Securing Body Sensor Networks with Biometric Methods: A New Key Negotiation Method and a Key Sampling Method for Linear Interpolation Encryption

We present two approaches that exploit biometric data to address security problems in the body sensor networks: a new key negotiation scheme based on the fuzzy extractor technology and an improved linear interpolation encryption method. The first approach designs two attack games to give the formal definition of fuzzy negotiation that forms a new key negotiation scheme based on fuzzy extractor technology. According to the definition, we further define a concrete structure of fuzzy negotiation that can enlarge the types of biometric data used to negotiate shared keys between biosensor nodes. The second approach includes a detailed key sampling method that uses shared secrets to generate linear interpolation factors and an improved linear interpolation encryption scheme based on linear equation group. Security analyses show that these two approaches are secure and can resist attacks launched by Ultra-Wide Band (UWB) technology, which has not received due attention in the existing studies.


Introduction
Body sensor networks (BSNs) are an important branch of wireless sensor networks (WSNs) [1,2]. A BSN is a medical information system in the field of e-health, and it consists of some biosensor nodes that form a wireless micronetwork on the human body. These biosensor nodes are microscale equipment integrated with biosensors and transceivers [3], and they can provide a capability of automated and continuous human monitoring when they are worn on or implanted in the human body. At present, various biosensors have been designed to measure diverse physiological signals, such as blood pressure (systolic and diastolic), electrocardiogram (ECG), blood oxygen level (SpO2), and activity recognition. These sensors are available in many different forms, including wrist wearable devices, implantable devices, and biomedical smart clothes [4][5][6][7]. Based on the functions of biosensors, BSNs cannot only monitor body health, but also perform complete intelligent treatment, such as accurate insulin injection. Applications of BSNs will greatly improve the society's medical conditions and promote living qualities of people.
In order to realize exchanging of medical information among biosensor nodes in a BSN, physiological signals should be transformed into biometric data. Since these data are sensitive medical information, they must be protected. Otherwise, the leaked biometric data could divulge personal privacy, and the tampered biometric data could cause serious medical accident and even threaten a patient's life [8][9][10][11]. National regulations are being established to ensure the privacy and security of healthcare data from data generation, transmission, storage, and usage. For example, the HIPAA (the Health Insurance Portability and Accountability Act) has set a benchmark [8]. However, the computational and bandwidth limitations of BSNs are on a par with those 2 International Journal of Distributed Sensor Networks found in the so-called microsensor networks, which make traditional security paradigms [12][13][14][15][16][17] designed for conventional WSNs not directly applicable to BSNs. Thus, there are great challenges in designing security schemes for BSNs. One of the core problems is how to establish shared keys among biosensor nodes and how to encrypt biometric data efficiently. Note that biometric data themselves have an advantage over conventional cryptography in authenticating genuine users [18,19]; a natural solution of protecting biometric data will be the combination of conventional cryptography and biometric security method, for example, as discussed in biocryptography [20,21].
Due to physiological noise and errors of biosensors, the same kind of biometric data collected by various biosensors may not have the exact same value, which causes these data to be not suitable to be used in key negotiation directly. To solve the problem, a common method is to use error-correcting codes [17,22]. In addition, linear interpolation encryption method has great advantages over conventional encryption methods in protecting biometric data [23]. However, both of the methods have drawbacks, respectively. In the former method, common keys only can be derived from errorcorrecting codes, which stringently limits the size of key space. In addition, the method only can use high-entropy physiological signals to negotiate common keys, but at present people only recognize a few kinds of high-entropy physiological signals in the human body, which means that the method has not a good application prospect. Also the latter method does not provide idea on how to sample interpolation factors from the physiological signals, and it cannot resist the attack of remotely collecting physiological signals launched by the Ultra-Wide Band (UWB) technology. In order to address the above problems, we introduce predeployed keys technology and fuzzy extractor to build key negotiation scheme and propose a new biometric data encryption scheme. Our contributions include the following: (i) we design a fuzzy-extractor-based key negotiation scheme using error-correcting codes and predistributed keys, and the scheme has stronger security and is easier to use in practice; (ii) to remedy the drawbacks in the linear interpolation encryption shown in [23], we give a concrete method of sampling interpolation factors from physiological signals and propose a more secure encryption method for biometric data.
The rest of the paper is organized as follows. Section 2 presents the existing research results related to key negotiation and biometric data encryption in BSNs and analyzes the known security problems. Section 3 proposes a new key negotiation scheme based on fuzzy extractor technology and analyzes security of the new scheme. A detailed method of sampling linear interpolation factors and an improved linear interpolation encryption scheme are developed and their security analyses are given in Section 4. Finally, in Section 5 conclusions are drawn.

Fuzzy Commitment Technology.
In a human body, some biometric data have a high level randomness and can be viewed as pseudorandom numbers, and thus, these data can be used to build key negotiation schemes in BSNs. Reference [24] proposed using a group of similar random numbers generated from these biometric data at different sites of the human body to encrypt and decrypt a symmetric key for secured distribution. Since the same biometric data captured at different locations of the body have slight differences, they employed a fuzzy commitment technology [22] to ensure that errors in a recovered encryption key can be removed by a certain error-correcting code . At the transmission terminal, a high-entropy biometric value is used by a biosensor node A to commit the key shared that is an element of , say, using ( shared , ) = ℎ( shared )‖( ⊕ shared ), where ℎ(⋅) is a hash function, ⊕ is the bitwise XOR operation, and ‖ means concatenation. At the receiving terminal, if the same kind of biometric value collected by the other biosensor node B is similar to , and the difference between them is tolerable to , B can use and to decommit the key shared . Compared with traditional key negotiation schemes, the noninteractive fuzzy commitment scheme has less energy consumption in messages transmission and is suitable for BSNs. Next, various algorithms have been developed following the work of [24]. In [23], a method was proposed, which only transfers commitments to complete keys negotiation. The method is conductive in reducing messages transferred for negotiation of shared keys and is suitable to negotiate shared keys among more than two biosensor nodes. Reference [25] used a hybrid topology that combines two topologies, star and mesh, to establish shared keys. In the scheme, identities of biosensor nodes are used to authenticate shared keys, and a mechanism of changing cluster heads according to energy is proposed to maximize the lifetime of BSNs. Reference [26] proposed a method that uses time slots to solve synchronization problem of highentropy biometric data between biosensors. Reference [27] pointed out by experiment that the timing information of heartbeats has high-entropy characteristic and can be used to negotiate shared keys in BSNs. Reference [28] proposed an energy efficient key management for BSNs based on fuzzy commitment where a weak time synchronization mechanism and an energy-based multi-hop-route-choice method are advanced to decrease the energy of key management in BSNs.
Although many achievements have been made on this topic, several challenging security problems remain. (1) Only variable and high-entropy biometric data in the human body are considered for negotiating keys. Up to now, only the timing information of heartbeats has been proved to satisfy the requirement [27], which greatly limits applications of the technology in practice. (2) Shared keys are only generated from the set of error-correcting codes, which restrict the choice space of keys. Furthermore, some researchers argue that the generation may cause security problems for the reason that error-correcting codes should be public, and adversaries could easily get shared by its hash value [29].
(3) Shared keys are vulnerable to a new developing RCB (remotely capturing biometric data) attack that uses UWB (Ultra-Wide Band Radar) technology to remotely capture some kinds of biometric data [27]. That is, when an adversary remotely captures a biometric value that is used to negotiate shared keys and eavesdrops the corresponding commitment: International Journal of Distributed Sensor Networks 3 = ⊕ shared , he can easily get the shared key by: ⊕ = ⊕ shared ⊕ = shared .

Fuzzy Extractor Technology.
Following the development of the fuzzy commitment technology, another biometric cryptography, fuzzy extractor technology, was proposed in [30]. A fuzzy extractor is composed of two procedures (Gen, Rep) that operate as follows. Suppose is a variable and and are two values of . The first procedure (Gen) in the transmission terminal holds , if it wants to establish a shared secret with the second procedure (Rep) in the receiving terminal, it computes ( , ) = Gen( ) and sends to Rep; Rep holds , and when it receives , it computes = Rep( , ). A fuzzy extractor satisfies correctness if = when the distance between and is tolerable to a selected error-correcting code and satisfies security if is uniformly distributed even given when the entropy of is high. The main difference between fuzzy commitment and fuzzy extractor lies in the fact that the former's goal is to recover the original key of transmission terminal at the receiving terminal, and the latter's goal is realize the reproduction of a secret from close to at the receiving terminal after the transmission terminal generates from .
When is looked at as a biometric template, fuzzy extractor can be used widely in the fields of secure authentication and key reproduction, which cause it to be well studied. Reference [31] pointed out that an improper sketch construction and a biased error-correcting code are both the source of leaking secret biometric data; they make a fuzzy extractor not adequate for multiple use of the same secret biometric data. And then, it proposed two concepts, "outsider chosen perturbation security" and "insider chosen perturbation security, " to address the security problem. Reference [32] pointed out that fuzzy extractor cannot resist active attack, and when commitments are tampered, the authentication service provided by fuzzy extractor will be invalid. And then, it used ideal hash function to build a robust extractor to resist this kind of active attack. Reference [33] showed that some of more popular constructions that have been shown before have serious security weaknesses in presence of even very weak adversaries. And then, it proposed two concepts, indistinguishability and irreversibility, and designed two attack games to define the security of fuzzy extractor. Reference [34] explained the root of vulnerability of fuzzy extractor; that is, because the key derived from biometric data must be indistinguishable to uniform random distribution, the leakage of information associated with the biometric data is unavoidable. And following the work of [33], it further divided the concept of indistinguishability into two security levels, "weak biometric privacy" and "strong biometric privacy, " and according to the two security levels, it advanced a method to improve the security of fuzzy extractor. Following the above researches [35], proposed a robust fuzzy extractor structure and an authenticated key agreement from close biometric data. The research considered both keyless case and keyed case of building shared keys and gave solutions to reduce the loss of entropies in the negotiation of shared keys. Fuzzy extractor has advantages over fuzzy commitment in terms of key space and option of biometric data, while it cannot be used directly to negotiate shared keys in BSNs scenario. That is, due to real-time physiological noise and errors of biosensors, the distance between the template of biometric data and the same kind of biometric data collected in real time by other biosensors always is out of toleration of the selected error-collecting code. In addition, the existing key management schemes based on fuzzy extractor technology are always not suitable to practical BSNs; for instance, key agreement scheme in [35] cannot resist the new developing RCB attack, and furthermore it only uses biometric data with high entropy to negotiate shared keys.

INTRAS Encryption.
In order to improve the efficiency of encrypting biometric data in BSNs, [23] proposed a set of linear interpolation encryption schemes, called INTRAS, which are effectively a combination of interpolation and random sampling. The simplest scheme of INTRAS is summarized as follows.
(1) In a BSN context, the shared encryption key is used to generate a vector of sampling instants = ⟨ [1], [2], . . ., [ ]⟩ by both the sender and the receiver.
Here, security is achieved from the fact that the input cannot be recovered from the scrambled output [ ], without knowledge of the delay vector .
(4) For the receiver, on input sequence and , he can recover the sequence .
The simplest INTRAS encryption has two problems. One is that [23] does not give the concrete method to generate interpolation factors, and the problem exists in all of the other forms of INTRAS encryption schemes; the other one is that knowing the input data and encrypted output is equivalent to knowing the key, which is vulnerable to the RCB attack. Though other forms of INTRAS encryption do not have the latter problem, their procedures are too complicated to realize.
From the above analyses, it can be seen that existing researches cannot secure BSNs effectively, so in the rest of the paper, we first combine the technologies of predeployed keys and fuzzy extractor to design a new key negotiation method, called fuzzy negotiation. And then, we propose a detailed method to generate interpolation factors sequence from shared secrets and further advance an improved INTRAS encryption method.

Proposed Fuzzy Negotiation Technology for Key Negotiation
In this section, we make use of predeployed keys technology and fuzzy extractor technology to propose a new key negotiation method. Our goal is threefold, (i) to enlarge the key space by combing predeployed keys and physiological signals; (ii) to use physiological signals with any entropies to negotiate common keys; (iii) to resist the RCB attack.

Definition of Fuzzy Negotiation.
Like fuzzy commitment and fuzzy extractor, fuzzy negotiation makes use of errorcorrecting codes to negotiate keys. Let be a space of messages with distance function dist(⋅); more formally an error-correcting code is a subset of number of distinct codewords { 0 , . . . , −1 } of . The Hamming distance of is the smallest such that dist( , ) ≥ for all ̸ = , which means that can detect up to − 1 errors, and the errorcorrecting distance is = ⌊( − 1)/2⌋ [17].
As our work is in the computational setting, we use to denote the security parameter. All algorithms are assumed to be a polynomial time in . Then a function ( ) is negligible if for all positive polynomial (⋅) and sufficiently large , ( ) ≤ 1/ ( ).
In a BSNs, let denote the preloaded secret of all biosensor nodes, is a variable of with length | | = , and are values of , is a random value with length , and is the error-correcting distance of a selected public error-collecting code , where the length of each codeword is . Then, we give a formal definition of fuzzy negotiation as follows.
Definition 1. A structure of fuzzy negotiation is a pair of randomized procedures, "Trans" and "Rec, " with the following properties.
If dist( , ) > , then no guarantee is provided about the output of "Rec. " (3) Security. Any adversary wins the adaptively chosen biometric data attack game and adaptively chosen commitment attack game defined as follows with negligible possibilities.
Adaptively Chosen Biometric Data Attack Game. We define an adaptively chosen biometric data attack game against fuzzy negotiation as the following game between a challenger and an adversary. In the initialization, the challenger is assigned with a secret .
Preparation. The adversary chooses a kind of physiological signal and describes it as a biometric variable ∈ . Then, the adversary gives the specification of (such as the kind of the physiological signal) to the challenger.
Queries. The adversary makes up to possibly adaptive queries. To form adaptive query , the adversary produces a value of , a random value , and a codeword from and then sends all of them to the challenger. The challenger produces ( , ) ← Trans( , , , ) and sends to the adversary.
Challenge. The adversary produces a value of , a random value with length | |, and a random value and selects a codeword from and then sends all of them to the challenger. The challenger randomly produces a bit ; if = 1, the challenger computes ( * , * ) ← Trans( , , , ), and if = 0, the challenger computes ( * , * ) ← Trans( , , , ) instead. Finally, the challenger sends * to the adversary.
More Queries. The adversary runs additional queries as described in step "Queries." Response. The adversary eventually produces a bit and wins if = .
Let adversary( * ) be the output of the adversary when it gets * and | an alternative choice with a probability of 1/2. Then, the adversary's advantage in this game is defined Proof. The attack game simulates adaptive attack to the "Trans" procedure of fuzzy negotiation in practice: an adversary can adaptively capture some kind of biometric value (such as timing information of heartbeats) by RCB (remote capturing biometric data) attack and get the corresponding commitment by eavesdropping method. In such way, the adversary can do enough adaptive exercises to analyze the relationships between biometric data and corresponding commitments. If in such attacks, the adversary's advantage is negligible in step "Challenge, " it means that the adversary cannot find the relationships between them, and then, the attacker cannot make use of commitments to compute biometric data, which cannot be captured remotely.
Adaptively Chosen Commitments Attack Game. Let Δ be the set of perturbation functions over a messages space ; that is, Δ = { : → }, where dist( , ( )) can be greater than . We define an adaptively chosen commitments attack game against a fuzzy negotiation as the following game between a challenger and an adversary. In the initialization, the challenger is assigned with an error-correcting code and a secret .
Preparation. The adversary points a kind of physiological signal as a biometric variable ∈ . And then, the adversary International Journal of Distributed Sensor Networks 5 gives the specification of (such as the kind of the physiological signal) to the challenger.
Public Queries. The adversary makes up to possibly adaptive queries: to form adaptive query , the adversary produces a value of , a random value , and chooses a codeword from and then sends all of them to the challenger. The challenger produces ( , ) ← Trans( , , , ) and sends to the adversary.
Keys Queries. The adversary makes up to possible adaptive reproduction queries that can be interspersed with public queries as follows. To form query , the adversary chooses ∈ Δ, a biometric value , and that is generated from in the "public queries" step and then sends them to the challenger. The challenger computes = Rec( , ( ), , ) and returns to the adversary. In order to let the adversary do enough exercises, the procedure "Rec" will return the adversary a value, such as a fault ; even satisfies dist( , ( )) > .
Challenge. The adversary chooses * ∈ { 1 , . . . , } from strings returned by the challenger in a public query and in any key query ( , , * ) the distance has dist( , ( )) > . The adversary sends * to the challenger. The challenger randomly produces a bit ; if = 1, the challenger computes = Rec( , , * , ) with unperturbed and gives it to the adversary. Otherwise, if = 0, it chooses a random string with length of | | and gives it to the adversary instead.
More Queries. The adversary runs additional queries as described in step "Public Queries. " Response. The adversary eventually produces a bit and wins if = .
The adversary's advantage in this game is defined as adv ( ) = | Pr[ ← adversary( ) = Rec( , , * , )] − 1/2|. Proof. The attack simulates the adaptively chosen commitments attack to the "Rec" procedure of fuzzy negotiation in practice. Before a user uses a BSN product, an adversary can get the BSN product by some means (e.g., the adversary unpacks the BSN product unauthorizedly in the transportation) to launch adaptively chosen commitments attack where, for a pair of biometric value and commitment adaptively chosen, the adversary can get corresponding shared key. So, the adversary can do enough adaptive exercises to analyze the relationships between commitments and corresponding shared keys.

The Characteristics of Definition of Fuzzy Negotiation.
The definition of fuzzy negotiation is similar to that of fuzzy extractor, and the main difference lies in that the security in fuzzy negotiation is in the computational setting and is defined by two attack games. The reason is that fuzzy negotiation is used in key negotiation of BSNs, and the two attack games can emulate real attacks well on BSNs where the new RCB attack is included. In addition, we explicitly point out that error-correcting code is public, and its codewords can be known by the adversary, which meets the common usages of error-correcting code and is in accordance with the opinion in [29]. Our adaptively chosen biometric data attack game looks similar to the "weak biometric privacy" game introduced in [33]. However, their applications are different in essence. The "weak biometric privacy" game is used to describe the attack to biometric data based authentication that uses fuzzy extractor technology. In order to launch such an attack, the adversary needs to obtain the same kind of biometric trait that is already used as an authentication template. Due to differences in sampling biometric data each time from the human body, the game introduces a set of perturbation functions to simulate the differences, whereas our adaptively chosen biometric data attack game is used to describe the adversary's ability to analyze the relationships between biometric data and their commitments. When designing the game, it is observed that the RCB attack can contain some kinds of biometric data from the human body, which can pose serious threat to the security of BSNs. Our game does not need perturbation functions because the adversary is allowed to know the biometric data that are used to produce commitments. In step "Challenge, " the adversary in former game does not know the perturbation function selected by the challenger and the biometric data which he wants to challenge. These restrictive conditions will decrease adversary's attacking ability. Whereas the adversary in our game knows the biometric data, the random value and the codeword , all of them, are used to generate the challenge in step "Challenge. " Furthermore, our adaptively chosen biometric data attack game implies that the adversary could analyze the relationship between biometric data and their commitments in "Queries, " "Challenge, " and "More Queries" steps. Thus, our adaptively chosen biometric data attack game is not only suitable for describing the attacks to BSNs, but also a stronger attack model.
In addition, our adaptively chosen commitments attack game is similar to the "strong biometric privacy" game specified in [33]. However, unlike the "strong biometric privacy" game, our adaptively chosen commitments attack game does not do any "key queries" in step "More Queries, " which follows the fact that when BSN product is deployed on the user's body, the BSN is under surveillance all the time. The adversary has no chance to do "key queries" exercises. Furthermore, our adaptively chosen commitments attack game implies that the adversary could use to analyze the relationship between biometric data and their commitments and between commitments and corresponding shared keys in "Public Queries, " "Private Queries, " "Challenge, " and "More Queries" steps.

Structure of Fuzzy Negotiation.
According to the definition in Section 3.1 we design a fuzzy negotiation structure as follows. The structure consists of a pair of procedures: "Trans" and "Rec. " As mentioned in Section 3.1, in the initialization of the structure, each biosensor node is preloaded with a secret that is divided into two keys, 0 and 1 , with | 0 | = | 1 | = . In addition, each biosensor node is assigned with a keyed one-way pseudorandom function (1) Procedure "Trans": (i) collecting a biometric value from a pointed physiological signal and encoding it into a binary value with | | = ; (ii) selecting a codeword from the error-correcting code and computing the relationship between and : V = ( , ); (iii) generating an open random value with | | = and then using (⋅) to hide V : = V ⊕ 0 ( ); (iv) finally, deriving the shared key: shared = 0 ( 1 ( ⊕ )) (⊕ is bitwise XOR operation) and outputting the commitment corresponding : = ⟨ , , 0 ( ‖ ‖ )⟩ ("‖" denotes connection of messages).
The structure of fuzzy negotiation is shown in Figure 1. In hospital applications, many BSNs on various patients' bodies may overlap in their wireless range. If biometric data collected by two biosensor nodes that have been placed on two adjacent patients' bodies, respectively, are similar, the two biosensor nodes belonging to two different subjects can negotiate a shared key, which will cause serious medical accidents. However, many existing schemes [22][23][24][25][26][27] have ignored this problem. In our scheme, the preloaded 0 and

Correction Analysis of Fuzzy Negotiation.
For simplicity, we define (⋅) as bitwise XOR operation ⊕, and then in procedure "Trans" V and can be defined as V = ⊕ and = ⊕ ⊕ 0 ( ), respectively. Accordingly, can be defined as ⟨ ⊕ ⊕ 0 ( ), , 0 ( ⊕ ⊕ 0 ( )‖ ‖ )⟩, and the shared key can be defined as shared = 0 ( 1 ( ⊕ )). In procedure "Rec, " * can be defined as * = (V, ) = ⊕ 0 ( ) ⊕ = ⊕ ⊕ = ⊕ , where is the difference between and . If ≤ , procedure "Rec" can recover by the error-correcting function Dec(⋅) which causes 0 ( ‖ ‖ ) = 0 ( ‖ ‖ ). And then, procedure "Rec" can recover by = (V, ) to generate shared = 0 ( 1 ( ⊕ )) which is shared with procedure "Trans. " If > , procedure "Rec" cannot recover effectively, and the key negotiation fails. In the former attack game, when the adversary gets commitment = ⟨ ⊕ ⊕ 0 ( ), , 0 ( ⊕ ⊕ 0 ( )‖ ‖ )⟩, it can compute 0 ( ). Since 0 (⋅) is a keyed one-way function, the adversary can only guess the right 0 from 0 ( ) and with a negligible probability. Then, we can say that although the adversary can get a biometric value by RCB attack and its commitment by eavesdropping, it hardly finds the relationship between them with a negligible probability. In other words, the adversary can win the former attack game with a negligible probability. In the situation, the adversary cannot launch RCB attack to a biometric value which he cannot capture remotely as he cannot deduce the biometric value by its public commitment. This can protect these biometric data from being known by the adversary.
In the latter attack game, the adversary can obtain enough pairs of and Rec( , ( ), , ) = 0 ( 1 ( ⊕ )). Although , , and 0 ( 1 ( ⊕ )) are known to the adversary, it will search the key space of 2 128 ×2 128 before obtaining the right 0 and 1 , which is an infeasible task. Then, without 0 and 1 , the adversary can hardly compute the relationship between the commitment of and the shared key shared , even given , ( ), and . Thus, we can say that the adversary wins the latter attack game with a negligible probability.
It is worth noting that, in fuzzy negotiation, we do not require that must be a high-entropy biometric value. The reason is that, in the equation shared = 0 ( 1 ( ⊕ )), is a random value and (⋅) is a keyed pseudorandom function, which causes the input of 0 (⋅) to be a secret value that is computing-indistinguishable from a uniformly random value even is a constant value. Thus, in the "Key Queries" step of the adaptively chosen commitments attack game, the adversary cannot obtain any knowledge of shared from . So, in our fuzzy negotiation structure, biometric values with any entropy can be used to establish shared keys.
We summarize the advantages of our fuzzy negotiation technology as follows. (1) Shared keys are produced by biometric nodes themselves, rather than delivering shared keys from one biosensor node to others, which reduces the messages that need to be delivered in key negotiation. With the help of broadcast mechanism, the method is suitable to establish shared keys among biosensors with more than two nodes. (2) Using two predeployed keys, 0 and 1 to generate shared keys, it helps the key negotiation scheme to withstand the RCB attack with little extra storage cost. (3) Breaking the limit that only high-entropy biometric data could be used to negotiate shared keys and widening the choice of the kinds of biometric data used in the practical negotiation of keys in BSNs.

Efficient Linear Interpolation Encryption with Keys Sampling Method
In [23], the linear interpolation operation is iteratively executed with interpolation factors and physiological signals to produce cipher text, and the cipher text can hide the physiological signals if interpolation factors keep confidential. However, the scheme does not give the detail on how to generate linear interpolation factors and only claims that these factors can be derived from the session key, which makes INTRAS lacking of operational guidance. In addition, if we use the method in [22] to produce the session keys, the keys may be easily captured by RCB attack according to the description in Section 2.1, which will cause the divulgation of interpolation factors and furthermore the divulgation of physiological signals. To address the problems, in this section we propose a concrete sampling method to generate interpolation factors and then design an efficient INTRAS encryption scheme that can resist RCB attack.

The Key Sampling Method.
In this subsection, we propose a key sampling method that can produce a sequence of linear interpolation factors with enough length from the shared key to be used to encrypt biometric data. And the method is described as follows.
We call some consecutive bits of as a sampling window, and before extract interpolation factors from the shared key shared , we let the sender A produce two secret parameters: open ℓ and secret ; therein ℓ is the size of sample window; is a secret vector: = ⟨ 1 , . . . , ⟩, where (1 ≤ ≤ ) denotes the start position of a sampling window and is the number of interpolation factors required by encrypting biometric data.
When A needs to extract a sequence of interpolation factors from , it denotes each interpolation factor by the value of a 's fragment that is with a length of ℓ bits and starts from the bit of . Security here is achieved from the fact that the adversary does not know the distribution of , which renders it infeasible to computer each interpolation factor . After producing , A sends ℓ and shared ( ) to B, therein shared ( ) means using shared to encrypt in a symmetric encryption algorithm (such as AES). And then, B can produce the same sequence of interpolation factors.

An Improved INTRAS Encryption Scheme.
Using the sequence of interpolation factors , we combine the traditional encryption and signal encryption to propose an improved INTRAS encryption scheme. In the improved scheme, we first encode raw biometric data into a sequence by PCM (pulse code modulation) encoding, and we then encrypt a fragment of biometric data sequence using a fragment of by iterative linear interpolation method. More specifically, we denote a fragment of biometric data  V + [1] ( ≥ 2). In the encryption process, if has been used to encrypt number of biometric data fragments, − +1 , . . . , −1 , ( ≤ − + 1), we will use the next fragment of , ⟨ +1 , . . . , + ⟩, to encrypt the next number of biometric data sequences +1 , . . . , + . In order to protect the integrity of biometric data transferred from A to B, A should use a keyed pseudorandom hash function 0 (⋅) to produce a commitment: . Before B decrypts the encrypted messages that is received from A, A must send ℓ, shared ( ), and 0 (ℓ‖ shared ( )) to B; therein 0 (ℓ‖ shared ( )) is used to commit the integrity of ℓ and shared ( ). When B wants to decrypt biometric data, at first, it checks the integrity of ℓ and shared ( ); if the integrity is valid, it will use ℓ and to produce the same interpolation factors sequence as A. Next, B will check the integrity of encrypted biometric data, and if the integrity is valid, it will use and to decrypt the received encrypted messages by iterative decryption method.
For simplicity, Figure 2 only shows the sender part of the improved INTRAS encryption scheme.

Security Analysis.
INTRAS encryption is different from the traditional encryption scheme, and it adopts a simple addition operation and a multiplication operation to hide biometric data, which results in a piece of ciphertext exposing some valuable information about corresponding biometric value. Here we take our improved INTRAS encryption scheme as an example. Suppose in an improved INTRAS encryption scheme ℓ = 10, = 3, and the range of the biometric values needed to be encrypted was studied in [10,21]. Thus, if an interpolation factor is 1023 (the maximum value when ℓ = 10) in a fragment of , the encrypted biometric values produced by the fragment should be between 10230 and 61410. In other words, if an adversary receives an encrypted value between 10230 and 61410, and it also knows and the range of biometric values, it will induce the value of ℓ easily. Thus, in our improved INTRAS encryption scheme, ℓ does not need to be encrypted.
Though ℓ is open, we argue that the improved INTRAS encryption scheme is still a secure scheme. Below, we will explain this in terms of security of interpolation factors and biometric data, respectively.
(1) Security of Interpolation Factors. In the analysis, we consider the worst case where all of biometric values encrypted by a fragment of are captured by the adversary using RCB attack. And in this context, the adversary will get the following equations set: . . .
In the equation, and the coefficients , . . . , + − are known by the adversary. Because the length of each interpolation factor is ℓ bits, the search space of adversary is 2 ℓ×( − −1) before he guesses the right values of ⟨ , . . . , + − ⟩. When ℓ × ( − − 1) ≥ 128, the adversary hardly guesses the right fragment of . For instance, if ℓ = 10 and = 2, then must be 16. That is, the sender should execute the following encryption: Thus, it can be seen that, in the worst case, the improved scheme still can maintain the security of interpolation factors as long as we give suitable values to ℓ, , and .
(2) Security of INTRAS Encryption. Due to existence of RCB attack, we hardly can resist an adversary to capture some kinds of biometric data remotely, while we should take measures to prevent the adversary from obtaining biometric data which it cannot capture remotely using the information which it can obtain by RCB attack. In the following, we show that the improved INTRAS encryption scheme can maintain the security of biometric data that cannot be captured by RCB attack.
In this analysis, we suppose the interpolation factors sequence is secure, and then the worst case is that when a fragment of is used to encrypt fragments of biometric data, the former −1 numbers of fragments in the fragments are known to the adversary; then we analyze whether the last value of the th fragment is secure.
From Figure 3 we can see that the improved INTRAS encryption scheme not only can hide the values of biometric values, but also can hide the changing trend of biometric values.

Conclusion
In order to improve the security of BSNs and provide BSNs with maximum protection from RCB attacks, we propose two improved approaches in this paper. One approach proposes a fuzzy negotiation structure that can use biometric data with any entropy to negotiate shared keys between biosensor nodes. Furthermore, when some shared keys are generated from biometric data that can be threatened by RCB attacks, the structure can secure these keys and also other biometric data that cannot be captured remotely. The second approach firstly proposed a key sampling method, which was not studied in the original INTRAS encryption, and it can be used to produce interpolation factors. We also proposed an improved INTRAS encryption scheme that can effectively resist the RCB attacks. Security analyses show our approaches are adequate for being used to secure BSNs.