Sage Journals: Discover world-class research

Abstract

Wireless body area network can be employed to collect patient’s electronic health data. To guarantee the reliability and confidentiality of the collected data, secure data transmission in wireless body area network is required. In wireless body area network, a mutual authentication process has to be carried out between the controller and sensors to ensure their legitimacy, and a key distribution mechanism is required to secure communication after successful mutual authentication. Li et al. proposed a cryptographic solution, which allows group device pairing authentication and key agreement but has low authentication efficiency and key leakage problems. To address these issues, a group authentication and key distribution scheme is proposed in this article. It enables effectively mutual authentication between controller and sensors, supports all signatures of sensors in the group to be checked by the controller through aggregation verification to achieve efficient authentication, and allows key distribution during authentication to improve the computation efficiency. Security analysis indicates that the proposed scheme enjoys existentially unforgeability, and theoretical and experimental comparison demonstrates its practicality in terms of computation and communication cost.

Keywords

Wireless body area network identity authentication aggregate validation key exchange unforgeability

Introduction

Wireless body area network (WBAN) is an important branch of the Internet of things (IoT).¹ With the development of the sensor technology, WBAN has great practical significance in remote medicine detection, health care and service,² and so on. WBAN is mainly composed of sensors equipped or implanted into a human body. Sensor nodes can sense and collect physiological data of a human body as well as surrounding environmental information.³ The collected data can be sent to the controller with powerful storage and computing capacities. The data are forwarded to the remote medicine data center for processing and analysis. According to these data, the doctor would be able to make treatment plan. For example, wearable pulse oximetry sensors can be used by patients with vascular disease to measure blood oxygen saturation.⁴ For emergency case detected by sensors, relevant measures can be taken to relieve the suffering of patients, for example, implanted blood glucose sensors can be employed to analyze the blood glucose index of the patient in real-time to trigger the insulin pump for insulin injection when necessary.⁵

While WBAN brings convenience to patients, some security and privacy issues are also arising. The collected data may contain the private information of users, which are at risk of being leaked and tampered during transmission.⁶ Therefore, it is extremely important to protect the security and privacy of users’ sensitive data. Due to the openness of the transmission channel, attackers can affect the accuracy of data by replaying, forgery, and interference, which may lead to misdiagnosis of patients, slow down the recovery speed, and even worsen the condition.⁷

For preventing malicious nodes from joining WBAN, the entities authentication is an effective way to ensure the authenticity of entities. Since there are a lot of sensors in WBAN, it is necessary to use group authentication to improve the efficiency of one-by-one authentication. Li et al.⁸ proposed a group device pairing authentication method based on secure sensor association and key management. All sensor nodes should be authenticated not only by the controller, but also by each sensor in the same group. The system assigns a serial number to each node in advance, so that the authentication message and group key can be computed using the parameters of adjacent nodes in the authentication and key negotiation phase. Note that it is difficult to ensure the true identity of each node due to the authentication process mainly depends on the verification of the group size. Thus, malicious nodes can impersonate honest nodes to participate in the authentication process and key negotiation without being detected.

Our contributions

This article proposes a group authentication and key distribution scheme, which supports mutual authentication between controller and sensors. The main contributions of this article are summarized as follows:

The controller in our scheme is able to aggregate the signatures of sensor nodes, which improves the authentication efficiency. It is especially suitable for WBAN with a large number of sensor nodes.

Secure distribution of session key can be accomplished during authentication. No additional communication for key agreement is required after authentication.

The proposed protocol can prevent malicious entities from joining the system, ensure the authenticity of sensor nodes, and guarantee the confidentiality of the session key. It can also resist traditional attacks.

Theoretical comparison and experimental results show that our scheme has higher transmission and communication efficiency than existing schemes.

Compared with the preliminary version,⁹ this article provides a secure session key distribution method during authentication, security model, security proof, and experimental results of the proposed scheme.

Article organization

The rest of the article is arranged as follows. Section “Related works” reviews related works. Section “System model and security requirements” presents system model and security requirements. Section “Identity based aggregate authentication” provides the proposed scheme. Sections “Security analysis” and “Performance analysis” show the security analysis and the performance analysis, respectively. Finally, section “Conclusion” concludes the article.

Related works

To address the key management issue against malicious key generation center in public key cryptosystems, many certificateless signature schemes have been proposed^10,11 and proved unforgeable under adaptively chosen message attacks. Due to the key escrow problem, Mwitende et al.¹² proposed a pairing-based certificateless authentication scheme. Restricted by the computing and storage resources of entities in WBAN, Huang et al.¹³ presented an identity-based signature scheme suitable for sensor networks, which reduces the online computation cost and resists replay attacks effectively. Xu et al.¹⁴ proposed a lightweight anonymous authentication scheme with only hash operations and XOR operations. Thumbur et al.¹⁵ presented an efficient certificateless signature scheme for resource-constrained devices using lightweight computing operations. However, Xu et al.¹⁶ found that Thumbur et al.’s¹⁵ scheme cannot resist signature forgery attack and proposed an improved scheme with high efficiency.

In order to achieve efficient and secure data transmission, many schemes have been proposed to support mutual authentication and session key establishment between sensor nodes and controller in the form of groups.¹⁷ Keoh et al.¹⁸ presented a sensor association scheme based on synchronous LED flashing mode, where the controller and each sensor need to be authenticated by digital signatures and then the user verifies the flashing result of LEDs. Therefore, multiple associations between sensors and the controller would bring more time costs. Li et al.⁸ proposed a scheme of sensor association and key management, which supports mutual authentication of group membership through group device pairing. Shen et al.¹⁹ proposed a lightweight multi-layer authentication and secure session key generation scheme. This scheme allows one-to-many authentication and group key to be established between the controller and each sensor node, which has the advantage of efficient authentication. Liu et al.²⁰ noticed that Shen et al.’s¹⁹ scheme is vulnerable to impersonation attacks and proposed an improved two-layer authentication scheme. Tan and Chung²¹ proposed a group key management scheme with cooperative sensors association, which utilizes the Chinese remainder theorem to realize group key management and supports batch key update. Shu et al.²² proposed aggregated signatures for WBAN applications, whose computational efficiency is independent of the number of signers. The secret sharing²³ is used to realize multi-group key establishment protocol, where users only need to keep one share to recover multiple group keys. When a group member leaves or joins, there is no need to rebuild the key.

Secure key distribution is the basic requirement for achieving secure data transmission. The scheme proposed by Kuo et al.²⁴ can send the key material to designated sensors without being eavesdropped, where the closed Faraday-cage is used as a secure channel for key distribution. The cage not only prevents the joining of external malicious sensor nodes but also increases the difficulty of new nodes joining. Benmansour et al.²⁵ designed a secure key management scheme to improve the system security, which enables all information can be communicated in ciphertext format. Owing to the limited sensor resources, most WBAN systems have the structure of distributed perception acquisition and centralized processing mechanism.⁵ Besides, WBAN has small network scale, and there is no necessity to communicate with sensor nodes. Thus, the star topology structure is often adopted in the distributed acquisition phase.²⁶ In Li et al.’s²⁷ scheme, WBAN is divided into two layers, where sensors act as the second layer to send the collected data to the central node through the first layer with powerful storage, calculation, and communication capabilities. Li et al.’s⁸ scheme also divides WBAN into two layers, and the data collected by sensor nodes in the second layer is transmitted to users through controllers in the first layer.

When the decryption key is exposed, the decryption functionality of the key needs to be revoked. Almuhaideb and Alqudaihi²⁸ introduced the user revocation function to the factor authentication scheme. Xiong and Qin²⁹ proposed a certificate-free remote anonymous authentication scheme supporting scalable revocation, which is suitable to the large-scale WBAN. However, Shim³⁰ pointed out Xiong and Qin’s²⁹ scheme cannot resist forgery attacks. Also, it requires resource-intensive bilinear pairings, which is not suitable for WBAN applications. Shen et al.¹⁹ improved the efficiency of the schemes by Li et al.⁸ and Xiong and Qin.²⁹ Besides, Cai and Niu³¹ proposed a lightweight data fusion method to solve the problems of long data transmission time and low efficiency. To make the authentication process more efficient and secure, the verification process needs to be simplified to reduce the number of interactions between the sensor and the controller. Therefore, Abro et al.³² proposed an authentication scheme based on ElGamal, which can reduce communication overhead and resist man-in-the-middle attacks. Jegadeesan et al.³³ and Wang et al.³⁴ also proposed an efficient and secure mutual authentication scheme for privacy protection, which can reduce the cost of computation and communication, and introduces time stamp to prevent replay attacks.

System model and security requirements

System model

As shown in Figure 1, a WBAN system consists of two types of entities, namely, sensors deployed on and around users and the controller for data collection. There is a private key generator (PKG) to initialize the system and issue private keys for all entities.

Figure 1.

System model.

The sensors can collect physiological data of users and information of surrounding environment. Limited by the storage space of sensors, the collected data need to be transmitted to the controller for storing and computing. Before collection data, sensors and the controller need to perform mutual authentication to confirm their authenticity. When the controller is legal, the sensor sends the collected data to the controller. During the mutual authentication procedure, the controller is able to securely distribute a session key to the sensors in a group, so that all sensors in the same group can share the same session key.

Security requirements

In WBAN, it is important to prevent malicious sensors and controller from impersonating honest entities and eavesdropping sensitive data during data collection and transmission. Therefore, a secure WBAN authentication and key distribution scheme supporting aggregate verification needs to meet the following security requirements.

Authenticity of controller: The signature issued by the legal controller can be successfully verified by sensor nodes in a group. A malicious attacker cannot forge a signature to pass the verification conditions.

Authenticity of sensors: The signatures issued by legitimate sensors in a group can be successfully verified by the controller by means of aggregation. Malicious nodes cannot impersonate legitimate sensor nodes to pass the authentication conditions, so as to join the group communication.

Confidentiality of session key: When the controller and sensors in a group perform mutual authentication, the session key can be securely shared.

Efficiency: As the number of sensor nodes increases, the computations during authentication will be increased at both sides of the controller and sensors. Therefore, the WBAN system should support aggregate verification to improve the authentication efficiency.

Security model

The security model for the unforgeability of sensor’s identity in WABN is defined by the following game between a probabilistic polynomial time adversary $A_{1}$ and challenger.

The challenger runs the initialization algorithm and gives the system public parameter $param$ to $A_{1}$ .

When $A_{1}$ issues private key generation query for an entity $u$ , the challenger runs the key generation algorithm to obtain the corresponding private key $s k_{u}$ and sends it to $A_{1}$ .

When $A_{1}$ issues group registration query for an entity $u$ , the challenger runs the group registration algorithm and returns group key $t$ to $A_{1}$ .

When $A_{1}$ issues signature generation query on some message $m$ with regard to identity $u$ , the challenger returns signature $σ_{1}$ .

Finally, $A_{1}$ outputs $(u', m', σ_{1}')$ , where $σ_{1}'$ is a signature of message $m'$ for entity $u'$ .

Adversary $A_{1}$ wins the game if $u'$ has not been queried for the private key and $m'$ has not been queried for the signature with regard to identity $u'$ . The adversary’s advantage $Adv$ is defined as the probability of winning the game. If the probability of $A_{1}$ outputs a valid signature $σ_{1}'$ of identity $u'$ in polynomial time $t$ is at most $ε_{1}$ after the adversary $A_{1}$ makes no more than $q_{k}$ key generation queries, $q_{r}$ group registration queries and $q_{s}$ signing queries, then the scheme is said to be $(ε_{1}, t)$ -secure under $A_{1}$ attack in the sense of existentially unforgeable against adaptively chosen message attacks.

The security model for the unforgeability of controller’s identity in WABN is defined by the following game between a probabilistic polynomial time adversary $A_{2}$ and challenger.

The challenger runs the initialization algorithm and gives the system public parameter $param$ to $A_{2}$ .

When $A_{2}$ issues private key generation query for an entity $u_{0}$ , the challenger runs the key generation algorithm to obtain the corresponding private key $s k_{u_{0}}$ and sends it to $A_{2}$ .

When $A_{2}$ issues signature generation query on some message $m$ with regard to identity $u_{0}$ , the challenger returns signature $σ_{2}$ .

Finally, $A_{2}$ outputs $(u_{0}', m', σ_{2}')$ , where $σ_{2}'$ is a signature of message $m'$ for entity $u_{0}'$ .

Adversary $A_{2}$ wins the game if $u_{0}'$ has not been queried for the private key and $m'$ has not been queried for the signature with regard to identity $u_{0}'$ . If the probability of $A_{2}$ outputs a valid signature $σ_{2}'$ of identity $u_{0}'$ in polynomial time $t$ is at most $ε_{2}$ after the adversary $A_{2}$ makes no more than $q_{k}$ key generation queries and $q_{s}$ signing queries, then the scheme is said to be $(ε_{2}, t)$ -secure under $A_{2}$ attack in the sense of existentially unforgeable against adaptively chosen message attacks.

Identity-based aggregate authentication scheme

The security of the proposed scheme depends on the following discrete logarithm (DLog) problem.

Discrete logarithm problem: Let $G$ be a cyclic group of prime-order $q$ with generator $g$ . Given an element $g^{x} \in G$ where $x \in Z_{q}$ , compute $x$ . If no algorithm with running time at most $t$ can solve the DLog problem with probability at least $ε$ , it is said that the $(ε, t)$ -DLog assumption holds in cyclic group $G$ .

Scheme design

The controller performs mutual authentication with sensor nodes in a group, where the validity of each entity’s identity can be checked through aggregate authentication. Figure 2 shows the authentication process of the proposed scheme.

Figure 2.

Mutual authentication between controller and sensors.

Initialization

PKG chooses a cyclic group $G$ of order $q$ , where $q$ is a large prime and $g$ is a generator of $G$ . PKG randomly chooses $w \in Z_{q}^{*}$ , computes $W = g^{w}$ , and picks a cryptographic hash function $H : {0, 1}^{*} \to Z_{q}^{*}$ . The system public parameter is $param = (G, q, g, W, H)$ , and the master key is $msk = w$ .

KeyGen

PKG chooses a random integer $r_{j} \in Z_{q}^{*}$ for each entity $u_{j} (j = 0, 1, 2, \dots, n)$ , where $u_{0}$ is the controller and other $u_{j}$ represents sensor nodes. PKG computes

\begin{matrix} R_{j} = g^{r_{j}} \\ s_{j} = r_{j} + H (R_{j} ∥ u_{j}) w mod q \end{matrix}

and gives the private key $(R_{j}, s_{j})$ to entity $u_{j}$ through a secure channel.

Group registration

The controller chooses $l$ group keys $t_{1}, t_{2}, \dots, t_{l} \in Z_{q}^{*}$ corresponding to groups $S_{i} (i = 1, 2, \dots, l)$ . When each sensor node $u_{j} (j = 1, 2, \dots, n)$ performs group registration, the controller specifies a group $S_{i}$ for it and returns the corresponding group key $t_{i}$ .

Group authentication request

When the controller communicates with group $S_{i}$ , it needs to mutually authenticate with all nodes in such group. The controller sets

S_{i} = {u_{ℓ} : 1 \leq ℓ \leq λ_{i}}

where $λ_{i}$ denotes the number of sensor nodes in the group $S_{i}$ . The controller randomly chooses $y_{i}, v_{i}, k_{i} \in Z_{q}^{*}$ for group $S_{i}$ , and computes

Y_{i} = g^{y_{i}}

and

f_{i} (x) = Π_{ℓ = 1}^{λ_{i}} (x - H (u_{ℓ}, v_{i}, t_{i})) + k_{i} = \sum_{ℓ = 0}^{λ_{i}} a_{ℓ} x^{ℓ} mod q

where $a_{λ_{i}} = 1$ . The controller constructs a string

m_{i} = a_{0} ∥ a_{1} ∥ \dots ∥ a_{λ_{i} - 1}

computes

\begin{matrix} h_{i} = H (Y_{i} ∥ R_{0} ∥ m_{i} ∥ S_{i}) \\ z_{i} = y_{i} + h_{i} s_{0} mod q \end{matrix}

and broadcasts signature $(R_{0}, Y_{i}, z_{i})$ , identity $u_{0}$ , and tuple $(v_{i}, m_{i})$ to all sensor nodes in group $S_{i}$ .

Sensor verification and response

After receiving the signature and tuple, each sensor node in group $S_{i}$ computes $h_{i} = H (Y_{i} ∥ R_{0} ∥ m_{i} ∥ S_{i})$ and checks the following equality

g^{z_{i}} = Y_{i} R_{0}^{h_{i}} W^{h_{i} H (R_{0} ∥ u_{0})}

(1)

If equation (1) does not hold, the authentication request from the controller will be rejected. Otherwise, each sensor node $u_{ℓ}$ reconstructs $f_{i} (x)$ according to $m_{i}$ and computes

k_{i} = f_{i} (H (u_{ℓ}, v_{i}, t_{i})) mod q

as session key for secure communication. Then each sensor node $u_{ℓ}$ chooses a random integer $y_{ℓ} \in Z_{q}^{*}$ , computes

\begin{matrix} Y_{ℓ} = g^{y_{ℓ}} \\ h_{ℓ} = H (Y_{ℓ} ∥ R_{ℓ} ∥ H (k_{i}) ∥ S_{i}) \end{matrix}

and

z_{ℓ} = y_{ℓ} + h_{ℓ} s_{ℓ} mod q

and sends the signature $(R_{ℓ}, Y_{ℓ}, z_{ℓ})$ and identity $u_{ℓ}$ to the controller.

Aggregate verification

After the controller receives the signatures and identities from a group $S_{i}$ of sensor nodes, it performs aggregate verification as follows. The controller computes

\begin{matrix} z = \sum_{ℓ = 1}^{λ_{i}} z_{ℓ} mod q \\ Y = Π_{ℓ = 1}^{λ_{i}} Y_{ℓ} \end{matrix}

and $h_{ℓ}$ of each sensor node $u_{ℓ} \in S_{i}$ , and verifies the following equation

g^{z_{i}} \overset{?}{=} Y (Π_{ℓ = 1}^{λ_{i}} R_{ℓ}^{h_{ℓ}}) W^{\sum_{ℓ = 1}^{λ_{i}} h_{ℓ} H (R_{ℓ} ∥ u_{ℓ})}

(2)

If equation (2) does not hold, the authentication responses from sensors will be rejected. Otherwise, the controller is able to communicate with sensor nodes in group $S_{i}$ via session key $k_{i}$ .

Correctness verification

Theorem 1

The proposed authentication scheme for WBAN is correct.

Proof

To prove the correctness of the proposed scheme, we only need to show both equations (1) and (2) hold.

First, each sensor node $u_{ℓ}$ in the group $S_{i}$ can verify the authenticity of the controller by checking equation (1), which is shown as follows

\begin{matrix} Y_{i} R_{0}^{h_{i}} W^{h_{i} H (R_{0} ∥ u_{0})} = g^{y_{i}} g^{r_{0} h_{i}} g^{w h_{i} H (R_{0} ∥ u_{0})} \\ = g^{y_{i} + (r_{0} + wH (R_{0} ∥ u_{0})) h_{i}} \\ = g^{y_{i} + s_{0} h_{i}} \\ = g^{z_{i}} \end{matrix}

Second, the controller can verify the authenticity of all sensor nodes in group $S_{i}$ by checking equation (2), which is shown as follows

\begin{matrix} Y (Π_{ℓ = 1}^{λ_{i}} R_{ℓ}^{h_{ℓ}}) W^{\sum_{ℓ = 1}^{λ_{i}} h_{ℓ} H (R_{ℓ} ∥ u_{ℓ})} = g^{\sum_{ℓ = 1}^{λ_{i}} y_{ℓ}} g^{\sum_{ℓ = 1}^{λ_{i}} r_{ℓ} h_{ℓ}} g^{w \sum_{ℓ = 1}^{λ_{i}} h_{ℓ} H (R_{ℓ} ∥ u_{ℓ})} \\ = g^{\sum_{ℓ = 1}^{λ_{i}} (y_{ℓ} + r_{ℓ} h_{ℓ} + w h_{ℓ} H (R_{ℓ} ∥ u_{ℓ}))} \\ = g^{\sum_{ℓ = 1}^{λ_{i}} (y_{ℓ} + s_{ℓ} h_{ℓ})} \\ = g^{z} \end{matrix}

Therefore, the signatures generated by the controller and all sensor nodes in a group can be successfully verified. Thus, the proposed authentication scheme for WBAN is correct.□

Security analysis

This section analyzes the security of the proposed scheme.

Theorem 2

The proposed scheme can ensure the authenticity of sensors during the authentication process. That is, the proposed scheme is $(ε_{1}, t)$ -secure in the sense of existentially unforgeability against adaptively chosen message attacks under the $(ε_{1}', t')$ -DLog assumption, where

\begin{matrix} ε_{1}' = (1 - \frac{q_{h} (q_{k} + q_{s} + q_{r})}{q}) {((1 - \frac{1}{q}) (\frac{1}{q_{h}}))}^{3} ε_{1} \\ t' = t + O (q_{k} + q_{s}) e \end{matrix}

and $q_{k}, q_{s}, q_{r}, q_{h}$ are the number of key generation, group registration, signing, and hash queries that the adversary $A_{1}$ is allowed to make, respectively, and $e$ is the time for an exponentiation operation.

Proof

Suppose an adversary $A_{1}$ can forge a valid signature of an entity $u$ . We construct an algorithm $B_{1}$ to solve the DLog problem using $A_{1}$ . $B_{1}$ is given a cyclic group $G$ with generator $g$ and prime-order $q$ , and an element $A \in G$ . The goal of $B_{1}$ is to find $α \in Z_{q}$ so that $g^{α} = A$ . The following proof for Theorem 2 follows the standard framework established in Liu et al.’s³⁵ scheme.

$Initialization$ : $B_{1}$ selects a hash function $H : {0, 1} \to Z_{q}$ . $B_{1}$ sets $W = A$ , and sends the public parameter $param = (G, g, q, W, H)$ to $A_{1}$ .

$Key generation queries$ : When $A_{1}$ queries the $KeyGen$ for identity $u$ , $B_{1}$ performs the following simulation operation. It first randomly selects $a, b \in Z_{q}$ , and then calculates $R = W^{a} g^{b}, s = b, H (R ∥ u) = - a$ . $B_{1}$ sends $(R, s)$ to $A_{1}$ and stores $(R, s, H (R ∥ u), u)$ in list $L_{1}$ .

$Group registration queries$ : When $A_{1}$ queries the $Group registration$ for a group $S$ , $B_{1}$ randomly selects $t \in Z_{q}$ as the group key and sends it to the corresponding $S$ .

$Hash queries$ : We consider the following cases.

$Queries 1$ : When $A_{1}$ issues a query on $H (u_{l} ∥ v_{i} ∥ t_{i})$ , $B_{1}$ checks whether $H (u_{l} ∥ v_{i} ∥ t_{i})$ is in list $L_{2}$ . If not, $B_{1}$ selects $h_{x} \in Z_{q}$ , sets $h_{x} = H (u_{l} ∥ v_{i} ∥ t_{i})$ and stores $(u_{l}, v_{i}, t_{i}, h_{x})$ in the list $L_{2}$ . $B_{1}$ gives $h_{x}$ to $A_{1}$ .

$Queries 2$ : When $A_{1}$ issues a query on $H (k_{i})$ , $B_{1}$ checks whether $H (k_{i})$ is in list $L_{3}$ . If not, $B_{1}$ selects $h \in Z_{q}$ , sets $H (k_{i}) = h$ and stores $(k_{i}, h)$ in the list $L_{3}$ . $B_{1}$ gives $h$ to $A_{1}$ .

$Queries 3$ : When $A_{1}$ issues a query on $H (Y_{l} ∥ R_{l} ∥ H (k_{i}) ∥ S_{i})$ , if the query tuple does not exist in list $L_{4}$ , then $B_{1}$ selects $h_{l} \in Z_{q}$ , sets $H (Y_{l} ∥ R_{l} ∥ H (k_{i}) ∥ S_{i}) = h_{l}$ and stores $(Y_{l}, R_{l}, H (k_{i}), S_{i}, h_{l})$ in the list $L_{4}$ . $B_{1}$ gives $h_{l}$ to $A_{1}$ .

$Signing queries$ : When $A_{1}$ requests the signature of a sensor $u_{l}$ in group $S_{i}$ , $B_{1}$ first checks whether $u_{l}$ has been queried for private key and the group key of group $S_{i}$ . If so, $B_{1}$ retrieves $(R, s, H (R ∥ u), u)$ , $(u_{l}, v_{i}, t_{i}, h_{x})$ , $(k_{i}, h)$ , and $(Y_{l}, R_{l}, H (k_{i}), S_{i}, h_{l})$ from $L_{1}$ , $L_{2}$ , $L_{3}$ , and $L_{4}$ , respectively, and produces a signature $σ_{1}$ accordingly. If not, $B_{1}$ first invokes key generation query, group registration query, and hash query and then produces the signature.

$Output$ : $A_{1}$ outputs a forged signature $σ_{1}^{*} = (Y^{*}, R^{*}, z_{1}^{*})$ about message $m^{*}$ and identity $u^{*}$ . Repeat again, $A_{1}$ outputs another two valid signatures $σ_{2}^{*} = (Y^{*}, R^{*}, z_{2}^{*})$ and $σ_{3}^{*} = (Y^{*}, R^{*}, z_{3}^{*})$ . Let $h_{i}^{(j)} (j = 1, 2, 3)$ represent the different outputs of the hash queries.

Note that $z_{j}^{*} = y + h_{i}^{(j)} r + h_{i}^{(j)} wH (R^{*} ∥ u) mod q$ for $j = 1, 2, 3$ , where $y, r, w$ are not known by $B_{1}$ . Let $Y = g^{y}$ , $R = g^{r}$ , and $W = A = g^{α}$ . As long as the above three linear equations are solved, $B_{1}$ can get the value of $α$ , which solves the given DLog problem instance.

$Reduction analysis$ : If $H (R ∥ u)$ assigned by the random oracle is inconsistent with that in $L_{1}$ , then the key generation queries simulation fails, and the probability is at most $q_{h} / q$ . Therefore, the simulation of a valid signature is successful $q_{k} + q_{s} + q_{r}$ times with probability at least ${(1 - (q_{h} / q))}^{q_{k} + q_{s} + q_{r}}$ .

{(1 - \frac{q_{h}}{q})}^{q_{k} + q_{s} + q_{r}} \geq 1 - \frac{q_{h} (q_{k} + q_{s} + q_{r})}{q}

In the hash queries, due to its ideal randomness, the hash query is always queried with a probability of $1 - (1 / q)$ . $B_{1}$ guesses that $H (u_{l} ∥ v_{i} ∥ t_{i})$ matches $h_{x}$ in $L_{2}$ with probability of $1 / q_{h}$ , $H (k_{i})$ matches $h$ in $L_{3}$ with probability of $1 / q_{h}$ , and $H (Y_{l} ∥ R_{l} ∥ H (k_{i}) ∥ S_{i})$ matches $h_{l}$ in $L_{4}$ with probability of $1 / q_{h}$ . Thus, the overall probability of success is

ε_{1}' = (1 - \frac{q_{h} (q_{k} + q_{s} + q_{r})}{q}) {((1 - \frac{1}{q}) (\frac{1}{q_{h}}))}^{3} ε_{1}

The time complexity of $B_{1}$ is determined by key generation queries and signing queries, which is $t' = t + O (q_{k} + q_{s}) e$ .□

Theorem 3

The proposed scheme can ensure the authenticity of controller during the authentication process. That is, the proposed scheme is $(ε_{2}, t)$ -secure in the sense of existentially unforgeability against adaptively chosen message attacks under the $(ε_{2}', t')$ -DLog assumption, where

\begin{matrix} ε_{2}' = (1 - \frac{q_{h} (q_{k} + q_{s})}{q}) {((1 - \frac{1}{q}) (\frac{1}{q_{h}}))}^{2} ε_{2} \\ t' = t + O (q_{k} + q_{s}) e \end{matrix}

and $q_{k}, q_{s}, and q_{h}$ are the number of key generation, signing, and hash queries that the adversary $A_{2}$ is allowed to make, respectively, and $e$ is the time for an exponentiation operation.

Proof

Suppose an adversary $A_{2}$ can forge a valid signature of an entity $u_{0}$ . We construct an algorithm $B_{2}$ to solve the DLog problem using $A_{2}$ . $B_{2}$ is given a cyclic group $G$ with generator $g$ and prime order $q$ , and an element $A \in G$ . The goal of $B_{2}$ is to find $α \in Z_{q}$ so that $g^{α} = A$ .

$Initialization$ : This phase directly follows from the $Initialization$ of Theorem 2.

$Key generation queries$ : This phase directly follows from the $Key generation queries$ of Theorem 2.

$Hash queries$ : We consider the following cases.

$Queries 1$ : When $A_{2}$ issues a query on $H (Y_{i} ∥ R_{0} ∥ m_{i} ∥ S_{i})$ , if the query tuple does not exist in $L_{5}$ , then $B_{2}$ selects $h_{i} \in Z_{q}$ , sets $h_{i} = H (Y_{i} ∥ R_{0} ∥ m_{i} ∥ S_{i})$ and stores $(Y_{i}, R_{0}, m_{i}, h_{i})$ in the list $L_{5}$ . $B_{2}$ gives $h_{i}$ to $A_{2}$ .

$Queries 2$ : The hash queries here are consistent with the $Queries 1$ in Theorem 2.

$Signing queries$ : When $A_{2}$ requests the signature of identity $u_{0}$ and message $m_{i}$ to communication with group $S_{i}$ , $B_{2}$ first checks whether the private key of $u_{0}$ has been queried. If so, $B_{2}$ retrieves $(R_{0}, s, H (R_{0} ∥ u_{0}), u_{0})$ , $(Y_{i}, R_{0}, m_{i}, h_{i})$ , and $(u_{l}, v_{i}, t_{i}, h_{x})$ from $L_{1}$ , $L_{5}$ , and $L_{2}$ , respectively, and generates the signature $σ_{2}$ accordingly. If not, $B_{2}$ first invokes key generation query on $u_{0}$ and hash queries, and then produces the signature.

$Output$ : $A_{2}$ outputs a forged signature $σ_{1}^{*} = (Y^{*}, R_{0}^{*}, z_{1}^{*})$ about message $m^{*}$ and identity $u_{0}^{*}$ . Repeat again, $A_{2}$ outputs another two valid signatures $σ_{2}^{*} = (Y^{*}, R_{0}^{*}, z_{2}^{*})$ and $σ_{3}^{*} = (Y^{*}, R_{0}^{*}, z_{3}^{*})$ . Let $h_{i}^{(j)} (j = 1, 2, 3)$ represent the different outputs of the hash queries.

Note that $z_{j}^{*} = y + h_{i}^{(j)} r + h_{i}^{(j)} wH (R_{0}^{*} ∥ u_{0}) mod q$ for $j = 1, 2, 3$ , where $y, r_{0}, w$ are not known by $B_{2}$ . Let $Y = g^{y}$ , $R_{0} = g^{r_{0}}$ , and $W = A = g^{α}$ . As long as the above three linear equations are solved, $B_{2}$ can get the value of $α$ , which solves the given DLog problem instance.

$Reduction analysis$ : If $H (R_{0} ∥ u_{0})$ assigned by the random oracle is inconsistent with that in $L_{1}$ , then the key generation queries simulation fails, and the probability is at most $q_{h} / q$ . Therefore, the simulation of a valid signature is successful $q_{k} + q_{s}$ times with probability at least ${(1 - (q_{h} / q))}^{q_{k} + q_{s}}$

{(1 - \frac{q_{h}}{q})}^{q_{k} + q_{s}} \geq 1 - \frac{q_{h} (q_{k} + q_{s})}{q}

In the hash queries, due to its ideal randomness, the hash query is always queried with a probability of $1 - (1 / q)$ . $B_{2}$ guesses that $H (Y_{i} ∥ R_{0} ∥ m_{i} ∥ S_{i})$ matches $h_{i}$ in $L_{5}$ with probability of $1 / q_{h}$ , and $H (u_{l} ∥ v_{i} ∥ t_{i})$ matches $h_{x}$ in $L_{2}$ with probability of $1 / q_{h}$ . Thus, the overall probability of success is

ε_{2}' = (1 - \frac{q_{h} (q_{k} + q_{s})}{q}) {((1 - \frac{1}{q}) (\frac{1}{q_{h}}))}^{2} ε_{2}

The time complexity of $B_{2}$ is determined by key generation queries and signing queries, which is $t' = t + O (q_{k} + q_{s}) e$ .□

Theorem 4

The proposed scheme can guarantee the confidentiality of the session key, that is, only the legitimate controller and sensor nodes in the group can get the session key after authentication.

Proof

The session key $k_{i}$ of the scheme is selected by the controller and used to construct polynomial $f_{i} (x)$ . All sensor nodes in the group can get the the group key $t_{i}$ in the group registration phase, which can be used to recover $k_{i}$ . For recovering the session key $k_{i}$ , the sensor nodes have to conduct the verification procedure to confirm the authenticity of the controller. If the authentication request sent by the legitimate controller can be successfully verified by the sensor node in the group, the sensor nodes can obtain the session key $k_{i}$ and then use it to communicate with the controller. The controller can performs aggregate authentication when it received all responses of sensors. Only when the verification is passed, $k_{i}$ will be used as the communication key. Thus, the privacy and security of the session key can be guaranteed by the proposed scheme.□

Replay attack

In the authentication phase of the proposed scheme, random numbers $(v_{i}, k_{i})$ will be reselected in every authentication request. Therefore, the proposed scheme can effectively resist replay attacks.

Forward security

In the proposed scheme, the session key is randomly selected. Thus, if the adversary obtains a session key, it would be unable to deduce the session keys in previous stages. Therefore, the proposed scheme can ensure the forward security.

Table 1 shows the comparison of security property. All schemes except SCSLS I²⁰ allow mutual authentication between sensors and the controller in the form of group. The difference is that the controller in our scheme can perform aggregate authentication on all signatures of sensor nodes in the group, which improves the efficiency of authentication. Whereas the other authentication schemes do not support aggregation verification and require the members in the group to be authenticated one by one. Moreover, our scheme and the ones in Tan and Chung’s³⁶ scheme and Huang et al.³⁷ scheme support the distribution of the session key during authentication, while GDP⁸ and SCSLS I²⁰ require symmetric encryption to obtain the group key after authentication and then establish the session key. Thus, the solutions in GDP⁸ and SCSLS I²⁰ do not enjoy high efficiency in session key generation.

Table 1.

Security properties comparison.

	Group authentication	Aggregate verification	Session key distribution	Unforgeability	Replay attack	Forward security
GDP⁸	Y	N	N	N	N	Y
SCSLS I²⁰	N	N	N	Y	N	Y
Tan and Chung’s³⁶ scheme	Y	N	Y	Y	Y	N
Huang et al.’s³⁷ scheme	Y	N	Y	Y	Y	N
Our scheme	Y	Y	Y	Y	Y	Y

Y: supported; N: not supported.

Moreover, GDP⁸ is vulnerable to replay attack and forgery attack, SCSLS I²⁰ cannot resist replay attacks, and Tan and Chung’s³⁶ scheme and Huang et al.’s³⁷ scheme cannot achieve forward security. It can be seen from the Table 1 that the proposed scheme has more security functionalities than the existing schemes.

Performance analysis

Efficiency analysis

This section compares the efficiency of the proposed scheme with existing ones in terms of computation costs at each stage. In Table 2, the exponentiation operation is represented as $E$ , the hash operation as $H$ , the bilinear pairing computation as $B$ , and the number of sensor nodes participating in authentication as $n$ .

Table 2.

Theoretical computation overhead comparison.

	Group authentication request	Sensor verification	Sensor response	Controller verification	Group key generation
GDP⁸	$3 E + 1 H$	$nH$	$3 E + 1 H$	$nH$	$1 H$
SCSLS I²⁰	$(n + 1) E + nH$	$2 E + 1 H$	$1 E + 1 H$	$1 E + nH$	$nE$
Tan and Chung’s³⁶ scheme	$2 E + 3 H$	$2 H$	$8 E + 7 H$	$(8 n + 1) E + (6 n + 2) H$	–
Huang et al.’s³⁷ scheme	$2 nH + nB$	$2 H + 1 B$	$2 E + 1 B$	$nH + 2 nB$	–
Our scheme	$1 E + (n + 1) H$	$3 E + 2 H$	$1 E + 2 H$	$(n + 2) E + 2 nH$	–

As shown in Table 2, for the group authentication request generation phase, the computational complexity of our scheme and the ones in SCSLS I²⁰ and Huang et al.’s³⁷ scheme are determined by the number of sensor nodes in the group, while the complexity in GDP⁸ and Tan and Chung’s³⁶ scheme is independent of the number $n$ . Note that the computational complexity of our scheme is higher than that of SCSLS I²⁰ and Huang et al.’s³⁷ scheme, since our scheme needs to construct a polynomial containing the session key. In sensor verification phase, the computation complexity of GDP⁸ is determined by the number of sensors in the group to evaluate hashes. For the controller verification phase, the computation complexity of existing schemes are determined by the number of sensor nodes. The proposed scheme requires more $(n + 2)$ and $(n + 1)$ exponentiation operations than GDP⁸ and SCSLS I,²⁰ respectively, since our scheme allows strict authentication between the controller and sensor nodes. Also, the proposed scheme requires less $(7 n - 1)$ exponentiation operations and $(4 n + 2)$ hash operations than Tan and Chung’s³⁶ scheme. Besides, Huang et al.’s³⁷ scheme requires $n$ hash operations and $2 n$ bilinear pairing operations. Note that in the group key generation phase, there is no heavy computations in our scheme, since the group key has been distributed to the sensors in the group registration phase, while SCSLS I²⁰ has to take $n$ exponentiation operations.

Communication cost analysis

This section compares the communication cost of the proposed scheme with related ones.^8,20,36,37 Suppose the length of random number, identity, time stamp, hash value, the element in cyclic group $G$ are 160 bits, 128 bits, 32 bits, 256 bits, 512 bits, respectively. The controller in our scheme needs to send the signature, identity, and random number to sensors, which communication cost is 512 + 512 + 160 + 128 + 160 = 1472 bits. The sensors send the response message to the controller, which communication cost is 512 + 512 + 160 + 128 = 1312 bits. Similarly, in GDP,⁸ SCSLS I,²⁰ Tan and Chung’s³⁶ scheme and Huang et al.’s³⁷ scheme, the communication overheads of the controller for sending messages to sensors is 2080 bits, 1568 bits, 1056 bits, 1184 bits, respectively, and the communication overheads of the sensor’s response is 2080 bits, 1408 bits, 1568 bits, 256 bits, respectively.

The comparison of communication cost is summarized in Table 3. It can be seen that the total communication cost of the proposed scheme is better than the GDP⁸ and SCSLS I²⁰ schemes. Although it is higher than the schemes in Tan and Chung’s³⁶ scheme and Huang et al.’s³⁷ scheme, our scheme is able to resist more types of attacks.

Table 3.

Communication overhead comparison.

	Controller → sensor (bits)	Sensor → controller (bits)	Total cost (bits)
GDP⁸	2080	2080	4160
SCSLS I²⁰	1568	1408	2976
Tan and Chung’s³⁶ scheme	1056	1568	2624
Huang et al.’s³⁷ scheme	1184	256	1440
Our scheme	1472	1312	2784

Experimental analysis

In this section, the code is implemented based on the pairing-based cryptography library (PBC-0.5.14, https://crypto.stanford.edu/pbc/). The simulation is conducted run on a virtual machine with 4-core 4GB memory, 64 bit Linux Ubuntu 18.04 operating system, and Intel (R) core (TM) i7-8550u CPU (1.80 GHz). Figure 3 compares the time required in each phase of mutual authentication between 100 sensor nodes and the controller. The element of cyclic group is 512 bits, and the length of $q$ is 160 bits.

Figure 3.

Performance of mutual authentication between sensor nodes and controller in each phase.

As shown in Figure 3, Tan and Chung’s³⁶ scheme takes less time than our scheme in the group authentication request generation and sensor verification phases. Our scheme needs to distribute the session key during authentication, while Tan and Chung’s³⁶ scheme distributes the key after authentication. Moreover, in the controller verification phase, our scheme shows distinct advantages. Another outstanding feature is that Huang et al.’s³⁷ scheme needs more time in each stage than other schemes. Besides, SCSLS I²⁰ and our scheme have almost the same efficiency in the group authentication request generation and sensor verification phases, and our scheme is more efficient than SCSLS I²⁰ in the controller verification phase. Compared with GDP,⁸ our scheme enjoys higher computational efficiency in all phases except sensor verification.

As shown in Figure 4, the mutual authentication performance is compared, where the group size is considered to be $25, 50, \dots, 200$ , respectively. when the number of sensors in a group is small, except Huang et al.’s³⁷ scheme, other existing schemes have almost the same computational efficiency to complete mutual authentication. When the number of nodes increases, the computing efficiency of our scheme is slightly better than SCSLS I.²⁰ Particularly, both schemes show a linear growth of computation cost with slow growth trend. Compared with GDP⁸ and Tan and Chung’s³⁶ scheme, the proposed scheme presents obvious advantages in performing controller aggregate verification to validate the authenticity of sensor nodes. Especially, when the number of nodes increases, the time required for GDP⁸ to complete authentication increases rapidly, which makes the communication efficiency of GDP⁸ is lower than our scheme. Therefore, the aggregate authentication mechanism within a group is more efficient than validation one by one. Due to the involved bilinear pairing operations, the mutual authentication time of Huang et al.’s³⁷ scheme has low authentication efficiency.

Figure 4.

Performance comparison of mutual authentication.

In the mutual authentication phase, after the controller receives the signature of all sensor nodes, it needs to verify the authenticity of their identities, so as to share the session key with sensor nodes in the group. When there are multiple sensor nodes, the efficiency comparison between aggregate verification and single verification is shown in Figure 5. It can be seen that for the same number of nodes, the time required for aggregate verification is less than that for single verification. Moreover, when the number of nodes increases, the time required for aggregate verification shows a better linear relationship with the number of nodes, and the growth rate of running time is slower than that for single verification.

Figure 5.

Time comparison between aggregate and single verification.

From the above analysis, it can be seen that our scheme can not only ensure the authenticity of each entity’s identity in WBAN and the confidentiality of session key during mutual authentication but also enjoys higher computing efficiency than single verification. Compared with existing schemes, the proposed scheme has lower computation cost, lower communication cost, and higher authentication efficiency.

Conclusion

To address the problems of identity authentication and key distribution of WBAN with a large number of sensor nodes, this article proposed a group authentication and session key distribution scheme supporting aggregate authentication. The controller can verify the authenticity of all sensor nodes in the way of aggregation, which improves the efficiency of mutual authentication between the controller and each sensor node. At the same time of mutual authentication, the session key can be shared between the controller and valid sensor nodes. Security analysis showed that the proposed scheme can resist impersonate attacks, assuming the discrete logarithm problem is hard and can guarantee the confidentiality of the session key. Theoretical performance analysis and experimental results indicated that, compared with existing schemes, our scheme has less computational overhead and higher authentication efficiency. Regarding future research, we would study the efficient joining and exiting of sensor nodes without revealing any private information.

Footnotes

Handling Editor: Benny Lo

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This article is supported in part by the National Natural Science Foundation of China (grant nos. 61772150, 61862012, and 61962012); the Guangxi Natural Science Foundation (grant nos. 2019GXNSFFA245015, 2019GXNSFGA245004, and AD19245048); the Peng Cheng Laboratory Project of Guangdong Province (grant no. PCL2018KP004); the Guangxi Young Teachers’ Basic Ability Improvement Program (grant no. 2021KY0214); the Open Program of Guangxi Key Laboratory of Cryptography and Information Security (grant no. GCIS201930); and the Innovation Projects of GUET Graduate Education (grant nos. 2021YCXS116 and 2021YCXS115).

ORCID iD

Hui Xu

References

Islam

SMR

Lloret

Zikria

YB.

Internet of things (IoT)-based wireless health: enabling technologies and applications. Electronics 2021; 10(2): 148.

Malik

MSA

Ahmed

Abdullah

, et al. Wireless body area network security and privacy issue in e-healthcare. Int J Adv Comput Sci Appl 2018; 9(4): 209–215.

Wang

Data security mix transmission mechanism in body area network. Comput Sci 2018; 45(5): 102–107.

Gao

Liu

Feng

, et al. Monitoring system design for rehabilitating training based on wireless body area network. Comput Technol Develop 2014; 24(9): 234–237.

Latré

Braem

Moerman

, et al. A survey on wireless body area networks. Wirel Netw 2011; 17(1): 1–18.

Gao

Yang

, et al. Research on privacy preservation in wireless body area network. Appl Res Comput 2013; 30(11): 3209–3215.

Huang

Research on secret key generation based on wireless channel characteristics. Doctoral Thesis, Beijing University of Posts and Telecommunications, Beijing, China, 2015.

Lou

, et al. Group device pairing based secure sensor association and key management for body area networks. In: Proceedings of the 2010 IEEE INFOCOM, San Diego, CA, 14–19 March 2010, pp.1–9. New York: IEEE.

Ding

Wang

. Group authentication for sensors in wireless body area network. In: Wang

Chen

, et al. (eds) Security, privacy, and anonymity in computation, communication, and storage, vol. 12383. Cham: Springer, pp.191–199.

10.

Yang

Wang

Pei

, et al. Security analysis and improvement of a certificateless signature scheme in the standard model. Acta Electron Sin 2019; 47(9): 1972–1978.

11.

Yang

Pei

Chen

, et al. A strongly unforgeable certificateless signature scheme and its application in iot environments. Sensors 2019; 19(12): 2692.

12.

Mwitende

Ali

, et al. Certificateless authenticated key agreement for blockchain-based WBANs. J Syst Architect 2020; 110: 101777.

13.

Huang

Zhang

Efficient anti-replay identity-based signature scheme for wireless body area network. J Cryptol Res 2017; 4(5): 447–457.

14.

Chen

, et al. A lightweight anonymous mutual authentication and key agreement scheme for WBAN. Concurr Comput Pract Exp 2019; 31(4): e5295.

15.

Thumbur

Rao

Reddy

, et al. Efficient pairing-free certificateless signature scheme for secure communication in resource-constrained devices. IEEE Commun Lett 2020; 24(8): 1641–1645.

16.

Luo

Khan

, et al. Analysis and improvement of a certificateless signature scheme for resource-constrained scenarios. IEEE Commun Lett 2021; 25: 1074–1078.

17.

Yuan

Peng

Liu

, et al. A novel approach to authenticated group key transfer protocol based on AG codes. High Technol Lett 2019; 25(2): 129–136.

18.

Keoh

Lupu

Sloman

. Securing body sensor networks: sensor association and key management. In: Proceedings of the 2009 IEEE international conference on pervasive computing and communications, Galveston, TX, 9–13 March 2009, pp.1–6. New York: IEEE.

19.

Shen

Chang

Shen

, et al. A lightweight multi-layer authentication protocol for wireless body area networks. Fut Gener Comput Syst 2018; 78(3): 956–963.

20.

Liu

Jin

An improved two-layer authentication scheme for wireless body area networks. J Med Syst 2018; 42(8): 143–157.

21.

Tan

Chung

A secure and efficient group key management protocol with cooperative sensor association in WBANs. Sensors 2018; 18(11): 3930.

22.

Shu

Chen

Xie

, et al. An aggregate signature scheme based on a trapdoor hash function for the internet of things. Sensors 2019; 19(19): 4239.

23.

Hsu

Harn

Zeng

UMKESS: user-oriented multi-group key establishments using secret sharing. Wirel Netw 2020; 26(1): 421–430.

24.

Kuo

Luk

Negi

, et al. Message-in-a-bottle: user-friendly and secure key deployment for sensor nodes. In: Proceedings of the 5th international conference on embedded networked sensor systems (SenSys’07), Sydney, NSW, Australia, 6–9 November 2007, pp.233–246. New York: ACM.

25.

Benmansour

Moussaoui

Ahmed

, et al. Server-based secure key management for the IEEE 802.15.6 standard. In: Proceedings of the 2020 IEEE symposium on computers and communications (ISCC), Rennes, 7–10 July 2020, pp.1–6. New York: IEEE.

26.

Zhang

Liu

A compressed sensing based detection for star topology WSNs. J Taiyuan Univ Technol 2018; 49(3): 473–477.

27.

Ibrahim

Kumari

, et al. Anonymous mutual authentication and key agreement scheme for wearable sensors in wireless body area networks. Comput Netw 2017; 129(24): 429–443.

28.

Almuhaideb

Alqudaihi

KS.

A lightweight three-factor authentication scheme for WHSN architecture. Sensors 2020; 23(6860): 6860.

29.

Xiong

Qin

Revocable and scalable certificateless remote authentication protocol with anonymity for wireless body area networks. IEEE Trans Inform Foren Sec 2015; 10(7): 1442–1455.

30.

Shim

. Comments on “revocable and scalable certificateless remote authentication protocol with anonymity for wireless body area networks.” IEEE Trans Inform Foren Sec 2020; 15(1): 81–82.

31.

Cai

Niu

An improved extended Kalman algorithm for pseudo code tracking optimization simulation. Comput Simul 2019; 36(8): 258–261.

32.

Abro

Deng

Memon

KA.

A lightweight elliptic-ElGamal-based authentication scheme for secure device-to-device communication. Fut Intern 2019; 11(5): 108.

33.

Jegadeesan

Azees

Ramesh Babu

, et al. EPAW: efficient privacy preserving anonymous mutual authentication scheme for wireless body area networks (WBANs). IEEE Access 2020; 8(99): 48576–48586.

34.

Wang

Huang

Zhang

, et al. Secure and efficient mutual authentication protocol for smart grid under blockchain. Peer Peer Netw Appl 2021; 14: 2681–2693.

35.

Liu

Baek

Zhou

, et al. Efficient online/offline identity-based signature for wireless sensor network. Int J Inform Secur 2010; 9(4): 287–296.

36.

Tan

Chung

Secure authentication and group key distribution scheme for WBANs based on smartphone ECG sensor. IEEE Access 2019; 7: 151459–151474.

37.

Huang

Liu

Security authentication protocol for nodes in wireless sensor networks based on clusters. Comput Eng 2016; 42(7): 117–122, 128.

Group authentication and key distribution for sensors in wireless body area network

Abstract

Keywords

Introduction

Our contributions

Article organization

Related works

System model and security requirements

System model

Security requirements

Security model

Identity-based aggregate authentication scheme

Scheme design

Initialization

KeyGen

Group registration

Group authentication request

Sensor verification and response

Aggregate verification

Correctness verification

Theorem 1

Proof

Security analysis

Theorem 2

Proof

Theorem 3

Proof

Theorem 4

Proof

Replay attack

Forward security

Performance analysis

Efficiency analysis

Communication cost analysis

Experimental analysis

Conclusion

Footnotes

Declaration of conflicting interests

Funding

ORCID iD

References