Sage Journals: Discover world-class research

Abstract

Healthcare service sector is one of the major applications of Wireless Sensor Networks (WSNs) acknowledged as Wireless Medical Sensor Network (WMSNs). It deploys tiny medical sensor-nodes (MS-nodes) on the body of the patient to sense crucial physiological signs which can be accessed and analyzed by registered medical professionals. Recently, Khan et al. analyzed Kumar et al.'s scheme proposed for healthcare applications using WMSNs and observed that the scheme is susceptible to many security weaknesses if an adversary extracts the information from the lost smart card of some user. The adversary can access patient's physiological data without knowing actual password, can deceive medical professionals by sending fake information about patients, can guess the password of a user from the corresponding smart card, and so forth. Besides, the scheme fails to resist insider attack, lacks user anonymity and the session key shared between the user and the MS-node is insecure. To overcome these problems, we propose an improved user authentication scheme for healthcare applications using WMSNs. We show that the scheme is free from the identified weaknesses and excels in performance and efficiency scheme.

1. Introduction

Healthcare sector is witnessing a transition from traditional human-labor-dependent services to technology-based smart services. This changeover is the outcome of Wireless Medical Sensor Networks (WMSNs), a transmission technology employed by medical professionals (like nurses, doctors, etc.) to obtain the information like blood pressure, pulse rate, body temperature, ECG of the patients. This is achieved by deploying tiny MS-nodes like blood pressure sensors, pulse oximeter, body temperature sensors, and ECG electrodes on the body of patient. The MS-nodes sense physiological information from patient's body and then transmit it to the professionals in a wireless manner. Consequently, it cuts the cost of the human labor required for the purpose and facilitates the health professionals to observe and treat the patients as and when required. But patient's personal medical data may be misused by adversaries like corrupt persons, personal enemies, health insurance professionals, and so forth. Thus, there is need for the security of WMSNs to ensure access to patient's physiological information only to the authorized health professionals. Employing a user authentication scheme is a suitable method to achieve the desired security and establish a secure, efficient, and reliable healthcare environment via WMSNs.

After the development of simple user authentication schemes like [1–6], schemes for Wireless Sensor Networks (WSNs) [7–13] have also attracted a large community of researchers. Some work has also been proposed for healthcare applications using WSNs [14–17]. In 2012, Kumar et al. [18] observed that most of the schemes proposed for WSNs such as [9, 10, 12, 13] fall short to provide security and also require heavy computational load and high communication cost. They proposed a user authentication scheme using WMSNs for healthcare applications and called it an Efficient-Strong Authentication Protocol (E-SAP) [18]. They claimed that their scheme achieves mutual authentication between the user and the MS-node and also establishes session key between them. They found their scheme finer than other existing protocols concerning cost, performance, and security. Subsequently, Khan et al. [19] identified that the scheme of Kumar et al. suffers from many security problems if an adversary extracts the information from the stolen smart card of some user. As a consequence, the scheme is exposed to user impersonation attack and insecure session key generation between user and MS-node. They showed that the scheme does not go with the authors’ claim as the mutual authentication between user and MS-node does not imply properly and an adversary can compute the session key to be established between. They also pointed out password guessing attack, insider attack, and MS-node impersonation attack on it. They found that if the identity of any user is revealed, it gives chance to many unauthorized/illegal persons to gain the personal medical data of patients and thereby generates problems for an authorized professional.

We feel that in addition to resist the prevalent threats, a user authentication scheme for WMSN should also provide user anonymity. Therefore, we propose a user anonymous authentication scheme using WMSNs eradicating the identified weaknesses of Kumar et al.'s scheme. We aim to provide perfect mutual authentication and secure session key generation between the active participants of the authentication protocol in the scheme. The rest of the paper is arranged as the description follows for the subsequent sections. Section 2 briefly explains the architecture of WMSN and its benefit in healthcare applications. Kumar et al.'s scheme is reviewed in Section 3. Section 4 gives review of the analysis of Kumar et al.'s scheme by Khan et al. The proposed scheme is illustrated in Section 5 along with its security analysis and performance comparison in presented by Sections 6 and 7, respectively. To end with, Section 8 gives the conclusion of this paper. In this paper, we use professional and user interchangeably.

2. Architecture of WMSN and Its Benefits in Healthcare Services

The architecture of the Wireless Medical Sensor Network is depicted by Figure 1. There are four parties involved in the user authentication protocol employing WMSN as described below: (i)

Users: medical professionals like nurses, doctors, and so forth, looking for physiological data of the patient via WMSN.

(ii)

MS-nodes: tiny sensors like temperature sensor, pulse oximeter, and so forth, deployed on the body of the patients.

(iii)

GW-node: a powerful master node which plays the role of the registering authority and acts as an interface between the user and the MS-node.

(iv)

Patients: they are under vigilance of medical professionals by means of MS-nodes for treatment.

First three participants are the active parties of the user authentication scheme. MS-nodes are tiny sensor having low processing power, limited computational capabilities, and limited energy and storage capacity [20]. GW-node is a powerful node with sufficiently large processing power, computational capabilities, and energy and storage capacity [20]. A user registers itself to the GW-node to become a valid user of the system. Whenever a user (medical professionals) wishes to obtain the physiological data of the patient, he transmits request message to the GW-node. Afterwards, the GW-node verifies the legitimacy of the user, if satisfied then it directs the desired MS-node(s) to answer to the user's request.

Figure 1

Architecture of WMSN.

Benefits of WMSN in providing healthcare services are as follows: (i)

Improvement in healthcare services,

(ii)

Uninterrupted monitoring of patients,

(iii)

Saving human labor, time, and money,

(iv)

Protecting sensitive and private medical data of the patient from various adversaries.

3. Review of the Scheme Proposed by Kumar et al.

Initially, the GW-node chooses three secret keys denoted as J, Kand Q, each of 256 bits. The GW-node also shares a secret key $K_{g s} = h (Q ∥ I D_{g})$ with all deployed MS-nodes by means of some key agreement method [21, 22]. The scheme has five phases each of which are described in succession. But before giving detail of each phase of the scheme, we summarize the notations and description used throughout the paper in Notations.

3.1. User Registration Phase

The user (professional) U registers itself to the GW-node in registration center of the hospital, in the following manner: (1)

user submits his chosen identity $I D_{u}$ and password $P W_{u}$ to GW-node using a secure channel;

(2)

on receiving ${I D_{u}, P W_{u}}$ , the GW-node computes $C_{u g} = E_{J} (I D_{u} ∥ I D_{g})$ and $N_{u} = h (I D_{u} \oplus P W_{u} \oplus K)$ ;

(3)

GW-node stores ${h (\cdot), C_{u g}, N_{u}, K}$ intoa SC and issues $S C = {h (\cdot), C_{u g}, N_{u}, K}$ to U, where Kis a long-term secretkey of the GW-node.

3.2. Patient Registration Phase

A patient has to register itself in registration center of the hospital [23]. Patient submits her/his name to the registration center. On receiving patient's name, the registration center chooses a suitable medical sensor kit (i.e., MS-nodes and GW-node) according to the disease of the patient and assigns medical professionals (users). Then the registration center transmits the identity $I D_{p t}$ of the patient along with medical sensors kit information to the assigned professionals/users. Finally, a technician deploys MS-node on the body of the patient.

3.3. Login Phase

A professional logs in to the GW-node in order to gain patients’ medical data via WMSN. The user inserts her/his SC into the smart card reader and inputs $I D_{u}$ and $P W_{u}$ . Then the SC performs the following: (1)

It calculates ${N_{u}}^{*} = h (I D_{u} \oplus P W_{u} \oplus K)$ and compares ${N_{u}}^{*}$ with the stored $N_{u}$ . For ${N_{u}}^{*} = N_{u}$ , the smart card continues further and else ends this session.

(2)

It generates a random nonce M to compute $C I D_{u} = E_{K} (h (I D_{u}) ∥ M ∥ S_{n} ∥ C_{u g} ∥ T_{u})$ .

(3)

It sends login request $= {C I D_{u}, T_{u}}$ to the GW-node with $T_{u}$ as the current timestamp.

3.4. Authentication Phase

On receiving the login request ${C I D_{u}, T_{u}}$ from the professional, the GW-node verifies the authenticity of Uand computes a message to transmit to the desired MS-node in the following manner: (1)

It acquires current timestamp ${T_{g}}^{'}$ and, for $({T_{g}}^{'} - T_{u}) > Δ T$ , discards the login request; otherwise it proceeds further.

(2)

It decrypts $C I D_{u}$ as $D_{K} (C I D_{u})$ to obtain ${h {(I D_{u})}^{§}, M, S_{n}, C_{u g} and {T_{u}}^{§}}$ . Also, it decrypts $C_{u g}$ as $D_{J} (C_{u g})$ to obtain ${{I D}_{u}^{*}, {I D}_{g}^{*}}$ .

(3)

It then computes $h ({I D}_{u}^{*})$ and verifies the equivalences $h {(I D_{u})}^{*} = h {(I D_{u})}^{§}$ , ${I D}_{g}^{*} = I D_{g}$ , and $T_{u} = {T_{u}}^{§}$ , if all the three equivalences hold, then it believes the login request to come from U; otherwise it terminates the login session.

(4)

It acquires $T_{g}$ , another current timestamp and computes $A_{u} = E_{S K g s} (I D_{u} ∥ S_{n} ∥ M ∥ T_{g} ∥ T_{u})$ . Then, the GW-node sends ${A_{u}, T_{g}}$ to the MS-node.

When the MS-node receives

{A_{u}, T_{g}}

from the GW-node, it performs the following steps:

(5)

It acquires current timestamp ${T_{s}}^{'}$ and, for $({T_{s}}^{'} - T_{g}) > Δ T$ , discards the received message; otherwise it continues further.

(6)

The MS-node $S_{n}$ performs the decryption $D_{S K g s} (A_{u})$ and obtains ${{I D}_{u}^{*}, {S_{n}}^{*}, M^{*}, {T_{g}}^{*}, T_{u}}$ to make sure that the request has come from the legal GW-node.

(7)

It compares ${S_{n}}^{*}$ with $S_{n}$ and $T_{g}$ with ${T_{g}}^{*}$ , and if any of these fail to match, then it discards the message; otherwise it continues further.

(8)

It computes session key $K s e s s_{U - S n} = h ({I D}_{u}^{*} ∥ S_{n} ∥ M^{*} ∥ T_{u})$ . Then it acquires $T_{s}$ , another current timestamp, and computes $L = E_{{K s e s s}_{U - S n}} (S_{n} ∥ M^{*} ∥ T_{s})$ . The MS-node sends ${L, T_{s}}$ to the user.

When U receives

{L, T_{s}}

from the MS-node, its SC performs the following steps:

(9)

It acquires current timestamp ${T_{u}}^{'}$ and, for $({T_{u}}^{'} - T_{s}) > Δ T$ , discards the received message. Or else, it proceeds further.

(10)

It computessession key $K s e s s_{U - S n} = h (I D_{u} ∥ S_{n} ∥ M ∥ T_{u})$ . Then it performs the decryption $D_{K s e s s_{U - S n}} (L)$ and obtains $S_{n}$ and $M^{*}$ . It compares ${S_{n}}^{*}$ with $S_{n}$ , and $M^{*}$ with M; if both the equivalences hold only, then the session key is assumed to be established securely.

3.5. Password Change Phase

U can change her/his password through the following stepwise procedure: (1)

U inserts her/his $S C$ into the terminal and inputs $I D_{u}$ and ${P W}_{u}$ .

(2)

Then $S C$ computes ${N_{u}}^{*} = h (I D_{u} \oplus P W_{u} \oplus K)$ and compares ${N_{u}}^{*}$ with $N_{u}$ . If both the values match allows the user to enter a new password, otherwise discards the process.

(3)

U enters new password ${(P W_{u})}_{n e w}$ .

(4)

$S C$ computes ${(N_{u})}_{n e w} = h (I D_{u} \oplus {(P W_{u})}_{n e w} \oplus K)$ and then replaces $N_{u}$ with ${(N_{u})}_{n e w}$ .

4. Review of the Analysis of Kumar et al.'s Scheme

This section presents a review of the security problems of Kumar et al.'s scheme identified by Khan et al. [19]. This analysis is based on the assumption that an adversary $U_{a}$ can recover [24, 25] the information stored in smart card.

If $U_{a}$ extracts values ${h (\cdot), C_{u g}, N_{u}, K}$ from the lost $S C$ of a user, then he holds the master key K which is stored in the $S C$ of each user (professional). Consequently, the scheme becomes vulnerable to different attacks described as follows.

4.1. User Impersonation Attack

Having master key K in hand, $U_{a}$ can impersonate any user of the system to obtain patient's physiological information. To impersonate U, the attacker $U_{a}$ intercepts the login request ${C I D_{u}, T_{u}}$ of U and decrypts $C I D_{u}$ as $D_{K} (C I D_{u}) = (h (I D_{u}) ∥ M ∥ S_{n} ∥ C_{u g} ∥ T_{u})$ to obtain ${h (I D_{u}), M, S_{n}, C_{u g}}$ . Now $U_{a}$ acquires a current timestamp $T_{a}$ and a random nonce $M_{a}$ . Then computes $C I D_{a} = E_{K} (h (I D_{u}) ∥ S_{n} ∥ C_{u g} ∥ T_{a})$ and sends ${C I D_{a}, T_{a}}$ to GW-node. Clearly this message will successfully go through GW-node authentication test as it contains valid values ${h (I D_{u}), S_{n}, C_{u g}}$ and fresh values ${M_{a}, T_{a}}$ .

4.2. Lacks User Anonymity

$U_{a}$ can obtain the hashed value of the identity of any user by decrypting the first component of the login request. For instance, if $U_{a}$ intercepts the login request ${C I D_{u}, T_{u}}$ of U, then he can obtain $h (I D_{u})$ by decrypting $C I D_{u}$ using K. Having hashed value of user's identity $h (I D_{u})$ in hand, $U_{a}$ can guess the corresponding identity $I D_{u}$ of U. Thus, the scheme fails to provide user anonymity.

4.3. Password Guessing Attack

We further extend the above two threats to a more harmful vulnerability. If $U_{a}$ successfully guesses the identity $I D_{u}$ of the user from whose smart card he extracts the secret key K, then he can guess the password $P W_{u}$ of U. For this, $U_{a}$ guesses $P W_{a}$ as the probable password, computes ${N_{u}}^{*} = h (I D_{u} \oplus P W_{a} \oplus K)$ , and verifies if ${N_{u}}^{*} = N_{u}$ . If so, it implies success of $U_{a}$ in guessing the $P W_{u}$ of U. In fact, it is complete violation of security since $U_{a}$ holds user's $S C$ along with user's identity $I D_{u}$ and password $P W_{u}$ so he can behave as the legal user U.

4.4. Illegal Logged-In Users Using Legal Identity

$U_{a}$ can guess the identity $I D_{u}$ of any user as described in Section 4.2; he can misuse $I D_{u}$ for crafting other damage to the security of the scheme as described below. (1)

$U_{a}$ applies for her/his registration by submitting $I D_{u}$ and $P W_{a}$ , where $P W_{a}$ is a random password chosen by $U_{a}$ .

(2)

In return, the GW-node provides $U_{a}$ a $S C_{a} = {h (\cdot), C_{u g}, N_{a}, K}$ with $N_{a} = h (I D_{u} \oplus P W_{a} \oplus K)$ and $C_{u g} = E_{J} (I D_{u} ∥ I D_{g})$ .

The role of password in the login-authentication procedure of the scheme is up to confirming the legitimacy of the user by her/his smart card. From then on, only user's identity

I D_{u}

is used to authenticate U at the GW-node. As a result, there are two pictures.

(i)

$U_{a}$ can successfully log in as the legal user U with the received $S C_{a} = {h (\cdot), C_{u g}, N_{a}, K}$ . $U_{a}$ inserts her/his $S C$ into the terminal and inputs $I D_{u}$ and $P W_{a}$ . Once $I D_{u}$ and $P W_{a}$ are verified, $S C_{a}$ computes $C I D_{a} = E_{K} (h (I D_{u}) ∥ M_{a} ∥ S_{n} ∥ C_{u g} ∥ T_{a})$ and sends the login request ${C I D_{a}, T_{a}}$ to the GW-node. Clearly, the GW-node considers it as a valid login request from the legitimate user U since it is computed using valid $I D_{u}$ in $C_{u g}$ .

(ii)

$U_{a}$ has open option to distribute the user's identity $I D_{u}$ among malicious persons interested to obtain patient's private health data in an illicit way. These persons can register themselves in similar manner as just explained in the previous scenario and can access data through MS-node. $U_{a}$ can also distribute the values ${h (I D_{u}), S_{n}, C_{u g}}$ in place of $I D_{u}$ among these persons. Then it is possible to impersonate U as described in Section 4.1. In case such an illegal access is detected by the system, it will raise a question on the credibility of the valid user (medical professional) whose identity $I D_{u}$ is misused by $U_{a}$ .

4.5. Insecure Session-Key

$U_{a}$ can compute the session key to be used between a user and a MS-node during a particular session. Suppose $U_{a}$ recovers the values ${h (I D_{u}), M, S_{n}}$ out of $C I D_{u}$ of the intercepted login request of U. Then he attempts to guess the identity $I D_{u}$ as described in Section 4.2 and uses timestamp $T_{u}$ from the corresponding intercepted login request ${C I D_{u}, T_{u}}$ . Then $U_{a}$ can easily compute the session key ${K s e s s}_{U - S n} = h ({I D}_{u} ∥ S_{n} ∥ M ∥ T_{u})$ to be used by U and the MS-nodewith identity $S_{n}$ . Hence, the shared session key ${K s e s s}_{U - S n}$ is insecure and $U_{a}$ can decrypt the confidential messages communicated between MS-node and U.

4.6. MS-Node Impersonation Attack

An active attacker $U_{a}$ having secret key K obtained from a lost or stolen SC can perform decryption of $C I D_{u}$ ’s for as many users as he wants. As a result, he can obtain the hashed value like $h (I D_{u})$ of all the target users. Next, $U_{a}$ can guess the identity $I D_{u}$ for each $h (I D_{u})$ and tabulates the values ${h (I D_{u}), I D_{u}}$ . After that, $U_{a}$ can impersonate the MS-node to deceit legitimate users as explained below. (1)

As $U_{a}$ finds a login request ${C I D_{u}, T_{u}}$ on the network, he intercepts and blocks it and quickly decrypts $C I D_{u}$ to see if $h (I D_{u})$ included in it is present in the table maintained or not. If not then it relays the login request to GW-node.

(2)

But if $h (I D_{u})$ exists in the tabular record, then $U_{a}$ keeps the login request blocked and uses $I D_{u}$ from the record, values ${M, S_{n}}$ from current decryption, and $T_{u}$ from login request; $U_{a}$ quickly computes ${K s e s s}_{U - S n} = h ({I D}_{u} ∥ S_{n} ∥ M ∥ T_{u})$ .

(3)

It computes $L = E_{{K s e s s}_{U - S n}} (S_{n} ∥ M ∥ T_{a})$ and sends ${L, T_{a}}$ to U, where $T_{a}$ is the current timestamp chosen by $U_{a}$ .

(4)

Obviously L will qualify the verification test at the user side as it consists of valid ${S_{n}, M}$ and fresh timestamp $T_{a}$ .

It is noticeable that

{K s e s s}_{U - S n}

, the common session key is computed by U and

U_{a}

but U believes it to be confidential between him and the MS-node. Moreover,

U_{a}

can misguide the user doctor by sending fake data about the patient. Consequently, the patient may receive false treatment, thus denying the goal of healthcare through WMSN.

4.7. Lacking of Mutual Authentication between (i) MS-Node and GW-Node, (ii) U and MS-Node

In Kumar et al.'s scheme, after verifying the login request of U, GW-node computes and sends an ensuring message ${A_{u}, {T_{g}}^{'}}$ to the required MS-node. Undoubtedly, the equivalence ${S_{n}}^{*} = S_{n}$ confirms the legality of GW-node to MS-node but reverse is not achieved. Thus, GW-node has no way to ensure itself of connecting with real MS-node. Hence, mutual authentication between MS-node and GW-node is not achieved in the scheme.

Besides, the authors claim that their scheme achieves mutual authentication between MS-node and user U. Mutual authentication between U and MS-node is established using the session key ${K s e s s}_{U - S n} = h (I D ∥ S_{n} ∥ M ∥ T_{u})$ . But as shown in Sections 4.5 and 4.6, $U_{a}$ can compute ${K s e s s}_{U - S n}$ and impersonate $S_{n}$ , respectively. Therefore, mutual authentication between U and MS-node is not achieved in the scheme.

4.8. Insider Attack

For convenience people use the same password for more than one application. During registration phase of the scheme, user submits her/his password plaintext $P W_{u}$ to GW-node. So, the system administrator at the GW-node easily comes to know the password of each user and he can use it to impersonate U at servers, where U is registered with the same password. Although authors assume the hospital registration center as a trusted authority, we think that often the trustworthy breaches the trust. Therefore, plaintext password $P W_{u}$ should not be submitted to any second party.

5. The Proposed Scheme

The proposed scheme has the same number of phases as in Kumar et al.'s scheme. Each of the phases is detailed below along with Tables 1, 2, and 3. The GW-nodekeeps only one master secret key K (length 256 bits). Besides, the GW-node shares a secret key $K_{g s} = h (K ∥ I D_{g})$ with MS-nodes using some key agreement method [21, 22].

Table 1

User registration phase of the Proposed scheme.

User (U)		GW-node
User registration phase:
Chooses ${I D}_{u}$		$C_{u g} = E_{K} ({I D}_{u} ∥ I D_{g})$
	$\overset{{{I D}_{u}}}{\to}$	$K_{u} = h (K ∥ I D_{u} ∥ I D_{g})$
	$\overset{S C = {h (\cdot), C_{u g}} & {K_{u}, K_{g}}}{\leftarrow}$	$K_{g} = h (I D_{g} ∥ K)$
Chooses ${P W}_{u}$
$N_{u} = h ({I D}_{u} ∥ {P W}_{u} ∥ K_{u})$
$P K_{u} = K_{u} \oplus (I D_{u} ∥ P W_{u})$
$P K_{g} = K_{g} \oplus (P W_{u} ∥ I D_{u})$
Inserts $N_{u}$ , $P K_{u}$ , and $P K_{g}$ in $S C$ so that $S C = {h (\cdot), C_{u g}, N_{u}, P K_{u}, P K_{g}}$

Table 2

User (U)	GW-node	MS-node
Login and authentication phase: U: inserts $I D_{u}$ and $P W_{u}$ SC: $K_{u} \leftarrow P K_{u} \oplus (I D_{u} ∥ P W_{u})$ , $K_{g} \leftarrow P K_{g} \oplus (P W_{u} ∥ I D_{u})$ , ${N_{u}}^{} = h (I D_{u} ∥ P W_{u} ∥ K_{u})$ . For ${N_{u}}^{} = N_{u}$ $C_{u 1}$ $= C_{u g} \oplus h (K_{g})$ , $C I D_{u}  =  E_{K u} ( h (I D_{u}) ∥ M ∥ S_{n} ∥ C_{u g} ∥ T_{u} )$ .
$\overset{{C I D_{u}, C u_{1}, T_{u}}}{\to}$	For $({T_{g}}^{'} - T_{u}) \leq Δ T$
	$C_{u g} \leftarrow C_{u 1} \oplus h (K_{g})$ , ${h {(I D_{u})}^{§}, M, S_{n}, {C_{u g}}^{§}, {T_{u}}^{§}} \leftarrow D_{K} (C I D_{u})$ For ${C_{u g}}^{§} = C_{u g}$ ${{I D_{u}}^{}, {I D_{g}}^{}} \leftarrow D_{K} (C_{u g})$ For $h ({I D_{u}}^{}) = h {(I D_{u})}^{§}, {I D_{g}}^{} = I D_{g}$ & $T_{u} = {T_{u}}^{§}$
For $({T_{u}}^{'} - T_{g}) \leq Δ T$ $\overset{{C_{g 1}, T_{g}}}{\leftarrow}$ $(M^{} ∥ {T_{g}}^{} ∥ {T_{u}}^{}) \leftarrow C_{g 1} \oplus K_{g}$ For $M^{} = M, {T_{g}}^{} = T_{g}$ and ${T_{u}}^{} = T_{u}$	$C_{g 1} = K_{g} \oplus (M ∥ T_{g} ∥ T_{u})$ $C_{g 2} = h (K_{g s}) \oplus (C I D_{u} ∥ T_{g} ∥ M ∥ T_{u})$ $A_{u} = h (C I D_{u} ∥ K_{g s} ∥ T_{g} ∥ S_{n} ∥ T_{g s})$ $\overset{{C_{g 2}, A_{u}, T_{g s}}}{\to}$
	$K s e s s_{U - G W} = h (M ∥ I D_{u} ∥ T_{g})$	For $({T_{s}}^{'} - T_{g s}) \leq Δ T$
		$({C I D_{u}}^{} ∥ {T_{g}}^{} ∥ M^{} ∥ {T_{u}}^{}) \leftarrow C_{g 2} \oplus h (K_{g s})$ ${A_{u}}^{} = h ({C I D_{u}}^{} ∥ K_{g s} ∥ {T_{g}}^{} ∥ S_{n} ∥ T_{g s})$ For ${A_{u}}^{} = A_{u}$
	$\overset{{C_{s 1}, T_{s g}}}{\leftarrow}$	$C_{s 1} = h (T_{g} ∥ K_{g s} ∥ T_{s g}) \oplus h (C I D_{u} ∥ S_{n})$ ${C_{s 2}}^{} = h (S_{n} ∥ M^{} ∥ {T_{u}}^{*} ∥ T_{s})$
$\overset{{C_{s 2}^{*}, T_{s}}}{\leftarrow}$
	For $({T_{g}}^{''} - T_{s g}) \leq Δ T$ ${(h (C I D_{u} ∥ S_{n}))}^{} \leftarrow C_{s 1} \oplus h (T_{g} ∥ K_{g s} ∥ T_{s g})$ For ${(h (C I D_{u} ∥ S_{n}))}^{} = h (C I D_{u} ∥ S_{n})$
		$K s e s s_{G W - S n} = h (K_{g s} ∥ T_{s g} ∥ M)$
For $({T_{u}}^{''} - T_{s}) \leq Δ T$ $C_{s 2} = h (S_{n} ∥ M ∥ T_{u} ∥ T_{s})$ $C_{s 2} = {C_{s 2}}^{*}$
$\overset{}{\leftarrow} K s e s s_{U - S n} = h (M ∥ T_{s} ∥ S_{n}) \overset{}{\to}$

Table 3

Password change phase of the Proposed scheme.

User (U)		Smart card (SC)
Password change phase: U: inserts ${I D}_{u}$ and $P W_{u}$
	$\overset{{I D_{u}, P W_{u}}}{\to}$	SC: $K_{u} \leftarrow P K_{u} \oplus (I D_{u} ∥ P W_{u})$ ,
		$K_{g} \leftarrow P K_{g} \oplus (P W_{u} ∥ I D_{u})$ , ${N_{u}}^{} = h (I D_{u} ∥ P W_{u} ∥ K_{u})$ . For ${N_{u}}^{} = N_{u}$
	$\overset{{(P W_{u})}_{n e w}}{\to}$	${(N_{u})}_{n e w} = h (I D_{u} ∥ {(P W_{u})}_{n e w} ∥ K_{u})$ ,
		${(P K_{u})}_{n e w} = K_{u} \oplus (I D_{u} ∥ {(P W_{u})}_{n e w})$ and ${(P K_{g})}_{n e w} = K_{g} \oplus ({(P W_{u})}_{n e w} ∥ I D_{u})$ . ${(N_{u})}_{n e w} \leftarrow N_{u}, {(P K_{u})}_{n e w} \leftarrow P K_{u}$ and ${(P K_{g})}_{n e w} \leftarrow P K_{g}$

5.1. User Registration Phase

The user (professional) U registers itself to the GW-node in registration center of the hospital, in the following manner. (1)

User choses her/his identity $I D_{u}$ and submits it to the GW-node using a secure channel.

(2)

On receiving $I D_{u}$ the GW-node computes $C_{u g} = E_{K} (I D_{u} ∥ I D_{g})$ , $K_{u} = h (K ∥ I D_{u} ∥ I D_{g})$ , and $K_{g} = h (I D_{g} ∥ K)$ .

(3)

GW-node stores ${h (\cdot), C_{u g}}$ into a $S C$ and provides $S C = {h (\cdot), C_{u g}}$ along with values ${K_{u}, K_{g}}$ to U through the secure channel.

(4)

On obtaining $S C = {h (\cdot), C_{u g}}$ and ${K_{u}, K_{g}}$ , the user U chooses his password $P W_{u}$ and computes $N_{u} = h (I D_{u} ∥ P W_{u} ∥ K_{u})$ , $P K_{u} = K_{u} \oplus (I D_{u} ∥ P W_{u})$ , and $P K_{g} = K_{g} \oplus (P W_{u} ∥ I D_{u})$ . Finally, U inserts $N_{u}$ , $P K_{u}$ , and $P K_{g}$ in $S C$ , so that $S C = {h (\cdot), C_{u g}, N_{u}, P K_{u}, P K_{g}}$ .

5.2. Patient Registration Phase

This phase is identical to that in Kumar et al.'s scheme so we avoid its explanation here.

5.3. Login Phase

A professional logs in the GW-node in order to gain patients’ medical data via WMSN. The user inserts her/his $S C$ into the smart card reader and inputs $I D_{u}$ and $P W_{u}$ . Then the SC performs the following. (1)

It retrieves $K_{u} = P_{K u} \oplus (I D_{u} ∥ P W_{u})$ , $K_{g} = P K_{g} \oplus (P W_{u} ∥ I D_{u})$ and computes ${N_{u}}^{*} = h (I D_{u} ∥ P W_{u} ∥ K_{u})$ . For ${N_{u}}^{*} = N_{u}$ it continues further; otherwise it stops the session.

(2)

It generates a random nonce M and computes $C_{u 1} = C_{u g} \oplus h (K_{g})$ and $C I D_{u} = E_{K u} (h (I D_{u}) ∥ M ∥ S_{n} ∥ C_{u g} ∥ T_{u})$ .

(3)

$S C$ sends ${C I D_{u}, C_{u 1}, T_{u}}$ as login request to GW-node, where $T_{u}$ is the current timestamp.

5.4. Authentication Phase

When the login request $= {C I D_{u}, C_{u 1}, T_{u}}$ from U is received by the GW-node, it executes the following steps. (1)

It acquires current timestamp ${T_{g}}^{'}$ and, for $({T_{g}}^{'} - T_{u}) > Δ T$ , discards the login request; otherwise it proceeds further.

(2)

It retrieves $C_{u g} = C_{u 1} \oplus h (K_{g})$ and decrypts $C I D_{u}$ as $D_{K} (C I D_{u})$ to obtain ${{h (I D_{u})}^{§}, M, S_{n}, {C_{u g}}^{§}$ and ${T_{u}}^{§}}$ . It verifies the equivalence ${C_{u g}}^{§} = C_{u g}$ , and if correct, then it decrypts $C_{u g}$ as $D_{K} (C_{u g})$ to obtain ${I D}_{u}^{*}$ and ${I D}_{g}^{*}$ .

(3)

It then computes $h ({I D}_{u}^{*})$ and verifies the equivalences $h {(I D_{u})}^{*} = h {(I D_{u})}^{§}$ , ${I D}_{g}^{*} = I D_{g}$ , and $T_{u}$ = ${T_{u}}^{§}$ , if all the three equivalences hold then believes the login request to come from U; otherwise terminates the login session.

(4)

It acquires $T_{g}$ as current timestamp, computes $C_{g 1}$ = $K_{g} \oplus (M ∥ T_{g} ∥ T_{u})$ , and sends ${C_{g 1}, T_{g}}$ to U. It acquires $T_{g s}$ as another current timestamp and computes $C_{g 2} = h (K_{g s}) \oplus (C I D_{u} ∥ T_{g} ∥ M ∥ T_{u})$ and $A_{u} = h (C I D_{u} ∥ K_{g s} ∥ T_{g} ∥ S_{n} ∥ T_{g s})$ . Then, the GW-node sends ${C_{g 2}, A_{u}, T_{g s}}$ to the MS-node.

On receiving

{C_{g 1}, T_{g}}

from the GW-node, U verifies the legitimacy of GW-node as follows.

(5)

It checks if $({T_{u}}^{'} - T_{g}) > Δ T$ ; if so, it dumps the session; otherwise it continues further.

(6)

It obtains $(M^{*} ∥ {T_{g}}^{*} ∥ {T_{u}}^{*}) = C_{g 1} \oplus K_{g}$ and verifies the equivalence $M^{*} = M$ , ${T_{g}}^{*} = T_{g}$ , and ${T_{u}}^{*} = T_{u}$ ; if each holds, then GW-node is authenticated; otherwise it terminates the login session.

After this mutual authentication, U and GW-node compute

{K s e s s}_{U - G W} = h (M ∥ I D_{u} ∥ T_{g})

, as the session key.

On receiving ${C_{g 2}, A_{u}, T_{g s}}$ from the GW-node, the MS-node performs the following operations. (7)

It checks if $({T_{s}}^{'} - T_{g s}) > Δ T$ ; if so, terminates the session; otherwise it proceeds further.

(8)

It obtains $({C I D}_{u}^{*} ∥ {T_{g}}^{*} ∥ M^{*} ∥ {T_{u}}^{*}) = C_{g 2} \oplus h (K_{g s})$ , computes ${A_{u}}^{*} = h ({C I D}_{u}^{*} ∥ K_{g s} ∥ {T_{g}}^{*} ∥ S_{n} ∥ T_{g s})$ , and compares ${A_{u}}^{*}$ with $A_{u}$ . The equivalence ${A_{u}}^{*} = A_{u}$ verifies the legitimacy of the GW-node and hence of U.

(9)

It acquires $T_{s g}$ as current timestamp, computes $C_{s 1} = h (T_{g} ∥ K_{g s} ∥ T_{s g}) \oplus h (C I D_{u} ∥ S_{n})$ , and sends ${C_{s 1}, T_{s g}}$ to the GW-node. Also it computes ${C_{s 2}}^{*} = h (S_{n} ∥ M^{*} ∥ {T_{u}}^{*} ∥ T s)$ , where $T_{s}$ is another current timestamp of MS-node. Then, the MS-node sends ${{C_{s 2}}^{*}, T_{s}}$ to U.

On receiving

{C_{s 1}, T_{s g}}

from the MS-node, the GW-node performs the following operations.

(10)

It checks if $({T_{g}}^{''} - T_{s g}) > Δ T$ ; if so, terminates the session; otherwise it proceeds further.

(11)

It obtains ${(h (C I D_{u} ∥ S_{n}))}^{*} = C_{s 1} \oplus h (T_{g} ∥ K_{g s} ∥ T_{s g})$ , computes $h (C I D_{u} ∥ S_{n})$ , and compares it with ${(h (C I D_{u} ∥ S_{n}))}^{*}$ . The equivalence ${(h (C I D_{u} ∥ S_{n}))}^{*} = h (C I D_{u} ∥ S_{n})$ verifies the legitimacy of MS-node.

After this mutual authentication, GW-node and MS-node compute

K s e s s_{G W - S n} = h (K_{g s} ∥ T_{s g} ∥ M)

, as the session key.

On receiving ${{C_{s 2}}^{*}, T_{s}}$ from the MS-node, U performs the following. (12)

It checks if $({T_{u}}^{''} - T_{s}) > Δ T$ ; if so, it dumps the session, otherwise it proceeds further.

(13)

It computes $C_{s 2} = h (S_{n} ∥ M ∥ T_{u} ∥ T_{s})$ and compares it with ${C_{s 2}}^{*}$ , and for $C_{s 2} = {C_{s 2}}^{*}$ the authenticity of MS-node is verified.

After this mutual authentication, U and MS-node compute

K s e s s_{U - S n} = h (M ∥ T_{s} ∥ S_{n})

, as the session key.

5.5. Password Change Phase

U can change her/his password in the following manner. For this, U inserts her/his $S C$ into the terminal, inputs her $I D_{u}$ and $P W_{u}$ , and opts to change his password. Then the following steps are performed to update a new password. (1)

$S C$ retrieves $K_{u} = {P K}_{u} \oplus (I D_{u} ∥ P W_{u})$ , $K_{g} = P K_{g} \oplus (P W_{u} ∥ I D_{u})$ and computes ${N_{u}}^{*} = h (I D_{u} ∥ P W_{u} ∥ K_{u})$ . If ${N_{u}}^{*} = N_{u}$ , then it proceeds further after asking for new password; otherwise it discards the password change request.

(2)

U enters new password ${(P W_{u})}_{n e w}$ .

(3)

$S C$ computes ${(N_{u})}_{n e w} = h (I D_{u} ∥ {(P W_{u})}_{n e w} ∥ K_{u})$ , ${({P K}_{u})}_{n e w} = K_{u} \oplus (I D_{u} ∥ {({P K}_{u})}_{n e w})$ , and ${(P K_{g})}_{n e w} = K_{g} \oplus ({({P W}_{u})}_{n e w} ∥ I D_{u})$ .

(4)

$S C$ replaces $N_{u}$ , $P K_{u}$ , and $P K_{g}$ with ${(N_{u})}_{n e w}$ , ${({P K}_{u})}_{n e w}$ , and ${(P K_{g})}_{n e w}$ , respectively.

6. Analysis of the Security of the Proposed Scheme

This section, examines the security of the proposed scheme. We will display that the proposed scheme is secure under the same assumption subject to which Kumar et al.'s scheme is attackable. The assumption is that an attacker $U_{a}$ can extract [24, 25] the information stored inside smart card.

6.1. Resisting User Impersonation Attack

To impersonate as the user, $U_{a}$ has to compute a valid login request. Suppose $U_{a}$ obtains the lost smart card of U and extracts the values ${C_{u g}, N_{u}, {P K}_{u}, P K_{g}}$ stored in it. Though $C_{u g}$ is involved in both the components ${C I D_{u}$ and $C_{u 1}}$ of the login request, but without $K_{g}$ , $h (I D_{u})$ , and $S_{n}$ computation of these components is incomplete. To recover $K_{g}$ from ${P K}_{g}$ , the attacker $U_{a}$ needs to know of user's identity and password. On the contrary, to obtain $I D_{u}$ from $P K_{u}$ or $P K_{g}$ , the attacker $U_{a}$ should hold $K_{u}$ or $K_{g}$ , respectively. Further, it is not feasible to obtain $I D_{u}$ or $K_{u}$ from $N_{u}$ due to noninvertible nature of hash function. Thus, the scheme resists user impersonation attack.

6.2. Providing User Anonymity

If $U_{a}$ intercepts the login request ${C I D_{u}, C_{u 1}, T_{u}}$ of U, then he needs $K_{u}$ to obtain $h (I D_{u})$ by decrypting $C I D_{u}$ . But $U_{a}$ neither knows $K_{u}$ nor can recoverit by extracting information ${h (\cdot), C_{u g}, N_{u}, {P K}_{u}, {P K}_{g}}$ from the lost smart card of some user; say U. To take out $K_{u}$ from ${P K}_{u}$ , the attacker $U_{a}$ should know user's identity and password. In fact, key $K_{u}$ required to encrypt/decrypt $C I D_{u}$ is not stored directly in user's smart card and is different for each user. Therefore, $U_{a}$ cannot obtain $h (I D_{u})$ and guess the identity as in Kumar et al.'s scheme. On the other hand, to procure identity $I D_{u}$ from $N_{u}$ , ${P K}_{u}$ , or $P K_{g}$ is infeasible. It requires knowledge of keys $K_{u}$ and $K_{g}$ to gain $I D_{u}$ out of ${P K}_{u}$ or $P K_{g}$ , respectively. Moreover, one-way property of hash function does not allow extraction of $I D_{u}$ out of $N_{u}$ . Therefore, $U_{a}$ cannot gain the identity of a user and hence the scheme provides user anonymity.

6.3. Resisting Password Guessing Attack

In order to guess U's password $P W_{u}$ from $N_{u} = h (I D_{u} ∥ P W_{u} ∥ K_{u})$ obtained from the lost SC of U, the attacker $U_{a}$ requires knowledge of $I D_{u}$ and $K_{u}$ . As described in Section 6.2, $U_{a}$ cannot gain the identity of a user either from the lost smart card of a user or from an intercepted login request. Besides, $K_{u}$ is not available as plaintext in U's $S C$ and is not obtainable from $P K_{u}$ without having exact values of $I D_{u}$ and $P W_{u}$ . Thus, the scheme resists password guessing attack.

6.4. Resisting Illegal Logged-In Users Using Legal Identity

Since it is not possible to guess or know the identity $I D_{u}$ of a logging user, $U_{a}$ cannot register itself to the GW-node with legal identity $I D_{u}$ and fake password $P W_{a}$ . Hence $U_{a}$ cannot harm the security of the scheme by misusing the identity. As a result, the scenario of many illegal users logged in with legal identity $I D_{u}$ of a registered user is not possible in the proposed scheme.

6.5. Providing Secure Session Key between Every Pair of the Participating Entities

The proposed scheme establishes session key between every pair of participating entities. Session key between U and GW-node is $K s e s s_{U - G W} = h (M ∥ I D_{u} ∥ T_{g})$ which depends on three values M, $I D_{u}$ , and $T_{g}$ . Although user's identity $I D_{u}$ is fixed, M and $T_{g}$ are different for each session imparting dynamic nature to $K s e s s_{U - G W}$ . However $T_{g}$ is available in ${C_{g 1}, T_{g}}$ from the open network but $U_{a}$ cannot compute $K s e s s_{U - G W}$ without having M and $I D_{u}$ . Session key between GW-node and MS-node is $K s e s s_{G W - S n} = h (K_{g s} ∥ T_{s g} ∥ M)$ which is dynamic because of fresh timestamp $T_{s g}$ and one time usable random number M. Although $K_{g s}$ is fixed but is known only to the GW-node and the MS-node so no one except these two entities can compute the valid $K s e s s_{G W - S n}$ . Moreover, $U_{a}$ cannot procure M from $C I D_{u}$ without knowing $K_{u}$ ; from $C_{g 1}$ without knowing $K_{g s}$ ; and from ${C_{s 2}}^{*}$ due to noninvertible nature of hash function. Session key between U and MS-node is $K s e s s_{U - S n} = h (M ∥ T_{s} ∥ S_{n})$ which an attacker cannot compute without knowing M. Thus, the scheme establishes independent and secure session keys between every pair of the participating entities.

6.6. Resisting Sensor-Node Impersonation Attack

In order to impersonate the MS-node, $U_{a}$ should be able to compute the response messages sent by it to the GW-node and U. To compute $C_{s 1} = h (T_{g} ∥ K_{g s} ∥ T_{s g}) \oplus h (C I D_{u} ∥ S_{n})$ and ${C_{s 2}}^{*} = h (S_{n} ∥ M^{*} ∥ {T_{u}}^{*} ∥ T_{s})$ the knowledge of $K_{g s}$ and $M^{*}$ is required, respectively. Since $K_{g s} = h (K ∥ I D_{g})$ is shared secretly by GW-node with MS-node using some key agreement method [21, 22] and its computation involves master secret key K and identity $I D_{g}$ of the GW-node, $U_{a}$ cannot access or compute $K_{g s}$ . Further $M / M^{*}$ is not retrievable from $C I D_{u}$ , $C_{g 1}$ , and $C_{g 2}$ without knowing $K_{u}$ and $K_{g}$ , respectively. Moreover, one-way property of hash function prohibits extraction of $M / M^{*}$ from ${C_{s 2}}^{*}$ . Hence $U_{a}$ cannot impersonate the MS-node to make fool of the user and GW-node.

6.7. Providing Mutual Authentication between Every Pair of the Participating Entities

At each of the three ends, any received message undergoes at least two-step verification test to verify the authenticity of the sender. For every message, firstly timestamp is checked for freshness followed by one or more equivalences holding tests. The proposed scheme achieves mutual authentication between U and GW-node by exchange of messages ${C I D_{u}, C_{u 1}, T_{u}}$ and ${C_{g 1}, T_{g}}$ . When GW-node receives ${C I D_{u}, C_{u 1}, T_{u}}$ from U, in addition to timestamp freshness test, the equivalences $h ({I D}_{u}^{*}) = h {(I D_{u})}^{§}$ , ${I D}_{g}^{*} = I D_{g}$ , and $T_{u} = {T_{u}}^{§}$ are required to guarantee the legitimacy of U. Similarly, for ${C_{g 1}, T_{g}}$ received by U from GW-node, the equivalence $M^{*} = M$ , ${T_{g}}^{*} = T_{g}$ , and ${T_{u}}^{*} = T_{u}$ should essentially hold to prove the validity of the GW-node.

Mutual authentication between the GW-node and the MS-node is achieved through the messages ${C_{g 2}, A_{u}, T_{g s}}$ and ${C_{s 1}, T_{s g}}$ . Corresponding to the message ${C_{g 2}, A_{u}, T_{g s}}$ , the equivalence ${A_{u}}^{*} = A_{u}$ is imperative to confirm the legitimacy of GW-node and hence of U to MS-node. On the other hand, only the designated MS-node can compute $C_{s 1} = h (T_{g} ∥ K_{g s} ∥ T_{s g}) \oplus h (C I D_{u} ∥ S_{n})$ and the authorized GW-node can retrieve correct $h (C I D_{u} ∥ S_{n})$ from $C_{s 1}$ as the computation and retrieval involves use of $K_{g s}$ hence mutually authenticate the entities to each other.

As just discussed, U is authenticated to the MS-node via message ${C_{g 2}, A_{u}, T_{g s}}$ with which GW-node is verified. Finally, the legitimacy of MS-node is ensured to U by means of the equivalence $C_{s 2} = {C_{s 2}}^{*}$ . In this way, our scheme provides perfect mutual authentication.

6.8. Resisting Insider Attack

During registration phase, U submits only his identity $I D_{u}$ to the GW-node at the hospital registration center. The GW-node provides secret keys $K_{u}$ and $K_{g}$ to the user. Then using his chosen password $P W_{u}$ and identity $I D_{u}$ , the user U itself computes $N_{u} = h (I D_{u} ∥ P W_{u} ∥ K_{u})$ and embeds $K_{u}$ and $K_{g}$ as $P K_{u} = K_{u} \oplus (I D_{u} ∥ P W_{u})$ and $P K_{g} = K_{g} \oplus (P W_{u} ∥ I D_{u})$ , respectively. Finally, U inserts $N_{u}$ , $P K_{u}$ , and $P K_{g}$ in $S C$ . Since the insider of the system never receives user's password, privileged insider attack is not applicable on the scheme.

7. Performance Analysis of the Proposed Scheme via Comparison

Now, we compare our scheme with Kumar et al.'s scheme [18] to present a comparative analysis of its performance and efficiency. Table 4 is about memory space required by smart card and computational complexity/cost in both the schemes. Table 5 exhibits the performance of both the schemes. For convenience, we assume that the identity $I D_{u}$ , password $P W_{u}$ , random numbers ${M}$ , timestamps ${T_{u}, T_{g}, etc.}$ , and outputs of one-way hash function ${h (I D_{u} ∥ P W_{u} ∥ K_{u}), etc.}$ are 128-bit long.

Table 4

Comparison of efficiency: memory space and computational cost/complexity.

	Schemes
	Kumar et al.'s [18]	Ours
Memory space needed by $S C$	512 bits	640 bits
Computational complexity
Registration phase (U)	Nil	$1 h (\cdot)$
Registration phase (GW-node)	$1 h (\cdot) + 1 S_{y}$	$2 h (\cdot) + 1 S_{y}$
Login and authentication phase (SC)	$4 h (\cdot) + 2 S_{y}$	$6 h (\cdot) + 1 S_{y}$
Login and authentication phase (GW-node)	$1 h (\cdot) + 3 S_{y}$	$7 h (\cdot) + 1 S_{y}$
Login-authentication phase (MS-node)	$1 h (\cdot) + 2 S_{y}$	$7 h (\cdot)$

Table 5

Comparison of performance.

Security characteristics	Schemes
Security characteristics	Kumar et al.'s [18]	Ours
Resists user impersonation attack	No	Yes
Resists password guessing attack	No	Yes
Resists multi-logged-in users attack	No	Yes
Resists sensor-node impersonation attack	No	Yes
Resists insider attack	No	Yes
Provides user anonymity	No	Yes
Provides verification mechanism in SC	Yes	Yes
Provides freely password change facility	Yes	Yes
Provides U and GW-node mutual authentication	No	Yes
Provides GW-node and MS-node mutual authentication	No	Yes
Provides U and MS-node mutual authentication	No	Yes
Establishes secure session key between U and GW-node	No	Yes
Establishes secure session key between GW-node and MS-node	No	Yes
Establishes secure session key between U and MS-node	No	Yes

Table 4 shows that the memory space required by the smart card in Kumar et al.'s scheme and the proposed scheme is 512 bits and 640 bits, respectively. Further, it is noticeable that our scheme adds some hash functions $(h (\cdot))$ but remarkably cuts the number of time consuming symmetric cryptography operation $(S_{y})$ at each of the three ends. The most important aspect is that there is no symmetric operation required at low powered MS-node. However, it is apparent from Table 5 that with extra memory capacity of 128 bits in smart card and some extra hash functions, the proposed scheme achieves higher performance. The most significant feature of our scheme is the establishment of mutual authentication and session key between every pair of the three participating entities.

8. Conclusion

A secure and efficient user authentication scheme is essential to offer reliable and proficient healthcare services via WMSNs. This work is motivated by the security problems of Kumar et al.'s scheme for healthcare services using WMSNs. In this paper, we have designed a user authentication scheme to eradicate the security problems of Kumar et al.'s scheme. Our scheme is user anonymous and is free from risks occurring due to loss of smart card of a user. It defies insider attack and password guessing attack. The most important feature of the scheme is that it establishes mutual authentication and provides session key between every pair of the participating entities, that is, user, GW-node, and MS-node.

Footnotes

Notations

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgment

The authors would like to extend their sincere appreciation to the Deanship of Scientific Research at King Saud University for its funding of this research through the Research Group Project no. RGP-VPP-288.

References

Wang

Y.-Y.

Liu

J.-Y.

Xiao

F.-X.

Dan

A more efficient and secure dynamic ID-based remote user authentication scheme

Computer Communications 2009 32 4 583 585

2-s2.0-59649083248

10.1016/j.comcom.2008.11.008

Khan

M. K.

Kim

S.-K.

Alghathbar

Cryptanalysis and security enhancement of a ‘more efficient & secure dynamic ID-based remote user authentication scheme’

Computer Communications 2011 34 3 305 309

2-s2.0-78751642788

10.1016/j.comcom.2010.02.011

Kumar

Gupta

M. K.

Kumari

An improved efficient remote password authentication scheme with smart card over insecure network

International Journal of Network Security 2011 13 3 167 177

Kumari

Gupta

M. K.

Kumar

Cryptanalysis and security enhancement of Chen et al.'s remote user authentication scheme using smart card

Central European Journal of Computer Science 2012 2 1 60 75

10.2478/s13537-012-0003-y

Khan

M. K.

Kumari

Gupta

M. K.

More efficient key-hash based fingerprint remote authentication scheme using mobile device

Computing 2013

10.1007/s00607-013-0308-2

Kumari

Khan

M. K.

Cryptanalysis and improvement of ‘a robust smart-card-based remote user password authentication scheme’

International Journal of Communication Systems 2013

10.1002/dac.2590

Wong

K. H. M.

Yuan

Jiannong

Shengwei

A dynamic user authentication scheme for wireless sensor networks

Proceedings of the IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing

June 2006

Taichung, Taiwan

318 327

2-s2.0-33845458336

10.1109/SUTC.2006.1636182

Tseng

H.-R.

Jan

R.-H.

Yang

An improved dynamic user authentication scheme for wireless sensor networks

Proceedings of the 50th Annual IEEE Global Telecommunications Conference (GLOBECOM ′07)

November 2007

Washington, DC, USA

986 990

2-s2.0-39349093196

10.1109/GLOCOM.2007.190

Das

M. L.

Two-factor user authentication in wireless sensor networks

IEEE Transactions on Wireless Communications 2009 8 3 1086 1090

2-s2.0-62949130774

10.1109/TWC.2008.080128

10.

Vaidya

Rodrigues

J. J. P. C.

Park

J. H.

User authentication schemes with pseudonymity for ubiquitous sensor network in NGN

International Journal of Communication Systems 2010 23 9-10 1201 1222

2-s2.0-77956388579

10.1002/dac.1097

11.

Khan

M. K.

Alghathbar

Security analysis of ‘two-factor user authentication in wireless sensor networks’

6059

Proceedings of the 4th International Conference on Information Security and Assurance (ISA ′10)

June 2010

Miyazaki, Japan

55 60 Lecture Notes in Computer Science

12.

Khan

M. K.

Alghathbar

Cryptanalysis and security improvements of ‘two-factor user authentication in wireless sensor networks’

Sensors 2010 10 3 2450 2459

2-s2.0-77955495427

10.3390/s100302450

13.

Gao

Chan

Chen

An enhanced two-factor user authentication scheme in wireless sensor networks

Ad-Hoc & Sensor Wireless Networks 2010 10 4 1 11

2-s2.0-78650459565

14.

Saleem

Ullah

Yoo

H. S.

On the security issues in wireless body area networks

Journal of Digital Content Technology and Its Applications 2009 3 3 178 184

15.

Ullah

Kwak

K. S.

Body area network for ubiquitous healthcare applications: theory and implementation

Journal of Medical Systems 2011 35 5 1243 1244

10.1007/s10916-011-9787-x

16.

Ullah

Higgins

Braem

Latre

Blondia

Moerman

Saleem

Rahman

Kwak

K. S.

A comprehensive survey of wireless body area networks—on PHY, MAC, and network layers solutions

Journal of Medical Systems 2012 36 3 1065 1094

2-s2.0-77955537164

10.1007/s10916-010-9571-3

17.

Chung

W.-Y.

Multi-modal sensing M2M healthcare service in WSN

KSII Transactions on Internet and Information Systems 2012 6 4 1090 1105

2-s2.0-84860122221

18.

Kumar

Lee

S.-G.

Lee

H.-J.

E-SAP: efficient-strong authentication protocol for healthcare applications using wireless medical sensor networks

Sensors 2012 12 2 1625 1647

2-s2.0-84857578365

10.3390/s120201625

19.

Khan

M. K.

Kumari

Singh

Cryptanalysis of an ‘efficient-strong authentication protocol (e-sap) for healthcare applications using wireless medical sensor networks’

KSII Transactions on Internet and Information Systems 2013 7 5 967 979

20.

Callaway

E. H.

Wireless Sensor Networks, Architectures and Protocols 2003

Boca Raton, Fla, USA

Taylor & Francis

21.

Chen

Chan

Gao

Fan

Lightweight and provably secure user authentication with anonymity for the global mobility network

International Journal of Communication Systems 2011 24 3 347 362

10.1002/dac.1158

22.

Ping

Z. L.

An ID-based key agreement protocol for wireless sensor networks

Proceedings of the 1st International Conference on Information Science and Engineering (ICISE ′09)

December 2009

Nanjing, China

2542 2545

2-s2.0-77952760759

10.1109/ICISE.2009.263

23.

Lin

Shen

Nemoto

Kato

SAGE: a strong privacy-preserving scheme against global eavesdropping for ehealth systems

IEEE Journal on Selected Areas in Communications 2009 27 4 365 378

2-s2.0-67349253018

10.1109/JSAC.2009.090502

24.

Kocher

Jaffe

Jun

Differential power analysis

Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO ′99)

1999

Santa Barbara, Calif, USA

388 397

25.

Messerges

T. S.

Dabbish

E. A.

Sloan

R. H.

Examining smart-card security under the threat of power analysis attacks

IEEE Transactions on Computers 2002 51 5 541 552

2-s2.0-0036566408

10.1109/TC.2002.1004593

An Improved User Authentication Protocol for Healthcare Services via Wireless Medical Sensor Networks

Abstract

1. Introduction

2. Architecture of WMSN and Its Benefits in Healthcare Services

3. Review of the Scheme Proposed by Kumar et al.

3.1. User Registration Phase

3.2. Patient Registration Phase

3.3. Login Phase

3.4. Authentication Phase

3.5. Password Change Phase

4. Review of the Analysis of Kumar et al.'s Scheme

4.1. User Impersonation Attack

4.2. Lacks User Anonymity

4.3. Password Guessing Attack

4.4. Illegal Logged-In Users Using Legal Identity

4.5. Insecure Session-Key

4.6. MS-Node Impersonation Attack

4.7. Lacking of Mutual Authentication between (i) MS-Node and GW-Node, (ii) U and MS-Node

4.8. Insider Attack

5. The Proposed Scheme

5.1. User Registration Phase

5.2. Patient Registration Phase

5.3. Login Phase

5.4. Authentication Phase

5.5. Password Change Phase

6. Analysis of the Security of the Proposed Scheme

6.1. Resisting User Impersonation Attack

6.2. Providing User Anonymity

6.3. Resisting Password Guessing Attack

6.4. Resisting Illegal Logged-In Users Using Legal Identity

6.5. Providing Secure Session Key between Every Pair of the Participating Entities

6.6. Resisting Sensor-Node Impersonation Attack

6.7. Providing Mutual Authentication between Every Pair of the Participating Entities

6.8. Resisting Insider Attack

7. Performance Analysis of the Proposed Scheme via Comparison

8. Conclusion

Footnotes

Notations

Conflict of Interests

Acknowledgment

References