuzzy vault [46] to protect the biometric template.
(iii) Third, we analyze the security of our protocol both formally and informally. Our protocol not only properly solves the shortcomings of the original scheme, but also achieves perfect forward security, user anonymity, known key security, and so forth. At the same time, our protocol can resist a variety of known attacks.

1.3. Organization of the Paper

The rest of the paper is organized as follows. In Section 2, we briefly review some preliminaries used in this paper, including ECC and the fuzzy vault. Section 3 describes the details of Wazid et al.’s scheme. Then in Section 4, we present the vulnerabilities in their scheme. In Section 5, we propose an improved scheme. In Section 6, we give an elaborate analysis from both formal and informal points of view. The comparisons of efficiency and features are listed in Section 7. In the end, this paper is concluded in Section 8.

2. Preliminaries

2.1. Fuzzy Vault

The fuzzy vault is a construction used to protect biometric templates with various built-in algorithms. Its security relies on the secret key and . It works in key binding mode, where the biometric and the key are monolithically bound within a binding mechanism. Compared with the fuzzy extractor [47], the Euclidean distance measurement used in the fuzzy vault has been widely accepted in most biostatistical applications [48]. Therefore, in view of its practical value, we adopt the fuzzy vault to protect biometric features in our improved scheme.

Specifically, the user selects a polynomial which is used to encode secret key and be evaluated on all elements in . Then the biometric which is imprinted by user can be converted into a set of points which lie on the according to . Then, taking and which is a large set of “chaff points” as inputs of , we can get the final vault which equals , that is, . Generally, we put the final vault in the mobile device.

When the user wants to recover the secret key , she/he first scans the biometric on the terminal, then takes the vault and as the inputs of the algorithm, which outputs the if and only if , where is the fuzziness parameter. Finally, the secret key can be recovered from the input by the algorithm Rec.
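The Gen/Rep flow described above, as an added toy implementation over a small prime field (not code from the paper; the field size, the polynomial-coefficient encoding of the secret and the hash-based check value are assumptions). Locking evaluates the secret polynomial on the genuine feature set and hides the points among chaff; unlocking keeps the vault points whose abscissa appears in the fresh reading and interpolates, so the key is recovered exactly when at least degree+1 genuine features overlap, which is the fuzziness threshold of the text.

```python
"""Toy fuzzy vault over GF(P): lock = Gen, unlock = Rep. Added illustration."""
import hashlib
import random
from itertools import combinations

P = 7919  # small prime field for the toy; real vaults use a larger field such as GF(2**16)


def poly_eval(coeffs, x):
    """Horner evaluation of f(x) = sum(coeffs[i] * x**i) mod P (low degree first)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def lagrange_coeffs(points):
    """Coefficients (low degree first) of the unique polynomial of degree
    < len(points) passing through the given (x, y) pairs over GF(P)."""
    n = len(points)
    result = [0] * n
    for i, (xi, yi) in enumerate(points):
        num = [1]   # running product prod_{j != i} (x - xj)
        denom = 1
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            new = [0] * (len(num) + 1)
            for k, c in enumerate(num):
                new[k] = (new[k] - c * xj) % P
                new[k + 1] = (new[k + 1] + c) % P
            num = new
            denom = denom * (xi - xj) % P
        scale = yi * pow(denom, P - 2, P) % P   # yi / denom via Fermat inverse
        for k, c in enumerate(num):
            result[k] = (result[k] + c * scale) % P
    return result


def key_digest(coeffs):
    """Check value stored beside the vault (assumed here; some designs use a CRC)."""
    return hashlib.sha256(",".join(map(str, coeffs)).encode()).hexdigest()


def lock(secret_coeffs, features, n_chaff, rng):
    """Gen: bind the secret polynomial to the feature set; returns (vault, check, degree)."""
    degree = len(secret_coeffs) - 1
    vault = [(x, poly_eval(secret_coeffs, x)) for x in features]   # genuine points
    used_x = set(features)
    while len(vault) < len(features) + n_chaff:
        x, y = rng.randrange(1, P), rng.randrange(P)
        if x in used_x or y == poly_eval(secret_coeffs, x):
            continue  # chaff needs a fresh x and must lie off the polynomial
        used_x.add(x)
        vault.append((x, y))
    rng.shuffle(vault)  # genuine and chaff points are indistinguishable by position
    return vault, key_digest(secret_coeffs), degree


def unlock(vault, check, degree, query_features):
    """Rep: recover the secret coefficients from a noisy reading, or None."""
    wanted = set(query_features)
    candidates = [pt for pt in vault if pt[0] in wanted]
    if len(candidates) < degree + 1:
        return None
    for subset in combinations(candidates, degree + 1):
        coeffs = lagrange_coeffs(list(subset))
        if key_digest(coeffs) == check:   # only the all-genuine subset reproduces f
            return coeffs
    return None


def demo():
    """Enroll 8 constructed features; unlock with 5 matching + 2 spurious features,
    then with only 2 matching features (below the degree+1 = 4 threshold)."""
    rng = random.Random(1)
    features = [12, 47, 101, 256, 333, 410, 512, 777]   # constructed feature set
    secret = [1234, 56, 78, 9]                          # degree-3 polynomial
    vault, check, degree = lock(secret, features, n_chaff=40, rng=rng)
    recovered = unlock(vault, check, degree, [12, 47, 256, 410, 777, 6000, 3])
    too_few = unlock(vault, check, degree, [12, 47, 5, 6])
    return recovered == secret, too_few is None
```

Subset search is exponential in the vault size, which is why practical vaults use Reed-Solomon decoding; the toy keeps the sets small so the search stays trivial.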

2.2. Elliptic Curve Cryptosystem (ECC)

Compared with the traditional RSA algorithm, ECC achieves the same security strength with much smaller key size, so ECC is more efficient than RSA. Elliptic curve equation is defined in such a form: nonsingular elliptic curve over a prime finite field , where is a large prime and satisfies .

Besides, there are two hard problems in ECC, namely, the Elliptic Curve Discrete Logarithm Problem (ECDLP) and the Elliptic Curve Computational Diffie-Hellman Problem (ECCDHP). Specifically, the first one states that it is computationally infeasible to find an integer that satisfies the formula with two given points and over . The other one states that it is hard to calculate the value from the given points , and , . These two hard problems guarantee the security of elliptic curve primitives: an adversary still has a great deal of difficulty in obtaining the secret after obtaining the public values.

3. Review of Wazid et al.’s Scheme

In this section, we review the details of Wazid et al.’s scheme, which consists of eight phases, i.e., predeployment, postdeployment, registration, login, authentication and key agreement, password and biometric update, dynamic controller node addition, and dynamic IMD addition. The purpose of the scheme is mutual authentication and session key establishment between the mobile device and IMDs. The notations used in this paper are listed in Table 1.

3.1. Predeployment Phase

Before deployment, a trusted authority needs to complete the registration for each as well as . first selects a secret 1024-bit number for and . Then picks the identity for and calculates , , . Meanwhile, constructs the univariate polynomial according to the polynomial-based key distribution proposed in [49] where the prime is chosen as a large number and n is also large to preserve unconditional security and n-collusion resistant property against capture attack. Finally, stores in the memory of . Similar to the above calculations, generates a unique identity and calculates , and then stores the information in the memory of .

3.2. Postdeployment Phase

After the predeployment phase, and establish a shared key using the information distributed during the predeployment phase. The details of the process are as follows. Firstly, sends the message to . Once receives the message, it responds with the message . Then they each calculate the same shared secret key and on their own for future use.

3.3. Registration Phase

This phase has 4 steps.

Step 1. The user selects his/her identity at will and forwards it with a registration request to over a secure channel.

Step 2. After accepting the request, computes the pseudo identity of as . Then continues to compute the value as . sends the message to .

Step 3. After receiving registration reply from , further selects a private key and computes the corresponding public key .

Step 4. inputs his/her password and imprints fingerprint in mobile device , then calculates , , , , , , , and . At last, keeps the data in its memory.

3.4. Login Phase

As depicted in Figure 2, to log in to , executes the following steps.

Step 1. inputs his/her , and , then retrieves the biometric key . Then computes , , , , , , and . If equals the stored , it means that ’s inputs are verified as correct; otherwise, the login phase will be terminated immediately.

Step 2. picks the current timestamp and a 160-bit random nonce . Then computes , , and as well as the signature . At last, forwards the message to via a public channel.

3.5. Authentication and Key Agreement Phase

In this phase, and need to authenticate each other as well as establish a session key between them for future safe communications; see Figure 2.

Step 1. After obtaining the message , first checks ; if the two values are equal, it calculates and then checks . Similarly, if the verification matches, is considered legitimate. Then chooses and a random number and continues to compute , , , the session key , and . Finally, sends the message to through the public channel.

Step 2. After receiving the message from , first checks , then computes , , and . If , it indicates that passes the verification. With that, calculates and forwards the message to .

Step 3. checks , then computes , and judges whether .

Finally, both and complete the mutual authentication and agree on the same session key , which will be used for secure communications in the future.

3.6. Password and Biometric Update Phase

If wants to change the password, he/she can execute the following procedure.

Step 1. Firstly, inputs , , and . computes , , , , , and and checks if equals . If it holds, asks for the new password .

Step 2. After inputs the and calculates , , , , , , and . Finally, replaces , , , , , and with , , , , , and , respectively.

3.7. Dynamic Controller Node Addition Phase

In this phase, a new controller node can be deployed as follows.

First, determines a new identity for and calculates and new polynomial as well as in which the is the newly generated registration timestamp. Finally, stores the parameters into the memory of before it is deployed into the system.

3.8. Dynamic IMD Addition Phase

In this phase, we can deploy a new (). Specifically, computes and and then stores in the memory of .

4. Weakness of the Wazid et al.’s Scheme

The widely accepted Dolev-Yao threat model (DY model) [10] assumes that the adversary can fully control the public channel between communicators. That is, is capable of eavesdropping, stealing, inserting, deleting, and modifying the messages in the open channel. Most recently, Wang et al. [45] provided a complete summary of the adversary’s capabilities and presented twelve evaluation criteria for a secure protocol, i.e., no password verifier-table, no smart card loss attack, mutual authentication, and so forth. According to the above evaluation criteria, we analyze Wazid et al.’s scheme and find that the protocol has the following three flaws: the offline password guessing attack, the controller node impersonation attack, and an incorrect authentication process. As a result, it cannot achieve mutual authentication; that is, the scheme fails to meet the security claimed by the authors.

4.1. Offline Password Guessing Attack

To achieve user friendliness, in the registration phase users are allowed to choose their own identities and passwords at will. The majority of users will choose easy-to-recall and , and the combination of these low-entropy and is likely to be vulnerable to offline guessing attacks. A probabilistic polynomial time (PPT) adversary can offline enumerate all pairs in the Cartesian product , where and represent the space and the space, respectively. In a 3FA protocol, we should ensure that even if the and the biometric have been corrupted, the whole scheme can still resist this type of attack and protect the user’s secrets. Based on all the above assumptions, the adversary can launch an offline password guessing attack through the following steps.

Step 1. We assume that the adversary has acquired and biometric of the user and then obtains the secret parameters stored in the .

Step 2. The adversary picks a pair and calculates , , , , , , , and .

Step 3. Finally, checks whether , and if it holds, we can say that the selected by the adversary is a legal one. Otherwise, can choose another pair to continue implementing above steps until success.

4.2. The Controller Node Impersonation Attack

In registration phase, picks a secret number and calculates ’s pseudo identifier which is a fixed value. What is more, in predeployment phase, both and have obtained ; for a malicious , he/she can disguise himself/herself as to communicate with another as shown in Figure 3.

Step 1. The malicious intercepts the first authentication message sent by , which ought to have been received by .

Step 2. Then can impersonate to communicate with : selects the timestamp , the random value , and , then computes , , the session key , and . Finally, forwards the constructed false message to .

Step 3. After receiving the message from , will check and then calculate , session key and , and obviously equals which means that passes the verification of . Then computes and sends the message to .

Step 4. Once receives the message, checks and computes , then he/she will successfully verify that equals the received message .

At this point, and have completed mutual authentication and negotiated the same session key for use in future sessions. In real life, this situation manifests as the adversary (, e.g., a doctor) successfully disguising as another patient and sending false health information to his/her attending doctor, which can easily cause a medical accident and is extremely harmful to the patient.

4.3. Incorrect Authentication Process

In the authentication phase, computes and and then sends the message to . Normally, after receiving the message, she/he computes and then judges the legality of by checking . But it is not hard to notice that the message does not contain the public key . Without knowledge of , cannot complete the verification of the signature, so fails to authenticate .

5. The Proposed Scheme

To correct these shortcomings in Section 4, we remedy the protocol of Wazid et al. from the following aspects. (1) In the predeployment phase, chooses a random value as the private key and computes the corresponding public key . (2) We add the fuzzy verifier to prevent the offline password guessing attack in login phase. (3) We adopt the more widely used fuzzy vault to protect biometric templates instead of fuzzy extractor.

There are also eight phases in our proposed scheme: predeployment, postdeployment, registration, login, authentication and key agreement, password and biometric update, dynamic controller node addition, and dynamic IMD addition.

5.1. Predeployment Phase

first selects a secret 1024-bit number and chooses the finite cyclic additive group generated by a point with a large prime order over a finite field on an elliptic curve. Then selects the private key , known only to itself, whose corresponding public key is made public.

computes the value and stores in the memory of as well as and then adds the univariate polynomial to the memory of .

The computing processes in predeployment phase of the is the same as that of Wazid et al.’s scheme, so the details are omitted.

5.2. Postdeployment Phase

The specific process of this phase is as follows.

Firstly, sends the message to ; once receives the message, it responds with the message . At the same time, they each calculate the same shared secret key and on their own for future use.

5.3. User Registration Phase

In this phase, registers with by executing the following procedure, as shown in Figure 4.

Step 1. inputs the selected and password and imprints the biometric into the . chooses the private key and computes the corresponding public key , keeping both secret. Finally, submits the and to via the secure channel.

Step 2. After receiving the registration request from , calculates and stores specific of in the memory. Then forwards the value to .

Step 3. Upon receiving the message, chooses a random number and calculates the fuzzy vault parameters and as well as and . Then, computes the verification value , where is a medium integer which bounds the size of the candidate pool of pairs that survive the local check, in contrast to the offline password guessing attack on Wazid et al.’s scheme. After the calculation of , stores the parameters .
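The pool-size argument behind the fuzzy verifier in Step 3, contrasted with the exact stored verifier exploited in Section 4.1, as an added illustration that is not the paper's code. The hash layout, the device-side secret `sigma`, the constructed candidate list and the choice n0 = 2**4 are assumptions; the point is that with a full-width hash the stored value singles out one candidate pair, while with the value reduced mod n0 roughly |pool|/n0 pairs pass the local check, so the device alone cannot confirm a guess and the survivors have to be tried online against the trusted authority, which can throttle them.

```python
"""Exact local verifier versus fuzzy verifier (added illustration)."""
import hashlib


def h(*parts):
    """Full-width hash of the concatenated parts, as an integer."""
    return int.from_bytes(hashlib.sha256("|".join(parts).encode()).digest(), "big")


def exact_verifier(identity, password, sigma):
    """Weak design: the stored value uniquely identifies the (ID, PW) pair."""
    return h(identity, password, sigma)


def fuzzy_verifier(identity, password, sigma, n0):
    """Fuzzy verifier: keep only log2(n0) bits, so many pairs share one value."""
    return h(identity, password, sigma) % n0


def local_login_ok(stored, identity, password, sigma, n0=None):
    """The device-side login check; n0=None selects the exact variant."""
    if n0 is None:
        return exact_verifier(identity, password, sigma) == stored
    return fuzzy_verifier(identity, password, sigma, n0) == stored


def surviving_candidates(stored, candidates, sigma, n0=None):
    """Candidate pairs the local check alone cannot rule out (the defender's metric)."""
    return [(i, p) for i, p in candidates if local_login_ok(stored, i, p, sigma, n0)]


# Constructed candidate pool: one identity with 4096 low-entropy passwords.
CANDIDATES = [("alice", f"pw{i:04d}") for i in range(4096)]
SIGMA = "constructed-device-secret"   # stands in for the secret the device mixes into the hash
TRUE_ID, TRUE_PW = "alice", "pw1234"  # constructed enrolled credentials
N0 = 2 ** 4                            # the "medium integer" of the text (assumed value)


def compare_pool_sizes():
    """Return (survivors under the exact verifier, survivors under the fuzzy verifier).

    Expected: exactly 1 survivor for the exact verifier, roughly 4096 / 16 = 256
    for the fuzzy verifier; the true pair is always among the fuzzy survivors."""
    exact_stored = exact_verifier(TRUE_ID, TRUE_PW, SIGMA)
    fuzzy_stored = fuzzy_verifier(TRUE_ID, TRUE_PW, SIGMA, N0)
    exact_left = surviving_candidates(exact_stored, CANDIDATES, SIGMA)
    fuzzy_left = surviving_candidates(fuzzy_stored, CANDIDATES, SIGMA, N0)
    return len(exact_left), len(fuzzy_left)
```

Because the fuzzy verifier leaves hundreds of candidates, confirming any one of them requires an online attempt, which the trusted authority can count and rate-limit; the exact verifier leaves nothing for the online side to catch.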

5.4. Login Phase

As shown in Figure 5, in this phase inputs , , and the biometric on the . Then regains the fuzzy vault parameter by computing the value and Rec. With , continues to calculate and and checks . If the two values are not equal, refuses the login request; otherwise, believes that , , and are legitimate and continues to compute . Then, generates the current timestamp and random numbers and . With these numbers, continues to calculate , , , , , and . Finally, sends the message to via a public channel.

5.5. Authentication and Key Agreement Phase

By executing the following procedure, mutual authentication is established among , , and , and a secure session key is negotiated between and .

Step 1. After receiving the login request , first checks whether holds, where is the current timestamp and is the maximum transmission delay. If it does not hold, terminates the session; otherwise, computes the value and retrieves (i.e., the public key of ) corresponding to . Then computes and and checks the validity of the signature by testing whether the equation holds. Equality means that has certified ’s legitimacy; otherwise, terminates the session. Then, continues to calculate , , , and . Finally, sends the message to via the public channel.

Step 2. After receiving the message from , first checks the validity of the condition , where is the current timestamp. If it does not hold, the session is terminated here; otherwise, regains the values of and by computing as well as . Then, checks whether equals the result of computing . If it does not hold, terminates the session; otherwise, has verified ’s legality. Then selects a random number and goes on to compute , , the session key , and . Finally, the message is sent to for authentication.

Step 3. When receiving the message from , first checks the validity of the condition ; if it holds, continues to calculate the session key and checks whether the value equals . This final verification shows that the mutual authentication among , , and is accomplished and the session key is established for future sessions.

5.6. Password and Biometric Update Phase

In this phase, we allow to update the password at will by the following process, which is executed locally without involving for security reasons.

Step 1. First, inputs her/his , , and on the terminal. Then calculates the fuzzy vault parameters and and regains the private key and . checks whether equals or not. If it does not hold, rejects the request; otherwise, asks for the new .

Step 2. When inputs the new password , computes , , , and .

Step 3. After the computation, updates the values of , , and in the list. The above process covers the case in which the user only wants to update the password and keeps the original biometric, where . The password and biometric update phase is summarized in Figure 6.

5.7. Dynamic Controller Node Addition Phase

In this phase, a new controller node can be deployed as follows.

Step 1. first picks a new identity for , called , then repeats the calculation of in the predeployment phase where is newly generated registration timestamp. Next, calculates the univariate polynomial .

Step 2. Finally, stores the parameters into its memory and stores the credentials into the memory of prior to its deployment.

5.8. Dynamic IMD Addition Phase

Depending on the real situation, the patient needs to check the state of the implantable device in time to ensure that accurate health data is conveyed, so we often need to replace an old IMD or add a new IMD. In the case that we use a new to replace the existing one, please refer to Wazid et al.’s scheme for the details.

6. Security Analysis

We analyze the security of our proposed scheme in this section; the analysis shows that our scheme solves the shortcomings of Wazid et al.’s scheme and resists all kinds of known attacks. Security features such as user anonymity and forward secrecy are guaranteed in our protocol.

6.1. Security Model

Our scheme involves three interacting entities, such as with , with , and which keeps his/her private key . Each participant can activate multiple protocol instances and run multiple session instances in parallel. The is defined as the th instance of , and the same rules apply to and . All of these instances can be seen as oracles which have the three states below.
(i) Accept state: when the oracle has received the last valid message of the protocol, we say the oracle accepts the message.
(ii) Reject state: when the oracle has received any incorrect message, the oracle rejects the received message.
(iii) state: when the oracle outputs no answer to the queries, we say that the oracle is in an unresponsive state, which is defined as the state.

We give the security model of our scheme, which combines the security models of [33, 45].

Definition 1 (partnering). If the instances of and satisfy the following three conditions meanwhile, we determine that they are partnered to each other. (1) One of the instances is the target object of session for the other instances in the protocol, that is, the partner identification of is and vice versa. (2) Both instances accept the messages mutually and negotiate the same secure session key. (3) Both instances share the same session identifier.

Definition 2 (freshness). An instance called fresh must meet the following conditions. (1) Before the instance accepts the protocol run and generates the session key, neither the participants nor the partners of the instance are completely corrupted. (2) Neither nor his/her partner instances are queried of by the adversary or disclose the session key.

Definition 3 (correctness). When and are partnered as well as accepted, they will agree on the same session key.

Definition 4 (adversary capabilities). Interaction between the adversary and the participants in the protocol is implemented via oracle queries to simulate the abilities of attackers in reality. All oracle queries are listed as follows.
(i): this oracle simulates the passive attacks (such as eavesdropping and tracking) where the adversary can get all response messages exchanged during the honest execution of the authentication process.
(ii): this oracle models the active attacks where the adversary can forward a modified message to . Then he/she gets the response generated by , who executes the honest protocol procedure after receiving . Additionally, the query initiates the protocol.
(iii): this query does not model an actual attack capability of the adversary but rather measures the semantic security of the session key . For a participant instance , if the instance has not generated the session key, an undefined symbol is returned. Otherwise, a uniform coin is tossed; if the result is 1, the true session key of the instance is returned; otherwise, a random number of the same length as the session key is returned. The adversary needs to guess the result of the toss, i.e., whether he/she received the real session key or a random number. Note that the oracle query can only be used on a fresh instance and at most once.
(iv): this oracle simulates revealing the session key to the adversary if really holds and has not been queried by a before. Otherwise the is returned.
(v): this oracle query is used to model the corruption ability of the adversary; we assume can get any one factor of but not all of them.
If , it responds with the password of .
If , it responds with all the security parameters stored in the of .
If , it responds with the biometric of .
If , it responds with the private key of .
(vi): the adversary can get the long-term secret values of , such as of or the private key of .

Definition 5 (random oracle). We determine the cryptographic one-way hash function which can be accessed by all participants including as a random oracle.

A 3FA protocol should guarantee semantic security, which is defined through the Test-query. In a run of the protocol , can ask the Test-query only once, while the other queries, i.e., Execute-query, Reveal-query, and Send-query, can be asked multiple times in polynomial time. Besides, can only make the Test-query on a fresh instance. The adversary’s goal is to guess the result of the coin toss in the Test-query; we treat the event in which the adversary correctly guesses the result as a successful attack, denoted . Only after the participants have completed strict mutual authentication can a common session key be negotiated. The advantage of an adversary breaking the session key security of protocol is defined as , where denotes the password space whose distribution follows Zipf’s law [50].

Theorem 6 (semantic security). Given a 3FA protocol , if the advantage of an arbitrary PPT adversary breaking the session key security of the protocol is at most a negligible amount larger than , then we believe that the satisfies the semantic security, where the denotes the number of active attacks by the PPT adversary and represents a negligible function for the security parameter .

As shown above, and represent the Zipf parameters put forward by Wang et al. [50].

6.2. Security Proof

Assuming that DDH holds in a cyclic group, the public key encryption algorithm used in the protocol is CCA secure, and the signature algorithm is unforgeable for adaptively chosen messages. Here we prove Theorem 6 by simulating several mixing games. The mixing games start with a real attack game, and then we gradually modify the simulation rules in each game until the adversary’s attack advantage to distinguish the correct session key from a random key of the same length becomes zero and then the game ends. For two adjacent mixing games, we will calculate the upper bound of the attacker’s advantage gap and finally calculate the upper bound of adversary’s attack on this 3FA protocol. We use to indicate the difference between mixing games and and use to denote the advantage of in hybrid games .(i): this experiment is the start game which simulates the real attack mode of the adversary we demonstrate in Section 6. So, we can get(ii): in this game, we simulate all random oracles in the protocol by maintaining a hash query list . Besides, we also simulate a private hash oracle by holding another list which records the Hash-query directly implemented by the adversary. Obviously, the game is indistinguishable from a real one, so we have(iii): we exclude some impossible collisions in the , i.e., the collisions of messages in sessions and the collisions in the outputs of Hash-query. According to the birthday paradox, we have(iv): we will revise the session simulation rules for the passive attacks that the adversary asks through the Execute-query. We suppose that constructs the using another pair chosen from Cartesian product instead of the real one. That is, parameters , , and are calculated and so that the signature can be calculated as . Upon receiving the message , continues to simulate session with the false identity. If is lucky enough to guess the real , the game is terminated. 
The real and the pseudo can be seen as two challenge messages for the encryption algorithm, so the difference between the games and is at most the advantage of breaking the encryption algorithm’s CPA security of the signature. And the CPA security of the signature can be reduced to the DDH hypothesis. So, we can conclude

(v): in this game, we continue to revise the simulation session rules in passive attacks. We use the private hashing function to compute the session key without the Diffie-Hellman parameters and , that is, . Since we have excluded the collisions in the previous game, only computes the valid Diffie-Hellman parameters and sends the query to , and can distinguish the difference between and the previous one. But the capability of is limited by the hardness of DDH, where given , , and , , , cannot tell from . Based on the intractability of the DDH problem, we have

(vi): in this game, we start to revise the simulation session rules for active attacks. We take as the example: if is not corrupted and correctly constructs the signature, then we say that wins the game and terminate the simulation. Based on the unforgeability of the signature, we have

(vii): we continue to revise the simulation session rules in active sessions. We acknowledge that wins the game when has successfully fabricated the message and sent it to . We use the private hash function to simulate the active sessions. The authenticator is calculated as , where is randomly selected from a cyclic group. When corresponds to a fake , the distribution of is indistinguishable from the uniform distribution on a cyclic group. Then we have

(viii): we change the simulation rules in active sessions for the last time in this game. If correctly forges the message , then we say wins the game and terminate the game. The authenticator contains the random number , which is unknown to . We have eliminated this situation in the previous game. So, we have

The only way to succeed in this game is to obtain the parameters in and guess ’s real password. Since is unable to get any information about from the simulation, according to Zipf’s law we get

Therefore, Theorem 6 is proved.

6.3. Other Discussions

In this aspect, we demonstrate that our protocol can resist various known attacks as well as achieve security characteristics such as user anonymity, forward security, and key security.

6.3.1. Privileged Insider Attack

In the registration phase of our protocol, sends the message consisting of the identity and the corresponding public key without any knowledge of the password , so that has no way to derive . Obviously, our scheme can withstand the privileged insider attack.

6.3.2. Stolen-Verifier Attack

In this attack mode, an attacker can steal the verification parameters stored by to cheat , whereas we only put and in the verification table, which contains no knowledge about the password . Therefore, our scheme is immune to the stolen-verifier attack.

6.3.3. Offline Password Guessing Attack with Stolen Mobile Device

For this situation, we usually suppose that has gained the security parameters stored in and the biometric simultaneously; can also eavesdrop on authentication messages transmitted via the public channel.

picks a candidate pair in the Cartesian product and computes , , , and as well as the verification value . In general, can determine the validity of the chosen pair by checking whether equals the stored value . If it holds, has guessed the correct of successfully; otherwise, he/she can pick another pair and continue the attack. However, we introduce the fuzzy verifier, which leaves an adequate number of candidates for to distinguish between and thus makes it impossible for a PPT adversary to successfully guess the password.

Hence, the offline password guessing attack cannot damage ’s security.
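The following added example (not the paper's own code) illustrates why the fuzzy verifier defeats the offline guess described above. The construction is an assumption in the style of the fuzzy-verifier technique: the device stores H(ID || PW || sigma) mod n0, where sigma stands for the biometric-derived secret the adversary is assumed to hold and n0 bounds the verifier; the dictionary and parameter values are constructed.

```python
import hashlib

# Hypothetical fuzzy-verifier construction (assumption, not the paper's exact formula):
#   stored value  A = H(ID || PW || sigma) mod n0
# A small n0 means many (ID, PW) candidates map to the same A, so a stolen
# device does not let an offline attacker single out the real password.


def H(*parts: str) -> int:
    """SHA-256 over the concatenated parts, returned as an integer."""
    data = "||".join(parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def fuzzy_verifier(identity: str, password: str, sigma: str, n0: int) -> int:
    """Verifier value kept on the mobile device (the paper's stored check value)."""
    return H(identity, password, sigma) % n0


def local_check(identity: str, password: str, sigma: str, n0: int, stored: int) -> bool:
    """The legitimate local check performed before a login request is sent."""
    return fuzzy_verifier(identity, password, sigma, n0) == stored


def surviving_candidates(identity: str, sigma: str, stored: int,
                         dictionary: list[str], n0: int) -> list[str]:
    """Defender-side estimate of how many dictionary passwords the stolen
    verifier cannot rule out. With an exact verifier (huge n0) this is
    essentially 1; with a fuzzy verifier it is about len(dictionary) / n0."""
    return [pw for pw in dictionary
            if fuzzy_verifier(identity, pw, sigma, n0) == stored]


# Constructed sample data: a 20,000-entry password dictionary, a known
# identity, and a biometric secret assumed stolen along with the device.
DICTIONARY = [f"pw{i:05d}" for i in range(20000)]
IDENTITY = "patient-0042"
SIGMA = "constructed-biometric-secret"
REAL_PASSWORD = "pw07311"

FUZZY_N0 = 2 ** 6          # fuzzy verifier: roughly 20000 / 64 candidates survive
EXACT_N0 = 2 ** 128        # "exact" verifier for comparison: one candidate survives

if __name__ == "__main__":
    for n0 in (FUZZY_N0, EXACT_N0):
        stored = fuzzy_verifier(IDENTITY, REAL_PASSWORD, SIGMA, n0)
        left = surviving_candidates(IDENTITY, SIGMA, stored, DICTIONARY, n0)
        print(f"n0=2^{n0.bit_length() - 1}: {len(left)} candidates survive")
```

The run shows that with the fuzzy parameter the offline search still leaves hundreds of indistinguishable candidates, which must then be tried online where the server can detect and throttle them.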

6.3.4. Undetectable Online Password Guessing Attack

In the proposed scheme, once tries to initiate the protocol, he/she needs to make sure that the chosen password is valid in order to construct the verification signature that will pass the authentication of . Otherwise, the wrong will easily be observed by . So, our scheme can withstand the undetectable online password guessing attack.

6.3.5. Modification Attack

In our protocol, even if intercepts the messages transmitted in the channel, it is still impossible for to construct , , and , which are protected by the secret value, private key, or hash functions, to pass the message verification. For example, in , is unable to calculate the value , since consists of secret values only known to or , such as , private key , and , so that ’s login request will be rejected by . Similarly, cannot construct the valid verification parameters without knowledge of or , due to the hardness of the ECCDH problem introduced in Section 2.2. Thus, all modified messages will be detected and rejected by the receiver at once.

In conclusion, the modification attack is impossible in our scheme.

6.3.6. User Impersonation Attack

We suppose that plans to impersonate a legitimate user to interact with . The key step is to construct a valid value to pass the verification of . However, is unable to calculate without . To get , he/she needs to know most of the long-term values. Therefore, our proposed scheme is immune to the user impersonation attack.

6.3.7. Control Node Impersonation Attack

We have shown that a malicious may successfully impersonate to cheat another in Wazid et al.’s scheme. On the one hand, both and hold the same parameter , which composes the correct verification values and . On the other hand, in Wazid et al.’s scheme, the essential parameter is not verified when it is sent to . In our scheme, however, this attack mode cannot be carried out, since the malicious is unable to fabricate without knowledge of , so we close the potential pitfall in Wazid et al.’s scheme.

From another point of view, an adversary cannot construct the verification value due to the hardness of ECCDH, so fails to impersonate a . In a word, the control node impersonation attack poses no threat to our protocol.

6.3.8. TA Impersonation Attack

For , it is computationally infeasible to obtain the value , which is protected by the hash function, the critical parameters , and the nonce . can be derived from two functions as , but even if has intercepted the parameters , , and , he/she still cannot calculate without , , or , and then cannot be computed. In short, our scheme is immune to the impersonation attack.

6.3.9. Denial-of-Service (DoS) Attack

Before ’s login request is sent to , the password , identity , and biometric entered into the terminal by are checked locally by verifying the value of . According to the protocol, the process continues only when holds. Hence, our protocol can withstand such an attack.

6.3.10. Replay Attack

When an adversary wants to send the intercepted messages to the receiver again, they will fail to pass the protection of the timestamp . All these intercepted messages will be seen as expired. So, our scheme can withstand this attack effectively.

6.3.11. Mutual Authentication

Mutual authentication means that before the doctor obtains health information from , each of , , and has confirmed the legitimacy of the other two parties. In our protocol, holds the public key to verify the signature , and thus is authenticated. In the same way, we use the verification values and , which consist of parameters only known to the respective parties, such as the private key or the nonce , to accomplish mutual authentication. That is, once they have affirmed that each other is legitimate, a secure session key is negotiated between and .

6.3.12. Known Key Security

The purpose of our entire protocol is to ensure the safety of subsequent medical information delivery after mutual authentication is completed. The session key , which depends on the random numbers and , is different and independent in every key agreement phase. Even if some session keys are disclosed, the of the next session remains secure. Hence, our protocol guarantees the security of the session key.

6.3.13. Perfect Forward Secrecy

At the final step of the authentication phase, and negotiate a session key . To calculate the session key from , has to solve the ECCDH problem, as we showed before. It follows that even if the long-term keys of and are disclosed, the session key remains secure. Hence, the proposed protocol achieves perfect forward secrecy.

6.3.14. User Anonymity

In the proposed protocol, we conceal the identity in , , and . is protected by the private key in and by the nonce in . That means that, apart from , , and , no one knows . So, our scheme achieves user anonymity.

6.3.15. User Untraceability

In the proposed protocol, the messages , , and transmitted among , , and are dynamic and differ from previous ones because the sender randomly selects a number to compose each message. For instance, in , the introduction of and makes the parameters different for each login phase, preventing from using static values to track the user. In short, it is impossible for to track in our scheme.

6.3.16. Biometric Template Privacy

Our scheme effectively maintains the privacy of the biometric . On the one hand, the user does not hand over the biometric template, and there is no knowledge about ’s biometric template in the memory of . On the other hand, we first use the fuzzy vault to convert the biometric template into the form . Even if obtains , he/she still cannot recover the biometric template, because the fuzzy vault algorithms are one-way operations. Moreover, the biometric template itself is difficult to lose or falsify. In short, our protocol guarantees the privacy of the biometric template.

7. Features and Efficiency Comparison

This section compares our scheme with two related works (Wang et al. [13], Wazid et al. [14]) in terms of efficiency and of advantages/disadvantages, shown in Tables 3 and 2, respectively. Specifically, we analyze the computation cost from the point of view of time complexity to compare the efficiency. Note that we only focus on the login and authentication phases and ignore the bitwise XOR operation due to its low computation cost. Besides, we use the symbols , , , , , and to represent the time cost of elliptic curve point multiplication, hash function, bilinear pairing, symmetric key encryption/decryption, modular exponentiation, and asymmetric key encryption/decryption, respectively.

From Tables 2 and 3, it can be seen that although the computation cost of our scheme is a little higher than that of the other two solutions, we satisfy a much broader set of security requirements: our scheme is superior to Wang et al.’s protocol [13] in resisting the impersonation attack and achieving mutual authentication, and it makes up for the flaws we identified in Wazid et al.’s protocol [14]. In general, our protocol is more suitable for use in the implantable medical system, within the acceptable computational energy consumption of the devices.

8. Conclusion

We take the most recent scheme of Wazid et al. as a typical example to show the subtlety of designing 3FA for the implantable medical system. We have found that the scheme suffers from three types of drawbacks, i.e., the password guessing attack, the controller node impersonation attack, and an incorrect authentication process. Then we have presented a trusted-authority-assisted 3FA protocol for the implantable medical system. Specifically, we have made the following amendments. is introduced in the authentication phase of the newly proposed solution. We have also replaced the fuzzy extractor with the more widely applied fuzzy vault for the biometrics. The new protocol is provably secure under the DDH assumption; the efficiency comparison and features analysis indicate that while a little efficiency is sacrificed, our protocol satisfies all the required security features. Overall, our new protocol is suitable for use in the implantable medical system.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare no conflicts of interest.

Authors’ Contributions

All the authors have contributed equally to this work.

Acknowledgments

This work is supported by National Natural Science Foundation of China (no. 61672433) and Basic Research Project from Science and Innovation Council of Shenzhen (nos. 201703063000511 and 201703063000517).