A Secure Anonymous Authentication Protocol for IoT Based Health-care System using Wireless Body Area Network

The current technology in healthcare and its information are enhanced with IoT systems. In most IoT systems, there exists a gateway between a wireless body area network (WBAN) and the internet to upload and retrieve health information. These IoT gateways normally transmit data to a cloud. Therefore, the importance of IoT devices and health care data could be critical. Hence security constraints are required to retain the data. This paper introduces a novel concept called a secure anonymous authentication protocol with advanced encryption standard (SAAPAES), a cryptographic scheme to guarantee the security services and to protect confidential client data in the healthcare system. Our SAAPAES protocol offers the following aspects: 1. Anonymous authentication: this is one of the easy and efficient ways to protect patient/doctor identities from the server on cloud storage by using a hash key authentication algorithm by disclosing the security aspects like password and username. 2. The patient's health information is encrypted with SAAPAES and then uploaded to the cloud. Finally, the health information is downloaded from the personal data assistant (PDA) in decrypted form using SAAPAES. The proposed authentication approach provides an efficient authentication mechanism with high security in the health-care system.


Introduction
In the recent past, the field of telemedicine has gained strong momentum because medical experts worldwide need to interact with each other through virtual meetings such as video conferencing. But when an expert needs to know the medical background of a patient who is less informed about the technical background of his physical disorders, it becomes important to maintain a database of the patient that can be accessed by the appropriate physician to understand the patient's problem (Anzanpour et al. 2008). In such cases, a cloud-based healthcare system helps in storing the confidential data of patients and their health condition. Unfortunately, the security and privacy of such stored data has become the main concern (Challa et al. 2007; Li et al. 2014). To maintain the security of healthcare data, both cloud service providers and healthcare organizations should take the necessary measures to ensure safe handling of patients' data, which is a target for unethical attackers. Therefore, high security measures and assurance are required in cloud-based healthcare systems (Zanjal et al. 2016). Farahani et al. (2014) have pictured that organizations must make sure that sensitive health reports are stored in the cloud in a more secure and encrypted way, given that they do not control the security of the data access devices used to transmit the data; otherwise this may create a substantial risk as the network grows with new network devices.
Government policies should be in place to ensure that cloud service providers comply with all necessary means to secure patients' data privacy. If such requirements are met by the cloud service providers, there is an opportunity for efficient management of data with proper security. The patient, whose information is stored in the cloud, is the first to be concerned about the data and must have control over his health records. The patient should be able to grant access only to persons who possess the corresponding key.

Proposed methodology
This section describes the architecture of the proposed model and the flow of healthcare information, including authentication and registration.
The proposed system provides a platform where the patient's personal health information is stored in a cloud and can be accessed by any authenticated doctor to learn the medical background of the patient who appears before him. It handles the medical history of each individual and provides access to all registered hospitals to read or update the data for future use by any other registered doctor. A hospital that accesses the database must be registered and must hold a license, which is recorded as a 'unique database accessing code'. The patients' details are stored in the database, and an identification number is generated during this process. Whenever patients go for treatment, their medical data is stored in the database under their identification number, without requiring any personal proof or exposing their personal details. Information gathered from patients is highly confidential and should be shielded from hackers and any third party who may abuse the patient's information and use it for illicit purposes.

Data in PDA (Personal data assistant)
PDA in the framework oversees patient details digitally and allocates access mechanism to different authorities. These PDA data can be updated and processed after cloud storage whenever and wherever necessary and become promptly available to the specified specialists and clients.

Anonymous authentication
As data should be kept secret and confidential from adversaries, it is necessary that every user in the health care system must be authenticated. This helps the administrator confirm the identity and access of the patient's records to the doctor instantly. Here the users can register with personal details for authentication so that the users can upload or view the medical records.
The main idea of user authentication is to find matching information between user and server.
Among these factors, password authentication is the simple and best approach in network applications due to its low cost and easy implementation. The following steps must be followed by the user to register in the hospital registration center: S issues access card (AC) with , , & ℎ(. ) parameters to U through a secure channel.

2.4a Login
If user U wants to login. The user must enter unique user and . Then the system performs the following steps: 1. By using random number , & to compute a value ℎ( ∥ ) ′ and calculate ′ .
If equation (7) satisfies, the system generates a and computes messages ( 1 , , 2 ) or else the login request gets discarded.

2.4b Authentication
After receiving the login request ( 1 , , 2 ), S performs the following steps to authenticate U 1. S uses the received value and its secret key to obtain ′ and ′.
To check the authentication message 2 is valid or not, S computes ′ and ′ .
If equation (14) satisfies, S confirms that U is a legal user and responds with a message 3 to U Or else reject 2. When receiving 3 , U first verifies whether the message is valid or not.
If the equation (16)

Cloud storage
Cloud users should register their details to get permission to access the cloud data. The data owner accepts the request from users, then shares the data private key. Data users get the key from the owner to access the cloud data. Then, the users can log in using their credentials and upload a file after encryption. Later she/he can download the file using the identical key. When uploading the file, the content is encrypted using SAAPAES encryption before being saved into the database. 128-bit SAAPAES encryption is used to provide security to the user-uploaded data.
SAAPAES is a fast symmetric encryption algorithm.

Experimental results
The above analytically demonstrated work was implemented in Cooja toolkit, and security is implemented using homomorphic encryption as shown in figure 2. The data was imported from the SQL database, and the security was implemented over that data.

Patient/Doctor login page
The initial authentication is performed through the user credentials, which are verified against the stored database, provided the user has already registered to create a username and password. The login page has three attributes: username, password, and user type. If the user is not registered, the page redirects to the registration page.

Patient or Doctor Registration Form
Patients and doctors are given unique credentials for logging in. After completing the registration process, either a patient or a doctor can access the system to upload/view medical data.

Encrypting the data using SAAPAES
Authorization is the process of confirming a user's privilege to access a given platform. A unique file ID is generated to upload a file in the cloud environment. Authorized users can use this ID for downloading and editing their uploaded data. After a medical file is uploaded, its details are encrypted using the SAAPAES encryption algorithm. The key size employed for encrypting the plain text is 128 bits. Figure 3 shows the encryption of the patient data at the user end and the encrypted data stored in the IoT server.

Decrypting the data using SAAPAES
The ciphertexts are retrieved from the cloud and decrypted to get the original plaintext. The decryption is done with the help of a private key which is made available to the doctors and other users who need the healthcare data. The key is generated from the SAAPAES algorithm, which is also used for decrypting the text files. Figure 4 shows the decrypted user data stored in the IoT server with a hash authentication key for security.

Replay attack
In our scheme, a timestamp mechanism is employed to avoid the replay attack. If an intruder tries to replay the preceding messages ( , 1 , 2 ) to obtain authentication, the intruder fails because the timestamp is different for each session. As a result, the attacker is unable to authenticate using earlier messages.
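The timestamp defence described above, as an added example (not the paper's code or its exact messages, whose equations are missing from this page): HMAC-SHA-256, the 30-second window, the nonce and the names `make_login` and `Verifier` are assumptions. It also shows that a captured message replayed inside the freshness window passes a timestamp-only check unless the server remembers what it has already accepted.

```python
import hashlib
import hmac
import secrets

MAX_SKEW = 30  # seconds; assumed freshness window, the page gives no value

def _tag(key, pseudonym, ts, nonce):
    data = f"{pseudonym}|{ts}|{nonce}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def make_login(key, pseudonym, now):
    """User side: bind pseudonym, timestamp and a random nonce under the key."""
    ts, nonce = int(now), secrets.token_hex(8)
    return pseudonym, ts, nonce, _tag(key, pseudonym, ts, nonce)

class Verifier:
    """Server side: MAC check, freshness window, then a seen-nonce cache."""

    def __init__(self, keys):
        self.keys = keys   # pseudonym -> shared key
        self.seen = {}     # (pseudonym, nonce) -> timestamp

    def check(self, msg, now):
        pseudonym, ts, nonce, tag = msg
        key = self.keys.get(pseudonym)
        if key is None:
            return "unknown-user"
        if not hmac.compare_digest(_tag(key, pseudonym, ts, nonce), tag):
            return "bad-mac"
        if abs(now - ts) > MAX_SKEW:
            return "stale"
        # Drop entries the window would reject anyway, so the cache stays small.
        self.seen = {k: t for k, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if (pseudonym, nonce) in self.seen:
            return "replay"  # a timestamp alone would have accepted this one
        self.seen[(pseudonym, nonce)] = ts
        return "ok"

def demo():
    key = b"constructed-demo-key"  # constructed sample secret
    server = Verifier({"PID-7f3a": key})  # constructed pseudonymous ID
    t0 = 1_700_000_000
    msg = make_login(key, "PID-7f3a", t0)
    forged = msg[:3] + ("0" * 64,)
    return [server.check(msg, t0 + 1),     # first use, fresh
            server.check(msg, t0 + 5),     # same message again inside the window
            server.check(msg, t0 + 120),   # same message after the window
            server.check(forged, t0 + 1)]  # tag not computed with the user's key
```

The window must cover real clock drift between the body-area devices and the server, so the cache is what bounds replay, not the window alone.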

User impersonation attack
During registration process, server S generates a timestamp to calculate parameter P using user's and secret key , where is unique for each user. As a result, the attacker attempting to guess with an unknown is not possible. Hence user impersonation attack is not possible in our proposed scheme.

Eavesdropping attack
In an eavesdropping attack, an attacker mostly targets an unsecured connection. In our proposed system, all the patients' information is encrypted by AES. AES is one of the best encryption protocols, thereby eavesdropping attacks can be prevented in our proposed approach.

Man-in-middle attack
An attack in which the attacker establishes an independent connection between a valid sender and receiver, without the knowledge of the true sender and receiver, is known as a man-in-the-middle attack. In our proposed system the use of HMAC provides authentication to validate the genuine user and AES is used for encryption, thereby the system is secure from attackers.
39ms & 78ms is given in figure 5(e). The proposed SAAPAES algorithm provides the security of about 97% and is higher than the existing algorithms with security of 87%, 82% and 95% is given in figure 5(f).

Password guessing attack
The

Conclusion
Healthcare On the performance side, the 128-bit SAAPAES encryption approach has advanced and strengthened the security of records to its highest-degree secrecy with minimum energy consumption comparatively which was justified using simulations.