An Improved User Authentication Protocol for Healthcare Services via Wireless Medical Sensor Networks

The healthcare service sector is one of the major applications of Wireless Sensor Networks (WSNs), where the network is known as a Wireless Medical Sensor Network (WMSN). It deploys tiny medical sensor-nodes (MS-nodes) on the body of the patient to sense crucial physiological signs which can be accessed and analyzed by registered medical professionals. Recently, Khan et al. analyzed Kumar et al.'s scheme proposed for healthcare applications using WMSNs and observed that the scheme is susceptible to many security weaknesses if an adversary extracts the information from the lost smart card of some user. The adversary can access a patient's physiological data without knowing the actual password, can deceive medical professionals by sending fake information about patients, can guess the password of a user from the corresponding smart card, and so forth. Besides, the scheme fails to resist insider attack, lacks user anonymity, and the session key shared between the user and the MS-node is insecure. To overcome these problems, we propose an improved user authentication scheme for healthcare applications using WMSNs. We show that the scheme is free from the identified weaknesses and excels in performance and efficiency.


Introduction
Healthcare sector is witnessing a transition from traditional human-labor-dependent services to technology-based smart services. This changeover is the outcome of Wireless Medical Sensor Networks (WMSNs), a transmission technology employed by medical professionals (like nurses, doctors, etc.) to obtain the information like blood pressure, pulse rate, body temperature, ECG of the patients. This is achieved by deploying tiny MS-nodes like blood pressure sensors, pulse oximeter, body temperature sensors, and ECG electrodes on the body of patient. The MS-nodes sense physiological information from patient's body and then transmit it to the professionals in a wireless manner. Consequently, it cuts the cost of the human labor required for the purpose and facilitates the health professionals to observe and treat the patients as and when required. But patient's personal medical data may be misused by adversaries like corrupt persons, personal enemies, health insurance professionals, and so forth. Thus, there is need for the security of WMSNs to ensure access to patient's physiological information only to the authorized health professionals. Employing a user authentication scheme is a suitable method to achieve the desired security and establish a secure, efficient, and reliable healthcare environment via WMSNs.
After the development of simple user authentication schemes like [1][2][3][4][5][6], schemes for Wireless Sensor Networks (WSNs) [7][8][9][10][11][12][13] have also attracted a large community of researchers. Some work has also been proposed for healthcare applications using WSNs [14][15][16][17]. In 2012, Kumar et al. [18] observed that most of the schemes proposed for WSNs such as [9,10,12,13] fall short to provide security and also require heavy computational load and high communication cost. They proposed a user authentication scheme using WMSNs for healthcare applications and called it an Efficient-Strong Authentication Protocol (E-SAP) [18]. They claimed that their scheme achieves mutual authentication between the user and the MS-node and also establishes session key between them. They found their scheme finer than other existing protocols concerning cost, performance, and security. Subsequently, Khan et al. [19] identified that the scheme of Kumar et al. suffers from many security problems if an adversary extracts the information from the stolen smart card of some user. As a consequence, the scheme is exposed to user impersonation attack and insecure session key generation between user and MS-node. They showed that the scheme does not go with the authors' claim as the mutual authentication between user and MS-node does not imply properly and an adversary can compute the session key to be established between. They also pointed out password guessing attack, insider attack, and MS-node impersonation attack on it. They found that if the identity of any user is revealed, it gives chance to many unauthorized/illegal persons to gain the personal medical data of patients and thereby generates problems for an authorized professional.
We feel that in addition to resisting the prevalent threats, a user authentication scheme for WMSN should also provide user anonymity. Therefore, we propose a user anonymous authentication scheme using WMSNs eradicating the identified weaknesses of Kumar et al.'s scheme. We aim to provide perfect mutual authentication and secure session key generation between the active participants of the authentication protocol in the scheme. The rest of the paper is arranged as follows. Section 2 briefly explains the architecture of WMSN and its benefit in healthcare applications. Kumar et al.'s scheme is reviewed in Section 3. Section 4 gives review of the analysis of Kumar et al.'s scheme by Khan et al. The proposed scheme is illustrated in Section 5, and its security analysis and performance comparison are presented in Sections 6 and 7, respectively. To end with, Section 8 gives the conclusion of this paper. In this paper, we use professional and user interchangeably.

Architecture of WMSN and Its Benefits in Healthcare Services
The architecture of the Wireless Medical Sensor Network is depicted by Figure 1. There are four parties involved in the user authentication protocol employing WMSN as described below:
(i) Users: medical professionals like nurses, doctors, and so forth, looking for physiological data of the patient via WMSN.
(ii) MS-nodes: tiny sensors like temperature sensor, pulse oximeter, and so forth, deployed on the body of the patients.
(iii) GW-node: a powerful master node which plays the role of the registering authority and acts as an interface between the user and the MS-node.
(iv) Patients: they are under vigilance of medical professionals by means of MS-nodes for treatment.
First three participants are the active parties of the user authentication scheme. MS-nodes are tiny sensors having low processing power, limited computational capabilities, and limited energy and storage capacity [20]. GW-node is a powerful node with sufficiently large processing power, computational capabilities, and energy and storage capacity [20]. A user registers itself to the GW-node to become a valid user of the system. Whenever a user (medical professional) wishes to obtain the physiological data of the patient, he transmits request message to the GW-node. Afterwards, the GW-node verifies the legitimacy of the user; if satisfied, it directs the desired MS-node(s) to answer to the user's request.
Benefits of WMSN in providing healthcare services are as follows: (i) Improvement in healthcare services, (ii) Uninterrupted monitoring of patients, (iii) Saving human labor, time, and money, (iv) Protecting sensitive and private medical data of the patient from various adversaries.

Review of the Scheme Proposed by Kumar et al.
Initially, the GW-node chooses three secret keys denoted as , and , each of 256 bits. The GW-node also shares a secret key   = ℎ( ‖   ) with all deployed MS-nodes by means of some key agreement method [21,22]. The scheme has five phases each of which is described in succession. But before giving detail of each phase of the scheme, we summarize the notations and description used throughout the paper in Notations.

Patient Registration Phase.
A patient has to register itself in registration center of the hospital [23]. Patient submits her/his name to the registration center. On receiving patient's name, the registration center chooses a suitable medical sensor kit (i.e., MS-nodes and GW-node) according to the disease of the patient and assigns medical professionals (users). Then the registration center transmits the identity   of the patient along with medical sensors kit information to the assigned professionals/users. Finally, a technician deploys MS-node on the body of the patient.

Review of the Analysis of Kumar et al.'s Scheme
This section presents a review of the security problems of Kumar et al.'s scheme identified by Khan et al. [19]. This analysis is based on the assumption that an adversary   can recover [24,25] the information stored in smart card.
If   extracts values {ℎ(⋅),   ,   , } from the lost  of a user, then he holds the master key  which is stored in the  of each user (professional).Consequently, the scheme becomes vulnerable to different attacks described as follows.

Lacks User Anonymity.
can obtain the hashed value of the identity of any user by decrypting the first component of the login request. For instance, if   intercepts the login request {  ,   } of , then he can obtain ℎ(  ) by decrypting   using . Having hashed value of user's identity ℎ(  ) in hand,   can guess the corresponding identity   of . Thus, the scheme fails to provide user anonymity.

Password Guessing Attack.
We further extend the above two threats to a more harmful vulnerability. If   successfully guesses the identity   of the user from whose smart card he extracts the secret key , then he can guess the password   of . For this,   guesses   as the probable password, computes   * = ℎ(  ⊕  ⊕), and verifies if   * =   . If so, it implies success of   in guessing the   of . In fact, it is complete violation of security since   holds user's  along with user's identity   and password   so he can behave as the legal user .

Illegal Logged-In Users Using Legal Identity.
can guess the identity   of any user as described in Section 4.2; he can misuse   for crafting other damage to the security of the scheme as described below.
(1)   applies for her/his registration by submitting   and   , where   is a random password chosen by   .
(2) In return, the GW-node provides   a   = {ℎ(⋅),   ,   , } with   = ℎ(  ⊕   ⊕ ) and
The role of password in the login-authentication procedure of the scheme is up to confirming the legitimacy of the user by her/his smart card. From then on, only user's identity   is used to authenticate  at the GW-node. As a result, there are two pictures.
( node. Undoubtedly, the equivalence   * =   confirms the legality of GW-node to MS-node but reverse is not achieved. Thus, GW-node has no way to ensure itself of connecting with real MS-node. Hence, mutual authentication between MS-node and GW-node is not achieved in the scheme. Besides, the authors claim that their scheme achieves mutual authentication between MS-node and user . Mutual authentication between  and MS-node is established using the session key  - = ℎ( ‖   ‖  ‖   ).
But as shown in Sections 4.5 and 4.6,   can compute  - and impersonate   , respectively.Therefore, mutual authentication between  and MS-node is not achieved in the scheme.
4.8. Insider Attack.
For convenience people use the same password for more than one application. During registration phase of the scheme, user submits her/his password plaintext   to GW-node. So, the system administrator at the GW-node easily comes to know the password of each user and he can use it to impersonate  at servers, where  is registered with the same password. Although authors assume the hospital registration center as a trusted authority, we think that often the trustworthy breaches the trust. Therefore, plaintext password   should not be submitted to any second party.

The Proposed Scheme
The proposed scheme has the same number of phases as in Kumar et al.'s scheme. Each of the phases is detailed below along with Tables 1, 2, and 3. The GW-node keeps only one master secret key  (length 256 bits). Besides, the GW-node shares a secret key   = ℎ( ‖   ) with MS-nodes using some key agreement method [21,22].

User Registration Phase.
The user (professional)  registers itself to the GW-node in registration center of the hospital, in the following manner.
(1) User chooses her/his identity   and submits it to the GW-node using a secure channel.

Patient Registration Phase.
This phase is identical to that in Kumar et al.'s scheme so we avoid its explanation here. On receiving { 1 ,   } from the GW-node,  verifies the legitimacy of GW-node as follows.

Login
(5) It checks if (   −  ) > Δ; if so, it dumps the session; otherwise it continues further.

Analysis of the Security of the Proposed Scheme
This section examines the security of the proposed scheme. We will show that the proposed scheme is secure under the same assumption subject to which Kumar et al.'s scheme is attackable. The assumption is that an attacker   can extract [24,25] the information stored inside smart card.
* due to noninvertible nature of hash function. Session key between  and MS-node is  - = ℎ( ‖   ‖   ) which an attacker cannot compute without knowing . Thus, the scheme establishes independent and secure session keys between every pair of the participating entities.
6.6. Resisting Sensor-Node Impersonation Attack.
In order to impersonate the MS-node,   should be able to compute the response messages sent by it to the GW-node and . To compute  1 = ℎ(  ‖   ‖   ) ⊕ ℎ(  ‖   ) and  2 * = ℎ(  ‖  * ‖   * ‖   ) the knowledge of   and  * is required, respectively. Since   = ℎ( ‖   ) is shared secretly by GW-node with MS-node using some key agreement method [21,22] and its computation involves master secret key  and identity   of the GW-node,   cannot access or compute   . Further / * is not retrievable from   ,  1 , and  2 without knowing   and   , respectively. Moreover, one-way property of hash function prohibits extraction of / * from  2 * . Hence   cannot impersonate the MS-node to make fool of the user and GW-node.
6.7. Providing  As just discussed,  is authenticated to the MS-node via message { 2 ,   ,   } with which GW-node is verified. Finally, the legitimacy of MS-node is ensured to  by means of the equivalence  2 =  2 * . In this way, our scheme provides perfect mutual authentication.

Resisting Insider Attack.
During registration phase,  submits only his identity   to the GW-node at the hospital registration center.The GW-node provides secret keys   and   to the user.Then using his chosen password   and identity   , the user  itself computes   = ℎ(  ‖   ‖   ) and embeds   and   as   =   ⊕ (  ‖   ) and   =   ⊕ (  ‖   ), respectively.Finally,  inserts   ,   , and   in .Since the insider of the system never receives user's password, privileged insider attack is not applicable on the scheme.

Performance Analysis of the Proposed Scheme via Comparison
Now, we compare our scheme with Kumar et al.'s scheme [18] to present a comparative analysis of its performance and efficiency. Table 4 is about memory space required by smart card and computational complexity/cost in both the schemes. Table 5 exhibits the performance of both the schemes. For convenience, we assume that the identity   , password   , random numbers {}, timestamps {  ,   , etc.}, and outputs of one-way hash function {ℎ(  ‖   ‖   ), etc.} are 128 bits long. Table 4 shows that the memory space required by the smart card in Kumar et al.'s scheme and the proposed scheme is 512 bits and 640 bits, respectively. Further, it is noticeable that our scheme adds some hash functions (ℎ(⋅)) but remarkably cuts the number of time consuming symmetric cryptography operation (  ) at each of the three ends. The most important aspect is that there is no symmetric operation required at low powered MS-node. However, it is apparent from Table 5 that with extra memory capacity of 128 bits in smart card and some extra hash functions, the proposed scheme achieves higher performance. The most significant feature of our scheme is the establishment of mutual authentication and session key between every pair of the three participating entities.

Conclusion
A secure and efficient user authentication scheme is essential to offer reliable and proficient healthcare services via WMSNs. This work is motivated by the security problems of Kumar et al.'s scheme for healthcare services using WMSNs.
In this paper, we have designed a user authentication scheme to eradicate the security problems of Kumar et al.'s scheme. Our scheme is user anonymous and is free from risks occurring due to loss of smart card of a user. It defies insider attack and password guessing attack. The most important feature of the scheme is that it establishes mutual authentication and provides session key between every pair of the participating entities, that is, user, GW-node, and MS-node.
Phase. A professional logs in to the GW-node in order to gain patients' medical data via WMSN. The user inserts her/his SC into the smart card reader and inputs   and   . Then the SC performs the following:
(8) It computes session key  - = ℎ(  * ‖   ‖  * ‖   ). Then it acquires   , another current timestamp, and computes  =   - (  ‖  * ‖   ). The MS-node sends {,   } to the user.
It computes session key  − = ℎ(  ‖   ‖  ‖   ). Then it performs the decryption   - () and obtains   and  * . It compares   * with   , and  * with ; if both the equivalences hold only, then the session key is assumed to be established securely.
 enters new password (  )  .
(4)  computes (  )  = ℎ(  ⊕ (  )  ⊕ ) and then replaces   with (  )  .
can compute the session key to be used between a user and a MS-node during a particular session. Suppose   recovers the values {ℎ(  ), ,   } out of   of the intercepted login request of U. Then he attempts to guess the identity   as described in Section 4.2 and uses timestamp   from the corresponding intercepted login request {  ,   }. Then   can easily compute the session key  - = ℎ(  ‖   ‖  ‖   ) to be used by  and the MS-node with identity   . Hence, the shared session key Ksess U-Sn is insecure and   can decrypt the confidential messages communicated between MS-node and .
4.6. MS-Node Impersonation Attack.
An active attacker   having secret key  obtained from a lost or stolen SC can perform decryption of   's for as many users as he wants. As a result, he can obtain the hashed value like ℎ(  ) of all the target users. Next,   can guess the identity   for each ℎ(  ) and tabulates the values {ℎ(  ),   }. After that,   can impersonate the MS-node to deceive legitimate users as explained below. Moreover,   can misguide the user doctor by sending fake data about the patient. Consequently, the patient may receive false treatment, thus denying the goal of healthcare through WMSN.
(i)   can successfully log in as the legal user  with the received   = {ℎ(⋅),   ,   , }.  inserts her/his  into the terminal and inputs   and   . Once   and   are verified,   computes   =   (ℎ(  ) ‖   ‖   ‖   ‖   ) and sends the login request {  ,   } to the GW-node. Clearly, the GW-node considers it as a valid login request from the legitimate user  since it is computed using valid   in   .
(ii) has open option to distribute the user's identity   among malicious persons interested to obtain patient's private health data in an illicit way. These persons can register themselves in similar manner as just explained in the previous scenario and can access data through MS-node. can also distribute the values {ℎ(  ),   ,   } in place of   among these persons. Then it is possible to impersonate  as described in Section 4.1. In case such an illegal access is detected by the system, it will raise a question on the credibility of the valid user (medical professional) whose identity   is misused by  .
4.5. Insecure Session-Key.
(1) As   finds a login request {  ,   } on the network, he intercepts and blocks it and quickly decrypts   to see if ℎ(  ) included in it is present in the table maintained or not. If not then it relays the login request to GW-node.
(2) But if ℎ(  ) exists in the tabular record, then   keeps the login request blocked and uses   from the record, values {,   } from current decryption, and   from login request;   quickly computes  - = ℎ(  ‖   ‖  ‖   ).
(3) It computes  =   - (  ‖  ‖   ) and sends {,   } to , where   is the current timestamp chosen by   .
(4) Obviously  will qualify the verification test at the user side as it consists of valid {  , } and fresh timestamp   . It is noticeable that  - , the common session key is computed by  and   but  believes it to be confidential between him and the MS-node.
Attack. To impersonate as the user,   has to compute a valid login request. Suppose   obtains the lost smart card of  and extracts the values {  ,   ,   ,   } stored in it. Though   is involved in both the components {  and  1 } of the login request, but without   , ℎ(  ), and   computation of these components is incomplete. To recover   from   , the attacker   needs to know of user's identity and password. On the contrary, to obtain   from   or   , the attacker   should hold   or   , respectively. Further, it is not feasible to obtain   or   from   due to noninvertible nature of hash function. Thus, the scheme resists user impersonation attack.
6.2. Providing User Anonymity.
If   intercepts the login request {  ,  1 ,   } of , then he needs   to obtain ℎ(  ) by decrypting   . But   neither knows   nor can recover it by extracting information {ℎ(⋅),   ,   ,   ,   } from the lost smart card of some user; say . To take out   from   , the attacker   should know user's identity and password. In fact, key   required to encrypt/decrypt   is not stored directly in user's smart card and is different for each user. Therefore,   cannot obtain ℎ(  ) and guess the identity as in Kumar et al.'s scheme. On the other hand, to procure identity   from   ,   , or   is infeasible. It requires knowledge of keys   and   to gain   out of   or   , respectively. Moreover, one-way property of hash function does not allow extraction of   out of   . Therefore,   cannot gain the identity of a user and hence the scheme provides user anonymity.
and. As described in Section 6.2,   cannot gain the identity of a user either from the lost smart card of a user or from an intercepted login request. Besides,   is not available as plaintext in 's  and is not obtainable from   without having exact values of   and   . Thus, the scheme resists password guessing attack. Since it is not possible to guess or know the identity   of a logging user,   cannot register itself to the GW-node with legal identity   and fake password   . Hence   cannot harm the security of the scheme by misusing the identity. As a result, the scenario of many illegal users logged in with legal identity   of a registered user is not possible in the proposed scheme.
6.5. Providing Secure Session Key between Every Pair of the Participating Entities.
The proposed scheme establishes session key between every pair of participating entities. Session key between  and GW-node is  - = ℎ( ‖   ‖   ) which depends on three values ,   , and   . Although user's identity   is fixed,  and   are different for each session imparting dynamic nature to  - . However   is available in { 1 ,   } from the open network but   cannot compute  - without having  and   . Session key between GW-node and MS-node is  - = ℎ(  ‖   ‖ ) which is dynamic because of fresh timestamp   and one time usable random number . Although   is fixed but is known only to the GW-node and the MS-node so no one except these two entities can compute the valid  - . Moreover,   cannot procure  from   without knowing   ; from  1 without knowing   ; and from  2
6.3. Resisting Password Guessing Attack.
In order to guess 's password   from   = ℎ(  ‖   ‖   ) obtained from the lost SC of , the attacker   requires knowledge of
Mutual Authentication between Every Pair of the Participating Entities.
At each of the three ends, any received message undergoes at least two-step verification test to verify the authenticity of the sender. For every message, firstly timestamp is checked for freshness followed by one or more equivalences holding tests. The proposed scheme achieves mutual authentication between  and GW-node by exchange of messages {  ,  1 ,   } and { 1 ,   }. When GW-node receives {  ,  1 ,   } from , in addition to timestamp freshness test, the equivalences ℎ(  * ) = ℎ(  ) § ,   * =   , and   =   § are required to guarantee the legitimacy of U. Similarly, for { 1 ,   } received by  from GW-node, the equivalence  * = ,   * =   , and   * =   should hold to prove the validity of the GW-node. Mutual authentication between the GW-node and the MS-node is achieved through the messages { 2 ,   ,   } and { 1 ,   }. Corresponding to the message { 2 ,   ,   }, the equivalence   * =   is imperative to confirm the legitimacy of GW-node and hence of  to MS-node. On the other hand, only the designated MS-node can compute  1 = ℎ(  ‖   ‖   ) ⊕ ℎ(  ‖   ) and the authorized GW-node can retrieve correct ℎ(  ‖   ) from  1 as the computation and retrieval involves use of   hence mutually authenticate the entities to each other.
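The two-step test described above (timestamp freshness against Δ, then a hash equivalence) and the dynamic GW-node/MS-node session key can be sketched as follows. This is an added example, not code from the paper: SHA-256 for ℎ(⋅), the length-prefixed field encoding, the field order, the rejection of future-dated timestamps, and all names and sample values are assumptions.

```python
import hashlib
import hmac
import struct

DELTA = 5  # assumed value for the allowed transmission delay (the page's Δ), seconds


def h(*fields: bytes) -> bytes:
    """One-way hash h(.) over concatenated fields (SHA-256 is an assumption).

    Each field is length-prefixed so that ("ab", "c") and ("a", "bc") hash
    differently; bare concatenation would let those two inputs collide.
    """
    md = hashlib.sha256()
    for field in fields:
        md.update(struct.pack(">H", len(field)) + field)
    return md.digest()


def ts(t: int) -> bytes:
    """Fixed-width encoding of a timestamp (hypothetical wire format)."""
    return struct.pack(">Q", t)


def shared_key(master_key: bytes, node_id: bytes) -> bytes:
    """Key the GW-node shares with MS-nodes: h(master secret || identity)."""
    return h(master_key, node_id)


def make_tag(key: bytes, sender_id: bytes, t: int) -> bytes:
    """Value the receiver recomputes for the equivalence test (assumed layout)."""
    return h(key, sender_id, ts(t))


def verify(key: bytes, sender_id: bytes, t: int, tag: bytes,
           now: int, delta: int = DELTA) -> str:
    """Step 1: freshness. Step 2: equivalence. Returns the outcome as a string."""
    if now - t > delta:
        return "stale"      # (T' - T) > Δ: drop the session
    if t > now + delta:
        return "future"     # added edge case: reject clocks far ahead
    expected = make_tag(key, sender_id, t)
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(expected, tag):
        return "mismatch"
    return "ok"


def session_key(key: bytes, t: int, nonce: bytes) -> bytes:
    """Per-session key: fixed shared key, fresh timestamp, one-time nonce."""
    return h(key, ts(t), nonce)


def demo() -> dict:
    master = bytes(range(32))              # constructed 256-bit master secret
    key = shared_key(master, b"GW-01")     # constructed node identity
    tag = make_tag(key, b"GW-01", 1000)    # message sent at T = 1000
    return {
        "fresh": verify(key, b"GW-01", 1000, tag, now=1003),
        "replayed": verify(key, b"GW-01", 1000, tag, now=1060),
        "tampered": verify(key, b"GW-01", 1001, tag, now=1003),
        "future": verify(key, b"GW-01", 1000, tag, now=900),
    }


if __name__ == "__main__":
    print(demo())
```

A captured message replayed after Δ fails at step 1, and one whose timestamp is rewritten to look fresh fails at step 2, because the timestamp is bound into the hash.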

Table 4: Comparison of efficiency: memory space and computational cost/complexity.

Table 5: Comparison of performance.
(Columns: feature; Kumar et al.'s scheme [18]; proposed scheme.)
and GW-node mutual authentication: No; Yes
Provides GW-node and MS-node mutual authentication: No; Yes
Provides U and MS-node mutual authentication: No; Yes
Establishes secure session key between U and GW-node: No; Yes
Establishes secure session key between GW-node and MS-node: No; Yes
Establishes secure session key between U and MS-node: No; Yes

Notations
Random nonce generated at the user side
  ,    ,   ,    : Current timestamps generated at the user side
  ,   , : User (professional)
⊕: Bitwise Xor operator
||: Concatenation operator.